docs(design): propose hotspot split M2 — migration plane

[bootjp]

Summary

• Propose Hotspot Shard Split Milestone 2 — migration plane as a new design doc under docs/design/.
• Scope: cross-group split with BACKFILL / FENCE / DELTA_COPY / CUTOVER / CLEANUP phases, SplitJob persistence, MVCC range export/import, and ErrRouteWriteFenced defense in depth.
• M3 (auto-detection) and M4 (Jepsen hardening) remain in the parent partial doc and are explicitly non-goals here.
• Per CLAUDE.md design-doc-first workflow, this PR is doc-only; implementation lands in M2-PR1..PR7 after the proposal is accepted.

Key design points

• SplitJob durability under !dist|job|<id> so a default-group leader flap resumes mid-migration without operator action.
• Composed-1 alignment at CUTOVER: reuses the catalog-version bump that PR docs(design): rename Composed-1 docs *_proposed_* → *_partial_* (M5a shipped) #927 / fix(kv): Composed-1 verifyOwnerFromSnapshot must routeKey-normalize before OwnerOf (issue #930) #932 already trust. No new gate work.
• Idempotent ImportRangeVersions via persisted import_cursor — a duplicate gRPC retry is a no-op.
• Internal-key coverage via routeKey() equivalence check on every exported row, so !txn|, !lst|, !ddb|, !redis|, !sqs|, !s3| families all land in the right shard.
• Same-group split path stays byte-for-byte M1: target_group_id == 0 or equal to source short-circuits through the existing fast path.

Open questions for reviewers

7 questions called out at §12 — notably: grace-period sizing, abandon-after-cutover policy, backfill-vs-prepare semantics, and MVCCVersion.key_family strict-enum vs numeric.

Test plan

• Doc-only PR — no test runs required.
• Reviewer sign-off on §12 open questions.
• On acceptance, M2-PR1 starts the implementation chain; this doc renames *_proposed_* → *_partial_* once PR1 lands.

Summary by CodeRabbit

• Documentation
  • Added a proposed design doc for cross-group hotspot shard migration: phased migration lifecycle (planned → backfill → fence → delta copy → cutover → cleanup → done/failed), staged shadow keyspace promotion, resumable MVCC export/import with chunked cursors and idempotent resumes, cutover read/write fencing and monotone timestamp handling, background staged-to-live promotion, coordinator-driven job management with recovery modes, comprehensive test plan (unit/integration/Jepsen), and rolling-upgrade readiness gating.

[coderabbitai]

Important

Review skipped

Review was skipped as selected files did not have any reviewable changes.

💤 Files selected but had no reviewable changes (1)

• docs/design/2026_06_11_proposed_hotspot_split_milestone2_migration.md

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3541f672-bb6b-4cf1-83a3-6c1b88bae79d

📥 Commits

Reviewing files that changed from the base of the PR and between c029b3c and 5632dc2.

📒 Files selected for processing (1)

• docs/design/2026_06_11_proposed_hotspot_split_milestone2_migration.md

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Design doc adding a Milestone‑2 migration plane: durable SplitJob state machine and phases, cross-group route/staging semantics, streaming MVCC Export/Import contracts and RPCs, CUTOVER/promote semantics, coordinator/FSM fencing and read-fence, migrator runtime, recovery matrix, test plan, and rollout gating.

Changes

Milestone 2 Migration Design

Layer / File(s)	Summary
Design context and goals docs/design/2026_06_11_proposed_hotspot_split_milestone2_migration.md (lines 1–41)	Document header, background, M2 goals and explicit non-goals (resumability, atomic cross-group relocation, fenced-write retryable behavior).
SplitJob data model and state machine docs/design/2026_06_11_proposed_hotspot_split_milestone2_migration.md (lines 42–85)	Durable SplitJob persisted in default raft group with reserved catalog keys, phase enum, pinned HLC/cursor/progress fields, and job retention/GC semantics.
Route state transitions & staging docs/design/2026_06_11_proposed_hotspot_split_milestone2_migration.md (lines 86–202)	Same-group vs cross-group transitions, catalog non-overlap invariant, staged shadow keyspace, FENCE→DELTA_COPY safety (fence ACK/fence_ts), crash-safety, and CLEANUP GC behavior.
Wire/RPC extensions & job introspection docs/design/2026_06_11_proposed_hotspot_split_milestone2_migration.md (lines 203–313)	SplitRange RPC extensions (target_group_id, job-return semantics), job RPCs (Get/List/Abandon), and streaming ExportRangeVersions / ImportRangeVersions RPCs.
MVCC export/import mechanics & key coverage docs/design/2026_06_11_proposed_hotspot_split_milestone2_migration.md (lines 314–475)	KeyFilter contract, snapshot-consistent ExportVersions, cursor-based resumption, intent exclusion, idempotent ImportVersions keyed by (job_id,cursor), target HLC advancement rules, internal-key bracket planning, per-bracket cursors, and scan-budget pacing.
CUTOVER, staged visibility & promotion docs/design/2026_06_11_proposed_hotspot_split_milestone2_migration.md (lines 476–522)	CUTOVER as a single atomic catalog write enabling staged-to-live MVCC merge semantics, leader-local bounded PromoteStaged proposals with promote_cursor, CLEANUP/DONE gating, and edge-case handling for hot keys and concurrent writes.
Coordinator/FSM fencing and read-fence docs/design/2026_06_11_proposed_hotspot_split_milestone2_migration.md (lines 523–671)	FENCE write rejection (ErrRouteWriteFenced), apply-time verifyRouteNotFenced pre-gate, post-CUTOVER read_route_version read-fence, authoritative ownership checks (heartbeat watermark, equal-stale fix), and scan-interval ownership gate aligned to Composed-1.
Recovery matrix, tests, and self-review docs/design/2026_06_11_proposed_hotspot_split_milestone2_migration.md (lines 672–721)	Idempotency/resumability recovery matrix, unit/integration/Jepsen/property testing plan, and five-lens self-review for M2 risks.
Implementation phasing & rolling-upgrade docs/design/2026_06_11_proposed_hotspot_split_milestone2_migration.md (lines 722–751)	Phased PR touchpoints, cap_migration_v2 capability gating, readiness checks at entry RPCs, and downgrade behavior (pause mid-phase).
Open questions & lifecycle guidance docs/design/2026_06_11_proposed_hotspot_split_milestone2_migration.md (lines 752–779)	Open questions, acceptance criteria, lifecycle naming and git mv guidance for document renames.

Sequence Diagram(s)

sequenceDiagram
  participant Coordinator
  participant SourceStore
  participant TargetStore
  participant Catalog

  Coordinator->>SourceStore: ExportRangeVersions(job_id, start_cursor, KeyFilter)
  SourceStore->>Coordinator: Stream(versions[], cursor)
  Coordinator->>TargetStore: ImportRangeVersions(job_id, cursor, KeyFilter)
  TargetStore->>TargetStore: persist staged MVCC pages (idempotent by job_id+cursor)
  TargetStore->>Catalog: stage shadow keyspace (not bound in catalog until CUTOVER)
  Coordinator->>Catalog: CUTOVER (atomic catalog rebind, commit route_version)
  Catalog->>Coordinator: ack CUTOVER (route_version increment)

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• bootjp/elastickv#905: Jepsen workload and CLI for SplitRange testing referenced by this design.

Poem

A rabbit reads the migration plan with care,
Jobs and cursors hop through MVCC air,
Fences stand firm while chunks drift slow,
Cutover flips the catalog’s glow,
Promoters nudge staged keys to go—🐰

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'docs(design): propose hotspot split M2 — migration plane' clearly and specifically summarizes the main change: proposing a design document for Hotspot Shard Split Milestone 2 focusing on the migration plane.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch docs/hotspot-split-m2-proposal

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request proposes a design document for Milestone 2 of the Hotspot Shard Split feature, focusing on the migration plane. It outlines the data model additions (such as SplitJob), state machine transitions, RPC changes, MVCC range export/import, and coordinator/FSM integration. The review feedback highlights three key areas for improvement: defining a retention or garbage collection policy for completed SplitJob records to prevent unbounded storage growth, decoupling the low-level store package from high-level routing logic by using an interceptor or delegate pattern instead of directly referencing routeKey, and addressing rolling upgrade risks where older M1 nodes might not enforce the WriteFenced state by detailing mitigation strategies such as capability gates.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[gemini-code-assist]

The proposed design persists SplitJob records under !dist|job|<job_id> but does not specify a limit or a garbage collection/retention policy for completed (DONE, FAILED, or abandoned) jobs. Over time, as the cluster performs many hotspot splits, this collection can grow unboundedly. This poses a risk of unbounded storage growth and potential OOM issues when listing or scanning jobs (e.g., via ListSplitJobs).

To prevent unbounded memory and storage growth, please define a fixed bound or a retention/cleanup policy to automatically garbage collect or archive historical job records after a certain period or count.

References

1. To prevent unbounded memory growth and potential OOM issues, apply a fixed bound to collections that can grow from external requests, such as pending configuration changes. Reject new requests when the bound is reached.

[gemini-code-assist]

The proposed design has the low-level store package (store/mvcc_store.go) directly referencing and calling routeKey() to filter keys and map them back to the moving range. This introduces tight coupling between the low-level generic storage package and high-level routing/domain logic.

Per the general rules, to prevent tight coupling between low-level generic packages and high-level domain packages, you should use an interceptor or delegate pattern with interfaces (or function values) defined in the low-level package. For example, ExportVersions can accept an optional, nil-safe key-filter function or delegate interface (e.g., func(key []byte) bool) injected from the high-level package, keeping the store package generic and decoupled.

References

1. To prevent tight coupling between low-level generic packages and high-level domain packages, use an interceptor or delegate pattern with interfaces defined in the low-level package. Ensure the interceptor is optional (nil-safe) so that builds or environments with the high-level feature disabled can run without modification.

[gemini-code-assist]

The design introduces a significant operational risk during rolling upgrades. If a migration job is initiated while some nodes in the cluster are still running the older M1 version, those M1 nodes will not enforce the WriteFenced state (since the FENCE rejection logic is introduced in M2-PR5). This could allow writes to be accepted on the source group during the FENCE/DELTA_COPY phases, leading to silent write loss or inconsistency.

Per the general rules, when a design document identifies a significant operational risk like rolling upgrade incompatibility, it must detail potential mitigation strategies. Please update the design (e.g., in the self-review or as a new section) to include layered mitigations, such as using admin RPC capability gates to prevent starting any SplitRange migration jobs until all nodes have upgraded and advertised M2 capability.

References

1. When a design document identifies a significant operational risk, such as the inability to perform rolling upgrades, it must also detail potential mitigation strategies, like implementing a temporary "bridge" or "proxy" mode.

[bootjp]

Already addressed in §11.1 ("Rolling-upgrade compatibility") landed in commit 93de9b2: cluster-readiness gate at the SplitRange entry RPC keyed on the cap_migration_v2 capability bit in the existing distribution heartbeat, with M2-PR5 as the bit-advertise commit so the gate semantics are safe across rollout. Could you confirm this resolves the finding, or point at what's still uncovered?

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3aca90c833

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Avoid publishing overlapping migration routes

When a cross-group job enters BACKFILL, this plan creates the target right child while leaving the full source route Active, so the catalog snapshot contains overlapping ranges for the moving interval. The current engine does not ignore non-Active states when applying snapshots: routesFromCatalog converts every descriptor and validateRouteOrder rejects any prev.End > curr.Start with ErrEngineSnapshotRouteOverlap (distribution/engine.go:468-523). As written, watchers would fail to apply the first migration catalog snapshot, so the migration cannot progress through the proposed visible route states unless the design keeps the target out of the route snapshot or changes the overlap invariant.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Add a read fence for post-cutover stale routes

If a coordinator or source-group leader has not applied the CUTOVER catalog yet, leaving reads unfenced lets it keep routing the moved key to the source while new writes are already accepted on the target. The current read path resolves the group from the local engine and then serves/proxies the read without carrying an observed catalog version (kv/shard_store.go:38-53, kv/shard_store.go:1471-1477), while the Composed-1 guard cited here only checks mutations in verifyOwnerFromSnapshot (kv/fsm.go:753-773). During the CLEANUP grace window this can return the pre-cutover source value after a successful post-cutover target write, so the design needs a read-side route-version fence/redirect or another mechanism that stops stale source reads for the moved range.

Useful? React with 👍 / 👎.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

docs/design/2026_06_11_proposed_hotspot_split_milestone2_migration.md (2)

108-108: ⚖️ Poor tradeoff

Confirm operational acceptance of one-way CUTOVER.

After CUTOVER completes, the migration cannot be rolled back without implementing a full reverse migration (explicitly out of scope for M2). This means if post-CUTOVER issues arise (e.g., target group instability, data corruption discovered later), the only recovery path is forward through CLEANUP or manual intervention.

Is this operational trade-off acceptable for M2, or should §12 Open Questions include a specific item about post-CUTOVER failure scenarios and operator runbooks?

