feat(dds): squash-on-resubmit for non-tree DDSes

[anthony-murphy]

Summary

Implements reSubmitSquashed across all non-tree DDSes so staging-mode commits (commitChanges({ squash: true })) drop intermediate values before they reach the wire. Values written and removed within a single staging session — e.g. a sensitive string set and then deleted before commit — are no longer transmitted as part of the squashed batch. With this change, the listed DDSes no longer depend on the Fluid.SharedObject.AllowStagingModeWithoutSquashing config flag fallback.

Per-DDS treatment

DDS	Treatment
SharedCell, SharedCounter, SharedMap, SharedDirectory, SharedMatrix	Content-aware per-cell / per-key LWW squash
SharedTaskManager	Explicit override delegating to reSubmitCore (already collapses volunteer/abandon pairs by disconnect semantics)
SharedSequence / intervals	Unchanged — squash was already wired end-to-end via merge-tree's regeneratePendingOp(squash)
Ink, ConsensusRegisterCollection, ConsensusOrderedCollection, PactMap, legacy SharedArray, legacy SharedSignal	Identity squash with documented rationale (append-only, order-preserving, or consensus-bound semantics)

The mixed-lifetime case

For Map/Directory, PendingKeyLifetime groups consecutive sets on the same key with no intervening delete or clear. A pre-staging set(k, A) followed by a staging set(k, B) lands in one lifetime, with keySet A pre-staging and keySet B staging.

replayPendingStates({ committingStagedBatches: true }) only replays staged batches — pre-staging messages remain in flight at the runtime layer. The naive approach of wiping the entire lifetime during squash would lose pre-staging keySet A from kernel state, so when its ACK eventually arrives, the kernel finds the squashed lifetime instead and asserts 0xc07: Got a local set message we weren't expecting.

The fix in MapKernel.squashPendingDataForBatch / SubDirectory.squashPendingStorageForBatch:

1. Locate the staging boundary — either a standalone entry, or a (lifetimeIdx, keySetIdx) pair inside a lifetime.
2. Compute finalKeyOps first, including the mixed lifetime's staging suffix (its last keySet provides the candidate for that key, unless a later clear in the staging slice nullifies it).
3. Then mutate: truncate the mixed lifetime to its pre-staging prefix (splice the lifetime entirely if its prefix is empty); drop the pure-staging entries.
4. Submit the squashed ops.

Order matters — computing before mutating preserves the staging-suffix value needed for LWW.

The same shape (boundary detection, suffix-aware finalKeyOps, mutate-after) is used in both MapKernel and SubDirectory.

Test coverage

• Unit tests: new squash.spec.ts (Map, Directory) and matrix.squash.spec.ts (Matrix), plus inline blocks in cell.spec.ts and counter.spec.ts. Cover set-then-delete, set-then-set chains, clear-in-staging, delete-after-clear, single-pending pass-through.
• Stress: local-server-stress-tests now plumbs squash: random.bool() through ExitStagingMode ops, so the 200-seed default suite exercises end-to-end squash across all wired DDSes. The stress run is what caught the mixed-lifetime bug above — both the disposed-subdirectory guard and the keySet-boundary split were added in response to seeds it generated.
• Test helper: reconnectAndSquash is now exported from @fluid-private/test-dds-utils for per-DDS unit-test use. It was previously internal to the fuzz harness.

Result: 4,440 unit tests across 12 DDS packages pass, plus 200/200 stress seeds in the local-server-stress default workload.

Known scope limitations (intentional)

• SharedDirectory subdir create/delete lifecycle: not squashed (the create/delete ops carry no user content, so this is a future optimization rather than a leak fix). Existing reSubmitCore handles them.
• SharedTaskManager: in-staging abandon for a task volunteered pre-staging isn't propagated by this squash path — reSubmitCore assumes the server has already removed the client from the queue, which is consistent with TaskManager's overall connection-bound design.
• legacy SharedArray: identity squash. The insertEntry op carries the entry's user-supplied value, so an inserted-then-deleted entry within one staging session can still surface its value on commit. A full per-entry squash would mirror SharedMap's complexity in a DDS marked "not intended for use in new code" — left as a future task with a documented caveat in the code.
• ConsensusRegisterCollection: writes participate in version history exposed via readVersions(). Collapsing pending writes would change observable semantics; intentional no-squash.

