eventcore-fs: ADR-0044: replica-id copy-trap fingerprint + ReplicaIdentityConflict #392

Closed
opened 2026-06-12 21:34:03 -07:00 by jwilger · 0 comments
Owner

Follow-up to PR #390 (eventcore-fs file backend). Covers the remaining replica
identity hardening from ADR-0044.

Context

Each writing working-copy has a machine-local replica_id stored in a
gitignored .eventcore/replica_id, generated lazily on first write. PR #390
added the .gitignore that keeps it out of git, which prevents the copy trap
for the git clone path. The cp -r path (copying a working tree
including .eventcore/) can still duplicate a writer's identity, which would
make forks invisible — silent data corruption, the worst class.

Scope

  • Bind replica_id to a working-copy fingerprint (e.g. an OS identifier +
    the repo absolute path + the .git inode); on open, if the recorded
    fingerprint no longer matches the environment, regenerate the id so a naive
    cp -r gets a different id on its next write (the safe outcome).
  • Add a reconcile-time collision check: if two concurrent transactions carry
    the same replica_id but cannot have come from one linear writer, fail loud
    with ReplicaIdentityConflict rather than guessing.
  • Allow an explicit replica_id override via config.

Acceptance

  • A cp -r of a working tree, then a write in the copy, yields a distinct
    replica_id (proven by a test that copies a store dir and writes).
  • Two transactions sharing a replica_id with inconsistent parent sets surface
    ReplicaIdentityConflict from reconcile/detect_forks rather than silently
    merging.

References: ADR-0044, PR #390.
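Added example, not eventcore-fs's own code: the reconcile-time collision check from the Scope list, worked on a small transaction DAG. `Txn`, `detect_replica_conflicts` and the fields of `ReplicaIdentityConflict` are assumed shapes for illustration, not the project's types.

```rust
use std::collections::{HashMap, HashSet};

// Hypothetical shapes, not eventcore's own types: a transaction record with
// the replica that wrote it and the ids of its parent transactions.
#[derive(Debug)]
pub struct Txn {
    pub id: &'static str,
    pub replica_id: &'static str,
    pub parents: Vec<&'static str>,
}

#[derive(Debug, PartialEq, Eq)]
pub struct ReplicaIdentityConflict {
    pub replica_id: String,
    pub txn_a: String,
    pub txn_b: String,
}

/// True when `ancestor` is reachable by following parent links from `txn`.
fn is_ancestor(graph: &HashMap<&str, &Txn>, ancestor: &str, txn: &str) -> bool {
    let (mut stack, mut seen) = (vec![txn], HashSet::new());
    while let Some(cur) = stack.pop() {
        if !seen.insert(cur) { continue; } // already expanded; also guards cycles
        if let Some(t) = graph.get(cur) {
            if t.parents.iter().any(|&p| p == ancestor) { return true; }
            stack.extend(t.parents.iter().copied());
        }
    }
    false
}

/// One linear writer yields a chain, so any two of its transactions are
/// ordered by ancestry. Same replica_id with neither side descending from
/// the other cannot be one writer (e.g. a cp -r copy that kept the id):
/// fail loud instead of silently merging.
pub fn detect_replica_conflicts(txns: &[Txn]) -> Result<(), ReplicaIdentityConflict> {
    let graph: HashMap<&str, &Txn> = txns.iter().map(|t| (t.id, t)).collect();
    for (i, a) in txns.iter().enumerate() {
        for b in &txns[i + 1..] {
            let related = is_ancestor(&graph, a.id, b.id) || is_ancestor(&graph, b.id, a.id);
            if a.replica_id == b.replica_id && !related {
                return Err(ReplicaIdentityConflict { replica_id: a.replica_id.into(), txn_a: a.id.into(), txn_b: b.id.into() });
            }
        }
    }
    Ok(())
}
```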

jwilger added this to the 1.0.0 milestone 2026-06-13 05:44:58 -07:00
Reference
Slipstream/eventcore#392