tla: M1 — HLC.tla + lib + make tla-check (HLC-1..4 invariants + gap counterexample)

[bootjp]

Summary

M1 of the TLA+ safety spec proposal lands:

• tla/lib/Env.tla + tla/lib/Raft.tla (shared scaffolding).
• tla/hlc/HLC.tla with invariants HLC-1..HLC-4 + TypeOK.
  • Precondition (i) bounded clock skew encoded as a TLA+ ASSUME in Env.tla.
  • Precondition (ii) logical-counter handoff — strategy (c) — encoded as a state update inside BecomeLeader_HLC (hlc.Observe(maxAppliedHLC) analogue).
  • Precondition (iii) ceiling fence encoded as an enabling action guard on IssueTimestamp (wallNow[n] < physicalCeiling[n]).
• tla/hlc/MCHLC.tla + MCHLC.cfg (correct design — TLC passes) and MCHLC_gap.cfg (preconditions disabled — TLC produces the HLC-4 counterexample the design doc anticipated).
• make tla-check Makefile target: downloads checksum-pinned tla2tools.jar v1.8.0 (SHA-256 237332bd…) to .cache/tla/ and runs both configurations, inverting the exit code on the gap config so the expected-FAIL counts as PASS for CI.
• tla/README.md covering install / run / what each module proves / reading list / how to map a TLC counterexample back to the implementation, per §7.1 of the design doc.
• Design doc renamed proposed_ → partial_ (per CLAUDE.md lifecycle), header Status: updated, in a dedicated commit.

Verification (local)

$ make tla-check
================================================================
  TLC: tla/hlc/MCHLC.cfg  (correct design, expected PASS)
================================================================
... Model checking completed. No error has been found.
... 61 states generated, 28 distinct states found, 0 states left on queue.

================================================================
  TLC: tla/hlc/MCHLC_gap.cfg  (no preconditions, expected FAIL)
================================================================
... Error: Invariant HLC4_NoRegressionAcrossTerms is violated.
... 44 states generated, 28 distinct states found, 14 states left on queue.
... depth 5

OK: MCHLC_gap.cfg failed as designed (HLC-4 counterexample).

tla-check: all model-check outcomes match the design contract.

The gap-config counterexample (depth 5):

1. BecomeLeader(n1) — n1 elected term 1
2. IssueTimestamp(n1) — commits (wall=0, logical=0) in term 1
3. IssueTimestamp(n1) — commits (0, 1) in term 1 (logical increments)
4. BecomeLeader_HLC(n2) — n2 elected term 2; EnableSafety = FALSE so strategy (c) does NOT raise n2's hlcLast to maxAppliedHLC = (0, 1)
5. IssueTimestamp(n2) — commits (0, 1) in term 2 (same as term 1's last commit; HLC-4 requires strict >)

This is exactly the bug the design doc §5.1 HLC-4 (ii) said the spec would surface.

Self-review (per CLAUDE.md five-lens checklist)

1. Data loss — n/a: spec-only PR, no persistence paths touched.
2. Concurrency / distributed failures — the spec itself models the concurrency bugs (HLC-4 cross-leader regression); both make tla-check configurations explore the full bounded state space.
3. Performance — make tla-check runs in <1s on a developer laptop at default bounds.
4. Data consistency — MCHLC.cfg proves HLC-1..HLC-4 hold under preconditions (i)/(ii)/(iii); MCHLC_gap.cfg proves the preconditions are necessary by surfacing the documented counterexample.
5. Test coverage — Go code untouched, no Go tests added. make tla-check is the new coverage layer; running it is the test.

Out of scope

This PR is spec-only. The Go code changes that strategy (c) and the ceiling fence require (per §5.1 HLC-4 (ii) and (iii)) are not in this PR — they need:

• Add MaxAppliedHLC() to kv/fsm.go (running max across applied write entries).
• Call hlc.Observe(fsm.MaxAppliedHLC()) on new-term detection in kv/sharded_coordinator.go RunHLCLeaseRenewal, before any persistence Next() is served.
• Add wallNow < physicalCeiling fence in kv/hlc.go Next() with a fail-closed return path and operator-visible metrics — caller audits of every site that calls Next() will be required (per the loop-feedback discipline) since Next() changes from infallible to error-returning.

