feat(vector): complete vector search engine — SIMD, TurboQuant, HNSW, MVCC, IVF, GPU

[TinDang97]

Summary

Full vector search engine for moon, implementing Redis-compatible FT.CREATE, FT.SEARCH, FT.DROPINDEX, and FT.INFO commands with a high-performance custom backend.

25,273 lines added across 94 files, 146 commits, 14 phases (59–72).

Core Architecture

• SIMD distance engine — L2, cosine, dot-product with AVX2/AVX-512/NEON kernels + scalar fallback, VPSHUFB FastScan for IVF
• TurboQuant 4-bit encoder — Lloyd-Max codebook, FWHT (scalar + AVX2 + NEON), nibble packing, multi-bit (1/2/3-bit) ADC, sub-centroid LUT scoring
• HNSW index — layered navigable small-world graph with BFS reorder, dual prefetch, beam search, Light/Exact build modes
• Segment architecture — mutable (brute-force f32) → immutable (HNSW + TQ) compaction pipeline with recall verification
• MVCC — snapshot isolation with TransactionManager, visibility checks, dirty-set merge
• Filtered search — Roaring bitmap PayloadIndex, ACORN 2-hop expansion, cost-based strategy selection
• IVF + FastScan — inverted file index with k-means clustering, FAISS-interleaved posting lists
• Persistence — WAL records with CRC32 framing, segment disk I/O with checksums, crash recovery
• GPU scaffold — gpu-cuda feature flag, CAGRA build kernel, batch FWHT, GPU-aware compaction (CPU fallback)

Redis Integration

• FT.CREATE / FT.DROPINDEX / FT.INFO / FT.SEARCH wired through command dispatch + shard routing
• HSET auto-indexing hook + DEL/HDEL/UNLINK auto-delete
• Multi-shard scatter-gather search coordinator
• Per-index configurable EF_RUNTIME and COMPACT_THRESHOLD

Performance Highlights

• 2.4× Redis QPS and 17× Qdrant QPS in fair TCP benchmarks (server-mode, 384d vectors)
• 31K inserts/s on real MiniLM-L6 768d embeddings
• 92% recall@10 with TQ 4-bit compression (vs 95% Redis HNSW, 96% Qdrant)
• Sub-centroid LUT scoring eliminates f32 reranking → +23% QPS
• Light build mode: 5× less memory, faster compaction

Bug Fixes (7 critical)

• BitVec indexing bug causing HNSW recall collapse
• Dimension-adaptive codebook (σ=1/√dim, not hardcoded)
• DashTable get_mut-after-insert panic
• SPSC self-send crash in FT.* routing
• f32 reranking restore (recall 0.18 → 0.99)
• Dense Gaussian QJL restore (recall 88% → 94.5%)
• Mutable segment uses f32 brute-force, not TQ-ADC

Testing

• Unit tests for all SIMD paths (scalar, AVX2, AVX-512, NEON)
• Edge case + stress tests (10K interleaved ops + compaction)
• Memory audit validating per-vector overhead budget
• Recall benchmarks (f32 baseline + TQ compressed)
• Criterion benchmarks for distance kernels, HNSW build/search, FWHT
• Competitive benchmark scripts vs Redis 8.6.1 and Qdrant

Test plan

• cargo test --no-default-features --features runtime-tokio,jemalloc passes
• cargo clippy -- -D warnings clean
• Vector edge case tests pass (tests/vector_edge_cases.rs)
• Vector stress tests pass (tests/vector_stress.rs)
• Memory audit passes (tests/vector_memory_audit.rs)
• Recall benchmark validates >85% recall@10 (tests/vector_recall_benchmark.rs)
• Server-mode FT.CREATE → HSET → FT.SEARCH pipeline works end-to-end
• Multi-shard vector search returns merged results

Summary by CodeRabbit

• New Features

  • Interactive vector search (FT.*): index lifecycle, KNN queries (HNSW/IVF), TurboQuant compression, payload filters, MVCC snapshots, auto-indexing on HSET, cross-shard scatter/merge, optional GPU helpers, persistent segments, compaction/vacuum, and vector metrics in INFO.

• Bug Fixes

  • Prevented panic during hash creation and improved lookup robustness.

• Documentation

  • Added a comprehensive vector-search user guide with quick start, tuning, and examples.

• Chores

  • Added extensive benchmarks, profiling and competitor-comparison scripts.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds a full vector-search subsystem and integration: new public vector crate (aligned buffers, TurboQuant, IVF, HNSW, segments, MVCC, filtering, persistence), runtime-selected SIMD dispatch and optional GPU stubs, Redis-style FT.* commands with cross-shard routing and auto-indexing, WAL/frame formats and recovery, extensive Criterion benches and benchmarking scripts, and wiring into server/shard/connection dispatch.

Changes

Cohort / File(s)	Summary
Manifest & build Cargo.toml, build.rs, .planning, src/lib.rs, src/main.rs	Add CUDA-detection build script, new GPU-optional feature/deps and bench targets, update submodule pointer, export vector module, and call vector distance init at startup.
Public vector entry & exports src/vector/mod.rs, src/vector/...	Introduce top-level vector module exposing many submodules (aligned_buffer, distance, turbo_quant, hnsw, segment, persistence, gpu, metrics, mvcc, filter, store, types).
Distance kernels & dispatch src/vector/distance/mod.rs, src/vector/distance/{scalar,avx2,avx512,neon,fastscan}.rs	Add scalar and arch-specific SIMD kernels, FastScan IVF kernel, and a runtime-selected DistanceTable dispatch with init/table accessors.
HNSW & search src/vector/hnsw/...	Add HNSW builder, BFS-ordered immutable graph, layer-0 beam search (filtered and sub-centroid variants), SearchScratch/BitVec utilities and search_sq implementation.
Segments, IVF & compaction src/vector/segment/{mutable,immutable,ivf,compaction,holder,mod}.rs	New mutable append-only segments with MVCC, immutable segments, IVF posting lists/interleave logic, compaction pipeline (CPU + GPU try-path), and ArcSwap-backed SegmentHolder with merged search APIs.
TurboQuant & aligned buffer src/vector/turbo_quant/{codebook,collection}.rs, src/vector/aligned_buffer.rs	Codebook scaling, collection metadata (FWHT sign flips, checksum, QJL matrices), and a 64-byte aligned AlignedBuffer type.
Persistence & WAL framing src/vector/persistence/{wal_record,segment_io,recovery}.rs, src/persistence/wal.rs	Vector-specific WAL framing (to/from frames), immutable segment I/O, recovery replay, and WalWriter.append_vector_record to buffer vector frames without incrementing cmd count.
MVCC & filtering src/vector/mvcc/{manager,visibility}.rs, src/vector/filter/{expression,payload_index,selectivity,mod}.rs	Transaction manager, visibility predicate, filter AST, payload inverted index using Roaring bitmaps, and cost-based filter selectivity strategy.
Store, metrics & auto-indexing src/vector/store.rs, src/vector/metrics.rs, src/shard/spsc_handler.rs	Per-shard VectorStore/VectorIndex lifecycle, compaction trigger, global atomic metrics, SPSC handler integration, dispatch_vector_command, and auto_index_hset_public side-effect on HSET.
Sharding & coordinator src/shard/{shared_databases,dispatch,event_loop,coordinator,mod}.rs, src/shard/spsc_handler.rs	Per-shard vector_store in shared DBs, new ShardMessage variants for VectorSearch/VectorCommand, scatter/broadcast helpers, event-loop and SPSC drain updated to accept vector_store.
Connection & server wiring src/server/conn/{handler_single.rs,handler_sharded.rs,handler_monoio.rs,mod.rs,listener.rs,tests.rs}	Early FT.* intercepts in connection handlers with local/remote routing, broadcasting for lifecycle commands, auto-index side-effects after HSET/DEL/HDEL, and listener passing shared VectorStore to connections.
Command layer & metadata src/command/vector_search.rs, src/command/mod.rs, src/command/metadata.rs, src/command/connection.rs	New Redis-style FT.* handlers (FT.CREATE/SEARCH/INFO/DROPINDEX/COMPACT), ACL SEARCH category, parsing/response shaping, and INFO vector metrics insertion.
GPU infra & CUDA kernels (stubs) src/vector/gpu/{mod,context,error,fwht_kernel,cagra}.rs, src/gpu/kernels/{turbo_quant_wht.cu,cagra_build.cu}	GPU context/error types and FWHT/CAGRA kernel stubs, try-GPU helpers; CUDA detection present but kernel compilation/loading not wired (functions short-circuit when CUDA unavailable).
Benches & tooling scripts benches/{distance_bench,fwht_bench,hnsw_bench}.rs, scripts/*, scripts/bench-vs-competitors.py	Add Criterion benches (distance, FWHT, HNSW) and many orchestration scripts (bash + Python) for benchmarking, profiling, production runs, and competitor comparisons.
Core fixes & tests src/storage/{dashtable/mod.rs,dashtable/segment.rs,db.rs}, src/server/conn/tests.rs	New regression tests, Segment::find extended fallback scan across groups, safer get_or_create_hash error handling, and minor test adjustments.
Docs & reports docs/vector-search-guide.md, scripts/bench-server-mode.sh	Comprehensive vector-search user guide and benchmark orchestration/reporting utilities.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    actor Client
    participant Conn as Connection Handler
    participant Coord as Shard Coordinator
    participant ShardA as Local Shard
    participant ShardB as Remote Shard
    participant StoreA as VectorStore (A)
    participant StoreB as VectorStore (B)
    participant Segs as Segments/HNSW

    Client->>Conn: FT.SEARCH index KNN ... PARAMS (query_blob) [FILTER?]
    Conn->>Coord: scatter_vector_search_remote(index, query_blob, k)
    Coord->>StoreA: search_local_filtered(index, query_blob, k)  -- local
    StoreA->>Segs: segments.search_filtered(...)
    Segs-->>StoreA: local top-K Frame
    Coord->>ShardB: SPSC VectorSearch {index, query_blob, k}
    ShardB->>StoreB: search_local_filtered(...)  -- remote
    StoreB-->>ShardB: remote top-K Frame (oneshot reply)
    ShardB-->>Coord: oneshot reply Frame
    Coord->>Coord: merge_search_results([local, remote], k)
    Coord-->>Conn: merged Frame
    Conn-->>Client: RESP Array(results)

Loading

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~120 minutes

Possibly related issues

• GPU: compile FWHT CUDA kernel via build.rs PTX pipeline #28 — build.rs + CUDA/FWHT kernel: PR adds CUDA detection, a FWHT kernel template, and gpu_batch_fwht stubs that overlap the issue requesting compilation/loading of .cu and implementing gpu_batch_fwht.

Possibly related PRs

• feat: sharded pub/sub + multi-shard scaling optimizations #18 — overlaps in connection handler and sharded routing changes for FT.* commands (handler_monoio/handler_sharded).
• feat: multi-shard scaling #17 — overlaps in shard/shared_databases and SPSC dispatch changes affecting cross-shard vector message flow.
• v0.1.1 Structural Stability — codebase refactoring for maintainability #13 — related command registry/metadata edits and addition of FT.* command metadata.

Suggested labels

enhancement

Poem

🐰
I hopped through code in morning light,
Packed centroids, graphs take flight,
FWHT twirls, and shards all sing,
Queries hop — a joyful spring,
A tiny rabbit built search bright.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/vector-engine

[coderabbitai]

Actionable comments posted: 10

Note

Due to the large number of review comments, Critical severity comments were prioritized as inline comments.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/storage/db.rs (1)

557-570: ⚠️ Potential issue | 🟠 Major

Remove the unwrap() on line 569 and use pattern matching instead.

Inside the if let guard at line 567, after converting the listpack to a HashMap, the code calls as_redis_value_mut().unwrap() again on line 569 to assign the result. This violates the no-unwrap() rule for library code. Instead, restructure to mutate through a pattern match that safely handles the reassignment without unwrap—either by separating the conversion from the reassignment block or by using a match statement that covers all cases.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/storage/db.rs` around lines 557 - 570, The code currently calls unwrap()
on entry.value.as_redis_value_mut() after detecting a RedisValue::HashListpack;
instead, in the get_or_create_hash flow mutate safely by matching
entry.value.as_redis_value_mut() again (or by using if let Some(rv) =
entry.value.as_redis_value_mut() { match rv { RedisValue::HashListpack(_) => *rv
= RedisValue::Hash(map), _ => { /* no-op or return Err */ } } }) so you replace
the unwrap with a pattern match that assigns RedisValue::Hash(map) to the same
mutable reference only when it is present and of the expected variant; reference
the variables/functions entry, as_redis_value_mut, RedisValue::HashListpack and
RedisValue::Hash when making this change.

🟠 Major comments (14)

scripts/bench-vs-competitors.py-551-556 (1)

551-556: ⚠️ Potential issue | 🟠 Major

Add timeout to requests calls to prevent hangs.

Multiple requests calls lack timeout parameters (lines 551, 570, 585, 591, 610, 624, 1051, 1062, 1069, 1082). If Qdrant becomes unresponsive, the benchmark script will hang indefinitely.

Proposed fix — add timeout to all requests calls

-    resp = requests.put(f"{base}/collections/bench", json={
+    resp = requests.put(f"{base}/collections/bench", json={
         "vectors": {"size": d, "distance": "Euclid"},
         "optimizers_config": {"default_segment_number": 2, "indexing_threshold": 0},
         "hnsw_config": {"m": 16, "ef_construct": 200}
-    })
+    }, timeout=30)

Apply similarly to all other requests.put, requests.post, and requests.get calls.

Also applies to: 570-574, 585-591, 610-612, 624-628

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/bench-vs-competitors.py` around lines 551 - 556, The requests calls
in the benchmark script (e.g., the requests.put that creates the "bench"
collection) lack timeout parameters and can hang if Qdrant is unresponsive;
update every requests.put/requests.post/requests.get invocation (including the
calls around the shown requests.put and the other locations noted) to pass a
sensible timeout argument (e.g., timeout=10) so the HTTP call raises on timeout,
and handle/propagate exceptions consistently where needed (same pattern for all
requests.* usages in this file).

src/vector/filter/payload_index.rs-68-114 (1)

68-114: ⚠️ Potential issue | 🟠 Major

NOT needs the live-ID set, not just total_vectors.

0..total_vectors is only the correct complement universe if valid internal IDs are always exactly that dense range. Since this type also supports remove(), that invariant is easy to break and NOT can admit dead IDs or miss live ones depending on how callers compute total_vectors. Pass an explicit live/visible bitmap into evaluate_bitmap() and complement against that instead.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/filter/payload_index.rs` around lines 68 - 114, The Not branch of
evaluate_bitmap currently builds a universe via insert_range(0..total_vectors)
which assumes dense contiguous live IDs; instead change evaluate_bitmap to
accept an explicit live/visible bitmap (e.g., pass a &RoaringBitmap or
RoaringBitmap reference) and use that bitmap as the universe when handling
FilterExpr::Not (replace the insert_range/universe construction with a
complement against the provided live bitmap). Update all recursive calls to
evaluate_bitmap (including the And/Or/Not branches) to propagate the new
live/visible bitmap parameter so complements are computed against the actual
live-ID set rather than total_vectors.

src/vector/distance/scalar.rs-17-24 (1)

17-24: ⚠️ Potential issue | 🟠 Major

Fail fast on dimension mismatch in release builds.

debug_assert_eq! disappears in release, and zip() truncates to the shorter slice. That lets the scalar fallback/reference kernels return a score for malformed input instead of surfacing the bug.

💡 Minimal fix

-    debug_assert_eq!(a.len(), b.len(), "l2_f32: dimension mismatch");
+    assert_eq!(a.len(), b.len(), "l2_f32: dimension mismatch");

Apply the same change to l2_i8, dot_f32, and cosine_f32.

Also applies to: 34-41, 51-57, 70-85

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/distance/scalar.rs` around lines 17 - 24, The functions l2_f32,
l2_i8, dot_f32, and cosine_f32 currently use debug_assert_eq! and zip(), which
in release builds can silently truncate mismatched slices; change the fast-fail
to a runtime check (e.g., assert_eq!(a.len(), b.len(), "…") or an explicit if
check that panics with a clear message) before iterating, and then you can
safely use zip() or indexed iteration — ensure each function performs this
length check so malformed input panics in release instead of producing a wrong
score.

src/vector/gpu/mod.rs-43-55 (1)

43-55: ⚠️ Potential issue | 🟠 Major

Don't open CUDA device 0 for every GPU attempt.

Both helpers call GpuContext::new(0) per operation. That adds repeated device/context setup, defeats shard-owned pooling/batching, and forces all shards through device 0. Hold a long-lived shard-owned GPU worker/context and reuse it here.

Based on learnings: Per-shard HNSW index for vector search — no cross-shard GPU sharing; Never allocate GPU memory per-request — use a pre-allocated pool; Accumulate GPU work in a queue, dispatch to GPU when batch is full or timeout fires; Free GPU memory on shard shutdown, not per-operation.

Also applies to: 68-80

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/gpu/mod.rs` around lines 43 - 55, The code currently calls
GpuContext::new(0) inside the per-request path (seen around GpuContext::new and
gpu_build_hnsw), which repeatedly creates device 0 contexts and allocates GPU
memory per operation; instead, create and own a long-lived per-shard GPU
worker/manager that holds a persistent GpuContext, a pre-allocated memory pool
and a batching queue; change gpu_build_hnsw and call sites to accept/lookup this
shard-owned worker (not call GpuContext::new), enqueue work into the worker's
batch queue, dispatch to GPU when batch size or timeout triggers, and release
GPU memory only when the shard/worker shuts down via its drop/shutdown method —
ensure functions referencing GpuContext::new and gpu_build_hnsw are updated to
use the shared worker API and avoid per-request GPU allocation.

src/shard/coordinator.rs-719-723 (1)

719-723: ⚠️ Potential issue | 🟠 Major

Don't turn a missing shard into a partial “successful” FT.SEARCH.

Ignoring recv() failures means merge_search_results() runs on a subset of shards and returns an incomplete global top-K with no signal to the caller. Fail closed here, or make partial results explicit.

