@git-stunts/git-warp 12.0.0 → 12.2.0

package/src/domain/services/SyncProtocol.js

@@ -37,6 +37,7 @@
  */
 
 import defaultCodec from '../utils/defaultCodec.js';
+import nullLogger from '../utils/nullLogger.js';
 import { decodePatchMessage, assertOpsCompatible, SCHEMA_V3 } from './WarpMessageCodec.js';
 import { join, cloneStateV5 } from './JoinReducer.js';
 import { cloneFrontier, updateFrontier } from './Frontier.js';
@@ -267,11 +268,9 @@ export function computeSyncDelta(localFrontier, remoteFrontier) {
       newWritersForRemote.push(writerId);
     } else if (remoteSha !== localSha) {
       // Different heads - remote might need patches from its head to local head
-      // Only add if not already in needFromRemote (avoid double-counting)
-      // This handles the case where local is ahead of remote
-      if (!needFromRemote.has(writerId)) {
-        needFromLocal.set(writerId, { from: remoteSha, to: localSha });
-      }
+      // Always add both directions — ancestry is verified during loadPatchRange()
+      // which will throw E_SYNC_DIVERGENCE if neither side descends from the other (S3)
+      needFromLocal.set(writerId, { from: remoteSha, to: localSha });
     }
   }
 
@@ -315,6 +314,8 @@ export function computeSyncDelta(localFrontier, remoteFrontier) {
  *   - `writerId`: The writer who created this patch
  *   - `sha`: The commit SHA this patch came from (for frontier updates)
  *   - `patch`: The decoded patch object with ops and context
+ * @property {Array<{writerId: string, reason: string, localSha: string, remoteSha: string|null}>} [skippedWriters] - Writers that were skipped during sync
+ *   (e.g. due to trust gate filtering, divergence, or missing refs)
  */
 
 /**
@@ -375,6 +376,7 @@ export function createSyncRequest(frontier) {
  * @param {string} graphName - Graph name for error messages and logging
  * @param {Object} [options]
  * @param {import('../../ports/CodecPort.js').default} [options.codec] - Codec for deserialization
+ * @param {import('../../ports/LoggerPort.js').default} [options.logger] - Logger for divergence warnings
  * @returns {Promise<SyncResponse>} Response containing local frontier and patches.
  *   Patches are ordered chronologically within each writer.
  * @throws {Error} If patch loading fails for reasons other than divergence
@@ -388,7 +390,9 @@ export function createSyncRequest(frontier) {
  *   res.json(response);
  * });
  */
-export async function processSyncRequest(request, localFrontier, persistence, graphName, { codec } = /** @type {{ codec?: import('../../ports/CodecPort.js').default }} */ ({})) {
+export async function processSyncRequest(request, localFrontier, persistence, graphName, { codec, logger } = /** @type {{ codec?: import('../../ports/CodecPort.js').default, logger?: import('../../ports/LoggerPort.js').default }} */ ({})) {
+  const log = logger || nullLogger;
+
   // Convert incoming frontier from object to Map
   const remoteFrontier = new Map(Object.entries(request.frontier));
 
@@ -397,6 +401,8 @@ export async function processSyncRequest(request, localFrontier, persistence, gr
 
   // Load patches that the requester needs (from local to requester)
   const patches = [];
+  /** @type {Array<{writerId: string, reason: string, localSha: string, remoteSha: string|null}>} */
+  const skippedWriters = [];
 
   for (const [writerId, range] of delta.needFromRemote) {
     try {
@@ -413,9 +419,21 @@ export async function processSyncRequest(request, localFrontier, persistence, gr
         patches.push({ writerId, sha, patch });
       }
     } catch (err) {
-      // If we detect divergence, skip this writer
-      // The requester may need to handle this separately
+      // If we detect divergence, log and skip this writer (B65).
+      // The requester will not receive patches for this writer.
       if ((err instanceof Error && 'code' in err && /** @type {{ code: string }} */ (err).code === 'E_SYNC_DIVERGENCE') || (err instanceof Error && err.message?.includes('Divergence detected'))) {
+        const entry = {
+          writerId,
+          reason: 'E_SYNC_DIVERGENCE',
+          localSha: range.to,
+          remoteSha: range.from ?? '',
+        };
+        skippedWriters.push(entry);
+        log.warn('Sync divergence detected — skipping writer', {
+          code: 'E_SYNC_DIVERGENCE',
+          graphName,
+          ...entry,
+        });
         continue;
       }
       throw err;
@@ -433,6 +451,7 @@ export async function processSyncRequest(request, localFrontier, persistence, gr
     type: /** @type {'sync-response'} */ ('sync-response'),
     frontier: frontierObj,
     patches,
+    skippedWriters,
   };
 }
 