Tracked as a follow-up issue; this PR lands the design contract that the follow-up must satisfy.

Test plan

• CI runs make tla-check (CI integration is deferred to a future PR per §7.3 of the design doc — local invocation is the contract for now)
• Reviewer runs make tla-check locally and confirms the safe pass + gap-config counterexample
• Reviewer cross-checks each invariant in HLC.tla against the corresponding entry in §5.1 of the design doc
• Reviewer cross-checks the implementation anchors in tla/README.md "How to interpret a TLC failure" against the current Go source

[coderabbitai]

Warning

Review limit reached

@bootjp, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 8 minutes and 27 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c2f771a7-8716-475d-8e51-673ef52a21b4

📥 Commits

Reviewing files that changed from the base of the PR and between fc8e4bd and 2a2238a.

📒 Files selected for processing (11)

• .github/workflows/tla-check.yml
• .gitignore
• Makefile
• docs/design/2026_05_28_partial_tla_safety_spec.md
• tla/README.md
• tla/hlc/HLC.tla
• tla/hlc/MCHLC.cfg
• tla/hlc/MCHLC.tla
• tla/hlc/MCHLC_gap.cfg
• tla/lib/Env.tla
• tla/lib/Raft.tla

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/tla-m1-hlc-spec

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request introduces the TLA+ safety specification for the Hybrid Logical Clock (HLC) as part of Milestone 1, including the core specification files, model-checking configurations, and a Makefile target to automate TLC verification. The review feedback highlights two key improvements: rewriting subtraction-based inequalities in the TLA+ specification to addition to prevent evaluation errors when clock skew is enabled, and updating the Makefile to support both sha256sum and shasum for better portability across different environments.

[gemini-code-assist]

In TLA+, subtraction on natural numbers (Naturals) is only defined when the left operand is greater than or equal to the right operand. If MaxClockSkewMs is configured to be greater than 0 (which is the core scenario for verifying clock skew safety), a state can be reached where wallNow[m] > wallNow[n] + 1. In this state, evaluating (wallNow[n] + 1) - wallNow[m] will result in a negative number, causing TLC to halt with an evaluation error.

To prevent this, we can rewrite the inequalities using addition instead of subtraction, which is always safe and closed under Naturals.

    /\ \\A m \\in Nodes : wallNow[n] + 1 <= wallNow[m] + MaxClockSkewMs
                     /\ wallNow[m] <= wallNow[n] + 1 + MaxClockSkewMs

[gemini-code-assist]

The shasum command is not installed by default on many Linux distributions (such as Ubuntu/Debian), whereas sha256sum is part of GNU coreutils and is universally available. To ensure the Makefile is portable and robust across both macOS and Linux environments (especially in minimal CI runners), we should check for the availability of both commands and use whichever is present.

	@if command -v sha256sum >/dev/null 2>&1; then \
		actual=$$(sha256sum $(TLA_JAR).tmp | awk '{print $$1}'); \
	elif command -v shasum >/dev/null 2>&1; then \
		actual=$$(shasum -a 256 $(TLA_JAR).tmp | awk '{print $$1}'); \
	else \
		echo "ERROR: neither sha256sum nor shasum found."; \
		rm -f $(TLA_JAR).tmp; \
		exit 1; \
	fi; \
	if [ "$$actual" != "$(TLA_SHA256)" ]; then \
		echo "ERROR: tla2tools.jar SHA-256 mismatch."; \
		echo "  expected: $(TLA_SHA256)"; \
		echo "  actual:   $$actual"; \
		rm -f $(TLA_JAR).tmp; \
		exit 1; \
	fi

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 66b515392e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Track issuance order for HLC-1

In this spec, committedTS is a set and HLCLE is a total lexicographic order, so this invariant is true for any two timestamps from the same node regardless of which one was issued first. For example, if a later change allowed a node to commit (5,0) and then regress to (4,0), the reversed disjunct HLCLE(r2.ts, r1.ts) would still make HLC-1 pass. Since the design doc says HLC-1 proves monotonicity across Next/Observe, the model needs to record issuance order/history or assert the monotonicity in the actions rather than just comparability.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Encode actual ceiling monotonicity

This invariant only checks that each ceiling is a natural number, which is already implied by TypeOK, so TLC would still pass if a future action lowered physicalCeiling[n] to any smaller non-negative value or made nodes diverge after applying the same ceiling entry. Because HLC-2 is meant to prove per-node monotonicity and same-entry equality, this needs history/action-level checking (or previous values in the state) rather than >= 0.

