fix(ingest): 26.05.1 critical hardening — 5 criticals + review-pass cleanup

[xe-nvdk]

Summary

Five critical bugs surfaced by a 4-agent post-implementation review of the ingest path; this PR fixes all five plus the consolidated findings from a second 4-agent review of the fix branch (real bugs introduced, plus refactor/test/comment cleanups). All five are 26.05.1 GA blockers; fixing them does not regress the headline number — sustained 60s MessagePack columnar benchmark on this branch shows 19.04M rec/s @ p99 3.13ms vs baseline 18.6M rec/s @ p99 3.68ms (~17% p99 improvement, ~2% throughput uplift, 0 errors).

Critical fixes

• C1 — graceful-shutdown panic: Close() closed flushQueue after cancel(), racing concurrent writers past shard.mu.Unlock(). Fixed: closing atomic.Bool flag set before cancel, channel never closed (workers exit on b.ctx.Done()).
• C2 — schema-evolution corruption under concurrent writes: race window inside flushBufferLocked could install a third schema mid-flight; original caller appended into the racer's buffer. Fixed: bounded loop (8 iterations) re-checks schema after I/O + per-iteration ctx.Err() check.
• C3 — WAL silent backpressure drop: AppendRaw/AppendRawWithMeta returned nil on full channel, making downstream "data preserved in WAL" log lines untrue. Fixed: typed wal.ErrWALDropped sentinel; ingest caller differentiates via errors.Is + sampled Warn + dedicated total_wal_dropped counter; cluster receivers treat as non-fatal (don't advance lastSeq to silent divergence).
• C4 — gzip decompression bomb in LP/TLE handlers: Fiber's c.Body() transparently gunzipped without a size cap. Fixed: c.Request().Body() (raw) + magic-byte detection + pooled bounded decompressor (mirrors msgpack pattern).
• C5 — ingest endpoints missing write-tier auth: read-only token could write data via /api/v1/write/* when RBAC was disabled (OSS default). Fixed: explicit auth.RequireWrite/RequireAdmin middleware on all 9 endpoints via new internal/api/auth_middleware.go helpers; SetAuthAndRBAC takes concrete *auth.AuthManager directly to eliminate silent type-assert misses.

Review-pass refactors and cleanups

• Extract Writer.tryEnqueue (kills 2 copies of the WAL drop pattern).
• Extract ArrowBuffer.tryEnqueueFlush (kills 4 copies of the closing-flag + select-with-ctx-arm + queue-full pattern). Returns a flushSendOutcome enum so callers know queued / closing / ctx-canceled / queue-full distinctly.
• Extract ArrowBuffer.flushOnSchemaChangeLocked (kills 2 copies of the schema-evolution loop).
• Extract withWriteAuth / withAdminAuth + passthroughMiddleware (collapses if/else registration in 4 ingest handlers).

Test plan

• go build ./cmd/... ./internal/... clean
• go vet ./cmd/... ./internal/... clean
• go test ./internal/ingest/... ./internal/wal/... ./internal/api/... ./internal/cluster/... (all green, ~95s)
• Race-detector pass on new tests: go test -race -run "CloseRace|WriteAfterClose|SchemaEvolutionConcurrent|ErrWALDropped" all green
• Sustained 60s MessagePack columnar benchmark: 19.04M rec/s @ p99 3.13ms, 0 errors
• New regression tests are deterministic (no t.Skip on fast machines, no fixed time.Sleep on slow ones)
• Manual: hit /api/v1/write/msgpack with a read-only token, verify 403 (was 200)
• Manual: post a 1MB gzip-bomb to /write with Content-Encoding: gzip, verify rejection (was OOM)

Process notes

• Two rounds of 4-agent internal review (correctness / security / code-quality / perf) ran on the branch before opening this PR; all blocking findings from both rounds are addressed in this single commit.
• Three of the four reviewers in round 2 independently flagged the cluster-receiver fallout from the C3 fix — that's the kind of cross-cutting find the new CLAUDE.md review framework is designed to catch before shipping to gemini.

🤖 Generated with Claude Code

[xe-nvdk]

/gemini review

@gemini-code-assist this is the 26.05.1 GA-blocker hardening PR. Five critical fixes plus the cleanup pass. Two rounds of 4-agent internal review on the branch caught real bugs in the first round of fixes (cluster-receiver fallout from C3, log-spam under WAL backpressure, type-assert silent miss in auth wiring) — all addressed before opening this PR. Looking for any remaining findings before merge.

