docs: KeyViz cluster fan-out proposal (Phase 2-C)

[bootjp]

Summary

Phase 2-C proposal — cluster-wide KeyViz heatmaps via fan-out.

Phase 2-A and 2-B ship a heatmap that only renders the local node's view. Per parent design §5.1, reads are recorded by the follower that serves them and writes by the leader, so a single-node SPA shows a partial picture by construction. This proposal scopes a minimum-viable fan-out that ships the operator-visible value without yet requiring the proto extension parent §9.1 calls for.

Key design decisions worth a careful read

• Static --keyvizFanoutNodes flag instead of GetClusterOverview discovery for the MVP (§3). The membership cache lands when clusters grow beyond hand-configured size.
• Conservative max-merge for writes with a conflict flag instead of the canonical (bucketID, raftGroupID, leaderTerm, windowStart) rule (§4.2). The canonical rule needs proto/JSON extensions and lands in Phase 2-C+. The MVP rule never overcounts (operators react badly to phantom hotspots) but may undercount during a leadership flip — surfaced via conflict=true.
• Embedded internal/admin aggregator instead of a standalone cmd/elastickv-admin binary (§2.2). The standalone binary was deferred indefinitely; the embedded path is the go-forward.
• Forward-compatible wire format (§5). Old SPA against fan-out server keeps working — the new fields are additive.

What this proposal does NOT do

Listed in §2.2 to keep the PR-1 scope reviewable: no membership discovery, no proto extension, no standalone binary, no response caching. Each gets its own follow-up if and when needed.

Implementation plan (per §7)

• PR 1 — server-side aggregator + flag plumbing + table-driven test
• PR 2 — SPA degraded banner + conflict hatching + header counter
• PR 3 (Phase 2-C+) — proto/JSON extension; replace max-merge with the canonical rule; promote conflict from per-row to per-cell

Test plan

• Design review: confirm the §4.2 conservative max-merge trade is acceptable, or push back with the alternative (e.g., always sum + always conflict-flag if multiple nodes report > 0)
• Confirm --keyvizFanoutNodes flag shape (host:port list, self-included) is the right contract for now
• Confirm the timeout shape in §9 open question 2 (proposed: fixed 2 s with operator override)

[coderabbitai]

Warning

Rate limit exceeded

@bootjp has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 14 minutes and 5 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 775cdd0c-e3fa-4d39-86e1-9133f09c7fa2

📥 Commits

Reviewing files that changed from the base of the PR and between df5ea5e and 9ec6ca2.

📒 Files selected for processing (8)

• docs/design/2026_04_27_proposed_keyviz_cluster_fanout.md
• internal/admin/keyviz_fanout.go
• internal/admin/keyviz_fanout_test.go
• internal/admin/keyviz_handler.go
• internal/admin/server.go
• main.go
• main_admin.go
• main_admin_test.go

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch docs/keyviz-fanout-phase2c

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5064129ec4

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Define a wire field for catalog-divergence warnings

Section 4.4 says Start/End mismatches should be surfaced as a warning in the per-node status payload, but the wire format in §5 only defines node, ok, and error for each fanout.nodes item. Without a dedicated warning field, implementations either cannot report this divergence at all or must overload error (which incorrectly implies node failure), so operators can miss a real consistency issue or see false degraded-state signals.

Useful? React with 👍 / 👎.

[gemini-code-assist]

Code Review

This pull request proposes a design for KeyViz Cluster Fan-out (Phase 2-C), enabling a cluster-wide heatmap view by aggregating data from multiple nodes. The design includes merge rules for metrics, a static node configuration, and a phased implementation plan. Feedback on the design suggests detailing rolling upgrade and zero-downtime migration strategies, resolving internal inconsistencies regarding the 'conflict' flag, and clarifying inter-node authentication. Further recommendations include rounding timestamps to handle clock skew, limiting response sizes to prevent OOM, and caching DNS lookups to improve performance.

[gemini-code-assist]

The design for cluster fanout introduces significant operational changes to node communication. To comply with repository standards, the document must detail a strategy for rolling upgrades, including mitigation strategies like a temporary 'bridge' or 'proxy' mode to handle communication between upgraded and non-upgraded nodes.

References

1. Design documents identifying significant operational risks, such as rolling upgrade issues, must detail mitigation strategies like bridge or proxy modes.

[gemini-code-assist]

As this proposal outlines a migration to a new production-grade cluster aggregation model, the plan must include specific strategies for live or zero-downtime cutovers (e.g., blue/green deployment or dual-write proxy) to ensure no service interruption occurs during the transition.

