feat(router): entity caching with L1/L2, shadow mode, and per-request cache controls (3/6)

[SkArchon]

Part 2 of 4 — split out from #2777 (jensneuse/entity-caching-v2). Stacked on #2944.

What's included

• router/pkg/entitycache: in-memory L1, Redis L2, circuit breaker
• router/core: factoryresolver mapping of proto cache config to planner metadata, graph server wiring, per-request cache-control headers (graphql_handler), plan generator nil guard, config schema + defaults
• metrics/otel: entity cache metrics (opt-in telemetry) and attributes
• graphql-go-tools bumped to PR feat: add caching to loader graphql-go-tools#1259 HEAD (resolver/planner side of the feature) — the two must land together
• router-tests/entity_caching: full integration suite with self-contained gqlgen subgraphs, Redis tests, and a compose tool for testdata/config.json
• demo: cachegraph/cachegraph_ext/viewer subgraphs, cache-demo runner, latency injector, router cache configs (demo go.mod moves in lockstep with router deps; demo is path-replaced into router-tests builds)

Excluded

router/internal/graphiql/graphiql.html (playground embed) ships in part 3/4 — this PR runs with the previous embedded playground.

Verification

go build ./... passes in router/ and demo/; go vet ./entity_caching/... passes in router-tests/.

🤖 Generated with Claude Code

Update: test subgraphs coupled to demo

The six entity_caching test subgraphs were moved into demo/pkg/subgraphs/cachetest/ and are imported by the suite — same coupling pattern as the main suite (testenv → demo/pkg/subgraphs). router-tests no longer carries subgraph implementations. Pure move: schemas/resolvers/data unchanged, make compose reproduces an identical testdata/config.json, full suite green.

Diff cleanup

• The no-op-tracer-provider optimization (HasNonDefaultExporter + bootstrap guard) moved to the benchmark/tooling PR (6/6) — it is a general tracing perf change motivated by benchmarking, not entity caching.
• Reverted ~1.5k lines of demo/pkg/subgraphs/projects/generated proto churn — leftover reserved markers from fields added and removed during development; the GraphQL schema is unchanged.
• Dropped router/entity-caching.config.yaml (unreferenced sample) and router-tests/entity_caching/graph.yaml (duplicated the subgraph list that cmd/compose owns; nothing consumed it).
• The gqlgen generate target moved to demo/Makefile (generate-cachetest) next to the subgraphs it regenerates.

Rebased onto main (2026-06-10)

• graphql-go-tools re-pinned to 63fa1c88 — PR feat: add caching to loader graphql-go-tools#1259 with v2.4.4 merged in (branch entity-caching-v244-merge; conflicts in resolve/context.go + resolve/resolvable.go resolved keeping caching fields + the actualListSizes → typeNameStats rename). Needed because main's router uses v2.4.4 APIs (TypeNameStats) that the PR head lacked.
• All subscription-overhaul adaptation shims dropped in favor of main's versions (websocket, flushwriter, executor, updater, mocks, errors, operation_processor, plan_generator, headers_test).
• One astjson adaptation the other way: the caching arena rework makes MergeValuesWithPath return 2 values; main's flushwriter call site adapted.
• cmd/compose replaced with a wgc-based Makefile target (+ restored graph.yaml input) since composition-go was removed on main (chore: remove composition-go #2830); testdata/config.json regenerated with main's composition.
• entity_caching suite green throughout (incl. the WS subscription populate/invalidate tests, which depend on ExecutionOptions.Caching wiring in the WS path).

[github-actions]

Dependency Review

The following issues were found:

• ❌ 1 vulnerable package(s)

See the Details below.

Vulnerabilities

demo/go.mod

Name	Version	Vulnerability	Severity
go.opentelemetry.io/otel/sdk	1.28.0	OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking	high
		opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking	high

Only included vulnerabilities with severity high or higher.