💡 Minimal fix

-            Err(_) => {} // shard disconnected, skip
+            Err(_) => {
+                return Frame::Error(Bytes::from_static(
+                    b"ERR vector search incomplete: cross-shard reply channel closed",
+                ));
+            }

Also applies to: 775-778

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/shard/coordinator.rs` around lines 719 - 723, The loop in coordinator.rs
that iterates receivers and currently swallows rx.recv().await errors (in the
block that pushes into shard_responses and similarly at the 775-778 spot) must
not treat a disconnected shard as a silent success; instead propagate a failure
or surface partial results explicitly. Modify the receive loop(s) (where
rx.recv().await is matched) to return an Err (or propagate a Result) from the
enclosing function (e.g., the coordinator search function that calls
merge_search_results) when rx.recv() returns Err, or alternatively set and
return a clear PartialResults error/flag so callers know the global top-K is
incomplete; update the caller signatures/return types as needed to carry the
error/partial-result signal rather than continuing to call merge_search_results
on a subset of shards.

scripts/profile-vector.sh-127-130 (1)

127-130: ⚠️ Potential issue | 🟠 Major

Replace -perm +111 with a portable executable check

The -perm +111 syntax is not supported by current GNU find (v4.9.0), causing benchmark binary discovery to fail on Linux systems.

Portable alternative

-BENCH_BIN=$(find target/release/deps -name "${BENCH_NAME}-*" -type f -perm +111 2>/dev/null | head -1)
+BENCH_BIN=$(find target/release/deps -name "${BENCH_NAME}-*" -type f \
+    -exec test -x {} \; -print 2>/dev/null | head -1)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/profile-vector.sh` around lines 127 - 130, The find invocation that
sets BENCH_BIN uses the non-portable "-perm +111"; update it to a portable
executable check such as "-perm /111" or the more readable "-executable" so
benchmark discovery works on current GNU find versions — e.g., change the line
that defines BENCH_BIN (the find command referencing BENCH_NAME) to use "-perm
/111" or "-executable" instead of "-perm +111" and keep the rest of the pipeline
(2>/dev/null | head -1) unchanged.

scripts/bench-vector-production.sh-27-39 (1)

27-39: ⚠️ Potential issue | 🟠 Major

Heredoc variable expansion won't work as intended.

The cat <<'HEADER' uses single-quoted delimiter which prevents variable expansion. The $(date ...), $(sysctl ...), and $(rustc ...) commands on lines 30-32 will be printed literally rather than executed.

🐛 Fix: Use unquoted heredoc delimiter

-cat <<'HEADER'
+cat <<HEADER
 # Moon Vector Engine — Production Benchmark Report
 
 **Date:** $(date -u +"%Y-%m-%d %H:%M UTC")
 **Hardware:** $(sysctl -n machdep.cpu.brand_string 2>/dev/null || lscpu 2>/dev/null | grep "Model name" | cut -d: -f2 | xargs)
 **Rust:** $(rustc --version)
 **Profile:** release (opt-level=3, lto=fat, codegen-units=1)
 **Features:** runtime-tokio, jemalloc
-**RUSTFLAGS:** -C target-cpu=native
+**RUSTFLAGS:** $RUSTFLAGS_OPT
 
 ---
 
 HEADER

Without this fix, the report header will contain literal $(date ...) text instead of the actual date.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/bench-vector-production.sh` around lines 27 - 39, The heredoc uses a
single-quoted delimiter (cat <<'HEADER') which prevents shell expansion so
$(date ...), $(sysctl ...), and $(rustc ...) are printed literally; change the
heredoc to an unquoted delimiter (cat <<HEADER) so those command substitutions
and variables are expanded in the generated header (keep the same HERADER token
and content, only remove the surrounding single quotes).

src/vector/segment/compaction.rs-156-330 (1)

156-330: ⚠️ Potential issue | 🟠 Major

compact() never actually enforces MIN_RECALL.

verify_recall() and CompactionError::RecallTooLow are dead right now—the function builds/persists/returns the segment without ever measuring recall, and the test only checks for Ok. A low-recall graph would still ship.

Also applies to: 515-519

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/segment/compaction.rs` around lines 156 - 330, compact() currently
never checks MIN_RECALL; call verify_recall(...) after the HNSW graph is built
(the local graph variable) and before proceeding to BFS reorder / constructing
the ImmutableSegment, and if it reports recall below threshold return
Err(CompactionError::RecallTooLow(...)) so we don't build/persist low-recall
segments; ensure the persistence path (persist and
segment_io::write_immutable_segment) only runs after verify_recall passes and
adjust the control flow around ImmutableSegment::new accordingly.

scripts/bench-vector-vs-competitors.sh-395-449 (1)

395-449: ⚠️ Potential issue | 🟠 Major

The Moon numbers in this section are estimates, not measurements.

This block prints hard-coded build/search timings and scales them heuristically by n, while Redis and Qdrant run the actual generated workload. The quick Criterion calls below are also fixed to the canned 10K benchmark cases, so the final comparison is not apples-to-apples for the selected dataset.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/bench-vector-vs-competitors.sh` around lines 395 - 449, The Moon
benchmark uses hard-coded timing constants and heuristics (build_per_10k,
search_ef128_us, search_latency_us) and the Criterion calls are fixed to canned
10K cases (cargo bench --bench hnsw_bench with
"hnsw_search"/"hnsw_search_ef/ef/128"/"search_768d"/"ef_768d/128"), causing an
unfair apples-to-apples comparison; fix by either (A) running real measurements
for the requested dataset by parameterizing the Python estimation to accept
measured timing inputs or by invoking Criterion with the actual NUM_VECTORS and
DIM (replace the fixed benchmark names with ones derived from DIM/NUM_VECTORS),
or (B) clearly annotate and isolate these outputs as estimates and remove them
from any automated comparisons; update the Python block (variables:
build_per_10k, search_us, search_ef128_us, search_latency_us) and the cargo
bench invocations (bench name strings passed to cargo) accordingly so the script
measures or labels Moon consistently with Redis/Qdrant.

src/vector/hnsw/search_sq.rs-146-205 (1)

146-205: 🛠️ Refactor suggestion | 🟠 Major

Add explicit scalar-fallback coverage here.

These tests only exercise whatever distance::table().l2_f32 dispatches to on the current host, so a broken scalar fallback or architecture-specific SIMD path can still slip through. Please add one test that forces the scalar implementation and another that exercises the SIMD-dispatched path. As per coding guidelines "SIMD code must always provide a scalar fallback for non-x86_64 architectures" and "Add unit tests for both SIMD and scalar paths".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/hnsw/search_sq.rs` around lines 146 - 205, Add two unit tests that
call measure_recall but force the distance implementation mode before generating
vectors: one test should enable the scalar fallback (e.g.
distance::force_scalar(true) or equivalent API in distance module) then call
measure_recall (use same parameters as an existing test) and assert recall, and
the other should enable the SIMD/dispatched path (e.g.
distance::force_simd(true) or distance::force_scalar(false)) then call
measure_recall and assert recall; use the same helpers hnsw_search_f32 and
distance::table().l2_f32 context so the tests exercise the same logic but with
explicit scalar vs SIMD selection, and remember to restore/reset the distance
mode after each test if the distance module uses global state.

src/vector/mvcc/manager.rs-27-28 (1)

27-28: ⚠️ Potential issue | 🟠 Major

txn_id as u32 truncation will cause correctness bugs after 4 billion transactions.

Multiple locations truncate u64 txn_id to u32 for RoaringBitmap storage. After u32::MAX transactions:

• is_committed(4_294_967_296) will check bit 0, returning a false positive
• Two different transactions could map to the same bit, causing phantom commits

The comment acknowledges this limit but doesn't prevent it. Consider:

1. Adding a runtime check when txn_id exceeds u32::MAX
2. Using a different data structure (e.g., HashSet<u64>)
3. Periodic committed set truncation (remove txn_ids older than oldest_snapshot)

Option: Add overflow check

pub fn commit(&mut self, txn_id: u64) -> bool {
    if txn_id > u32::MAX as u64 {
        tracing::error!("txn_id {} exceeds u32::MAX, committed bitmap overflow", txn_id);
        // Consider: panic, or use alternate tracking
    }
    // ...
}

Also applies to: 94-96, 117-117, 136-138

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/mvcc/manager.rs` around lines 27 - 28, The code currently
truncates u64 txn_id to u32 for RoaringBitmap operations (e.g., in functions
commit, is_committed, uncommit and where the bitmap variable
committed/committed_set is used) which will wrap after u32::MAX; add a runtime
guard at every conversion site that checks if txn_id > u32::MAX as u64 and
handle it deterministically (choose one strategy: log and return an error/false,
panic with a clear message, or switch to an alternate tracker for overflowed
ids), and update the surrounding call sites to propagate or handle that error
path; ensure the check is applied wherever txn_id is cast to u32 so no silent
truncation can occur.

src/vector/persistence/recovery.rs-196-210 (1)

196-210: ⚠️ Potential issue | 🟠 Major

Delete operations must be tracked for transaction rollback to maintain MVCC correctness.

When a transaction performs a VectorDelete and then aborts, the entry's deletion should be undone so the entry becomes visible again. Currently, deletes are not added to pending_txns (unlike inserts), so TxnAbort has no record of which entries were deleted by the transaction. The mark_deleted() call sets delete_lsn but there is no mechanism to reverse it during rollback. This violates ACID semantics: an aborted transaction's delete effects should not persist.

Add deleted internal_ids to the transaction's pending_txns entry, or introduce a parallel pending_deletes structure to track deletions for rollback.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/persistence/recovery.rs` around lines 196 - 210, VectorDelete
currently marks entries deleted via state.mutable.mark_deleted(internal_id,
next_lsn) but does not record the internal_id for rollback, so aborted
transactions cannot undo deletes; update the VectorWalRecord::VectorDelete
handling to record the deleted internal_id under the transaction's entry in
pending_txns (or add a parallel pending_deletes collection keyed by txn_id) so
that TxnAbort logic can look up and call state.mutable.unmark_deleted/internal
undo for each recorded internal_id; ensure you add the internal_id when it
exists (use states.get(collection_id) and state.point_map.get(point_id)), store
it under the same txn_id used for inserts, and adjust the TxnAbort rollback code
paths that iterate pending_txns to process these recorded deletions and reverse
mark_deleted.

src/shard/spsc_handler.rs-265-296 (1)

265-296: ⚠️ Potential issue | 🟠 Major

Auto-indexing logic missing from batch and slotted execution paths.

HSET auto-indexing (lines 265–273) and delete-marking (lines 277–296) are implemented only in the Execute variant. The MultiExecute, PipelineBatch, ExecuteSlotted, and PipelineBatchSlotted variants all execute commands via cmd_dispatch() and can process HSET/DEL/HDEL/UNLINK commands, but lack the subsequent auto-indexing post-processing. This means vectors won't be indexed if these commands arrive through batch or slotted paths.

Extract the auto-indexing and delete-marking logic into a shared helper function (the public wrapper auto_index_hset_public already exists at line 892) and call it from all execution variants, or document and enforce that vector-related HSET/delete operations are routed exclusively through Execute.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/shard/spsc_handler.rs` around lines 265 - 296, Auto-indexing and
delete-marking for HSET/DEL/HDEL/UNLINK are only applied in the Execute path;
move that logic into the existing public wrapper auto_index_hset_public (or a
new shared helper) and invoke it after cmd_dispatch returns in all execution
variants (MultiExecute, PipelineBatch, ExecuteSlotted, PipelineBatchSlotted as
well as Execute). Specifically, call the helper with the same args used in the
Execute branch so it runs the auto_index_hset behavior and calls
vector_store.mark_deleted_for_key(...) for delete commands; ensure you detect
command bytes (cmd.eq_ignore_ascii_case(b"HSET"/b"DEL"/b"HDEL"/b"UNLINK")) and
check for non-error frames before invoking the helper to preserve existing
semantics.

src/vector/store.rs-205-220 (1)

205-220: ⚠️ Potential issue | 🟠 Major

Recovered segment attachment will fail—recovered segments are keyed by original collection_id but lookup uses newly assigned collection_id.

The recovery process preserves original collection_ids from WAL/persisted data in RecoveredState.collections (HashMap<u64, RecoveredCollection>). When attach_recovered() is called, these are stored in pending_segments with their original ids as keys. However, in create_index() at line 206, the code tries to match using collection_id from next_collection_id (line 181), which is a newly assigned sequential id. These will never match, so recovered segments will never be attached and are effectively lost.

🟡 Minor comments (9)

src/storage/dashtable/segment.rs-319-328 (1)

319-328: ⚠️ Potential issue | 🟡 Minor

Add // SAFETY: comment for the unsafe match_h2 call at line 326.

Line 326 calls unsafe { self.ctrl[g].match_h2(h2) } without a // SAFETY: comment. The x86_64 version of match_h2 is defined as pub unsafe fn in simd.rs (requires SSE2), but there is no documentation explaining why the call is safe here. Other unsafe blocks in this file (e.g., line 333) properly document their safety invariants.

Add a // SAFETY: comment before line 326 explaining the preconditions that make this call safe (e.g., that ctrl[g] is properly initialized, and the x86_64 branch assumes SSE2 availability via the compilation target).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/storage/dashtable/segment.rs` around lines 319 - 328, Add a // SAFETY:
comment immediately before the unsafe call to self.ctrl[g].match_h2(h2) (the
x86_64 branch) documenting the invariants that make the unsafe pub unsafe fn
match_h2 call safe here: state that ctrl[g] has been properly initialized and
contains valid bytes for SIMD processing, that h2 is a valid input for match_h2,
and that on the x86_64 compilation target SSE2 (or required SIMD feature) is
guaranteed by the target_arch cfg so the caller may use the unsafe SIMD
implementation; ensure the comment mirrors the style/level of detail used for
other unsafe blocks in this file (e.g., the one at line 333) and references
ctrl, g, and h2 to locate the invariant scope.

src/vector/distance/avx2.rs-410-429 (1)

410-429: ⚠️ Potential issue | 🟡 Minor

Empty vector test for cosine_f32 is missing.

The test_empty_vectors function tests l2_f32, dot_f32, and l2_i8 for empty inputs, but omits cosine_f32. An empty vector has zero norm, so cosine_f32 should return 1.0.

🧪 Proposed fix to add empty vector test for cosine

     #[test]
     fn test_empty_vectors() {
         if !has_avx2_fma() {
             return;
         }
         let a: &[f32] = &[];
         let b: &[f32] = &[];
         // SAFETY: AVX2+FMA verified above.
         unsafe {
             assert_eq!(l2_f32(a, b), 0.0);
             assert_eq!(dot_f32(a, b), 0.0);
+            assert_eq!(cosine_f32(a, b), 1.0);
         }
 
         let ai: &[i8] = &[];
         let bi: &[i8] = &[];
         // SAFETY: AVX2+FMA verified above.
         unsafe {
             assert_eq!(l2_i8(ai, bi), 0);
         }
     }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/distance/avx2.rs` around lines 410 - 429, The test_missing is that
test_empty_vectors checks l2_f32, dot_f32 and l2_i8 but omits cosine_f32; update
test_empty_vectors to also assert that unsafe { cosine_f32(a, b) } == 1.0 for
the empty f32 slices (keeping the existing has_avx2_fma() guard and SAFETY
comment), so the test verifies cosine_f32 returns 1.0 for zero-norm inputs.

src/vector/distance/neon.rs-374-390 (1)

374-390: ⚠️ Potential issue | 🟡 Minor

Empty vector test for cosine_f32 is also missing here.

Same issue as AVX2 module - test_empty_vectors tests l2/dot but not cosine.

🧪 Proposed fix

     #[test]
     fn test_empty_vectors() {
         let a: &[f32] = &[];
         let b: &[f32] = &[];
         // SAFETY: NEON is baseline on AArch64.
         unsafe {
             assert_eq!(l2_f32(a, b), 0.0);
             assert_eq!(dot_f32(a, b), 0.0);
+            assert_eq!(cosine_f32(a, b), 1.0);
         }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/distance/neon.rs` around lines 374 - 390, The test_empty_vectors
test currently asserts l2_f32, dot_f32 and l2_i8 for empty slices but omits
cosine_f32; update the test to also call cosine_f32 with the empty f32 slices
(the same `a: &[f32] = &[]` and `b: &[f32] = &[]`) inside the unsafe block and
assert it returns 0.0 (e.g., add unsafe { assert_eq!(cosine_f32(a, b), 0.0); })
so the NEON tests mirror the AVX2 coverage.

scripts/bench-vector-production.sh-20-20 (1)

20-20: ⚠️ Potential issue | 🟡 Minor

REPORT variable is defined but never used.

The script outputs to stdout via heredocs and the final output is piped to the file, but REPORT is never referenced. Either use it or remove it.

🔧 Option 1: Remove unused variable

-REPORT="target/vector-benchmark-report.md"

🔧 Option 2: Use it for the final output

-} > "$OUTPUT_FILE"
+} > "$REPORT"

But note this would conflict with the hardcoded redirect behavior. The script appears to intend outputting to stdout with the user redirecting manually.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/bench-vector-production.sh` at line 20, The REPORT variable is
declared but never used; either remove the
REPORT="target/vector-benchmark-report.md" assignment or make the script write
its final heredoc output to that path (replace the hardcoded stdout redirection
with a redirect to "$REPORT" or use tee "$REPORT") so REPORT is actually
referenced; update the top-level variable REPORT accordingly and ensure any
redirects or piping in the final output section (heredocs) use "$REPORT" if you
choose to keep it.

scripts/bench-vector.sh-25-26 (1)

25-26: ⚠️ Potential issue | 🟡 Minor

CLIENTS variable is declared and parsed but never used.

The --clients option sets CLIENTS (Lines 77-81), but this variable is never actually used in the server benchmark section. The search benchmark runs sequentially in a for-loop (Line 315-317) rather than with concurrent clients.

🔧 Options to address

Either remove the unused --clients option:

-CLIENTS=4
 ...
-        --clients)
-            if [[ -z "${2:-}" ]] || [[ "$2" == --* ]]; then
-                echo "Error: --clients requires a numeric value"; exit 1
-            fi
-            CLIENTS="$2"; shift 2 ;;

Or implement concurrent client execution (requires more significant changes to use background jobs or a tool like parallel/redis-benchmark).

