Per-table writer queues + per-actor admission + op-kind-aware version check

[ragnorc]

Summary

• Remove the server-global engine write lock by moving the server to a shared engine handle; engine-owned per-(table, branch) queues now serialize only conflicting writers while disjoint writers can progress concurrently.
• Add per-actor admission control across mutating HTTP handlers, including 429 too_many_requests responses with Retry-After, injectable workload state for tests/benches, and actor-isolation benchmark coverage.
• Add op-kind-aware manifest drift checks: append-like inserts stay permissive for safe concurrency, while strict update/delete work compares read-time pins against the manifest snapshot captured under queue ownership.
• Add failpoint-backed and HTTP/server regression coverage for same-key inserts, update read-your-writes under concurrency, disjoint /change concurrency, /ingest admission, branch-operation races, branch-op matrix behavior, and inline-delete sidecar conflicts.
• Harden branch workflows: branch create avoids coordinator swap-restore races, branch merges are serialized by a merge mutex, and merge publish revalidates target table versions under target queue ownership.
• Fix recovery/schema refresh locking by releasing the refresh write guard before schema reload.
• Remove the unwired global rewrite admission / 503 surface from code, docs, CLI bench args, and regenerated OpenAPI; keep the public server surface aligned to wired behavior only.
• Prepare the v0.4.2 release: bump workspace crate versions and OpenAPI metadata, add expanded public release notes covering the full PR scope, scrub private ticket references from release docs, and add OSS documentation/release/versioning guidance to AGENTS.md.
• Address Devin Review's docs finding by correcting docs/server.md to say admission gates every mutating handler and removing stale global-rewrite-gate wording.
• Add a concise AGENTS.md rule to keep the always-loaded guide short because added lines carry recurring context-window cost.

Review & Testing Checklist for Human

• Review the queue/admission split: server admission handles per-actor fairness; engine queues handle per-(table, branch) write serialization.
• Review the strict mutation and branch-merge SI fences in staging.rs and merge.rs; both intentionally prefer safe 409 over silent overwrite under concurrent target movement.
• Review inline-delete sidecar ordering in staging.rs; sidecars are now written before the inline manifest-version check can reject after Lance HEAD moved.
• Confirm matrix cell d's 200-or-409 contract is acceptable for concurrent merge × change on the same target branch.
• Confirm deleting OMNIGRAPH_GLOBAL_REWRITE_MAX / service_unavailable matches the intended public API for this PR.
• Review docs/releases/v0.4.2.md as the public v0.4.2 release notes and confirm it now covers the full branch/PR scope without private tracker references.
• Review the new AGENTS.md context-budget rule and confirm it is concise enough for always-loaded guidance.

Notes

Local verification run:

• cargo check --workspace --all-targets
• cargo test -p omnigraph-engine --features failpoints --test failpoints inline_delete_conflict_writes_sidecar_before_rejecting -- --nocapture (red state was first confirmed with the old sidecar ordering: missing sidecar under __recovery/; green state passes after this fix)
• cargo test -p omnigraph-engine --features failpoints --test failpoints
• cargo test -p omnigraph-engine --test runs
• cargo test -p omnigraph-server --test server change_concurrent_updates_same_key_serialize_via_publisher_cas
• cargo test -p omnigraph-server --test server change_concurrent_inserts_same_key_serialize_without_409
• cargo test -p omnigraph-server --test server change_disjoint_table_concurrency_succeeds_at_http_level
• cargo test -p omnigraph-server --test server change_conflict_returns_manifest_conflict_409
• cargo test -p omnigraph-server --test server matrix
• cargo test -p omnigraph-engine --test branching
• cargo test -p omnigraph-engine --test composite_flow
• cargo test -p omnigraph-server --test server concurrent_branch_merges_distinct_targets_do_not_swap_into_each_other
• cargo build -p omnigraph-server --examples
• cargo test -p omnigraph-server
• OMNIGRAPH_UPDATE_OPENAPI=1 cargo test -p omnigraph-server --test openapi
• cargo test --workspace --tests --no-fail-fast
• scripts/check-agents-md.sh

Additional v0.4.2 release verification:

• grep -R "MR-|Linear|linear|INT-" docs/releases returned no matches after cleanup.
• OMNIGRAPH_UPDATE_OPENAPI=1 cargo test -p omnigraph-server --test openapi passed.
• cargo test -p omnigraph-engine --features failpoints --test failpoints inline_delete_conflict_writes_sidecar_before_rejecting passed.
• cargo test -p omnigraph-server --test server change_conflict_returns_manifest_conflict_409 passed.

Devin Review docs-finding verification:

• scripts/check-agents-md.sh passed.
• cargo check -p omnigraph-server --all-targets passed.
• git diff --check passed.

