plan: correct grounded errors + harden async streams (post-metatype review)

Fold the adversarial-review corrections into the program plan + design-of-record:
- atomics is 100% net-new (no scaffolding; lower.zig 'ordering' is comparison-only)
- context is already an implicit *Context param (not TLS) — B1.1 rescoped
- abi(.pure) exists but is inert (no naked emission) — B1.0 rescoped
- B1.3 switch-stress harness is the first deliverable + mandatory stack guards
- Stream C gated on a named TSan/ASan + run-N stress harness, not a footnote

design/execution-evolution-roadmap.md

@@ -74,7 +74,7 @@ is `<host>`").
 
 | ID | Piece | State | Size |
 |----|-------|-------|------|
-| **N1** | **Atomics — NET-NEW compiler feature.** Atomic load/store/RMW (`add/sub/and/or/xor/swap` + `fetch_min`/`fetch_max`; no `nand`), `compare_exchange`/`_weak` (→ `?T`, **null = success**), and fences, with orderings (relaxed/acquire/release/acq_rel/seq_cst). LLVM provides all — an **emit** feature, not a runtime library. **Surface LOCKED = `Atomic($T)` wrapper + `Ordering` enum** (not `@atomic_*` — `@` is address-of in sx). | **lowering absent** — zero LLVM `atomicrmw`/`cmpxchg`/`fence` emission today; some IR/inference scaffolding exists | M |
+| **N1** | **Atomics — NET-NEW compiler feature.** Atomic load/store/RMW (`add/sub/and/or/xor/swap` + `fetch_min`/`fetch_max`; no `nand`), `compare_exchange`/`_weak` (→ `?T`, **null = success**), and fences, with orderings (relaxed/acquire/release/acq_rel/seq_cst). LLVM provides all — an **emit** feature, not a runtime library. **Surface LOCKED = `Atomic($T)` wrapper + `Ordering` enum** (not `@atomic_*` — `@` is address-of in sx). | **fully net-new** — zero LLVM `atomicrmw`/`cmpxchg`/`fence` emission **and no atomics scaffolding**: `Atomic`/`Ordering` exist nowhere in `library/`, and the only "ordering" in `lower.zig:1400` is *comparison* ordering (`< <= >=`), unrelated to memory ordering | M |
 | **N2** | **OS threads + pthread Mutex/Cond + worker Pool** | **landed** — [std/thread.sx](../library/modules/std/thread.sx) (`pthread_create`/`join`/`detach`, in-place `Mutex`/`Cond`, bounded `Pool`). NOTE: pthread mutex **blocks the OS thread** — it is *not* fiber-aware (it would park every fiber on that thread); fiber-aware sync is N3, built on N1. | — |
 | **N3** | **Fiber-aware sync** — mutex / channel / waitgroup that **suspend the fiber**, not the OS thread. Hybrid: atomic fast-path (N1) + fiber-suspend slow-path (A2/A5). Distinct from the pthread primitives in N2. | new library | M |
 