References

1. Production-grade system migrations must detail strategies for zero-downtime cutovers to avoid service interruption.

[gemini-code-assist]

The definition of conflict=true is inconsistent across the document. Section 2.1 describes it as being per-cell and triggered by any disagreement, while Section 5 and Section 6 specify it as per-row and intended for cases where multiple nodes report non-zero values (e.g., during a leadership flip). Clarifying this to be per-row and based on multiple non-zero reports will ensure the implementation matches the intended MVP behavior and remains usable.

[gemini-code-assist]

The authentication mechanism for fan-out requests is unclear. The text mentions both replaying the browser's session cookie and minting a short-lived inter-node token. Replaying user cookies between nodes is generally discouraged. It would be better to clarify that the aggregator uses a dedicated inter-node token for peer requests, as suggested by the mention of the shared admin secret.

[gemini-code-assist]

Pivoting on exact column_unix_ms values is fragile in a distributed system. Even with NTP, slight offsets or different start times can cause nodes to produce slightly different timestamps for the same logical window, leading to a sparse or jagged heatmap. Consider rounding timestamps to the nearest keyvizStep boundary during aggregation to ensure columns are correctly merged.

[gemini-code-assist]

While the aggregator cost is estimated to be low, the design should explicitly require limiting the size of the response bodies accepted from peer nodes (e.g., using http.MaxBytesReader). This prevents a single misconfigured or compromised node from sending an oversized payload that could cause an OOM on the aggregator node.

[gemini-code-assist]

Performing a DNS lookup for every node on every fan-out request can introduce significant latency and load on the DNS infrastructure. Even for small clusters, transient DNS issues would directly impact the responsiveness of the Admin UI. It is recommended to resolve hostnames once at configuration load or use a short-lived cache for the resolutions.

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

[bootjp]

@claude review

Round-1 follow-ups (1cd6ed5):

Codex P2 — added per-node warnings array with catalog_divergence code in §5; gives the §4.4 catalog-mismatch signal an actual wire field.

Gemini medium / consistency — conflict flag scope now stated up front in §2.1 as row-level (with the per-cell upgrade explicitly tied to Phase 2-C+); removes the §2.1 vs §5/§6 mismatch.

Gemini security-medium / auth — rewrote §3 with a clean two-tier story:

• Phase 2-C MVP: anonymous fan-out on a private network with an explicit "do NOT enable across an untrusted network" warning.
• Phase 2-C+: signed inter-node token derived from the existing admin session-signing key, NOT a replay of the browser cookie. The earlier draft conflated the two; this paragraph supersedes it.

Gemini medium / column drift — §4.5 now bucket-aligns column timestamps to keyvizStep boundaries before merging, so sub-step NTP jitter does not split each window into two adjacent merged columns.

Gemini security-medium / body cap — §8 lens 3 documents the 64 MiB io.LimitReader cap (matches what PR #686 implements).

Gemini medium / DNS — §9 Q1 resolved: resolution rides the stdlib resolver and nscd cache; no aggregator-local cache. Per-call deadline already protects against transient DNS hangs. Operators on flaky DNS colocate a caching resolver — same answer for every short-lived HTTP client, not unique to this feature.

Gemini high / rollout strategy — pushed back in §1 "Rollout notes". This feature:

• Is off by default (--keyvizFanoutNodes empty)
• Lives entirely on the admin path (no data-plane impact)
• Stores nothing on disk (no schema migration)
• Has a forwards-compatible wire format (old SPA + new server, and old node + new aggregator, both work)

A dual-write proxy / blue-green isn't a fit for this scope; mixed-version rollout is correct by construction. The worst-case partial deploy surfaces as a per-node ok=false in the response, not data loss.

Open to pushback on any of these calls if the trade-offs aren't right.

[claude]

Claude finished @bootjp's task in 3m 25s —— View job

---

Round-2 Review

Summary: All round-1 issues are resolved. There are a few targeted follow-up items, mostly around the body-cap math, a 5s/2s timeout discrepancy, and one behavioral precision issue with io.LimitReader.

