Phase 1: Strategy A: eager traversal revocation #70

Merged

erikinkinen merged 3 commits from 1-strategy-a-eager-traversal-revocation into main

2026-03-05 13:35:14 +01:00

erikinkinen commented

2026-03-05 13:26:54 +01:00

Owner

Closes #30

Summary

This PR implements Strategy A eager traversal revocation with deterministic BFS/DFS behavior and an oracle-gated completeness check.

It adds two new revocation strategies:

eager_bfs
eager_dfs

and keeps them replay-safe by introducing event-log v=3 with per-record revoker metadata.

Included

IRevoker surface extended with eager traversal strategy kinds.
Eager target resolution over live delegation lineage (parent -> children).
Delegation lineage indexing in EdgeStore:
- parent-to-children lookup
- child-to-parent lookup
- lifecycle maintenance on delegate/remove/reduce-rights paths
Deterministic traversal rules:
- roots in ascending EdgeId
- children expanded in ascending EdgeId
- BFS FIFO, DFS stack with reverse-push for ascending preorder
- visited-once semantics across overlapping roots
Hard completeness gate in revoke application using post-revocation oracle:
- completeness failure => Errc::InvariantViolation
Event-log v=3 support:
- required record field: revoker
- strict schema validation
- replay applies each record with its logged revoker
- v0/v1/v2 backward-compatible read/replay preserved
CLI integration:
- --revoker <direct|snapshot_direct|eager_bfs|eager_dfs>
- simulate writes v=3 records with revoker

Explicitly Excluded

Soundness as a runtime gate (completeness-only gate in this issue).
Semantics beyond delegation-lineage traversal.
Breaking changes to existing v0/v1/v2 log consumption.

Verification

cmake --build _build --target aes_apply_event_tests aes_engine_tests aes_revocation_strategy_tests aes_event_log_format_tests aes_event_log_reader_tests aes_event_log_replay_tests aes_cli_simulate_tests aes
ctest --test-dir _build --output-on-failure -R "aes_event_log_format_tests|aes_event_log_reader_tests|aes_event_log_replay_tests|aes_cli_simulate_tests|aes_apply_event_tests|aes_engine_tests|aes_revocation_strategy_tests|aes_revocation_oracle_tests|aes_invalid_event_determinism_tests"

Review Focus

Traversal closure and deterministic output order for BFS/DFS.
Delegation lineage index correctness under edge lifecycle mutations.
Oracle completeness hard-fail behavior in revoke path.
v=3 schema strictness and replay strategy correctness via revoker.

Closes #30 --- ## Summary This PR implements Strategy A eager traversal revocation with deterministic BFS/DFS behavior and an oracle-gated completeness check. It adds two new revocation strategies: - `eager_bfs` - `eager_dfs` and keeps them replay-safe by introducing event-log `v=3` with per-record revoker metadata. --- ## Included - `IRevoker` surface extended with eager traversal strategy kinds. - Eager target resolution over live delegation lineage (`parent -> children`). - Delegation lineage indexing in `EdgeStore`: - parent-to-children lookup - child-to-parent lookup - lifecycle maintenance on delegate/remove/reduce-rights paths - Deterministic traversal rules: - roots in ascending `EdgeId` - children expanded in ascending `EdgeId` - BFS FIFO, DFS stack with reverse-push for ascending preorder - visited-once semantics across overlapping roots - Hard completeness gate in revoke application using post-revocation oracle: - completeness failure => `Errc::InvariantViolation` - Event-log `v=3` support: - required record field: `revoker` - strict schema validation - replay applies each record with its logged revoker - `v0/v1/v2` backward-compatible read/replay preserved - CLI integration: - `--revoker <direct|snapshot_direct|eager_bfs|eager_dfs>` - simulate writes `v=3` records with `revoker` --- ## Explicitly Excluded - Soundness as a runtime gate (completeness-only gate in this issue). - Semantics beyond delegation-lineage traversal. - Breaking changes to existing `v0/v1/v2` log consumption. --- ## Verification - [x] `cmake --build _build --target aes_apply_event_tests aes_engine_tests aes_revocation_strategy_tests aes_event_log_format_tests aes_event_log_reader_tests aes_event_log_replay_tests aes_cli_simulate_tests aes` - [x] `ctest --test-dir _build --output-on-failure -R "aes_event_log_format_tests|aes_event_log_reader_tests|aes_event_log_replay_tests|aes_cli_simulate_tests|aes_apply_event_tests|aes_engine_tests|aes_revocation_strategy_tests|aes_revocation_oracle_tests|aes_invalid_event_determinism_tests"` --- ## Review Focus - Traversal closure and deterministic output order for BFS/DFS. - Delegation lineage index correctness under edge lifecycle mutations. - Oracle completeness hard-fail behavior in revoke path. - `v=3` schema strictness and replay strategy correctness via `revoker`.