Useful? React with 👍 / 👎.

[bootjp]

Addressed PR #856 round 1 review in 791c65b3. Four findings:

1. gemini HIGH (HLC.tla line 97) — Nat subtraction underflow. Rewrote the TickWall skew check using addition instead of subtraction. The old form (wallNow[n] + 1) - wallNow[m] <= MaxClockSkewMs would underflow in TLA+ Naturals the moment MaxClockSkewMs > 0 admitted an out-of-order tick, halting TLC. The equivalent additive form stays inside Nat.

2. gemini MEDIUM (Makefile) — sha256sum portability. Prefer GNU sha256sum (universal on Linux), fall back to macOS shasum -a 256, error out if neither is available. Without this make tla-check failed on minimal Linux CI images.

3. codex P2 (HLC.tla line 180) — HLC-1 was vacuously true. Old form HLCLE(r1, r2) \/ HLCLE(r2, r1) is just totality on a totally ordered set, so a regression (5, 0) → (4, 0) would have passed. Added a per-commit seq ordinal (= global opCount at issuance time) and changed the invariant to r1.node = r2.node /\ r1.seq < r2.seq => HLCLT(r1.ts, r2.ts). Also added the transition-level HLC1_Action property to pin "hlcLast weakly increases on every step" so future actions cannot silently regress.

4. codex P2 (HLC.tla line 186) — HLC-2 was vacuously implied by TypeOK. Old form physicalCeiling[n] >= 0 was just type non-negativity. Replaced with HLC2_NonNeg (the residual TypeOK content; harmless) plus the real HLC2_Action == [][\A n: physicalCeiling[n] <= physicalCeiling'[n]]_vars transition property registered under PROPERTIES.

The TLA+ "same set of ceiling entries → equal across nodes" half of HLC-2 is structurally satisfied in M1 because ApplyCeiling propagates atomically (per the action comment); per-node async propagation is an M5 concern when route-catalog/HLC interactions cross multiple groups.

Verification. make tla-check still PASSES on MCHLC.cfg (now also exercising the two action properties) and FAILS on MCHLC_gap.cfg as designed, with the HLC-4 counterexample at depth 5 unchanged. No Go code semantics changed — spec-only PR, no caller audit required.

@claude review

[claude]

Claude finished @bootjp's task in 5m 31s —— View job

---

Review of Round 2 (791c65b)

Todo list:

• Load tools and start review
• Read HLC.tla — verify Nat subtraction fix, HLC-1 fix (seq ordinal), HLC-2 fix (action property)
• Read Env.tla — verify skew check rewrite
• Read Raft.tla — general review
• Read MCHLC.tla / .cfg / gap.cfg — verify action properties are registered
• Read Makefile — verify sha256sum portability fix
• Read tla/README.md and design doc — consistency check
• Synthesize and post findings

---

Round-1 fixes: all correct ✓

Fix 1 — Nat subtraction underflow (TickWall HLC.tla:100-101)
The rewrite from (wallNow[n]+1) - wallNow[m] <= MaxClockSkewMs to:

/\ \A m \in Nodes : /\ wallNow[n] + 1 <= wallNow[m] + MaxClockSkewMs
                    /\ wallNow[m] <= wallNow[n] + 1 + MaxClockSkewMs

is semantically equivalent and stays inside Nat. Confirmed correct.

Fix 2 — sha256sum portability (Makefile:39-54)
The if sha256sum...elif shasum...else error fallback chain is correct Make syntax (single @if block with \ continuations, proper $$ escaping). Works on both Linux (sha256sum) and macOS (shasum -a 256).

Fix 3 — HLC-1 was vacuous (HLC.tla:193-195)
Adding seq = opCount at issuance and changing the invariant to r1.node = r2.node /\ r1.seq < r2.seq => HLCLT(r1.ts, r2.ts) is correct. Since only the active leader can call IssueTimestamp, the global opCount faithfully captures per-node temporal ordering. Combined with HLC1_Action (PROPERTIES), this pins both the per-commit set invariant and the per-step transition. Confirmed non-vacuous.

