aalhour
diff --git a/‎Makefile‎
Lines changed: 18 additions & 18 deletions b/‎Makefile‎
Lines changed: 18 additions & 18 deletions
diff --git a/‎cmd/crash/README.md‎
Lines changed: 90 additions & 16 deletions b/‎cmd/crash/README.md‎
Lines changed: 90 additions & 16 deletions
diff --git a/‎cmd/crash/artifact.go‎
Lines changed: 157 additions & 0 deletions b/‎cmd/crash/artifact.go‎
Lines changed: 157 additions & 0 deletions
@@ -1,4 +1,4 @@
-.PHONY: all build test coverage lint fmt-check fmt clean check examples crash-test help
+.PHONY: all build test coverage lint fmt-check fmt clean check examples crash-check help
 
 CYCLES ?= 100
 
@@ -48,25 +48,25 @@ fmt:
 ## check: Runs fmt-check, lint and test
 check: fmt-check lint test
 
-## crash-test: Run crash harness in writer+orchestrator modes ($(CYCLES) cycles) using /tmp workspace
-crash-test:
+## crash-check: Run the controller/worker crash harness ($(CYCLES) cycles) with a temporary workspace
+crash-check:
 	@set -eu; \
 	tmpdir=$$(mktemp -d /tmp/beachdb-crash.XXXXXX); \
-	trap 'rm -rf "$$tmpdir"' EXIT INT TERM; \
-	writer_db="$$tmpdir/writer-db"; \
-	orchestrator_db="$$tmpdir/orchestrator-db"; \
-	mkdir -p "$$writer_db" "$$orchestrator_db"; \
-	echo "Running writer mode crash loop ($(CYCLES) cycles) in $$writer_db"; \
-	for cycle in $$(seq 1 $(CYCLES)); do \
-		state_file="$$tmpdir/writer-state-$$cycle.txt"; \
-		go run ./cmd/crash --mode=writer --dbdir="$$writer_db" --state="$$state_file" >/dev/null 2>&1 & \
-		pid=$$!; \
-		sleep 0.05; \
-		kill -9 $$pid >/dev/null 2>&1 || true; \
-		wait $$pid >/dev/null 2>&1 || true; \
-	done; \
-	echo "Running orchestrator mode crash loop ($(CYCLES) cycles) in $$orchestrator_db"; \
-	go run ./cmd/crash --mode=orchestrator --dbdir="$$orchestrator_db" --cycles=$(CYCLES)
+	dbdir="$$tmpdir/db"; \
+	artdir="$$tmpdir/artifacts"; \
+	echo "Running crash harness ($(CYCLES) cycles) in $$dbdir"; \
+	echo ""; \
+	go run ./cmd/crash run \
+		--dbdir="$$dbdir" \
+		--artifact-dir="$$artdir" \
+		--cycles=$(CYCLES) \
+		--seed=777 \
+		--ops=64 \
+		--min-delay-ms=10 \
+		--max-delay-ms=30 \
+		--verify-every-cycle=true; \
+	echo ""; \
+	echo "Crash run data kept in "$$tmpdir". Delete it when done: 'rm -rf $$tmpdir'";
 
 ## clean: Remove build artifacts and test output
 clean:
 
@@ -1,25 +1,99 @@
 # crash
 
-Tests database durability by spawning writer subprocesses and killing them with SIGKILL at random intervals.
+`cmd/crash` is BeachDB's controller/worker crash harness.
 
-## Usage
+It generates a deterministic workload, feeds one operation at a time to a
+worker subprocess, kills that subprocess at controlled points, reopens the
+database after every cycle, and verifies that recovered state is consistent
+with the set of acknowledged operations.
 
-```bash
-# Run crash test with 50 cycles (default)
-./bin/crash --dbdir=/tmp/crashtest
+## Subcommands
 
-# Customize cycle count and kill timing
-./bin/crash --dbdir=/tmp/crashtest --cycles=100 --min-delay=5 --max-delay=50
+### `crash run`
 
-# Run writer subprocess manually (for debugging)
-./bin/crash --mode=writer --dbdir=/tmp/testdb --state=/tmp/state.txt
-```
+Runs a new crash harness session.
 
