crtx-store 0.1.1

SQLite persistence: migrations, repositories, transactions.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229

//! Persistence layer for SQLite migrations and repositories.
#![warn(missing_docs)]

use std::path::Path;

use cortex_core::{CoreError, CoreResult};
use rusqlite::{Connection, OpenFlags};

pub mod migrate;
pub mod migrate_v2;
pub mod mirror;
pub mod proof;
pub mod repo;
pub mod semantic_diff;
pub mod verify;

pub use proof::{temporal_authority_proof_report, verify_memory_proof_closure};
pub use semantic_diff::{
    semantic_snapshot_from_store, ArtifactKind, ContradictionState, DoctrineForce, DoctrineState,
    KeyLifecycleState, KeyState, MemoryKind, MemoryState, PrincipalTrustState, PrincipleState,
    ProofState as SemanticProofState, RestoreDecision, RuntimeMode as SemanticRuntimeMode,
    SalienceDistribution, SalienceScore, SemanticChange, SemanticChangeKind, SemanticDiff,
    SemanticSeverity, SemanticSnapshot, TrustKeyState, TrustTier, TruthCeiling, TruthCeilingState,
    TruthState,
};

/// Initial SQLite schema for the MVP store (LANES T-2.A.1).
pub const INITIAL_MIGRATION_SQL: &str = include_str!("../migrations/001_init.sql");

/// Synchronous SQLite connection used by the store crate.
pub type Pool = Connection;

/// Crate-wide store result type.
pub type StoreResult<T> = Result<T, StoreError>;

/// Errors raised by the SQLite store boundary.
#[derive(Debug, thiserror::Error)]
pub enum StoreError {
    /// SQLite operation failed.
    #[error("sqlite error: {0}")]
    Sqlite(#[from] rusqlite::Error),
    /// JSON encoding or decoding failed.
    #[error("json error: {0}")]
    Json(#[from] serde_json::Error),
    /// Timestamp parsing failed.
    #[error("time parse error: {0}")]
    Time(#[from] chrono::ParseError),
    /// Filesystem operation failed.
    #[error("io error: {0}")]
    Io(#[from] std::io::Error),
    /// Core type validation failed.
    #[error("core error: {0}")]
    Core(#[from] CoreError),
    /// Store-specific validation failed.
    #[error("validation failed: {0}")]
    Validation(String),
    /// Post-migrate row-count verification refused because
    /// `pre.events.checked_add(SCHEMA_V1_TO_V2_EVENT_BOUNDARY_DELTA)` overflowed
    /// `u64`. A pre-migrate count at the saturation boundary is itself a bug;
    /// the verifier refuses honestly rather than masking the overflow with
    /// `saturating_add`. Surfaces stable invariant
    /// `verify.row_counts.checked_add_overflow` (RED_TEAM_FINDINGS phase B,
    /// finding B3).
    #[error(
        "verify.row_counts.checked_add_overflow: table {table} pre-migrate row count {pre} plus boundary-append delta {delta} overflows u64"
    )]
    RowCountCheckedAddOverflow {
        /// Counted table that overflowed (currently always `events`).
        table: &'static str,
        /// Pre-migrate row count from the backup manifest.
        pre: u64,
        /// Documented v1 -> v2 boundary-append delta that triggered overflow.
        delta: u64,
    },
}

impl StoreError {
    /// Returns the stable invariant name for this error variant when one is
    /// defined. Stable invariant names are how operators and tests match on
    /// refusal classes without parsing free text.
    #[must_use]
    pub fn invariant(&self) -> Option<&'static str> {
        match self {
            StoreError::RowCountCheckedAddOverflow { .. } => {
                Some(VERIFY_ROW_COUNTS_CHECKED_ADD_OVERFLOW_INVARIANT)
            }
            _ => None,
        }
    }
}

/// Stable invariant name surfaced by [`StoreError::RowCountCheckedAddOverflow`].
///
/// RED_TEAM_FINDINGS phase B, finding B3: a pre-migrate `events` count plus the
/// documented v1 -> v2 boundary-append delta that overflows `u64` is itself an
/// upstream bug. The verifier refuses with this stable invariant rather than
/// `saturating_add`-ing back to `u64::MAX` and silently agreeing with a store
/// that happens to share that count.
pub const VERIFY_ROW_COUNTS_CHECKED_ADD_OVERFLOW_INVARIANT: &str =
    "verify.row_counts.checked_add_overflow";