Test plan

• pnpm install + fluid-build for every touched package
• Unit tests pass for cell, counter, task-manager, map (Map + Directory), matrix, sequence, ink, register-collection, ordered-collection, pact-map, legacy-dds
• local-server-stress-tests 200-seed default workload passes with randomized squash on every staging commit
• CI typecheck / lint / API-extractor across all affected packages

🤖 Generated with Claude Code

[github-actions]

Hi! Thank you for opening this PR. Want me to review it?

Based on the diff (3375 lines, 41 files), I've queued these reviewers:

• Correctness — logic errors, race conditions, lifecycle issues
• Security — vulnerabilities, secret exposure, injection
• API Compatibility — breaking changes, release tags, type design
• Performance — algorithmic regressions, memory leaks
• Testing — coverage gaps, hollow tests

How this works

• Adjust the reviewer set by ticking/unticking boxes above. Reviewer toggles alone don't trigger anything.

• Tick Start review below to dispatch the review fleet.

• After review finishes, tick Start review again to request another run — it auto-resets after each dispatch.

• This comment updates as new commits land; your reviewer selections are preserved.

• Start review

[anthony-murphy]

Claude here, following up on the algorithmic-complexity concern.

Inner-walk audit per DDS

DDS	Inner work per reSubmitSquashed call	Degenerate input	Per call	Total
SharedCounter	identity — delegates to reSubmitCore	—	O(1)	O(N) ✓
SharedCell	pendingMessageIds.indexOf + splice	many staged sets on one cell	O(N)	O(N²)
SharedMap / SharedDirectory	walk pendingData to locate metadata, walk again for subsumption, nested keySets.indexOf inside the locate	many staged sets on one key (all in one PendingKeyLifetime)	O(N) — and O(K²) inside the lifetime	O(N²)
SharedMatrix	per-cell local.findIndex + splice	many staged sets on one cell	O(K)	O(K²) per cell
SharedTaskManager	per-task latestPendingOps[].findIndex	many staged volunteer/abandon on one task	O(P)	O(P²) per task
SharedSequence	merge-tree internal	—	already amortized via merge-tree	—

Small change in 0d5957c

PendingKeySet now has a lifetime: PendingKeyLifetime back-pointer. dropIfSubsumed jumps to the containing lifetime in O(1) via metadata.lifetime and does the tip check by reference comparison (metadata === lifetime.keySets[length - 1]). No pendingData walk and no nested keySets.indexOf in the common non-tip case.

That collapses the locate phase for the "many sets on one key" pattern (everything in one lifetime) from O(K²) to O(K). The tip case and standalone clear / delete metadata still scan pendingData once (a single indexOf), and the subsumption walk for "any later entry affecting this key" remains O(N-i).

Remaining O(N²) risk and possible follow-ups (intentionally not in this PR)

The current code is still O(N²) in two narrower worst cases:

1. Many staged ops with mixed types in pendingData — the pendingData.indexOf for standalone metadata and the subsumption walk for "later entry affecting this key" are still O(N) per call. The fix would be either generation tracking (lastEntryGenerationByKey: Map<string, number> + lastClearGeneration: number, updated on push) or a per-key doubly-linked chain through pendingData entries. Both add maintenance overhead on every set/delete/clear submit, so I'd want signal that it's worth taking before doing it.

2. Many sets on one key — splice within lifetime.keySets — even with the back-pointer, dropping a non-tip keySet is still keySets.splice(idx, 1), which is O(K) for the shift. Total O(K²) for K drops in a row. The fix is either a linked-list keysets or a head-offset trick (keySetsHead: number + lazy compaction). Both are more invasive than the back-pointer because the existing iterator API also reads from keySets.