package/src/domain/services/SyncTrustGate.js

@@ -0,0 +1,146 @@
+/**
+ * SyncTrustGate -- Encapsulates trust evaluation for sync operations.
+ *
+ * Evaluates whether inbound patch authors are trusted according to the
+ * trust record chain. Used by SyncController to validate HTTP sync
+ * responses before applying patches.
+ *
+ * Trust-gates on `writersApplied` (patch authors being ingested), not
+ * frontier keys (which are claims, not effects).
+ *
+ * @module domain/services/SyncTrustGate
+ * @see B1 -- Signed sync ingress
+ */
+
+import nullLogger from '../utils/nullLogger.js';
+
+/**
+ * @typedef {'enforce'|'log-only'|'off'} TrustMode
+ */
+
+/**
+ * @typedef {Object} TrustGateResult
+ * @property {boolean} allowed - Whether the writers are trusted
+ * @property {string[]} untrustedWriters - Writers that failed trust evaluation
+ * @property {string} verdict - Human-readable verdict
+ */
+
+/** @type {() => TrustGateResult} */
+const PASS = () => ({ allowed: true, untrustedWriters: [], verdict: 'pass' });
+
+export default class SyncTrustGate {
+  /**
+   * @param {Object} options
+   * @param {{evaluateWriters: (writerIds: string[]) => Promise<{trusted: Set<string>}>}} [options.trustEvaluator] - Trust evaluator instance
+   * @param {TrustMode} [options.trustMode='off'] - Trust enforcement mode
+   * @param {import('../../ports/LoggerPort.js').default} [options.logger] - Logger
+   */
+  constructor({ trustEvaluator, trustMode = 'off', logger } = {}) {
+    this._evaluator = trustEvaluator || null;
+    this._mode = trustMode;
+    this._logger = logger || nullLogger;
+  }
+
+  /**
+   * Evaluates whether the given patch writers are trusted.
+   *
+   * @param {string[]} writerIds - Writer IDs from patches being applied
+   * @param {Object} [context] - Additional context for logging
+   * @param {string} [context.graphName] - Graph name
+   * @param {string} [context.peerId] - Remote peer identity (if authenticated)
+   * @returns {Promise<TrustGateResult>}
+   */
+  async evaluate(writerIds, context = {}) {
+    if (this._mode === 'off' || !this._evaluator) {
+      return { allowed: true, untrustedWriters: [], verdict: 'trust_disabled' };
+    }
+    if (writerIds.length === 0) {
+      return { allowed: true, untrustedWriters: [], verdict: 'no_writers' };
+    }
+
+    try {
+      const result = await this._evaluator.evaluateWriters(writerIds);
+      const untrusted = writerIds.filter((id) => !result.trusted.has(id));
+      return this._decide(untrusted, writerIds, context);
+    } catch (err) {
+      return this._handleError(err, writerIds, context);
+    }
+  }
+
+  /**
+   * Decides the gate result based on untrusted writers and mode.
+   * @param {string[]} untrusted
+   * @param {string[]} writerIds
+   * @param {Object} context
+   * @returns {TrustGateResult}
+   * @private
+   */
+  _decide(untrusted, writerIds, context) {
+    this._logger.info('Trust gate decision', {
+      code: 'SYNC_TRUST_GATE',
+      mode: this._mode,
+      writersApplied: writerIds,
+      untrustedWriters: untrusted,
+      verdict: untrusted.length === 0 ? 'pass' : 'fail',
+      ...context,
+    });
+
+    if (untrusted.length === 0) {
+      return PASS();
+    }
+
+    if (this._mode === 'enforce') {
+      this._logger.warn('Trust gate rejected untrusted writers', {
+        code: 'SYNC_TRUST_REJECTED',
+        untrustedWriters: untrusted,
+        ...context,
+      });
+      return { allowed: false, untrustedWriters: untrusted, verdict: 'rejected' };
+    }
+
+    this._logger.warn('Trust gate: untrusted writers allowed (log-only mode)', {
+      code: 'SYNC_TRUST_WARN',
+      untrustedWriters: untrusted,
+      ...context,
+    });
+    return { allowed: true, untrustedWriters: untrusted, verdict: 'warn_allowed' };
+  }
+
+  /**
+   * Handles trust evaluation errors with fail-open/fail-closed semantics.
+   * @param {unknown} err
+   * @param {string[]} writerIds
+   * @param {Object} context
+   * @returns {TrustGateResult}
+   * @private
+   */
+  _handleError(err, writerIds, context) {
+    this._logger.error('Trust gate evaluation failed', {
+      code: 'SYNC_TRUST_ERROR',
+      error: err instanceof Error ? err.message : String(err),
+      ...context,
+    });
+
+    if (this._mode === 'enforce') {
+      return { allowed: false, untrustedWriters: writerIds, verdict: 'error_rejected' };
+    }
+    return { allowed: true, untrustedWriters: [], verdict: 'error_allowed' };
+  }
+
+  /**
+   * Extracts writer IDs from patches in a sync response.
+   * These are the actual data authors being ingested — the trust target.
+   *
+   * @param {Array<{writerId: string}>} patches - Patches from sync response
+   * @returns {string[]} Deduplicated writer IDs
+   */
+  static extractWritersFromPatches(patches) {
+    const writers = new Set();
+    for (const { writerId } of patches) {
+      if (writerId) {
+        writers.add(writerId);
+      }
+    }
+    return [...writers];
+  }
+}

