ENG-3593: Eliminate redundant System fetches in /system/upsert

[adamsachs]

Ticket ENG-3593

Description Of Changes

Reduces per-row get_resource calls in /system/upsert from 4 → 1 on the UPDATE path, and adds per-axis change-detection logging in _audit_system_changes so we can quantify the steady-state no-op rate before considering a "skip-unchanged" optimization.

Each updated system on the UPDATE path was previously issuing four Fetching resource round-trips:

1. upsert_system — existence check
2. update_system — re-fetch with relationships
3. update_resource — pre-UPDATE sanity (inside crud.update_resource)
4. update_resource — post-UPDATE return (inside crud.update_resource)

Three are pure dedup: none of them inspect the row for anything except "does it exist" or "what is its current state," both of which the caller already has by step (1).

This was identified as a contributor to the system memory baseline during the recent system/upsert perf investigation; reducing fetches lowers both wall time and peak memory on this endpoint.

Code Changes

• upsert_system keeps the System returned by its existence check and threads it to update_system via a new optional existing_system= parameter. The direct PUT /system endpoint caller (no pre-loaded System) continues to work — the parameter defaults to None and falls back to the original fetch.
• update_system replaces its call to crud.update_resource with an inline sql_update(System.__table__).where(...).values(resource_dict) plus db.refresh(existing_system). The refresh re-reads the row so DB-side coercions (timestamps, JSONB normalization, etc.) are still picked up; the _audit_system_changes comparison stays equivalent to the prior behavior.
• _audit_system_changes captures each DeepDiff once into named variables (general_diff, privacy_diff, data_flow_diff) and emits a structured System change detection debug log per system with general_changed, privacy_declarations_changed, data_flow_changed, any_changed, plus affected-paths counts per axis. No behavior change — same if-gates, same SystemHistory writes; this is purely observability.
• db.refresh() does not flow through crud.get_resource, so it does not emit a Fetching resource log line. The Fetching resource count on the same payload drops from ~4N to ~N (the remaining one is upsert_system's existence check, which a follow-up could batch).

Performance verification (local benchmark)

reproduce_upsert_perf.py

Methodology: build a payload of N Systems × M declarations, prime once (INSERT path), then upsert the same payload three times to exercise the UPDATE path on every row with zero data drift. Run on main and this branch in turn against the same local backend / DB. Backend at DEBUG log level so Fetching resource / Updating resource lines emit. Reproduction script will be attached as a comment on this PR.

Payload: 180 systems × 3 declarations each.

Metric	main	This PR	Δ
Wall time min	2.92s	1.51s	−48%
Wall time avg (n=3)	3.05s	1.65s	−46%
Wall time max	3.19s	1.83s	−43%
Fetching resource per call	720	180	−75% (4N → N, exactly as predicted)
Updating resource per call	180	180	unchanged ✓
System change detection per call	0	180	new observability ✓

The fetch reduction matches the call-graph trace exactly. The wall-time reduction (~46%) is less than the fetch-count reduction (~75%), meaning roughly half of the original UPDATE-path wall time is non-fetch work (DeepDiff, model_dump, deepcopy of existing snapshot) — which is exactly the headroom available for the higher-risk "skip-unchanged" follow-up.

Steps to Confirm

1. Run tests/ctl/core/test_system_history.py — covers update_system + _audit_system_changes directly. The critical case is test_no_changes (idempotent upsert ⇒ zero SystemHistory rows). All six cases should pass: test_system_information_changes, test_privacy_declaration_changes, test_ingress_egress_changes, test_multiple_changes, test_no_changes, test_automatic_system_update.
2. Run tests/ctl/core/test_system.py and tests/ops/api/v1/endpoints/test_system.py for broader coverage and to exercise the PUT /system path (which uses the existing_system=None fallback).
3. Reproduce the perf measurement above using the script attached as a PR comment. With 180 systems × 3 declarations × 3 measure runs, expect ~180 Fetching resource logs per measure call (down from ~720), wall time roughly halved on local Postgres, and one System change detection line per row with any_changed=False on idempotent payloads.

Pre-Merge Checklist

• Issue requirements met
• All CI pipelines succeeded
• CHANGELOG.md updated
  • Add a db-migration This indicates that a change includes a database migration label to the entry if your change includes a DB migration
  • Add a high-risk This issue suggests changes that have a high-probability of breaking existing code label to the entry if your change includes a high-risk change (i.e. potential for performance impact or unexpected regression) that should be flagged
  • Updates unreleased work already in Changelog, no new entry necessary
• UX feedback:
  • All UX related changes have been reviewed by a designer
  • No UX review needed
• Followup issues:
  • Followup issues created
  • No followup issues
• Database migrations:
  • Ensure that your downrev is up to date with the latest revision on main
  • Ensure that your downgrade() migration is correct and works
    • If a downgrade migration is not possible for this change, please call this out in the PR description!
  • No migrations
• Documentation:
  • Documentation complete, PR opened in fidesdocs
  • Documentation issue created in fidesdocs
  • If there are any new client scopes created as part of the pull request, remember to update public-facing documentation that references our scope registry
  • No documentation updates required