SharedCell, SharedMatrix, SharedTaskManager have analogous O(N) inner walks but their N is bounded per cell / per task in practice — happy to look at any of them if you'd like the same treatment.

The headline guarantee — staged inserted-then-deleted secrets don't reach the wire — is unchanged by these complexity considerations. Pushed in 0d5957c; 932/932 SharedMap+SharedDirectory unit tests pass, 199/199 stress seeds pass.

[anthony-murphy]

Claude here — preemptive cross-DDS audit while deep review runs. Ran an op-type-by-op-type sweep across every DDS in scope: enumerate each operation interface, find every submit / process / resubmit site, and verify the squash decision against each op type. Pushed in 542ed4d.

Verdicts per DDS

DDS	Op types audited	Verdict
SharedCell	setCell, deleteCell	✓ correct; both op types covered by LWW tip-check
SharedCounter	increment	✓ correct; only op type; identity squash sound
SharedMap	set, delete, clear	✓ correct; subsumption rules cover all three
SharedDirectory storage	set, delete, clear	✓ correct; same as Map plus subdir-reachability guard
SharedDirectory subdir lifecycle	createSubDirectory, deleteSubDirectory	✓ no leak (only subdirName string is on the wire); intentionally not squashed (idempotent server-side)
SharedMatrix	setCell, row/col vector ops	✓ correct; setCell per-cell LWW; vector ops delegate to merge-tree's squash=true
SharedTaskManager	volunteer, abandon, complete	✓ correct; reSubmitCore already collapses pairs by design
PactMap	set, accept	✓ safe via refSeq filtering in reSubmitCore
Ink	createStroke, stylus, clear	✓ documented intentional leak
legacy SharedArray	insertEntry, deleteEntry, moveEntry, toggle, toggleMove	✓ insertEntry leak documented; the other four carry only ids
legacy SharedSignal	signal	✓ documented intentional leak
SharedSequence text / intervals (text + endpoint channels)	INSERT, REMOVE, ANNOTATE, OBLITERATE, GROUP, interval ADD/CHANGE/DELETE	✓ correct for text and endpoints via merge-tree's regeneratePendingOp(squash)

Actionable findings, addressed in 542ed4d

1. SharedCell lacked a pre-staging-in-flight regression test (Counter/Map/Directory had one). Added: pre-staging set(\"pre\") → disconnect → set(\"secret\") + delete during staging → commit-squash → assert \"secret\" never reaches the peer. Per-op squash logic was already correct; the test closes a coverage gap.

2. ConsensusOrderedCollection.add leak was undocumented. Identity squash transmits the add op on commit, so add(secret) → acquire → complete inside a staging session sends secret. Comment updated to call this out alongside the SharedSignal / SharedArray / RegisterCollection callouts. No code change (the leak is intentional given the queue's order-dependent semantics — same logic as the others).

Known limitations, documented as not addressed in this PR

3. SharedSequence property channel is not squashed by merge-tree. Text content + interval endpoints squash correctly: insertText(0, \"secret\") → removeRange(0, ...) → squash drops the insert via squashInsertion() (merge-tree client.ts:1423-1442). But the property channel does not get the same treatment:

   • annotateRange(0, 1, {foo: \"secret\"}) → annotateRange(0, 1, {foo: \"public\"}) — both ops resubmit; the squash flag is unused inside merge-tree's annotate handling.
   • insertText(0, \"x\", {handle: poison}) with no later removal — the insert's properties resubmit verbatim (correct — the user committed them); but the inserted-then-removed case where squashInsertion() fires does suppress the segment data including its properties (no leak).
   • Interval CHANGE ops with property-only changes bypass squash logic entirely (endpointChangesNode === undefined short-circuits in rebaseLocalInterval).