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
gomod/go.opentelemetry.io/otel/sdk	1.28.0	🟢 9.3	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Dependency-Update-Tool 🟢 10 update tool detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Maintained 🟢 10 30 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices 🟢 5 badge detected: Passing Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. Fuzzing 🟢 10 project is fuzzed License 🟢 10 license file detected SAST 🟢 10 SAST tool is run on all commits Vulnerabilities 🟢 10 0 existing vulnerabilities detected Security-Policy 🟢 10 security policy file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 42 contributing companies or organizations
gomod/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp	1.23.1	🟢 9.3	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Dependency-Update-Tool 🟢 10 update tool detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Maintained 🟢 10 30 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices 🟢 5 badge detected: Passing Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. Fuzzing 🟢 10 project is fuzzed License 🟢 10 license file detected SAST 🟢 10 SAST tool is run on all commits Vulnerabilities 🟢 10 0 existing vulnerabilities detected Security-Policy 🟢 10 security policy file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 42 contributing companies or organizations
gomod/github.com/rogpeppe/go-internal	1.14.1	Unknown	Unknown
gomod/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp	0.46.1	🟢 9.1	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Dependency-Update-Tool 🟢 10 update tool detected Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 30 commit(s) and 24 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies 🟢 9 dependency not pinned by hash detected -- score normalized to 9 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Signed-Releases 🟢 8 4 out of the last 4 releases have a total of 4 signed artifacts. SAST 🟢 10 SAST tool is run on all commits Fuzzing 🟢 10 project is fuzzed License 🟢 10 license file detected Security-Policy 🟢 10 security policy file detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 40 contributing companies or organizations
gomod/go.opentelemetry.io/otel	1.28.0	🟢 9.3	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Dependency-Update-Tool 🟢 10 update tool detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Maintained 🟢 10 30 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices 🟢 5 badge detected: Passing Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. Fuzzing 🟢 10 project is fuzzed License 🟢 10 license file detected SAST 🟢 10 SAST tool is run on all commits Vulnerabilities 🟢 10 0 existing vulnerabilities detected Security-Policy 🟢 10 security policy file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 42 contributing companies or organizations
gomod/go.opentelemetry.io/otel/exporters/otlp/otlptrace	1.23.1	🟢 9.3	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Dependency-Update-Tool 🟢 10 update tool detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Maintained 🟢 10 30 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices 🟢 5 badge detected: Passing Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. Fuzzing 🟢 10 project is fuzzed License 🟢 10 license file detected SAST 🟢 10 SAST tool is run on all commits Vulnerabilities 🟢 10 0 existing vulnerabilities detected Security-Policy 🟢 10 security policy file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 42 contributing companies or organizations
gomod/go.opentelemetry.io/otel/metric	1.28.0	Unknown	Unknown
gomod/go.opentelemetry.io/otel/sdk/metric	1.28.0	🟢 9.3	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Dependency-Update-Tool 🟢 10 update tool detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Maintained 🟢 10 30 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices 🟢 5 badge detected: Passing Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. Fuzzing 🟢 10 project is fuzzed License 🟢 10 license file detected SAST 🟢 10 SAST tool is run on all commits Vulnerabilities 🟢 10 0 existing vulnerabilities detected Security-Policy 🟢 10 security policy file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 42 contributing companies or organizations
gomod/go.opentelemetry.io/otel/trace	1.28.0	Unknown	Unknown
gomod/go.opentelemetry.io/proto/otlp	1.1.0	🟢 7.8	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review ⚠️ -1 Found no human activity in the last 30 changesets Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 License 🟢 10 license file detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Fuzzing ⚠️ 0 project is not fuzzed Security-Policy 🟢 10 security policy file detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 8 contributing companies or organizations
gomod/golang.org/x/sys	0.39.0	Unknown	Unknown
gomod/../composition-go	0.0.0-20250820135159-bf8852195d3f	Unknown	Unknown
gomod/../demo	0.0.0-20260319123623-f186a0f724f6	Unknown	Unknown
gomod/../router	0.0.0-20260319123623-f186a0f724f6	Unknown	Unknown
gomod/github.com/alicebob/gopher-json	0.0.0-20230218143504-906a9b012302	Unknown	Unknown
gomod/github.com/alicebob/miniredis/v2	2.34.0	Unknown	Unknown
gomod/github.com/coder/websocket	1.8.14	Unknown	Unknown
gomod/github.com/dlclark/regexp2	1.11.0	Unknown	Unknown
gomod/github.com/dop251/goja	0.0.0-20230906160731-9410bcaa81d2	🟢 3.9	Details Check Score Reason Code-Review ⚠️ 1 Found 4/23 approved changesets -- score normalized to 1 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 9 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
gomod/github.com/go-sourcemap/sourcemap	2.1.3+incompatible	Unknown	Unknown
gomod/github.com/google/pprof	0.0.0-20230207041349-798e818bf904	🟢 7.3	Details Check Score Reason Maintained 🟢 5 5 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 5 Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 10 security policy file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST 🟢 5 SAST tool is not run on all commits -- score normalized to 5
gomod/github.com/rs/xid	1.6.0	Unknown	Unknown
gomod/github.com/wundergraph/astjson	1.1.1-0.20260419105127-f600d161463f	Unknown	Unknown
gomod/github.com/wundergraph/go-arena	1.2.0	Unknown	Unknown
gomod/github.com/wundergraph/graphql-go-tools/v2	2.4.1-0.20260523190154-590f67798262	🟢 5.4	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found Security-Policy ⚠️ 0 security policy file not detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
gomod/github.com/yuin/gopher-lua	1.1.1	Unknown	Unknown
gomod/rogchap.com/v8go	0.9.0	🟢 3.7	Details Check Score Reason Code-Review 🟢 9 Found 25/26 approved changesets -- score normalized to 9 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Binary-Artifacts 🟢 6 binaries present in source code Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
gomod/github.com/coder/websocket	1.8.14	Unknown	Unknown
gomod/github.com/rs/xid	1.6.0	Unknown	Unknown
gomod/github.com/wundergraph/astjson	1.1.1-0.20260419105127-f600d161463f	Unknown	Unknown
gomod/github.com/wundergraph/go-arena	1.2.0	Unknown	Unknown
gomod/github.com/wundergraph/graphql-go-tools/v2	2.4.1-0.20260523190154-590f67798262	🟢 5.4	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found Security-Policy ⚠️ 0 security policy file not detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0

