docs: add admin UI and key visualizer design

[bootjp]

Proposes a standalone cmd/elastickv-admin binary and a TiKV-style key visualizer heatmap. Avoids the Prometheus client dependency in the initial phases by adding an in-process LiveSummary alongside the existing observers, and keeps sampler hot-path overhead below the benchmark noise floor via adaptive 1-in-N sampling with a ≥95% capture SLO.

Summary by CodeRabbit

• Documentation

  • Added a comprehensive design spec for the admin Web UI and Key Visualizer (architecture, sampling, persistence, UI interactions, phased plan).

• New Features

  • Standalone admin HTTP server with cluster-overview API, membership discovery, CLI controls, and graceful shutdown.
  • Token-protected Admin gRPC API exposing cluster, raft, adapter, key-visualizer, route detail, and live event streams.
  • Key Visualizer: sampled heatmap, live column updates, drill-down, uncertainty/hatched rendering, and continuity across splits/merges.

• Tests

  • Extensive unit and integration tests covering admin HTTP/gRPC, discovery/fanout, auth, client caching, token loading, and startup wiring.

• Chores

  • Protobuf generation updated to include the new admin service.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds a new admin subsystem: a standalone elastickv-admin HTTP frontend that fans out to per-node, token-protected, read-only Admin gRPC endpoints; a node-side Admin gRPC server and auth interceptors; new admin protobufs and generation; CLI/server wiring and tests; and a Key Visualizer design document defining sampling, storage, and UI behavior.

Changes

Cohort / File(s)	Summary
Design doc docs/admin_ui_key_visualizer_design.md	New comprehensive design for an operator-facing admin Web UI and Key Visualizer: sampler placement, adaptive sampling, leadership semantics, split/merge continuity, phased persistence into Raft groups, namespace isolation, adapter summaries, frontend UX/WS behaviors, testing matrix, and delivery phases.
Admin protobufs & generation proto/admin.proto, proto/Makefile	Adds Admin gRPC service with RPCs (GetClusterOverview, GetRaftGroups, GetAdapterSummary, GetKeyVizMatrix, GetRouteDetail, StreamEvents), messages/enums, and updates proto/Makefile to generate Go/gRPC code for admin.proto.
Node-side gRPC server adapter/admin_grpc.go, adapter/admin_grpc_test.go	New AdminServer, AdminGroup interface and NodeIdentity; registration API; GetClusterOverview and GetRaftGroups implementations with deterministic sorted responses and merged member logic; AdminTokenAuth unary/stream interceptors and comprehensive unit tests covering auth, ordering, concurrency, and timing semantics.
Admin CLI / frontend server cmd/elastickv-admin/main.go, cmd/elastickv-admin/main_test.go	New elastickv-admin binary: CLI flags (bind, seeds, token file, TLS/insecure), membership cache with singleflight refresh, concurrent fan-out to node Admin gRPCs with client leasing and eviction, /api/cluster/overview and /healthz handlers, proto→JSON marshaling with size caps, graceful shutdown, and extensive tests for parsing, token loading, transport credentials, discovery/fanout, caching, and HTTP behavior.
Node integration & flags main.go, main_admin_test.go	Node startup gains admin token-file / insecure-no-auth flags, token loading and validation, deterministic self-address derivation, conditional per-raft Admin service registration, and interceptor chaining; tests validate wiring, token enforcement, and bootstrap member computation.
Helpers: gRPC & tokens internal/grpc.go, internal/tokenfile.go, internal/tokenfile_test.go	Adds GRPCCallOptions() to set per-call max message sizes; LoadBearerTokenFile to read/validate token files with max-size enforcement; and tests covering trim, empty, oversize, and missing-file cases.
Proto-generated integration proto/...	Build rules updated to include admin.proto in Go/GRPC generation.
Minor refactor internal/raftengine/etcd/fsm_snapshot_file.go	Replaced hardcoded .snap literals with a shared snapFileExt constant for snapshot filename parsing/enumeration.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant Browser as Admin UI (browser)
    participant Fanout as elastickv-admin (HTTP)
    participant Node as elastickv node (Admin gRPC)
    participant Engine as Raft Group Engine

    Browser->>Fanout: GET /api/cluster/overview
    Fanout->>Node: GetClusterOverview (gRPC, Bearer token)
    Node->>Engine: Configuration()/Status() per registered group
    Engine-->>Node: group status/configuration
    Node-->>Fanout: GetClusterOverviewResponse
    Fanout-->>Browser: aggregated JSON { nodes: [...] }

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐇 I hopped through bytes and counted each route,

I sampled warm keys and marked the shout,
Heatmaps hum, tokens guard the gate,
Fans spin out nodes and stitch the state,
A rabbit cheers — clusters look great!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 46.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main changes: it describes the primary deliverable (admin UI and key visualizer design) being added to the documentation.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/admin_ui_key_visualizer

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request proposes a design for a standalone Admin UI and Key Visualizer for Elastickv, utilizing a low-overhead sampler and a Svelte-based frontend to provide cluster insights. The review feedback identifies several critical areas for refinement, including potential concurrency bugs in the sampler's map access, scalability concerns regarding memory usage for high route counts, and the operational risk of centralizing data persistence in the default Raft group. Furthermore, the feedback suggests re-evaluating the mathematical definition of the capture rate SLO, the performance overhead of T-Digests on the hot path, and the necessity of a cluster-wide aggregation strategy to ensure a complete view of traffic.

[bootjp]

/gemini review

[gemini-code-assist]

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

[bootjp]

/gemini review

[gemini-code-assist]

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

[bootjp]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces a comprehensive design document for a new Admin UI and Key Visualizer for Elastickv, featuring a standalone admin binary and a low-overhead sampling mechanism for traffic heatmaps. The review feedback highlights several critical improvements: ensuring historical data continuity by using stable identifiers for persistence instead of volatile route IDs, optimizing the hot-path sampling logic with a lock-free map to reduce cache line contention, and correcting the mathematical formula for the estimator's relative error to ensure accurate sampling statistics.

[bootjp]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces a comprehensive design for a built-in Admin UI and a Key Visualizer for Elastickv, featuring a standalone admin binary and a high-performance traffic sampler. The design includes strategies for adaptive sub-sampling, memory management, and a phased implementation. The review feedback identifies several critical design gaps and operational risks, such as potential unbounded data growth due to storage layer limitations, the risk of exposing internal metadata to user operations, and potential data loss during leadership transitions. It also emphasizes the need for unique ID generation and state recovery mechanisms to ensure historical continuity.

[gemini-code-assist]

The design relies on HLC-based expiry for a 7-day TTL, but the pebbleStore.Compact implementation in store/lsm_store.go (lines 1115-1138) only removes old MVCC versions and does not check ExpireAt for the latest version. This poses an operational risk of unbounded data growth; the design should detail mitigation strategies, such as updating the store's GC logic, to ensure data is correctly evicted.

References

1. When a design document identifies a significant operational risk, it must also detail potential mitigation strategies.

[gemini-code-assist]

The !admin| prefix for internal KeyViz data is not currently filtered by ShardedCoordinator.maxLatestCommitTS or pebbleStore.ScanAt. This could expose internal metadata to user-plane operations or cause user transactions to receive unnecessarily advanced StartTS values.

[bootjp]

/gemini review

[gemini-code-assist]

Code Review

This pull request outlines the design for a standalone Admin UI and Key Visualizer for Elastickv, introducing a heatmap-based traffic monitor and cluster overview. The design focuses on high-performance sampling and distributed persistence. Feedback highlights the need for earlier authentication to secure node-level metadata, the inclusion of follower-local read sampling to avoid incomplete traffic views, and API enhancements to clarify when route data has been coarsened for the UI.

