READY-TO-ASSEMBLE-LEGO1-PATCH1 06 — [P1-3] Atomic Failure-Model State Machine — 2026-06-22
Closes Codex P1-3. Gate: REGISTRATION_HOLD · CAN_PROCEED = NO · 0 runtime mutations. Design-only; no step executed.
1. Defect (reconstructed)
Prior S2–S8 were separate writes with no transaction boundaries, compensation checkpoints, retry/replay rules, or partial-failure handling; the rollback SQL allowed :successor=NULL, did not prove successor existence/admissibility, did not bind target/successor versions, and did not atomically require the audit record. SUPERSEDED.
2. State machine (executable, idempotent via p_idempotency_root)
Every transition is dispatched through fn_process_agent_api_dispatch(..., p_mode, p_idempotency_root); the idempotency_root is constant for the whole build so a retry resumes rather than duplicates.
| State | Entry guard | Action | On success → | On failure → (compensation) |
|---|---|---|---|---|
| S0_PREFLIGHT | — | run file 07 preflight (read-only) | S1_RESERVED | ABORT_PREFLIGHT (no writes) |
| S1_RESERVED | preflight GO | acquire lease + CAS-consume grant (file 05) | S2_SCHEMA | ABORT_NO_LEASE (no writes; grant untouched if CAS lost) |
| S2_SCHEMA | grant consumed | dot_iu_create_collection + table_registry wiring (metadata-first), idempotent | S3_VERIFY_SCHEMA | COMP_SCHEMA (reverse collection via reversible DOT; release lease) |
| S3_VERIFY_SCHEMA | schema applied | VERIFY_ONLY assert schema_digest matches | S4_VALUES | COMP_SCHEMA |
| S4_VALUES | schema verified | admit manifest values via staging gateway, one governed entry per value, idempotent by (operation_code, protocol_version) | S5_VERIFY_VALUES | COMP_VALUES (retire partial values via reversible lifecycle DOT) |
| S5_VERIFY_VALUES | values admitted | assert manifest_digest + count + guard views (file 08) | S6_EVIDENCE | COMP_VALUES |
| S6_EVIDENCE | values verified | write governed audit + evidence + readback (file 09) | S7_FINALIZE | COMP_EVIDENCE (record failure artifact) |
| S7_FINALIZE | evidence written | finalize grant state + release lease | DONE | COMP_FINALIZE |
3. Atomicity & partial-failure rules
- Transaction boundary: each Sx write is a single governed transaction; cross-state consistency is reconciled by the idempotent re-entry (the dispatcher resumes at the first incomplete state).
- Partial-failure stop states: failure after schema (COMP_SCHEMA), after partial value admission (COMP_VALUES), after audit (COMP_EVIDENCE); each is named and fail-closed, and none silently continues.
- Grant single-use preserved: because consume is at S1 (file 05), a mid-build failure never leaves the grant reusable; recovery runs under the same lease + idempotency_root or requires a fresh grant.
- Retry: safe. The same idempotency_root ⇒ completed states are skipped; the dispatcher dedupes.
- Idempotency keys: schema by collection name; values by (operation_code, protocol_version); audit by idempotency_root + state.
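As an added illustration (not the project's dispatcher or its fn_process_agent_api_dispatch signature), the following Python models the rules of sections 2 and 3 with an in-memory journal: one commit per state write keyed by idempotency_root, a named fail-closed compensation state on failure, and a retry under the same root that resumes at the first incomplete state. `Journal`, `dispatch`, `demo` and the injected S4_VALUES failure are constructed for this example.

```python
from dataclasses import dataclass, field

# Governed write states in order, each with its compensation stop state from the table above.
# S0/S1 are omitted: they abort without writes and need no compensation.
STATES = [
    ("S2_SCHEMA", "COMP_SCHEMA"),
    ("S3_VERIFY_SCHEMA", "COMP_SCHEMA"),
    ("S4_VALUES", "COMP_VALUES"),
    ("S5_VERIFY_VALUES", "COMP_VALUES"),
    ("S6_EVIDENCE", "COMP_EVIDENCE"),
    ("S7_FINALIZE", "COMP_FINALIZE"),
]

@dataclass
class Journal:
    """Constructed stand-in for the governed store: committed states keyed by idempotency_root."""
    done: dict = field(default_factory=dict)           # idempotency_root -> set of committed states
    compensations: list = field(default_factory=list)  # stop states entered, in order
    def completed(self, root, state):
        return state in self.done.get(root, set())
    def commit(self, root, state):
        self.done.setdefault(root, set()).add(state)   # one governed transaction per state write

def dispatch(journal, root, actions):
    """Hypothetical dispatcher: run each state not yet committed under `root`, in order.
    Returns ("DONE", executed) or (compensation_state, executed); a retry resumes where it stopped."""
    executed = []
    for state, comp in STATES:
        if journal.completed(root, state):
            continue                                    # dedupe: already committed under this root
        try:
            actions[state]()                            # the state's write (caller-supplied)
        except Exception:
            journal.compensations.append(comp)          # fail-closed; nothing silently continues
            return comp, executed
        journal.commit(root, state)
        executed.append(state)
    return "DONE", executed

def demo():
    """Constructed scenario: S4_VALUES fails on its first attempt, then the build is retried."""
    journal, attempts = Journal(), [0]
    def values_write():
        attempts[0] += 1
        if attempts[0] == 1:
            raise RuntimeError("staging gateway rejected batch")   # injected partial failure
    actions = {s: (lambda: None) for s, _ in STATES}
    actions["S4_VALUES"] = values_write
    first = dispatch(journal, "root-A", actions)    # stops at COMP_VALUES after S2, S3 committed
    second = dispatch(journal, "root-A", actions)   # same root: resumes at S4, runs to DONE
    return first, second, journal.compensations
```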
4. Enforced rollback invariants (corrected; supersedes prior file-08 §5)
A C1 rollback/supersession step is admitted only if all hold (else fail-closed with the RBP code):
| Rule | Enforcement |
|---|---|
| Target is a versioned row | target (operation_code, protocol_version) or vocab_id — never operation_code alone (file 03) |
| Successor not null when superseding | status='superseded' ⇒ successor_(operation_code, protocol_version) set ⇒ else ROLLBACK_SUCCESSOR_RULE_ABSENT (RBP-7) |
| Successor exists | composite FK ⇒ else reject |
| Successor admissible (active, compatible version) | guard check ⇒ else ROLLBACK_FORWARD_FAIL_CLOSED_VIOLATED (RBP-8) |
| Version binding | target version and successor version both explicit (no wrong-version hit) |
| Atomic audit | the supersession and its rollback_ref audit row commit in the same governed transaction ⇒ else ROLLBACK_AUDIT_TRAIL_ABSENT (RBP-9) |
| No delete | only status transition (no DELETE) ⇒ deletion ⇒ ROLLBACK_DELETES_REFERENCED_IDENTITY (RBP-2) |
| Locality | within the C1 collection only ⇒ else ROLLBACK_NOT_LOCAL (RBP-10) |
| Separate authorization | rollback execution is its own authorized act (own grant + lease) |
5. Boundary attestation
Design-only state machine; no transition executed, no compensation run, no rollback executed. REGISTRATION_HOLD retained; CAN_PROCEED = NO; 0 runtime mutations. Supersedes prior file-06 §2 step order and file-08 §5 rollback SQL.