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/design/2026_06_11_proposed_hotspot_split_milestone2_migration.md` at
line 108, The document currently states that CUTOVER is one-way and rollback
requires a reverse migration; update the design doc to explicitly capture
operational acceptance by either (A) adding a clear sentence in the CUTOVER
paragraph that the team accepts the one-way behavior for M2 and lists recovery
paths (CLEANUP, manual intervention, reverse migration out-of-scope), or (B) add
a new item under §12 Open Questions titled "Post-CUTOVER failure scenarios and
operator runbooks" that requests acceptance criteria, required runbooks, and
escalation steps for issues like target-group instability or latent data
corruption; reference the terms CUTOVER, PLANNED → BACKFILL, AbandonJob, and
CLEANUP so reviewers can locate and verify the change.

---

258-261: ⚖️ Poor tradeoff

Verify sufficiency of routeKey() assertion failure handling.

Lines 260-261 state that if an exported key fails the routeKey() equivalence check, "an assertion failure aborts the job and surfaces in last_error." Per §4 line 106, this puts the job into FAILED state requiring manual operator intervention.

This safety check protects against a future internal-key family being added without updating the exporter. However, silent job abortion may not provide sufficient visibility for this class of bug.

Consider:

1. Is last_error surfaced prominently enough (e.g., via metrics/alerts) to catch this during development/testing?
2. Should dev/test environments panic on this assertion to fail-fast rather than require operator log inspection?
3. Should this be elevated in §12 Open Questions as a code-maintenance concern?

The defensive check is excellent; the question is whether the failure mode provides adequate feedback.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/design/2026_06_11_proposed_hotspot_split_milestone2_migration.md` around
lines 258 - 261, The routeKey() assertion currently aborts the exporter job and
writes to last_error leaving the job in FAILED state; enhance visibility and
fail-fast behavior by (1) emitting a dedicated metric/counter and structured
error log whenever routeKey() mismatches occur (include routeKey, key_family,
and chunk id) so monitoring/alerts can catch it, (2) adding a configurable
dev-only mode on the exporter (e.g., Exporter devFailFast flag or ENV) that
panics/throws immediately instead of only setting last_error to ensure fast
feedback in testing, and (3) document this operational choice in the design
notes (add to §12 Open Questions) so maintainers know to update alerting/ops
runbooks; refer to routeKey(), exporter, last_error and the FAILED job state
when making these changes.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/design/2026_06_11_proposed_hotspot_split_milestone2_migration.md`:
- Around line 76-86: Add a language specifier to the fenced code block that
contains the migration state diagram (the block starting with "source.Active"
and the listed states BACKFILL/FENCE/DELTA_COPY/CUTOVER/CLEANUP) to satisfy
markdownlint MD040; update the opening fence from ``` to something like ```text
(or ```nohighlight) so the block is explicitly marked as plain text.

---

Nitpick comments:
In `@docs/design/2026_06_11_proposed_hotspot_split_milestone2_migration.md`:
- Line 108: The document currently states that CUTOVER is one-way and rollback
requires a reverse migration; update the design doc to explicitly capture
operational acceptance by either (A) adding a clear sentence in the CUTOVER
paragraph that the team accepts the one-way behavior for M2 and lists recovery
paths (CLEANUP, manual intervention, reverse migration out-of-scope), or (B) add
a new item under §12 Open Questions titled "Post-CUTOVER failure scenarios and
operator runbooks" that requests acceptance criteria, required runbooks, and
escalation steps for issues like target-group instability or latent data
corruption; reference the terms CUTOVER, PLANNED → BACKFILL, AbandonJob, and
CLEANUP so reviewers can locate and verify the change.
- Around line 258-261: The routeKey() assertion currently aborts the exporter
job and writes to last_error leaving the job in FAILED state; enhance visibility
and fail-fast behavior by (1) emitting a dedicated metric/counter and structured
error log whenever routeKey() mismatches occur (include routeKey, key_family,
and chunk id) so monitoring/alerts can catch it, (2) adding a configurable
dev-only mode on the exporter (e.g., Exporter devFailFast flag or ENV) that
panics/throws immediately instead of only setting last_error to ensure fast
feedback in testing, and (3) document this operational choice in the design
notes (add to §12 Open Questions) so maintainers know to update alerting/ops
runbooks; refer to routeKey(), exporter, last_error and the FAILED job state
when making these changes.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 70d218ee-479f-4859-864a-0bdc51656929

📥 Commits

Reviewing files that changed from the base of the PR and between f598868 and 3aca90c.

📒 Files selected for processing (1)

• docs/design/2026_06_11_proposed_hotspot_split_milestone2_migration.md

[bootjp]

@claude review — addressed all 6 findings from the gemini / codex / coderabbit reviews in commit 93de9b2:

Codex P1 (line 80, overlapping routes) — §3.2 rewritten so catalog snapshots stay strictly non-overlapping. BACKFILL/DELTA_COPY land in a target-side shadow keyspace (!dist|migstage|<job_id>|<raw_key>); the catalog only gains a NEW WriteFenced route at FENCE-time (split out from source) and the group-rebind is a single atomic CUTOVER write. routesFromCatalog + validateRouteOrder stay green throughout.

Codex P1 (line 277, post-CUTOVER read fence) — added §7.2 with read_route_version on pb.ReadRequest, a parallel verifyReadOwner gate returning ErrRouteMoved{new_route_version, new_group_id}, coordinator-side WatcherRefresh+retry, and a 30s grace window before CLEANUP. Write-side Composed-1 gate untouched (PR #932 Jepsen trust preserved).

Gemini medium (line 51, SplitJob unbounded growth) — added §3.1.1 / §4.2: maxLiveJobs=64 live cap on SplitRange; terminal jobs move to !dist|jobhist|<terminal_at_ms_be>|<id> with maxJobHistory=1k OR historyTTL=7d; once-per-minute sweep.

Gemini medium (line 260, store/routeKey coupling) — store.KeyFilter delegate; ExportVersions takes a nil-safe filter so the store package never imports kv. routeKey() closure built in kv/migrator_filter.go and passed in by the migrator.

Gemini medium (line 346, rolling upgrade) — added §11.1: node_capability_bitfield heartbeat extension; cap_migration_v2 gate at the entry RPC (ErrClusterNotReadyForMigration); bit goes live only at M2-PR5 (the FENCE enforcement commit) so the gate is safe across rollout. Same-group split (M1) unconditionally available.

CodeRabbit minor (line 86, MD040) — all fenced blocks now carry a language tag.

[claude]

Claude finished @bootjp's task in 3m 26s —— View job

---

Review of commit 93de9b2 — addressing 6 prior findings

Todo list

• Load tools
• Read the updated design document
• Verify Codex P1: overlapping routes fix (§3.2 shadow keyspace)
• Verify Codex P1: post-CUTOVER read fence fix (§7.2)
• Verify Gemini medium: SplitJob unbounded growth fix (§3.1.1 / §4.2)
• Verify Gemini medium: store/routeKey coupling fix (KeyFilter delegate)
• Verify Gemini medium: rolling upgrade fix (§11.1 capability gate)
• Verify CodeRabbit minor: MD040 fenced code blocks
• Post comprehensive review

---

Verified: all 6 prior findings are addressed

Finding	Where	Verdict
Codex P1 — overlapping routes	§3.2, shadow keyspace + state diagram	✅ Resolved. Catalog never holds overlapping routes. BACKFILL/DELTA_COPY write only to `!dist
Codex P1 — post-CUTOVER read fence	§7.2 (5 sub-sections)	✅ Resolved. read_route_version stamped on every read, verifyReadOwner gate on source FSM returns ErrRouteMoved, coordinator does WatcherRefresh + one retry, 30 s grace window before CLEANUP. Parallel path from verifyOwnerFromSnapshot preserves Jepsen trust.
Gemini medium — SplitJob unbounded growth	§3.1.1, §4.2	✅ Resolved. maxLiveJobs=64 live cap; terminal jobs moved to `!dist
Gemini medium — store/routeKey coupling	§6.1, §6.3	✅ Resolved. store.KeyFilter nil-safe delegate; ExportVersions takes it as a parameter; kv/migrator_filter.go builds the closure where routeKey() lives; store never imports kv.
Gemini medium — rolling upgrade	§11.1	✅ Resolved. node_capability_bitfield heartbeat extension; cap_migration_v2 bit; cluster-readiness gate at SplitRange entry; mid-migration downgrade pauses the job; bit goes live at M2-PR5 (when FENCE enforcement lands); test plan specified.
CodeRabbit minor — MD040	lines 89, 179, 293, 317, 335	✅ Resolved. All fenced blocks now carry text, proto, or go language tags.

---

New observations on the updated design

P1 — CUTOVER two-step ordering undefined (data-visibility gap)

§3.2 (line 139) says:

CUTOVER promotes the staged data to live keys via a single bulk-rename FSM apply

But the CUTOVER step as described consists of two independent Raft proposals on different groups:

1. Catalog CAS on default group — removes source.WriteFenced(right), inserts target.Active(right), bumps catalog_version.
2. Shadow→live rename on target group — rewrites !dist|migstage|<job_id>|<raw_key> → live keys.

The design does not specify the ordering of these two. If (1) commits before (2), reads routed to the target during the rename window return empty results: the catalog says the target owns the range, but the target's MVCC only has shadow keys. The read fence in §7.2 only redirects stale source reads; it doesn't compensate for the target not yet having live data.

The safe ordering is: (2) commits on the target first, then (1) executes on the default group — by the time routing switches, all data is live on the target. But:

• This ordering must be explicit in the design.
• The migrator must confirm target-group apply before proposing the catalog write.
• If a leader flap occurs between (2) committed and (1) proposed, the new migrator resumes and must re-check whether the target rename already landed (idempotent) before re-proposing the catalog write.

Suggest: add a §7.5 (or a sub-bullet in §4's CUTOVER row) that specifies: "Target bulk-rename commits first (raft.Status().Applied ≥ rename_index observed by migrator), then default-group catalog CAS. Migrator confirms applied index on the target leader before proposing the catalog write; on resume it re-checks whether rename already landed via a sentinel key !dist|migstage|<job_id>|committed."

Medium — Grace window inconsistency (§7.2.4 vs §4 vs Open Question 3)

Three places cite the CLEANUP grace default and they disagree:

Location	Value
§4 table, CLEANUP row (line 158)	60 s
§7.2.4 (line 389)	30 s
Open Question 3 (line 504)	60 s

Pick one and make them consistent. Whichever wins should also answer Open Question 3 (or at least note the reasoning). For reference: hlcPhysicalWindowMs = 3 s, lease TTL is typically ~3 s too; 30 s (10×) is already very conservative. If 30 s wins, Open Question 3 can be closed.

Fix this →

Medium — "Wait until applied" in §7.2.2 under-specified

the FSM treats read_route_version > local as a "wait until applied" (bounded by lease TTL) before answering

How is this wait implemented? Options include an applied-index condition variable, a short retry loop with a timeout, or a channel signalled by the FSM apply goroutine. The choice affects:

• Read latency during CUTOVER propagation (commit CPU, GC pause, etc.)
• What happens if the applied index never catches up within the lease TTL (timeout → ErrRouteMoved? ErrTimeout?)

A one-sentence note (e.g., "implemented as a condition-variable wait on the FSM's appliedIndex, timedout by min(remaining_lease_TTL, 200ms)") would make this reviewable.

Minor — !dist| prefix on target-group import cursor (§6.2)

Line 321 stores the import cursor as !dist|job|<id>|import_cursor in the target group's MVCC, but the !dist| prefix is associated throughout the codebase with the default group's catalog. A reader scanning the target group's MVCC (or a future operator tool) could confuse these for catalog entries. Consider a distinct prefix scoped to the target — e.g., !migstage|cursor|<id> — to avoid confusion and to prevent any future catalog scanner (distribution/catalog.go) from trying to decode them.

---

Summary

All 6 findings from the prior reviews are properly addressed and the design is substantially improved. The main item to resolve before implementation starts is the CUTOVER two-step ordering (target rename must commit before the catalog write; the design should specify this ordering and how it survives a leader flap). The grace-window inconsistency is a quick cleanup. The other two observations are low-risk and can be addressed in the design doc without blocking M2-PR1.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 93de9b2d2e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Advance target HLC when importing versions

When the source range contains commit timestamps higher than the target group's current LastCommitTS/HLC, this import contract only writes versions and an idempotency cursor, but does not require the target to observe the max imported commit_ts. Since the existing FSM observes commit timestamps only after normal pb.Request applies, a migration import path can leave the target clock below the staged data; after CUTOVER the first target write can receive a lower timestamp than an imported older value, causing MVCC time travel where later reads resurrect the pre-cutover value. The import apply needs to atomically advance metaLastCommitTS and the target HLC (or otherwise fence new writes) to at least the max imported timestamp before the route becomes active.

Useful? React with 👍 / 👎.

[bootjp]

Fixed in commit 17b0719 — added §6.2.1 "Target HLC advancement": ImportVersions now atomically advances both metaLastCommitTS and the HLC ceiling (hlc.SetPhysicalCeiling) to max(batch.commit_ts) under the same FSM apply lock as the MVCC writes. SplitJob carries a monotone max_imported_ts witness, and CUTOVER is gated on a final SetPhysicalCeiling(max_imported_ts) proposal on the TARGET group before the catalog CAS — so post-CUTOVER Next() is provably greater than every imported ts. Reuses the existing Composed-1 monotone-ceiling primitive (PR #927) — no new fence.

