Add guarded conflict recovery plans#72
Conversation
|
Fresh-context review found two blocking concerns:
Verification: |
|
Addressed both blocking review concerns in commit
Verification passed:
|
|
High: exact rebase recovery still ignores refs that abort can overwrite ( Verification: |
|
Addressed the exact rebase recovery ref concern from #72 (comment) in commit
Verification passed:
|
|
High: deferred sequence requests are revalidated only after the first side effect ( |
|
Addressed the deferred sequence policy bypass from #72 (comment) in commit
Verification passed:
|
|
High: exact rebase recovery can overwrite ignored worktree data changed after preview ( Verification: |
|
Addressed concern #4973048113 in commit
Verification passed:
|
|
Fresh-context review of current head
Verification at |
|
Implemented all three blocking fixes in
Exact verification completed successfully:
Post-push status is clean and |
|
High: confirmation-time recovery revalidation is a non-coherent snapshot and can miss concurrent edits ( High: snapshots remain unbounded in memory and work despite the new sparse-file test ( Medium: untracked/ignored filesystem changes are not captured completely ( Verification at current head |
|
Addressed the recovery snapshot review in commit Design changes:
Regression coverage includes the synchronized concurrent edit, an actual 64 MiB tracked binary bound, a 10,001-file ignored tree, relevant file-count and metadata-entry limits, ignored content and chmod changes, file-to-directory replacement, incorrect top-level Verification passed at
Git does not expose a transaction spanning arbitrary external worktree edits and |
|
High: a relevant directory is snapshotted without its contents, so abort can delete post-preview data ( |
|
Addressed #72 (comment) in commit
Verification passed:
|
|
High: final recovery validation still has an unguarded compare-to-act window that can lose concurrent state ( Verification at |
|
Addressed #72 (comment) in commit Design:
Deterministic regression:
Verification passed:
Risk/tradeoff: confirmed merge/rebase recovery actions are intentionally unavailable through BitByGit rather than exposing a data-loss race. Recovery must be performed outside BitByGit until an actual cross-resource fence is implemented. |
|
High: every recovery action is permanently non-functional ( |
|
Addressed both #72 (comment) and #72 (comment) in commit Design:
Deterministic coverage:
Verification passed:
Residual risk: Git still cannot transactionally lock arbitrary editor writes to worktree files. The bounded repeated state captures continue to detect those changes before spawn; the new prepared transaction fence specifically closes the demonstrated recovery-ref overwrite path without disabling recovery. |
|
High: the ref fence can reject only after recovery has already mutated the repository ( High: overwrite-sensitive worktree/index state is still unfenced after the final capture ( High: installing the temporary hook can overwrite files in the configured hooks directory ( |
|
Addressed #72 (comment) in commit Design:
Regressions:
Verification passed exactly:
Residual risk: stock Git exposes no transaction spanning arbitrary editor writes, the index, operation metadata, and refs for merge/rebase porcelain. The final capture closes the deterministic pre-spawn boundary covered here and removal of BitByGit's prepared hook eliminates the application-induced post-reset rejection, but an unrelated process that writes after Git has been spawned remains governed by Git's native locking/overwrite behavior; arbitrary worktree editor writes are not transactionally lockable by BitByGit. |
|
Superseding my previous comment with the complete post-spawn redesign in Design:
Actual regressions:
Verification passed at
True residual constraints:
|
Summary
Verification
cargo fmt --all --checkcargo clippy --locked --workspace --all-targets -- -D warningscargo test --locked --workspaceFixes #55