perf(engine): halve per-write __manifest scans

[ragnorc]

What & why

Cuts a same-branch write from ~4 to ~2 __manifest scans (measured 50→25 reads at depth 10, 410→205 at depth 100) — the per-open scan-cost half of RFC-013's write-path latency work — with snapshot isolation and the OCC contract preserved. #1a probe-gates the commit-time OCC re-capture to reuse the warm coordinator when a cheap incarnation probe proves it current; #1b folds the post-publish known_state in-memory (byte-identical to a re-scan via a shared assemble_manifest_state, proven by a new fold-equals-reopen test) instead of an O(fragments) re-scan; #1c projects read_manifest_scan to the columns it actually reads. The two remaining publish scans stay O(fragments), bounded by compaction/version-GC (RFC-013 PR1, a follow-up).

Backing issue / RFC

• Implements / is an accepted RFC: docs/dev/rfc-013-write-path-latency.md

Checklist

• Change is focused (one logical change) — RFC-013 PR2, the per-open scan-cost work
• Tests added/updated for behavior changes — post_publish_fold_matches_fresh_reopen (fold byte-identity) and internal_table_scans_grow_without_compaction (served-regime cost tripwire)
• Public docs updated if user-facing surface changed — N/A (internal write-path perf; no user-facing surface change)
• Reviewed against docs/dev/invariants.md — no Hard Invariant weakened: snapshot isolation (§3), manifest-atomic visibility (§2), and OCC strict-conflict all preserved; the warm-reuse mirrors the read path's existing probe idiom, and this removes a deny-listed "cold re-derivation on the hot path"

Notes for reviewers

• #1b is the correctness-critical piece: the in-memory fold must be byte-identical to read_manifest_state or the warm coordinator silently desyncs. The shared assemble_manifest_state removes any dedup/filter/sort divergence; post_publish_fold_matches_fresh_reopen guards the existing ∪ pending == new rows assumption, including the table_locations union for newly-registered tables.
• #1a only engages on same-branch writes (cross-branch falls through to the cold read — no regression); it keeps the "OCC re-capture must be fresh" contract because probe-match ⟺ warm == fresh, and the publish CAS remains the final arbiter.
• Verified green locally: writes, consistency, composite_flow, write_cost.
• Follow-ups (not in this PR): RFC-013 PR1 (bring __manifest into version-GC — bounds the remaining O(fragments) scans and fixes the RustFS open-failure), and PR3 (branch-op de-amplification).

---

Note

Medium Risk
Changes the write-path manifest snapshot source (in-memory fold + warm OCC reuse); correctness depends on byte-identical fold vs re-scan, but that is centralized in assemble_manifest_state and covered by targeted regression tests, with cold paths and publish CAS unchanged on mismatch.

Overview
RFC-013 PR2 reduces per-write __manifest work (~4 → ~2 full scans; ground-truth IO counts roughly halve and growth slope drops) while keeping OCC and snapshot isolation: publish CAS and cold fallbacks stay the safety net.

#1a — probe-gated OCC re-capture: Transactional commits in commit_all call occ_snapshot_for_branch instead of always cold-opening too fresh_snapshot_for_branch_unchecked`. When the bound branch matches and an incarnation probe says the warm coordinator is current, the warm snapshot is reused; any drift falls back to a full re-read.

#1b — in-memory post-publish state: After publish, ManifestCoordinator adopts PublishOutcome.known_state from fold_inputs (pre-publish state ∪ pending rows) run through shared assemble_manifest_state, skipping the post-commit read_manifest_state re-scan. Same-version owner-branch handoff rows replace existing entries by (table_key, table_version) so the fold matches merge-insert UpdateAll.

#1c — scan projection: read_manifest_scan projects only columns the reducer uses (drops base_objects; object_id only when lineage is collected).

Tests & harness: cost_harness / GraphIoMeter attach one __manifest tracker before graph open so manifest_reads includes warm-handle probe RPCs; new fold-vs-reopen, handoff, warm-probe, and served-regime growth tripwire tests. Dev-only lance-io test-util for read-log diagnostics.

^{Reviewed by Cursor Bugbot for commit 4abf0dd. Bugbot is set up for automated code reviews on this repo. Configure here.}

Greptile Summary

This PR lowers per-write manifest scan cost in the engine.

• Reuses a warm OCC snapshot after a matching manifest incarnation probe.
• Folds post-publish manifest state in memory through the shared state reducer.
• Narrows manifest scan projection to the columns the scan reads.
• Adds write-cost and fold-vs-reopen coverage.

Confidence Score: 5/5

This looks safe to merge.

• No blocking issues found in the changed code.
• The fold path now uses the same reducer as fresh manifest scans.
• The changed test-only IO accounting is isolated to test helpers.