Full-scope release-note and AGENTS follow-up:

• Expanded docs/releases/v0.4.2.md to cover the earlier queue/admission/branch-race/deadlock work as well as the later correctness fixes and release prep.
• Added a short AGENTS.md rule to keep the always-loaded guide concise for context-window reasons.
• grep -R "MR-|Linear|linear|INT-" docs/releases passed.
• scripts/check-agents-md.sh passed.
• git diff --check passed.

cargo test -p omnigraph-server --test server was rerun after one transient matrix-cell sentinel 409 and passed on retry; cargo test --workspace --tests --no-fail-fast also passed the full server test suite. OMNIGRAPH_S3_TEST_BUCKET was unset in this session, so the optional S3 test was not run.

Link to Devin session: https://app.devin.ai/sessions/eeb5028a6e554c388af5f2dc5a307db5
Requested by: @ragnorc

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f925ad1739

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Preserve strict version checks for update-backed staged merges

stage_all now maps every PendingMode::Merge table to MutationOpKind::Merge, which disables the strict pre-stage version check. Update mutations are accumulated as PendingMode::Merge (see execute_update), so an update can be planned on an older snapshot and then reopened/staged against a newer table head without a 409. In concurrent same-branch writes (especially cross-process), this can silently overwrite newer values instead of surfacing a manifest conflict.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Reject stale target heads before applying branch-merge rewrites

This rewrite path now opens target tables with MutationOpKind::Merge, which skips ensure_expected_version. Because branch-merge publishes via commit_manifest_updates (no per-table expected-version fence), a concurrent external write that advances the target table between merge planning and this open can be merged over silently instead of failing fast. That turns a detectable stale-target race into non-deterministic merge results.

Useful? React with 👍 / 👎.

[cubic-dev-ai]

cubic analysis

5 issues found across 29 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="crates/omnigraph-server/tests/server.rs">

<violation number="1" location="crates/omnigraph-server/tests/server.rs:2194">
P2: Custom agent: **Flag AI Slop and Fabricated Changes**

Regression test claims to assert final row count, but only checks HTTP status codes and never verifies the inserts actually landed.</violation>
</file>

<file name="crates/omnigraph-server/src/api.rs">

<violation number="1" location="crates/omnigraph-server/src/api.rs:343">
P2: The doc comment promises a `Retry-After` header that is never actually set in the HTTP response. According to linked Linear issue MR-686, the 429 response should include `Retry-After` so clients can implement proper backoff. Currently the `IntoResponse` impl only emits `(StatusCode, Json(ErrorOutput))` with no extra headers.</violation>
</file>

<file name="docs/server.md">

<violation number="1" location="docs/server.md:58">
P2: The file's existing "Not implemented" section still states "Rate limiting — none" (line 102), which contradicts this new admission-control section that documents 429 responses for per-actor concurrency caps. Update or remove that bullet to avoid confusing readers (the project's maintenance contract in AGENTS.md requires marking stale text).</violation>
</file>

<file name="crates/omnigraph/src/db/omnigraph/schema_apply.rs">

<violation number="1" location="crates/omnigraph/src/db/omnigraph/schema_apply.rs:446">
P2: TOCTOU: `db.version().await` is called twice — once for the condition check and once inside the error format string. Under interior mutability, a concurrent writer could advance the version between the two calls, producing a misleading error message. Store the first result in a local variable.</violation>
</file>

<file name="crates/omnigraph/src/db/omnigraph.rs">

<violation number="1" location="crates/omnigraph/src/db/omnigraph.rs:360">
P1: Swapping the shared coordinator and restoring it in separate lock acquisitions is racy under concurrent `&self` callers. Another branch operation can interleave between those steps, run against the wrong branch coordinator, and then have its coordinator state overwritten by the later restore.</violation>
</file>

Linked issue analysis

Linked issue: MR-686: Replace global server RwLock with per-table writer queues and per-actor concurrency caps