---

Round-1 follow-ups: addressed ✓

Issue	Resolution
Codex P2 — missing warnings wire field	§5 adds per-node warnings array with catalog_divergence code ✓
Gemini — conflict scope inconsistency	§2.1 now states row-level up front, per-cell tied to Phase 2-C+ ✓
Gemini — auth conflation (cookie vs. inter-node token)	§3 two-tier story is clear; Phase 2-C MVP anonymous + warning, Phase 2-C+ signed token from session-signing key ✓
Gemini — column timestamp drift	§4.5 bucket-aligns to keyvizStep boundary before pivot ✓
Gemini — no body cap	§8 lens 3 documents 64 MiB io.LimitReader cap ✓
Gemini — DNS resolution strategy	§9 Q1 resolved: rides stdlib/nscd, per-call deadline protects against hangs ✓
Gemini — rolling upgrade / zero-downtime	§1 "Rollout notes" justifies why mixed-version rollout is correct by construction ✓

---

Round-2 findings

1. §8 lens 3 — body-cap arithmetic is internally inconsistent (medium)

The current prose:

1024 rows × 4096 columns × ~32 B per uint64 ≈ 128 MiB raw, ~32 MiB JSON-encoded

The math doesn't add up in two ways:

• "32 B per uint64" × 1024 × 4096 = 128 MiB — but then it claims the JSON-encoded result is only 32 MiB, implying 4× compression. JSON doesn't compress; a uint64 serialized as a decimal string is smaller than 8 bytes raw for small values (e.g. "5," is 2 bytes vs 8 bytes binary), not larger.
• The actual raw binary size is 1024 × 4096 × 8 B = 32 MiB; the JSON representation of the same data would be roughly similar (small traffic counters encode shorter than 8 chars), not 4× larger.

The cap itself (64 MiB) is likely fine for typical deployments, but the prose math should be corrected so a future reader can trust it. Suggested rewording:

1024 rows × 4096 columns × 8 B/uint64 ≈ 32 MiB raw binary; JSON-encoded text is similar in size for small counters. The 64 MiB cap provides ≥2× headroom.

2. §8 lens 3 — 4096 is not MaxHistoryColumns (minor, same section)

The design uses 4096 columns as the example ceiling, but the actual upper bound in the sampler is MaxHistoryColumns = 100_000 (keyviz/sampler.go:92). At 100k columns × 1024 rows × 8 B, a single peer response is ~800 MiB raw — well above the 64 MiB cap. The cap will fire for any request spanning roughly 13,000+ columns at default config (or fewer with sub-second steps), returning a partial/error result.

The document should either:

• Reference MaxHistoryColumns and acknowledge the cap fires at extreme column counts (treating this as the intended operator contract), or
• Add a server-side column cap on the fan-out path (analogous to keyVizRowBudgetCap) so a broad time-range query doesn't surprise the aggregator.

Neither path is wrong — but leaving it implicit means the first operator who queries a node with a large ring buffer will get a confusing ok=false without knowing why.

3. §8 lens 2 vs. §3 — timeout value mismatch (minor)

§8 lens 2 says "5-second ceiling per node" but §3 says "Per-call timeout: 2 s default, override via --keyvizFanoutTimeout". These should agree. If the 2 s default is correct (matching §9 Q2's recommendation), §8 should say "per-call timeout (default 2 s, configurable via --keyvizFanoutTimeout)" rather than "5-second ceiling".

4. §9 Q2 still written as open but §3 already resolved it (minor)

§3 already commits to "2 s default, override via --keyvizFanoutTimeout". §9 Q2 still reads as a proposal ("probably the right shape — proposing this"). Mark it resolved the same way Q1 was, e.g.:

Resolved: Fixed 2 s default, operator override via --keyvizFanoutTimeout. See §3.

5. §4.4 — "first non-empty, deterministic by node order" needs precision (minor)

Nodes are fanned out in parallel, so responses arrive in non-deterministic wall-clock order. The "deterministic by node order in --keyvizFanoutNodes" guarantee requires the aggregator to collect all results first and then pick by config-list position — not by arrival order. If the implementation picks on first arrival it's non-deterministic, which means Start/End could change between polls for the same bucket. Worth making the sequential-selection invariant explicit:

After all per-node results are collected, Start/End/... are taken from the lowest-indexed node in --keyvizFanoutNodes whose response is non-empty for the row.

6. §7 / §8 test scenario count mismatch (minor)

§8 references "the four scenarios in §7 PR-1" but §7 lists only three:

1. stable-leader (max wins, no conflict)
2. mid-window flip (max wins, conflict=true)
3. partial failure (one node times out)

Either a fourth scenario was dropped from §7 (e.g., catalog_divergence warning), or the count in §8 should be corrected to three. If catalog_divergence is the missing fourth, add it to the §7 test list.

7. §8 lens 3 — io.LimitReader over-cap behavior description is imprecise (minor)

The document says:

Over-cap responses log a warning rather than silently truncating.

