v3.0: parallel imports, remote symbols, refusal reasons, believe multiline fix

V3-1: parallel evaluator full import support (AUD-OVERNIGHT-02 fix)
- Branch interpreters receive resolved_imports
- should_parallelize threshold updated for imported symbols
- 2 regression tests

V3-2: remote symbol resolution
- RemoteStore with fetch-and-cache and hash-verification
- codifide serve --read-only for public registry deployments
- codifide store push --registry, codifide run --registry
- 16 new tests

V3-3: refusal reasons (bottom "reason")
- BottomExpr gains optional reason field
- BottomWithReason runtime value; RefusalError.reason propagated
- Canonical JSON: reason key emitted only when present (backward-compatible)
- Rust: Expr::Bottom{reason}, Value::Bottom{reason}, Error::Refusal{reason}
- 24 new tests

FIND-G1: believe arm value on continuation line
- Python and Rust parsers: empty RHS after => gathers next indented line
- Supports multi-line if/then/else as arm values
- 3 regression tests

__version__ bumped to 3.0.0
386 tests passing

Author: Douglas Jones

CHANGELOG.md

@@ -3,10 +3,37 @@
 All notable changes to Codifide are recorded here. Releases follow semver once we
 reach v1.0; until then, the canonical form may change between minor versions.
 
-# Codifide Changelog
+## [3.0.0] — 2026-05-14
 
-All notable changes to Codifide are recorded here. Releases follow semver once we
-reach v1.0; until then, the canonical form may change between minor versions.
+Three requirements shipped (V3-1, V3-2, V3-3). V3-4 (time-indexed types) deferred
+— no adoption evidence emerged from V3-1 through V3-3. 383 tests passing, 0 skipped.
+
+### Added — V3-3: Refusal reasons (`bottom "reason"`)
+
+`bottom` gains an optional string payload. `bottom "confidence below threshold"`
+parses, evaluates, and propagates the reason through `RefusalError`. Bare `bottom`
+is unchanged — its canonical bytes are identical to the pre-V3-3 form.
+
+- **`BottomExpr(reason=...)`** — AST node gains optional `reason` field
+- **`BottomWithReason`** — runtime value subclassing `_BottomType`; falsy, passes `isinstance` checks
+- **`RefusalError.reason`** — carries the string payload; included in the error message
+- **Canonical JSON/CBOR** — `"reason"` key emitted only when present; additive, no existing hash invalidated
+- **Capability manifest** — `bottom` AST kind documents the optional `reason` field
+- **Rust** — `Expr::Bottom { reason }`, `Value::Bottom { reason }`, `Error::Refusal { reason }` all updated
+- 24 new tests in `tests/test_bottom_reason.py`
+
+### Added — V3-2: Remote symbol resolution (shipped previous session)
+
+`RemoteStore` with fetch-and-cache and hash-verification. `codifide serve --read-only`
+for public registry deployments. `codifide store push` and `codifide run --registry`.
+See `docs/RPC_API.md` §V3-2.
+
+### Added — V3-1: Parallel evaluator full import support (shipped previous session)
+
+Branch interpreters now receive `resolved_imports`. Imported-symbol calls are
+eligible for parallel evaluation. AUD-OVERNIGHT-02 fix.
+
+---
 
 ## [2.0.0] — 2026-05-14
 

codifide/__init__.py

@@ -15,6 +15,7 @@
     Value,
     Belief,
     Bottom,
+    BottomWithReason,
     EffectSet,
 )
 from .parser.parser import parse
@@ -50,7 +51,7 @@
     BottomPropagationError,
 )
 
-__version__ = "1.0.0"
+__version__ = "3.0.0"
 