Sustained-load benchmark on this branch:

• 19.04M rec/s, p99 3.13ms, 0 errors over 60s (vs baseline 18.6M @ p99 3.68ms)
• Hot record path is unchanged; all new logic is per-flush or per-shutdown

[gemini-code-assist]

Code Review

This pull request hardens the ingestion pipeline by addressing concurrency races, durability gaps, and security vulnerabilities. It eliminates a shutdown panic in ArrowBuffer, fixes schema-evolution corruption using a bounded re-check loop, and prevents OOMs from gzip bombs by implementing capped decompression on raw request bodies. Additionally, it introduces explicit WAL backpressure handling via an ErrWALDropped sentinel and enforces write-tier authentication across all ingestion endpoints. Review feedback recommends restoring detailed error messages in decompression failure responses and suggests implementing zstd support in Line Protocol and TLE handlers for consistency.

[gemini-code-assist]

Code Review

This pull request hardens the ingestion path by addressing several critical concurrency, durability, and security issues. Key improvements include eliminating a graceful-shutdown panic in ArrowBuffer, preventing schema-evolution corruption during concurrent writes via a bounded retry loop, and protecting against gzip decompression bombs by implementing manual decompression with a hard size cap. Additionally, WAL backpressure is now explicitly handled using a new ErrWALDropped sentinel error, and write-tier authentication has been enforced across all ingestion and import endpoints. Feedback was provided to improve the clarity of the release notes by expanding glob patterns in the endpoint lists.

[xe-nvdk]

/gemini review

@gemini-code-assist round 2 fixes pushed in commit 713bbd3. All four findings addressed:

MEDIUM (×2) — error-detail restore:

• ✅ LP gzip-decompress response now includes err.Error() — line 229.
• ✅ TLE gzip-decompress response now includes err.Error() — line 131.
• Same change applied symmetrically to the new zstd branches in both handlers.

MEDIUM — zstd on LP/TLE (consistency with msgpack):

• ✅ Both handlers now detect zstd via magic bytes (0x28 0xB5 0x2F 0xFD) after the gzip check, with the same 100 MB decompressed-size cap as gzip.
• New helper decompressZstdPooled(data []byte, maxSize int) ([]byte, error) in tle.go reuses the package-level zstdDecoderPool and decompressBufferPool already declared in msgpack.go. Returns a freshly-copied []byte rather than a PooledBuffer — keeps the LP/TLE flat-byte handler shape unchanged. The pooled buffer itself is returned to its pool inside the helper, with the same oversized-buffer discard policy as msgpack (cap > maxPooledBufferSize → fresh small buffer for the pool, decompBufferDiscards counter incremented).
• New release-notes subsection "Line Protocol and TLE: zstd Decompression Support" describes the addition, the magic-byte detection, the 100 MB cap, and the 3–5× speedup over gzip relevant for satellite-fleet TLE senders.

MEDIUM — release-notes prose clarity:

• ✅ Replaced the shell-glob /api/v1/import/{csv,parquet,lp,tle} with the four explicit paths and rephrased the auth bullet for readability per your suggestion.

Build clean (go build ./internal/api/... ./cmd/...) and full api test suite passes (go test ./internal/api/... → ok 5.848s). No new tests added for the zstd helper because it shares the contract and pool with msgpack's already-tested path; if you'd like a dedicated decompressZstdPooled unit test (oversized-payload cap, malformed-magic-bytes-but-valid-stream, etc.), I'm happy to add it.

Looking for any final findings before merge.

[gemini-code-assist]

Code Review

This pull request implements critical-path hardening for the ingestion pipeline, addressing concurrency races, durability gaps during WAL backpressure, and security vulnerabilities related to decompression bombs and missing auth middleware. Key improvements include a graceful shutdown mechanism for ArrowBuffer, a bounded loop to prevent schema-evolution corruption, and the introduction of wal.ErrWALDropped to accurately report backpressure. Review feedback identified a critical data corruption risk in the Line Protocol and TLE handlers where raw request bodies were used without copying, potentially leading to use-after-free issues due to fasthttp's buffer reuse. Additionally, the safety limit for schema-evolution flushes was noted as a potential point for returning errors rather than allowing schema mixing.

