RayforceDB · singaraiona · Apr 24, 2026 · Apr 18, 2026 · Apr 18, 2026 · Apr 18, 2026
diff --git a/docs/plans/2026-04-18-datalog-aggregates-and-onboarding.md b/docs/plans/2026-04-18-datalog-aggregates-and-onboarding.md
diff --git a/include/rayforce.h b/include/rayforce.h
@@ -156,6 +156,11 @@ ray_t* ray_error(const char* code, const char* fmt, ...);
 const char* ray_err_code_str(ray_err_t e);
 ray_err_t ray_err_from_obj(ray_t* err);
 const char* ray_err_code(ray_t* err);
+/* Free a RAY_ERROR object.  ray_release() is a deliberate no-op for
+ * error ray_t* (see src/mem/cow.c), so callers that hold the sole
+ * reference and want the block reclaimed must use this helper instead —
+ * otherwise the error leaks until heap teardown. */
+void ray_error_free(ray_t* err);
 
 /* ===== Accessor Macros ===== */
 

diff --git a/src/core/runtime.c b/src/core/runtime.c
@@ -27,6 +27,8 @@
 #include <stdarg.h>
 #include <stdio.h>
 #include <string.h>
+#include <sys/stat.h>
+#include <errno.h>
 #ifdef RAY_OS_WINDOWS
 #include <windows.h>
 #else
@@ -137,6 +139,21 @@ ray_t* ray_error(const char* code, const char* fmt, ...) {
     return err;
 }
 
+void ray_error_free(ray_t* err) {
+    /* Skip NULL and anything that isn't actually a RAY_ERROR — callers
+     * often pass a result that might be either an error or a real value. */
+    if (!err || !RAY_IS_ERR(err)) return;
+    /* Both ray_free and ray_release_owned_refs short-circuit on RAY_IS_ERR
+     * as a safety default (the refcount system deliberately does not track
+     * error objects).  Retype the block to a leaf atom (-RAY_I64) so those
+     * guards don't fire — an atom with no owned children is the safest
+     * shape to pass through the standard free path.  The rc was already
+     * 1 from ray_alloc, so ray_free will reclaim the block via the buddy
+     * allocator.  From this point the caller must not touch err again. */
+    err->type = -RAY_I64;
+    ray_free(err);
+}
+
 const char* ray_err_code(ray_t* err) {
     if (!err || err->type != RAY_ERROR) return NULL;
     /* sdata is 7 bytes and may not be null-terminated when full */
@@ -157,14 +174,17 @@ void ray_error_clear(void) {
 
 /* ===== Lifecycle ===== */
 
-ray_runtime_t* ray_runtime_create(int argc, char** argv) {
-    (void)argc; (void)argv;
+static ray_runtime_t* runtime_create_impl(const char* sym_path,
+                                           ray_err_t* out_sym_err) {
+    if (out_sym_err) *out_sym_err = RAY_OK;
 
     /* Init subsystems */
     ray_heap_init();
     ray_sym_init();
 
-    /* Allocate runtime via system allocator */
+    /* Allocate runtime and set __VM + mem_budget BEFORE any file I/O so
+     * that ray_error() has a live VM to record diagnostics against and
+     * allocations are bounded by the budget. */
     ray_runtime_t* rt = (ray_runtime_t*)ray_sys_alloc(sizeof(ray_runtime_t));
     if (!rt) return NULL;
     memset(rt, 0, sizeof(*rt));
@@ -196,13 +216,70 @@ ray_runtime_t* ray_runtime_create(int argc, char** argv) {
         rt->mem_budget = (int64_t)(4ULL << 30);
 #endif
 
-    /* Init language (env + builtins) — must be after __VM is set */
+    /* __RUNTIME must be visible before ray_sym_load so mem_budget checks
+     * and ray_error() both operate against the live runtime. */
+    __RUNTIME = rt;
+
+    /* Load persisted symbol table BEFORE ray_lang_init interns builtins.
+     * Ordering: __VM + mem_budget are live so file I/O errors surface via
+     * ray_error() and allocations are budget-bounded.  Still before
+     * ray_lang_init so persisted user symbol IDs keep their slots and
+     * builtins append afterwards. */
+    if (sym_path) {
+        /* Pre-flight size check: reject files that would blow past the
+         * memory budget before ever touching ray_col_load.
+         *
+         * errno handling: ENOENT is the normal first-run case and stays
+         * RAY_OK; any *other* stat failure (EACCES, ENOTDIR, EIO, …) is
+         * a real problem and must be surfaced as RAY_ERR_IO, otherwise
+         * the caller would silently continue with an empty sym table
+         * and later hit the "divergence" class of bugs this entrypoint
+         * was added to avoid. */
+        struct stat st;
+        if (stat(sym_path, &st) == 0) {
+            /* Allow the sym file itself plus some working headroom (2x).
+             * A well-formed sym file is a list of interned strings; the
+             * in-memory footprint is bounded by file size within a small
+             * constant factor. */
+            if (st.st_size > 0 &&
+                (int64_t)st.st_size > rt->mem_budget / 2) {
+                if (out_sym_err) *out_sym_err = RAY_ERR_OOM;
+                /* Continue startup with empty sym table; caller decides
+                 * whether to treat this as fatal. */
+            } else {
+                ray_err_t sym_err = ray_sym_load(sym_path);
+                if (out_sym_err) *out_sym_err = sym_err;
+                /* RAY_ERR_CORRUPT and I/O errors are non-fatal here:
+                 * caller inspects out_sym_err to decide recovery. */
+            }
+        } else if (errno != ENOENT) {
+            if (out_sym_err) *out_sym_err = RAY_ERR_IO;
+        }
+        /* ENOENT: leave out_sym_err = RAY_OK — absent sym file is the
+         * normal first-run case. */
+    }
+
+    /* Init language (env + builtins) — must be after __VM is set and
+     * after sym_load so persisted user IDs keep their slots. */
     ray_lang_init();
 
-    __RUNTIME = rt;
     return rt;
 }
 
+ray_runtime_t* ray_runtime_create(int argc, char** argv) {
+    (void)argc; (void)argv;
+    return runtime_create_impl(NULL, NULL);
+}
+
+ray_runtime_t* ray_runtime_create_with_sym(const char* sym_path) {
+    return runtime_create_impl(sym_path, NULL);
+}
+
+ray_runtime_t* ray_runtime_create_with_sym_err(const char* sym_path,
+                                               ray_err_t* out_sym_err) {
+    return runtime_create_impl(sym_path, out_sym_err);
+}
+
-
+
+/* NOTE: These public entrypoints must also be declared in src/core/runtime.h
+ * and include/rayforce.h to keep the API surface synchronized.
+ */
-
+
+/* NOTE: These public entrypoints must also be declared in src/core/runtime.h
+ * and include/rayforce.h to keep the API surface synchronized.
+ */
 /* ===== Memory Budget API ===== */
 
 int64_t ray_mem_budget(void) {

diff --git a/src/core/runtime.h b/src/core/runtime.h
@@ -103,10 +103,20 @@ extern _Thread_local ray_vm_t *__VM;
 ray_runtime_t* ray_runtime_create(int argc, char** argv);
 void           ray_runtime_destroy(ray_runtime_t* rt);
 
+/* Persistent-consumer lifecycle: load the sym table from `sym_path` (if
+ * present) before builtins register, so user-interned IDs keep the same
+ * slots across process restarts.  The _err variant surfaces the load
+ * result via `out_sym_err` (RAY_OK / RAY_ERR_CORRUPT / I/O errors) so
+ * callers can decide recovery policy; the plain variant discards it. */
+ray_runtime_t* ray_runtime_create_with_sym(const char* sym_path);
+ray_runtime_t* ray_runtime_create_with_sym_err(const char* sym_path,
+                                               ray_err_t* out_sym_err);
+
 /* Error API — allocates ray_t with type=RAY_ERROR, sets __VM->err.msg */
 ray_t* ray_error(const char* code, const char* fmt, ...);
 /* Read error code from a RAY_ERROR object (returns pointer to sdata) */
 const char* ray_err_code(ray_t* err);
+/* ray_error_free() is published in include/rayforce.h */
 
 /* Read VM error detail message (NULL if empty) */
 const char* ray_error_msg(void);