READY-TO-ASSEMBLE-LEGO1-PATCH2 06 — Atomicity / Idempotency / Partial-Failure / Retry / Rollback Proof (B5) — 2026-06-22
Closes/holds Codex 5.5. Gate: REGISTRATION_HOLD · CAN_PROCEED = NO · 0 runtime mutations. Design-only.
1. Codex residuals (reproduced)
"Same idempotency_root ⇒ dispatcher resumes" is false — the dispatcher only validates/observes (file 01 R1). Each PATCH1 state was a separate txn (compensations could fail independently); COMP_SCHEMA/VALUES/EVIDENCE/FINALIZE were labels, not handlers; "reverse collection" was not reconciled with no-delete. Confirmed real.
2. Corrected transition model (resume engine is a STORED state row, not the dispatcher)
Idempotency/resume is owned by a governed build-run table c1_build_run(idempotency_root PK, state, last_ok_state, started_at, …) written by the build state machine handler — not by fn_process_agent_api_dispatch. Retry with the same idempotency_root reads last_ok_state and resumes; completed states are skipped.
| State | Action (governed channel) | On fail → compensation |
|---|---|---|
| S0 PREFLIGHT (read-only, file 07) | — | ABORT (no writes) |
| S1 RESERVE+CONSUME (file 05 §3, one txn) | lease + CAS-consume | ABORT_NO_LEASE (grant untouched if CAS lost) |
| S2 SCHEMA (DOT_C1_SCHEMA_ENSURE) | collection+fields+table_registry | COMP_SCHEMA |
| S3 VERIFY_SCHEMA (VERIFY_ONLY) | assert schema_digest | COMP_SCHEMA |
| S4 VALUES (DOT_C1_VALUE_ADMIT, idempotent by (operation_code,protocol_version)) | one governed write/value | COMP_VALUES |
| S5 VERIFY_VALUES | assert manifest_digest+count | COMP_VALUES |
| S6 EVIDENCE (governed audit handler) | audit+readback (file 10) | COMP_EVIDENCE (record failure artifact) |
| S7 FINALIZE | grant final state + release lease | COMP_FINALIZE |
3. Atomicity / partial-failure / retry rules
Each Sx write is a single governed transaction; cross-state consistency is reconciled by idempotent resume from last_ok_state. Named fail-closed stop states after schema/values/audit; none silently continues. Consume at S1 ⇒ a mid-build failure never re-arms the grant. Retry dedupes via the stored run row + per-value idempotency.
4. Rollback invariants (no DELETE; versioned compensation)
Compensation uses versioned retire/supersede, never DELETE. (The catalog confirms reversible lifecycle DOTs exist as a pattern — dot_iu_supersede_piece, dot_iu_retire_piece, dot_iu_restore_piece are reversible=true — but only for IU pieces; C1 needs its own governed compensation handlers.) A rollback step is admitted only if: target is a versioned row (operation_code,protocol_version)/vocab_id (never operation_code alone); successor present+exists (composite FK) when superseding (else RBP-7); successor admissible (else RBP-8); supersession + rollback_ref audit commit in one txn (else RBP-9); no DELETE (else RBP-2); local to the C1 collection (else RBP-10); rollback is its own separately-authorized act.
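As an added illustration (not code from the PATCH2 files or the project), the §3 resume rule and the §4 no-delete compensation modelled in Python: a stand-in c1_build_run row, one try/except per state as the transaction boundary, a retry with the same idempotency_root that skips completed states, and COMP_VALUES that retires and later supersedes rows instead of deleting them. The Store class, the grant ledger and the last_ok_state each compensation rewinds to are assumptions.

```python
# Added illustration, not project code; the rewind target (third column) is an assumption.
STATES = [  # (state, compensation on failure, last_ok_state after compensation)
    ("S0_PREFLIGHT", "ABORT", None),
    ("S1_RESERVE_CONSUME", "ABORT_NO_LEASE", None),
    ("S2_SCHEMA", "COMP_SCHEMA", "S1_RESERVE_CONSUME"),
    ("S3_VERIFY_SCHEMA", "COMP_SCHEMA", "S1_RESERVE_CONSUME"),
    ("S4_VALUES", "COMP_VALUES", "S3_VERIFY_SCHEMA"),
    ("S5_VERIFY_VALUES", "COMP_VALUES", "S3_VERIFY_SCHEMA"),
    ("S6_EVIDENCE", "COMP_EVIDENCE", "S5_VERIFY_VALUES"),
    ("S7_FINALIZE", "COMP_FINALIZE", "S6_EVIDENCE"),
]
NAMES = [s for s, _, _ in STATES]

class Store:  # constructed in-memory stand-in for the governed tables
    def __init__(self):
        self.runs = {}                 # c1_build_run: idempotency_root -> row
        self.grants = {"g1": "armed"}  # constructed grant ledger
        self.values = {}               # (operation_code, protocol_version) -> row
        self.audit = []                # append-only: compensations are recorded, never deleted

def run_build(store, root, grant_id, value_keys, fail_at=None):
    """One attempt; calling again with the same root resumes from last_ok_state."""
    row = store.runs.setdefault(root, {"state": None, "last_ok_state": None})
    start = 0 if row["last_ok_state"] is None else NAMES.index(row["last_ok_state"]) + 1
    for state, comp, rewind in STATES[start:]:       # completed states are skipped
        row["state"] = state
        try:
            if state == fail_at:
                raise RuntimeError(f"injected failure in {state}")
            if state == "S1_RESERVE_CONSUME":        # lease + CAS-consume in one txn
                if store.grants.get(grant_id) != "armed":
                    raise RuntimeError("CAS lost, grant untouched")
                store.grants[grant_id] = "consumed"  # a later failure never re-arms it
            elif state == "S4_VALUES":               # idempotent by (operation_code, protocol_version)
                for key in value_keys:
                    v = store.values.setdefault(key, {"version": 0, "status": "none"})
                    if v["status"] != "admitted":    # supersede a retired row with a new version
                        store.values[key] = {"version": v["version"] + 1, "status": "admitted"}
            elif state == "S7_FINALIZE":
                store.grants[grant_id] = "final"     # grant final state + release lease
            row["last_ok_state"] = state             # the per-state transaction commits here
        except RuntimeError as exc:
            if comp == "COMP_VALUES":                # versioned retire, never DELETE
                for key in store.values.keys() & set(value_keys):
                    store.values[key]["status"] = "retired"
            store.audit.append({"state": state, "compensation": comp, "error": str(exc)})
            row["state"], row["last_ok_state"] = comp, rewind
            return row
    row["state"] = "DONE"
    return row
```

A failure injected at S5 leaves the grant consumed, retires the admitted values, and rewinds last_ok_state to S3; the retry then re-runs S4 as a version-2 supersede and completes, while a fresh root against the now-used grant stops at ABORT_NO_LEASE.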
5. Honest status
The model (resume table, transaction boundaries, compensation semantics, no-delete rollback) is fully specified. But the transition/compensation handlers and c1_build_run table do not exist and cannot be created under REGISTRATION_HOLD/0-mutation. Classification: PREPARATION_GAP (tied to B1). The design is closed; the executable contracts are absent.
6. Boundary attestation
Design-only; no transition/compensation/rollback executed. REGISTRATION_HOLD retained; CAN_PROCEED = NO; 0 runtime mutations. Supersedes PATCH1 file 06 §2 (dispatcher-resume) and §3 (label compensations).