This is a great orchestration model!

I've been building a work ledger that could plug into Symphony as an optional acceptance + provenance layer.

Here's the split I'm thinking:

Symphony = execution authority. Dispatch, retries, workspace isolation, run lifecycle.

Work Ledger = acceptance/receipt authority. The layer that decides when "run finished" becomes "work accepted" — with proof.

Work Ledger + Symphony = Work Control Plane

What the ledger actually does:

1. Defines the acceptance boundary: "Agent completed" ≠ "canonical." Acceptance fires when gates pass. Either merge or a workflow-defined handoff state.

2. Emits portable receipts: Append-only records: what changed, why, evidence, who approved, integrity fingerprint. Receipts travel across repos, orgs, boundaries.

3. Preserves provenance: Durable history across retries, restarts, agents. Queryable "why was this accepted?" durably.

4. Stays runtime-agnostic: Same trust model whether the executor is Symphony, a human, or mixed.

Git-native integration points

Optional, feature-flagged, no persistent DB required for Symphony core:

• issue claimed/released → ledger event
• run attempt start/finish/retry → ledger event
• PR opened/updated → evidence links (base_sha, head_sha, PR URL)
• merge + required checks pass → canonical acceptance receipt

Receipt keys: issue_id, attempt, session_id, workspace_key, merge_commit_sha, gate_outcomes, reviewer_decision, reason_code, timestamp.

Why this matters

Symphony answers: "Did execution run?"
Work ledger answers: "Is this now trusted and canonical with proof?"

No intent to replace or complicate Symphony. Just the acceptance layer that sits alongside.

Happy to discuss.

-Ben