Also applies to: 77-81

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/bench-vector.sh` around lines 25 - 26, The CLIENTS variable is
declared and parsed (via the --clients option) but never used in the
search/server benchmark; either remove the --clients parsing and related CLIENTS
default (e.g., CLIENTS=4 and the --clients case) to avoid dead options, or
modify the search benchmark loop to spawn CLIENTS concurrent workers (use
background jobs or GNU parallel) instead of the current sequential for-loop in
the server benchmark section: replace the single sequential loop that runs
searches with a concurrency pattern that launches CLIENTS jobs (e.g., start each
worker in background, collect PIDs, and wait) and ensure any result aggregation
and SHARDS logic continues to work with concurrent execution.

src/vector/metrics.rs-57-61 (1)

57-61: ⚠️ Potential issue | 🟡 Minor

Make the index decrement saturating.

fetch_sub(1) wraps from 0 to u64::MAX, so a duplicate or failed FT.DROPINDEX path can leave INFO reporting a huge active-index count until restart. Clamp at zero or only decrement after a confirmed removal.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/metrics.rs` around lines 57 - 61, The decrement_indexes function
currently calls VECTOR_INDEXES.fetch_sub(1, Ordering::Relaxed) which wraps 0 to
u64::MAX; change it to perform a saturating decrement so the counter never
underflows (e.g. use VECTOR_INDEXES.fetch_update(...) with a closure like |v|
Some(v.saturating_sub(1)) or check and only decrement when > 0) and replace the
fetch_sub call in decrement_indexes with that saturating logic (use appropriate
atomic orderings such as SeqCst or Acquire/Release as needed).

src/vector/persistence/recovery.rs-96-106 (1)

96-106: ⚠️ Potential issue | 🟡 Minor

RESP block skip logic may misparse non-VECTOR_RECORD_TAG bytes.

If a byte at position pos is neither VECTOR_RECORD_TAG (0x56) nor the start of a valid RESP block, this code reads the next 4 bytes as a length and skips that many bytes — potentially jumping into the middle of a record.

This assumes the WAL only contains two frame types. If there's any header corruption or unknown frame type, recovery could skip valid data or read garbage.

Consider adding bounds validation or a frame type check:

Suggested defensive check

         } else {
             // RESP block frame -- skip it
             if pos + 4 > wal_data.len() {
                 break;
             }
             let block_len = u32::from_le_bytes([
                 wal_data[pos],
                 wal_data[pos + 1],
                 wal_data[pos + 2],
                 wal_data[pos + 3],
             ]) as usize;
+            // Sanity check: block_len should be reasonable
+            if block_len > 100_000_000 || pos + 4 + block_len > wal_data.len() {
+                warn!("Suspicious RESP block length {} at offset {}, stopping", block_len, pos);
+                break;
+            }
             pos += 4 + block_len;
         }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/persistence/recovery.rs` around lines 96 - 106, The RESP-skip
logic currently assumes any non-VECTOR_RECORD_TAG byte starts a RESP block and
reads a 4-byte length, which can misparse corrupted or unknown frame types;
update the loop that inspects wal_data[pos] to first check the frame tag byte
explicitly (compare wal_data[pos] to VECTOR_RECORD_TAG and a defined RESP frame
tag/marker), and if it's a RESP frame then validate that pos + 4 <=
wal_data.len() and that the parsed block_len is <= wal_data.len() - (pos + 4)
before advancing pos by 4 + block_len; if the tag is unknown or block_len is
invalid, bail out (return an error or stop recovery) or log and break to avoid
jumping into arbitrary data. Ensure references to wal_data, pos, block_len and
VECTOR_RECORD_TAG are updated accordingly.

src/vector/hnsw/search.rs-157-162 (1)

157-162: ⚠️ Potential issue | 🟡 Minor

Zero-allocation guarantee is violated by adc_lut allocation.

The doc comment claims "zero-allocation guarantee (VEC-HNSW-03)" but line 265 allocates adc_lut via Vec::with_capacity(padded_dim * entries_per_coord). For 1024-dim with 16 entries, this is 64KB per search.

Either move adc_lut into SearchScratch (pre-allocated buffer) or update the documentation.

Option: Add to SearchScratch

pub struct SearchScratch {
    // ... existing fields
    /// Pre-allocated LUT buffer for ADC scoring (reused across searches).
    pub(crate) adc_lut: Vec<f32>,
}

Then resize/clear in clear() instead of allocating per search.

Also applies to: 265-265

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/hnsw/search.rs` around lines 157 - 162, The zero-allocation
guarantee is violated by allocating adc_lut inside the search routine; move
adc_lut into the SearchScratch struct as a pre-allocated buffer (add pub(crate)
adc_lut: Vec<f32> to SearchScratch), allocate it once when SearchScratch is
constructed, and then reuse it by resizing/clearing it in SearchScratch::clear()
before each search instead of calling Vec::with_capacity(...) inside the search
function; update any references to the local adc_lut to use scratch.adc_lut so
searches no longer allocate.

src/vector/segment/mutable.rs-363-363 (1)

363-363: ⚠️ Potential issue | 🟡 Minor

Unused variable centroids in append_transactional.

Line 363 retrieves centroids from the collection but it's never used in the method body. This appears to be dead code from a previous iteration.

🧹 Remove unused variable

         let signs = self.collection.fwht_sign_flips.as_slice();
         let boundaries = self.collection.codebook_boundaries_15();
-        let centroids = self.collection.codebook_16();
         let mut work_buf = vec![0.0f32; padded];

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/segment/mutable.rs` at line 363, In append_transactional remove
the dead local let centroids = self.collection.codebook_16(); since centroids is
never used; either delete that line or, if the codebook was intended to be used,
actually reference self.collection.codebook_16() where needed (e.g., pass it
into the relevant logic in append_transactional) — look for the
append_transactional function and the codebook_16() method on self.collection to
fix the unused-variable issue.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 76439cf9-6a88-4405-af96-abc6b4eb0c81

📥 Commits

Reviewing files that changed from the base of the PR and between 606f8f8 and 6f91362.

⛔ Files ignored due to path filters (5)

• Cargo.lock is excluded by !**/*.lock
• moon_crash.log is excluded by !**/*.log
• moon_debug.log is excluded by !**/*.log
• moon_err.log is excluded by !**/*.log
• moon_stderr.log is excluded by !**/*.log

📒 Files selected for processing (89)

• .planning
• Cargo.toml
• benches/distance_bench.rs
• benches/fwht_bench.rs
• benches/hnsw_bench.rs
• build.rs
• docs/vector-search-guide.md
• scripts/bench-server-mode.sh
• scripts/bench-vector-production.sh
• scripts/bench-vector-vs-competitors.sh
• scripts/bench-vector.sh
• scripts/bench-vs-competitors.py
• scripts/profile-vector.sh
• src/command/connection.rs
• src/command/metadata.rs
• src/command/mod.rs
• src/command/vector_search.rs
• src/gpu/kernels/cagra_build.cu
• src/gpu/kernels/turbo_quant_wht.cu
• src/lib.rs
• src/main.rs
• src/persistence/wal.rs
• src/server/conn/handler_monoio.rs
• src/server/conn/handler_sharded.rs
• src/server/conn/handler_single.rs
• src/server/conn/mod.rs
• src/server/conn/tests.rs
• src/server/listener.rs
• src/shard/coordinator.rs
• src/shard/dispatch.rs
• src/shard/event_loop.rs
• src/shard/mod.rs
• src/shard/shared_databases.rs
• src/shard/spsc_handler.rs
• src/storage/dashtable/mod.rs
• src/storage/dashtable/segment.rs
• src/storage/db.rs
• src/vector/aligned_buffer.rs
• src/vector/distance/avx2.rs
• src/vector/distance/avx512.rs
• src/vector/distance/fastscan.rs
• src/vector/distance/mod.rs
• src/vector/distance/neon.rs
• src/vector/distance/scalar.rs
• src/vector/filter/expression.rs
• src/vector/filter/mod.rs
• src/vector/filter/payload_index.rs
• src/vector/filter/selectivity.rs
• src/vector/gpu/cagra.rs
• src/vector/gpu/context.rs
• src/vector/gpu/error.rs
• src/vector/gpu/fwht_kernel.rs
• src/vector/gpu/mod.rs
• src/vector/hnsw/build.rs
• src/vector/hnsw/graph.rs
• src/vector/hnsw/mod.rs
• src/vector/hnsw/search.rs
• src/vector/hnsw/search_sq.rs
• src/vector/metrics.rs
• src/vector/mod.rs
• src/vector/mvcc/manager.rs
• src/vector/mvcc/mod.rs
• src/vector/mvcc/visibility.rs
• src/vector/persistence/mod.rs
• src/vector/persistence/recovery.rs
• src/vector/persistence/segment_io.rs
• src/vector/persistence/wal_record.rs
• src/vector/segment/compaction.rs
• src/vector/segment/holder.rs
• src/vector/segment/immutable.rs
• src/vector/segment/ivf.rs
• src/vector/segment/mod.rs
• src/vector/segment/mutable.rs
• src/vector/store.rs
• src/vector/turbo_quant/codebook.rs
• src/vector/turbo_quant/collection.rs
• src/vector/turbo_quant/encoder.rs
• src/vector/turbo_quant/fwht.rs
• src/vector/turbo_quant/inner_product.rs
• src/vector/turbo_quant/mod.rs
• src/vector/turbo_quant/qjl.rs
• src/vector/turbo_quant/sub_centroid.rs
• src/vector/turbo_quant/tq_adc.rs
• src/vector/types.rs
• tests/vector_edge_cases.rs
• tests/vector_insert_bench.rs
• tests/vector_memory_audit.rs
• tests/vector_recall_benchmark.rs
• tests/vector_stress.rs

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Don't send SHUTDOWN NOSAVE to arbitrary services on the benchmark ports.

This script reuses 6379/6400 and blindly shuts down whatever answers there, while the readiness probe only checks for PONG. On a dev machine that can kill an unrelated Redis instance or benchmark the wrong server as Moon if the shutdown fails. Only stop processes this script started, and prefer dedicated/high benchmark ports.

Also applies to: 43-49, 101-118

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/bench-server-mode.sh` around lines 27 - 29, The script currently uses
shared ports (MOON_PORT, REDIS_PORT, QDRANT_PORT) and blindly issues SHUTDOWN
NOSAVE (and similar stop logic) to whatever responds, which can kill unrelated
services; change the logic so the script binds to dedicated/high benchmark ports
and only stops processes it started: when launching services (the
Redis/Moon/Qdrant start commands) capture and store their PIDs (or container
IDs) in variables/files and on teardown use those PIDs to terminate the exact
processes instead of sending SHUTDOWN to the port; also remove or guard any raw
"SHUTDOWN NOSAVE" calls so they target the started Redis instance (use redis-cli
-p "$REDIS_PORT" only after verifying its PID matches the started PID), and
apply the same PID-based teardown pattern for the Moon and Qdrant start/stop
blocks referenced by MOON_PORT, REDIS_PORT, and QDRANT_PORT.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

MULTI/EXEC currently bypasses the new vector hooks.

These FT.* and HSET auto-index paths only run on the non-transactional flow. Inside MULTI, the frames are queued before they reach this logic, and execute_transaction() has no vector_store parameter, so transactional HSETs can leave indexes stale and transactional FT.* commands cannot execute correctly.

Also applies to: 1128-1145

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/server/conn/handler_single.rs` around lines 947 - 971, The transactional
path currently bypasses vector hooks: FT.* handling and HSET auto-indexing run
only in the non-transactional branch because execute_transaction() has no access
to vector_store and queued frames are not dispatched through the vector logic;
to fix, add a parameter (e.g., &Option<Arc<Mutex<VectorStore>> or the existing
vector_store type) to execute_transaction(...) and update its callers, then
inside execute_transaction() replay/execute queued frames through the same FT.*
and HSET handling used in the single-command path (reuse the FT.* dispatch logic
and HSET auto-indexing functions such as
crate::command::vector_search::ft_create/ft_search/ft_dropindex/ft_info/ft_compact
and the HSET index update code) so transactional HSETs update indexes only on
EXEC and FT.* commands inside MULTI are handled correctly.

[coderabbitai]

Actionable comments posted: 9

Note

Due to the large number of review comments, Critical severity comments were prioritized as inline comments.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/server/conn/handler_monoio.rs (1)

1506-1546: ⚠️ Potential issue | 🟠 Major

Mirror vector maintenance hooks on the monoio write path.

This path only auto-indexes HSET. Unlike the tokio handler, HMSET and delete operations never update the vector store here, so runtime-monoio can return stale documents from FT.SEARCH after updates/deletes.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/server/conn/handler_monoio.rs` around lines 1506 - 1546, The monoio
write-path only calls auto_index_hset_public for HSET, causing HMSET and deletes
to miss vector-store updates; update the block after the successful-response
check to mirror the tokio handler: add a branch for HMSET
(cmd.eq_ignore_ascii_case(b"HMSET")) that extracts the key(s)/fields from
cmd_args and invokes the same auto-indexing logic (or an equivalent HMSET
helper) against shard_databases.vector_store(shard_id) (reuse
auto_index_hset_public or add an auto_index_hmset helper), and add handling for
delete commands (e.g., DEL, HDEL/UNLINK as used elsewhere) to call the
vector-store removal routine for the key(s) so documents are removed/stale
results prevented; place these checks alongside the existing HSET auto-indexing
and only run them on non-error responses.

♻️ Duplicate comments (5)

src/vector/persistence/wal_record.rs (1)

297-327: ⚠️ Potential issue | 🔴 Critical

Reject empty WAL payloads before indexing payload[0].

A corrupt frame with payload_len == 0 can still reach payload[0] when extra bytes are present, which panics recovery instead of returning a WalRecordError.

🛠️ Minimal fix

         // Payload length
         let payload_len = u32::from_le_bytes([data[1], data[2], data[3], data[4]]) as usize;
+        if payload_len == 0 {
+            return Err(WalRecordError::Truncated);
+        }
         let frame_len = 1 + 4 + payload_len + 4; // TAG + len + payload + crc

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/persistence/wal_record.rs` around lines 297 - 327, The code
currently indexes payload[0] without ensuring payload_len > 0, which can panic
for corrupt frames; modify the parsing in wal_record.rs to explicitly reject
empty payloads before accessing payload[0] (e.g., after CRC verification and
before "let record_type = payload[0];") by returning an appropriate
WalRecordError (such as WalRecordError::Truncated or another existing error
variant), ensuring you reference the payload_len/payload variables and the
record_type/record_data extraction (so add the check right before "let
record_type = payload[0];").

src/vector/aligned_buffer.rs (1)

35-47: ⚠️ Potential issue | 🔴 Critical

Do not recycle a Vec<T> allocation behind a fabricated 64-byte layout.

Vec<T> is allocated with align_of::<T>(), not with ALIGN, so the reuse fast path can store the wrong layout and later call dealloc with mismatched alignment. new() also hard-codes ALIGN, which under-aligns any over-aligned T. This block also introduces unwrap() / expect() in library code.

#!/bin/bash
rg -n -C2 'from_size_align|from_vec|mem::forget|dealloc' src/vector/aligned_buffer.rs

As per coding guidelines, "When modifying existing unsafe code, verify all SAFETY comments remain accurate" and "No unwrap() or expect() in library code outside tests; use pattern matching or if let".

Also applies to: 68-79, 153-158

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/aligned_buffer.rs` around lines 35 - 47, The code incorrectly
fabricates a Layout with ALIGN (64) for all T and uses unwrap/expect; fix by
using the actual alignment for T when computing layouts and never fabricating a
smaller alignment than align_of::<T>()—compute let align = std::cmp::max(ALIGN,
std::mem::align_of::<T>()) and use Layout::from_size_align(byte_size, align) but
handle the Err case instead of unwrap/expect; when constructing from an existing
Vec<T> (e.g., from_vec or wherever mem::forget / dealloc is used) preserve the
original allocation's Layout (size and align_of::<T>()) rather than substituting
ALIGN so drop/dealloc uses a matching layout; update new(), from_vec(), and drop
logic in AlignedBuffer (and any stored layout field) to store and use the
correct Layout, and replace all expect()/unwrap() calls with proper error
handling (match/if let) so no panics occur in library code.

src/shard/coordinator.rs (1)

794-830: ⚠️ Potential issue | 🔴 Critical

Still allows partial FT.CREATE/FT.DROPINDEX across shards.

This still applies: the local shard is mutated before any remote acknowledgement is known, and the wildcard arm ignores closed or malformed remote replies. A single late failure can leave index metadata divergent across shards.

Based on learnings "Per-shard HNSW index for vector search — no cross-shard GPU sharing".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/shard/coordinator.rs` around lines 794 - 830, The function
broadcast_vector_command mutates the local shard before confirming remote
success, and it treats non-Error remote replies as success; change the flow so
you first send the ShardMessage::VectorCommand to all other shards via spsc_send
and collect all reply_rx, then await all receivers and treat any non-Ok or
unexpected/malformed reply (including closed channel) as an error (return
Frame::Error) before applying the local mutation by calling
crate::shard::spsc_handler::dispatch_vector_command on vector_store(my_shard);
ensure you reference the existing symbols broadcast_vector_command,
ShardMessage::VectorCommand, spsc_send, reply_rx.recv().await, and
dispatch_vector_command so the local update happens only after all remote acks
succeed.

src/vector/segment/compaction.rs (2)

103-118: ⚠️ Potential issue | 🔴 Critical

The gpu-cuda path still won't compile or populate CPU-side rerank data.

try_gpu_build_hnsw() reads live_f32_vecs and dim before either symbol exists, so --features gpu-cuda fails at compile time. Even after that is fixed, both sub_signs_bfs builders are still gated on need_cpu_build, so a successful GPU build leaves CPU searches with all-zero sub-centroid bits.

#!/bin/bash
sed -n '99,140p' src/vector/segment/compaction.rs
sed -n '241,310p' src/vector/segment/compaction.rs
rg -n '\blive_f32_vecs\b|\blet dim\b|\blet live_f32\b|\bneed_cpu_build\b|\bsub_signs_bfs\b' src/vector/segment/compaction.rs

Expected: live_f32_vecs appears only at the GPU call site, dim is declared later, and every sub_signs_bfs population branch remains behind need_cpu_build.
Based on learnings "Index building on GPU, serving on CPU (unless batch query mode)".

Also applies to: 246-310

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/segment/compaction.rs` around lines 103 - 118, The GPU branch
calls try_gpu_build_hnsw before live_f32_vecs and dim are declared and then
prevents sub_signs_bfs population when gpu_graph exists, causing compile errors
and empty CPU rerank bits; move or declare live_f32_vecs and dim before invoking
try_gpu_build_hnsw (or defer the GPU call until after those values exist), and
ensure the sub_signs_bfs builders (the code that populates sub_signs_bfs) always
run regardless of gpu_graph/need_cpu_build (only skip heavy
HnswBuilder/all_rotated work when need_cpu_build is false), referencing
try_gpu_build_hnsw, live_f32_vecs, dim, gpu_graph, need_cpu_build, sub_signs_bfs
and HnswBuilder to locate the changes.

---

221-238: ⚠️ Potential issue | 🔴 Critical

Reorder the auxiliary buffers by the live-entry index, not by an internal_id lookup.

graph.to_original() here is the live-entry ordinal. Looking it back up with entry.internal_id == orig_id can land on a different row once there are gaps from deletions, so the reordered QJL signs, residual norms, and raw vectors stop matching the BFS-ordered codes.

