feat(core): add causal WAL foundation and hardening

[flyingrobots]

Summary

This PR adds Echo's causal WAL foundation and hardening surface through the first runtime ACK integration cut.

Highlights:

• adds Echo-owned causal WAL primitives, transaction commit markers, writer epochs, record authority checks, recovery indexes, checkpoint/materialization/outbox records, recovery certificates, commit evidence projection, and doctor/inspector surfaces;
• adds filesystem WAL recovery gates, canonical segment layout, rotation, manifest publication/readback, and manifest validation;
• adds app-noun guard coverage so WAL/core record schemas remain generic and free of app/editor nouns;
• adds trusted-runtime WAL ACK integration for submission intake: submit_intent_with_runtime_wal_ack(...) commits submission acceptance evidence before returning, backfills exactly one WAL record for legacy duplicate retries, reports missing WAL explicitly, and rolls back intake on pre-ACK WAL failure;
• records the next Runtime WAL ACK slices in docs/BEARING.md and docs/design/causal-wal-hardening-matrix.md.

Current Slice Progress

[####################] [Echo] Causal WAL Foundation [45/45 slices]
[####################] [Echo] WAL Hardening Matrix [20/20 slices]
[####################] [Echo] Segment Layout / Rotation / Manifest Hardening [20/20 slices]
[########------------] [Echo] Runtime WAL ACK Integration [4/10 slices]

Validation

• cargo test -p warp-core --features native_rule_bootstrap,trusted_runtime,host_test --test trusted_runtime_host_loop_tests
• cargo clippy -p warp-core --features native_rule_bootstrap,trusted_runtime,host_test --test trusted_runtime_host_loop_tests -- -D warnings
• cargo test -p warp-core --test causal_wal_tests
• cargo test -p warp-core --test causal_wal_hardening_tests
• cargo check -p warp-core
• scripts/check-no-app-nouns-in-core.sh
• pnpm exec markdownlint-cli2 docs/BEARING.md docs/design/causal-wal-hardening-matrix.md
• git diff --check

Pre-push also ran exact configured slices and passed.

Next PR Boundary

The next PR should continue Runtime WAL ACK Integration with scheduler/tick receipt publication:

• tick receipt transaction wiring;
• tick commit-before-publish guard;
• pure runtime index rebuild contract;
• runtime recovery certificate integration;
• jedit recovery fixture contract;
• runtime ACK drift gate.

[coderabbitai]

Warning

Review limit reached

@flyingrobots, we couldn't start this review because you've used your available PR reviews for now.

Your plan includes 1 review of capacity. Refill in 48 minutes and 16 seconds.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more review capacity refills, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than trial, open-source, and free plans. In all cases, review capacity refills continuously over time.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 2a34f1aa-6862-44c4-bf6a-9f70e726327e

📥 Commits

Reviewing files that changed from the base of the PR and between 1d36ea7 and ef2af6b.

📒 Files selected for processing (20)

• CHANGELOG.md
• crates/warp-cli/src/cli.rs
• crates/warp-cli/src/main.rs
• crates/warp-cli/src/wal.rs
• crates/warp-cli/tests/cli_integration.rs
• crates/warp-cli/tests/golden/echo-cli-help.txt
• crates/warp-core/src/causal_wal.rs
• crates/warp-core/src/lib.rs
• crates/warp-core/src/trusted_runtime_host.rs
• crates/warp-core/tests/causal_wal_hardening_tests.rs
• crates/warp-core/tests/causal_wal_tests.rs
• crates/warp-core/tests/trusted_runtime_host_loop_tests.rs
• docs/BEARING.md
• docs/design/causal-wal-end-to-end.md
• docs/design/causal-wal-hardening-matrix.md
• docs/man/echo-cli-wal-doctor.1
• docs/man/echo-cli-wal.1
• docs/man/echo-cli.1
• scripts/check-no-app-nouns-in-core.sh
• xtask/src/main.rs

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch stack/app-hosting-hardening-first-ten

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e7bd734121

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[flyingrobots]

@codex self-audit found the following blocking issues before merge:

Severity	Source	File	Lines	Issue	Required mitigation
P1	PR review	crates/warp-cli/src/wal.rs	22-24	wal doctor doctors a fresh empty InMemoryWalStore, so it reports clean even when the requested WAL would be corrupt or non-empty.	Add a WAL root argument, call doctor_filesystem_store on that root, and add a CLI regression proving JSON output reflects an actual filesystem WAL.
P2	CI/self	docs/man/echo-cli.1, docs/man/echo-cli-wal.1	n/a	Man Pages Freshness is red: echo-cli.1 is stale and echo-cli-wal.1 is missing after adding the wal subcommand.	Regenerate man pages with cargo xtask man-pages and verify cargo xtask man-pages --check.

I am addressing these now with focused tests, fixes, verification, and a follow-up commit.

