protocol: non-atomic multi-store writes in handoff and bounty paths

[windoliver]

Summary

Two critical protocol paths write to multiple stores without transactional guarantees, risking inconsistent state on partial failure.

1. Handoff creation on non-SQLite stores

contributeOperation in src/core/operations/contribute.ts has two code paths for handoff creation:

• Atomic path: When the store supports putWithCowrite (duck-typed SQLite), handoff creation runs inside the same transaction as the contribution write. Safe.
• Non-atomic path: When putWithCowrite is not available (e.g., Nexus HTTP stores), the contribution is written first, then handoff creation runs separately. If handoff creation fails, the contribution exists but downstream agents never get notified.

The non-atomic path also writes debug output to /tmp/grove-debug.log — operational noise in library code.

2. Bounty claim is two separate store calls

claimBountyOperation in src/core/operations/bounty.ts calls:

1. claimStore.claimOrRenew(claim) — creates the claim
2. bountyStore.claimBounty(bountyId, claim.claimId) — updates the bounty

If step 2 fails, we have a dangling claim with no corresponding bounty update. Manual repair required.

Proposed fixes

Short term

• Wrap the non-atomic handoff path in try/catch with rollback (delete the contribution if handoff creation fails)
• Add a claimBountyAtomic that either wraps both calls in a single SQLite transaction or uses a compensating action pattern
• Remove the /tmp/grove-debug.log write

Long term

• Consider a saga pattern for multi-store operations
• Or ensure all store combinations support a "co-write" primitive

Files

• src/core/operations/contribute.ts — non-atomic handoff branch
• src/core/operations/bounty.ts — claimBountyOperation

[windoliver]

Closing — consolidating into #240.

What landed (handoff half)

PR #239 / commit `bc0a945` addresses the handoff portion of this issue's scope:

• Parallel fan-out with per-failure logging — `contributeOperation.writeSerial` in `src/core/operations/contribute.ts` now uses `Promise.allSettled` instead of a serial loop + silent catch. One handoff failure no longer aborts the remaining handoffs, and each failure is surfaced via `console.warn` with the target role and contribution CID.
• `/tmp/grove-debug.log` noise removed — the unconditional inline `appendFileSync` calls in `nexus-handoff-store.ts` and `nexus-contribution-store.ts` are replaced with a shared `debugLog()` helper gated behind `GROVE_DEBUG=1` (default: no-op).

The contribution rollback on handoff failure recommendation from this issue's short-term section was deliberately not implemented. Rolling back committed agent work on a transient downstream notification failure is strictly worse than leaving the contribution committed with a logged warning. The correct fix is a handoff reconciler, which is now tracked in #240.

What's still outstanding

Both remaining concerns from this issue — the handoff reconciler and the bounty claim atomicity — are tracked under #240, which has been re-titled to reflect the consolidated scope:

bounty multi-store atomicity + saga (absorbs #227): compensation bugs, handoff reconciler, settle-before-pay

#240 has the full analysis of the bounty-side bugs (3 codex-flagged correctness issues in the WIP compensation), the capture-idempotency insight that makes main's current ordering retryable, three design options with effort estimates, and a recommended execution order (option c revert first, then handoff reconciler, then optional saga).

Follow-up work should reference #240, not this issue.