feat(engine): Stage the delete path; retire the inline-delete residual

[ragnorc]

Summary

Migrates row delete from omnigraph's last inline-commit residual to the staged two-phase write path, so delete never advances Lance HEAD before the manifest publish. Closes MR-A (iss-950).

This fixes a deterministic, every-version drift bug: a node delete cascades into every incident edge type, and a zero-row cascade still committed a Lance version (Lance's Dataset::delete always commits) while the cascade skipped recording it — leaving edge:<T> HEAD ahead of the manifest, which wedged the next strict write and that repair refused. Reproduced down to init → load → delete → delete.

What changed

• Step 0 — TableStore::stage_delete two-phase primitive (Lance 7.0 DeleteBuilder::execute_uncommitted, #6658); a 0-row delete is a true no-op (None, no version).
• Step 1 — all 5 delete sites migrated to the staged path (3 in exec/mutation.rs: delete-node, cascade, delete-edge; 2 in exec/merge.rs). affected_* now counted via count_rows at record time.
• Retired scaffolding (no caller left): record_inline, inline_committed, the commit_all inline special-casing, open_table_for_mutation's post-inline-commit reopen branch, InlineCommitResidual::delete_where + its impl, the orphaned TableStore::delete_where, and DeleteState. InlineCommitResidual now carries only create_vector_index (Lance #6666 still open).
• Docs — delete reframed from inline residual to staged write across the always-loaded + dev + user docs.

D₂ stays — as a deliberate boundary

D₂ (a mutation query is insert/update-only or delete-only) was framed as temporary "until Lance ships two-phase delete." Lance shipped it and we used it for the inline-commit fix, so D₂'s original justification is gone. It's kept for a different, permanent reason: a single query staying one-kind keeps its read-your-writes unambiguous and each table to one version per query. Full retirement (mixed insert+delete in one atomic mutation) was declined — it would add an in-query delete view, pending pruning, edge id-resolution, and two-commit-per-table ordering to the hot mutation path, for a capability with a cheap workaround (split into two mutations, or a branch for one atomic commit). The error message and docs now state this boundary rather than promising it lifts.

Test plan

• New/flipped: staged_writes::stage_delete_does_not_advance_head_and_reads_through_staged (deletion-vector read-your-writes proof), the lance_surface_guards delete guard, and the red→green regression writes::node_delete_with_no_incident_edges_leaves_no_edge_table_drift.
• Green: cargo test --workspace (writes, consistency, validators, end_to_end, composite_flow, merge_truth_table, maintenance, recovery, staged_writes, forbidden_apis, lance_surface_guards, changes, point_in_time) + --features failpoints. Engine builds warning-free; check-agents-md OK.

🤖 Generated with Claude Code

---

Note

High Risk
Changes the core mutation and merge commit protocol and manifest–Lance HEAD invariants; also breaks the exported TableStore::commit_staged call shape for downstream Rust users.

Overview
Deletes no longer advance Lance HEAD mid-query. Mutations and branch merges record delete predicates (with dedup for overlapping statements and SQL IS NOT TRUE for NULL-safe counts), then stage_delete via Lance 7.0 DeleteBuilder::execute_uncommitted commits with inserts/updates at the end-of-query boundary. The inline path (InlineCommitResidual::delete_where, inline_committed, post-delete reopen logic) is removed.

StagedWrite / commit_staged now carry Lance affected_rows through staged deletes and merge-inserts so commits can rebase correctly; commit_staged takes a full StagedWrite instead of a bare Transaction (public table_store surface change).

D₂ (no mixed insert/update and delete in one query) stays, documented as a permanent semantic boundary rather than a Lance workaround. Docs and guards are updated; create_vector_index remains the sole inline-commit residual.

^{Reviewed by Cursor Bugbot for commit 457f09d. Bugbot is set up for automated code reviews on this repo. Configure here.}

Greptile Summary

This PR moves row deletes onto the staged write path. The main changes are:

• Adds staged Lance delete support through stage_delete and commit_staged.
• Records mutation deletes as predicates and commits them at the query boundary.
• Updates branch-merge delete phases to use staged deletes.
• Removes the inline-delete residual surface and updates the related docs and tests.

Confidence Score: 5/5

This looks safe to merge.

• No blocking issues found in the changed code.

