Commit eb371ca
authored
feat(encryption): Stage 6E-2c — dynamic raft envelope wrap on ShardGroup (#922)
## Summary
Stage 6E-2c: install the Stage 6E-2 wrap-on-propose plumbing on every
shard group without yet activating any cipher. Every `ShardGroup` gets
an `atomic.Pointer[RaftPayloadWrapper]` cell; the proposer chain
consults that pointer on every `Propose` / `ProposeAdmin` call;
`SetRaftPayloadWrap` is the hot-swap surface Stage 6E-2d will use when
`EnableRaftEnvelope` commits. The wrap closure factory itself ships in
Stage 6E-2e/2f.
A startup hook reads the sidecar and logs a `WARN` if
`RaftEnvelopeCutoverIndex != 0` — operator-visible refusal of a
deployment that crosses the cutover line under a binary without the
cipher factory wired.
## Pieces
- `dynamicWrappedProposer` (kv/raft_payload_wrapper.go): wraps a
`raftengine.Proposer` with an `atomic.Pointer.Load` on every call.
Mirrors `wrappedProposer`'s Propose / ProposeAdmin routing and wrap
semantics — the wrap layer is NOT a barrier exemption; Propose and
ProposeAdmin apply the same wrap. The cutover marker stays cleartext via
the raw-engine reference at the call site, not at the method level.
- `ShardGroup.raftPayloadWrap` + `SetRaftPayloadWrap` +
`RaftPayloadWrap` (kv/sharded_coordinator.go): the published hot-swap
surface.
- `NewLeaderProxyForShardGroup` + `withDynamicRaftPayloadWrap`
(kv/sharded_coordinator.go, kv/transaction.go): the production wiring
path. `main.go`'s `buildShardGroups` now constructs every shard group's
`LeaderProxy` via this helper so the dynamic wrap chain is universal.
- `noteRaftEnvelopeCutoverStartup` (main_encryption_write_wiring.go):
process-start sidecar read. Silent on the universal pre-cutover case and
on any read error (the Stage 6C-1 startup guard is the authoritative
refuser). Logs `WARN` only when the cutover index is non-zero but the
binary does not (yet) ship the cipher factory.
## Tests (8 new)
- `TestDynamicWrappedProposer_NilPointerReturnsInnerVerbatim` —
defensive degradation for nil `*atomic.Pointer`.
- `TestDynamicWrappedProposer_NilStoredIsPassThrough` — Stage 3 default
(verbatim routing for Propose and ProposeAdmin separately).
- `TestDynamicWrappedProposer_LoadsCurrentWrapEveryCall` — hot-swap
contract (install / clear observed by the next proposal).
- `TestDynamicWrappedProposer_ProposeAdminAppliesCurrentWrap` —
admin-path mirror; confirms `inner.ProposeAdmin` (not `Propose`) is
reached when wrap is active.
- `TestShardGroup_SetRaftPayloadWrap_RoundTrip` — Set/Get round-trip
including the nil-clears semantics.
- `TestNoteRaftEnvelopeCutoverStartup_*` (×4) — empty path / missing
file / zero cutover / non-zero cutover (asserts the hook is read-only).
## Five-lens self-review
- **Data loss**: the dynamic wrap proposer is a pass-through when the
pointer holds nil (the Stage 6E-2c default). Production behaviour is
unchanged today — every proposal still reaches the engine cleartext via
the existing path. No new error swallow, no new fall-through.
- **Concurrency / distributed**: hot-swap uses `atomic.Pointer.Store` /
`Load`; reads are lock-free and observe a fully-published closure
(either nil or non-nil) on every call. Last-writer-wins on concurrent
stores; no torn read.
- **Performance**: one extra `atomic.Pointer.Load` per Propose /
ProposeAdmin on the dynamic path; no allocation, no contention. Wrap
closure invocation cost is paid only when non-nil; matches the existing
`wrappedProposer` profile.
- **Data consistency**: the wrap pointer's lifetime is owned by the
`ShardGroup` that owns the engine; the proposer holds an
`*atomic.Pointer` reference back into `ShardGroup`. No cross-shard
mixing — each shard has its own pointer, so a future per-shard rotation
policy works without changes here.