With io.LimitReader, reads stop exactly at the limit — there is no automatic warning. What actually happens is: the JSON decoder hits EOF mid-stream, returns a parse error, and the aggregator treats that peer as ok=false (error: "unexpected EOF" or similar). This is the right behavior but should be described accurately, both to set operator expectations and to ensure the implementation matches:

Responses exceeding the cap cause a JSON-decode error; the peer is treated as ok=false with the decode error in its error field, and a WARN-level log is emitted. Partial data is not used.

---

Open questions status

• Q1: Resolved ✓
• Q2: Effectively resolved (§3), but not marked resolved in §9 — see item 4 above.
• Q3 (per-node generated_at in response): Still open, deferred to PR 2 — this is fine.

---

Verdict

The design is solid and ready to move to implementation on PR 1. The round-1 concerns are well addressed. Items 1–7 above are documentation-level fixes (no architectural changes needed). Recommend updating the doc to fix the arithmetic, resolve Q2, and tighten the io.LimitReader description before merging.
| Branch: docs/keyviz-fanout-phase2c

[bootjp]

@claude review

Round-2 follow-ups (d012f4c) addressing all 7 doc-level items:

1. §8 lens 3 / cap math — replaced 32 B/uint64 ≈ 128 MiB raw, ~32 MiB JSON (inconsistent: JSON doesn't compress) with 1024 × 4096 × 8 B/uint64 ≈ 32 MiB raw; 64 MiB cap = 2× headroom.
2. §8 lens 3 / MaxHistoryColumns — explicit reference to MaxHistoryColumns = 100 000 and the ~800 MiB raw upper bound that trips the cap on extreme ring queries.
3. §8 lens 2 / timeout — replaced 5-second ceiling with configured per-call timeout (default 2 s, override via --keyvizFanoutTimeout per §3).
4. §9 Q2 / mark resolved — restated as Resolved with the same shape as Q1, citing §3.
5. §4.4 / first-non-empty precision — explicit "after all per-node responses have been collected" + selection by lowest-indexed-in-flag rather than wall-clock arrival. Notes why (peers respond out-of-order).
6. §8 lens 5 / scenario count — was "four scenarios" with no fourth listed; now lists the three §7 PR-1 scenarios plus the url-builder / per-node-order / over-cap tests.
7. §8 lens 3 / over-cap behavior — clarified that io.LimitReader causes a JSON decode error (EOF mid-stream), recorded as ok=false with the error in that node's status entry plus a WARN-level log. No partial data accepted.

Q3 (per-node generated_at) intentionally still open — deferred to PR 2 (SPA UI).

[claude]

Claude finished @bootjp's task in 1m 44s —— View job

---

Round-3 Review

• Read design doc (docs/design/2026_04_27_proposed_keyviz_cluster_fanout.md)
• Verify all 7 round-2 fixes
• Check for any remaining issues
• Post review findings

---

Round-2 follow-ups: all addressed ✓

#	Item	Verified
1	§8 cap math — 8 B/uint64 × 1024 × 4096 ≈ 32 MiB raw; 64 MiB = 2× headroom	✓
2	§8 MaxHistoryColumns = 100 000 + ~800 MiB upper-bound call-out	✓
3	§8 lens 2 timeout — "5-second ceiling" → "configured per-call timeout (default 2 s)"	✓
4	§9 Q2 marked Resolved with citation to §3	✓
5	§4.4 explicit post-collection selection + lowest-indexed-in-flag rule with rationale	✓
6	§8 lens 5 scenario count — lists three §7 scenarios plus url-builder / per-node-order / over-cap	✓
7	§8 lens 3 io.LimitReader over-cap → JSON-decode error → ok=false + WARN log, no partial data	✓

---

Round-3 findings

Three genuinely new items (all doc-level) plus one confirmation.

1. §3 — self-detection logic is under-specified (minor)

The doc says "internal/admin resolves --adminAddress and skips the network round-trip for the local entry." It does not say how self is detected. Two edge cases are worth documenting:

• If the operator writes 127.0.0.1:8080 in --keyvizFanoutNodes but passes 0.0.0.0:8080 as --adminAddress, a naive string-equality check misses the match and the node fans out to itself.
• If the admin listener is behind a reverse proxy or DNS alias, the address in the flag differs from --adminAddress and the self-skip never fires, resulting in a loopback round-trip that is harmless but wasteful.