   This is a pre-existing merge-tree gap, not introduced by this PR. The existing sharedString.squash.fuzz.spec.ts already notes "once we support squashing property changes, we should record additional information in poisonedHandleLocations" (line 156-158), confirming this was already known as future work. Adding it to the changeset's known-limitations list so it's explicit at release.

4. Subdir create+delete collapse: a staged deleteSubDirectory(x) → createSubDirectory(x) (same name) sends both ops. They're idempotent server-side and the wire ops only carry subdirName — no data-leak surface. Left as a future optimization rather than a correctness fix.

Test posture after this commit

• 932 + 13 + 217 + 791 + 23 + 217 + 234 + 14 + 94 + 260 + 1664 = 4,459 unit tests across 12 DDS packages, all green
• 199/199 stress seeds pass
• All three deep-review threads resolved

[anthony-murphy]

Correction to my own audit comment above. @anthony-murphy pointed out that subdirName is a leak, and they're right — user-supplied content can absolutely live in subdirectory names (user ids, tenant slugs, etc.). My earlier "no leak (only subdirName string is on the wire)" framing was wrong.

Fixed in d2bb799. New SubDirectory.dropIfSubsumedSubdirOp(subdirName, opType):

• A staged createSubDirectory(name) is subsumed if any later pending entry for the same name exists. If the subsumer is a deleteSubDirectory(name), both entries are spliced so the matching delete call also drops itself — neither op reaches the wire.
• A deleteSubDirectory(name) whose entry was already spliced (as part of a paired create) drops itself.
• A deleteSubDirectory(name) whose entry is still present (the pre-existing-subdir case) falls through to reSubmitCore; the name was already on the wire pre-staging, so no new leak.

Three regression tests in squash.spec.ts:

✔ drops a staged createSubDirectory + deleteSubDirectory pair so the subdir name doesn't leak
✔ keeps the final create when staged ops are create+delete+create on the same name
✔ preserves a delete of a pre-existing subdirectory (no leak, no false subsumption)

The first test sets up a peer listener on subDirectoryCreated / subDirectoryDeleted and asserts zero events fire for the squashed pair on a name like "secret-id".

935/935 SharedMap+SharedDirectory unit tests pass (was 932 before this fix). Stress re-run in progress.

[anthony-murphy]

Deep Review: dropIfSubsumedSubdirOp matches pending subdir entries by name + opType only — there is no entry identity and no staging-slice scoping, and the callers (SharedDirectory.reSubmitSquashed, pr.diff 441-461) pass only message.subdirName / message.type, never the originating PendingSubDirectoryEntry from SubDirLocalOpMetadata (the ICreateSubDirLocalOpMetadata / IDeleteSubDirLocalOpMetadata types at directory.ts:1127-1138 carry no pending-entry identity). Two independent repros converge on wrong-pair splicing:

Repro A — pre-existing subdir x, staged delete → create → delete. pendingSubDirectoryData = [delete-x #1, create-x #2, delete-x #3]. Squashing oldest→newest: when op #2 (create) runs, findIndex(... e.type === "deleteSubDirectory") returns delete-x #3 as the pair and splices both — leaving delete-x #1 in the array. Op #3 (delete) then findLast(... "deleteSubDirectory" ...) inside resubmitSubDirectoryMessage re-finds delete-x #1 and emits a second delete-x on the wire. On ACK: assert(pendingEntry !== undefined && pendingEntry.type === "deleteSubDirectory" && ..., 0xc31 /* Got a local deleteSubDirectory message we weren't expecting */).

Repro B — unacked pre-staging createSubDirectory("x"), staged delete + create. The staged create's findIndex returns the pre-staging create-x as the first same-name match, pairs it with the staged delete, and splices both — leaving the actual staged create unsent and corrupting pendingSubDirectoryData. The pre-staging entry's eventual ACK will then assert.

The sibling MapKernel.dropIfSubsumed plumbs a PendingKeySet.lifetime back-pointer for exactly this problem (pr.diff 415-421); the subdir lifecycle channel did not get the same treatment. PR #15493 / Abe27342 specifically flagged repeated same-name create/delete cycles as a pending-state correctness hazard in this exact file.