- **Test coverage**: 8 new tests cover the wrap-proposer mechanics, the
ShardGroup hot-swap surface, and the startup hook input matrix.
## Caller audit (per /loop semantic-change rule)
- `kv.NewLeaderProxyWithEngine` (kept; non-wrap-aware): no behaviour
change. Test fixtures and any shard group that opts out of encryption
continue to use it.
- `kv.NewLeaderProxyForShardGroup` (new; wrap-aware): used by
`main.go`'s `buildShardGroups` for every production shard group. Audit:
the only construction site for production `ShardGroup` instances now
routes through this helper.
- ShardGroup struct literal in `main.go`: switched from one-shot literal
with `Txn` set inline to two-step build (struct literal, then `Txn =
NewLeaderProxyForShardGroup(sg, opts...)`). Necessary because
`NewLeaderProxyForShardGroup` needs the `&sg.raftPayloadWrap` pointer,
which is only addressable after the struct exists.
- `SetRaftPayloadWrap` callers: none in this PR. The surface is
published for Stage 6E-2d's `EnableRaftEnvelope` handler.
## Test plan
- [x] `go build ./...` clean
- [x] `go vet ./...` clean
- [x] `golangci-lint run` clean (pre-commit hook ran)
- [x] `go test -race -run
'DynamicWrappedProposer|ShardGroup_Set|WrappedProposer|NoteRaftEnvelopeCutover'
.` passes
- [x] `go test -race ./kv/` scoped tests pass
Refs: `docs/design/2026_05_31_partial_6e_enable_raft_envelope.md`
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **New Features**
* Introduced runtime-swappable raft payload envelope wrapping with
dynamic wrapper support across all proposal types and shard groups.
* **Chores**
* Added startup validation to detect and prevent incompatible payload
envelope cutover states with clear operator guidance.
* **Tests**
* Expanded test coverage for dynamic payload wrapper behavior, atomic
pointer runtime swapping, integration with shard groups, and startup
safety checks.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->7 files changed
Lines changed: 732 additions & 5 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
2 | 2 | | |
3 | 3 | | |
4 | 4 | | |
| 5 | + | |
5 | 6 | | |
6 | 7 | | |
7 | 8 | | |
| |||
108 | 109 | | |
109 | 110 | | |
110 | 111 | | |
| 112 | + | |
| 113 | + | |
| 114 | + | |
| 115 | + | |
| 116 | + | |
| 117 | + | |
| 118 | + | |
| 119 | + | |
| 120 | + | |
| 121 | + | |
| 122 | + | |
| 123 | + | |
| 124 | + | |
| 125 | + | |
| 126 | + | |
| 127 | + | |
| 128 | + | |
| 129 | + | |
| 130 | + | |
| 131 | + | |
| 132 | + | |
| 133 | + | |
| 134 | + | |
| 135 | + | |
| 136 | + | |
| 137 | + | |
| 138 | + | |
| 139 | + | |
| 140 | + | |
| 141 | + | |
| 142 | + | |
| 143 | + | |
| 144 | + | |
| 145 | + | |
| 146 | + | |
| 147 | + | |
| 148 | + | |
| 149 | + | |
| 150 | + | |
| 151 | + | |
| 152 | + | |
| 153 | + | |
| 154 | + | |
| 155 | + | |
| 156 | + | |
| 157 | + | |
| 158 | + | |
| 159 | + | |
| 160 | + | |
| 161 | + | |
| 162 | + | |
| 163 | + | |
| 164 | + | |
| 165 | + | |
