Phase 5: value model, order-preserving key encoding, row/wire encodings, UUIDv7

Author: Thanga-Ganapathy

CHANGELOG.md

@@ -8,6 +8,37 @@ under a category (`Added` / `Changed` / `Fixed` / `Removed` / `Security`).
 
 ## [Unreleased]
 
+### Phase 5 — Types, values & encoding
+
+#### Added
+- `types`: the `Value` model covering every v1 type (`SPEC.md` §3), with the
+  engine's logical total order (`Eq`/`Ord` follow it: nulls first, IEEE-754
+  float total order with one canonical NaN — `DECISIONS.md` D12).
+- The **order-preserving key encoding** (`encode_key`/`decode_key`): bytewise
+  comparison of encoded keys equals logical comparison, for single and
+  composite keys; prefix-free escape-coded text/blob; exactly decodable;
+  `json` is not keyable.
+- The row encoding (`encode_row`/`decode_row`): compact, self-describing,
+  exact round-trip, typed `RowCorrupt` errors on hostile bytes.
+- An in-house, hardened minimal MessagePack codec (`DECISIONS.md` D11): the
+  wire mapping for values (`encode_value`/schema-directed `decode_value`;
+  uuid as canonical string, timestamp as int) and the `json` well-formedness
+  gate (`validate_json`: depth-limited, rejects reserved/ext bytes, trailing
+  bytes, truncation).
+- `UuidV7Gen`: RFC 9562 UUIDv7 over the injected `Clock`/`Rng`, strictly
+  monotonic within a run (counter in `rand_a`, timestamp nudge on overflow),
+  plus canonical-string format/parse.
+- Exit-criteria tests: the order property (`bytewise_cmp(encode(a),encode(b))
+  == logical_cmp(a,b)`) over curated edge cases, seeded random values, and
+  composites; key/row/wire round-trips; malformed-json rejection; decoder
+  no-panic fuzz; UUIDv7 monotonicity under clock stall/backstep.
+- Decision D13: no `u64` value type (SPEC §4.3/§3 inconsistency, raised);
+  `rowversion` will be `i64`.
+
+#### Changed
+- `clippy.toml`: `allow-panic-in-tests = true`, completing the declared
+  "test code may use them freely" scoping of operating rule 3.
+
 ### Phase 4 — Transactions, MVCC & durability
 
 #### Added

DECISIONS.md

@@ -5,6 +5,54 @@ Per `PLAN.md` §1 rule 6, every resolution of an ambiguity or deviation from
 
 ---
 
+## D13 — No `u64` value type; `rowversion` columns are `i64`
+
+**Phase:** 5 · **Status:** accepted (SPEC inconsistency, raised)
+
+`SPEC.md` §4.3's example schema declares `version: { type: u64, rowversion:
+true }`, but §3's authoritative type table has no `u64`.
+
+**Decision:** the `Value` model implements exactly the §3 table; there is no
+`u64`. A `rowversion` counter fits comfortably in `i64` (~9.2 × 10¹⁸ writes),
+so Phase 6 models `rowversion` columns as `i64`. Recorded here rather than
+silently extending the type system.
+
+## D12 — Key-encoding order: nulls first, one canonical NaN above +inf
+
+**Phase:** 5 · **Status:** accepted
+
+`ARCHITECTURE.md` §3.4 mandates `bytewise_cmp(encode(a), encode(b)) ==
+logical_cmp(a, b)` with "a total order over floats" and "defined null
+ordering", but fixes neither choice.
+
+**Decision:**
+- **Nulls sort first**, engine-wide (tag `0x01`, the lowest).
+- **Floats** use the IEEE-754 total order (`-0.0 < +0.0`), with **every NaN
+  canonicalized to the one positive quiet NaN**, sorting above `+inf`. Key
+  equality follows the same total order (`NaN == NaN`), so NaN keys are
+  well-behaved rather than unmatchable.
+- **Variable-length components** (`text`/`blob`) are escape-coded
+  (`0x00` → `0x00 0xFF`, terminator `0x00 0x00`): prefix-free, so composite
+  keys are plain concatenation and prefixes sort first.
+- The encoding is **decodable** (exact round-trip): Phase 7 recovers PK
+  suffixes from non-unique index entries instead of storing the PK twice.
+- `json` is opaque in v1 and **not keyable** (typed `NotKeyable` error).
+
+## D11 — In-house minimal MessagePack codec
+
+**Phase:** 5 · **Status:** accepted
+
+The wire mapping, `json` storage, and Phase 8's AST decode all need
+MessagePack. `rmp`/`rmpv` would be the first unvetted external dependencies
+(D4 keeps the graph at `thiserror` only), and the engine needs a *hardened*
+decoder (depth limits, no panics on hostile bytes) more than a featureful one.
+
+**Decision:** implement the needed subset in `types::msgpack`: compact int /
+str / bin / array / map encode, schema-directed value decode, and a
+well-formedness walk with `MAX_JSON_DEPTH = 64`, rejecting the reserved byte
+`0xC1` and all ext types in v1 documents. Phase 8 builds its AST decoding on
+this module.
+
 ## D10 — Pager commit releases the state lock across fsyncs
 
