All observable operations on a view (input reads, input mutations, snapshot creation, and derived-query accesses) MUST be linearizable:

• For each operation call, there MUST exist a single linearization point between invocation and completion.
• There MUST exist a total order of all completed operations consistent with real-time ordering (if A completes before B starts, then A appears before B in that order).
• Each operation’s result MUST be the same as if operations executed sequentially in that total order.

This requirement forbids “torn” observations: callers MUST NOT observe partial application of an operation.

This specification primarily defines safety properties for completed operations (what results are permitted). It does not guarantee liveness: an operation is permitted to block indefinitely (for example due to user-level deadlocks, executor starvation, or infinite recursion), except where explicitly stated otherwise.

A revision is an opaque token that identifies a database state within a view.

Within a view, revisions MUST form a total order consistent with the “happens-after” ordering of successful input mutations that change observable state in that view.

Any successful input mutation that changes observable input state MUST advance the view to a fresh revision that is greater than the prior revision.

Each read or derived-query access on a view MUST be associated with a specific revision R of that view. The revision R is the view’s current revision at the operation’s linearization point (see r[concurrency.linearizable]).

A kind MUST uniquely identify a specific ingredient definition within a database type. Two distinct ingredient definitions MUST NOT share the same kind.

The mapping from Rust constructs (types/functions) to kinds is implementation-defined, but it MUST be deterministic within a single view and MUST preserve r[kind.identity].

Reading an input record by key MUST:

• Return Ok(Some(value)) if the record exists in the database state associated with db.
• Return Ok(None) if the record does not exist in that database state.

If called during derived query evaluation, it MUST record a dependency on that input record (see r[dep.recording]).

For purposes of dependency tracking and invalidation, each input kind defines an input slot for every possible key. The observable value of an input slot is either None (absent) or Some(value) (present).

A derived query that reads an input via get(db, key) MUST be treated as depending on that slot’s value (including absence). Therefore, changing a slot from None to Some(...), from Some(...) to None, or from Some(v1) to Some(v2) MUST be observable via invalidation and revalidation.

Input reads and input mutations on the same view MUST compose according to r[concurrency.linearizable]:

• A concurrent get racing with a set/remove MUST behave as if either the get happened before the mutation (returning the old value) or after the mutation (returning the new value).
• A get MUST NOT observe partial effects of a mutation.

For each input kind, derived kind, and interned kind, the implementation MUST define an equality relation ≈ over that kind’s relevant values such that ≈ is an equivalence relation (reflexive, symmetric, transitive).

The relation MUST be deterministic: for any two values a and b, whether a ≈ b holds MUST NOT depend on timing, concurrency, global mutable state, or external state.

The specific relation is otherwise implementation-defined (e.g., deep structural equality), but it MUST be consistent for the lifetime of the process.

Setting an input record MUST behave as follows:

1. If the record did not previously exist, it is created with the provided value.
2. If the record exists and the new value is equal to the current value (per r[equality.relation]), the operation MUST be a no-op.
3. If the record exists and the value differs from the current value, the value MUST be replaced.
4. The view revision MUST advance to a fresh later revision iff the operation is not a no-op.

Removing an input record MUST behave as follows:

1. If the record does not exist, the operation MUST be a no-op.
2. If the record exists, it MUST be removed and the view revision MUST advance to a fresh later revision.

If the public API provides a “required” read of an input record (i.e., an operation that does not return Option/None for absence), then attempting to read a missing/removed input slot MUST return an explicit error indicating a missing input value.

This error MUST be stable and deterministic, and MUST NOT be silently mapped to a default value.

Picante MUST provide a batch input-mutation operation that applies multiple set/remove mutations as one operation. The operation MUST be atomic with respect to observable database state:

• There MUST exist a single revision boundary such that observers see either all batch mutations applied or none.
• No observer MAY observe a state in which only a strict subset of the batch mutations have been applied.
• The batch MUST have the same final effect as applying its component mutations sequentially in the order provided, and then committing the resulting state atomically at the batch’s revision boundary.
• The view MUST advance to a fresh later revision iff at least one mutation in the batch changes observable input state; otherwise the batch is a no-op.