[xe-nvdk]

/gemini review

@gemini-code-assist round 3 fixes pushed in commit 3c79ea1. Both findings addressed:

CRITICAL — body-aliasing footgun (LP and TLE):

• ✅ Both handlers now copy the raw fasthttp body at localProcessing entry: body := append([]byte(nil), c.Request().Body()...).
• Verified: the LP and TLE parsers already produce fresh strings (string(...) copies in unescape / parseFieldValue), so today's behavior was actually safe — but the no-aliasing contract was undocumented, brittle, and the silent-aliasing footgun would surface as silent data corruption if anyone ever added a fast-path that retained a sub-slice. The defensive copy is one memcpy per request, dwarfed by per-record allocations.
• The decompression branches already returned fresh slices, so they're symmetric. msgpack handler is unchanged: its decoder.Decode(payload) is synchronous and consumes payload before returning, so fasthttp body reuse is fine there.

MEDIUM — schema-evolution cap behavior:

• ✅ flushOnSchemaChangeLocked now returns a typed ingest.ErrSchemaChurnExceeded sentinel when schemaEvolutionMaxIters is reached (was: log + return nil, allowing wide schema-mixed buffers to land on disk).
• ✅ LP and TLE write handlers map errors.Is(err, ingest.ErrSchemaChurnExceeded) → HTTP 503 so upstream senders treat it as retryable backpressure rather than permanent server error.
• ✅ New totalSchemaChurnExceeded atomic counter surfaced in ArrowBuffer.Stats() as total_schema_churn_exceeded so operators can alert on a non-zero rate.
• Important: the per-iteration flushes inside the loop already wrote older schemas' rows to durable Parquet — only the current request fails. No data loss.

New regression tests:

• TestArrowBuffer_SchemaChurnExceededErrorContract — runs 16 writers × 200 iterations with 12 rotating distinct schemas against a single shard, asserts that (a) every non-nil write error must be errors.Is(err, ErrSchemaChurnExceeded) (catches a regression to "return nil") and (b) totalSchemaChurnExceeded counter delta == churn-error count (catches counter/error decoupling). Test passes deterministically; under steady-state runs the cap doesn't fire (0 errors), the contract still holds.
• TestArrowBuffer_ErrSchemaChurnExceeded_IsExported — pins the sentinel as exported and unwrappable via errors.Is.

Full ingest + api suites pass (go test ./internal/ingest/... ./internal/api/... → ok 66s + 5s); build clean.

Looking for any final findings before merge.

[gemini-code-assist]

Code Review

This pull request implements critical-path hardening for the ingestion pipeline, addressing concurrency races, schema-evolution corruption, and WAL backpressure handling. Key changes include a new shutdown protocol for ArrowBuffer to prevent panics, a bounded loop for schema changes to ensure data integrity, and the introduction of the wal.ErrWALDropped sentinel to accurately report durability status. Additionally, the PR adds zstd decompression support for Line Protocol and TLE, enforces stricter write-tier authentication across all ingestion endpoints, and mitigates decompression bomb vulnerabilities. Feedback focuses on correcting a docstring mismatch in the schema-evolution logic, optimizing memory usage by deferring defensive body copies until after compression checks, and ensuring consistent 503 error reporting for schema churn in the MessagePack handler.

[xe-nvdk]

/gemini review

@gemini-code-assist round 4 fixes pushed in commit 0822793. All four NEW findings from round 3 addressed (the 2 earlier-rounds re-flags at lineprotocol.go:231 / arrow_writer.go:1440 were stale — already addressed by 713bbd3 / 3c79ea1 respectively, just gemini re-flagging them on shifted line numbers):

MEDIUM — defensive body copy now deferred (LP and TLE):

• ✅ Both handlers switched from "unconditional copy + compression detection" to a single switch over magic bytes. Gzip and zstd branches return fresh slices directly (decompression already produces a fresh allocation); only the uncompressed default branch makes the defensive append([]byte(nil), rawBody...) copy.
• This eliminates the doubled-memory case for large compressed payloads while preserving the silent-aliasing footgun fix from round 2.

