feat: Allow toggling event flag during auto-migration for empty tables

[Ludv1gL]

Summary

Currently, toggling #[spacetimedb::table(event)] on an existing table
fails auto-migration with AutoMigrateError::ChangeTableEventFlag and
forces a manual migration. This PR allows the flip in either direction
as a live auto-migration step when the table has zero committed
rows. Non-empty tables fail with an actionable error telling the user
to clear the table first. Clients are disconnected on the flip because
the change is observable to subscribers (event tables have no committed
state; v2 subscribers see a different message variant; v1 subscribers
stop seeing updates).

Changes

• crates/datastore/src/locking_tx_datastore/tx_state.rs: new
  PendingSchemaChange::TableAlterEventFlag(TableId, bool) variant
  storing the old is_event value for rollback.
• crates/datastore/src/locking_tx_datastore/committed_state.rs:
  rollback branch restoring the old value on the live schema.
• crates/datastore/src/locking_tx_datastore/mut_tx.rs: new
  alter_table_event_flag(table_id, is_event) mirroring
  alter_table_access — dual-writes to the tx + commit table schemas
  via with_mut_schema_and_clone, and to st_event_table via
  insert_via_serialize_bsatn / delete_col_eq. Idempotent no-op
  early-returns before pushing a pending change. New
  delete_st_event_table_row helper.
• crates/datastore/src/locking_tx_datastore/replay.rs: new hooks on
  ST_EVENT_TABLE_ID insert/delete that flip is_event on the
  referenced user-table's cached schema, mirroring
  reschema_table_for_st_table_update. This is load-bearing for cold
  replay across the flip — without it, a snapshot predating the flip
  plus commitlog replay would leave the cached schema stale, and
  post-flip inserts would incorrectly land in committed state.
• crates/core/src/db/relational_db.rs: thin
  alter_table_event_flag wrapper analogous to alter_table_access.
• crates/schema/src/auto_migrate.rs: event_ok error branch
  replaced with AutoMigrateStep::ChangeEventFlag +
  plan.ensure_disconnect_all_users(). Removed the now-unused
  AutoMigrateError::ChangeTableEventFlag variant. Replaced
  test_change_event_flag_rejected with three new tests asserting the
  plan shape in both directions and confirming no orphan sub-object
  steps.
• crates/schema/src/auto_migrate/formatter.rs /
  termcolor_formatter.rs: new format_change_event_flag +
  EventFlagChangeInfo mirroring format_change_access.
• crates/core/src/db/update.rs: new ChangeEventFlag handler with
  an O(1) row-count precheck via table_row_count_mut before any
  mutation. Fails with a clear message if the table has data.

Safety

• Transaction safety: the precheck (row count) and all three writes
  (st_event_table row, tx table schema, commit table schema) run in
  the same MutTx. No window for concurrent inserts between check and
  flip.
• Rollback: TableAlterEventFlag stores the pre-flip flag value so
  failed transactions revert is_event on the live schema via the
  existing rollback_pending_schema_change path. Idempotent flips do
  not push a pending change and thus require no rollback work.
• Replay correctness: the new st_event_table reschema hook is the
  piece with no prior analog. st_event_table was already in the
  commitlog, but the existing reschema path only covered st_table and
  st_column, so flipping is_event mid-life would have been invisible
  to cold replay. Added hooks in both replay_insert and
  replay_delete_by_rel call the same helper, reusing the existing
  Self::read_table_id(row) pattern (no new unsafe code).
• Client contract: flipping event changes what subscribers see —
  v1 subscribers stop receiving updates (event tables aren't in default
  subscriptions); v2 subscribers receive a different message variant
  (TableUpdateRows::EventTable). ensure_disconnect_all_users forces
  reconnection so clients observe a consistent state.

Example error output

Cannot change `event` flag on table `my_table`: table contains data.
Clear the table's rows (e.g. via a reducer) before toggling the
`event` annotation.

Test plan

• cargo test -p spacetimedb-datastore --features test — 87 pass,
  including four new alter_table_event_flag_* tests covering both
  directions, rollback, and the idempotent no-op case
• cargo test -p spacetimedb-schema — 103 pass, including three new
  plan-shape tests (both directions + "no orphan sub-object steps")
• cargo test -p spacetimedb-core — 192 pass, including two new
  end-to-end update-execution tests (empty succeeds, non-empty fails)
• cargo clippy -p spacetimedb-datastore -p spacetimedb-schema -p spacetimedb-core --tests clean
• All 10 pre-existing event-table tests still pass
• Verified live on a development deployment — flipped the
  event flag on an empty user table via spacetime publish; clients
  disconnected as expected, subsequent inserts correctly routed to the
  commitlog only.

[Centril]

The only difference is the bool, so please make a closure out out of this, called twice, that takes a parameter is_event where `is_event: bool.

[Ludv1gL]

Done in ead511c3f4. Merged the two test_change_event_flag_produces_step_* tests into one test_change_event_flag_produces_step that defines a build = |is_event: bool| ... closure and an assert_flip = |old_is_event, new_is_event| ... closure, then calls assert_flip(false, true) and assert_flip(true, false).

[Centril]

Only difference here is the parameter to .with_event(is_event) with an implicit .with_event(false) in the old case. Let's introduce a closure here too with a single parameter is_event.

[Ludv1gL]

Done in ead511c3f4. test_change_event_flag_does_not_produce_orphan_sub_object_steps now uses the same build = |is_event: bool| ... closure pattern, with an explicit .with_event(is_event) in both the old and new branches — no more implicit-false asymmetry.

[Centril]

Suggested change

	if let Ok((table, ..)) = self.get_table_and_blob_store_mut(table_id) {
	if let Ok((table, ..)) = self.get_table_and_blob_store_mut(table_id) {
	assert_eq!(table.num_rows(), 0);

[Ludv1gL]

Applied in ead511c3f4.

