Skip to content

distribution: add migration wire contracts#1084

Open
bootjp wants to merge 12 commits into
mainfrom
design/hotspot-split-m2-wire
Open

distribution: add migration wire contracts#1084
bootjp wants to merge 12 commits into
mainfrom
design/hotspot-split-m2-wire

Conversation

@bootjp

@bootjp bootjp commented Jul 13, 2026

Copy link
Copy Markdown
Owner

Summary

  • add M2 migration RPCs and internal export/import wire contracts, with generated protobuf code
  • add RouteDescriptor migration fields to protobuf and durable route codec v2 while preserving v1 encoding for zero-field routes
  • plumb migration route fields through ListRoutes responses and cover the codec/protobuf conversion paths

Tests

  • make -C proto check-tools
  • make -C proto gen
  • go test ./distribution -count=1 -timeout=120s
  • go test ./adapter -run 'TestDistributionServer|TestMilestone1SplitRange' -count=1 -timeout=180s
  • go test ./kv ./proto -count=1 -timeout=180s
  • GOCACHE=$(pwd)/.cache GOLANGCI_LINT_CACHE=$(pwd)/.golangci-cache golangci-lint run ./distribution ./adapter --timeout=5m
  • git diff --check

Note: full adapter-package testing exceeded the local timeout in existing raft/gRPC integration coverage; the targeted distribution adapter tests above passed.

Author: bootjp

Summary by CodeRabbit

  • 新機能
    • ルート分割移行の開始・進捗確認・所有者/交差ルート取得・中止/再試行などを扱うAPIを追加しました。
    • 範囲データのMVCCバージョンをエクスポート/インポートできるAPIを追加しました。
    • 読み取りフェンス付きのRawGet/RawLatestCommitTS/RawScanAtに対応し、整合性のためのルート情報を指定できるようになりました。
  • 改善
    • ルート移行中も、分割後の取得・スキャンで関連メタデータが引き継がれ、一貫して反映されます。
    • ルート境界を指定した逆方向スキャンを強化しました。
    • Redis wide-column系キーをユーザーキーへ正規化し、正しいルーティング結果を返せるようにしました。

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Changes

ルート移行メタデータ

Layer / File(s) Summary
移行APIとルート契約
proto/distribution.proto, proto/internal.proto
分割移行、分割ジョブ、MVCC範囲転送RPCと、移行状態を表すルートフィールドを追加します。
カタログcodecと保存処理
distribution/catalog.go, distribution/catalog_test.go
RouteDescriptorのv1/v2 codec、移行フィールドの検証・比較・clone、MinWriteTSExclusiveの単調保存を追加します。
エンジンとDistributionへの伝播
distribution/engine.go, distribution/engine_test.go, adapter/distribution_server.go, adapter/distribution_server_test.go
移行フィールドをEngine、分割後ルート、Distributionのprotobuf応答へ伝播します。

読み取りフェンス付きルーティング

Layer / File(s) Summary
読み取りフェンスRPC契約
proto/service.proto
Raw読み取りリクエストにread route versionとルート境界情報を追加します。
gRPC Raw読み取り分岐
adapter/grpc.go, adapter/grpc_test.go
read fence対応ストアを優先し、route version・境界の決定とgrouped reverseの検証を行います。
LeaderRoutedStoreのフェンス読み取り
kv/leader_routed_store.go, kv/leader_routed_store_test.go
ローカル読み取りとRaw RPCフォールバックをread fence対応APIへ拡張します。
ShardStoreの境界付きスキャン
kv/shard_store.go, kv/shard_store_test.go, kv/shard_store_txn_lock_test.go
境界付き順方向・逆方向スキャン、ルートフィルタ、ロック走査、read route version伝播を追加します。

Redisキー正規化

Layer / File(s) Summary
Redis wide-columnキーの正規化
kv/shard_key.go, kv/shard_key_test.go
Hash、Set、ZSetの内部キーを共通のユーザーキーへ正規化します。

Estimated code review effort: 5 (Critical) | ~120 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant GRPCServer
  participant LeaderRoutedStore
  participant ShardStore
  Client->>GRPCServer: RawScanAt(read route version, route bounds)
  GRPCServer->>LeaderRoutedStore: ScanAtWithReadFence
  LeaderRoutedStore->>ShardStore: 境界付きローカルスキャンまたはRaw RPC
  ShardStore-->>LeaderRoutedStore: フェンス済みKV結果
  LeaderRoutedStore-->>GRPCServer: ScanAt結果
  GRPCServer-->>Client: RawScanAt応答
Loading
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 1.43% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed 主要な変更である移行関連のワイヤ契約追加を概ね表しており、内容と関連しています。
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions

Copy link
Copy Markdown
Contributor

TLA+ spec divergence review (auto-triggered)

This PR touches files that the TLA+ safety spec has an anchor on (per
docs/design/2026_05_28_implemented_tla_safety_spec.md §3),
so an AI review is requested below to verify the implementation has not drifted
from the model.

Anchored files changed in this PR head (72fcc6b):

  • distribution/catalog.go
  • distribution/catalog_test.go

What to check, by subsystem:

  • kv/hlc*.goNext() must respect the HLC-4 preconditions (i)/(ii)/(iii) from the design doc: bounded skew, logical-counter handoff on leader change (strategy (c) Observe(MaxAppliedHLC)), and the commit-time ceiling fence (fail-closed when wall_now >= physicalCeiling). Any change to the bit layout (48/16), the CAS loop, or the ceiling getter/setter is in scope.
  • kv/coordinator.go, kv/sharded_coordinator.goRunHLCLeaseRenewal, hlcRenewalInterval, hlcPhysicalWindowMs constants, and the new-term detection that calls Observe(fsm.MaxAppliedHLC()) (strategy (c)). Any change to renewal cadence, group selection, or fail-closed behaviour is in scope.
  • kv/transaction.go, kv/lock_resolver.go — OCC commit-ts assignment, lock-map encoding (key, lock_ts) -> start_ts, and the LockResolver action OCC-3 depends on. (M2 spec will land OCC-1..OCC-5; until then the spec doc §5.2 is the contract.)
  • kv/fsm.go — FSM apply of HLC lease entries (SetPhysicalCeiling), and any future MaxAppliedHLC() accessor that strategy (c) needs.
  • store/mvcc_store.go — version visibility, snapshot install, and the MVCC-1..MVCC-4 invariants (M3 scope).
  • distribution/** — route catalog versioning, SplitRange atomicity, and CatalogWatcher async fan-out (M4 scope).

If the change is correct but requires a spec update, edit tla/hlc/HLC.tla (or the corresponding M2..M5 module once landed) and the design doc in the same PR. The tla-check workflow runs the TLC model check on the same paths.


@claude review please verify TLA+ spec divergence per the checklist above.

@codex review please verify TLA+ spec divergence per the checklist above.

@bootjp

bootjp commented Jul 13, 2026

Copy link
Copy Markdown
Owner Author

@codex review

@chatgpt-codex-connector

Copy link
Copy Markdown

To use Codex here, create a Codex account and connect to github.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces a V2 codec version for route descriptors in the distribution catalog to support new migration-related fields, including staged visibility, migration job IDs, and exclusive write timestamps. It also updates protobuf definitions and generated gRPC code to add several new RPC methods (such as split migration and range version export/import) and includes read route versions for migration read fences. The review feedback suggests defining an explicit catalogRouteCodecVersionV2 constant instead of using the dynamic catalogRouteCodecVersion directly in encoding and decoding paths, which prevents future codec version bumps from breaking V2-specific logic.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread distribution/catalog.go Outdated
Comment thread distribution/catalog.go
Comment thread distribution/catalog.go Outdated
@bootjp

bootjp commented Jul 13, 2026

Copy link
Copy Markdown
Owner Author

@codex review

@github-actions

Copy link
Copy Markdown
Contributor

TLA+ spec divergence review (auto-triggered)

This PR touches files that the TLA+ safety spec has an anchor on (per
docs/design/2026_05_28_implemented_tla_safety_spec.md §3),
so an AI review is requested below to verify the implementation has not drifted
from the model.

