Merge remote-tracking branch 'origin/feat/backup-phase0a-dynamodb' into feat/backup-phase0a-s3

bootjp · bootjp · commit 33bff13c01c4 · 2026-04-30T20:01:54.000+09:00
diff --git a/internal/backup/dynamodb.go b/internal/backup/dynamodb.go
@@ -212,31 +212,48 @@ func (d *DDBEncoder) flushTable(st *ddbTableState) error {
 	hashKey := st.schema.GetPrimaryKey().GetHashKey()
 	rangeKey := st.schema.GetPrimaryKey().GetRangeKey()
 	activeGen := st.schema.GetGeneration()
-	// Only items belonging to the schema's active generation are
-	// emitted. Older-gen rows (in-flight delete/recreate cleanup) are
-	// counted into a structured warning so the operator can correlate
-	// orphans to the cluster's state, but never written under the
-	// current schema where they would resurrect deleted data.
-	if stale := totalStaleItems(st.itemsByGen, activeGen); stale > 0 {
+	migrationSourceGen := st.schema.GetMigratingFromGeneration()
+	// During a generation migration the live read path falls back to
+	// migration_source_generation for items not yet copied to the new
+	// generation (see adapter/dynamodb.go readLogicalItemAt). Both
+	// generations therefore carry items the user can read at this
+	// moment, so a backup must include both. Codex P1 #227.
+	//
+	// Items present in BOTH generations: the new-gen row is the
+	// authoritative one (the live code prefers it on read). We emit
+	// migration-source first, then active gen LAST, so writeFileAtomic's
+	// tmp+rename leaves the active-gen content on disk per (pk,sk).
+	emitOrder := []uint64{}
+	if migrationSourceGen != 0 && migrationSourceGen != activeGen {
+		emitOrder = append(emitOrder, migrationSourceGen)
+	}
+	emitOrder = append(emitOrder, activeGen)
+	if stale := totalStaleItemsExcluding(st.itemsByGen, emitOrder); stale > 0 {
 		d.emitWarn("ddb_stale_generation_items",
 			"table", st.name,
 			"active_generation", activeGen,
+			"migration_source_generation", migrationSourceGen,
 			"stale_count", stale,
-			"hint", "stale-gen rows are excluded from the dump; restore would otherwise emit them under the new schema")
+			"hint", "stale-gen rows excluded; restore would otherwise emit them under the new schema")
 	}
-	active := st.itemsByGen[activeGen]
-	for _, item := range active {
-		if err := writeDDBItem(itemsDir, hashKey, rangeKey, item); err != nil {
-			return err
+	for _, gen := range emitOrder {
+		for _, item := range st.itemsByGen[gen] {
+			if err := writeDDBItem(itemsDir, hashKey, rangeKey, item); err != nil {
+				return err
+			}
 		}
 	}
 	return nil
 }
 
-func totalStaleItems(m map[uint64][]*pb.DynamoItem, activeGen uint64) int {
+func totalStaleItemsExcluding(m map[uint64][]*pb.DynamoItem, included []uint64) int {
+	includedSet := make(map[uint64]struct{}, len(included))
+	for _, g := range included {
+		includedSet[g] = struct{}{}
+	}
 	stale := 0
 	for gen, items := range m {
-		if gen != activeGen {
+		if _, ok := includedSet[gen]; !ok {
 			stale += len(items)
 		}
 	}
diff --git a/internal/backup/dynamodb_test.go b/internal/backup/dynamodb_test.go
@@ -335,6 +335,87 @@ func TestDDB_BundleJSONLNotImplementedYet(t *testing.T) {
 	}
 }
 
+func TestDDB_MigrationSourceGenerationItemsAreEmitted(t *testing.T) {
+	t.Parallel()
+	enc, root := newDDBEncoder(t)
+	// During a live migration, schema.Generation is the new gen and
+	// schema.MigratingFromGeneration carries the source gen. The live
+	// read path falls back to the source for items not yet copied.