 __all__ = [
     "Module",
@@ -61,6 +62,7 @@
     "Value",
     "Belief",
     "Bottom",
+    "BottomWithReason",
     "EffectSet",
     "parse",
     "run",

codifide/__main__.py

@@ -139,6 +139,8 @@ def _cmd_run_rust(args: argparse.Namespace) -> int:
 
 def _cmd_run_python(args: argparse.Namespace) -> int:
     """Original Python tree-walking interpreter."""
+    from .store.remote import RemoteStore
+
     try:
         src = _read(args.file)
         store: Optional[SymbolStore] = None
@@ -149,8 +151,18 @@ def _cmd_run_python(args: argparse.Namespace) -> int:
             module = parse(src, store=store)
         if store is None and module.imports:
             store = SymbolStore(_store_root(args))
+
+        # Wrap with RemoteStore if --registry is set (V3-2).
+        effective_store = store
+        registry = getattr(args, "registry", None)
+        if registry and store is not None:
+            effective_store = RemoteStore(store, registry=registry)
+        elif registry and module.imports:
+            local = SymbolStore(_store_root(args))
+            effective_store = RemoteStore(local, registry=registry)
+
         entry = args.entry or _default_entry(module)
-        result = run(module, entry, store=store)
+        result = run(module, entry, store=effective_store)
         if result is not None:
             print(result)
         return 0
@@ -468,6 +480,90 @@ def cmd_store_verify(args: argparse.Namespace) -> int:
     return 0
 
 
+def cmd_store_push(args: argparse.Namespace) -> int:
+    """Push a locally-stored symbol to a remote registry.
+
+    Reads the symbol bytes from the local store, POSTs them to the
+    registry's POST /symbols endpoint, and verifies the returned
+    identity matches. Idempotent: a second push of the same symbol
+    returns 200 with the existing identity.
+
+    The registry URL defaults to https://codifide.com. Agents running
+    private registries pass --registry https://my-registry.example.com.
+    """
+    import urllib.error
+    import urllib.request
+
+    registry = (args.registry or "https://codifide.com").rstrip("/")
+    identity = args.identity
+
+    # Validate identity shape before touching the store.
+    if not (identity.startswith("sha256:") and len(identity) == 71):
+        print(
+            f"codifide: invalid identity {identity!r}; "
+            f"expected sha256: followed by 64 hex chars",
+            file=sys.stderr,
+        )
+        return 1
+
+    try:
+        store = SymbolStore(_store_root(args))
+        data = store.get_bytes(identity)
+    except StoreError as e:
+        print(f"codifide: {e}", file=sys.stderr)
+        return 1
+
+    url = f"{registry}/symbols"
+    req = urllib.request.Request(
+        url,
+        data=data,
+        method="POST",
+        headers={"Content-Type": "application/cbor"},
+    )
+    try:
+        with urllib.request.urlopen(req, timeout=30) as resp:
+            body = resp.read(1024 * 1024)
+    except urllib.error.HTTPError as exc:
+        body = exc.read(4096)
+        try:
+            import json as _json
+            err = _json.loads(body)
+            detail = err.get("detail", err.get("error", str(exc)))
+        except Exception:
+            detail = body.decode("utf-8", errors="replace")
+        print(
+            f"codifide: registry {url} returned HTTP {exc.code}: {detail}",
+            file=sys.stderr,
+        )
+        return 1
+    except urllib.error.URLError as exc:
+        print(
+            f"codifide: cannot reach registry {registry}: {exc.reason}",
+            file=sys.stderr,
+        )
+        return 1
+
+    try:
+        import json as _json
+        result = _json.loads(body)
+    except Exception as exc:
+        print(f"codifide: cannot parse registry response: {exc}", file=sys.stderr)
+        return 1
+
+    returned_identity = result.get("identity", "")
+    if returned_identity != identity:
+        print(
+            f"codifide: registry returned identity {returned_identity!r} "
+            f"but expected {identity!r}; refusing to accept",
+            file=sys.stderr,
+        )
+        return 1
+
+    name = result.get("name", "?")
+    print(f"{identity}\t{name}")
+    return 0
+
+
 def cmd_store_gc(args: argparse.Namespace) -> int:
     """Report or delete unreachable identities.
 
