Summary
When a replace_subtree mutation supplies a replacement node that reuses an id from the removed set (the target id, or any exclusive descendant of the target), that node silently inherits the removed node's committed result projection in the appended revision and is never re-executed — even though replace_subtree has just rewired new predecessors into it. The caller asked to replace the subtree and got inheritance instead.
Where
DefinitionEditor#plan_replace_subtree (lib/dag/definition_editor.rb:54-75, current main @ v1.5.0; behaviour also present in the v1.4 contract):
removed = definition.exclusive_descendants_of(target, include_self: true)
impacted = definition.descendants_of(target, include_self: true) - removed
kept_nodes = definition.nodes - removed
conflicts = kept_nodes & replacement_nodes
raise ArgumentError, "replacement nodes collide with preserved nodes: ..." unless conflicts.empty?
...
DAG::PlanResult.valid(new_definition:, invalidated_node_ids: impacted)
- The collision guard only rejects replacement ids that collide with
kept_nodes (preserved). A replacement id that equals the target (or any other id in removed) is not a conflict and is allowed.
invalidated_node_ids = impacted = descendants_of(target) - removed. The reused target id is in removed, so it is not in invalidated_node_ids.- On revision append, a node id that existed before, exists after, and is not in
invalidated_node_ids carries its committed node-state / committed-result projection forward. So the "replacement" node keeps the stale result and is treated as already done.
Net effect: the replacement graph is spliced in, the new entry edges feed the reused-id node, but the kernel never schedules it because it looks already-committed.
Why this is surprising
replace_subtree is the "throw this subtree away and run this other graph in its place" primitive. A replacement node that happens to reuse the target's id is, intuitively, a fresh node (new inbound edges, possibly new config) — not a continuation of the committed one. Inheriting committed state for it is almost never what the caller wants, and it fails silently (status stays success, the workflow finalizes with the pre-replacement output).
Minimal repro (conceptual)
- Build a workflow
A -> B, where B is a model/tool node. Run to completion; B commits with result R0.
- Apply a
replace_subtree with target = B and a replacement graph { C (new tool node), B (same id, new config) }, edges C -> B, entry = [C], exit = [B].
C runs and commits. B is not re-executed — it keeps R0 (its pre-mutation committed result) instead of running against C's output.
(Real-world hit: in Delphi a claim_verifier correction replan injected file_read(missing_file) -> synthesis reusing the synthesis id. The read ran, the synthesis never re-ran, and the run finalized with the un-corrected answer while reporting success.)
Proposals (any one resolves it; not mutually exclusive)
- Re-execute reused removed ids (recommended). Treat replacement node ids that intersect
removed as fresh: add replacement_nodes & removed to invalidated_node_ids (and/or reset their committed projection) so they re-run. A removed-then-re-added id is a replacement, not a continuation.
- Reject the collision loudly. Extend the existing conflict guard to also raise when
replacement_nodes & removed is non-empty, mirroring the kept_nodes guard. This would have surfaced the bug as an error at mutation time rather than a silent no-op, forcing callers to use fresh ids.
- At minimum, document the contract: replacement node ids must be disjoint from
exclusive_descendants_of(target, include_self: true); reusing them yields committed-state inheritance.
Option 1 is the least surprising for callers; option 2 is the safest (fail-fast). Option 3 alone leaves the silent footgun in place.
Current workaround (caller side)
Use a fresh id for any replacement node that should re-run, and make it the exit_node, so the target's successors rewire to it. Delphi does this in both replan paths (native-tool-call replan uses <node>_rerun; the claim-verifier replan now uses <target>_reverify). Documenting/enforcing this in the kernel would remove a sharp edge that's easy to hit.
Version
Observed against the v1.4.0 contract (the tag Delphi pins); plan_replace_subtree/build_replaced_graph are unchanged on main @ v1.5.0.
Summary
When a
replace_subtreemutation supplies a replacement node that reuses an id from the removed set (the target id, or any exclusive descendant of the target), that node silently inherits the removed node's committed result projection in the appended revision and is never re-executed — even thoughreplace_subtreehas just rewired new predecessors into it. The caller asked to replace the subtree and got inheritance instead.Where
DefinitionEditor#plan_replace_subtree(lib/dag/definition_editor.rb:54-75, currentmain@ v1.5.0; behaviour also present in the v1.4 contract):kept_nodes(preserved). A replacement id that equals the target (or any other id inremoved) is not a conflict and is allowed.invalidated_node_ids=impacted=descendants_of(target) - removed. The reused target id is inremoved, so it is not ininvalidated_node_ids.invalidated_node_idscarries its committed node-state / committed-result projection forward. So the "replacement" node keeps the stale result and is treated as already done.Net effect: the replacement graph is spliced in, the new entry edges feed the reused-id node, but the kernel never schedules it because it looks already-committed.
Why this is surprising
replace_subtreeis the "throw this subtree away and run this other graph in its place" primitive. A replacement node that happens to reuse the target's id is, intuitively, a fresh node (new inbound edges, possibly new config) — not a continuation of the committed one. Inheriting committed state for it is almost never what the caller wants, and it fails silently (status stayssuccess, the workflow finalizes with the pre-replacement output).Minimal repro (conceptual)
A -> B, whereBis a model/tool node. Run to completion;Bcommits with resultR0.replace_subtreewithtarget = Band a replacement graph{ C (new tool node), B (same id, new config) }, edgesC -> B,entry = [C],exit = [B].Cruns and commits.Bis not re-executed — it keepsR0(its pre-mutation committed result) instead of running againstC's output.(Real-world hit: in Delphi a
claim_verifiercorrection replan injectedfile_read(missing_file) -> synthesisreusing thesynthesisid. The read ran, the synthesis never re-ran, and the run finalized with the un-corrected answer while reportingsuccess.)Proposals (any one resolves it; not mutually exclusive)
removedas fresh: addreplacement_nodes & removedtoinvalidated_node_ids(and/or reset their committed projection) so they re-run. A removed-then-re-added id is a replacement, not a continuation.replacement_nodes & removedis non-empty, mirroring thekept_nodesguard. This would have surfaced the bug as an error at mutation time rather than a silent no-op, forcing callers to use fresh ids.exclusive_descendants_of(target, include_self: true); reusing them yields committed-state inheritance.Option 1 is the least surprising for callers; option 2 is the safest (fail-fast). Option 3 alone leaves the silent footgun in place.
Current workaround (caller side)
Use a fresh id for any replacement node that should re-run, and make it the
exit_node, so the target's successors rewire to it. Delphi does this in both replan paths (native-tool-call replan uses<node>_rerun; the claim-verifier replan now uses<target>_reverify). Documenting/enforcing this in the kernel would remove a sharp edge that's easy to hit.Version
Observed against the v1.4.0 contract (the tag Delphi pins);
plan_replace_subtree/build_replaced_graphare unchanged onmain@ v1.5.0.