Fix case-arm shadowing UB, tail-loop preemption, and OOM diagnostics

Makefile

@@ -223,6 +223,7 @@ examples: swc libswarmrt
 # pass/fail counts across all files. See tests/sw/run_tests.sh.
 test-sw: swc libswarmrt
 	@./tests/sw/run_tests.sh
+	@./tests/sw/run_conform.sh
 
 # Security regression: the curl-backed HTTP builtins must not pass
 # caller-supplied URLs / headers through a shell. Builds the injection

README.md

@@ -305,7 +305,7 @@ The [`lib/`](lib/) directory ships modules that auto-resolve via `import` — no
 
 | Module | What it gives you |
 |---|---|
-| `Std` | List / map / string helpers (range, take, drop, nth/at, zip, partition, sort, unique, find, any, all, sum, product, group_by, chunk_every, intersperse, …) — see `lib/Std.sw` for the full list. |
+| `Std` | List / map / string helpers (map, filter, join, range, take, drop, nth/at, zip, partition, sort, unique, find, any, all, sum, product, group_by, chunk_every, intersperse, string_join, …) — see `lib/Std.sw` for the full list. `map`/`filter`/`reduce` also exist as global builtins; `Std.map`/`Std.filter`/`Std.join` work too. |
 | `Mcp` | Model Context Protocol client + server (JSON-RPC over stdio) |
 | `Embed` | Embeddings client for any OpenAI-compatible `/v1/embeddings` endpoint |
 | `Vec` | ETS-backed cosine-similarity vector store (`Vec.new / add / search / size`) |
@@ -351,7 +351,7 @@ make test-full       # the comprehensive gate: core + OTP + phases 2-10 + search
 - **Compiled** — each `test_*.sw` is compiled with `swc build` and the resulting binary is run.
 - **Interpreter** — `tests/sw/repl/test_*.sw` files are run via `swc test` (tree-walking interpreter). Guards against the REPL/codegen builtin drift that the May 2026 marathon closed.
 
-Together the suite reports `all sw tests passed — 53 files, 475 assertions`.
+Together the suite reports `all sw tests passed — 56 files, 493 assertions`, and `make test-sw` then runs the **dual-path conformance gate**: every program in `tests/sw/conform/` executes under BOTH `swc run` (interpreter) and `swc build` (compiled) and must produce byte-identical stdout and exit codes — the structural guard against the two paths drifting apart.
 
 Add a `test_<topic>.sw` file in either directory and it'll be picked up automatically.
 
@@ -428,7 +428,7 @@ Stable enough to be the substrate for [swarm-code](https://github.com/skyblanket
 **What CI gates on, every push:**
 - README quickstart (`counter.sw`) + a few more example programs (`hello.sw`, `lambda.sw`)
 - `bash scripts/check_sw_docs.sh` — **doc-compile tripwire**: every complete ```sw block in the docs and every runnable `examples/*.sw` must still compile with this `swc`
-- `make test-sw` — **53 files, 475 assertions** (`.sw` language: compiled + interpreter + `swc run` paths)
+- `make test-sw` — **56 files, 493 assertions** (`.sw` language: compiled + interpreter + `swc run` paths) **plus the dual-path conformance gate** (`tests/sw/conform/` — interpreter and compiled output must be byte-identical per program)
 - `make test-phase$p` for `p` in **2 through 10** — C-side runtime tests: GenServer/Supervisor (phase 2), ETS (phase 3), Agent/App/DynSup (phase 4), StateMachine/ProcessGroup (phase 5), TCP (phase 6), hot reload (phase 7), GC scaffolding (phase 8), distribution (phase 9), language frontend (phase 10); the **deadlock watchdog** runs automatically in every test (active by default in the runtime)
 - `make stress` — high-process-count race guard (multi-scheduler + single-scheduler spawn storm); every run must complete
 - `make gc-stress` — GC v1 copy-on-escape correctness: the value-arena stress harness compiled with ASAN + `-DSW_ARENA_POISON`; a missed deep-copy on any send/spawn/ETS boundary surfaces as a use-after-free or a `0xDE`-garbage content assert

