Summary
External review surfaced an atomic commit boundary gap now captured by regression tests.
The current v1 gate treats proof validation, nonce consumption, mutation, rollback, and audit as separate operations rather than one atomic commit boundary.
Failure class
Atomic commit boundary.
Problem
If proof, nonce, mutation, and audit are not one atomic operation, partial failure can create consequence without guarantee.
This weakens the stronger invariant:
no consequence is reachable without passing a proof-bound, payload-bound, atomic commit boundary across all paths
Evidence
Regression test added in commit 7a8591032e32d8242a830302a452bbe4fee8ec6a:
tests/test_beau_failure_classes.py
test_atomic_commit_boundary_gap_when_audit_fails_after_nonce_and_mutation
The test shows mutation can occur, nonce handling can roll back, and audit failure can still leave the system without one atomic commit proof.
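An added illustrative model of the gap, not the project's gate or test code (the State fields, gate names and proof format are hypothetical): the non-atomic sequence leaves the mutation in place when audit fails after nonce consumption, while the all-or-nothing version publishes every effect or none.

```python
# Illustrative model with hypothetical names; not the project's own code.
from dataclasses import dataclass, field

class AuditError(RuntimeError):
    """Raised when the audit sink cannot record the commit."""

@dataclass
class State:
    used_nonces: set = field(default_factory=set)
    balance: int = 100                        # the "consequence" surface
    audit_log: list = field(default_factory=list)

def valid_proof(proof: str, payload: dict) -> bool:
    # Constructed stand-in: the proof must bind the payload it authorises.
    return proof == f"proof-for-{payload['amount']}"

def non_atomic_gate(state: State, proof, nonce, payload, audit_fails=False) -> bool:
    """Each step takes effect on its own; a late audit failure only undoes the nonce."""
    if not valid_proof(proof, payload) or nonce in state.used_nonces:
        return False
    state.used_nonces.add(nonce)            # nonce consumed immediately
    state.balance -= payload["amount"]      # mutation applied immediately
    try:
        if audit_fails:
            raise AuditError("audit sink unavailable")
        state.audit_log.append((nonce, payload))
        return True
    except AuditError:
        state.used_nonces.discard(nonce)    # nonce rolls back ...
        return False                        # ... but the mutation survives

def atomic_gate(state: State, proof, nonce, payload, audit_fails=False) -> bool:
    """Stage proof, nonce, mutation and audit together; publish only if all succeed."""
    if not valid_proof(proof, payload) or nonce in state.used_nonces:
        return False
    staged = State(set(state.used_nonces), state.balance, list(state.audit_log))
    staged.used_nonces.add(nonce)
    staged.balance -= payload["amount"]
    if audit_fails:
        return False                        # nothing published: no consequence
    staged.audit_log.append((nonce, payload))
    # Single publish step in this single-threaded model: all effects or none.
    state.used_nonces, state.balance, state.audit_log = staged.used_nonces, staged.balance, staged.audit_log
    return True

def consequence_has_guarantee(state: State, initial_balance: int = 100) -> bool:
    """Invariant from the issue: a mutation is visible only if an audit record covers it."""
    mutated = state.balance != initial_balance
    return mutated == (len(state.audit_log) > 0)
```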
Expected direction
Define the atomic commit semantics required for v2, including whether proof, nonce, mutation, and audit must be committed inside one transaction, or whether v1 remains explicitly scoped as a non-atomic primitive.
Claim boundary
This issue does not claim production failure.
It records an implementation hardening gap in the v1 primitive.