| 166 | + | |
| 167 | + | |
| 168 | + | |
| 169 | + | |
| 170 | + | |
| 171 | + | |
| 172 | + | |
| 173 | + | |
| 174 | + | |
| 175 | + | |
| 176 | + | |
| 177 | + | |
| 178 | + | |
| 179 | + | |
| 180 | + | |
| 181 | + | |
| 182 | + | |
| 183 | + | |
| 184 | + | |
| 185 | + | |
| 186 | + | |
| 187 | + | |
| 188 | + | |
| 189 | + | |
| 190 | + | |
| 191 | + | |
| 192 | + | |
| 193 | + | |
| 194 | + | |
| 195 | + | |
| 196 | + | |
| 197 | + | |
| 198 | + | |
| 199 | + | |
| 200 | + | |
| 201 | + | |
| 202 | + | |
| 203 | + | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
223 | 223 | | |
224 | 224 | | |
225 | 225 | | |
| 226 | + | |
| 227 | + | |
| 228 | + | |
| 229 | + | |
| 230 | + | |
| 231 | + | |
| 232 | + | |
| 233 | + | |
| 234 | + | |
| 235 | + | |
| 236 | + | |
| 237 | + | |
| 238 | + | |
| 239 | + | |
| 240 | + | |
| 241 | + | |
| 242 | + | |
| 243 | + | |
| 244 | + | |
| 245 | + | |
| 246 | + | |
| 247 | + | |
| 248 | + | |
| 249 | + | |
| 250 | + | |
| 251 | + | |
| 252 | + | |
| 253 | + | |
| 254 | + | |
| 255 | + | |
| 256 | + | |
| 257 | + | |
| 258 | + | |
| 259 | + | |
| 260 | + | |
| 261 | + | |
| 262 | + | |
| 263 | + | |
| 264 | + | |
| 265 | + | |
| 266 | + | |
| 267 | + | |
| 268 | + | |
| 269 | + | |
| 270 | + | |
| 271 | + | |
| 272 | + | |
| 273 | + | |
| 274 | + | |
| 275 | + | |
| 276 | + | |
| 277 | + | |
| 278 | + | |
| 279 | + | |
| 280 | + | |
| 281 | + | |
| 282 | + | |
| 283 | + | |
| 284 | + | |
| 285 | + | |
| 286 | + | |
| 287 | + | |
| 288 | + | |
| 289 | + | |
| 290 | + | |
| 291 | + | |
| 292 | + | |
| 293 | + | |
| 294 | + | |
| 295 | + | |
| 296 | + | |
| 297 | + | |
| 298 | + | |
| 299 | + | |
| 300 | + | |
| 301 | + | |
| 302 | + | |
| 303 | + | |
| 304 | + | |
| 305 | + | |
| 306 | + | |
| 307 | + | |
| 308 | + | |
| 309 | + | |
| 310 | + | |
| 311 | + | |
| 312 | + | |
| 313 | + | |
| 314 | + | |
| 315 | + | |
| 316 | + | |
| 317 | + | |
| 318 | + | |
| 319 | + | |
| 320 | + | |
| 321 | + | |
| 322 | + | |
| 323 | + | |
| 324 | + | |
| 325 | + | |
| 326 | + | |
| 327 | + | |
| 328 | + | |
| 329 | + | |
| 330 | + | |
| 331 | + | |
| 332 | + | |
| 333 | + | |
| 334 | + | |
| 335 | + | |
| 336 | + | |
| 337 | + | |
| 338 | + | |
| 339 | + | |
| 340 | + | |
| 341 | + | |
| 342 | + | |
| 343 | + | |
| 344 | + | |
| 345 | + | |
| 346 | + | |
| 347 | + | |
| 348 | + | |
| 349 | + | |
| 350 | + | |
| 351 | + | |
| 352 | + | |
| 353 | + | |
| 354 | + | |
| 355 | + | |
| 356 | + | |
| 357 | + | |
| 358 | + | |
| 359 | + | |
| 360 | + | |
| 361 | + | |
| 362 | + | |
| 363 | + | |
| 364 | + | |
| 365 | + | |
| 366 | + | |
| 367 | + | |
| 368 | + | |
| 369 | + | |
| 370 | + | |
| 371 | + | |
| 372 | + | |
| 373 | + | |
| 374 | + | |
| 375 | + | |
| 376 | + | |
| 377 | + | |
| 378 | + | |
| 379 | + | |
| 380 | + | |
| 381 | + | |
| 382 | + | |
| 383 | + | |
| 384 | + | |
| 385 | + | |
| 386 | + | |
| 387 | + | |
| 388 | + | |
0 commit comments