package/src/domain/services/TranslationCost.js

@@ -15,28 +15,10 @@
 
 import { orsetElements, orsetContains } from '../crdt/ORSet.js';
 import { decodeEdgeKey, decodePropKey, isEdgePropKey } from './KeyCodec.js';
+import { matchGlob } from '../utils/matchGlob.js';
 
 /** @typedef {import('./JoinReducer.js').WarpStateV5} WarpStateV5 */
 
-/**
- * Tests whether a string matches a glob-style pattern.
- *
- * @param {string} pattern - Glob pattern (e.g. 'user:*', '*:admin', '*')
- * @param {string} str - The string to test
- * @returns {boolean} True if the string matches the pattern
- */
-function matchGlob(pattern, str) {
-  if (pattern === '*') {
-    return true;
-  }
-  if (!pattern.includes('*')) {
-    return pattern === str;
-  }
-  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
-  const regex = new RegExp(`^${escaped.replace(/\*/g, '.*')}$`);
-  return regex.test(str);
-}
-
 /**
  * Computes the set of property keys visible under an observer config.
  *
@@ -188,20 +170,22 @@ function computePropLoss(state, { nodesA, nodesBSet, configA, configB }) {
  * A's view to B's view. It is asymmetric: cost(A->B) != cost(B->A) in general.
  *
  * @param {Object} configA - Observer configuration for A
- * @param {string} configA.match - Glob pattern for visible nodes
+ * @param {string|string[]} configA.match - Glob pattern(s) for visible nodes
  * @param {string[]} [configA.expose] - Property keys to include
  * @param {string[]} [configA.redact] - Property keys to exclude
  * @param {Object} configB - Observer configuration for B
- * @param {string} configB.match - Glob pattern for visible nodes
+ * @param {string|string[]} configB.match - Glob pattern(s) for visible nodes
  * @param {string[]} [configB.expose] - Property keys to include
  * @param {string[]} [configB.redact] - Property keys to exclude
  * @param {WarpStateV5} state - WarpStateV5 materialized state
  * @returns {{ cost: number, breakdown: { nodeLoss: number, edgeLoss: number, propLoss: number } }}
  */
 export function computeTranslationCost(configA, configB, state) {
-  if (!configA || typeof configA.match !== 'string' ||
-      !configB || typeof configB.match !== 'string') {
-    throw new Error('configA.match and configB.match must be strings');
+  /** @param {unknown} m */
+  const isValidMatch = (m) => typeof m === 'string' || (Array.isArray(m) && m.length > 0 && m.every(/** @param {unknown} i */ i => typeof i === 'string'));
+  if (!configA || !isValidMatch(configA.match) ||
+      !configB || !isValidMatch(configB.match)) {
+    throw new Error('configA.match and configB.match must be non-empty strings or non-empty arrays of strings');
   }
   const allNodes = [...orsetElements(state.nodeAlive)];
   const nodesA = allNodes.filter((id) => matchGlob(configA.match, id));