[Centril]

Hmm, feels like this should really be a AutoMigratePrecheck::CheckTableEmpty(...) so that we do all validation before we do any mutations.

[Ludv1gL]

Acknowledged — per our offline discussion, deferring this to a follow-up PR that adds AutoMigratePrecheck::CheckTableEmpty and moves the row-count check into the precheck pass alongside the existing CheckAddSequenceRangeValid etc.

[Centril]

Suggested change

	let t = builder.build_table_with_new_type("events", [("id", U64)], true);
	let t = if is_event { t.with_event(true) } else { t };
	t.finish();
	builder.build_table_with_new_type("events", [("id", U64)], true)
	.with_event(is_event)
	.finish();

[Ludv1gL]

Done in ead511c3f4: single_event_table_module_v10 now chains .build_table_with_new_type(...).with_event(is_event).finish() directly, no more intermediate if is_event { ... } else { ... } rebind.

[Centril]

Here again is the test helper function I asked about for update.rs. The function should probably live in crates/datastore and be used in update.rs too.

[Ludv1gL]

Done in ead511c3f4. The helpers live in the new crates/datastore/src/locking_tx_datastore/test_helpers.rs module (pub, gated by #[cfg(any(test, feature = "test"))], re-exported from locking_tx_datastore::mod). spacetimedb-core's update.rs tests import them via the existing features = ["test"] dev-dep already in Cargo.toml.

[Centril]

Repeated 3x; Let's make a function out of this: check_table_event_flag_altered(&tx, table_id, state: bool)

[Ludv1gL]

Done in ead511c3f4. The new check_table_event_flag_altered(datastore, tx, table_id, expected_is_event) helper in test_helpers.rs bundles the schema is_event check with the st_event_table row-presence check. The 4 test_alter_table_event_flag_* tests each call it in lieu of the inline pattern.

[Centril]

Suggested change

	assert!(
	tx.pending_schema_changes().is_empty(),
	"rollback should clear pending schema changes"
	);
	assert_eq!(tx.pending_schema_changes(), []);

[Ludv1gL]

Done in ead511c3f4.

[Centril]

In these tests, I'd like to see some assertions about what happens to TxData when committing changes that successfully altered the system tables.

[Ludv1gL]

Done in ead511c3f4. test_alter_table_event_flag_non_event_to_event now captures TxData from commit(&datastore, tx)? and asserts tx_data.inserts_for_table(ST_EVENT_TABLE_ID).map(<[_]>::len) == Some(1) plus the user-table has None inserts and None deletes. The event→non test does the symmetric deletes_for_table assertion.

[Centril]

Suggested change

	assert_matches!(tx.pending_schema_changes(), &[]);
	assert_eq!(tx.pending_schema_changes(), []);

[Ludv1gL]

Done in ead511c3f4.

[Ludv1gL]

Thanks for the review! Addressed all 16 actionable items — the deferred AutoMigratePrecheck::CheckTableEmpty refactor (your update.rs:298 comment) is sitting out of scope for this PR per our offline agreement and will follow in a separate PR.

Rebased onto current upstream/master (includes #4850 replay extraction, #4666 primary-key migration, etc.). The branch is now two commits:

SHA	Subject
667dfd5401	feat: Allow toggling event flag during auto-migration for empty tables (the original, re-based)
ead511c3f4	refactor(event-flag): apply Centril 2026-04-23 review feedback (this round)

Summary of changes in ead511c3f4

• schema/auto_migrate.rs — merged the two test_change_event_flag_produces_step_* tests into one that calls a build = |is_event: bool| ... closure twice. test_change_event_flag_does_not_produce_orphan_sub_object_steps uses the same closure pattern with an explicit .with_event(is_event) in both branches (no more implicit-false asymmetry).
• datastore/replay.rs — assert_eq!(table.num_rows(), 0) inside the reschema_table_for_st_event_table_update hook. Enforces the feature's empty-table invariant on cold replay.
• datastore/committed_state.rs — same assertion on the TableAlterEventFlag rollback arm.
• datastore/mut_tx.rs — extracted insert_st_event_table_row(table_id) shared by create_table and alter_table_event_flag.
• datastore/locking_tx_datastore/test_helpers.rs (new) — assert_is_event_state, st_event_table_has_row, check_table_event_flag_altered. Gated by #[cfg(any(test, feature = "test"))], re-exported from locking_tx_datastore::mod so spacetimedb-core's test module can import it.
• datastore/datastore.rs — the 4 test_alter_table_event_flag_* tests now use check_table_event_flag_altered (was the 3× repeated inline pattern). Successful commits now assert TxData reflects exactly the st_event_table insert/delete and leaves the user-table row data untouched. is_empty() / assert_matches!(&[]) → assert_eq!(tx.pending_schema_changes(), []).
• core/update.rs — cleaner v10 builder (.with_event(is_event) chain); extracted setup_events_table() returning TableId; insert moved to a separate tx in the non-empty-fails test; .any(|c| matches!(...)) → assert_matches!([pat, ..]); .is_empty() → assert_eq!([]); adopt the shared assert_is_event_state helper.

Validation

• cargo test -p spacetimedb-datastore --features test --lib — 87 pass (incl. all 4 test_alter_table_event_flag_*)
• cargo test -p spacetimedb-schema — 102 pass (incl. 3 refactored event-flag tests)
• cargo test -p spacetimedb-core --lib -- update — 16 pass (incl. both change_event_flag_*)
• cargo clippy --tests on touched crates — clean
• cargo build -j32 -p spacetimedb-standalone --release — clean

Per-thread replies incoming with the specific commit SHA for each item.