/// Opens the SQLite database under `data_dir` and applies pending migrations.
pub fn open(data_dir: &Path) -> StoreResult<Pool> {
    std::fs::create_dir_all(data_dir)?;
    let pool = Connection::open(data_dir.join("cortex.sqlite3"))?;
    verify_sqlite_load_extension_disabled(&pool)?;
    migrate::apply_pending(&pool)?;
    Ok(pool)
}

/// Returns SQLite compile-time options reported by the active library.
pub fn sqlite_compile_options(pool: &Pool) -> StoreResult<Vec<String>> {
    let mut stmt = pool.prepare("PRAGMA compile_options;")?;
    let options = stmt
        .query_map([], |row| row.get(0))?
        .collect::<Result<Vec<String>, _>>()?;
    Ok(options)
}

/// Fails closed when SQLite was compiled with loadable-extension support.
pub fn verify_sqlite_compile_options<I, S>(compile_options: I) -> StoreResult<()>
where
    I: IntoIterator<Item = S>,
    S: AsRef<str>,
{
    for option in compile_options {
        if is_load_extension_enabled_compile_option(option.as_ref()) {
            return Err(StoreError::Validation(format!(
                "sqlite compile option {option} is forbidden; Cortex refuses SQLite builds with loadable extension support",
                option = option.as_ref()
            )));
        }
    }
    Ok(())
}

fn is_load_extension_enabled_compile_option(option: &str) -> bool {
    let normalized = option
        .trim()
        .strip_prefix("SQLITE_")
        .unwrap_or(option.trim());
    let key = normalized
        .split_once('=')
        .map_or(normalized, |(key, _)| key);
    key.eq_ignore_ascii_case("ENABLE_LOAD_EXTENSION")
}

/// Verifies SQL-level extension loading is not authorized on this connection.
///
/// The pinned bundled `libsqlite3-sys` build advertises
/// `ENABLE_LOAD_EXTENSION`, but `rusqlite` does not enable its
/// `load_extension` feature in this workspace and SQLite keeps SQL extension
/// loading disabled by default. Cortex checks that runtime state before
/// migrations instead of accepting compile options as proof of active authority.
pub fn verify_sqlite_load_extension_disabled(pool: &Pool) -> StoreResult<()> {
    match pool.query_row(
        "SELECT load_extension('cortex_extension_loading_must_remain_disabled');",
        [],
        |row| row.get::<_, String>(0),
    ) {
        Ok(_) => Err(StoreError::Validation(
            "sqlite load_extension unexpectedly executed".to_string(),
        )),
        Err(err) if sqlite_load_extension_is_disabled_error(&err) => Ok(()),
        Err(err) => Err(StoreError::Validation(format!(
            "sqlite load_extension preflight returned an unexpected error: {err}"
        ))),
    }
}

fn sqlite_load_extension_is_disabled_error(err: &rusqlite::Error) -> bool {
    let message = err.to_string().to_ascii_lowercase();
    message.contains("not authorized") || message.contains("no such function: load_extension")
}

/// Opens an existing SQLite database read-only.
///
/// Restore verification uses this to inspect candidate backup state without
/// applying migrations or otherwise changing the artifact under review.
pub fn open_existing_readonly(path: &Path) -> StoreResult<Pool> {
    Ok(Connection::open_with_flags(
        path,
        OpenFlags::SQLITE_OPEN_READ_ONLY,
    )?)
}

/// Compatibility stub retained for callers not yet moved to [`open`].
pub fn open_stub(data_dir: &Path) -> CoreResult<()> {
    open(data_dir).map_err(|err| CoreError::Validation(err.to_string()))?;
    Ok(())
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn initial_migration_runs_cleanly_on_empty_db() {
        let pool = Connection::open_in_memory().expect("open in-memory sqlite");
        pool.execute_batch(INITIAL_MIGRATION_SQL)
            .expect("initial migration runs");

        let mut stmt = pool
            .prepare(
                "SELECT name FROM sqlite_master \
                 WHERE type = 'table' \
                 ORDER BY name;",
            )
            .expect("prepare table query");
        let actual: Vec<String> = stmt
            .query_map([], |row| row.get(0))
            .expect("list tables")
            .collect::<Result<_, _>>()
            .expect("read table rows");
        let expected = [
            "audit_records",
            "context_packs",
            "contradictions",
            "doctrine",
            "episodes",
            "events",
            "memories",
            "principles",
            "trace_events",
            "traces",
        ];
        assert_eq!(actual, expected);
    }
}