+	// The dump must include both — Codex P1 #227.
+	schema := &pb.DynamoTableSchema{
+		TableName:               "t",
+		PrimaryKey:              &pb.DynamoKeySchema{HashKey: "id"},
+		AttributeDefinitions:    map[string]string{"id": "S"},
+		Generation:              7,
+		MigratingFromGeneration: 6,
+	}
+	newRow := &pb.DynamoItem{Attributes: map[string]*pb.DynamoAttributeValue{
+		"id": sAttr("a"), "v": sAttr("new"),
+	}}
+	migratingRow := &pb.DynamoItem{Attributes: map[string]*pb.DynamoAttributeValue{
+		"id": sAttr("b"), "v": sAttr("not-yet-migrated"),
+	}}
+	if err := enc.HandleItem(EncodeDDBItemKey("t", 7, "a", ""), encodeItemValue(t, newRow)); err != nil {
+		t.Fatal(err)
+	}
+	if err := enc.HandleItem(EncodeDDBItemKey("t", 6, "b", ""), encodeItemValue(t, migratingRow)); err != nil {
+		t.Fatal(err)
+	}
+	if err := enc.HandleTableMeta(EncodeDDBTableMetaKey("t"), encodeSchemaValue(t, schema)); err != nil {
+		t.Fatal(err)
+	}
+	if err := enc.Finalize(); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := os.Stat(filepath.Join(root, "dynamodb", "t", "items", "a.json")); err != nil {
+		t.Fatalf("active-gen item missing: %v", err)
+	}
+	if _, err := os.Stat(filepath.Join(root, "dynamodb", "t", "items", "b.json")); err != nil {
+		t.Fatalf("migrating-from-gen item must be emitted during live migration: %v", err)
+	}
+}
+
+func TestDDB_NewGenerationWinsOverMigrationSourceForSameKey(t *testing.T) {
+	t.Parallel()
+	enc, root := newDDBEncoder(t)
+	schema := &pb.DynamoTableSchema{
+		TableName:               "t",
+		PrimaryKey:              &pb.DynamoKeySchema{HashKey: "id"},
+		AttributeDefinitions:    map[string]string{"id": "S"},
+		Generation:              7,
+		MigratingFromGeneration: 6,
+	}
+	// Same primary key in both generations. The live read path
+	// prefers the new gen; the dump must do the same.
+	newRow := &pb.DynamoItem{Attributes: map[string]*pb.DynamoAttributeValue{
+		"id": sAttr("k"), "v": sAttr("new-version"),
+	}}
+	oldRow := &pb.DynamoItem{Attributes: map[string]*pb.DynamoAttributeValue{
+		"id": sAttr("k"), "v": sAttr("old-version"),
+	}}
+	if err := enc.HandleItem(EncodeDDBItemKey("t", 6, "k", ""), encodeItemValue(t, oldRow)); err != nil {
+		t.Fatal(err)
+	}
+	if err := enc.HandleItem(EncodeDDBItemKey("t", 7, "k", ""), encodeItemValue(t, newRow)); err != nil {
+		t.Fatal(err)
+	}
+	if err := enc.HandleTableMeta(EncodeDDBTableMetaKey("t"), encodeSchemaValue(t, schema)); err != nil {
+		t.Fatal(err)
+	}
+	if err := enc.Finalize(); err != nil {
+		t.Fatal(err)
+	}
+	body, err := os.ReadFile(filepath.Join(root, "dynamodb", "t", "items", "k.json")) //nolint:gosec
+	if err != nil {
+		t.Fatal(err)
+	}
+	got := readItemMap(t, filepath.Join(root, "dynamodb", "t", "items", "k.json"))
+	v := mustSubMap(t, got, "v")
+	if v["S"] != "new-version" {
+		t.Fatalf("body = %s; new gen must win on conflict, got v.S=%v", body, v["S"])
+	}
+}
+
 func TestDDB_StaleGenerationItemsExcludedAndWarned(t *testing.T) {
 	t.Parallel()
 	enc, root := newDDBEncoder(t)
diff --git a/internal/backup/filename.go b/internal/backup/filename.go
@@ -80,32 +80,70 @@ var ErrShaFallbackNeedsKeymap = errors.New("backup: filename uses SHA fallback;
 // filename component. It is the inverse of DecodeSegment for non-fallback
 // inputs.