 **Phase:** 4 · **Status:** accepted

clippy.toml

@@ -3,3 +3,4 @@
 # (set in Cargo.toml) to non-test code.
 allow-unwrap-in-tests = true
 allow-expect-in-tests = true
+allow-panic-in-tests = true

crates/dbms/src/lib.rs

@@ -50,7 +50,7 @@ impl Error {
     /// use otf_dbms::{Error, ErrorCategory};
     ///
     /// // A type error surfaces as a `Validation` category error.
-    /// let err: Error = types::TypeError::Invalid.into();
+    /// let err: Error = types::TypeError::BadUuid.into();
     /// assert_eq!(err.category(), ErrorCategory::Validation);
     /// ```
     pub fn category(&self) -> ErrorCategory {

crates/types/src/key.rs

@@ -0,0 +1,240 @@
+//! The order-preserving key encoding.
+//!
+//! For any two keyable values (and any two composite keys),
+//! `bytewise_cmp(encode(a), encode(b)) == logical_cmp(a, b)`. Every encoded
+//! value is **prefix-free**, so composite keys are plain concatenation and the
+//! encoding decodes back exactly — Phase 7 relies on that to recover PK
+//! suffixes from index entries.
+//!
+//! Layout per value: one tag byte (fixing the cross-type rank, nulls first),
+//! then a payload:
+//!
+//! | type | payload |
+//! |---|---|
+//! | `null` | none |
+//! | `bool` | `0x00` / `0x01` |
+//! | `i64`, `timestamp` | 8 bytes big-endian, sign bit flipped |
+//! | `f64` | 8 bytes big-endian IEEE-754 total-order mapping |
+//! | `text`, `blob` | bytes with `0x00` → `0x00 0xFF`, terminated `0x00 0x00` |
+//! | `uuid` | 16 raw bytes |
+//!
+//! `json` is opaque in v1 and cannot be a key component.
+
+use crate::value::{f64_from_total_key, f64_total_key, Value};
+use crate::{KeyCorruption, Result, TypeError};
+
+const TAG_NULL: u8 = 0x01;
+const TAG_BOOL: u8 = 0x02;
+const TAG_I64: u8 = 0x03;
+const TAG_F64: u8 = 0x04;
+const TAG_TEXT: u8 = 0x05;
+const TAG_BLOB: u8 = 0x06;
+const TAG_UUID: u8 = 0x07;
+const TAG_TIMESTAMP: u8 = 0x08;
+
+/// Encode a composite key (one or more components) into its order-preserving
+/// byte form. A single-column key is a one-element slice.
+///
+/// Returns [`TypeError::NotKeyable`] if a component is `json` (opaque in v1).
+///
+/// # Examples
+///
+/// ```
+/// use types::{encode_key, Value};
+///
+/// let lo = encode_key(&[Value::I64(-5)]).unwrap();
+/// let hi = encode_key(&[Value::I64(3)]).unwrap();
+/// assert!(lo < hi);
+/// ```
+pub fn encode_key(components: &[Value]) -> Result<Vec<u8>> {
+    let mut out = Vec::new();
+    for value in components {
+        encode_into(&mut out, value)?;
+    }
+    Ok(out)
+}
+
+fn encode_into(out: &mut Vec<u8>, value: &Value) -> Result<()> {
+    match value {
+        Value::Null => out.push(TAG_NULL),
+        Value::Bool(b) => {
+            out.push(TAG_BOOL);
+            out.push(u8::from(*b));
+        }
+        Value::I64(v) => {
+            out.push(TAG_I64);
+            out.extend_from_slice(&flip_sign(*v).to_be_bytes());
+        }
+        Value::F64(v) => {
+            out.push(TAG_F64);
+            out.extend_from_slice(&f64_total_key(*v).to_be_bytes());
+        }
+        Value::Text(s) => {
+            out.push(TAG_TEXT);
+            escape_into(out, s.as_bytes());
+        }
+        Value::Blob(b) => {
+            out.push(TAG_BLOB);
+            escape_into(out, b);
+        }
+        Value::Uuid(u) => {
+            out.push(TAG_UUID);
+            out.extend_from_slice(u);
+        }
+        Value::Timestamp(v) => {
+            out.push(TAG_TIMESTAMP);
+            out.extend_from_slice(&flip_sign(*v).to_be_bytes());
+        }
+        Value::Json(_) => return Err(TypeError::NotKeyable { kind: "json" }),
+    }
+    Ok(())
+}
+
+/// Decode a key produced by [`encode_key`] back into its components.
+///
+/// The input is stored bytes, so every malformation is a typed
+/// [`TypeError::KeyCorrupt`] — never a panic.
+pub fn decode_key(bytes: &[u8]) -> Result<Vec<Value>> {
+    let mut components = Vec::new();
+    let mut rest = bytes;
+    while let Some((&tag, after_tag)) = rest.split_first() {
+        let (value, after_value) = decode_one(tag, after_tag)?;
+        components.push(value);
+        rest = after_value;
+    }
+    Ok(components)
+}
+
+fn decode_one(tag: u8, rest: &[u8]) -> Result<(Value, &[u8])> {
+    match tag {
+        TAG_NULL => Ok((Value::Null, rest)),
+        TAG_BOOL => {