Status	Acceptance criteria	Notes
✅	Replace global Arc> with engine: Arc + WorkloadController in AppState	AppState changed to engine + workload fields
✅	Implement WorkloadController with per-actor in-flight count and byte budget; return 429/503 and env vars	New workload module and API error codes added
✅	Remove db.read_owned()/write_owned() callsites and adjust handlers to use engine APIs and workload.try_admit after authorize_request	Lib and callsites refactored to use &Omnigraph and workload
✅	Implement WriteQueueManager with per-(table_key,branch) mutex and acquire_many sorting/dedup; include unit tests	New write_queue module added with mutex per key and tests
✅	Convert Omnigraph write APIs from &mut self to &self and use interior mutability (ArcSwap, tokio::RwLock for coordinator)	Omnigraph refactored to interior mutability and &self APIs
⚠️	Remove audit_actor_id field and pass audit actor id per-call (kill swap-and-restore pattern)	Refs to audit_actor_id removal implied but not explicit in diffs shown
✅	Add MutationOpKind enum and op-kind-aware pre-stage version checks (Insert/Merge skip strict check)	MutationOpKind added and threaded through mutation call sites
⚠️	Split staged writes into two-phase: write_fragments (no manifest) then commit under per-table queue (staging API changes)	Staging refactor present but full table_store two-phase split not visible
⚠️	Refactor loader to write fragments in parallel, then do a single cross-table commit via ManifestBatchPublisher	Loader adjusted for &self and staging but cross-table commit wiring unclear
✅	Schema-apply lock still serializes schema applies (existing test preserved)	apply_schema still acquires schema-apply lock and code preserved
✅	Manifest conflicts still surface as existing manifest_conflict (HTTP 409) and remain retryable	Conflict sentinel preserved and docs note preservation
❌	Integration test: two /change requests targeting different (table_key, branch) execute concurrently end-to-end (integration test)	No HTTP integration test found proving disjoint `/change` concurrency
⚠️	A misbehaving actor exceeding its concurrency cap receives 429; other actors are unaffected (test)	Workload unit tests likely exist, but no HTTP-level 429 integration sentinel present
✅	Bench: single-table append throughput is no worse than today; cross-table append throughput scales with cores (bench harness & results)	Bench harness added and PR includes bench comparison results
❌	After the two-phase split: time holding any per-(table,branch) queue lock is <50ms p99 under 16-actor ingest	No p99 queue-hold measurement or test shown in diffs
✅	OpenAPI and docs updated for 429/503 error codes and server/invariants/architecture docs updated	OpenAPI and docs updated with new error codes and docs sections
⚠️	Cedar policy enforcement runs before the queue lookup so denials short-circuit admission	PR notes enforce-before-admission but explicit wiring not visible in diffs shown
⚠️	Per-table queue acquisition wired into branch_merge, apply_schema_with_lock, ensure_indices (prepare for recovery MR-870)	MutationStaging.commit_all acquires queues, but other wiring partial/unclear

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.}

[cubic-dev-ai]

P2: The doc comment promises a Retry-After header that is never actually set in the HTTP response. According to linked Linear issue MR-686, the 429 response should include Retry-After so clients can implement proper backoff. Currently the IntoResponse impl only emits (StatusCode, Json(ErrorOutput)) with no extra headers.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At crates/omnigraph-server/src/api.rs, line 343:

<comment>The doc comment promises a `Retry-After` header that is never actually set in the HTTP response. According to linked Linear issue MR-686, the 429 response should include `Retry-After` so clients can implement proper backoff. Currently the `IntoResponse` impl only emits `(StatusCode, Json(ErrorOutput))` with no extra headers.</comment>

<file context>
@@ -339,6 +339,12 @@ pub enum ErrorCode {
     NotFound,
     Conflict,
+    /// 429 Too Many Requests — per-actor admission cap exceeded.
+    /// Clients should respect the `Retry-After` header.
+    TooManyRequests,
+    /// 503 Service Unavailable — global rewrite pool exhausted
</file context>

[cursor]

Byte budget check uses saturating_add masking overflow

Low Severity

The byte budget gate uses prior.saturating_add(est_bytes) to compute attempted, but the underlying AtomicU64::fetch_add wraps on overflow rather than saturating. If the counter is near u64::MAX (e.g., due to a bug or extreme load), fetch_add wraps to a small value while saturating_add produces u64::MAX. The cap check passes on the wrapped value, but the actual counter and the checked value diverge, potentially allowing admission when the real budget is exceeded, or preventing the rollback fetch_sub from restoring the correct state.

 

^{Reviewed by Cursor Bugbot for commit 8bd9a5f. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

There are 3 total unresolved issues (including 1 from previous review).

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit f9a0f31. Configure here.}

[cursor]

Unused try_admit_rewrite not wired into any handler

Low Severity

WorkloadController::try_admit_rewrite is exported as pub and tested, but never called from any HTTP handler. The PR description claims a "Global rewrite semaphore for compaction/index-build paths" but the optimize and ensure_indices engine methods aren't gated by it. The 503 ServiceUnavailable error variant and RejectReason::GlobalRewriteExhausted are dead code in production — only exercised by unit tests.

 

^{Reviewed by Cursor Bugbot for commit f9a0f31. Configure here.}

[cursor]

new_with_workload hardcodes policy_engine to None

Low Severity

AppState::new_with_workload always sets policy_engine: None, unlike AppState::new which accepts an Option<PolicyEngine> parameter. This makes the constructor unsuitable for any use case that needs both custom workload configuration and Cedar policy enforcement. A future caller reusing this constructor in a production context would silently lose authorization checks.

 

^{Reviewed by Cursor Bugbot for commit f9a0f31. Configure here.}

[ragnorc]

PR description refreshed for the current branch state.

Status as of the current HEAD:

• GitHub checks are green: AGENTS link check, workspace tests, server AWS-feature tests, RustFS S3 integration, and cubic.
• Older automated-review findings from cubic / Cursor around coordinator swap-restore, Retry-After, stale server docs, schema-apply TOCTOU, actor-isolation bench setup, and OpenAPI 429 coverage were addressed by later commits.
• The description now explicitly separates this PR from the two main follow-ups:
  • normal mutation deletes can still advance Lance HEAD before a recovery sidecar exists.
  • disjoint-table / cross-branch throughput is still capped by graph-wide publisher serialization.
• The description no longer claims global rewrite 503s are wired into the current admission-gated endpoint behavior. The WorkloadController primitive exists, but route-level rewrite admission is not this PR's delivered endpoint behavior.