 //
-// The encoding is deterministic and idempotent given the same input.
+// The encoding is deterministic given the same input.
 //
-// Two short-circuits ensure the encoder never trips its own invariants:
+// Three structural short-circuits ensure DecodeSegment cannot
+// misclassify a legitimate key:
 //
-//   - If raw is so large that percent-encoding it would always overflow
-//     maxSegmentBytes (3*len(raw) > maxSegmentBytes), we go straight to
-//     shaFallback without allocating the full expansion. Without this an
-//     adversarial caller could force a very large transient allocation
-//     just to discard it.
-//   - If the percent-encoded form happens to match the SHA-fallback shape
-//     (32 hex chars followed by "__"), we promote it to a real
+//   - If `raw` is longer than maxSegmentBytes, even a fully-unreserved
+//     encoding (1:1) cannot fit, so we go straight to shaFallback.
+//     This also caps the percent-encode allocation at
+//     ~maxSegmentBytes, preventing OOM on adversarial input.
+//   - If the percent-encoded form happens to match the SHA-fallback
+//     shape (32 hex chars followed by "__"), we promote it to a real
 //     SHA-fallback so DecodeSegment's structural detection cannot
-//     misclassify a legitimate key. Both isShaFallback and shaFallback
-//     are true on the resulting output, so KEYMAP.jsonl carries the
-//     original bytes for exact-byte recovery.
+//     fabricate a wrong original.
+//   - If the percent-encoded form starts with the binary "b64."
+//     prefix, we promote to SHA-fallback for the same reason: a
+//     plain string key like "b64.foo" would otherwise be decoded as
+//     base64 and produce different bytes on round-trip.
+//
+// Both promoted-fallback paths leave the original in KEYMAP.jsonl
+// (a correctness dependency, per the package doc), so exact-byte
+// recovery is preserved.
 func EncodeSegment(raw []byte) string {
-	if len(raw)*percentEncodeMaxExpansion > maxSegmentBytes {
+	if len(raw) > maxSegmentBytes {
+		// 1:1 lower bound on encoded length; cannot fit.
 		return shaFallback(raw)
 	}
-	encoded := percentEncode(raw)
-	if len(encoded) > maxSegmentBytes || isShaFallback(encoded) {
+	encoded, ok := percentEncodeBounded(raw, maxSegmentBytes)
+	if !ok || isShaFallback(encoded) || strings.HasPrefix(encoded, binaryPrefix) {
 		return shaFallback(raw)
 	}
 	return encoded
 }
 
+// percentEncodeBounded percent-encodes raw, bailing out as soon as the
+// in-progress output would exceed maxLen. Returns ("", false) on
+// overflow so the caller can take the SHA-fallback path without
+// having allocated the full 3*len(raw) buffer that the unbounded
+// variant would. Returns (encoded, true) on success.
+func percentEncodeBounded(raw []byte, maxLen int) (string, bool) {
+	const escapeBytes = 3 // len("%HH") -- one escape's worst-case width
+	cap := escapeBytes * len(raw)
+	if cap > maxLen+escapeBytes {
+		cap = maxLen + escapeBytes
+	}
+	var b strings.Builder
+	b.Grow(cap)
+	for _, c := range raw {
+		if isUnreserved(c) {
+			if b.Len()+1 > maxLen {
+				return "", false
+			}
+			b.WriteByte(c)
+			continue
+		}
+		if b.Len()+escapeBytes > maxLen {
+			return "", false
+		}
+		b.WriteByte('%')
+		b.WriteByte(hexUpper(c >> 4))   //nolint:mnd // 4 == nibble width
+		b.WriteByte(hexUpper(c & 0x0F)) //nolint:mnd // 0x0F == low-nibble mask
+	}
+	return b.String(), true
+}
+
 // EncodeBinarySegment encodes a DynamoDB B-attribute (binary) segment as
 // "b64.<base64url-no-padding>" so that binary keys never collide with string
 // keys whose hex-encoding happens to look like base64.
