fix(snapshot): isolate mutated snapshots from the cross-snapshot result cache

fasterthanlime · fasterthanlime · commit 8f61fca5c0d6 · 2026-05-31T18:13:46.000+02:00
Sibling snapshots created from the same database share the parent's
RuntimeId so that concurrent *read-only* snapshots can deduplicate
in-flight work and adopt each other's results from the shared completed-
result cache (keyed by RuntimeId + kind + key, deliberately revision-less).

That sharing is unsound once a snapshot is *mutated*: each snapshot has an
independent revision counter starting from the same base, so two snapshots
that override an input produce colliding, incomparable revision numbers. A
result computed in snapshot A (e.g. `changed_at = 42` in A's space) would be
adopted by snapshot B, whose own override landed at a numerically-lower
revision in B's space, making B's edit look stale. Symptom: a "what-if"
overlay on a snapshot (dodeca's in-browser editor preview) renders a
sibling snapshot's content instead of its own.

Fix: a snapshot becomes "divergent" the first time one of its inputs is
set/removed, at which point it switches from the shared family RuntimeId to
a private cache-scope id for both the in-flight registry and the shared
result cache. Read-only snapshots are unaffected and still dedup.

Adds regression tests covering derived/singleton/transitive/registry-entity
override invalidation on a snapshot, plus two divergent snapshots with
independent overrides.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/picante/src/ingredient/derived.rs b/crates/picante/src/ingredient/derived.rs
@@ -430,7 +430,7 @@ impl DerivedCore {
             // 3) Check shared completed-result cache for cross-snapshot memoization.
             //    Unlike the in-flight registry, this persists after the leader finishes.
             if let Some(record) =
-                inflight::shared_cache_get(db.runtime().id(), self.kind, &requested.key)
+                inflight::shared_cache_get(db.runtime().cache_scope_id(), self.kind, &requested.key)
             {
                 let can_adopt = if record.verified_at == rev {
                     true
@@ -456,7 +456,7 @@ impl DerivedCore {
 
                     // Update the shared cache's verified_at so future lookups can skip revalidation.
                     inflight::shared_cache_put(
-                        db.runtime().id(),
+                        db.runtime().cache_scope_id(),
                         self.kind,
                         requested.key.clone(),
                         SharedCacheRecord {
@@ -484,7 +484,7 @@ impl DerivedCore {
             // 3) Check global in-flight registry for cross-snapshot deduplication.
             //    This allows concurrent queries from different snapshots to share work.
             let inflight_key = InFlightKey {
-                runtime_id: db.runtime().id(),
+                runtime_id: db.runtime().cache_scope_id(),
                 revision: rev,
                 kind: self.kind,
                 key: requested.key.clone(),
@@ -551,7 +551,7 @@ impl DerivedCore {
 
                                 // Store in shared completed-result cache for future snapshots.
                                 inflight::shared_cache_put(
-                                    db.runtime().id(),
+                                    db.runtime().cache_scope_id(),
                                     self.kind,
                                     requested.key.clone(),
                                     SharedCacheRecord {
@@ -677,7 +677,7 @@ impl DerivedCore {
 
                             // Store in shared completed-result cache for future snapshots.
                             inflight::shared_cache_put(
-                                db.runtime().id(),
+                                db.runtime().cache_scope_id(),
                                 self.kind,
                                 requested.key.clone(),
                                 SharedCacheRecord {
diff --git a/crates/picante/src/ingredient/input.rs b/crates/picante/src/ingredient/input.rs
@@ -413,6 +413,10 @@ where
 
         // Value changed, take write lock
         let rev = db.runtime().bump_revision();
+        // r[snapshot.divergent]
+        // Mutating an input makes a snapshot diverge from its family, so it must
+        // stop sharing computed results via the cross-snapshot cache.
+        db.runtime().mark_divergent();
         {
             let mut entries = self.core.entries.write();
             entries.insert(
@@ -466,6 +470,8 @@ where
 