[chatgpt-codex-connector]

Make the export cursor address MVCC versions

The job cursor is defined as a next-key cursor, but an MVCC export can contain many committed versions for the same raw key. If a hot key's history exceeds chunkBytes, resuming by key alone either has to keep that entire key history in one unbounded chunk or risks skipping/duplicating the remaining versions after a restart; the API should make the cursor opaque over the encoded MVCC position (raw key plus commit timestamp) or explicitly require chunks never split a key's full version history.

Useful? React with 👍 / 👎.

[bootjp]

Fixed in commit 17b0719 — added §6.1.1 "Cursor granularity": the cursor now encodes (raw_key, commit_ts) and the exporter iterates (raw_key ASC, commit_ts DESC) with exclusive-resume semantics. Chunks may contain only versions of one raw key without an all-or-nothing constraint on the history — the next chunk continues at the next-older commit_ts of the same key. The SplitJob row was updated accordingly. Opaque encoding so the store-side type stays []byte and the exporter alone owns the codec (preserves the §6.1 store/kv decoupling seam).

[bootjp]

@claude review — round 2:

• codex P1 line 323 (HLC target advancement) — fixed in commit 17b0719 / §6.2.1. ImportVersions atomically advances metaLastCommitTS + hlc.SetPhysicalCeiling under the FSM apply lock; SplitJob carries max_imported_ts; CUTOVER is gated on a final SetPhysicalCeiling proposal on the target group before the catalog CAS. Reuses the Composed-1 monotone-ceiling primitive (PR docs(design): rename Composed-1 docs *_proposed_* → *_partial_* (M5a shipped) #927).
• codex P2 line 66 (cursor MVCC granularity) — fixed in commit 17b0719 / §6.1.1. Cursor encodes (raw_key, commit_ts) with exclusive-resume semantics, so a hot key's history can span chunks safely.
• gemini medium line 467 (rolling upgrade) — already covered by §11.1 (commit 93de9b2). Asked the reviewer to confirm via inline reply.

[claude]

Claude finished @bootjp's task in 2m 51s —— View job

---

Review — Round 2

Todo list

• Load tools
• Read the updated design document (commit 17b0719)
• Verify Codex P1 (§6.2.1): HLC target advancement during ImportVersions
• Verify Codex P2 (§6.1.1): Cursor MVCC granularity (raw_key, commit_ts)
• Confirm Gemini medium (§11.1): rolling upgrade capability gate
• Check status of P1 (CUTOVER two-step ordering) from prior review
• Check status of medium findings from prior review (grace window inconsistency, wait-until-applied, !dist| prefix)
• Post comprehensive review

---

Round-2 items — all three verified

Finding	Section	Verdict
Codex P1 — HLC target advancement	§6.2.1 (lines 357–371)	✅ Fully resolved. Per-batch SetPhysicalCeiling under FSM apply lock, max_imported_ts witness in SplitJob, CUTOVER precondition proposal on target, and the post-CUTOVER Next() invariant are all explicit. Reuses the Composed-1 monotone-ceiling primitive cleanly. Test plan in kv/migrator_hlc_advance_test.go covers the three necessary assertions.
Codex P2 — cursor MVCC granularity	§6.1.1 (lines 325–337)	✅ Fully resolved. Cursor encodes (raw_key, commit_ts) as opaque bytes, iterates (raw_key ASC, commit_ts DESC), exclusive-resume semantics. Hot-key safe, resume-safe, encoding is forward-extensible. store type stays []byte; decoupling seam from §6.1 preserved.
Gemini medium — rolling upgrade	§11.1 (lines 531–543)	✅ Fully resolved. node_capability_bitfield + cap_migration_v2 gate, cluster-readiness check at SplitRange entry, mid-migration downgrade pause, PR1–PR5 ordering constraint to prevent premature bit advertisement, test plan in distribution/capability_test.go. Confirmed.

---

Remaining items from prior review

P1 — CUTOVER bulk-rename ordering still implicit (unresolved)

The prior review flagged that the CUTOVER step on two different Raft groups must be sequenced: target bulk-rename first, then catalog CAS — otherwise there is a window where the catalog says the target owns the range but the target's MVCC only has shadow keys, making reads to the target return empty results.

The current doc has moved closer but the ordering is still not stated explicitly in the §3.2 CUTOVER description. §6.2.1 (line 367) says SetPhysicalCeiling is "the last target-side write before CUTOVER" — this implies the bulk-rename happened earlier, but the §3.2 diagram only lists:

DELTA_COPY → CUTOVER:
  1. SetPhysicalCeiling on TARGET (last target-side write)
  2. Catalog CAS on default group

It does not list (0) bulk-rename migstage → live keys on TARGET. The two-line note on line 147 ("CUTOVER promotes the staged data to live keys via a single bulk-rename FSM apply") is the only mention of this step, and it's detached from the CUTOVER phase breakdown.

The safe and intended ordering is:

1. Bulk-rename (!dist|migstage|<job_id>|* → live keys) on target group — must complete and be observed by migrator before step 2
2. SetPhysicalCeiling(max_imported_ts) on target group
3. Catalog CAS on default group

Steps 2 and 3 are specified, step 1 is not. Without step 1 appearing in the CUTOVER sequence, an implementer working from §3.2 alone could issue the catalog CAS before the rename is applied, creating the data-availability gap. The leader-flap resume case (new migrator checking whether rename already landed before re-proposing the catalog write) also needs to be specced.

Suggested fix: add a (0) bullet to the §3.2 CUTOVER diagram, and add one sentence in §4's CUTOVER crash-safety row covering how the migrator confirms the target rename was applied before issuing the catalog CAS on resume.

Fix this →

Medium — Grace window inconsistency (still unresolved)

Three locations cite the CLEANUP grace default and they still disagree after commit 17b0719:

Location	Line	Value
§4 table, CLEANUP row	166	60 s
§7.2.4	434	30 s
§12 Open Question 3	549	60 s

§7.2.4 was updated with a rationale ("comfortably exceed both lease TTL and watcher tick × 2") but the value there (30 s) still disagrees with the other two (60 s). Pick one and update all three; if 30 s wins, close Open Question 3 with the chosen rationale.

Fix this →

Minor — !dist| prefix on target-group import cursor (still unresolved)

Line 347 stores the import cursor as !dist|job|<id>|import_cursor in the target group's MVCC store, but !dist| is the convention for default-group catalog keys throughout the codebase. A future operator tool scanning the default-group catalog, or distribution/catalog.go's key parsers, could misparse these. Suggest a target-scoped prefix such as !migstage|cursor|<id> to avoid confusion. Low risk, quick rename.

Fix this →

Medium — "Wait until applied" still a one-liner

§7.2.2 (line 426) still reads only: "the FSM treats read_route_version > local as a 'wait until applied' (bounded by lease TTL) before answering". The implementation mechanism (condition variable on applied index? retry loop? channel?) and the timeout semantics (what error surfaces if the timeout fires — ErrRouteMoved or ErrTimeout?) remain unspecified. Given how much implementation detail the rest of the doc provides, a single sentence here under-specs the read-path hot case. A one-line elaboration (e.g., "condition-variable wait on the FSM's appliedIndex, timed out by min(remaining_lease_TTL, 200ms); on timeout, re-evaluate ownership and return ErrRouteMoved if still not owned") would make this reviewable.

---

Summary

All three round-2 items are properly verified. Two of the four items from the prior review remain open: the CUTOVER bulk-rename ordering (P1 — needs an explicit step in the §3.2 diagram + resume semantics in §4) and the grace window inconsistency (medium — three locations cite different defaults). The !dist| prefix collision and the wait-until-applied spec are low-risk and can be addressed in the same pass.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 17b0719055

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Reject fenced writes even when the route version is unpinned

This FSM-side fence is described as an extension of verifyOwnerFromSnapshot, but today verifyComposed1 returns before that helper when ObservedRouteVersion == 0. There are still intentional zero-version write paths (for example read/write txns with ReadKeys, caller-supplied StartTS, or resolver-claimed keys in kv/sharded_coordinator.go:694-754), so a stale coordinator in those contexts can forward a write to the source during FENCE and the proposed FSM defense will not run. The fence check needs to be on an unconditional apply path, or the design needs to require all mutation flows to carry a nonzero observed route version before cross-group split is enabled.

Useful? React with 👍 / 👎.

[bootjp]

Fixed in commit c16e1c4. §7.1 now introduces verifyRouteNotFenced as a SEPARATE, unconditional pre-gate ahead of verifyComposed1 — not an extension of verifyOwnerFromSnapshot. It scans mutations with routeKey() against the current catalog snapshot and rejects ErrRouteWriteFenced for any key whose route is WriteFenced, with the same Phase_ABORT bypass and NO dependency on ObservedRouteVersion. So the zero-version write flows in kv/sharded_coordinator.go:694-754 (ReadKeys, caller-supplied StartTS, resolver-claimed keys) are covered — the gate runs on every applied write request unconditionally. The two gates stay independent so a future change to one cannot regress the other.

[chatgpt-codex-connector]

Avoid an unbounded CUTOVER bulk rename

Staging every imported row under !dist|migstage|... and then promoting the whole range via a single FSM apply makes CUTOVER proportional to the entire migrated range. For any split larger than the Raft proposal/apply budget, this defeats the chunked BACKFILL/DELTA_COPY design and can block or fail exactly when the catalog must switch atomically. The design should avoid a per-key bulk move at cutover, or make the staged-to-live promotion incremental while preserving the visibility fence.

Useful? React with 👍 / 👎.

[bootjp]

Fixed in commit c16e1c4. New §6.4 "Incremental staged-to-live promotion": CUTOVER is O(1) — just a catalog version bump + route swap + set staged_visibility_active on the new target route, NO per-key work. Reads use a staged-fallback through the per-route bit so imported data is visible the instant CUTOVER lands. A leader-local promoter on the target group walks !dist|migstage|<job_id>|* in cursor-resumable chunks (same chunkBytes / pacing as BACKFILL) and proposes one bounded PromoteStaged Raft entry per batch — never a single oversized apply. CLEANUP → DONE waits for the promoter to drain AND the grace window AND the staged_visibility_active flag clear. SplitJob picks up promote_cursor + promotion_completed_ts for resumability and audit.

[bootjp]

@claude review — round 3 (2 codex findings on commit 17b0719):

• codex P1 line 407 (FENCE on unconditional path) — fixed in commit c16e1c4. §7.1 introduces verifyRouteNotFenced as a SEPARATE pre-gate ahead of verifyComposed1, with NO dependency on ObservedRouteVersion — so the zero-version write paths in kv/sharded_coordinator.go:694-754 (ReadKeys / caller-supplied StartTS / resolver-claimed keys) are covered.
• codex P2 line 147 (unbounded CUTOVER bulk rename) — fixed in commit c16e1c4. New §6.4 "Incremental staged-to-live promotion": CUTOVER is O(1) — catalog version bump + route swap + flag set, no per-key work. Reads use a staged-fallback through the per-route staged_visibility_active bit; a leader-local promoter on the target group drains the staged prefix in cursor-resumable chunks. CLEANUP waits for the promoter to drain. SplitJob picks up promote_cursor + promotion_completed_ts.

[claude]

Claude finished @bootjp's task in 3m 56s —— View job

---

Review — Round 3

Todo list

• Load tools
• Read updated design document (commit c16e1c4)
• Verify Codex P1 (§7.1): verifyRouteNotFenced unconditional pre-gate
• Verify Codex P2 (§6.4): Incremental staged-to-live promotion / O(1) CUTOVER
• Check remaining items from round 2 (CUTOVER ordering, grace window, !dist| prefix, wait-until-applied)
• Post comprehensive review

---

Round-3 items — both verified

Finding	Section	Verdict
Codex P1 — FENCE on unconditional path	§7.1 (lines 440–445)	✅ Resolved. verifyRouteNotFenced is explicitly a separate pre-gate that runs before verifyComposed1 with no dependency on ObservedRouteVersion. The apply path is verifyRouteNotFenced → verifyComposed1 → existing handlers. The zero-version write flows (ReadKeys, caller-supplied StartTS, resolver-claimed keys in kv/sharded_coordinator.go:694-754) are covered. The gates are kept independent so a future change to one cannot regress the other. The M3 path to eventually collapse the ObservedRouteVersion == 0 short-circuit is also called out.
Codex P2 — unbounded CUTOVER bulk rename	§6.4 (lines 396–427)	✅ Resolved. CUTOVER is explicitly O(1) — a single catalog write that sets staged_visibility_active = true and swaps routes. No iteration over migrated data. Background incremental promoter on the target group drains the staged prefix in cursor-resumable chunks using the same chunking/pacing/cursor codec as BACKFILL. CLEANUP → DONE requires promoter drain + staged_visibility_active cleared. The staged-fallback read path provides correct visibility during promotion.

