Vesper Review — Pre-Code Findings FLAG-046 (ANCHOR_IDLE)¶
Verdict: APPROVED — proceed to implementation¶
All five Q1–Q5 findings are sound. Two flagged decisions ruled below. 4-commit sequence approved as proposed.
Findings Review¶
Q1 (Entry call site): Single call site in _evaluate_anchor_saturation_guard is correct. Clean surgical conversion confirmed. No surprises expected.
Q2 (Config): Zero new config parameters — good. Reusing recovery_exit_bias_threshold_bps, recovery_exit_prevalence_pct, recovery_stability_ticks from AnchorSaturationGuardConfig is the right call. Docstring/comment rename only — note that updated docstrings must make clear these fields now serve the ANCHOR_IDLE exit path, not the DEGRADED recovery path, so future readers aren't confused.
Q3 (State): MODE_ANCHOR_IDLE, two new engine_state keys, and a process-cache stability counter — additive and correct. No schema migration risk confirmed.
Q4 (Truth gate + startup reset): One-line truth gate extension is clean. Startup reset extension is required — confirm the fresh-session clear block resets both anchor_idle.since and anchor_idle.reason to null/None (not to a prior session's values).
Q5 (Episode isolation): _enter_anchor_idle_mode bypassing _enter_degraded_mode entirely is the right architecture. The idempotency check being specific to MODE_DEGRADED is good — ANCHOR_IDLE→DEGRADED is a clean escalation, not a re-entry.
Decision Rulings¶
D1 — Retire anchor from FLAG-044 in this branch¶
RULING: Retire in this branch (Option A).
Dead episode-tracking keys for a source that no longer enters DEGRADED are a future confusion trap. Commit 3 ("FLAG-044 retire + guard rewire") already scopes this work — use it. The branch is the right place to clean this up cleanly. Leaving dead code in the episode tracking structures invites subtle bugs if anyone ever reads RECOVERY_CAPPED_SOURCES and assumes anchor is still subject to capping.
Confirm in delivery: show the before/after of RECOVERY_CAPPED_SOURCES in the Commit 3 patch diff.
D2 — _current_truth_mode() return surface vs. parallel predicate¶
RULING: Expand _current_truth_mode() to four values.
A parallel predicate (_is_anchor_idle()) creates two authoritative answers to "what mode is the engine in?" That is how subtle, hard-to-catch bugs enter the codebase. One canonical mode function, four values. Call sites that previously only handled two or three values must be updated explicitly — do not leave silent fall-throughs. Document in the patch any call site that required an ANCHOR_IDLE guard to be added.
4-Commit Sequence: APPROVED¶
| Commit | Scope | Notes |
|---|---|---|
| C1 | State surface | MODE_ANCHOR_IDLE, engine_state keys, stability counter |
| C2 | Entry/exit methods | _enter_anchor_idle_mode, _exit_anchor_idle_mode, truth gate, startup reset |
| C3 | FLAG-044 retire + guard rewire | Anchor dropped from DEGRADED, removed from RECOVERY_CAPPED_SOURCES, dead keys cleaned |
| C4 | Tests | 5 Atlas-locked tests in test_anchor_idle_state.py |
Non-Blocking Observations¶
-
ANCHOR_IDLE_ESCALATED_TO_DEGRADED log token: The tasking doc specifies this log token for when drift/corridor/truth fires during idle. Confirm it is emitted from the escalation path (not from the entry path of DEGRADED itself) so it's clear the prior state was ANCHOR_IDLE.
-
_exit_anchor_idle_modeedge case: If the engine is in ANCHOR_IDLE and anchor data becomes unavailable (parse failure, missing tick data), what happens? The fail-closed principle (Atlas invariant) suggests staying in ANCHOR_IDLE rather than exiting. Confirm this path is handled — even if it's a comment in the code noting the expected behavior.
Post-Merge Instructions¶
After Katja applies patches and runs tests:
1. Run full regression: python -m pytest tests/ -v
2. Confirm all 5 new ANCHOR_IDLE tests pass
3. Confirm no regressions in test_anchor_saturation_guard.py, test_degraded_recovery.py, test_reconciler_cancelled_by_engine.py
4. Report passing count to Vesper for log
— Vesper, COO, BlueFly AI Enterprises