Is this solved by introducing a Clock as an intrinsic? The Auth rule takes a Clock input and re-auths at T-safety-margin. Races where the margin isn't enough are just like RPC failures - next time, probably works.

Maybe… Ignoring revocation which may require retries outside of the clock… But I think it still leaves us in a weird place where the auth needs to be a field embedded in another node, rather than a node by its own right, because its invalidation doesn’t invalidate the things which depend on it

Yeah, that really means a error return type or exception type is needed that allows a rule to signal an input was invalid.

Yeah; unwind-and-retry is interesting

And then, for niceness, an extra layer of re-running nodes in the current run. But that bit is not strictly needed.

Also handles things like “transient network failure” or “My input file disappeared, can you re-compile it?”