write-path cost gate + opener bypass

[ragnorc]

What & why

Write-path table opens routed through Lance's DatasetBuilder::from_namespace, whose describe_table opened the whole dataset just to return a location and then re-resolved the latest version — an O(commit-history depth) double latest-resolution per table open that missed Lance's O(1) version-hint fast path. On an object store this dominated write/branch latency (~70%, measured; RFC-013 §2.4) and got worse as a graph aged. Reads already bypassed this (PR #268); this completes the same open-by-location migration on the write side.

This PR lands RFC-013 step 1 (the cost gate + shared harness) and step 3a (the opener bypass — the dominant fix).

What's in this PR

perf(engine) — opener bypass + namespace retirement

• TableStore::open_dataset_head_for_write now delegates to the direct opener (Dataset::open by URI + checkout_branch, routed through the tracked opener so cost tests can count it; a no-op in production). ensure_expected_version still validates head == pinned for strict ops.
• With both reads (perf(engine): remove the per-query metadata re-derivation tax on warm reads #268) and now writes bypassing it, nothing in production routes through the per-table Lance namespace. The dead open chain (load_table_from_namespace, open_table_head_for_write) is deleted and the StagedTableNamespace contract apparatus is retired to a #[cfg(test)] mod (kept only to validate the LanceNamespace contract). __manifest commit coordination (GraphNamespacePublisher) is a separate component and is unaffected.

test(engine) — cost-budget gate on a shared, path-classifying harness

• New tests/helpers/cost.rs: a store-agnostic harness (IoCounts/StagedCounts, measure/measure_with_staged, assert_flat/assert_grows, local_graph/s3_graph) — the single home for the IO-counting plumbing. Its data-table wrapper is a PrefixCounter that attributes each read to the opener term (_versions//.manifest) vs the scan term (data//*.lance), so cost tests isolate the opener directly.
• write_cost.rs (local, every-PR): the internal-table scan term flat in depth (a RED #[ignore]'d LOCK — step 2's red→green target) + green guards (bounded data writes; a per-write read-op ceiling; a keyed insert routes through stage_merge_insert once) + a validator proving the opener/scan split (opener flat, scan grows).
• write_cost_s3.rs (bucket-gated, RustFS CI): asserts data_opener_reads flat across depth — the proof of the step-3a win on a real object store. Wired into the rustfs_integration job + path filter.
• warm_read_cost.rs migrated onto the shared harness (removing its duplicate local probes()).

docs — RFC-013 §9 marks step 1 / 3a landed and the namespace retirement; §7.1/§6/§11/§5.5/§10 correct the cross-table write-skew analysis (a prototype proved the scoped fix is a no-op without a shared graph_head contention row → coupled to Phase 7; concurrent-face vs sequential-face split). testing.md documents the harness + the local-vs-S3 backend split.

Measured impact (RFC §2.4 [M]; the S3 gate verifies it in CI)

	per-write depth slope	depth-80ish edge write
Before	O(depth): data + internal	~1618–1720 ops
This PR (step 3a)	data term flat; internal still ~+5/depth	~593 ops (2.7×)
After step 2 (+3b)	flat	~198 ops (~8.7×), flat

• Data-table opener: 31 + 12·depth → flat 4. The key shape change: per-write cost no longer grows with the data table's version history.
• Object-store deployments only (local FS resolves latest with one read_dir either way); the win grows with graph history and with the number of tables a write touches (load/merge/branch amplify it).

Test status

• cargo test --workspace --locked green locally (writes, branch-merge, fork-on-first-write, overwrite, recovery — the paths the namespace open was suspected to be load-bearing on; the suite refutes it).
• write_cost_s3 verified green on RustFS — data_opener_reads flat across commit depth on a real object store (a prior run, pre-fix, failed here with opener grew 20 → 50, empirically confirming the fix is load-bearing).
• PR-gating checks (aws-feature, agents-md, container, Greptile, Cursor Bugbot) all pass. The full Test Workspace + RustFS S3 suites are PR-skipped by deliberate CI design and run post-merge on main.

Follow-on PRs (separate, after this merges)

• Step 2 — internal-table compaction (__manifest/_graph_commits into all_table_keys), which un-ignores write_cost.rs's internal-table LOCK and delivers the remaining ~3× / full flatness. Must land with the Q8 boundary watermark (Lance version-CAS is cleanup-resurrection-vulnerable, RFC §12 Q8).
• Step 3b — WriteTxn (capture-once + pinned-version opens + handle reuse + shared Session), retiring the flat-46 schema-read constant.
• §7.1 write-skew — concurrent face (read-set + shared graph_head, coupled to Phase 7) and sequential face (inbound-RI validation on node removal) — two separate fixes.
• Step 1c — an always-on prod storage.ops span metric (the test gate is the durable guard).

See docs/dev/rfc-013-write-path-latency.md for the full design and sequencing.

---

Note

Medium Risk
Changes the hot write open path and removes production namespace opens; mitigated by full workspace tests, S3 cost gate in CI, and retained test-only namespace contract coverage.