Followups

• Replace upsert_system's per-row existence check with a single batched SELECT ... WHERE fides_key IN (...) plus selectinload(System.privacy_declarations). Collapses the remaining N fetches to ~1.
• Skip the UPDATE + audit pipeline entirely for unchanged systems. Higher correctness risk (equivalence checks, updated_at semantics) — the System change detection logs added here will quantify the opportunity first. The benchmark above shows ~1.65s/call of non-fetch wall time still on the table.
• Add automated regression tests: (1) functional coverage on the upsert/update endpoints (mostly already present in test_system_history.py), and (2) DB-call-count assertions to prevent silent regression of the fetch-count reduction.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
fides-plus-nightly	Ignored	Preview	May 4, 2026 2:59pm
fides-privacy-center	Ignored		May 4, 2026 2:59pm

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 84.99%. Comparing base (5496449) to head (f447f65).
⚠️ Report is 6 commits behind head on main.

❌ Your project status has failed because the head coverage (84.99%) is below the target coverage (85.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #8080   +/-   ##
=======================================
  Coverage   84.98%   84.99%           
=======================================
  Files         633      633           
  Lines       41737    41753   +16     
  Branches     4886     4887    +1     
=======================================
+ Hits        35471    35487   +16     
- Misses       5157     5158    +1     
+ Partials     1109     1108    -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[adamsachs]

/code-review

[claude]

Code Review: Eliminate redundant System fetches in /system/upsert

The optimization goal is clear and well-motivated. The existing_system pass-through in upsert_system is correct, and pre-computing the three DeepDiff results in _audit_system_changes (avoiding triple re-computation) is a nice cleanup. The test coverage is a good addition.

A few items to address before merge:

Bug — test fixture teardown is a no-op (both fixtures)

delete(System).where(...) in both system fixtures (line 37 pre-existing, line 164 new) constructs but never executes the delete statement — rows accumulate in the test DB across runs. See inline comment on line 164.

Atomicity gap between UPDATE and audit write

The system data UPDATE and the SystemHistory audit entries commit in separate transactions. A failure between them leaves the system updated with no history record. This was structurally the same before, but since the UPDATE is now inlined it would be straightforward to merge both operations into one async with db.begin() block. See inline comment on lines 239–251.

Missing SQLAlchemyError guard on inline UPDATE

The removed update_resource caught SQLAlchemyError and raised a domain-level QueryError. The inlined replacement lets raw SQLAlchemy errors propagate. See inline comment on lines 239–248.

Log-string coupling in regression test

test_upsert_system_emits_one_fetch_per_updated_system infers fetch counts by scanning for "Fetching resource" in logs. If the log message changes this gives a false pass. Patching get_resource and counting calls is a more reliable approach. See inline comment on line 247.

Minor: return type annotation improvement

update_system now correctly returns Tuple[System, bool] (was Tuple[Dict, bool]). The route handler at src/fides/api/v1/endpoints/system.py:277 still annotates -> Dict but returns the System ORM object — that inconsistency predates this PR, but it's worth a follow-up cleanup.

---

🔬 Codegraph: unavailable

---

💡 Write /code-review in a comment to re-run this review.

[claude]

src/fides/api/db/system.py:239-248

The old update_resource wrapped the execute() in a try/except SQLAlchemyError and re-raised a domain-level QueryError with a structured log message. The inlined version lets raw SQLAlchemy exceptions propagate to callers unchecked. Worth adding the same guard:

from sqlalchemy.exc import SQLAlchemyError
from fides.api.util import errors

try:
    await db.execute(
        sql_update(System.__table__)
        .where(System.fides_key == resource.fides_key)
        .values(resource_dict)
    )
except SQLAlchemyError as e:
    log.exception(f"Failed to update System with error: '{e}'")
    raise errors.QueryError()

[adamsachs]

updated in 618c8d7

[claude]

tests/ctl/core/test_system_history.py:247

test_upsert_system_emits_one_fetch_per_updated_system relies on the literal string "Fetching resource" appearing in log output to count DB fetches. This is a fragile coupling to crud.get_resource's internal log message — if that string ever changes or the log level is raised, the assertion len(matching) == 1 will always pass even if the regression is re-introduced.

A more robust approach would be to patch get_resource itself and count invocations:

with patch("fides.api.db.system.get_resource", wraps=get_resource) as mock_get:
    await upsert_system(resources=build_payload(), db=async_session, ...)

# Each system should only be fetched once (existence check in upsert_system).
assert mock_get.call_count == len(fides_keys)

This directly measures what the optimization is meant to guarantee rather than inferring it through log messages.

[adamsachs]

adjusted to use the mocking in 618c8d7

[erosselli]

Approved with an ask

[erosselli]

these lines are uncovered by tests, can we add a test for the exception case ?

[adamsachs]

[Claude]: added in f447f65941 — test_update_system_raises_query_error_on_sqlalchemy_error patches async_session.execute to raise SQLAlchemyError only on the System UPDATE and asserts errors.QueryError propagates.