package/src/domain/trust/TrustRecordService.js

@@ -14,6 +14,13 @@ import { TrustRecordSchema } from './schemas.js';
 import { verifyRecordId } from './TrustCanonical.js';
 import TrustError from '../errors/TrustError.js';
 
+/**
+ * Maximum CAS attempts for _persistRecord before giving up.
+ * Handles transient failures (lock contention, I/O race).
+ * @type {number}
+ */
+const MAX_CAS_ATTEMPTS = 3;
+
 /**
  * @typedef {Object} AppendOptions
  * @property {boolean} [skipSignatureVerify=false] - Skip signature verification (for testing)
@@ -104,8 +111,15 @@ export class TrustRecordService {
     if (!tip) {
       try {
         tip = await this._persistence.readRef(ref);
-      } catch {
-        return [];
+      } catch (err) {
+        // Distinguish "ref not found" from operational error (J15)
+        if (err instanceof Error && (err.message?.includes('not found') || err.message?.includes('does not exist'))) {
+          return [];
+        }
+        throw new TrustError(
+          `Failed to read trust chain ref: ${err instanceof Error ? err.message : String(err)}`,
+          { code: 'E_TRUST_READ_FAILED' },
+        );
       }
       if (!tip) {
         return [];
@@ -196,6 +210,62 @@ export class TrustRecordService {
     return { valid: errors.length === 0, errors };
   }
 
+  /**
+   * Appends a trust record with automatic retry on CAS conflict.
+   *
+   * On E_TRUST_CAS_CONFLICT, re-reads the chain tip, rebuilds the record
+   * with the new prev pointer, re-signs if a signer is provided, and
+   * retries. This is the higher-level API callers should use when they
+   * want automatic convergence under concurrent appenders.
+   *
+   * @param {string} graphName
+   * @param {Record<string, unknown>} record - Complete signed trust record
+   * @param {Object} [options]
+   * @param {number} [options.maxRetries=3] - Maximum rebuild-and-retry attempts
+   * @param {((record: Record<string, unknown>) => Promise<Record<string, unknown>>)|null} [options.resign] - Function to re-sign a rebuilt record (null for unsigned)
+   * @param {boolean} [options.skipSignatureVerify=false] - Skip signature verification
+   * @returns {Promise<{commitSha: string, ref: string, attempts: number}>}
+   * @throws {TrustError} E_TRUST_CAS_EXHAUSTED if all retries fail
+   */
+  async appendRecordWithRetry(graphName, record, options = {}) {
+    const { maxRetries = 3, resign = null, skipSignatureVerify = false } = options;
+    let currentRecord = record;
+    let attempts = 0;
+
+    for (let i = 0; i <= maxRetries; i++) {
+      attempts++;
+      try {
+        const result = await this.appendRecord(graphName, currentRecord, { skipSignatureVerify });
+        return { ...result, attempts };
+      } catch (err) {
+        if (!(err instanceof TrustError) || err.code !== 'E_TRUST_CAS_CONFLICT') {
+          throw err;
+        }
+
+        if (i === maxRetries) {
+          throw new TrustError(
+            `Trust CAS exhausted after ${attempts} attempts (with retry)`,
+            { code: 'E_TRUST_CAS_EXHAUSTED' },
+          );
+        }
+
+        // Rebuild: re-read chain tip, update prev pointer
+        const freshTipRecordId = err.context?.actualTipRecordId ?? null;
+
+        // Update prev to the new chain tip's recordId
+        currentRecord = { ...currentRecord, prev: freshTipRecordId };
+
+        // Re-sign if signer is provided
+        if (resign) {
+          currentRecord = await resign(currentRecord);
+        }
+      }
+    }
+
+    // Unreachable
+    throw new TrustError('Trust CAS failed', { code: 'E_TRUST_CAS_EXHAUSTED' });
+  }
+
   /**
    * Validates that a record's signature envelope is structurally complete.
    *
@@ -246,7 +316,15 @@ export class TrustRecordService {
   }
 