---

Prior round-2 P1 — CUTOVER two-step ordering: resolved by §6.4

The round-2 P1 flagged that "target bulk-rename must commit before the catalog CAS" to avoid a data-availability gap. §6.4 eliminates the bulk-rename entirely: CUTOVER sets staged_visibility_active on the target route, and reads immediately use the staged-fallback path for any key not yet promoted. There is no window where the catalog says the target owns the range but data is unavailable — the staged prefix is there from the moment staged_visibility_active is set.

The CUTOVER sequence (§3.2, lines 120–134) now correctly specifies: SetPhysicalCeiling(max_imported_ts) on target → catalog CAS. This ordering is resilient to leader flap: max_imported_ts is persisted in SplitJob, so a new migrator can re-issue the SetPhysicalCeiling (idempotent — monotone) and then the catalog CAS. Round-2 P1 is closed. ✅

---

New P1 — §6.4 step 3 "no-op when a later live write has shadowed it" can lose MVCC history

§6.4 step 3 (line 411) says the PromoteStaged apply is a "no-op when a later live write has already shadowed it". This is incorrect for MVCC correctness.

Scenario:

• Staged key K at commit_ts = 3 (imported from source).
• Live write K at commit_ts = 10 (post-CUTOVER client write, guaranteed > max_imported_ts by §6.2.1).
• PromoteStaged runs and sees the live version at ts=10 → skips copy → deletes staged version at ts=3.
• staged_visibility_active is later cleared (CLEANUP → DONE).
• Client reads K at read_ts = 5: staged-fallback is gone; live namespace only has ts=10 (newer than read_ts); MVCC snapshot read at ts=5 returns not found — the ts=3 value has been permanently dropped.

The "shadow" optimization is safe only for a last-write-wins (non-MVCC) store. In an MVCC store with snapshot read semantics, every version of a key must be preserved across its valid range. The correct guard is idempotency: "no-op if the staged version has already been copied to the live namespace (checked by the presence of a live version at the same commit_ts)."

The fix is two parts:

1. Replace the "shadowed" clause: "no-op if a live version at the same commit_ts already exists (idempotent resume after a leader flap)."
2. Clarify that PromoteStaged must always copy the staged version to live, regardless of whether a newer live version exists — the MVCC store naturally holds both versions without conflict.

The MVCC compaction GC (kv/compactor.go) will eventually prune versions older than its configured retention horizon; that is the correct place for history pruning, not the promoter.

Fix this →

---

Remaining from round 2 (three items still open)

Medium — Grace window inconsistency (unresolved, 3rd flag)

Three locations still disagree after commit c16e1c4:

Location	Line	Value
§4 table, CLEANUP row	168	60 s
§7.2.4	472	30 s (with rationale: "comfortably exceed both lease TTL and watcher tick × 2")
§12 Open Question 3	587	60 s

§7.2.4 has a clear rationale for 30 s. If 30 s is the chosen value: update §4 line 168 to 30 s and close Open Question 3 with the chosen value + rationale. If 60 s is the chosen value: update §7.2.4 to 60 s and reconcile the rationale. Either way, one pass to make all three locations consistent and close OQ3.

Fix this →

Minor — !dist| prefix on target-group import cursor (unresolved, 3rd flag)

Line 348 stores the import cursor as !dist|job|<id>|import_cursor in the target group's MVCC store, but !dist| is the default-group catalog namespace throughout the codebase. A future operator tool scanning the default-group catalog or distribution/catalog.go's key parsers would misparse this as a catalog entry. Suggest renaming to a target-scoped prefix such as !migstage|cursor|<id> — requires a one-line change in the spec.

Fix this →

Medium — "Wait until applied" still a one-liner (unresolved, 3rd flag)

§7.2.2 (line 464) still reads: "the FSM treats read_route_version > local as a 'wait until applied' (bounded by lease TTL) before answering." The implementation mechanism (condition variable on applied index? channel from FSM apply goroutine? short retry loop?) and the timeout error type (is it ErrRouteMoved or a distinct ErrTimeout?) remain unspecified. Given the level of implementation detail elsewhere in the doc, one sentence would close this: e.g., "condition-variable wait on the FSM's appliedIndex signalled by the apply goroutine, timedout by min(remaining_lease_TTL, 200ms); on timeout, re-evaluate ownership — if still not owned, return ErrRouteMoved."

---

Summary

Both round-3 items are verified and properly addressed. The §6.4 incremental promotion design is a clean solution to the codex P2 bulk-rename concern and the round-2 CUTOVER ordering concern — both are closed as side effects of the redesign.

One new P1 emerges from §6.4: the PromoteStaged "no-op when shadowed" clause loses MVCC history versions that older snapshot reads still need — requires a targeted wording fix (change "shadowed" to "already at same commit_ts in live"). Three items from round 2 remain open (grace window, !dist| prefix, wait-until-applied). All are quick editorial fixes that can go in one commit.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c16e1c4335

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Scan internal families outside raw route bounds

For splits whose logical range is a normal user-key interval such as [foo, bar), this raw [start, end) MVCC iterator never visits keys like !redis|str|foo, !lst|...foo, or !txn|lock|foo, because those prefixes sort outside the user-key range before the routeKey() filter can accept them. That means the proposed migration can cut over without copying internal state that routes to the moved key, causing data loss or broken adapter invariants; the export needs to scan the relevant internal-family prefixes or use a route-key-indexed traversal rather than relying on a raw-range scan plus filter.

Useful? React with 👍 / 👎.

[bootjp]

Fixed in commit 231e9a5. New §6.3.1 "Internal-family brackets": migration now runs MULTIPLE parallel exports per phase, one per relevant raw-key family (user-key, !txn|lock|, !txn|cmt|, !txn|rb|, !txn|meta|, !txn|int|, !lst|meta|, !lst|itm|, !redis|, !ddb|item|, !ddb|gsi|, !sqs|, !s3|), each driven by the same KeyFilter so routeKey() remains the single source of truth. PlanExportBrackets() returns the bracket list; per-bracket opaque cursors + done flags on the SplitJob allow independent resumability. Bracket count is small (~12 today) and fan-out parameter caps parallelism. A future adapter MUST add its bracket at the same PR that teaches routeKey() its family.

[chatgpt-codex-connector]

Reject reads when both caller and source are stale

This condition only rejects when the request version is older than the source FSM's local catalog version, so it misses the common post-CUTOVER case where both the coordinator and the source group have only applied the pre-CUTOVER/FENCE version. In that window another coordinator that has refreshed can already write the key on the target, while this stale coordinator routes a read to the stale source and the source serves the old value because read_route_version == local_version; the read fence needs an authoritative cutover/ownership check that also catches equal-stale source reads during the grace window.

Useful? React with 👍 / 👎.

[bootjp]

Fixed in commit 231e9a5. §6.4 step 2 rewritten: the staged area now participates in MVCC MERGE — newest commit_ts wins. The read takes the newest live version with commit_ts ≤ read_ts AND the newest staged version with commit_ts ≤ read_ts and returns whichever has the greater commit_ts. Four read_ts cases enumerated to prove correctness (live_write.ts > max_imported_ts > staged.ts; merge correctly surfaces live for read_ts ≥ live.ts and staged for read_ts ∈ (max_imported_ts, live.ts)). Per-family adapter invariants preserved via the key_family dispatch.

[chatgpt-codex-connector]

Merge staged and live MVCC versions on reads

Looking in the staged keyspace first and falling back to live only when staged is absent makes post-CUTOVER reads return stale imported versions after any live write to the same key, until promotion deletes the staged entry. For a read timestamp after the live write's commit timestamp, both staged and live versions exist and the newest live version must win, so the read path needs to merge/compare the staged and live MVCC candidates by commit timestamp instead of treating staged presence as authoritative.

Useful? React with 👍 / 👎.

[bootjp]

Fixed in commit 231e9a5. §7.2.2 replaces the strict-less-than version check with an authoritative ownership check. When source has applied CUTOVER → unconditional ErrRouteMoved. When source has NOT applied CUTOVER but the heartbeat-piggybacked max_cutover_version_seen indicates a possible stale read → run GetRouteOwnership(routeKey(K), max_cutover_version_seen) against the default-group leader (cached one second). New §7.2.2a walks through the exact 7-step equal-stale scenario (t=0..6) showing the watermark + ownership-query path catches the case the original rule missed.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 231e9a5729

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Convert HLC timestamps before setting the physical ceiling

This passes batchMax/max_imported_ts as a full HLC commit timestamp into hlc.SetPhysicalCeiling, but the current HLC stores that field as Unix milliseconds and Next() later shifts it as the physical part (kv/hlc.go). For any imported timestamp with logical bits set or even a normal ms<<16 encoding, this advances the target ceiling to an artificial far-future millisecond, causing subsequent writes to jump to roughly commit_ts<<16 and weakening the lease-ceiling fence until wall time catches up. The import path should either Observe the full HLC timestamp or pass only its physical millisecond component to SetPhysicalCeiling.

Useful? React with 👍 / 👎.

[bootjp]

Fixed in commit 44e6125. §6.2.1 step 1 now passes hlcPhysicalMs(batchMax) = int64(batchMax >> 16) to SetPhysicalCeiling (the same shift HLC.Next() uses to extract the physical half, kv/hlc.go:128-145) AND calls hlc.Observe(batchMax) for the local clock's last-issued value. Step 3 (CUTOVER precondition) uses the same conversion. Both functions are monotone so duplicates/out-of-order are safe.

[chatgpt-codex-connector]

Bound sparse internal-family export scans

This claims an internal-family bracket with no matching keys returns immediately, but the proposed brackets are family-wide and the only narrowing happens after iteration through routeKey(). In a cluster with a large SQS/Redis/etc. prefix outside the moving range, an export for a range with no accepted keys must scan that whole raw prefix to prove done=true because rejected rows do not count toward chunkBytes, making a single chunk unbounded in CPU/I/O and defeating the migration pacing guarantees. The exporter needs a route-key-indexed traversal or a separate scan budget that advances the cursor over rejected rows.

Useful? React with 👍 / 👎.

[bootjp]

Fixed in commit 44e6125. §6.3.1 ships two layers: (1) Scan-budget pacing — each ExportVersions call carries a separate maxScannedBytes (default 4× chunkBytes) that counts both accepted and rejected rows; iterator returns at the budget with cursor advanced over the rejected tail. (2) Per-family EncodeBracketStart hook tightens family-wide bounds to the moving-slice band where the family layout allows it. Layer (1) alone is sufficient for correctness; (2) is the optimization per adapter PR. New metrics: keys per bracket + rejected_rows per bracket.

[bootjp]

@claude review — round 4 (3 codex P1 on commit c16e1c4):

• line 310 (internal families outside raw bounds) — fixed in 231e9a5. New §6.3.1: per-family export brackets driven by the same KeyFilter; PlanExportBrackets() returns the list; per-bracket cursors + done flags. Adapter follow-ons MUST add their bracket at the same PR that teaches routeKey() the new family.
• line 408 (staged + live MVCC merge) — fixed in 231e9a5. §6.4 step 2 rewritten: staged participates in MVCC merge by commit_ts. Four read_ts cases enumerated to prove correctness.
• line 459 (equal-stale read fence) — fixed in 231e9a5. §7.2.2 now uses authoritative ownership check + heartbeat-piggybacked max_cutover_version_seen watermark + GetRouteOwnership RPC (1s cache). §7.2.2a walks through the exact 7-step equal-stale scenario.

[claude]

Claude finished @bootjp's task in 5m 5s —— View job

---

Claude finished @bootjp's task in 3m — View job

---

Review — Round 4

Todo list

• Load tools
• Read updated design document (commit 231e9a5)
• Verify line 310 fix (§6.3.1): internal-family export brackets
• Verify line 408 fix (§6.4 step 2): staged + live MVCC merge by commit_ts
• Verify line 459 fix (§7.2.2): authoritative ownership check + watermark
• Check new Codex findings on commit 231e9a5 (HLC physical ceiling, sparse scan bound)
• Check remaining items from round 3 (PromoteStaged shadow clause, grace window, !dist| prefix, wait-until-applied)
• Post comprehensive review

---

Round-4 items — all three verified

Finding	Section	Verdict
Codex P1 — internal families outside raw bounds	§6.3.1 (lines 394–447)	✅ Resolved. PlanExportBrackets() returns one ExportBracket per key family (~12 total); each bracket is a family-wide raw-key band and the KeyFilter delegate narrows it to the moving range. Per-bracket opaque cursors + done flags on the SplitJob allow independent resumability. Phase advances only when every bracket is done=true. The "adapter MUST add bracket at the same PR that teaches routeKey() the new family" enforcement invariant is explicit. Safety assertion (every exported key maps back via routeKey()) still runs per-row.
Codex P1 — staged + live MVCC merge	§6.4 step 2 (lines 461–474)	✅ Resolved. Staged area participates as a second MVCC source; newest commit_ts wins. Four read_ts cases are enumerated and each is proven correct. The earlier "staged-first-then-live-fallback" is explicitly called out as wrong and replaced. Per-family adapter helpers follow the same merge rule.
Codex P1 — equal-stale read fence	§7.2.2 + §7.2.2a (lines 523–558)	✅ Resolved. Authoritative ownership check via heartbeat-piggybacked max_cutover_version_seen watermark + GetRouteOwnership RPC (1 s cache). §7.2.2a walks through the exact 7-step equal-stale scenario proving the watermark + ownership-query path catches what the strict-less-than form missed.

