fix: #25 P2 canonical-identity keying + docstring back-refs + F-1 attestation#31
Merged
Merged
Conversation
…estation Bundles three small things per the runtime-session bundling guidance: 1. **#25 P2 fix — canonical-identity keying** (`crates/ogar-knowable- from/src/lib.rs`). The v1 `register_class_knowable_from(class, store)` keyed registrations by bare `class.name`, conflating two producers that emit a class with the same unqualified name under different OGIT prefixes (`ogit-op/WorkPackage` vs `ogit-erp/Work Package`). Closes the Codex P2 on PR #25. New signature: `register_class_knowable_from(class, class_identity, store)` — caller passes the OGIT-prefixed canonical identity explicitly. Constructed via `ogar_ontology::class_identity(prefix, &class.name)` upstream, or inline `format!("{prefix}/{}", class .name)`. Validation: both `class.name` and `class_identity` are non-empty, both produce `MalformedClass` before any store call. Canonical-form invariant: function does NOT canonicalize; caller's responsibility to use one consistent pipeline across `register` and `knowable_from` lookup sites (otherwise distinct-but-equivalent identities `Ogit-Op/WorkPackage` vs `ogit-op/WorkPackage` register under separate keys — also a collision hazard). Tests: existing 7 passes; one new test `same_class_name_under_different_prefixes_does_not_collide` pins the Codex P2 motivating case; one new test `register_empty_class_identity_rejects_without_storing` covers the new validation. Old `register_empty_class_name_rejects_without_storing` strengthens the assertion to match the new error message. 2. **Docstring back-references** (same crate). The function's docstring now cites the cross-session triangulation surface — runtime-side bardioc PR #18 + lance-graph PR #470 named the same trie-append- keyed-on-`inv.object_instance` pattern; OGAR's registry shape is the producer mirror of that consumer surface. Pins the NiblePath-radix invariant across the OGAR-side registry and the runtime-side membrane. 3. **F-1 attestation in `docs/HEALTHCARE-TRANSCODING.md §3`** — adds §3.3 *Production-instance reference: MedCare-rs's column_mask_ bridge*. Cites by symbol+line (not just file path; per other-session nudge to keep refs resolvable through refactors): - `redaction_mode_for(reason: SensitivityReason) -> RedactionMode` (line 128) - `column_mask_policy_for_table(table: &str)` (line 165) - `build_medcare_column_mask_registry() -> ColumnMaskRegistry` (line 192) - `RedactionMode::{Hash, Constant, Null, Truncate(n)}` — the production-richness delta over §3.1's bare-bitmap sketch. Frames the relationship: §3.1 palette256/Hamming-popcount is the *fast-path inner gate*; MedCare's category-aware RedactionMode is the *plan-rewrite transform layer* on the DataFusion SessionContext — the two compose in the query path. Closes the attestation loop per F-1 in the medcare-rs handover (PR #162). Matches the precedent `ODOO-TRANSCODING.md` sets for Woa-rs. Verified locally: `cargo check --workspace --all-targets` clean; `cargo test --workspace` = 80/80 + 1 net-new + 1 net-new = 82/82 passing. PII abort-guard (case-insensitive, word-boundary on the German PII token set): CLEAN. https://claude.ai/code/session_01PBTGaPCSnnt6u3pjXpbLwY
AdaWorldAPI
added a commit
that referenced
this pull request
Jun 5, 2026
Cross-session companion to the lance-graph splat-native-ultrasound-v1 canonical plan. Names splat-native ultrasound as the explicit downstream customer of OGAR PR #30 §6 FMA bones-rendering litmus + Phase 8 FMA hydration. The §6 litmus transitions from "demo target" to "load path" — splat-native is the contemporary customer of the FMA atlas substrate at the sub-millisecond HHTL traversal claim. The SaMD Class IIa certification track uses ADR-022 (The Firewall) + KnowableFromStore (PR #25/#31) + commit_event audit (callcenter PR #467) as the audit-controls evidence base — no new OGAR architecture for SaMD; only documentation that names what's already true. No code. Spec/narrative only.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Bundles three small thematically-related changes per the runtime-session bundling guidance:
register_class_knowable_fromnow takes an OGIT-prefixed canonical identity explicitly (closes the Codex P2 from PR feat: ogar-knowable-from — trait-mediated §10.3 producer seam (ADR-010 OGAR-side close) #25).HEALTHCARE-TRANSCODING.mdciting MedCare-rs'scolumn_mask_bridge.rsas the production instance reference, with symbol+line citations (per other-session nudge for refactor-resilience).1. #25 P2 — canonical-identity keying
The bug (from Codex P2 on PR #25):
register_class_knowable_from(class, store)keyed by bareclass.name. Two producers emitting a class with the same unqualified name under different OGIT prefixes (ogit-op/WorkPackagevsogit-erp/WorkPackage) collide → wrongknowable_fromstamp on join.The fix — new signature:
Caller constructs via
ogar_ontology::class_identity(prefix, &class.name)or inlineformat!("{prefix}/{}", class.name). Bothclass.nameandclass_identityvalidated non-empty.Canonical-form invariant (also documented in the function docstring): the function does NOT canonicalize. Caller's responsibility to use one consistent canonicalization pipeline —
Ogit-Op/WorkPackageandogit-op/WorkPackagewould register under separate keys.Tests (9 total in the crate, all passing):
same_class_name_under_different_prefixes_does_not_collide— pins the Codex P2 motivating case.register_empty_class_identity_rejects_without_storing— covers the new validation.class_identitystrings demonstrating the prefix pattern (ogit-erp/Account,ogit-op/WorkPackage, etc.).2. Docstring back-references
The function's docstring now cites the cross-session triangulation surface (lifted from ADR-022 reception receipts):
3. F-1 attestation in
HEALTHCARE-TRANSCODING.md §3New §3.3 Production-instance reference: MedCare-rs's
column_mask_bridge. Cites by symbol+line:redaction_mode_for(reason: SensitivityReason) -> RedactionMode(line 128)column_mask_policy_for_table(table: &str) -> Option<ColumnMaskPolicy>(line 165)build_medcare_column_mask_registry() -> ColumnMaskRegistry(line 192)RedactionMode::{Hash, Constant, Null, Truncate(n)}Frames the §3.1 palette256/Hamming-popcount as the fast-path inner gate and MedCare's
RedactionModeas the plan-rewrite transform layer — the two compose in the DataFusion query path. Closes the F-1 attestation loop from MedCare PR #162; matches the precedentODOO-TRANSCODING.mdsets for Woa-rs.Verification
cargo check --workspace --all-targets— cleancargo test --workspace— 82/82 passing (80 prior + 2 net-new inogar-knowable-from)Notes on the abort-guard improvement
The pre-push abort-guard now uses word-boundary matching (
\bDiagnose\b) rather than substring matching —Diagnose(German singular PII label) is still blocked, but Englishdiagnoses(plural of "diagnosis", used in §1's FHIR Condition mapping) is correctly allowed. This makes the guard production-ready for the OGAR public docs.Compatibility
register_class_knowable_fromsignature changed (newclass_identity: &strarg). No production callers outside the crate today — the change is contained.https://claude.ai/code/session_01PBTGaPCSnnt6u3pjXpbLwY