s3keys: export ParseBlobKey for offline blob-key consumers

[bootjp]

Summary

Tiny addition to internal/s3keys. Exports ParseBlobKey so the offline Phase 0a logical-backup decoder (next stacked PR) can route !s3|blob| records to their assembled object without holding a live cluster.

The package already exports parsers for object manifests and upload parts; blob keys are constructable via BlobKey / VersionedBlobKey but were not parseable from the outside.

What ParseBlobKey does

Returns all components: bucket, generation, object, uploadID, partNo, chunkNo, partVersion. Both the 6-component (un-versioned) and 7-component (versioned) shapes are decoded. partVersion=0 reverts to the un-versioned shape, matching VersionedBlobKey's documented fallback. Truncated keys, malformed segments, and trailers that aren't either zero bytes or exactly one u64 are rejected with ok=false.

Test plan

• go test -race ./internal/s3keys/... — pass.
• golangci-lint run ./internal/s3keys/... — clean.
• 5 new tests: un-versioned round-trip, versioned round-trip, partVersion=0 fallback, rejection of bucket-meta / object-manifest / upload-part / junk inputs, rejection of trailing-garbage keys.
• Implementation split into parseBlobKeyHead + parseOptionalPartVersion so cyclomatic complexity stays under the package cap (no //nolint).

Why this is its own PR

Branch stack discipline. The S3 backup encoder uses this; landing the parser separately keeps the encoder PR focused on the dump-format mapping.

[coderabbitai]

Warning

Rate limit exceeded

@bootjp has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 14 minutes and 31 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 39385143-fc71-418d-a11b-89c3efe0b1d8

📥 Commits

Reviewing files that changed from the base of the PR and between 2dda2cb and 0e15f02.

📒 Files selected for processing (14)

• internal/backup/dynamodb.go
• internal/backup/dynamodb_test.go
• internal/backup/filename.go
• internal/backup/filename_test.go
• internal/backup/keymap.go
• internal/backup/keymap_test.go
• internal/backup/manifest.go
• internal/backup/manifest_test.go
• internal/backup/redis_string.go
• internal/backup/redis_string_test.go
• internal/backup/sqs.go
• internal/backup/sqs_test.go
• internal/s3keys/keys.go
• internal/s3keys/keys_test.go

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/s3keys-parse-blob-key

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 0/1 reviews remaining, refill in 14 minutes and 31 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request introduces a comprehensive logical backup framework for DynamoDB, Redis, and SQS adapters, featuring filename encoding with SHA-fallback for long keys, manifest management, and a key mapping system for original key recovery. The review feedback highlights opportunities to improve maintainability by centralizing shared utility functions—such as atomic file writing and JSONL handling—into a common utility file to reduce coupling across encoder-specific implementations. Additionally, it is recommended to remove or correct the unused and inconsistently documented retry logic found in the Redis encoder.

[gemini-code-assist]

General-purpose helper functions (e.g., writeFileAtomic, openJSONL, stripPrefixSegment, and mustMarshalIndent) are currently spread across encoder-specific files like redis_string.go and sqs.go. This creates unnecessary coupling. These shared utilities should be centralized into a common file within the backup package, such as util.go or fs.go, to improve maintainability and follow the repository's practice of centralizing common logic.

References

1. Centralize common complex logic into shared helper functions to avoid code duplication and improve maintainability.

[gemini-code-assist]

The function IsBlobAtomicWriteRetriable should be addressed for the following reasons:

1. Dead Code: The function is currently unused in this PR and should be removed to improve code clarity.
2. Centralization: If this logic were required, it should be moved to a shared utility file (e.g., util.go) rather than residing in an encoder-specific file.
3. Logic/Documentation: The implementation returns true for io.ErrShortWrite while the comment states it returns false for any error. Note that io.ErrShortWrite is typically not a transient error suitable for automatic retries.

References

1. Remove dead or unreachable code paths to improve code clarity and maintainability.
2. Centralize common complex logic into shared helper functions to avoid code duplication.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0e15f02c18

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Validate and retain DynamoDB item generation

parseDDBItemKey only extracts the encoded table segment and discards the <gen> field from !ddb|item|<encTable>|<gen>|..., so later stages cannot filter items to the active schema generation. If a snapshot still contains rows from older table generations (e.g., after recreate/purge before cleanup), those stale rows will be mixed into the export and can overwrite valid items or fail encoding against the current key schema. Parse the generation and gate buffered items against the table schema generation at finalize time.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Flush SQS side records for queues without messages

When WithIncludeSideRecords(true) is enabled, flushQueue returns immediately when len(st.messages) == 0, which skips the _internals/side_records.jsonl write path entirely. Queues that have side records but no message payloads in this snapshot lose the opted-in internal data, so the dump is incomplete for the side-record mode.

Useful? React with 👍 / 👎.