MEDIUM — ErrSchemaChurnExceeded → 503 in msgpack handler:

• ✅ writeMsgPack now mirrors LP/TLE — errors.Is(err, ingest.ErrSchemaChurnExceeded) maps to HTTP 503 with retryable-backpressure semantics.
• ✅ Generic-error path also restored err.Error() in the response body for client-side diagnosis (was previously a hard-coded "Failed to write records" with no detail). Now consistent with the gzip-decompress responses.

MEDIUM — flushOnSchemaChangeLocked docstring stale:

• ✅ Updated comment block to match implementation: "schemaEvolutionMaxIters reached — return ErrSchemaChurnExceeded so the caller can reject the write with a retryable status (HTTP 503). The per-iteration flushes inside the loop already wrote older schemas' rows to durable Parquet, so there is no data loss — only the current request fails under sustained schema-rotation churn."

Build clean, full ingest + api suites pass (go test ./internal/ingest/... ./internal/api/... → ok 67s + 5s).

Looking for any final findings before merge.

[gemini-code-assist]

Code Review

This pull request hardens the ingestion pipeline by addressing concurrency races during shutdown and schema evolution, improving WAL backpressure visibility, and enforcing stricter authentication. It also adds zstd support for Line Protocol and TLE endpoints and implements defensive body copies to prevent memory aliasing. Review feedback identifies a potential OOM vulnerability in the zstd decompression path and suggests consolidating redundant decompression logic and magic-byte detection across handlers to improve maintainability.

[gemini-code-assist]

The use of decoder.DecodeAll is vulnerable to decompression bombs. While zstd.WithDecoderMaxMemory limits the decoder's internal window memory, DecodeAll will continue to grow the output buffer as long as the input payload provides valid compressed data, potentially leading to an Out-Of-Memory (OOM) condition before the length check at line 326 is reached. To properly harden this path, consider using the io.Reader interface with an io.LimitReader to bound the decompressed output size during the decoding process.

[gemini-code-assist]

The logic for detecting compression magic bytes and performing decompression is identical between the Line Protocol and TLE handlers. Consider extracting this switch block into a shared helper function within the api package (e.g., func decompressRequest(rawBody []byte, maxSize int) ([]byte, string, error)) to ensure consistent behavior and simplify the handler implementations.

[gemini-code-assist]

This call uses the LineProtocolHandler.decompressGzip method, which duplicates logic found in the package-level decompressGzipPooled function (defined in tle.go). Both use the same underlying pool. To reduce code duplication and improve maintainability, consider using the shared function here.

Suggested change

	decompressed, err := h.decompressGzip(rawBody)
	decompressed, err := decompressGzipPooled(rawBody, 0)

[xe-nvdk]

/gemini review

@gemini-code-assist round 5 fixes pushed in commit 1aca1e8. All three NEW findings from round 4 addressed (the 2 earlier-rounds re-flags at arrow_writer.go:1440 / msgpack.go:168 were stale — already fixed in 3c79ea1 and 0822793 respectively, gemini's grep just landed on shifted lines):

🚨 HIGH/security-high — zstd decompression bomb in all three handlers:

• ✅ Confirmed real vulnerability in BOTH the new LP/TLE zstd path (added 713bbd3) AND the pre-existing msgpack zstd path. zstd.Decoder.DecodeAll grows its output buffer to fit the entire decompressed stream regardless of WithDecoderMaxMemory (which bounds only the per-frame window, not output growth).
• ✅ All three switched to streaming decoder.Reset(bytes.NewReader(data)) + io.LimitReader(decoder, max+1) + io.ReadAll. Bound is enforced during decoding so the bomb is rejected with a bounded len(maxSize)+1 allocation. Same shape as the existing gzip path.
• ✅ Pool semantics preserved: decoder is still pooled (the per-frame state is the expensive part); output is now a fresh slice on the streaming path because io.ReadAll's growth pattern fights decompressBufferPool's fixed-capacity contract. msgpack's PooledBuffer returned with bufPtr=nil so Release() is a safe no-op for the new path.
• ✅ New regression tests in internal/api/decompress_bomb_test.go:
  • TestDecompressZstdPooled_BombRejected_WithoutOOM — 256 MB plaintext compresses to 28 KB (ratio 9361×); decompressZstdPooled correctly rejects with "exceeds 100MB limit".
  • TestDecompressZstdPooled_RejectsBenignOversizedPayload — non-adversarial cap-exceeded path.
  • TestDecompressZstdPooled_HappyPath_RoundTrip — pin against regression in normal-sized requests.