Still worth an explicit reviewer decision before merge:

• Codex left two P1 comments on op-kind policy. The normal update path appears guarded by MutationStaging::op_kinds plus commit_all strict revalidation under the queue; the branch-merge stale-target case deserves a closer pass or a targeted follow-up before treating the PR as ready.
• Cursor still has low-severity notes around byte-budget overflow behavior, new_with_workload policy handling, and unused rewrite-admission plumbing. These are not hidden in the updated PR body.

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.

[cubic-dev-ai]

3 issues found across 9 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="crates/omnigraph-server/src/workload.rs">

<violation number="1" location="crates/omnigraph-server/src/workload.rs:119">
P1: Removing rewrite-cap wiring from `WorkloadController` drops global admission control for expensive rewrite paths, which can cause cluster-wide resource saturation under concurrent rewrites.</violation>
</file>

<file name="crates/omnigraph/src/exec/merge.rs">

<violation number="1" location="crates/omnigraph/src/exec/merge.rs:1247">
P1: Post-queue merge revalidation only checks `table_version` and ignores `table_branch`, so branch-state drift can slip through and execute merge logic against stale assumptions.</violation>
</file>

<file name="crates/omnigraph/src/exec/staging.rs">

<violation number="1" location="crates/omnigraph/src/exec/staging.rs:568">
P1: The new inline-committed version-mismatch return happens before sidecar creation, so a conflict can abort after `delete_where` has already advanced HEAD and leave no recovery sidecar for that inline delete.</violation>
</file>

_{Tip: Review your code locally with the cubic CLI to iterate faster.}

Linked issue analysis

Linked issue: MR-686: Replace global server RwLock with per-table writer queues and per-actor concurrency caps

Status	Acceptance criteria	Notes
✅	Two `/change` requests targeting different `(table_key, branch)` pairs execute concurrently end-to-end, demonstrated by an integration test.	Added server-level integration test for disjoint /change concurrency
✅	A misbehaving actor exceeding its concurrency cap receives 429; other actors are unaffected.	WorkloadController implemented and 429 mapped in API/OpenAPI
✅	The schema-apply lock still serializes schema applies (existing test must still pass).	Schema-apply lock still acquired and lock branch constant preserved
✅	Manifest conflicts (concurrent same-(table,branch) writes that race past the queue) still surface as the existing `manifest_conflict` error and are retryable by the client.	Manifest-conflict test retained and docs describe 409 behavior
⚠️	Bench: single-table append throughput is no worse than today; cross-table append throughput scales with cores.	Benchmark examples added but no measured results or comparisons provided
❌	After the two-phase split: time spent holding any per-(table, branch) queue lock is < 50ms p99 under a 16-actor concurrent ingest load.	No p99 measurements or clear two-phase split instrumentation/results included

[cubic-dev-ai]

P1: Removing rewrite-cap wiring from WorkloadController drops global admission control for expensive rewrite paths, which can cause cluster-wide resource saturation under concurrent rewrites.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At crates/omnigraph-server/src/workload.rs, line 119:

<comment>Removing rewrite-cap wiring from `WorkloadController` drops global admission control for expensive rewrite paths, which can cause cluster-wide resource saturation under concurrent rewrites.</comment>

<file context>
@@ -126,19 +112,15 @@ pub struct WorkloadController {
 impl WorkloadController {
     /// Construct from explicit caps. Tests can override.
-    pub fn new(inflight_cap: u32, byte_cap: u64, global_rewrite_cap: u32) -> Self {
+    pub fn new(inflight_cap: u32, byte_cap: u64) -> Self {
         Self {
             per_actor: DashMap::new(),
</file context>

_{Tip: Review your code locally with the cubic CLI to iterate faster.}

[cubic-dev-ai]

P1: Post-queue merge revalidation only checks table_version and ignores table_branch, so branch-state drift can slip through and execute merge logic against stale assumptions.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At crates/omnigraph/src/exec/merge.rs, line 1247:

<comment>Post-queue merge revalidation only checks `table_version` and ignores `table_branch`, so branch-state drift can slip through and execute merge logic against stale assumptions.</comment>

<file context>
@@ -1233,6 +1233,30 @@ impl Omnigraph {
+            ) {
+                continue;
+            }
+            let expected = target_snapshot.entry(table_key).map(|e| e.table_version);
+            let current = post_queue_snapshot
+                .entry(table_key)
</file context>

[cubic-dev-ai]

You're iterating quickly on this pull request. To help protect your rate limits, cubic has paused automatic reviews on new pushes for now—when you're ready for another review, comment @cubic-dev-ai review.

[ragnorc]

@cubic-dev-ai review

[cubic-dev-ai]

@cubic-dev-ai review

@ragnorc I have started the AI code review. It will take a few minutes to complete.

[ragnorc]

@cubic-dev-ai review

[cubic-dev-ai]

@cubic-dev-ai review

@ragnorc I have started the AI code review. It will take a few minutes to complete.

