radar: pass 38 — migration plan DRAFTED (5 specs + open-questions); decision point: review + start implementation loop? branch stays local

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

lib/apl/conformance.conf

@@ -0,0 +1,63 @@
+# APL conformance config — sourced by lib/guest/conformance.sh.
+
+LANG_NAME=apl
+MODE=counters
+COUNTERS_PASS=apl-test-pass
+COUNTERS_FAIL=apl-test-fail
+TIMEOUT_PER_SUITE=300
+
+PRELOADS=(
+  spec/stdlib.sx
+  lib/r7rs.sx
+  lib/apl/runtime.sx
+  lib/apl/tokenizer.sx
+  lib/apl/parser.sx
+  lib/apl/transpile.sx
+  lib/apl/test-harness.sx
+)
+
+SUITES=(
+  "structural:lib/apl/tests/structural.sx"
+  "operators:lib/apl/tests/operators.sx"
+  "dfn:lib/apl/tests/dfn.sx"
+  "tradfn:lib/apl/tests/tradfn.sx"
+  "valence:lib/apl/tests/valence.sx"
+  "programs:lib/apl/tests/programs.sx"
+  "system:lib/apl/tests/system.sx"
+  "idioms:lib/apl/tests/idioms.sx"
+  "eval-ops:lib/apl/tests/eval-ops.sx"
+  "pipeline:lib/apl/tests/pipeline.sx"
+)
+
+emit_scoreboard_json() {
+  local n=${#GC_NAMES[@]} i sep
+  printf '{\n'
+  printf '  "suites": {\n'
+  for ((i=0; i<n; i++)); do
+    sep=","; [ $i -eq $((n-1)) ] && sep=""
+    printf '    "%s": {"pass": %d, "fail": %d}%s\n' \
+      "${GC_NAMES[$i]}" "${GC_PASS[$i]}" "${GC_FAIL[$i]}" "$sep"
+  done
+  printf '  },\n'
+  printf '  "total_pass": %d,\n' "$GC_TOTAL_PASS"
+  printf '  "total_fail": %d,\n' "$GC_TOTAL_FAIL"
+  printf '  "total": %d\n' "$GC_TOTAL"
+  printf '}\n'
+}
+
+emit_scoreboard_md() {
+  local n=${#GC_NAMES[@]} i
+  printf '# APL Conformance Scoreboard\n\n'
+  printf '_Generated by `lib/apl/conformance.sh`_\n\n'
+  printf '| Suite | Pass | Fail | Total |\n'
+  printf '|-------|-----:|-----:|------:|\n'
+  for ((i=0; i<n; i++)); do
+    printf '| %s | %d | %d | %d |\n' \
+      "${GC_NAMES[$i]}" "${GC_PASS[$i]}" "${GC_FAIL[$i]}" "${GC_TOTAL_S[$i]}"
+  done
+  printf '| **Total** | **%d** | **%d** | **%d** |\n' "$GC_TOTAL_PASS" "$GC_TOTAL_FAIL" "$GC_TOTAL"
+  printf '\n'
+  printf '## Notes\n\n'
+  printf '%s\n' '- Suites use the standard `apl-test name got expected` framework loaded against `lib/apl/runtime.sx` + `lib/apl/transpile.sx`.'
+  printf '%s\n' '- `lib/apl/tests/parse.sx` and `lib/apl/tests/scalar.sx` use their own self-contained frameworks and are excluded from this scoreboard.'
+}

lib/apl/conformance.sh

@@ -1,116 +1,5 @@
 #!/usr/bin/env bash
-# lib/apl/conformance.sh — run APL test suites, emit scoreboard.json + scoreboard.md.
-
-set -uo pipefail
-cd "$(git rev-parse --show-toplevel)"
-
-SX_SERVER="${SX_SERVER:-/root/rose-ash/hosts/ocaml/_build/default/bin/sx_server.exe}"
-if [ ! -x "$SX_SERVER" ]; then
-  SX_SERVER="hosts/ocaml/_build/default/bin/sx_server.exe"
-fi
-if [ ! -x "$SX_SERVER" ]; then
-  echo "ERROR: sx_server.exe not found." >&2
-  exit 1
-fi
-
-SUITES=(structural operators dfn tradfn valence programs system idioms eval-ops pipeline)
-
-OUT_JSON="lib/apl/scoreboard.json"
-OUT_MD="lib/apl/scoreboard.md"
-
-run_suite() {
-  local suite=$1
-  local file="lib/apl/tests/${suite}.sx"
-  local TMP
-  TMP=$(mktemp)
-  cat > "$TMP" << EPOCHS
-(epoch 1)
-(load "spec/stdlib.sx")
-(load "lib/r7rs.sx")
-(load "lib/apl/runtime.sx")
-(load "lib/apl/tokenizer.sx")
-(load "lib/apl/parser.sx")
-(load "lib/apl/transpile.sx")
-(epoch 2)
-(eval "(define apl-test-pass 0)")
-(eval "(define apl-test-fail 0)")
-(eval "(define apl-test (fn (name got expected) (if (= got expected) (set! apl-test-pass (+ apl-test-pass 1)) (set! apl-test-fail (+ apl-test-fail 1)))))")
-(epoch 3)
-(load "${file}")
-(epoch 4)
-(eval "(list apl-test-pass apl-test-fail)")
-EPOCHS
-
-  local OUTPUT
-  OUTPUT=$(timeout 300 "$SX_SERVER" < "$TMP" 2>/dev/null)
-  rm -f "$TMP"
-
-  local LINE
-  LINE=$(echo "$OUTPUT" | awk '/^\(ok-len 4 / {getline; print; exit}')
-  if [ -z "$LINE" ]; then
-    LINE=$(echo "$OUTPUT" | grep -E '^\(ok 4 \([0-9]+ [0-9]+\)\)' | tail -1 \
-            | sed -E 's/^\(ok 4 //; s/\)$//')
-  fi
-
-  local P F
-  P=$(echo "$LINE" | sed -E 's/^\(([0-9]+) ([0-9]+)\).*/\1/')
-  F=$(echo "$LINE" | sed -E 's/^\(([0-9]+) ([0-9]+)\).*/\2/')
-  P=${P:-0}
-  F=${F:-0}
-  echo "${P} ${F}"
-}
-
-declare -A SUITE_PASS
-declare -A SUITE_FAIL
-TOTAL_PASS=0
-TOTAL_FAIL=0
-
-echo "Running APL conformance suite..." >&2
-for s in "${SUITES[@]}"; do
-  read -r p f < <(run_suite "$s")
-  SUITE_PASS[$s]=$p
-  SUITE_FAIL[$s]=$f
-  TOTAL_PASS=$((TOTAL_PASS + p))
-  TOTAL_FAIL=$((TOTAL_FAIL + f))
-  printf "  %-12s %d/%d\n" "$s" "$p" "$((p+f))" >&2
-done
-
-# scoreboard.json
-{
-  printf '{\n'
-  printf '  "suites": {\n'
-  first=1
-  for s in "${SUITES[@]}"; do
-    if [ $first -eq 0 ]; then printf ',\n'; fi
-    printf '    "%s": {"pass": %d, "fail": %d}' "$s" "${SUITE_PASS[$s]}" "${SUITE_FAIL[$s]}"
-    first=0
-  done
-  printf '\n  },\n'
-  printf '  "total_pass": %d,\n' "$TOTAL_PASS"
-  printf '  "total_fail": %d,\n' "$TOTAL_FAIL"
-  printf '  "total": %d\n' "$((TOTAL_PASS + TOTAL_FAIL))"
-  printf '}\n'
-} > "$OUT_JSON"
-
-# scoreboard.md
-{
-  printf '# APL Conformance Scoreboard\n\n'
-  printf '_Generated by `lib/apl/conformance.sh`_\n\n'
-  printf '| Suite | Pass | Fail | Total |\n'
-  printf '|-------|-----:|-----:|------:|\n'
-  for s in "${SUITES[@]}"; do
-    p=${SUITE_PASS[$s]}
-    f=${SUITE_FAIL[$s]}
-    printf '| %s | %d | %d | %d |\n' "$s" "$p" "$f" "$((p+f))"
-  done
-  printf '| **Total** | **%d** | **%d** | **%d** |\n' "$TOTAL_PASS" "$TOTAL_FAIL" "$((TOTAL_PASS + TOTAL_FAIL))"
-  printf '\n'
-  printf '## Notes\n\n'
-  printf '%s\n' '- Suites use the standard `apl-test name got expected` framework loaded against `lib/apl/runtime.sx` + `lib/apl/transpile.sx`.'
-  printf '%s\n' '- `lib/apl/tests/parse.sx` and `lib/apl/tests/scalar.sx` use their own self-contained frameworks and are excluded from this scoreboard.'
-} > "$OUT_MD"
-
-echo "Wrote $OUT_JSON and $OUT_MD" >&2
-echo "Total: $TOTAL_PASS pass, $TOTAL_FAIL fail" >&2
-
-[ "$TOTAL_FAIL" -eq 0 ]
+# lib/apl/conformance.sh — APL conformance via the shared guest driver.
+# Config lives in lib/apl/conformance.conf (MODE=counters). Override the binary
+# with SX_SERVER=path/to/sx_server.exe bash lib/apl/conformance.sh
+exec bash "$(dirname "$0")/../guest/conformance.sh" "$(dirname "$0")/conformance.conf" "$@"

lib/apl/scoreboard.json

@@ -9,9 +9,9 @@
     "system": {"pass": 13, "fail": 0},
     "idioms": {"pass": 64, "fail": 0},
     "eval-ops": {"pass": 14, "fail": 0},
-    "pipeline": {"pass": 40, "fail": 0}
+    "pipeline": {"pass": 152, "fail": 0}
   },
-  "total_pass": 450,
+  "total_pass": 562,
   "total_fail": 0,
-  "total": 450
+  "total": 562
 }

lib/apl/scoreboard.md

@@ -13,8 +13,8 @@ _Generated by `lib/apl/conformance.sh`_
 | system | 13 | 0 | 13 |
 | idioms | 64 | 0 | 64 |
 | eval-ops | 14 | 0 | 14 |
-| pipeline | 40 | 0 | 40 |
-| **Total** | **450** | **0** | **450** |
+| pipeline | 152 | 0 | 152 |
+| **Total** | **562** | **0** | **562** |
 
 ## Notes
 

lib/apl/test-harness.sx

@@ -0,0 +1,15 @@
+; lib/apl/test-harness.sx — counters + assertion fn for the shared conformance
+; driver (lib/guest/conformance.sh, MODE=counters). Loaded as a PRELOAD so each
+; suite starts from a fresh 0/0; suites call (apl-test name got expected).
+
+(define apl-test-pass 0)
+(define apl-test-fail 0)
+
+(define
+  apl-test
+  (fn
+    (name got expected)
+    (if
+      (= got expected)
+      (set! apl-test-pass (+ apl-test-pass 1))
+      (set! apl-test-fail (+ apl-test-fail 1)))))

lib/persist/api.sx

@@ -1,10 +0,0 @@
-; persist/api — the public entry point. persist/open returns a backend (the
-; in-memory one by default; pass a custom backend to inject file/pg/ipfs-ref).
-; All facet functions take this backend as their first argument.
-; Requires: lib/persist/backend.sx, lib/persist/log.sx, lib/persist/kv.sx.
-
-(define
-  persist/open
-  (fn
-    (&rest args)
-    (if (= (len args) 0) (persist/mem-backend) (first args))))

lib/persist/backend.sx

@@ -1,34 +0,0 @@
-; persist/backend — the injected storage protocol. Every facet (log, kv,
-; snapshot) goes through a backend dict, never touching storage directly, so
-; file/pg/ipfs-ref backends swap in unchanged. A backend is a dict of fns:
-;   {:append :read :last-seq :truncate-through :streams
-;    :kv-get :kv-put :kv-delete :kv-has? :kv-keys}
-; The in-memory backend is the test default. State is three dicts held in a
-; closure and mutated with set!: logs (stream -> event list), seqs (stream ->
-; last assigned seq — a monotonic high-water mark that survives compaction so
-; truncating the log prefix never lets a future append reuse a seq), kv. The
-; stream catalog comes from seqs, so a fully-compacted stream still lists.
-
-(define
-  persist/mem-backend
-  (fn
-    ()
-    (let ((logs {}) (seqs {}) (kv {})) {:truncate-through (fn (stream n) (let ((cur (get logs stream))) (set! logs (assoc logs stream (filter (fn (e) (> (persist/event-seq e) n)) (if cur cur (list))))))) :kv-keys (fn () (keys kv)) :read (fn (stream) (let ((cur (get logs stream))) (if cur cur (list)))) :kv-has? (fn (key) (has-key? kv key)) :last-seq (fn (stream) (let ((s (get seqs stream))) (if s s 0))) :streams (fn () (keys seqs)) :append (fn (stream event) (begin (let ((cur (get logs stream))) (set! logs (assoc logs stream (append (if cur cur (list)) event)))) (set! seqs (assoc seqs stream (persist/event-seq event))))) :kv-delete (fn (key) (set! kv (dissoc kv key))) :kv-put (fn (key val) (set! kv (assoc kv key val))) :kv-get (fn (key) (get kv key))})))
-
-; protocol accessors — call a backend op by keyword
-(define
-  persist/backend-append
-  (fn (b stream event) ((get b :append) stream event)))
-(define persist/backend-read (fn (b stream) ((get b :read) stream)))
-(define
-  persist/backend-last-seq
-  (fn (b stream) ((get b :last-seq) stream)))
-(define persist/backend-streams (fn (b) ((get b :streams))))
-(define
-  persist/backend-truncate
-  (fn (b stream n) ((get b :truncate-through) stream n)))
-(define persist/backend-kv-get (fn (b key) ((get b :kv-get) key)))
-(define persist/backend-kv-put (fn (b key val) ((get b :kv-put) key val)))
-(define persist/backend-kv-delete (fn (b key) ((get b :kv-delete) key)))
-(define persist/backend-kv-has? (fn (b key) ((get b :kv-has?) key)))
-(define persist/backend-kv-keys (fn (b) ((get b :kv-keys))))

lib/persist/batch.sx

@@ -1,40 +0,0 @@
-; persist/batch — commit several events to a stream as one contiguous block.
-; Each spec is (type at data). Plain append-batch always appends; the -expect
-; form is the transactional commit: it checks the stream is still at `expected`
-; before writing ANY event, so a batch is all-or-nothing under a concurrent
-; writer (conflict is a value, not a partial write). For an order + its line
-; items, an audit entry + its reason, etc. Requires: lib/persist/log.sx.
-
-; append a list of (type at data) specs as one block; returns the stored events
-; (a real cons-list, in order, with contiguous seqs)
-(define
-  persist/append-batch
-  (fn
-    (b stream specs)
-    (reverse
-      (reduce
-        (fn
-          (acc spec)
-          (cons
-            (persist/append
-              b
-              stream
-              (first spec)
-              (nth spec 1)
-              (nth spec 2))
-            acc))
-        (list)
-        specs))))
-
-; transactional batch: commit all specs only if the stream is still at expected,
-; else return a conflict and write nothing
-(define
-  persist/append-batch-expect
-  (fn
-    (b stream expected specs)
-    (let
-      ((actual (persist/last-seq b stream)))
-      (if
-        (= actual expected)
-        (persist/append-batch b stream specs)
-        {:actual actual :expected expected :conflict true}))))

lib/persist/blob.sx

@@ -1,66 +0,0 @@
-; persist/blob — large objects (images, media) are NOT persist's to hold. They
-; live in a content-addressed store (artdag/IPFS); persist stores only a
-; reference: {:cid :size :mime}. The blob store is a SEPARATE injected
-; dependency with its own transport (perform in production, a mock content store
-; in tests), distinct from the event/kv backend. The invariant: a blob ref that
-; lands in the log or kv carries the CID + metadata and never the bytes.
-; Requires: lib/persist/backend.sx.
-
-(define persist/blob-ref (fn (cid size mime) {:mime mime :size size :cid cid}))
-(define persist/blob-ref? (fn (r) (has-key? r :cid)))
-(define persist/blob-cid (fn (r) (get r :cid)))
-(define persist/blob-size (fn (r) (get r :size)))
-(define persist/blob-mime (fn (r) (get r :mime)))
-
-; blob store protocol over an injectable transport
-(define persist/blob-io (fn (transport) {:put (fn (bytes mime) (transport {:op "blob/put" :args (list bytes mime)})) :get (fn (cid) (transport {:op "blob/get" :args (list cid)})) :has? (fn (cid) (transport {:op "blob/has?" :args (list cid)}))}))
-
-; production blob store — transport is the kernel's perform
-(define
-  persist/blob-store-backend
-  (fn () (persist/blob-io (fn (req) (perform req)))))
-
-; store bytes via the blob backend; return ONLY the ref (cid + metadata) — this
-; is what the caller persists in the log/kv. The bytes never enter persist.
-(define
-  persist/blob-store
-  (fn
-    (blob bytes mime)
-    (let
-      ((cid ((get blob :put) bytes mime)))
-      (persist/blob-ref cid (len bytes) mime))))
-
-(define
-  persist/blob-fetch
-  (fn (blob ref) ((get blob :get) (persist/blob-cid ref))))
-(define
-  persist/blob-exists?
-  (fn (blob ref) ((get blob :has?) (persist/blob-cid ref))))
-
-; mock content-addressed store (stands in for artdag/IPFS). CID is a
-; deterministic content address: identical bytes dedupe to one CID. A real
-; store computes a SHA3/IPFS CID host-side; the prefix keeps the mock readable.
-(define persist/blob-cid-of (fn (bytes) (str "cid:" bytes)))
-
-(define
-  persist/blob-serve
-  (fn
-    (store req)
-    (let
-      ((op (get req :op)) (args (get req :args)))
-      (cond
-        ((equal? op "blob/put")
-          (let
-            ((cid (persist/blob-cid-of (first args))))
-            (begin (persist/backend-kv-put store cid (first args)) cid)))
-        ((equal? op "blob/get") (persist/backend-kv-get store (first args)))
-        ((equal? op "blob/has?")
-          (persist/backend-kv-has? store (first args)))
-        (else (error (str "persist/blob-serve: unknown op " op)))))))
-
-(define
-  persist/blob-mock-transport
-  (fn (store) (fn (req) (persist/blob-serve store req))))
-(define
-  persist/mock-blob
-  (fn (store) (persist/blob-io (persist/blob-mock-transport store))))

lib/persist/catalog.sx

@@ -1,35 +0,0 @@
-; persist/catalog — enumerate the streams a backend holds. The catalog is the
-; set of streams ever appended to (from the seq high-water marks), so a stream
-; whose log has been fully compacted still appears. $-prefixed streams are
-; reserved for internal indexes (e.g. the $global commit index) and are hidden
-; from the public catalog; use streams-all to see them. For admin, global ops,
-; and cross-stream tooling. Requires: lib/persist/backend.sx, lib/persist/log.sx.
-
-(define persist/reserved-stream? (fn (s) (starts-with? s "$")))
-
-; every stream including reserved internal indexes
-(define persist/streams-all (fn (b) (persist/backend-streams b)))
-
-; public streams (reserved internal indexes hidden)
-(define
-  persist/streams
-  (fn
-    (b)
-    (filter
-      (fn (s) (not (persist/reserved-stream? s)))
-      (persist/streams-all b))))
-
-(define persist/stream-count (fn (b) (len (persist/streams b))))
-(define
-  persist/stream-exists?
-  (fn (b stream) (contains? (persist/streams b) stream)))
-
-; total logical events across all public streams (sum of high-water marks)
-(define
-  persist/total-events
-  (fn
-    (b)
-    (reduce
-      (fn (acc s) (+ acc (persist/last-seq b s)))
-      0
-      (persist/streams b))))

lib/persist/compaction.sx

@@ -1,43 +0,0 @@
-; persist/compaction — once a snapshot subsumes a log prefix, those events are
-; dead weight: replay starts from the snapshot, so events with seq <= the
-; snapshot's seq are never folded again. Compaction checkpoints then truncates
-; that prefix. The seq counter is monotonic (backend high-water mark) so future
-; appends keep climbing — the surviving tail keeps its original seqs and replay
-; from the snapshot still equals a full replay of the pre-compaction log.
-; Policy is explicit: compact when the uncompacted tail reaches `every` events.
-; Requires: lib/persist/snapshot.sx, lib/persist/log.sx.
-
-; events accumulated since the last snapshot for name
-(define
-  persist/uncompacted
-  (fn
-    (b stream name seed)
-    (-
-      (persist/last-seq b stream)
-      (persist/project-seq (persist/snapshot-load b name seed)))))
-
-; policy: should we compact yet? tail since snapshot >= every
-(define
-  persist/should-compact?
-  (fn
-    (b stream name every seed)
-    (>= (persist/uncompacted b stream name seed) every)))
-
-; checkpoint then drop the snapshotted prefix; returns the new snapshot state
-(define
-  persist/compact
-  (fn
-    (b stream name step seed)
-    (let
-      ((state (persist/checkpoint b stream name step seed)))
-      (begin (persist/truncate b stream (persist/project-seq state)) state))))
-
-; compact only if the policy fires; always returns the current snapshot state
-(define
-  persist/maybe-compact
-  (fn
-    (b stream name step seed every)
-    (if
-      (persist/should-compact? b stream name every seed)
-      (persist/compact b stream name step seed)
-      (persist/snapshot-load b name seed))))

lib/persist/concurrency.sx

@@ -1,24 +0,0 @@
-; persist/concurrency — optimistic concurrency for the log facet. The caller
-; passes the seq it believes is current (the last-seq it last observed). If the
-; stream has advanced since, the append is refused and a conflict VALUE is
-; returned — never a crash, never a silent overwrite. The caller re-reads the
-; tail and retries. This is the substrate-level answer to "two writers, one
-; stream": the loser gets a result it can act on.
-; Requires: lib/persist/log.sx.
-
-(define
-  persist/append-expect
-  (fn
-    (b stream expected type at data)
-    (let
-      ((actual (persist/last-seq b stream)))
-      (if
-        (= actual expected)
-        (persist/append b stream type at data)
-        {:actual actual :expected expected :conflict true}))))
-
-(define
-  persist/conflict?
-  (fn (r) (if (has-key? r :conflict) (get r :conflict) false)))
-(define persist/conflict-expected (fn (r) (get r :expected)))
-(define persist/conflict-actual (fn (r) (get r :actual)))

lib/persist/conformance.sh

@@ -1,128 +0,0 @@
-#!/usr/bin/env bash
-# lib/persist/conformance.sh — run persist test suites, emit scoreboard.json + scoreboard.md.
-
-set -uo pipefail
-cd "$(git rev-parse --show-toplevel)"
-
-SX_SERVER="${SX_SERVER:-/root/rose-ash/hosts/ocaml/_build/default/bin/sx_server.exe}"
-if [ ! -x "$SX_SERVER" ]; then
-  SX_SERVER="hosts/ocaml/_build/default/bin/sx_server.exe"
-fi
-if [ ! -x "$SX_SERVER" ]; then
-  echo "ERROR: sx_server.exe not found." >&2
-  exit 1
-fi
-
-SUITES=(event log kv project subscribe concurrency snapshot compaction durable blob view cas catalog query batch upcast idempotency global example-acl recovery)
-
-OUT_JSON="lib/persist/scoreboard.json"
-OUT_MD="lib/persist/scoreboard.md"
-
-run_suite() {
-  local suite=$1
-  local file="lib/persist/tests/${suite}.sx"
-  local TMP
-  TMP=$(mktemp)
-  cat > "$TMP" << EPOCHS
-(epoch 1)
-(load "spec/stdlib.sx")
-(load "lib/r7rs.sx")
-(load "lib/persist/event.sx")
-(load "lib/persist/backend.sx")
-(load "lib/persist/log.sx")
-(load "lib/persist/kv.sx")
-(load "lib/persist/project.sx")
-(load "lib/persist/concurrency.sx")
-(load "lib/persist/snapshot.sx")
-(load "lib/persist/compaction.sx")
-(load "lib/persist/durable.sx")
-(load "lib/persist/blob.sx")
-(load "lib/persist/view.sx")
-(load "lib/persist/catalog.sx")
-(load "lib/persist/query.sx")
-(load "lib/persist/batch.sx")
-(load "lib/persist/upcast.sx")
-(load "lib/persist/idempotency.sx")
-(load "lib/persist/global.sx")
-(load "lib/persist/examples/acl.sx")
-(load "lib/persist/subscribe.sx")
-(load "lib/persist/api.sx")
-(epoch 2)
-(eval "(define persist-test-pass 0)")
-(eval "(define persist-test-fail 0)")
-(eval "(define persist-test (fn (name got expected) (if (equal? got expected) (set! persist-test-pass (+ persist-test-pass 1)) (set! persist-test-fail (+ persist-test-fail 1)))))")
-(epoch 3)
-(load "${file}")
-(epoch 4)
-(eval "(list persist-test-pass persist-test-fail)")
-EPOCHS
-
-  local OUTPUT
-  OUTPUT=$(timeout 300 "$SX_SERVER" < "$TMP" 2>/dev/null)
-  rm -f "$TMP"
-
-  local LINE
-  LINE=$(echo "$OUTPUT" | awk '/^\(ok-len 4 / {getline; print; exit}')
-  if [ -z "$LINE" ]; then
-    LINE=$(echo "$OUTPUT" | grep -E '^\(ok 4 \([0-9]+ [0-9]+\)\)' | tail -1 \
-            | sed -E 's/^\(ok 4 //; s/\)$//')
-  fi
-
-  local P F
-  P=$(echo "$LINE" | sed -E 's/^\(([0-9]+) ([0-9]+)\).*/\1/')
-  F=$(echo "$LINE" | sed -E 's/^\(([0-9]+) ([0-9]+)\).*/\2/')
-  P=${P:-0}
-  F=${F:-0}
-  echo "${P} ${F}"
-}
-
-declare -A SUITE_PASS
-declare -A SUITE_FAIL
-TOTAL_PASS=0
-TOTAL_FAIL=0
-
-echo "Running persist conformance suite..." >&2
-for s in "${SUITES[@]}"; do
-  read -r p f < <(run_suite "$s")
-  SUITE_PASS[$s]=$p
-  SUITE_FAIL[$s]=$f
-  TOTAL_PASS=$((TOTAL_PASS + p))
-  TOTAL_FAIL=$((TOTAL_FAIL + f))
-  printf "  %-12s %d/%d\n" "$s" "$p" "$((p+f))" >&2
-done
-
-# scoreboard.json
-{
-  printf '{\n'
-  printf '  "suites": {\n'
-  first=1
-  for s in "${SUITES[@]}"; do
-    if [ $first -eq 0 ]; then printf ',\n'; fi
-    printf '    "%s": {"pass": %d, "fail": %d}' "$s" "${SUITE_PASS[$s]}" "${SUITE_FAIL[$s]}"
-    first=0
-  done
-  printf '\n  },\n'
-  printf '  "total_pass": %d,\n' "$TOTAL_PASS"
-  printf '  "total_fail": %d,\n' "$TOTAL_FAIL"
-  printf '  "total": %d\n' "$((TOTAL_PASS + TOTAL_FAIL))"
-  printf '}\n'
-} > "$OUT_JSON"
-
-# scoreboard.md
-{
-  printf '# persist Conformance Scoreboard\n\n'
-  printf '_Generated by `lib/persist/conformance.sh`_\n\n'
-  printf '| Suite | Pass | Fail | Total |\n'
-  printf '|-------|-----:|-----:|------:|\n'
-  for s in "${SUITES[@]}"; do
-    p=${SUITE_PASS[$s]}
-    f=${SUITE_FAIL[$s]}
-    printf '| %s | %d | %d | %d |\n' "$s" "$p" "$f" "$((p+f))"
-  done
-  printf '| **Total** | **%d** | **%d** | **%d** |\n' "$TOTAL_PASS" "$TOTAL_FAIL" "$((TOTAL_PASS + TOTAL_FAIL))"
-} > "$OUT_MD"
-
-echo "Wrote $OUT_JSON and $OUT_MD" >&2
-echo "Total: $TOTAL_PASS pass, $TOTAL_FAIL fail" >&2
-
-[ "$TOTAL_FAIL" -eq 0 ]