@@ -644,11 +740,15 @@ def cmd_serve(args: argparse.Namespace) -> int:
     Thin HTTP wrapper over the symbol store. See ``docs/RPC_API.md``.
     Binds to 127.0.0.1 by default — not safe to expose over a network
     without a reverse proxy with TLS and auth.
+
+    Pass ``--read-only`` to disable POST /symbols for public registry
+    deployments (V3-2).
     """
     from .server import serve
 
     store = SymbolStore(_store_root(args))
-    serve(store, host=args.host, port=args.port)
+    read_only = getattr(args, "read_only", False)
+    serve(store, host=args.host, port=args.port, read_only=read_only)
     return 0
 
 
@@ -820,6 +920,13 @@ def main(argv=None) -> int:
         "--store",
         help="store root for import resolution (default: $CODIFIDE_STORE or ~/.codifide/store)",
     )
+    p_run.add_argument(
+        "--registry",
+        default=None,
+        help="remote registry URL for resolving imports on cache miss "
+             "(e.g. https://codifide.com). Opt-in: without this flag, "
+             "only the local store is used.",
+    )
     p_run.set_defaults(func=cmd_run)
 
     p_can = sub.add_parser("canonical", help="print canonical JSON or CBOR")
@@ -940,12 +1047,27 @@ def main(argv=None) -> int:
     )
     p_index.set_defaults(func=cmd_store_index)
 
-    p_verify = store_sub.add_parser(
+    p_verify_store = store_sub.add_parser(
         "verify",
         help="verify a stored module's imports resolve in the store",
     )
-    p_verify.add_argument("hash", help="identity of the module to verify")
-    p_verify.set_defaults(func=cmd_store_verify)
+    p_verify_store.add_argument("hash", help="identity of the module to verify")
+    p_verify_store.set_defaults(func=cmd_store_verify)
+
+    p_push = store_sub.add_parser(
+        "push",
+        help="push a locally-stored symbol to a remote registry",
+    )
+    p_push.add_argument(
+        "identity",
+        help="sha256:<hex> identity of the symbol to push",
+    )
+    p_push.add_argument(
+        "--registry",
+        default=None,
+        help="registry URL (default: https://codifide.com)",
+    )
+    p_push.set_defaults(func=cmd_store_push)
 
     # -- Garbage collection (2026-05-11 design dispatch) --------------
     p_gc = store_sub.add_parser(
@@ -1003,6 +1125,12 @@ def main(argv=None) -> int:
         "--store",
         help="store root directory (default: $CODIFIDE_STORE or ~/.codifide/store)",
     )
+    p_serve.add_argument(
+        "--read-only",
+        action="store_true",
+        dest="read_only",
+        help="disable POST /symbols — for public registry deployments (V3-2)",
+    )
     p_serve.set_defaults(func=cmd_serve)
 
     args = parser.parse_args(argv)

codifide/capability.py

@@ -157,9 +157,17 @@ def _ast_kinds() -> Dict[str, Any]:
                 "First-class refusal. Callers must handle it in a "
                 "``believe`` arm or at a call site; an unhandled "
                 "``bottom`` propagating to the top-level caller "
-                "raises ``RefusalError``."
+                "raises ``RefusalError``. The optional ``reason`` "
+                "field (V3-3) carries a human-readable explanation "
+                "of why the refusal occurred; it is propagated "
+                "through ``RefusalError`` for diagnostics but does "
+                "not affect dispatch or canonical identity. Bare "
+                "``bottom`` (no reason) is backward-compatible — "
+                "its canonical bytes are unchanged."
             ),
-            "fields": [],
+            "fields": [
+                {"name": "reason", "type": "string", "optional": True},
+            ],
         },
         "concat": {
             "description": (

codifide/core/types.py

@@ -90,7 +90,16 @@ class Believe:
 
 @dataclass(frozen=True)
 class BottomExpr:
-    """First-class refusal. Callers must handle; it is not an exception."""
+    """First-class refusal. Callers must handle; it is not an exception.
+
+    The optional ``reason`` field (added V3-3) carries a human-readable
+    explanation of why the refusal occurred. It is purely informational:
+    the runtime propagates it through ``RefusalError`` so callers can
+    surface it in diagnostics, but it does not affect dispatch or
+    canonical identity. Bare ``bottom`` (no reason) is backward-compatible
+    — its canonical bytes are unchanged.
+    """
+    reason: Optional[str] = None
     kind: str = field(default="bottom", init=False)
 
 
@@ -314,3 +323,27 @@ def __bool__(self) -> bool:  # Refusal is not truthy.
 
