Cross-Cutting Synthesis · Deeper Track

Idempotency everywhere

Why every write in the system is safe to apply twice — and the four ways it gets there. ~13 min.

Synthesizes: L7 · L9 · L15 · L33 Anchor: replay a day, get the same graph New: at-least-once ⇒ idempotent

MERGE not CREATE (L4). Dedup an alert by msg-id (L15). A graphwrite IdemKey (L9). An anti-join before a bridge edge (L27). Create-then-mark a Linear ticket (L33). A replay-safe AT_RISK supersede (L19). Six lessons, one defense — against a single fact about the system. This is the third synthesis: after what to combine (L46) and how to combine it reproducibly (L47), here's how to write the result safely when the same write may happen many times.

Your anchor: replay a day, get the same graph

Two things you've seen the system promise: you can replay a day of blocks and the graph comes out identical (L8), and a consumer can crash mid-batch, have its work redelivered, and nothing doubles (L7). Both promises require the same property: applying a write a second time must change nothing. That property is idempotency, and it's not optional here — it's forced by how the pipeline moves data.

1 · The root cause: at-least-once delivery

The pipeline runs on Redis Streams with consumer groups (L7). The delivery guarantee there — and in essentially every durable queue — is at-least-once: an entry isn't considered done until the consumer XACKs it, so a crash, a timeout, or backpressure between processing and ack means the entry is redelivered. You cannot buy exactly-once delivery in a distributed stream — it's a well-known impossibility.

So "exactly-once" is bought on the write side

The trick the whole industry uses, and this codebase with it: at-least-once delivery + idempotent processing = effectively-once (L15's exact phrase). You let the message arrive one-or-more times, and you make handling it twice indistinguishable from handling it once. Every write you've studied is built to survive its own redelivery — that's why idempotency is everywhere, not a feature of one subsystem.

2 · The four techniques

Idempotency always reduces to the same goal — make the write a pure function of a stable key and current state — but it's reached four ways depending on what you're writing.

A · Stable-key upsert — "address the effect by a key, hit the same slot"

Write	The key	Why a replay is a no-op
`MERGE` a node/edge (L4)	the node/edge `id`	match-or-create on a stable id → second write matches, doesn't duplicate
alert → OpenSearch (L15)	`doc-id = msg-id`	redelivered alert overwrites the same doc → one stored alert
graphwrite request (L9)	`IdemKey`	the writer dedups a request with a key it's already applied

The shape is always "name the effect by a key so the second occurrence lands on the first." CREATE, by contrast, duplicates on replay — which is why you almost never see it on the hot path (L42).

B · Monotonic guard — "a stale replay loses to the newer truth"

SET r.foo = $v WHERE coalesce(r.updated_block, 0) <= $block   // newer-block-wins

Re-applying an old write (a replay, or a reconcile heal racing an event) matches zero rows because the stored updated_block is already newer. You saw this as the write-path's monotonic guard (L4) and as the reconcile transport's temporal fence (L31, behind a WITH). It buys idempotency and ordering at once: the same write twice is a no-op, and an out-of-order write can't clobber fresher state.

C · Existence guard — "only act if not already done"

The oracle bridger's anti-join (L27): WHERE NOT EXISTS { MATCH (market)-[:ORACLE_DEP]->(oracle) } MERGE …. Once the edge exists, the pass creates nothing — so running it every 30 min converges and then idles. The interval-bucketed IdemKey (L27) is the same instinct at the request level.

D · Whole-set recompute — "the output is a pure function of current inputs"

The AT_RISK edge supersede (L19): MERGE the current cells' edges and unconditionally delete any inbound AT_RISK edge not in this run, both keyed on the same $runAt. The final edge set is a pure function of the current cell set, regardless of apply order or how many times it runs. Genesis's balance rebuild (L37) is the same idea at startup — re-derive the whole cache from the graph; safe to run every boot.