lib/persist/durable.sx

@@ -1,71 +0,0 @@
-; persist/durable — a backend whose every op crosses the kernel's IO-suspension
-; boundary. Each op performs an IO request {:op "persist/..." :args (...)};
-; under the real kernel `perform` suspends the CEK machine and the host (file,
-; pg, ipfs-ref) services the request and resumes with the result — so the facet
-; code above (log/kv/project/snapshot/compaction) never changes. The TRANSPORT
-; is injectable: production passes the kernel's perform; tests pass a mock
-; servicer over an in-memory disk. Same request shapes either way, so the whole
-; existing facet stack runs unchanged on the mock-durable backend.
-; Requires: lib/persist/backend.sx.
-
-; request encoders — the exact payloads the durable backend performs
-(define persist/req-append (fn (stream event) {:op "persist/append" :args (list stream event)}))
-(define persist/req-read (fn (stream) {:op "persist/read" :args (list stream)}))
-(define persist/req-last-seq (fn (stream) {:op "persist/last-seq" :args (list stream)}))
-(define persist/req-streams (fn () {:op "persist/streams" :args (list)}))
-(define persist/req-truncate (fn (stream n) {:op "persist/truncate" :args (list stream n)}))
-(define persist/req-kv-get (fn (key) {:op "persist/kv-get" :args (list key)}))
-(define persist/req-kv-put (fn (key val) {:op "persist/kv-put" :args (list key val)}))
-(define persist/req-kv-delete (fn (key) {:op "persist/kv-delete" :args (list key)}))
-(define persist/req-kv-has? (fn (key) {:op "persist/kv-has?" :args (list key)}))
-(define persist/req-kv-keys (fn () {:op "persist/kv-keys" :args (list)}))
-
-; a backend parameterized over a transport (req -> response)
-(define persist/io-backend (fn (transport) {:truncate-through (fn (stream n) (transport (persist/req-truncate stream n))) :kv-keys (fn () (transport (persist/req-kv-keys))) :read (fn (stream) (transport (persist/req-read stream))) :kv-has? (fn (key) (transport (persist/req-kv-has? key))) :last-seq (fn (stream) (transport (persist/req-last-seq stream))) :streams (fn () (transport (persist/req-streams))) :append (fn (stream event) (transport (persist/req-append stream event))) :kv-delete (fn (key) (transport (persist/req-kv-delete key))) :kv-put (fn (key val) (transport (persist/req-kv-put key val))) :kv-get (fn (key) (transport (persist/req-kv-get key)))}))
-
-; production backend — transport is the kernel's perform (suspends; host resumes)
-(define
-  persist/durable-backend
-  (fn () (persist/io-backend (fn (req) (perform req)))))
-
-; reference host: service one request against a disk (any backend protocol impl).
-; This is what a real host plugs into the kernel's IO resolver, and the mock-IO
-; harness for tests: it never touches a real disk, just an in-memory backend.
-(define
-  persist/serve
-  (fn
-    (disk req)
-    (let
-      ((op (get req :op)) (args (get req :args)))
-      (cond
-        ((equal? op "persist/append")
-          (persist/backend-append disk (first args) (nth args 1)))
-        ((equal? op "persist/read")
-          (persist/backend-read disk (first args)))
-        ((equal? op "persist/last-seq")
-          (persist/backend-last-seq disk (first args)))
-        ((equal? op "persist/streams") (persist/backend-streams disk))
-        ((equal? op "persist/truncate")
-          (persist/backend-truncate disk (first args) (nth args 1)))
-        ((equal? op "persist/kv-get")
-          (persist/backend-kv-get disk (first args)))
-        ((equal? op "persist/kv-put")
-          (persist/backend-kv-put disk (first args) (nth args 1)))
-        ((equal? op "persist/kv-delete")
-          (persist/backend-kv-delete disk (first args)))
-        ((equal? op "persist/kv-has?")
-          (persist/backend-kv-has? disk (first args)))
-        ((equal? op "persist/kv-keys") (persist/backend-kv-keys disk))
-        (else (error (str "persist/serve: unknown op " op)))))))
-
-; mock transport: a perform-replacement that services against a disk in-process
-(define
-  persist/mock-transport
-  (fn (disk) (fn (req) (persist/serve disk req))))
-
-; a durable backend wired to a mock disk — exercises the full io-backend path
-; (request-encode -> serve -> disk) with no suspension, so the existing facet
-; suite runs against it unchanged.
-(define
-  persist/mock-durable
-  (fn (disk) (persist/io-backend (persist/mock-transport disk))))

lib/persist/event.sx

@@ -1,13 +0,0 @@
-; persist/event — an event is the unit of the log facet:
-;   {:stream :seq :type :at :data}
-; stream = which append-only stream, seq = 1-based position within it,
-; type = event kind, at = caller-supplied timestamp (never a clock here:
-; replay must stay pure), data = payload dict.
-
-(define persist/event (fn (stream seq type at data) {:data data :type type :at at :stream stream :seq seq}))
-
-(define persist/event-stream (fn (e) (get e :stream)))
-(define persist/event-seq (fn (e) (get e :seq)))
-(define persist/event-type (fn (e) (get e :type)))
-(define persist/event-at (fn (e) (get e :at)))
-(define persist/event-data (fn (e) (get e :data)))

lib/persist/examples/acl.sx

@@ -1,79 +0,0 @@
-; persist/examples/acl — a WORKED MIGRATION REFERENCE. A subsystem (acl grants:
-; who may access what) currently hand-rolls an in-memory mutable map that loses
-; every grant on restart and keeps no audit trail. This shows the same subsystem
-; rebuilt on persist. It is the template other subsystem loops copy; it does NOT
-; touch the real lib/acl (out of this loop's scope).
-;
-; BEFORE — hand-rolled, ephemeral, no history, no concurrency safety:
-;   (define acl-grants {})                      ; resource -> principal list (mutable)
-;   (define acl-grant!  (fn (r p) (set! acl-grants (assoc acl-grants r (cons p (get acl-grants r))))))
-;   (define acl-revoke! (fn (r p) (set! acl-grants (assoc acl-grants r (remove p ...)))))
-;   (define acl-can?    (fn (r p) (contains? (get acl-grants r) p)))
-;   ;; vanishes on restart; "when/why was X granted?" is unanswerable.
-;
-; AFTER — on persist. Grants/revokes are EVENTS (history matters), the current
-; grant set is a PROJECTION, checks read a materialized VIEW, and the audit trail
-; is a time-windowed query. Every fn takes a backend `b`, so the same code runs
-; on the in-memory backend today and the durable backend unchanged.
-; Requires: lib/persist/log.sx, lib/persist/project.sx, lib/persist/view.sx,
-;           lib/persist/query.sx.
-
-(define acl/stream (fn (resource) (str "acl/" resource)))
-
-; write side — grant/revoke append events (the history is the source of truth)
-(define
-  acl/grant
-  (fn
-    (b resource principal at)
-    (persist/append b (acl/stream resource) "granted" at {:principal principal})))
-(define
-  acl/revoke
-  (fn
-    (b resource principal at)
-    (persist/append b (acl/stream resource) "revoked" at {:principal principal})))
-
-; fold step: grant adds a principal (once), revoke removes it
-(define
-  acl/step
-  (fn
-    (set e)
-    (let
-      ((p (get (persist/event-data e) :principal)))
-      (if
-        (equal? (persist/event-type e) "granted")
-        (if (contains? set p) set (append set p))
-        (filter (fn (x) (not (equal? x p))) set)))))
-
-; read side — current grant set + membership check (replays the log)
-(define
-  acl/grants
-  (fn
-    (b resource)
-    (persist/project-fold b (acl/stream resource) acl/step (list))))
-(define
-  acl/can?
-  (fn (b resource principal) (contains? (acl/grants b resource) principal)))
-
-; materialized view — attach to a hub for O(1) checks that stay current on write
-(define
-  acl/view
-  (fn
-    (resource)
-    (persist/view
-      (str "acl-current/" resource)
-      (acl/stream resource)
-      acl/step
-      (list))))
-(define
-  acl/can-fast?
-  (fn
-    (b resource principal)
-    (contains? (persist/view-peek b (acl/view resource)) principal)))
-
-; audit — grants/revokes for a resource in a time window (the new capability the
-; hand-rolled version could never answer)
-(define
-  acl/audit-window
-  (fn
-    (b resource from to)
-    (persist/read-window b (acl/stream resource) from to)))

lib/persist/global.sx

@@ -1,55 +0,0 @@
-; persist/global — a global commit ordering across streams. Per-stream seqs only
-; order within a stream; a unified timeline (e.g. feed's home feed, a global
-; audit trail) needs a single order across streams. `persist/gappend` appends to
-; the target stream and then records a pointer in a reserved $global index whose
-; own seq IS the global commit position. Reading the index in order and
-; resolving each pointer yields every event in commit order. This is opt-in:
-; streams that don't need global ordering use plain persist/append and never
-; touch $global. Determinism: the order is the $global append order, replayed
-; identically. Requires: lib/persist/log.sx, lib/persist/catalog.sx.
-
-(define persist/global-stream "$global")
-
-; append with a global commit position. Returns the stored stream event; the
-; event's global position is the seq of its pointer in $global.
-(define
-  persist/gappend
-  (fn
-    (b stream type at data)
-    (let
-      ((ev (persist/append b stream type at data)))
-      (begin (persist/append b persist/global-stream "ref" at {:stream stream :seq (persist/event-seq ev)}) ev))))
-
-; the global index: pointer events in commit order (each pointer's seq = gpos)
-(define persist/global-log (fn (b) (persist/read b persist/global-stream)))
-
-; the current global commit position (count of globally-ordered appends)
-(define
-  persist/global-pos
-  (fn (b) (persist/last-seq b persist/global-stream)))
-
-; resolve a pointer event to the actual stream event it references
-(define
-  persist/resolve-ref
-  (fn
-    (b ptr)
-    (let
-      ((d (persist/event-data ptr)))
-      (first (persist/read-from b (get d :stream) (get d :seq))))))
-
-; every globally-ordered event, in commit order
-(define
-  persist/read-global
-  (fn
-    (b)
-    (map (fn (ptr) (persist/resolve-ref b ptr)) (persist/global-log b))))
-
-; pointer events at or after a global position (incremental global consumers)
-(define
-  persist/global-from
-  (fn (b gpos) (persist/read-from b persist/global-stream gpos)))
-
-; fold over all events in global commit order
-(define
-  persist/project-global
-  (fn (b step seed) (reduce step seed (persist/read-global b))))

lib/persist/idempotency.sx

@@ -1,28 +0,0 @@
-; persist/idempotency — exactly-once append under retries. A command retried
-; after a network blip must not append its event twice. The caller supplies an
-; idempotency key; the first append for that (stream, key) stores the event and
-; remembers the key in the kv facet; a repeat returns the SAME event without
-; appending. Because the marker lives in kv, idempotency holds across a restart
-; too. Keyed per stream. Requires: lib/persist/log.sx, lib/persist/kv.sx.
-
-(define persist/idem-key (fn (stream key) (str "idem/" stream "/" key)))
-
-; true if an append-once has already been recorded for (stream, key)
-(define
-  persist/seen?
-  (fn (b stream key) (persist/kv-has? b (persist/idem-key stream key))))
-
-; append at most once per (stream, key). Returns the stored event either way —
-; freshly appended on first use, the remembered one on a repeat.
-(define
-  persist/append-once
-  (fn
-    (b stream key type at data)
-    (let
-      ((k (persist/idem-key stream key)))
-      (if
-        (persist/kv-has? b k)
-        (persist/kv-get b k)
-        (let
-          ((ev (persist/append b stream type at data)))
-          (begin (persist/kv-put b k ev) ev))))))

lib/persist/kv.sx

@@ -1,44 +0,0 @@
-; persist/kv — the kv facet: current-state values, no history. For things
-; whose history does NOT matter (stock counts, config, profiles, session
-; blobs) and where projections materialize their read models.
-; Requires: lib/persist/backend.sx.
-
-(define persist/kv-get (fn (b key) (persist/backend-kv-get b key)))
-(define
-  persist/kv-put
-  (fn (b key val) (begin (persist/backend-kv-put b key val) val)))
-(define persist/kv-delete (fn (b key) (persist/backend-kv-delete b key)))
-(define persist/kv-has? (fn (b key) (persist/backend-kv-has? b key)))
-(define persist/kv-keys (fn (b) (persist/backend-kv-keys b)))
-
-; get with a default when the key is absent
-(define
-  persist/kv-get-or
-  (fn
-    (b key dflt)
-    (if (persist/kv-has? b key) (persist/kv-get b key) dflt)))
-
-; read-modify-write: apply f to the current value (or dflt if absent), store result
-(define
-  persist/kv-update
-  (fn
-    (b key dflt f)
-    (persist/kv-put b key (f (persist/kv-get-or b key dflt)))))
-
-; compare-and-swap: set key to new ONLY if its current value equals expected.
-; Returns new on success, or a conflict value {:conflict true :expected :actual}
-; the caller can re-read and retry on. The kv analogue of log append-expect.
-(define
-  persist/kv-cas
-  (fn
-    (b key expected new)
-    (let
-      ((actual (persist/kv-get b key)))
-      (if (equal? actual expected) (persist/kv-put b key new) {:actual actual :expected expected :conflict true}))))
-
-; create-only: put a value only if the key is absent; conflict if it exists
-(define
-  persist/kv-put-new
-  (fn
-    (b key val)
-    (if (persist/kv-has? b key) {:actual (persist/kv-get b key) :conflict true :reason "exists"} (persist/kv-put b key val))))

lib/persist/log.sx

@@ -1,43 +0,0 @@
-; persist/log — the log facet: append-only event streams. seq is assigned from
-; a monotonic per-stream high-water mark (1-based) held by the backend, so it
-; keeps climbing even after the log prefix is compacted away. Reads return the
-; events currently stored, oldest-first.
-; Requires: lib/persist/event.sx, lib/persist/backend.sx.
-
-; logical last seq assigned in a stream (0 if none) — survives compaction
-(define
-  persist/last-seq
-  (fn (b stream) (persist/backend-last-seq b stream)))
-
-; number of events physically stored in a stream (shrinks on compaction)
-(define
-  persist/count
-  (fn (b stream) (len (persist/backend-read b stream))))
-
-; append an event, auto-assigning the next seq. Returns the stored event.
-(define
-  persist/append
-  (fn
-    (b stream type at data)
-    (let
-      ((seq (+ 1 (persist/last-seq b stream))))
-      (let
-        ((ev (persist/event stream seq type at data)))
-        (begin (persist/backend-append b stream ev) ev)))))
-
-; read all events currently stored in a stream, oldest-first
-(define persist/read (fn (b stream) (persist/backend-read b stream)))
-
-; read events with seq >= from
-(define
-  persist/read-from
-  (fn
-    (b stream from)
-    (filter
-      (fn (e) (>= (persist/event-seq e) from))
-      (persist/read b stream))))
-
-; drop events with seq <= n (compaction); the seq counter is untouched
-(define
-  persist/truncate
-  (fn (b stream n) (persist/backend-truncate b stream n)))

lib/persist/project.sx

@@ -1,30 +0,0 @@
-; persist/project — a projection folds a stream's events into a read model.
-; A projection state is {:value v :seq s} where s is the last seq folded in,
-; so a projection can resume incrementally from where it left off (replay only
-; the tail). step : (value event) -> value. Determinism: step must be pure —
-; time lives on the event (event-at), never a clock here.
-; Requires: lib/persist/event.sx, lib/persist/log.sx.
-
-; fold the tail (events with seq > prior's seq) onto a prior projection state
-(define
-  persist/project-resume
-  (fn
-    (b stream step prior)
-    (let
-      ((tail (persist/read-from b stream (+ 1 (get prior :seq)))))
-      (reduce (fn (acc e) {:value (step (get acc :value) e) :seq (persist/event-seq e)}) prior tail))))
-
-; project the whole stream from seed
-(define
-  persist/project
-  (fn (b stream step seed) (persist/project-resume b stream step {:value seed :seq 0})))
-
-(define persist/project-value (fn (p) (get p :value)))
-(define persist/project-seq (fn (p) (get p :seq)))
-
-; convenience: project and return just the value
-(define
-  persist/project-fold
-  (fn
-    (b stream step seed)
-    (persist/project-value (persist/project b stream step seed))))

lib/persist/query.sx

@@ -1,54 +0,0 @@
-; persist/query — read-side helpers over a stream: slice by seq range, filter by
-; timestamp / type / predicate. Pure reads composed from persist/read, no
-; backend changes. The log is bad at ad-hoc relational queries (project into a
-; kv read model for those) but these cover the common log scans: an audit window
-; by time, a type filter, a since-cursor for incremental consumers.
-; Requires: lib/persist/log.sx.
-
-; events with seq in [from, to] inclusive
-(define
-  persist/read-between
-  (fn
-    (b stream from to)
-    (filter
-      (fn
-        (e)
-        (and (>= (persist/event-seq e) from) (<= (persist/event-seq e) to)))
-      (persist/read b stream))))
-
-; events at or after a timestamp (events carry :at; never a clock here)
-(define
-  persist/read-since
-  (fn
-    (b stream at)
-    (filter (fn (e) (>= (persist/event-at e) at)) (persist/read b stream))))
-
-; events whose :at is in [from, to] inclusive — an audit window
-(define
-  persist/read-window
-  (fn
-    (b stream from to)
-    (filter
-      (fn
-        (e)
-        (and (>= (persist/event-at e) from) (<= (persist/event-at e) to)))
-      (persist/read b stream))))
-
-; events matching a predicate (e -> truthy)
-(define
-  persist/read-where
-  (fn (b stream pred) (filter pred (persist/read b stream))))
-
-; events of a given type
-(define
-  persist/read-by-type
-  (fn
-    (b stream type)
-    (filter
-      (fn (e) (equal? (persist/event-type e) type))
-      (persist/read b stream))))
-
-; count events matching a predicate
-(define
-  persist/count-where
-  (fn (b stream pred) (len (persist/read-where b stream pred))))

lib/persist/scoreboard.json

@@ -1,27 +0,0 @@
-{
-  "suites": {
-    "event": {"pass": 6, "fail": 0},
-    "log": {"pass": 9, "fail": 0},
-    "kv": {"pass": 13, "fail": 0},
-    "project": {"pass": 9, "fail": 0},
-    "subscribe": {"pass": 9, "fail": 0},
-    "concurrency": {"pass": 8, "fail": 0},
-    "snapshot": {"pass": 11, "fail": 0},
-    "compaction": {"pass": 11, "fail": 0},
-    "durable": {"pass": 15, "fail": 0},
-    "blob": {"pass": 14, "fail": 0},
-    "view": {"pass": 11, "fail": 0},
-    "cas": {"pass": 11, "fail": 0},
-    "catalog": {"pass": 10, "fail": 0},
-    "query": {"pass": 9, "fail": 0},
-    "batch": {"pass": 10, "fail": 0},
-    "upcast": {"pass": 9, "fail": 0},
-    "idempotency": {"pass": 9, "fail": 0},
-    "global": {"pass": 11, "fail": 0},
-    "example-acl": {"pass": 10, "fail": 0},
-    "recovery": {"pass": 6, "fail": 0}
-  },
-  "total_pass": 201,
-  "total_fail": 0,
-  "total": 201
-}

lib/persist/scoreboard.md

@@ -1,27 +0,0 @@
-# persist Conformance Scoreboard
-
-_Generated by `lib/persist/conformance.sh`_
-
-| Suite | Pass | Fail | Total |
-|-------|-----:|-----:|------:|
-| event | 6 | 0 | 6 |
-| log | 9 | 0 | 9 |
-| kv | 13 | 0 | 13 |
-| project | 9 | 0 | 9 |
-| subscribe | 9 | 0 | 9 |
-| concurrency | 8 | 0 | 8 |
-| snapshot | 11 | 0 | 11 |
-| compaction | 11 | 0 | 11 |
-| durable | 15 | 0 | 15 |
-| blob | 14 | 0 | 14 |
-| view | 11 | 0 | 11 |
-| cas | 11 | 0 | 11 |
-| catalog | 10 | 0 | 10 |
-| query | 9 | 0 | 9 |
-| batch | 10 | 0 | 10 |
-| upcast | 9 | 0 | 9 |
-| idempotency | 9 | 0 | 9 |
-| global | 11 | 0 | 11 |
-| example-acl | 10 | 0 | 10 |
-| recovery | 6 | 0 | 6 |
-| **Total** | **201** | **0** | **201** |

lib/persist/snapshot.sx

@@ -1,40 +0,0 @@
-; persist/snapshot — checkpoint a projection so a read model rebuilds as
-; snapshot + tail instead of a full replay. A snapshot is just a projection
-; state {:value :seq} stored in the kv facet under a namespaced key. The
-; headline property (tested both ways): snapshot + tail == full replay. Replay
-; is pure — it depends only on the stored snapshot and the log tail, never a
-; clock. Requires: lib/persist/project.sx, lib/persist/kv.sx.
-
-(define persist/snapshot-key (fn (name) (str "snapshot/" name)))
-
-; load the stored snapshot for name, or a fresh {:value seed :seq 0} if none
-(define
-  persist/snapshot-load
-  (fn
-    (b name seed)
-    (persist/kv-get-or b (persist/snapshot-key name) {:value seed :seq 0})))
-
-; store a projection state as the snapshot for name; returns the state
-(define
-  persist/snapshot-save
-  (fn (b name state) (persist/kv-put b (persist/snapshot-key name) state)))
-
-(define
-  persist/snapshot-exists?
-  (fn (b name) (persist/kv-has? b (persist/snapshot-key name))))
-
-; replay = snapshot + tail: load the snapshot then fold events after it
-(define
-  persist/replay
-  (fn
-    (b stream name step seed)
-    (persist/project-resume b stream step (persist/snapshot-load b name seed))))
-
-; replay then persist the new snapshot; returns the updated state
-(define
-  persist/checkpoint
-  (fn
-    (b stream name step seed)
-    (let
-      ((state (persist/replay b stream name step seed)))
-      (begin (persist/snapshot-save b name state) state))))

lib/persist/subscribe.sx

@@ -1,21 +0,0 @@
-; persist/subscribe — a subscription hub wraps a backend with per-stream
-; callbacks fired after each append. The canonical use: a callback re-runs a
-; projection (or bumps a kv counter) so read models update incrementally on
-; write instead of being recomputed on read.
-;   callback signature: (backend stream event) -> ignored
-; Publish goes through the hub; direct persist/append on the backend bypasses
-; subscribers by design (bulk loads, replay).
-; Requires: lib/persist/log.sx.
-
-(define persist/hub (fn (b) (let ((subs {})) {:subscriber-count (fn (stream) (let ((cs (get subs stream))) (if cs (len cs) 0))) :publish (fn (stream type at data) (let ((ev (persist/append b stream type at data))) (begin (for-each (fn (cb) (cb b stream ev)) (let ((cs (get subs stream))) (if cs cs (list)))) ev))) :subscribe (fn (stream cb) (let ((cur (get subs stream))) (set! subs (assoc subs stream (append (if cur cur (list)) cb))))) :backend b})))
-
-(define persist/hub-backend (fn (h) (get h :backend)))
-(define
-  persist/subscribe
-  (fn (h stream cb) ((get h :subscribe) stream cb)))
-(define
-  persist/publish
-  (fn (h stream type at data) ((get h :publish) stream type at data)))
-(define
-  persist/subscriber-count
-  (fn (h stream) ((get h :subscriber-count) stream)))

