Phase 1: Revocation cost accounting framework #68

Merged
erikinkinen merged 3 commits from 1-revocation-cost-accounting-framework into main 2026-03-05 11:52:31 +01:00

Closes #28


Summary

This PR implements a deterministic, strategy-independent revocation cost accounting framework for Phase 1.

It adds revocation cost counters to core revocation outcomes, introduces time/step context via event-log result builder state, and logs per-revocation counters in a new event-log v=2 result schema.

Added counter dimensions:

  • edges_scanned
  • edges_removed
  • nodes_touched
  • request_index
  • step

Scope

Included

  • core revocation cost counters on RevocationResult
  • Deterministic counter computation in apply_revoke_cap
  • Event-log result builder API for v2 (build_event_log_result_v2)
  • Event-log v=2 encode/decode and strict schema validation
  • Replay-side validation of logged v2 result data against re-executed outcomes
  • CLI simulate path updated to emit v=2 records
  • Phase 1 documentation update for per-request counters and v2 logging semantics
  • Expanded tests for counters, v2 schema, builder state progression, replay tamper detection, and CLI output expectations

Explicitly excluded

  • Revocation strategy/policy changes
  • Non-deterministic or wall-clock timing metrics
  • Logging of failed revocation attempts as event records
  • Changes to v0/v1 backward compatibility behavior (decode support remains)

Design intent

The design keeps accounting strategy-independent by deriving counters from normalized selectors and authoritative graph state, not implementation internals.

v=2 is introduced instead of changing v=1 to preserve strict v1 behavior and compatibility while enabling richer revocation accounting fields.


Phase discipline

This is a Phase 1 change.

It extends revocation semantics and logging while preserving Phase 0 invariants:

  • event-driven mutation only
  • deterministic replay
  • strict schema validation
  • reproducible outcomes

Verification

  • cmake --build _build --target aes aes_apply_event_tests aes_engine_tests aes_event_log_format_tests aes_event_log_reader_tests aes_event_log_replay_tests aes_cli_simulate_tests aes_revocation_oracle_tests aes_reachability_tests aes_residual_authority_tests
  • ctest --test-dir _build --output-on-failure -R "aes_apply_event_tests|aes_engine_tests"
  • ctest --test-dir _build --output-on-failure -R "aes_event_log_format_tests|aes_event_log_reader_tests|aes_event_log_replay_tests|aes_cli_simulate_tests"
  • ctest --test-dir _build --output-on-failure -R "aes_revocation_oracle_tests|aes_reachability_tests|aes_residual_authority_tests"

Notes

Review focus:

  • correctness of edges_scanned/edges_removed/nodes_touched semantics
  • request_index progression and step binding
  • v2 strict schema constraints (RevokeCap requires revocation_cost_v2, non-RevokeCap forbids it)
  • replay tamper detection behavior for v2 result fields
  • CLI output version change from v1 to v2
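The per-request counters, the strict v=2 schema rule (RevokeCap requires revocation_cost_v2, every other kind forbids it) and the replay-side comparison of logged counters against re-executed outcomes, as an added illustration that is not the project's code. It is written in C++ on the assumption that the AES repository is C/C++ (cmake targets, clang-format check); the edge-list graph, the selector shape, the `EventRecord` layout, the `simulate`/`replay`/`replay_tampered` functions and the sample log are all constructed for this example and are not the project's types or API.

```cpp
// Added example, not the AES project's code: a toy model of strategy-independent revocation
// cost accounting, strict v=2 event records, and replay-side tamper detection.
#include <algorithm>
#include <cstdint>
#include <iostream>
#include <optional>
#include <set>
#include <string>
#include <tuple>
#include <vector>
struct Edge { std::string src, dst, cap; };      // hypothetical authority graph edge
using Graph = std::vector<Edge>;
struct RevokeSelector { std::string src, cap; }; // normalised selector; empty cap = every cap from src
struct RevocationCost {                          // field names mirror the PR's counter dimensions
    uint64_t edges_scanned = 0, edges_removed = 0, nodes_touched = 0, request_index = 0, step = 0;
};

// Deterministic by construction: edges are visited in canonical sorted order, so counters depend
// only on graph state and the selector, never on insertion order or container internals.
RevocationCost apply_revoke_cap(Graph& g, const RevokeSelector& sel) {
    std::sort(g.begin(), g.end(), [](const Edge& a, const Edge& b) {
        return std::tie(a.src, a.dst, a.cap) < std::tie(b.src, b.dst, b.cap); });
    RevocationCost c; std::set<std::string> touched; Graph kept;
    for (const Edge& e : g) {
        ++c.edges_scanned;
        if (e.src == sel.src && (sel.cap.empty() || e.cap == sel.cap)) {
            ++c.edges_removed; touched.insert(e.src); touched.insert(e.dst);
        } else kept.push_back(e);
    }
    c.nodes_touched = touched.size(); g.swap(kept);
    return c;
}

enum class Kind { GrantCap, RevokeCap };
struct EventRecord {
    int v; Kind kind;
    Edge grant; RevokeSelector revoke;                 // payload for GrantCap / RevokeCap
    std::optional<RevocationCost> revocation_cost_v2;  // logged result, RevokeCap only
};
enum class ReplayStatus { Ok, SchemaViolation, CostMismatch, IndexMismatch };
// Strict v=2 rule from the PR: RevokeCap requires revocation_cost_v2, any other kind forbids it.
bool schema_valid_v2(const EventRecord& r) {
    return r.v == 2 && ((r.kind == Kind::RevokeCap) == r.revocation_cost_v2.has_value());
}

// Recording side (stands in for a v2 result builder): carries request_index/step state and attaches counters.
std::vector<EventRecord> simulate(const std::vector<EventRecord>& inputs) {
    Graph g; std::vector<EventRecord> out; uint64_t request_index = 0;
    for (uint64_t step = 0; step < inputs.size(); ++step) {
        EventRecord r = inputs[step];
        r.v = 2; r.revocation_cost_v2.reset();
        if (r.kind == Kind::GrantCap) g.push_back(r.grant);
        else {
            RevocationCost& c = r.revocation_cost_v2.emplace(apply_revoke_cap(g, r.revoke));
            c.request_index = request_index++; c.step = step;
        }
        out.push_back(r);
    }
    return out;
}

// Replay side: re-execute from an empty graph and compare every logged counter with the recomputed one.
ReplayStatus replay(const std::vector<EventRecord>& log) {
    Graph g; uint64_t request_index = 0;
    for (uint64_t step = 0; step < log.size(); ++step) {
        const EventRecord& r = log[step];
        if (!schema_valid_v2(r)) return ReplayStatus::SchemaViolation;
        if (r.kind == Kind::GrantCap) { g.push_back(r.grant); continue; }
        RevocationCost got = apply_revoke_cap(g, r.revoke);
        const RevocationCost& logged = *r.revocation_cost_v2;
        if (request_index++ != logged.request_index || step != logged.step) return ReplayStatus::IndexMismatch;
        if (got.edges_scanned != logged.edges_scanned || got.edges_removed != logged.edges_removed ||
            got.nodes_touched != logged.nodes_touched) return ReplayStatus::CostMismatch;
    }
    return ReplayStatus::Ok;
}

// Constructed sample input (not project data): three grants, then two revocations.
std::vector<EventRecord> sample_inputs() {
    return {{2, Kind::GrantCap, {"alice", "svc-a", "read"}, {}, std::nullopt},
            {2, Kind::GrantCap, {"alice", "svc-b", "write"}, {}, std::nullopt},
            {2, Kind::GrantCap, {"bob", "svc-a", "read"}, {}, std::nullopt},
            {2, Kind::RevokeCap, {}, {"alice", ""}, std::nullopt},
            {2, Kind::RevokeCap, {}, {"bob", "read"}, std::nullopt}};
}

// Tamper scenarios replay must catch: 1 = edited counter, 2 = counters attached to a grant,
// 3 = a dropped event, which shifts every later step and breaks the logged step binding.
ReplayStatus replay_tampered(int scenario) {
    std::vector<EventRecord> log = simulate(sample_inputs());
    if (scenario == 1) log[3].revocation_cost_v2->edges_removed = 1;
    if (scenario == 2) log[0].revocation_cost_v2 = RevocationCost{};
    if (scenario == 3) log.erase(log.begin() + 2);
    return replay(log);
}

int main() {
    std::cout << "intact=" << (replay(simulate(sample_inputs())) == ReplayStatus::Ok)
              << " edited_counter_caught=" << (replay_tampered(1) == ReplayStatus::CostMismatch) << '\n';
}
```

The two index checks do different jobs: `request_index` catches a reordered or duplicated revocation, while `step` catches any record dropped earlier in the log, which is why both are bound to each counter record. The toy scans the whole edge set on every revocation; the project's real counters follow whatever normalized selector and traversal it defines, so only the validation shape carries over, not the numbers.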
erikinkinen added this to the Phase 1 milestone 2026-03-05 11:14:33 +01:00
Phase 1: Log counters per revocation event (#28)
All checks were successful
ci / smoke (push) Successful in 17s
clang-format / check-format (push) Successful in 9s
markdownlint / markdown-lint (push) Successful in 9s
ci / smoke (pull_request) Successful in 17s
clang-format / check-format (pull_request) Successful in 9s
markdownlint / markdown-lint (pull_request) Successful in 9s
9cd3ab8a82
Reference
erikinkinen/AES!68