docs/SW_LANGUAGE.md

@@ -103,7 +103,7 @@ fun greet(name) {
 - Body is one or more expressions; the last expression's value is the return value.
 - Parameters are positional; default values: `fun greet(name = "world") { ... }`.
 - No explicit `return` — Erlang-style trailing-expression-is-the-value.
-- Recursion is the loop construct (no `for`/`while`). Tail calls are detected and optimised by the codegen, so unbounded tail recursion doesn't blow the stack.
+- Recursion is the loop construct (no `for`/`while`). **Self**-tail-calls are detected and optimised by the codegen, so unbounded `f -> f` tail recursion doesn't blow the stack. **Mutual** tail recursion (`a -> b -> a`, e.g. two state functions calling each other) is NOT yet optimised — each hop costs a C stack frame and deep chains overflow the 128KB process stack. Keep the recursive call in the same function (dispatch on an argument instead of bouncing between functions) for unbounded loops.
 
 ```sw
 fun count_down(n) {
@@ -256,7 +256,7 @@ receive {
 - Each arm is `pattern -> body`.
 - `_` matches anything; specific tuples / atoms / values match exactly.
 - Bound names (`prompt`, `reply_to`) capture parts of the message.
-- `after MS { body }` fires if no message arrives within MS milliseconds.
+- `after MS { body }` fires if no message arrives within MS milliseconds. The Erlang-style arrow form `after MS -> body` is accepted too (the body runs to the receive's closing brace — `after` is always the last clause).
 - Selective receive: messages that don't match any arm STAY in the mailbox for the next `receive`.
 
 Inside receive arm bodies, `;` DOES separate statements (it's a recognised statement separator within arm bodies).
@@ -267,6 +267,20 @@ Inside receive arm bodies, `;` DOES separate statements (it's a recognised state
 
 Patterns appear in `receive` arms, `case` expressions, and some other binding contexts. Supported:
 
+### Tuple-destructuring assignment
+
+A statement may bind several names from a tuple at once:
+
+```sw
+{a, b} = {1, 2}                 # a=1, b=2
+{x, _, z} = three_tuple()       # `_` skips an element
+{'ok', body} = http_fetch(url)  # literal positions ASSERT-match (panic on
+                                # {'error', _}), ident positions bind
+{200, html} = fetch_page()      # ints/strings/floats assert too
+```
+
+Statement position only (not inside a larger expression). Elements may be identifiers (bind), `_` (skip), or literal atoms/ints/floats/strings (match-assert with a `destructuring mismatch` panic — the Erlang `=` contract for the `{'ok', v}` idiom). A too-short or non-tuple right side panics through `elem`'s existing range/type check; extra trailing elements are tolerated. It desugars at parse time (temp + `elem()` binds + `expect()` asserts), so `swc run` and compiled binaries behave identically. List and nested-tuple left sides are not supported — use `case` for those.
+
 | Pattern | Matches |
 |---|---|
 | `42`, `"foo"`, `'ok'`, `nil` | exact literal |
@@ -346,6 +360,16 @@ fun main() {
 
 `with` desugars at parse time into nested `case`, so it has the same pattern-matching power (tuples, maps, lists, literals) and the exact same behavior in `swc run` and a compiled binary. There are no per-bind `when` guards — match a pattern instead. A single bind (`with p <- e { ... } else { o -> ... }`) is fine; it's just a one-arm chain.
 
+The `else` block takes one or more `pattern [when guard] -> body` arms, exactly like `case` — the first non-`{'ok', _}` value falls through them in order:
+
+```sw
+} else {
+    {'error', k} when k == 'host' -> "no host configured"
+    {'error', k} -> f"missing: {k}"
+    _ -> "unknown failure"
+}
+```
+
 ---
 
 ## 8. Processes and message passing
@@ -801,7 +825,7 @@ r = try {
 }
 ```
 
-`error(msg)` sets a thread-local error sentinel that `try { ... } catch e { ... }` catches. Outside a `try`, `error()` is silent (the calling code continues with `nil`), which makes try/catch the explicit "I want to handle failure" marker.
+`error(msg)` aborts the rest of the `try` body and lands in the nearest enclosing `catch` — through function calls too: an `error()` raised inside a callee unwinds to the caller's `catch`, and the statements after the raise do not run. Outside any `try`, `error()` is silent (the calling code continues with `nil`), which makes try/catch the explicit "I want to handle failure" marker. Identical in `swc run` and compiled binaries (gated by `tests/sw/run_conform.sh`).
 