Anchored files changed in this PR head (7dd2e6d):

  • distribution/catalog.go
  • distribution/catalog_test.go

What to check, by subsystem:

  • kv/hlc*.goNext() must respect the HLC-4 preconditions (i)/(ii)/(iii) from the design doc: bounded skew, logical-counter handoff on leader change (strategy (c) Observe(MaxAppliedHLC)), and the commit-time ceiling fence (fail-closed when wall_now >= physicalCeiling). Any change to the bit layout (48/16), the CAS loop, or the ceiling getter/setter is in scope.
  • kv/coordinator.go, kv/sharded_coordinator.goRunHLCLeaseRenewal, hlcRenewalInterval, hlcPhysicalWindowMs constants, and the new-term detection that calls Observe(fsm.MaxAppliedHLC()) (strategy (c)). Any change to renewal cadence, group selection, or fail-closed behaviour is in scope.
  • kv/transaction.go, kv/lock_resolver.go — OCC commit-ts assignment, lock-map encoding (key, lock_ts) -> start_ts, and the LockResolver action OCC-3 depends on. (M2 spec will land OCC-1..OCC-5; until then the spec doc §5.2 is the contract.)
  • kv/fsm.go — FSM apply of HLC lease entries (SetPhysicalCeiling), and any future MaxAppliedHLC() accessor that strategy (c) needs.
  • store/mvcc_store.go — version visibility, snapshot install, and the MVCC-1..MVCC-4 invariants (M3 scope).
  • distribution/** — route catalog versioning, SplitRange atomicity, and CatalogWatcher async fan-out (M4 scope).

If the change is correct but requires a spec update, edit tla/hlc/HLC.tla (or the corresponding M2..M5 module once landed) and the design doc in the same PR. The tla-check workflow runs the TLC model check on the same paths.


@claude review please verify TLA+ spec divergence per the checklist above.

@codex review please verify TLA+ spec divergence per the checklist above.

@chatgpt-codex-connector

Copy link
Copy Markdown

To use Codex here, create a Codex account and connect to github.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7dd2e6d48a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread distribution/catalog.go
Comment thread proto/service.proto
Comment thread distribution/catalog.go
@bootjp

bootjp commented Jul 13, 2026

Copy link
Copy Markdown
Owner Author

@codex review

Addressed current-head blockers in ef2ba76:

  • preserved MinWriteTSExclusive and migration fields when splitting/catalog snapshotting routes
  • carried migration fields into distribution.Route snapshots and stats/intersection paths
  • forwarded read_route_version and scan route bounds through raw read proxy hops

Validation:

  • go test ./adapter -run 'TestDistributionServerSplitRange_Success|TestDistributionServerListRoutes_ReadsDurableCatalog' -count=1
  • go test ./distribution -count=1
  • go test ./kv -count=1
  • go test ./adapter ./distribution ./kv -run '^$' -count=1
  • golangci-lint --config=.golangci.yaml run ./adapter ./distribution ./kv --timeout=5m
  • git diff --check HEAD~1..HEAD

@github-actions

Copy link
Copy Markdown
Contributor

TLA+ spec divergence review (auto-triggered)

This PR touches files that the TLA+ safety spec has an anchor on (per
docs/design/2026_05_28_implemented_tla_safety_spec.md §3),
so an AI review is requested below to verify the implementation has not drifted
from the model.

Anchored files changed in this PR head (ef2ba76):

  • distribution/catalog.go
  • distribution/catalog_test.go
  • distribution/engine.go
  • distribution/engine_test.go

What to check, by subsystem:

  • kv/hlc*.goNext() must respect the HLC-4 preconditions (i)/(ii)/(iii) from the design doc: bounded skew, logical-counter handoff on leader change (strategy (c) Observe(MaxAppliedHLC)), and the commit-time ceiling fence (fail-closed when wall_now >= physicalCeiling). Any change to the bit layout (48/16), the CAS loop, or the ceiling getter/setter is in scope.
  • kv/coordinator.go, kv/sharded_coordinator.goRunHLCLeaseRenewal, hlcRenewalInterval, hlcPhysicalWindowMs constants, and the new-term detection that calls Observe(fsm.MaxAppliedHLC()) (strategy (c)). Any change to renewal cadence, group selection, or fail-closed behaviour is in scope.
  • kv/transaction.go, kv/lock_resolver.go — OCC commit-ts assignment, lock-map encoding (key, lock_ts) -> start_ts, and the LockResolver action OCC-3 depends on. (M2 spec will land OCC-1..OCC-5; until then the spec doc §5.2 is the contract.)
  • kv/fsm.go — FSM apply of HLC lease entries (SetPhysicalCeiling), and any future MaxAppliedHLC() accessor that strategy (c) needs.
  • store/mvcc_store.go — version visibility, snapshot install, and the MVCC-1..MVCC-4 invariants (M3 scope).
  • distribution/** — route catalog versioning, SplitRange atomicity, and CatalogWatcher async fan-out (M4 scope).

If the change is correct but requires a spec update, edit tla/hlc/HLC.tla (or the corresponding M2..M5 module once landed) and the design doc in the same PR. The tla-check workflow runs the TLC model check on the same paths.


@claude review please verify TLA+ spec divergence per the checklist above.

@codex review please verify TLA+ spec divergence per the checklist above.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ef2ba76416

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread kv/shard_store.go
Comment thread distribution/catalog.go
Comment thread adapter/grpc.go Outdated
var err error
if groupID := req.GetGroupId(); groupID != 0 {
if fenceGetter, ok := r.store.(rawReadFenceGetter); ok {
v, err = fenceGetter.GetAtWithReadFence(ctx, req.Key, readTS, req.GetGroupId(), req.GetReadRouteVersion())

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Stamp raw reads before using the fence helper

External RawKV callers leave read_route_version unset, but this branch passes that zero straight into the fenced store path instead of stamping the catalog version observed while routing the request. When this server is a follower and proxies the read during a split migration, the internal RawGet still carries version 0, so the source-side cutover fence either treats a fresh routed read as a broken legacy hop once zero-version rejection is active or cannot distinguish it from a stale coordinator request; stamp the current route/catalog version before invoking the fence helper.

Useful? React with 👍 / 👎.

@github-actions

Copy link
Copy Markdown
Contributor

TLA+ spec divergence review (auto-triggered)

This PR touches files that the TLA+ safety spec has an anchor on (per
docs/design/2026_05_28_implemented_tla_safety_spec.md §3),
so an AI review is requested below to verify the implementation has not drifted
from the model.

Anchored files changed in this PR head (2388b3e):

  • distribution/catalog.go
  • distribution/catalog_test.go
  • distribution/engine.go
  • distribution/engine_test.go

What to check, by subsystem:

  • kv/hlc*.goNext() must respect the HLC-4 preconditions (i)/(ii)/(iii) from the design doc: bounded skew, logical-counter handoff on leader change (strategy (c) Observe(MaxAppliedHLC)), and the commit-time ceiling fence (fail-closed when wall_now >= physicalCeiling). Any change to the bit layout (48/16), the CAS loop, or the ceiling getter/setter is in scope.
  • kv/coordinator.go, kv/sharded_coordinator.goRunHLCLeaseRenewal, hlcRenewalInterval, hlcPhysicalWindowMs constants, and the new-term detection that calls Observe(fsm.MaxAppliedHLC()) (strategy (c)). Any change to renewal cadence, group selection, or fail-closed behaviour is in scope.
  • kv/transaction.go, kv/lock_resolver.go — OCC commit-ts assignment, lock-map encoding (key, lock_ts) -> start_ts, and the LockResolver action OCC-3 depends on. (M2 spec will land OCC-1..OCC-5; until then the spec doc §5.2 is the contract.)
  • kv/fsm.go — FSM apply of HLC lease entries (SetPhysicalCeiling), and any future MaxAppliedHLC() accessor that strategy (c) needs.
  • store/mvcc_store.go — version visibility, snapshot install, and the MVCC-1..MVCC-4 invariants (M3 scope).
  • distribution/** — route catalog versioning, SplitRange atomicity, and CatalogWatcher async fan-out (M4 scope).

If the change is correct but requires a spec update, edit tla/hlc/HLC.tla (or the corresponding M2..M5 module once landed) and the design doc in the same PR. The tla-check workflow runs the TLC model check on the same paths.