Important Files Changed

Filename	Overview
crates/omnigraph/src/db/manifest.rs	Adopts the publisher-provided manifest state after a successful publish instead of rescanning.
crates/omnigraph/src/db/manifest/publisher.rs	Builds the post-publish manifest state from the loaded state plus committed rows.
crates/omnigraph/src/db/manifest/state.rs	Shares manifest-state assembly between scan and fold paths and projects scans to the needed columns.
crates/omnigraph/src/db/omnigraph.rs	Adds the warm OCC snapshot reuse helper guarded by a manifest incarnation probe.
crates/omnigraph/src/exec/staging.rs	Routes transaction-backed OCC recapture through the warm snapshot helper.
crates/omnigraph/tests/helpers/cost.rs	Adds persistent manifest IO metering for cost tests.
crates/omnigraph/tests/write_cost.rs	Updates write-path cost checks for the new manifest accounting.
crates/omnigraph/tests/writes.rs	Adds coverage comparing folded manifest state with a fresh reopen.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
  A[Write transaction commit] --> B[Probe manifest incarnation]
  B -->|matches warm coordinator| C[Reuse warm snapshot]
  B -->|mismatch or other branch| D[Open fresh snapshot]
  C --> E[Check expected table versions]
  D --> E
  E --> F[Build pending manifest rows]
  F --> G[Fold existing state with pending rows]
  G --> H[Publish manifest rows]
  H --> I[Adopt folded known_state]

Loading

%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
flowchart TD
  A[Write transaction commit] --> B[Probe manifest incarnation]
  B -->|matches warm coordinator| C[Reuse warm snapshot]
  B -->|mismatch or other branch| D[Open fresh snapshot]
  C --> E[Check expected table versions]
  D --> E
  E --> F[Build pending manifest rows]
  F --> G[Fold existing state with pending rows]
  G --> H[Publish manifest rows]
  H --> I[Adopt folded known_state]

Loading

_{Reviews (4): Last reviewed commit: "docs(rfc-013): refresh PR307 handoff sta..." | Re-trigger Greptile}

Context used:

• Context used - AGENTS.md (source)
• Context used - CLAUDE.md (source)

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4ac3cde485

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Prefer pending owner handoff in folded state

When a publish updates an existing table_version row without changing the version (the owner-branch handoff explicitly allowed above, e.g. moving a table from an inherited branch to the active branch at the same Lance version), this fold appends the pending row after existing_versions. assemble_manifest_state keeps the first entry when table_version is equal, so the live coordinator retains the old table_branch even though the merge-insert updated the row; a fresh reopen is correct, but same-handle snapshots and subsequent writes on that branch stay stale until refresh. Please replace/remove the existing (table_key, table_version) entry before folding, or otherwise make equal-version handoff rows prefer the pending value.

Useful? React with 👍 / 👎.

[ragnorc]

Valid and fixed in 245cb26 (regression test in 5537cd9, confirmed red→green).

Root cause exactly as described: version_object_id(table_key, version) is deterministic, so an owner-branch handoff is an in-place merge-insert UpdateAll (one row in __manifest), but the fold appended the pending row after existing_versions and assemble_manifest_state kept the first equal-version entry, leaving the warm coordinator on the stale table_branch.

Fix: fold_inputs now keys version entries by (table_key, table_version) (the merge-insert identity) so a pending row replaces the pre-publish entry, mirroring UpdateAll on disk. The fold input now carries the same one-row-per-version uniqueness a fresh scan does, so both feed assemble_manifest_state equivalent inputs. New test test_post_publish_fold_reflects_owner_branch_handoff commits a handoff through the coordinator (exercising the fold) and asserts the warm snapshot equals a fresh reopen.

[greptile-apps]

Require strong incarnation

This fast path reuses the warm snapshot whenever matches(&held) returns true, but the incarnation comparison can fall back to version-only when the store does not provide an ETag or timestamp. In that state, a branch that is deleted and recreated at the same manifest version can compare equal even though its manifest rows are different. The old path always rebuilt the snapshot from the current manifest; this path can instead derive OCC expectations and table locations from the old branch state. Please fall back to the cold read unless the probe includes a strong identity for the manifest contents.

Context Used: AGENTS.md (source)

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit eac7872. Configure here.}

[cursor]

Weak incarnation reuses OCC snapshot

Medium Severity

occ_snapshot_for_branch reuses the warm coordinator snapshot when probe_latest_incarnation matches the held incarnation, but ManifestIncarnation::matches treats equal manifest version as sufficient when ETag and timestamp are unavailable. After a branch delete/recreate or other same-version manifest change, commit-time OCC can skip the cold rescan and derive table pins from stale known_state instead of current rows.

 

^{Reviewed by Cursor Bugbot for commit eac7872. Configure here.}