mirror of
https://github.com/ModernRelay/omnigraph.git
synced 2026-06-09 01:35:18 +02:00
3ea7a1fd50
Cursor flagged that if `roll_forward_all` succeeds (manifest pin advances) but `record_audit` then fails, the sidecar persists. On the next open, every table classifies as NoMovement (lance_head == manifest_pinned, both already reflect the prior roll-forward) → `decide` returns RollBack → `roll_back_sidecar` records a RolledBack audit row with empty per-table outcomes. Operators reading `_graph_commit_recoveries.lance` see "RolledBack" for an operation whose actual outcome was a successful roll-forward. `process_sidecar`'s RollBack arm now distinguishes "stale-after- success" from a legitimate rollback: when every classification is NoMovement AND any pin's `manifest_pinned > expected_version` (the manifest already advanced past the writer's CAS target), recovery dispatches to `record_audit_recovery_rollforward` which writes a RolledForward audit row with reconstructed outcomes (`from_version = expected_version`, `to_version = manifest_pinned`) and deletes the sidecar. No Lance writes — the substrate is already in the post-roll-forward state. Safe in `RollForwardOnly` mode (refresh-time recovery) because no `Dataset::restore` is involved; the legitimate-rollback path stays deferred to the next ReadWrite open as before. Added `recovery_records_rolled_forward_for_stale_sidecar_after_successful_roll_forward` integration test that synthesizes the state by writing a sidecar whose `expected_version < manifest_pin` and asserts: - audit row records `RolledForward` (not `RolledBack`) - per-table outcome reports the correct `from_version` / `to_version` pair - sidecar is deleted Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| omnigraph | ||
| omnigraph-cli | ||
| omnigraph-compiler | ||
| omnigraph-server | ||