lib/persist/tests/batch.sx

@@ -1,122 +0,0 @@
-; Extension — atomic batch append: contiguous seqs, transactional all-or-nothing.
-
-(persist-test
-  "batch assigns contiguous seqs"
-  (let
-    ((b (persist/open)))
-    (let
-      ((evs (persist/append-batch b "s" (list (list "a" 0 {}) (list "b" 0 {}) (list "c" 0 {})))))
-      (list
-        (persist/event-seq (first evs))
-        (persist/event-seq (nth evs 2)))))
-  (list 1 3))
-(persist-test
-  "batch returns events in order"
-  (let
-    ((b (persist/open)))
-    (let
-      ((evs (persist/append-batch b "s" (list (list "a" 0 {}) (list "b" 0 {})))))
-      (list
-        (persist/event-type (first evs))
-        (persist/event-type (nth evs 1)))))
-  (list "a" "b"))
-(persist-test
-  "batch grows the stream by its size"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append-batch
-        b
-        "s"
-        (list
-          (list "a" 0 {})
-          (list "b" 0 {})
-          (list "c" 0 {})))
-      (persist/count b "s")))
-  3)
-(persist-test
-  "batch continues an existing stream"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s" "x" 0 {})
-      (let
-        ((evs (persist/append-batch b "s" (list (list "a" 0 {}) (list "b" 0 {})))))
-        (persist/event-seq (first evs)))))
-  2)
-(persist-test
-  "empty batch is a no-op"
-  (let
-    ((b (persist/open)))
-    (begin (persist/append-batch b "s" (list)) (persist/count b "s")))
-  0)
-(persist-test
-  "batch-expect with correct seq commits all"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append-batch-expect
-        b
-        "s"
-        0
-        (list
-          (list "a" 0 {})
-          (list "b" 0 {})))
-      (persist/count b "s")))
-  2)
-(persist-test
-  "batch-expect with stale seq writes nothing"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s" "x" 0 {})
-      (persist/append-batch-expect
-        b
-        "s"
-        0
-        (list
-          (list "a" 0 {})
-          (list "b" 0 {})))
-      (persist/count b "s")))
-  1)
-(persist-test
-  "batch-expect stale returns a conflict"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s" "x" 0 {})
-      (persist/conflict?
-        (persist/append-batch-expect
-          b
-          "s"
-          0
-          (list (list "a" 0 {}))))))
-  true)
-(persist-test
-  "batch data is preserved"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append-batch
-        b
-        "order"
-        (list
-          (list "placed" 0 {:id 1})
-          (list "line" 0 {:sku "x"})))
-      (get
-        (persist/event-data (nth (persist/read b "order") 1))
-        :sku)))
-  "x")
-(persist-test
-  "batch works on the durable backend"
-  (let
-    ((db (persist/mock-durable (persist/mem-backend))))
-    (begin
-      (persist/append-batch
-        db
-        "s"
-        (list
-          (list "a" 0 {})
-          (list "b" 0 {})))
-      (persist/last-seq db "s")))
-  2)

lib/persist/tests/blob.sx

@@ -1,112 +0,0 @@
-; Phase 4 — blob backend: store the ref, never the bytes. Bytes live in a
-; separate content-addressed store (mock here).
-
-(persist-test
-  "blob-ref carries cid"
-  (persist/blob-cid (persist/blob-ref "c1" 10 "image/png"))
-  "c1")
-(persist-test
-  "blob-ref carries size"
-  (persist/blob-size (persist/blob-ref "c1" 10 "image/png"))
-  10)
-(persist-test
-  "blob-ref carries mime"
-  (persist/blob-mime (persist/blob-ref "c1" 10 "image/png"))
-  "image/png")
-(persist-test
-  "blob-ref? true for a ref"
-  (persist/blob-ref? (persist/blob-ref "c1" 1 "x"))
-  true)
-(persist-test
-  "blob-ref? false for a plain dict"
-  (persist/blob-ref? {:n 1})
-  false)
-
-(persist-test
-  "store returns a ref, not the bytes"
-  (let
-    ((blob (persist/mock-blob (persist/mem-backend))))
-    (persist/blob-ref? (persist/blob-store blob "PNGDATA" "image/png")))
-  true)
-(persist-test
-  "store records the byte length as size"
-  (let
-    ((blob (persist/mock-blob (persist/mem-backend))))
-    (persist/blob-size (persist/blob-store blob "12345" "text/plain")))
-  5)
-(persist-test
-  "fetch round-trips the bytes via the ref"
-  (let
-    ((blob (persist/mock-blob (persist/mem-backend))))
-    (let
-      ((ref (persist/blob-store blob "PAYLOAD" "text/plain")))
-      (persist/blob-fetch blob ref)))
-  "PAYLOAD")
-(persist-test
-  "exists? true after store"
-  (let
-    ((blob (persist/mock-blob (persist/mem-backend))))
-    (let
-      ((ref (persist/blob-store blob "X" "text/plain")))
-      (persist/blob-exists? blob ref)))
-  true)
-(persist-test
-  "content addressing: same bytes dedupe to same cid"
-  (let
-    ((blob (persist/mock-blob (persist/mem-backend))))
-    (equal?
-      (persist/blob-cid (persist/blob-store blob "SAME" "text/plain"))
-      (persist/blob-cid (persist/blob-store blob "SAME" "text/plain"))))
-  true)
-(persist-test
-  "different bytes get different cids"
-  (let
-    ((blob (persist/mock-blob (persist/mem-backend))))
-    (equal?
-      (persist/blob-cid (persist/blob-store blob "A" "text/plain"))
-      (persist/blob-cid (persist/blob-store blob "B" "text/plain"))))
-  false)
-
-; ---------- the invariant: persist holds the ref, never the bytes ----------
-(persist-test
-  "a blob ref stored in kv is a ref"
-  (let
-    ((db (persist/mock-durable (persist/mem-backend)))
-      (blob (persist/mock-blob (persist/mem-backend))))
-    (begin
-      (persist/kv-put
-        db
-        "avatar"
-        (persist/blob-store blob "BIGIMAGE" "image/png"))
-      (persist/blob-ref? (persist/kv-get db "avatar"))))
-  true)
-(persist-test
-  "the kv value does not contain the bytes"
-  (let
-    ((db (persist/mock-durable (persist/mem-backend)))
-      (blob (persist/mock-blob (persist/mem-backend))))
-    (begin
-      (persist/kv-put
-        db
-        "avatar"
-        (persist/blob-store blob "BIGIMAGE" "image/png"))
-      (has-key? (persist/kv-get db "avatar") :bytes)))
-  false)
-(persist-test
-  "a blob ref stored in the log is a ref, bytes fetched separately"
-  (let
-    ((db (persist/mock-durable (persist/mem-backend)))
-      (store (persist/mem-backend)))
-    (let
-      ((blob (persist/mock-blob store)))
-      (begin
-        (persist/append
-          db
-          "uploads"
-          "added"
-          0
-          (persist/blob-store blob "FILEBYTES" "application/pdf"))
-        (let
-          ((ref (persist/event-data (first (persist/read db "uploads")))))
-          (list (persist/blob-ref? ref) (persist/blob-fetch blob ref))))))
-  (list true "FILEBYTES"))

lib/persist/tests/cas.sx

@@ -1,96 +0,0 @@
-; Extension — kv compare-and-swap: atomic current-state updates. Uses
-; persist/conflict? from concurrency.sx.
-
-(persist-test
-  "cas on absent key with nil expected succeeds"
-  (let ((b (persist/open))) (persist/kv-cas b "k" nil 1))
-  1)
-(persist-test
-  "cas with matching expected succeeds"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/kv-put b "k" 5)
-      (persist/kv-cas b "k" 5 6)
-      (persist/kv-get b "k")))
-  6)
-(persist-test
-  "cas with stale expected returns a conflict"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/kv-put b "k" 5)
-      (persist/conflict? (persist/kv-cas b "k" 4 6))))
-  true)
-(persist-test
-  "a conflicting cas does not write"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/kv-put b "k" 5)
-      (persist/kv-cas b "k" 4 6)
-      (persist/kv-get b "k")))
-  5)
-(persist-test
-  "cas conflict carries expected and actual"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/kv-put b "k" 5)
-      (let
-        ((r (persist/kv-cas b "k" 4 6)))
-        (list (persist/conflict-expected r) (persist/conflict-actual r)))))
-  (list 4 5))
-(persist-test
-  "two cas racers: first wins, second conflicts"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/kv-put b "stock" 10)
-      (persist/kv-cas b "stock" 10 9)
-      (persist/conflict? (persist/kv-cas b "stock" 10 9))))
-  true)
-(persist-test
-  "retry after cas conflict succeeds"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/kv-put b "stock" 10)
-      (persist/kv-cas b "stock" 10 9)
-      (let
-        ((r (persist/kv-cas b "stock" 10 9)))
-        (if
-          (persist/conflict? r)
-          (persist/kv-cas b "stock" (persist/conflict-actual r) 8)
-          r))))
-  8)
-(persist-test
-  "put-new on absent key succeeds"
-  (let ((b (persist/open))) (persist/kv-put-new b "k" 1))
-  1)
-(persist-test
-  "put-new on existing key conflicts"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/kv-put b "k" 1)
-      (persist/conflict? (persist/kv-put-new b "k" 2))))
-  true)
-(persist-test
-  "put-new does not overwrite"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/kv-put b "k" 1)
-      (persist/kv-put-new b "k" 2)
-      (persist/kv-get b "k")))
-  1)
-(persist-test
-  "cas works on the durable backend"
-  (let
-    ((db (persist/mock-durable (persist/mem-backend))))
-    (begin
-      (persist/kv-put db "k" 1)
-      (persist/kv-cas db "k" 1 2)
-      (persist/kv-get db "k")))
-  2)

lib/persist/tests/catalog.sx

@@ -1,86 +0,0 @@
-; Extension — stream catalog: enumerate streams, count, existence, totals.
-
-(persist-test
-  "empty backend has no streams"
-  (persist/stream-count (persist/open))
-  0)
-(persist-test
-  "stream-exists? false when absent"
-  (persist/stream-exists? (persist/open) "orders")
-  false)
-(persist-test
-  "append registers a stream"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "orders" "x" 0 {})
-      (persist/stream-exists? b "orders")))
-  true)
-(persist-test
-  "stream-count counts distinct streams"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "a" "x" 0 {})
-      (persist/append b "b" "x" 0 {})
-      (persist/append b "a" "x" 0 {})
-      (persist/stream-count b)))
-  2)
-(persist-test
-  "compacted-away stream still lists"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "a" "x" 0 {})
-      (persist/checkpoint b "a" "snap" (fn (acc e) acc) 0)
-      (persist/truncate b "a" 1)
-      (list (persist/count b "a") (persist/stream-exists? b "a"))))
-  (list 0 true))
-(persist-test
-  "kv-only backend lists no streams"
-  (let
-    ((b (persist/open)))
-    (begin (persist/kv-put b "k" 1) (persist/stream-count b)))
-  0)
-(persist-test
-  "total-events sums high-water marks"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "a" "x" 0 {})
-      (persist/append b "a" "x" 0 {})
-      (persist/append b "b" "x" 0 {})
-      (persist/total-events b)))
-  3)
-(persist-test
-  "total-events counts compacted events too"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "a" "x" 0 {})
-      (persist/append b "a" "x" 0 {})
-      (persist/checkpoint b "a" "snap" (fn (acc e) acc) 0)
-      (persist/truncate b "a" 2)
-      (persist/total-events b)))
-  2)
-(persist-test
-  "catalog works on the durable backend"
-  (let
-    ((db (persist/mock-durable (persist/mem-backend))))
-    (begin
-      (persist/append db "a" "x" 0 {})
-      (persist/append db "b" "x" 0 {})
-      (persist/stream-count db)))
-  2)
-(persist-test
-  "catalog survives restart"
-  (let
-    ((disk (persist/mem-backend)))
-    (begin
-      (let
-        ((db (persist/mock-durable disk)))
-        (begin
-          (persist/append db "a" "x" 0 {})
-          (persist/append db "b" "x" 0 {})))
-      (persist/stream-count (persist/mock-durable disk))))
-  2)

lib/persist/tests/compaction.sx

@@ -1,124 +0,0 @@
-; Phase 3 — compaction: drop the snapshotted prefix; replay determinism holds.
-
-(define comp-count (fn (acc e) (+ acc 1)))
-
-(persist-test
-  "uncompacted counts events since snapshot"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s" "x" 0 {})
-      (persist/append b "s" "x" 0 {})
-      (persist/uncompacted b "s" "snap" 0)))
-  2)
-(persist-test
-  "should-compact? false below threshold"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s" "x" 0 {})
-      (persist/should-compact? b "s" "snap" 3 0)))
-  false)
-(persist-test
-  "should-compact? true at threshold"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s" "x" 0 {})
-      (persist/append b "s" "x" 0 {})
-      (persist/append b "s" "x" 0 {})
-      (persist/should-compact? b "s" "snap" 3 0)))
-  true)
-(persist-test
-  "compact truncates the snapshotted prefix"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s" "x" 0 {})
-      (persist/append b "s" "x" 0 {})
-      (persist/append b "s" "x" 0 {})
-      (persist/compact b "s" "snap" comp-count 0)
-      (persist/count b "s")))
-  0)
-(persist-test
-  "compact preserves logical last-seq"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s" "x" 0 {})
-      (persist/append b "s" "x" 0 {})
-      (persist/compact b "s" "snap" comp-count 0)
-      (persist/last-seq b "s")))
-  2)
-(persist-test
-  "append after compaction continues the seq"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s" "x" 0 {})
-      (persist/append b "s" "x" 0 {})
-      (persist/compact b "s" "snap" comp-count 0)
-      (persist/event-seq (persist/append b "s" "x" 0 {}))))
-  3)
-(persist-test
-  "replay after compaction == full count before compaction"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s" "x" 0 {})
-      (persist/append b "s" "x" 0 {})
-      (persist/append b "s" "x" 0 {})
-      (persist/compact b "s" "snap" comp-count 0)
-      (persist/append b "s" "x" 0 {})
-      (persist/append b "s" "x" 0 {})
-      (persist/project-value
-        (persist/replay b "s" "snap" comp-count 0))))
-  5)
-(persist-test
-  "determinism: post-compaction replay value equals uncompacted full replay"
-  (let
-    ((b (persist/open)) (c (persist/open)))
-    (begin
-      (persist/append b "s" "x" 0 {})
-      (persist/append b "s" "x" 0 {})
-      (persist/append b "s" "x" 0 {})
-      (persist/append c "s" "x" 0 {})
-      (persist/append c "s" "x" 0 {})
-      (persist/append c "s" "x" 0 {})
-      (persist/compact b "s" "snap" comp-count 0)
-      (persist/append b "s" "x" 0 {})
-      (persist/append c "s" "x" 0 {})
-      (equal?
-        (persist/project-value
-          (persist/replay b "s" "snap" comp-count 0))
-        (persist/project-fold c "s" comp-count 0))))
-  true)
-(persist-test
-  "maybe-compact below threshold does not truncate"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s" "x" 0 {})
-      (persist/maybe-compact b "s" "snap" comp-count 0 5)
-      (persist/count b "s")))
-  1)
-(persist-test
-  "maybe-compact at threshold truncates"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s" "x" 0 {})
-      (persist/append b "s" "x" 0 {})
-      (persist/maybe-compact b "s" "snap" comp-count 0 2)
-      (persist/count b "s")))
-  0)
-(persist-test
-  "compact is idempotent on an empty tail"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s" "x" 0 {})
-      (persist/compact b "s" "snap" comp-count 0)
-      (persist/project-value
-        (persist/compact b "s" "snap" comp-count 0))))
-  1)

lib/persist/tests/concurrency.sx

@@ -1,96 +0,0 @@
-; Phase 2 — optimistic concurrency: conflict is a real result, not a crash.
-
-(persist-test
-  "append-expect 0 on empty stream succeeds"
-  (persist/event-seq
-    (persist/append-expect
-      (persist/open)
-      "s"
-      0
-      "x"
-      0
-      {}))
-  1)
-(persist-test
-  "append-expect with correct seq succeeds"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s" "x" 0 {})
-      (persist/event-seq
-        (persist/append-expect b "s" 1 "x" 0 {}))))
-  2)
-(persist-test
-  "append-expect with stale seq returns a conflict"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s" "x" 0 {})
-      (persist/append b "s" "x" 0 {})
-      (persist/conflict?
-        (persist/append-expect b "s" 1 "x" 0 {}))))
-  true)
-(persist-test
-  "a successful append is not a conflict"
-  (persist/conflict?
-    (persist/append-expect
-      (persist/open)
-      "s"
-      0
-      "x"
-      0
-      {}))
-  false)
-(persist-test
-  "conflict carries expected and actual"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s" "x" 0 {})
-      (persist/append b "s" "x" 0 {})
-      (let
-        ((r (persist/append-expect b "s" 0 "x" 0 {})))
-        (list (persist/conflict-expected r) (persist/conflict-actual r)))))
-  (list 0 2))
-(persist-test
-  "a conflicting append does not write"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s" "x" 0 {})
-      (persist/append-expect b "s" 0 "x" 0 {})
-      (persist/count b "s")))
-  1)
-(persist-test
-  "two writers: first wins, second conflicts"
-  (let
-    ((b (persist/open)))
-    (let
-      ((seen (persist/last-seq b "s")))
-      (begin
-        (persist/append-expect b "s" seen "x" 0 {:who "A"})
-        (persist/conflict?
-          (persist/append-expect b "s" seen "x" 0 {:who "B"})))))
-  true)
-(persist-test
-  "retry after conflict succeeds"
-  (let
-    ((b (persist/open)))
-    (let
-      ((seen (persist/last-seq b "s")))
-      (begin
-        (persist/append-expect b "s" seen "x" 0 {:who "A"})
-        (let
-          ((r (persist/append-expect b "s" seen "x" 0 {:who "B"})))
-          (if
-            (persist/conflict? r)
-            (persist/event-seq
-              (persist/append-expect
-                b
-                "s"
-                (persist/conflict-actual r)
-                "x"
-                0
-                {:who "B"}))
-            (persist/event-seq r))))))
-  2)

lib/persist/tests/durable.sx

@@ -1,163 +0,0 @@
-; Phase 4 — durable backend over the IO-suspension boundary, tested with a mock
-; transport (the mock-IO harness for the durable protocol). The whole facet
-; stack must run unchanged on mock-durable, and a "crash/restart" (drop the
-; backend, keep the disk) must recover state by replay.
-
-(define dur-count (fn (acc e) (+ acc 1)))
-
-; ---------- request encoders ----------
-(persist-test
-  "req-append encodes op + args"
-  (persist/req-append "s" {:k 1})
-  {:op "persist/append" :args (list "s" {:k 1})})
-(persist-test
-  "req-kv-put encodes op + args"
-  (persist/req-kv-put "k" 7)
-  {:op "persist/kv-put" :args (list "k" 7)})
-
-; ---------- serve round-trips against a disk ----------
-(persist-test
-  "serve append then serve read"
-  (let
-    ((disk (persist/mem-backend)))
-    (begin
-      (persist/serve
-        disk
-        (persist/req-append
-          "s"
-          (persist/event "s" 1 "x" 0 {:n 1})))
-      (get
-        (persist/event-data
-          (first (persist/serve disk (persist/req-read "s"))))
-        :n)))
-  1)
-(persist-test
-  "serve kv-put then kv-get"
-  (let
-    ((disk (persist/mem-backend)))
-    (begin
-      (persist/serve disk (persist/req-kv-put "k" 42))
-      (persist/serve disk (persist/req-kv-get "k"))))
-  42)
-(persist-test
-  "serve unknown op is a clear error"
-  (let
-    ((disk (persist/mem-backend)))
-    (guard (e (true "errored")) (persist/serve disk {:op "persist/bogus" :args (list)})))
-  "errored")
-
-; ---------- full facet stack on mock-durable ----------
-(persist-test
-  "log facet works on mock-durable"
-  (let
-    ((db (persist/mock-durable (persist/mem-backend))))
-    (begin
-      (persist/append db "s" "x" 0 {})
-      (persist/append db "s" "x" 0 {})
-      (persist/count db "s")))
-  2)
-(persist-test
-  "seq assignment works on mock-durable"
-  (let
-    ((db (persist/mock-durable (persist/mem-backend))))
-    (begin
-      (persist/append db "s" "x" 0 {})
-      (persist/event-seq (persist/append db "s" "x" 0 {}))))
-  2)
-(persist-test
-  "kv facet works on mock-durable"
-  (let
-    ((db (persist/mock-durable (persist/mem-backend))))
-    (begin (persist/kv-put db "k" 5) (persist/kv-get db "k")))
-  5)
-(persist-test
-  "projection works on mock-durable"
-  (let
-    ((db (persist/mock-durable (persist/mem-backend))))
-    (begin
-      (persist/append db "s" "x" 0 {})
-      (persist/append db "s" "x" 0 {})
-      (persist/append db "s" "x" 0 {})
-      (persist/project-fold db "s" dur-count 0)))
-  3)
-(persist-test
-  "snapshot + replay work on mock-durable"
-  (let
-    ((db (persist/mock-durable (persist/mem-backend))))
-    (begin
-      (persist/append db "s" "x" 0 {})
-      (persist/append db "s" "x" 0 {})
-      (persist/checkpoint db "s" "snap" dur-count 0)
-      (persist/append db "s" "x" 0 {})
-      (persist/project-value
-        (persist/replay db "s" "snap" dur-count 0))))
-  3)
-(persist-test
-  "compaction works on mock-durable"
-  (let
-    ((db (persist/mock-durable (persist/mem-backend))))
-    (begin
-      (persist/append db "s" "x" 0 {})
-      (persist/append db "s" "x" 0 {})
-      (persist/compact db "s" "snap" dur-count 0)
-      (list (persist/count db "s") (persist/last-seq db "s"))))
-  (list 0 2))
-
-; ---------- crash / restart replay ----------
-(persist-test
-  "restart recovers log state from the disk"
-  (let
-    ((disk (persist/mem-backend)))
-    (begin
-      (let
-        ((db (persist/mock-durable disk)))
-        (begin
-          (persist/append db "s" "x" 0 {})
-          (persist/append db "s" "x" 0 {})))
-      (let
-        ((db2 (persist/mock-durable disk)))
-        (persist/project-fold db2 "s" dur-count 0))))
-  2)
-(persist-test
-  "restart continues the seq counter"
-  (let
-    ((disk (persist/mem-backend)))
-    (begin
-      (let
-        ((db (persist/mock-durable disk)))
-        (begin
-          (persist/append db "s" "x" 0 {})
-          (persist/append db "s" "x" 0 {})))
-      (let
-        ((db2 (persist/mock-durable disk)))
-        (persist/event-seq (persist/append db2 "s" "x" 0 {})))))
-  3)
-(persist-test
-  "restart recovers a kv value"
-  (let
-    ((disk (persist/mem-backend)))
-    (begin
-      (let
-        ((db (persist/mock-durable disk)))
-        (persist/kv-put db "cfg" "on"))
-      (let ((db2 (persist/mock-durable disk))) (persist/kv-get db2 "cfg"))))
-  "on")
-(persist-test
-  "restart from snapshot equals full replay"
-  (let
-    ((disk (persist/mem-backend)))
-    (begin
-      (let
-        ((db (persist/mock-durable disk)))
-        (begin
-          (persist/append db "s" "x" 0 {})
-          (persist/append db "s" "x" 0 {})
-          (persist/checkpoint db "s" "snap" dur-count 0)
-          (persist/append db "s" "x" 0 {})))
-      (let
-        ((db2 (persist/mock-durable disk)))
-        (equal?
-          (persist/project-value
-            (persist/replay db2 "s" "snap" dur-count 0))
-          (persist/project-fold db2 "s" dur-count 0)))))
-  true)

lib/persist/tests/event.sx

@@ -1,30 +0,0 @@
-; Phase 1 — event record accessors. Uses the persist-test harness
-; (persist-test name got expected) provided by conformance.sh.
-
-(persist-test
-  "event-stream"
-  (persist/event-stream
-    (persist/event "s" 1 "t" 0 {}))
-  "s")
-(persist-test
-  "event-seq"
-  (persist/event-seq (persist/event "s" 3 "t" 0 {}))
-  3)
-(persist-test
-  "event-type"
-  (persist/event-type
-    (persist/event "s" 1 "create" 0 {}))
-  "create")
-(persist-test
-  "event-at"
-  (persist/event-at (persist/event "s" 1 "t" 42 {}))
-  42)
-(persist-test
-  "event-data"
-  (persist/event-data
-    (persist/event "s" 1 "t" 0 {:x 9}))
-  {:x 9})
-(persist-test
-  "event is a dict with all fields"
-  (len (keys (persist/event "s" 1 "t" 0 {})))
-  5)

lib/persist/tests/example-acl.sx

@@ -1,104 +0,0 @@
-; Reference migration — acl grants on persist. Proves the AFTER behaviour,
-; including the capabilities the hand-rolled BEFORE version could not provide
-; (durability across restart + an audit trail).
-
-(persist-test
-  "grant then can?"
-  (let
-    ((b (persist/open)))
-    (begin
-      (acl/grant b "doc-1" "alice" 0)
-      (acl/can? b "doc-1" "alice")))
-  true)
-(persist-test
-  "no grant means no access"
-  (acl/can? (persist/open) "doc-1" "alice")
-  false)
-(persist-test
-  "revoke removes access"
-  (let
-    ((b (persist/open)))
-    (begin
-      (acl/grant b "doc-1" "alice" 0)
-      (acl/revoke b "doc-1" "alice" 1)
-      (acl/can? b "doc-1" "alice")))
-  false)
-(persist-test
-  "multiple principals tracked independently"
-  (let
-    ((b (persist/open)))
-    (begin
-      (acl/grant b "doc-1" "alice" 0)
-      (acl/grant b "doc-1" "bob" 1)
-      (acl/revoke b "doc-1" "alice" 2)
-      (list (acl/can? b "doc-1" "alice") (acl/can? b "doc-1" "bob"))))
-  (list false true))
-(persist-test
-  "granting twice is idempotent in the set"
-  (let
-    ((b (persist/open)))
-    (begin
-      (acl/grant b "doc-1" "alice" 0)
-      (acl/grant b "doc-1" "alice" 1)
-      (len (acl/grants b "doc-1"))))
-  1)
-(persist-test
-  "grants on different resources are isolated"
-  (let
-    ((b (persist/open)))
-    (begin
-      (acl/grant b "doc-1" "alice" 0)
-      (acl/grant b "doc-2" "bob" 0)
-      (list (acl/can? b "doc-1" "bob") (acl/can? b "doc-2" "bob"))))
-  (list false true))
-(persist-test
-  "audit window answers when-was-it-granted (new capability)"
-  (let
-    ((b (persist/open)))
-    (begin
-      (acl/grant b "doc-1" "alice" 100)
-      (acl/revoke b "doc-1" "alice" 200)
-      (acl/grant b "doc-1" "bob" 300)
-      (len (acl/audit-window b "doc-1" 150 300))))
-  2)
-(persist-test
-  "materialized view stays current on publish"
-  (let
-    ((b (persist/open)))
-    (let
-      ((h (persist/view-attach (persist/hub b) (acl/view "doc-1"))))
-      (begin
-        (persist/publish
-          h
-          (acl/stream "doc-1")
-          "granted"
-          0
-          {:principal "alice"})
-        (acl/can-fast? b "doc-1" "alice"))))
-  true)
-(persist-test
-  "grants survive restart on the durable backend (the headline win)"
-  (let
-    ((disk (persist/mem-backend)))
-    (begin
-      (let
-        ((db (persist/mock-durable disk)))
-        (begin
-          (acl/grant db "doc-1" "alice" 0)
-          (acl/grant db "doc-1" "bob" 1)))
-      (let
-        ((db2 (persist/mock-durable disk)))
-        (list (acl/can? db2 "doc-1" "alice") (acl/can? db2 "doc-1" "bob")))))
-  (list true true))
-(persist-test
-  "revoke before restart is still revoked after"
-  (let
-    ((disk (persist/mem-backend)))
-    (begin
-      (let
-        ((db (persist/mock-durable disk)))
-        (begin
-          (acl/grant db "doc-1" "alice" 0)
-          (acl/revoke db "doc-1" "alice" 1)))
-      (acl/can? (persist/mock-durable disk) "doc-1" "alice")))
-  false)

