The stratt publish command writes to three systems: local filesystem (fingerprint YAML), Cloudflare R2 (object storage), and Git (version control). The original implementation was forward-only: if step 3 failed, steps 1-2 were left in an inconsistent state.

Fix: Design the transaction backwards from every failure point. R2 upload fails → revert the local fingerprint write. Git commit fails → delete the R2 object AND revert the fingerprint. R2 round-trip mismatch → delete the corrupted object.

Added putVerified() which uploads, fetches back, and compares content before considering the upload successful. Added idempotency: re-publishing the same fingerprint is a no-op.

The rollback matrix is the real design artifact: a table mapping every failure point to the exact state of each system (local file, R2, Git). This matrix should be written before the code, because it makes the error handling paths obvious. Adding rollback doubled the publish code from ~60 to ~120 lines, but made the pipeline trustworthy enough to automate.

Applicable pattern: For any multi-system write operation, draw the rollback matrix first. Each row is a failure point, each column is a system. Every cell must have an explicit state (unchanged, reverted, deleted, committed). If any cell says “unknown” or “depends”, the design is incomplete.
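
The rollback rules above, as an added sketch that is not stratt's own code: the three systems are in-memory stand-ins with injectable faults, and `matrixRow` returns one row of the rollback matrix for a given failure point. Apart from `putVerified`, every name here is hypothetical, and the `name/fingerprint` object key is an assumption.

```javascript
// In-memory stand-ins for local file, R2 and Git; `faults` injects one failure point.
function makeSystems(faults = {}) {
  const local = new Map(), r2 = new Map(), git = [];
  return {
    local, r2, git,
    r2Put(key, body) {
      if (faults.r2Put) throw new Error("r2 upload failed");
      r2.set(key, faults.corrupt ? body + "?" : body); // simulate a damaged object
    },
    gitCommit(entry) {
      if (faults.git) throw new Error("git commit failed");
      git.push(entry);
    },
  };
}
// Upload, fetch back, compare. A mismatched object is deleted before failing.
function putVerified(sys, key, body) {
  sys.r2Put(key, body);
  if (sys.r2.get(key) === body) return;
  sys.r2.delete(key);
  throw new Error("r2 round-trip mismatch");
}

function publish(sys, name, fingerprint, body) {
  const key = `${name}/${fingerprint}`;          // assumed content-addressed key
  const prev = sys.local.get(name), existed = sys.r2.has(key);
  if (prev === fingerprint) return "noop";       // idempotent re-publish
  const undo = [];                               // compensations, run newest first
  try {
    sys.local.set(name, fingerprint);
    undo.push(() => (prev === undefined ? sys.local.delete(name) : sys.local.set(name, prev)));
    putVerified(sys, key, body);
    if (!existed) undo.push(() => sys.r2.delete(key));
    sys.gitCommit(key);
    return "published";
  } catch (err) {
    while (undo.length) undo.pop()();            // leave every system in a known state
    throw err;
  }
}

// One row of the rollback matrix: the state of each system after a given fault.
function matrixRow(faults) {
  const sys = makeSystems(faults);
  sys.local.set("model", "fp-old");              // constructed prior state
  let result;
  try { result = publish(sys, "model", "fp-new", "payload"); } catch (err) { result = err.message; }
  return { result, local: sys.local.get("model"), r2: [...sys.r2.keys()], git: sys.git.length };
}
```

Each fault (`r2Put`, `corrupt`, `git`) should produce a row where the local fingerprint is back to its prior value, R2 holds no new object, and Git has no new commit.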