@claude review please verify TLA+ spec divergence per the checklist above.

@codex review please verify TLA+ spec divergence per the checklist above.

@bootjp

bootjp commented Jul 13, 2026

Copy link
Copy Markdown
Owner Author

@codex review

Addressed the current-head blockers in 2388b3e:

  • routed fenced ShardStore scans using supplied route_start/route_end while keeping the raw scan bounds for storage reads
  • kept CatalogStore MinWriteTSExclusive monotone by merging existing and desired descriptors with max(existing, desired)
  • stamped zero read_route_version at the RawKV gRPC entrypoint before invoking read-fence helper paths, while preserving caller-supplied stamps

Validation:

  • go test ./kv ./distribution ./adapter -run 'TestShardStoreScanAtWithReadFence_RoutesUsingSuppliedBounds|TestCatalogStoreSaveKeepsMinWriteTSExclusiveMonotone|TestGRPCServer_RawReadFenceHelpersStampCurrentRouteVersion|TestGRPCServer_RawReadFenceHelpersKeepCallerRouteVersion' -count=1
  • git diff --check
  • golangci-lint run ./... --timeout=5m --allow-serial-runners
  • commit hook: golangci-lint --config=.golangci.yaml run --fix (0 issues)
  • go test ./... was run: the initial parallel run failed with no space left on device; the retry with TMPDIR=.tmp GOTMPDIR=.tmp GOCACHE=.gocache go test -p=1 ./... passed root/distribution/kv/store and remaining packages, but adapter timed out at 600s

@chatgpt-codex-connector

Copy link
Copy Markdown

To use Codex here, create a Codex account and connect to github.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2388b3e665

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread kv/shard_store.go
Comment thread adapter/grpc.go
@github-actions

Copy link
Copy Markdown
Contributor

TLA+ spec divergence review (auto-triggered)

This PR touches files that the TLA+ safety spec has an anchor on (per
docs/design/2026_05_28_implemented_tla_safety_spec.md §3),
so an AI review is requested below to verify the implementation has not drifted
from the model.

Anchored files changed in this PR head (781dc36):

  • distribution/catalog.go
  • distribution/catalog_test.go
  • distribution/engine.go
  • distribution/engine_test.go

What to check, by subsystem:

  • kv/hlc*.goNext() must respect the HLC-4 preconditions (i)/(ii)/(iii) from the design doc: bounded skew, logical-counter handoff on leader change (strategy (c) Observe(MaxAppliedHLC)), and the commit-time ceiling fence (fail-closed when wall_now >= physicalCeiling). Any change to the bit layout (48/16), the CAS loop, or the ceiling getter/setter is in scope.
  • kv/coordinator.go, kv/sharded_coordinator.goRunHLCLeaseRenewal, hlcRenewalInterval, hlcPhysicalWindowMs constants, and the new-term detection that calls Observe(fsm.MaxAppliedHLC()) (strategy (c)). Any change to renewal cadence, group selection, or fail-closed behaviour is in scope.
  • kv/transaction.go, kv/lock_resolver.go — OCC commit-ts assignment, lock-map encoding (key, lock_ts) -> start_ts, and the LockResolver action OCC-3 depends on. (M2 spec will land OCC-1..OCC-5; until then the spec doc §5.2 is the contract.)
  • kv/fsm.go — FSM apply of HLC lease entries (SetPhysicalCeiling), and any future MaxAppliedHLC() accessor that strategy (c) needs.
  • store/mvcc_store.go — version visibility, snapshot install, and the MVCC-1..MVCC-4 invariants (M3 scope).
  • distribution/** — route catalog versioning, SplitRange atomicity, and CatalogWatcher async fan-out (M4 scope).

If the change is correct but requires a spec update, edit tla/hlc/HLC.tla (or the corresponding M2..M5 module once landed) and the design doc in the same PR. The tla-check workflow runs the TLC model check on the same paths.


@claude review please verify TLA+ spec divergence per the checklist above.

@codex review please verify TLA+ spec divergence per the checklist above.

@bootjp

bootjp commented Jul 13, 2026

Copy link
Copy Markdown
Owner Author

@codex review

Addressed the current-head fenced raw scan findings in 781dc36:

  • preserved InvalidArgument for RawScanAt requests that combine group_id and reverse before the read-fence helper path can handle them
  • deduplicated same-group ShardStore read-fence scans only when supplied route_start/route_end causes raw storage bounds to be reused across adjacent descriptors

Validation:

  • go test ./adapter ./kv -run TestGRPCServer_RawScanAt_GroupedReverseStaysInvalidArgumentWithReadFenceStore|TestShardStoreScanAtWithReadFence_DeduplicatesSameGroupSuppliedBounds|TestShardStoreScanAtWithReadFence_RoutesUsingSuppliedBounds|TestGRPCServer_RawReadFenceHelpersStampCurrentRouteVersion|TestGRPCServer_RawReadFenceHelpersKeepCallerRouteVersion -count=1
  • golangci-lint --config=.golangci.yaml run ./adapter ./kv --timeout=5m
  • git diff --check HEAD~1..HEAD
  • commit hook: golangci-lint --config=.golangci.yaml run --fix (0 issues)

@chatgpt-codex-connector

Copy link
Copy Markdown

To use Codex here, create a Codex account and connect to github.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 781dc362ec

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread kv/shard_store.go
Comment thread kv/shard_store.go
@github-actions

Copy link
Copy Markdown
Contributor

TLA+ spec divergence review (auto-triggered)

This PR touches files that the TLA+ safety spec has an anchor on (per
docs/design/2026_05_28_implemented_tla_safety_spec.md §3),
so an AI review is requested below to verify the implementation has not drifted
from the model.

Anchored files changed in this PR head (1afde8f):

  • distribution/catalog.go
  • distribution/catalog_test.go
  • distribution/engine.go
  • distribution/engine_test.go

What to check, by subsystem:

  • kv/hlc*.goNext() must respect the HLC-4 preconditions (i)/(ii)/(iii) from the design doc: bounded skew, logical-counter handoff on leader change (strategy (c) Observe(MaxAppliedHLC)), and the commit-time ceiling fence (fail-closed when wall_now >= physicalCeiling). Any change to the bit layout (48/16), the CAS loop, or the ceiling getter/setter is in scope.
  • kv/coordinator.go, kv/sharded_coordinator.goRunHLCLeaseRenewal, hlcRenewalInterval, hlcPhysicalWindowMs constants, and the new-term detection that calls Observe(fsm.MaxAppliedHLC()) (strategy (c)). Any change to renewal cadence, group selection, or fail-closed behaviour is in scope.
  • kv/transaction.go, kv/lock_resolver.go — OCC commit-ts assignment, lock-map encoding (key, lock_ts) -> start_ts, and the LockResolver action OCC-3 depends on. (M2 spec will land OCC-1..OCC-5; until then the spec doc §5.2 is the contract.)
  • kv/fsm.go — FSM apply of HLC lease entries (SetPhysicalCeiling), and any future MaxAppliedHLC() accessor that strategy (c) needs.
  • store/mvcc_store.go — version visibility, snapshot install, and the MVCC-1..MVCC-4 invariants (M3 scope).
  • distribution/** — route catalog versioning, SplitRange atomicity, and CatalogWatcher async fan-out (M4 scope).

If the change is correct but requires a spec update, edit tla/hlc/HLC.tla (or the corresponding M2..M5 module once landed) and the design doc in the same PR. The tla-check workflow runs the TLC model check on the same paths.


@claude review please verify TLA+ spec divergence per the checklist above.

@codex review please verify TLA+ spec divergence per the checklist above.

@chatgpt-codex-connector

Copy link
Copy Markdown

To use Codex here, create a Codex account and connect to github.

@bootjp

bootjp commented Jul 14, 2026

Copy link
Copy Markdown
Owner Author

Fixed the two RawScanAt fence findings:

  • Added explicit route-bound presence on RawScanAt and threaded it through ShardStore/LeaderRoutedStore proxy requests so the logical ["", +infinity) range survives proto3 empty bytes.
  • Added route-key-filtered pagination for supplied-bound scans so same-group sibling route rows are skipped without leaking rows or short-filling pages.