Suggested addition to §3:

Self-detection uses string-equality against the normalized --adminAddress value. Operators who listen on 0.0.0.0 should include the fully-qualified address in --keyvizFanoutNodes (e.g., 10.0.0.1:8080, not 0.0.0.0:8080) so the skip fires. A loopback call is harmless — it degrades to an extra HTTP round-trip — but wastes a goroutine per fan-out request.

2. §5 — conflict field behavior for local-only (fan-out disabled) mode is unstated (minor)

conflict is a row-level field added to every row in the response. When --keyvizFanoutNodes is empty (local-only mode), there is no merge and no possible conflict, yet the field would still appear in the JSON (as false). This is fine from a wire-compatibility standpoint, but the document should state it explicitly so the implementation doesn't accidentally omit the field in fan-out mode and include it in local mode (or vice versa):

conflict is always present in the row object and defaults to false. It is only ever set to true by the fan-out aggregator — in local-only mode it is always false.

This also guards against a future SPA that patterns-matches "conflict" in row rather than checking its value.

3. §4.5 — keyvizStep_ms used but never defined (minor)

The section uses keyvizStep_ms as a variable name in the "Specifics" bullets, but the flag is --keyvizStep and its unit is not stated in §4.5 itself. One sentence is enough:

In the formulas below, keyvizStep_ms denotes the step duration in milliseconds (the value of --keyvizStep converted from its native unit).

4. §8 lens 3 — "similar size for typical small values" is defensible but could be tighter (nit)

The existing prose: "JSON encodes uint64 traffic counters at a similar size for typical small values." This is plausible (counters in the 0–9999 range encode shorter in decimal than 8 bytes binary) but "similar" is doing a lot of work. A precise version avoids any future argument:

For sparse heatmaps where most counters are ≤ 4 digits, JSON decimal encoding is smaller than raw binary; the 64 MiB cap provides comfortable headroom for the 32 MiB raw-binary ceiling at 1024 × 4096.

---

Open questions status

Q	Status
Q1	Resolved ✓
Q2	Resolved ✓
Q3 (generated_at per node)	Intentionally open, deferred to PR 2 ✓

---

Verdict

All round-2 items are cleanly addressed. The three round-3 items are genuinely minor (one implementation-hint for self-detection, one wire-format behavior clarification, one terminology nit). None of them are blockers. The design is ready to move to PR-1 implementation. Recommend landing the doc on this commit and opening the implementation PR.
| Branch: docs/keyviz-fanout-phase2c

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d012f4c219

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Define conflict to ignore leader-vs-follower zeros

The spec currently says to set row-level conflict=true when any per-node values disagree for any cell, but in steady state writes naturally disagree (leader>0, followers 0), so this rule would flag nearly every active write row as conflicted. That contradicts the later stable-leader expectation (no conflict) and would make the UI hatch normal traffic as if it were a leadership anomaly. Please narrow the conflict condition to true disagreement among competing non-zero writers (or an equivalent predicate) so expected follower zeros are not treated as conflicts.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

[bootjp]

@claude review

Round-3 follow-ups (0b5bfa0):

1. §3 self-detection — documented the matching shape: exact host:port match vs --adminAddress, plus wildcard-bind/loopback handling (0.0.0.0:8080 listener with 127.0.0.1:8080 in the flag still self-skips). Reverse-proxy / DNS-aliased entries fall through to a harmless loopback call. The behavior matches the implementation in PR feat(admin): KeyViz cluster fan-out aggregator (Phase 2-C PR-1) #686 (isSelfFanoutNode).
2. §5 conflict field — explicit "always present, defaults false in local-only mode" so an SPA that pattern-matches "conflict" in row rather than the value doesn't regress when --keyvizFanoutNodes flips.
3. §4.5 keyvizStep_ms — defined in-section as time.Duration(--keyvizStep) / time.Millisecond so the formula is self-contained.
4. §8 lens 3 sizing prose — replaced "similar size for typical small values" with the precise statement: decimal encoding is smaller than 8-byte binary for ~4-digit counters; cap only becomes a real ceiling for traffic-saturated heatmaps with ~20-digit counters.

[claude]

Claude finished @bootjp's task in 1m 53s —— View job

---

Round-4 Review

• Read design doc
• Verify round-3 fixes (4 items)
• Check Codex P1 finding (conflict semantics in steady state)
• Check for any remaining issues
• Post findings

---

Round-3 follow-ups: all addressed ✓

#	Item	Verified
1	§3 self-detection: exact host:port + wildcard-bind + loopback; reverse-proxy falls through to harmless extra call	✓
2	§5 conflict always present, defaults false in local-only mode, only fan-out aggregator ever sets it true	✓
3	§4.5 keyvizStep_ms defined in-section as time.Duration(--keyvizStep) / time.Millisecond	✓
4	§8 lens 3: decimal encoding is smaller than 8-byte binary for ≤4-digit counters; cap becomes real ceiling only for ~20-digit traffic-saturated counters	✓

---

Round-4 finding

§2.1 vs §4.2 — conflict predicate is still broader than intent (medium, Codex P1 carry-over)

This is the Codex P1 issue raised on d012f4c and it remains in 0b5bfa03.