   /**
-   * Persists a trust record as a Git commit.
+   * Persists a trust record as a Git commit with CAS retry.
+   *
+   * On transient CAS failures (ref unchanged, e.g. lock contention), retries
+   * up to MAX_CAS_ATTEMPTS total. On real concurrent appends (ref advanced),
+   * throws E_TRUST_CAS_CONFLICT so the caller can rebuild + re-sign the record.
+   *
+   * The record's prev, recordId, and signature form a cryptographic chain.
+   * Only the original signer can rebuild, so we never silently rebase.
+   *
    * @param {string} ref
    * @param {Record<string, unknown>} record
    * @param {string|null} parentSha - Resolved tip SHA (null for genesis)
@@ -273,9 +351,44 @@ export class TrustRecordService {
       message,
     });
 
-    // CAS update ref — fails atomically if a concurrent append changed the tip
-    await this._persistence.compareAndSwapRef(ref, commitSha, parentSha);
+    // CAS update ref with retry for transient failures
+    for (let attempt = 1; attempt <= MAX_CAS_ATTEMPTS; attempt++) {
+      try {
+        await this._persistence.compareAndSwapRef(ref, commitSha, parentSha);
+        return commitSha;
+      } catch {
+        // Read fresh tip to distinguish transient vs real conflict
+        const { tipSha: freshTipSha, recordId: freshRecordId } = await this._readTip(ref);
+
+        if (freshTipSha === parentSha) {
+          // Ref unchanged — transient failure (lock contention, I/O race).
+          // Retry the same CAS with same commit.
+          if (attempt === MAX_CAS_ATTEMPTS) {
+            throw new TrustError(
+              `Trust CAS exhausted after ${MAX_CAS_ATTEMPTS} attempts`,
+              { code: 'E_TRUST_CAS_EXHAUSTED' },
+            );
+          }
+          continue;
+        }
+
+        // Ref changed — real concurrent append. Our record's prev no longer
+        // matches the chain tip. The caller must rebuild, re-sign, and retry.
+        throw new TrustError(
+          `Trust CAS conflict: chain advanced from ${parentSha} to ${freshTipSha}`,
+          {
+            code: 'E_TRUST_CAS_CONFLICT',
+            context: {
+              expectedTipSha: parentSha,
+              actualTipSha: freshTipSha,
+              actualTipRecordId: freshRecordId,
+            },
+          },
+        );
+      }
+    }
 
-    return commitSha;
+    // Unreachable, but satisfies type checker
+    throw new TrustError('Trust CAS failed', { code: 'E_TRUST_CAS_EXHAUSTED' });
   }
 }

package/src/domain/utils/matchGlob.js

@@ -0,0 +1,51 @@
+/** @type {Map<string, RegExp>} Module-level cache for compiled glob regexes. */
+const globRegexCache = new Map();
+
+/**
+ * Escapes special regex characters in a string so it can be used as a literal match.
+ *
+ * @param {string} value - The string to escape
+ * @returns {string} The escaped string safe for use in a RegExp
+ * @private
+ */
+function escapeRegex(value) {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+
+/**
+ * Tests whether a string matches a glob-style pattern or an array of patterns.
+ *
+ * Supports:
+ * - `*` as the default pattern, matching all strings
+ * - Wildcard `*` anywhere in the pattern, matching zero or more characters
+ * - Literal match when pattern contains no wildcards
+ * - Array of patterns: returns true if ANY pattern matches (OR semantics)
+ *
+ * @param {string|string[]} pattern - The glob pattern(s) to match against
+ * @param {string} str - The string to test
+ * @returns {boolean} True if the string matches any of the patterns
+ */
+export function matchGlob(pattern, str) {
+  if (Array.isArray(pattern)) {
+    return pattern.some((p) => matchGlob(p, str));
+  }
+
+  if (pattern === '*') {
+    return true;
+  }
+
+  if (typeof pattern !== 'string') {
+    return false;
+  }
+
+  if (!pattern.includes('*')) {
+    return pattern === str;
+  }
+
+  let regex = globRegexCache.get(pattern);
+  if (!regex) {
+    regex = new RegExp(`^${escapeRegex(pattern).replace(/\\\*/g, '.*')}$`);
+    globRegexCache.set(pattern, regex);
+  }
+  return regex.test(str);
+}