Scanned Files

• demo/go.mod
• router-tests/go.mod
• router/go.mod

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4a2de5a7-ba8c-4b2f-bb87-04a9a9d19343

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Router-nonroot image scan failed

❌ Security vulnerabilities found in image:

ghcr.io/wundergraph/cosmo/router:sha-7f2e9a1ab15e3feea08e00e30f9625bd4c03f27c-nonroot

Please check the security vulnerabilities found in the PR.

If you believe this is a false positive, please add the vulnerability to the .trivyignore file and re-run the scan.

[codecov]

Codecov Report

❌ Patch coverage is 10.36907% with 510 lines in your changes missing coverage. Please review.
✅ Project coverage is 57.64%. Comparing base (ba77a82) to head (1ee462b).

Files with missing lines	Patch %	Lines
router/core/factoryresolver.go	5.50%	98 Missing and 5 partials ⚠️
router/pkg/entitycache/circuit_breaker.go	0.00%	78 Missing ⚠️
router/core/graph_server.go	12.94%	69 Missing and 5 partials ⚠️
router/core/router.go	8.97%	68 Missing and 3 partials ⚠️
router/pkg/entitycache/memory.go	0.00%	65 Missing ⚠️
router/pkg/entitycache/redis.go	0.00%	44 Missing ⚠️
router/core/executor.go	31.70%	28 Missing ⚠️
router/pkg/config/config.go	12.50%	26 Missing and 2 partials ⚠️
router/core/graphql_handler.go	47.05%	13 Missing and 5 partials ⚠️
router/core/supervisor_instance.go	0.00%	1 Missing ⚠️

Additional details and impacted files

@@                         Coverage Diff                         @@
##           milinda/entity-caching-1b-demo    #2945       +/-   ##
===================================================================
+ Coverage                           41.43%   57.64%   +16.21%     
===================================================================
  Files                                 241      245        +4     
  Lines                               27142    27734      +592     
===================================================================
+ Hits                                11247    15988     +4741     
+ Misses                              14636    10165     -4471     
- Partials                             1259     1581      +322     

Files with missing lines	Coverage Δ
router/core/flushwriter.go	78.84% <100.00%> (+8.33%)	⬆️
router/core/modules.go	47.72% <ø> (+31.81%)	⬆️
router/core/router_config.go	93.82% <ø> (+5.55%)	⬆️
router/core/websocket.go	77.00% <100.00%> (+1.10%)	⬆️
router/core/supervisor_instance.go	0.00% <0.00%> (ø)
router/core/graphql_handler.go	63.42% <47.05%> (+18.04%)	⬆️
router/core/executor.go	74.69% <31.70%> (-4.83%)	⬇️
router/pkg/config/config.go	42.96% <12.50%> (+15.88%)	⬆️
router/pkg/entitycache/redis.go	0.00% <0.00%> (ø)
router/pkg/entitycache/memory.go	0.00% <0.00%> (ø)
... and 4 more

... and 118 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[SkArchon]

Auto-closed as merged by a force-push mishap (stack branches momentarily collapsed onto one commit). Replaced by #2955 — same content and stack position.