Fix 4 — HLC-2 was vacuous (HLC.tla:203-221)
HLC2_NonNeg is a residual TypeOK subsumption (harmless, noted in the comment). The load-bearing HLC2_Action == [][\A n \in Nodes : physicalCeiling[n] <= physicalCeiling'[n]]_vars is the real monotonicity claim, registered under PROPERTIES in both .cfg files. Confirmed the gap config correctly keeps both action properties (they don't fail in the gap scenario — only HLC4 does).

---

New findings

1. Stale proposed_ path in TLA module headers and Makefile — medium

Four files still reference docs/design/2026_05_28_proposed_tla_safety_spec.md after the rename:

File	Line
tla/hlc/HLC.tla	4
tla/lib/Env.tla	4
tla/lib/Raft.tla	4
Makefile	17

tla/README.md already has the correct partial_ path. The referenced file no longer exists under the old name — the links are broken.

Fix this →

2. README invariant table names HLC-2 incorrectly — low

tla/README.md:114 lists HLC2_CeilingMonotonic in the "What each module proves" table, but that operator does not exist in HLC.tla. The actual operators are HLC2_NonNeg (INVARIANTS) and HLC2_Action (PROPERTIES).

Fix this →

3. TickWall is unreachable with MaxClockSkewMs = 0 — informational

The skew guard \A m \in Nodes : wallNow[n] + 1 <= wallNow[m] + MaxClockSkewMs includes m = n. For m = n, condition 1 reduces to wallNow[n] + 1 <= wallNow[n] + 0 = 1 <= 0, which is always false. So with MaxClockSkewMs = 0 (both current configs), TickWall is never enabled, all wallNow[n] stay at 0 throughout the model check, and MaxWallTime = 3 is never exercised.

Physical-time advancement is modeled exclusively via ApplyCeiling → physicalCeiling. The invariants still hold under this restriction, so the M1 model check is not unsound — but the wall-clock ticking path is untested. A future config with MaxClockSkewMs >= 1 (and the corresponding tighter ASSUME MaxClockSkewMs < HlcPhysicalWindowMs) would exercise TickWall.

No fix needed for M1; worth tracking as a follow-up config for deeper clock-skew exploration.

---

Summary

The round-1 fixes are all correctly implemented. The spec is sound for M1. Two doc-consistency issues (stale proposed_ paths, wrong invariant name in README) should be fixed before merging. The TickWall/MaxClockSkewMs=0 observation is informational and out of scope for this PR.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 791c65b31b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Exclude self from skew check

With the checked configs setting MaxClockSkewMs = 0, this universal quantifier also evaluates the m = n case, which requires wallNow[n] + 1 <= wallNow[n] + 0 before any tick can occur. That is impossible, so TickWall is never enabled and the model never explores wall-clock advancement, ceiling expiry, or skew schedules despite the MaxWallTime bounds. Exclude the ticking node from this comparison or compare it against its updated self value.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Validate the gap failure reason

In this tla-check target, every non-zero exit from the gap TLC run is accepted as the expected HLC-4 counterexample. If MCHLC_gap.cfg starts failing because of a parse/type error, a different invariant, a deadlock, or a JVM/tooling crash, CI will still print OK and pass, masking regressions in the newly added model-check harness. Check the TLC output for the specific HLC4_NoRegressionAcrossTerms invariant violation before treating the failure as success.

Useful? React with 👍 / 👎.

[bootjp]

PR #856 round 2 review (codex P2 ×2 on 791c65b3) addressed in 1123a0e1:

1. codex P2 (HLC.tla line 101) — TickWall self-skew block. The \A m \in Nodes: quantifier included m = n, so under MaxClockSkewMs = 0 the constraint became wallNow[n] + 1 <= wallNow[n] + 0 (unsatisfiable). TickWall was never enabled and the model never explored wall-clock advancement, ceiling expiry, or skew schedules — the safe config was passing on a degenerate 28-state subspace. Excluded self from the universal: \A m \in Nodes \ {n}: ….

