
Add language-agnostic conformance suite for credit lease semantics #147

Draft
bpapillon wants to merge 1 commit into main from bpapillon/sch-6531-lease-conformance-suite

@bpapillon

Contributor

Precursor to SCH-6531 (lease support in other SDKs): extracts the credit lease/reservation semantics from this SDK — the reference implementation — into a language-agnostic conformance suite, so the upcoming Python/Go ports can prove "implements the same semantics" instead of approximating it.

  • conformance/SPEC.md — the semantics spec (state machine, store-op contracts, check/track flows, config knobs, bounded-leak contract table, and the invariants that can't be vectors), written for implementing from scratch without reading the Node source.
  • conformance/vectors/*.json — 48 deterministic test vectors (plain JSON, snake_case, virtual clock): reservation lifecycle 7, lease lifecycle 9, expiry 4, crash windows 5, lease manager 10, check flow 10, track/settle 3.
  • tests/conformance/runner.test.ts — runs every vector against both store backends (in-memory + the existing fake-redis Lua interpreter): 95 passing runs. The runner is the only language-specific piece a port reimplements.

Behaviors worth calling out (vectors follow the code):

  • Over-use on settle is asymmetric: the local consume clamps to credits_reserved, but the Track event bills the unclamped actual quantity (server is source of truth).
  • fail-open is not blanket allow — the engine re-runs with a substituted max balance, so an unentitled company stays denied while the lease backend is down.
  • replace keeps a live lease even under a different lease id; the losing acquire releases its redundant lease only when the server minted a different id.
  • Store extend reconciles to the server's absolute total (lower/equal totals are no-ops) and expiry only moves forward; both extend and refund are pinned to the originating lease id and silently dropped if a successor holds the slot.
  • Crash windows are direction-locked: the debit/claim is durable first, so crashes leak bounded, lease-expiry-reclaimed credits and can never double-spend or double-refund.

Not capturable as vectors (documented as prose invariants in SPEC.md): single-flight/concurrent-race schedules, Redis server-clock TTL authority and single-key Lua atomicity, NaN guards (JSON can't encode NaN), Track idempotency-key dedupe, the background sweep timer, and offline/unconfigured wrapper degradation.
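The fail-open behavior called out in the description above, as an added TypeScript example that is not code from this PR or the SDK. Every name in it (`evaluate`, `check`, `FAIL_OPEN_BALANCE`, the `Decision` shape, the reason strings) is hypothetical, and the substitute balance value is an assumption.

```typescript
// Added illustration: all identifiers are hypothetical, not the SDK's API.
type Decision = { allowed: boolean; reason: string };

interface Company { id: string; entitled: boolean }

// Stand-in rules engine: entitlement is evaluated before the credit balance.
function evaluate(company: Company, balance: number, cost: number): Decision {
  if (!company.entitled) return { allowed: false, reason: "not_entitled" };
  if (balance < cost) return { allowed: false, reason: "insufficient_credits" };
  return { allowed: true, reason: "ok" };
}

// Assumed substitute balance used while the lease backend is unreachable.
const FAIL_OPEN_BALANCE = Number.MAX_SAFE_INTEGER;

// Returns the leased balance for a company, or throws when the backend is down.
type LeaseBackend = (companyId: string) => number;

function check(
  company: Company,
  cost: number,
  backend: LeaseBackend,
  failOpen: boolean,
): Decision {
  let balance: number;
  try {
    balance = backend(company.id);
  } catch {
    // Fail-closed: deny outright.
    if (!failOpen) return { allowed: false, reason: "lease_backend_unavailable" };
    // Fail-open: do not short-circuit to "allow". Substitute a max balance and
    // re-run the engine so the entitlement rule is still enforced.
    balance = FAIL_OPEN_BALANCE;
  }
  return evaluate(company, balance, cost);
}

// Constructed backends for the demonstration.
const down: LeaseBackend = () => { throw new Error("lease backend down"); };
const healthy: LeaseBackend = () => 3;

console.log(check({ id: "acme", entitled: true }, 5, down, true));
console.log(check({ id: "guest", entitled: false }, 5, down, true));
console.log(check({ id: "acme", entitled: true }, 5, healthy, true));
```

The control that matters during an outage is that the `catch` branch never returns an allow decision itself; only the balance input is relaxed.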