Caller audit:

  • rg "ScanAtWithReadFence\(" only finds the adapter RawScanAt path, ShardStore/LeaderRoutedStore proxy paths, and tests; no broader call sites required API changes.

Validation:

  • go test ./kv
  • go test ./adapter -run "TestGRPCServer_RawScanAt_PreservesFullRangeRouteBoundsPresence|TestGRPCServer_RawReadFenceHelpersKeepCallerRouteVersion|TestGRPCServer_RawScanAt_GroupedReverseStaysInvalidArgumentWithReadFenceStore" -count=1
  • golangci-lint run ./adapter ./kv --timeout=5m
  • git diff --check
  • buf generate

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1afde8f1ba

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread kv/leader_routed_store.go Outdated
Comment on lines +222 to +226
if reverse {
kvs, err := s.local.ReverseScanAt(ctx, start, end, limit, max(ts, fenceTS))
return kvs, errors.WithStack(err)
}
kvs, err := s.local.ScanAt(ctx, start, end, limit, max(ts, fenceTS))

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Honor route bounds on local leader scans

When this store is the verified local leader and a RawScanAt/ScanAtWithReadFence call supplies routeStart/routeEnd, these branches read the local MVCC store directly and never apply the route-key filter/pagination that the ShardStore path uses. In a leader-routed deployment receiving a supplied-bound scan over an internal raw prefix, rows from same-group sibling route intervals can be returned or consume the page limit, while the non-leader proxy path preserves the bounds.

Useful? React with 👍 / 👎.

Comment thread kv/shard_store.go Outdated
scanEnd := end
for len(out) < limit {
batchLimit := routeFilteredScanBatchLimit(limit - len(out))
kvs, err := s.scanRouteAtDirectionWithReadFenceOnce(ctx, route, scanStart, scanEnd, batchLimit, ts, reverse, explicitGroup, readRouteVersion, routeStart, routeEnd)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Filter route keys before resolving scan locks

For supplied-bound scans on a local ShardStore leader, this call resolves MVCC/txn locks for the raw batch before appendRouteFilteredKVs drops rows whose routeKey is outside routeStart/routeEnd. If a same-group sibling route has a pending lock under the scanned raw prefix, the bounded scan can return ErrTxnLocked or hit the lock budget even though that sibling row should be skipped by the route filter.

Useful? React with 👍 / 👎.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 33c793f03d

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread kv/shard_store.go Outdated
Comment on lines +544 to +548
var groupID uint64
if explicitGroup {
groupID = route.GroupID
}
kvs, err := s.proxyRawScanAt(ctx, g, start, end, limit, ts, reverse, groupID, readRouteVersion, routeStart, routeEnd)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Preserve the target group on proxied route-bound scans

When a supplied route-bound scan falls into this follower branch with explicitGroup == false, groupID remains zero, so the RawScanAt sent to this route's leader is re-routed there as a multi-route scan using the supplied route bounds. On nodes that host or know multiple shard groups, that leader can return sibling-group rows; the caller then scans those sibling routes again in scanRoutesAtWithReadFence, producing duplicates and applying the page limit to the wrong combined set. The proxied route-bounded request needs to stay scoped to route.GroupID instead of relying on the receiver to rediscover routes.

Useful? React with 👍 / 👎.

@github-actions

Copy link
Copy Markdown
Contributor

TLA+ spec divergence review (auto-triggered)

This PR touches files that the TLA+ safety spec has an anchor on (per
docs/design/2026_05_28_implemented_tla_safety_spec.md §3),
so an AI review is requested below to verify the implementation has not drifted
from the model.

Anchored files changed in this PR head (a456f48):

  • distribution/catalog.go
  • distribution/catalog_test.go
  • distribution/engine.go
  • distribution/engine_test.go

What to check, by subsystem:

  • kv/hlc*.goNext() must respect the HLC-4 preconditions (i)/(ii)/(iii) from the design doc: bounded skew, logical-counter handoff on leader change (strategy (c) Observe(MaxAppliedHLC)), and the commit-time ceiling fence (fail-closed when wall_now >= physicalCeiling). Any change to the bit layout (48/16), the CAS loop, or the ceiling getter/setter is in scope.
  • kv/coordinator.go, kv/sharded_coordinator.goRunHLCLeaseRenewal, hlcRenewalInterval, hlcPhysicalWindowMs constants, and the new-term detection that calls Observe(fsm.MaxAppliedHLC()) (strategy (c)). Any change to renewal cadence, group selection, or fail-closed behaviour is in scope.
  • kv/transaction.go, kv/lock_resolver.go — OCC commit-ts assignment, lock-map encoding (key, lock_ts) -> start_ts, and the LockResolver action OCC-3 depends on. (M2 spec will land OCC-1..OCC-5; until then the spec doc §5.2 is the contract.)
  • kv/fsm.go — FSM apply of HLC lease entries (SetPhysicalCeiling), and any future MaxAppliedHLC() accessor that strategy (c) needs.
  • store/mvcc_store.go — version visibility, snapshot install, and the MVCC-1..MVCC-4 invariants (M3 scope).
  • distribution/** — route catalog versioning, SplitRange atomicity, and CatalogWatcher async fan-out (M4 scope).

If the change is correct but requires a spec update, edit tla/hlc/HLC.tla (or the corresponding M2..M5 module once landed) and the design doc in the same PR. The tla-check workflow runs the TLC model check on the same paths.


@claude review please verify TLA+ spec divergence per the checklist above.

@codex review please verify TLA+ spec divergence per the checklist above.

@bootjp

bootjp commented Jul 14, 2026

Copy link
Copy Markdown
Owner Author

Addressed the current-head route-bound scan proxy finding in a456f48.

Changes:

  • preserve route.GroupID on proxied RawScanAt requests whenever route bounds are present
  • keep ordinary non-route-bound scans using group_id=0 as before
  • add regression coverage for both route-bound and non-route-bound read-fence scans

Validation:

  • go test ./kv -run 'TestShardStore_ForwardsReadFenceStamps|TestShardStoreScanAtWithReadFence|TestLeaderRoutedStore_ScanAtWithReadFence' -count=1 -timeout=180s
  • go test ./kv -count=1 -timeout=240s
  • golangci-lint --config=.golangci.yaml run ./kv --timeout=5m
  • git diff --check

Caller audit:

  • checked ScanAtWithReadFence, routeScanBoundsPresent, scanRouteAtDirectionWithReadFence page/once paths, proxyRawScanAt, and RawScanAt request handling; behavior changes only the proxy group_id selected for route-bound scans.

@codex review

@chatgpt-codex-connector

Copy link
Copy Markdown

To use Codex here, create a Codex account and connect to github.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a456f48092

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread kv/shard_store.go
Comment thread kv/shard_store.go
@bootjp

bootjp commented Jul 14, 2026

Copy link
Copy Markdown
Owner Author

Addressed the latest current-head route-bound scan findings in bcdee5b.

Changes:

  • RawScanAt now permits reverse scans with an explicit group only when route bounds are present and the read-fence scan path can enforce them. The existing no-route-bounds grouped reverse request remains InvalidArgument.
  • route-filtered txn-lock scans now count scanned lock rows against the lock-scan budget, so out-of-route locks cannot make a bounded route scan walk the whole lock namespace.
  • added regression coverage for route-bound grouped reverse RawScanAt and for budget exhaustion by out-of-route lock rows.

Validation:

  • go test ./adapter -run 'TestGRPCServer_RawScanAt_(GroupedReverseStaysInvalidArgumentWithReadFenceStore|AllowsRouteBoundGroupedReverseWithReadFenceStore|PreservesFullRangeRouteBoundsPresence)|TestGRPCServer_RawReadFenceHelpers' -count=1 -timeout=180s\n- go test ./kv -run 'TestShardStoreScanAtWithReadFence_(SkipsOutOfRoutePendingLock|BoundsOutOfRouteLockScan|FiltersSuppliedBoundsByRouteKey|RoutesUsingSuppliedBounds)|TestShardStore_ForwardsReadFenceStamps|TestLeaderRoutedStore_ScanAtWithReadFence' -count=1 -timeout=240s\n- go test ./adapter -run 'TestGRPCServer_RawScanAt|TestGRPCServer_RawReadFenceHelpers|Test_grpc_scan' -count=1 -timeout=180s\n- go test ./kv -count=1 -timeout=240s\n- golangci-lint --config=.golangci.yaml run ./adapter ./kv --timeout=5m\n- git diff --check\n- git diff --check HEAD~1..HEAD\n\nCaller audit:\n- RawScanAt is entered through adapter/grpc.go and the LeaderRoutedStore/ShardStore proxy raw-scan paths; the compatibility change is limited to route-bounded read-fence scans.\n- scanTxnLockPagesAtWithRouteFilter is only called from the route-filtered scan-lock planning path, after boundedTxnLockScanLimit is applied.\n\n@codex review

@github-actions

Copy link
Copy Markdown
Contributor

TLA+ spec divergence review (auto-triggered)

This PR touches files that the TLA+ safety spec has an anchor on (per
docs/design/2026_05_28_implemented_tla_safety_spec.md §3),
so an AI review is requested below to verify the implementation has not drifted
from the model.