§2.1 (lines 63–65):

max across nodes, with a row-level conflict=true flag raised when any per-node values disagreed for any cell in the row

§4.2 (lines 167–172):

Under stable leadership, exactly one node (the current leader for the route's group) records writes for any given window; other nodes report 0. max returns the leader's count; non-leader zeros do not perturb it.

The §2.1 wording says conflict fires whenever "any values disagreed." Under stable leadership, the leader reports e.g. writes=5 and every follower reports writes=0 — these disagree. So the §2.1 predicate triggers conflict=true on every active write row in steady state, not just during leadership flips. That directly contradicts §4.2's intent and the §7 test expectation ("stable-leader: max wins, no conflict").

The fix is a one-line clarification in §2.1 to narrow the predicate to multiple non-zero reporters:

-  flag raised when *any* per-node values disagreed for *any* cell
-  in the row (best-effort dedup; correct under stable leadership,
-  conservative under leadership flip).
+  flag raised when *multiple nodes report a non-zero value for
+  any cell in the row* (i.e., at least two nodes have counts > 0
+  for the same cell; follower zeros do not count as disagreement).
+  Correct under stable leadership (leader is the sole non-zero
+  reporter), conservative under a leadership flip.

The same wording needs a matching clarification in the §4.2 max rule: "conflict fires when the count of nodes with value > 0 for a given cell is ≥ 2 after aggregation" — making the "non-leader zeros do not perturb it" sentence also apply to the conflict flag, not just to the max value.

This is the only outstanding issue. All other aspects of the design are clean and ready for PR-1 implementation.

---

Open questions status

Q	Status
Q1	Resolved ✓
Q2	Resolved ✓
Q3 (generated_at per node)	Intentionally open, deferred to PR 2 ✓

---

Verdict

Three full rounds of careful review, and we're down to one issue: tighten the §2.1 conflict predicate wording to match §4.2's intent (follower zeros are not disagreements). That's a two-sentence doc fix. Everything else — merge rules, wire format, auth story, self-detection, cap math, timeout handling, test scenarios — is solid. Recommend fixing §2.1 and landing.
| Branch: docs/keyviz-fanout-phase2c

[bootjp]

@claude review

Round-4 follow-up (3035181): tightened the conflict predicate in §2.1 and mirrored the clarification in §4.2.

The predicate is now stated as "≥ 2 nodes report a non-zero value for the same cell", not "any disagreement". Follower zeros against a leader's non-zero value do not count — that's the steady-state shape, not a conflict. This matches the implementation in PR #686 (maxMerge ignores zero on either side and returns conflict=false) and the §7 "stable-leader: max wins, no conflict" test expectation.

Both §2.1 (scope summary) and §4.2 (merge-rule detail) now state the rule explicitly so future readers can't reach the looser interpretation.

[claude]

Claude finished @bootjp's task in 1m 18s —— View job

---

Round-5 Review

• Read design doc
• Verify round-4 fix (conflict predicate in §2.1 and §4.2)
• Check for any remaining issues
• Post findings

---

Round-4 follow-up: addressed ✓

#	Item	Verified
1	§2.1 predicate narrowed to "two or more nodes report a non-zero value for the same cell" — follower zeros explicitly excluded	✓
2	§4.2 adds "and do not raise the conflict flag" to the non-leader-zeros sentence; adds explicit contrast: "≥ 2 nodes report a value > 0 for the same cell" vs. "any two values differ"	✓
3	§4.2 leadership-flip bullets updated: "both nodes report values > 0 for the same cell. The conflict predicate fires." — now matches the new predicate rather than the vague "both nodes report values"	✓

Both §2.1 and §4.2 now state the same predicate in complementary ways — §2.1 as a scope summary, §4.2 as the detailed rule — and both are internally consistent with the §7 test expectations:

• Stable-leader: leader=5, followers=0 → only 1 node has value > 0 → conflict=false ✓
• Mid-window flip: ex-leader > 0, new-leader > 0 → 2 nodes > 0 → conflict=true ✓

---

Remaining issues

None. This is the last outstanding item from across five rounds of review.