Also applies to: 249-256

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/segment/compaction.rs` around lines 221 - 238,
graph.to_original(bfs_pos) already returns the live-entry ordinal, so looking it
up via live_entries.iter().position(|e| e.internal_id == orig_id) is wrong when
there are gaps; replace that lookup with using orig_id directly as the
live-entry index (i.e., set live_idx = orig_id) and use that index to compute
src_qjl, copy into qjl_signs_bfs, and index frozen.residual_norms; apply the
same change in the analogous block around the other referenced range (lines
~249-256) so QJL signs, residual norms, and raw vectors stay aligned with the
BFS order (use symbols: graph.to_original, live_entries, internal_id, live_idx,
qjl_bpv, qjl_signs_bfs, frozen.qjl_signs, residual_norms_bfs,
frozen.residual_norms, bfs_pos).

🟠 Major comments (15)

src/server/conn/handler_sharded.rs-1371-1378 (1)

1371-1378: ⚠️ Potential issue | 🟠 Major

Don’t treat every HDEL as full document deletion.

HDEL key field... removes selected hash fields, not the whole hash. Unconditionally calling mark_deleted_for_key will drop still-live vector docs when a non-vector field is removed. Recompute the indexed state from the remaining hash contents, or gate this only on deleting the indexed vector field(s).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/server/conn/handler_sharded.rs` around lines 1371 - 1378, The current
handler treats every HDEL as a full-doc delete and blindly calls
mark_deleted_for_key; change this so HDEL only triggers mark_deleted_for_key
when the vector/indexed field(s) are actually removed. In the HDEL branch (where
cmd is "HDEL" and you have cmd_args, extract_bytes,
shard_databases.vector_store(shard_id) and vs), inspect the fields being deleted
and either (a) check if any of them match the configured indexed vector field
name(s) and only then call vs.mark_deleted_for_key(&key), or (b) after deletion
recompute the indexed state by reading the remaining hash fields (HGET/HMGET)
for the vector field(s) and call mark_deleted_for_key only if those vector
fields are now absent/empty; reference vs.mark_deleted_for_key,
shard_databases.vector_store, cmd_args, and extract_bytes to locate and
implement the check.

src/vector/distance/scalar.rs-17-24 (1)

17-24: ⚠️ Potential issue | 🟠 Major

Release builds silently truncate mismatched vector dimensions.

These are safe pub fns, but the only guard is debug_assert_eq!. In release, .zip() stops at the shorter slice and returns a plausible distance over the shared prefix instead of surfacing the dimension bug.

Also applies to: 34-41, 51-57, 70-86

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/distance/scalar.rs` around lines 17 - 24, The public distance
functions (starting with l2_f32) use debug_assert_eq! so release builds silently
truncate with .zip(); replace the debug-only check with a runtime length check
that panics on mismatch (e.g., use assert_eq! or an explicit if a.len() !=
b.len() { panic!(...); }) before iterating, and apply the same change to the
other public distance functions in this file referenced by the reviewer so that
dimension mismatches are surfaced at runtime rather than silently producing
wrong results.

src/server/conn/handler_sharded.rs-1260-1267 (1)

1260-1267: ⚠️ Potential issue | 🟠 Major

The scatter path loses FT.SEARCH filters—this is a logic bug.

parse_ft_search_args extracts a filter as the fourth return value, but it's discarded at call sites. Meanwhile, scatter_vector_search_remote has no filter parameter, and internally calls search_local() which hardcodes search_local_filtered(..., None). The infrastructure exists (search_local_filtered accepts filters), but the filter is never passed through the call chain. FT.SEARCH commands with filters will execute unfiltered across all shards.

To fix: add a filter parameter to scatter_vector_search_remote, thread the _filter through the coordinator, and call search_local_filtered with the actual filter instead of search_local.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/server/conn/handler_sharded.rs` around lines 1260 - 1267, The scatter
path drops FT.SEARCH filters because parse_ft_search_args returns a filter that
is discarded and scatter_vector_search_remote never accepts or forwards it;
update parse_ft_search_args call site to capture the fourth value and add a
filter parameter to scatter_vector_search_remote, propagate that filter through
the coordinator into whatever internal worker function, and replace calls to
search_local(...) with search_local_filtered(..., filter) so the filter is
applied on each shard; make sure function signatures
(scatter_vector_search_remote and any coordinator/worker functions that call
search_local) and call sites are updated to accept and pass the filter (use the
same filter type returned by parse_ft_search_args).

src/vector/hnsw/graph.rs-309-407 (1)

309-407: ⚠️ Potential issue | 🟠 Major

Validate deserialized graph invariants before returning Ok.

from_bytes() currently rejects truncation, but not malformed graphs. Corrupt or stale segment files with an inconsistent layer0_len, bytes_per_code < 4, non-monotonic upper_offsets, or out-of-range BFS/CSR indices will deserialize and then panic later in neighbors_l0(), neighbors_upper(), or tq_norm().

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/hnsw/graph.rs` around lines 309 - 407, from_bytes currently only
checks truncation but must validate graph invariants before returning Ok: add
explicit validation in from_bytes to (1) verify bytes_per_code >= 4,
num_nodes/entry_point bounds and that levels.len() == n and all level values <=
max_level, (2) ensure layer0_len and layer0_neighbors entries are all <
num_nodes, (3) check bfs_order and bfs_inverse entries are in 0..num_nodes and
are mutual inverses if expected, (4) validate CSR fields: upper_offsets is
monotonic, each offset is <= neighbors_len and final offset == neighbors_len,
and every index in upper_index and upper_neighbors is < num_nodes, and (5)
validate neighbors_len matches actual neighbor count; return Err with
descriptive messages on any violation rather than allowing later panics
(references: function from_bytes, variables layer0_len, bytes_per_code,
bfs_order, bfs_inverse, levels, upper_index, upper_offsets, upper_neighbors,
neighbors_len, entry_point).

src/vector/hnsw/graph.rs-189-200 (1)

189-200: ⚠️ Potential issue | 🟠 Major

Guard neighbors_upper() against invalid levels.

row = idx_start + (level - 1) underflows for level == 0, and a request above the node's actual height can walk into the next node's CSR rows because self.levels is never consulted. That returns the wrong neighbor list instead of &[].

🔧 Minimal guard using the stored level metadata

 pub fn neighbors_upper(&self, node_id: u32, level: usize) -> &[u32] {
-    let idx_start = self.upper_index[node_id as usize];
+    let node_idx = node_id as usize;
+    if level == 0 || node_idx >= self.upper_index.len() || level > self.levels[node_idx] as usize
+    {
+        return &[];
+    }
+    let idx_start = self.upper_index[node_idx];
     if idx_start == SENTINEL {
         return &[];
     }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/hnsw/graph.rs` around lines 189 - 200, neighbors_upper currently
computes row = idx_start + (level - 1) which underflows for level == 0 and can
index into CSR rows beyond a node's height; fix by validating the requested
level before computing row: check level > 0 and compare level against the node's
actual height (use the per-node height metadata, e.g. self.levels[node_id as
usize] or equivalent) to ensure level <= node_height, and only then compute row
and bounds-check against self.upper_offsets length; if any check fails (invalid
node id, level == 0, level > node_height, or out-of-range offsets) return &[]
instead of proceeding to slice upper_neighbors.

src/shard/coordinator.rs-682-729 (1)

682-729: ⚠️ Potential issue | 🟠 Major

Don't silently merge partial FT.SEARCH results.

Both scatter paths drop recv() failures, and neither treats a shard Frame::Error as fatal. That turns a missing/failing shard into an apparently valid but incomplete top-K result set, which breaks the "globally correct top-K" contract in the doc comments.

Also applies to: 741-784

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/shard/coordinator.rs` around lines 682 - 729, scatter_vector_search
currently ignores recv() failures and treats Frame::Error responses like
successful results, producing incomplete top-K outputs; change the receiver loop
so that any rx.recv().await Err or any returned Frame::Error causes the function
to immediately return a fatal error Frame (e.g., Frame::Error with a clear
message) instead of pushing partial results, and do the same for the equivalent
scatter path around merge_search_results (the other block mentioned).
Concretely: in scatter_vector_search inspect each rx.recv().await outcome, if
Err(_) -> return Frame::Error("shard X disconnected" or similar), and if
Ok(frame) and frame is Frame::Error -> return that error frame (or wrap and
return a new Frame::Error), only after all responses are Ok(non-error) push into
shard_responses and call merge_search_results; apply the identical change to the
other scatter routine referenced (same pattern around receivers, reply_rx,
shard_responses, and merge_search_results).

src/vector/distance/fastscan.rs-145-158 (1)

145-158: ⚠️ Potential issue | 🟠 Major

Fix u8 overflow in SIMD distance accumulation to match scalar path.

The SIMD code adds dist_lo + dist_hi in 8-bit lanes before widening to u16. This causes overflow: if both LUT values are ≥128, the sum exceeds 255 and wraps. The scalar path correctly widens each distance to u16 before adding.

The test masks LUT values to 0x7F to avoid triggering overflow; the comment at line 428 confirms this was intentional: "LUT values must be in [0, 127] to avoid overflow when adding lo+hi as u8."

Widen each LUT lookup separately, then add in 16-bit lanes:

Corrected accumulation

-        let dist_sum = _mm256_add_epi8(dist_lo, dist_hi);
-
-        // Zero-extend lower 16 bytes to u16 and accumulate.
-        let lo_16 = _mm256_unpacklo_epi8(dist_sum, zero);
-        let hi_16 = _mm256_unpackhi_epi8(dist_sum, zero);
+        let dist_lo_lo = _mm256_unpacklo_epi8(dist_lo, zero);
+        let dist_lo_hi = _mm256_unpackhi_epi8(dist_lo, zero);
+        let dist_hi_lo = _mm256_unpacklo_epi8(dist_hi, zero);
+        let dist_hi_hi = _mm256_unpackhi_epi8(dist_hi, zero);
+
+        let lo_16 = _mm256_add_epi16(dist_lo_lo, dist_hi_lo);
+        let hi_16 = _mm256_add_epi16(dist_lo_hi, dist_hi_hi);

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/distance/fastscan.rs` around lines 145 - 158, The SIMD path
currently computes dist_sum = _mm256_add_epi8(dist_lo, dist_hi) which can
overflow 8-bit lanes before widening, unlike the scalar path; instead, widen
each lookup to 16-bit first and then add: use
_mm256_unpacklo_epi8/_mm256_unpackhi_epi8 on dist_lo and on dist_hi to produce
lo_lo16, lo_hi16, hi_lo16, hi_hi16 (or similar), then add the corresponding
16-bit vectors (e.g., lo16 = _mm256_add_epi16(unpacklo(dist_lo),
unpacklo(dist_hi)); hi16 = _mm256_add_epi16(unpackhi(dist_lo),
unpackhi(dist_hi))); finally accumulate into acc_lo and acc_hi with those 16-bit
sums (replace creation/usage of dist_sum, lo_16, hi_16 accordingly) so addition
happens in u16 lanes and avoids u8 wraparound.

src/vector/persistence/recovery.rs-152-166 (1)

152-166: ⚠️ Potential issue | 🟠 Major

Don't synthesize new collection metadata during recovery.

Both constructors hard-code L2 / TurboQuant4 / seed=collection_id instead of reusing the metadata that was persisted with the index. After restart, new mutable writes can be quantized and searched with a different metric/codebook than the immutable segments already loaded for the same collection.

Also applies to: 270-279

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/persistence/recovery.rs` around lines 152 - 166, The recovery code
constructs new CollectionMetadata with hard-coded parameters inside the
states.entry closure (see CollectionReplayState and MutableSegment::new calling
crate::vector::turbo_quant::collection::CollectionMetadata::new) which can
produce a different metric/codebook than persisted data; instead, load and reuse
the persisted collection metadata for the given collection_id when creating the
MutableSegment so mutable writes use the same metric/quantization/seed as the
immutable segments; update both the constructor at the shown entry closure and
the analogous block around lines 270-279 to fetch the persisted metadata (from
whatever storage/segment metadata API is available) and pass that metadata into
MutableSegment::new rather than constructing a new CollectionMetadata with
L2/TurboQuant4/seed.

src/shard/spsc_handler.rs-275-289 (1)

275-289: ⚠️ Potential issue | 🟠 Major

Don't treat every HDEL as deletion of the vector field.

This tombstones the whole document on any successful HDEL, even when the removed field is unrelated to the indexed vector. Deleting title or tag from a hash should not make its embedding disappear from FT search.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/shard/spsc_handler.rs` around lines 275 - 289, The HDEL branch currently
tombstones the whole document for any successful HDEL; change it to only call
vector_store.mark_deleted_for_key when the HDEL actually removed the vector
field: inspect args (the fields in args[1..]) and verify the configured vector
field name for that key is present among the requested fields (or fetch the
index's vector field name from your index metadata/vector_store) before calling
vector_store.mark_deleted_for_key(key_bytes); keep using the same HDEL branch,
check frame to ensure the command succeeded, and only mark when the removed
field matches the vector field.

src/vector/hnsw/search.rs-270-291 (1)

270-291: ⚠️ Potential issue | 🟠 Major

Guard the sub-centroid fast path on the table as well as the sign bits.

use_subcent only checks the bit buffer, but the branch immediately does sub_table.unwrap(). Any segment loaded without sub_centroid_table will panic on the read path instead of falling back to the 16-entry LUT.

As per coding guidelines "No unwrap() or expect() in library code outside tests; use pattern matching or if let".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/hnsw/search.rs` around lines 270 - 291, The fast path assumes
sub-centroid table exists but only checks sub_sign_bpv; update the guard so the
sub-centroid branch requires both non-empty sub_centroid_signs and
collection.sub_centroid_table.is_some() (i.e. change the computation of
use_subcent or add an explicit check) and replace sub_table.unwrap() with
pattern matching (if let Some(st) = sub_table { ... } ) so you fall back to the
regular 16-entry LUT code when the table is absent; remove any unwrap()/expect()
usage around sub_centroid_table and ensure adc_lut is populated using the
16-entry path when the table is missing.

src/server/conn/handler_single.rs-1129-1146 (1)

1129-1146: ⚠️ Potential issue | 🟠 Major

Mirror the delete hooks in the single-shard path.

This handler now updates the vector index on successful HSET, but it never tombstones entries on successful DEL, HDEL, or UNLINK. In single-shard/server mode, FT search can keep returning hashes that were already deleted from Redis.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/server/conn/handler_single.rs` around lines 1129 - 1146, The HSET
auto-indexing block must be extended to also tombstone vector entries on
successful deletions: detect DEL, UNLINK, and HDEL by comparing d_cmd (e.g., let
is_del = d_cmd.eq_ignore_ascii_case(b"DEL"), is_unlink =
d_cmd.eq_ignore_ascii_case(b"UNLINK"), is_hdel =
d_cmd.eq_ignore_ascii_case(b"HDEL")), and after verifying the DispatchResult
response is not Frame::Error, call the vector-store tombstone routine in the
same module (crate::shard::spsc_handler) analogous to auto_index_hset_public —
for DEL/UNLINK iterate all keys in d_args and call the tombstone API for each
key, and for HDEL use the first argument (the hash key) to tombstone the hash
entry; place these calls inside the same vector_store lock block so single-shard
deletes remove entries from the vector index.

src/vector/segment/compaction.rs-160-205 (1)

160-205: ⚠️ Potential issue | 🟠 Major

compact() never executes the recall gate it advertises.

After the graph is built, the function goes straight to BFS reorder and persistence. verify_recall(), MIN_RECALL, and CompactionError::RecallTooLow are currently dead, so a low-recall graph will still be committed.

Also applies to: 351-417

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/segment/compaction.rs` around lines 160 - 205, The code builds or
selects the HNSW graph (via HnswBuilder::build or gpu_graph) but never checks
recall; add a recall verification step immediately after the graph is chosen
(right after the let graph = ... block) that calls verify_recall(&graph, ...)
and compares the returned recall against MIN_RECALL, returning
Err(CompactionError::RecallTooLow) when below threshold; ensure this
verification runs for both the CPU-built graph (from builder.build) and the GPU
branch (gpu_graph) so the function aborts before BFS reorder and persistence if
recall is insufficient.

src/vector/hnsw/search.rs-55-60 (1)

55-60: 🛠️ Refactor suggestion | 🟠 Major

Please avoid a new unsafe block for bitvec clearing.

A slice fill(0) expresses the same reset without adding a new unsafe surface.

♻️ Safe replacement

         if self.words.len() < words_needed {
             self.words.resize(words_needed, 0);
         } else {
-            // SAFETY: self.words.as_mut_ptr() points to `words_needed` initialized u64s.
-            // write_bytes zeroes exactly `words_needed` u64-sized slots.
-            // words_needed <= self.words.len() (checked above).
-            unsafe {
-                std::ptr::write_bytes(self.words.as_mut_ptr(), 0, words_needed);
-            }
+            self.words[..words_needed].fill(0);
         }

As per coding guidelines "Never introduce new unsafe blocks without explicit user approval" and "Prefer safe abstractions for unsafe code; if unsafe is needed, isolate it in a dedicated module".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/hnsw/search.rs` around lines 55 - 60, The new unsafe block using
std::ptr::write_bytes to zero the bitvec should be replaced with a safe slice
fill; instead of calling write_bytes on self.words.as_mut_ptr() with
words_needed, remove the unsafe block and call the safe fill method on the slice
(e.g. operate on self.words[..words_needed] or equivalent) to set zeros—update
the code around the symbols self.words and words_needed and delete the
std::ptr::write_bytes call to eliminate the new unsafe surface.

src/vector/mvcc/manager.rs-27-28 (1)

27-28: ⚠️ Potential issue | 🟠 Major

Transaction ID truncation to u32 may cause incorrect visibility after wraparound.

The txn_id is u64 but RoaringBitmap stores u32. After 4 billion transactions, txn_id as u32 will wrap, causing false positives in is_committed() checks — a transaction with txn_id = 2^32 + X would incorrectly appear committed if transaction X was previously committed.

Consider either:

1. Periodically compacting/resetting the committed bitmap when transaction IDs approach u32::MAX
2. Using a different data structure that supports u64 keys (e.g., HashSet<u64> with periodic cleanup)
3. Adding a runtime check/assertion when txn_id exceeds u32::MAX

The comment on lines 27-28 acknowledges this limitation, but the "acceptable for Phase 65" note suggests this needs a follow-up.

Do you want me to open an issue to track adding overflow protection or a different committed-set representation?