If a batch contains multiple mutations to the same input slot (kind, key), the sequential “apply in order” rule in r[input.batch] determines the outcome:

• Later mutations in the batch override earlier ones.
• The final state of that slot after the batch MUST be the result of applying all of its mutations in order.

A derived-query access MUST be evaluated at its associated revision R (see r[revision.choose]):

• All input reads and derived-query reads performed as part of that access MUST behave as reads at revision R.
• If the view advances to a later revision while evaluation is in progress, that MUST NOT change the results of the in-progress access; it remains an evaluation at revision R.
• A later access to the same derived query at a later associated revision R' > R is a distinct access and MAY yield a different result.

Derived-query accesses and input mutations on the same view MUST compose according to r[concurrency.linearizable] and the revision-binding rules:

• If a derived-query access linearizes at revision R, it MUST evaluate as-of R even if the view advances to R+1 while the access is in progress.
• Therefore, an input mutation that linearizes after the derived-query access MUST NOT affect the in-progress access.

During evaluation of a derived query, each read of an input record or derived query result MUST be recorded as a dependency of the evaluating query for the purpose of future revalidation.

Dependencies MUST be recorded with enough precision to revalidate: at minimum, the dependency’s (kind, key) identity.

Implementations MAY omit recording dependencies on records whose values are immutable for the lifetime of the process (for example, interned records addressed by an ID), since such dependencies can never affect revalidation.

For any dependency record (kind, key) that participates in dependency tracking, the implementation MUST define a changed_at revision value with the following meaning:

• If the record’s observable value has not changed between two revisions, its changed_at MUST be the same at both revisions.
• If the record’s observable value changes at some revision R, then for all later revisions R' >= R, the record’s changed_at MUST be >= R.

changed_at MUST always be <= the view revision at which it is observed.

Implementations MAY represent changed_at implicitly (e.g., via monotonic counters) as long as it satisfies the ordering properties above.

For an input slot (kind, key), changed_at MUST advance to the view’s new revision exactly when a set/remove operation changes the slot’s observable value (per r[equality.relation] for set, and existence/absence for remove). No-op mutations MUST NOT change changed_at.

For a derived record, changed_at MUST be updated according to early-cutoff (r[revision.early-cutoff]):

• If a recomputation at revision R produces a value equal to the previous cached value (per r[equality.relation]), changed_at MUST NOT advance.
• If a recomputation at revision R produces a value not equal to the previous cached value, changed_at MUST become R.

For interned records addressed by an intern ID, the record’s observable value is immutable once created. Therefore, for purposes of dependency tracking, implementations MAY treat interned records as having a constant changed_at that never advances.

Creation of new intern IDs MUST NOT change the observable value of any previously created interned record, and MUST NOT invalidate derived queries that depend only on existing intern IDs.

A derived record’s failure state (poison) is revision-scoped (see r[cell.poison]). Therefore, if (kind, key) failed at revision R and a later access occurs at revision R' > R, the earlier failure MUST NOT be treated as a valid cached result for R'.

Implementations MUST ensure that dependents are not “stuck” on an earlier failure: when a dependent revalidates against a dependency that is only known to have failed at an earlier revision, revalidation MUST fail (causing recomputation) unless the dependency has been successfully recomputed/validated at the dependent’s revision.

Picante MUST define three durability levels LOW, MEDIUM, and HIGH with a total order LOW < MEDIUM < HIGH. Higher durability means “expected to change less frequently”.

Each input kind MUST have an associated durability level. Every input slot (kind, key) of that kind inherits the kind’s durability level.

The durability level for an input kind MUST be specified as part of the ingredient definition (for example via a macro attribute parameter), and defaults to LOW if unspecified.

Interned records MUST be treated as HIGH durability, since they are immutable once created. Creating new intern IDs MUST NOT reduce the durability of existing interned records.

Durability MUST be non-observable: changing durability annotations MUST NOT change which values/errors are returned by inputs, derived queries, or snapshots. Durability MAY affect performance by enabling the implementation to skip some revalidation work, but only in ways that are conservative with respect to correctness.