Anchored files changed in this PR head (bcdee5b):

  • distribution/catalog.go
  • distribution/catalog_test.go
  • distribution/engine.go
  • distribution/engine_test.go

What to check, by subsystem:

  • kv/hlc*.goNext() must respect the HLC-4 preconditions (i)/(ii)/(iii) from the design doc: bounded skew, logical-counter handoff on leader change (strategy (c) Observe(MaxAppliedHLC)), and the commit-time ceiling fence (fail-closed when wall_now >= physicalCeiling). Any change to the bit layout (48/16), the CAS loop, or the ceiling getter/setter is in scope.
  • kv/coordinator.go, kv/sharded_coordinator.goRunHLCLeaseRenewal, hlcRenewalInterval, hlcPhysicalWindowMs constants, and the new-term detection that calls Observe(fsm.MaxAppliedHLC()) (strategy (c)). Any change to renewal cadence, group selection, or fail-closed behaviour is in scope.
  • kv/transaction.go, kv/lock_resolver.go — OCC commit-ts assignment, lock-map encoding (key, lock_ts) -> start_ts, and the LockResolver action OCC-3 depends on. (M2 spec will land OCC-1..OCC-5; until then the spec doc §5.2 is the contract.)
  • kv/fsm.go — FSM apply of HLC lease entries (SetPhysicalCeiling), and any future MaxAppliedHLC() accessor that strategy (c) needs.
  • store/mvcc_store.go — version visibility, snapshot install, and the MVCC-1..MVCC-4 invariants (M3 scope).
  • distribution/** — route catalog versioning, SplitRange atomicity, and CatalogWatcher async fan-out (M4 scope).

If the change is correct but requires a spec update, edit tla/hlc/HLC.tla (or the corresponding M2..M5 module once landed) and the design doc in the same PR. The tla-check workflow runs the TLC model check on the same paths.


@claude review please verify TLA+ spec divergence per the checklist above.

@codex review please verify TLA+ spec divergence per the checklist above.

@chatgpt-codex-connector

Copy link
Copy Markdown

To use Codex here, create a Codex account and connect to github.

@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown

Caution

Review failed

An error occurred during the review process. Please try again later.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: bcdee5b5d8

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread adapter/grpc.go
Base automatically changed from design/hotspot-split-m2-job-catalog to main July 14, 2026 06:36
@github-actions

Copy link
Copy Markdown
Contributor

TLA+ spec divergence review (auto-triggered)

This PR touches files that the TLA+ safety spec has an anchor on (per
docs/design/2026_05_28_implemented_tla_safety_spec.md §3),
so an AI review is requested below to verify the implementation has not drifted
from the model.

Anchored files changed in this PR head (5994c04):

  • distribution/catalog.go
  • distribution/catalog_test.go
  • distribution/engine.go
  • distribution/engine_test.go

What to check, by subsystem:

  • kv/hlc*.goNext() must respect the HLC-4 preconditions (i)/(ii)/(iii) from the design doc: bounded skew, logical-counter handoff on leader change (strategy (c) Observe(MaxAppliedHLC)), and the commit-time ceiling fence (fail-closed when wall_now >= physicalCeiling). Any change to the bit layout (48/16), the CAS loop, or the ceiling getter/setter is in scope.
  • kv/coordinator.go, kv/sharded_coordinator.goRunHLCLeaseRenewal, hlcRenewalInterval, hlcPhysicalWindowMs constants, and the new-term detection that calls Observe(fsm.MaxAppliedHLC()) (strategy (c)). Any change to renewal cadence, group selection, or fail-closed behaviour is in scope.
  • kv/transaction.go, kv/lock_resolver.go — OCC commit-ts assignment, lock-map encoding (key, lock_ts) -> start_ts, and the LockResolver action OCC-3 depends on. (M2 spec will land OCC-1..OCC-5; until then the spec doc §5.2 is the contract.)
  • kv/fsm.go — FSM apply of HLC lease entries (SetPhysicalCeiling), and any future MaxAppliedHLC() accessor that strategy (c) needs.
  • store/mvcc_store.go — version visibility, snapshot install, and the MVCC-1..MVCC-4 invariants (M3 scope).
  • distribution/** — route catalog versioning, SplitRange atomicity, and CatalogWatcher async fan-out (M4 scope).

If the change is correct but requires a spec update, edit tla/hlc/HLC.tla (or the corresponding M2..M5 module once landed) and the design doc in the same PR. The tla-check workflow runs the TLC model check on the same paths.


@claude review please verify TLA+ spec divergence per the checklist above.

@codex review please verify TLA+ spec divergence per the checklist above.

@bootjp

bootjp commented Jul 14, 2026

Copy link
Copy Markdown
Owner Author

Addressed the current route-bound grouped reverse scan blocker in 5994c04.

Changes:

  • ShardStore.ScanAtWithReadFence now allows explicit-group reverse scans only when route bounds are present, dispatching them through the route-filtered read-fence path.
  • grouped reverse scans without route bounds continue to fail closed as unsupported/InvalidArgument at the gRPC boundary.
  • added production-path regression coverage for explicit-group route-bound reverse scans.

Validation:

  • go test ./adapter -run 'TestGRPCServer_RawScanAt_(GroupedReverseStaysInvalidArgumentWithReadFenceStore|AllowsRouteBoundGroupedReverseWithReadFenceStore|PreservesFullRangeRouteBoundsPresence)|TestGRPCServer_RawReadFenceHelpers' -count=1 -timeout=180s\n- go test ./kv -run 'TestShardStoreScanAtWithReadFence_(AllowsExplicitGroupRouteBoundReverse|SkipsOutOfRoutePendingLock|BoundsOutOfRouteLockScan|FiltersSuppliedBoundsByRouteKey|RoutesUsingSuppliedBounds|DeduplicatesSameGroupSuppliedBounds)|TestShardStore_ForwardsReadFenceStamps|TestLeaderRoutedStore_ScanAtWithReadFence' -count=1 -timeout=240s\n- go test ./adapter -run 'TestGRPCServer_RawScanAt|TestGRPCServer_RawReadFenceHelpers|Test_grpc_scan' -count=1 -timeout=180s\n- go test ./kv -count=1 -timeout=240s\n- golangci-lint --config=.golangci.yaml run ./adapter ./kv --timeout=5m\n- git diff --check\n- git diff --check HEAD~1..HEAD\n\nCaller audit:\n- RawScanAt remains the gRPC entrypoint; only route-bounded read-fence scans can reach the grouped reverse ShardStore path.\n- ShardStore explicit-group reverse without route bounds still returns ErrNotSupported, preserving the existing unsupported scanner behavior.\n\n@codex review

@chatgpt-codex-connector

Copy link
Copy Markdown

To use Codex here, create a Codex account and connect to github.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5994c0428a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread kv/shard_store.go Outdated
if err != nil {
return nil, nil, errors.WithStack(err)
}
lockStart, lockEnd := scanLockBoundsForKVs(kvs, start, end, limit)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Use reverse-aware lock bounds for routed scans

When this route-filtered path is used for the newly allowed explicit-group reverse scans, this call still computes forward scan lock bounds: for a reverse page containing the highest key (e.g. z) with limit=1, it scans transaction locks from start through z rather than only the reverse page/window. A pending lock on a lower key that would not affect the first reverse result can therefore make the scan return ErrTxnLocked, so route-bound grouped reverse scans can fail incorrectly whenever older/lower keys in the same route are locked.