Also raised MaxClockSkewMs from 0 to 1 and HlcPhysicalWindowMs from 1 to 2 (so the ASSUME MaxClockSkewMs < HlcPhysicalWindowMs still holds) in both .cfg files so the skew dimension is actually part of the explored space.

2. codex P2 (Makefile line 81) — Validate gap failure reason. tla-check previously accepted any non-zero exit from the gap TLC run as the expected HLC-4 counterexample. Capture stdout/stderr, print it, then grep for Invariant HLC4_NoRegressionAcrossTerms is violated before declaring the gap evidence intact. A parse error, deadlock, JVM crash, or different invariant violation now correctly fails the target instead of masking a harness regression.

Verification. Safe config explores 3,594 distinct states (vs 28 previously) and completes without invariant violation. Gap config still surfaces the HLC-4 counterexample at depth 5; the Makefile correctly identifies it by string match.

Spec/Makefile-only change, no Go code touched. No caller audit required.

@claude review

[claude]

Claude finished @bootjp's task in 2m 9s —— View job

---

Review of Round 3 (1123a0e)

Todo list:

• Load tools
• Read HLC.tla — verify TickWall self-exclusion fix, MaxClockSkewMs=1 bump
• Read Makefile — verify gap failure reason validation
• Read MCHLC.cfg + MCHLC_gap.cfg — verify constant updates
• Check round-2 Claude findings (stale proposed_ paths, wrong README invariant name)
• Read tla/README.md and Env.tla, Raft.tla — consistency check
• Synthesize and post findings

---

Round-3 fixes: both correct ✓

Fix 1 — TickWall self-exclusion (HLC.tla:107)

/\ \A m \in Nodes \ {n} :
    /\ wallNow[n] + 1 <= wallNow[m] + MaxClockSkewMs
    /\ wallNow[m] <= wallNow[n] + 1 + MaxClockSkewMs

Nodes \ {n} is the correct fix. Under MaxClockSkewMs = 0, \A m \in {} : ... is vacuously true, so TickWall is now enabled up to MaxWallTime. With the new MaxClockSkewMs = 1, condition 1 reduces to wallNow[n] <= wallNow[m] for each peer — n can only tick forward if it's not already ahead of any other node. This is a symmetric skew model and correct for the design intent. The in-comment explanation at lines 100–106 is clear.

Both .cfg files now carry MaxClockSkewMs = 1 and HlcPhysicalWindowMs = 2, keeping the Env.tla ASSUME MaxClockSkewMs < HlcPhysicalWindowMs (1 < 2) intact. State space goes from 28 to 3,594 distinct states — the wall-clock and skew dimensions are now genuinely exercised. Confirmed correct.

Fix 2 — Gap failure reason validation (Makefile:69-102)

The implementation is correct and well-structured:

1. Captures both stdout+stderr via 2>&1 into out=.
2. Separates the "unexpected clean pass" check (exit code 0 → error) from the "wrong failure reason" check (grep miss → error).
3. Uses grep -qF (fixed-string, not regex) — the right tool for matching a literal TLC error message.
4. Prints the full TLC output before the checks so the failure reason is always visible in CI logs regardless of which path is taken.

A JVM crash, parse error, deadlock, or wrong invariant violation will now correctly fail make tla-check instead of silently masking itself as expected gap evidence. Confirmed correct.

---

Outstanding from round-2 Claude review (still not addressed)

These two were raised in round 2 and remain unfixed after round 3.

1. Stale proposed_ path in four files — medium

All four files still reference the pre-rename path docs/design/2026_05_28_proposed_tla_safety_spec.md, which was renamed to 2026_05_28_partial_tla_safety_spec.md in the M1 commit. The file no longer exists under the old name — the references are broken dead links.

File	Line	Current (broken)	Should be
tla/hlc/HLC.tla	4	…proposed_tla_safety_spec.md §5.1	…partial_tla_safety_spec.md §5.1
tla/lib/Env.tla	4	…proposed_tla_safety_spec.md §6.1	…partial_tla_safety_spec.md §6.1
tla/lib/Raft.tla	4	…proposed_tla_safety_spec.md §3 / §6.1	…partial_tla_safety_spec.md §3 / §6.1
Makefile	17	…proposed_tla_safety_spec.md §7.2	…partial_tla_safety_spec.md §7.2

tla/README.md already uses the correct partial_ path.

