Independent Risk Review
Audited scope:
- V1.1 closeout at
1a199b3 release: gate v1.1 contract.
- Recent V1.1 hardening areas: kernel boundary contract, plan-version invariants, scoped runtime snapshots, storage contract behavior groups, receipt semantics, diagnostics values, bounded recovery controls, and the release gate.
- Public API compatibility surface: require entry points,
DAG::VERSION, documented public value objects, storage port signatures, README examples, and effect/workflow documentation.
API compatibility constraint: this review keeps the V1.1 public API stable. It does not change DAG::VERSION, public require entry points, public class/module names, documented method signatures, required arguments, return shapes, or workflow schema.
Risk Findings
High
- None found that required an API-stable code change in this pass.
Medium
- Mutable boundary values could leak into durable in-memory state or immutable value objects:
DAG::Adapters::Memory::StorageState#create_workflow, #append_revision, and #begin_attempt accepted caller-owned mutable workflow id strings before storing internal keys/attempt records.DAG::Event accepted caller-owned mutable coordinate strings for workflow_id, node_id, and attempt_id.DAG::RuntimeProfile accepted a string event_bus_kind for YAML compatibility but did not defensively copy/freeze it.
Low
- Effect key examples in README and the Delphi execution plan used colon-delimited key segments even though effect
type and key already reject : to keep type:key refs unambiguous.
- Some public docs referenced internal repo guidance for port-extension rationale instead of being self-contained.
- The execution plan still had historical "run today" wording and a concrete provider-name example in public gates.
- API-stability guards were missing for legacy storage adapters that implement
append_revision but not the newer state-aware helper.
What the PR Fixes
- Adds defensive copying/freezing for runtime profile event-bus kind, event coordinate fields, and memory-storage workflow id boundaries.
- Adds storage contract coverage for mutable workflow ids across workflow creation, revision append, and attempt creation.
- Adds value-object immutability regression tests for event coordinates and runtime profile YAML-compatible string event-bus kind values.
- Adds release-gate tests for effect key examples, public contract self-containment, and historical execution-plan wording.
- Preserves legacy mutation storage adapter compatibility when only
append_revision is available.
- Updates README, CHANGELOG, CONTRACT, and execution-plan text without changing public API requirements.
Remaining Non-Blocking Follow-ups
- After the PR is opened, verify GitHub Actions results and leave the PR open/unmerged for maintainer review.
- Durable consumer adapters should continue to run
DAG::Testing::StorageContract::All as part of S0 integration work.
Independent Risk Review
Audited scope:
1a199b3 release: gate v1.1 contract.DAG::VERSION, documented public value objects, storage port signatures, README examples, and effect/workflow documentation.API compatibility constraint: this review keeps the V1.1 public API stable. It does not change
DAG::VERSION, public require entry points, public class/module names, documented method signatures, required arguments, return shapes, or workflow schema.Risk Findings
High
Medium
DAG::Adapters::Memory::StorageState#create_workflow,#append_revision, and#begin_attemptaccepted caller-owned mutable workflow id strings before storing internal keys/attempt records.DAG::Eventaccepted caller-owned mutable coordinate strings forworkflow_id,node_id, andattempt_id.DAG::RuntimeProfileaccepted a stringevent_bus_kindfor YAML compatibility but did not defensively copy/freeze it.Low
typeandkeyalready reject:to keeptype:keyrefs unambiguous.append_revisionbut not the newer state-aware helper.What the PR Fixes
append_revisionis available.Remaining Non-Blocking Follow-ups
DAG::Testing::StorageContract::Allas part of S0 integration work.