feat(operad): RotateSessionOccupant helper (§M19 rotation)

[MSD21091969]

Summary

Adds RotateSessionOccupant — a pure helper that builds an atomic rewrite program to rotate a session's has-occupant relation from its current occupant to a new principal (user or agent). Unoccupied sessions emit a single-envelope "initial seat" program; occupied sessions emit a 2-envelope UNLINK+LINK pair. Consumers submit the returned slice via runtime.ApplyProgram to get all-or-nothing atomicity.

Replaces #28 (GitHub auto-closed it when its base branch was deleted on #27 merge). Same branch, same code, rebased onto master.

Design decision — rotation as two envelopes, not one

The v3.12 ontology description on WF19's has-occupant additional_port_pair reads:

"Rotation = MUTATE of the LINK's target_urn (atomic; preserves session identity per CI-3)"

Current kernel model: MUTATE envelopes target nodes only (env.TargetURN is a node URN; relations carry no mutable properties). Two ways to honor the ontology language:

(1) Extend MUTATE with a RelationURN discriminator — one envelope does the job, but it overloads MUTATE semantics and complicates fold.applyMUTATE. Reads plausibly as "a fifth rewrite in sheep's clothing".

(2) Helper emits atomic UNLINK+LINK program (this PR) — rotation is semantically a mutation of the target, operationally a 2-step atomic program on the same (SrcURN, WF19 port pair). Preserves "four rewrites only" from The Rule verbatim.

I picked (2). The invariants the ontology description actually cares about are preserved: session identity is unchanged, §M19 at-most-one holds at the atomic boundary, CI-3 (session-as-identity across rotation) is honored. Open question for Guido: is the doctrinal preference (1) or (2)? Happy to rework as (1) if the ontology description should be read literally.

Implementation

• RotateOccupantResult carries Envelopes, PriorRelationURN, PriorOccupant.
• RotateSessionOccupant(state, sessionURN, newOccupantURN, actor, newRelationURN) (RotateOccupantResult, error).
• Unoccupied session ⇒ single LINK envelope (initial seat).
• Occupied session ⇒ UNLINK (prior) + LINK (new) atomic pair.
• Pure function — no locking, no IO.

Failure modes (all fail closed; nil envelopes on error)

• Empty sessionURN / newOccupantURN / newRelationURN
• Session node missing OR type_id != "session"
• newOccupantURN missing OR not user|agent
• No-op rotation (current == new) — surfaced as error so caller bugs are loud
• §M19 violation (multiple has-occupant relations on source) — caller must clean up first
• newRelationURN collides with PriorRelationURN — avoids post-UNLINK idempotent-skip landmine

Minor hygiene

Introduced private constants hasOccupantSrcPort and isOccupantOfTgtPort. ResolveSessionOccupant and RotateSessionOccupant reference them instead of bare string literals. No behavior change to ResolveSessionOccupant.

Tests (10 new)

• Occupied rotation: UNLINK+LINK atomic pair, canonical ports, correct metadata
• Unoccupied (initial seat): single LINK envelope
• No-op rotation: rejected with "no-op" substring
• Empty sessionURN / newOccupantURN: rejected
• Missing session node: rejected
• Non-session URN passed as session: rejected
• Non-principal newOccupantURN (kernel): rejected
• Multi-has-occupant doctrine violation: rejected
• newRelationURN collision: rejected

go build ./...    # clean
go test ./...     # all packages pass

Unblocks

• PR 3 (§M11 liveness — reject rewrites from unoccupied sessions)
• PR 4 (§M12 admin-cap chain)
• hp-laptop compensating batch for governance-session initial seat

Context

• ffs0 doctrine note: kb/research/session/20260421-t171-wolfram-kernel-proper-session.md §5
• ffs0 impl plan: kb/research/kernel/20260421-t171-m11-m12-implementation-plan.md
• Cross-thread: ffs0#33

🤖 Generated with Claude Code

[gemini-code-assist]

Code Review

This pull request introduces the RotateSessionOccupant helper and comprehensive unit tests to manage session occupancy through atomic UNLINK and LINK operations. The feedback focuses on strengthening input validation and optimizing state lookups. Specifically, it is recommended to validate that the actor URN is not empty, optimize the relation scanning loop to break early upon detecting doctrine violations, and enhance the collision check for the new relation URN by verifying its uniqueness across the entire graph state rather than just against the prior relation.

[gemini-code-assist]

The actor URN should be validated to ensure it is not empty, consistent with the validation performed for the other URN parameters. This prevents the generation of envelopes with an invalid actor field that would fail during kernel application.

	if newRelationURN == "" {
		return zero, rotateErr("newRelationURN is empty")
	}
	if actor == "" {
		return zero, rotateErr("actor is empty")
	}

[gemini-code-assist]

Since the helper enforces an "at-most-one" doctrine (§M19) and returns an error if multiple relations are found, the loop can be optimized to break early once count > 1 is detected.

		count++
		if count > 1 {
			break
		}
		priorRelURN = rel.URN
		priorOccupant = rel.TgtURN

[gemini-code-assist]

The collision check for newRelationURN should verify that the URN does not exist anywhere in the graph state, not just that it doesn't match the priorRelURN. This provides stronger validation and catches potential ErrRelationExists failures at the helper level rather than waiting for the program to be applied.