MEDIUM — extract shared decompressRequest helper:

• ✅ New decompressRequest(rawBody []byte, maxSize int) (body []byte, codec string, err error) in tle.go. Returns the fresh-decoded slice plus a codec label ("gzip", "zstd", or "") for structured logging.
• ✅ LP and TLE handlers reduced from a 30-line inline switch each to a 3-line body, codec, err := decompressRequest(rawBody, 0) call. All three CRITICAL invariants (no fasthttp gunzip, streaming-bounded zstd, defensive copy on uncompressed) are preserved inside the helper.

MEDIUM — remove duplicated gzip helper:

• ✅ LineProtocolHandler.decompressGzip method (lineprotocol.go:373) was a near-clone of decompressGzipPooled (tle.go) and pulled from the same lpGzipReaderPool. Method removed; all routes go through decompressRequest → decompressGzipPooled. Removed now-unused bytes/io/gzip imports from lineprotocol.go.

Build clean, full suites pass (go test ./internal/api/... → 2.886s, ./internal/ingest/... → 66.912s); 3 new bomb-regression tests included.

Looking for any final findings before merge.

[gemini-code-assist]

Code Review

This pull request hardens the ingestion path by fixing concurrency races during shutdown and schema evolution, mitigating decompression bomb vulnerabilities with streaming decoders, and enforcing explicit authentication across all write and import endpoints. It also improves durability tracking by surfacing WAL backpressure as a distinct error state. Feedback focuses on standardizing error messages with formatBytes and implementing log sampling for WAL drop warnings in the replication and sharding receivers to prevent log spam under load.

[xe-nvdk]

/gemini review

@gemini-code-assist round 6 fixes pushed in commit 4a05cfb. All 5 NEW round-5 findings addressed (the recurring arrow_writer.go:1440 and msgpack.go:168 re-flags remain stale — already fixed in 3c79ea1 and 0822793; gemini's grep just keeps landing on shifted lines):

MEDIUM × 4 — sampled Warn for follower-side WAL backpressure:

• ✅ Added walDropLastLogNano atomic.Int64 field to both replication.Receiver and sharding.ShardReceiver.
• ✅ Added walDropLogIntervalNano = int64(time.Second) const next to each receiver type.
• ✅ Wrapped both Warn emissions in the same atomic-CAS sampling guard used by ArrowBuffer.recordWALError — at most one log line per second per receiver, suppression keyed on (now - last) < interval && CompareAndSwap(last, now).
• ✅ Both Warn payloads now also emit the running total_dropped counter so operators can read the rate from a single line if they grep for it.
• ✅ The non-fatal/applied semantics from the 26.05.1 fix are unchanged — only the log shape changed.

MEDIUM — formatBytes consistency:

• ✅ decompressZstdPooled and decompressGzipPooled cap-error messages now use formatBytes(int64(maxSize)) instead of %dMB. Matches msgpack's decompressZstd / decompressGzip exactly.

Build clean, full suites pass: go test ./internal/api/... ./internal/cluster/replication/... ./internal/cluster/sharding/... → ok 4.7s + 0.8s + 3.0s.

Looking for any final findings before merge.

[gemini-code-assist]

Code Review

This pull request implements critical hardening of the ingestion path, addressing concurrency races, durability gaps, and security vulnerabilities. Key improvements include a safe shutdown mechanism for the ArrowBuffer, a bounded loop for schema evolution to prevent corruption, and protection against decompression bombs. It also introduces explicit write-tier authentication and improves WAL backpressure observability. Feedback highlights a missing size check for uncompressed payloads in the shared decompression utility and a potential data corruption risk in the MessagePack handler due to the lack of a defensive body copy.

