Phase 1: Strategy B: lazy invalidate-on-use revocation #71

Merged
erikinkinen merged 3 commits from 1-strategy-b-lazy-invalidate-on-use-revocation into main 2026-03-05 13:59:02 +01:00

Closes #31


## Summary

This PR implements Strategy B (`lazy_invalidate`) for deferred revocation enforcement.

`RevokeCap` under lazy strategy now marks resolved target edges as invalidated instead of deleting them, and `UseCap` denies use of invalidated existing edges with explicit reason `invalidated`.

The existing eager-delete path remains unchanged in semantics, including oracle completeness hard-gate. Event-log version stays at `v=3`; reason taxonomy is extended without introducing `v=4`.

## Scope

### Included

- `RevokerKind::LazyInvalidate`
- `RevocationEnforcementPolicy` on `IRevoker`
- Built-in `lazy_invalidate_revoker()`
- `EdgeStore` invalidation marker index and APIs
- Revoke policy split:
  - eager strategies: delete edges + oracle completeness gate
  - lazy strategy: mark invalidated only
- `UseCapOutcomeReason::Invalidated`
- Event-log reason support for `invalidated` across v1/v2/v3 result handling
- v3 revoker parsing/encoding support for `lazy_invalidate`
- Graph validation + snapshot/replay equality integration for invalidation index
- Tests for marker mechanics, deferred failures, determinism, replay/tamper, and CLI
- Phase 1 docs update for Strategy B semantics and reason taxonomy

### Explicitly excluded

- New event-log schema version
- Transitive/provenance semantics changes
- Cost counter definition changes from #28
- Strategy policy changes for existing eager revokers

## Behavioral Notes

- Lazy revoke does not remove edges at revoke time.
- Lazy revoke invalidates exactly the resolved target set.
- `UseCap` on an invalidated existing edge returns denied with reason `invalidated`.
- Removal-based oracle completeness gate remains eager-only.
- Replay determinism remains strategy-correct via v3 `revoker` metadata.

## Verification

- [x] `cmake --build _build --target aes_edge_store_tests aes_graph_validation_tests aes_apply_event_tests aes_engine_tests aes_snapshot_tests aes_revocation_strategy_tests aes_event_log_format_tests aes_event_log_reader_tests aes_event_log_replay_tests aes_cli_simulate_tests aes`
- [x] `ctest --test-dir _build --output-on-failure -R "aes_edge_store_tests|aes_graph_validation_tests|aes_apply_event_tests|aes_engine_tests|aes_snapshot_tests|aes_revocation_strategy_tests"`
- [x] `ctest --test-dir _build --output-on-failure -R "aes_event_log_format_tests|aes_event_log_reader_tests|aes_event_log_replay_tests|aes_cli_simulate_tests|aes_revocation_oracle_tests|aes_invalid_event_determinism_tests"`

## Review Focus

- Correctness of policy split in `apply_revoke_cap` (eager delete vs lazy invalidate)
- `UseCap` evaluation order and `invalidated` outcome handling
- Invalidation marker lifecycle invariants in `EdgeStore`
- Event-log reason/replay validation consistency for `invalidated`
- Determinism and tamper detection coverage for v3 `lazy_invalidate`
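The policy split and the `UseCap` evaluation order in the description above, as an added illustration that is not the AES project's own code: a small model of an edge store with a separate invalidation marker index, a `RevokeCap` step that either deletes (eager) or marks (lazy) the resolved target set, and a `UseCap` step that checks existence before the marker so a lazily revoked edge is denied with reason `invalidated`. The names `EdgeStore`, `RevocationEnforcementPolicy`, `apply_revoke_cap` and `UseCapOutcomeReason::Invalidated` follow the PR text; the data layout, the `MissingEdge` reason for an edge that no longer exists, and the `validate()` invariant check are assumptions of this example.

```cpp
// Added example modelling the eager-delete vs lazy-invalidate split; not the
// project's code. Layout and the MissingEdge reason are assumptions.
#include <cstddef>
#include <cstdint>
#include <map>
#include <set>
#include <string>
#include <vector>

using EdgeId = std::uint64_t;

enum class RevocationEnforcementPolicy { EagerDelete, LazyInvalidate };

enum class UseCapOutcomeReason { Ok, MissingEdge, Invalidated };

struct UseCapOutcome {
    bool allowed;
    UseCapOutcomeReason reason;
};

// Live edges plus a separate marker index for invalidated edges.
// Invariant (assumed): every id in the marker index is also a live edge.
class EdgeStore {
public:
    void add_edge(EdgeId id, const std::string& subject, const std::string& object) {
        edges_[id] = Edge{subject, object};
    }
    bool has_edge(EdgeId id) const { return edges_.count(id) != 0; }
    bool is_invalidated(EdgeId id) const { return invalidated_.count(id) != 0; }
    std::size_t edge_count() const { return edges_.size(); }
    std::size_t invalidated_count() const { return invalidated_.size(); }

    // Eager path: the edge is physically removed and any marker goes with it.
    bool erase_edge(EdgeId id) {
        invalidated_.erase(id);
        return edges_.erase(id) != 0;
    }
    // Lazy path: the edge stays, only the marker is set. Unknown ids are
    // rejected so a marker can never exist without its edge.
    bool mark_invalidated(EdgeId id) {
        if (!has_edge(id)) return false;
        invalidated_.insert(id);
        return true;
    }
    // Marker-index invariant; a graph validator would run this after replay
    // or snapshot load.
    bool validate() const {
        for (EdgeId id : invalidated_)
            if (!has_edge(id)) return false;
        return true;
    }

private:
    struct Edge { std::string subject, object; };
    std::map<EdgeId, Edge> edges_;
    std::set<EdgeId> invalidated_;
};

// RevokeCap: the resolved target set is deleted (eager) or marked (lazy).
// Returns how many targets were affected; an eager caller would feed this to
// its removal-based completeness gate, the lazy path runs no such gate.
std::size_t apply_revoke_cap(EdgeStore& store, const std::vector<EdgeId>& targets,
                             RevocationEnforcementPolicy policy) {
    std::size_t affected = 0;
    for (EdgeId id : targets) {
        bool ok = (policy == RevocationEnforcementPolicy::EagerDelete)
                      ? store.erase_edge(id)
                      : store.mark_invalidated(id);
        if (ok) ++affected;
    }
    return affected;
}

// UseCap evaluation order: existence first, then the invalidation marker.
// An eagerly revoked edge is reported as missing, a lazily revoked one as
// invalidated; both are denied.
UseCapOutcome apply_use_cap(const EdgeStore& store, EdgeId id) {
    if (!store.has_edge(id)) return {false, UseCapOutcomeReason::MissingEdge};
    if (store.is_invalidated(id)) return {false, UseCapOutcomeReason::Invalidated};
    return {true, UseCapOutcomeReason::Ok};
}

// Reason string as it would appear in an event-log result record.
const char* reason_name(UseCapOutcomeReason r) {
    switch (r) {
        case UseCapOutcomeReason::Ok: return "ok";
        case UseCapOutcomeReason::MissingEdge: return "missing_edge";
        case UseCapOutcomeReason::Invalidated: return "invalidated";
    }
    return "unknown";
}
```

Running the same revoke-then-use sequence under both policies shows the difference a replay validator has to account for: the lazy store keeps its edge count and reports `invalidated`, the eager store shrinks and reports the edge as missing, which is why the strategy has to be recorded in the v3 revoker metadata for replay to be deterministic.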
erikinkinen added this to the Phase 1 milestone 2026-03-05 13:58:16 +01:00
Phase 1: Add deferred failure behavior tests (#31)
All checks were successful
ci / smoke (push) Successful in 18s
ci / smoke (pull_request) Successful in 18s
clang-format / check-format (pull_request) Successful in 9s
markdownlint / markdown-lint (pull_request) Successful in 9s
clang-format / check-format (push) Successful in 9s
markdownlint / markdown-lint (push) Successful in 10s
ef5126b4d4
Reference
erikinkinen/AES!71