---

New P1 — SetPhysicalCeiling receives a full HLC timestamp, not Unix ms (confirmed by code)

I read kv/hlc.go to verify the codex P1 finding on commit 231e9a5 (line 367):

// SetPhysicalCeiling atomically advances the Raft-agreed physical ceiling.
// ...
func (h *HLC) SetPhysicalCeiling(ms int64) {
    for {
        prev := h.physicalCeiling.Load()
        if ms <= prev {
            return
        }
        ...
    }
}

SetPhysicalCeiling takes Unix milliseconds (int64), and physicalCeiling is stored and compared directly against time.Now().UnixMilli() inside nextLocked. The HLC commit timestamp layout is (unix_ms << 16) | logical_counter — the same shift constant the code calls hlcLogicalBits = 16.

§6.2.1 (line 367) says:

calls hlc.SetPhysicalCeiling(batchMax) … batchMax = max(versions[i].commit_ts)

batchMax is a full HLC timestamp with format ms<<16 | logical. Passing it directly to SetPhysicalCeiling sets the ceiling to (ms<<16 | logical) milliseconds, which is on the order of ms × 65536 — roughly 3.5 billion years in the future. Subsequently, nextLocked clamps nowMs = ceiling because wall time is always below this, producing:

next = (batchMax_as_ms_value << 16) | 0

which is an astronomically wrong timestamp — a total corruption of the HLC.

Fix: extract the physical component before calling SetPhysicalCeiling:

hlc.SetPhysicalCeiling(int64(batchMax >> hlcLogicalBits))

Alternatively, use the existing Observe(ts uint64) method (which already bumps last correctly for full HLC values) if the goal is just to bump the logical counter, then separately call SetPhysicalCeiling(int64(batchMax >> hlcLogicalBits)) to advance the Raft-agreed ceiling. This affects every call site in §6.2.1: the per-batch advance, the CUTOVER precondition proposal, and the max_imported_ts witness.

Fix this →

---

Remaining P1 from round 3 — PromoteStaged "no-op when shadowed" still drops MVCC history (unresolved)

§6.4 step 3 (line 477) still reads:

copies the staged key into its live position (no-op when a later live write has already shadowed it; the FSM applies metaLastCommitTS-respecting MVCC put)

This was flagged as wrong in round 3 and has not been corrected. The problem has two horns and both are wrong:

Horn 1 (skip copy but delete staged): PromoteStaged sees staged K at ts=3 and live K at ts=10, declares it "shadowed", skips the copy, but deletes staged K ts=3 (otherwise CLEANUP never reaches done). After deletion, the staged-fallback merge (step 2) finds nothing for K at read_ts < 10, and the live namespace also has nothing ≤ read_ts since live K ts=10 > read_ts — result: "not found" for a snapshot read at read_ts=5. Incorrect: the imported ts=3 value should be visible at ts=5.

Horn 2 (skip copy AND skip delete): PromoteStaged skips the entry entirely. The staged key K ts=3 remains forever. The CLEANUP precondition "no staged keys remain" is never satisfied — job stuck in CLEANUP forever.

Neither interpretation is MVCC-correct. The fix from round 3 stands unchanged:

1. Always copy the staged version to the live namespace, regardless of whether a newer live version exists. The MVCC store holds both K@ts=3 and K@ts=10 naturally at different commit timestamps.
2. No-op only on true idempotent resume: "no-op if a live version at the same commit_ts already exists" — the promoter already ran this batch before a leader flap.
3. History pruning is kv/compactor.go's job, not the promoter's.

Fix this →

---

New P2 — Sparse internal-family brackets scan unboundedly (from codex, commit 231e9a5)

§6.3.1 line 445 claims:

A bracket whose family doesn't actually intersect the moving range (e.g. an SQS migration on a Redis-only deployment) returns its first chunk empty and done=true immediately — no wasted scan work.

This is over-stated. The exporter iterates the raw key range [start, end) and applies the KeyFilter to every row it encounters. Rejected rows do not count toward chunkBytes (§6.1 line 325: "rejected rows do not advance the chunk-bytes budget"). A deployment with a large SQS prefix (!sqs|...) but no SQS keys in the moving range must scan the entire !sqs|* family prefix before it can set done=true — not one row returned, but potentially millions of rows visited, unbounded in CPU and I/O, and all in a single "chunk" because no row ever increments the budget counter. This defeats the pacing guarantees §8 establishes.

The claim "returns immediately" is only true if the family prefix is empty for the cluster entirely. A simple fix: add a separate scan counter (e.g. maxScannedBytes int passed to ExportVersions alongside chunkBytes) that advances on every iterated row regardless of the filter result. When maxScannedBytes is hit, the exporter checkpoints the cursor (even though chunkBytes is still zero for that call) and returns, allowing the migrator to re-enter and continue scanning on the next tick. This gives bounded CPU/IO per ExportVersions call even over a completely non-intersecting bracket.

Fix this →

---

Remaining from round 2 — three items still open (4th flag)

Medium — Grace window inconsistency

Three locations still disagree:

Location	Line	Value
§4 table, CLEANUP row	168	60 s
§7.2.4	566	30 s (with rationale: "comfortably exceed both lease TTL and watcher tick × 2")
§12 Open Question 3	681	60 s

§7.2.4 has the rationale for 30 s. Pick one value, update all three locations, and close Open Question 3.

Fix this →

Minor — !dist| prefix on target-group import cursor

Line 349 stores the import cursor as !dist|job|<id>|import_cursor in the target group's MVCC store. !dist| is the default-group catalog namespace throughout the codebase. Future operator tools and distribution/catalog.go's key parsers would treat this as a catalog entry. Rename to a target-scoped prefix: !migstage|cursor|<id>.

Fix this →

Medium — "Wait until applied" still a one-liner

Line 544: "the FSM treats read_route_version > source_local_version as a 'wait until applied' (bounded by lease TTL) before answering" — still unspecified. The implementation mechanism (condition variable on appliedIndex signalled by the apply goroutine? short retry loop?) and the timeout error type (does the timeout surface as ErrRouteMoved or a distinct ErrTimeout?) remain unspecified. A one-sentence elaboration would close this: e.g., "condition-variable wait on the FSM's appliedIndex signalled by the apply goroutine, timedout by min(remaining_lease_TTL, 200ms); on timeout, re-evaluate ownership — if still not owned, return ErrRouteMoved."

---

Summary

All three round-4 items (codex P1s on commit c16e1c4) are properly verified as resolved. One new P1 emerges from the latest codex review on commit 231e9a5: SetPhysicalCeiling(batchMax) receives a full HLC timestamp instead of Unix ms, confirmed by reading kv/hlc.go — passing a full HLC value would set the ceiling ~3.5 billion years ahead and corrupt every subsequent Next() call. The correct call is SetPhysicalCeiling(int64(batchMax >> hlcLogicalBits)).

The round-3 P1 (PromoteStaged "no-op when shadowed" drops MVCC history) remains unresolved for the fourth consecutive round — the "shadowed" clause on line 477 still exists and is still wrong. Three editorial items from round 2 (grace window inconsistency, !dist| prefix, wait-until-applied spec) and one new P2 (sparse family bracket scan unbounded) round out the remaining work before implementation can start cleanly.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 44e6125daf

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Wait for source to enforce the fence before fixing fence_ts

When the catalog enters WriteFenced, the source FSM only learns that through its local route engine, which is refreshed asynchronously by the catalog watcher (distribution/watcher.go:11, distribution/watcher.go:87-98), and the proposed FSM fence checks the current local snapshot. If the migrator records fence_ts and starts copying (snapshot_ts, fence_ts] immediately, a stale source leader can still accept writes for the moved keys after fence_ts but before its watcher applies the fenced route; those versions are above the DELTA_COPY upper bound and will be left on the source at CUTOVER. The phase needs a source-side barrier/ack that the fenced route is applied, or fence_ts must be chosen after writes are actually rejected on the source.

Useful? React with 👍 / 👎.

[bootjp]

Fixed in commit 9fa5931. New §3.2a 'Source-side fence-apply barrier': migrator advances FENCE → DELTA_COPY only after every voter of the source-group Raft membership has reported catalog_version_applied >= fence_catalog_version (via the cap_migration_v2 heartbeat or a per-node GetCatalogVersion RPC). Only after the unanimous voter-ACK does the migrator query source.LastCommitTS() and pin fence_ts. Unanimous (not quorum) is required for fence safety — any voter could become the leader later and re-serve writes for the moved range in the pre-FENCE state if its catalog hadn't applied. fence_ack_cursor is durable in the SplitJob for restart-safety. State machine diagram (§3.2) updated.

[bootjp]

@claude review — round 5 (1 P1 + 1 P2 on commit 231e9a5):

• line 367 (HLC SetPhysicalCeiling units) — fixed in 44e6125. §6.2.1 now uses hlcPhysicalMs(ts) = int64(ts >> 16) for the physical-ms component, and additionally calls hlc.Observe(batchMax) for the full HLC ts. Closes the 65 536× far-future advance regression.
• line 445 (sparse internal-family scans) — fixed in 44e6125. §6.3.1 adds scan-budget pacing (maxScannedBytes counts accepted+rejected) + per-family EncodeBracketStart hook for sub-prefix indexing where the family layout allows. Cursor advances over rejected rows.

[claude]

Claude finished @bootjp's task in 4m 52s —— View job

---

Review — Round 5

Todo list

• Load tools
• Read updated design document (commit 44e6125)
• Verify line 367 fix (§6.2.1): HLC SetPhysicalCeiling units — hlcPhysicalMs(ts) = int64(ts >> 16) + hlc.Observe(batchMax)
• Verify line 445 fix (§6.3.1): Sparse internal-family scan budget (maxScannedBytes + EncodeBracketStart hook)
• Check remaining items from round 4 (PromoteStaged shadow clause P1, grace window, !dist| prefix, wait-until-applied)
• Post comprehensive review

---

Round-5 items — both verified

Finding	Section	Verdict
Codex P1 — HLC SetPhysicalCeiling units	§6.2.1 (lines 365–376)	✅ Resolved. Confirmed against kv/hlc.go: SetPhysicalCeiling(ms int64) takes Unix milliseconds, physicalCeiling is compared to time.Now().UnixMilli() in nextLocked, and the physical part of a commit_ts is extracted with >> hlcLogicalBits (16). §6.2.1 now specifies hlcPhysicalMs(ts) = int64(ts >> 16) for every SetPhysicalCeiling call site (per-batch advance, CUTOVER precondition), and additionally calls hlc.Observe(batchMax) for the full HLC high-water mark. Both functions are monotone so out-of-order/duplicate batches are safe. The CUTOVER precondition and the max_imported_ts witness are updated consistently.
Codex P2 — Sparse internal-family scan budget	§6.3.1 (lines 448–453)	✅ Resolved. Two layers specified: (1) maxScannedBytes (default 4×chunkBytes) advances on every iterated row — accepted or rejected — and causes a partial-chunk return + cursor advance when hit, so the next call resumes past the already-scanned window. This alone bounds per-call wall-clock cost regardless of intersection. (2) Per-family EncodeBracketStart(routeStart/End) hook tightens bracket bounds to the moving slice within the family prefix where the family layout allows, reducing the scan budget from "full family" to "moving slice within family" as a per-adapter optimization. keys_per_bracket and rejected_rows_per_bracket metrics named so operators can spot a runaway family scan and prioritize encoder hooks.

---

New P1 — fence_ts set before source FSM enforces the fence (from codex review of 44e6125)

The latest codex review (line 115) identifies a data-loss window that is not addressed in the current doc. Looking at the §3.2 state diagram and §7.1 together:

1. Migrator issues the FENCE catalog write on the default group. Catalog commits at version v+1.
2. Migrator reads the committed write, records fence_ts, and advances to DELTA_COPY (copying (snapshot_ts, fence_ts] from source to target).
3. The source-group leader's catalog watcher has not yet applied version v+1. The watcher is an async polling loop; its tick interval is on the order of seconds (referenced in §7.2.4 as "watcher tick × 2" in the 30 s grace rationale).
4. In the window [T_catalog_commit, T_catalog_commit + watcher_lag], both the coordinator (if also stale) and the source FSM (verifyRouteNotFenced consults "the current catalog snapshot" from the watcher — §7.1 line 517) still have no WriteFenced route in their local view.
5. A write for the fenced range in this window is accepted by the source at a commit_ts that may be above fence_ts (depending on HLC skew and timing). DELTA_COPY's upper bound is fence_ts; those writes are outside the window and are never copied to the target. At CUTOVER the target's MVCC lacks them — silent data loss.

§7.1's FSM defense in depth is the right idea but it reads the local catalog snapshot, so it is subject to the same watcher lag. The gap exists unless the design specifies a barrier between recording fence_ts and starting DELTA_COPY that ensures the source FSM has applied the WriteFenced route.

