Implement local merge queue (Mac mini, sign-on-green, replace Actions)

[obj-p]

Track implementing the local merge queue per the plan in docs/local-merge-queue-plan.md (landed in #229).

Goal

Replace GitHub Actions with a Mac mini single-worker merge queue. Only the maintainer can push to a queue remote. A clean-room macOS VM rebases onto origin/main, runs the merge bar (lint + unit + example integration), signs verified commits with a VM-only key, and fast-forwards main through a deploy key that a ruleset names as the sole bypass actor. No CI runs on GitHub.

Phases (each has a single pass/fail check in the plan)

• Phase 1 — VM pipeline. post-toolchain snapshot + in-VM script that checks out a SHA, rebases, runs the pipeline, signs on green. Verify: known-good SHA returns signed, known-bad rejected, key injected at run (not baked into snapshot).
• Phase 2 — Key bundle + injection. Encrypted bundle; harness decrypts and injects onto tmpfs. Verify: rebuild snapshot from provisioning only, inject bundle, landing signs under the same identity.
• Phase 3 — Host harness. Bare queue remote + receive hook, VM restore/push-in/collect, local branch reset. Verify: end-to-end landing on a scratch repo via git push queue.
• Phase 4 — GitHub cutover. Bootstrap PreviewsMCP: deploy key, ruleset, require-signed-commits, allowed_signers, disable Actions. Verify: account push to main rejected, web merge button blocked, VM landing shows PR merged.
• Phase 5 — Rehost drill. Move the queue to a second Mac using only the rehost runbook. Verify: a landing succeeds with no manual step carried from the first host.

Key decisions (settled in the plan)

• Host: Mac mini at a Tailscale IP, single-worker.
• Keys: external encrypted bundle injected at run (option B), not baked into the snapshot.
• Layout: separate private merge-queue tool repo (harness + VM kit from research/vm/ + bootstrap); PreviewsMCP holds only .mergequeue.toml + allowed_signers.
• No GitHub CI; Actions disabled. Fork PRs get no automated signal until run through the queue.

Open questions (from the plan)

• Warm build caches in the snapshot vs a pristine environment.
• Per-push advisory tier vs per-merge full pipeline.
• Batching if landings back up (Bors-style).
• Secret store for the bundle: age-encrypted file vs macOS keychain vs secrets manager.
• Snapshot transport on rehost: copy the image vs rebuild from provisioning.

[obj-p]

Gate spike result (subproblem 1: prove the GitHub gate)

Ran the gate end-to-end on a throwaway public repo with gh, two key pairs, and rulesets. No VM, no harness. The gate works, but the plan's single-ruleset design was wrong and is now corrected in docs/local-merge-queue-plan.md.

Headline finding: two rulesets, not one

A bypass actor with bypass_mode: always bypasses every rule in its ruleset, required_signatures included. So a single ruleset with deploy-key bypass + signatures lets the deploy key push unsigned commits. Fix (verified): a separate required_signatures ruleset with an empty bypass list. That also makes landing on main require both the deploy key and the signing key, stronger than the plan's "signing key is attestation only."

Checks

Check	Result
Account push direct to main	rejected
Web merge button (gh pr merge as account)	rejected
Deploy-key push of signed commit	lands, verified=true
Deploy-key push of unsigned commit, single ruleset	accepted (the trap)
Deploy-key push of unsigned commit, separate no-bypass ruleset	rejected
Local git verify-commit of landed main	good signature

Confirmed assumptions

• A personal-account repo does accept DeployKey as a ruleset bypass actor (stored as actor_id: null, the whole deploy-key category, so keep exactly one read-write deploy key).
• Rulesets need a public repo or GitHub Pro. PreviewsMCP is public, so free.
• GitHub only marks a commit verified when its signing key is registered on an account (needs the admin:ssh_signing_key token scope).

Operational gotchas for the host harness

• The deploy-key push must force IdentitiesOnly=yes and IdentityAgent=none, or a host ~/.ssh/config identity or loaded agent key makes the push authenticate as the account and the gate rejects it.
• required_signatures checks every new commit in a push, not just the tip. The VM must rebase so all landed commits are signed.

Plan doc updated on branch merge-queue-gate-spike-findings (commit 80f52ea): two-ruleset trust boundary, bootstrap runbook split, and the two gotchas added to phases 1, 3, and 4.