[bootjp]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces a design document for an Admin UI and Key Visualizer for Elastickv, proposing a standalone admin binary and a hot-path-safe sampler for per-route traffic. The review feedback identifies several operational risks that require mitigation strategies, such as the I/O overhead of the garbage collection pass, potential collisions in UUIDv7 generation, and the risk of data loss due to hourly batching. Additionally, the reviewer suggests improving data isolation by rejecting user-plane writes to the internal admin namespace and updating store-level metadata checks to support prefix-based filtering.

[gemini-code-assist]

The design proposes a KeyViz-specific GC pass that either updates pebbleStore.Compact or adds a maintenance delete. Since KeyViz data can be high-volume, performing a full scan-and-delete GC pass might introduce significant I/O and CPU overhead. As this represents a significant operational risk, the design must detail mitigation strategies per repository guidelines. Leveraging a CompactionFilter to drop expired versions during background compactions is a recommended mitigation to avoid manual scan overhead.

References

1. When a design document identifies a significant operational risk, it must also detail potential mitigation strategies.

[gemini-code-assist]

The design mentions generating lineageID as a UUIDv7 using the route transition HLC. Truncating the 64-bit HLC to the 48-bit UUIDv7 timestamp field might lead to collisions or loss of ordering precision, which is a significant operational risk. Per repository guidelines, the design must detail mitigation strategies. Please specify how the 64-bit HLC is mapped into the UUIDv7 structure (e.g., by using the physical part for the timestamp and the logical part for the sequence/random bits) to mitigate this risk.

References

1. When a design document identifies a significant operational risk, it must also detail potential mitigation strategies.

[gemini-code-assist]

Batching KeyViz writes hourly per group minimizes Raft overhead but introduces a risk of losing up to one hour of historical heatmap data if a node crashes before the batch is persisted. This is a significant operational risk. According to repository rules, the design must detail potential mitigation strategies. For Phase 3, or even as a configurable option now, the design should specify a more frequent persistence interval or a recovery strategy to ensure operational continuity.

References

1. When a design document identifies a significant operational risk, it must also detail potential mitigation strategies.

[gemini-code-assist]

The design specifies filtering !admin|* records from user-plane scans and timestamp selection. To ensure complete isolation and prevent accidental or malicious interference with internal metadata, the data-plane adapters (gRPC, Redis, etc.) should also be updated to reject user-plane write requests (PUT, DELETE) that target keys starting with the !admin| prefix.

[gemini-code-assist]

In the current implementation of store/lsm_store.go, the isPebbleMetaKey function (line 299) only checks for exact matches with specific metadata keys. To support the !admin|* namespace filtering mentioned in the design, this function (or its equivalent in Phase 3) should be updated to perform prefix checks. This will ensure that nextScannableUserKey and prevScannableUserKey correctly skip all internal KeyViz records during user-plane scans.

[bootjp]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces a design for a built-in Admin UI and Key Visualizer for Elastickv, featuring a standalone admin binary and a sampling-based heatmap for traffic analysis. Feedback highlights several technical concerns: the potential for node startup delays due to WAL replay, a security gap where point reads could bypass system namespace isolation, and a risk of ID collisions when mapping 16-bit HLC counters to 12-bit UUIDv7 fields. Additionally, it is recommended to use dynamic membership refresh with caching for the admin binary's fan-out logic to ensure heatmap completeness during cluster scaling.

[gemini-code-assist]

Replaying a 5-minute WAL into the in-memory ring buffer on every restart could significantly delay node startup under high QPS. This presents a significant operational risk, particularly for rolling upgrades where nodes must return to service quickly. Per repository guidelines, the design must detail mitigation strategies, such as more frequent persistence (checkpointing) or a mechanism to bound the WAL size/replay time, to ensure the node remains responsive during recovery.

References

1. When a design document identifies a significant operational risk, such as the inability to perform rolling upgrades, it must also detail potential mitigation strategies, like implementing a temporary 'bridge' or 'proxy' mode.

[gemini-code-assist]

The namespace isolation logic for !admin|* keys should also be applied to GetAt and ExistsAt operations in the ShardedCoordinator. Currently, the design specifies filtering for ScanAt, ReverseScanAt, and maxLatestCommitTS, and rejecting user-plane writes. However, if point reads are not also restricted, a user could potentially read internal KeyViz metadata or lineage records by discovering the keys, which undermines the intended isolation of the system namespace.

[gemini-code-assist]

Mapping the HLC logical counter to the 12-bit rand_a field in UUIDv7 is problematic for high-throughput clusters. Standard HLC implementations often use a 16-bit logical counter to handle high-concurrency bursts within a single millisecond. Truncating this to 12 bits will cause collisions and break the monotonic ordering guarantee for events occurring within the same millisecond if the logical counter exceeds 4095. Since lineageID is used to track continuity across split/merge events, losing ordering could lead to incorrect history reconstruction in the UI.

[gemini-code-assist]

Regarding the open question on fan-out membership: dynamic refresh is strongly recommended over pinning to a seed list. Relying on a pinned list will lead to incomplete heatmaps as the cluster scales out or as nodes are replaced. To avoid stampedes on the seed nodes, the admin binary can cache the membership for a short duration (e.g., 10-30 seconds) rather than refreshing on every single request.

[bootjp]

/gemini review

[coderabbitai]

Actionable comments posted: 4

🧹 Nitpick comments (2)

docs/admin_ui_key_visualizer_design.md (2)

252-262: Fix table formatting in the Integration Points section.

Static analysis flags table column count mismatches at lines 257 and 260. Reviewing the table structure at lines 252-262, the two-column layout (File | Change) has rows where the Change cell contains inline code spans with spaces (e.g., `Put`/`Delete`), which the Markdown linter interprets as additional columns.

To fix the linting warnings and improve readability:

1. Remove spaces inside inline code spans: `Put`/`Delete` should be `Put` / `Delete` or `Put`/`Delete` (no spaces around the slash).
2. Ensure each table row has exactly two pipe-separated cells.

Also, the code block at line 167 is missing a language identifier (flagged by MD040). Tag it as text or leave it untagged if it's intentionally pseudo-code:

-```
+```text
 Sampler
  ├─ routes atomic.Pointer[routeTable]
  └─ history *ringBuffer[matrixColumn]

These are minor formatting issues that don't affect technical correctness but improve documentation quality.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/admin_ui_key_visualizer_design.md` around lines 252 - 262, The
Integration Points table has rows where the "Change" column contains inline code
spans that include spaces around slashes which the Markdown linter treats as
extra columns (breaks the two-column `File | Change` table); edit the table so
each row has exactly two pipe-separated cells and normalize inline code spans
like `Put`/`Delete` (remove surrounding spaces or use `Put / Delete`) and any
other backticked phrases to avoid introducing additional pipes, and add a
language tag (e.g., text) to the standalone code block containing the Sampler
snippet (the block starting with "Sampler ├─ routes atomic.Pointer[routeTable]")
so MD040 is resolved.

---

85-86: Consider documenting token lifecycle and rotation strategy.

