Phase 1: Strategy C: lineage-based revocation (basic) #72

Merged
erikinkinen merged 3 commits from 1-strategy-c-lineage-based-revocation-basic into main 2026-03-06 09:51:16 +01:00

Task

Closes #32


Summary

This PR adds Strategy C (lineage_basic) as a behavior-divergent, deterministic revocation strategy that revokes selected roots plus their ancestor chain (no depth limit), while keeping eager-delete enforcement.

It introduces explicit parent-edge lineage metadata on capability edges, wires lineage_basic through CLI and event-log v3 revoker metadata, and adds canonical comparison tests against eager traversal strategies.


Included

  • Parent-edge metadata on capability edges:
    • CapabilityEdge::parent_edge (std::optional<EdgeId>)
    • delegation writes parent reference
    • parent reference is preserved even if parent edge is later removed
  • Lineage strategy implementation:
    • new RevokerKind::LineageBasic
    • new lineage_basic_revoker() accessor
    • deterministic root+ancestor resolution
  • Runtime/config wiring:
    • CLI supports --revoker lineage_basic
    • event-log v3 revoker parse/encode accepts lineage_basic
  • Deterministic comparison coverage:
    • exact expected vectors for lineage_basic vs eager_bfs and eager_dfs
    • engine-level differential behavior assertions
    • v3 reader/replay compatibility and tamper detection for lineage strategy
  • Docs updates in Phase 1 strategy section and compare-to-eager expectations

Not Included

  • Event-log version bump (v3 remains current)
  • New revocation policy mode (Strategy C is EagerDelete)
  • Changes to cost counter semantics from #28
  • Changes to lazy invalidation behavior from #31

Design Notes

  • lineage_basic target semantics:
    • normalize selector (sort + unique)
    • invalid edge id => InvalidArgument
    • missing selected root => NotFound
    • traversal order:
      • roots processed ascending by EdgeId
      • each root emits root -> parent -> grandparent -> ...
      • visited-once across overlapping roots
      • missing parent edge is a boundary, not an error
  • Existing eager completeness oracle gate remains in place.

Verification

  • cmake --build _build --target aes_revocation_strategy_tests aes_apply_event_tests aes_engine_tests aes_edge_store_tests aes_graph_validation_tests aes_snapshot_tests aes_event_log_format_tests aes_event_log_reader_tests aes_event_log_replay_tests aes_cli_simulate_tests
  • ctest --test-dir _build --output-on-failure -R "aes_revocation_strategy_tests|aes_apply_event_tests|aes_engine_tests|aes_cli_simulate_tests"
  • ctest --test-dir _build --output-on-failure -R "aes_event_log_format_tests|aes_event_log_reader_tests|aes_event_log_replay_tests|aes_revocation_oracle_tests|aes_invalid_event_determinism_tests"

Review Focus

  • Parent reference lifecycle correctness (DelegateCap, remove, snapshot/validation)
  • Deterministic ancestry resolution order and visited-once behavior
  • Exact canonical vector expectations in lineage-vs-eager comparison tests
  • v3 revoker metadata strictness and replay tamper detection for lineage_basic
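As an added example that is not the AES project's own code, the lineage_basic target resolution described in the Design Notes, run over a constructed edge store; EdgeId, the map-based store (absent key means removed edge), the kInvalidEdge sentinel, the Status enum and checking all roots before any traversal are assumptions.

```cpp
// Assumed shapes (not the project's own): EdgeId, store map, sentinel, Status.
#include <algorithm>
#include <cstdint>
#include <limits>
#include <map>
#include <optional>
#include <set>
#include <vector>

using EdgeId = std::uint32_t;
constexpr EdgeId kInvalidEdge = std::numeric_limits<EdgeId>::max();  // assumed sentinel
struct CapabilityEdge {
    std::optional<EdgeId> parent_edge;  // preserved even if the parent edge is removed
};
using EdgeStore = std::map<EdgeId, CapabilityEdge>;  // absent key == removed edge
enum class Status { Ok, InvalidArgument, NotFound };
struct LineageResult {
    Status status;
    std::vector<EdgeId> targets;  // canonical revocation order
};

LineageResult resolve_lineage_basic(const EdgeStore& store, std::vector<EdgeId> selector) {
    // normalize selector (sort + unique): result no longer depends on caller order
    std::sort(selector.begin(), selector.end());
    selector.erase(std::unique(selector.begin(), selector.end()), selector.end());
    for (EdgeId id : selector) {
        if (id == kInvalidEdge) return {Status::InvalidArgument, {}};
        if (!store.count(id)) return {Status::NotFound, {}};  // missing selected root
    }
    std::set<EdgeId> visited;
    std::vector<EdgeId> out;
    for (EdgeId root : selector) {            // roots ascend by EdgeId after the sort
        EdgeId cur = root;
        while (visited.insert(cur).second) {  // visited-once across overlapping roots
            out.push_back(cur);               // root -> parent -> grandparent -> ...
            const auto& parent = store.at(cur).parent_edge;
            if (!parent) break;               // top of the chain
            if (!store.count(*parent)) break; // removed parent: boundary, not an error
            cur = *parent;
        }
    }
    return {Status::Ok, out};
}

// Constructed sample: 2 delegated from 1, 3 from 2, 4 from 3; 6 from 5, 5 from 9 (9 removed)
EdgeStore sample_store() {
    EdgeStore s;
    s[1] = {std::nullopt}; s[2] = {EdgeId{1}}; s[3] = {EdgeId{2}};
    s[4] = {EdgeId{3}};    s[5] = {EdgeId{9}}; s[6] = {EdgeId{5}};
    return s;
}
```

Selecting {4, 3, 4} yields 3, 2, 1, 4: root 3 is processed first, and root 4 stops at 3 because it was already visited.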
erikinkinen added this to the Phase 1 milestone 2026-03-06 09:30:32 +01:00
Phase 1: Compare results to eager strategy (#32)
All checks were successful
ci / smoke (push) Successful in 18s
clang-format / check-format (push) Successful in 9s
markdownlint / markdown-lint (push) Successful in 11s
ci / smoke (pull_request) Successful in 19s
clang-format / check-format (pull_request) Successful in 9s
markdownlint / markdown-lint (pull_request) Successful in 9s
ddd7e17858
Reference
erikinkinen/AES!72