Fix this →

2. README invariant table names HLC2_CeilingMonotonic — low

tla/README.md:114 lists HLC2_CeilingMonotonic in the "What each module proves" table, but that operator name does not exist in HLC.tla. The correct names are HLC2_NonNeg (in INVARIANTS) and HLC2_Action (in PROPERTIES). A reviewer cross-checking the README against the spec file — as the PR test plan requests — will not find the stated name.

Fix this →

---

Summary

Both round-3 codex P2 fixes are correctly implemented. The spec is now sound and the make tla-check harness is robust. The two doc-consistency issues from round 2 (stale proposed_ paths in four module headers, wrong invariant name in the README table) remain open and should be fixed before merge — particularly finding 1, since the linked design doc is the primary reference a reviewer uses to cross-check the invariants.

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

[bootjp]

Addressed claude bot's round 2 review (on 791c65b3) in 9901e6ca.

1. MEDIUM (stale proposed_ path): Updated 4 broken references to the design doc path that became invalid after the proposed_ → partial_ rename in 66b51539:

   • tla/hlc/HLC.tla line 4
   • tla/lib/Env.tla line 4
   • tla/lib/Raft.tla line 4
   • Makefile line 17

2. LOW (README invariant table): tla/README.md listed HLC2_CeilingMonotonic, which no longer exists after round 1's rework. Replaced with the actual operators: HLC1_PerNodeMonotonic, HLC1_Action (PROPERTY), HLC2_NonNeg, HLC2_Action (PROPERTY); also clarified HLC-1's state form uses the strict seq ordering, not the earlier vacuous total-order form.

3. INFO (TickWall MaxClockSkewMs = 0): claude bot was reviewing round-1 commit 791c65b3; this finding is already addressed in round-2 commit 1123a0e1 (TickWall now excludes self, MaxClockSkewMs raised to 1, safe config explores 3,594 distinct states).

Docs-only changes. make tla-check still passes on MCHLC.cfg (3,594 distinct states) and fails on MCHLC_gap.cfg as designed.

@claude review

[claude]

Claude finished @bootjp's task in 3m 55s —— View job

---

Review of Round 3 (9901e6c)

Todo list:

• Load tools
• Read HLC.tla — verify proposed_ → partial_ path fix
• Read Env.tla — verify proposed_ → partial_ path fix
• Read Raft.tla — verify proposed_ → partial_ path fix
• Read Makefile — verify proposed_ → partial_ path fix
• Read tla/README.md — verify invariant table fix (HLC2_CeilingMonotonic → correct names)
• Read MCHLC.cfg + MCHLC_gap.cfg — verify constant updates still correct
• Read MCHLC.tla — general review
• Synthesize and post findings

---

Round-2 fixes: both correct ✓

Fix 1 — Stale proposed_ path in four files

All four broken references are now updated:

File	Line	Confirmed
tla/hlc/HLC.tla	4	…partial_tla_safety_spec.md §5.1 ✓
tla/lib/Env.tla	4	…partial_tla_safety_spec.md §6.1 ✓
tla/lib/Raft.tla	3	…partial_tla_safety_spec.md §3 / §6.1 ✓
Makefile	17	…partial_tla_safety_spec.md §7.2 ✓

docs/design/2026_05_28_partial_tla_safety_spec.md exists on disk; the old proposed_ path is gone. All links are live.

Fix 2 — README invariant table (tla/README.md:108-118)

The table now correctly lists all operators that exist in HLC.tla:

README entry	Exists in HLC.tla	Correct
HLC1_PerNodeMonotonic	line 201 ✓	✓
HLC1_Action (PROPERTY)	line 223 ✓	✓
HLC2_NonNeg	line 211 ✓	✓
HLC2_Action (PROPERTY)	line 228 ✓	✓
HLC3_LeaderOnly	line 234 ✓	✓
HLC4_NoRegressionAcrossTerms	line 242 ✓	✓

No more phantom HLC2_CeilingMonotonic. The note about "strict-seq ordering, not the earlier vacuous total-order form" is accurate.