package/src/domain/warp/Writer.js

@@ -128,12 +128,14 @@ export class Writer {
       const commitMessage = await this._persistence.showNode(expectedOldHead);
       const kind = detectMessageKind(commitMessage);
       if (kind === 'patch') {
-        try {
-          const patchInfo = decodePatchMessage(commitMessage);
-          lamport = patchInfo.lamport + 1;
-        } catch {
-          // Malformed message, start at 1
+        const patchInfo = decodePatchMessage(commitMessage);
+        if (typeof patchInfo.lamport !== 'number' || !Number.isFinite(patchInfo.lamport) || patchInfo.lamport < 1) {
+          throw new WriterError(
+            'E_LAMPORT_CORRUPT',
+            `Malformed Lamport timestamp in commit ${expectedOldHead}: ${JSON.stringify(patchInfo.lamport)}`,
+          );
         }
+        lamport = patchInfo.lamport + 1;
       }
     }
 

package/src/domain/warp/checkpoint.methods.js

@@ -9,12 +9,13 @@
 
 import { QueryError, E_NO_STATE_MSG } from './_internal.js';
 import { buildWriterRef, buildCheckpointRef, buildCoverageRef } from '../utils/RefLayout.js';
-import { createFrontier, updateFrontier } from '../services/Frontier.js';
+import { createFrontier, updateFrontier, frontierFingerprint } from '../services/Frontier.js';
 import { loadCheckpoint, create as createCheckpointCommit } from '../services/CheckpointService.js';
 import { decodePatchMessage, detectMessageKind, encodeAnchorMessage } from '../services/WarpMessageCodec.js';
 import { shouldRunGC, executeGC } from '../services/GCPolicy.js';
 import { collectGCMetrics } from '../services/GCMetrics.js';
 import { computeAppliedVV } from '../services/CheckpointSerializerV5.js';
+import { cloneStateV5 } from '../services/JoinReducer.js';
 
 /** @typedef {import('../types/WarpPersistence.js').CorePersistence} CorePersistence */
 
@@ -267,6 +268,12 @@ export async function _hasSchema1Patches() {
  * Post-materialize GC check. Warn by default; execute only when enabled.
  * GC failure never breaks materialize.
  *
+ * Uses clone-then-swap pattern for snapshot isolation (B63):
+ * 1. Snapshot frontier fingerprint before GC
+ * 2. Clone state, run executeGC on clone
+ * 3. Compare frontier after GC — if changed, discard clone + mark dirty
+ * 4. If unchanged, swap compacted clone into _cachedState
+ *
  * @this {import('../WarpGraph.js').default}
  * @param {import('../services/JoinReducer.js').WarpStateV5} state
  * @private
@@ -287,8 +294,35 @@ export function _maybeRunGC(state) {
     }
 