lib/persist/tests/global.sx

@@ -1,123 +0,0 @@
-; Extension — global commit ordering across streams.
-
-(persist-test
-  "gappend returns the stream event with its local seq"
-  (let
-    ((b (persist/open)))
-    (persist/event-seq
-      (persist/gappend b "orders" "placed" 0 {})))
-  1)
-(persist-test
-  "global-pos advances per gappend regardless of stream"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/gappend b "orders" "placed" 0 {})
-      (persist/gappend b "users" "joined" 0 {})
-      (persist/gappend b "orders" "placed" 0 {})
-      (persist/global-pos b)))
-  3)
-(persist-test
-  "read-global returns events in commit order across streams"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/gappend b "orders" "placed" 0 {:n 1})
-      (persist/gappend b "users" "joined" 0 {:n 2})
-      (persist/gappend b "orders" "placed" 0 {:n 3})
-      (let
-        ((g (persist/read-global b)))
-        (list
-          (get (persist/event-data (nth g 0)) :n)
-          (get (persist/event-data (nth g 1)) :n)
-          (get (persist/event-data (nth g 2)) :n)))))
-  (list 1 2 3))
-(persist-test
-  "read-global resolves to the right streams"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/gappend b "orders" "placed" 0 {})
-      (persist/gappend b "users" "joined" 0 {})
-      (let
-        ((g (persist/read-global b)))
-        (list
-          (persist/event-stream (nth g 0))
-          (persist/event-stream (nth g 1))))))
-  (list "orders" "users"))
-(persist-test
-  "project-global folds across all streams in order"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/gappend b "a" "x" 0 {:v 10})
-      (persist/gappend b "b" "x" 0 {:v 20})
-      (persist/gappend b "a" "x" 0 {:v 30})
-      (persist/project-global
-        b
-        (fn (acc e) (+ acc (get (persist/event-data e) :v)))
-        0)))
-  60)
-(persist-test
-  "global index is hidden from the public catalog"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/gappend b "orders" "placed" 0 {})
-      (persist/gappend b "users" "joined" 0 {})
-      (list (persist/stream-count b) (persist/stream-exists? b "$global"))))
-  (list 2 false))
-(persist-test
-  "streams-all reveals the reserved index"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/gappend b "orders" "placed" 0 {})
-      (contains? (persist/streams-all b) "$global")))
-  true)
-(persist-test
-  "global-from gives pointers at or after a position"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/gappend b "a" "x" 0 {})
-      (persist/gappend b "a" "x" 0 {})
-      (persist/gappend b "a" "x" 0 {})
-      (len (persist/global-from b 2))))
-  2)
-(persist-test
-  "plain append does not touch the global index"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "orders" "placed" 0 {})
-      (persist/gappend b "orders" "placed" 0 {})
-      (persist/global-pos b)))
-  1)
-(persist-test
-  "global ordering works on the durable backend"
-  (let
-    ((db (persist/mock-durable (persist/mem-backend))))
-    (begin
-      (persist/gappend db "a" "x" 0 {:v 1})
-      (persist/gappend db "b" "x" 0 {:v 2})
-      (persist/project-global
-        db
-        (fn (acc e) (+ acc (get (persist/event-data e) :v)))
-        0)))
-  3)
-(persist-test
-  "global order survives restart (determinism)"
-  (let
-    ((disk (persist/mem-backend)))
-    (begin
-      (let
-        ((db (persist/mock-durable disk)))
-        (begin
-          (persist/gappend db "a" "x" 0 {:v 1})
-          (persist/gappend db "b" "x" 0 {:v 2})))
-      (persist/project-global
-        (persist/mock-durable disk)
-        (fn (acc e) (+ acc (get (persist/event-data e) :v)))
-        0)))
-  3)

lib/persist/tests/idempotency.sx

@@ -1,92 +0,0 @@
-; Extension — exactly-once append under retries.
-
-(persist-test
-  "seen? false before first append"
-  (persist/seen? (persist/open) "orders" "cmd-1")
-  false)
-(persist-test
-  "append-once appends on first use"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append-once b "orders" "cmd-1" "placed" 0 {})
-      (persist/count b "orders")))
-  1)
-(persist-test
-  "seen? true after first append"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append-once b "orders" "cmd-1" "placed" 0 {})
-      (persist/seen? b "orders" "cmd-1")))
-  true)
-(persist-test
-  "repeat with same key does not append again"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append-once b "orders" "cmd-1" "placed" 0 {})
-      (persist/append-once b "orders" "cmd-1" "placed" 0 {})
-      (persist/append-once b "orders" "cmd-1" "placed" 0 {})
-      (persist/count b "orders")))
-  1)
-(persist-test
-  "repeat returns the same event (same seq)"
-  (let
-    ((b (persist/open)))
-    (let
-      ((e1 (persist/append-once b "orders" "cmd-1" "placed" 0 {})))
-      (persist/event-seq
-        (persist/append-once b "orders" "cmd-1" "placed" 0 {}))))
-  1)
-(persist-test
-  "different keys append separately"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append-once b "orders" "cmd-1" "placed" 0 {})
-      (persist/append-once b "orders" "cmd-2" "placed" 0 {})
-      (persist/count b "orders")))
-  2)
-(persist-test
-  "idempotency is per-stream"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append-once b "a" "cmd-1" "x" 0 {})
-      (persist/append-once b "b" "cmd-1" "x" 0 {})
-      (list (persist/count b "a") (persist/count b "b"))))
-  (list 1 1))
-(persist-test
-  "stored data is preserved on first append"
-  (let
-    ((b (persist/open)))
-    (get
-      (persist/event-data
-        (persist/append-once b "s" "k" "x" 0 {:n 9}))
-      :n))
-  9)
-(persist-test
-  "idempotency survives restart on the durable backend"
-  (let
-    ((disk (persist/mem-backend)))
-    (begin
-      (persist/append-once
-        (persist/mock-durable disk)
-        "orders"
-        "cmd-1"
-        "placed"
-        0
-        {})
-      (let
-        ((db2 (persist/mock-durable disk)))
-        (begin
-          (persist/append-once
-            db2
-            "orders"
-            "cmd-1"
-            "placed"
-            0
-            {})
-          (persist/count db2 "orders")))))
-  1)

lib/persist/tests/kv.sx

@@ -1,86 +0,0 @@
-; Phase 1 — kv facet: get/put/delete/has?/keys, get-or, update.
-
-(persist-test "absent key reads nil" (persist/kv-get (persist/open) "x") nil)
-(persist-test
-  "has? false when absent"
-  (persist/kv-has? (persist/open) "x")
-  false)
-(persist-test
-  "put then get"
-  (let
-    ((b (persist/open)))
-    (begin (persist/kv-put b "x" 7) (persist/kv-get b "x")))
-  7)
-(persist-test
-  "put returns value"
-  (let ((b (persist/open))) (persist/kv-put b "x" 9))
-  9)
-(persist-test
-  "has? true after put"
-  (let
-    ((b (persist/open)))
-    (begin (persist/kv-put b "x" 1) (persist/kv-has? b "x")))
-  true)
-(persist-test
-  "put overwrites"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/kv-put b "x" 1)
-      (persist/kv-put b "x" 2)
-      (persist/kv-get b "x")))
-  2)
-(persist-test
-  "delete removes key"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/kv-put b "x" 1)
-      (persist/kv-delete b "x")
-      (persist/kv-has? b "x")))
-  false)
-(persist-test
-  "delete then get is nil"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/kv-put b "x" 1)
-      (persist/kv-delete b "x")
-      (persist/kv-get b "x")))
-  nil)
-(persist-test
-  "keys lists stored keys"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/kv-put b "a" 1)
-      (persist/kv-put b "b" 2)
-      (len (persist/kv-keys b))))
-  2)
-(persist-test
-  "get-or returns default when absent"
-  (persist/kv-get-or (persist/open) "x" 99)
-  99)
-(persist-test
-  "get-or returns value when present"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/kv-put b "x" 5)
-      (persist/kv-get-or b "x" 99)))
-  5)
-(persist-test
-  "kv-update applies fn over default"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/kv-update b "n" 0 (fn (v) (+ v 1)))
-      (persist/kv-update b "n" 0 (fn (v) (+ v 1)))
-      (persist/kv-get b "n")))
-  2)
-(persist-test
-  "kv facet does not touch log"
-  (let
-    ((b (persist/open)))
-    (begin (persist/kv-put b "x" 1) (persist/count b "x")))
-  0)

lib/persist/tests/log.sx

@@ -1,81 +0,0 @@
-; Phase 1 — log facet: append/read/read-from, sequential seq, stream isolation.
-; Note: map returns an array-backed list not equal? to a (list ...) literal,
-; so assertions build their compared list with list/nth, not map.
-
-(persist-test
-  "empty stream reads empty"
-  (len (persist/read (persist/open) "orders"))
-  0)
-(persist-test
-  "last-seq empty is 0"
-  (persist/last-seq (persist/open) "orders")
-  0)
-(persist-test
-  "append returns event with seq 1"
-  (persist/event-seq
-    (persist/append (persist/open) "orders" "placed" 0 {:id 1}))
-  1)
-(persist-test
-  "append assigns sequential seqs"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "orders" "placed" 0 {})
-      (persist/append b "orders" "placed" 1 {})
-      (persist/event-seq
-        (persist/append b "orders" "placed" 2 {}))))
-  3)
-(persist-test
-  "read returns events oldest-first"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s" "a" 0 {:n 1})
-      (persist/append b "s" "b" 0 {:n 2})
-      (let
-        ((es (persist/read b "s")))
-        (list
-          (get (persist/event-data (nth es 0)) :n)
-          (get (persist/event-data (nth es 1)) :n)))))
-  (list 1 2))
-(persist-test
-  "count tracks appends"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s" "a" 0 {})
-      (persist/append b "s" "a" 0 {})
-      (persist/count b "s")))
-  2)
-(persist-test
-  "streams are isolated"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s1" "a" 0 {})
-      (persist/append b "s2" "a" 0 {})
-      (persist/append b "s2" "a" 0 {})
-      (list (persist/count b "s1") (persist/count b "s2"))))
-  (list 1 2))
-(persist-test
-  "read-from filters by seq"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s" "a" 0 {})
-      (persist/append b "s" "a" 0 {})
-      (persist/append b "s" "a" 0 {})
-      (let
-        ((es (persist/read-from b "s" 2)))
-        (list
-          (persist/event-seq (nth es 0))
-          (persist/event-seq (nth es 1))))))
-  (list 2 3))
-(persist-test
-  "read-from past end is empty"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s" "a" 0 {})
-      (len (persist/read-from b "s" 5))))
-  0)

lib/persist/tests/project.sx

@@ -1,115 +0,0 @@
-; Phase 2 — projections: fold a stream into a read model, resume incrementally.
-
-(persist-test
-  "project empty stream returns seed value"
-  (persist/project-fold
-    (persist/open)
-    "s"
-    (fn (acc e) (+ acc 1))
-    0)
-  0)
-(persist-test
-  "project empty stream seq is 0"
-  (persist/project-seq
-    (persist/project (persist/open) "s" (fn (a e) a) 0))
-  0)
-(persist-test
-  "project counts events"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s" "x" 0 {})
-      (persist/append b "s" "x" 0 {})
-      (persist/append b "s" "x" 0 {})
-      (persist/project-fold
-        b
-        "s"
-        (fn (acc e) (+ acc 1))
-        0)))
-  3)
-(persist-test
-  "project sums event data"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "ledger" "credit" 0 {:amt 10})
-      (persist/append b "ledger" "credit" 1 {:amt 5})
-      (persist/append b "ledger" "debit" 2 {:amt 3})
-      (persist/project-fold
-        b
-        "ledger"
-        (fn
-          (bal e)
-          (if
-            (equal? (persist/event-type e) "credit")
-            (+ bal (get (persist/event-data e) :amt))
-            (- bal (get (persist/event-data e) :amt))))
-        0)))
-  12)
-(persist-test
-  "project tracks last seq"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s" "x" 0 {})
-      (persist/append b "s" "x" 0 {})
-      (persist/project-seq (persist/project b "s" (fn (a e) a) 0))))
-  2)
-(persist-test
-  "resume folds only the tail"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s" "x" 0 {})
-      (persist/append b "s" "x" 0 {})
-      (let
-        ((p1 (persist/project b "s" (fn (acc e) (+ acc 1)) 0)))
-        (begin
-          (persist/append b "s" "x" 0 {})
-          (persist/project-value
-            (persist/project-resume
-              b
-              "s"
-              (fn (acc e) (+ acc 1))
-              p1))))))
-  3)
-(persist-test
-  "resume with no new events is a no-op"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s" "x" 0 {})
-      (let
-        ((p1 (persist/project b "s" (fn (acc e) (+ acc 1)) 0)))
-        (persist/project-value
-          (persist/project-resume b "s" (fn (acc e) (+ acc 1)) p1)))))
-  1)
-(persist-test
-  "resume advances seq"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s" "x" 0 {})
-      (let
-        ((p1 (persist/project b "s" (fn (a e) a) 0)))
-        (begin
-          (persist/append b "s" "x" 0 {})
-          (persist/append b "s" "x" 0 {})
-          (persist/project-seq
-            (persist/project-resume b "s" (fn (a e) a) p1))))))
-  3)
-(persist-test
-  "full project equals seed-resume from zero"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s" "x" 0 {})
-      (persist/append b "s" "x" 0 {})
-      (equal?
-        (persist/project b "s" (fn (acc e) (+ acc 1)) 0)
-        (persist/project-resume
-          b
-          "s"
-          (fn (acc e) (+ acc 1))
-          {:value 0 :seq 0}))))
-  true)

lib/persist/tests/query.sx

@@ -1,101 +0,0 @@
-; Extension — read-side query helpers. Assertions count / index, not map vs list.
-
-(define q-seqs (fn (es) (map persist/event-seq es)))
-
-(persist-test
-  "read-between slices a seq range"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s" "x" 0 {})
-      (persist/append b "s" "x" 0 {})
-      (persist/append b "s" "x" 0 {})
-      (persist/append b "s" "x" 0 {})
-      (let
-        ((es (persist/read-between b "s" 2 3)))
-        (list
-          (len es)
-          (persist/event-seq (first es))
-          (persist/event-seq (nth es 1))))))
-  (list 2 2 3))
-(persist-test
-  "read-between is inclusive of endpoints"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s" "x" 0 {})
-      (persist/append b "s" "x" 0 {})
-      (persist/append b "s" "x" 0 {})
-      (len (persist/read-between b "s" 1 3))))
-  3)
-(persist-test
-  "read-since filters by timestamp"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s" "x" 100 {})
-      (persist/append b "s" "x" 200 {})
-      (persist/append b "s" "x" 300 {})
-      (len (persist/read-since b "s" 200))))
-  2)
-(persist-test
-  "read-window is an inclusive time range"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s" "x" 100 {})
-      (persist/append b "s" "x" 200 {})
-      (persist/append b "s" "x" 300 {})
-      (persist/append b "s" "x" 400 {})
-      (len (persist/read-window b "s" 200 300))))
-  2)
-(persist-test
-  "read-by-type filters by event type"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s" "created" 0 {})
-      (persist/append b "s" "updated" 0 {})
-      (persist/append b "s" "created" 0 {})
-      (len (persist/read-by-type b "s" "created"))))
-  2)
-(persist-test
-  "read-where filters by predicate over data"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s" "x" 0 {:amt 5})
-      (persist/append b "s" "x" 0 {:amt 15})
-      (persist/append b "s" "x" 0 {:amt 25})
-      (len
-        (persist/read-where
-          b
-          "s"
-          (fn (e) (> (get (persist/event-data e) :amt) 10))))))
-  2)
-(persist-test
-  "count-where counts matches"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s" "a" 0 {})
-      (persist/append b "s" "b" 0 {})
-      (persist/append b "s" "a" 0 {})
-      (persist/count-where
-        b
-        "s"
-        (fn (e) (equal? (persist/event-type e) "a")))))
-  2)
-(persist-test
-  "queries return empty on empty stream"
-  (len (persist/read-since (persist/open) "s" 0))
-  0)
-(persist-test
-  "queries work on the durable backend"
-  (let
-    ((db (persist/mock-durable (persist/mem-backend))))
-    (begin
-      (persist/append db "s" "x" 100 {})
-      (persist/append db "s" "x" 200 {})
-      (len (persist/read-since db "s" 150))))
-  1)

lib/persist/tests/recovery.sx

@@ -1,126 +0,0 @@
-; Phase 4 — crash/restart integration. A whole subsystem (an order ledger:
-; event log + a kv read model kept by a subscription + a periodic snapshot + an
-; invoice blob ref) on the durable backend must survive a restart. "Crash" =
-; drop every in-process object (backend, hub, projections); "restart" = rebuild
-; them over the SAME disk + blob store. Nothing but the disk and content store
-; carries across, exactly as a real process restart.
-
-(define rec-count (fn (acc e) (+ acc 1)))
-
-(persist-test
-  "log survives restart and seq continues"
-  (let
-    ((disk (persist/mem-backend)))
-    (begin
-      (let
-        ((db (persist/mock-durable disk)))
-        (begin
-          (persist/append db "orders" "placed" 0 {:id "a"})
-          (persist/append db "orders" "placed" 1 {:id "b"})))
-      (let
-        ((db2 (persist/mock-durable disk)))
-        (list
-          (persist/project-fold db2 "orders" rec-count 0)
-          (persist/event-seq
-            (persist/append db2 "orders" "placed" 2 {:id "c"}))))))
-  (list 2 3))
-(persist-test
-  "subscription-driven kv read model survives restart"
-  (let
-    ((disk (persist/mem-backend)))
-    (begin
-      (let
-        ((h (persist/hub (persist/mock-durable disk))))
-        (begin
-          (persist/subscribe
-            h
-            "orders"
-            (fn
-              (bk s e)
-              (persist/kv-update
-                bk
-                "order-count"
-                0
-                (fn (n) (+ n 1)))))
-          (persist/publish h "orders" "placed" 0 {})
-          (persist/publish h "orders" "placed" 1 {})))
-      (let
-        ((db2 (persist/mock-durable disk)))
-        (persist/kv-get db2 "order-count"))))
-  2)
-(persist-test
-  "snapshot taken before crash drives replay after restart"
-  (let
-    ((disk (persist/mem-backend)))
-    (begin
-      (let
-        ((db (persist/mock-durable disk)))
-        (begin
-          (persist/append db "orders" "placed" 0 {})
-          (persist/append db "orders" "placed" 1 {})
-          (persist/checkpoint db "orders" "count" rec-count 0)
-          (persist/append db "orders" "placed" 2 {})))
-      (let
-        ((db2 (persist/mock-durable disk)))
-        (equal?
-          (persist/project-value
-            (persist/replay db2 "orders" "count" rec-count 0))
-          (persist/project-fold db2 "orders" rec-count 0)))))
-  true)
-(persist-test
-  "compacted log still replays correctly after restart"
-  (let
-    ((disk (persist/mem-backend)))
-    (begin
-      (let
-        ((db (persist/mock-durable disk)))
-        (begin
-          (persist/append db "orders" "placed" 0 {})
-          (persist/append db "orders" "placed" 1 {})
-          (persist/append db "orders" "placed" 2 {})
-          (persist/compact db "orders" "count" rec-count 0)
-          (persist/append db "orders" "placed" 3 {})))
-      (let
-        ((db2 (persist/mock-durable disk)))
-        (persist/project-value
-          (persist/replay db2 "orders" "count" rec-count 0)))))
-  4)
-(persist-test
-  "invoice blob ref survives restart, bytes fetched from content store"
-  (let
-    ((disk (persist/mem-backend)) (store (persist/mem-backend)))
-    (begin
-      (let
-        ((db (persist/mock-durable disk)) (blob (persist/mock-blob store)))
-        (persist/kv-put
-          db
-          "invoice"
-          (persist/blob-store blob "INVOICEPDF" "application/pdf")))
-      (let
-        ((db2 (persist/mock-durable disk))
-          (blob2 (persist/mock-blob store)))
-        (persist/blob-fetch blob2 (persist/kv-get db2 "invoice")))))
-  "INVOICEPDF")
-(persist-test
-  "two independent restarts converge to the same state (determinism)"
-  (let
-    ((disk (persist/mem-backend)))
-    (begin
-      (let
-        ((db (persist/mock-durable disk)))
-        (begin
-          (persist/append db "orders" "placed" 0 {})
-          (persist/append db "orders" "placed" 1 {})
-          (persist/append db "orders" "placed" 2 {})))
-      (equal?
-        (persist/project-fold
-          (persist/mock-durable disk)
-          "orders"
-          rec-count
-          0)
-        (persist/project-fold
-          (persist/mock-durable disk)
-          "orders"
-          rec-count
-          0))))
-  true)

lib/persist/tests/snapshot.sx

@@ -1,114 +0,0 @@
-; Phase 3 — snapshots + replay. Headline: snapshot + tail == full replay.
-
-(define snap-count (fn (acc e) (+ acc 1)))
-
-(persist-test
-  "no snapshot loads fresh seed state"
-  (persist/snapshot-load (persist/open) "feed" 0)
-  {:value 0 :seq 0})
-(persist-test
-  "snapshot-exists? false initially"
-  (persist/snapshot-exists? (persist/open) "feed")
-  false)
-(persist-test
-  "checkpoint stores a snapshot"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s" "x" 0 {})
-      (persist/checkpoint b "s" "snap" snap-count 0)
-      (persist/snapshot-exists? b "snap")))
-  true)
-(persist-test
-  "checkpoint value equals full projection"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s" "x" 0 {})
-      (persist/append b "s" "x" 0 {})
-      (persist/append b "s" "x" 0 {})
-      (persist/project-value
-        (persist/checkpoint b "s" "snap" snap-count 0))))
-  3)
-(persist-test
-  "checkpoint records the last seq"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s" "x" 0 {})
-      (persist/append b "s" "x" 0 {})
-      (persist/project-seq
-        (persist/checkpoint b "s" "snap" snap-count 0))))
-  2)
-(persist-test
-  "replay after checkpoint only folds the tail"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s" "x" 0 {})
-      (persist/append b "s" "x" 0 {})
-      (persist/checkpoint b "s" "snap" snap-count 0)
-      (persist/append b "s" "x" 0 {})
-      (persist/project-value
-        (persist/replay b "s" "snap" snap-count 0))))
-  3)
-(persist-test
-  "snapshot + tail == full replay (value)"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s" "x" 0 {})
-      (persist/append b "s" "x" 0 {})
-      (persist/checkpoint b "s" "snap" snap-count 0)
-      (persist/append b "s" "x" 0 {})
-      (persist/append b "s" "x" 0 {})
-      (equal?
-        (persist/project-value
-          (persist/replay b "s" "snap" snap-count 0))
-        (persist/project-fold b "s" snap-count 0))))
-  true)
-(persist-test
-  "snapshot + tail == full replay (whole state)"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s" "x" 0 {})
-      (persist/checkpoint b "s" "snap" snap-count 0)
-      (persist/append b "s" "x" 0 {})
-      (persist/append b "s" "x" 0 {})
-      (equal?
-        (persist/replay b "s" "snap" snap-count 0)
-        (persist/project b "s" snap-count 0))))
-  true)
-(persist-test
-  "replay determinism: two replays from same snapshot agree"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s" "x" 0 {})
-      (persist/checkpoint b "s" "snap" snap-count 0)
-      (persist/append b "s" "x" 0 {})
-      (equal?
-        (persist/replay b "s" "snap" snap-count 0)
-        (persist/replay b "s" "snap" snap-count 0))))
-  true)
-(persist-test
-  "re-checkpoint advances the snapshot"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s" "x" 0 {})
-      (persist/checkpoint b "s" "snap" snap-count 0)
-      (persist/append b "s" "x" 0 {})
-      (persist/checkpoint b "s" "snap" snap-count 0)
-      (persist/project-seq (persist/snapshot-load b "snap" 0))))
-  2)
-(persist-test
-  "snapshots are keyed independently"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "s" "x" 0 {})
-      (persist/checkpoint b "s" "a" snap-count 0)
-      (persist/snapshot-exists? b "b")))
-  false)

lib/persist/tests/subscribe.sx

@@ -1,130 +0,0 @@
-; Phase 2 — subscription hub: callbacks fire on publish, drive read models.
-
-(persist-test
-  "no subscribers initially"
-  (persist/subscriber-count (persist/hub (persist/open)) "s")
-  0)
-(persist-test
-  "subscribe registers a callback"
-  (let
-    ((h (persist/hub (persist/open))))
-    (begin
-      (persist/subscribe h "s" (fn (b s e) nil))
-      (persist/subscriber-count h "s")))
-  1)
-(persist-test
-  "publish appends to the log"
-  (let
-    ((b (persist/open)))
-    (let
-      ((h (persist/hub b)))
-      (begin
-        (persist/publish h "s" "x" 0 {})
-        (persist/publish h "s" "x" 0 {})
-        (persist/count b "s"))))
-  2)
-(persist-test
-  "publish returns the stored event"
-  (let
-    ((h (persist/hub (persist/open))))
-    (persist/event-seq (persist/publish h "s" "x" 0 {:id 1})))
-  1)
-(persist-test
-  "callback fires on publish — drives a kv read model"
-  (let
-    ((b (persist/open)))
-    (let
-      ((h (persist/hub b)))
-      (begin
-        (persist/subscribe
-          h
-          "s"
-          (fn
-            (bk s e)
-            (persist/kv-update
-              bk
-              "count"
-              0
-              (fn (n) (+ n 1)))))
-        (persist/publish h "s" "x" 0 {})
-        (persist/publish h "s" "x" 0 {})
-        (persist/publish h "s" "x" 0 {})
-        (persist/kv-get b "count"))))
-  3)
-(persist-test
-  "callback receives the event"
-  (let
-    ((b (persist/open)))
-    (let
-      ((h (persist/hub b)))
-      (begin
-        (persist/subscribe
-          h
-          "s"
-          (fn (bk s e) (persist/kv-put bk "last" (persist/event-type e))))
-        (persist/publish h "s" "created" 0 {})
-        (persist/kv-get b "last"))))
-  "created")
-(persist-test
-  "subscriptions are per-stream"
-  (let
-    ((b (persist/open)))
-    (let
-      ((h (persist/hub b)))
-      (begin
-        (persist/subscribe
-          h
-          "s1"
-          (fn
-            (bk s e)
-            (persist/kv-update bk "n" 0 (fn (n) (+ n 1)))))
-        (persist/publish h "s2" "x" 0 {})
-        (persist/kv-get-or b "n" 0))))
-  0)
-(persist-test
-  "multiple subscribers all fire"
-  (let
-    ((b (persist/open)))
-    (let
-      ((h (persist/hub b)))
-      (begin
-        (persist/subscribe
-          h
-          "s"
-          (fn
-            (bk s e)
-            (persist/kv-update bk "a" 0 (fn (n) (+ n 1)))))
-        (persist/subscribe
-          h
-          "s"
-          (fn
-            (bk s e)
-            (persist/kv-update bk "b" 0 (fn (n) (+ n 10)))))
-        (persist/publish h "s" "x" 0 {})
-        (list (persist/kv-get b "a") (persist/kv-get b "b")))))
-  (list 1 10))
-(persist-test
-  "incremental read model via resume in callback"
-  (let
-    ((b (persist/open)))
-    (let
-      ((h (persist/hub b)))
-      (begin
-        (persist/kv-put b "proj" {:value 0 :seq 0})
-        (persist/subscribe
-          h
-          "s"
-          (fn
-            (bk s e)
-            (persist/kv-put
-              bk
-              "proj"
-              (persist/project-resume
-                bk
-                s
-                (fn (acc ev) (+ acc 1))
-                (persist/kv-get bk "proj")))))
-        (persist/publish h "s" "x" 0 {})
-        (persist/publish h "s" "x" 0 {})
-        (persist/project-value (persist/kv-get b "proj")))))
-  2)