---

Open questions status

Q	Status
Q1	Resolved ✓
Q2	Resolved ✓
Q3 (generated_at per node)	Intentionally open, deferred to PR 2 ✓

---

Verdict

All five rounds of review are complete and every finding has been addressed. The design is consistent end-to-end: merge rules, wire format, auth story, self-detection, cap math, timeout handling, time alignment, test scenarios, and the conflict predicate all agree. Ready to merge and open PR 1.

Branch: docs/keyviz-fanout-phase2c |

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3035181133

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Round timestamps to nearest step before merge

Section 4.5 says fan-out should absorb routine sub-step jitter, but this rule floors each column_unix_ms to the previous step boundary; with a 1s step, samples for the same logical window at 10.95s and 11.05s still split into different merged columns (10s vs 11s). That recreates the column fragmentation this section is trying to eliminate and can halve apparent traffic in affected windows. Use nearest-boundary rounding (or an explicitly aligned window-start timestamp contract) so ±step/2 skew coalesces correctly.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Merge untrimmed peer rows before top-k selection

This design treats fan-out input as up to 1024 rows per node, but /admin/api/v1/keyviz/matrix already enforces local top-k trimming, so merging those truncated sets can miss globally hot read buckets (for example, a bucket ranked just below 1024 on each node can still be top-ranked after cross-node summation). In high-cardinality workloads this causes false negatives in the cluster heatmap. The aggregator should merge full peer data (or a larger internal limit) and apply row-budget truncation only after cluster-wide merge.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9ec6ca26c8

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Forward admin auth when calling peer keyviz endpoints

fetchPeer constructs a brand-new GET with only an Accept header, but /admin/api/v1/keyviz/matrix is mounted behind the protected middleware chain (SessionAuth) in buildAPIMux. In normal deployments that means every peer fan-out call is unauthenticated and returns 401, so cluster fan-out degrades to local-only data with persistent peer failures instead of aggregating remote matrices.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Recognize non-loopback self addresses in fan-out filtering

When --adminListen is a wildcard bind (for example 0.0.0.0:8080), this logic only treats loopback hosts as self, so a node’s own advertised hostname/IP is misclassified as a peer in --keyvizFanoutNodes. That creates a self-call on every request; today it shows up as a spurious failed node (401), and once peer auth is added it can recurse through the same fan-out handler path.

Useful? React with 👍 / 👎.

[bootjp]

@claude review

[claude]

Claude finished @bootjp's task in 4m 47s —— View job

---

Round-6 Review

• Post initial comment
• Read implementation files (keyviz_fanout.go, main_admin.go, keyviz_handler.go, server.go, middleware.go)
• Read design doc (all 9 sections)
• Analyze Codex P1/P2 findings from latest commit
• Check for additional code/doc discrepancies
• Post complete review findings

---

Round-5 follow-ups: addressed ✓

All five rounds of doc-level fixes are confirmed in the design doc.

---

Round-6 findings

Four of these are code/doc discrepancies — the design says one thing, the code does another. The first is the most serious.

1. fetchPeer vs SessionAuth: every peer call returns 401 in production (P1 — blocker)

fetchPeer (keyviz_fanout.go:290-295) constructs a GET with only an Accept header:

req, err := http.NewRequestWithContext(ctx, http.MethodGet, target, http.NoBody)
// ...
req.Header.Set("Accept", "application/json")
resp, err := f.client.Do(req)

The peer's endpoint is wired at server.go:316:

keyvizChain := protect(keyvizHandler)

protect at server.go:277-285 wraps SessionAuth, which reads the admin_session cookie and rejects the request with 401 if it is absent. CSRF (CSRFDoubleSubmit) is GET-exempt (middleware.go:140) so it is not a factor, but the session check is unconditional on every method.

Net effect: every fan-out call to a peer node returns 401 unauthenticated: missing session cookie. The aggregator records each peer as ok=false and the response is always local-only, regardless of cluster size. The feature does not work in production as shipped.

The design doc §3 explicitly describes the MVP as "anonymous — the aggregator issues unauthenticated GETs to peers", which is the intended behaviour. The contradiction is that no unauthenticated path exists for the endpoint. The two options that preserve the design intent are:

• Option A — Register an additional route (e.g. /admin/internal/keyviz/matrix) outside the protect chain, bound only when fan-out is enabled, with an explicit warning in the flag docs that it must not be exposed across an untrusted boundary.
• Option B — Strip SessionAuth from the keyviz endpoint when the server starts with --keyvizFanoutNodes and add a flag note that the admin port must be on a private interface. This is less precise but requires fewer changes.