Also applies to: 94-94, 113-113, 133-133, 149-149

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/mvcc/manager.rs` around lines 27 - 28, The committed-set uses
RoaringBitmap<u32> while txn_id is u64, causing wraparound after 2^32
transactions; update the MVCC manager to avoid incorrect visibility by adding a
runtime guard and a migration strategy: in functions that convert txn_id to u32
(e.g., is_committed(), commit path methods referenced in manager.rs) add a
check/assert that txn_id <= u32::MAX and return an error or trigger a
compaction/reset when the next txn_id would exceed u32::MAX; alternatively
replace the committed bitmap with a u64-capable structure (e.g., HashSet<u64> or
a roaring64 implementation) and implement periodic cleanup to bound memory —
ensure all call sites that currently cast txn_id to u32 are updated to use the
new representation or the guard.

src/vector/store.rs-291-291 (1)

291-291: ⚠️ Potential issue | 🟠 Major

Hardcoded delete_lsn = 1 breaks MVCC delete visibility.

The mark_deleted_by_key_hash call at line 291 uses a hardcoded delete_lsn of 1. In MVCC, entries deleted at LSN 1 are invisible to all transactions with snapshot_lsn >= 1. This means:

• All DEL/HDEL/UNLINK operations mark entries as deleted at LSN 1, regardless of when they execute
• A delete at LSN 100 still appears to have happened at LSN 1
• Transactions with snapshot_lsn >= 1 (i.e., the second transaction onwards) will not see these entries as deleted at the correct time

The visibility rule at src/vector/mvcc/visibility.rs:57 confirms: if delete_lsn != 0 && delete_lsn <= snapshot_lsn { return false; }. Entries should be marked deleted at the actual LSN when the delete command is processed, not at a constant value.

Pass the current LSN through the handler chain to mark_deleted_for_key, or refactor to access the transaction manager's next LSN at the call site.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/store.rs` at line 291, The delete call uses a hardcoded
delete_lsn=1 which breaks MVCC visibility; replace the constant with the actual
LSN when marking deletions by passing the current LSN from the transaction
manager into the handler chain (or call txn manager's next/current LSN at the
call site) and change the call site that invokes
snap.mutable.mark_deleted_by_key_hash(key_hash, 1) to supply that LSN (or call
the alternative API mark_deleted_for_key that accepts an LSN), ensuring
mark_deleted_by_key_hash / mark_deleted_for_key receive the real delete_lsn so
visibility logic in mvcc/visibility.rs behaves correctly.

🟡 Minor comments (3)

src/vector/hnsw/search_sq.rs-87-128 (1)

87-128: ⚠️ Potential issue | 🟡 Minor

Remove the unwrap()s from this search path.

results.peek().unwrap() can panic for k == 0 && ef_search == 0, and partial_cmp(...).unwrap() reintroduces a library-code unwrap in the hot path. An early zero-k return plus total_cmp() avoids both.

As per coding guidelines "No unwrap() or expect() in library code outside tests; use pattern matching or if let".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/hnsw/search_sq.rs` around lines 87 - 128, The search path can
panic from unwraps; modify the function handling the HNSW search (the while loop
using candidates and the final extraction) to early-return when requested k == 0
or ef == 0, replace all results.peek().unwrap() uses with safe pattern matches
(e.g., if let Some(&(OrderedFloat(worst), _)) = results.peek() and use
results.peek().map(|p| p.0.0) when computing dominated), and avoid
partial_cmp().unwrap() by sorting the final collected Vec<(f32,u32)> with
f32::total_cmp (or using total_cmp via d.total_cmp(&other.0)) so no unwraps
remain; keep references to symbols results, candidates, OrderedFloat, dist_bfs,
passes, graph.to_original and collected when making these changes.

src/vector/segment/holder.rs-752-753 (1)

752-753: ⚠️ Potential issue | 🟡 Minor

Remove unused imports flagged by CI.

The pipeline reports unused imports in the test module. These should be removed to keep CI clean.

🧹 Proposed fix

     #[test]
     fn test_holder_search_with_ivf() {
-        use crate::vector::aligned_buffer::AlignedBuffer;
-        use crate::vector::segment::ivf::{self, IvfQuantization, IvfSegment};
+        use crate::vector::segment::ivf;

         distance::init();

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/segment/holder.rs` around lines 752 - 753, Tests currently import
AlignedBuffer and ivf::{self, IvfQuantization, IvfSegment} but CI reports they
are unused; remove these unused imports from the test module to silence the
warning. Locate the test module in holder.rs and delete the use lines
referencing AlignedBuffer and the ivf::{self, IvfQuantization, IvfSegment}
symbols (or wrap them with #[allow(unused_imports)] only if you plan to use them
imminently). Ensure no other code relies on those imports before removing.

src/command/vector_search.rs-492-499 (1)

492-499: ⚠️ Potential issue | 🟡 Minor

Add validation or clarify that KNN queries ignore the @field name.

The parser skips the @field component without validating it matches the index's source_field. The inline comment "we already know from index meta" is misleading—the field name is extracted from the query string but discarded without any validation. This could lead to confusing behavior if the query specifies an incorrect field name, as the mismatch would silently fail.

Consider:

1. Adding validation that @field matches the index's vector field, matching Redis FT.SEARCH behavior
2. Updating the comment to clarify that any field name is accepted (the field is ignored)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/command/vector_search.rs` around lines 492 - 499, The parser in
vector_search.rs currently slices past the "@field" token (variables after_k,
field_end, after_field) without validating it against the index's vector field,
which can silently accept incorrect field names; update the logic in the KNN
parsing path (where after_k, field_end, after_field are computed) to either
validate the extracted field name matches the index's source_field (and return a
clear parse error if not) or explicitly document in the comment that the field
name is ignored, and choose one behavior consistently; ensure any error messages
reference the offending field name and use the same validation in the function
that parses KNN queries to match Redis FT.SEARCH semantics.

🧹 Nitpick comments (9)

src/storage/db.rs (1)

557-570: Good defensive error handling.

This change correctly converts a potential panic into a recoverable error path, aligning with the guideline to avoid .unwrap() in library code. The logging of key.len() (rather than the key itself) is appropriate for debugging without risking PII exposure.

Consider applying the same pattern to similar locations in this file that still use .unwrap() after insert operations (e.g., get_or_create_list at line 624, get_or_create_set at line 678, get_or_create_intset at line 748, get_or_create_hash_listpack at line 795, get_or_create_list_listpack at line 842, get_or_create_sorted_set at line 890, get_or_create_stream at line 1245) for consistency.

,

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/storage/db.rs` around lines 557 - 570, The new defensive pattern used in
get_or_create_hash (replacing an unwrap with logging and returning Err) should
be applied to the other get_or_create_* functions that still call .unwrap()
after insert: update get_or_create_list, get_or_create_set,
get_or_create_intset, get_or_create_hash_listpack, get_or_create_list_listpack,
get_or_create_sorted_set, and get_or_create_stream to mirror the same
behavior—after attempting self.data.get_mut(key) match on Some/None, log an
error with key.len() when None and return a Frame::Error (same message or
file-consistent message) instead of panicking; ensure you reference the same
error construction and tracing::error style used in the get_or_create_hash
change so all functions consistently avoid unwrap().

benches/distance_bench.rs (1)

51-56: Black-box the computed distance as well.

These closures only black-box the inputs. The repo guideline asks for black_box() on both inputs and outputs, so I'd wrap each returned distance too for consistency.

📏 Example fix pattern

-            bench.iter(|| distance::scalar::l2_f32(black_box(&a), black_box(&b)));
+            bench.iter(|| black_box(distance::scalar::l2_f32(black_box(&a), black_box(&b))));

As per coding guidelines "Benchmarks use Criterion with `black_box()` on inputs and outputs".

Also applies to: 67-72, 83-88, 99-104, 115-120

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@benches/distance_bench.rs` around lines 51 - 56, The benchmark closures only
black_box the inputs; update each bench.iter invocation so the computed distance
is also wrapped with black_box before returning — e.g., in the closures that
call distance::scalar::l2_f32 and (distance::table().l2_f32) replace the direct
call return with black_box((distance::scalar::l2_f32)(black_box(&a),
black_box(&b))) / black_box((distance::table().l2_f32)(black_box(&a),
black_box(&b))); apply the same change to the other benchmark blocks (the
closures around lines using distance::scalar::l2_f64, distance::table().l2_f64,
etc.) so both inputs and outputs are black_boxed consistently.

src/command/vector_search.rs (3)

461-468: Consider caching empty RoaringBitmap for non-transactional searches.

Each search creates a new empty_committed bitmap. While RoaringBitmap::new() is cheap (no heap allocation), for ultra-high-QPS workloads, a thread-local or static empty bitmap could eliminate this micro-overhead.

♻️ Suggested optimization

// At module level or in a lazy_static/once_cell
thread_local! {
    static EMPTY_COMMITTED: roaring::RoaringBitmap = roaring::RoaringBitmap::new();
}

// In search_local_filtered:
EMPTY_COMMITTED.with(|empty| {
    let mvcc_ctx = MvccContext {
        snapshot_lsn: 0,
        my_txn_id: 0,
        committed: empty,
        // ...
    };
    // ...
})

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/command/vector_search.rs` around lines 461 - 468, Replace per-call
creation of empty_committed with a shared static/thread-local empty
RoaringBitmap to avoid micro-allocation in hot paths: define a thread-local (or
static via once_cell) EMPTY_COMMITTED and, inside the search function where
MvccContext is built (the code that creates empty_committed and constructs
crate::vector::segment::holder::MvccContext), use EMPTY_COMMITTED.with(|empty| {
let mvcc_ctx = MvccContext { snapshot_lsn: 0, my_txn_id: 0, committed: empty,
dirty_set: &[], dimension: idx.meta.dimension, }; ... }) so committed receives a
reference to the shared empty bitmap instead of creating a new
roaring::RoaringBitmap each call.

---

1-7: Consider splitting file as it exceeds 1500 line limit.

At 1526 lines, this file slightly exceeds the 1500-line guideline. The parsing utilities (lines 689-835) and/or tests (lines 837-1526) could be extracted to separate modules.

As per coding guidelines: "No single .rs file should exceed 1500 lines; split into submodules if approaching this limit."

---

609-609: NaN scores would result in non-deterministic ordering.

The partial_cmp(...).unwrap_or(Equal) pattern safely handles NaN but could cause non-deterministic result ordering if NaN scores occur. While distances should never be NaN in practice, consider filtering or replacing NaN scores during extraction.

🛡️ Defensive NaN handling

-    all_results.sort_by(|a, b| a.0.partial_cmp(&b.0).unwrap_or(std::cmp::Ordering::Equal));
+    all_results.sort_by(|a, b| {
+        // Treat NaN as infinity (worst match)
+        let a_score = if a.0.is_nan() { f32::INFINITY } else { a.0 };
+        let b_score = if b.0.is_nan() { f32::INFINITY } else { b.0 };
+        a_score.partial_cmp(&b_score).unwrap_or(std::cmp::Ordering::Equal)
+    });

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/command/vector_search.rs` at line 609, The sort call using
all_results.sort_by(|a, b|
a.0.partial_cmp(&b.0).unwrap_or(std::cmp::Ordering::Equal)) can yield
non-deterministic ordering when scores are NaN; update the extraction/sorting
logic (around the all_results vector and its sort_by usage) to defensively
handle NaN by normalizing scores before sorting (e.g., filter out NaN entries or
map NaN to a stable sentinel like f64::INFINITY or f64::MAX_NEG for
distances/similarities) and then sort using the normalized values instead of
relying on partial_cmp unwraps so ordering becomes deterministic even if NaN
appears.

src/vector/store.rs (1)

116-118: Log or record metrics when compaction fails.

Compaction failures are silently ignored, which could mask recall issues or resource problems. Consider logging at warn level or incrementing a compaction failure counter.

🔧 Suggested improvement

         match compaction::compact(&frozen, &self.collection, seed, None) {
             Ok(immutable) => {
                 // ... success path
             }
-            Err(_e) => {
-                // Compaction failed (recall too low, etc.) — fall back to brute force
-            }
+            Err(e) => {
+                // Compaction failed (recall too low, etc.) — fall back to brute force
+                tracing::warn!(
+                    index = %self.meta.name,
+                    error = ?e,
+                    "compaction failed, continuing with brute force"
+                );
+                crate::vector::metrics::increment_compaction_failures();
+            }
         }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/store.rs` around lines 116 - 118, The Err(_e) match arm for the
compaction result currently swallows failures; update that arm to record the
failure by logging a warning (include the error e and context like which segment
or recall threshold) and/or incrementing a compaction failure metric counter
(e.g., compaction_failure_counter). Locate the Err(_e) branch in the compaction
code path (the match handling the compaction Result) and replace the empty block
with a process_logger.warn or tracing::warn call that formats _e, plus an
increment call to your metrics registry to track compaction failures.

src/vector/segment/holder.rs (3)

219-254: Consider reusing scratch buffers for IVF query rotation to reduce per-search allocations.

Each IVF segment search allocates q_rotated (up to 4KB for 1024-dim) and lut_buf (up to 16KB) vectors. For high-QPS workloads with multiple IVF segments, this could pressure the allocator.

Since SearchScratch is already passed but unused (_scratch), consider extending it to hold pre-allocated IVF buffers.

♻️ Suggested approach

// In SearchScratch or a new IvfScratch struct:
pub struct IvfScratch {
    pub q_rotated: Vec<f32>,
    pub lut_buf: Vec<u8>,
}

// Then in search_filtered:
if !snapshot.ivf.is_empty() {
    scratch.ivf.q_rotated.resize(pdim, 0.0);
    scratch.ivf.lut_buf.resize(pdim * 16, 0);
    // ... use scratch.ivf.q_rotated instead of allocating
}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/segment/holder.rs` around lines 219 - 254, The loop allocates
per-IVF-segment scratch (q_rotated and lut_buf) which hurts high-QPS
performance; modify the existing SearchScratch (or add a new IvfScratch) to hold
reusable buffers (e.g., q_rotated: Vec<f32> and lut_buf: Vec<u8>), resize them
once to pdim and pdim*16 before iterating over snapshot.ivf, and replace the
local allocations of q_rotated and lut_buf in the ivf loop with references to
scratch.ivf.q_rotated and scratch.ivf.lut_buf so ivf_seg.search and
ivf_seg.search_filtered reuse those buffers (ensure the buffers are
resized/cleared as needed before each search).

---

323-360: Consider extracting IVF search logic to reduce duplication with search_filtered.

The IVF segment search code (query rotation, normalization, FWHT, LUT buffer setup) is duplicated between search_filtered (lines 215-255) and search_mvcc (lines 323-360). This increases maintenance burden and risk of divergence.

♻️ Suggested extraction

fn search_ivf_segments(
    ivf_segments: &[Arc<IvfSegment>],
    query_f32: &[f32],
    k: usize,
    filter_bitmap: Option<&RoaringBitmap>,
) -> SmallVec<[SearchResult; 32]> {
    let mut results = SmallVec::new();
    if ivf_segments.is_empty() {
        return results;
    }
    // ... shared IVF search logic
    results
}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/segment/holder.rs` around lines 323 - 360, The IVF search logic
(normalization, rotation via fwht::fwht, LUT buffer creation, and calling
IvfSegment::search / IvfSegment::search_filtered) is duplicated between
search_filtered and search_mvcc; extract that shared logic into a helper
function (e.g., search_ivf_segments) that accepts ivf segment slice
(&[Arc<IvfSegment>]), query_f32, k, DEFAULT_NPROBE, and an
Option<&RoaringBitmap>, performs padded_dimension, q_rotated setup,
normalization, fwht::fwht(&mut q_rotated, ivf_seg.sign_flips()), allocates the
lut_buf once per segment, and delegates to ivf_seg.search or
ivf_seg.search_filtered as appropriate, then return a SmallVec<[SearchResult;
32]> so both search_filtered and search_mvcc call this new function instead of
duplicating the logic.

---

471-471: Clean up unused query_sq variables in tests.

Multiple tests create query_sq variables that are never used (lines 471, 496, 522, 558, 593, 624, 688, 828). These appear to be leftover from an earlier API that used scalar-quantized queries directly.

🧹 Example cleanup

-        let query_sq = make_sq_vector(dim, 1); // same as vector 0
         let query_f32 = vec![0.0f32; dim];

Also applies to: 496-496, 522-522, 558-558, 593-593, 624-624, 688-688, 828-828

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/segment/holder.rs` at line 471, Tests in
src/vector/segment/holder.rs create unused query_sq variables via make_sq_vector
(e.g. let query_sq = make_sq_vector(dim, 1)) that are remnants of an old API;
remove those unused let query_sq bindings at the mentioned locations (around the
current uses of make_sq_vector in functions/tests) so the tests no longer
declare unused variables and compile cleanly.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ab98120b-cbd9-42b5-ae4f-7782dce4e090

📥 Commits

Reviewing files that changed from the base of the PR and between 6f91362 and 03512ed.

⛔ Files ignored due to path filters (1)

• Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (61)

• Cargo.toml
• benches/distance_bench.rs
• benches/fwht_bench.rs
• benches/hnsw_bench.rs
• build.rs
• src/command/connection.rs
• src/command/mod.rs
• src/command/vector_search.rs
• src/main.rs
• src/server/conn/handler_monoio.rs
• src/server/conn/handler_sharded.rs
• src/server/conn/handler_single.rs
• src/server/conn/mod.rs
• src/server/listener.rs
• src/shard/coordinator.rs
• src/shard/dispatch.rs
• src/shard/event_loop.rs
• src/shard/mod.rs
• src/shard/shared_databases.rs
• src/shard/spsc_handler.rs
• src/storage/db.rs
• src/vector/aligned_buffer.rs
• src/vector/distance/avx2.rs
• src/vector/distance/avx512.rs
• src/vector/distance/fastscan.rs
• src/vector/distance/mod.rs
• src/vector/distance/neon.rs
• src/vector/distance/scalar.rs
• src/vector/filter/selectivity.rs
• src/vector/gpu/error.rs
• src/vector/gpu/mod.rs
• src/vector/hnsw/build.rs
• src/vector/hnsw/graph.rs
• src/vector/hnsw/search.rs
• src/vector/hnsw/search_sq.rs
• src/vector/mod.rs
• src/vector/mvcc/manager.rs
• src/vector/persistence/mod.rs
• src/vector/persistence/recovery.rs
• src/vector/persistence/segment_io.rs
• src/vector/persistence/wal_record.rs
• src/vector/segment/compaction.rs
• src/vector/segment/holder.rs
• src/vector/segment/immutable.rs
• src/vector/segment/ivf.rs
• src/vector/segment/mod.rs
• src/vector/segment/mutable.rs
• src/vector/store.rs
• src/vector/turbo_quant/codebook.rs
• src/vector/turbo_quant/collection.rs
• src/vector/turbo_quant/encoder.rs
• src/vector/turbo_quant/fwht.rs
• src/vector/turbo_quant/inner_product.rs
• src/vector/turbo_quant/qjl.rs
• src/vector/turbo_quant/sub_centroid.rs
• src/vector/turbo_quant/tq_adc.rs
• tests/vector_edge_cases.rs
• tests/vector_insert_bench.rs
• tests/vector_memory_audit.rs
• tests/vector_recall_benchmark.rs
• tests/vector_stress.rs

✅ Files skipped from review due to trivial changes (8)

• src/command/mod.rs
• src/main.rs
• src/command/connection.rs
• src/vector/persistence/mod.rs
• src/vector/mod.rs
• src/vector/segment/mod.rs
• Cargo.toml
• benches/fwht_bench.rs

🚧 Files skipped from review as they are similar to previous changes (11)

• src/server/conn/mod.rs
• src/shard/event_loop.rs
• src/shard/shared_databases.rs
• build.rs
• src/server/listener.rs
• src/vector/gpu/error.rs
• src/vector/gpu/mod.rs
• src/shard/dispatch.rs
• src/vector/persistence/segment_io.rs
• src/vector/segment/ivf.rs
• src/vector/segment/mutable.rs

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Keep FT.* execution in batch order with preceding writes.

