Make be get's worktree update atomic — stage-to-temp + atomic swap (or journal+rollback) so a mid-write failure leaves ref/wtlog/tree all unchanged
Split from GET-016 Part 1.

be get's COMMIT POINT (sniff/GET.c:1338-1429) advances the local branch ref + wtlog BEFORE the non-crash-safe worktree write (WALKTreeLazy + drains + sub loop), deliberately — the comment documents replay-via-be get --force ?<cur> as the recovery, and test/get/09-refuse-no-commit + test/get/10-partial-recovery pin that model (get/10 asserts the wtlog GROWS after a failing write and that --force replay is the fix).

So the literal "advance the ref only after the write succeeds" reorder is rejected: it breaks that documented crash-safety model and both tests. True all-or-nothing atomicity needs a redesign — stage the wt mutation to a scratch area then atomically swap + advance the ref, or journal each mutation and roll back on failure.

GET-016 Part 2 (the --force full-reset that makes the replay recovery actually work) landed separately. See GET, GET-016, CLAUDE.
WALKTreeLazy write failure during be get onto a new tip; today the ref + wtlog advance while the tree is left partial (recoverable only by a manual be get --force ?<cur>).
test/get/10's documented "wtlog grows on failure → --force replay recovery" model; only viable if that model is deliberately abandoned and 09/10 rewritten.
Must not regress the crash-safety property test/get/09/10 protect — either preserve replay-recovery as a fallback, or migrate those tests to the new no-drift model as a deliberate, reviewed step.
test/get/09 + 10 to the chosen model.
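
The stage-then-swap option from the description, narrowed to a flat set of files, as an added example that is not be's code: `struct change`, `get_update`, the `.stage` suffix and the `fail_at` fault injection are all assumptions, and the ref file (listed last) stands in for ref + wtlog. A failure while staging leaves every live file and the ref unchanged; the rename phase is the part a journal would still have to cover.

```c
/* Added illustration, not be's code; every name here is hypothetical. */
#include <stdio.h>
#include <string.h>
struct change { const char *path, *text; };

/* Phase 1: write <path>.stage per change; fail_at injects a write failure
 * (constructed fault). On failure staged files go, live files stay untouched. */
static int stage_all(const struct change *c, int n, int fail_at) {
    char tmp[512];
    for (int i = 0; i < n; i++) {
        snprintf(tmp, sizeof tmp, "%s.stage", c[i].path);
        FILE *f = fopen(tmp, "w");
        int ok = f && i != fail_at && fputs(c[i].text, f) >= 0 && fflush(f) == 0;
        if (f && fclose(f) != 0) ok = 0;
        if (ok) continue;
        for (int j = 0; j <= i; j++) {
            snprintf(tmp, sizeof tmp, "%s.stage", c[j].path);
            remove(tmp);
        }
        return -1;
    }
    return 0;
}

/* Phase 2: rename() staged files into place in order; the caller lists the ref
 * last. Real code would fsync first; -2 is the window a journal must cover. */
int get_update(const struct change *c, int n, int fail_at) {
    char tmp[512];
    if (stage_all(c, n, fail_at) != 0) return -1;
    for (int i = 0; i < n; i++) {
        snprintf(tmp, sizeof tmp, "%s.stage", c[i].path);
        if (rename(tmp, c[i].path) != 0) return -2;
    }
    return 0;
}
/* Returns 1 if the file at path holds exactly want. */
int file_is(const char *path, const char *want) {
    char buf[256] = {0};
    FILE *f = fopen(path, "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    return n == strlen(want) && strcmp(buf, want) == 0;
}
int main(void) {   /* constructed scenario: seed tip1, fail mid-write to tip2 */
    struct change t1[] = { {"demo_a", "a1"}, {"demo_b", "b1"}, {"demo_ref", "tip1"} };
    struct change t2[] = { {"demo_a", "a2"}, {"demo_b", "b2"}, {"demo_ref", "tip2"} };
    get_update(t1, 3, -1);
    return get_update(t2, 3, 1) == -1 && file_is("demo_ref", "tip1") ? 0 : 1;
}
```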