[bootjp]

PR #717 itself is internal/s3keys/keys.go + its tests (the ParseBlobKey addition). The 4 review comments above target code that lives in other stacked PRs:

• Gemini Configure Renovate #1 (writeFileAtomic, openJSONL, stripPrefixSegment, mustMarshalIndent should be centralised) — those are in PRs backup: Redis simple-type encoders (strings, HLL, TTL routing) #713 (Redis) and backup: SQS encoder for queue meta and messages.jsonl (Phase 0a) #714 (SQS). The "centralise into util.go" suggestion is a structural cleanup that's better as a follow-up PR after the per-adapter stack lands; doing it now creates merge churn across every branch in the stack.
• Gemini [WIP] Implement one-phase commit for single-group transactions #383 (IsBlobAtomicWriteRetriable) — that function lives in PR backup: Redis simple-type encoders (strings, HLL, TTL routing) #713; the dead-code / ENOSPC concern is addressed there in 945d73c9 (added IsBlobAtomicWriteOutOfSpace, kept retriable as the explicit short-write path).
• Codex P1 Track range load and split hotspots #227 (DynamoDB generation filter) — addressed in PR backup: DynamoDB encoder for tables and items (Phase 0a) #716 in fdc9b36b.
• Codex P2 Remove Uint64ToInt64 function #285 (SQS side records when zero messages) — addressed in PR backup: SQS encoder for queue meta and messages.jsonl (Phase 0a) #714 in 3455ba7f.

PR #717's actual code (s3keys.ParseBlobKey + 5 tests) has no outstanding feedback. Will land a follow-up backup: centralise file/JSONL helpers into util.go once the stack lands.

@claude review

[claude]

Claude finished @bootjp's task in 2m 38s —— View job

---

Review of PR #717: s3keys: export ParseBlobKey

• Reading internal/s3keys/keys.go and internal/s3keys/keys_test.go
• Reviewing implementation correctness and edge cases
• Reviewing API design and consistency with existing package exports
• Reviewing test coverage

---

Summary

The implementation is correct and well-structured. The two-function split (parseBlobKeyHead + parseOptionalPartVersion) is the right call for keeping cyclomatic complexity in check, the API is consistent with ParseUploadPartKey and ParseObjectManifestKey, and the core contracts (6-component vs 7-component, partVersion=0 fallback, trailer rejection) are all correctly handled. A few minor observations below.

---

Minor observations

1. Dead branches in parseOptionalPartVersion (keys.go:312-324)

case len(key)-offset == u64Bytes:
    v, next, ok := readU64(key, offset)
    if !ok || next != len(key) {   // both branches are unreachable
        return 0, false
    }
    return v, true

When we enter this case, len(key)-offset == u64Bytes is guaranteed, so readU64's bounds check (len(src)-offset < u64Bytes) always succeeds (ok=true), and next = offset + u64Bytes = len(key) always holds. Both guards in if !ok || next != len(key) are dead code.

This is harmless defensive programming and mirrors the guard style used in ParseUploadPartKey's final if !valid || next != len(key) check. No action needed — just flagging it as an observation so a future reader doesn't wonder whether there's a real failure path there. Fix this →

2. No round-trip test for segments containing embedded null bytes (keys_test.go)

TestParseUploadPartKey_ZeroBytesInSegments already exists (line 107 in the test file) and exercises the \x00 escape codec for ParseUploadPartKey. ParseBlobKey has two additional escaped-segment fields (object, uploadID) relative to that parser, so a parallel test — e.g. using bucket = "my\x00bucket", object = "path/\x00file" — would confirm the escape codec round-trips correctly through the new parser's additional decode paths.

Not a bug (the escape codec is shared with ParseUploadPartKey and is well-tested), but would match the precedent set by the existing null-byte test. Fix this →

3. No test for truncated keys (keys_test.go)

The "trailing garbage" test (TestParseBlobKey_RejectsTrailingGarbage) covers oversized trailers, but there's no corresponding test for undersized keys — e.g. a key truncated mid-u64 after the prefix, or one that terminates before the uploadID segment terminator. The readU64/decodeSegment helpers already handle these cases defensively, but a truncation test would lock down the regression (and matches the pattern of TestParseUploadPartKey_ZeroBytesInSegments catching the zero-byte edge case). Fix this →

---

What's correct

• Prefix guard before delegation: checking blobPrefixBytes in ParseBlobKey before calling parseBlobKeyHead avoids any ambiguity with other key families.
• partVersion=0 fallback contract: parseOptionalPartVersion at offset == len(key) returns (0, true), which matches VersionedBlobKey's documented partVersion=0 → same bytes as BlobKey invariant, and TestParseBlobKey_VersionedZeroFallsBackToUnversioned verifies both directions of that contract explicitly.
• Non-blob rejection test uses the four distinct key-family constructors (BucketMetaKey, ObjectManifestKey, UploadPartKey, plus a junk string) — good coverage of the prefix dispatch.
• Struct out-parameter parsedBlobHead cleanly avoids a long parameter list while keeping next offset visible to ParseBlobKey without exposing it in the public API.
• Named return ok in ParseBlobKey: the := in parts, ok := parseBlobKeyHead(key) correctly reuses the named ok (not a shadow) because parts is new — Go's short-declaration rules apply correctly here.

---

Verdict

LGTM. The three points above are minor (two are "add a test", one is a clarifying comment). None block landing. The core parser is correct and the split into parseBlobKeyHead + parseOptionalPartVersion is a good structural choice.