These commands run during phase 1 before earlier dispatchable frames are applied, so a pipeline like HSET ... then FT.SEARCH ... or DEL ... then FT.SEARCH ... can observe stale vector state. They need to execute in the same ordered phase as the queued DB writes.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/server/conn/handler_single.rs` around lines 948 - 967, The FT.* vector
commands are being executed early (inside the dispatchable branch) using
vector_store and producing immediate responses (ft_create, ft_search,
ft_dropindex, ft_info, ft_compact), which allows later queued DB writes to be
observed out of order; instead, stop treating FT.* as immediately dispatchable:
remove the early special-case that locks vector_store and pushes responses in
that branch and let those commands fall through into the normal ordered
execution phase where queued DB writes are applied first, so FT.* handlers
(crate::command::vector_search::ft_create, ft_search, ft_dropindex, ft_info,
ft_compact) are invoked in the same ordered phase as other DB mutations using
the existing mechanism that consumes cmd, cmd_args and responses.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Run the vector maintenance hooks in every execute-style branch.

The new HSET auto-index / DEL-family auto-delete logic only runs in ShardMessage::Execute. MultiExecute, PipelineBatch, and the slotted variants can still mutate hashes without updating the shard-local vector index, so FT results diverge from the primary data path.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/shard/spsc_handler.rs` around lines 265 - 296, The HSET auto-index and
DEL/HDEL/UNLINK auto-delete hooks (currently using auto_index_hset(...) and
vector_store.mark_deleted_for_key(...)) are only invoked inside the Execute
branch, causing MultiExecute, PipelineBatch and slotted execute paths to skip
vector maintenance; refactor by extracting the logic that inspects
cmd/args/frame into a single helper (e.g., run_vector_hooks(cmd, args, frame,
vector_store)) and call that helper from every execute-style branch (Execute,
MultiExecute, PipelineBatch and their slotted variants) so every code path that
mutates hashes triggers auto_index_hset and the mark_deleted_for_key calls
consistently.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

fd -t f "fastscan\.rs" | head -5

Repository: pilotspace/moon

Length of output: 90

---

🏁 Script executed:

rg "scan_posting_list" --type rust -A 3 -B 3 | head -100

Repository: pilotspace/moon

Length of output: 1680

---

🏁 Script executed:

rg "fastscan_dispatch" --type rust -A 3 -B 3 | head -100

Repository: pilotspace/moon

Length of output: 1564

---

🏁 Script executed:

rg "init_fastscan" --type rust -A 3 -B 3 | head -50

Repository: pilotspace/moon

Length of output: 2480

---

🏁 Script executed:

rg "distance::init" --type rust -A 5 -B 2 | head -100

Repository: pilotspace/moon

Length of output: 5387

---

fastscan_dispatch() violates safe-to-unsafe boundaries by exposing UB via a public safe API.

scan_posting_list() is public and reachable from safe Rust, but it calls fastscan_dispatch() which uses unwrap_unchecked(). If distance::init() is skipped, this triggers immediate UB. The // SAFETY: comment documents an external initialization contract but does not enforce it at the API boundary.

Replace unwrap_unchecked() with a lazy-init using get_or_init() that returns a scalar fallback, or return an error if initialization is mandatory.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/distance/fastscan.rs` around lines 49 - 56, The public safe
function fastscan_dispatch currently calls unsafe {
FASTSCAN_DISPATCH.get().unwrap_unchecked() } and can cause UB if
init_fastscan()/distance::init() is not run; change this API boundary to a safe
lazy-init or an explicit error: replace unwrap_unchecked() usage on
FASTSCAN_DISPATCH in fastscan_dispatch with a call to get_or_init() (providing a
safe scalar/default FastScanDispatch fallback) or make fastscan_dispatch return
Result<&'static FastScanDispatch, InitError> and propagate that error into
callers such as scan_posting_list so callers cannot hit UB from skipped
initialization; ensure references to FASTSCAN_DISPATCH, init_fastscan,
fastscan_dispatch, and scan_posting_list are updated accordingly.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

cd /repo && find . -type f -name "mod.rs" | grep -E "vector/distance" | head -5

Repository: pilotspace/moon

Length of output: 114

---

🏁 Script executed:

cd /repo && find . -type f -name "*.rs" | grep -E "distance|simd|avx" | head -20

Repository: pilotspace/moon

Length of output: 114

---

🏁 Script executed:

cd /repo && git ls-files | grep -E "src/vector" | head -20

Repository: pilotspace/moon

Length of output: 114

---

🏁 Script executed:

git ls-files | grep -E "src/vector" | head -20

Repository: pilotspace/moon

Length of output: 612

---

🏁 Script executed:

git ls-files | grep -E "distance|avx512|avx2" | head -20

Repository: pilotspace/moon

Length of output: 259

---

🏁 Script executed:

wc -l src/vector/distance/mod.rs

Repository: pilotspace/moon

Length of output: 89

---

🏁 Script executed:

head -150 src/vector/distance/mod.rs | tail -130

Repository: pilotspace/moon

Length of output: 5929

---

🏁 Script executed:

head -80 src/vector/distance/avx512.rs

Repository: pilotspace/moon

Length of output: 2801

---

🏁 Script executed:

head -80 src/vector/distance/avx2.rs

Repository: pilotspace/moon

Length of output: 3046

---

🏁 Script executed:

head -80 src/vector/distance/scalar.rs

Repository: pilotspace/moon

Length of output: 2451

---

🏁 Script executed:

tail -200 src/vector/distance/mod.rs | head -100

Repository: pilotspace/moon

Length of output: 3299

---

🏁 Script executed:

grep -n "pub fn\|pub const" src/vector/distance/mod.rs | head -20

Repository: pilotspace/moon

Length of output: 124

---

🏁 Script executed:

rg "l2_f32|dot_f32|cosine_f32" --type rust src/vector/distance/ -A 5 -B 2 | head -150

Repository: pilotspace/moon

Length of output: 8408

---

🏁 Script executed:

rg "table()\s*\." --type rust -A 3 -B 1 src/ | head -80

Repository: pilotspace/moon

Length of output: 4111

---

🏁 Script executed:

rg "\.l2_f32\(|\.dot_f32\(|\.cosine_f32\(" --type rust -B 2 -A 1 src/ | head -100

Repository: pilotspace/moon

Length of output: 41

---

🏁 Script executed:

grep -n "debug_assert_eq" src/vector/distance/avx2.rs | head -5

Repository: pilotspace/moon

Length of output: 357

---

🏁 Script executed:

sed -n '147,165p' src/vector/distance/mod.rs

Repository: pilotspace/moon

Length of output: 647

---

🏁 Script executed:

rg "pub fn.*l2_f32|pub fn.*dot_f32" --type rust src/vector/distance/ -A 10

Repository: pilotspace/moon

Length of output: 1287

---

🏁 Script executed:

rg "impl.*DistanceTable" --type rust src/vector/distance/ -A 20

Repository: pilotspace/moon

Length of output: 41

---

Add runtime length validation at the safe wrapper boundary before calling unsafe kernels.

The unsafe distance kernels only use debug_assert_eq! for slice length validation, which is a no-op in release builds. In release mode, mismatched slice lengths cause unchecked reads via get_unchecked, leading to out-of-bounds memory access. Since DistanceTable is publicly exposed via table(), the safe closure wrappers must validate slice lengths before entering unsafe code:

Add invariant checks at safe boundary

                    l2_f32: |a, b| {
+                       assert_eq!(a.len(), b.len(), "l2_f32: dimension mismatch");
                        // SAFETY: AVX-512F verified by is_x86_feature_detected! above.
                        unsafe { avx512::l2_f32(a, b) }
                    },
                    l2_i8: |a, b| {
+                       assert_eq!(a.len(), b.len(), "l2_i8: dimension mismatch");
                        // SAFETY: AVX-512F+BW verified by is_x86_feature_detected! above.
                        unsafe { avx512::l2_i8_vnni(a, b) }
                    },
                    dot_f32: |a, b| {
+                       assert_eq!(a.len(), b.len(), "dot_f32: dimension mismatch");
                        // SAFETY: AVX-512F verified by is_x86_feature_detected! above.
                        unsafe { avx512::dot_f32(a, b) }
                    },
                    cosine_f32: |a, b| {
+                       assert_eq!(a.len(), b.len(), "cosine_f32: dimension mismatch");
                        // SAFETY: AVX-512F verified by is_x86_feature_detected! above.
                        unsafe { avx512::cosine_f32(a, b) }
                    },

Repeat for AVX2 (lines 79–97) and scalar fallback paths (104–123).

Per coding guidelines: "Prefer safe abstractions for unsafe code; if unsafe is needed, isolate it in a dedicated module" — the safe/unsafe boundary must validate all preconditions.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/distance/mod.rs` around lines 57 - 75, The safe closures returned
by DistanceTable (e.g., l2_f32, l2_i8, dot_f32, cosine_f32, and tq_l2) must
perform runtime slice-length validation before invoking the corresponding unsafe
kernels to avoid release-mode OOB reads; modify each closure in the AVX-512
branch to check that a.len() == b.len() (and any other kernel-specific
invariants) and return/abort gracefully (e.g., panic with a clear message) if
the check fails, and apply the same change to the AVX2 closures and the scalar
fallback closures so the safe/unsafe boundary enforces preconditions for all
architectures.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# First, let's find and read the full file to understand the context
head -200 src/vector/distance/mod.rs

Repository: pilotspace/moon

Length of output: 7923

---

🏁 Script executed:

# Search for the init() function definition
rg "fn init\(\)" src/ -A 10

Repository: pilotspace/moon

Length of output: 803

---

🏁 Script executed:

# Search for all calls to table() to see the usage patterns
rg "\.table\(\)" src/ -B 2 -A 2

Repository: pilotspace/moon

Length of output: 41

---

🏁 Script executed:

# Search for DISTANCE_TABLE definition
rg "DISTANCE_TABLE" src/vector/distance/ -B 3 -A 3

Repository: pilotspace/moon

Length of output: 1461

---

🏁 Script executed:

# Search for init() calls in the codebase, especially in main()
rg "distance::init\(\|init\(" src/ -B 2 -A 2

Repository: pilotspace/moon

Length of output: 41

---

🏁 Script executed:

# Search for main() function
rg "fn main\(\)" src/ -A 15

Repository: pilotspace/moon

Length of output: 888

---

🏁 Script executed:

# Search for calls to init (broader search, case-insensitive pattern)
rg "\.init\(\)" src/ -B 2 -A 2 | head -50

Repository: pilotspace/moon

Length of output: 1094

---

🏁 Script executed:

# Look for distance module usage patterns
rg "distance::" src/ -l | head -20

Repository: pilotspace/moon

Length of output: 486

---

🏁 Script executed:

# Check if there's a binary or entry point that calls init
rg "distance" src/main.rs 2>/dev/null || echo "Checking bin files"
fd "main.rs" src/

Repository: pilotspace/moon

Length of output: 188

---

🏁 Script executed:

# Check if there's a lib.rs and what it exports
cat src/lib.rs | head -80

Repository: pilotspace/moon

Length of output: 2407

---

🏁 Script executed:

# Check Cargo.toml to see if this is a binary or library
head -30 Cargo.toml

Repository: pilotspace/moon

Length of output: 1080

---

🏁 Script executed:

# Verify the full context of where distance::init() is called in main.rs
rg "distance::init" src/main.rs -B 5 -A 10

Repository: pilotspace/moon

Length of output: 434

---

🏁 Script executed:

# Check if vector module is exported from lib.rs (continue from where previous output was truncated)
tail -50 src/lib.rs | head -30

Repository: pilotspace/moon

Length of output: 907

---

🏁 Script executed:

# Or more directly, search for "pub mod vector" in lib.rs
rg "pub mod vector" src/

Repository: pilotspace/moon

Length of output: 127

---

🏁 Script executed:

# Verify that the module is indeed publicly accessible
rg "use.*vector::" src/ -l | head -10

Repository: pilotspace/moon

Length of output: 384

---

table() should not use unwrap_unchecked() in a safe public API.

The table() function is publicly exported from lib.rs and has a safe signature, yet it contains unsafe { unwrap_unchecked() } that causes immediate UB in release builds if init() has not been called. While init() is called early in main.rs, external library users can violate this precondition without any runtime safeguard—the debug_assert! is compiled out in release builds.

A safe public function must not have preconditions that lead to undefined behavior. Fix this by either marking table() as unsafe (with explicit caller responsibility), using lazy initialization with OnceLock, or panicking if the table is uninitialized.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/distance/mod.rs` around lines 147 - 156, The public safe function
table() currently uses unsafe unwrap_unchecked() on DISTANCE_TABLE which can
cause UB in release builds; replace the unsafe call with a safe runtime check
that panics if uninitialized (e.g. use
DISTANCE_TABLE.get().expect("distance::init() was not called before table()") or
unwrap_or_else with a clear message) so callers get a controlled panic instead
of undefined behavior; keep the debug_assert! for debug builds but remove the
unsafe block and unwrap_unchecked() from table() (alternatively, if you prefer
leaving responsibility to callers, mark table() as unsafe and document the
precondition that init() must be called).

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Use wrapping_add for speculative prefetch addresses.

The new unsafe block assumes out-of-bounds prefetches are harmless, but ptr.add() itself requires the result to stay in-bounds or one-past the allocation. On the last node, the +16 / +64 / +128 offsets can violate that before _mm_prefetch ever runs.

🛡️ Safer pointer arithmetic for prefetch-only addresses

-                _mm_prefetch(nptr.add(neighbor_offset) as *const i8, _MM_HINT_T0);
-                _mm_prefetch(nptr.add(neighbor_offset + 16) as *const i8, _MM_HINT_T0);
-                _mm_prefetch(vptr.add(vector_offset) as *const i8, _MM_HINT_T0);
-                _mm_prefetch(vptr.add(vector_offset + 64) as *const i8, _MM_HINT_T0);
-                _mm_prefetch(vptr.add(vector_offset + 128) as *const i8, _MM_HINT_T0);
+                _mm_prefetch(nptr.wrapping_add(neighbor_offset) as *const i8, _MM_HINT_T0);
+                _mm_prefetch(nptr.wrapping_add(neighbor_offset + 16) as *const i8, _MM_HINT_T0);
+                _mm_prefetch(vptr.wrapping_add(vector_offset) as *const i8, _MM_HINT_T0);
+                _mm_prefetch(vptr.wrapping_add(vector_offset + 64) as *const i8, _MM_HINT_T0);
+                _mm_prefetch(vptr.wrapping_add(vector_offset + 128) as *const i8, _MM_HINT_T0);

As per coding guidelines "When modifying existing unsafe code, verify all SAFETY comments remain accurate".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/hnsw/graph.rs` around lines 421 - 431, The unsafe prefetch block
uses ptr.add(...) with offsets (neighbor_offset + 16, vector_offset + 64, etc.)
which can UB if the base pointer is near the end of the allocation; change those
uses to wrapping pointer arithmetic so the computed addresses are only used for
speculative prefetches: replace calls that compute prefetch targets from
self.layer0_neighbors.as_ptr() and _vectors_tq.as_ptr() (and the local
neighbor_offset / vector_offset arithmetic) to use wrapping_add (or equivalent
pointer::wrapping_offset) before calling _mm_prefetch inside the same unsafe
block, keeping the SAFETY comment updated to state that wrapping arithmetic is
used because prefetch addresses may go past the allocation but are only
speculative hints.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

flat_scan() walks past the compacted buffers after deletions.

total_count includes rows that were already dropped during compaction, but vectors_tq/graph only store the live rows. On any segment compacted from a source with tombstones, this loop can index past vectors_tq; after mark_deleted(), it also keeps returning newly tombstoned rows.

🩹 Minimal fix

-        let n = self.total_count as usize;
+        let n = self.graph.num_nodes() as usize;
         if n == 0 || k == 0 {
             return SmallVec::new();
         }
@@
         for bfs_pos in 0..n {
+            if self.mvcc[bfs_pos].delete_lsn != 0 {
+                continue;
+            }
             let offset = bfs_pos * bytes_per_code;
             let code = &tq_buf[offset..offset + code_len];

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/segment/immutable.rs` around lines 323 - 387, flat_scan currently
iterates to self.total_count which can exceed the number of packed TQ codes
(vectors_tq) after compaction/tombstones causing OOB reads and returning deleted
rows; change the loop to use the actual number of packed codes (let live_n =
self.vectors_tq.len() / bytes_per_code) instead of self.total_count and iterate
bfs_pos in 0..live_n, and also skip rows that are tombstoned by checking the
graph tombstone API (e.g. graph.is_deleted(bfs_pos) or equivalent used by
mark_deleted()) before decoding a code so newly tombstoned rows are not
returned.

[pilotspacex-byte]

@claude review

[claude]

Claude finished @pilotspacex-byte's task in 5m 40s —— View job

---

Code Review — feat/vector-engine

This is a massive 26K-line PR adding a full vector search engine. I've done a thorough pass focusing on correctness, safety, and adherence to the project's coding standards. Below are findings organized by severity.

---

🔴 Build-Breaking / Compiler Errors

src/vector/distance/avx2.rs:17,33 — #[inline(always)] with #[target_feature] is illegal

The two private helper functions hsum_f32_avx2 and hsum_i32_avx2 still combine #[inline(always)] with #[target_feature]. This is explicitly forbidden in stable Rust (E0658) and will fail to compile even under the default feature set. Change to #[inline].