Suggested fix: add a FENCE → DELTA_COPY transition precondition — "before recording fence_ts and advancing to DELTA_COPY, the migrator polls the source-group leader (via the existing distribution heartbeat or a lightweight GetCatalogVersion RPC) until it reports catalog_version ≥ fence_catalog_version; fence_ts is then taken from HLC.Next() on the source-group leader or from max_imported_ts at that moment, ensuring the source's FSM snapshot already includes the WriteFenced route when DELTA_COPY begins." Alternatively, widen the DELTA_COPY upper bound to fence_ts + some_safe_watcher_lag and guarantee that any write accepted in the lag window is included — but the poll approach is cleaner.

[Fix this →](https://claude.ai/code?q=In%20docs%2Fdesign%2F2026_06_11_proposed_hotspot_split_milestone2_migration.md%20(branch%20docs%2Fhotspot-split-m2-proposal)%2C%20%C2%A73.2%20and%20%C2%A77.1%3A%20the%20migrator%20records%20fence_ts%20and%20starts%20DELTA_COPY%20as%20soon%20as%20the%20FENCE%20catalog%20write%20commits%20on%20the%20default%20group%2C%20but%20the%20source%20FSM's%20verifyRouteNotFenced%20gate%20reads%20the%20local%20catalog%20snapshot%20(refreshed%20by%20the%20watcher%2C%20which%20has%20a%20seconds-scale%20polling%20lag).%20Writes%20accepted%20by%20the%20source%20in%20the%20watcher-lag%20window%20with%20commit_ts%20%3E%20fence_ts%20are%20outside%20DELTA_COPY's%20(snapshot_ts%2C%20fence_ts%5D%20window%20and%20will%20be%20lost%20at%20CUTOVER.%20Add%20a%20FENCE%20%E2%86%92%20DELTA_COPY%20precondition%3A%20before%20recording%20fence_ts%20and%20advancing%2C%20the%20migrator%20polls%20the%20source-group%20leader%20until%20it%20reports%20catalog_version%20%3E%3D%20fence_catalog_version%2C%20then%20takes%20fence_ts%20from%20that%20point.%20Update%20%C2%A73.2%20FENCE%20row%2C%20%C2%A74%20FENCE%20crash-safety%20row%2C%20and%20%C2%A78%20migrator%20runtime%20to%20document%20this%20barrier.&repo=bootjp/elastickv)

---

Remaining P1 from round 3 — PromoteStaged "no-op when shadowed" still drops MVCC history (5th flag)

§6.4 step 3 (line 485) still reads:

copies the staged key into its live position (no-op when a later live write has already shadowed it; the FSM applies metaLastCommitTS-respecting MVCC put)

This has been flagged in rounds 3, 4, and now again as the 5th flag. The §6.4 step 2 MVCC merge (added in round 4) does not rescue this: the merge is only active while staged_visibility_active = true. Step 3 deletes the staged key; once all staged keys are deleted and CLEANUP completes, staged_visibility_active is cleared. At that point:

• Staged K@ts=3 was not copied to live (declared "shadowed" by live K@ts=10) and was deleted.
• Live namespace holds only K@ts=10.
• A snapshot read at read_ts=5 now returns "not found" — the imported value at ts=3 is permanently gone.

The issue is the same two horns from round 3. There is no interpretation of "no-op when shadowed" that is both MVCC-correct and satisfies the CLEANUP drain precondition:

• Skip copy + delete staged: ts=3 version disappears from MVCC — snapshot reads at read_ts ∈ (3, 10) silently return wrong results.
• Skip copy + skip delete: CLEANUP drain ("no staged keys remain") never completes — job stuck forever.

The correct idempotency guard for the copy is: "no-op if a live version at the same commit_ts already exists" (meaning this exact staged version was already promoted in a prior batch, before a leader flap). The MVCC store naturally holds both K@ts=3 and K@ts=10 at different commit timestamps — there is no conflict. History pruning belongs to kv/compactor.go, not the promoter.

Note: §6.4 step 6 bullet "Concurrent writes during promotion" (line 496) says "the FSM's per-key metaLastCommitTS check applied by step 3's PromoteStaged keeps the staged copy from overwriting a fresher live value" — this confirms the copy should always happen (the MVCC put is idempotent on same-ts, and does not overwrite a newer-ts version by design). The "no-op when shadowed" clause on line 485 contradicts this intent.

Fix this →

---

Remaining from prior rounds

Medium — Grace window inconsistency (5th flag)

Three locations still disagree after commit 44e6125:

Location	Line	Value
§4 table, CLEANUP row	168	60 s
§7.2.4	574	30 s (with rationale: "comfortably exceed both lease TTL and watcher tick × 2")
§12 Open Question 3	689	60 s

§7.2.4 has the rationale for 30 s. Picking 30 s: update lines 168 and 689 to match, and close Open Question 3 with the §7.2.4 rationale. Five rounds of flagging — this is a one-line fix.

Fix this →

Minor — !dist| prefix on target-group import cursor (5th flag)

Line 350, inside the ImportVersions doc comment: !dist|job|<id>|import_cursor is stored in the target group's MVCC store. !dist| is the default-group catalog namespace throughout the codebase (distribution/catalog.go). An operator tool or the catalog's key parsers scanning the default-group catalog would misparse these as catalog entries. Rename to a target-scoped prefix such as !migstage|cursor|<id> — one-line change.

Fix this →

Medium — "Wait until applied" spec (4th flag, slightly improved)

Line 552 (§7.2.2 sub-case 2): "the FSM treats this as 'wait until applied' (bounded by lease TTL) before answering, then re-evaluates ownership; if still not owned, returns ErrRouteMoved."

The round-4 addition of "then re-evaluates ownership; if still not owned, returns ErrRouteMoved" is an improvement. What remains unspecified: the implementation mechanism for "wait until applied" (condition variable on appliedIndex signalled by the apply goroutine? a retry loop with time.Sleep? a channel?) and the timeout value within the lease TTL (200 ms? 500 ms?). Given the level of implementation detail elsewhere in the doc, one sentence would close this: e.g., "condition-variable wait on the FSM's appliedIndex signalled by the apply goroutine, timedout by min(remaining_lease_TTL, 200ms); on timeout, re-evaluate ownership — if still not owned, return ErrRouteMoved."

---

Summary

Both round-5 items are verified and properly resolved. hlcPhysicalMs(ts) = int64(ts >> 16) is correct per kv/hlc.go (confirmed hlcLogicalBits = 16, SetPhysicalCeiling takes Unix ms, Observe takes a full HLC value). The scan-budget pacing correctly bounds per-call cost for sparse family brackets.

One new P1 emerges from the codex review of commit 44e6125: fence_ts is recorded before the source-group FSM has applied the WriteFenced route — writes accepted in the watcher-lag window after fence_ts are outside DELTA_COPY's range and would be lost at CUTOVER. The fix is a source-group catalog-version poll before DELTA_COPY begins.

The round-3 P1 (PromoteStaged "no-op when shadowed") has now been flagged five consecutive rounds without resolution; it is a correctness bug that causes MVCC history versions to vanish. Three editorial items from round 2 remain (grace window, !dist| prefix, wait-until-applied).

[bootjp]

@claude review — round 6 (1 P1 on commit 44e6125):

• line 115 (fence_ts pinned before source rejects writes) — fixed in 9fa5931. New §3.2a barrier: FENCE → DELTA_COPY waits for unanimous voter-ACK that catalog_version_applied >= fence_catalog_version before pinning fence_ts. Closes the write-loss window where the source FSM hasn't applied WriteFenced yet but the migrator has already started counting (snapshot_ts, fence_ts].

[claude]

Claude encountered an error —— View job

---

I'll analyze this and get back to you.

[bootjp]

@claude review — round 15 (4 substantive design changes from codex round-14 P1/P2 + coderabbit Major on commit 22dca9b):

• §3.2a step 0b: post-fence second drain closes the catalog-write race (L171)
• §6.1.0: snapshot_ts must dominate every in-flight prepare (L405)
• §6.1.1: cursor redefined as (raw_key, commit_ts, scanned_position_tag) for sparse brackets (L429+L540)
• §6.1.1: importer idempotency key = (job_id, bracket_id, batch_seq) for parallel brackets (L439)
• §6.4 step 2a: range-scan merged iterator for staged+live during pre-promotion window (L562)

SplitJob fields extended: snapshot_min_prepared_ts, post_fence_drain_completed, BracketProgress.{bracket_id, last_acked_batch_seq}.

[claude]

Claude encountered an error —— View job

---

I'll analyze this and get back to you.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 22dca9bbc2

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Carry scan-budget limits on export RPCs

§6.3.1 relies on each export call carrying maxScannedBytes so sparse family brackets can stop after rejected rows and return a cursor, but the wire request only exposes chunk_bytes; the store sketch similarly lacks a scan-budget argument. Fresh evidence after the prior sparse-scan fix is that there is still no field in this RPC contract for the budget, so an implementation following this proto cannot enforce the bounded-scan guarantee and can still spend an unbounded call scanning a large unrelated internal-family prefix.

Useful? React with 👍 / 👎.

[bootjp]

Fixed in 2b4faf1. §5.1 ExportRangeVersionsRequest carries 'uint64 max_scanned_bytes = 9;' — the scan-budget the source-side iterator honors per §6.3.1 (sparse brackets stop after rejected rows, return cursor with the last-scanned position + tag from §6.1.1). The store-side ExportVersions signature gains 'maxScannedBytes int' alongside the existing chunkBytes.

[chatgpt-codex-connector]

Add bracket and batch identity to imports

The corrected idempotency design in §6.1.1 says the importer deduplicates by (job_id, bracket_id, batch_seq), but ImportRangeVersionsRequest still carries only job_id, versions, and cursor. Fresh evidence after the previous bracket-idempotency comment is that the wire contract has no way to send the bracket or per-bracket sequence, so parallel bracket retries can still collide or be impossible to dedupe as specified.

Useful? React with 👍 / 👎.

[bootjp]

Fixed in 2b4faf1. §5.1 ImportRangeVersionsRequest carries 'uint64 bracket_id = 4; uint64 batch_seq = 5;' — the wire fields the importer needs to dedupe by (job_id, bracket_id, batch_seq) per §6.1.1. The importer persists max_applied_batch_seq under !migstage|ack|<job_id>|<bracket_id>; bracket A's retry no longer collides with bracket B's progress.

[bootjp]

Addressed both codex P2 findings on the M2 migration-plane wire contract in 2b4faf1 (doc-only, Status: Proposed and section numbering unchanged).

P2-A — "Carry scan-budget limits on export RPCs" (FIXED): §6.3.1's scan-budget pacing referenced a maxScannedBytes cap that did not exist on the contract — ExportRangeVersionsRequest only had chunk_bytes and the store-layer ExportVersions sketch had only chunkBytes int. So the bounded-scan guarantee was unimplementable from the proto/store contract as written.

• Added uint64 max_scanned_bytes = 9 to ExportRangeVersionsRequest (§5.2) — counts accepted + rejected rows; 0 means "use the server default (4 × chunk_bytes)", consistent with how the doc's other tuning fields default-on-unset.
• Threaded a maxScannedBytes int param into the ExportVersions store-layer signature (§6.1) and documented it in the method comment (rejected rows advance this budget but not chunkBytes).
• §6.3.1's "Scan-budget pacing" bullet now names the wire field ExportRangeVersionsRequest.max_scanned_bytes and the store param, states the default/0-means semantics, and ties the rejected-tail resume to §6.1.1's scanned_position_tag = 1 case.
• §10.1 test plan: mvcc_store_export_test.go now covers a maxScannedBytes-bounded sparse-bracket call.

P2-B — "Add bracket and batch identity to imports" (FIXED): §6.1.1's dedup keys on (job_id, bracket_id, batch_seq), but ImportRangeVersionsRequest carried only job_id/versions/cursor, so parallel-bracket retries had no wire identity to dedup on — and the §6.2 store sketch still described (job_id, cursor) dedup under !migstage|cursor|<id>, contradicting §6.1.1.

• Added uint64 bracket_id = 4 and uint64 batch_seq = 5 to ImportRangeVersionsRequest (§5.2), with the cursor field re-documented as the exporter resume token, not the dedup key.
• Rewrote the §6.2 ImportVersions store-layer signature to ImportVersions(ctx, jobID, bracketID, batchSeq uint64, versions, cursor) and its idempotency text to persist (jobID, bracketID) → max_applied_batch_seq under !migstage|ack|<jobID>|<bracketID> — the bracket-dimensioned key §6.1.1 already specified. The old single-cursor !migstage|cursor|<id> record is retired (it was the un-bracketed key that parallel brackets would clobber, exactly the finding's concern).
• Swept the other references for consistency: §6.2.1 step 2 (max_imported_ts advance now tied to per-bracket ack), §9 resumability matrix (duplicate-import row now dedups by (bracket_id, batch_seq)), and §10.1 import test (idempotency under duplicate (bracket_id, batch_seq) + no cross-bracket clobber).

Internal consistency verified across §3.1 (bracket_progress / last_acked_batch_seq), §5.2 message sketches, §6.1/§6.1.1/§6.2/§6.2.1/§6.3.1 store sketches, §9 matrix, and §10.1 test plan. No stale (job_id, cursor)-as-dedup-key claims or old method arities remain. No Go changes.