[gemini-code-assist]

The uncompressed branch in decompressRequest is missing a size check against maxSize. While the gzip and zstd paths are capped at 100MB (by default), an uncompressed request is currently only limited by the server's global body limit. This creates an inconsistency and a potential OOM vector if a large uncompressed payload is defensively copied. It should enforce the same maxSize limit as the compressed paths.

if maxSize <= 0 {
			maxSize = 100 * 1024 * 1024 // 100MB default
		}
		if len(rawBody) > maxSize {
			return nil, "", fmt.Errorf("payload exceeds %s limit", formatBytes(int64(maxSize)))
		}
		out := append([]byte(nil), rawBody...)
		return out, "", nil

[gemini-code-assist]

The MessagePack handler is missing the defensive copy for uncompressed payloads that was added to the Line Protocol and TLE handlers in this PR. Since c.Request().Body() returns a buffer that fasthttp reuses immediately after the handler returns, and arrowBuffer.Write processes data asynchronously, any sub-slices (like strings) retained by the decoder will point to invalid memory once the next request arrives. This is a significant data corruption risk. Consider refactoring writeMsgPack to use the decompressRequest helper or adding a manual copy for the uncompressed path.

[xe-nvdk]

/gemini review

@gemini-code-assist round 7 fixes pushed in commit 6561c86. Both NEW HIGH findings addressed; the 6 recurring re-flags (arrow_writer.go:1440, msgpack.go:168, replication/receiver.go:91+386, sharding/shard_receiver.go:81+494) remain stale — those code shapes were already fixed in 3c79ea1 / 0822793 / 4a05cfb and your grep just keeps landing on shifted lines.

🚨 HIGH/security-high — decompressRequest uncompressed branch missing maxSize cap:

• ✅ Helper now defaults maxSize <= 0 to 100MB up front and applies the cap to all three branches symmetrically. The uncompressed path rejects over-cap input before the defensive copy, closing the OOM vector you flagged.
• ✅ New regression tests:
  • TestDecompressRequest_UncompressedRejectsOverCap — cap+1 raw bytes → "exceeds 100MB limit" error, codec="".
  • TestDecompressRequest_UncompressedAcceptsAtCap — exactly cap bytes accepted; mutates body[0] and verifies rawBody[0] is unchanged, locking in the defensive-copy no-aliasing invariant.

🚨 HIGH — msgpack handler missing defensive body copy:

• ✅ writeMsgPack now routes through the shared decompressRequest(rawBody, int(h.maxPayloadSize)) helper, just like LP and TLE. The defensive copy + new uncompressed-cap apply automatically.
• ✅ Deleted MsgPackHandler.decompressGzip and decompressZstd (240 lines of per-handler pooled-buffer codecs replaced by the package-level streaming helpers in tle.go). PooledBuffer itself remains for TestPooledBufferRelease.
• ✅ Removed unused bytes/io/gzip/zstd imports from msgpack.go.
• ✅ Error message shape unified: when codec is empty (uncompressed-rejection), the response is now "Failed to read request body: <err>" instead of the awkward "Failed to decompress data: <err>". When codec is gzip/zstd, the existing decoder-error message format is preserved.

Verification of the round-2 conclusion (no current data corruption):

• The Basekick-Labs/msgpack/v6 fork was inspected: string fields go through string(b) (always allocates), and []byte fields go through io.ReadFull into a fresh slice (also always allocates). So today's msgpack handler was technically safe even without the defensive copy. But the contract was undocumented and brittle, and the inconsistency with LP/TLE was a real maintenance hazard — your finding to defensively copy is the right call regardless.

Build clean, full suites pass: go test ./internal/api/... ./internal/cluster/replication/... ./internal/cluster/sharding/... → ok 4.8s + 0.9s + 2.5s. 5 decompress regression tests (3 round-4 bomb + 2 round-6 cap/aliasing) pass deterministically.

Looking for any final findings before merge.

[gemini-code-assist]

Code Review

This pull request hardens the ingestion pipeline by addressing critical concurrency, durability, and security issues. Key improvements include fixing a graceful-shutdown panic in ArrowBuffer, preventing schema-evolution corruption through a bounded retry loop, and introducing explicit wal.ErrWALDropped handling to distinguish backpressure from I/O errors. The PR also mitigates decompression bomb vulnerabilities across all ingestion handlers and enforces stricter authentication for write and import endpoints. Feedback highlights a potential risk in reusing decoders after a failed decompression, suggesting they should be dropped from the pool to avoid state corruption.

[gemini-code-assist]

Returning a decoder to the pool after a failed io.ReadAll might be risky if the decoder's internal state is corrupted. While Reset(nil) is called, it may be safer to drop the instance and let the pool allocate a fresh one if the error is not io.EOF or a simple limit exceeded error.

