backup: reject Add after WriteTo on snapshotBuilder (claude review)

claude review on PR #825 found a silent-data-loss footgun: after
WriteTo set b.written, Add still passed its checks and appended to
b.entries, but those records could never be flushed (the second
WriteTo fails closed before re-sorting). For the M2-M5 adapter feed
loops this would silently drop records on builder reuse.

Add now guards on b.written at the top and returns the same
ErrSnapshotBuilderReused sentinel WriteTo uses, so a caller reusing an
exhausted builder gets one consistent signal regardless of method.
Caller audit: the only Add callers are tests; the production callers
(per-adapter encoders) land in M2-M5, so no existing call site relies
on post-WriteTo Add.

Test: TestSnapshotBuilderRejectsAddAfterWriteTo.

Author: bootjp

internal/backup/encode.go

@@ -150,6 +150,16 @@ func newSnapshotBuilder(commitTS uint64) *snapshotBuilder {
 // order-dependent `.fsm`. userKey/userValue are copied — callers may
 // reuse their buffers after Add returns.
 func (b *snapshotBuilder) Add(userKey, userValue []byte, expireAt uint64) error {
+	// A builder is single-use. Once WriteTo has flushed, any further
+	// Add would stage entries that can never be written (the second
+	// WriteTo fails closed before re-sorting), silently dropping
+	// records. Reject with the same sentinel WriteTo uses so a caller
+	// reusing an exhausted builder gets one consistent signal
+	// regardless of which method it calls (claude review on PR #825 —
+	// a silent-data-loss footgun for the M2-M5 adapter feed loops).
+	if b.written {
+		return errors.WithStack(ErrSnapshotBuilderReused)
+	}
 	// Size-check from the user-buffer lengths before allocating the
 	// framed buffers — encKey = userKey + snapshotTSSize, encVal =
 	// snapshotValueHeaderSize + userValue — so an oversize record

internal/backup/encode_test.go

@@ -269,6 +269,26 @@ func TestSnapshotBuilderRejectsReuse(t *testing.T) {
 	}
 }
 
+// TestSnapshotBuilderRejectsAddAfterWriteTo pins that Add fails closed
+// after WriteTo rather than silently staging records that can never be
+// flushed (the second WriteTo would reject before re-sorting). Guards
+// the M2-M5 adapter feed loops against a silent-data-loss reuse bug.
+func TestSnapshotBuilderRejectsAddAfterWriteTo(t *testing.T) {
+	t.Parallel()
+	b := newSnapshotBuilder(encodeFixtureTS)
+	if err := b.Add([]byte("!redis|str|first"), []byte("v"), 0); err != nil {
+		t.Fatalf("Add: %v", err)
+	}
+	var buf bytes.Buffer
+	if _, err := b.WriteTo(&buf); err != nil {
+		t.Fatalf("WriteTo: %v", err)
+	}
+	err := b.Add([]byte("!redis|str|second"), []byte("v"), 0)
+	if !errors.Is(err, ErrSnapshotBuilderReused) {
+		t.Fatalf("Add-after-WriteTo err = %v, want ErrSnapshotBuilderReused", err)
+	}
+}
+
 // TestResolveCommitTS pins the --last-commit-ts override semantics
 // (design §"MVCC re-encoding"): no override yields the manifest value;
 // an override >= manifest is accepted; an override < manifest fails