-Example output:
+```bash
+./bin/crash run \
+  --dbdir=/tmp/beachdb-crash-db \
+  --artifact-dir=/tmp/beachdb-crash-artifacts \
+  --cycles=100 \
+  --seed=777 \
+  --ops=500
 ```
-2026/02/08 15:03:32 Starting crash orchestrator: 30 cycles
-2026/02/08 15:03:32 Cycle 0: spawning writer subprocess
-2026/02/08 15:03:32 Cycle 0: killing subprocess with SIGKILL after 47ms
-...
-2026/02/08 15:03:47 Results: 70 recovered, 10 lost out of 80 total
+
+Important flags:
+
+- `--dbdir`: required, must be missing or empty
+- `--artifact-dir`: required, stores the run artifact JSON
+- `--cycles`: number of worker crash/reopen cycles
+- `--seed`: deterministic workload and kill-schedule seed
+- `--ops`: number of logical operations in the generated workload
+- `--profile=ci|full`: deterministic preset profiles
+- `--crash-point`: internal crash point to arm for phase-2 testing
+- `--fault-point`: internal fault point to arm for phase-2 testing
+
+### `crash replay`
+
+Replays a recorded artifact with the same workload and deterministic schedule.
+
+```bash
+./bin/crash replay \
+  --artifact=/tmp/beachdb-crash-artifacts/crash-20260419T213015.123Z.json \
+  --dbdir=/tmp/beachdb-crash-replay-db
 ```
+
+### `crash worker`
+
+Internal subprocess used by `run` and `replay`. It is not intended to be used
+manually.
+
+## Artifact model
+
+Each run writes a JSON artifact containing:
+
+- the run configuration
+- the deterministic seed
+- the full generated workload
+- the ordered worker event stream
+- per-cycle worker metadata and verification results
+- the last acknowledged op ID
+- the first verification failure, if any
+
+Keys and values are base64-encoded so binary payloads survive round-trip
+without newline or text parsing issues.
+
+## Durability contract
+
+The worker emits:
+
+- `ready` after opening the DB
+- `start` immediately before executing an operation
+- `ack` only after the DB call succeeds
+- `fail` if the DB call returns an error
+
+The controller treats:
+
+- `ack`ed operations as required after recovery
+- the single `start`ed-but-not-`ack`ed operation as indeterminate
+- never-started operations as irrelevant to that cycle
+
+Per-cycle verification therefore checks that recovered state matches either:
+
+1. all acknowledged operations only, or
+2. all acknowledged operations plus the one in-flight idempotent operation
+
+## Internal crash and fault points
+
+Phase-2 hook points are internal-only and activated by environment variables
+that the controller passes to the worker:
+
+- crash points:
+  - `wal_after_append`
+  - `wal_after_sync`
+  - `flush_after_file_sync`
+  - `flush_after_publish`
+- fault points:
+  - `wal_sync_error`
+  - `sst_write_error`
+  - `sst_publish_error`
@@ -0,0 +1,157 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+	"time"
+)
+
+// artifactVersion is the JSON schema version for persisted crash artifacts.
+const artifactVersion = 1
+
+// artifact captures a full run or replay transcript for deterministic analysis.
+type artifact struct {
+	Version       int                  `json:"version"`
+	Config        artifactConfig       `json:"config"`
+	Seed          uint64               `json:"seed"`
+	Ops           []operationMessage   `json:"ops"`
+	Cycles        []artifactCycle      `json:"cycles"`
+	Events        []artifactEvent      `json:"events"`
+	LastAckedOpID int                  `json:"last_acked_op_id,omitempty"`
+	Failure       *verificationFailure `json:"failure,omitempty"`
+}
+
+// artifactConfig records the effective run configuration embedded in an artifact.
+type artifactConfig struct {
+	DBDir            string `json:"dbdir"`
+	Cycles           int    `json:"cycles"`
+	MinDelayMS       int    `json:"min_delay_ms"`
+	MaxDelayMS       int    `json:"max_delay_ms"`
+	Ops              int    `json:"ops"`
+	PutRatio         int    `json:"put_ratio"`
+	DeleteRatio      int    `json:"delete_ratio"`
+	BatchRatio       int    `json:"batch_ratio"`
+	MaxKeyLen        int    `json:"max_key_len"`
+	MaxValueLen      int    `json:"max_value_len"`
+	HotKeyRatio      int    `json:"hot_key_ratio"`