// Lines 17-18 and 33-34 — change both occurrences:
#[inline]   // was #[inline(always)]
#[target_feature(enable = "avx2,fma")]
unsafe fn hsum_f32_avx2(v: __m256) -> f32 { ... }

Fix this →

---

🔴 Critical Correctness Issues

src/vector/store.rs:291 — Hardcoded delete_lsn = 1 breaks MVCC snapshot isolation

Every DEL/HDEL/UNLINK operation marks vectors deleted at LSN 1, regardless of when the operation actually occurs. Per mvcc/visibility.rs:57, entries are invisible when delete_lsn <= snapshot_lsn. This means any transaction with snapshot_lsn >= 1 (all transactions after the first) will never see deleted vectors disappear — the deletion is backdated to the very beginning of time.

// store.rs:291 — should use actual current LSN, not 1
snap.mutable.mark_deleted_by_key_hash(key_hash, 1); // BUG: always LSN 1

Fix this →

src/vector/segment/immutable.rs:328 — flat_scan() uses total_count, causing buffer overrun after deletions

flat_scan() iterates 0..self.total_count, but the TQ code buffer (vectors_tq) only contains packed codes for live vectors. After compaction with tombstones, total_count > live_count, so the loop walks off the end of the buffer.

// immutable.rs:328
let n = self.total_count as usize;  // BUG: should be live_count or vectors_tq.len() / bytes_per_code

Fix this →

src/vector/aligned_buffer.rs:68-79 — from_vec fast path causes UB in Drop

When the source Vec<T> pointer happens to be 64-byte aligned, the code reuses the allocation directly but stores a Layout with align = 64. However, the original Vec<T> was allocated with Layout::array::<T>(capacity) which has align = align_of::<T>() (e.g., 4 for f32). When Drop calls alloc::dealloc(ptr, self.layout) with the mismatched 64-byte layout, this is undefined behavior — the allocator requires the exact same Layout used at allocation.

// aligned_buffer.rs:76-79 — dealloc will use wrong alignment
let layout = Layout::from_size_align(byte_size, ALIGN)  // align=64
    .expect("AlignedBuffer: invalid layout");
let ptr = v.as_ptr() as *mut T;
std::mem::forget(v);  // original layout (align=4 for f32) is lost
Self { ptr, len, layout }  // dealloc uses align=64 → UB

Fix: copy into a fresh aligned allocation instead of reusing the Vec's allocation in the fast path. Fix this →

src/vector/persistence/wal_record.rs:327 — Panic on zero-length WAL payload

If a WAL frame arrives with payload_len == 0 (malformed or corrupted), the code passes all size checks (data.len() >= 10) then panics at payload[0] since payload = &data[5..5] is empty. Recovery should treat this as WalRecordError::Truncated.

// Add before line 327:
let payload = &data[5..5 + payload_len];
if payload.is_empty() {
    return Err(WalRecordError::Truncated);
}
let record_type = payload[0]; // panics if payload_len was 0

Fix this →

src/vector/segment/compaction.rs:360 — Recall gate is dead code; low-quality graphs silently accepted

verify_recall() and MIN_RECALL are both decorated with #[allow(dead_code)] and are never called. The docstring for compact() promises "Returns Err if recall < 0.95," but the function never verifies recall before building, persisting, and returning the segment. A degenerate HNSW graph with 20% recall will be committed silently.

// compaction.rs:24-27
#[allow(dead_code)]
const MIN_RECALL: f32 = 0.95;  // never enforced

// compaction.rs:360
#[allow(dead_code)]
fn verify_recall(...)  // never called

Fix this →

src/vector/persistence/recovery.rs:162-166 — Recovery ignores persisted collection metadata

During WAL replay, mutable segments are always created with hardcoded DistanceMetric::L2 and QuantizationConfig::TurboQuant4. If the original collection used Cosine, IP, TQ1, or any other configuration, post-restart inserts will be quantized with the wrong codebook and distance computations will be incorrect.

// recovery.rs:162-166 — always uses L2 + TQ4 regardless of actual config
CollectionMetadata::new(
    *collection_id, dim,
    crate::vector::types::DistanceMetric::L2,           // hardcoded
    QuantizationConfig::TurboQuant4,                     // hardcoded
    *collection_id,
)

Fix this →

---

🟠 Major Issues

src/shard/coordinator.rs:794-839 — FT.CREATE/DROPINDEX broadcast is not atomic

The local shard is mutated first, then remote shards are notified. If any remote shard fails or its reply channel closes, the cluster is left in a split state: some shards have the index, others don't. FT.SEARCH scatter-gather will then produce incorrect results. Remote acknowledgements should be collected before local mutation, or a two-phase approach used.

src/shard/spsc_handler.rs:265-296 — Vector hooks missing from MultiExecute / PipelineBatch

Auto-indexing (HSET → vector store) and delete marking (DEL/HDEL/UNLINK) are wired only in the Execute variant. MultiExecute, PipelineBatch, ExecuteSlotted, and PipelineBatchSlotted all call cmd_dispatch() but skip these hooks. Vectors modified through pipelines or transactions will silently diverge from the vector index.

src/shard/spsc_handler.rs:285 — HDEL unconditionally marks the entire document deleted

HDEL key field1 field2 removes specific hash fields, not the entire hash. The current code tombstones the whole vector document on any successful HDEL, even if the field removed was unrelated to the indexed vector (e.g., HDEL doc:1 title). This causes FT.SEARCH to stop returning documents that are still alive.

src/server/conn/handler_single.rs — MULTI/EXEC bypasses vector hooks

FT.* dispatch and HSET auto-indexing are in the non-transactional path. Inside MULTI, frames are queued and execute_transaction() has no vector_store parameter. Transactional HSET operations don't trigger indexing, and FT.* commands inside MULTI cannot execute at all.

src/vector/filter/payload_index.rs:107-114 — NOT filter uses wrong universe

The FilterExpr::Not case constructs the complement universe as 0..total_vectors. After deletions or BFS reordering during compaction, internal IDs are not necessarily a dense range. The complement of a filter should use the actual live-ID bitmap, not 0..total_vectors, otherwise NOT queries can match deleted or non-existent vectors.

src/vector/mvcc/manager.rs:27-28 — u64 txn_id truncated to u32

Transaction IDs are u64 but stored in a RoaringBitmap<u32>. At 50K transactions/second this wraps in ~100 days. After wraparound, is_committed(4_294_967_296) checks bit 0, returning a false positive. The txn_id_to_u32() helper logs an error on overflow but silently returns None, treating overflowed transactions as uncommitted. This needs a circuit-breaker or a u64-capable structure.

src/vector/hnsw/search.rs:157-162,287 — Zero-allocation claim violated

The doc comment states "zero-allocation guarantee (VEC-HNSW-03)" but line 287 allocates adc_lut via Vec::with_capacity(padded_dim * entries_per_coord) on every search. For 1024-dim vectors this is 64KB per search. adc_lut should be moved into SearchScratch and pre-allocated.

src/vector/distance/mod.rs:157 — table() uses unwrap_unchecked() in a safe public function

table() is pub with a safe signature, but internally calls unsafe { DISTANCE_TABLE.get().unwrap_unchecked() }. If init() is skipped (valid for library users), this causes immediate UB in release builds. The debug_assert! above is compiled out in release. Either mark the function unsafe (with precondition documented), or use expect() for a controlled panic.

src/vector/distance/fastscan.rs:49-56 — Public safe API wraps unwrap_unchecked()

scan_posting_list() is a public safe function that calls fastscan_dispatch(), which internally calls unsafe { FASTSCAN_DISPATCH.get().unwrap_unchecked() }. Same problem as table() — if init() was not called, this is UB reachable from safe code. Use get_or_init() with a scalar fallback or use expect().

src/vector/hnsw/graph.rs:189-200 — neighbors_upper() underflows on level == 0

row = idx_start + (level - 1) wraps to usize::MAX when level == 0. Additionally, a request for a level above the node's actual height walks into adjacent CSR rows. The function should validate level > 0 && level <= self.levels[node_id] before computing row.

src/vector/hnsw/graph.rs:431 — ptr.add() for speculative prefetch is unsound

ptr.add(offset + 16) etc. requires the result to stay within the allocation or one-past-the-end per Rust's pointer rules. On the last node, these offsets will point beyond the allocation. Use wrapping_add for speculative prefetch addresses.

---

🟡 Minor / Cleanup

• src/vector/distance/scalar.rs:18,35,52,71 — assert_eq! on dimension mismatch is correct (per review), but worth noting the inconsistency with debug_assert_eq! in the SIMD paths.
• src/vector/turbo_quant/collection.rs:242-262 — compute_checksum() omits qjl_matrices and build_mode. Corruption of these fields won't be detected since they're not checksummed.
• src/vector/metrics.rs:57-61 — fetch_sub(1) wraps from 0 to u64::MAX on duplicate FT.DROPINDEX. Use saturating subtraction.
• src/vector/segment/mutable.rs:363 — let centroids = self.collection.codebook_16() is assigned but never used. Dead code.
• src/vector/segment/holder.rs:752 — Unused imports AlignedBuffer, IvfQuantization, IvfSegment in test module will fail cargo clippy -- -D warnings.
• src/command/vector_search.rs — At 1526 lines, this file exceeds the CLAUDE.md 1500-line hard limit. Extract parsing utilities or tests to a submodule.
• scripts/bench-vector-production.sh:27 — Single-quoted heredoc <<'HEADER' prevents $(date ...), $(rustc ...) etc. from expanding. Remove the quotes.
• src/vector/hnsw/search_sq.rs:87-128 — results.peek().unwrap() and partial_cmp(...).unwrap() violate the no-unwrap() in library code rule.

---

Summary

Severity	Count	Status
🔴 Build-blocking	1	avx2.rs #[inline(always)] + #[target_feature]
🔴 Critical correctness	6	MVCC delete_lsn, flat_scan OOB, AlignedBuffer UB, WAL panic, dead recall gate, recovery metadata
🟠 Major	10	Broadcast atomicity, missing hooks, HDEL semantics, MULTI/EXEC, NOT filter, txn_id wrap, zero-alloc claim, unsafe-in-safe APIs, graph bounds
🟡 Minor	8	Checksums, metrics, dead code, file size, scripts

The core algorithms (HNSW, TurboQuant, IVF, SIMD kernels) look technically solid. The main gaps are in the integration layer — correctness of MVCC semantics, persistence/recovery, and the Redis command hooks. I'd recommend addressing the 🔴 items before merge and tracking the 🟠 items as follow-up issues.
| Branch: feat/vector-engine

[coderabbitai]

Actionable comments posted: 15

♻️ Duplicate comments (1)

src/vector/distance/avx512.rs (1)

22-23: ⚠️ Potential issue | 🔴 Critical

This AVX-512 module is still above the repo MSRV.

With simd-avx512 enabled, these #[target_feature] functions and _mm512_* intrinsics still put the feature outside Rust 1.85, so this remains a build blocker until the module is gated out of MSRV builds or the MSRV is raised.

In Rust 1.85, are `#[target_feature(enable = "avx512f")]` and `core::arch::x86_64::_mm512_*` intrinsics stable, or do they require Rust 1.89+/nightly?

As per coding guidelines: **/*.rs: Rust MSRV must be 1.85 (edition 2024), enforced in CI

Also applies to: 77-78, 126-127, 173-174

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/distance/avx512.rs` around lines 22 - 23, The AVX-512 functions
(e.g., the l2_f32 function annotated with #[target_feature(enable = "avx512f")]
and any uses of core::arch::x86_64::_mm512_* intrinsics) must be excluded from
MSRV (Rust 1.85) builds; wrap the entire module or those functions behind an
explicit optional Cargo feature (e.g., feature "simd-avx512") and use
#[cfg(feature = "simd-avx512")] on the module and on l2_f32 (and related symbols
referenced at lines ~77, ~126, ~173), and ensure the Cargo.toml exposes that
feature as opt-in so CI/MSRV builds do not compile AVX-512 code unless the
feature is enabled.

🧹 Nitpick comments (7)

scripts/bench-vs-competitors.py (4)

366-384: Redis startup check relies on fixed sleep, unlike Qdrant's polling.

Qdrant mode (lines 523-540) polls /healthz up to 30 times with 1s intervals, but Redis mode uses a fixed time.sleep(2). On slower systems or under load, Redis may not be ready, causing connection failures.

♻️ Suggested polling loop for Redis startup

     subprocess.run(
         ["redis-server", "--port", str(port), "--daemonize", "yes",
          "--loglevel", "warning", "--save", "", "--appendonly", "no"],
         capture_output=True
     )
-    time.sleep(2)
 
     r = redis_lib.Redis(port=port, decode_responses=False)
 
+    # Poll for Redis readiness (similar to Qdrant health check)
+    for attempt in range(30):
+        try:
+            if r.ping():
+                break
+        except Exception:
+            pass
+        time.sleep(0.5)
+    else:
+        print(f"  ERROR: Redis failed to start within 15s on port {port}")
+        result_data = {"skipped": True, "reason": "Redis failed to start"}
+        output = args.output if args.output else "target/bench-results/redis.json"
+        os.makedirs(os.path.dirname(output), exist_ok=True)
+        with open(output, "w") as f:
+            json.dump(result_data, f, indent=2)
+        return
+
     try:
         pid = int(r.info("server")["process_id"])
     except Exception as e:

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/bench-vs-competitors.py` around lines 366 - 384, The Redis startup
uses a fixed time.sleep(2) which can fail on slow systems; replace it with a
polling loop that retries checking the Redis server readiness using the existing
redis_lib.Redis instance `r` (e.g., call `r.ping()` or `r.info("server")`) up to
a configurable number of attempts (match Qdrant's pattern: ~30 tries with 1s
interval), sleeping between attempts and breaking when successful, and only then
proceed to read `process_id`; keep the current exception handling that logs the
error and writes the same `result_data` when the polling ultimately times out.

---

244-244: Remove extraneous f prefix from strings without placeholders.

Static analysis flagged several f-strings that contain no interpolation. While harmless, removing them reduces noise.

Examples to fix

-    print(f">>> Compacting (building HNSW index)...")
+    print(">>> Compacting (building HNSW index)...")

-    print(f">>> Warming up...")
+    print(">>> Warming up...")

Similar changes apply to lines 743, 747, 787-789, 802, 815 in mode_report.

Also applies to: 415-415, 608-608

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/bench-vs-competitors.py` at line 244, Several print statements and
strings in the script are using f-strings without any interpolation (e.g., the
print call that currently reads f">>> Compacting (building HNSW index)...") and
multiple similar occurrences in mode_report; remove the unnecessary leading "f"
so they are plain strings. Search for occurrences of f-strings with no "{" or
"}" (examples around the print at ">>> Compacting (building HNSW index)..." and
within the mode_report function) and change them to normal string literals,
ensuring no runtime behavior or formatting calls depend on those being
f-strings.

---

662-670: Memory parsing may miss decimal unit suffixes (GB, MB, KB).

docker stats may output memory with either binary (GiB/MiB/KiB) or decimal (GB/MB/KB) suffixes depending on Docker version and configuration. The current parser only handles binary units.

♻️ Extended memory parser

     def parse_mem_mb(s):
         s = s.strip()
         if "GiB" in s:
             return float(s.replace("GiB", "")) * 1024
         if "MiB" in s:
             return float(s.replace("MiB", ""))
         if "KiB" in s:
             return float(s.replace("KiB", "")) / 1024
+        # Handle decimal units (GB, MB, KB)
+        if "GB" in s:
+            return float(s.replace("GB", "")) * 1000
+        if "MB" in s:
+            return float(s.replace("MB", ""))
+        if "KB" in s:
+            return float(s.replace("KB", "")) / 1000
         return 0

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/bench-vs-competitors.py` around lines 662 - 670, The parse_mem_mb
function only handles binary suffixes ("GiB","MiB","KiB") so it will miss
decimal suffixes like "GB","MB","KB" (and mixed-case); update parse_mem_mb to
normalize the input (strip, lower), use a regex to extract the numeric value and
unit, map units {"gib","gb"} -> *1024, {"mib","mb"} -> *1, {"kib","kb"} ->
/1024, and handle bare bytes or values without units by dividing appropriately;
ensure the function returns a float MB and still returns 0 for unparseable
strings while referencing parse_mem_mb in your change.

---

127-131: Consider guarding against empty input in percentile calculation.

The function will fail with IndexError if values is empty. While latencies lists are expected to be non-empty in normal operation, adding a guard improves robustness.

🛡️ Suggested defensive fix

 def percentile(values, p):
     """Compute percentile from sorted list."""
+    if not values:
+        return 0.0
     idx = int(len(values) * p / 100)
     idx = min(idx, len(values) - 1)
     return values[idx]

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/bench-vs-competitors.py` around lines 127 - 131, The percentile
function does not handle empty input and will raise IndexError; update the
percentile(values, p) function to check for an empty values list up front (e.g.,
if not values:) and either raise a clear ValueError like "percentile requires
non-empty values" or return a defined sentinel (None) and document that
behavior; ensure callers (e.g., any use with latencies) handle the chosen
sentinel or catch the ValueError.

scripts/bench-vector-production.sh (2)

40-50: Unused helper function run_bench — dead code.

This function is defined but never called; all benchmark invocations use inline cargo bench commands instead. Either remove it or refactor the inline calls to use this helper for consistency and reduced duplication.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/bench-vector-production.sh` around lines 40 - 50, The helper function
run_bench is defined but never used, creating dead code; either remove the
run_bench function or update all inline cargo bench invocations to call
run_bench instead. Locate the run_bench function and replace each occurrence of
direct "RUSTFLAGS=... cargo bench --bench ..." calls with run_bench
"<bench_name>" "<optional_filter>" (preserving use of RUSTFLAGS_OPT and
FEATURES), or if you prefer removal, delete the run_bench block entirely to
eliminate the unused function.

---

222-236: Hardcoded "Measured" values may confuse users.