 ### Unrecoverable failures: `panic` + `expect`
 
@@ -825,7 +849,7 @@ panic: hit the bottom
     [3] Trace.main at src/Trace.sw:16
 ```
 
-`expect(value, msg)` is the idiomatic "unwrap" pattern — passes the value through if non-nil, otherwise panics with `msg`. Saves the explicit `if (x == nil) { panic(...) }` boilerplate.
+`expect(value, msg)` is the idiomatic "unwrap" pattern — passes the value through unless it is **nil or `'false'`**, in which case it panics with `msg`. Saves the explicit `if (x == nil) { panic(...) }` boilerplate, and `expect(a == b, msg)` works as an assert (comparisons return `'true'`/`'false'`).
 
 ### Builtins that panic (instead of returning nil silently)
 

docs/notes/KNOWN_ISSUES.md

@@ -19,6 +19,30 @@ the divergence is the issue.
 when compiled. **Workaround:** add an explicit `after MS -> ...` clause to any
 `receive` that might not match, so compiled and interpreted runs behave the same.
 
+### Interpreter recursion depth is bounded (no TCO in the tree-walker)
+
+The interpreter (`swc run` / REPL / `swc test`) evaluates on the C stack with
+a stack-margin guard and no tail-call optimisation; deep recursion raises a
+clean, uncatchable `interpreter recursion depth exceeded` panic (exit 1). The
+exact ceiling is environment-dependent (real stack headroom is measured);
+assume a few hundred frames. Compiled binaries TCO self-tail-calls to
+unbounded depth (gated by `tests/sw/test_tco_depth.sw`).
+
+**Impact:** recursion-heavy programs must be compiled. **Workaround:**
+`swc build` — the interpreter is for short scripts, tests, and the REPL.
+
+### Mutual tail recursion is not TCO'd; deep chains overflow silently
+
+Only **self** tail calls are optimised. Two functions tail-calling each other
+(the natural state-machine shape) consume a C stack frame per hop and overflow
+the 128KB fiber stack at depth ~10^4–10^5 — currently as a raw SIGSEGV without
+even the crash banner (the handler runs on the overflowed fiber stack; needs
+`sigaltstack`). See [REVIEW_FABLE_2026-06.md](REVIEW_FABLE_2026-06.md), O2.
+
+**Impact:** mutually recursive FSMs die at depth in compiled binaries.
+**Workaround:** keep the loop in one function and dispatch on an argument
+(`fun fsm(state, n) { case state { ... } }`).
+
 ### No static type or shape checking
 
 `sw` is dynamically typed by design — there is no compile-time type or arity
@@ -35,12 +59,32 @@ model), recorded here so the behavior is not a surprise.
 
 ## Recently cleared
 
+### `try/catch` caught builtin panics in the interpreter but not compiled
+
+Cleared on 2026-06-09 (Round-7 follow-up). The error model is now identical
+on both paths and gated by the dual-path conformance runner
+(`tests/sw/run_conform.sh`, wired into `make test-sw`):
+
+- `error()` unwinds the full dynamic extent to the nearest `try` — an
+  `error()` raised inside a callee lands in the caller's `catch`, and the
+  statements after the raise do NOT run. (Compiled: per-process
+  setjmp/longjmp chain, `sw_self_try_chain`; the old codegen ran the whole
+  try body and tested the sentinel once at the end, so the statement after
+  an `error()` still executed — and could panic the process before the
+  catch was consulted.)
+- `error()` outside any `try` stays the documented silent
+  continue-with-nil on both paths (the interpreter previously unwound the
+  entire rest of the program, silently).
+- Panics (builtin panics, `panic()`, failed `expect()`) are uncatchable on
+  both paths: `try/catch` does not absorb them, the run exits 1.
+  `assert_raises` remains the sanctioned test-only interceptor.
+
 ### No `swc run` subcommand
 
-Cleared. `swc run file.sw` exists (parse → codegen → `cc` → run the resulting
-binary in one shot; see `run_file` in `src/swc.c`). The interpreter path
-(`swc run`, REPL, `swc test`) shares the runtime's builtins with the compiled
-path.
+Cleared. `swc run file.sw` exists and runs the tree-walking interpreter
+(parse → merge imports → interpret `main()`; see `run_file` in `src/swc.c`).
+The interpreter path (`swc run`, REPL, `swc test`) shares the runtime's
+builtins with the compiled path.
 
 ### Multi-head cons patterns are unimplemented