lib/persist/tests/upcast.sx

@@ -1,115 +0,0 @@
-; Extension — event schema evolution via upcasters.
-
-; v1 "placed" events had {:total N}; v2 wants {:amount N :currency "GBP"}.
-(define up-placed (fn (e) (persist/upcast-data e {:amount (get (persist/event-data e) :total) :currency "GBP"})))
-
-(persist-test
-  "unregistered type passes through unchanged"
-  (let
-    ((reg (persist/upcasters)))
-    (persist/event-data
-      (persist/upcast
-        reg
-        (persist/event "s" 1 "other" 0 {:x 1}))))
-  {:x 1})
-(persist-test
-  "registered upcaster lifts an old event"
-  (let
-    ((reg (persist/register-upcaster (persist/upcasters) "placed" up-placed)))
-    (get
-      (persist/event-data
-        (persist/upcast
-          reg
-          (persist/event "s" 1 "placed" 0 {:total 50})))
-      :amount))
-  50)
-(persist-test
-  "upcaster adds the new field"
-  (let
-    ((reg (persist/register-upcaster (persist/upcasters) "placed" up-placed)))
-    (get
-      (persist/event-data
-        (persist/upcast
-          reg
-          (persist/event "s" 1 "placed" 0 {:total 50})))
-      :currency))
-  "GBP")
-(persist-test
-  "upcast preserves stream/seq/type/at"
-  (let
-    ((reg (persist/register-upcaster (persist/upcasters) "placed" up-placed)))
-    (let
-      ((e (persist/upcast reg (persist/event "orders" 7 "placed" 99 {:total 1}))))
-      (list
-        (persist/event-seq e)
-        (persist/event-at e)
-        (persist/event-type e))))
-  (list 7 99 "placed"))
-(persist-test
-  "registry is immutable — register returns a new dict"
-  (let
-    ((r0 (persist/upcasters)))
-    (begin
-      (persist/register-upcaster r0 "placed" up-placed)
-      (has-key? r0 "placed")))
-  false)
-(persist-test
-  "read-upcast lifts every event in a stream"
-  (let
-    ((b (persist/open))
-      (reg
-        (persist/register-upcaster (persist/upcasters) "placed" up-placed)))
-    (begin
-      (persist/append b "orders" "placed" 0 {:total 10})
-      (persist/append b "orders" "placed" 0 {:total 20})
-      (let
-        ((es (persist/read-upcast b "orders" reg)))
-        (list
-          (get (persist/event-data (nth es 0)) :amount)
-          (get (persist/event-data (nth es 1)) :amount)))))
-  (list 10 20))
-(persist-test
-  "project-upcast folds over the current shape"
-  (let
-    ((b (persist/open))
-      (reg
-        (persist/register-upcaster (persist/upcasters) "placed" up-placed)))
-    (begin
-      (persist/append b "orders" "placed" 0 {:total 10})
-      (persist/append b "orders" "placed" 0 {:total 20})
-      (persist/project-upcast
-        b
-        "orders"
-        reg
-        (fn (acc e) (+ acc (get (persist/event-data e) :amount)))
-        0)))
-  30)
-(persist-test
-  "mixed old and new events fold uniformly"
-  (let
-    ((b (persist/open))
-      (reg
-        (persist/register-upcaster (persist/upcasters) "placed" up-placed)))
-    (begin
-      (persist/append b "orders" "placed" 0 {:total 5})
-      (persist/append b "orders" "placed" 0 {:total 7 :amount 7})
-      (persist/project-upcast
-        b
-        "orders"
-        reg
-        (fn (acc e) (+ acc (get (persist/event-data e) :amount)))
-        0)))
-  12)
-(persist-test
-  "upcast works on the durable backend"
-  (let
-    ((db (persist/mock-durable (persist/mem-backend)))
-      (reg
-        (persist/register-upcaster (persist/upcasters) "placed" up-placed)))
-    (begin
-      (persist/append db "orders" "placed" 0 {:total 42})
-      (get
-        (persist/event-data
-          (nth (persist/read-upcast db "orders" reg) 0))
-        :amount)))
-  42)

lib/persist/tests/view.sx

@@ -1,105 +0,0 @@
-; Extension — materialized views: stay current on write, read O(1) via peek.
-
-(define vw-count (fn (acc e) (+ acc 1)))
-(define vw (persist/view "order-count" "orders" vw-count 0))
-
-(persist-test "view-name" (persist/view-name vw) "order-count")
-(persist-test "view-stream" (persist/view-stream vw) "orders")
-(persist-test
-  "view-value folds the stream"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "orders" "x" 0 {})
-      (persist/append b "orders" "x" 0 {})
-      (persist/view-value b vw)))
-  2)
-(persist-test
-  "view-refresh persists a snapshot that peek then reads"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "orders" "x" 0 {})
-      (persist/view-refresh b vw)
-      (persist/view-peek b vw)))
-  1)
-(persist-test
-  "peek lags an un-refreshed tail"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "orders" "x" 0 {})
-      (persist/view-refresh b vw)
-      (persist/append b "orders" "x" 0 {})
-      (persist/view-peek b vw)))
-  1)
-(persist-test
-  "view-value sees the whole stream even after a stale snapshot"
-  (let
-    ((b (persist/open)))
-    (begin
-      (persist/append b "orders" "x" 0 {})
-      (persist/view-refresh b vw)
-      (persist/append b "orders" "x" 0 {})
-      (persist/view-value b vw)))
-  2)
-(persist-test
-  "attached view stays current on publish — peek needs no manual refresh"
-  (let
-    ((b (persist/open)))
-    (let
-      ((h (persist/view-attach (persist/hub b) vw)))
-      (begin
-        (persist/publish h "orders" "x" 0 {})
-        (persist/publish h "orders" "x" 0 {})
-        (persist/publish h "orders" "x" 0 {})
-        (persist/view-peek b vw))))
-  3)
-(persist-test
-  "attached view advances the snapshot seq incrementally"
-  (let
-    ((b (persist/open)))
-    (let
-      ((h (persist/view-attach (persist/hub b) vw)))
-      (begin
-        (persist/publish h "orders" "x" 0 {})
-        (persist/publish h "orders" "x" 0 {})
-        (persist/project-seq
-          (persist/snapshot-load b "order-count" 0)))))
-  2)
-(persist-test
-  "attach only reacts to its own stream"
-  (let
-    ((b (persist/open)))
-    (let
-      ((h (persist/view-attach (persist/hub b) vw)))
-      (begin
-        (persist/publish h "other" "x" 0 {})
-        (persist/view-peek b vw))))
-  0)
-(persist-test
-  "materialized view works on the durable backend"
-  (let
-    ((db (persist/mock-durable (persist/mem-backend))))
-    (let
-      ((h (persist/view-attach (persist/hub db) vw)))
-      (begin
-        (persist/publish h "orders" "x" 0 {})
-        (persist/publish h "orders" "x" 0 {})
-        (persist/view-peek db vw))))
-  2)
-(persist-test
-  "view sum over event data"
-  (let
-    ((b (persist/open))
-      (sumv
-        (persist/view
-          "rev"
-          "sales"
-          (fn (acc e) (+ acc (get (persist/event-data e) :amt)))
-          0)))
-    (begin
-      (persist/append b "sales" "sale" 0 {:amt 10})
-      (persist/append b "sales" "sale" 1 {:amt 25})
-      (persist/view-value b sumv)))
-  35)

lib/persist/upcast.sx

@@ -1,44 +0,0 @@
-; persist/upcast — event schema evolution. An append-only log keeps events
-; forever, so old events have old shapes. Rather than migrate stored data (you
-; can't rewrite history) or branch every projection on version, register an
-; upcaster per event type: a pure (event -> event) that lifts an old event to
-; the current shape. Reads pass through the registry so projections see ONE
-; shape. The registry is an immutable dict the consumer threads (no global
-; mutable state). Requires: lib/persist/event.sx, lib/persist/log.sx.
-
-(define persist/upcasters (fn () {}))
-(define persist/register-upcaster (fn (reg type fn) (assoc reg type fn)))
-
-; apply the registered upcaster for an event's type, or pass it through unchanged
-(define
-  persist/upcast
-  (fn
-    (reg e)
-    (let ((f (get reg (persist/event-type e)))) (if f (f e) e))))
-
-; read a stream with every event lifted to current shape
-(define
-  persist/read-upcast
-  (fn
-    (b stream reg)
-    (map (fn (e) (persist/upcast reg e)) (persist/read b stream))))
-
-; project over upcasted events — projections never see a legacy shape
-(define
-  persist/project-upcast
-  (fn
-    (b stream reg step seed)
-    (reduce step seed (persist/read-upcast b stream reg))))
-
-; helper: upcast an event's :data by merging in/overriding fields, keeping the
-; record's stream/seq/type/at. Common upcaster body.
-(define
-  persist/upcast-data
-  (fn
-    (e new-data)
-    (persist/event
-      (persist/event-stream e)
-      (persist/event-seq e)
-      (persist/event-type e)
-      (persist/event-at e)
-      (merge (persist/event-data e) new-data))))

lib/persist/view.sx

@@ -1,49 +0,0 @@
-; persist/view — a materialized view: the consumer-facing read model. It bundles
-; a stream, a fold (step + seed) and a snapshot name. Attached to a hub it
-; refreshes incrementally on every publish, so the materialized value stays
-; current on write and reads are O(1) snapshot loads (persist/view-peek) instead
-; of a full fold. This is what feed indices, mod audit rollups, search counters,
-; etc. sit on. Requires: lib/persist/snapshot.sx, lib/persist/subscribe.sx.
-
-(define persist/view (fn (name stream step seed) {:name name :step step :stream stream :seed seed}))
-(define persist/view-name (fn (v) (get v :name)))
-(define persist/view-stream (fn (v) (get v :stream)))
-
-; bring the view's snapshot up to date with the log tail; returns the state
-(define
-  persist/view-refresh
-  (fn
-    (b v)
-    (persist/checkpoint
-      b
-      (get v :stream)
-      (get v :name)
-      (get v :step)
-      (get v :seed))))
-
-; current materialized value — refreshes first, so never stale
-(define
-  persist/view-value
-  (fn (b v) (persist/project-value (persist/view-refresh b v))))
-
-; O(1) read of the last persisted snapshot value WITHOUT folding the tail. Equal
-; to view-value when the view is attached (kept current on every publish);
-; otherwise may lag the log by the un-refreshed tail.
-(define
-  persist/view-peek
-  (fn
-    (b v)
-    (persist/project-value
-      (persist/snapshot-load b (get v :name) (get v :seed)))))
-
-; attach to a hub: refresh the view on every publish to its stream
-(define
-  persist/view-attach
-  (fn
-    (h v)
-    (begin
-      (persist/subscribe
-        h
-        (persist/view-stream v)
-        (fn (bk s e) (persist/view-refresh bk v)))
-      h)))