Fix options (either works):

• (a) Plumb a PendingSubDirectoryEntry back-pointer through SubDirLocalOpMetadata so the resubmit callsites carry the originating entry, and use reference equality here. Mirrors PendingKeySet.lifetime for symmetry.
• (b) Restrict matching to the staged slice (e.g., a known start index), and splice the matched entry out of pendingSubDirectoryData on the false/subsumed return so resubmitSubDirectoryMessage's findLast cannot re-find it.

This needs to land before merge — the failure surface (assert + lost staged ops + corrupted pending state) is worse than the leak the helper was added to close.

[anthony-murphy]

Deep Review: The new subdir-lifecycle suite covers create+delete (l.389), create+delete+create (l.421), delete pre-existing (l.442), and set+deleteSubDirectory (l.466), but does not enumerate the two permutations that trip the bug flagged on directory.ts (dropIfSubsumedSubdirOp):

1. Pre-existing (sequenced) subdir + staged delete → create → delete on the same name within one staging batch.
2. Unacked pre-staging createSubDirectory("x") + staged delete + create.

Both deterministically produce wrong-pair splicing under the current name-only match. The PR description acknowledges the disposed-subdir guard and the keySet-boundary split were "added in response to seeds the stress run generated" — i.e., the team is relying on randomized 200-seed stress to find these patterns, but the deterministic suite doesn't enumerate them, so regressions in the fix would be intermittently observable at best.

Add:

• (a) A test where a pre-existing (sequenced) subdir undergoes staged delete → create → delete on the same name; assert the squashed batch contains exactly one delete and no 0xc31 assert fires on ACK.
• (b) A permutation where an unacked pre-staging createSubDirectory("x") is followed by staged delete + create; assert the staged create is transmitted and the pre-staging tracking entry is preserved through its ACK.

Land alongside the directory.ts fix — the two are inseparable.

[anthony-murphy]

Closing the property-channel gap the audit identified.

What changed

merge-tree (40760b2)

SegmentGroupCollection.keysAnnotatedLaterThan(localSeq) returns the keys touched by later annotates on a given segment — derived from each later `SegmentGroup`'s `previousProps[i]` (whose keys are exactly the keys the annotate touched, by construction of `propertyManager.handleProperties`).

In `Client.resetPendingDeltaToOps` under `squash=true`:

• ANNOTATE case: `resetOp.props` is filtered against `keysAnnotatedLaterThan(segmentGroup.localSeq)`. If every key is overridden, the op is dropped entirely (no `createAnnotateRangeOp` call). Adjust ops (`resetOp.adjust`) are unchanged — different semantics.
• INSERT case: `segInsertOp.properties` is filtered the same way. The segment text still flows; only the per-key values later overwritten by a staged annotate are stripped. If the filter leaves no keys, `properties` becomes `undefined`.

sequence (interval collection) (8c68884)

`IntervalAddLocalMetadata` and `IntervalChangeLocalMetadata` now carry a `propertyKeys?: ReadonlySet` populated at submit time from the `props` arg.

In `IntervalCollection.resubmitMessage` under `squash=true` for ADD or CHANGE:

• If a later pending op for the same interval id is a DELETE, the entire ADD/CHANGE is dropped.
• Otherwise `value.properties` is filtered against the union of `propertyKeys` from later pending ADD/CHANGE ops on the same interval. Filtering is non-destructive (spread, not mutation). If the filter empties the property set, `properties` becomes `undefined`.

The prior `endpointChangesNode === undefined` bypass that skipped `rebaseLocalInterval` entirely for property-only CHANGE ops is still in place for the rebase path, but the property filter now runs before that branch, so property-only changes get squash treatment.

Regression tests

Four new tests in the existing `squash property channel` describe block:

```
✔ drops a staged annotate value overridden by a later staged annotate on the same range
✔ drops a staged insert's property value overridden by a later staged annotate
✔ drops a staged interval add subsumed by a later staged delete
✔ drops a staged interval change's property value overridden by a later staged change
```

Each test sets up a peer listener (segment `sequenceDelta` or interval `addInterval`/`propertyChanged`) and asserts the secret value never appears in the captured stream while the final value lands correctly.

Test posture

• 1555/1555 merge-tree tests pass
• 1668/1668 sequence tests pass (4 new)
• 935/935 SharedMap+SharedDirectory tests pass
• 200/200 stress seeds pass

Remaining audit gaps (documented, not in this PR)

The audit also flagged user-content leaks on identity-squashed DDSes where the op itself carries the leaked value and the DDS's semantics make true squash structurally harder than per-key filtering:

• `ConsensusOrderedCollection.add(value)`: the queue's `acquireId` is server-assigned, so a client can't tell at squash time whether a staged `add → acquire → complete` chain actually resolves to its own add. Documented in the override.
• legacy `SharedArray.insertEntry(value)`: insert-then-delete on the same `entryId` could be squashed but the DDS's internal pending state (counters per entry + a doubly-linked skip list) makes the change non-trivial. Documented.
• `ConsensusRegisterCollection` writes participate in `readVersions()` history; intentional.
• `Ink` and legacy `SharedSignal` ops are fire-and-forget user-event content; intentional.

If any of these blocks ship, I can prioritize them next.

[github-actions]

🔗 No broken links found! ✅

Your attention to detail is admirable.

linkcheck output

> fluid-framework-docs-site@0.0.0 ci:check-links /home/runner/work/FluidFramework/FluidFramework/docs
> start-server-and-test "npm run serve -- --no-open" 3000 check-links

1: starting server using command "npm run serve -- --no-open"
and when url "[ 'http://127.0.0.1:3000' ]" is responding with HTTP status code 200
running tests using command "npm run check-links"


> fluid-framework-docs-site@0.0.0 serve
> docusaurus serve --no-open

[SUCCESS] Serving "build" directory at: http://localhost:3000/

> fluid-framework-docs-site@0.0.0 check-links
> linkcheck http://localhost:3000 --skip-file skipped-urls.txt

Crawling...

Stats:
  288859 links
    1925 destination URLs
    2175 URLs ignored
       0 warnings
       0 errors

[anthony-murphy]

Deep Review

Reviewed commit 9a28475 on 2026-05-18.

Readiness: 5/10 — MAKING PROGRESS

Not ready for sign-off. Two Tier 2 issues remain open on this commit. The previously-flagged SubDirectory.dropIfSubsumedSubdirOp name+opType-only matching bug (thread on directory.ts:2562, coupled test gap on squash.spec.ts:440) is still unresolved on this head. A second Tier 2 surfaces this round: cell.spec.ts "preserves pre-staging set" cannot fail when the squash invariant breaks, because the shared reconnectAndSquash harness in test-dds-utils/src/utils.ts:42-43 forces squash=true for every pending op — the same harness limitation already addressed for Counter (thread 3245894861) but not extended to Cell. The fix (option (a) — patch the harness to apply squash=true only to the staged subset) also closes the analogous fidelity gap in the Matrix/Map/Directory pre-staging tests that piggyback on the same helper. Held Tier 3 polish (PR-body / changeset documentation drift, wireBlacklist unbounded growth, orphan interval DELETE, silent out-of-tree AllowStagingModeWithoutSquashing fallback, Ink rationale) is queued behind the Tier 2 set.