---

Spec correctness pass — no issues found

TickWall skew model (HLC.tla:107-109)

With MaxClockSkewMs = 1:

• Condition 1: wallNow[n] + 1 <= wallNow[m] + 1 = wallNow[n] <= wallNow[m] — n can tick only if not ahead of any peer.
• Condition 2: wallNow[m] <= wallNow[n] + 2 — no peer is more than MaxClockSkewMs+1 ahead (post-tick skew ≤ MaxClockSkewMs).

Together: |wallNow[n]+1 − wallNow[m]| ≤ 1 for all peers — correct symmetric bounded-skew model. State space is non-degenerate (verified: 3,594 distinct states).

HLC1_Action holds on all actions

• TickWall: UNCHANGED hlcLast → HLCLE(hlcLast[n], hlcLast[n]) trivially TRUE.
• ApplyCeiling: UNCHANGED hlcLast → trivially TRUE.
• BecomeLeader_HLC: either raises hlcLast[n] to maxAppliedHLC (HLCLT precondition guarantees > → HLCLE TRUE) or leaves it unchanged.
• IssueTimestamp(n): ComputeNextHLC(prev, FlooredNow(n)) is always >= prev across all three branches (wall advance, logical increment, logical overflow). hlcLast[m] for m ≠ n is UNCHANGED.

HLC2_Action holds on all actions

• Only ApplyCeiling modifies physicalCeiling, and it uses IF physicalCeiling[m] < newC THEN newC ELSE physicalCeiling[m] — strict max(), never decreases. All other actions UNCHANGED physicalCeiling.

HLC4_NoRegressionAcrossTerms with EnableSafety = TRUE

New leader n via BecomeLeader_HLC:

1. hlcLast[n] raised to maxAppliedHLC (≥ every previous commit across all terms).
2. IssueTimestamp gated on wallNow[n] < physicalCeiling[n], so FlooredNow(n) = physicalCeiling[n].
3. ComputeNextHLC(hlcLast[n], physicalCeiling[n]) produces a value strictly above maxAppliedHLC (either the ceiling is larger than hlcLast[n].wall, or the logical counter increments above maxAppliedHLC.logical). Every new-term commit is therefore strictly above every prior-term commit.

Both .cfg files register HLC1_Action + HLC2_Action under PROPERTIES — correctly separating temporal properties from state invariants. Both configs share MaxClockSkewMs = 1, HlcPhysicalWindowMs = 2, maintaining ASSUME 1 < 2 from Env.tla.

HLC3_LeaderOnly: IssueTimestamp(n) is gated on IsLeader(n), which guarantees activeTerm > 0 /\ leaderOf[activeTerm] = n. The committed record stores term = activeTerm and node = n, so the invariant trivially holds.

TypeOK: committedTS records carry seq \in 0..MaxOps via opCount at issuance time. The constraint opCount < MaxOps before IssueTimestamp and the increment opCount' = opCount + 1 after ensure seq stays in range.

MCHLC.tla: Clean module — just EXTENDS HLC, TLC with a symmetry hint Permutations(Nodes). Correct to share one module file between both configs.

---

Summary

All four rounds of review findings have been fully addressed:

• Round 1 (gemini HIGH + MEDIUM, codex P2 ×2): Nat subtraction, sha256sum portability, vacuous HLC-1 and HLC-2.
• Round 2 (codex P2 ×2): TickWall self-exclusion, gap failure reason validation.
• Round 3 (claude MEDIUM + LOW): stale proposed_ paths, wrong invariant name in README.

The spec is sound and internally consistent. No new findings. Ready to merge.

[bootjp]

Wired make tla-check into GitHub Actions in ca0ecfc0.

New file: .github/workflows/tla-check.yml

• Triggers on PR (opened / synchronize / reopened) and push to main, with a path filter matching §7.3 of the design doc (tla/**, Makefile, the HLC/coordinator/transaction/fsm/lock_resolver Go files, store/mvcc_store.go, distribution/**, and the workflow file).
• Temurin JDK 21 (consistent with jepsen-test.yml).
• Caches .cache/tla/tla2tools.jar keyed on Makefile hash so any TLA_VERSION / TLA_SHA256 change invalidates the cache automatically.
• Pre-fetches the jar via make tla-tools so the download is logged separately from the model check.
• Runs make tla-check, which keeps the round-2 gap-config validation: a non-zero TLC exit on MCHLC_gap.cfg only counts as success if the output contains the exact Invariant HLC4_NoRegressionAcrossTerms is violated string.

