review quick-wins: JIT gate, crash guards, crit-2 signal-return, regen repair

Server (sx_server.ml):
- HTTP mode: JIT hook now opt-in via SX_SERVING_JIT, matching epoch mode
  (was unconditional — live serving-JIT miscompiles J1/J2/J3 de-risked)
- command channel: malformed/non-ASCII line returns an error response
  instead of killing the shared process (C1/C1b)
- response cache: soft error pages no longer cached (S4);
  http_render_page returns (html, is_error)

Kernel spec + regen:
- crit-2: signal-return frame stored the saved kont under :f but the reader
  looked up "saved-kont" — handler value became the whole program's result
  and the covering test passed vacuously. Fixed; raise-continuable now also
  resumes at the raise site (rest-k, not unwound-k), mirroring signal-condition
- quasiquote: R7RS longhand unquote-splicing aliased to splice-unquote
  (used to serialize literally — silent zero-splice)
- guard: re-raise sentinel gensym'd per execution (was forgeable by any
  (list '__guard-reraise__ x) value)
- do: IIFE-head form no longer misparses as a Scheme do-loop
- render: area/base/embed/param/track added to HTML_TAGS (were void-only
  and rendered as Undefined symbol)
- REGEN REPAIR: checked-in sx_ref.ml carried hand-written additions that
  every regeneration silently lost (let-values/define-values/delay/
  delay-force registrations, AdtValue define-type) plus 5 regen blockers
  (arrow-name mangling, 3-arg get, &rest defines, HO-position helper refs,
  transpiler prim-table gaps). Moved into bootstrap.py FIXUPS/skips and the
  transpiler prim table — regen is now reproducible, compiles, and tests
  at baseline (CI Dockerfile.test steps 3-4 could not previously have
  produced a compiling kernel)

Primitives:
- contains?: dict key-check arm per its spec doc
- expt: promotes to float on int63 overflow ((expt 2 100) returned 0)
- mcp_tree parity with sx_primitives: get (Integer indices + 3-arg default),
  split (literal substring, was char-class — the historical gotcha lived
  here), empty? on ""/{}, contains?, equal?, keyword-name, char-code
  (Integer), parse-number (Integer-aware)

Python/docs:
- shared/sx/boundary.py: dead validation now logs a one-time WARNING instead
  of silently no-oping (full revival gated: tier-1 declarations deleted and
  SX_BOUNDARY_STRICT=1 is live in production compose)
- CLAUDE.md: canonical reference now points at spec/*.sx; island authoring
  rules corrected (let IS sequential, bodies ARE implicit begin)

Verification: full suite 5762 passed / 274 failed — fail set byte-identical
to the pre-change baseline (273 in-progress hs-* + pre-existing r7rs radix
shadow). All repros verified fixed on both the native binary and the rebuilt
WASM browser kernel. Review findings: /tmp/sx-review/*.md

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-03 13:49:43 +00:00
parent 071c2f9a8a
commit dc7aa709bd
14 changed files with 3445 additions and 3213 deletions

@@ -26,8 +26,21 @@ _DECLARED_IO: frozenset[str] | None = None
_DECLARED_HELPERS: dict[str, frozenset[str]] | None = None
_LOAD_FAILURE_WARNED = False
def _load_declarations() -> None:
global _DECLARED_PURE, _DECLARED_IO, _DECLARED_HELPERS
# KNOWN-BROKEN (2026-07 review, finding C24): `.ref.boundary_parser` was
# moved to hosts/python/boundary_parser.py AND its tier-1 declaration
# source (shared/sx/ref/boundary.sx) was deleted, so this ImportError
# fires on every call and boundary validation has been a silent no-op —
# including under SX_BOUNDARY_STRICT=1, which production compose sets.
# Do NOT "fix" the import in isolation: reviving validation while strict
# mode is live in production requires first recreating the core
# declarations and proving zero violations across all services
# (remediation plan, Phase 2 "Python boundary"). Until then we make the
# dead state visible instead of silent.
global _DECLARED_PURE, _DECLARED_IO, _DECLARED_HELPERS, _LOAD_FAILURE_WARNED
if _DECLARED_PURE is not None:
return
try:
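Review bot: The KNOWN-BROKEN comment in `_load_declarations` cites "finding C24" and "remediation plan, Phase 2" without saying where either document lives, so a later reader of this file cannot follow the warning not to fix the import in isolation; point the comment at a tracked issue or an in-repo path. The comment also says the ImportError fires on every call, and the early return `if _DECLARED_PURE is not None: return` only short-circuits after a successful load, so every call re-enters the `try` block; state in the comment that this repeated attempt is accepted, or gate the retry.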
@@ -42,7 +55,15 @@ def _load_declarations() -> None:
# Don't cache failure — parser may not be ready yet (circular import
# during startup). Will retry on next call. Validation functions
# skip checks when declarations aren't loaded.
logger.debug("Boundary declarations not ready yet: %s", e)
if not _LOAD_FAILURE_WARNED:
_LOAD_FAILURE_WARNED = True
logger.warning(
"SX boundary validation is INACTIVE (declarations failed to "
"load: %s). All validate_* calls are no-ops, even under "
"SX_BOUNDARY_STRICT=1.", e,
)
else:
logger.debug("Boundary declarations not ready yet: %s", e)
def _is_strict() -> bool:
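Review bot: The one-time warning in the `if not _LOAD_FAILURE_WARNED:` branch fires on the first failure, but the retained comment directly above says that failure can be a transient circular import during startup that succeeds on a later call. In that case the log states "All validate_* calls are no-ops" while validation later becomes active, and nothing records the recovery; consider logging one line on the first successful load after a warned failure. Since the message itself says the checks are skipped even under SX_BOUNDARY_STRICT=1, also consider raising the level to error when `_is_strict()` returns true, so the fail-open state is harder to miss than a single line that falls back to `logger.debug` on every later call.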