The design specifies a shared read-only admin token loaded from --adminTokenFile, but doesn't address token rotation, minimum entropy requirements, or compromise recovery. For production deployment, operators need guidance on:

• Token generation (e.g., require minimum 256-bit entropy)
• Safe distribution mechanism
• Rotation procedure without downtime (e.g., dual-token grace period)
• Monitoring for unauthorized access attempts

Add a "Security Considerations" subsection under §4 that specifies:

### 4.2 Token Security

- Generate admin tokens with at least 256 bits of cryptographic entropy (e.g., `openssl rand -base64 32`).
- Distribute via secure channels (sealed secrets, key management systems).
- Support dual-token mode: `--adminTokenFile` may contain multiple newline-separated tokens; nodes accept any valid token, enabling zero-downtime rotation.
- Log failed authentication attempts to the audit stream for monitoring.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/admin_ui_key_visualizer_design.md` around lines 85 - 86, Add a "Security
Considerations" subsection under §4 that documents admin token lifecycle and
rotation for the Admin service (registered alongside RawKV), specifying that
admin tokens loaded via --adminTokenFile (and sent from admin binary using
--nodeTokenFile) must be generated with >=256-bit entropy (example: openssl rand
-base64 32), should be distributed via secure channels (sealed secrets / KMS),
support dual-token mode by allowing --adminTokenFile to contain multiple
newline-separated tokens so nodes accept any valid token for zero-downtime
rotation, require logging of failed authentication attempts to the audit stream,
and include a brief compromise-recovery procedure and guidance on using
--adminInsecureNoAuth only for local development (with startup warning).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/admin_ui_key_visualizer_design.md`:
- Line 161: Clarify how CPU attributed to Observe is measured: update the text
around "sampleRate" and the adaptive controller (and add a brief note in §5.2)
to state the chosen measurement approach explicitly—preferably Option 1
(synthetic cost model), e.g., compute Observe cost as total flush-window
duration or routeCount × benchmarkedCostPerObserve to avoid hot-path profiling;
if Option 2 is chosen instead, state using runtime.SetCPUProfileRate with a low
sampling rate (e.g., ~10Hz) and that attribution is approximate and
low-overhead. Mention both options briefly and mark which one the design uses.
Ensure references to "sampleRate" and "Observe" remain consistent.
- Around line 206-207: The text around lineageID and "route transition HLC" must
explicitly state the timestamp source to ensure leader-issued timestamps are
used: clarify that the "route transition HLC" used to derive lineageID (and
populate validFromHLC/validToHLC) is the Raft-leader-issued HLC/timestamp
attached to the SplitRange/MergeRange Raft proposal (or otherwise derived
deterministically from the Raft log index), not a node-local HLC snapshot;
update the wording for lineageID, validFromHLC, validToHLC and any references to
split/merge events to require leader-issued timestamps or a deterministic
Raft-index-based derivation to avoid violating timestamp safety.
- Around line 206-207: The lineageID UUIDv7 mapping drops the top 4 bits of the
16-bit HLC logical counter (rand_a only takes 12 bits) and uses crypto/rand for
rand_b making IDs non-deterministic across nodes; fix the lineageID generation
by encoding the full 16-bit HLC logical into the UUIDv7 fields (for example,
keep unix_ts_ms from the 48-bit HLC physical, place all 16 logical bits by using
the remaining bits of rand_a plus the high bits of rand_b as a deterministic
prefix) and derive the rest of rand_b deterministically (e.g., from a secure
hash of the HLC or node-specific stable ID + HLC) instead of crypto/rand so
identical HLCs produce identical lineageID values; update the mapping logic used
where lineageID is produced and anywhere rand_a/rand_b are referenced to ensure
deterministic, full-precision encoding.
- Line 143: Add a note in §5.1 or §5.6 describing behavior on leadership loss:
when a node's lease-loss callback for a Raft group fires, the sampler should
mark all leaderWrite samples for that group in the current and previous step
window with staleLeader=true (or optionally clear them immediately), and
document that the admin binary's fan-out/merge logic (§9.1) must exclude
staleLeader samples so they aren't double-counted; reference the sampler,
leaderWrite, staleLeader flag, lease-loss callback, and the admin fan-out merge
in the text.

---

Nitpick comments:
In `@docs/admin_ui_key_visualizer_design.md`:
- Around line 252-262: The Integration Points table has rows where the "Change"
column contains inline code spans that include spaces around slashes which the
Markdown linter treats as extra columns (breaks the two-column `File | Change`
table); edit the table so each row has exactly two pipe-separated cells and
normalize inline code spans like `Put`/`Delete` (remove surrounding spaces or
use `Put / Delete`) and any other backticked phrases to avoid introducing
additional pipes, and add a language tag (e.g., text) to the standalone code
block containing the Sampler snippet (the block starting with "Sampler ├─ routes
atomic.Pointer[routeTable]") so MD040 is resolved.
- Around line 85-86: Add a "Security Considerations" subsection under §4 that
documents admin token lifecycle and rotation for the Admin service (registered
alongside RawKV), specifying that admin tokens loaded via --adminTokenFile (and
sent from admin binary using --nodeTokenFile) must be generated with >=256-bit
entropy (example: openssl rand -base64 32), should be distributed via secure
channels (sealed secrets / KMS), support dual-token mode by allowing
--adminTokenFile to contain multiple newline-separated tokens so nodes accept
any valid token for zero-downtime rotation, require logging of failed
authentication attempts to the audit stream, and include a brief
compromise-recovery procedure and guidance on using --adminInsecureNoAuth only
for local development (with startup warning).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 012e9477-bf60-4387-b012-93c49d94c8eb

📥 Commits

Reviewing files that changed from the base of the PR and between f1dcc14 and 6a88d26.

📒 Files selected for processing (1)

• docs/admin_ui_key_visualizer_design.md

[gemini-code-assist]

Code Review

This pull request introduces a comprehensive design for an Admin UI and Key Visualizer for Elastickv, featuring a standalone binary, a Svelte-based frontend, and a sophisticated sampling and persistence mechanism for traffic heatmaps. The review feedback highlights several critical areas for refinement in the Phase 3 persistence and recovery logic, including the need for a WAL corruption strategy, clarification on how follower-local reads are persisted to avoid data loss during rebalancing, and the necessity of restricting lineage record creation to Raft leaders to prevent conflicting IDs. Additionally, the feedback suggests jittering persistence intervals to prevent cluster-wide load spikes and ensuring that namespace isolation is consistently applied to point reads as well as scans.

[gemini-code-assist]

The design gates node readiness on WAL replay completion. While this ensures data continuity, the design should specify how to handle a corrupted WAL file. Without a defined "ignore and continue" or "move aside" strategy, a single corrupted KeyViz WAL segment could prevent a node from joining the cluster or passing health checks, turning a monitoring feature into an availability risk.

References

1. When a design document identifies a significant operational risk, such as the inability to perform rolling upgrades, it must also detail potential mitigation strategies, like implementing a temporary "bridge" or "proxy" mode.

[gemini-code-assist]

The design for Phase 3 persistence should clarify whether follower-local read samples are proposed to the Raft leader or stored only in the node's local Pebble instance. Section 5.1 states that pointing the admin binary at a single node produces a "partial view" because reads are spread across followers, which suggests the data is not aggregated in the Raft log. However, Section 5.6 describes persistence via "Raft proposal per group" into a namespace that is part of the FSM. If follower reads are not replicated via Raft, they will be lost if a group is rebalanced to a new node, contradicting the goal of preserving 7 days of history across cluster changes.

[gemini-code-assist]

The design states that point reads targeting !admin|* keys should return NotFound. However, the integration points in Section 8 only mention widening the isPebbleMetaKey check for scans. To ensure full isolation, the pebbleStore.getAt and latestCommitTS methods (and their public counterparts) must also be updated to explicitly reject or skip keys with the !admin| prefix, as they do not use the scannable key helpers.

