nearai · henrypark133 · Jun 25, 2026 · Jun 25, 2026 · Jun 25, 2026 · Jun 25, 2026
diff --git a/.claude/rules/database.md b/.claude/rules/database.md
@@ -82,6 +82,8 @@ Don't just translate `CREATE TABLE`. Also check:
 
 Multi-step operations (INSERT+INSERT, UPDATE+DELETE, read-modify-write) MUST be wrapped in a transaction. Ask: "If this crashes between step N and N+1, is the database consistent?" If not, wrap in a transaction. Applies to both backends.
 
+For the `RootFilesystem`/`ScopedFilesystem` mount plane, a filesystem read-modify-write MUST go through `ironclaw_filesystem::cas_update` (the one shared bounded-CAS-retry helper). Never wrap it in a per-record `tokio::sync::Mutex` held across the backend `.await` — it is a redundant serializer over a backend that already does versioned CAS and convoys/wedges the runtime under burst. See `crates/ironclaw_filesystem/CLAUDE.md` invariant 2 and `docs/plans/2026-06-25-cas-migration.md`.
+
 ## libSQL Connection Model
 
 `LibSqlBackend::connect()` creates a fresh connection per operation with `PRAGMA busy_timeout = 5000`. This is intentional -- no pool exists. Never hold connections open across `await` points. Satellite stores (`LibSqlSecretsStore`, `LibSqlWasmToolStore`) receive `Arc<LibSqlDatabase>` via `shared_db()` and call `.connect()` themselves -- never pass a live `Connection`.

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/ironclaw_capabilities/src/helpers.rs b/crates/ironclaw_capabilities/src/helpers.rs
@@ -276,6 +276,7 @@ pub(crate) fn approval_not_approved_error_kind(status: ApprovalStatus) -> &'stat
         ApprovalStatus::Approved => "ApprovalApproved",
         ApprovalStatus::Denied => "ApprovalDenied",
         ApprovalStatus::Expired => "ApprovalExpired",
+        ApprovalStatus::Discarded => "ApprovalDiscarded",
     }
 }
 
@@ -409,4 +410,15 @@ mod tests {
             CapabilityRunStateTransition::BlockAuth { .. }
         ));
     }
+
+    /// Regression for the `ApprovalStatus::Discarded` arm added to
+    /// `approval_not_approved_error_kind`: ensures the arm maps to the
+    /// correct string constant and does not silently drift to another value.
+    #[test]
+    fn approval_not_approved_error_kind_maps_discarded_status() {
+        assert_eq!(
+            approval_not_approved_error_kind(ApprovalStatus::Discarded),
+            "ApprovalDiscarded",
+        );
+    }
 }
diff --git a/crates/ironclaw_filesystem/CLAUDE.md b/crates/ironclaw_filesystem/CLAUDE.md
@@ -62,6 +62,34 @@ codified in `docs/reborn/2026-05-14-universal-fs-dispatch.md` (the new ADR).
    retry on `FilesystemError::VersionMismatch`. Consumers must never assume
    `begin`/`StorageTxn` is available; backends that don't expose it return
    `Unsupported` and that must be a working path.
+
+   **Use the shared `cas_update` helper — never a per-record mutex.** Every
+   filesystem read-modify-write MUST go through
+   [`ironclaw_filesystem::cas_update`](src/cas.rs) (bounded CAS-retry +
+   jittered backoff + overall timeout + fail-closed capability gate). Do NOT
+   wrap a filesystem RMW in a per-record `tokio::sync::Mutex`
+   (`FILESYSTEM_RECORD_LOCKS`-style) held across the backend `get`/`put`
+   `.await`: it is a redundant in-process serializer over a backend that
+   already does versioned CAS, and under burst it convoys every same-scope
+   writer behind one stalled writer (the 2026-06-24 runtime wedge). It also
+   tends to leak (a strong-`Arc` map that is never pruned). There is exactly
+   ONE CAS implementation — `cas_update`; do not re-copy the retry/backoff
+   loop into a store. `cas_update` fails **closed** on a non-CAS backend
+   (`CasUpdateError::CasUnsupported`) rather than falling back to a blind
+   `CasExpectation::Any` overwrite; all production store mounts resolve to
+   CAS-capable db/in-memory backends (`LocalFilesystem` is byte-only and is
+   structurally unreachable from those mounts), so fail-closed is correct.
+   See `docs/plans/2026-06-25-cas-migration.md`.
+
+   **Known scoped exception (tracked):** the `ironclaw_turns` runner-lease
+   sidecar (`filesystem_store/runner_lease.rs`, landed independently in
+   #5232) still drives its per-run lease records through a local
+   `put_with_cas` + `cas_retry_backoff` retry loop rather than
+   `cas_update`. This predates the migration on this branch and is not yet
+   re-homed; the main turn-state snapshot RMW *does* go through
+   `cas_update`. Do not copy the sidecar's loop as a precedent — migrate
+   it onto `cas_update` per follow-up #5274 (runner-lease CAS
+   consolidation). New stores must still use `cas_update` directly.
 3. **Capabilities are declared, not discovered.** A backend that cannot
    serve an `IndexKind::Vector` or a `Filter::Range` declares so up front
    via `BackendCapabilities`; mount-time validation refuses the attachment.

diff --git a/crates/ironclaw_filesystem/Cargo.toml b/crates/ironclaw_filesystem/Cargo.toml
@@ -31,6 +31,6 @@ tracing = "0.1"
 
 [dev-dependencies]
 tempfile = "3"
-tokio = { version = "1", features = ["macros", "rt"] }
+tokio = { version = "1", features = ["macros", "rt", "test-util"] }
 tracing-test = { version = "0.2", features = ["no-env-filter"] }
 uuid = { version = "1", features = ["v4"] }