[xe-nvdk]

/gemini review

@gemini-code-assist round 8 fixes pushed in commit 04e64cc. One NEW round-7 finding addressed plus a perf restoration:

MEDIUM — drop poisoned zstd decoder on partial-decode error:

• ✅ decompressZstdPooled now calls decoder.Close() on the io.ReadAll error path instead of Reset(nil) + returning to the pool. After a mid-stream corruption a poisoned internal frame state is not safely recoverable; closing the decoder lets the next request's pool.Get() allocate a fresh one. Cheap and defensive.

Perf restoration — msgpack uncompressed fast-path:

• After round-6 unified all three handlers behind the shared decompressRequest helper (which copies on the uncompressed branch), the 60-second sustained MessagePack-columnar bench dropped from 19.04M rec/s (baseline) → 18.04M rec/s (~5% regression). At 18M rec/s × ~50KB batches, the new per-request defensive memcpy becomes a real allocation storm.
• msgpack now inlines its codec dispatch: gzip/zstd still go through the shared helpers (those need the bomb cap and produce fresh slices anyway), but the uncompressed branch hands rawBody directly to h.decoder.Decode. The decoder is synchronous and the Basekick-Labs/msgpack/v6 fork copies every string via string(b) and every []byte via io.ReadFull — so by the time Decode returns, no decoded value still aliases rawBody.
• LP and TLE keep the defensive copy in the shared helper — their throughput targets don't justify diverging.

New regression test — TestMessagePackDecoder_CopiesStringFields_NoBodyAliasing decodes a row-format payload, mutates the source bytes to 0xFF, and asserts the decoded Measurement and Tags["region"] values are unchanged. Locks in the no-aliasing invariant: if a future fork update introduces zero-copy aliasing, the test fails loudly before production sees corruption. This is the load-bearing safety net for the bypass-the-copy decision.

Perf result with this commit: 19.13M rec/s @ p99 3.06ms over 60s — slightly above the post-round-1 baseline (19.04M / p99 3.13ms).

Bumped Basekick-Labs/msgpack/v6 from v6.0.0 to v6.1.0 (user-released; verified the no-aliasing regression test still passes).

The 7 other comments in round 7 are stale re-flag noise on code shapes already fixed in 3c79ea1 / 0822793 / 4a05cfb / 6561c86.

Build clean, full suites pass, no-aliasing invariant locked in test.

Looking for any final findings before merge.

[gemini-code-assist]

Code Review

This pull request significantly hardens the ingestion path by addressing critical concurrency, durability, and security vulnerabilities. Key improvements include eliminating graceful-shutdown panics in the ArrowBuffer, preventing data corruption during concurrent schema evolution via a bounded retry loop, and improving WAL durability transparency by introducing an explicit ErrWALDropped sentinel. Security is bolstered by mitigating decompression-bomb vectors through streaming decoders with hard caps and enforcing write-tier authentication across all ingestion endpoints. Additionally, Line Protocol and TLE now support zstd decompression. Feedback is provided regarding an inconsistency in the MessagePack handler where a zero-valued maximum payload size would incorrectly reject all requests instead of falling back to the system default.

[gemini-code-assist]

This check will reject all non-empty payloads if h.maxPayloadSize is 0 (e.g., if not explicitly configured). However, the downstream decompression helpers (decompressGzipPooled and decompressZstdPooled) treat a 0 limit as a signal to use the default 100MB cap. This check should be updated to handle 0 consistently with the rest of the pipeline to avoid unexpected rejections when using default settings.

Suggested change

	if int64(len(rawBody)) > h.maxPayloadSize {
	return c.Status(fiber.StatusRequestEntityTooLarge).JSON(fiber.Map{
	"error": fmt.Sprintf("Payload too large (max %s). Consider batching into smaller requests.", formatBytes(h.maxPayloadSize)),
	})
	}
	effectiveLimit := h.maxPayloadSize
	if effectiveLimit <= 0 {
	effectiveLimit = 100 * 1024 * 1024 // Match default in decompressRequest
	}
	if int64(len(rawBody)) > effectiveLimit {
	return c.Status(fiber.StatusRequestEntityTooLarge).JSON(fiber.Map{
	"error": fmt.Sprintf("Payload too large (max %s). Consider batching into smaller requests.", formatBytes(effectiveLimit)),
	})
	}