Implementations MAY use durability to optimize revalidation as follows:

• Track, for each durability level D, a per-view revision watermark last_changed_at_at_or_above[D] equal to the most recent revision at which any input slot whose input kind has durability >= D changed.
• For each cached derived value, track an effective durability eff_dur equal to the minimum durability of all input kinds it (transitively) depends on.
• When revalidating a derived value whose cached verified_at >= last_changed_at_at_or_above[eff_dur], the implementation MAY treat revalidation as having succeeded without checking individual dependencies.

If these conditions are not met (or the implementation does not track them), it MUST fall back to dependency-based revalidation (r[cell.revalidate]).

When a derived query is recomputed at revision R and produces a value equal to the previously cached value (per r[equality.relation]), changed_at MUST NOT advance (it remains the prior changed_at), while verified_at MUST advance to R.

When accessing a cached derived value at revision R, if the cached value is not known-valid at R, the runtime MUST revalidate it by checking the stored dependencies:

• If every dependency’s changed_at is <= the cached value’s verified_at, revalidation succeeds and the cached value MUST be returned (with verified_at updated to R).
• Otherwise, revalidation fails and the query MUST be recomputed.

If a dependency’s ingredient is not available (e.g., the kind is not registered in the current database), revalidation MUST fail and recomputation MUST be attempted.

If computation fails (returns an error or panics), the runtime MUST record a failure for that (kind, key, revision) such that:

• Subsequent accesses at the same revision return the same error without rerunning the computation.
• After the revision advances due to an input change, a new access MAY attempt recomputation.

Failures propagate through dependency edges: if a derived query attempts to read another derived query and that dependency fails, the read MUST return an error and the dependent query’s evaluation MUST fail (unless user code explicitly handles the error as data).

If an in-progress derived-query evaluation at revision R is cancelled before it produces a successful value or an error (e.g., the future is dropped), the implementation MUST treat it as not having produced a result:

• It MUST NOT update the cached value for (kind, key) based on the cancelled evaluation.
• It MUST NOT record a failure for revision R solely due to cancellation.
• A subsequent access at the same revision R MAY retry evaluation and complete successfully or with an error.

Cancellation of one caller MUST NOT force other concurrent callers to observe a cancellation error; other callers MAY still obtain a normal value or error according to the semantics above.

Cancellation MUST NOT permanently block progress for the affected (kind, key, revision): after a cancellation, a subsequent access at the same revision MUST be able to either (a) observe a completed value/error from some other in-progress evaluation, or (b) start a fresh evaluation.

Whenever an input record changes at revision R, any derived query whose dependency set includes that input record MUST be treated as stale for revisions >= R.

Staleness is a logical property: implementations MAY propagate invalidation eagerly or lazily, but MUST ensure the revalidation rules above are upheld.

If, within a single logical derived-query evaluation (i.e., along one evaluation stack in one view), evaluation would (directly or indirectly) require evaluating the same (kind, key) again at the same revision, the runtime MUST report a dependency cycle error rather than deadlocking or waiting indefinitely.

This requirement does not mandate detection of cross-task/cross-evaluation cycles. (Those may still deadlock and are considered a usage hazard; see r[sharing.nonobservable] for the “sharing is non-observable” boundary.)

Interning MUST be value-deduplicating: if two calls intern values v1 and v2 such that v1 ≈ v2 (per r[equality.relation] for that interned kind), they MUST return the same intern ID.

If interning a value would require creating a new unique intern entry and doing so would exceed the configured state-byte limit (see r[limit.enforced]), the intern operation MUST fail with LimitExceeded and MUST have no observable effects.

If the value is already present in the intern table, the intern operation MUST succeed and return the existing intern ID regardless of the current state-byte usage.

The observable value of an interned record addressed by an intern ID MUST be immutable for the lifetime of the process. Reads through an intern ID MUST always return the same value.

Interning and reading interned values MUST NOT advance a view’s revision and MUST NOT invalidate derived queries that depend only on existing intern IDs.

The intern table for a database MUST be shared across all views of that database (primary and snapshots). Intern operations performed through any view MUST append to this shared table. Newly created interns MUST be immediately visible and usable from all views.

Interning operations across views of the same database MUST be linearizable with respect to one another: there MUST exist a single total order of successful intern operations such that each operation returns the intern ID that would result from applying them sequentially in that order.

In particular, concurrent attempts to intern equal values MUST always return the same intern ID (per r[intern.dedup]).

