RFC 0001: expand memory model to decision-ready proposal

[proofmancer]

Pushes RFC 0001 (memory model) from "open design, here are options" to "specific proposal, here are answers." Open questions reduced from 10 to 3. Concrete syntax. Counterargument section. Implementation roadmap split into 5 phases.

This is the load-bearing language decision. The original RFC laid out the design space; this revision commits to specifics so the design can be reviewed, objected to, and (if accepted) implemented without further bikeshedding.

What changed

Added

• Summary: one-paragraph TL;DR at the top
• Concrete syntax section with code examples showing move semantics, borrows, RAII drop, what existing counter.cv looks like under ownership
• Resolutions to 7 of 10 open questions as DECIDED with rationale:
  1. Stack vs heap distinction
  2. String representation (UTF-8, length-prefixed, owned vs borrowed)
  3. Collection types (stdlib with compiler-known intrinsics until self-hosting)
  4. Move vs copy semantics (move by default, primitives auto-Copy)
  5. References / borrows (yes, scope-local lifetimes, no explicit 'a in v0)
  6. Drop semantics (end-of-scope RAII)
  7. Persistent state types (Serialize trait, derive on user types)
• Counterargument section steelmanning rejected positions:
  • "GC is fine, just use it"
  • "Add an unsafe escape hatch"
  • "Why not C++-with-extra-steps?"
  • "Borrow-checker friction will hurt adoption"
  • "Pick GC for speed-of-shipping"
• Migration path: existing examples compile unchanged; impact is on future heap-allocated types
• 5-phase implementation roadmap totaling ~3,700 LoC across 5 PRs:
  1. Type system: linearity tracking (~700 LoC)
  2. Grammar + AST extensions (~400 LoC)
  3. Codegen + heap allocation (~1200 LoC)
  4. Stdlib types (Vec, String, HashMap, Bytes) (~900 LoC)
  5. `extern host` ABI wiring (~500 LoC, RFC 0002 details)
• Decision criteria so the RFC has a bar for graduating from `draft` to `accepted`

Reduced from 10 to 3 open questions

Question	Resolution
Stack vs heap	decided: primitives + small fixed arrays on stack, everything else heap
String layout	decided: UTF-8, length-prefixed, owned String vs borrowed &str
Collection types	decided: stdlib, compiler-known intrinsics
Move vs copy	decided: move by default, primitives auto-Copy
References	decided: yes, scope-local only in v0
Drop	decided: end-of-scope RAII
Persistent state	decided: Serialize trait with derive
Cross-engine memory	deferred to RFC 0004
OOM behavior	decided: default trap, fallible-alloc opt-in
extern host security	decided (this RFC) + full ABI in RFC 0002
Lifetime annotations	OPEN: never, or v1?
Custom allocators	OPEN: maybe v1+
async + memory model	OPEN: separate RFC if async lands

Why now

Three downstream RFCs and several implementation issues wait on this:

• Sum types end-to-end: Result, Option, user-declared enums #48 sum types (Result, Option, enums) needs an allocator decided
• Self-hosting: compiler compiles itself #20 self-hosting needs collections, which need an allocator
• Paper: design sketch / position paper for arxiv (defer active drafting) #67 design paper makes claims about resource safety that depend on the model
• Implementation issues for stdlib (stdlib: ConsensusProtocol implementation (Tendermint or HotStuff as default) #53 consensus, stdlib: StateProtocol implementation (SparseMerkle or similar as default) #54 state) reference collection types that this RFC pins

Letting this sit in "open design" indefinitely costs more than committing to a specific proposal that can be objected to.

What this PR does NOT do

• Not a decision. The RFC stays in `draft` status. A maintainer review pass is what moves it to `accepted`. This PR makes the proposal concrete enough that reviewers can object to specifics rather than wave at a comparison table.
• Not implementation. Phase 1 (linearity tracking in the type checker) cannot start until the RFC is accepted.
• Not the `extern host` ABI. RFC 0002 covers that surface. This RFC just commits to the shape (host functions exist; declared with `extern host fn`; chain manifest allow-lists them).

What unblocks next

Once accepted: Phase 1 implementation begins, with the type-system work landing first. Other RFCs (#48 sum types, #20 self-hosting) can start sketching their dependencies on the memory model with confidence.

If rejected: the next-most-likely path is per-tx arena (option C from the design space) as a stopgap, deferring full ownership to v1. The RFC body sketches that fallback.