Path to Ready

• Resolve inline threads
• Complete the last CI box in the test plan (typecheck / lint / API-extractor) and confirm 200/200 stress seeds remain green on 9a28475
• Refresh PR body's "mixed-lifetime case" section to describe tryResubmitSquashedMessage / dropIfSubsumed instead of the nonexistent squashPendingDataForBatch algorithm
• Update PR body's per-DDS treatment table: move legacy SharedArray out of the "Identity squash" row, and add subdir create/delete pair squash to the SharedDirectory row
• Un-draft once the above land

Context for Reviewers

• packages/dds/map/src/directory.ts is the highest-churn file in this PR. PR Fix eventual consistency issues in Shared Directory regarding Reconnection #15493 (jatgarg, 2023-05-26) fixed eventual-consistency bugs in SubDirectory reconnect-resubmit; reviewer Abe27342 specifically flagged repeated same-name create/delete cycles as a pending-state hazard there — the exact pattern that trips S1. Tag Abe27342 and jatgarg for the S1 fix shape.
• Runtime ↔ DDS contract — the per-op subsumption model and both proposed fix shapes (S1 back-pointer; S2 harness patch) depend on the invariant that pre-staging ops still in flight are never passed to reSubmitSquashed. Tag markfields.
• The sibling MapKernel.dropIfSubsumed already plumbs a PendingKeySet.lifetime back-pointer for the storage path (pr.diff 415-421); the subdir lifecycle channel did not get the same treatment. Natural symmetry for one of the S1 fix options.
• Lands the squash-rebase work deferred from staging-mode introduction in PR Add experimental "Staging Mode" for holding changes locally to be either committed all at once, or discarded #23783; reSubmitSquashed mirrors the resubmit pipeline contract from PR Align apply stashed ops with re-submit #19518.
• Counter and Ink identity-squash semantics: tag ChumpChief (original author of both) for a sanity check that an inserted-then-deleted Ink stroke or zero-net Counter increment surfacing on the wire is acceptable under staging-mode squash. SharedCell.reSubmitSquashed relaxes the pendingMessageIds-FIFO invariant from PR Local Rollback for Cell #12273 — worth an ack from scarlettjlee.

For human reviewer

• Runtime ↔ DDS contract — does the runtime guarantee that pre-staging ops still in flight are never passed to reSubmitSquashed? Load-bearing for the per-op subsumption model and for both Tier 2 fix shapes. (markfields)
• S1 fix shape — PendingSubDirectoryEntry back-pointer through SubDirLocalOpMetadata (mirroring PendingKeySet.lifetime) vs. staged-slice scoping with splice-on-false. Either resolves the bug; choice is a maintainability/symmetry call best made by the SubDirectory pending-state owners. (Abe27342 / jatgarg)
• Counter identity-squash semantics — preserving per-op incremented events through squash rather than algebraic coalescing to net sum is defensible but worth a sanity check. Both blind design reviewers independently flagged coalescing as the natural approach. (ChumpChief)
• Ink clear-as-barrier — both blind reviewers flagged that a staged clear could subsume earlier staged strokes; left as identity squash. Semantic call. (ChumpChief)
• AllowStagingModeWithoutSquashing default — keeping silent fallback as the default for out-of-tree DDSes is defensible back-compat but contradicts the PR's stated privacy goal for third-party DDSes. Default flip vs. one-time telemetry/warning is a deprecation policy call.
• Stress runtime characteristics — author cites 200/200 stress seeds passing, but the perf cost of dropIfSubsumedByLaterStorageOp over long lifetimes and the staged-slice scan in any S1 fix cannot be assessed by static review.
• Cross-fork compatibility — whether out-of-tree DDS implementers should be notified of the staging-mode squash override contract ahead of any future default flip on AllowStagingModeWithoutSquashing.

Review history (3 prior reviews)

• 887e66b 2026-05-15 · 5/10 — SubDirectory.dropIfSubsumedSubdirOp matches by name+opType only; wrong-pair splicing on same-name delete→create→delete and on pre-staging-create + staged cycle
• 600ec6d 2026-05-15 · 5/10 — Counter and MapKernel fixes resolved prior Tier 2 threads; SharedDirectory disposed-subdir set + deleteSubDirectory leak flagged
• 65c8a84 2026-05-15 · 4/10 — Counter and MapKernel correctness bugs flagged inline (both now resolved by author push)