Admit contract-defined inverse intents from causal history#659
Admit contract-defined inverse intents from causal history#659flyingrobots wants to merge 8 commits into
Conversation
|
Warning Review limit reached
Next review available in: 22 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (40)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
…verse-admission # Conflicts: # CHANGELOG.md
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 9bf2def0e5
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| receipt_digest: matching_entry.and_then(|entry| { | ||
| entry | ||
| .receipt_ref | ||
| .map(|receipt_ref| hex_hash(&receipt_ref.receipt_content_digest)) |
There was a problem hiding this comment.
Emit exact receipt coordinates in posture output
When two decided submissions produce identical tick-receipt content, this still reports only receipt_content_digest, even though TickReceipt::digest is intentionally not tied to the admitted tick/commit coordinate. In that scenario wal submission-posture prints the same Receipt for distinct causal receipt events, so callers cannot use the CLI output to identify the exact retained receipt needed by the new inverse/ancestry surfaces; emit the CausalTickReceiptRef identity or its coordinate fields instead of just the content digest.
Useful? React with 👍 / 👎.
| let correlation = self | ||
| .runtime | ||
| .receipt_correlation_for_receipt_ref(&request.target_receipt_ref) | ||
| .ok_or_else(|| ContractInverseObstruction::TargetReceiptUnavailable { |
There was a problem hiding this comment.
Reject inverse requests for rejected target receipts
When target_receipt_ref names a receipt correlation whose receipt entry was Rejected(FootprintConflict), this path still treats it as an invertible target, decodes the original mutation, and invokes the inverse law. In that conflict scenario the original contract mutation never changed state, so admitting the produced inverse can create a spurious forward mutation; after resolving the correlation, verify that the target outcome is an applied receipt entry before constructing the inverse context.
Useful? React with 👍 / 👎.
| causal_parent_receipts.sort_unstable(); | ||
| causal_parent_receipts.dedup(); |
There was a problem hiding this comment.
Reject non-canonical parent receipt encodings
If a committed ReceiptCorrelationRecorded payload contains duplicate or out-of-order parent receipts, recovery currently sorts and deduplicates it instead of rejecting the WAL bytes. That means a byte-valid but non-canonical segment can silently rewrite the causal ancestry that inverse/recovery indexes expose, rather than surfacing corruption; decode should reject payloads whose parent list is not already canonical (or whose re-encoded bytes differ).
Useful? React with 👍 / 👎.
Summary
Closes #472.
Why
Undo and redo must be forward causal history, not process-local snapshots or an LRU correlation cache. An application contract owns inverse semantics; Echo owns evidence resolution, admission, durability, ordering, and receipts.
Validation
cargo test -p warp-core --features native_rule_bootstrap,trusted_runtime,host_testcargo test -p warp-core --features native_rule_bootstrap --test installed_contract_registry_testscargo test -p warp-cli --test cli_integrationcargo check --workspace --all-targetscargo clippyfor warp-core and warp-cli targetscargo fmt --all -- --checkgit diff --check