fix: data integrity fixes (Batch 2)#147
Merged
C5: Make delete_note_recursive atomic — merge deletion and op log into
a single transaction to prevent sync history loss on crash.
H6: Wrap run_migrations in BEGIN IMMEDIATE / COMMIT so partial
migration on crash is rolled back.
H7: Replace .unwrap() with .unwrap_or_default() in wall_clock_ms()
to avoid panic when system clock is pre-epoch.
M4: Add category field to ScriptRestore undo variant so undoing a
schema-category script delete restores the correct category
instead of hardcoding "library".
M5: Increase default op purge limit from 100 to 1000, configurable
via workspace_meta 'purge_limit' key.
M6: Replace ts.wall_ms (milliseconds) with chrono::Utc::now().timestamp()
(seconds) in set_note_checked to match every other write path.
M7: Preserve original owner_pubkey on workspace import by including it
in the export archive and restoring it after Workspace::open().
H5: Document DefaultHasher instability in device.rs (no code change).
Closes #139
Auto mode checked only hasPeers (from list_workspace_peers) which may silently fail at startup. Also consider shareAnchorIds — if the owner has granted RBAC permissions, indicators should appear regardless. Add console.warn to the silent .catch so failures are visible in devtools.
Summary
Pre-1.0 audit Batch 2 — fixes 7 data integrity issues plus 1 documentation item. Closes #139.
- `delete_note_recursive` now runs deletion + op log in a single atomic transaction (was two separate transactions — crash between them lost sync history)
- `run_migrations` wrapped in `BEGIN IMMEDIATE`/`COMMIT` to prevent partial migration on crash
- `wall_clock_ms()` uses `.unwrap_or_default()` instead of `.unwrap()` to avoid panic on pre-epoch system clock
- `ScriptRestore` undo variant now captures and restores the original `category` field instead of hardcoding `"library"` (fixes schema scripts restoring as library)
- `workspace_meta` key `purge_limit`
- `set_note_checked` now uses `chrono::Utc::now().timestamp()` (seconds) instead of `ts.wall_ms` (milliseconds) for `modified_at`, matching every other write path
- `import_workspace` now preserves the original `owner_pubkey` from the archive instead of overwriting it with the importer's key
- `device.rs` explaining `DefaultHasher` instability risk (no code change)
Test plan
- `test_c5_delete_note_logs_operation_atomically` — verifies DeleteNote op exists after recursive delete
- `test_m4_undo_delete_schema_script_restores_category` — verifies undoing a schema-category script delete restores `"schema"` not `"library"`
- `test_m5_purge_retains_more_than_100_ops` — verifies 120+ ops survive purge (old limit was 100)
- `test_m6_set_note_checked_stores_seconds_timestamp` — verifies `modified_at` is seconds-range, not milliseconds
- `test_m7_import_preserves_original_owner_pubkey` — exports with key A, imports with key B, verifies owner is still key A
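The two transaction fixes above (C5, atomic delete + op log; H6, migrations under `BEGIN IMMEDIATE`/`COMMIT`) share one failure mode: a crash between two separately committed writes leaves the database in a state neither write path intended. The following is an added example, not code from this PR or the project. It uses Python's standard-library `sqlite3` (the project is Rust, but SQLite's transaction semantics are what matter here and the stdlib module runs without extra dependencies). The table names (`notes`, `op_log`, `schema_migrations`), the recursive-delete shape, the migration list and the `SimulatedCrash` exception are all assumptions constructed for the demonstration. The "crash" is simulated by raising mid-operation; a real process death leaves the rollback journal on disk and SQLite discards the uncommitted changes on the next open, which is the same outcome as the explicit `ROLLBACK` shown.

```python
import sqlite3
import time

# Constructed schema standing in for the note table, op log and migration
# bookkeeping described in the PR. Names are assumptions, not the project's.
SCHEMA = """
CREATE TABLE notes (id TEXT PRIMARY KEY, parent_id TEXT, title TEXT);
CREATE TABLE op_log (seq INTEGER PRIMARY KEY AUTOINCREMENT,
                     op TEXT NOT NULL, note_id TEXT NOT NULL, ts INTEGER NOT NULL);
CREATE TABLE schema_migrations (version INTEGER PRIMARY KEY);
"""


class SimulatedCrash(Exception):
    """Stands in for the process dying at a chosen point."""


def open_db():
    # isolation_level=None is autocommit mode: BEGIN IMMEDIATE / COMMIT /
    # ROLLBACK below are issued explicitly, mirroring the PR's wrapping.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO notes VALUES (?, ?, ?)", [
        ("root", None, "Root"), ("child", "root", "Child"),
        ("leaf", "child", "Leaf"), ("other", None, "Unrelated")])
    return conn


def subtree_ids(conn, root_id):
    # Recursive CTE: the root plus every descendant.
    rows = conn.execute("""
        WITH RECURSIVE sub(id) AS (
            SELECT ? UNION ALL
            SELECT n.id FROM notes n JOIN sub ON n.parent_id = sub.id)
        SELECT id FROM sub""", (root_id,)).fetchall()
    return [r[0] for r in rows]


def delete_note_recursive_before(conn, root_id, crash_between=False):
    """Pre-C5 shape: delete commits, then the op-log entry commits separately."""
    ids = subtree_ids(conn, root_id)
    conn.execute("BEGIN IMMEDIATE")
    conn.executemany("DELETE FROM notes WHERE id = ?", [(i,) for i in ids])
    conn.execute("COMMIT")
    if crash_between:
        raise SimulatedCrash("died after deleting, before logging")
    conn.execute("BEGIN IMMEDIATE")
    conn.execute("INSERT INTO op_log (op, note_id, ts) VALUES ('DeleteNote', ?, ?)",
                 (root_id, int(time.time())))
    conn.execute("COMMIT")


def delete_note_recursive_after(conn, root_id, crash_between=False):
    """C5 shape: one transaction, so nothing is durable until COMMIT."""
    ids = subtree_ids(conn, root_id)
    conn.execute("BEGIN IMMEDIATE")
    try:
        conn.executemany("DELETE FROM notes WHERE id = ?", [(i,) for i in ids])
        if crash_between:
            raise SimulatedCrash("died mid-transaction")
        conn.execute("INSERT INTO op_log (op, note_id, ts) VALUES ('DeleteNote', ?, ?)",
                     (root_id, int(time.time())))
        conn.execute("COMMIT")
    except BaseException:
        conn.execute("ROLLBACK")  # what the journal does on reopen after a real crash
        raise


def snapshot(conn):
    notes = [r[0] for r in conn.execute("SELECT id FROM notes ORDER BY id")]
    ops = [tuple(r) for r in conn.execute("SELECT op, note_id FROM op_log ORDER BY seq")]
    return notes, ops


# Constructed migrations; version 2 fails on its second statement.
MIGRATIONS = {
    1: ["ALTER TABLE notes ADD COLUMN checked INTEGER NOT NULL DEFAULT 0"],
    2: ["ALTER TABLE notes ADD COLUMN modified_at INTEGER",
        "ALTER TABLE no_such_table ADD COLUMN x INTEGER"],
}


def run_migrations(conn, migrations, atomic):
    """H6: with atomic=True the whole run is one BEGIN IMMEDIATE ... COMMIT."""
    applied = {r[0] for r in conn.execute("SELECT version FROM schema_migrations")}
    if atomic:
        conn.execute("BEGIN IMMEDIATE")
    try:
        for version in sorted(migrations):
            if version in applied:
                continue
            for stmt in migrations[version]:
                conn.execute(stmt)  # DDL is transactional in SQLite
            conn.execute("INSERT INTO schema_migrations VALUES (?)", (version,))
        if atomic:
            conn.execute("COMMIT")
    except sqlite3.Error:
        if atomic:
            conn.execute("ROLLBACK")
        raise


def schema_state(conn):
    cols = [r[1] for r in conn.execute("PRAGMA table_info(notes)")]
    versions = [r[0] for r in conn.execute("SELECT version FROM schema_migrations ORDER BY version")]
    return cols, versions


def crash_between_delete_and_log(atomic):
    conn = open_db()
    fn = delete_note_recursive_after if atomic else delete_note_recursive_before
    try:
        fn(conn, "root", crash_between=True)
    except SimulatedCrash:
        pass
    return snapshot(conn)


def partial_migration(atomic):
    conn = open_db()
    try:
        run_migrations(conn, MIGRATIONS, atomic=atomic)
    except sqlite3.OperationalError:
        pass
    return schema_state(conn)
```

Running `crash_between_delete_and_log(atomic=False)` returns notes `['other']` with an empty op log: the subtree is gone but no `DeleteNote` op was recorded, so peers never learn of the deletion. With `atomic=True` all four notes survive and the op log is still empty, so the delete can simply be retried. `partial_migration(atomic=False)` leaves `modified_at` on `notes` while `schema_migrations` says only version 1 ran, the half-applied state H6 prevents; `atomic=True` rolls the whole run back.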