[ragnorc]

@cubic-dev-ai review

[cubic-dev-ai]

@cubic-dev-ai review

@ragnorc I have started the AI code review. It will take a few minutes to complete.

[cubic-dev-ai]

cubic analysis

12 issues found across 38 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="crates/omnigraph/src/db/omnigraph/schema_apply.rs">

<violation number="1" location="crates/omnigraph/src/db/omnigraph/schema_apply.rs:480">
P2: Schema apply drops authenticated actor attribution by hardcoding `None` for commit/sidecar actor fields.

According to linked Linear issue MR-686, actor identity should be propagated into engine writes; this path loses that attribution.</violation>
</file>

<file name="crates/omnigraph-server/examples/bench_actor_isolation.rs">

<violation number="1" location="crates/omnigraph-server/examples/bench_actor_isolation.rs:249">
P3: `--heavy-batches=0` is currently blocked, but the following error text explicitly tells users to use it to disable heavy traffic.</violation>
</file>

<file name="docs/releases/v0.4.2.md">

<violation number="1" location="docs/releases/v0.4.2.md:26">
P1: According to linked Linear issue MR-686, per-actor admission must cover in-flight queries, but this change documents that read-only endpoints are not admission-gated. That indicates the ticket’s query-admission requirement is not implemented (or the release notes are incorrect), leaving noisy read workloads unthrottled.</violation>
</file>

<file name="docs/architecture.md">

<violation number="1" location="docs/architecture.md:278">
P3: The new server flow diagram implies every HTTP request is admission-gated, but admission is only applied to mutating handlers. This can mislead readers about read-path behavior.</violation>
</file>

<file name="crates/omnigraph/src/db/write_queue.rs">

<violation number="1" location="crates/omnigraph/src/db/write_queue.rs:166">
P2: This test does not validate sorted acquisition order; it will pass even if `acquire_many` stops sorting keys. That leaves a critical deadlock-prevention contract effectively untested.</violation>
</file>

<file name="crates/omnigraph-server/examples/bench_concurrent_http.rs">

<violation number="1" location="crates/omnigraph-server/examples/bench_concurrent_http.rs:106">
P2: According to linked Linear issue MR-686, disjoint-key concurrency must be validated, but `disjoint` mode can silently collide actors onto the same table when `actors > tables`, producing misleading results.</violation>
</file>

<file name="crates/omnigraph/tests/failpoints.rs">

<violation number="1" location="crates/omnigraph/tests/failpoints.rs:354">
P2: This assertion is too weak to prove the delete advanced HEAD; the concurrent update already guarantees `person_head > pre_person_pin`.</violation>
</file>

<file name="crates/omnigraph-server/src/lib.rs">

<violation number="1" location="crates/omnigraph-server/src/lib.rs:745">
P2: According to linked Linear issue MR-686, per-actor admission should cap in-flight queries, but `/read` and `/export` still run without `workload.try_admit`, so heavy actors can bypass admission and continue starving shared resources.</violation>
</file>

<file name="crates/omnigraph-server/tests/server.rs">

<violation number="1" location="crates/omnigraph-server/tests/server.rs:2210">
P2: This test expects all updates to race from the same starting version, but the tasks are not synchronized before sending `/change`. That makes the `ok_count == 1` assertion timing-dependent and flaky.</violation>

<violation number="2" location="crates/omnigraph-server/tests/server.rs:3211">
P2: According to linked Linear issue MR-686, this should demonstrate disjoint writes executing concurrently, but the test only asserts 200 responses and final row counts. It can pass even if writes are serialized, so it will miss regressions back to global write-lock behavior.</violation>
</file>

<file name="crates/omnigraph/src/db/omnigraph/table_ops.rs">

<violation number="1" location="crates/omnigraph/src/db/omnigraph/table_ops.rs:164">
P1: ensure_indices can write to tables that were never queued if they become non-empty after precheck, which breaks per-(table,branch) serialization and recovery coverage under concurrency (MR-686).</violation>
</file>

<file name="docs/invariants.md">

<violation number="1" location="docs/invariants.md:108">
P2: This status text overstates current concurrency safety: delete-only mutations still advance Lance HEAD via inline `delete_where` before queue ownership, so queue+revalidation does not yet fully prevent all same-key concurrent interleavings.</violation>
</file>

Linked issue analysis

Linked issue: MR-686: Replace global server RwLock with per-table writer queues and per-actor concurrency caps

Status	Acceptance criteria	Notes
✅	Two `/change` requests targeting different `(table_key, branch)` pairs execute concurrently end-to-end, demonstrated by an integration test.	Added server-level integration test for disjoint /change concurrency
✅	A misbehaving actor exceeding its concurrency cap receives 429; other actors are unaffected.	WorkloadController implemented and 429 mapped in API/OpenAPI
✅	The schema-apply lock still serializes schema applies (existing test must still pass).	Schema-apply lock still acquired and lock branch constant preserved
✅	Manifest conflicts (concurrent same-(table,branch) writes that race past the queue) still surface as the existing `manifest_conflict` error and are retryable by the client.	Manifest-conflict test retained and docs describe 409 behavior
⚠️	Bench: single-table append throughput is no worse than today; cross-table append throughput scales with cores.	Benchmark examples added but no measured results or comparisons provided
❌	After the two-phase split: time spent holding any per-(table, branch) queue lock is < 50ms p99 under a 16-actor concurrent ingest load.	No p99 measurements or clear two-phase split instrumentation/results included

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P1: According to linked Linear issue MR-686, per-actor admission must cover in-flight queries, but this change documents that read-only endpoints are not admission-gated. That indicates the ticket’s query-admission requirement is not implemented (or the release notes are incorrect), leaving noisy read workloads unthrottled.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At docs/releases/v0.4.2.md, line 26:

<comment>According to linked Linear issue MR-686, per-actor admission must cover in-flight queries, but this change documents that read-only endpoints are not admission-gated. That indicates the ticket’s query-admission requirement is not implemented (or the release notes are incorrect), leaving noisy read workloads unthrottled.</comment>

<file context>
@@ -0,0 +1,115 @@
+  actors.
+- **Admission coverage for all mutating handlers**: `/change`, `/ingest`,
+  `/schema/apply`, branch create/delete, and branch merge now flow through the
+  admission controller. Read-only endpoints are not admission-gated.
+- **Op-kind-aware version checks**: mutation commit-time drift checks distinguish
+  append-like inserts from strict update/delete work. Inserts remain permissive
</file context>

[cubic-dev-ai]

P1: ensure_indices can write to tables that were never queued if they become non-empty after precheck, which breaks per-(table,branch) serialization and recovery coverage under concurrency (MR-686).

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At crates/omnigraph/src/db/omnigraph/table_ops.rs, line 164:

<comment>ensure_indices can write to tables that were never queued if they become non-empty after precheck, which breaks per-(table,branch) serialization and recovery coverage under concurrency (MR-686).</comment>

<file context>
@@ -147,13 +154,28 @@ pub(super) async fn ensure_indices_for_branch(
+    // multi-table writers (mutation finalize, branch_merge, future
+    // MR-870 recovery). Under PR 1b's intermediate state (global server
+    // RwLock still in place), this acquisition is uncontended.
+    let queue_keys: Vec<(String, Option<String>)> = recovery_pins
+        .iter()
+        .map(|pin| (pin.table_key.clone(), pin.table_branch.clone()))
</file context>

[cubic-dev-ai]

P2: Schema apply drops authenticated actor attribution by hardcoding None for commit/sidecar actor fields.

According to linked Linear issue MR-686, actor identity should be propagated into engine writes; this path loses that attribution.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At crates/omnigraph/src/db/omnigraph/schema_apply.rs, line 480:

<comment>Schema apply drops authenticated actor attribution by hardcoding `None` for commit/sidecar actor fields.

According to linked Linear issue MR-686, actor identity should be propagated into engine writes; this path loses that attribution.</comment>

<file context>
@@ -444,13 +469,15 @@ pub(super) async fn apply_schema_with_lock(
-        .commit_changes_with_actor(&manifest_changes, actor_id.as_deref())
+        .write()
+        .await
+        .commit_changes_with_actor(&manifest_changes, None)
         .await?;
 
</file context>

[cubic-dev-ai]

P2: This test does not validate sorted acquisition order; it will pass even if acquire_many stops sorting keys. That leaves a critical deadlock-prevention contract effectively untested.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At crates/omnigraph/src/db/write_queue.rs, line 166:

<comment>This test does not validate sorted acquisition order; it will pass even if `acquire_many` stops sorting keys. That leaves a critical deadlock-prevention contract effectively untested.</comment>

<file context>
@@ -0,0 +1,231 @@
+        let qm2 = Arc::clone(&qm);
+        let z_clone = z.clone();
+        let a_clone = a.clone();
+        let result = timeout(Duration::from_millis(200), async move {
+            qm2.acquire_many(&[z_clone, a_clone]).await
+        })
</file context>

[cubic-dev-ai]

P2: According to linked Linear issue MR-686, disjoint-key concurrency must be validated, but disjoint mode can silently collide actors onto the same table when actors > tables, producing misleading results.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At crates/omnigraph-server/examples/bench_concurrent_http.rs, line 106:

<comment>According to linked Linear issue MR-686, disjoint-key concurrency must be validated, but `disjoint` mode can silently collide actors onto the same table when `actors > tables`, producing misleading results.</comment>

<file context>
@@ -0,0 +1,267 @@
+
+fn pick_table(actor_idx: usize, op_idx: usize, mode: Mode, num_tables: usize) -> usize {
+    match mode {
+        Mode::Disjoint => actor_idx % num_tables,
+        Mode::SameKey => 0,
+        Mode::Mixed => (actor_idx.wrapping_mul(7919) ^ op_idx) % num_tables,
</file context>

[cubic-dev-ai]

P2: This test expects all updates to race from the same starting version, but the tasks are not synchronized before sending /change. That makes the ok_count == 1 assertion timing-dependent and flaky.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At crates/omnigraph-server/tests/server.rs, line 2210:

<comment>This test expects all updates to race from the same starting version, but the tasks are not synchronized before sending `/change`. That makes the `ok_count == 1` assertion timing-dependent and flaky.</comment>

<file context>
@@ -2177,6 +2178,1287 @@ async fn change_conflict_returns_manifest_conflict_409() {
+    const SEED_PERSON_ROWS: u64 = 4;
+    const N: usize = 12;
+
+    let mut handles = Vec::with_capacity(N);
+    for i in 0..N {
+        let app = app.clone();
</file context>

[cubic-dev-ai]

P2: According to linked Linear issue MR-686, this should demonstrate disjoint writes executing concurrently, but the test only asserts 200 responses and final row counts. It can pass even if writes are serialized, so it will miss regressions back to global write-lock behavior.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At crates/omnigraph-server/tests/server.rs, line 3211:

<comment>According to linked Linear issue MR-686, this should demonstrate disjoint writes executing concurrently, but the test only asserts 200 responses and final row counts. It can pass even if writes are serialized, so it will miss regressions back to global write-lock behavior.</comment>

<file context>
@@ -2177,6 +2178,1287 @@ async fn change_conflict_returns_manifest_conflict_409() {
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 4)]
+async fn change_disjoint_table_concurrency_succeeds_at_http_level() {
+    // HTTP-level pin for MR-686's disjoint-table promise: concurrent /change
+    // requests touching different node types must coexist without admission
</file context>

[cubic-dev-ai]

P2: This status text overstates current concurrency safety: delete-only mutations still advance Lance HEAD via inline delete_where before queue ownership, so queue+revalidation does not yet fully prevent all same-key concurrent interleavings.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At docs/invariants.md, line 108:

<comment>This status text overstates current concurrency safety: delete-only mutations still advance Lance HEAD via inline `delete_where` before queue ownership, so queue+revalidation does not yet fully prevent all same-key concurrent interleavings.</comment>

<file context>
@@ -105,7 +105,7 @@ These are user-visible commitments. They state what the engine guarantees and wh
 
 23. **Atomicity is per-query.** Every `.gq` query is atomic — multi-statement mutations are all-or-nothing via the substrate's atomic-commit primitive. No cross-query `BEGIN`/`COMMIT`; branches and merges fill that role for agent workflows.
-    *Status: upheld at the writer-trait surface, across process boundaries, AND in-process for the common case — the sealed `TableStorage` trait routes inserts / updates / scalar-index builds / merge_insert / overwrite through `stage_*` + `commit_staged` (Phase A is drift-free); the open-time recovery sweep in `db/manifest/recovery.rs` (sidecars at `__recovery/{ulid}.json` written by `MutationStaging::finalize`, `schema_apply`, `branch_merge`, `ensure_indices`) closes the per-table commit_staged → manifest publish residual on the next `Omnigraph::open`; and `Omnigraph::refresh` runs roll-forward-only recovery in-process so long-running servers close the common case (mutation/load finalize → publisher failure) without restart. The "Lance HEAD ahead of `__manifest`" drift class is unreachable for op-execution failures, recoverable across process boundaries for all writer kinds, and recoverable in-process for roll-forward-eligible sidecars. Sidecars that would require `Dataset::restore` are deferred to the next ReadWrite open (restore unsafe under concurrency); continuous in-process recovery for that case requires per-(table, branch) writer-queue acquisition and is the goal of a future background reconciler. Two writer paths still inline-commit pending upstream Lance work: `delete_where` (lance-format/lance#6658) and `create_vector_index` (lance-format/lance#6666).*
+    *Status: upheld at the writer-trait surface, across process boundaries, AND in-process for the common case under concurrent writers (PR 2 / MR-686) — the sealed `TableStorage` trait routes inserts / updates / scalar-index builds / merge_insert / overwrite through `stage_*` + `commit_staged` (Phase A is drift-free); the open-time recovery sweep in `db/manifest/recovery.rs` (sidecars at `__recovery/{ulid}.json` written by `MutationStaging::finalize`, `schema_apply`, `branch_merge`, `ensure_indices`) closes the per-table commit_staged → manifest publish residual on the next `Omnigraph::open`; `Omnigraph::refresh` runs roll-forward-only recovery in-process so long-running servers close the common case without restart; and the per-(table, branch) writer-queue (`db/write_queue.rs`) + revalidation under the queue (`MutationStaging::commit_all`) prevents concurrent writers on the same key from corrupting each other once the HTTP server's global `RwLock<Omnigraph>` is removed (PR 2 Step F). The "Lance HEAD ahead of `__manifest`" drift class is unreachable for op-execution failures, recoverable across process boundaries for all writer kinds, and recoverable in-process for roll-forward-eligible sidecars. Sidecars that would require `Dataset::restore` are deferred to the next ReadWrite open (restore unsafe under concurrency); continuous in-process rollback recovery is the goal of a future background reconciler (MR-870). Two writer paths still inline-commit pending upstream Lance work: `delete_where` (lance-format/lance#6658) and `create_vector_index` (lance-format/lance#6666).*
 