[gemini-code-assist]

The logic for creating new lineage records on startup should be restricted to the Raft leader of the group. If multiple nodes in a group detect a missing lineage record simultaneously and use the proposed UUIDv7 generation (which includes 58 random bits), they will propose conflicting lineage IDs for the same key range. While Raft will linearize these, it results in redundant records and potential confusion in the lineage tree.

[gemini-code-assist]

To avoid synchronized load spikes across the cluster, the 5-minute persistence interval (--keyvizPersistInterval) should be jittered or staggered per Raft group. If all groups on all nodes attempt to propose their compacted KeyViz columns simultaneously, it could lead to transient Raft election timeouts or increased latency on the data plane hot path.

References

1. When a design document identifies a significant operational risk, such as the inability to perform rolling upgrades, it must also detail potential mitigation strategies, like implementing a temporary "bridge" or "proxy" mode.

[bootjp]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces a comprehensive design document for a new Admin UI and Key Visualizer for Elastickv, featuring a standalone admin binary, a high-performance traffic sampler, and a distributed persistence model. The review feedback highlights several critical areas for improvement: addressing potential performance bottlenecks in the cluster-wide fan-out mechanism as the cluster scales, extending write protections to all internal metadata prefixes (such as _meta_), and mitigating a race condition in the lock-free counter flush logic to ensure data accuracy.

[gemini-code-assist]

The cluster-wide fan-out mode for the admin binary (querying every node) may become a performance bottleneck as the cluster scales to hundreds or thousands of nodes. This represents a significant operational risk for large-scale deployments. While acceptable for an MVP, the design must detail potential mitigation strategies for Phase 3, such as querying only the leaders of the relevant Raft groups or implementing a hierarchical aggregation layer to reduce the fan-out pressure.

References

1. When a design document identifies a significant operational risk, such as performance bottlenecks at scale, it must also detail potential mitigation strategies.

[gemini-code-assist]

The design mentions widening isPebbleMetaKey to a prefix check on !admin| to protect internal KeyViz records from user-plane scans. However, the existing meta keys (e.g., _meta_last_commit_ts) are also sensitive and should be protected from user-plane writes. To mitigate the operational risk of metadata corruption, the design should explicitly state that all internal prefixes (including _meta_) must be rejected by the ShardedCoordinator for user-plane writes.

References

1. When a design document identifies a significant operational risk, such as metadata corruption, it must also detail potential mitigation strategies.

[gemini-code-assist]

The lock-free pointer swap scheme for routeCounters is efficient, but there is a potential race condition during the flush. If the flush goroutine reads the old counters immediately after the swap, it might miss increments from Observe calls that loaded the old pointer just before the swap but haven't executed atomic.AddUint64 yet. To ensure no counts are lost as claimed, the flush mechanism should include a small grace period or a double-buffering strategy to allow pending increments to settle before harvesting the frozen values.

[gemini-code-assist]

Code Review

This pull request implements Phase 0 of the Elastickv admin Web UI, introducing a standalone elastickv-admin binary and a node-side Admin gRPC service. The changes include cluster membership discovery, connection caching, and token-based authentication for administrative RPCs. Review feedback suggests enhancing operational visibility by logging errors during the closure of network connections and files, and recommends increasing the aggregate response body size limit to support larger cluster configurations.

[gemini-code-assist]

The error from conn.Close() is silently ignored here. Per the general rules, errors from Close() methods on resources like network connections should be logged to ensure resource leaks or cleanup problems are visible.

if err := conn.Close(); err != nil {
	log.Printf("elastickv-admin: close orphaned connection for %s: %v", addr, err)
}

References

1. Do not silently ignore errors from Close() methods on resources like network connections. Log them to ensure resource leaks or other cleanup problems are visible.

[gemini-code-assist]

The 32 MiB cap for the aggregated response body might be too restrictive for large clusters. As noted in the comments, a 512-node cluster overview can reach ~75 MiB. Consider increasing this limit or making it a configurable flag to avoid 500 errors on legitimate large responses.

Suggested change

	const maxResponseBodyBytes = 32 << 20
	const maxResponseBodyBytes = 128 << 20

[gemini-code-assist]

While this is a file resource rather than a network connection, it is still good practice to log errors from Close() to maintain visibility into potential resource leaks or filesystem issues, aligning with the project's general rules for resource cleanup.

Suggested change

	defer func() { _ = f.Close() }()
	defer func() {
	if err := f.Close(); err != nil {
	log.Printf("internal: close %s file %s: %v", humanName, abs, err)
	}
	}()

References

1. Do not silently ignore errors from Close() methods on resources like network connections. Log them to ensure resource leaks or other cleanup problems are visible.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4488ba55d0

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Drop removed seed members from cluster overview

GetClusterOverview is documented to pick up scale-in events, but mergeSeedMembers re-adds any bootstrap seed whose NodeID is missing from live Raft configuration. In a real scale-in (node removed from all groups), that node stays in Members forever, so the admin fan-out keeps dialing a decommissioned peer and reporting persistent false errors instead of converging to current membership.

Useful? React with 👍 / 👎.

[bootjp]

/gemini review @codex review

[gemini-code-assist]

Code Review

This pull request implements Phase 0 of the Admin UI and Key Visualizer design. It introduces a new standalone binary, cmd/elastickv-admin, which serves as an HTTP gateway that fans out requests to cluster nodes using a newly defined Admin gRPC service. Key features include a connection caching mechanism with eviction logic, bearer token authentication for the gRPC service, and detailed design documentation. My feedback focuses on a performance optimization in the connection eviction path to avoid redundant map allocations while holding a global mutex.

[gemini-code-assist]

The seeds map is rebuilt on every call to evictOneLocked, which occurs under the global fanout.mu lock whenever the client cache is full. Since the seed list is immutable after construction, consider pre-calculating this map in newFanout and storing it in the fanout struct to avoid redundant allocations and work on the eviction path.

[bootjp]

/gemini review @codex review

[gemini-code-assist]

Code Review

This pull request implements Phase 0 of the Elastickv Admin UI and Key Visualizer, introducing a node-side Admin gRPC service with token-based authentication and a standalone admin binary for cluster-wide query fan-out. The changes include a connection cache for gRPC clients, membership discovery logic, and detailed design documentation. Feedback suggests several improvements for robustness and security: enforcing request body size limits on all HTTP handlers to prevent DoS, using a worker pool or semaphore to bound concurrent goroutines during gRPC fan-out, and ensuring that background goroutines in configuration polling are properly synchronized or terminated upon context cancellation to avoid resource leaks.

[gemini-code-assist]

The HTTP server handlers for /healthz, /api/, and / do not currently enforce a request body size limit. While these endpoints are not expected to receive large payloads, applying a global limit via middleware or http.MaxBytesReader in each handler is a recommended security practice to prevent potential Denial of Service (DoS) attacks from oversized request bodies.

References

1. When handling HTTP requests, always limit the size of the request body (e.g., using http.MaxBytesReader) to prevent Denial of Service attacks from oversized payloads.

[gemini-code-assist]

The fan-out logic in handleOverview spawns a goroutine for every target node (up to 512). To prevent unbounded memory growth and potential OOM issues from external requests, apply a fixed bound to these concurrent operations (e.g., using a worker pool or semaphore) and consider rejecting new requests when the bound is reached.

References

1. To prevent unbounded memory growth and potential OOM issues, apply a fixed bound to collections or resources that can grow from external requests. Reject new requests when the bound is reached.

[gemini-code-assist]

In fanoutConfigurationCalls, if the parent ctx is cancelled, the function returns immediately with a partial got slice. However, the goroutines spawned for each group will continue to run in the background until they either finish their gRPC call or observe the cancellation themselves. While the resultsCh is buffered to prevent blocking, these 'orphaned' goroutines still consume resources. Consider using a sync.WaitGroup or a derived context to ensure all spawned goroutines are accounted for or terminated before the function returns, especially if this pattern is reused for more expensive operations.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 968c041af7

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Avoid pruning seed nodes after partial config failures

mergeSeedMembers drops any seed node not seen in live config when live.authoritative is true, but collectLiveMembers sets authoritative after any single successful Configuration call. If one group succeeds and another group’s Configuration errors, nodes that are only visible in the failed group are incorrectly treated as removed and omitted from GetClusterOverview, so admin fan-out can stop querying healthy peers. This should only prune unseen seeds when live membership is complete (or otherwise proven authoritative across groups), not on partial results.

Useful? React with 👍 / 👎.

[bootjp]

/gemini review

[bootjp]

/gemini review @codex review

[gemini-code-assist]

Code Review

This pull request introduces a node-side Admin gRPC service and a standalone elastickv-admin binary for cluster management and traffic visualization, featuring token-based authentication and a connection-cached fan-out mechanism. Review feedback highlighted a bug in the membership authority logic that could lead to erroneous node removal during transient failures and recommended implementing concurrency limits for per-group configuration polling to prevent potential resource exhaustion.

[gemini-code-assist]

The authoritative flag logic is too aggressive. Currently, it is set to true if at least one Raft group returns its configuration successfully. In a multi-raft system, a single group only knows its own members, not the entire cluster. If some groups fail to respond (e.g., due to a timeout), the aggregated membership list will be incomplete. Marking this partial list as authoritative causes mergeSeedMembers to incorrectly drop seed nodes that might still be active members of the groups that didn't respond. This can lead to nodes being erroneously removed from the cluster overview during transient failures. To ensure the persisted peer list remains complete and consistent, the server must have successfully received responses from all registered groups before claiming authority.

	live := liveMembers{
		addrByID:      map[string]string{},
		seenID:        map[string]struct{}{},
		order:         []string{},
		authoritative: len(got) == len(groups) && len(groups) > 0,
	}
	for _, res := range got {
		if res.err != nil {
			live.authoritative = false
			continue
		}

References

1. Raft membership operations must ensure the persisted peer list remains complete and consistent to prevent erroneous node removal during restarts or transient failures.

[gemini-code-assist]

The fanoutConfigurationCalls function spawns a goroutine for every registered Raft group without any concurrency control. While the number of groups per node is typically manageable, a node participating in a very large number of groups could experience a significant burst of goroutines and concurrent gRPC calls for every GetClusterOverview request. To prevent unbounded resource growth and potential OOM issues, consider using a worker pool or a semaphore to bound the maximum number of concurrent configuration polls, rejecting or queuing new requests when the bound is reached.

References

1. To prevent unbounded memory growth and potential OOM issues, apply a fixed bound to collections or processes that can grow from external requests.

[bootjp]

/gemini review @codex review

[gemini-code-assist]

Code Review

This pull request introduces a new Admin gRPC service and a standalone admin binary (cmd/elastickv-admin) to provide cluster observability, including a key visualizer. The changes include implementing the Admin gRPC service on nodes, adding authentication via bearer tokens, and creating a fan-out mechanism in the admin binary to aggregate cluster-wide data. My feedback suggests making the maxDiscoveredNodes constant configurable to better support larger clusters.

[gemini-code-assist]

The maxDiscoveredNodes constant is set to 512. This fixed bound prevents unbounded memory growth from external requests. Consider making this configurable via a flag for scalability in larger clusters.

References

1. To prevent unbounded memory growth and potential OOM issues, apply a fixed bound to collections that can grow from external requests.

[gemini-code-assist]

Code Review

This pull request implements Phase 0 of the Elastickv Admin UI, introducing a node-side Admin gRPC service and a standalone elastickv-admin proxy binary. The proxy facilitates cluster-wide data aggregation and membership discovery, serving a JSON API for operational insights while enforcing bearer-token authentication. The PR also includes the design specification for the Key Visualizer and internal helpers for secure token management. Feedback indicates that a custom itoa helper in the test suite should be replaced with the standard library's strconv.Itoa for better maintainability.

[gemini-code-assist]

This custom implementation of itoa is not necessary. The standard library's strconv.Itoa should be used instead for code clarity, maintainability, and idiomatic Go. The reason given in the comment (to avoid an import) is not a standard Go practice, as strconv is a core package that is very likely already part of the test binary's dependencies.

[bootjp]

/gemini review @codex review

[gemini-code-assist]

Code Review

This pull request implements Phase 0 of the Admin UI and Key Visualizer design, introducing a new node-side Admin gRPC service and a standalone elastickv-admin binary. The changes provide cluster membership discovery, Raft group status reporting, and a bearer-token authentication mechanism. Feedback suggests increasing the fan-out concurrency limit to better support larger clusters and refactoring tests to use context-based polling instead of time.Sleep to improve reliability and reduce flakiness.

[gemini-code-assist]

The constant configFanoutMaxConcurrency is defined as 64. While maintaining a fixed bound is consistent with repository rules to prevent OOM, this limit may be too restrictive given defaultMaxDiscoveredNodes is 512. Consider increasing this bound to reduce latency in large clusters while still maintaining a fixed memory limit.

References

1. Apply a fixed bound to collections that can grow from external requests to prevent unbounded memory growth and OOM issues.

[gemini-code-assist]

Avoid using time.Sleep for polling in tests as it can be flaky. Instead, use context.Context for managing deadlines and cancellation, and consider centralizing this retry logic into a shared helper function to improve maintainability.

References

1. Use context.Context for managing deadlines and cancellation instead of separate timeout parameters.
2. Centralize common complex logic, such as retry/backoff mechanisms, into shared helper functions.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 501b0173bb

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Enforce maxDiscoveredNodes when falling back to seed targets

When every discovery RPC fails, this path returns the full f.seeds list without applying maxDiscoveredNodes. That bypasses the fan-out bound enforced in membersFrom, so /api/cluster/overview can suddenly launch far more concurrent RPCs than configured (one per seed) during outages or with oversized seed lists, causing avoidable CPU/memory pressure exactly when the system is already degraded. Clamp/dedupe the seed fallback to f.maxNodes before returning.

Useful? React with 👍 / 👎.

[bootjp]

/gemini review @codex review

[gemini-code-assist]

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

[coderabbitai]

Actionable comments posted: 6

🧹 Nitpick comments (4)

internal/grpc.go (1)

30-42: Optional: deduplicate the per-call options block.

GRPCDialOptions() (lines 21–29) defines the same WithDefaultCallOptions(MaxCallRecvMsgSize/MaxCallSendMsgSize) block. Consider folding it through the new helper to keep a single source of truth for the message-size cap.

♻️ Proposed refactor

 func GRPCDialOptions() []grpc.DialOption {
 	return []grpc.DialOption{
 		grpc.WithTransportCredentials(insecure.NewCredentials()),
-		grpc.WithDefaultCallOptions(
-			grpc.MaxCallRecvMsgSize(GRPCMaxMessageBytes),
-			grpc.MaxCallSendMsgSize(GRPCMaxMessageBytes),
-		),
+		GRPCCallOptions(),
 	}
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/grpc.go` around lines 30 - 42, The per-call message-size options are
duplicated between GRPCCallOptions() and GRPCDialOptions(); refactor so the two
share a single source of truth by having GRPCDialOptions() reuse
GRPCCallOptions() (or extract a tiny helper that returns the grpc.CallOption
slice used by both), ensuring both the MaxCallRecvMsgSize and MaxCallSendMsgSize
(GRPCMaxMessageBytes) are set only once; update GRPCDialOptions() to incorporate
the shared options instead of repeating the WithDefaultCallOptions block.

cmd/elastickv-admin/main.go (1)

694-715: cap shadows the Go builtin; bound check uses f.maxNodes instead of the local.

Two small issues in seedTargets:

1. cap := f.maxNodes shadows the predeclared cap builtin. golangci-lint's predeclared linter will flag this; the project style is to not shadow builtins.
2. The slice/map are sized using local cap, but the loop break at line 708 uses f.maxNodes directly. They're equivalent today (newFanout normalizes maxNodes to >0), but the inconsistency is a future-refactor footgun.

♻️ Proposed refactor

 func (f *fanout) seedTargets() []string {
-	cap := f.maxNodes
-	if cap <= 0 {
-		cap = defaultMaxDiscoveredNodes
-	}
-	if len(f.seeds) < cap {
-		cap = len(f.seeds)
-	}
-	out := make([]string, 0, cap)
-	seen := make(map[string]struct{}, cap)
+	limit := f.maxNodes
+	if limit <= 0 {
+		limit = defaultMaxDiscoveredNodes
+	}
+	hint := limit
+	if len(f.seeds) < hint {
+		hint = len(f.seeds)
+	}
+	out := make([]string, 0, hint)
+	seen := make(map[string]struct{}, hint)
 	for _, s := range f.seeds {
 		if _, dup := seen[s]; dup {
 			continue
 		}
-		if len(out) >= f.maxNodes && f.maxNodes > 0 {
+		if len(out) >= limit {
 			break
 		}
 		seen[s] = struct{}{}
 		out = append(out, s)
 	}
 	return out
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@cmd/elastickv-admin/main.go` around lines 694 - 715, The variable named cap
in seedTargets shadows the predeclared cap builtin and the loop break uses
f.maxNodes instead of the local computed bound; rename that local to something
like limit (or maxCount), compute limit := f.maxNodes; if limit <= 0 { limit =
defaultMaxDiscoveredNodes }; if len(f.seeds) < limit { limit = len(f.seeds) };
use limit when sizing out and seen and when checking the loop break (e.g., if
len(out) >= limit { break }), keeping all references consistent and avoiding
builtin shadowing.

internal/tokenfile_test.go (1)

10-59: Consider consolidating into a table-driven test.

The four TestLoadBearerTokenFile* functions all set up a temp file then assert (return value, error substring) — a classic table-driven shape. As per coding guidelines: "prefer table-driven test cases".

♻️ Proposed refactor (sketch)

func TestLoadBearerTokenFile(t *testing.T) {
	t.Parallel()
	cases := []struct {
		name        string
		contents    string // empty string + missing=true means no file
		missing     bool
		maxBytes    int64
		want        string
		wantErrSub  string
	}{
		{name: "happy path", contents: "\n  s3cret \n", maxBytes: 4 << 10, want: "s3cret"},
		{name: "rejects empty", contents: "   \n", maxBytes: 4 << 10, wantErrSub: "is empty"},
		{name: "rejects oversize", contents: strings.Repeat("x", 65), maxBytes: 64, wantErrSub: "exceeds maximum"},
		{name: "missing file", missing: true, maxBytes: 4 << 10, wantErrSub: ""}, // any error acceptable
	}
	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			t.Parallel()
			path := "/definitely/not/there"
			if !tc.missing {
				path = filepath.Join(t.TempDir(), "tok")
				if err := os.WriteFile(path, []byte(tc.contents), 0o600); err != nil {
					t.Fatal(err)
				}
			}
			got, err := LoadBearerTokenFile(path, tc.maxBytes, "admin token")
			// ... assert tc.want / tc.wantErrSub ...
		})
	}
}

As per coding guidelines: "Unit tests must be co-located with packages in *_test.go files; prefer table-driven test cases".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/tokenfile_test.go` around lines 10 - 59, Consolidate the four tests
into a single table-driven test (e.g., TestLoadBearerTokenFile) that defines
cases for "happy path", "rejects empty", "rejects oversize", and "missing file";
for each case use t.Run and t.Parallel, create the temp file only when missing
is false, call LoadBearerTokenFile(path, maxBytes, "admin token"), and assert
either the expected want string or that the error contains wantErrSub (for
missing-file case accept any non-nil error). Reference the existing test names
(TestLoadBearerTokenFileHappyPath, TestLoadBearerTokenFileRejectsEmpty,
TestLoadBearerTokenFileRejectsOversize, TestLoadBearerTokenFileMissingFile) and
the target function LoadBearerTokenFile to locate and replace the current tests
with the single table-driven implementation.

adapter/admin_grpc.go (1)

162-209: Doc comments for collectLiveMembers and fanoutConfigurationCalls are misattributed.

The two narrative blocks are contiguous with the doc comments for the next declaration, so godoc/golint will attach them to the wrong symbol:

• Lines 162–179 (about collectLiveMembers) flow without a blank line into 180–182, so the entire 162–182 block becomes the doc for type configResult (and collectLiveMembers at line 264 ends up with no doc).
• Lines 188–199 (about fanoutConfigurationCalls) flow without a blank line into 200–206, so the entire 188–206 block becomes the doc for const configFanoutMaxConcurrency (and fanoutConfigurationCalls at line 209 ends up with no doc).

Move each narrative block to immediately above its target declaration, separated from unrelated declarations by a blank line.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@adapter/admin_grpc.go` around lines 162 - 209, The narrative doc comments are
misattached: move the comment block describing collectLiveMembers so it sits
immediately above the collectLiveMembers function declaration (not above type
configResult) and ensure there's a blank line between that comment and the
unrelated type configResult; likewise move the comment describing
fanoutConfigurationCalls to immediately precede the fanoutConfigurationCalls
function (not above const configFanoutMaxConcurrency) and add a blank line
separating it from the const declaration; this ensures godoc/golint attach docs
to collectLiveMembers and fanoutConfigurationCalls rather than to configResult
or configFanoutMaxConcurrency.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@adapter/admin_grpc.go`:
- Around line 329-346: In mergeSeedMembers, skip seed entries with an empty
GRPCAddress so a blank seed can't shadow a usable address: when iterating seeds
in mergeSeedMembers, add a guard that continues if m.GRPCAddress == "" (similar
to the srv.Address == "" check in collectLiveMembers) before inserting into
live.addrByID or live.order; keep the existing checks for m.NodeID == "" and
selfID, and preserve behavior around live.seenID and live.authoritative.

In `@cmd/elastickv-admin/main_test.go`:
- Around line 369-411: Test TestFanoutClientForOrphanedDialClosed never hits
installOrAttach's orphan branch (the shouldClose := c.conn != conn path); fix by
injecting a test-only dial hook into fanout so clientFor can produce a different
conn and trigger the orphan-close logic. Add a dialDeduped func field to the
fanout type (used by clientFor instead of calling grpc.NewClient directly when
non-nil), update clientFor/installOrAttach to use that hook, and in
TestFanoutClientForOrphanedDialClosed set f.dialDeduped to return a distinct
*grpc.ClientConn (then close it as the test intends) so the installOrAttach
branch where c.conn != conn executes deterministically. Ensure cleanup by
calling rel1() and asserting no panic/leak.

