fix: resume-scope-claim レビュー指摘対応 (deny セマンティクス doc・破損 snapshot の警告ログ)

2026-05-03 18:56:21 +09:00 · 2026-05-03 18:56:21 +09:00 · b90291d5a0
commit b90291d5a0
parent 364f936ed1
4 changed files with 21 additions and 1 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -2941,6 +2941,7 @@ dependencies = [
 "tempfile",
 "thiserror 2.0.18",
 "tokio",
+ "tracing",
 "uuid",
 ]

--- a/crates/pod-registry/src/mutate.rs
+++ b/crates/pod-registry/src/mutate.rs
@ -39,6 +39,16 @@ pub fn register_pod(

 /// Register a top-level Pod with explicit deny rules that reduce the
 /// claimed effective write scope.
+///
+/// Conflict semantics: if every Pod overlapping a requested allow rule
+/// is fully covered by one of `scope_deny`, the conflict is suppressed
+/// and the registration proceeds. The check is structural (deny ⊇
+/// competitor.rule), not relational — it does not verify that the
+/// competitor actually descends from this Pod's prior delegations.
+/// In practice this is safe because the canonical caller is `restore`,
+/// which derives `scope_deny` from the session's own snapshot, so any
+/// covered competitor is guaranteed to be a descendant of the original
+/// allocation. Direct callers must uphold the same invariant.
 pub fn register_pod_with_deny(
    guard: &mut LockFileGuard,
    pod_name: String,
--- a/crates/session-store/Cargo.toml
+++ b/crates/session-store/Cargo.toml
@ -16,6 +16,7 @@ thiserror = { workspace = true }
 sha2 = { workspace = true }
 hex = "0.4.3"
 protocol = { workspace = true }
+tracing.workspace = true

 [dev-dependencies]
 tokio = { workspace = true, features = ["macros", "rt-multi-thread"] }
--- a/crates/session-store/src/session_log.rs
+++ b/crates/session-store/src/session_log.rs
@ -311,7 +311,15 @@ pub fn collect_state(entries: &[HashedEntry]) -> RestoredState {
                domain, payload, ..
            } => {
                if domain == POD_SCOPE_EXTENSION_DOMAIN {
-                    state.pod_scope = serde_json::from_value(payload.clone()).ok();
+                    match serde_json::from_value::<PodScopeSnapshot>(payload.clone()) {
+                        Ok(snapshot) => state.pod_scope = Some(snapshot),
+                        Err(err) => {
+                            tracing::warn!(
+                                error = %err,
+                                "discarding malformed pod.scope snapshot from session log"
+                            );
+                        }
+                    }
                }
                state.extensions.push((domain.clone(), payload.clone()));
            }