plans/abstractions.md

@@ -0,0 +1,639 @@
+# Abstraction Radar — backlog
+
+Maintained by the read-only `radar` loop (see `plans/agent-briefings/radar-loop.md`).
+Detection only — implementation is a separate, coordinated step owned by the
+relevant subsystem loop, never by radar.
+
+**AHA gate to reach _Proposed_:** ≥3 real consumers · all past Phase 2 & API-stable ·
+structurally identical (file:line evidence) · a natural home (usually NOT lib/guest).
+Anything short → _Watching_ (what's missing) or _Rejected_ (why).
+
+---
+
+## Last scan
+
+- **Date:** 2026-06-07 (radar loop, pass 38)
+- **Pass 38 — migration plan DRAFTED (planning loop worklist complete).** All 5 specs
+  written under `loops/migration:plans/migration/` (host-readiness, strangler-shadow-
+  harness, slice-01-blog, data-migration, slice-sequencing); loop added a 6th revealed
+  thread `open-questions.md` (digest for humans) then is end-of-worklist. **Decision point
+  for the operator: review the plan + decide whether to start an IMPLEMENTATION loop**
+  (first target per the plan: `lib/host` Phase 1 + multi-`Set-Cookie` fix → slice-01-blog
+  1a). Branch `loops/migration` is local/un-pushed (per operator's no-push preference).
+  No new radar candidate; A1 at 13; fed-sx still on deadlock.
+- **Date:** 2026-06-07 (radar loop, pass 37)
+- **Pass 37 — migration plan 4/5 specs done.** Long-pole shipped: `data-migration.md`
+  (Postgres → persist via **genesis-import** — seed each stream with current DB state as
+  initial events). Only `slice-sequencing.md` left; loop self-pacing fine. No new radar
+  candidate; events (iCal import) + content (sanitize, 799/799) incremental; A1 at 13.
+- **Date:** 2026-06-07 (radar loop, pass 36)
+- **Pass 36 — migration planning loop healthy + productive.** Self-pacing restored (now
+  schedules its own ~20min wake-ups). Shipped 2 more specs (3/5 threads): strangler-shadow-
+  harness (Caddy handle-per-route + offline-replay shadow-diff at the `content/blocks`
+  facade) and slice-01-blog (GET /<slug>/; **found blog already has `Post.sx_content` +
+  lexical→SX pipeline** — a real head-start). data-migration + slice-sequencing pending.
+  No new radar candidate; A1 steady at 13; fed-sx still on deadlock.
+- **Date:** 2026-06-07 (radar loop, pass 35)
+- **Pass 35 — quiet for findings; ops note.** The migration PLANNING loop had completed
+  host-readiness and **stalled idle ~1hr** (self-paced `/loop` didn't re-fire after one
+  iteration). Nudged it to continue its worklist (now on strangler-shadow-harness) +
+  schedule its own next wake-up. No new radar candidate; events/content incremental;
+  A1 steady at 13; fed-sx still on the deadlock reproducer.
+- **Date:** 2026-06-07 (radar loop, pass 34)
+- **Pass 34 — quiet, no new finding.** Minimal churn: migration planning loop still on
+  host-readiness (next thread pending, self-paced); maude scoreboard refresh; fed-sx
+  grinding the fed-prims deadlock; A1 adopters steady at 13. Nothing new to discover.
+- **Date:** 2026-06-07 (radar loop, pass 33)
+- **Pass 33 — host-layer story clarified (refines the migration strategy).** `dream` =
+  **Dream-on-SX**: OCaml's Dream web framework on the SX CEK, and the project owner's
+  **confirmed decision to move rose-ash OFF Quart onto Dream** as the ergonomic HTTP front
+  door over the native SX server (router/session/middleware/cors/csrf/auth/ws/html/json —
+  16 modules). So the host layer is: **host-on-sx native server (Phases 1-3, carries it
+  now) → Dream-on-SX framework front door (gated on ocaml-on-sx Phases 1-5) + host-persist
+  (done) + fed-sx (AP transport).** The migration PLANNING loop (new, tmux `migration`,
+  commit-only) is now the owner of refining this — it already shipped `host-readiness.md`
+  pinning the near-term gate to **`lib/host` (unbuilt) + a multi-`Set-Cookie` primitive
+  fix** (`sx_server.ml:735`). NOTE: `plans/rose-ash-on-sx-migration.md` under-specified the
+  framework layer (said "host-on-sx HTTP host"); the Dream-over-Quart decision + the
+  native→Dream sequence is the correction — the planning loop will fold it into its specs.
+  `maude` at Phase 5 (rewriting-logic substrate). Radar tracks; planning loop details.
+- **Date:** 2026-06-07 (radar loop, pass 32)
+- **Pass 32 — A1 DONE.** `loops/conformance` merged to architecture (`db76cc8c`); 13 adopters
+  now on the shared driver; radar spot-checked common-lisp = 487/487 green post-merge →
+  coordination flag CLEARED. A1 moved to a new **Done** section. New nascent subsystems
+  `dream` + `maude` (0 files), `fed-prims` resumed (mutex-deadlock fix). The idle
+  `a1-conformance` loop can be retired (worklist complete).
+- **Date:** 2026-06-07 (radar loop, pass 31)
+- **Pass 31 — A1 conformance loop WORKLIST COMPLETE.** tcl excluded (foreign `*.tcl`); final:
+  4 migrated (common-lisp/erlang/feed/go) + 5 excluded (forth/js/ocaml/smalltalk/tcl). A1 =
+  **12 on shared driver + 6 excluded**; only the parity-gated merge to architecture remains.
+  commerce shipped a refund saga on flow (2nd flow use) + finished Phase 5 → going quiescent.
+  relations building graph algos (all-paths) — still unconsumed (W9 unchanged).
+- **Date:** 2026-06-07 (radar loop, pass 30)
+- **Pass 30:** conformance loop near done — `ocaml` + `smalltalk` excluded (both foreign
+  `test.sh`/corpus runners, as predicted). Tally: 4 migrated, 4 excluded, **tcl only** left.
+  Next A1 milestone = the `loops/conformance`→architecture merge under adopter-parity. No
+  new candidate; relations/artdag steady (no new W9 delegation).
+- **Date:** 2026-06-07 (radar loop, pass 29)
+- **Pass 29:** conformance loop excluded `js` (test262 fixtures) → 4 migrated + 2 excluded,
+  3 remain (ocaml/smalltalk/tcl). New subsystems advancing fast: `relations` → Phase 4
+  federation, `artdag` → Phase 6 federation → both fold into W1 (now 7 federation modules,
+  theme-not-shape holds) and W9 (relations past Phase 2 but not yet consumed by anyone).
+- **Date:** 2026-06-07 (radar loop, pass 28)
+- **Pass 28 — fleet expanding again.** Conformance loop: `go` migrated 609/609; **`forth`
+  excluded** (foreign Forth corpus — classify-then-exclude working). 4 migrated +1 excluded
+  on the branch; js/ocaml/smalltalk/tcl remain. **2 new subsystems:** `relations` (Phase 1,
+  parent/child rel facts → new W9 nascent watch) and `artdag` (nascent, 0 files). `events`
+  MERGED to architecture (its persist+flow adoption now integrated — W4/W8 landed). Briefing
+  commit hints more incoming: `dream`, `host`, +5 language chisels.
+- **Date:** 2026-06-07 (radar loop, passes 26–27)
+- **Passes 26–27 (routine tracking):** conformance loop steady at ~1 migration/iteration —
+  erlang 761/761, then feed 189/189. A1 = 8 on architecture + 3 on the branch; 6 remain.
+  W4 still gated (host-persist adapter not landed); no new subsystem; app loops on
+  incremental domain work (commerce Phase 5 payment envelope, content/events/identity/fed-sx).
+  Nothing new to discover; merge-time adopter-parity flag still open.
+- **Date:** 2026-06-07 (radar loop, pass 25)
+- **Pass 25:** A1 → **8 adopters** (events via its own loop) + common-lisp 487/487 on the
+  conformance branch. The conformance loop **extended the shared `lib/guest` driver**
+  (per-suite counters/preloads) to do it → raised a **coordination flag in A1**: verify the
+  branch is non-regressive against all 8 adopters before merging to architecture. commerce
+  drafting Phase 5 provider-neutral payment envelope. No new candidate; A1 advancing fast.
+- **Date:** 2026-06-07 (radar loop, pass 24)
+- **Pass 24 — three real updates.** (1) **A1 → 7 adopters** (search migrated, counters mode
+  — corrects the earlier exclusion). (2) The dedicated `conformance` loop ran its 1st
+  iteration: refused to force-migrate common-lisp (parity gate worked) and surfaced a
+  **driver feature-gap** (per-suite counters + preloads) gating the complex multi-suite
+  candidates → A1 now splits simple-now vs gated-on-driver-enhancement. (3) **W8 commerce
+  is LIVE** ("order lifecycle as a durable flow-on-sx flow, Phase 3 done") → 2 live flow
+  consumers. events shipped TZ/DST; mod reverted its extraction note (declined on re-read).
+- **Date:** 2026-06-07 (radar loop, pass 23)
+- **Pass 23 — trigger fired (empty streak ends at 19–22).** commerce recorded a Phase 3
+  **flow-integration design** (order saga as a flow-on-sx flow, payment suspended until
+  webhook resume) → 2nd durable-flow consumer; **W8 broadened** from "delivery" to
+  "externally-resumed orchestration on lib/flow." events made its federation transport
+  **fed-sx-ready** (injected) → reinforces W1's 5/5 inject-fed-sx seam. acl left tmux
+  (now fully quiescent). host-persist adapter still not landed (W4 migration still gated).
+- **Empty-discovery streak: passes 19–22** (last verified pass 22). Fleet at steady state —
+  active loops (content CvRDT, events recurrence/reschedule, identity grant-mgmt, fed-sx
+  outbox internals) are building *inside* their domains, not cross-cutting infra. Census
+  exhausted (p17); all gates re-tested (W1 p18, W2 p19). No new candidate clears any gate.
+- **Radar is now trigger-driven.** The next substantive pass needs one of: **(a)** a new
+  subsystem worktree spawning (auto-joins scan), or **(b)** host-persist's durable adapter
+  landing → unblocks the W4 acl/mod→persist/log migration, or **(c)** a quiescent
+  subsystem (acl/mod/search/commerce, static ~9–16 passes) resuming. Polling ~hourly until
+  one fires; will tighten cadence then.
+- **Date:** 2026-06-07 (radar loop, pass 20)
+- **Pass 20 — honest empty pass.** 3 new census recurrences since p17 (normalize/index ×2,
+  query ×3) — all **name collisions** (same noun, domain-specific op), added to the table.
+  Recorded the meta-pattern: the fleet shares vocabulary, not structure. Most subsystems
+  quiescent (acl/mod/search/commerce static ~9-15 passes = API-stable); only events/
+  identity/content/fed-sx still committing domain features. No new gate-clearer.
+- **Date:** 2026-06-07 (radar loop, pass 19)
+- **Pass 19 — honest empty pass.** Scanned 10 active subsystems. content/index.sx is a
+  blog index/tag-cloud listing (presentation, not full-text search — no search reinvention)
+  and content/multi-doc indexing adds no per-viewer filter. **W2 re-tested: still 2**
+  (feed, search) — acl's `permit?`-like matches are its own authZ *engine* (the home),
+  not a downstream read filter. No new candidate cleared any gate.
+- **Date:** 2026-06-07 (radar loop, pass 18)
+- **Pass 18 — W1 gate re-test.** events shipped Phase 4 federation (5th consumer): a 5th
+  divergent merge (sorted agenda + `:origin` provenance), trust-gate = runtime list
+  membership (shares mod's mechanism, not acl's). Reinforces W1's "theme not shape" — but
+  the **inject-fed-sx-transport seam is now 5/5**, strengthening "all are fed-sx
+  consumers-in-waiting." Trust sub-pattern refined: mod+events (runtime set) vs acl (rule).
+- **Date:** 2026-06-07 (radar loop, pass 17)
+- **Pass 17 — filename census declared EXHAUSTED** (see the Census-status table above).
+  Examined the last unswept ≥2 recurrences (schema/engine = acl⇄mod substrate twins;
+  catalog/batch = name collisions; store = divergent). No new candidate. Incremental churn
+  elsewhere (content 621/621, identity PAR, events reminders). Future passes pivot from
+  censusing to re-testing gates as consumers mature.
+- **Date:** 2026-06-07 (radar loop, pass 16)
+- **Pass 16:** events started Phase 3 — **durable notification delivery on `lib/flow`**
+  (new W8: at-least-once + idempotency exemplar; fed-sx/mod roll their own outbox). The two
+  `notify.sx` (feed vs events) are a name collision (read-side digest vs delivery), noted
+  in W8. Substrate-adoption story deepening: app domains now consume persist (content/
+  commerce/events), flow (events), commerce (events), acl-authZ (identity).
+- **Date:** 2026-06-07 (radar loop, pass 15)
+- **Pass 15:** added the **scanning-method note** above after `query.sx` again proved to
+  be merged-lib copies (lib/prolog + lib/persist in every worktree). Corrected census
+  surfaced `wire`×2 (content+mod) → Rejected (shared role, divergent structure: generic SX
+  serializer vs bespoke pipe-format under a Prolog-env string-prim constraint). events↔
+  commerce integration appeared (paid tickets); acl/mod/search quiescent ~7 passes (now
+  API-stable). No new gate-clearer.
+- **Date:** 2026-06-07 (radar loop, pass 14)
+- **Pass 14:** filename census flagged `snapshot`×?? — but the `*/lib/persist/snapshot.sx`
+  copies are just the merged `lib/persist` in each worktree, NOT consumers (same artifact
+  as `lib/feed/rank.sx` everywhere). The one distinct file, `content/snapshot.sx`,
+  reimplements persist's projection-checkpoint on raw KV instead of using `persist/snapshot`
+  → new W7 (persist-adoption nudge). `audit`×3 = the W4 fakes (acl/mod/identity), known.
+- **Date:** 2026-06-07 (radar loop, pass 13)
+- **Pass 13 — honest re-test, no gate-clearer.** Re-tested the two longest-waiting gates
+  against the maturing app-domain loops: **W2** (per-viewer visibility) still 2 consumers
+  (feed, search) — commerce/content/events/identity add no per-viewer read filter; **W3**
+  (pagination) still 2 (feed, search) — `content/page.sx` is an HTML wrapper, not
+  pagination (filename collision, noted in W3). Incremental churn only elsewhere.
+- **Date:** 2026-06-07 (radar loop, pass 12)
+- **Pass 12:** `events` shipped **transactional booking on persist** (3rd live persist
+  consumer) using `persist/append-expect` (optimistic-concurrency CAS, lock-free capacity
+  safety). W4 ledger now shows a persist feature-ladder append → append-once → append-expect
+  that the hand-rolled fakes can't match. No new candidate; W4 reinforced.
+- **Date:** 2026-06-07 (radar loop, pass 11)
+- **Pass 11 — W4 sharpened with a consumer ledger.** commerce built an **order ledger on
+  persist** (2nd live exemplar; uses `persist/append-once` for webhook idempotency) and
+  identity a **grant audit ledger** (in-memory Erlang fake, gated on an Erlang↔persist
+  bridge). The append-only monotonic-seq event-log pattern is now validated across 4
+  domains, 2 live on persist + 3 fakes flagged for adoption. See W4 table.
+- **Date:** 2026-06-07 (radar loop, pass 10)
+- **Pass 10:** commerce/content/events/identity advancing (content 238/238). Probed a
+  shape outside the routing table — **guarded lifecycle state machines** (mod/lifecycle +
+  identity/membership) → new W6: shared *design principle*, divergent *structure*
+  (SX transition-table vs Erlang gen_server), NOT an extraction target. No gate-clearer.
+- **Date:** 2026-06-07 (radar loop, pass 9)
+- **Pass 9:** `commerce` + `content` reached Phase 2 (`content` 162/162). **Key find:
+  `content` built its op log directly on `persist/log`** (backend-injected, append+replay-
+  to-seq) — the live reference exemplar for W4 (see W4). `events` MONTHLY RRULE,
+  `identity` OAuth2 auth-code + PKCE, search boolean-filtered ranked. A1 still 6 adopters.
+- **Date:** 2026-06-06 (radar loop, pass 8)
+- **Pass 8 — fleet expanded by 4 app-domain loops** (the briefing's anticipated
+  `commerce`/`identity` arrivals, auto-picked up by dynamic discovery). All early-stage,
+  **pre-Phase-2 → moving targets, none count toward any gate yet**:
+  - `commerce` (Phase 1: `api/cart/catalog/price`). Its "per-line audit" is a cost
+    *breakdown view* (`api.sx:44`), **not** an append-only decision log → NOT a W4
+    consumer.
+  - `events` (Phase 1: `calendar.sx`, RRULE expansion).
+  - `identity` (early: `session/token`). Defers authZ to acl (`token.sx:15`) — reinforces
+    W2's "delegate `permit?` to acl-on-sx" routing; identity = authN, acl = authZ.
+  - `content` (just-started: `block.sx`).
+  These are the future consumers W2/W3 are waiting on — re-check their per-viewer filters
+  / pagination once each clears Phase 2. No new gate-clearer this pass.
+- **Pass 7:** **A1 jumped 4→6 adopters** — `acl` + `mod` migrated to the shared
+  conformance driver (first app-domain adopters; proves it generalizes past substrates).
+  `host-persist` closed its blob-adapter blocker (durable storage adapter now landing →
+  W4 migration path opening). search shipped proximity/NEAR; flow + persist quiescent.
+- **Pass 6:** new worktree **`host-persist`** (active — building persist's durable host
+  adapter); `feed` went quiescent (left tmux). acl shipped hardening (+25), fed-sx-m1 at
+  Step 6c. **mod loop independently wrote a shared-plumbing note** (`mod-on-sx.md`,
+  538b8a53) corroborating W4/W5 — folded its claims + home disagreements into W1/W4/W5.
+  No new gate-clearer (audit log still 2 consumers), but consumers are now API-stable.
+- **Pass 5:** search (+highlight/snippet) and fed-sx-m1 (+follower_graph) moved; rest
+  unchanged. Filename census: `api`×6, `fed`×3, then `schema/rank/query/page/explain/
+  engine/batch/audit`×2. Examined the ×6 `api.sx` → Rejected (shared name, divergent
+  structure incl. implicit-vs-explicit-state contract). rank/batch/engine all ≤2 +
+  substrate/domain-divergent → no new gate-clearer.
+- **Pass 4:** no churn vs pass 3 (same worktrees/tmux/HEADs/adopters). Swept audit+explain
+  surfaces: acl/mod share an append-only-log shape (→ sharpened W4 with persist/log API
+  evidence) and a proof-explain shape (→ new W5, substrate-bound). No new gate-clearer.
+- **Pass 3 (earlier today):** subsystem set + tmux + A1 adopters (4) all unchanged vs pass 2. Loops
+  advanced: acl shipped Phase 4 federation; search shipped Phase 4 + pagination; feed
+  shipped pagination/threading; mod at Ext 19 (capstone); persist did a worked acl-grants
+  migration (W4). New shape found: offset/limit pagination → folded into W3.
+- **Subsystem set discovered:** loop worktrees `acl, erlang, fed-prims, fed-sx-m1,
+  feed, flow, go, kernel, mod, ocaml, persist, radar, ruby, search,
+  sx-vm-extensions`; main-repo `lib/*` incl. merged `feed` + substrates (`apl,
+  common-lisp, datalog, erlang, forth, go, haskell, hyperscript, js, lua, minikanren,
+  ocaml, prolog, scheme, smalltalk, tcl`) + `lib/guest`.
+  Actively looping (tmux): `acl, fed-sx-m1, feed, flow, mod, persist, search`
+  (+ radar).
+- **New since pass 1:** worktrees `kernel` (empty/unset — not yet a repo) and `ocaml`
+  (`lib/ocaml/baseline` only). Both early-stage, pre–Phase 2 → out of proposal scope.
+- Re-enumerate every pass; new loops (e.g. a future `commerce`/`identity`) auto-join.
+
+**Census status (pass 17): EXHAUSTED.** Every own-namespace filename recurring ≥2× has
+been examined and dispositioned — further filename-censusing is low-yield until new
+subsystems/modules appear. Map:
+| filename | owners | verdict |
+|---|---|---|
+| `api` ×10 | all | Rejected — shared role, divergent state contract |
+| `fed`/`federation` | feed/search/mod/acl(+content) | W1 — theme not shape |
+| `audit` ×3 | acl/mod/identity | W4 — append-only log → persist/log |
+| `page` ×3 | feed/search (pagination) + content (HTML wrapper) | W3 + collision noted |
+| `explain` ×2 | acl/mod | W5 — proof tree, substrate-bound |
+| `snapshot` ×2 | persist(facet) + content(reinvents) | W7 |
+| `wire` ×2 | content(SX serializer) / mod(pipe-format) | Rejected — divergent |
+| `schema`,`engine` ×2 | acl/mod | substrate-twin parallels (Datalog vs Prolog); only audit (W4) is liftable |
+| `catalog`,`batch` ×2 | commerce/persist, mod/persist | name collisions, unrelated |
+| `normalize` ×2 | content(tree-prune)/feed(record-coerce) | name collision (pass 20) |
+| `index` ×2 | content(listing)/search(inverted index) | name collision (pass 20) |
+| `query` ×3 | content(doc-block)/search(bool AST)/persist(stream-read) | 3-way name collision (pass 20) |
+| `store` ×2 | content(on persist) / flow(workflow records) | related concept, divergent |
+| `rank` ×2 | feed/search | different domains (activities vs docs), ≤2 |
+**acl⇄mod are structural twins** (decision engine over a logic substrate, Datalog vs
+Prolog) — they parallel across engine/schema/explain/audit/fed, but only the *audit log*
+is substrate-agnostic and liftable (→ W4); the rest are substrate-idiomatic. Next passes:
+re-test gates (W2/W3/W8) as consumers mature, watch new modules — not re-census.
+
+**Meta-pattern (pass 20):** new module names keep *recurring* but the operations keep
+*colliding* — same noun, domain-specific op (normalize, index, query, catalog, batch,
+notify, page, store all proved to be collisions). This is *why* genuine extraction
+candidates are rare: the fleet shares vocabulary, not structure. The real shared assets
+are the **substrate subsystems** (persist, flow, acl, fed-sx) that app domains *adopt*
+(W1/W2/W4/W7/W8), not hand-rolled libs to extract.
+
+**Scanning-method note (learned the hard way, passes 5/12/14/15):** a filename census
+for *cross-subsystem* recurrence MUST restrict to each subsystem's OWN namespace —
+`X/lib/X/*.sx` — never `X/lib/*/`. The merged substrate libs (`lib/prolog`, `lib/persist`,
+`lib/feed`, `lib/datalog`, …) are checked out inside *every* worktree, so a naive census
+reports e.g. `query.sx`/`snapshot.sx`/`rank.sx` ×N as phantom recurrences that are really
+one merged file copied N times. Correct one-liner:
+`for w in <subsystems>; do for f in $w/lib/$w/*.sx; do basename $f .sx; done; done | sort | uniq -c | sort -rn`.
+
+---
+
+## Done
+
+### A1 · Shared conformance driver — ✅ COMPLETE (merged `db76cc8c`, pass 32)
+Full closed loop: radar detected it → dedicated `conformance` loop implemented it
+(classify-then-migrate-or-exclude, hard parity gate) → **merged to architecture**
+(`db76cc8c Merge loops/conformance into architecture: A1 conformance-driver migration`)
+→ radar spot-verified post-merge (**common-lisp 487/487 green** on architecture — exercises
+the new per-suite-counters/preloads driver feature, the riskiest change). Final state:
+- **13 on the shared driver:** acl, apl, common-lisp, datalog, erlang, events, feed, go,
+  haskell, mod, prolog, relations, search.
+- **6 correctly excluded** (foreign-program runners — a legitimately different harness):
+  forth, js, ocaml, smalltalk, tcl, lua.
+- The shared driver gained per-suite counters + per-suite preloads (backward-compatible);
+  spot-check confirms existing adopters unaffected. Coordination flag CLEARED.
+Detail of the migration arc retained under the original entry below.
+
+## Proposed (cleared the gate)
+
+_(empty — A1 graduated to Done, pass 32.)_
+
+### A1 · Adopt the shared conformance driver across subsystems
+- **Pattern:** every subsystem hand-rolls a near-identical `conformance.sh`
+  (epoch-load → eval → scoreboard emit) and an inline `<x>-test name got expected`
+  pass/fail counter.
+- **Consumers (≥3, overwhelming):** 15 `lib/*/conformance.sh` — `apl, feed, datalog,
+  flow, mod, lua, erlang, forth, go, common-lisp, haskell, js, ocaml, prolog,
+  smalltalk, tcl`.
+- **Home:** `lib/guest` — the one legitimate exception (the shared driver
+  `lib/guest/conformance.sh` + `lib/guest/conformance.sx` already exist; modes
+  `dict` and `counters`).
+- **Status: IN PROGRESS — 6 adopters (pass 7).** `prolog` (dict), `haskell` (counters),
+  `apl` (dict), `datalog` (dict), and **`acl` (dict) + `mod` (dict), newly migrated this
+  pass** — all 3-line exec shims into `lib/guest/conformance.sh` with a `conformance.conf`.
+  **acl + mod are the first *app-domain* adopters** (not language substrates) — strong
+  evidence the driver generalizes beyond the substrate layer, which was the open question.
+  The `apl` migration earlier *surfaced a latent bug*: the old awk extractor
+  under-counted `pipeline` (40 vs the real 152 assertions); true apl total is **562**,
+  not 450 — evidence that adopting the driver also improves correctness.
+- **Not a target (different harness shape):** `lua/conformance.sh` is a Python runner
+  (`lib/lua/conformance.py`) that walks real `*.lua` source files via `lua-eval-ast`
+  and classifies pass/fail/timeout — it does not run SX `deftest` suites with a
+  counter/dict scoreboard, so the shared driver does not fit. Excluded, not pending.
+- **Remaining hand-rolled candidates (~120–220 lines each):** `common-lisp, erlang,
+  feed, forth, go, js, ocaml, smalltalk, tcl` — now being worked by the dedicated
+  `conformance` loop (above). (`lua` excluded: walks real `*.lua` files via Python.
+  `smalltalk` likely excludes too — runs `*.st` via its own `test.sh`. `search` was
+  thought to be excluded but DID migrate via counters mode — see the 7-adopter note.)
+- **Action:** each remaining subsystem's OWN loop migrates when quiescent — add a
+  `conformance.conf` (+ a `test-harness.sx` preload defining its counters) and
+  replace `conformance.sh` with the 1-line exec shim
+  (`exec bash …/guest/conformance.sh …/conformance.conf "$@"`). Recipe template:
+  `lib/haskell/conformance.conf` (counters) or `lib/prolog/conformance.conf` (dict).
+  Keep the `bash lib/X/conformance.sh` entry point so no loop is disrupted.
+- **Priority: HIGH** (15 consumers, low risk, interface-preserving, additive).
+- **8 adopters on architecture** (pass 25): acl, apl, datalog, **events**, haskell, mod,
+  prolog, search — `events` migrated via its OWN loop; `search` via counters mode (which
+  corrects the earlier "search excluded" note). **+4 on the `loops/conformance` branch:
+  `common-lisp` 487/487, `erlang` 761/761, `feed` 189/189, `go` 609/609** — pending merge.
+  **5 EXCLUDED — all foreign-runner harnesses** (correctly, not force-migrated): `forth`
+  (Hayes core.fr via awk+python), `js` (test262 `.js`/`.expected`), `ocaml` (scrapes
+  `test.sh` + `.ml` baseline), `smalltalk` (scrapes `test.sh` + `*.st` corpus), `tcl`
+  (foreign `*.tcl` vs `# expected:` annotations).
+- **✅ CONFORMANCE LOOP WORKLIST COMPLETE (pass 31).** Final A1 picture:
+  - **12 on the shared driver:** acl, apl, datalog, events, haskell, mod, prolog, search
+    (on architecture) + common-lisp, erlang, feed, go (on `loops/conformance`, pending merge).
+  - **6 correctly excluded** (foreign-program runners — testing a language impl against an
+    external corpus is legitimately a different harness): forth, js, ocaml, smalltalk, tcl, lua.
+  - **Honest finding:** the driver's reach is narrower than the raw "15 conformance.sh"
+    count implied — language substrates that run real `.lua/.st/.ml/.tcl/.js/.fr` programs
+    *should* keep their foreign runners. ~half migrate, ~half don't, and that's correct.
+  - **One step left:** merge `loops/conformance` → architecture under the **adopter-parity
+    check** (the coordination flag above — the shared `lib/guest` driver change must be
+    proven non-regressive against all existing adopters first). The loop is now idle.
+- **NOW IN PROGRESS — dedicated loop (2026-06-07).** A human-triggered `conformance` loop
+  (worktree `/root/rose-ash-loops/conformance`, branch `loops/conformance`, tmux session
+  `a1-conformance`, briefing `plans/agent-briefings/conformance-loop.md`) is working the
+  remaining candidates (common-lisp, erlang, feed, forth, go, js, ocaml, smalltalk, tcl)
+  one per iteration, **classify-then-migrate-or-exclude with a hard test-count parity gate**
+  (reverts on any mismatch; never pushes to main/architecture). Radar tracks; it implements.
+- **Driver-capability boundary found (pass 24, first iteration).** The loop did NOT
+  force-migrate `common-lisp` (baseline 305/0 across 12 suites) — the shared driver can't
+  reproduce it: `MODE=counters` supports only ONE global pass/fail counter pair + ONE fixed
+  preload set, but common-lisp needs **per-suite counter names** (8 distinct pairs) and
+  **per-suite preload chains**. It logged a precise blocker + unblock path (extend the
+  `SUITES` entry format with optional per-suite counters/preloads) and moved on.
+- **Driver gap RESOLVED next iteration (pass 25) — but it touched the shared driver.** The
+  loop extended `lib/guest/conformance.sh` (+38 lines: optional per-suite counters + per-suite
+  preloads in the `SUITES` format, backward-compatible) and then migrated common-lisp at
+  **487/487** (above the 305 baseline — likely another extractor under-count correction, à la
+  apl's `pipeline`). The parity gate held throughout.
+- **⚠ COORDINATION FLAG (radar): the `loops/conformance` branch now carries a change to the
+  SHARED `lib/guest` driver** used by all 8 adopters. It's additive by design, but **before
+  this branch merges to `architecture`, re-run the existing adopters' suites under the new
+  driver to confirm zero regression** (acl/apl/datalog/events/haskell/mod/prolog/search).
+  This is the one cross-cutting risk in an otherwise per-subsystem-isolated effort — surfaced
+  here so the merge is gated on adopter-parity, not assumed.
+
+---
+
+## Watching (real but not yet through the gate)
+
+### W1 · Federation scaffold (merge / ingest / backfill / trust-gate)
+- **FAILS the structural-identity gate (deep-dived 2026-06-06, all 4 read).** Consumer
+  count is met (4) but they are *superficially* similar, not structurally identical —
+  the federated unit and merge op differ fundamentally:
+
+  | Subsystem (file) | Federated unit | Merge op | Trust gate | Injected transport |
+  |---|---|---|---|---|
+  | feed (`fed.sx:14,18,40`) | activity streams | dedupe by `(actor verb object)` | none (visibility via `permit?` separately) | `send-fn`, `fetch-fn` |
+  | search (`fed.sx:8`) | inverted indices | relabel DocId `peer*1000+local` + union posting lists | none | none (pure merge fn) |
+  | mod (`fed.sx:11-14,99`) | moderation decisions | advisory-list vs applied-list; bind iff `mod/trusted?` | **yes — runtime list** `mod/trusted? peer scope` | mock outbox / `fed-send!` |
+  | acl (`federation.sx:43,56`) | Datalog delegate facts | pull facts, gate by `trust`/`level_covers` rule, re-saturate | **yes — Datalog rule** at query time | `transport` dict |
+  | events (`federation.sx`) | calendar agendas | fold trusted peers' agendas into one sorted agenda + `:origin` provenance | **yes — runtime list** `ev/trusts?` (peer-id ∈ trust-set) | injected behind `ev/peer-agenda` |
+
+- **The ONLY real commonality is the injection seam** (now 5/5, pass 18), not extractable
+  code: every one says "the real transport is `fed-sx`'s job; inject `send-fn`/`fetch-fn`/
+  `transport`/`peer-agenda` and mock it in tests." That is an architectural *convention the
+  fleet already follows*. The merge op diverges 5 ways (dedupe / index-union / advisory /
+  fact-saturation / agenda-sort). The trust gate, where present, splits: **mod + events use
+  a runtime trust-set membership check; acl uses a declarative Datalog rule** — so even the
+  trust sub-pattern is 2-of-3, and the membership check is a trivial one-liner (below the
+  extraction threshold). No shared merge, no single shared trust mechanism.
+- **Disposition:** do NOT extract a shared "federation lib." When `fed-sx` ships its
+  real transport, these 4 become its *consumers* (wiring `send-fn`/`fetch-fn`/`transport`
+  to it) — that work belongs to each subsystem's loop + the `fed-sx` loop, not a
+  cross-cutting extraction. Stop re-proposing on the shared name. Home: `fed-sx`.
+- **Now 7 federation modules (pass 29):** + `relations` (Phase 4: erel trust-gating,
+  peer_rel/trust, fed-sx mock transport — Datalog-rule trust like acl) and `artdag`
+  (Phase 6: content-addressed cache + trust + **invalidation** — a merge shape unlike any
+  other). Each new one reinforces "theme not shape": 7 divergent merges, all sharing only
+  the inject-fed-sx-transport seam. Verdict unchanged — they're fed-sx consumers-in-waiting.
+- **Narrower sub-claim (mod note, pass 6; refined pass 18):** mod asserts the *fed
+  trust/outbox* shape shares between mod+acl. Radar evidence refines this: the trust gate
+  splits by mechanism, not by subsystem pair — **mod + events** both use a runtime
+  trust-set membership check (`mod/trusted?`, `ev/trusts?`), while **acl** uses a Datalog
+  rule. So a "trust-set membership" helper has 2 consumers (mod, events) — but it's a
+  one-line `member?` and the merge it gates diverges, so still not worth extracting.
+  Resolve at the architecture-merge point if a heavier shared trust-set surface emerges.
+
+### W2 · Per-viewer visibility / permission filter
+- **2 shipped consumers, same shape** — `filter <injected-permit> <ranked/candidate stream>`:
+  - `feed/lib/feed/acl.sx:27` `feed/visible = (feed/filter stream (fn (a) (permit? viewer a)))`,
+    capstone at `:34` (stream → ACL → rank → top-N). `permit?` injected, sig `(viewer activity)→bool`.
+  - `search/lib/search/fed.sx:16` `aclFilter permit docs = filter permit docs`;
+    `topNTfIdfAcl n permit ts idx = take n (aclFilter permit (rankTfIdf ts idx))`.
+    `permit` injected, sig `DocId→Bool` (viewer baked in by caller).
+- **NOT a consumer:** `mod/lib/mod/policy.sx` is moderation policy (reviewer actions),
+  no per-viewer read filter. So mod won't be the 3rd.
+- **Missing:** (a) only 2 consumers, need ≥3; (b) the two interfaces *diverge* —
+  feed passes `(viewer, item)`, search bakes the viewer in — so any shared form must
+  pick a convention; (c) both already **inject** the predicate, and the filter body is
+  literally one line (`filter permit xs`). Leaning toward: the predicate's home is
+  `acl-on-sx` (`permit?`), and the one-line filter is too thin to extract.
+- **Home when ripe:** delegate `permit?` to `acl-on-sx`; do NOT extract the filter.
+  Re-check if a 3rd genuine per-viewer read filter ships (e.g. events/commerce).
+
+### W3 · Collection helpers (group-by, dedupe-by-key, stable top-N, distinct-order, offset/limit page)
+- feed built all of these on APL primitives. search/commerce/events will want
+  group-by / top-N.
+- **NEW (2026-06-06): offset/limit pagination shipped in 2 subsystems, identical shape**
+  `take limit (drop offset xs)`:
+  - `feed/lib/feed/page.sx:9` `feed/page` (offset/limit window over a stream).
+  - `search/lib/search/page.sx:9` `paginate off lim docs = take lim (drop off docs)`.
+  - NOT a 3rd: `persist/lib/persist/query.sx:5` has a *since-cursor* for incremental log
+    consumption — resumable-stream semantics, not result windowing. Different shape.
+  - feed *also* has cursor-by-`:at` recency pagination (`page.sx:21-44`); search has no
+    cursor. So only the plain offset/limit window is shared, and it is a literal 1-liner.
+- **Missing:** ≥3 stable consumers; AND every item here is collection math that belongs
+  in the **substrate** (APL/Haskell already expose grade/sort/unique/take/drop), not a
+  shared lib. A 1-line `take/drop` window is far below the extraction threshold. Watch;
+  revisit only if a non-substrate subsystem needs the same windowing without take/drop.
+- **Filename-collision caution (pass 13):** `content/lib/content/page.sx` is an **HTML
+  page wrapper** (full HTML5 doc), NOT pagination — do not count it as a 3rd pagination
+  consumer. `page.sx` now means two unrelated things across the fleet. Re-tested pass 13:
+  pagination still only feed + search (2).
+
+### W4 · In-memory store fakes → `persist-on-sx`
+- Not an abstraction to extract — a migration target. Every subsystem fakes its
+  store with a mutable list (`feed/-log`, flow store, mod audit, …).
+- **Owner:** `persist-on-sx` (in progress). Tracked there, listed here for visibility.
+- **Concrete instance (file:line, found pass 4): the append-only decision/audit log.**
+  `acl/lib/acl/audit.sx` and `mod/lib/mod/audit.sx` are the SAME hand-rolled shape, and
+  `persist/lib/persist/log.sx` (the persist *log facet*) already implements it durably:
+
+  | role | acl/audit.sx | mod/audit.sx | persist/log.sx (target) |
+  |---|---|---|---|
+  | log var | `acl-audit-log` :9 | `mod/*audit-log*` :10 | backend stream |
+  | monotonic seq | `acl-audit-seq` :10 | `mod/*audit-seq*` :11 | per-stream high-water :1 |
+  | append (auto-seq) | `acl-audit-decide!` | commit :32 | `persist/append` :17 |
+  | count | `acl-audit-count` :51 | `mod/audit-count` :44 | `persist/count` :12 |
+  | read-all oldest-first | snapshot/tail :73 | `mod/audit-all` :43 | `persist/read` :29 |
+  | read seq≥from | — | by-seq | `persist/read-from` :31 |
+
+  Both deliberately use a monotonic seq with **no wall-clock** (deterministic/testable) —
+  identical to persist/log's design. Action when persist's host adapter lands: acl + mod
+  loops swap their in-memory log for `persist/log`. 2 consumers today; not a new lib —
+  the home already exists. Belongs to acl/mod loops × persist loop, not an extraction.
+- **Cross-loop corroboration (pass 6):** the mod loop independently reached the same
+  conclusion — `mod/plans/mod-on-sx.md` (commit 538b8a53): *"mod-sx (Prolog) and acl-sx
+  (Datalog) converged on the same module shape … only the audit log + fed trust/outbox
+  shapes truly share; extract at the architecture-merge point, refactoring both consumers
+  atomically, not unilaterally from a loop branch."* Confirms the shape AND the
+  do-not-extract-unilaterally stance.
+- **Home disagreement to resolve at merge:** mod's note proposes lifting the audit-log
+  primitives into **`lib/guest/`**. Radar routing disagrees: a durable append-only log is
+  a **`persist-on-sx`** concern (the log facet already exists), not language-impl plumbing.
+  Hold the line — `lib/guest` is lexer/parser/AST/HM/test-runner, not an event log.
+- **Migration is becoming concrete:** new `host-persist` loop (worktree + tmux, pass 6)
+  is building the durable-storage host adapter persist was blocked on — once it lands,
+  acl/mod can actually swap to `persist/log`.
+- **LIVE REFERENCE EXEMPLAR (pass 9): `content` already does it right.** `content`
+  (Phase 2 complete, 162/162) built its op log directly on `persist/log` instead of
+  faking it — `content/lib/content/store.sx`: backend injected via `(persist/open)`
+  ("content knows nothing about which backend", :10); append op as event
+  `persist/append b (content/-stream doc-id) …` (:20); read `persist/read` (:36);
+  `persist/last-seq` (:47); **version = replay op stream up to a seq**
+  (filter `persist/event-seq ev <= seq`, :61). "The op log is the source of truth …
+  the materialised doc is a cache, never primary state."
+  This proves the W4 target is real, not hypothetical: acl + mod's hand-rolled
+  monotonic-seq logs should adopt exactly content's `persist/log` pattern.
+- **Consumer ledger of the append-only monotonic-seq event log (pass 11):**
+
+  | consumer | what | backing | note |
+  |---|---|---|---|
+  | content (`store.sx`) | doc op log | **persist/log ✓ live** | plain append + replay-to-seq |
+  | commerce (`ledger.sx`) | order ledger | **persist/log ✓ live** | `persist/append-once` — idempotent, webhook-replay-safe :40,58 |
+  | events (`booking.sx`) | booking roster | **persist/log ✓ live** | `persist/append-expect` — optimistic-concurrency CAS, capacity-safe, lock-free |
+  | acl (`audit.sx`) | decision log | in-memory fake (SX) | migrate directly when host adapter lands |
+  | mod (`audit.sx`) | decision log | in-memory fake (SX) | migrate directly |
+  | identity (`audit.sx`) | grant ledger | in-memory fake (**Erlang**) | `{Seq,Subject,Action}`; needs an **Erlang↔persist bridge** first — author scoped it out until persist lands ("queryable semantics identical") |
+
+- **Two takeaways:** (1) the pattern is **validated across domains** — CRDT doc ops,
+  financial orders, event bookings, rule decisions, OAuth grants all reduce to the same
+  append-only monotonic-seq stream; (2) migrating to `persist/log` is strictly *better*
+  than the fakes — persist exposes a **feature ladder the fakes don't have**:
+  `append` (content) → `append-once`/idempotency (commerce) → `append-expect`/optimistic-
+  concurrency (events). Every fake would have to reinvent a weaker version of these.
+  This is an **adoption** item (the home already exists), NOT a new extraction — owned by
+  persist/host-persist × each consumer loop. The SX fakes (acl, mod) migrate directly;
+  the Erlang fake (identity) is gated on an Erlang↔persist bridge.
+
+### W5 · Proof-tree explanation over a logic-program derivation
+- `acl/lib/acl/explain.sx` (reconstructs a canonical proof by goal-directed search over a
+  saturated Datalog db) and `mod/lib/mod/explain.sx` (renders a Prolog-style proof tree
+  goal-by-goal with proved/unproved marks + unification bindings) are the same *idea*.
+- **Missing / disposition:** only 2 consumers, and they sit on **different substrates**
+  (acl→`lib/datalog`, mod→`lib/prolog`). Proof reconstruction/rendering is logic-engine
+  machinery → it belongs in each **substrate** (datalog/prolog), not a shared app lib.
+  Watch; revisit only if a 3rd logic-backed subsystem reimplements proof explanation.
+- **Cross-loop note (pass 6):** mod's note calls `mod/proof-goals` (re-query-each-goal)
+  generic and proposes lifting it into **`lib/guest/`**. Radar caveat: proof-tree
+  reconstruction *is* engine-agnostic logic machinery, but `lib/guest` is for
+  lexer/parser/AST/HM/match/test-runner — a logic-engine proof helper is a poor fit there.
+  If genuinely shared by ≥3 engines, a `lib/logic`-style substrate helper is the better
+  home than `lib/guest`. Still 2 consumers → stays Watching either way.
+
+---
+
+### W9 · Parent/child relationship tracking → the new `relations` subsystem (nascent)
+- **New subsystem (pass 28):** `relations` (loops/relations, Phase 1 — `schema.sx`+`api.sx`,
+  rel facts + `relate`/`unrelate`/`children`/`parents`/`related`, 22 tests). Per CLAUDE.md
+  it's the canonical "cross-domain parent/child relationship tracking."
+- **Why watch:** several subsystems already track parent/child *locally* — feed reply-to
+  threading (`thread`/`replies`), content nested block trees, events occurrence/RECURRENCE-ID
+  links. If `relations` becomes the shared home, those are candidate *delegators* (like
+  acl=authZ, persist=log). But it's **Phase 1, pre-Phase-2, moving target** — and each
+  local impl is currently domain-specific (different keys/semantics). Do NOT propose yet.
+  Re-check when relations is past Phase 2 AND ≥3 subsystems' relationship logic could
+  genuinely delegate to it. `artdag` also just spawned (nascent, 0 files) — tracking only.
+  (pass 32: `dream` + `maude` also spawned, nascent 0-files; `fed-prims` resumed.)
+- **Update pass 29:** relations rocketed to **Phase 4** (one gate — past Phase 2 — now met),
+  but it's building ITSELF out (schema/federation), **not yet being consumed** by anyone.
+  The blocker is the other gate: 0 subsystems currently *delegate* their parent/child logic
+  to it (feed/content/events still track locally). Watch for the first real delegation.
+  (artdag also raced to Phase 6 — these ports advance fast; treat committed state as truth.)
+
+### W8 · Durable externally-resumed orchestration on `lib/flow` (suspend→host-IO→resume)
+- **The shared shape:** a durable `flow` that `request`s an external action (a suspend
+  point), the **host** performs the IO, then `flow/resume`s the flow with the outcome;
+  flow's deterministic replay means a completed step never re-runs on recovery.
+- **Consumers (pass 24): 2 LIVE** (events delivery, commerce order saga).
+  - `events/lib/events/notify.sx` (**live**) — reminders/digests as durable flows;
+    suspend on delivery `dispatch`, resume with send outcome. At-least-once + idempotency key.
+  - `commerce` (**LIVE** as of pass 24 — "order lifecycle as a durable flow-on-sx flow,
+    21 tests, Phase 3 done") — order saga `(defflow ordf … (request 'reserve oid) … )`:
+    reserve→pay→fulfil as a flow, **payment stays suspended until the payment webhook calls
+    `flow/resume`**. Carries only the order-id; pure orchestration over `ledger.sx`.
+  - **Now 2 LIVE consumers** of the *same* pattern: long-running process, external resume
+    (delivery dispatch vs payment webhook). fed-sx/mod still roll their own outbox (watch
+    for convergence). Strengthens "lib/flow is the home"; still adoption, not extraction.
+- **Disposition:** `lib/flow` IS the abstraction (events proves it, commerce adopts it) →
+  this is an **adoption** observation like W4, NOT an extraction. Home = `lib/flow`.
+- **Flow-onboarding friction (light signal):** commerce's note logs real gotchas adopting
+  flow — `flow-make-env` returns a large likely-cyclic env (don't print it), env build is
+  slow (budget ~540s like flow's own suite). If ≥3 subsystems hit the same onboarding
+  gotchas, that's a signal to smooth `lib/flow`'s adopter API — flow's concern, flagged here.
+- **Name-collision caveat:** `notify.sx` means two unrelated things — `feed/notify.sx` is
+  a *read-side digest* (group inbox by verb+object), NOT delivery. Do not pair them.
+
+### W7 · Snapshot/projection-checkpoint reimplemented vs `persist/snapshot` (delegate)
+- `persist/lib/persist/snapshot.sx` already provides a **generic** projection checkpoint:
+  store `{:value :seq}` in the kv facet under a namespaced key; the headline property is
+  **snapshot + tail == full replay** (pure, clock-free).
+- `content/lib/content/snapshot.sx` **reimplements that same pattern on raw persist KV**
+  rather than delegating: `persist/kv-put b (content/-snap-key doc-id) {:doc … :seq seq}`
+  (:20), `persist/kv-has?`/`kv-get` (:27-28), and its own tail-replay (:53-59). It never
+  calls `persist/snapshot-*`. content's doc-materialisation *is* a projection fold over
+  its op stream — exactly what `persist/snapshot` checkpoints generically.
+- **Disposition:** persist-adoption nudge (like W4): content could delegate to
+  `persist/snapshot` (its projection = "fold ops → doc"), dropping the duplicated
+  KV+replay code. Home already exists → NOT an extraction; owned by content × persist
+  loops. Only 1 reinventor today; watch whether commerce/events/identity also hand-roll a
+  snapshot on raw KV instead of using the facet (would strengthen the nudge). NB timeline:
+  unclear if `persist/snapshot` predated content's — flag, don't blame.
+
+### W6 · Guarded lifecycle state machine (illegal transition = explicit error)
+- Recurs as a **design principle**, NOT a shared structure (found pass 10):
+  - `mod/lib/mod/lifecycle.sx` — pure SX: immutable case `{:state :error :history …}`,
+    explicit transition table `mod/lc-transitions` (:31), illegal transition returns the
+    case unchanged with `:error` set. States open→triaged→decided→appealed→final.
+  - `identity/lib/identity/membership.sx` — an **Erlang `gen_server`** fragment (identity
+    runs on erlang-on-sx): a `receive` loop with `case find(...) of … {error, St}` guards.
+    States none→pending→active→lapsed→revoked.
+- **Both share the guideline** ("invalid transitions are explicit errors, never silent
+  no-ops") but **implement it substrate-idiomatically** — SX transition-table over
+  immutable values vs an Erlang process loop with per-message case guards. Same W1/`api.sx`
+  trap: shared *idea*, divergent *structure*.
+- **Disposition:** not an extraction target — the FSM mechanism is ~10 substrate-specific
+  lines; the value is in each domain's state graph, not the plumbing. At most a **design
+  guideline** ("model lifecycle as a guarded FSM with explicit-error transitions"). Watch
+  whether commerce-checkout / events-booking add their own — if so it confirms the
+  *guideline*, still not a lib. Do not propose extracting a shared state-machine lib.
+
+## Rejected (considered, declined — do not re-propose)
+
+- **"Continuous auto-implementing abstractor loop."** Rejected at design time: an
+  agent writing across `lib/<x>/**` breaks the worktree isolation that makes the
+  fleet safe, and is rewarded for manufacturing premature/wrong abstractions. The
+  radar is read-only by design. (This file is the alternative.)
+- **Shared `api.sx` "public boundary" module (×6).** Rejected pass 4-5: every subsystem
+  has an `api.sx` (acl, feed, flow, mod, persist, search — a 100% filename match), but it
+  is a naming *convention for the public entry point*, not a shared structure. They
+  disagree on the most basic contract: acl/feed use **implicit module state**
+  (`acl/api.sx` "implicit current db", `feed/api.sx` "single mutable log") while
+  `persist/api.sx` threads an **explicit backend as every call's first arg**; flow's api
+  *builds a Scheme env*, search's api *concatenates a Haskell source string*, mod's is a
+  *lifecycle state-machine façade* (17 defs vs persist's 1). Same role, no common shape —
+  the W1 coincidental-resemblance trap. Do not re-propose on the filename.
+- **Shared `wire.sx` "serialization" module (×2).** Rejected pass 15: content + mod both
+  have a `wire.sx`, but `content/wire.sx` uses the **generic SX serializer**
+  (`serialize`/`parse`, full-fidelity round-trip) while `mod/wire.sx` is a **bespoke
+  versioned pipe-delimited line** (subset of fields, `split` hand-built over slice/len
+  because mod's Prolog-loaded env strips string prims). Shared role (wire format),
+  divergent structure + substrate constraint → not a candidate; the SX serializer is
+  already the shared tool for SX-substrate subsystems, and mod can't use it. (Same family
+  as the `api.sx` rejection above.)
+- **Dumping app-domain plumbing into `lib/guest`.** Rejected: `lib/guest` is for
+  language-implementation plumbing. App patterns route to acl/fed-sx/persist/
+  substrate/host instead (see the routing rule in the briefing).