@@ -99,7 +99,7 @@ suspends is decided by the `Io` *implementation*, transparently.
 | ID | Piece | Notes | Size |
 |----|-------|-------|------|
 | **A1** | **`Io` interface + `context.io`** — a protocol/vtable threaded like `Allocator`. `io.async(fn,args) → Future`, `future.await`, cancellation. | leverages protocols + context | M |
-| **A2** | **Stackful coroutine runtime — in sx lib, NOT a compiler builtin.** The context-switch is a `callconv(.naked)` sx fn with an inline-asm body (save callee-saved + SP/LR into `*from`, load from `*to`, `ret`); fiber bootstrap + stack alloc (`mmap`+guard via `extern`) also sx. The **compiler's** job is only (a) the general primitives — inline asm, `callconv(.naked)`, atomics — and (b) **fiber-safe codegen**: `context` lowered as a *repointable indirection* (never raw TLS) so the switch can repoint it, and stack-limit guards (if emitted) read from a swappable per-fiber location. Most arch-delicate sx in the tree (must match the platform callee-saved set + the compiler ABI), but it's inspectable sx, not a black box. | per-arch, arch-gated; co-validate vs codegen | M |
+| **A2** | **Stackful coroutine runtime — in sx lib, NOT a compiler builtin.** The context-switch is a `callconv(.naked)` sx fn with an inline-asm body (save callee-saved + SP/LR into `*from`, load from `*to`, `ret`); fiber bootstrap + stack alloc (`mmap`+guard via `extern`) also sx. The **compiler's** job is only (a) the general primitives — inline asm, `abi(.naked)`, atomics — and (b) **fiber-safe codegen**: `context` is **already an implicit `*Context` param** (not TLS — see §7 step 5), so the switch repoints it for free by swapping the per-fiber root; the open work is the per-fiber root + push-stack storage, and stack-limit guards (**mandatory, not optional** — fixed mmap stacks without a guard corrupt neighbors silently) reading from a swappable per-fiber location. Most arch-delicate sx in the tree (must match the platform callee-saved set + the compiler ABI), but it's inspectable sx, not a black box. | per-arch, arch-gated; co-validate vs codegen | M |
 | **A3** | **Event-loop `Io` impls** — kqueue / epoll / io_uring drive readiness, then the (now-ready) syscall via C1. Plus a trivial **blocking `Io`**. | pure sx around syscall `extern`s | L |
 | **A4** | **Stdlib I/O rework** — fs/socket/process take/use `context.io` instead of raw blocking syscalls, so existing calls participate in async. | mirrors the allocator-threading rule | M |
 | **A5** | **Schedulers — M:1 → N×(M:1) → M:N, all sx std-lib `Io` vtables (committed; M:N last, not deferred).** M:1 first (minimal vehicle to validate the colorblind stack; covers I/O-bound). N×(M:1) = first parallel step (per-thread M:1 loops + `std/thread.sx` spawn; shared state uses N1 atomics — expected under parallelism, not a wart). M:N work-stealing last (most machinery: thread-safe steal queues + migration + errno/TLS discipline). All over N1 atomics + the A2 asm context-switch + `extern` syscalls. **pinning** API for thread-affine work (UI main thread, GL context). | see §4.3 | M (M:1) / M (N×M:1) / L (M:N) |
@@ -395,12 +395,21 @@ grounding) are explicit steps, not buried.
      construct `TypeInfo` programmatically + `intern()`. **Residual = plumbing, not
      capability:** name minted results by the instantiation's mangled name + input
      validation.
-4. **`callconv(.naked)`** — extend `CallConv {default, c}` (types.zig:169) + skip
+4. **`abi(.naked)`** — *correction:* `CallConv` was renamed `ABI` and **already carries
+   `.pure`** (ast.zig:142, "pure/naked, no prologue/epilogue") during the compiler-API
+   stream — so this is NOT "extend the enum." `.pure` is an **inert label today**:
+   `type_resolver.zig:237` maps it to `.default` CC and emit_llvm emits **no** naked
+   attribute. The net-new work is making `.pure` actually emit LLVM `naked` + skip
    prologue/epilogue lowering. Gates A2.
-5. **Repointable-`context` codegen** — lower `context` as a swappable indirection
-   (never raw TLS) + per-fiber stack-limit. Compiler obligation; gates A2 *and*
-   cross-fiber `context.io` correctness. (Reviewer note: this is a **prerequisite**
-   of A2, not a successor.)
+5. **Per-fiber `context` root + push-stack storage** — *correction:* `context` is
+   **already an implicit `*Context` parameter** (comptime_vm.zig:392, lower.zig:257
+   "Implicit Context parameter machinery"), **not raw TLS** — so the "lower as swappable
+   indirection, never raw TLS" framing guards a non-problem; it already rides the fiber
+   stack. The real, **currently-unsized** obligation is (a) where a freshly-spawned
+   fiber's *root* `Context` comes from and (b) where `push Context` frames live (caller
+   stack ⇒ fiber-local for free; a global root ⇒ must become per-fiber) + per-fiber
+   stack-limit. **Ground the current mechanism before sizing this.** Prerequisite of
+   A2, not a successor.
 
 **Async runtime — sx lib over the primitives:**
 6. **A1 — `Io` interface + `context.io` + `Future` + `cancel()` API.**