@claude review

[claude]

Claude finished @bootjp's task in 3m 47s —— View job

---

Review — Round 16

Todo list

• Load tools
• Read updated design document (commit 2b4faf1)
• Verify P2-A: max_scanned_bytes on ExportRangeVersionsRequest + store sketch threaded through
• Verify P2-B: bracket_id/batch_seq on ImportRangeVersionsRequest + idempotency rewrite
• Check cross-references for consistency (§3.1, §6.1, §6.1.1, §6.2, §6.2.1, §6.3.1, §9, §10.1)
• Check for new issues
• Post comprehensive review

---

Round-16 items — both verified

Finding	Section	Verdict
P2-A — max_scanned_bytes scan budget on wire + store	§5.2 (line 364), §6.1 (lines 457–467), §6.3.1 (lines 610–615), §10.1 (line 846)	✅ Resolved.
P2-B — bracket_id/batch_seq on ImportRangeVersionsRequest	§5.2 (lines 391–401), §6.1.1 (lines 489–494), §6.2 (lines 503–519), §9 (line 836), §10.1 (line 847)	✅ Resolved.

P2-A analysis — max_scanned_bytes:

• Wire: uint64 max_scanned_bytes = 9 in ExportRangeVersionsRequest (§5.2 line 364) with a clear comment explaining the contract: counts accepted + rejected rows, 0 = "use server default (4×chunk_bytes)".
• Store: maxScannedBytes int parameter threaded through ExportVersions (§6.1 lines 466–467). The store-layer comment correctly distinguishes the two cases: 0 = "no scan cap (dense default path)"; migrator passes 4×chunkBytes for sparse brackets.
• §6.3.1 (lines 610–613) ties the wire field name, the default semantics, and the scanned_position_tag = 1 sparse-bracket resume case together explicitly.
• §10.1 test plan gains a targeted test: store/mvcc_store_export_test.go now covers "maxScannedBytes budget bounds a sparse-bracket call (returns partial/empty chunk + advancing cursor at done=false instead of scanning the full prefix)."
• The three properties that motivated the P2 finding — no runaway scan of a large unrelated family prefix, cursor advances through rejected windows, bounded per-call cost — are all addressed.

P2-B analysis — bracket identity on imports:

• Wire: bracket_id = 4, batch_seq = 5 added to ImportRangeVersionsRequest (§5.2 lines 391–400). cursor = 3 is now explicitly documented as "the exporter's resume token, NOT the idempotency key."
• Store: ImportVersions(ctx, jobID, bracketID, batchSeq uint64, versions, cursor) (§6.2 lines 515–516). Idempotency key is (job_id, bracket_id, batch_seq) keyed under !migstage|ack|<jobID>|<bracketID> — not the old single-cursor !migstage|cursor|<id> that parallel brackets would clobber. Old key explicitly retired (§6.2 line 519).
• §6.1.1 (lines 489–494) proves why (job_id, cursor) alone was unsafe and why (job_id, bracket_id, batch_seq) is the correct dedup key. The cursor is separated from idempotency with a clear rationale.
• §9 (line 836) now correctly cites (bracket_id, batch_seq) for the duplicate-import resumability case.
• §10.1 (line 847) gains explicit coverage: "idempotency under duplicate (bracket_id, batch_seq) (a replayed batch at or below the per-bracket high-water mark is a no-op; parallel brackets do not clobber each other's ack record)."
• §3.1 bracket_progress (line 74) already carries last_acked_batch_seq — consistent.
• §6.2.1 (line 533) correctly references "advances a bracket's cursor / last_acked_batch_seq in bracket_progress on ack" — consistent.

All prior round items (rounds 3–15) remain resolved in commit 2b4faf1. No prior fix is regressed.

---

New observations

Both are minor and non-blocking for M2-PR1.

Minor — max_scanned_bytes = 0 semantics differ between wire and store contracts (clarification)

§5.2 (line 363): 0 on the wire means "use the server default" (4 × chunk_bytes).
§6.1 (lines 462–464): 0 at the store level means "no scan cap (the dense default path)".

These two 0-semantics live at different layers, but an implementer wiring the RPC handler needs to know the translation rule: "wire 0 → handler substitutes 4 × chunk_bytes before calling the store; the maxScannedBytes = 0 no-cap path in the store is not reachable via the RPC — it exists for direct store callers (tests, offline tools)."

Without this note, an implementer could wire rpcRequest.MaxScannedBytes → store.ExportVersions(maxScannedBytes=0) directly, bypassing the default cap entirely for sparse brackets and re-introducing the unbounded-scan hazard the P2 fix was supposed to close.

Suggested fix: add one sentence to §5.2 or §6.1: "The RPC handler MUST substitute 4 × chunk_bytes when the wire field is 0; the maxScannedBytes = 0 (no-cap) store path is not exposed via the RPC."

Fix this →

Minor — !migstage|ack|<job_id>|<bracket_id> keys have no CLEANUP path

§6.2 (lines 507–519) persists per-bracket ack records under !migstage|ack|<jobID>|<bracketID> on the target group's MVCC store. The §6.4 promoter drains the staged prefix !dist|migstage|<job_id>|* before CLEANUP → DONE, and the §6.4 step 5 CLEANUP precondition requires "no staged keys remain." But neither step 5 nor the §9 resumability matrix mention deleting the !migstage|ack|<job_id>|* keys at CLEANUP → DONE. Over many migrations, these accumulate on target groups.

Unlike the staged data, the ack records are small (one 8-byte max_applied_batch_seq per bracket per job — ~12 entries per job). But they are never deleted, and the job retention GC (§3.1.1) sweeps !dist|jobhist|* on the default group, not !migstage|ack|* on the target group — so they accumulate indefinitely. A target group that absorbs many shards via many migrations would silently collect ack records from every past job.

Suggested fix: add to §6.4 step 5's CLEANUP → DONE precondition: "(d) one bounded proposal on the target group deletes !migstage|ack|<job_id>|* (at most ~12 keys, one per bracket)."

Fix this →

---

Summary

Both round-16 items are verified and properly resolved. The max_scanned_bytes field is correctly specified on both the wire and store layers. The bracket_id/batch_seq idempotency rewrite is internally consistent across all cross-references (§3.1, §5.2, §6.1.1, §6.2, §6.2.1, §9, §10.1), and the old single-cursor !migstage|cursor|<id> approach is cleanly retired.

Two new minor observations: a one-sentence clarification needed between the wire 0 and store 0 semantics for max_scanned_bytes (to prevent an implementer accidentally passing the no-cap value to the store for sparse brackets), and missing CLEANUP of !migstage|ack|* ack records on the target group. Neither blocks M2-PR1. The design is implementation-ready.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2b4faf1182

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Filter txn-lock drains by routeKey

For adapter/internal routes whose routing key differs from the raw storage key, this raw !txn|lock|<encoded>[routeStart, routeEnd) scan can report empty while prepared locks still exist. I checked txnLockKey (kv/txn_keys.go) and routeKey (kv/shard_key.go): a DynamoDB item lock is stored as !txn|lock|!ddb|item|... but routes as !ddb|route|table|..., so it sorts outside a drain bounded by txnLockKey(routeStart)/txnLockKey(routeEnd). In that case the pre/post-fence drains (and the matching snapshot prepare scan later in the doc) miss the lock, allowing the migration to strand a prepared transaction or choose a snapshot boundary that drops its eventual committed version; the drain needs to scan the txn-lock family and apply the same route-key filter/bracket logic used for export.

Useful? React with 👍 / 👎.

[bootjp]

@claude review

codex P1 "Filter txn-lock drains by routeKey" — fixed (ce3865f).

Verified the claim against kv/txn_keys.go and kv/shard_key.go:

• txnLockKey(userKey) = !txn|lock| || raw userKey — the lock sorts by its raw user key.
• routeKey() → dynamoRouteFromTablePrefixedKey → dynamoRouteTableKey maps a DynamoDB item key !ddb|item|<table>|... to routing key !ddb|route|table|<table>. Since !ddb|item|... sorts before !ddb|route|table|... (i < r), a DynamoDB item lock at !txn|lock|!ddb|item|... falls outside a drain bracketed by [txnLockKey(routeStart), txnLockKey(routeEnd)) whose bounds are !ddb|route|table|.... Same raw-vs-routing split for SQS (!sqs|... → !sqs|route|global), Redis/list, S3. Confirmed: the raw-bracketed drain reports empty while a prepared lock is still live → cutover with an unresolved prepare. This is the same routing-vs-raw split that rebutted the coderabbit finding on adapter: wrap DynamoDB query/scan/transactGetItems in LeaseRead #952 (many raw keys collapse to one route key); here it cuts the other way — raw brackets are not route-faithful.

Fix (doc-only, reuses the doc's own §6.3.1 export mechanism): the drains/scan are now specified as a full !txn|lock| family scan ([txnLockPrefix(), txnLockPrefixEnd()), the §6.3.1 familyTxnLock bracket) filtered per-row by routeKey(lockedKey) ∈ [routeStart, routeEnd) — the same RouteKeyFilter predicate the data export already uses — never a raw [txnLockKey(routeStart), txnLockKey(routeEnd)) bracket.

Sections updated:

• New §3.2a.0a defines the route-faithful lock drain (with the DynamoDB worked example + scan-cost note: lock keyspace is small/transient, so a full-family scan per tick is cheap, unlike the data scan §6.3.1's budget guards).
• §3.2a step 0 (pre-fence drain), step 0b (post-fence drain), §6.1.0 step 1 (snapshot prepare scan), the §3.2 diagram, the §3.1 snapshot_min_prepared_ts field, and §12 OQ-6 all now reference §3.2a.0a and explicitly reject the raw bracket.
• §10.1 test plan adds kv/migrator_lock_drain_test.go with a required DynamoDB-item-lock case (lock at !txn|lock|!ddb|item|<table>|<pk> counted by a drain over [!ddb|route|table|<table>, ...\xff)) plus SQS/Redis/list/user + negative cases; §11 PR table wires it to M2-PR5.

Status: Proposed kept; doc-only.

[claude]

Claude encountered an error —— View job

---

I'll analyze this and get back to you.

[bootjp]

@claude review — round 16 (2 P2 wire-contract fixes on commit 2b4faf1 + ce3865f follow-up route-faithful drain wording).

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ce3865f20d

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Fence new prepares before fixing the snapshot boundary

This only scans prepares that already exist before BACKFILL, but the source route remains Active until the later FENCE transition, so a coordinator can prepare a transaction after this scan with a commit timestamp <= snapshot_ts (for example from a lagging/caller-provided HLC), then commit after the BACKFILL iterator has passed its key. That version is not in the initial scan result and is excluded from DELTA_COPY's (snapshot_ts, fence_ts] window, so the target can miss a committed write; the design needs to block/drain prepares before choosing this boundary or make post-scan resolutions get copied regardless of their commit timestamp.

Useful? React with 👍 / 👎.

[claude]

Claude encountered an error —— View job

---

I'll analyze this and get back to you.

[bootjp]

@claude review

[claude]

Claude encountered an error —— View job

---

I'll analyze this and get back to you.

[bootjp]

@claude review

[claude]

Claude encountered an error —— View job

---

I'll analyze this and get back to you.

[bootjp]

@claude review

Addressed codex P1 "Fence new prepares before fixing the snapshot boundary" in 722c8a6 (doc-only).

Finding: §6.1.0's snapshot prepare scan ran once before BACKFILL and was trusted as the DELTA_COPY lower bound. The source route stays Active until the much-later FENCE transition, so a coordinator can prepare a new txn after the scan with commit_ts <= snapshot_ts, commit it after the BACKFILL iterator passed its key, and have it excluded from a (snapshot_ts, fence_ts] window — lost prepared write. Reviewer's suggested remedy: block/drain prepares before choosing the boundary, or make post-scan resolutions get copied regardless of commit_ts.

Chosen mechanism — fence-then-floor (reviewer remedy #1): the pre-BACKFILL scan is downgraded to a provisional snapshot for the early bulk copy; the authoritative DELTA_COPY lower bound delta_floor is finalised only after §3.2a step 1's unanimous verifyRouteNotFenced apply + step 0b's post-fence drain, i.e. after no new prepare can land. snapshot_min_prepared_ts becomes a monotone-down running minimum sampled over both the live !txn|lock| family and the durable !txn|cmt| commit-record family (so an inter-tick prepare-then-commit is still observed). DELTA_COPY exports (delta_floor, fence_ts] where delta_floor = min(snapshot_ts, snapshot_min_prepared_ts - 1), so any late low-ts prepare's committed version is > delta_floor and is captured.

This fits the existing phases best: the post-fence drain (§3.2a step 0b) already establishes the "no new prepare can land" point; I anchored boundary finalisation there rather than reordering BACKFILL after FENCE (which would fence writes for the whole bulk copy).

Code claims verified (PR branch): caller-supplied commit_ts used as-is in resolveDispatchCommitTS (kv/coordinator.go:872-876, HLC.Observe is monotone-up-only); caller-supplied StartTS/CommitTS path live for S3/SQS/DynamoDB (kv/sharded_coordinator.go:638-665); NextFenced floors only the physical half (kv/hlc.go:171-176), logical 16 bits are a free in-memory counter (kv/hlc.go:181-190); durable commit record txnCommitKey (kv/txn_keys.go:50).