plans/agent-briefings/persist-loop.md

@@ -1,115 +0,0 @@
-# persist-on-sx loop agent (single agent, queue-driven)
-
-Role: iterates `plans/persist-on-sx.md` forever. **Durable state on the SX kernel**
-— the foundation substrate every other subsystem currently fakes with an in-memory
-mutable list. Event log (append-only streams) + kv (current-state) over one
-injectable backend; pure projections; snapshots; durable IO at the kernel's
-`perform` boundary. This is **substrate-level**, not a guest language.
-
-```
-description: persist-on-sx queue loop
-subagent_type: general-purpose
-run_in_background: true
-isolation: worktree
-```
-
-## Prompt
-
-You are the sole background agent working `plans/persist-on-sx.md`. Isolated
-worktree `/root/rose-ash-loops/persist` on branch `loops/persist`, forever, one
-commit per feature. Push to `origin/loops/persist` after every commit. Never touch
-`main` or `architecture`.
-
-## Restart baseline — check before iterating
-
-1. Read `plans/persist-on-sx.md` — roadmap + Progress log. Note the scope table:
-   persist owns the **log** + **kv** facets; blobs are delegated (store the CID,
-   not the bytes); cache is out of scope. Do not event-source everything.
-2. `ls lib/persist/` — pick up from the most advanced file.
-3. If `lib/persist/tests/*.sx` exist, run them via `bash lib/persist/conformance.sh`.
-   Green before new work.
-4. If `lib/persist/scoreboard.md` exists, that's your baseline.
-5. **Learn the substrate before writing durable code.** persist sits on the kernel's
-   IO-suspension surface — the third CEK phase: `perform`, `cek-step-loop`,
-   `cek-resume`, `make-cek-suspended`. Study how IO is requested and resumed, and
-   how `spec/harness.sx` mocks an IO platform for tests (assert-io-*). Phases 1–3
-   need NO real IO — the in-memory backend is pure SX. Real durable IO (Phase 4)
-   goes through `perform` and is tested against the mock-IO harness, not a real disk.
-   Verify the actual exported names with sx_find_all / grep before relying on them.
-
-## The queue
-
-Phase order per `plans/persist-on-sx.md`:
-
-- **Phase 1** — log + kv + in-memory backend (event record, injectable backend
-  protocol, append/read, kv get/put/delete, api).
-- **Phase 2** — projections (`fold step seed`) + subscriptions; concurrency
-  conflict as a real result.
-- **Phase 3** — snapshots + replay (checkpoint, replay = snapshot + tail,
-  determinism).
-- **Phase 4** — durable backend via kernel IO (`perform`), blob-ref interface,
-  crash/restart replay against the mock-IO harness.
-
-Within a phase, pick the checkbox that unlocks the most tests per effort.
-
-Every iteration: implement → test → commit → tick `[ ]` → Progress log → next.
-
-## Ground rules (hard)
-
-- **Scope:** only `lib/persist/**` and `plans/persist-on-sx.md`. Do **not** edit
-  `spec/`, `hosts/`, `shared/`, or any `lib/<lang>/`. You may **import** the
-  kernel's IO-suspension + platform-IO surface only. **Do NOT add host primitives.**
-  If a durable IO op you need doesn't exist, it belongs in `hosts/` (out of scope) →
-  Blockers entry with a minimal repro, and stop on that item.
-- **NEVER call `sx_build`.** 600s watchdog. If the sx_server binary is broken →
-  Blockers entry, stop. Run tests by invoking the sx_server binary directly from a
-  conformance.sh (model it on an existing one, e.g. `lib/apl/conformance.sh`),
-  pointing `SX_SERVER` at `/root/rose-ash/hosts/ocaml/_build/default/bin/sx_server.exe`
-  — fresh worktrees have no `_build/`.
-- **Determinism:** replay must be pure — same log → same state. No clocks/randomness
-  inside projections; timestamps live on the event, passed in.
-- **Shared-file issues** → plan's Blockers with minimal repro; don't fix here.
-- **SX files:** `sx-tree` MCP tools ONLY. **They take `file:` not `path:`** — a
-  wrong key yields `Yojson Type_error("Expected string, got null")`, which looks
-  like a broken binary but is just a param mismatch. `sx_validate` after edits.
-  Path-based edits (`sx_replace_node`) count comment headers in their indices and
-  can clobber the wrong node — re-read after, or prefer `sx_write_file` for small
-  files.
-- **Unicode in `.sx`:** raw UTF-8 only, never `\uXXXX` escapes.
-- **Commit granularity:** one feature per commit. Short factual messages
-  (`persist: kv facet get/put/delete + 6 tests`). Push to `origin/loops/persist`.
-- **Plan file:** update Progress log (newest first) + tick boxes every commit.
-
-## persist-specific gotchas
-
-- **Two facets, not one.** Don't force current-state values (a stock count, a
-  config value, a session blob) through the event log — that's the kv facet. Event
-  log is for things whose *history* matters.
-- **Backend is injected.** The in-memory backend is the test default; never hardwire
-  it. Every op goes through the backend protocol so file/pg/ipfs swap in unchanged.
-- **Optimistic concurrency is a real result.** A conflicting append returns a
-  conflict value the caller can retry on — not a crash, not a silent overwrite.
-- **Blobs by reference only.** persist stores a content-address/CID + metadata. The
-  bytes live in a content-addressed store (artdag/IPFS). Never put large payloads in
-  the log.
-- **Replay determinism is the headline property.** Snapshot + tail must equal full
-  replay. Test it explicitly, both directions.
-
-## General gotchas (all loops)
-
-- SX `do` = R7RS iteration. Use `begin` for multi-expr sequences.
-- `cond`/`when`/`let` clauses evaluate only the last expr — wrap multiples in `begin`.
-- `let` is parallel, not sequential — nest `let`s when a binding references an earlier one.
-- `env-bind!` creates a binding; `env-set!` mutates an existing one (walks scope chain).
-- `sx_validate` after every structural edit.
-- Namespace-prefix all helpers (`persist/...`) — short/host-colliding names get
-  silently shadowed or hang the runtime.
-
-## Style
-
-- No comments in `.sx` unless non-obvious.
-- No new planning docs — update `plans/persist-on-sx.md` inline.
-- Short, factual commit messages.
-- One feature per iteration. Commit. Log. Push. Next.
-
-Go. Start by reading the plan; find the first unchecked `[ ]`; implement it.

plans/agent-briefings/radar-loop.md

@@ -0,0 +1,117 @@
+# abstraction-radar loop agent (read-only scout)
+
+Role: continuously scan **all** rose-ash subsystems for genuine abstraction /
+deduplication opportunities and maintain a ranked, evidence-backed backlog at
+`plans/abstractions.md`. You are a **scout, not an implementer** — you detect and
+document; you never refactor across subsystems.
+
+```
+description: abstraction-radar (read-only scout)
+subagent_type: general-purpose
+run_in_background: true
+isolation: worktree
+```
+
+## Prompt
+
+You are the sole background agent on branch `loops/radar`, worktree
+`/root/rose-ash-loops/radar`, forever. Self-paced. Your ONLY writes are to
+`plans/abstractions.md` (and, rarely, refining this briefing). Push to
+`origin/loops/radar` after each update. Never touch `main` or `architecture`.
+
+## The one hard rule: you do NOT edit `lib/**` — ever
+
+You read across every subsystem and write findings to `plans/abstractions.md`.
+You do **not** implement abstractions, migrate code, or edit any `lib/<x>/**`
+file in any worktree. Implementation is a separate, coordinated, human-triggered
+step — proposing well is your whole job. An abstractor that writes across
+subsystems would collide with the very isolation that keeps the other loops safe;
+that is exactly why you are read-only.
+
+## Dynamic discovery — re-enumerate every iteration, never hardcode
+
+The set of subsystems grows as new loops are spawned. Each iteration, rebuild the
+list from the filesystem + tmux so newly-added subsystems are automatically in
+scope:
+
+1. `ls -d /root/rose-ash-loops/*/` — every loop worktree. For a worktree named `X`,
+   its in-flight subsystem is `lib/X/` **inside that worktree**
+   (`/root/rose-ash-loops/X/lib/X/`) — that's the current, possibly-uncommitted
+   state. Read it there, not from your own worktree.
+2. `ls -d /root/rose-ash/lib/*/` — subsystems merged into / dormant on the main repo
+   (e.g. `feed` once merged, the language substrates `apl`/`haskell`/`prolog`/…).
+3. `tmux ls` — which subsystems are actively looping right now (affects whether a
+   candidate's consumers are "stable" — see the gate).
+
+Treat the union as your scan surface. When a `commerce` or `identity` loop appears
+later, step 1 picks it up with no change to you. Note in `abstractions.md` the
+date and the subsystem set you scanned, so drift is visible.
+
+## The AHA gate — before ANY candidate goes in the backlog as "proposed"
+
+"Avoid Hasty Abstractions." A wrong shared abstraction is far costlier than the
+duplication it replaces. A candidate may be listed as **proposed** only if ALL hold:
+
+- **≥3 real consumers** (not 2 — three independent uses). Fewer → log it under
+  "Watching" with its consumer count, do not propose.
+- **All consumers past Phase 2 and API-stable.** If a consumer's loop is mid-flight
+  and its interfaces are still moving (`tmux ls` shows it active + its plan has
+  unchecked early-phase boxes), the pattern is a moving target → "Watching."
+- **Structurally identical, not superficially similar.** Show the shared shape with
+  file:line evidence from each consumer. Coincidental resemblance is the #1 trap.
+- **It has a natural home.** And that home is usually **not** `lib/guest` — see the
+  routing rule below.
+
+Anything failing a gate goes under **Watching** (with what's missing) or
+**Rejected** (with why), never silently dropped — so it isn't re-proposed each pass.
+
+## Routing rule — most patterns do NOT belong in lib/guest
+
+`lib/guest` is for **language-implementation plumbing** (lexer/parser/AST/HM/match/
+test-runner), and it has its own consumer-gated roadmap. App-subsystem patterns
+almost always have a better home — route, don't dump:
+
+| Pattern kind | Home (not lib/guest) |
+|---|---|
+| per-viewer visibility / permission filter | `acl-on-sx` (delegate to `permit?`) |
+| federation scaffold (merge/ingest/backfill/trust) | `fed-sx` |
+| durable store / event log / kv | `persist-on-sx` |
+| collection math (group-by, dedupe, stable top-N) | the substrate (APL/Haskell/…) |
+| HTTP/handler/middleware plumbing | `host-on-sx` |
+| conformance/test harness | `lib/guest` (the one real exception — `test-runner.sx` + the shared driver live there) |
+
+If a pattern's home is one of the subsystems, the recommended **action** is "adopt
+/ delegate there," and the work belongs to that subsystem's own loop (in its
+scope), not to a cross-cutting change.
+
+## Each iteration
+
+1. Re-discover the subsystem set (above). Record it + the date in `abstractions.md`.
+2. Pick ONE thread: either deep-dive a "Watching" candidate to gather file:line
+   evidence and re-test its gates, or sweep for a new recurring shape across the
+   current set.
+3. Update `plans/abstractions.md`: move items between Watching / Proposed /
+   In-progress (owned by a subsystem loop) / Done / Rejected, with evidence.
+4. Keep it ranked by (consumers × effort-saved ÷ risk). Short, factual.
+5. Commit (`radar: <one-line finding>`) and push to `origin/loops/radar`.
+
+Do not invent work to look busy: if a pass finds nothing that clears the gate,
+record "scanned N subsystems on <date>, no new candidates cleared the gate" and
+stop until next iteration. Empty passes are a valid, honest result.
+
+## Gotchas
+
+- SX files: `sx-tree` MCP tools take `file:` not `path:`. But you mostly READ —
+  prefer `sx_find_across`, `sx_comp_usage`, `sx_comp_list`, `sx_summarise`, plus
+  `Grep`/`Glob`/`Bash` for cross-worktree scanning.
+- `plans/abstractions.md` is a `.md` — edit it with normal Write/Edit, not sx-tree.
+- Never run `sx_build`. You don't build anything; you read.
+
+## Style
+
+- Evidence over assertion: every claim cites file:line in ≥3 consumers.
+- Honest empty passes. Rejected items stay rejected with a reason.
+- One finding per commit. Update. Push. Next.
+
+Go. Read `plans/abstractions.md` (seeded), re-discover the subsystem set, and
+advance the highest-value thread.

plans/persist-on-sx.md

@@ -42,7 +42,7 @@ read models (feeds, indices, audit logs) update incrementally.
 
