Skip to content

docs: post-audit reconciliation — provenance limits, cascade U3/limitations, trace cross-refs#195

Open
dimitri-yatsenko wants to merge 1 commit into
mainfrom
docs/post-audit-provenance-cascade
Open

docs: post-audit reconciliation — provenance limits, cascade U3/limitations, trace cross-refs#195
dimitri-yatsenko wants to merge 1 commit into
mainfrom
docs/post-audit-provenance-cascade

Conversation

@dimitri-yatsenko

Copy link
Copy Markdown
Member

Documentation batch from the comprehensive 2.3 post-release audit of part integrity, provenance, and cascade/trace/upstream (code vs docs). Six files.

Per-file summary

reference/specs/provenance.md

  • Enforcement limits list: added ungated deletes (delete()/delete_quick() inside make()); extended the existence/count-idiom bullet to note Aggregation/Union len/bool share the bypass.
  • Write enforcement: added update1 rows — gated like insert (target must be self/Parts, key-consistent), with the exact blocked-update error message.
  • Key consistency: documented the INSERT … SELECT server-side exception (per-row key check does not apply; target check still governs) and the update1 mismatch message.
  • §2: noted a table's own Parts are not reachable via self.upstream[...] (read them as self.PartName), and added a merge/master-part boundary note — trace does not descend from an ancestor Master into its Parts (Parent → Master.Part → Master → Child: trace reaches Master only).
  • Config wording (connection._config); softened "provenance guarantee" → "provenance model".

reference/specs/cascade.md

  • U3 corrected to child.proj(*attr_map.keys()) (spec had the pre-fix child.proj() form); Worked Example 1 step 3 updated.
  • F1/U1 triggers now require a non-empty attribute set (empty set takes rule 3).
  • New Limitations section: single-FK-path upward walk (nx.shortest_path), materialization memory cost (preview pays it too), empty-match sentinel, and the enforce post-check's table-level granularity (rare false negatives/positives).
  • Refreshed the stale "trace is tracked in Implement Diagram.trace() for upstream restriction propagation datajoint-python#1423" paragraph — trace shipped in 2.3 and reuses U1/U2/U3.

reference/specs/diagram.md — added a Diagram.trace() section (was absent — split-brain with provenance.md) cross-linking the normative spec; corrected the claim that "enforce" makes preview error (preview never errors; enforcement is Table.delete()'s post-check); noted part_integrity value validation.

reference/specs/autopopulate.md — de-staled §4.3 ("a future release may enforce…" → strict_provenance shipped in 2.3, opt-in) and added §4.3.1 documenting self.upstream (lifecycle incl. exception-path cleanup, outside-make() error, laziness/no caching, tripartite availability, ancestors-only scope).

how-to/run-computations.md — new task-oriented section "Provenance-safe make()": reading ancestors via self.upstream[T], staged strict_provenance rollout (staging → fix → production), and what the guardrail does/doesn't catch.

about/whats-new-23.md — "provenance guarantee" → "provenance model".

Companion code PRs (docs written to the post-fix state)

  • fix(strict_provenance): gate update1 inside make() (target + key consistency) datajoint-python#1480update1 strict gate (open): this PR documents update1 as gated, matching that fix.
  • datajoint/datajoint-python fix/cascade-multi-part-master (forthcoming) — fixes the once-per-master under-restriction in part_integrity="cascade" and adds part_integrity value validation to Diagram.cascade(); accordingly this PR does not document the once-per-master behavior as a limitation, and diagram.md's validation note assumes it.

If either companion PR changes shape in review, the corresponding lines here should be adjusted before merge.

…ations, trace cross-refs

Follow-up to the comprehensive 2.3 post-release audit of part integrity,
provenance, and cascade/trace/upstream across code and docs.

provenance.md:
- Enforcement limits: add ungated deletes; extend the existence/count-idiom
  bullet to Aggregation/Union results.
- Write enforcement: update1 rows (gated like insert; exact error messages).
- Key consistency: INSERT ... SELECT server-side exception; update1 mismatch
  message.
- §2: own Parts not reachable via self.upstream (read as self.PartName);
  merge/master-part boundary note (trace does not descend into an ancestor
  Master's Parts).
- Config wording: flag read from connection._config; soften 'provenance
  guarantee' to 'provenance model'.

cascade.md:
- U3 corrected to child.proj(*attr_map.keys()) (and Worked Example 1 step 3).
- F1/U1 triggers: non-empty attribute set required; empty set takes rule 3.
- New Limitations section: single-FK-path upward walk, materialization memory
  cost (preview pays it too), empty-match sentinel, enforce post-check
  table-level granularity.
- Refresh stale trace paragraph: trace shipped in 2.3, reuses U1/U2/U3.

diagram.md:
- Add Diagram.trace() section cross-linking provenance.md §1.
- Correct 'enforce' preview claim (preview never errors; enforcement is
  Table.delete()'s post-check); note part_integrity value validation.

autopopulate.md:
- De-stale §4.3 ('a future release may enforce' -> strict_provenance shipped
  in 2.3, opt-in).
- New §4.3.1 documenting self.upstream (lifecycle, laziness, tripartite
  availability, ancestors-only scope).

run-computations.md:
- New task-oriented section: provenance-safe make() — self.upstream usage,
  staged strict_provenance rollout, what the guardrail does/doesn't catch.

whats-new-23.md: 'provenance guarantee' -> 'provenance model'.
**Upstream-only convention:** Inside `make()`, fetch only from tables that are strictly upstream in the pipeline—tables referenced by foreign keys in the definition, their ancestors, and their part tables. This ensures reproducibility: computed results depend only on their declared dependencies.

This convention is not currently enforced programmatically but is critical for pipeline integrity. Some pipelines violate this rule for operational reasons, which makes them non-reproducible. A future release may programmatically enforce upstream-only fetches inside `make()`.
As of DataJoint 2.3, this convention is checked (opt-in) at runtime: setting `dj.config["strict_provenance"] = True` makes reads from undeclared tables and writes to tables other than `self` (and its Parts) raise `DataJointError` inside `make()`. The check is a best-effort development guardrail; see the [Provenance Specification](provenance.md) for the enforcement model and its documented limits.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reading from any table that is not part of the "trace" (all tables above in the DAG and their part tables) will raise an error, not "undeclared tables."

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant