golangLAKEHOUSE

profit/golangLAKEHOUSE

Fork 0

Commit Graph

Author	SHA1	Message	Date
root	125e1c80b9	tests: close R-002 / R-003 / R-008 — internal/shared, storeclient, queryd/db.go Audit-driven follow-up to the Rust scrum review on the 3 untested HIGH-risk packages. Both the audit (reports/scrum/risk-register.md) and the scrum (tests/real-world/runs/scrum_mojxb5bw/) independently flagged these files as the highest-leverage missing test coverage. internal/shared/server_test.go — 8 test funcs newListener: valid addr, invalid addr (non-numeric port, port out of range, port-already-in-use surfacing as net.OpError). Empty-addr-is-valid: documents the net.Listen quirk that "" binds an OS-picked port — future readers don't need to relitigate. HealthResponse marshal: JSON shape stable, round-trip clean. /health handler reconstructed via httptest.Server: status 200, Content-Type application/json, body fields stable. RegisterRoutes callback: contract verified (callback is invoked with a real chi.Router, mounted route reachable end-to-end). Run bind-failure surface: synchronous error, not a goroutine swallow — the contract Run depends on per the race-safe-startup comment. internal/shared/config_test.go — 6 test funcs DefaultConfig G0 port pinning: every binary's default bind locked in (3110/3211-3216) so a refactor can't silently flip a port. LoadConfig empty path: returns DefaultConfig, no error. LoadConfig missing file: returns DefaultConfig, logs warn (the warn line shows up in test output, captured-but-not-asserted). LoadConfig valid TOML: partial overrides land, unspecified sections keep defaults (TOML decoder leave-alone behavior). LoadConfig invalid TOML: returns wrapped 'parse config' error. LoadConfig unreadable file: skipped under root (root reads 0000); captures the read-error wrap path for non-root contexts. internal/storeclient/client_test.go — 14 test funcs safeKey table-driven: plain segments, single slash, empty, trailing slash, space (→ %20), apostrophe (→ %27), unicode (→ %C3%A9), deep nesting. Locks URL-escape contract per scrum suggestion. recordingServer helper backs Put/Get/Delete/List against httptest.Server: verifies method, path, body bytes round-trip. ErrKeyNotFound on 404 (errors.Is round-trip). Non-OK status wraps body preview into the error chain. Delete accepts both 200 and 204 (S3 vs compatible-store quirk). List parses JSON shape and surfaces query-string prefix. Context cancellation propagates through Put as context.Canceled. internal/queryd/db_test.go — 5 test funcs (with subtests) sqlEscape table-driven: 8 cases including empty, all-quotes, nested apostrophes (the case from the scrum suggestion). redactCreds table-driven: 6 cases — both keys, single keys, empty, multi-occurrence, placeholder-collision (lossy but safe). buildBootstrap statement order: INSTALL → LOAD → CREATE SECRET. buildBootstrap endpoint schemes: http strips + USE_SSL false, https keeps SSL true, no-scheme defaults SSL true (prod ambient). buildBootstrap URL_STYLE: 'path' vs 'vhost' branch. buildBootstrap escapes credential quotes: future SSO-token-with- apostrophe doesn't break out of the SQL string literal — the belt holds when the suspenders snap. Real finding caught by my own test: net.Listen("tcp", "") succeeds (OS-picked port) — captured as TestNewListener_EmptyAddrIsValid so the quirk is documented. Verified: go test -short ./... — every internal/ package now has tests (no more 'no test files' lines for shared/storeclient). just verify — vet + test + 9 smokes green in 33s. just proof contract — 53/0/1 green (no harness regression). Closes: R-002 internal/shared zero tests HIGH R-003 internal/storeclient zero tests HIGH R-008 queryd/db.go untested MED (sqlEscape, redactCreds, CREATE SECRET formation) Composite scrum score should move from 43 → ~46 / 60 — the three HIGH/MED risks closed, internal/shared and internal/storeclient become "tested + load-bearing" instead of "untested + load-bearing." Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-29 05:51:05 -05:00
root	9e9e4c26a4	G0 D5: queryd DuckDB SELECT over Parquet via httpfs · 4 scrum fixes Phase G0 Day 5 ships queryd: in-memory DuckDB with custom Connector that runs INSTALL httpfs / LOAD httpfs / CREATE OR REPLACE SECRET (TYPE S3) on every new connection, sourced from SecretsProvider + shared.S3Config. SetMaxOpenConns(1) so registrar's CREATE VIEWs and handler's SELECTs serialize through one connection (avoids cross- connection MVCC visibility edge cases). Registrar.Refresh reads catalogd /catalog/list, runs CREATE OR REPLACE VIEW "name" AS SELECT * FROM read_parquet('s3://bucket/key') per manifest, drops views for removed manifests, skips on unchanged updated_at (the implicit etag). Drop pass runs BEFORE create pass so a poison manifest can't block other manifest refreshes (post-scrum C1 fix). POST /sql with JSON body {"sql":"…"} returns {"columns":[{"name":"id","type":"BIGINT"},…], "rows":[[…]], "row_count":N}. []byte → string conversion so VARCHAR rows JSON-encode as text. 30s default refresh ticker, configurable via [queryd].refresh_every. Cross-lineage scrum on shipped code: - Opus 4.7 (opencode): 1 BLOCK + 4 WARN + 4 INFO - Kimi K2-0905 (openrouter): 2 BLOCK + 2 WARN + 1 INFO - Qwen3-coder (openrouter): 2 BLOCK + 1 WARN + 1 INFO Fixed (4): C1 (Opus + Kimi convergent): Refresh aborts on first per-view error → drop pass first, collect errors, errors.Join. Poison manifest no longer blocks the rest of the catalog from re-syncing. B-CTX (Opus BLOCK): bootstrap closure captured OpenDB's ctx → cancelled-ctx silently fails every reconnect. context.Background() inside closure; passed ctx only for initial Ping. B-LEAK (Kimi BLOCK): firstLine(stmt) truncated CREATE SECRET to 80 chars but those 80 chars contained KEY_ID + SECRET prefix → log aggregator captures credentials. Stable per-statement labels + redactCreds() filter on wrapped DuckDB errors. JSON-ERR (Opus WARN): swallowed json.Encode error → silent truncated 200 on unsupported column types. slog.Warn the failure. Dismissed (4 false positives): Qwen BLOCK "bootstrap not transactional" — DuckDB DDL is auto-commit Qwen BLOCK "MaxBytesReader after Decode" — false, applied before Kimi BLOCK "concurrent Refresh + user SELECT deadlock" — not a deadlock, just serialization, by design with 10s timeout retry Kimi WARN "dropView leaves r.known inconsistent" — current code returns before the delete; the entry persists for retry Critical reviewer behavior: 1 convergent BLOCK between Opus + Kimi on the per-view error blocking, plus two independent single-reviewer BLOCKs (B-CTX, B-LEAK) that smoke could never have caught. The B-LEAK fix uses defense-in-depth: never pass SQL into the error path AND redact known cred values from DuckDB's own error message. DuckDB cgo path: github.com/duckdb/duckdb-go/v2 v2.10502.0 (per ADR-001 §1) on Go 1.25 + arrow-go. Smoke 6/6 PASS after every fix round. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-29 00:10:55 -05:00

Author

SHA1

Message

Date

root

125e1c80b9

tests: close R-002 / R-003 / R-008 — internal/shared, storeclient, queryd/db.go

Audit-driven follow-up to the Rust scrum review on the 3 untested
HIGH-risk packages. Both the audit (reports/scrum/risk-register.md)
and the scrum (tests/real-world/runs/scrum_mojxb5bw/) independently
flagged these files as the highest-leverage missing test coverage.

internal/shared/server_test.go — 8 test funcs
  newListener: valid addr, invalid addr (non-numeric port, port
    out of range, port-already-in-use surfacing as net.OpError).
  Empty-addr-is-valid: documents the net.Listen quirk that "" binds
    an OS-picked port — future readers don't need to relitigate.
  HealthResponse marshal: JSON shape stable, round-trip clean.
  /health handler reconstructed via httptest.Server: status 200,
    Content-Type application/json, body fields stable.
  RegisterRoutes callback: contract verified (callback is invoked
    with a real chi.Router, mounted route reachable end-to-end).
  Run bind-failure surface: synchronous error, not a goroutine swallow
    — the contract Run depends on per the race-safe-startup comment.

internal/shared/config_test.go — 6 test funcs
  DefaultConfig G0 port pinning: every binary's default bind locked
    in (3110/3211-3216) so a refactor can't silently flip a port.
  LoadConfig empty path: returns DefaultConfig, no error.
  LoadConfig missing file: returns DefaultConfig, logs warn (the warn
    line shows up in test output, captured-but-not-asserted).
  LoadConfig valid TOML: partial overrides land, unspecified sections
    keep defaults (TOML decoder leave-alone behavior).
  LoadConfig invalid TOML: returns wrapped 'parse config' error.
  LoadConfig unreadable file: skipped under root (root reads 0000);
    captures the read-error wrap path for non-root contexts.

internal/storeclient/client_test.go — 14 test funcs
  safeKey table-driven: plain segments, single slash, empty, trailing
    slash, space (→ %20), apostrophe (→ %27), unicode (→ %C3%A9),
    deep nesting. Locks URL-escape contract per scrum suggestion.
  recordingServer helper backs Put/Get/Delete/List against
    httptest.Server: verifies method, path, body bytes round-trip.
  ErrKeyNotFound on 404 (errors.Is round-trip).
  Non-OK status wraps body preview into the error chain.
  Delete accepts both 200 and 204 (S3 vs compatible-store quirk).
  List parses JSON shape and surfaces query-string prefix.
  Context cancellation propagates through Put as context.Canceled.

internal/queryd/db_test.go — 5 test funcs (with subtests)
  sqlEscape table-driven: 8 cases including empty, all-quotes,
    nested apostrophes (the case from the scrum suggestion).
  redactCreds table-driven: 6 cases — both keys, single keys,
    empty, multi-occurrence, placeholder-collision (lossy but safe).
  buildBootstrap statement order: INSTALL → LOAD → CREATE SECRET.
  buildBootstrap endpoint schemes: http strips + USE_SSL false,
    https keeps SSL true, no-scheme defaults SSL true (prod ambient).
  buildBootstrap URL_STYLE: 'path' vs 'vhost' branch.
  buildBootstrap escapes credential quotes: future SSO-token-with-
    apostrophe doesn't break out of the SQL string literal — the
    belt holds when the suspenders snap.

Real finding caught by my own test:
  net.Listen("tcp", "") succeeds (OS-picked port) — captured as
  TestNewListener_EmptyAddrIsValid so the quirk is documented.

Verified:
  go test -short ./... — every internal/ package now has tests
    (no more 'no test files' lines for shared/storeclient).
  just verify — vet + test + 9 smokes green in 33s.
  just proof contract — 53/0/1 green (no harness regression).

Closes:
  R-002 internal/shared zero tests        HIGH
  R-003 internal/storeclient zero tests   HIGH
  R-008 queryd/db.go untested             MED (sqlEscape, redactCreds,
                                              CREATE SECRET formation)

Composite scrum score should move from 43 → ~46 / 60 — the three
HIGH/MED risks closed, internal/shared and internal/storeclient
become "tested + load-bearing" instead of "untested + load-bearing."

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-29 05:51:05 -05:00

root

9e9e4c26a4

G0 D5: queryd DuckDB SELECT over Parquet via httpfs · 4 scrum fixes

Phase G0 Day 5 ships queryd: in-memory DuckDB with custom Connector
that runs INSTALL httpfs / LOAD httpfs / CREATE OR REPLACE SECRET
(TYPE S3) on every new connection, sourced from SecretsProvider +
shared.S3Config. SetMaxOpenConns(1) so registrar's CREATE VIEWs and
handler's SELECTs serialize through one connection (avoids cross-
connection MVCC visibility edge cases).

Registrar.Refresh reads catalogd /catalog/list, runs CREATE OR
REPLACE VIEW "name" AS SELECT * FROM read_parquet('s3://bucket/key')
per manifest, drops views for removed manifests, skips on unchanged
updated_at (the implicit etag). Drop pass runs BEFORE create pass so
a poison manifest can't block other manifest refreshes (post-scrum
C1 fix).

POST /sql with JSON body {"sql":"…"} returns
{"columns":[{"name":"id","type":"BIGINT"},…], "rows":[[…]],
"row_count":N}. []byte → string conversion so VARCHAR rows
JSON-encode as text. 30s default refresh ticker, configurable via
[queryd].refresh_every.

Cross-lineage scrum on shipped code:
  - Opus 4.7 (opencode):                      1 BLOCK + 4 WARN + 4 INFO
  - Kimi K2-0905 (openrouter):                2 BLOCK + 2 WARN + 1 INFO
  - Qwen3-coder (openrouter):                 2 BLOCK + 1 WARN + 1 INFO

Fixed (4):
  C1 (Opus + Kimi convergent): Refresh aborts on first per-view error
    → drop pass first, collect errors, errors.Join. Poison manifest
    no longer blocks the rest of the catalog from re-syncing.
  B-CTX (Opus BLOCK): bootstrap closure captured OpenDB's ctx →
    cancelled-ctx silently fails every reconnect. context.Background()
    inside closure; passed ctx only for initial Ping.
  B-LEAK (Kimi BLOCK): firstLine(stmt) truncated CREATE SECRET to 80
    chars but those 80 chars contained KEY_ID + SECRET prefix → log
    aggregator captures credentials. Stable per-statement labels +
    redactCreds() filter on wrapped DuckDB errors.
  JSON-ERR (Opus WARN): swallowed json.Encode error → silent
    truncated 200 on unsupported column types. slog.Warn the failure.

Dismissed (4 false positives):
  Qwen BLOCK "bootstrap not transactional" — DuckDB DDL is auto-commit
  Qwen BLOCK "MaxBytesReader after Decode" — false, applied before
  Kimi BLOCK "concurrent Refresh + user SELECT deadlock" — not a
    deadlock, just serialization, by design with 10s timeout retry
  Kimi WARN "dropView leaves r.known inconsistent" — current code
    returns before the delete; the entry persists for retry

Critical reviewer behavior: 1 convergent BLOCK between Opus + Kimi
on the per-view error blocking, plus two independent single-reviewer
BLOCKs (B-CTX, B-LEAK) that smoke could never have caught. The
B-LEAK fix uses defense-in-depth: never pass SQL into the error
path AND redact known cred values from DuckDB's own error message.

DuckDB cgo path: github.com/duckdb/duckdb-go/v2 v2.10502.0 (per
ADR-001 §1) on Go 1.25 + arrow-go. Smoke 6/6 PASS after every
fix round.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-29 00:10:55 -05:00

2 Commits