The test stubs (newKeyVizPeerStub) have no auth middleware, so all fan-out tests pass — they do not cover this path. Fix this →

2. KeyVizRow.Conflict uses omitempty — contradicts design §5 invariant (P1)

keyviz_handler.go:90:

Conflict bool `json:"conflict,omitempty"`

Design doc §5 states explicitly:

The field is always present on every row in the response — even when fan-out is disabled (single-node mode), conflict defaults to false and is emitted on the wire. This is wire-stable: an SPA that pattern-matches "conflict" in row rather than checking the value will not regress when the operator toggles --keyvizFanoutNodes.

omitempty on a bool field silently drops the field when its value is false. That breaks any SPA code that writes if "conflict" in row instead of if row.conflict. The design doc specifically called out this failure mode and documented it as a guarantee — the code violates that guarantee. Fix this →

3. §4.5 timestamp alignment described but not implemented (P1)

Design doc §4.5 says:

Both sides round column_unix_ms[i] down to the nearest multiple of keyvizStep_ms before merging.

unionColumns (keyviz_fanout.go:553-566) inserts raw millisecond values directly into the seen map. mergeRowInto (keyviz_fanout.go:490) looks up indexByColumn[ts] on the exact timestamp. No alignment is applied anywhere in the merge pipeline.

With a 1 s step, node A flushing at t=10.97 s and node B flushing at t=11.03 s produce ColumnUnixMs values of 10970 and 11030. After the union, these land in two separate columns; each carries only one node's contribution. The result is two half-populated columns instead of one merged column — the exact fragmentation §4.5 claims to prevent. Fix this →

4. FanoutNodeStatus has no Warnings field — catalog_divergence never emitted (P1)

Design doc §5 shows the per-node wire format as:

{"node": "10.0.0.2:8080", "ok": true, "error": "", "warnings": [
  {"code": "catalog_divergence", "bucket_id": "route:42", "detail": "start/end disagree with prior node"}
]}

The struct at keyviz_fanout.go:78-82:

type FanoutNodeStatus struct {
    Node  string `json:"node"`
    OK    bool   `json:"ok"`
    Error string `json:"error,omitempty"`
}

No Warnings field. Furthermore, mergeRowInto (keyviz_fanout.go:466-501) sets Start/End from the first-seen node and merges subsequent rows' Values, but never compares Start/End across nodes — so catalog_divergence cannot be detected or emitted even if the field existed. The design doc §4.4 says this divergence "surfaces as a warning in the per-node status payload", but neither the struct nor the merge logic implements it. Fix this →

5. Codex P1 (3035181133) — pre-truncated top-k merge for reads-sum is still unaddressed (P2)

Each peer's /admin/api/v1/keyviz/matrix response has already been trimmed to the per-node rows budget (1024 by default) by applyKeyVizRowBudget before the fan-out aggregator receives it. For reads (sum), a bucket ranked 1025 on every individual node can rank first after cross-node summation, but the aggregator never sees it — it was dropped before the response left each peer.

The previous round-5 review verdict said "ready to merge and open PR 1", but this finding was raised by Codex on the same commit that round-5 reviewed (3035181133) and was not addressed. It is a reads-specific blind spot: for writes (max), the dominant leader's bucket is also the globally dominant one, so pre-truncation is harmless. For reads (sum), globally-hot-but-per-node-rank-just-outside-budget buckets are invisible.

The design doc does not acknowledge this limitation. It should either: add a note in §2.2 ("not in scope: pre-merge row filtering; the aggregator merges already-trimmed sets") so future operators know the constraint, or add a server-side fanout_rows parameter that requests a larger per-peer budget when fan-out is active.

---

Open questions status

Q	Status
Q1	Resolved ✓
Q2	Resolved ✓
Q3 (generated_at per node)	Intentionally open, deferred to PR 2 ✓

---

Verdict

Items 1–4 are code/doc discrepancies that need to be resolved before this PR merges:

• Item 1 is a functional blocker: the feature silently degrades to local-only mode in every production deployment because SessionAuth rejects unauthenticated peer GETs.
• Item 2 is a one-character fix (conflict,omitempty → conflict) but violates a documented wire-stability invariant.
• Items 3 and 4 are implementation gaps where the design promises behaviour the code does not deliver.

Item 5 is a documentation gap that should be acknowledged in §2.2 but does not block merging.

---

| Branch: docs/keyviz-fanout-phase2c