The OFS-delta base-offset predicate landed in three sites in the fix
for the off-by-one: the scanner header decode and the on-demand mmap
object's two delta-resolution paths. Each carried a duplicated copy
of the canonical-Git citation and the same boundary condition.
Consolidate them behind one exported helper, ValidateOFSDeltaBase,
so a future audit reads the canonical condition once.

Assisted-by: Claude Opus 4.7
Signed-off-by: Hidde Beydals <[email protected]>

Parse() resolved all REF-deltas in one loop and OFS-deltas in
another, processing the two delta types as independent sets. A
REF-delta whose base is an in-pack OFS-delta therefore failed to
resolve: the REF pass looked up its base hash before the OFS-delta
had been applied, since the OFS-delta's hash is unknown at scan
time. The lookup misclassified the in-pack base as a thin-pack
external reference and the chain never produced a real parent.

Canonical Git's `threaded_second_pass` in builtin/index-pack.c[1]
walks the delta DAG from non-delta bases, advancing the REF and
OFS children of every parent together rather than in two sweeps.
Port that shape: index the pending delta lists by parent offset
and parent hash, then visit every reachable delta depth-first
from each non-delta base. REF-deltas not reached by the walk
fall through to the existing thin-pack placeholder path; an
OFS-delta whose recorded negative offset matches no in-pack
object header is reported as malformed input.

A child reachable through more than one parent (two non-deltas
with identical content, or an OFS-delta resolving to the same
hash as a non-delta in the pack) is processed only on the first
visit.

Cover the case with a parser test that constructs a pack with
the shape `[base blob, OFS-delta(base=blob), REF-delta(base=
OFS-delta-hash)]` and asserts all three objects resolve, plus a
fuzz corpus seed of the same probe.

[1]: https://github.com/git/git/blob/94f057755b/builtin/index-pack.c#L1103

Assisted-by: Claude Opus 4.7
Signed-off-by: Hidde Beydals <[email protected]>

Parser.Parse mutates state owned by the Parser: the per-delta parent
pointers it links during depth-first delta resolution, and the cache
maps that index resolved objects by hash and offset. Neither is reset
on entry. A second call against the same Parser would see the prior
call's state — whether that call succeeded or failed mid-walk — and
produce undefined results.

The constraint is not new; the new `c.parent != nil` skip guard in
resolveDeltas makes its consequences slightly more visible. Spell it
out in the type's godoc so callers don't reach for Parse a second
time and silently hit the leftover state.

Assisted-by: Claude Opus 4.7
Signed-off-by: Hidde Beydals <[email protected]>

The encoder emits every delta in a single pack with the same kind:
all OFS_DELTA by default, all REF_DELTA when useRefDeltas is set.
The parser now resolves packs that mix the two kinds in one chain,
because mixed-kind packs occur in the wild — repacks across servers
with differing --delta-base-offset settings, thin-pack splices, and
third-party tooling all produce them. Add a short comment at the
write site so the next reader of writeDeltaHeader doesn't file the
asymmetry between read- and write-side delta-kind support as a
defect.

Assisted-by: Claude Opus 4.7
Signed-off-by: Hidde Beydals <[email protected]>