Useful? React with 👍 / 👎.

Comment thread kv/shard_store.go Outdated
if err != nil {
return nil, err
}
out = appendRouteFilteredKVs(out, kvs, limit, routeStart, routeEnd)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Filter route-bound scans by each route

When supplied route bounds span multiple current route descriptors, each group scan is filtered only by the overall routeStart/routeEnd, not by the specific descriptor being scanned. For an internal-prefix scan over [a,z) after a split such as group1 [a,m) and group2 [m,z), group1 is allowed to return stale raw rows whose normalized route key is in [m,z) because those keys still pass this global filter, so migrated/out-of-route data can leak into route-bound scan results.

Useful? React with 👍 / 👎.

Comment thread distribution/catalog.go

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
adapter/grpc.go (1)

117-127: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

明示的 GroupId 指定時のエラーステータスが後退している。

rawReadFenceGetter/rawReadFenceScanner を実装するストア(例: LeaderRoutedStore)が優先されるようになったため、GroupId != 0 のケースでも従来の「group-aware store が必要」という codes.FailedPrecondition 判定を経由しなくなりました。LeaderRoutedStore.GetAtWithReadFence/ScanAtWithReadFencegroupID != 0 のとき素の store.ErrNotSupported を返すため、errors.WithStack(err) でラップされるだけとなり、クライアントには codes.Unknown 相当の不明瞭なエラーが返ります。

GroupId != 0 の場合はフェンス経路に渡す前に group サポートの有無を確認し、非対応なら以前と同じ FailedPrecondition を返すよう分岐順序を調整することを推奨します。

🐛 修正案 (RawGet)
 	var v []byte
 	var err error
-	if fenceGetter, ok := r.store.(rawReadFenceGetter); ok {
+	groupID := req.GetGroupId()
+	if fenceGetter, ok := r.store.(rawReadFenceGetter); ok && (groupID == 0 || supportsExplicitGroup(r.store)) {
 		v, err = fenceGetter.GetAtWithReadFence(ctx, req.Key, readTS, req.GetGroupId(), r.readRouteVersion(req.GetReadRouteVersion()))
-	} else if groupID := req.GetGroupId(); groupID != 0 {
+	} else if groupID != 0 {
 		groupGetter, ok := r.store.(rawGroupGetter)
 		if !ok {
 			return nil, errors.WithStack(status.Error(codes.FailedPrecondition, "raw get with explicit group requires a group-aware store"))
 		}
 		v, err = groupGetter.GetGroupAt(ctx, groupID, req.Key, readTS)
 	} else {
 		v, err = r.store.GetAt(ctx, req.Key, readTS)
 	}

(rawScanAt にも同様の判定を追加してください)

Also applies to: 198-224

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@adapter/grpc.go` around lines 117 - 127, Update the RawGet branching around
rawReadFenceGetter and the corresponding rawScanAt path so explicit nonzero
GroupId requests validate rawGroupGetter support before entering the read-fence
route. Return the existing FailedPrecondition status when group support is
unavailable, while preserving fence handling for supported stores and current
behavior for requests without an explicit group.
kv/leader_routed_store.go (1)

77-99: 🩺 Stability & Availability | 🔴 Critical | ⚡ Quick win

LeaderRoutedStore の proxy 系 read-fence 呼び出しに context timeout が無い。

proxyRawGetWithReadFence/proxyRawLatestCommitTSWithReadFence/proxyRawScanAtWithReadFence はいずれも呼び出し元の ctx をそのまま gRPC 呼び出しに使用しており、context.WithTimeout が設定されていません。リモートリーダーが応答しない場合、呼び出しが無期限にブロックし続けます。

同じ kv パッケージの kv/shard_store.go にある proxyRawGet/proxyLatestCommitTS/proxyRawScanAtcontext.WithTimeout(ctx, proxyForwardTimeout) を用いて同種のリスクに対処しています。同じ回避策をここにも適用してください。

🔒️ 修正案(3関数共通のパターン)
 func (s *LeaderRoutedStore) proxyRawGetWithReadFence(ctx context.Context, key []byte, ts uint64, readRouteVersion uint64) ([]byte, error) {
 	addr := s.leaderAddrForKey(key)
 	if addr == "" {
 		return nil, errors.WithStack(ErrLeaderNotFound)
 	}
 
 	conn, err := s.connCache.ConnFor(addr)
 	if err != nil {
 		return nil, err
 	}
 
+	ctx, cancel := context.WithTimeout(ctx, proxyForwardTimeout)
+	defer cancel()
 	cli := pb.NewRawKVClient(conn)
 	resp, err := cli.RawGet(ctx, &pb.RawGetRequest{Key: key, Ts: ts, ReadRouteVersion: readRouteVersion})

(proxyRawLatestCommitTSWithReadFenceproxyRawScanAtWithReadFence にも同様に追加)

Also applies to: 120-137, 161-206

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@kv/leader_routed_store.go` around lines 77 - 99, LeaderRoutedStore の
read-fence 付き proxy
呼び出しが無期限に待機しないよう、proxyRawGetWithReadFence、proxyRawLatestCommitTSWithReadFence、proxyRawScanAtWithReadFence
の各 gRPC 呼び出し前に proxyForwardTimeout を使った context.WithTimeout を設定し、生成した context
を呼び出しと適切な解放処理に使用してください。
🧹 Nitpick comments (2)
distribution/catalog.go (1)

785-822: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚖️ Poor tradeoff

新規追加のエラーラップがpkg/errorsを使用しています(ガイドライン上はcockroachdb/errors)。

decodeRouteDescriptorTaildecodeRouteDescriptorV2Tailerrors.WithStack/errors.Wrapfgithub.com/pkg/errors)でラップしています。コーディングガイドラインでは境界部のエラーはgithub.com/cockroachdb/errorsでラップすることが求められています。ただし本ファイル全体が既にpkg/errorsで統一されている既存の傾向であるため、本PR単独での部分的な移行は同一ファイル内で2つの規約が混在する結果になりかねません。ファイル全体の移行が必要な広範な変更であることを踏まえて優先度を判断してください。
As per coding guidelines, "Wrap errors with github.com/cockroachdb/errors at boundaries in Go code".

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@distribution/catalog.go` around lines 785 - 822, Update
decodeRouteDescriptorTail and decodeRouteDescriptorV2Tail to use
github.com/cockroachdb/errors for boundary error wrapping, while migrating all
existing error wrapping in distribution/catalog.go consistently so pkg/errors
and cockroachdb/errors do not remain mixed. Preserve the current error
conditions and messages.

Source: Coding guidelines

distribution/catalog_test.go (1)

172-215: 🗄️ Data Integrity & Integration | 🔵 Trivial | ⚡ Quick win

デコード側での不整合な移行フィールド組み合わせのテスト追加を検討してください。

現行のテストはEncodeRouteDescriptor経由(validateRouteDescriptorによりエンコード前に無効な組み合わせが弾かれる)のみを検証しています。DecodeRouteDescriptorが破損したV2テール(例: staged=1だがmigration_job_id=0)を読み込んだ際にErrCatalogInvalidRouteRecordを返すケースは未検証です。TestRouteDescriptorCodecRejectsV2TrailingBytesのように生バイト列を手動構築して検証を追加すると、永続化データの破損検知の信頼性が高まります。

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@distribution/catalog_test.go` around lines 172 - 215,
DecodeRouteDescriptorの破損V2テール検証を追加し、EncodeRouteDescriptorを経由せず生バイト列を手動構築して、staged=1かつmigration_job_id=0など移行フィールドの不整合な組み合わせを読み込ませるテストを作成してください。DecodeRouteDescriptorがErrCatalogInvalidRouteRecordを返すことを確認し、既存のTestRouteDescriptorCodecRejectsV2TrailingBytesと同様の検証形式にしてください。
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@kv/shard_store.go`:
- Around line 209-220: Update ScanAtWithReadFence to return early for limit <= 0
before entering the reverse/group/bounds route-scan branch, matching the guards
used by other scan paths and preventing negative-capacity allocation in route
filtering.