Edits: §3.1 (snapshot_ts/snapshot_min_prepared_ts docs + new delta_floor field), §3.2 diagram, §3.2a step 0b net-effect + boundary-finalisation note + step 2, §4 failure-semantics table, §6.1.0 (rewritten), §9 resumability matrix (new row), §10.1 + §10.2 test plan (new migrator_snapshot_boundary_test + integration case with red control), OQ-6.

Status: Proposed unchanged. Doc-only.

[claude]

Claude encountered an error —— View job

---

I'll analyze this and get back to you.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 722c8a689a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Track prepares for moved keys, not only moved primaries

This still misses a multi-shard transaction whose secondary key is in the moving range but whose primary key is outside it. I checked kv/fsm.go:1136-1140 and kv/txn_keys.go:50-53: the durable !txn|cmt|... record is written only when committing the primary and is keyed by primaryKey, so a secondary prepare that lands and resolves between migrator ticks leaves no commit-record row whose routeKey() falls in the moved range. If its commit_ts <= snapshot_ts after BACKFILL passed that secondary key, delta_floor is not lowered and DELTA_COPY can still skip the committed secondary version.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Use delta_floor as DELTA_COPY lower bound

This wire contract still says DELTA_COPY sends min_commit_ts = snapshot_ts, which contradicts the later delta_floor fix in §6.1.0. If the implementation follows this proto comment, a prepare that commits after BACKFILL passed its key with commit_ts <= snapshot_ts is again excluded from (snapshot_ts, fence_ts], even though the design now computes delta_floor specifically to include that version in DELTA_COPY.

Useful? React with 👍 / 👎.

[bootjp]

@claude review

Addressed both codex round-16 P1s on this doc-only PR. Pushed 5632dc20 (doc-only, Status: Proposed preserved).

---

P1 "Track prepares for moved keys, not only moved primaries" — accepted, fixed.

Reviewer's argument (verified): the running-minimum's inter-tick backstop relied on the !txn|cmt| commit-record family, but that record is written only when committing the primary and is keyed by primaryKey (kv/fsm.go:1136-1142 — if committingPrimary; kv/txn_keys.go:50-58 — txnCommitKey(primaryKey, startTS)). For a multi-shard txn whose secondary key is in the moving range but whose primary is outside it, the commit record's routeKey() falls outside [routeStart, routeEnd), so a route-faithful commit-record-family scan never sees it. If that secondary prepare lands and resolves between two migrator ticks, the live !txn|lock| row is also gone, so neither side observes it; snapshot_min_prepared_ts is not lowered and DELTA_COPY skips the committed secondary version — silent data loss. Correct.

Fix (§3.1 field def, §6.1.0 step 2/3 header + body, OQ-6, §10.1/§10.2 tests):

• Running minimum is now keyed on any locked key whose routeKey() falls in the moving range — primary or secondary — not only the txn's primary.
• Inter-tick backstop no longer depends on the primary-keyed commit-record scan. Instead: (a) each live secondary lock in the moving range carries (PrimaryKey, StartTS) (txnLock, kv/txn_codec.go:223-245), and its commit_ts is resolved by a direct point lookup of !txn|cmt|<PrimaryKey>|<startTS> (the migrator holds the exact primary, so it doesn't need the record to route in-range); (b) a route-faithful committed-MVCC-version scan over the moving range (the §6.3.1 brackets + routeKey() filter) backstops the same-tick land-and-resolve case where the secondary lock was never sampled — the secondary's committed version routes into [routeStart, routeEnd) by construction.
• Added red-control assertions: scoping the running minimum to moved primaries only must drop the moved-secondary version. New integration case for outside-primary / moved-secondary multi-shard prepare.

P1 "Use delta_floor as DELTA_COPY lower bound" — accepted, fixed.

Reviewer's argument (verified): the ExportRangeVersionsRequest wire-contract comment still said min_commit_ts = 4; // ... snapshot_ts for DELTA_COPY (proto.internal §5.2), contradicting the delta_floor finalisation in §3.1/§6.1.0. An implementation following the proto comment would re-exclude exactly the post-scan commit_ts ≤ snapshot_ts prepares that delta_floor was computed to capture. Correct.

Fix (§5.2): min_commit_ts for DELTA_COPY is now delta_floor (not snapshot_ts), with an inline rationale tying it to delta_floor = min(snapshot_ts, snapshot_min_prepared_ts - 1). Swept the whole doc — every authoritative window/bound is now (delta_floor, fence_ts]; the remaining (snapshot_ts, fence_ts] mentions are explicitly the naïve/wrong form being argued against (§3.2a, §6.1.0 narrative). The store-side ExportVersions signature comment stays generic (minCommitTS, maxCommitTS] (it is the migrator that supplies delta_floor), and §10.2's BACKFILL/DELTA_COPY test note already used (delta_floor, fence_ts].

[claude]

Claude finished @bootjp's task in 8m 3s —— View job

---

Round 17 Review — commit 5632dc20

Reviewed both codex round-16 P1 fixes. Both are fully resolved. Four minor editorial items follow (two new, two carryover from round 16).

---

P1-A — Track prepares for moved keys, not only moved primaries ✅ Resolved

§3.1 (snapshot_min_prepared_ts): definition now reads "running minimum commit_ts of any prepare on any locked key whose routeKey() falls in the moving range — primary or secondary."

§6.1.0 step 2 (lines 457-463): the fix is mechanically sound across all three paths:

1. Live !txn|lock| family scan + direct commit-record lookup. The filter is routeKey(lockedKey) ∈ [routeStart, routeEnd) on the raw lock key itself — a secondary lock with a storage key inside the moving range passes the filter regardless of where the primary routes. The migrator then resolves commit_ts via a direct point lookup of !txn|cmt|<PrimaryKey>|<startTS> (using PrimaryKey decoded from the lock value), bypassing any route-faithful commit-record scan entirely. This correctly handles the failure mode: kv/fsm.go:1136-1142 confirms the !txn|cmt| record is written only when committingPrimary = true and is keyed by primaryKey, so a primary-keyed record whose routeKey() falls outside the moving range can never be found by a route-filtered commit-record scan — but it's found trivially by the direct address derived from the secondary lock.

2. Committed-MVCC-version backstop. A secondary key in the moving range writes its committed MVCC version into [routeStart, routeEnd) by construction, so a route-faithful ExportVersions scan with commit_ts ≤ snapshot_ts observes it directly, closing the same-tick land-and-resolve gap where the live lock was never sampled.

3. Final post-fence drain. Step 3 re-runs both paths after step 0b returns empty, guaranteeing the running minimum is final.

§10.1 assertion (e) and §10.2 moved-secondary integration case (with "must fail" red controls on moved-primary-only scoping) lock down the fix as a regression gate.

---

P1-B — Use delta_floor as DELTA_COPY lower bound on the wire ✅ Resolved

§5.2 ExportRangeVersionsRequest.min_commit_ts (field 4, lines 357-364): the field comment now says explicitly:

// DELTA_COPY's lower bound is delta_floor (§3.1 / §6.1.0 step 3), NOT snapshot_ts: a post-scan prepare that committed with commit_ts ≤ snapshot_ts must still land in (delta_floor, fence_ts], and delta_floor = min(snapshot_ts, snapshot_min_prepared_ts − 1) is finalised after the fence so that delta_floor < every such commit_ts. Sending snapshot_ts here would re-exclude exactly the versions delta_floor was computed to capture
uint64 min_commit_ts = 4; // 0 for BACKFILL; delta_floor for DELTA_COPY

Doc sweep confirmed clean: §3.1 field table, §3.2 state diagram ((delta_floor, fence_ts] window), §4 phase table DELTA_COPY row, §6.1.0 step 3 finalisation, §9 resumability row — all say (delta_floor, fence_ts], not (snapshot_ts, fence_ts]. The two-value distinction (snapshot_ts provisional; delta_floor authoritative) is correctly maintained throughout.

---

Minor-1 — "M2-PR0" wire change not in §11 PR table

§6.1.0 step 1 (line 456) and step 2 (lines 460, 463) refer to "the M2-PR0 wire change" that adds commit_ts to the lock value. The §11 implementation table (lines 921-929) starts at M2-PR1 — M2-PR0 has no row. Because steps 1 and 2 depend on the lock value carrying commit_ts (step 1 uses it to seed min_prepared_commit_ts; step 2's live-lock path decodes it before doing the point lookup), omitting it from the table leaves it unanchored: there is no associated PR, scope, or test row.

Suggested fix: add a row for M2-PR0 to the §11 table, e.g.:

PR	Scope	Tests
M2-PR0	Add commit_ts field to the txnLock wire value (Raft-applied lock-write path); decoder backward-compat for existing locks without the field (zero → fallback to commit-record lookup)	kv/txn_codec_test.go round-trip + backward-compat case

or absorb it into M2-PR1 if it fits that scope.

---

Minor-2 — §6.1.0 step 2: priority between lock-value commit_ts and commit-record point lookup is ambiguous

Step 2 (lines 460): "the commit_ts itself is added by the M2-PR0 wire change" and "It then resolves the txn's commit_ts by a direct point lookup of the commit record at !txn|cmt|<PrimaryKey>|<startTS>." Two sources are named for the same value; the relationship between them is not stated.

A reader is left to guess:

• (a) Read commit_ts from the lock value (fast path, M2-PR0); fall back to commit-record point lookup when the field is absent (existing lock written before M2-PR0)?
• (b) Always do the commit-record point lookup; the lock-value commit_ts is mentioned as context only?
• (c) Read both and take the minimum/maximum?

If (a) (which seems most likely given the M2-PR0 framing), the fallback rule should be stated explicitly — especially because backward-compat for existing locks without the field needs to be defined somewhere.

Suggested fix: one sentence in step 2 clarifying the priority, e.g.: "The migrator reads commit_ts from the lock value (M2-PR0 field); for locks written before M2-PR0 where the field is absent (zero), it falls back to a direct point lookup of !txn|cmt|<PrimaryKey>|<startTS>."

---

Minor-3 (carryover round-16) — !migstage|ack|<job_id>|* cleanup not in §6.4 step 5

§6.2 (line 528) documents that the importer persists (job_id, bracket_id) → max_applied_batch_seq under !migstage|ack|<job_id>|<bracket_id>. §6.4 step 5 (line 697) lists the CLEANUP→DONE preconditions as: (a) grace window elapsed, (b) no staged keys remain, (c) staged_visibility_active cleared. The ack records are not mentioned.

These records are only needed during DELTA_COPY for import dedup; retaining them after DONE is GC debt. The CLEANUP→DONE condition in step 5 should either explicitly delete !migstage|ack|<job_id>|* in the same apply that clears staged_visibility_active, or note the cleanup is deferred (and where).

---

Minor-4 (carryover round-16) — max_scanned_bytes = 0 translation not documented at the store layer

§5.2 proto (line 384): "0 means 'use the server default (4 × chunk_bytes, §6.3.1)'." The server handler must therefore translate 0 → 4 × chunkBytes before passing maxScannedBytes to store.ExportVersions. The ExportVersions store signature doc (lines 493-496) describes maxScannedBytes as "a hard cap" with no mention of a 0 sentinel.

If 0 reaches the store layer and is interpreted there as "no cap" (a natural reading of an unsigned zero), the proto-level default is silently discarded and the sparse-bracket scan is unbounded. The server handler translation rule should be called out explicitly in the store API doc comment (or the store layer should define the sentinel itself so the translation is in one place).

---

Summary

Finding	Severity	Status
P1-A: secondary-key prepare tracking	P1	✅ Resolved (§3.1, §6.1.0 steps 1-3, §10.1/10.2)
P1-B: delta_floor as DELTA_COPY wire lower bound	P1	✅ Resolved (§5.2 field 4, doc sweep)
M2-PR0 absent from §11 PR table	Minor	New
§6.1.0 step 2 lock-value vs commit-record priority	Minor	New
`!migstage	ack` cleanup missing from §6.4 step 5	Minor
max_scanned_bytes = 0 store translation undocumented	Minor	Carryover round-16

Both round-17 P1 items are fully resolved. The design is implementation-ready for M2-PR1. The four minor items above are editorial; they do not block implementation but should be addressed before or alongside the PRs that touch those sections (M2-PR0/PR3 for Minors 1-2; M2-PR7 for Minor-3; M2-PR3 for Minor-4).

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5632dc20dd

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Close the admitted post-cutover stale-read window

Fresh evidence in the current text is that this paragraph explicitly says the source has neither applied the CUTOVER catalog nor received max_cutover_version_seen for ~100 ms, so neither Branch 1 nor Branch 2 can reject stale reads. In that window, a refreshed coordinator can already route a write/read to the target while a stale coordinator still sends a read or cross-boundary scan to the source, which will serve pre-cutover data and violates the goal of atomic reader/writer cutover; the design needs a synchronous source-side cutover signal/barrier or must delay target visibility/writes until sources can fence reads.

Useful? React with 👍 / 👎.