Iter 44. Pins the gate's saturating_sub-based debounce as safe under
clock perturbation. NTP rollback, system-clock adjustment, monotonic-
source switch — all can produce a backward `timestamp_ns` between
calls. The gate must NOT promote spuriously on backward jumps and
MUST NOT panic on identical / zero / u64::MAX-ish timestamps.
Added (in tests/gate_clock_skew.rs, no_std-compatible):
- 7 named tests, all green:
backward_jump_after_pending_does_not_promote_prematurely
Pending at t = DEBOUNCE_NS + 100; backward jump to t = 0.
saturating_sub(0, DEBOUNCE_NS+100) = 0 < DEBOUNCE_NS → no promotion.
forward_recovery_after_backward_jump_still_promotes_correctly
Backward jump doesn't corrupt the pending `since` stamp; once wall
time advances past since + DEBOUNCE_NS, promotion fires normally.
identical_timestamps_across_repeated_polls_do_not_progress_state
Five identical timestamps in a row — gate never promotes; both
current and pending remain stable. Important for HA dashboards
polling at >1Hz: the polling itself must not cause transitions.
backward_jump_with_no_pending_is_a_noop
Edge: no pending in flight, backward jump — gate stays clean.
very_large_forward_jump_promotes_but_does_not_panic
Stress: t = u64::MAX/2 jump. No overflow, no panic, promotes.
backward_then_forward_into_different_action_band_resets_pending_correctly
More subtle: pending PredictOnly → backward jump WITH a different
score (recalibrate-grade) — pending target changes, debounce
clock resets to the new (smaller) timestamp; forward by DEBOUNCE_NS
promotes to Recalibrate.
no_panic_on_zero_timestamp_with_predict_only_pending
Regression guard: a poorly-initialized monotonic clock could
deliver t=0 as the first sample. Gate must not panic.
ADR-124 status (iter step 0 sibling check):
- docs/adr/ADR-124-rvagent-mcp-ruvector-npm-integration.md unchanged
at 431 lines. SENSE-BRIDGE scope remains orthogonal.
ACs progressed:
- ADR-121 §2.5 debounce property — saturating_sub usage now has a
regression test. A future PR that swaps to plain `-` (panic on
underflow) fires `no_panic_on_zero_timestamp_with_predict_only_pending`.
- ADR-118 §2.1 operator-facing diagnostic safety — current_gate_action
polled at the same timestamp from a Prometheus exporter or HA
dashboard cannot cause unintended state transitions.
Test config:
- cargo test --no-default-features → 97 passed (90 + 7 no_std-compat)
- cargo test → 303 passed (296 + 7)
Out of scope (next iter target):
- PR-readiness pivot still pending: CHANGELOG, witness bundle,
AC closeout table. External-resource-gated work (KIT BFId,
Pi5/Nexmon) still skipped.
Co-Authored-By: claude-flow <ruv@ruv.net>
6aa5eb17e1