---

Outside diff comments:
In `@adapter/grpc.go`:
- Around line 117-127: Update the RawGet branching around rawReadFenceGetter and
the corresponding rawScanAt path so explicit nonzero GroupId requests validate
rawGroupGetter support before entering the read-fence route. Return the existing
FailedPrecondition status when group support is unavailable, while preserving
fence handling for supported stores and current behavior for requests without an
explicit group.

In `@kv/leader_routed_store.go`:
- Around line 77-99: LeaderRoutedStore の read-fence 付き proxy
呼び出しが無期限に待機しないよう、proxyRawGetWithReadFence、proxyRawLatestCommitTSWithReadFence、proxyRawScanAtWithReadFence
の各 gRPC 呼び出し前に proxyForwardTimeout を使った context.WithTimeout を設定し、生成した context
を呼び出しと適切な解放処理に使用してください。

---

Nitpick comments:
In `@distribution/catalog_test.go`:
- Around line 172-215:
DecodeRouteDescriptorの破損V2テール検証を追加し、EncodeRouteDescriptorを経由せず生バイト列を手動構築して、staged=1かつmigration_job_id=0など移行フィールドの不整合な組み合わせを読み込ませるテストを作成してください。DecodeRouteDescriptorがErrCatalogInvalidRouteRecordを返すことを確認し、既存のTestRouteDescriptorCodecRejectsV2TrailingBytesと同様の検証形式にしてください。

In `@distribution/catalog.go`:
- Around line 785-822: Update decodeRouteDescriptorTail and
decodeRouteDescriptorV2Tail to use github.com/cockroachdb/errors for boundary
error wrapping, while migrating all existing error wrapping in
distribution/catalog.go consistently so pkg/errors and cockroachdb/errors do not
remain mixed. Preserve the current error conditions and messages.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6b05f09e-f4a9-4b9c-8478-326612490eae

📥 Commits

Reviewing files that changed from the base of the PR and between c9f0d53 and 5994c04.

⛔ Files ignored due to path filters (5)
  • proto/distribution.pb.go is excluded by !**/*.pb.go
  • proto/distribution_grpc.pb.go is excluded by !**/*.pb.go
  • proto/internal.pb.go is excluded by !**/*.pb.go
  • proto/internal_grpc.pb.go is excluded by !**/*.pb.go
  • proto/service.pb.go is excluded by !**/*.pb.go
📒 Files selected for processing (16)
  • adapter/distribution_server.go
  • adapter/distribution_server_test.go
  • adapter/grpc.go
  • adapter/grpc_test.go
  • distribution/catalog.go
  • distribution/catalog_test.go
  • distribution/engine.go
  • distribution/engine_test.go
  • kv/leader_routed_store.go
  • kv/leader_routed_store_test.go
  • kv/shard_store.go
  • kv/shard_store_test.go
  • kv/shard_store_txn_lock_test.go
  • proto/distribution.proto
  • proto/internal.proto
  • proto/service.proto

Comment thread kv/shard_store.go
@github-actions

Copy link
Copy Markdown
Contributor

TLA+ spec divergence review (auto-triggered)

This PR touches files that the TLA+ safety spec has an anchor on (per
docs/design/2026_05_28_implemented_tla_safety_spec.md §3),
so an AI review is requested below to verify the implementation has not drifted
from the model.

Anchored files changed in this PR head (c88f654):

  • distribution/catalog.go
  • distribution/catalog_test.go
  • distribution/engine.go
  • distribution/engine_test.go

What to check, by subsystem:

  • kv/hlc*.goNext() must respect the HLC-4 preconditions (i)/(ii)/(iii) from the design doc: bounded skew, logical-counter handoff on leader change (strategy (c) Observe(MaxAppliedHLC)), and the commit-time ceiling fence (fail-closed when wall_now >= physicalCeiling). Any change to the bit layout (48/16), the CAS loop, or the ceiling getter/setter is in scope.
  • kv/coordinator.go, kv/sharded_coordinator.goRunHLCLeaseRenewal, hlcRenewalInterval, hlcPhysicalWindowMs constants, and the new-term detection that calls Observe(fsm.MaxAppliedHLC()) (strategy (c)). Any change to renewal cadence, group selection, or fail-closed behaviour is in scope.
  • kv/transaction.go, kv/lock_resolver.go — OCC commit-ts assignment, lock-map encoding (key, lock_ts) -> start_ts, and the LockResolver action OCC-3 depends on. (M2 spec will land OCC-1..OCC-5; until then the spec doc §5.2 is the contract.)
  • kv/fsm.go — FSM apply of HLC lease entries (SetPhysicalCeiling), and any future MaxAppliedHLC() accessor that strategy (c) needs.
  • store/mvcc_store.go — version visibility, snapshot install, and the MVCC-1..MVCC-4 invariants (M3 scope).
  • distribution/** — route catalog versioning, SplitRange atomicity, and CatalogWatcher async fan-out (M4 scope).

If the change is correct but requires a spec update, edit tla/hlc/HLC.tla (or the corresponding M2..M5 module once landed) and the design doc in the same PR. The tla-check workflow runs the TLC model check on the same paths.


@claude review please verify TLA+ spec divergence per the checklist above.

@codex review please verify TLA+ spec divergence per the checklist above.

@bootjp

bootjp commented Jul 14, 2026

Copy link
Copy Markdown
Owner Author

レビュー指摘に対応しました。

対応内容:

  • route-filter scan の lock scan 範囲を reverse と可視 limit に合わせて制限
  • route ごとの descriptor 境界で route-filter scan を絞り込み
  • rollout 中の catalog route descriptor v2 書き込みを明示 gate
  • reverse explicit-group route-bound scan の limit<=0 を空結果で扱う

確認:

  • go test ./kv -count=1 -timeout=240s
  • go test ./distribution -count=1 -timeout=180s
  • go test ./adapter -run 'TestDistributionServer|TestGRPCServer_RawScanAt|TestGRPCServer_RawReadFenceHelpers|Test_grpc_scan' -count=1 -timeout=240s\n- golangci-lint --config=.golangci.yaml run ./adapter ./distribution ./kv --timeout=5m\n- git diff --check\n\n@codex review

@chatgpt-codex-connector

Copy link
Copy Markdown

To use Codex here, create a Codex account and connect to github.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c88f654018

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread kv/shard_store.go Outdated
return nil, nil, errors.WithStack(err)
}
filteredKVs := filterRouteScanKVs(kvs, routeStart, routeEnd)
lockStart, lockEnd := scanLockBoundsForKVsDirection(filteredKVs, start, end, visibleLimit, reverse)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Bound route-filtered lock scans to the fetched page

For route-bound scans whose raw storage page is full but filtering leaves fewer than visibleLimit in-route rows, this falls back to the original [start,end) lock range even though the caller is only processing the current raw page. If the scan later would find enough committed in-route rows before a farther pending lock, that farther lock is still scanned here and can make the bounded page return ErrTxnLocked incorrectly; compute the lock window from the raw page/cursor as well as the filtered rows.

Useful? React with 👍 / 👎.

Comment thread kv/shard_store.go
Comment on lines +358 to +360
if _, seen := seenGroups[route.GroupID]; seen {
continue
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Scan every same-group route interval

When supplied route bounds span multiple descriptors that share a GroupID (for example after a same-group split), this de-duplication now skips the later descriptor after the first scan has already narrowed its route filter to only the first descriptor's interval. Keys whose normalized route key falls in the skipped sibling interval are therefore omitted from route-bound forward scans; the reverse path has the same seenGroups pattern and drops the opposite side. Since the current code filters by each descriptor before this skip, same-group routes need either separate descriptor scans or a combined per-group interval filter rather than skipping all later descriptors.

Useful? React with 👍 / 👎.

Comment thread kv/shard_store.go
}

func routeKeyInScanBounds(key []byte, routeStart []byte, routeEnd []byte) bool {
key = routeKey(key)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Normalize wide Redis keys before filtering

For route-bound scans over the wide Redis families (!hs|, !st|, or !zs|), this filter compares the raw internal key because routeKey does not decode the hash/set/zset helper layouts. In a moving range such as [m,z), a row like !hs|meta|...z... sorts before m as raw bytes and is dropped, so migration/read-fence scans miss hash/set/zset state even though the embedded user key is in range; add those family extractors to the route-key normalization used here.

