backup: Phase 0b M4-2b impl - S3 collision-rename reversal

[bootjp]

Summary

Phase 0b M4-2b implementation — S3 collision-rename reversal. The design
doc landed via PR #913 (merged 2026-06-03). This PR carries the
implementation that the doc described, in 3 commits:

• Commit A (c4e87440): keymap loader + per-record invariant validator +
  orphan detector. New file encode_s3_collision.go plus 9 unit tests.
• Commit B (2de1c94b): integration — drop ErrS3EncodeUnsupportedCollision,
  thread the loaded keymap through walkObjects → walkObjectEntry →
  encodeObject. Update the now-stale sentinel reference in
  encode_snapshot.go:655.
• Commit C (92b14f56): 8 end-to-end tests covering the design doc's
  test plan table, asserting at the !s3|obj|head|<original-key>
  record-byte level via DecodeLiveEntries.

Three kinds reversed

Kind	Decoder wrote	M4-2b recovers
KindS3LeafData	shorter key → <key>.elastickv-leaf-data	original <key>
KindMetaCollision	*.elastickv-meta.json user key → renamed	original *.elastickv-meta.json key
KindSHAFallback	filename-length overflow → <sha>__<truncated>	full-rel-path lookup honors it (forward-compat)

Fail-closed invariants (design §"Error contract")

Invariant	Sentinel chain
Malformed JSONL	ErrInvalidKeymapRecord
Duplicate Encoded (diverges from LoadKeymap last-wins)	ErrInvalidKeymapRecord (claude v913 v2)
KindS3LeafData encoded missing .elastickv-leaf-data	ErrInvalidKeymapRecord
KindMetaCollision original missing .elastickv-meta.json	ErrInvalidKeymapRecord
Unknown Kind (closed-set forward-compat)	ErrInvalidKeymapRecord (claude v913 v2)
Original targets _orphans/ or _incomplete_uploads/ (narrow rule)	ErrInvalidKeymapRecord (codex P2 v913 v1)
Orphan keymap entry	ErrInvalidKeymapRecord

Every gate wraps to ErrS3EncodeInvalidBucket at encodeBucketObjects,
which runAdapterEncoders marks with ErrEncodeAdapterData for CLI
exit-2 routing.

Read-side safety (codex P2 v913 v3)

loadBucketKeymap opens KEYMAP.jsonl via root.Lstat → refuseHardLink
→ root.Open. NOT OpenSidecarFile, which is write-side on every
platform and would truncate the file before reading.

Legitimacy gate preserved (codex P2 v913 v2)

isKeymapCollisionTracker continues to distinguish the tracker file from
a legitimate user object literally named KEYMAP.jsonl. When tracker == false (sidecar present), loadBucketKeymap is not invoked — the file
takes the normal object-body path. TestS3EncodeKeymapObjectRoundTrip
(preserved unchanged from M4-2a) pins this.

5-lens self-review

1. Data loss — Every renamed object recovers its original S3 key.
   Orphan detection runs at load time; fail-closed prevents partial
   restore.
2. Concurrency — Offline encoder; no goroutines / locks / shared state.
3. Performance — Load-once per bucket; O(records-in-keymap) memory,
   O(1) lookup per walked body. Matches the Redis loadKeymap precedent.
4. Data consistency — Object key bytes recovered byte-equal to the
   decoder's input. Errors fail-closed via existing sentinels routed to
   exit-2.
5. Test coverage — 9 unit + 8 end-to-end + 2 preserved legitimacy
   regressions. All gate predicates pinned by ≥1 regression test.

Test plan

• go test ./internal/backup/ passes
• golangci-lint run --config=.golangci.yaml ./internal/backup/ 0 issues
• Bot review cycle

[coderabbitai]

Warning

Review limit reached

@bootjp, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 50 minutes and 22 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 59f2239c-848c-46ed-9a90-7ef61c8a317a

📥 Commits

Reviewing files that changed from the base of the PR and between 0ed19ec and f033e46.

