Preflight and Reverse Commit
Preflight validation lets you check a commit without mutating world state. Reverse commit lets you compensate for a prior commit by emitting a new commit derived from the stored reverse plan in the undo sidecar. Both are designed to preserve deterministic replay and the single-writer contract.
Problem this concept solves
Complex systems need two capabilities that are easy to misuse:
- Validate multi-step plans without touching production state.
- Compensate for committed changes without rewriting history.
Preflight and reverse commit provide these capabilities while keeping the commit log authoritative and replay-safe.
Core ideas
Preflight validation
Preflight executes the same L2/L3 logic as a real commit, but runs in a sandbox so there are no mutations, no commit log append, and no observer emissions.
Key properties:
- Commit-equivalent results using the same operation order.
- Fail-fast semantics (first failure ends validation).
- Deterministic output for a given world state.
- Returns
validated_world_seqso clients can coordinate optimistic concurrency. - No state mutation, no log append, no observer emissions.
The output is tied to the world sequence at the time of validation. If new commits land before you submit the real commit, rerun preflight to confirm the plan still holds.
Use preflight when you need to check a plan, schedule, or multi-op sequence before issuing the real commit.
Reverse commit
Reverse commit is a regular write that loads a stored reverse plan from the undo sidecar. The plan is built at commit time from the undo log plus the commit’s post-state, and it is applied as a new commit only if the current state still matches the plan’s expected post-state. It does not rewrite history or delete prior events.
Key properties:
- Uses
commit_idas the external handle for reversal. - Requires an audit reason and loads an undo sidecar entry for the target commit.
- Validates current state against the plan’s expected post-state (captured at commit time) before applying the reverse plan.
- Fails closed if the undo entry is missing or expired.
- Emits a normal commit response with new sequence metadata.
Reversing the most recent commit is usually straightforward because the current state still matches the plan’s expected post-state. Reversing historical commits is conditional: other commits may have moved or removed assets, filled containers, or changed class constraints. The reverse plan fails on those conflicts.
Reverse commit is mechanical: it applies the stored plan or fails. If it succeeds against a changed world, it reflects the stored undo steps applied to the current state, not intent-level undo. If you need to unwind deeper history, plan a compensating commit and preflight it against the current state.
Undo sidecar availability
Reverse commit only works if the undo sidecar is enabled and the target commit is still within retention policy. Availability depends on deployment configuration and namespace governance. If the sidecar is disabled or the entry is pruned, reverse commit must fail closed.
How it fits into the system
Commit request -> Preflight (optional) -> Commit -> Commit log append
Reverse commit request -> Load reverse plan -> Validate post-state -> Compensating commit (if valid) -> Commit log append
Preflight is a validation path; reverse commit is a compensating write path. Both go through the write daemon and must respect auth, quota, and policy rules.
Key invariants and guarantees
Non-mutating validation
Preflight never changes state, never appends to the log, and never emits observers. It is safe for planning and automation.
Append-only history
Reverse commit appends a new commit. The original commit remains in the log and audit trail.
Fail-closed undo
If undo data is missing or expired, reversal is denied. Partial reversals are not allowed.
Explicit authorization
Reverse commit is a distinct operation and is RBAC-gated. Audit reasons are recorded with the reverse commit.