Creating a snapshot MUST bind it to a single revision R of the source database such that:

• For every input record, reads from the snapshot behave exactly as reads from the source database at revision R.
• For derived queries, evaluations performed against the snapshot MUST be consistent with the snapshot’s view of inputs and the derived-query semantics in this document.

Snapshot creation MUST be linearizable with respect to input mutations on the source view:

• There MUST exist a single revision R between invocation and completion of snapshot creation such that the snapshot is bound to R.
• Any input mutation that completes before R MUST be visible in the snapshot.
• Any input mutation that completes after R MUST NOT be visible in the snapshot.

In particular, the snapshot MUST NOT observe a “torn” state that could not exist at any single revision (i.e., different input records MUST NOT reflect different revisions).

A snapshot view has its own independent revision timeline:

• Mutations performed on a snapshot view MUST advance the snapshot view’s revision (per r[revision.advance]).
• Revisions of a snapshot view MUST NOT be compared to revisions of the source view for correctness.

The snapshot’s binding to the source revision R is defined by the snapshot creation requirements above; after creation, the snapshot evolves independently.

After snapshot creation, subsequent input changes in the source database MUST NOT be visible in the snapshot, and subsequent input changes in the snapshot MUST NOT be visible in the source database.

Derived query memoization MUST be non-observable across views: memoization activity in one view MUST NOT change the values or errors returned by another view. Implementations MAY share work or reuse completed results across views as an optimization, provided it remains non-observable per r[sharing.nonobservable].

Interned ingredients are exempt from snapshot isolation: the intern table is append-only and is shared across all views of a database. Newly interned values become visible to both the source view and snapshot views.

Such sharing MUST NOT change observable behavior: the values and errors returned MUST be indistinguishable from a correct, non-sharing implementation that evaluates each view independently under the semantics above.

The implementation MUST define a byte accounting scheme for the non-evictable state (“state bytes”). The accounting is implementation-defined but MUST be deterministic and conservative:

• If an operation would increase the implementation’s actual retained memory for non-evictable state, it MUST NOT decrease the accounted state bytes.
• State bytes MUST be measured per database (shared across views).

The accounting MUST include keys and values (or their retained representations) for input slots and interned values.

The implementation MUST allow configuring a maximum number of state bytes per database. If a mutation would cause state bytes to exceed the configured maximum, the mutation MUST fail with a LimitExceeded error and MUST have no observable effects:

• No partial state changes are permitted.
• The view revision MUST NOT advance.
• No invalidation or events may be emitted as a result of the failed mutation.

This applies equally to single mutations and batches.

Implementations MUST NOT implicitly evict or forget input records as a result of memory pressure or cache policy. The only way an input record becomes absent is via explicit user-visible mutation (e.g., remove or a batch that removes it).

Implementations MAY evict cached derived-query entries (values and associated metadata) at any time, provided eviction is non-observable:

• Eviction MUST NOT change the values or errors returned for any subsequent operations; it MAY only increase recomputation work.
• If a cached value has been evicted, a subsequent access MUST behave as if the value was not yet computed at that revision, and MUST recompute (subject to r[derived.revision-binding]).

Implementations MAY evict dependency metadata, but eviction MUST be conservative with respect to correctness:

• If dependency metadata needed for revalidation is missing, revalidation MUST fail and recomputation MUST be attempted (equivalent to treating the cached entry as stale).
• If reverse-dependency metadata used for eager invalidation is missing, implementations MAY fall back to lazy invalidation, but MUST still satisfy r[cell.revalidate] and r[dep.invalidation].

If (kind, key) is in a poisoned/failed state for revision R (per r[cell.poison]), the implementation MUST NOT evict that failure information while the view remains at revision R.

Equivalently: once an access has failed at revision R for (kind, key, R), subsequent accesses at revision R MUST continue to return that same failure even under eviction pressure.

After the view advances to a later revision due to an input change, the implementation MAY drop prior poisoned state consistent with r[cell.poison].

Intern tables are part of the non-evictable state and MUST NOT be evicted or compacted in a way that changes the meaning of an existing intern ID.

Intern tables MAY still be bounded via r[limit.enforced] by refusing to create new unique intern entries once the configured state-byte limit would be exceeded.