[chatgpt-codex-connector]

Summary

• Updated wal doctor to take a WAL root path and run the filesystem doctor (doctor_filesystem_store) instead of creating a fresh in-memory store. This fixes the core wiring issue where CLI doctoring was disconnected from on-disk WAL state. crates/warp-cli/src/wal.rsL7-L25
• Extended CLI command shape so wal doctor now requires a root argument, and updated command dispatch accordingly in main.rs. crates/warp-cli/src/cli.rsL83-L90 crates/warp-cli/src/main.rsL48-L50
• Added CLI coverage for the new wal doctor <root> parse contract and a regression integration test that runs JSON doctor against a filesystem WAL root path argument. crates/warp-cli/src/cli.rsL231-L238 crates/warp-cli/tests/cli_integration.rsL163-L184
• Regenerated man pages, including the missing echo-cli-wal.1, and refreshed top-level echo-cli.1 subcommand listings for wal. docs/man/echo-cli-wal.1L1-L20 docs/man/echo-cli.1L20-L32

PR / Commit

• Committed on current branch: 57f4240 with message fix(cli): doctor filesystem wal root and refresh man pages.
• Created follow-up PR metadata via make_pr:
  • Title: fix(cli): wire wal doctor to filesystem root and refresh man pages

Testing

• ✅ cargo test -p warp-cli --test cli_integration wal_doctor_json_reports_filesystem_wal_posture -- --nocapture
• ✅ cargo test -p warp-cli parse_wal_doctor_with_root -- --nocapture
• ✅ cargo xtask man-pages
• ✅ cargo xtask man-pages --check
• ✅ cargo check -p warp-cli

View task →

[flyingrobots]

@codex Self-audit addendum before pushing fixes:

Severity	Source	File	Issue	Recommended mitigation
P3	Self	xtask/src/main.rs, docs/man/echo-cli-wal.1	The generated echo-cli-wal.1 references echo-cli-wal-doctor(1), but cargo xtask man-pages only emits first-level subcommand pages, so the nested wal doctor root argument is not documented by a man page.	Teach the man-page generator to emit nested subcommand pages recursively, regenerate docs/man/echo-cli-wal-doctor.1, and keep cargo xtask man-pages --check green.

[chatgpt-codex-connector]

Summary

• Updated the man-page generator to emit subcommand pages recursively (not just first-level commands), which now produces nested pages like echo-cli-wal-doctor.1. xtask/src/main.rsL6176-L6215
• Extended the xtask man-page rendering test to assert both echo-cli-wal.1 and echo-cli-wal-doctor.1 are present, guarding against regressions in nested generation. xtask/src/main.rsL6295-L6309
• Regenerated man pages so the echo-cli-wal(1) reference to echo-cli-wal-doctor(1) is now backed by an actual generated page, and top-level echo-cli(1) includes wal in subcommands. docs/man/echo-cli-wal.1L14-L20 docs/man/echo-cli-wal-doctor.1L1-L13 docs/man/echo-cli.1L20-L33

Commit / PR

• Committed on current branch: 09bf244 with message fix(xtask): generate nested cli man pages recursively.
• Created follow-up PR metadata via make_pr:
  • Title: fix(xtask): emit nested wal doctor man page recursively

Testing

• ✅ cargo test -p xtask man_pages_render_top_level_and_subcommands -- --nocapture
• ✅ cargo xtask man-pages
• ✅ cargo xtask man-pages --check

View task →

[flyingrobots]

@codex Activity Summary for PR #378 feedback pass:

Severity	Source	File	Commit	Outcome
P1	PR review	crates/warp-cli/src/wal.rs	ef2af6b	echo-cli wal doctor [ROOT] now opens the requested filesystem WAL root through doctor_filesystem_store instead of reporting a fresh empty in-memory store. Added a regression that writes a real filesystem WAL with one committed submission and verifies JSON reports one replayed transaction.
P2	CI/self	docs/man/echo-cli.1, docs/man/echo-cli-wal.1, docs/man/echo-cli-wal-doctor.1	ef2af6b	Regenerated man pages so the new wal subcommand and wal doctor page are current.
P3	Self	xtask/src/main.rs	ef2af6b	Man-page generation now walks nested subcommands recursively, so future nested CLI surfaces produce matching man pages instead of dangling references.

Validation run before push:

• cargo fmt --all
• cargo test -p warp-cli
• cargo clippy -p warp-cli --all-targets -- -D warnings
• cargo clippy -p xtask -- -D warnings
• cargo xtask man-pages --check
• pnpm exec markdownlint-cli2 CHANGELOG.md
• git diff --check
• pre-push exact Rust slices for warp-cli passed

Resolved the review thread for the stale WAL doctor behavior after pushing ef2af6b.

[chatgpt-codex-connector]

Understood — based on the trigger and PR context, there are no additional code follow-ups required from me right now.

The activity summary indicates the blocking items were already addressed in commit ef2af6b (P1 CLI WAL doctor wiring fix, P2 man pages refresh, P3 recursive nested man-page generation), with validation already run and the review thread resolved.

I also checked the branch state locally:

Testing / Checks

• ⚠️ git status --short (shows a pre-existing local modification: pnpm-lock.yaml, unrelated to the summarized fixes)
• ✅ git log -n 3 --oneline

I did not make any new repository changes, so I did not create a commit and did not call make_pr (per your constraints).

View task →