         // Need to remove, take write lock
         let rev = db.runtime().bump_revision();
+        // r[snapshot.divergent]
+        db.runtime().mark_divergent();
         {
             let mut entries = self.core.entries.write();
             entries.insert(
diff --git a/crates/picante/src/runtime.rs b/crates/picante/src/runtime.rs
@@ -34,6 +34,18 @@ impl RuntimeId {
 pub struct Runtime {
     /// Unique identifier for this runtime family (shared with snapshots).
     id: RuntimeId,
+    /// Whether this runtime backs a snapshot (vs. a live database).
+    is_snapshot: bool,
+    // r[snapshot.divergent]
+    /// A cross-snapshot cache scope id, assigned lazily the first time an input
+    /// is mutated on a *snapshot* runtime. `0` means "not divergent": the runtime
+    /// uses the shared family `id` for the inflight registry and shared result
+    /// cache (so read-only snapshots still dedup). Once a snapshot is mutated its
+    /// state diverges from its siblings/parent, so it switches to this private id
+    /// and stops sharing computed results — which would otherwise be unsound,
+    /// since sibling snapshots have independent revision counters from the same
+    /// base and thus produce colliding, incomparable revisions.
+    divergent_scope: AtomicU64,
     current_revision: AtomicU64,
     // r[event.channel]
     revision_tx: watch::Sender<Revision>,
@@ -63,6 +75,8 @@ impl Runtime {
         let (events_tx, _) = broadcast::channel(1024);
         Self {
             id: parent_id,
+            is_snapshot: true,
+            divergent_scope: AtomicU64::new(0),
             current_revision: AtomicU64::new(0),
             revision_tx,
             events_tx,
@@ -78,6 +92,38 @@ impl Runtime {
         self.id
     }
 
+    // r[snapshot.divergent]
+    /// The scope id used to key the inflight registry and shared result cache.
+    ///
+    /// Returns the shared family [`id`](Self::id) unless this is a snapshot that
+    /// has been mutated, in which case it returns a private id so the snapshot's
+    /// computed results neither leak into nor adopt from its siblings/parent.
+    pub fn cache_scope_id(&self) -> RuntimeId {
+        let scope = self.divergent_scope.load(Ordering::Acquire);
+        if scope != 0 {
+            RuntimeId(scope)
+        } else {
+            self.id
+        }
+    }
+
+    /// Mark this runtime as divergent (an input was mutated). No-op for a live
+    /// database — only snapshots diverge from their family. Assigns a private
+    /// cache scope id exactly once.
+    pub fn mark_divergent(&self) {
+        if !self.is_snapshot {
+            return;
+        }
+        if self.divergent_scope.load(Ordering::Acquire) != 0 {
+            return;
+        }
+        let fresh = RUNTIME_ID_COUNTER.fetch_add(1, Ordering::Relaxed);
+        // First writer wins; a concurrent caller may have set it already.
+        let _ =
+            self.divergent_scope
+                .compare_exchange(0, fresh, Ordering::AcqRel, Ordering::Acquire);
+    }
+
     /// Read the current revision.
     pub fn current_revision(&self) -> Revision {
         Revision(self.current_revision.load(Ordering::Acquire))
@@ -269,6 +315,8 @@ impl Default for Runtime {
         let (events_tx, _) = broadcast::channel(1024);
         Self {
             id: RuntimeId::new_unique(),
+            is_snapshot: false,
+            divergent_scope: AtomicU64::new(0),
             current_revision: AtomicU64::new(0),
             revision_tx,
             events_tx,
diff --git a/crates/picante/tests/snapshot.rs b/crates/picante/tests/snapshot.rs
@@ -276,3 +276,30 @@ async fn snapshot_override_registry_entity_invalidates_outer() -> PicanteResult<
     assert_eq!(total_len(&db).await?, 2); // host untouched
     Ok(())
 }
+
+/// Two snapshots derived from the same db share a RuntimeId (for inflight dedup)
+/// but have independent revision counters starting from the same base. A query
+/// result computed in snapshot A must NOT leak into snapshot B and make B's own
+/// override look stale. This mirrors dodeca's editor: an auto-preview snapshot
+/// followed by a user-edit snapshot.
+#[tokio_test_lite::test]
+async fn two_snapshots_independent_overrides() -> PicanteResult<()> {
+    let db = Database::new();
+    Config::set(&db, "base".into())?; // len 4
+    assert_eq!(config_len(&db).await?, 4); // compute on host
+
+    // Snapshot A: override + compute (this is the "auto-preview").
+    let snap_a = DatabaseSnapshot::from_database(&db).await;
+    Config::set(&snap_a, "AAAAAAAAAAAAAAAAAAAA".into())?; // len 20
+    assert_eq!(config_len(&snap_a).await?, 20);
+
+    // Snapshot B: a DIFFERENT override. Must reflect B's value, not A's.
+    let snap_b = DatabaseSnapshot::from_database(&db).await;
+    Config::set(&snap_b, "BBB".into())?; // len 3
+    assert_eq!(
+        config_len(&snap_b).await?,
+        3,
+        "snapshot B must see its own override, not snapshot A's leaked result"
+    );
+    Ok(())
+}