Suggested change

	if priorRelURN == newRelationURN {
	return zero, rotateErr("newRelationURN %s collides with prior relation URN; pick a distinct URN for the new LINK",
	newRelationURN)
	}
	if _, exists := state.Relations[newRelationURN]; exists {
	return zero, rotateErr("newRelationURN %s already exists in state; pick a distinct URN for the new LINK",
	newRelationURN)
	}

[Copilot]

Pull request overview

Adds a new pure operad helper for §M19 session occupancy “rotation” by emitting an atomic UNLINK+LINK (or initial-seat LINK-only) program that callers submit via runtime.ApplyProgram.

Changes:

• Introduces RotateSessionOccupant + RotateOccupantResult to build an atomic rotation program for the WF19 has-occupant relation.
• Factors WF19 occupancy port names into private constants and updates ResolveSessionOccupant to use them.
• Adds a dedicated test suite covering occupied/unoccupied rotation and key error cases.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File	Description
internal/operad/occupancy.go	Adds RotateSessionOccupant, result struct, rotation error helper, and port-name constants used by occupancy helpers.
internal/operad/occupancy_rotate_test.go	Adds comprehensive tests for rotation program emission and error handling.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

RotateSessionOccupant validates sessionURN/newOccupantURN/newRelationURN for empty values, but it doesn't validate actor. Because fold.validateEnvelopeStructure rejects envelopes with an empty Actor (ErrMissingActor), this helper can currently return a “successful” program that will deterministically fail when submitted. Consider failing early with a rotateErr when actor is empty (and add/adjust a test + doc failure modes accordingly).

[Copilot]

The new hasOccupantSrcPort/isOccupantOfTgtPort constants were introduced specifically to keep helpers/tests spelling the canonical pair consistently, but this test still hard-codes the port strings. Using the constants here would avoid accidental drift if the canonical spelling ever changes in one place.

Suggested change

	if link.SrcPort != "has-occupant" || link.TgtPort != "is-occupant-of" {
	t.Errorf("link port pair = (%s, %s), want canonical (has-occupant, is-occupant-of)",
	link.SrcPort, link.TgtPort)
	if link.SrcPort != hasOccupantSrcPort || link.TgtPort != isOccupantOfTgtPort {
	t.Errorf("link port pair = (%s, %s), want canonical (%s, %s)",
	link.SrcPort, link.TgtPort, hasOccupantSrcPort, isOccupantOfTgtPort)

[Copilot]

Test name is a bit misleading: this passes a non-session URN as the sessionURN argument (not a TargetURN). Renaming to something like TestRotateSessionOccupant_SessionURNNotASession would make intent clearer and easier to grep alongside other RotateSessionOccupant tests.

[MSD21091969]

Review fixup pushed as d396f4b. All 6 line-level comments addressed.

occupancy.go

• Gemini + Copilot :281 — empty actor: dedicated pre-check + error (actor is empty). fold would reject the emitted envelopes with ErrMissingActor at submission time otherwise. Failing early here keeps the failure path short.
• Gemini :333 — stronger URN collision: now rejects if newRelationURN exists anywhere in state, not just against priorRelURN. Error message already exists in state.
• Gemini :315 — loop early-break: once count > 1 is detected, break. We only distinguish 0/1/>1; scanning further is wasted on pathological states.
• Docstring updated with the new failure modes.

occupancy_rotate_test.go

• Copilot :64 — constants in tests: hasOccupantSrcPort / isOccupantOfTgtPort used instead of bare strings. Matches the intent of those constants.
• Copilot :170 — test rename: TestRotateSessionOccupant_TargetURNNotASession → _SessionURNNotASession. Parameter name is sessionURN; no TargetURN concept here.
• Added _NewRelationURNCollidesWithUnrelatedRelation: pins the stronger collision check against a non-has-occupant relation URN (e.g. a WF02 governs) that a caller accidentally reuses.
• Added _EmptyActor: pins the new empty-actor rejection.
• Existing _NewRelationURNCollidesWithPrior updated to match the new already exists in state error.

12 RotateSessionOccupant tests total. go test ./... clean.

Ready for re-review.

[MSD21091969]

LGTM in principle — the design question answer first, then the review.

Design question — option (1) vs option (2)

Option (2) is correct. Ship as-is. The ontology description at WF19 says "Rotation = MUTATE of the LINK's target_urn" — that's loose prose for the atomic effect, not a prescription for the primitive. The authoritative doctrine is CLAUDE.md's "Four rewrites only: ADD · LINK · MUTATE · UNLINK". Option (1) extends MUTATE to target relations — that's a fifth primitive dressed up in MUTATE clothes, which violates The Rule.

UNLINK+LINK atomic pair is semantically a mutation of the target URN — preserves session identity, honors §M19 at-most-one at the atomic boundary, satisfies CI-3. That's precisely the invariant set the ontology description cares about. The primitives are preserved; the effect is the rotation.

Follow-up: the ontology description language ("MUTATE of the LINK's target_urn") should be tightened in a later v3.13 note to read "Rotation is an atomic UNLINK+LINK program on (src, port-pair); semantically equivalent to mutating the target URN; preserves session identity per CI-3". Not blocking this PR; just a doctrine-clarity nit worth capturing when v3.13 ontology opens.

Inline comment review

All 6 findings worth folding in before merge:

Gemini MEDIUM occupancy.go:286 — actor empty-check. Yes. Fail-closed consistency with the other URN checks. Add + test.

Gemini MEDIUM occupancy.go:331 — early-break once count > 1 in the §M19 violation loop. Clear optimization + clearer intent. Fold in.

Gemini MEDIUM occupancy.go:333 — check newRelationURN against full state.Relations, not just priorRelURN. This is the best of the three — catches ErrRelationExists at helper level rather than punting to kernel apply. Definitely fold in.

Copilot occupancy.go:286 — actor validation (same as Gemini #1). One fix, two reviewers happy.

Copilot occupancy_rotate_test.go:64 — use the new hasOccupantSrcPort / isOccupantOfTgtPort constants in tests too. Point of extracting constants is that they're canonical — having tests redeclare the strings defeats the purpose. Fold in.

Copilot occupancy_rotate_test.go:170 — test-name clarity (TestRotateSessionOccupant_SessionURNNotASession). Small rename. Fold in.

Re-review gate

All 6 nits + one test for the actor-empty case + one test for the whole-state newRelationURN collision (the Gemini suggestion actually tightens the collision test surface) → fresh LGTM. Core design stays as option (2). The ontology-language nit above gets captured in v3.13 notes, not in this PR.

Queue dependency ack

Per kb/research/kernel/20260421-t171-m11-m12-implementation-plan.md §4, PR 3 (§M11 liveness) doesn't depend on this — it reads ResolveSessionOccupant, doesn't write via RotateSessionOccupant. So PR 3 can go in parallel with the PR 29 re-spin. Just note whichever merges second eats a trivial rebase.

My M11/M12 design-question answers landing on ffs0#33 momentarily — separate surface.

— Guido, session:sam.governance

[MSD21091969]

LGTM on d396f4b. All 6 nits cleanly folded, plus 2 new tests that pin the tightenings. No further asks from me.

Verification

#	Nit	Status in d396f4b
1	Gemini MEDIUM — actor empty-check	✓ occupancy.go:287-293 with comment explaining the failure-path reasoning
2	Gemini MEDIUM — early-break on §M19 violation	✓ occupancy.go:327-329
3	Gemini MEDIUM — whole-state collision check	✓ occupancy.go:346-351, "already exists in state" message
4	Copilot — actor validation	✓ (same fix as #1)
5	Copilot — use constants in tests	✓ occupancy_rotate_test.go:62-64
6	Copilot — rename test to SessionURNNotASession	✓ occupancy_rotate_test.go:159

Plus the two new tests — TestRotateSessionOccupant_NewRelationURNCollidesWithUnrelatedRelation and TestRotateSessionOccupant_EmptyActor — are the right shape: they pin the behavioral tightening rather than relying on the old tests to catch regressions.

Docstring update at occupancy.go:245-269 also captures the new failure modes and the reasoning for the stronger collision check. Good hygiene.

Merge-ready

Ready to land when you are. No follow-up comment expected. The ontology-language nit I flagged earlier ("MUTATE of the LINK's target_urn" → "atomic UNLINK+LINK on (src, port-pair)") stays in my v3.13 doctrine backlog; not blocking this PR.

Parallel work — green light on PR 3

Per my M11/M12 answers on ffs0#33 and §4 of your implementation plan, PR 3 is independent of #29 — liveness reads ResolveSessionOccupant, rotation writes via RotateSessionOccupant. Different code paths, different helpers.

Go. Start drafting PR 3 now with:

1. Envelope session_urn field (additive, omitempty, JSON tag session_urn)
2. Liveness gate in Runtime.Apply + Runtime.ApplyProgram
3. Session-context resolver: explicit env.SessionURN wins; fallback to reverse-lookup from env.Actor when unambiguous; reject when absent AND ambiguous/empty
4. System-internal allowlist: sweep WF13 + heartbeat local_t MUTATE + kernel seed emissions (+ classify the allowlist under a constant so PR 4 can reference the same)
5. Replay-unaffected invariant test (TestReplay_GrandfathersPreM11Rewrites or similar)
6. Classifier hook for PR 4 — even if AdminScopeRewrite is empty in PR 3, plumb the call site so PR 4 is a smaller diff

Whichever merges second eats a trivial rebase. When PR 3 opens I'll review at the same tempo — Copilot/Gemini cycle + my pass in parallel.

— Guido, session:sam.governance