feat(tern): verify re-planned DDL matches reviewed DDL before resume #613
Merged
Pull request overview
This PR strengthens SchemaBot’s fail-closed safety boundary for Tern apply resume/materialization by ensuring that any DDL recomputed against a deployment’s live schema cannot be silently applied unless it canonically matches the DDL that was reviewed and dispatched.
Changes:
- Added a drift-guard comparison for non-primary plan materialization (`verifyMaterializedPlanMatchesLiveSchema`) to ensure dispatched reviewed DDL matches this deployment’s locally recomputed plan (shard-aware).
- Added a resume-time guard (`verifyReplannedTaskDDL`) to prevent `replanAndFilterTasks` from overwriting a task’s reviewed DDL with a recomputed (potentially unreviewed) delta.
- Added targeted tests covering canonicalization tolerance and fail-closed behavior on drift for both materialization and resume.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| pkg/tern/local_plan_drift.go | Introduces shard-aware multiset comparison + canonicalization helpers for drift detection between reviewed vs recomputed DDL. |
| pkg/tern/local_plan_drift_guard_test.go | Adds unit tests validating the new materialization drift guard behavior (including shard-scoped parity and canonicalization tolerance). |
| pkg/tern/local_control_resume.go | Hooks resume re-plan to verify replanned DDL matches reviewed task DDL before overwriting/continuing. |
| pkg/tern/local_control_resume_test.go | Adds tests ensuring resume fails closed when replanned DDL diverges from reviewed DDL. |
| pkg/tern/local_client.go | Enables drift verification during non-primary plan materialization so unreviewed DDL can’t be replayed on drifted deployments. |
The resume re-plan recomputes each deployment's delta against its live schema and overwrites task.DDL with it; on a drifted deployment that is unreviewed DDL applied silently. Fail closed unless the re-plan matches what the task was reviewed with.
statement.Classify accepts non-DDL (e.g. SELECT, INSERT), which has no place in a schema-change drift comparison; reject it instead of canonicalizing it as DDL.
aparajon approved these changes on Jul 1, 2026
Summary
On resume/recovery, `replanAndFilterTasks` recomputes each deployment's own delta against its live schema and overwrites each still-needed task's DDL with that recomputed delta before applying it. On a deployment whose schema has drifted, that recomputed delta is DDL no human reviewed — and it was being applied silently. This makes the path fail closed: the resume now refuses to apply DDL that does not match what the task was reviewed with.
What
- `verifyReplannedTaskDDL`: canonically compare the recomputed DDL against the task's reviewed `task.DDL`; return a drift error on mismatch. Canonicalization absorbs incidental formatting so only real divergence trips it. A task with no reviewed DDL (legacy synthetic VSchema tasks, already skipped downstream) is left to existing handling.
- Called from `replanAndFilterTasks` before overwriting `task.DDL`. Both `Start()` and `ResumeApply()` callers already propagate the error, so the resume halts for operator reconciliation.
- `formatDriftLocation`, factored out of `formatDriftKey`, for the operator-facing message.
Why
A drifted non-primary deployment could silently apply a locally recomputed, unreviewed delta on resume. This restores the fail-closed review boundary on the apply/resume path, reusing the shard-aware comparator.
Scope: closes the "applies unreviewed DDL" failure mode. The "table dropped out of the diff is silently completed" mode (needs a reviewed-target reference) and shrinking the verify→apply TOCTOU window are tracked as a follow-up.
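As an added illustration of the guard this PR describes (written here, not taken from the SchemaBot/Tern code): a shard-aware multiset comparison of canonicalized DDL that fails closed on any divergence and rejects non-DDL statements instead of canonicalizing them. The canonicalizer (whitespace and trailing-semicolon normalization only), the shard labels and the statements are assumptions for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// ddlKinds: statement kinds accepted as DDL; SELECT, INSERT etc. are rejected, not canonicalized.
var ddlKinds = map[string]bool{"CREATE": true, "ALTER": true, "DROP": true, "RENAME": true, "TRUNCATE": true}

// canonicalDDL collapses incidental formatting (whitespace runs, trailing semicolon); assumed simplification.
func canonicalDDL(stmt string) string {
	return strings.TrimRight(strings.Join(strings.Fields(stmt), " "), "; ")
}

// ddlFingerprint renders a shard-keyed plan as sorted "shard\tstatement" lines:
// statement order is not drift; a missing, extra, changed or re-sharded one is.
func ddlFingerprint(byShard map[string][]string) (string, error) {
	var lines []string
	for shard, stmts := range byShard {
		for _, st := range stmts {
			c := canonicalDDL(st)
			kind, _, _ := strings.Cut(strings.ToUpper(c), " ")
			if !ddlKinds[kind] {
				return "", fmt.Errorf("shard %q: non-DDL statement in plan: %q", shard, c)
			}
			lines = append(lines, shard+"\t"+c)
		}
	}
	sort.Strings(lines)
	return strings.Join(lines, "\n"), nil
}

// verifyReplannedDDL fails closed: the recomputed plan may be applied only when
// its fingerprint equals the reviewed plan's; otherwise the resume halts.
func verifyReplannedDDL(reviewed, replanned map[string][]string) error {
	r, err := ddlFingerprint(reviewed)
	if err != nil {
		return err
	}
	p, err := ddlFingerprint(replanned)
	if err != nil {
		return err
	}
	if r != p {
		return fmt.Errorf("replanned DDL does not match reviewed DDL; refusing to apply")
	}
	return nil
}
```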