Useful? React with 👍 / 👎.

@github-actions

Copy link
Copy Markdown
Contributor

TLA+ spec divergence review (auto-triggered)

This PR touches files that the TLA+ safety spec has an anchor on (per
docs/design/2026_05_28_implemented_tla_safety_spec.md §3),
so an AI review is requested below to verify the implementation has not drifted
from the model.

Anchored files changed in this PR head (0d130ad):

  • distribution/catalog.go
  • distribution/catalog_test.go
  • distribution/engine.go
  • distribution/engine_test.go

What to check, by subsystem:

  • kv/hlc*.goNext() must respect the HLC-4 preconditions (i)/(ii)/(iii) from the design doc: bounded skew, logical-counter handoff on leader change (strategy (c) Observe(MaxAppliedHLC)), and the commit-time ceiling fence (fail-closed when wall_now >= physicalCeiling). Any change to the bit layout (48/16), the CAS loop, or the ceiling getter/setter is in scope.
  • kv/coordinator.go, kv/sharded_coordinator.goRunHLCLeaseRenewal, hlcRenewalInterval, hlcPhysicalWindowMs constants, and the new-term detection that calls Observe(fsm.MaxAppliedHLC()) (strategy (c)). Any change to renewal cadence, group selection, or fail-closed behaviour is in scope.
  • kv/transaction.go, kv/lock_resolver.go — OCC commit-ts assignment, lock-map encoding (key, lock_ts) -> start_ts, and the LockResolver action OCC-3 depends on. (M2 spec will land OCC-1..OCC-5; until then the spec doc §5.2 is the contract.)
  • kv/fsm.go — FSM apply of HLC lease entries (SetPhysicalCeiling), and any future MaxAppliedHLC() accessor that strategy (c) needs.
  • store/mvcc_store.go — version visibility, snapshot install, and the MVCC-1..MVCC-4 invariants (M3 scope).
  • distribution/** — route catalog versioning, SplitRange atomicity, and CatalogWatcher async fan-out (M4 scope).

If the change is correct but requires a spec update, edit tla/hlc/HLC.tla (or the corresponding M2..M5 module once landed) and the design doc in the same PR. The tla-check workflow runs the TLC model check on the same paths.


@claude review please verify TLA+ spec divergence per the checklist above.

@codex review please verify TLA+ spec divergence per the checklist above.

@bootjp

bootjp commented Jul 14, 2026

Copy link
Copy Markdown
Owner Author

Addressed current-head route-filtered scan blockers in 0d130ad:

  • scan every descriptor when route bounds are present, including adjacent descriptors that share a GroupID
  • normalize Redis hash/set/zset wide-column keys to their logical user key before route-bound filtering
  • bound route-filtered txn lock scans to the fetched raw page before scanning route-filtered locks

Caller audit:

  • routeKey callers checked in sharded coordinator, shard router, FSM routing, and route-filter scan paths; the new normalization is limited to Redis wide-column internal keys and txn-wrapped forms
  • scanLockBoundsForKVsDirection remains unchanged for normal scan/physical-limit paths; page intersection is only used by the route-filtered leader scan path

Validation:

  • go test ./kv -run 'TestRouteKey_NormalizesRedisWideColumnKeys|TestShardStoreScanAtWithReadFence_(ScansSameGroupSuppliedBoundsAcrossRouteIntervals|FiltersWideRedisKeysByUserKey|FiltersSuppliedBoundsByRouteKey|FiltersByEachRouteBounds|AllowsExplicitGroupRouteBoundReverse|SkipsOutOfRoutePendingLock|BoundsOutOfRouteLockScan|BoundsLockScanToCurrentRawPage|ReverseBoundsLockScanToPage)' -count=1 -timeout=240s
  • go test ./kv -count=1 -timeout=300s
  • go test ./adapter -run 'TestGRPCServer_RawScanAt|TestGRPCServer_RawReadFenceHelpers|Test.*Raw.*ReadFence|Test.*RawScan' -count=1 -timeout=240s
  • golangci-lint --config=.golangci.yaml run ./kv ./adapter --timeout=5m
  • git diff --check HEAD~1..HEAD

@codex review

@chatgpt-codex-connector

Copy link
Copy Markdown

To use Codex here, create a Codex account and connect to github.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (2)
kv/shard_store_txn_lock_test.go (1)

421-422: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

コンテキストの再利用

402行目で宣言済みの ctx 変数があるため、新たに context.Background() を呼び出すのではなく、既存の変数を再利用することをお勧めします。

♻️ 修正案
 	startTS := uint64(2)
-	_, err := groups[1].Txn.Commit(context.Background(), []*pb.Request{makePrepareRequest(startTS, left, []byte("left"), left)})
+	_, err := groups[1].Txn.Commit(ctx, []*pb.Request{makePrepareRequest(startTS, left, []byte("left"), left)})
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@kv/shard_store_txn_lock_test.go` around lines 421 - 422, Update the
Txn.Commit call in the test to reuse the existing ctx variable declared earlier
instead of creating a new context.Background() value; leave the surrounding
transaction setup unchanged.
kv/shard_store_test.go (1)

218-254: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚖️ Poor tradeoff

テーブル駆動テストへのリファクタリング(コーディングガイドライン)

コーディングガイドラインにて「*_test.go ではテーブル駆動テストの利用を推奨する」と規定されています。現状、両ファイルに渡って追加された複数のテストは独立した関数(フラットテスト)として実装されています。テストの重複コードを削減し保守性を高めるため、以下の箇所においてテーブル駆動テストへの統合をご検討ください。

  • kv/shard_store_test.go#L218-L254: これらの類似した ScanAtWithReadFence テストを1つのテーブル駆動テストに統合することをご検討ください。
  • kv/shard_store_txn_lock_test.go#L357-L397: ロック境界の走査に関する一連のテストをテーブル駆動テストにまとめることをご検討ください。

As per coding guidelines: **/*_test.go: Unit tests should be co-located with packages in *_test.go files; prefer table-driven test cases.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@kv/shard_store_test.go` around lines 218 - 254,
テストの重複を減らすため、kv/shard_store_test.go の218-254行にある
TestShardStoreScanAtWithReadFence_ScansSameGroupSuppliedBoundsAcrossRouteIntervals
を、入力条件・期待キー・逆順指定などをケース化したテーブル駆動テストへ統合してください。kv/shard_store_txn_lock_test.go
の357-397行にあるロック境界走査テスト群も同様に1つのテーブル駆動テストへまとめ、各ケースの既存の期待結果と検証内容は維持してください。

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@kv/shard_store_test.go`:
- Around line 218-254: テストの重複を減らすため、kv/shard_store_test.go の218-254行にある
TestShardStoreScanAtWithReadFence_ScansSameGroupSuppliedBoundsAcrossRouteIntervals
を、入力条件・期待キー・逆順指定などをケース化したテーブル駆動テストへ統合してください。kv/shard_store_txn_lock_test.go
の357-397行にあるロック境界走査テスト群も同様に1つのテーブル駆動テストへまとめ、各ケースの既存の期待結果と検証内容は維持してください。

In `@kv/shard_store_txn_lock_test.go`:
- Around line 421-422: Update the Txn.Commit call in the test to reuse the
existing ctx variable declared earlier instead of creating a new
context.Background() value; leave the surrounding transaction setup unchanged.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8b905ea6-55e7-46b7-8d7e-d484e764847f

📥 Commits

Reviewing files that changed from the base of the PR and between 5994c04 and 0d130ad.

📒 Files selected for processing (9)
  • adapter/distribution_server.go
  • adapter/distribution_server_test.go
  • distribution/catalog.go
  • distribution/catalog_test.go
  • kv/shard_key.go
  • kv/shard_key_test.go
  • kv/shard_store.go
  • kv/shard_store_test.go
  • kv/shard_store_txn_lock_test.go
🚧 Files skipped from review as they are similar to previous changes (3)
  • adapter/distribution_server_test.go
  • distribution/catalog_test.go
  • kv/shard_store.go

@chatgpt-codex-connector

Copy link
Copy Markdown

Codex Review: Didn't find any major issues. Keep them coming!

Reviewed commit: 0d130ad955

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant