revert: drop commit-confirmed apply from 2.3.0 (defer to 2.4.0)#17
Merged
Conversation
Removes the commit-confirm wire surface added in a85a5cd (per-write ?confirm, /confirm endpoints, uapi:confirm scope, apply-confirm integration, OpenAPI confirm surface, tests). Keeps the scope-tree, per-token rate/burst, and platform-fidelity work. The mechanism works (built, shipped in 2.3.0-rc1, soaked on live hardware), but shipping it stable would freeze an unsettled confirm authz model into the permanent v2 contract: per-write arming rides the write's own resource :rw with no uapi:confirm requirement, ack/rollback are window-agnostic, and the package-granularity escalation analysis suggests these may need to change. With no first-party consumer (the Terraform provider ships 2.3.0 as Option A), deferring lets the whole feature ship once in 2.4.0 with one reviewed authz model rather than locking in a contract changeable only with a major bump. (apply-confirm 0.1.0 is released on the feed, so the dependency is not the blocker; the wire contract is.) Design and decision preserved in docs/commit-confirm.md and docs/roadmap.md; full implementation recoverable from a85a5cd. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Removes the commit-confirm wire surface (added in a85a5cd / PR #11) from 2.3.0: per-write
?confirm, the/confirmendpoints, theuapi:confirmscope, the apply-confirm integration lib, the OpenAPI confirm surface, and the confirm tests. Keeps the three clean, consumed wins for 2.3.0: scope-tree (#5), per-token rate/burst, and the platform-fidelity fixes.Why
The mechanism works (built, shipped in 2.3.0-rc1, soaked end-to-end on live hardware). It is deferred, not abandoned, for contract-commitment reasons:
:rwwith nouapi:confirmrequirement; ack/rollback are window-agnostic; and the package-granularity escalation analysis (a per-write arm snapshots and reverts the whole uci package, not just the resource written) suggests these may need to change. Freezing them into v2 now forecloses fixing them without a 3.0.0.The dependency is not the blocker:
apply-confirm0.1.0 is released and on the apk feed. The hold is the wire-contract commitment. Deferring lets the whole feature ship once, coherently, in a 2.4.0 (per-write + the standalonePOST /confirmarm, with one reviewed authz model), gated on a settled authz model and a concrete consumer.Decision documented
docs/commit-confirm.mdrewritten as the deferral decision record + 2.4.0 design reference.docs/roadmap.md"commit-confirmed timed rollback" section updated to "built, deferred from 2.3.0" with the rationale and the bring-back plan.CHANGELOG.mdnotes the deferral under the 2.3.0 entry.a85a5cd.Gates
lint, 756 unit tests, openapi-check all green locally. Zero confirm references remain in
src/,tests/, orbuild/.🤖 Generated with Claude Code