Updated §7.3 of the design doc: removed the (deferred) qualifier and named the workflow file as the now-active CI binding.

actionlint clean. The workflow is already running on this PR (ca0ecfc0): https://github.com/bootjp/elastickv/actions/runs/26591495196

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ca0ecfc0e7

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Verify restored TLA jar before use

When TLA_VERSION or TLA_SHA256 changes, the primary cache key misses, and GitHub's cache docs say restore-keys are checked for partial matches; this can restore an older .cache/tla/tla2tools.jar. Because make tla-tools only depends on the existing file target and the checksum recipe in the Makefile is skipped when that file already exists, CI can run an old/unverified TLC jar despite the checksum pin. Drop the prefix restore or make the target always verify/remove stale jars after cache restore.

Useful? React with 👍 / 👎.

[bootjp]

Addressed codex P2 on ca0ecfc0 in 2a2238af.

Finding: .github/workflows/tla-check.yml cache restore-keys could bring back an older tla2tools.jar after a TLA_VERSION / TLA_SHA256 bump in the Makefile. Because the Makefile's $(TLA_JAR) target is gated on file existence, the restored stale jar would skip the checksum verification entirely — defeating the pin.

Fix: Dropped the restore-keys block. A full cache miss is the correct behaviour on a version-pin change: the recipe runs, downloads from GitHub, and verifies the SHA-256 before serving the jar to TLC. Documented inline so the next reviewer doesn't re-add it.

This is a workflow-only change. The Makefile's checksum verification path is unchanged — and is now load-bearing for every version-pin bump.

@claude review

[claude]

Claude finished @bootjp's task in 1m 24s —— View job

---

Todo list:

• Load tools
• Read .github/workflows/tla-check.yml — verify restore-keys removal
• Read Makefile — confirm tla-tools / TLA_JAR target is still the verification gatekeeper
• Check overall workflow correctness after the change
• Post findings

---

Review of Round 4 (2a2238a)

The diff is a 7-line addition (explanatory comment) + 2-line deletion (restore-keys block). The fix is correct.

The root cause and fix

The $(TLA_JAR) Make target is a standard file-existence guard:

$(TLA_JAR):
    @curl -fsSL -o $(TLA_JAR).tmp $(TLA_URL)
    @# ... SHA-256 verification ...
    @mv $(TLA_JAR).tmp $(TLA_JAR)

This recipe only runs when .cache/tla/tla2tools.jar does not exist. With the old restore-keys: ${{ runner.os }}-tla-tools-, a prefix match after a TLA_VERSION/TLA_SHA256 bump would restore an older jar (file now exists), the Make target would skip entirely, and TLC would silently run against the wrong version — with no checksum verification. Removing restore-keys means the only non-miss path is an exact hashFiles('Makefile') match, which guarantees the jar on disk is exactly the one the current Makefile specifies.

Correctness verified

Scenario	Cache behaviour	make tla-tools	Result
Same Makefile hash as last run	Exact hit → jar restored	no-op (file exists)	correct jar, no download
Makefile changed (e.g. TLA_VERSION bump)	Miss (no restore-keys)	downloads + SHA-256 verified	correct jar, download logged separately
First run ever	Miss	downloads + SHA-256 verified	correct jar

Comment quality

The inline comment (lines 70-75 of the final file) names the codex P2 finding, explains the $(TLA_JAR) file-existence mechanism, and states the correct semantics. This is sufficient to stop a future reviewer from re-adding restore-keys thinking it's a free performance win. Good.

Everything else unchanged and correct

• key: ${{ runner.os }}-tla-tools-${{ hashFiles('Makefile') }} — both TLA_VERSION and TLA_SHA256 are in the Makefile, so bumping either one rotates the key.
• cancel-in-progress: false — correct for a correctness check (don't abandon a running TLC invocation on push).
• make tla-tools pre-fetch step still present — separates download logs from model-check logs, making failure attribution straightforward.
• make tla-check still greps for the specific Invariant HLC4_NoRegressionAcrossTerms is violated string from round 2, so the gap evidence is validated by content, not just exit code.

No new findings. All five rounds of review findings are now fully addressed. Ready to merge.