In `@cmd/elastickv-admin/main.go`:
- Around line 1-1024: Replace the std log usage with slog: swap the import "log"
for "log/slog" and update every log.Printf/log.Printf-like call to structured
slog calls (slog.Info/Warn/Error) across the file (examples to change: run’s
startup log, Close, dialDeduped, installOrAttach orphan-close logs,
refreshMembership seed/unreachable logs, membersFrom truncation log,
invalidateClient/invalidate-close, releaseFunc deferred close, writeJSON
encode/write errors, and any other log.Printf uses). For each call, move the
formatted message into a short message string and add structured fields such as
slog.String("addr", addr), slog.String("error", err.Error()) or slog.Any("err",
err), and when logging numeric caps use keys like slog.Int("maxNodes", maxNodes)
or slog.Int("bytes", maxResponseBodyBytes) so logs follow the project’s
structured key conventions.

In `@internal/tokenfile.go`:
- Around line 40-44: Replace the log.Printf call in the deferred close handler
with structured slog logging: when the deferred func that runs cerr := f.Close()
detects an error, call slog.Error (or slog.Log with level Error) and include the
error and structured keys such as "humanName" (humanName) and "path" (abs)
instead of formatting a message string; update the deferred closure around
f.Close() to use those symbols (f, cerr, humanName, abs) to produce structured
logs consistent with the codebase.

In `@main.go`:
- Around line 724-726: The warning for insecure admin mode currently uses
log.Printf; replace that with structured slog logging to match the rest of
main.go: where the flag adminInsecureNoAuth is checked, call slog.Warn (or the
package's logger) instead of log.Printf and include a clear message plus
structured key(s) such as "flag"="adminInsecureNoAuth" and "warning" or "reason"
to maintain consistency with other slog calls (see existing slog usage in
main.go) so the insecure-mode warning is emitted via slog with structured
fields.
- Around line 625-633: The block comment describing setupAdminService is
misplaced above type serversInput; move that entire comment so it sits
immediately above the func setupAdminService(...) declaration (the definition
around line ~697) so godoc links it to the function, and replace or add an
appropriate comment for serversInput where that struct is defined; ensure the
moved comment still begins with "setupAdminService" to satisfy Go doc
conventions.

---

Nitpick comments:
In `@adapter/admin_grpc.go`:
- Around line 162-209: The narrative doc comments are misattached: move the
comment block describing collectLiveMembers so it sits immediately above the
collectLiveMembers function declaration (not above type configResult) and ensure
there's a blank line between that comment and the unrelated type configResult;
likewise move the comment describing fanoutConfigurationCalls to immediately
precede the fanoutConfigurationCalls function (not above const
configFanoutMaxConcurrency) and add a blank line separating it from the const
declaration; this ensures godoc/golint attach docs to collectLiveMembers and
fanoutConfigurationCalls rather than to configResult or
configFanoutMaxConcurrency.

In `@cmd/elastickv-admin/main.go`:
- Around line 694-715: The variable named cap in seedTargets shadows the
predeclared cap builtin and the loop break uses f.maxNodes instead of the local
computed bound; rename that local to something like limit (or maxCount), compute
limit := f.maxNodes; if limit <= 0 { limit = defaultMaxDiscoveredNodes }; if
len(f.seeds) < limit { limit = len(f.seeds) }; use limit when sizing out and
seen and when checking the loop break (e.g., if len(out) >= limit { break }),
keeping all references consistent and avoiding builtin shadowing.

In `@internal/grpc.go`:
- Around line 30-42: The per-call message-size options are duplicated between
GRPCCallOptions() and GRPCDialOptions(); refactor so the two share a single
source of truth by having GRPCDialOptions() reuse GRPCCallOptions() (or extract
a tiny helper that returns the grpc.CallOption slice used by both), ensuring
both the MaxCallRecvMsgSize and MaxCallSendMsgSize (GRPCMaxMessageBytes) are set
only once; update GRPCDialOptions() to incorporate the shared options instead of
repeating the WithDefaultCallOptions block.

In `@internal/tokenfile_test.go`:
- Around line 10-59: Consolidate the four tests into a single table-driven test
(e.g., TestLoadBearerTokenFile) that defines cases for "happy path", "rejects
empty", "rejects oversize", and "missing file"; for each case use t.Run and
t.Parallel, create the temp file only when missing is false, call
LoadBearerTokenFile(path, maxBytes, "admin token"), and assert either the
expected want string or that the error contains wantErrSub (for missing-file
case accept any non-nil error). Reference the existing test names
(TestLoadBearerTokenFileHappyPath, TestLoadBearerTokenFileRejectsEmpty,
TestLoadBearerTokenFileRejectsOversize, TestLoadBearerTokenFileMissingFile) and
the target function LoadBearerTokenFile to locate and replace the current tests
with the single table-driven implementation.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 51324863-667b-4e13-8345-f439d9eda19f

📥 Commits

Reviewing files that changed from the base of the PR and between a126e71 and 492b22d.

⛔ Files ignored due to path filters (1)

• proto/admin.pb.go is excluded by !**/*.pb.go

📒 Files selected for processing (11)

• adapter/admin_grpc.go
• adapter/admin_grpc_test.go
• cmd/elastickv-admin/main.go
• cmd/elastickv-admin/main_test.go
• docs/admin_ui_key_visualizer_design.md
• internal/grpc.go
• internal/tokenfile.go
• internal/tokenfile_test.go
• main.go
• main_admin_test.go
• proto/admin.proto

🚧 Files skipped from review as they are similar to previous changes (2)

• adapter/admin_grpc_test.go
• main_admin_test.go

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Mirror the empty-address skip on the seed path.

collectLiveMembers deliberately drops live entries with srv.Address == "" (line 292) so a blank address can't shadow a usable one. The seed path has no symmetric guard: a seed entry with GRPCAddress == "" (e.g., misconfigured operator input) flows through line 343 and ends up in the response, after which the admin binary would attempt to dial an empty target. Worth a one-line check for safety.

Proposed fix

 	for _, m := range seeds {
 		if m.NodeID == "" || m.NodeID == selfID {
 			continue
 		}
+		if m.GRPCAddress == "" {
+			continue
+		}
 		if _, hasAddr := live.addrByID[m.NodeID]; hasAddr {
 			continue
 		}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@adapter/admin_grpc.go` around lines 329 - 346, In mergeSeedMembers, skip seed
entries with an empty GRPCAddress so a blank seed can't shadow a usable address:
when iterating seeds in mergeSeedMembers, add a guard that continues if
m.GRPCAddress == "" (similar to the srv.Address == "" check in
collectLiveMembers) before inserting into live.addrByID or live.order; keep the
existing checks for m.NodeID == "" and selfID, and preserve behavior around
live.seenID and live.authoritative.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

TestFanoutClientForOrphanedDialClosed does not exercise the orphan branch.

The test name promises coverage of installOrAttach's shouldClose := c.conn != conn path, but the body comment is explicit: "Stuff conn2 into the singleflight cache slot via the public API path is not feasible; instead, verify the live path...". As written, the test:

1. Calls clientFor(addr) once → installs c1 in cache.
2. Dials conn2 separately and closes it itself (never touches the fanout).
3. Calls clientFor(addr) again → simple cache hit, returns c1.

The orphan-conn-close path (line 510–516 in cmd/elastickv-admin/main.go) is never reached. This gives false coverage signal — a regression that leaks the orphaned conn would not fail this test.