     if (/** @type {import('../services/GCPolicy.js').GCPolicy} */ (this._gcPolicy).enabled) {
-      const appliedVV = computeAppliedVV(state);
-      const result = executeGC(state, appliedVV);
+      // Snapshot frontier before GC
+      const preGcFingerprint = this._lastFrontier
+        ? frontierFingerprint(this._lastFrontier)
+        : null;
+
+      // Clone state so executeGC doesn't mutate live state
+      const clonedState = cloneStateV5(state);
+      const appliedVV = computeAppliedVV(clonedState);
+      const result = executeGC(clonedState, appliedVV);
+
+      // Check if frontier changed during GC (concurrent write)
+      const postGcFingerprint = this._lastFrontier
+        ? frontierFingerprint(this._lastFrontier)
+        : null;
+
+      if (preGcFingerprint !== postGcFingerprint) {
+        // Frontier changed — discard compacted state, mark dirty
+        this._stateDirty = true;
+        if (this._logger) {
+          this._logger.warn(
+            'Auto-GC discarded: frontier changed during compaction (concurrent write)',
+            { reasons, preGcFingerprint, postGcFingerprint },
+          );
+        }
+        return;
+      }
+
+      // Frontier unchanged — swap in compacted state
+      this._cachedState = clonedState;
       this._lastGCTime = this._clock.now();
       this._patchesSinceGC = 0;
       if (this._logger) {
@@ -348,11 +382,17 @@ export function maybeRunGC() {
  * Explicitly runs GC on the cached state.
  * Compacts tombstoned dots that are covered by the appliedVV.
  *
+ * Uses clone-then-swap pattern for snapshot isolation (B63):
+ * clones state, runs executeGC on clone, verifies frontier unchanged,
+ * then swaps in compacted clone. If frontier changed during GC,
+ * throws E_GC_STALE so the caller can retry after re-materializing.
+ *
  * **Requires a cached state.**
  *
  * @this {import('../WarpGraph.js').default}
  * @returns {{nodesCompacted: number, edgesCompacted: number, tombstonesRemoved: number, durationMs: number}}
  * @throws {QueryError} If no cached state exists (code: `E_NO_STATE`)
+ * @throws {QueryError} If frontier changed during GC (code: `E_GC_STALE`)
  *
  * @example
  * await graph.materialize();
@@ -368,13 +408,30 @@ export function runGC() {
       });
     }
 
-    // Compute appliedVV from current state
-    const appliedVV = computeAppliedVV(this._cachedState);
-
-    // Execute GC (mutates cached state)
-    const result = executeGC(this._cachedState, appliedVV);
+    // Snapshot frontier before GC
+    const preGcFingerprint = this._lastFrontier
+      ? frontierFingerprint(this._lastFrontier)
+      : null;
+
+    // Clone state so executeGC doesn't mutate live state until verified
+    const clonedState = cloneStateV5(this._cachedState);
+    const appliedVV = computeAppliedVV(clonedState);
+    const result = executeGC(clonedState, appliedVV);
+
+    // Verify frontier unchanged (concurrent write detection)
+    const postGcFingerprint = this._lastFrontier
+      ? frontierFingerprint(this._lastFrontier)
+      : null;
+
+    if (preGcFingerprint !== postGcFingerprint) {
+      throw new QueryError(
+        'GC aborted: frontier changed during compaction (concurrent write detected)',
+        { code: 'E_GC_STALE' },
+      );
+    }
 
-    // Update GC tracking
+    // Frontier unchanged — swap in compacted state
+    this._cachedState = clonedState;
     this._lastGCTime = this._clock.now();
     this._patchesSinceGC = 0;
 

package/src/domain/warp/materialize.methods.js

@@ -242,6 +242,9 @@ export async function materialize(options) {
  * @private
  */
 export async function _materializeGraph() {
+  if (!this._stateDirty && this._materializedGraph) {
+    return this._materializedGraph;
+  }
   const state = await this.materialize();
   if (!this._materializedGraph || this._materializedGraph.state !== state) {
     await this._setMaterializedState(/** @type {import('../services/JoinReducer.js').WarpStateV5} */ (state));

package/src/domain/warp/materializeAdvanced.methods.js

@@ -167,6 +167,7 @@ export function _buildView(state, stateHash, diff) {
     this._propertyReader = result.propertyReader;
     this._cachedViewHash = stateHash;
     this._cachedIndexTree = result.tree;
+    this._indexDegraded = false;
 
     const provider = new BitmapNeighborProvider({ logicalIndex: result.logicalIndex });
     if (this._materializedGraph) {
@@ -176,6 +177,7 @@ export function _buildView(state, stateHash, diff) {
     this._logger?.warn('[warp] index build failed, falling back to linear scan', {
       error: /** @type {Error} */ (err).message,
     });
+    this._indexDegraded = true;
     this._logicalIndex = null;
     this._propertyReader = null;
     this._cachedIndexTree = null;