+            let (&byte, rest) = rest
+                .split_first()
+                .ok_or_else(|| corrupt(KeyCorruption::Truncated))?;
+            match byte {
+                0 => Ok((Value::Bool(false), rest)),
+                1 => Ok((Value::Bool(true), rest)),
+                _ => Err(corrupt(KeyCorruption::BadBool { byte })),
+            }
+        }
+        TAG_I64 => {
+            let (word, rest) = take_u64(rest)?;
+            Ok((Value::I64(unflip_sign(word)), rest))
+        }
+        TAG_F64 => {
+            let (word, rest) = take_u64(rest)?;
+            Ok((Value::F64(f64_from_total_key(word)), rest))
+        }
+        TAG_TEXT => {
+            let (bytes, rest) = unescape(rest)?;
+            let text = String::from_utf8(bytes).map_err(|_| corrupt(KeyCorruption::InvalidUtf8))?;
+            Ok((Value::Text(text), rest))
+        }
+        TAG_BLOB => {
+            let (bytes, rest) = unescape(rest)?;
+            Ok((Value::Blob(bytes), rest))
+        }
+        TAG_UUID => {
+            if rest.len() < 16 {
+                return Err(corrupt(KeyCorruption::Truncated));
+            }
+            let (head, rest) = rest.split_at(16);
+            let mut uuid = [0u8; 16];
+            uuid.copy_from_slice(head);
+            Ok((Value::Uuid(uuid), rest))
+        }
+        TAG_TIMESTAMP => {
+            let (word, rest) = take_u64(rest)?;
+            Ok((Value::Timestamp(unflip_sign(word)), rest))
+        }
+        _ => Err(corrupt(KeyCorruption::BadTag { tag })),
+    }
+}
+
+/// Map an `i64` to a `u64` whose unsigned (big-endian byte) order matches the
+/// signed order: flip the sign bit.
+fn flip_sign(v: i64) -> u64 {
+    (v as u64) ^ (1 << 63)
+}
+
+fn unflip_sign(word: u64) -> i64 {
+    (word ^ (1 << 63)) as i64
+}
+
+fn take_u64(rest: &[u8]) -> Result<(u64, &[u8])> {
+    if rest.len() < 8 {
+        return Err(corrupt(KeyCorruption::Truncated));
+    }
+    let (head, rest) = rest.split_at(8);
+    let mut word = [0u8; 8];
+    word.copy_from_slice(head);
+    Ok((u64::from_be_bytes(word), rest))
+}
+
+/// Escape variable-length bytes so they are prefix-free yet order-preserving:
+/// every `0x00` becomes `0x00 0xFF`, and the value ends with `0x00 0x00`.
+/// A proper prefix then terminates (`0x00 0x00`) exactly where the longer
+/// value continues with either an escaped zero (`0x00 0xFF`, larger) or any
+/// other byte (`0x01..`, larger) — so prefixes sort first, matching the
+/// logical bytewise order.
+fn escape_into(out: &mut Vec<u8>, bytes: &[u8]) {
+    for &b in bytes {
+        out.push(b);
+        if b == 0x00 {
+            out.push(0xFF);
+        }
+    }
+    out.extend_from_slice(&[0x00, 0x00]);
+}
+
+fn unescape(mut rest: &[u8]) -> Result<(Vec<u8>, &[u8])> {
+    let mut out = Vec::new();
+    while let Some((&b, tail)) = rest.split_first() {
+        if b != 0x00 {
+            out.push(b);
+            rest = tail;
+            continue;
+        }
+        match tail.split_first() {
+            Some((&0x00, after)) => return Ok((out, after)),
+            Some((&0xFF, after)) => {
+                out.push(0x00);
+                rest = after;
+            }
+            Some((&escape, _)) => return Err(corrupt(KeyCorruption::BadEscape { escape })),
+            None => return Err(corrupt(KeyCorruption::Truncated)),
+        }
+    }
+    Err(corrupt(KeyCorruption::Truncated))
+}
+
+fn corrupt(kind: KeyCorruption) -> TypeError {
+    TypeError::KeyCorrupt(kind)
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn prefix_sorts_before_extension() {
+        let a = encode_key(&[Value::Text("ab".into())]).unwrap();
+        let b = encode_key(&[Value::Text("ab\u{0}".into())]).unwrap();
+        let c = encode_key(&[Value::Text("abc".into())]).unwrap();
+        assert!(a < b && b < c);
+    }
+
+    #[test]
+    fn composite_orders_component_wise() {
+        let a = encode_key(&[Value::Text("a".into()), Value::I64(9)]).unwrap();
+        let b = encode_key(&[Value::Text("ab".into()), Value::I64(0)]).unwrap();
+        assert!(a < b, "shorter first component must dominate");
+    }
+
+    #[test]
+    fn json_is_not_keyable() {
+        let err = encode_key(&[Value::Json(vec![0xC0])]).unwrap_err();
+        assert!(matches!(err, TypeError::NotKeyable { kind: "json" }));
+    }
+}