3 · The hard case — idempotency for an external side effect

MERGE works because you control the database. But you can't MERGE a Linear ticket or a sent notification — the effect lives in someone else's system. L33's promoter is the template for that case:

Record the key yourself, and own the window

Since there's no upsert, the promoter creates the ticket, then stamps its id back (SetLinearIssueID); the next fetch excludes already-stamped findings, so it files exactly once. But the two writes (Linear + your store) can't be atomic, so there's an unavoidable failure window (created-but-not-stamped → a possible dupe). You don't eliminate it; you choose the order whose failure is recoverable (a visible duplicate, caught by a counter) over the silent one (a dropped finding). External-effect idempotency = a recorded key + a deliberately-chosen failure mode.

4 · The trilogy, and the deeper tie

Idempotency is the write-side twin of determinism (L47). Both are "same inputs → same result": determinism is same computation → same value; idempotency is same write applied N times → same final state. And block-determinism (L8) — "state at cursor N is a pure function of blocks 0..N" — needs both: a replayed block must re-compute the same values (L47) and re-apply them without doubling (here). The three syntheses line up:

Synthesis	The question it answers
Combinators (L46)	What number to produce (collapse vs add, worst vs best)
Float-determinism (L47)	How to produce it reproducibly
Idempotency (this)	How to write it safely when the write may repeat

One fact, one discipline

Because delivery is at-least-once, every write must be a no-op on replay — so the system reaches for a stable key, a monotonic guard, an existence check, or a whole-set recompute, and for external effects, a recorded key with a chosen failure window. Now any write you read, you can ask "what makes this idempotent?" and find the answer — and a CREATE where a MERGE belongs, or a dedup key that isn't stable, jumps out at you in review.

Check yourself

1. Why must essentially every write in the system be idempotent?

2. The system can't guarantee exactly-once delivery. How does it get "effectively-once" anyway?

3. Alerts are stored with doc-id = msg-id in OpenSearch. What does that achieve on a redelivered alert?

4. The write-path guard WHERE coalesce(r.updated_block, 0) <= $block gives idempotency plus one more property. Which?

5. The oracle bridger runs every 30 min with WHERE NOT EXISTS { (market)-[:ORACLE_DEP]->(oracle) } MERGE …. Which idempotency technique is this?

6. The AT_RISK supersede MERGEs current edges and deletes any inbound AT_RISK edge not in this run, both keyed on $runAt. Why does that make the edge set replay-safe?

7. Why can't the Linear promoter (L33) just MERGE its ticket the way the graph writes do?

8. How do determinism (L47) and idempotency (this lesson) relate?

↳ Ask your teacher

Try: "Walk the exactly-once-delivery impossibility argument in one paragraph." · "Where could a non-idempotent write still sneak in — a CREATE on the hot path?" · "How is the graphwrite IdemKey computed, and what's its dedup window?" · "Is the alert msg-id stable across a full pipeline replay?" · "What's the recoverable-vs-silent failure choice in create-then-mark, exactly?"

What you can now do

Explain why at-least-once delivery makes idempotency mandatory, and what "effectively-once" means.
Classify any write into one of the four techniques: stable-key upsert, monotonic guard, existence guard, whole-set recompute.
Explain external-effect idempotency (recorded key + chosen failure window) and why MERGE doesn't apply.
Relate idempotency to determinism (L47) and block-determinism (L8) as the write face of reproducibility.
Spot a non-idempotent write — a CREATE where MERGE belongs, or an unstable dedup key — in review.

The synthesis trilogy is complete

L46 (what to combine) · L47 (how to compute it reproducibly) · L48 (how to write it safely under redelivery). Three lenses that turn the codebase's scattered conventions — MAX/SUM/MIN, KeyedSum/×1.001, MERGE/IdemKey — into three coherent disciplines. This is the level at which you could change the system and know you hadn't broken an invariant — exactly what the mission set out to build.

← PreviousLesson 47 · Cross-Cutting Synthesis · Deeper Track Next →Cross-Cutting Synthesis · Deeper Track

Synthesizes code already cited in: Redis Streams consumer groups / at-least-once (L7), MERGE + monotonic updated_block guard (L4), graphwrite IdemKey + replay-idempotent recorder (L9), alert doc-id = msg-id dedup (L15), AT_RISK $runAt supersede (L19), oracle-bridger anti-join + interval-bucketed IdemKey (L27), reconcile temporal fence (L31), Linear create-then-mark + SetLinearIssueID (L33), genesis idempotent rebuild (L37); block-determinism (L8). Verify against source — the code is the truth.