Important Files Changed

Filename	Overview
crates/omnigraph/src/exec/mutation.rs	Delete execution now counts committed matches, deduplicates prior predicates, and records staged delete predicates.
crates/omnigraph/src/exec/staging.rs	Mutation staging now combines delete predicates into one staged delete per table.
crates/omnigraph/src/table_store.rs	The table store now stages deletes with Lance and carries commit metadata through staged commits.
crates/omnigraph/src/exec/merge.rs	Branch merge delete phases now use staged deletes before the manifest publish.
crates/omnigraph/src/storage_layer.rs	The storage trait now exposes staged deletes and removes the inline delete residual.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
  A[Delete statement] --> B[Open strict mutation table]
  B --> C[Count committed rows with dedup filter]
  C -->|new matches| D[Record original delete predicate]
  C -->|zero new matches| E[Skip predicate]
  D --> F[MutationStaging stage_all]
  F --> G[Combine table predicates with OR]
  G --> H[TableStorage stage_delete]
  H -->|zero rows| I[No staged write and no HEAD advance]
  H -->|rows deleted| J[Staged write with deletion fragments]
  J --> K[commit_staged advances Lance HEAD]
  K --> L[Manifest publish records table version]

Loading

%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
flowchart TD
  A[Delete statement] --> B[Open strict mutation table]
  B --> C[Count committed rows with dedup filter]
  C -->|new matches| D[Record original delete predicate]
  C -->|zero new matches| E[Skip predicate]
  D --> F[MutationStaging stage_all]
  F --> G[Combine table predicates with OR]
  G --> H[TableStorage stage_delete]
  H -->|zero rows| I[No staged write and no HEAD advance]
  H -->|rows deleted| J[Staged write with deletion fragments]
  J --> K[commit_staged advances Lance HEAD]
  K --> L[Manifest publish records table version]

Loading

_{Reviews (6): Last reviewed commit: "Merge origin/main into fix/staged-delete..." | Re-trigger Greptile}

Context used:

• Context used - AGENTS.md (source)
• Context used - CLAUDE.md (source)

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: bfe679f416

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Avoid double-counting staged deletes

When a destructive query has two delete statements whose predicates overlap on the same table, this now records the first predicate without making it visible to the second statement, so the later committed-snapshot scan/count sees rows that are already scheduled for deletion. For example delete Person where name = $x followed by the same delete reports affected_nodes = 2 even though the combined staged delete removes one row; a node cascade followed by an explicit edge delete for the same edges similarly over-reports affected_edges. The old inline delete path counted after each committed delete, so overlapping statements did not double-count; the staged path needs to count from the combined delete view or de-duplicate affected IDs before returning the mutation result.

Useful? React with 👍 / 👎.

[ragnorc]

Both review bots flagged the same real issue — thanks. Valid and fixed.

Because deletes now stage (instead of inline-committing), two delete statements in one query both scan the same unchanged committed snapshot, so counting each predicate independently over-reported affected_* on overlap. The old inline path committed each delete before the next ran, so it counted distinct. Data deletion was always correct (the combined (p1) OR (p2) staged delete removes the union once) — only the returned counts were wrong.

Fix (212d5d1 red test → 92b33c0): count each statement against the committed snapshot minus the predicates a prior statement on the same table already recorded — (pred) AND NOT ((prior1) OR …). Summed over statements this is inclusion-exclusion (Σ |pₙ \ (p₁ ∪ …)| = |p₁ ∪ p₂ ∪ …|), exactly the distinct count the combined staged delete removes. Works for nodes and edges with no edge identity needed; the node ID scan uses the same exclusion so a later statement also doesn't re-cascade already-deleted nodes. Common single-delete path unchanged.

Regression test overlapping_delete_predicates_do_not_double_count_affected: delete Person where name = "Alice" then delete Person where age > 29 now reports 2 nodes / 3 edges (was 3 / 6).

[ragnorc]

Re: Greptile's "Nullable Deletes Can Skip" (the dedup_delete_filter NULL case) — valid and serious, and a regression my previous fix introduced (worse than the count bug it fixed, since it could leave a node undeleted or orphan its edges). Thanks for catching it.

Root cause: SQL three-valued logic. (base) AND NOT (prior) — if a prior predicate references a NULLable column (e.g. age > 30 on a row with NULL age), it evaluates to UNKNOWN, NOT UNKNOWN is UNKNOWN, and WHERE drops the row even though the prior delete never matched it. That row vanishes from deleted_ids → its cascade is skipped, or (sole match) the node is never recorded for deletion.

Fix (598bec5 red test → 8e6d8cc): (base) AND ((prior) IS NOT TRUE). IS NOT TRUE keeps both FALSE and UNKNOWN rows, so only rows a prior predicate matched as definitely TRUE are excluded; distinct-count semantics are unchanged for non-NULL data.

Regression test delete_dedup_filter_does_not_drop_null_column_rows: Charlie(age 35), Zoe(age NULL), Knows Zoe→Charlie; delete … age > 30 then delete … name = "Zoe". Verified RED under the old NOT (Zoe survived, Person count 1≠0) → GREEN with IS NOT TRUE (both deleted, edge cascaded).

The earlier Codex/Greptile double-count comments (now re-anchored to lines 1419/1529) are the original issue, already addressed in 92b33c0.

[greptile-apps]

Public API Break
TableStore::commit_staged is exported through omnigraph::table_store, and this change makes it require a StagedWrite instead of the Transaction that callers could previously pass from staged.transaction. The same change also makes StagedWrite.transaction private without adding a replacement accessor, so downstream Rust code that stages a write and then commits it with the old call shape can no longer compile. If this module remains public, keep a compatibility path for the old transaction-based commit or provide an explicit migration surface.

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!