📒 Files selected for processing (6)

• internal/backup/encode_s3_collision.go
• internal/backup/encode_s3_collision_roundtrip_test.go
• internal/backup/encode_s3_collision_test.go
• internal/backup/encode_s3_objects.go
• internal/backup/encode_s3_objects_test.go
• internal/backup/encode_snapshot.go

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/m4-2b-collision-impl

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request implements the M4-2b helper to reverse S3 decoder collision-rename writes by parsing and strictly validating the KEYMAP.jsonl file. It replaces the previous behavior of failing closed upon encountering a collision tracker with a robust recovery mechanism that maps renamed on-disk files back to their original S3 keys. The review feedback suggests two key improvements to validation: ensuring that rec.Encoded does not contain path traversal segments like . or .. to prevent out-of-bucket file probing, and validating that the decoded original key is non-empty to fail closed earlier with a clear error.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[gemini-code-assist]

To prevent path traversal or out-of-bucket file probing, validate that rec.Encoded is a clean, relative path that does not contain any ., .., or empty segments.

func validateKeymapRecord(rec KeymapRecord) error {
	if _, ok := keymapAllowedKinds[rec.Kind]; !ok {
		return errors.Wrapf(ErrInvalidKeymapRecord,
			"unknown kind %q for encoded segment %q", rec.Kind, rec.Encoded)
	}
	for _, seg := range strings.Split(rec.Encoded, "/") {
		if seg == "." || seg == ".." || seg == "" {
			return errors.Wrapf(ErrInvalidKeymapRecord, "encoded path %q contains invalid segment %q", rec.Encoded, seg)
		}
	}
	originalBytes, err := rec.Original()

[gemini-code-assist]

S3 keys cannot be empty. Validating that the decoded original key is non-empty during keymap loading allows the encoder to fail closed earlier with a clear error message, rather than waiting until the object body assembly phase.

	originalBytes, err := rec.Original()
	if err != nil {
		return err
	}
	original := string(originalBytes)
	if original == "" {
		return errors.Wrap(ErrInvalidKeymapRecord, "empty original key")
	}
	if err := validateKeymapReservedRoot(rec, original); err != nil {
		return err
	}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 92b14f56c5

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Require a regular sidecar before skipping keymap load

When a bucket has a collision tracker and also contains a valid user object under the prefix KEYMAP.jsonl.elastickv-meta.json/, isKeymapCollisionTracker treats that directory as the companion sidecar for a literal KEYMAP.jsonl object, so tracker is false and this new keymap-loading branch is skipped. The walk then tries to encode KEYMAP.jsonl as an object and fails on the directory sidecar, rejecting an otherwise valid collision dump; the sidecar disambiguator needs to require a regular file, not just any entry, before bypassing the tracker path.

Useful? React with 👍 / 👎.

[bootjp]

@claude review

Addresses all 3 review findings on this PR:

1. Gemini medium (encode_s3_collision.go:136) — path traversal guard. New validateKeymapEncodedPath rejects any rec.Encoded containing ., .., or empty segments. Pinned by TestValidateKeymapRecord_PathTraversal (6 boundary cases).

2. Gemini medium (encode_s3_collision.go:143) — non-empty original. Reject keymap records with empty decoded original key at load time. Pinned by TestValidateKeymapRecord_EmptyOriginal.

3. Codex P2 (encode_s3_objects.go:94) — regular-file sidecar. isKeymapCollisionTracker now requires the sidecar to be a regular file. A directory at KEYMAP.jsonl.elastickv-meta.json/ (from a user key prefix collision) no longer misclassifies the tracker as a user object. Pinned by TestS3EncodeTrackerWithDirectorySidecar.

Caller audit: validateKeymapRecord split into 3 helpers to keep cyclop under 10. rootEntryExists had a single caller and was inlined.

[claude]

Claude finished @bootjp's task in 3m 4s —— View job

---

PR #928 Review — M4-2b S3 collision-rename reversal

Tasks:

• Load GitHub comment tool
• Read changed files
• Review: path traversal guard (validateKeymapEncodedPath)
• Review: non-empty original key validation
• Review: regular-file sidecar check in isKeymapCollisionTracker
• Review: overall code quality, invariants, test coverage
• Post final review

---

All three review findings are correctly addressed. Details below.

