(module ImprovementGovernanceDemo
  (capsule "0.7")

  (contract NoUnauthorizedEffects
    (summary "Successors must not acquire undeclared live authority."))

  (lineage CandidateLineage
    (parent "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa")
    (candidate "sha256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb")
    (reason "Improve claim triage while preserving authority boundaries.")
    (proposed-by agent:ReviewImprover)
    (created-at "2026-05-16T00:00:00Z"))

  (objective BetterTriage
    (summary "Improve claim triage quality without expanding live authority.")
    (metric f1_score "evals/claim_triage_gold.jsonl")
    (metric latency_ms)
    (maximize f1_score)
    (constraint latency_ms <= 500)
    (constraint live_effects_added == 0))

  (eval-suite ClaimReviewRegression
    (summary "Regression suite for candidate claim-review successors.")
    (dataset "evals/claim_review_regression.jsonl")
    (metric exact_match >= 98)
    (metric unsafe_action_rate == 0)
    (must-pass examples)
    (must-pass replay "ledgers/golden/*.jsonl"))

  (verification-hook ImprovementSafety
    (summary "Safety obligations generated for the recursive improvement gate.")
    (target lean4)
    (status open)
    (subject successor-contract:SafeSuccessor)
    (subject gate:DeployCandidate)
    (obligation deploy_requires_eval_pass)
    (obligation deploy_requires_approval)
    (obligation effect_expansion_requires_security_approval))

  (successor-contract SafeSuccessor
    (summary "Successor candidates must preserve authority and evaluation invariants.")
    (preserve contract:NoUnauthorizedEffects)
    (forbid effect-expansion unless approval:SecurityOwner)
    (require eval-suite:ClaimReviewRegression)
    (require verification-status checked)
    (require ledgered true))

  (budget ImprovementBudget
    (summary "Bound the autonomous iteration envelope for candidate generation.")
    (max-iterations 3)
    (max-llm-calls 50)
    (max-ci-runs 10)
    (max-wall-clock-ms 3600000)
    (max-cost-usd 25)
    (allow-effects llm.call repo.diff repo.propose_patch repo.apply_patch.sandboxed ci.run eval.run proof.emit proof.verify approval.request risk.review deploy.shadow deploy.canary deploy.promote deploy.rollback)
    (deny-effects deploy.live secret.read model.train.frontier))

  (gate DeployCandidate
    (summary "A candidate can reach deployment only after eval, contract, proof, ledger, and human approval evidence.")
    (requires eval-suite ClaimReviewRegression passed)
    (requires successor-contract SafeSuccessor preserved)
    (requires approval SecurityOwner granted)
    (requires verification-status checked)
    (requires ledgered true)
    (on-fail quarantine)
    (on-pass canary))

  (deployment-policy CandidatePolicy
    (summary "Deploy successors through shadow and canary stages with rollback to the parent hash.")
    (mode shadow-first)
    (canary-percent 5)
    (rollback-to parent)
    (promote-gate DeployCandidate)
    (quarantine-on eval-regression policy-violation unexpected-effect missing-ledger-record))

  (improvement-record CandidateRecord
    (summary "Illustrative ledger record for one candidate successor.")
    (parent-hash "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa")
    (candidate-hash "sha256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb")
    (diff-hash "sha256:cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc")
    (objective BetterTriage)
    (eval-result ClaimReviewRegression passed)
    (proof-result ImprovementSafety checked)
    (policy-decision DeployCandidate passed)
    (approval SecurityOwner approved "security@example.test")
    (deployment-outcome shadow ok)
    (rollback-pointer "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"))

  (machine ImprovementCycle
    (version "0.1")
    (event ProposeCandidate)
    (event StaticCheckPassed)
    (event EvalPassed)
    (event VerificationPassed)
    (event Approved)
    (event ShadowOk)
    (event CanaryOk)
    (event PolicyViolation)
    (initial drafting)

    (state drafting
      (on ProposeCandidate
        (target static_check)
        (effects
          (repo.propose_patch))))

    (state static_check
      (on StaticCheckPassed
        (target evaluate)
        (effects
          (ci.run))))

    (state evaluate
      (on EvalPassed
        (target verify)
        (effects
          (eval.run ClaimReviewRegression))))

    (state verify
      (on VerificationPassed
        (target human_review)
        (effects
          (proof.verify ImprovementSafety))))

    (state human_review
      (on Approved
        (target shadow_deploy)
        (effects
          (approval.request DeployCandidate))))

    (state shadow_deploy
      (on ShadowOk
        (target canary_deploy)
        (effects
          (deploy.shadow CandidatePolicy)))
      (on PolicyViolation
        (target quarantined)
        (effects
          (deploy.rollback CandidatePolicy))))

    (state canary_deploy
      (on CanaryOk
        (target promoted)
        (effects
          (deploy.canary CandidatePolicy)
          (deploy.promote CandidatePolicy)))
      (on PolicyViolation
        (target quarantined)
        (effects
          (deploy.rollback CandidatePolicy))))

    (state promoted (type final))
    (state quarantined (type final))))