@@ -152,10 +190,6 @@ func DecodeSegment(seg string) ([]byte, error) {
 	return percentDecode(seg)
 }
 
-// percentEncodeMaxExpansion is the worst-case ratio of encoded length to
-// raw length for percentEncode (every byte expands to "%HH").
-const percentEncodeMaxExpansion = 3
-
 // IsShaFallback reports whether seg uses the SHA-prefix-and-truncated-original
 // form. Such segments cannot be reversed without KEYMAP.jsonl.
 func IsShaFallback(seg string) bool {
diff --git a/internal/backup/filename_test.go b/internal/backup/filename_test.go
@@ -309,6 +309,44 @@ func TestEncodeBinarySegment_FuzzRoundTripIfNotShaFallback(t *testing.T) {
 	})
 }
 
+func TestEncodeSegment_LongUnreservedASCIIEncodesAsIs(t *testing.T) {
+	t.Parallel()
+	// 200 ASCII letters are all unreserved; the percent-encoding is
+	// 1:1 (200 bytes), well under the 240-byte ceiling. The encoder
+	// must NOT take the SHA fallback for such inputs — Codex P1 #100.
+	raw := []byte(strings.Repeat("a", 200))
+	enc := EncodeSegment(raw)
+	if IsShaFallback(enc) {
+		t.Fatalf("200-byte ASCII unreserved input must NOT take SHA fallback")
+	}
+	dec, err := DecodeSegment(enc)
+	if err != nil {
+		t.Fatalf("DecodeSegment: %v", err)
+	}
+	if string(dec) != string(raw) {
+		t.Fatalf("round-trip failed for 200-byte ASCII")
+	}
+}
+
+func TestEncodeSegment_KeyStartingWithBinaryPrefixIsPromotedToFallback(t *testing.T) {
+	t.Parallel()
+	// A user STRING key like "b64.foo" passed naively through
+	// EncodeSegment returns "b64.foo" (all unreserved). DecodeSegment
+	// then sees the b64. prefix, treats it as a binary segment, and
+	// decodes the base64 — producing the wrong bytes. Codex P1 #146.
+	// EncodeSegment must promote any input whose encoded form starts
+	// with the binary prefix to a real SHA fallback so KEYMAP.jsonl
+	// carries the original.
+	raw := []byte("b64.foo")
+	enc := EncodeSegment(raw)
+	if !IsShaFallback(enc) {
+		t.Fatalf("expected SHA fallback for b64.-prefixed input, got %q", enc)
+	}
+	if _, err := DecodeSegment(enc); !errors.Is(err, ErrShaFallbackNeedsKeymap) {
+		t.Fatalf("decode err=%v want ErrShaFallbackNeedsKeymap", err)
+	}
+}
+
 func TestEncodeSegment_KeyMatchingShaFallbackShapeIsPromotedToFallback(t *testing.T) {
 	t.Parallel()
 	// A user key that is itself made of 32 hex chars + "__" + suffix
diff --git a/internal/backup/manifest.go b/internal/backup/manifest.go
@@ -294,6 +294,17 @@ func (m Manifest) validatePhaseSpecific() error {
 		if m.Source != nil {
 			return errors.Wrap(ErrInvalidManifest, "phase1 must not set source")
 		}
+		// A phase1 dump's whole point is the cluster-wide read_ts
+		// pin recorded under Live. A manifest that omits Live cannot
+		// describe its consistency point and downstream restore /
+		// audit logic must not silently accept it as valid (Codex
+		// P1 #295).