 
 Bottom = _BottomType()
+
+
+class BottomWithReason(_BottomType):
+    """A refusal value carrying a human-readable reason string (V3-3).
+
+    Subclasses ``_BottomType`` so that ``isinstance(x, _BottomType)``
+    catches both bare ``Bottom`` and reasoned refusals. The ``reason``
+    field is purely informational — it does not affect dispatch, canonical
+    identity, or truthiness.
+    """
+
+    def __new__(cls, reason: str) -> "BottomWithReason":
+        # Do NOT use the singleton pattern from _BottomType; each
+        # BottomWithReason is a distinct instance carrying its own reason.
+        return object.__new__(cls)
+
+    def __init__(self, reason: str) -> None:
+        self.reason = reason
+
+    def __repr__(self) -> str:
+        return f"⊥({self.reason!r})"
+
+    def __bool__(self) -> bool:
+        return False

codifide/parser/expr_parser.py

@@ -256,6 +256,11 @@ def parse_atom(self) -> Expr:
         if tok.kind == "ident":
             if tok.text == "bottom":
                 self.take()
+                # Optional reason string: bottom "reason text"
+                nxt = self.peek()
+                if nxt is not None and nxt.kind == "str":
+                    self.take()
+                    return BottomExpr(reason=nxt.text)
                 return BottomExpr()
             if tok.text == "true":
                 self.take()

codifide/parser/parser.py

@@ -673,19 +673,40 @@ def _parse_believe(lines: List[_Line], i: int) -> Tuple[Expr, int]:
         if text.startswith("else") and ("=>" in text or "⇒" in text):
             op = "=>" if "=>" in text else "⇒"
             _, right = text.split(op, 1)
-            otherwise = _safe_parse_expr(right.strip(), line.lineno)
-            i += 1
+            right = right.strip()
+            if right:
+                otherwise = _safe_parse_expr(right, line.lineno)
+                i += 1
+            else:
+                # Value is on the next line — gather it.
+                if i + 1 >= len(lines) or lines[i + 1].indent <= base_indent:
+                    raise ParseError(
+                        "believe `else =>` arm has no value. "
+                        "Put the value on the same line as `=>` or on the next indented line.",
+                        line=line.lineno,
+                    )
+                right_text, i = _gather_expr(lines, i + 1, lines[i + 1].text)
+                otherwise = _safe_parse_expr(right_text, line.lineno)
             continue
         if "=>" in text or "⇒" in text:
             op = "=>" if "=>" in text else "⇒"
             left, right = text.split(op, 1)
-            arms.append(
-                (
-                    _safe_parse_expr(left.strip(), line.lineno),
-                    _safe_parse_expr(right.strip(), line.lineno),
-                )
-            )
-            i += 1
+            right = right.strip()
+            left_expr = _safe_parse_expr(left.strip(), line.lineno)
+            if right:
+                right_expr = _safe_parse_expr(right, line.lineno)
+                i += 1
+            else:
+                # Value is on the next line — gather it.
+                if i + 1 >= len(lines) or lines[i + 1].indent <= base_indent:
+                    raise ParseError(
+                        "believe arm has no value after `=>`. "
+                        "Put the value on the same line as `=>` or on the next indented line.",
+                        line=line.lineno,
+                    )
+                right_text, i = _gather_expr(lines, i + 1, lines[i + 1].text)
+                right_expr = _safe_parse_expr(right_text, line.lineno)
+            arms.append((left_expr, right_expr))
             continue
         raise ParseError(
             f"unexpected line in believe block: {line.raw!r}", line=line.lineno