Overview
This PR lands RFC-013 step 3a: write-path table opens no longer go through DatasetBuilder::from_namespace (which did O(commit-depth) latest-version resolution). TableStore::open_dataset_head_for_write now delegates to a direct open_dataset_head (Dataset::open by URI + branch checkout), routed through open_dataset_tracked so cost tests can count opens (no-op when probes are unset in production).

With reads already opening by location, production no longer uses the per-table Lance namespace. The dead chain (load_table_from_namespace, open_table_head_for_write) is removed; StagedTableNamespace and related manifest namespace wiring move behind #[cfg(test)] for contract tests only. GraphNamespacePublisher for __manifest is unchanged.

Testing: New tests/helpers/cost.rs centralizes measure / IoCounts / PrefixCounter (opener vs scan reads). write_cost.rs runs on local FS (green guards + a RED #[ignore] internal-table flatness lock for step 2). write_cost_s3.rs asserts data_opener_reads stay flat on S3. warm_read_cost.rs drops duplicate probe wiring. CI path filters and the RustFS job run write_cost_s3.

Docs: RFC-013 §9 marks steps 1/3a landed; testing.md and index.md document the harness and backend split.

^{Reviewed by Cursor Bugbot for commit c9183b3. Bugbot is set up for automated code reviews on this repo. Configure here.}

Greptile Summary

Completes RFC-013 steps 1 and 3a: the write path's O(depth) DatasetBuilder::from_namespace open is replaced by a direct Dataset::open-by-URI call (O(1)), and the Lance namespace layer is retired to #[cfg(test)]-only contract validation since nothing in production routes through it anymore.

• table_store.rs: open_dataset_head_for_write now calls open_dataset_head (tracked direct open) instead of the namespace builder; table_key is retained for signature stability but silently discarded.
• namespace.rs / manifest.rs: load_table_from_namespace and open_table_head_for_write deleted; entire namespace module gated to #[cfg(test)], leaving GraphNamespacePublisher as the only production path through the manifest layer.
• Test harness: PrefixCounter splits data-table reads into opener vs scan terms; write_cost.rs runs every-PR on local FS; write_cost_s3.rs asserts data_opener_reads flat across depth on a real object store — the step 3a acceptance test.

Confidence Score: 5/5

Safe to merge — the write-path change is a drop-in open strategy swap backed by a passing test suite and an S3 cost gate confirming the fix is load-bearing.

The core change replaces the namespace-builder open with a direct URI open that already existed and was proven on the read side; the namespace retirement is mechanical and consistently gated at the module level. The test harness provides both local every-PR guards and a real-S3 acceptance test.

No files require special attention.

Important Files Changed

Filename	Overview
crates/omnigraph/src/table_store.rs	Core fix: open_dataset_head_for_write now delegates to open_dataset_head (direct URI, O(1)) instead of the lance-namespace builder. table_key retained as a dead param for signature stability.
crates/omnigraph/src/db/manifest/namespace.rs	Dead load_table_from_namespace and open_table_head_for_write functions removed; per-item #[cfg(test)] guards dropped since the whole module is now #[cfg(test)] in manifest.rs. Logically consistent.
crates/omnigraph/tests/helpers/cost.rs	New shared cost-test harness: PrefixCounter wrapper splits reads into opener vs scan terms; measure/assert_flat/assert_grows/local_graph/s3_graph give all cost tests a single vocabulary. S3 init/seed failures now panic when bucket is configured.
crates/omnigraph/tests/write_cost.rs	New local write cost gate: green guards (ceiling, bounded writes, merge-insert routing) + opener/scan split validator + a #[ignore]'d RED LOCK for the step-2 internal-table flatness target.
crates/omnigraph/tests/write_cost_s3.rs	S3 opener gate: asserts data_opener_reads flat across depth [10, 50] — the RFC-013 step 3a acceptance test. Skips when bucket unset; panics on misconfigured bucket.
.github/workflows/ci.yml	Adds write_cost_s3.rs and table_store.rs/instrumentation.rs to the RustFS CI path filter and wires in the new S3 cost-gate step.

_{Reviews (6): Last reviewed commit: "Merge branch 'main' into rfc-013-write-p..." | Re-trigger Greptile}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 65195c9903

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Isolate opener IO before asserting flatness

With this insert_person/commit_many fixture, data_reads is not opener-only: the table wrapper is attached to the Dataset used by stage_merge_insert, so reads from scanning unoptimized fragments are included as history grows. In the S3 RustFS gate this assertion can fail (or misattribute fragment-scan growth to the opener) even when the direct opener is flat; isolate _versions/open IO, compact the fixture, or use an append-only operation if the intent is to gate only the opener term.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Fail configured S3 setup errors instead of skipping

When OMNIGRAPH_S3_TEST_BUCKET is set (the RustFS CI job this PR wires up), these .ok()? conversions turn any real Omnigraph::init or seed-load failure into None, so write_cost_s3 logs a skip and passes without exercising the new gate. The existing s3_storage pattern only skips when the bucket env var is absent and then unwraps setup failures; this helper should likewise return a Result or panic once the bucket is configured.

Useful? React with 👍 / 👎.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit a966271. Configure here.}