+	VerifyEveryCycle bool   `json:"verify_every_cycle"`
+	Profile          string `json:"profile"`
+	CrashPoint       string `json:"crash_point,omitempty"`
+	FaultPoint       string `json:"fault_point,omitempty"`
+}
+
+// artifactCycle stores cycle-level worker execution and verification metadata.
+type artifactCycle struct {
+	Index              int                  `json:"index"`
+	WorkerPID          int                  `json:"worker_pid"`
+	PlannedKillDelayMS int                  `json:"planned_kill_delay_ms"`
+	ActualEndUnixMilli int64                `json:"actual_end_unix_ms"`
+	ExitCode           int                  `json:"exit_code"`
+	LastEvent          *artifactEventRef    `json:"last_event,omitempty"`
+	Verification       artifactVerification `json:"verification"`
+	CrashPoint         string               `json:"crash_point,omitempty"`
+	FaultPoint         string               `json:"fault_point,omitempty"`
+}
+
+// artifactVerification stores verification summary data for one cycle.
+type artifactVerification struct {
+	CheckedKeys int   `json:"checked_keys"`
+	Allowed     []int `json:"allowed_optional_ops,omitempty"`
+}
+
+// artifactEventRef points to the last event seen for a cycle.
+type artifactEventRef struct {
+	Kind eventKind `json:"kind"`
+	OpID int       `json:"op_id,omitempty"`
+}
+
+// artifactEvent is one timestamped worker/controller protocol event.
+type artifactEvent struct {
+	Cycle int          `json:"cycle"`
+	Time  int64        `json:"time_unix_ms"`
+	Event eventMessage `json:"event"`
+}
+
+// newArtifact constructs an artifact with encoded operations and config metadata.
+func newArtifact(cfg runConfig, ops []operation) *artifact {
+	encodedOps := make([]operationMessage, len(ops))
+	for i, op := range ops {
+		encodedOps[i] = op.toMessage()
+	}
+
+	return &artifact{
+		Version: artifactVersion,
+		Config: artifactConfig{
+			DBDir:            cfg.DBDir,
+			Cycles:           cfg.Cycles,
+			MinDelayMS:       cfg.MinDelayMS,
+			MaxDelayMS:       cfg.MaxDelayMS,
+			Ops:              cfg.Ops,
+			PutRatio:         cfg.PutRatio,
+			DeleteRatio:      cfg.DeleteRatio,
+			BatchRatio:       cfg.BatchRatio,
+			MaxKeyLen:        cfg.MaxKeyLen,
+			MaxValueLen:      cfg.MaxValueLen,
+			HotKeyRatio:      cfg.HotKeyRatio,
+			VerifyEveryCycle: cfg.VerifyEveryCycle,
+			Profile:          cfg.Profile,
+			CrashPoint:       cfg.CrashPoint,
+			FaultPoint:       cfg.FaultPoint,
+		},
+		Seed: cfg.Seed,
+		Ops:  encodedOps,
+	}
+}
+
+// createArtifactPath returns a timestamped artifact filename in the given directory.
+func createArtifactPath(dir string) string {
+	return filepath.Join(dir, fmt.Sprintf("crash-%s.json", time.Now().UTC().Format("20060102T150405.000Z")))
+}
+
+// loadArtifact reads and validates an artifact file and decodes its operations.
+func loadArtifact(path string) (*artifact, []operation, error) {
+	//nolint:gosec // artifact path is an explicit user-selected local file
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return nil, nil, fmt.Errorf("reading artifact: %w", err)
+	}
+
+	var art artifact
+	if err := json.Unmarshal(data, &art); err != nil {
+		return nil, nil, fmt.Errorf("decoding artifact: %w", err)
+	}
+	if art.Version != artifactVersion {
+		return nil, nil, fmt.Errorf("unsupported artifact version %d", art.Version)
+	}
+
+	ops := make([]operation, len(art.Ops))
+	for i, msg := range art.Ops {
+		op, err := msg.toOperation()
+		if err != nil {
+			return nil, nil, fmt.Errorf("decoding artifact operation %d: %w", i, err)
+		}
+		ops[i] = op
+	}
+
+	return &art, ops, nil
+}
+
+// saveArtifact atomically writes an artifact to disk via temp-file rename.
+func saveArtifact(path string, art *artifact) error {
+	data, err := json.MarshalIndent(art, "", "  ")
+	if err != nil {
+		return fmt.Errorf("encoding artifact: %w", err)
+	}
+
+	tmpPath := path + ".tmp"
+	if err := os.WriteFile(tmpPath, append(data, '\n'), 0o600); err != nil {
+		return fmt.Errorf("writing artifact temp file: %w", err)
+	}
+	if err := os.Rename(tmpPath, path); err != nil {
+		return fmt.Errorf("renaming artifact temp file: %w", err)
+	}
+
+	return nil
+}