+		if m.Live == nil {
+			return errors.Wrap(ErrInvalidManifest, "phase1 must set live")
+		}
+		if m.Live.ReadTS == 0 {
+			return errors.Wrap(ErrInvalidManifest, "phase1 live.read_ts must be non-zero")
+		}
 	}
 	return nil
 }
diff --git a/internal/backup/manifest_test.go b/internal/backup/manifest_test.go
@@ -50,6 +50,51 @@ func TestManifest_Phase0RoundTrip(t *testing.T) {
 	}
 }
 
+func TestManifest_Phase1MustSetLive(t *testing.T) {
+	t.Parallel()
+	m := NewPhase0SnapshotManifest(time.Now())
+	m.Phase = PhasePhase1LivePinned
+	m.Source = nil
+	// Live deliberately omitted -- the gap Codex P1 #295 caught.
+	var buf bytes.Buffer
+	err := WriteManifest(&buf, m)
+	if !errors.Is(err, ErrInvalidManifest) {
+		t.Fatalf("err=%v want ErrInvalidManifest", err)
+	}
+}
+
+func TestManifest_Phase1RejectsZeroReadTS(t *testing.T) {
+	t.Parallel()
+	m := NewPhase0SnapshotManifest(time.Now())
+	m.Phase = PhasePhase1LivePinned
+	m.Source = nil
+	m.Live = &Live{ReadTS: 0}
+	var buf bytes.Buffer
+	err := WriteManifest(&buf, m)
+	if !errors.Is(err, ErrInvalidManifest) {
+		t.Fatalf("err=%v want ErrInvalidManifest for zero read_ts", err)
+	}
+}
+
+func TestManifest_Phase1WithLiveAndNonZeroReadTSIsValid(t *testing.T) {
+	t.Parallel()
+	m := NewPhase0SnapshotManifest(time.Now())
+	m.Phase = PhasePhase1LivePinned
+	m.Source = nil
+	m.Live = &Live{ReadTS: 12345}
+	var buf bytes.Buffer
+	if err := WriteManifest(&buf, m); err != nil {
+		t.Fatalf("WriteManifest: %v", err)
+	}
+	got, err := ReadManifest(&buf)
+	if err != nil {
+		t.Fatalf("ReadManifest: %v", err)
+	}
+	if got.Live == nil || got.Live.ReadTS != 12345 {
+		t.Fatalf("Live mismatch: %+v", got.Live)
+	}
+}
+
 func TestManifest_Phase1MustNotSetSource(t *testing.T) {
 	t.Parallel()
 	m := NewPhase0SnapshotManifest(time.Now())

Original file line number	Diff line number	Diff line change
`@@ -294,6 +294,17 @@ func (m Manifest) validatePhaseSpecific() error {`
`294`	`294`	`if m.Source != nil {`
`295`	`295`	`return errors.Wrap(ErrInvalidManifest, "phase1 must not set source")`
`296`	`296`	`}`
	`297`	`+ // A phase1 dump's whole point is the cluster-wide read_ts`
	`298`	`+ // pin recorded under Live. A manifest that omits Live cannot`
	`299`	`+ // describe its consistency point and downstream restore /`
	`300`	`+ // audit logic must not silently accept it as valid (Codex`
	`301`	`+ // P1 #295).`
	`302`	`+ if m.Live == nil {`
	`303`	`+ return errors.Wrap(ErrInvalidManifest, "phase1 must set live")`
	`304`	`+ }`
	`305`	`+ if m.Live.ReadTS == 0 {`
	`306`	`+ return errors.Wrap(ErrInvalidManifest, "phase1 live.read_ts must be non-zero")`
	`307`	`+ }`
`297`	`308`	`}`
`298`	`309`	`return nil`
`299`	`310`	`}`