 ## Status (rolling)
 
-`bash lib/persist/conformance.sh` → **201/201** (Phases 1–4 complete + extensions + a reference migration)
+`bash lib/persist/conformance.sh` → **0/0** (not yet started)
 
 ## Ground rules
 
@@ -87,325 +87,33 @@ lib/persist/backend.sx              lib/persist/api.sx
 ```
 
 ## Phase 1 — Log + kv + in-memory backend
-- [x] `event.sx` — event record, stream/seq helpers
-- [x] `backend.sx` — injectable protocol + in-memory impl (log + kv)
-- [x] `log.sx` — `append` (optimistic seq), `read`, `read-from`
-- [x] `kv.sx` — `get`/`put`/`delete` current-state
-- [x] `api.sx` + tests + scoreboard + conformance.sh
+- [ ] `event.sx` — event record, stream/seq helpers
+- [ ] `backend.sx` — injectable protocol + in-memory impl (log + kv)
+- [ ] `log.sx` — `append` (optimistic seq), `read`, `read-from`
+- [ ] `kv.sx` — `get`/`put`/`delete` current-state
+- [ ] `api.sx` + tests + scoreboard + conformance.sh
 
 ## Phase 2 — Projections + subscriptions
-- [x] `project.sx` — `(project stream step seed)`, incremental fold
-- [x] subscription hook — projection / kv read model re-runs on append
-- [x] concurrency conflict surfaced as a real result, not a crash
+- [ ] `project.sx` — `(project stream step seed)`, incremental fold
+- [ ] subscription hook — projection / kv read model re-runs on append
+- [ ] concurrency conflict surfaced as a real result, not a crash
 
 ## Phase 3 — Snapshots + replay
-- [x] `snapshot.sx` — checkpoint a projection; replay = snapshot + tail
-- [x] compaction policy; replay-determinism tests
+- [ ] `snapshot.sx` — checkpoint a projection; replay = snapshot + tail
+- [ ] compaction policy; replay-determinism tests
 
 ## Phase 4 — Durable backends via kernel IO
-- [x] file/log backend driven through `perform` (IO-suspension boundary)
-- [x] blob backend interface (store ref/CID; bytes live in artdag/IPFS)
-- [x] crash/restart replay test (mock IO platform)
-- [x] migration notes for swapping mem → durable under a live subsystem
-
-### Migration notes — mem → durable under a live subsystem
-
-The facet API takes the backend as its first argument and never names a concrete
-backend, so swapping storage is a one-line change at the open site:
-
-```
-(persist/open)                              ; in-memory (test / ephemeral)
-(persist/mock-durable (persist/mem-backend)); durable protocol, in-process disk
-(persist/durable-backend)                   ; production: ops cross perform → host
-```
-
-Everything above the backend — `append`/`read`/`project`/`subscribe`/`snapshot`
-/`compact` — is byte-identical across all three. A subsystem migrates by:
-
-1. **Pick the seam.** The subsystem holds one backend value (today an in-memory
-   list). Replace its construction with `persist/open`/`durable-backend`; leave
-   every call site untouched.
-2. **Backfill.** For an existing in-memory store, replay its current state into
-   the durable backend once (append historical events / `kv-put` current
-   values) before cutting reads over. New writes go to durable from then on.
-3. **Read models rebuild themselves.** A projection is pure `(fold step seed)`;
-   after cutover, `persist/replay` (snapshot + tail) reconstructs every read
-   model from the durable log — no bespoke migration of derived state.
-4. **Blobs first, by reference.** Move large payloads into the content store and
-   store only `persist/blob-ref`s; the log/kv stay small, so the backfill in (2)
-   never copies bytes.
-5. **Concurrency is already handled.** Two writers racing a stream get a
-   `persist/conflict?` result, not corruption — the same on mem or durable, so
-   no new code is needed at cutover.
-
-The only behavioural difference durable introduces is that each op crosses the
-kernel IO-suspension boundary (`perform`): under the real kernel the call
-suspends and the host resumes it transparently, so the facet code is unaware.
-Tests prove this by routing the identical request shapes through `persist/serve`
-over an in-process disk (the mock-IO harness).
-
-## Extensions (post-roadmap)
-- [x] `view.sx` — materialized views: bundle stream + fold + snapshot name;
-  `view-attach` keeps the snapshot current on every publish so `view-peek` is an
-  O(1) read. The consumer-facing read-model abstraction (feed indices, audit
-  rollups, search counters).
-
-- [x] `kv.sx` CAS — `persist/kv-cas` (compare-and-swap) + `persist/kv-put-new`
-  (create-only): atomic current-state updates, conflict as a real value (kv
-  analogue of log `append-expect`). For sessions, acl grants, stock counts.
-
-- [x] `catalog.sx` — stream catalog: `persist/streams`/`stream-count`/
-  `stream-exists?`/`total-events`. Backend `:streams` op (from seq high-water
-  marks, so compacted streams still list), threaded through mem + durable.
-
-- [x] `query.sx` — read-side scans: `read-between` (seq range), `read-since`/
-  `read-window` (by `:at`), `read-by-type`, `read-where`, `count-where`. Pure
-  reads for audit windows / type filters / since-cursors.
-
-- [x] `batch.sx` — `persist/append-batch` commits a list of `(type at data)`
-  specs as one contiguous block; `persist/append-batch-expect` is transactional
-  (all-or-nothing guarded by optimistic concurrency). For an order + its line
-  items as one commit.
-
-- [x] `upcast.sx` — event schema evolution: register a pure `(event -> event)`
-  upcaster per type; `read-upcast`/`project-upcast` lift old events to the
-  current shape on read so projections see one shape. Immutable registry;
-  `upcast-data` helper merges new `:data` fields. Addresses the schema-evolution
-  trap without rewriting history.
-
-- [x] `idempotency.sx` — exactly-once append under retries: `persist/append-once`
-  keyed by a caller idempotency key (per stream), returning the same event on a
-  repeat. Marker lives in kv, so idempotency holds across restart. `seen?` check.
-
-- [x] `global.sx` — global commit ordering across streams (the primitive feed's
-  unified timeline needs). `persist/gappend` records a pointer in a reserved
-  `$global` index whose seq is the commit position; `read-global`/
-  `project-global` replay every event in commit order; `global-from` for
-  incremental consumers. Opt-in (plain `append` never touches it); reserved
-  index hidden from the public catalog. Deterministic across restart.
+- [ ] file/log backend driven through `perform` (IO-suspension boundary)
+- [ ] blob backend interface (store ref/CID; bytes live in artdag/IPFS)
+- [ ] crash/restart replay test (mock IO platform)
+- [ ] migration notes for swapping mem → durable under a live subsystem
 
 ## Consumers (post-foundation, not in scope here)
 feed/-log, flow store, mod/audit, search index, acl grants, identity sessions all
 become `persist` log or kv. Track each migration in that subsystem's plan.
 
-**Reference migration:** `lib/persist/examples/acl.sx` is a worked, tested
-template — an ACL-grants store rebuilt on persist (grants/revokes as events,
-current set as a projection, O(1) checks via a materialized view, an audit-window
-query). It carries an explicit BEFORE (hand-rolled ephemeral map) → AFTER
-diff in its header and proves the headline win (grants survive restart) on the
-durable backend. Other subsystem loops copy this pattern; it does not touch the
-real `lib/acl`.
-
 ## Progress log
-- **Reference migration: acl grants (201/201).** `lib/persist/examples/acl.sx` —
-  a worked, in-scope template migrating an ACL-grants store from a hand-rolled
-  ephemeral map to persist: grants/revokes as events, current set as a
-  projection, O(1) checks via a materialized view, audit via `read-window`.
-  Header carries the BEFORE→AFTER diff. 10 tests, incl. grants surviving restart
-  on the durable backend (the capability the BEFORE version lacked). The pattern
-  other subsystem loops copy.
-- **Ext: global commit ordering (191/191).** `global.sx` — `persist/gappend`
-  records a pointer in a reserved `$global` index (its seq = global commit
-  position); `read-global`/`project-global` resolve pointers to events in commit
-  order; `global-from` for incremental global consumers. Opt-in; `$`-streams are
-  now reserved + hidden from the public catalog (`streams-all` reveals them).
-  Gives feed its cross-stream timeline. 11 tests incl. durable + restart
-  determinism.
-- **Ext: exactly-once append (180/180).** `idempotency.sx` —
-  `persist/append-once` appends at most once per (stream, idempotency key),
-  returning the same event on a repeat; the marker lives in kv so it survives
-  restart (verified on durable). `persist/seen?` check. 9 tests.
-- **Ext: event schema evolution (171/171).** `upcast.sx` — per-type pure
-  `(event -> event)` upcasters in an immutable registry; `read-upcast`/
-  `project-upcast` lift legacy events to the current shape on read so
-  projections never branch on version. `upcast-data` merges new `:data` fields
-  keeping stream/seq/type/at. 9 tests incl. mixed old/new + durable.
-- **Ext: atomic batch append (162/162).** `batch.sx` — `persist/append-batch`
-  commits `(type at data)` specs as one contiguous block (real cons-list, in
-  order); `persist/append-batch-expect` checks the stream is still at expected
-  before writing any event, so the batch is all-or-nothing under a concurrent
-  writer. 10 tests incl. conflict-writes-nothing + durable.
-- **Ext: read-side query helpers (152/152).** `query.sx` — `read-between` (seq
-  range), `read-since`/`read-window` (by `:at`), `read-by-type`, `read-where`,
-  `count-where`. Pure scans over `persist/read`; for ad-hoc relational queries
-  consumers still project into a kv read model. 9 tests incl. durable.
-- **Ext: stream catalog (143/143).** New backend op `:streams` (keys of the seq
-  high-water-mark dict, threaded through mem-backend + durable serve/io-backend)
-  so fully-compacted streams still enumerate. `catalog.sx`:
-  `persist/streams`/`stream-count`/`stream-exists?`/`total-events`. 10 tests
-  incl. durable + restart.
-- **Ext: kv compare-and-swap (133/133).** `persist/kv-cas` sets a key only if
-  its current value equals expected, else returns `{:conflict :expected
-  :actual}`; `persist/kv-put-new` is create-only. The kv analogue of log
-  `append-expect` — atomic current-state for sessions/acl/stock. 11 tests incl.
-  racer + retry + durable backend.
-- **Ext: materialized views (122/122).** `view.sx` — `persist/view` bundles
-  stream + step + seed + snapshot name; `view-attach` subscribes it to a hub so
-  every publish refreshes the snapshot incrementally; `view-peek` is then an
-  O(1) current read (no fold), `view-value` always folds the tail so it's never
-  stale. 11 tests incl. on durable backend + a sum-over-data view.
-- **Phase 4c+4d (111/111) — Phase 4 complete, roadmap done.** `recovery.sx` — a
-  6-test crash/restart integration: an order ledger (event log + subscription
-  kv read model + snapshot + compaction + invoice blob ref) over the durable
-  backend, where "crash" drops every in-process object and "restart" rebuilds
-  over the same disk + content store. Log, read model, snapshot, compacted
-  replay, and blob ref all survive; seq continues; two restarts converge
-  (determinism). Migration notes (mem → durable under a live subsystem) added
-  inline above.
-- **Phase 4b (105/105).** `blob.sx` — large objects stay out of persist. A blob
-  ref is `{:cid :size :mime}`; the blob store is a SEPARATE injected dependency
-  (`persist/blob-io` over an injectable transport, perform in prod / mock
-  content store in tests). `persist/blob-store` puts bytes and returns ONLY the
-  ref; `persist/blob-fetch` retrieves bytes via the ref. Mock store is
-  content-addressed (same bytes dedupe). 14 tests assert the invariant: a ref in
-  the log/kv carries the CID, never the bytes (`has-key? :bytes` is false).
-- **Phase 4a (91/91).** `durable.sx` — a backend whose every op crosses the
-  kernel IO boundary via `(perform {:op "persist/..." :args (...)})`. The
-  transport is injectable: `persist/durable-backend` uses the kernel's
-  `perform` (suspends; host resumes); `persist/mock-durable` uses
-  `persist/serve` over an in-memory disk. `persist/serve` is the reference host
-  + the mock-IO harness. Because the request shapes are identical, the ENTIRE
-  facet stack (log/kv/project/snapshot/compaction) runs unchanged on
-  mock-durable — verified. Crash/restart (drop backend, keep disk) recovers log
-  + kv + snapshot by replay; seq counter continues. 15 tests. See Blockers for
-  why end-to-end perform suspension isn't exercised under sx_server.exe.
-- **Phase 3b (76/76) — Phase 3 complete.** Backend refactor: `last-seq` is now
-  a monotonic per-stream high-water mark (backend `seqs` dict), not physical
-  length, so a compacted log keeps assigning climbing seqs. Added backend
-  `:truncate-through` + `persist/truncate`. `compaction.sx` — `persist/compact`
-  checkpoints then drops events with seq <= snapshot seq; `should-compact?`/
-  `maybe-compact` give an explicit "compact every N tail events" policy. 11
-  tests: post-compaction replay value == uncompacted full replay (determinism),
-  seq continuity after truncation, idempotence. `persist/count` = physical
-  stored count (shrinks on compaction) vs `persist/last-seq` = logical.
-- **Phase 3a (65/65).** `snapshot.sx` — a snapshot is a projection state
-  `{:value :seq}` stored in the kv facet under `snapshot/<name>`.
-  `persist/checkpoint` replays + saves; `persist/replay` = snapshot + tail.
-  11 tests assert the headline both ways: snapshot+tail == full replay (value
-  and whole state), plus replay determinism.
-- **Phase 2c (54/54) — Phase 2 complete.** `concurrency.sx` — optimistic
-  concurrency: `persist/append-expect b stream expected ...` refuses the append
-  if the stream advanced past `expected`, returning a conflict VALUE
-  `{:conflict true :expected :actual}` (never a crash, never a silent
-  overwrite). `persist/conflict?` + accessors; caller re-reads actual and
-  retries. 8 tests incl. two-writer race + retry.
-- **Phase 2b (46/46).** `subscribe.sx` — `persist/hub` wraps a backend with
-  per-stream callbacks. `persist/publish` appends then fires subscribers
-  `(backend stream event)`; direct `persist/append` bypasses them by design
-  (bulk load/replay). Canonical use: callback re-runs `project-resume` or bumps
-  a kv counter so read models update on write. 9 tests.
-- **Phase 2a (37/37).** `project.sx` — projection state `{:value :seq}`;
-  `persist/project` folds whole stream from seed, `persist/project-resume`
-  folds only the tail (seq > prior seq) so read models update incrementally.
-  step is pure `(value event) -> value`. 9 tests incl. resume==full-from-zero.
-- **Phase 1 complete (28/28).** `event.sx` (event record + accessors),
-  `backend.sx` (injectable protocol + in-memory log/kv impl, closure state via
-  set!), `log.sx` (append/read/read-from, sequential per-stream seq, stream
-  isolation), `kv.sx` (get/put/delete/has?/keys/get-or/update), `api.sx`
-  (`persist/open` — mem default, backend injectable). conformance.sh + three
-  suites (event/log/kv). Gotcha logged in Blockers: `map` returns an
-  array-backed list not `equal?` to a `(list ...)` literal — assertions build
-  compared lists with list/nth.
+(loop fills this in)
 
 ## Blockers
-
-### OPEN — host durable-storage adapter (the only gap to real durability)
-
-**Owner:** a `hosts/` loop (NOT this one — `lib/persist/**` is the scope fence,
-and `sx_build` is forbidden here). **Without it, durable persistence silently
-drops all writes.**
-
-**Symptom / minimal repro.** `persist/durable-backend` performs
-`{:op "persist/..." :args (...)}` for every storage op. Under `sx_server.exe`
-the kernel's default IO resolver answers unknown ops with `nil` — so the durable
-backend does not error, it *silently no-ops*:
-
-```
-; load event/backend/log/durable, then:
-(let ((b (persist/durable-backend)))
-  (begin (persist/append b "s" "x" 0 {})
-         (persist/append b "s" "x" 0 {})
-         (list (persist/event-seq (persist/append b "s" "x" 0 {}))
-               (persist/count b "s")
-               (persist/read b "s"))))
-; => (1 0 nil)   ; every append gets seq 1, nothing stored, reads empty — DATA LOSS
-```
-
-The in-memory backend (`persist/open`) is correct and complete; this gap is
-*only* the production transport.
-
-**What to build.** A host servicer that answers the `persist/*` IO ops against a
-real store (sqlite/files/pg). It is the production twin of `persist/serve`
-(`lib/persist/durable.sx`) — same op names, same request/response shapes — so
-mirror that function and back it with durable storage instead of a mem-backend.
-
-**Op contract** (request `{:op :args}` → response). `args` is a positional list;
-events are dicts `{:stream :seq :type :at :data}`:
-
-| op | args | returns | semantics |
-|----|------|---------|-----------|
-| `persist/append`   | `(stream event)` | (ignored) | store `event` in `stream` |
-| `persist/read`     | `(stream)`       | event list (oldest-first) | currently-stored events |
-| `persist/last-seq` | `(stream)`       | number | **monotonic high-water mark** (see below) |
-| `persist/streams`  | `()`             | stream-name list | every stream ever appended to |
-| `persist/truncate` | `(stream n)`     | (ignored) | drop events with `seq <= n` |
-| `persist/kv-get`   | `(key)`          | value or nil | |
-| `persist/kv-put`   | `(key val)`      | (ignored) | upsert |
-| `persist/kv-delete`| `(key)`          | (ignored) | remove key |
-| `persist/kv-has?`  | `(key)`          | boolean | |
-| `persist/kv-keys`  | `()`             | key list | |
-
-**Hard invariants** (the facets above rely on these; mem-backend + `persist/serve`
-are the reference):
-1. **`last-seq` is a per-stream monotonic counter, NOT the row count.** It must
-   keep climbing after `truncate`, so a compacted stream never reassigns a seq.
-   Store the counter separately from the rows.
-2. `append` is the only seq-assigner upstream (`log.sx` does `last-seq + 1`); the
-   host must not renumber.
-3. `read` returns events in append order with `:seq` intact (post-truncate it
-   returns only the surviving tail).
-4. `streams` is the set of streams that ever had an append (survives full
-   compaction) — keep it keyed off the seq counters, like mem-backend's `seqs`.
-5. Values round-trip structurally: dicts/lists/numbers/strings/nil/booleans in =
-   same out (event `:data`, kv values, blob refs).
-
-**Blobs** are a *separate* adapter with the same pattern: ops `blob/put`
-`(bytes mime)` → cid, `blob/get` `(cid)` → bytes, `blob/has?` `(cid)` → bool
-(see `lib/persist/blob.sx` / `persist/blob-serve`). Back it with the
-content-addressed store (artdag/IPFS); persist only ever stores the returned ref.
-
-**Where to register.** `hosts/ocaml/bin/sx_server.ml`:
-- the in-process resolver `Sx_types._cek_io_resolver` (~line 3864) — add a
-  `"persist/..."` match arm dispatching to the new storage module (used by
-  SSR/`eval_with_io`); and/or
-- the bridge path in `cek_run_with_io` (~line 528–576), which currently forwards
-  unknown ops via `io_request op args` to the external bridge — a Python-bridge
-  handler is the alternative home if storage lives Python-side.
-Pick one home; the op names are the contract, not the location.
-
-**Acceptance test.** Swap the transport: point a `persist/io-backend` at the new
-host servicer (instead of `persist/serve` over a mem disk) and run the existing
-`durable` + `recovery` suites — they must stay green, and state must survive an
-actual process restart (kill the server, restart, replay → recovered). That is
-exactly what `lib/persist/tests/durable.sx` and `recovery.sx` already assert
-against the mock; the host adapter just makes the disk real.
-
----
-
-- **Phase 4 perform-suspension not exercised end-to-end under sx_server.exe (by
-  design, not a bug).** The CEK suspension primitives (`cek-step-loop`,
-  `cek-resume`, `cek-suspended?`, `cek-io-request`) and a settable SX-level IO
-  hook are only bound by the `run_tests` OCaml binary (out of scope: hosts/, and
-  sx_build is forbidden). Under `sx_server.exe`, an unhandled `perform` resolves
-  through the OCaml io-request/io-response stdin bridge (production path) — not
-  callable from the pure-eval conformance harness. Resolution: the durable
-  backend's transport is injectable, so the production path is one line
-  `(perform req)` (kernel-handled) and ALL durable logic is tested through the
-  mock transport (`persist/serve` over an in-memory disk). The single untested
-  line is the kernel primitive itself. No host primitive needed; nothing to fix.
-- **Not a blocker, a testing convention:** `map` returns an array-backed list
-  that is NOT `equal?` to a `(list ...)` cons-literal (two `map` results do
-  compare equal to each other). When asserting list-shaped results against a
-  `(list ...)` literal, build the compared value with `list`/`nth`/`cons`, not
-  `map`. `into`/list-coercion needs the IO bridge and is unusable in the
-  pure-eval harness.
+(loop fills this in)

plans/rose-ash-on-sx-migration.md

@@ -0,0 +1,170 @@
+# Re-implementing rose-ash on SX — migration strategy
+
+Status: **strategy proposal** (drafted by the `radar` loop, 2026-06-07). Not a
+unilateral architecture decision — a starting point for the fleet to refine. Radar's
+role here is detection: the `*-on-sx` subsystems have converged into a host-agnostic
+re-implementation of rose-ash's domain logic, so this doc proposes *when* and *how* to
+wire them to production.
+
+---
+
+## 1. Premise: we are ~70% into a re-implementation already
+
+The fleet of `lib/<x>` SX subsystems is not a set of experiments — it is rose-ash's
+domain logic, re-expressed substrate-by-substrate, deliberately **host-agnostic**:
+
+| SX subsystem (`lib/`) | rose-ash production domain |
+|---|---|
+| content-on-sx (CRDT docs, versioning, `page.sx` HTML render) | **blog** |
+| commerce-on-sx (catalog, pricing, cart, order + refund sagas) | **market + cart + orders** |
+| events-on-sx (calendar, ticketing, booking) | **events** |
+| feed-on-sx (activity streams, AP-shaped, threading) | **federation** |
+| identity-on-sx (OAuth2, sessions, grants, membership) | **account** |
+| acl-on-sx (permissions) | cross-cutting authZ |
+| relations / likes | **relations / likes** (internal) |
+| persist-on-sx (log / kv / snapshot facets) | per-service Postgres layer |
+| flow-on-sx (durable sagas) | order/refund/delivery workflows |
+| mod-on-sx, search-on-sx | new capabilities |
+
+**The architectural enabler:** every core was built with *injected seams* — `permit?`,
+`send-fn`/`fetch-fn`, `transport`, `dispatch`, `backend`. That is ports-and-adapters
+(hexagonal) on purpose. Evidence from the radar backlog (`plans/abstractions.md`):
+W1 (7/7 federation modules inject the fed-sx transport), W4 (content/commerce/events run
+live on `persist/log`), W8 (events+commerce run sagas on `lib/flow`). **The cores do not
+depend on how they're hosted, persisted, or federated.**
+
+**Corollary that makes the whole migration tractable:** because logic is separated from
+rendering and storage, we can hold the **domain logic to parity** while **freely
+redesigning the presentation** — the two are different layers with different rules.
+
+---
+
+## 2. The gating insight: the cores are *ahead of the host*
+
+The domain logic is mature. What is *not* yet production-grade is the **host trio** — and
+that is the real critical path:
+
+- **host-on-sx** — HTTP / request-response / session host (briefing exists; the OCaml SX
+  HTTP server already serves `sx.rose-ash.com`).
+- **host-persist** — durable storage adapter (real disk/pg/ipfs) under `persist`'s
+  facets (content-addressed blob blocker recently closed).
+- **fed-sx** — the real ActivityPub transport every core injects (well into m2).
+
+> **So "when do we start?" answers itself: start when the host trio is production-grade,
+> not when the cores are done — they mostly already are.** Prioritise the host loops over
+> further domain features.
+
+---
+
+## 3. The model: duplicate → cut over → diverge (per slice)
+
+This is the "duplicate first, then change" approach, made precise. Each domain slice goes
+through three phases independently:
+
+**Phase A — Duplicate (hold logic to parity).** Stand the SX implementation of the slice
+up *in parallel*, behind the existing edge, serving no users yet. Get its **domain/data
+behaviour** to match Python (see §4 on how). Presentation can start as a rough port or an
+early new design — it doesn't have to match.
+
+**Phase B — Cut over (strangler flip).** Point the edge route for that slice at the SX
+host. Python stays as instant rollback. The slice is now live on SX.
+
+**Phase C — Diverge (change freely).** With the slice live and validated, evolve the
+look/feel and functionality on the SX side. The validated domain logic underneath is
+untouched, so UX/feature changes can't silently corrupt data.
+
+You never rewrite the whole platform at once; you walk slices through A→B→C, oldest tree
+strangled last.
+
+---
+
+## 4. The two techniques, and how "we'll change things" reshapes them
+
+### Strangler edge
+The edge (Caddy) is the front door every request hits. Add routing rules so **one route
+at a time** goes to the SX host while everything else still goes to Python. Properties:
+the site is never half-broken; any single route flips back to Python instantly; the old
+app is strangled route-by-route. (Opposite of big-bang swap, which is how these die.)
+
+### Shadow diff — split by layer
+Run the new version on real traffic in the background, discard its output, and **log how
+it differs** from Python. Flip the edge only when diffs are zero/intended.
+
+But because we *intend* to change look/feel + functionality, parity is a tool we apply
+**only where we want sameness**, not a straitjacket:
+
+| Layer | Want parity? | Oracle |
+|---|---|---|
+| **Domain/data** (totals, tax, permissions, what's stored, who-sees-what) | **YES — silent difference = data corruption** | shadow-diff at the *core* boundary; deterministic cores → replay real request logs through the harness and diff |
+| **Presentation/UX** (HTML, layout, look, feel, flows) | **NO — this is what we're changing** | manual QA + design review; this is the Phase-C divergence |
+
+Practical shape: shadow-diff hits the **domain core's output** (the computed order, the
+visible-activity set, the permission decision) — not the rendered HTML. The deterministic,
+harness-replayable cores are the single biggest advantage we have here; it's the same
+parity discipline that made the A1 conformance migration safe (one reference slice, hard
+parity gate, revert on mismatch).
+
+---
+
+## 5. Readiness gates (start the production migration when ALL hold)
+
+1. **Host trio production-grade** — host-on-sx (HTTP/session), host-persist (durable
+   adapter), fed-sx (AP transport) — each conformance-green.
+2. **Data-migration story exists** — a way to get existing production Postgres state into
+   `persist` event streams (event-source the current state, or dual-write during overlap).
+   This is the honest long-pole; it is *not* domain logic and nobody has built it yet.
+3. **One vertical slice proven end-to-end** at data-parity in production — the reference
+   migration, the way the conformance loop migrated one subsystem before the rest.
+
+---
+
+## 6. Sequencing
+
+1. **Host trio first** (critical path — it's behind the cores).
+2. **Build the strangler edge + shadow-diff harness** as first-class tooling: edge routing
+   rules + a dual-run logger that diffs *core outputs* (not HTML) and stores discrepancies.
+3. **First slice = lowest risk × highest readiness × cleanest data oracle.**
+   Recommended: **the blog read path (content-on-sx)** or **the feed read path**
+   — read-heavy, no money, CRDT/versioning + `page.sx` HTML already exist, and the data
+   oracle is clean. *Avoid cart/orders/payments first* (transactional + SumUp webhooks =
+   highest blast radius).
+4. **Persistence-first, federation-last.** Land host-persist + migrate per-domain event
+   stores before any cutover. Do fed-sx federation as a *coordinated* cut near the end —
+   W1 shows all 7 cores light up federation together once the shared transport ships.
+5. **Walk the remaining slices A→B→C**, retiring Python routes as each cuts over.
+
+---
+
+## 7. The honest long tail (mostly host + adapters, not cores)
+
+The cores are pure domain logic; the production *tail* is not in them yet and is most of
+the remaining real effort:
+
+- Auth: first-party cookies / Safari-ITP, CSRF, silent SSO, grant caching.
+- Cross-cutting: rate limiting, observability/metrics, error pages, caching.
+- Integrations: SumUp payment + webhooks, Ghost CMS sync.
+- Presentation: the actual HTMX templates + CSS (this is also where the redesign happens).
+- **Live data migration** — the single biggest non-core workstream.
+
+---
+
+## 8. Concrete next steps
+
+1. Treat the **host trio** as the fleet's critical path; prioritise over more domain features.
+2. Stand up the **strangler edge + core-level shadow-diff harness** as a tool.
+3. Prove **one slice** (blog/content read path) end-to-end in production as the reference.
+4. **Spec the Postgres → persist data migration** (the long-pole nobody has started).
+5. Then walk slices through duplicate → cut over → diverge, redesigning UX in Phase C.
+
+---
+
+## 9. Why this is low-risk despite being a platform rewrite
+
+- It's **wiring host-agnostic cores to a host**, not rewriting domain logic from scratch.
+- The **strangler edge** means the site always works and any route reverts in seconds.
+- **Deterministic cores** make data-parity *mechanically checkable* (replay + diff), so
+  correctness isn't a matter of faith.
+- **Logic/presentation separation** lets us change look/feel + functionality (Phase C)
+  *without* re-risking the validated domain logic.
+- It's the **same discipline that just shipped A1**: one reference migration, a hard
+  parity gate, honest exclusions, verify-before-merge.