 24. **Schema integrity is strict at commit.** Type validation, required-field presence (auto-filled from `@default` if declared), uniqueness across batches and versions, and referential integrity — all enforced before commit succeeds. Per-write softening flags are opt-in, never default.
</file context>

Suggested change

*Status: upheld at the writer-trait surface, across process boundaries, AND in-process for the common case under concurrent writers (PR 2 / MR-686) — the sealed `TableStorage` trait routes inserts / updates / scalar-index builds / merge_insert / overwrite through `stage_*` + `commit_staged` (Phase A is drift-free); the open-time recovery sweep in `db/manifest/recovery.rs` (sidecars at `__recovery/{ulid}.json` written by `MutationStaging::finalize`, `schema_apply`, `branch_merge`, `ensure_indices`) closes the per-table commit_staged → manifest publish residual on the next `Omnigraph::open`; `Omnigraph::refresh` runs roll-forward-only recovery in-process so long-running servers close the common case without restart; and the per-(table, branch) writer-queue (`db/write_queue.rs`) + revalidation under the queue (`MutationStaging::commit_all`) prevents concurrent writers on the same key from corrupting each other once the HTTP server's global `RwLock<Omnigraph>` is removed (PR 2 Step F). The "Lance HEAD ahead of `__manifest`" drift class is unreachable for op-execution failures, recoverable across process boundaries for all writer kinds, and recoverable in-process for roll-forward-eligible sidecars. Sidecars that would require `Dataset::restore` are deferred to the next ReadWrite open (restore unsafe under concurrency); continuous in-process rollback recovery is the goal of a future background reconciler (MR-870). Two writer paths still inline-commit pending upstream Lance work: `delete_where` (lance-format/lance#6658) and `create_vector_index` (lance-format/lance#6666).*

*Status: upheld at the writer-trait surface, across process boundaries, AND in-process for the common case under concurrent writers (PR 2 / MR-686) — the sealed `TableStorage` trait routes inserts / updates / scalar-index builds / merge_insert / overwrite through `stage_*` + `commit_staged` (Phase A is drift-free); the open-time recovery sweep in `db/manifest/recovery.rs` (sidecars at `__recovery/{ulid}.json` written by `MutationStaging::finalize`, `schema_apply`, `branch_merge`, `ensure_indices`) closes the per-table commit_staged → manifest publish residual on the next `Omnigraph::open`; `Omnigraph::refresh` runs roll-forward-only recovery in-process so long-running servers close the common case without restart; and the per-(table, branch) writer-queue (`db/write_queue.rs`) + revalidation under the queue (`MutationStaging::commit_all`) protects staged-write same-key concurrency once the HTTP server's global `RwLock<Omnigraph>` is removed (PR 2 Step F). Delete-only paths still inline-commit via `delete_where` before queue ownership and remain a tracked residual until staged delete support lands. The "Lance HEAD ahead of `__manifest`" drift class is unreachable for op-execution failures, recoverable across process boundaries for all writer kinds, and recoverable in-process for roll-forward-eligible sidecars. Sidecars that would require `Dataset::restore` are deferred to the next ReadWrite open (restore unsafe under concurrency); continuous in-process rollback recovery is the goal of a future background reconciler (MR-870). Two writer paths still inline-commit pending upstream Lance work: `delete_where` (lance-format/lance#6658) and `create_vector_index` (lance-format/lance#6666).*

[cubic-dev-ai]

P3: --heavy-batches=0 is currently blocked, but the following error text explicitly tells users to use it to disable heavy traffic.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At crates/omnigraph-server/examples/bench_actor_isolation.rs, line 249:

<comment>`--heavy-batches=0` is currently blocked, but the following error text explicitly tells users to use it to disable heavy traffic.</comment>

<file context>
@@ -0,0 +1,392 @@
+#[tokio::main]
+async fn main() {
+    let args = Args::parse();
+    if args.light_actors == 0 || args.light_ops_per_actor == 0 || args.heavy_batches == 0 {
+        eprintln!("--light-actors, --light-ops-per-actor, --heavy-batches must all be > 0");
+        std::process::exit(2);
</file context>

[cubic-dev-ai]

P3: The new server flow diagram implies every HTTP request is admission-gated, but admission is only applied to mutating handlers. This can mislead readers about read-path behavior.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At docs/architecture.md, line 278:

<comment>The new server flow diagram implies every HTTP request is admission-gated, but admission is only applied to mutating handlers. This can mislead readers about read-path behavior.</comment>

<file context>
@@ -270,13 +270,16 @@ flowchart LR
 
     cli -.-> eng
-    srv_in --> auth --> pol --> eng
+    srv_in --> auth --> pol --> wl --> eng
+    eng --> wq

</file context>

</details>

```suggestion
    srv_in --> auth --> pol
    pol -->|mutating| wl --> eng
    pol -->|read-only| eng