Finding 1: Path traversal guard — validateKeymapEncodedPath ✅

encode_s3_collision.go:162–170 correctly splits rec.Encoded on / and rejects empty segments (catches leading /, trailing /, and //), ., and ... The check runs before rec.Original() decoding, giving a fast-fail on obviously malformed records. All 6 boundary cases in TestValidateKeymapRecord_PathTraversal are handled correctly:

• "../escape…" → .. segment caught ✅
• "./still-bad…" → . segment caught ✅
• "path//to…" → empty segment from // caught ✅
• "path/to…/" → trailing empty segment caught ✅
• "/path/to…" → leading empty segment caught ✅
• "path/../escape…" → middle .. caught ✅

Finding 2: Non-empty original key — encode_s3_collision.go:147–150 ✅

Empty original is rejected immediately after rec.Original() decodes, before validateKeymapReservedRoot or validateKeymapKindSuffix are called. Error message includes "empty original" as checked by TestValidateKeymapRecord_EmptyOriginal. Early rejection gives a readable diagnostic at load time rather than at object-body assembly.

Finding 3: Regular-file sidecar — isKeymapCollisionTracker ✅

encode_s3_objects.go:143–145 now checks sinfo.Mode().IsRegular() after the sidecar Lstat. A directory at KEYMAP.jsonl.elastickv-meta.json/ (created by a user key prefix collision) no longer falsely classifies the tracker as a user object. TestS3EncodeTrackerWithDirectorySidecar creates exactly this scenario and confirms the tracker is still loaded, recovering "path/to" from the keymap.

encode_snapshot.go sentinel reference ✅

The comment at line 655 now lists ErrS3EncodeReservedPrefixCollision, ErrS3EncodeInvalidBucket in place of the dropped ErrS3EncodeUnsupportedCollision. Clean housekeeping.

---

Minor observations (not blocking)

1. Dual-invalid test fixture — TestS3EncodeRejectsKeymapTargetingReservedSubtree uses leafRecord("renamed-body", reserved+"/forbidden/key"). The encoded value "renamed-body" lacks the .elastickv-leaf-data suffix that validateKeymapKindSuffix requires for KindS3LeafData. The test still passes correctly because validateKeymapReservedRoot fires first and returns ErrInvalidKeymapRecord. The assertion (ErrS3EncodeInvalidBucket) is correct, but the fixture is accidentally "double-invalid." This is not a bug — the test pins the intended gate — but it's slightly misleading.

2. Redundant empty-check in validateKeymapReservedRoot — encode_s3_collision.go:209–211 re-checks original == "" even though validateKeymapRecord already rejects empty before calling it. The TestValidateKeymapReservedRoot "empty key" case (wantErr: false) confirms the intent — the function is designed to be callable standalone with empty input. Harmless and documented.

3. TOCTOU window in loadBucketKeymap — The function re-Lstats KEYMAP.jsonl after isKeymapCollisionTracker already did so. A race where the file disappears between the two calls returns (nil, nil) rather than failing. The comment at line 74–76 documents this explicitly as defensive behavior. Reasonable for an offline encoder.

4. Original is not path-traversal-validated — Correct: S3 object keys are arbitrary unicode strings and may legitimately contain ../. The original key is stored as a KV record key, not materialized as a filesystem path by this encoder.

---

Overall: All three review findings are correctly addressed. Implementation is clean, decomposed well (validateKeymapRecord split into 3 helpers under the cyclop limit), and test coverage is thorough (9 unit + 8 end-to-end + 2 preserved legitimacy regressions). No blocking concerns.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f033e469c5

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Require keymap targets to be object bodies

When a corrupt KEYMAP entry names an existing directory (for example a prefix created by another object) instead of the renamed object body, this Lstat succeeds and the verifier treats the record as valid. The object walk then recurses into that directory and never calls resolveObjectKeyFromRel for the encoded path, so Encode can finish while silently ignoring the keymap entry; fail closed here by requiring the target to be a regular file/body, not just any existing filesystem entry.

Useful? React with 👍 / 👎.