Either (a) delete this test (the dedup test at 311–362 already covers the singleflight collapse case, and the race test at 815–859 covers concurrency), or (b) introduce a test-only hook (e.g., a dialDeduped injection point) so the orphan branch can be deterministically driven.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@cmd/elastickv-admin/main_test.go` around lines 369 - 411, Test
TestFanoutClientForOrphanedDialClosed never hits installOrAttach's orphan branch
(the shouldClose := c.conn != conn path); fix by injecting a test-only dial hook
into fanout so clientFor can produce a different conn and trigger the
orphan-close logic. Add a dialDeduped func field to the fanout type (used by
clientFor instead of calling grpc.NewClient directly when non-nil), update
clientFor/installOrAttach to use that hook, and in
TestFanoutClientForOrphanedDialClosed set f.dialDeduped to return a distinct
*grpc.ClientConn (then close it as the test intends) so the installOrAttach
branch where c.conn != conn executes deterministically. Ensure cleanup by
calling rel1() and asserting no panic/leak.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Use slog instead of log.Printf throughout this binary.

This entire file (lines 172, 418, 497, 514, 529, 559, 627, 671, 724, 735, 745, 792, 976, 978, 984, 991) uses the standard log package, but the project standard is slog with structured keys (addr, error, etc.). New binary, no migration cost — please switch before this lands so future log scraping doesn't have to special-case elastickv-admin. Replace log "log" with "log/slog" in the import set and convert each call to slog.Info/Warn/Error with structured fields.

As per coding guidelines: "Use slog for logging and maintain structured logging keys (e.g., key, commit_ts)".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@cmd/elastickv-admin/main.go` around lines 1 - 1024, Replace the std log usage
with slog: swap the import "log" for "log/slog" and update every
log.Printf/log.Printf-like call to structured slog calls (slog.Info/Warn/Error)
across the file (examples to change: run’s startup log, Close, dialDeduped,
installOrAttach orphan-close logs, refreshMembership seed/unreachable logs,
membersFrom truncation log, invalidateClient/invalidate-close, releaseFunc
deferred close, writeJSON encode/write errors, and any other log.Printf uses).
For each call, move the formatted message into a short message string and add
structured fields such as slog.String("addr", addr), slog.String("error",
err.Error()) or slog.Any("err", err), and when logging numeric caps use keys
like slog.Int("maxNodes", maxNodes) or slog.Int("bytes", maxResponseBodyBytes)
so logs follow the project’s structured key conventions.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Use slog for the close-error log.

The package uses log.Printf to surface a deferred-close failure; the rest of the codebase logs through slog with structured keys, and this is new code so there's no compatibility cost in switching.

🔧 Proposed fix

 import (
 	"fmt"
 	"io"
-	"log"
+	"log/slog"
 	"os"
 	"path/filepath"
 	"strings"
 
 	"github.com/cockroachdb/errors"
 )
@@
 	defer func() {
 		if cerr := f.Close(); cerr != nil {
-			log.Printf("internal: close %s file %s: %v", humanName, abs, cerr)
+			slog.Warn("close token file failed",
+				"kind", humanName, "path", abs, "error", cerr)
 		}
 	}()

As per coding guidelines: "Use slog for logging and maintain structured logging keys".

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	defer func() {
	if cerr := f.Close(); cerr != nil {
	log.Printf("internal: close %s file %s: %v", humanName, abs, cerr)
	}
	}()
	import (
	"fmt"
	"io"
	"log/slog"
	"os"
	"path/filepath"
	"strings"
	"github.com/cockroachdb/errors"
	)
	defer func() {
	if cerr := f.Close(); cerr != nil {
	slog.Warn("close token file failed",
	"kind", humanName, "path", abs, "error", cerr)
	}
	}()

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/tokenfile.go` around lines 40 - 44, Replace the log.Printf call in
the deferred close handler with structured slog logging: when the deferred func
that runs cerr := f.Close() detects an error, call slog.Error (or slog.Log with
level Error) and include the error and structured keys such as "humanName"
(humanName) and "path" (abs) instead of formatting a message string; update the
deferred closure around f.Close() to use those symbols (f, cerr, humanName, abs)
to produce structured logs consistent with the codebase.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Misplaced doc comment for setupAdminService.

Lines 625–630 document setupAdminService, but they sit immediately above type serversInput struct (line 633). The actual setupAdminService function is defined at line 697. go doc will attribute this comment to neither. Move the block to immediately above func setupAdminService(...).

🔧 Proposed fix

-// setupAdminService is a thin wrapper around configureAdminService that also
-// binds each Raft runtime to the server and logs an operator warning when
-// running without authentication. Keeping this out of run() preserves run's
-// cyclomatic-complexity budget. Members are seeded from the bootstrap
-// configuration so GetClusterOverview advertises peer node addresses to the
-// admin binary's fan-out discovery path.
 // serversInput bundles the values run() passes to startServers so the
 // signature stays compact and run() stays under the cyclop budget.
 type serversInput struct {
@@
+// setupAdminService is a thin wrapper around configureAdminService that also
+// binds each Raft runtime to the server and logs an operator warning when
+// running without authentication. Keeping this out of run() preserves run's
+// cyclomatic-complexity budget. Members are seeded from the bootstrap
+// configuration so GetClusterOverview advertises peer node addresses to the
+// admin binary's fan-out discovery path.
 func setupAdminService(

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	// setupAdminService is a thin wrapper around configureAdminService that also
	// binds each Raft runtime to the server and logs an operator warning when
	// running without authentication. Keeping this out of run() preserves run's
	// cyclomatic-complexity budget. Members are seeded from the bootstrap
	// configuration so GetClusterOverview advertises peer node addresses to the
	// admin binary's fan-out discovery path.
	// serversInput bundles the values run() passes to startServers so the
	// signature stays compact and run() stays under the cyclop budget.
	type serversInput struct {
	// serversInput bundles the values run() passes to startServers so the
	// signature stays compact and run() stays under the cyclop budget.
	type serversInput struct {

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@main.go` around lines 625 - 633, The block comment describing
setupAdminService is misplaced above type serversInput; move that entire comment
so it sits immediately above the func setupAdminService(...) declaration (the
definition around line ~697) so godoc links it to the function, and replace or
add an appropriate comment for serversInput where that struct is defined; ensure
the moved comment still begins with "setupAdminService" to satisfy Go doc
conventions.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Use slog.Warn for the insecure-mode warning.

This is new code path; the rest of main.go already uses slog for warnings (e.g., line 167, 188, 200, 858), so this log.Printf stands out and is a coding guideline violation.

🔧 Proposed fix

 	if *adminInsecureNoAuth {
-		log.Printf("WARNING: --adminInsecureNoAuth is set; Admin gRPC service exposed without authentication")
+		slog.Warn("Admin gRPC service exposed without authentication",
+			"flag", "--adminInsecureNoAuth")
 	}

As per coding guidelines: "Use slog for logging and maintain structured logging keys".

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if *adminInsecureNoAuth {
	log.Printf("WARNING: --adminInsecureNoAuth is set; Admin gRPC service exposed without authentication")
	}
	if *adminInsecureNoAuth {
	slog.Warn("Admin gRPC service exposed without authentication",
	"flag", "--adminInsecureNoAuth")
	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@main.go` around lines 724 - 726, The warning for insecure admin mode
currently uses log.Printf; replace that with structured slog logging to match
the rest of main.go: where the flag adminInsecureNoAuth is checked, call
slog.Warn (or the package's logger) instead of log.Printf and include a clear
message plus structured key(s) such as "flag"="adminInsecureNoAuth" and
"warning" or "reason" to maintain consistency with other slog calls (see
existing slog usage in main.go) so the insecure-mode warning is emitted via slog
with structured fields.

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. What shall we delve into next?

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".