The comparison table contains static benchmark results that don't reflect the current run. Users may expect these to be dynamically populated. Consider either:

1. Clearly labeling this as "Historical Baseline" or "Reference Values"
2. Or populating it dynamically from the benchmark outputs above

Suggested labeling clarification

-## Comparison: Measured vs Architecture Targets
+## Comparison: Reference Baseline vs Architecture Targets
+
+> **Note:** These are reference values from a previous benchmark run on Apple Silicon.
+> Actual performance varies by hardware. See sections above for current measurements.
 
 | Metric | Architecture Target | Measured | Status |

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/bench-vector-production.sh` around lines 222 - 236, The static
comparison table under the "Comparison: Measured vs Architecture Targets"
heading currently hardcodes "Measured" values; either mark the table as
historical/reference by renaming the column header (e.g., "Reference Measured"
or "Historical Baseline") and add a short note, or replace the hardcoded cells
by inserting the script's computed benchmark variables (e.g.,
measured_f32_L2_768d, measured_f32_dot_768d, measured_fwht_1024,
hnsw_search_1k_128d, recall_at_10_1k_128d, memory_per_vector_768d) so the table
is populated from the run outputs; update the table header and any descriptive
text accordingly so users are not misled by static values.

src/storage/db.rs (1)

542-588: src/storage/db.rs is past the file-size cap.

This file now runs to Line 1570, so continuing to add collection-specific helpers here makes the storage layer harder to navigate. Please split the hash/list/set accessors into submodules.

As per coding guidelines, "No single .rs file should exceed 1500 lines; split into submodules if approaching this limit".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/storage/db.rs` around lines 542 - 588, The file exceeds the size cap
because collection-specific accessors like get_or_create_hash (and similar
hash/list/set helpers) live in this large db.rs; extract those into focused
submodules (e.g. storage::hash, storage::list, storage::set) by moving functions
such as get_or_create_hash, any list/set accessor helpers, and related helper
logic (e.g. HashListpack upgrade code) into a new hash module; keep types Entry,
RedisValue, CompactKey, Frame and used_memory access either by making the helper
functions pub(crate) and accepting a &mut DB/state struct or by exposing the
minimal internal API they need, update imports (use ...) in the new module,
re-export the public accessors from the parent module (pub use
hash::get_or_create_hash) so call sites remain unchanged, and add a mod
declaration for the new submodule in the parent file to compile cleanly.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@scripts/bench-vector-production.sh`:
- Line 16: The comment in scripts/bench-vector-production.sh claims the markdown
report is saved to target/vector-benchmark-report.md but the script only writes
to stdout; either update the comment or modify the script so its entire output
is captured to that file — for example, wrap the report generation in a subshell
and pipe to tee "target/vector-benchmark-report.md" (or set up an exec > >(tee
target/vector-benchmark-report.md)) so the output both prints and is saved;
locate the report-producing section in bench-vector-production.sh and implement
tee-based capture or remove/adjust the misleading comment.
- Line 195: The cargo test invocation places the test name filter in the wrong
position; move the test name argument "test_ft_search_end_to_end" so it appears
after the "--" (i.e. passed as a test-binary argument alongside "--nocapture")
while keeping $FEATURES and the "--" intact, updating the cargo test command
that currently contains "test_ft_search_end_to_end", "--nocapture", and
$FEATURES accordingly.
- Line 167: The cargo test invocation places the test filter before the `--` so
`test_search_1000_vectors_recall` is treated as a package selector; change the
order so the test name is passed as the test filter after the `--`. Update the
command using the same flags (`cargo test`, `--lib`, `$FEATURES`) but move
`test_search_1000_vectors_recall` after the `--` and ensure `--nocapture` is
passed as a test runner arg (i.e., `cargo test --lib $FEATURES --
test_search_1000_vectors_recall --nocapture 2>&1 | grep "recall"`).
- Line 215: The pipeline command "cargo clippy $FEATURES -- -D warnings 2>&1 |
tail -1 || echo 'CLEAN (0 warnings)'" is ineffective under set -e and because
tail always exits 0; either remove the trailing "|| echo 'CLEAN (0 warnings)'"
entirely so clippy's real output/exit code is preserved, or change the logic to
capture clippy output into a variable (run cargo clippy redirecting stderr to
stdout while preventing exit-on-error), then print the last line of that
captured output as the summary; locate the exact command string in the script
and apply one of these two fixes.

In `@scripts/bench-vs-competitors.py`:
- Around line 1165-1169: The returned metrics currently hardcode recall and use
arbitrary constants; update the function that builds the return dict (the block
returning {"search_us": search_time_us, "p50": ..., "bytes_per_vec":
memory_bytes_per_vec, "recall": 1.0}) to compute actual recall the same way
_legacy_bench_redis/_legacy_bench_qdrant do: run Moon queries against the
ground-truth set, compare retrieved IDs to ground-truth to compute recall,
remove the hardcoded 1.0; also replace any literal bytes_per_vec (813) with the
measured memory_bytes_per_vec value and ensure search_time_us falls back to a
measured timing instead of arbitrary constants—follow the approach used in
mode_bench_moon for query execution, timing, and recall computation.
- Around line 202-215: The FT.CREATE fallback branch currently leaves metadata
claiming "quantization": "TQ4" even when the fallback was created without
quantization; update the exception handling around the initial FT.CREATE (the
try/except that prints "FT.CREATE error: {e}" and the nested fallback that
prints "FT.CREATE (no quant): {result}" / "FT.CREATE fallback error: {e2}") so
that after a successful fallback you set the quantization tracking
variable/metadata to a neutral value (e.g., None or "none") and ensure the
reported result/dict used for benchmark output uses that variable instead of
hardcoding "TQ4"; apply the same change to the equivalent fallback block later
in the file (the other FT.CREATE fallback) so both places correctly reflect when
no quantization was used.
- Around line 898-900: os.makedirs(os.path.dirname(output), exist_ok=True) can
raise when os.path.dirname(output) is empty (a bare filename); change the block
to compute the directory (e.g., dirpath = os.path.dirname(output)) and only call
os.makedirs(dirpath, exist_ok=True) when dirpath is non-empty (or truthy) before
the with open(output, "w") as f: write(...) so that creating parent directories
is skipped for files in the current directory.

In `@src/storage/db.rs`:
- Around line 557-568: In get_or_create_hash, when the match on
self.data.get_mut(key) falls into the None branch after an insert, undo the
partial creation by removing the just-inserted key from self.data (e.g.,
self.data.remove(key)) and decrementing self.used_memory by the same amount it
was incremented during the create path (use the same size accounting logic used
on insert), then log the error and return the Err Frame; ensure you reference
the same allocation/size calculation used when the entry was first added so
memory accounting stays consistent.

In `@src/vector/persistence/recovery.rs`:
- Around line 159-167: The recovered mutable segments are created with
hard-coded CollectionMetadata using DistanceMetric::L2 and
QuantizationConfig::TurboQuant4; instead, locate and use the actual stored
collection metadata (the metadata/deserialized config produced by WAL/disk
recovery) when constructing MutableSegment and its Arc<CollectionMetadata>
(replace the CollectionMetadata::new(...) calls inside CollectionReplayState and
MutableSegment::new with the recovered metadata values), update the same fix for
the other two occurrences noted (the other constructors and the WAL path that
currently hard-codes L2/TurboQuant4), and ensure the code path that swaps the
disk placeholder (the branch that runs when replay produced a mutable segment)
uses that recovered metadata so pending_segments receives a mutable segment
whose metric and quantizer match the rest of the collection.
- Around line 76-113: The code is incorrectly using wal_data[pos] ==
VECTOR_RECORD_TAG as the discriminator; instead parse the outer WAL frame header
first (read the 4-byte little-endian length at wal_data[pos..pos+4], validate
bounds and a sane max like 100_000_000), then read the payload slice of that
length and only inspect the payload's first byte for VECTOR_RECORD_TAG; if it
matches, call VectorWalRecord::from_wal_frame on the payload slice and
push/advance by 4 + frame_len, otherwise treat it as a RESP block and just
advance by 4 + frame_len. Ensure you still handle truncated/bad lengths and use
the same warnings, referencing wal_data, pos, VECTOR_RECORD_TAG, and
VectorWalRecord::from_wal_frame.
- Around line 273-293: The match in recovery.rs that calls
read_immutable_segment should not log-and-skip on Err; instead propagate a
failure (or return an explicit partial-recovery result) so recovery does not
silently continue with missing data. Replace the warn-and-continue branch for
read_immutable_segment in the recovery flow (where you build entries with
RecoveredCollection and MutableSegment::new and push to entry.immutable) so it
returns Err(RecoveryError::SegmentLoad(...)) or an appropriate PartialRecovery
result, surfacing the underlying error `e` rather than skipping the segment.

In `@src/vector/segment/mutable.rs`:
- Around line 155-166: The mutable append currently reserves
qjl_signs/residual_norms/raw_f32 but leaves them zeroed for BuildMode::Exact,
causing live searches with Some(query_state) to use score_l2_prod() against
uninitialized QJL data; fix by computing and writing the real QJL metadata at
append time (use the same quantization routine used in freeze() to fill
inner.qjl_signs, push the correct inner.residual_norms value, and extend
inner.raw_f32 properly) when collection.build_mode == BuildMode::Exact and
query_state may be present, so score_l2_prod() sees correct data, or
alternatively change the mutable search path to continue using tq_l2_adc_scaled
until freeze() materializes QJL — adjust code around inner.qjl_signs,
inner.residual_norms, raw_f32 handling in the append logic to match freeze()’s
metadata generation and ensure query_state-dependent branches behave
consistently.
- Around line 701-704: The test currently creates q_rot via rotate_query,
codebook via col.codebook_16(), and qs via make_query_state but then calls
seg.brute_force_search(&vectors[0], None, 3), leaving those variables dead;
either remove the unused q_rot/codebook/qs declarations or wire them into the
search call by passing the constructed query state (use qs or the appropriate
Some(QueryState) argument) so rotate_query, codebook_16, and make_query_state
are actually used; apply the same fix to the other occurrence around
brute_force_search at the later block (the 779-780 spot) to eliminate the
warnings.
- Line 249: Replace the direct unwrap() on query_state with explicit pattern
matching: bind the inner value using if let Some(qs) = query_state (or a match)
and handle the None case by returning/propagating an error or early-exiting as
the surrounding code expects; do this for the occurrence where query_state is
unwrapped (let qs = query_state.unwrap()) and the second occurrence in the other
search helper so both search helpers in mutable.rs use pattern matching instead
of unwrap().

---

Duplicate comments:
In `@src/vector/distance/avx512.rs`:
- Around line 22-23: The AVX-512 functions (e.g., the l2_f32 function annotated
with #[target_feature(enable = "avx512f")] and any uses of
core::arch::x86_64::_mm512_* intrinsics) must be excluded from MSRV (Rust 1.85)
builds; wrap the entire module or those functions behind an explicit optional
Cargo feature (e.g., feature "simd-avx512") and use #[cfg(feature =
"simd-avx512")] on the module and on l2_f32 (and related symbols referenced at
lines ~77, ~126, ~173), and ensure the Cargo.toml exposes that feature as opt-in
so CI/MSRV builds do not compile AVX-512 code unless the feature is enabled.

---

Nitpick comments:
In `@scripts/bench-vector-production.sh`:
- Around line 40-50: The helper function run_bench is defined but never used,
creating dead code; either remove the run_bench function or update all inline
cargo bench invocations to call run_bench instead. Locate the run_bench function
and replace each occurrence of direct "RUSTFLAGS=... cargo bench --bench ..."
calls with run_bench "<bench_name>" "<optional_filter>" (preserving use of
RUSTFLAGS_OPT and FEATURES), or if you prefer removal, delete the run_bench
block entirely to eliminate the unused function.
- Around line 222-236: The static comparison table under the "Comparison:
Measured vs Architecture Targets" heading currently hardcodes "Measured" values;
either mark the table as historical/reference by renaming the column header
(e.g., "Reference Measured" or "Historical Baseline") and add a short note, or
replace the hardcoded cells by inserting the script's computed benchmark
variables (e.g., measured_f32_L2_768d, measured_f32_dot_768d,
measured_fwht_1024, hnsw_search_1k_128d, recall_at_10_1k_128d,
memory_per_vector_768d) so the table is populated from the run outputs; update
the table header and any descriptive text accordingly so users are not misled by
static values.

In `@scripts/bench-vs-competitors.py`:
- Around line 366-384: The Redis startup uses a fixed time.sleep(2) which can
fail on slow systems; replace it with a polling loop that retries checking the
Redis server readiness using the existing redis_lib.Redis instance `r` (e.g.,
call `r.ping()` or `r.info("server")`) up to a configurable number of attempts
(match Qdrant's pattern: ~30 tries with 1s interval), sleeping between attempts
and breaking when successful, and only then proceed to read `process_id`; keep
the current exception handling that logs the error and writes the same
`result_data` when the polling ultimately times out.
- Line 244: Several print statements and strings in the script are using
f-strings without any interpolation (e.g., the print call that currently reads
f">>> Compacting (building HNSW index)...") and multiple similar occurrences in
mode_report; remove the unnecessary leading "f" so they are plain strings.
Search for occurrences of f-strings with no "{" or "}" (examples around the
print at ">>> Compacting (building HNSW index)..." and within the mode_report
function) and change them to normal string literals, ensuring no runtime
behavior or formatting calls depend on those being f-strings.
- Around line 662-670: The parse_mem_mb function only handles binary suffixes
("GiB","MiB","KiB") so it will miss decimal suffixes like "GB","MB","KB" (and
mixed-case); update parse_mem_mb to normalize the input (strip, lower), use a
regex to extract the numeric value and unit, map units {"gib","gb"} -> *1024,
{"mib","mb"} -> *1, {"kib","kb"} -> /1024, and handle bare bytes or values
without units by dividing appropriately; ensure the function returns a float MB
and still returns 0 for unparseable strings while referencing parse_mem_mb in
your change.
- Around line 127-131: The percentile function does not handle empty input and
will raise IndexError; update the percentile(values, p) function to check for an
empty values list up front (e.g., if not values:) and either raise a clear
ValueError like "percentile requires non-empty values" or return a defined
sentinel (None) and document that behavior; ensure callers (e.g., any use with
latencies) handle the chosen sentinel or catch the ValueError.

In `@src/storage/db.rs`:
- Around line 542-588: The file exceeds the size cap because collection-specific
accessors like get_or_create_hash (and similar hash/list/set helpers) live in
this large db.rs; extract those into focused submodules (e.g. storage::hash,
storage::list, storage::set) by moving functions such as get_or_create_hash, any
list/set accessor helpers, and related helper logic (e.g. HashListpack upgrade
code) into a new hash module; keep types Entry, RedisValue, CompactKey, Frame
and used_memory access either by making the helper functions pub(crate) and
accepting a &mut DB/state struct or by exposing the minimal internal API they
need, update imports (use ...) in the new module, re-export the public accessors
from the parent module (pub use hash::get_or_create_hash) so call sites remain
unchanged, and add a mod declaration for the new submodule in the parent file to
compile cleanly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 34160e4a-f2d1-46e1-b159-77e2d42a5a78

📥 Commits

Reviewing files that changed from the base of the PR and between 03512ed and 5c8df60.

📒 Files selected for processing (19)

• Cargo.toml
• scripts/bench-vector-production.sh
• scripts/bench-vector.sh
• scripts/bench-vs-competitors.py
• scripts/profile-vector.sh
• src/shard/coordinator.rs
• src/storage/dashtable/segment.rs
• src/storage/db.rs
• src/vector/distance/avx2.rs
• src/vector/distance/avx512.rs
• src/vector/distance/mod.rs
• src/vector/distance/neon.rs
• src/vector/distance/scalar.rs
• src/vector/metrics.rs
• src/vector/mvcc/manager.rs
• src/vector/persistence/recovery.rs
• src/vector/segment/mutable.rs
• tests/vector_insert_bench.rs
• tests/vector_memory_audit.rs

✅ Files skipped from review due to trivial changes (3)

• src/vector/distance/scalar.rs
• scripts/bench-vector.sh
• src/vector/metrics.rs

🚧 Files skipped from review as they are similar to previous changes (5)

• Cargo.toml
• scripts/profile-vector.sh
• src/vector/distance/avx2.rs
• src/shard/coordinator.rs
• src/vector/mvcc/manager.rs

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Documentation claims output is saved to file, but no file write is implemented.

Line 16 states the report is saved to target/vector-benchmark-report.md, but the script only outputs to stdout. Either remove the claim or implement the file save.

Proposed fix: add tee to capture output

Wrap the entire output generation in a subshell with tee:

 mkdir -p target
+
+# Capture all output to file while also printing to stdout
+exec > >(tee target/vector-benchmark-report.md) 2>&1

Or invoke the script with redirection from the caller.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/bench-vector-production.sh` at line 16, The comment in
scripts/bench-vector-production.sh claims the markdown report is saved to
target/vector-benchmark-report.md but the script only writes to stdout; either
update the comment or modify the script so its entire output is captured to that
file — for example, wrap the report generation in a subshell and pipe to tee
"target/vector-benchmark-report.md" (or set up an exec > >(tee
target/vector-benchmark-report.md)) so the output both prints and is saved;
locate the report-producing section in bench-vector-production.sh and implement
tee-based capture or remove/adjust the misleading comment.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Incorrect cargo test syntax — test filter is in the wrong position.

The test name filter must come after --, not before. Currently test_search_1000_vectors_recall is interpreted as a target/package selector rather than a test name filter.

Proposed fix

-cargo test --lib test_search_1000_vectors_recall $FEATURES -- --nocapture 2>&1 | grep "recall"
+cargo test --lib $FEATURES -- test_search_1000_vectors_recall --nocapture 2>&1 | grep "recall"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	cargo test --lib test_search_1000_vectors_recall $FEATURES -- --nocapture 2>&1 | grep "recall"
	cargo test --lib $FEATURES -- test_search_1000_vectors_recall --nocapture 2>&1 | grep "recall"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/bench-vector-production.sh` at line 167, The cargo test invocation
places the test filter before the `--` so `test_search_1000_vectors_recall` is
treated as a package selector; change the order so the test name is passed as
the test filter after the `--`. Update the command using the same flags (`cargo
test`, `--lib`, `$FEATURES`) but move `test_search_1000_vectors_recall` after
the `--` and ensure `--nocapture` is passed as a test runner arg (i.e., `cargo
test --lib $FEATURES -- test_search_1000_vectors_recall --nocapture 2>&1 | grep
"recall"`).

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Same issue: test filter in wrong position.

Same syntax bug as line 167 — the test name filter should come after --.

Proposed fix

-cargo test --lib test_ft_search_end_to_end $FEATURES -- --nocapture 2>&1 | grep -E "test |ok|FAIL"
+cargo test --lib $FEATURES -- test_ft_search_end_to_end --nocapture 2>&1 | grep -E "test |ok|FAIL"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/bench-vector-production.sh` at line 195, The cargo test invocation
places the test name filter in the wrong position; move the test name argument
"test_ft_search_end_to_end" so it appears after the "--" (i.e. passed as a
test-binary argument alongside "--nocapture") while keeping $FEATURES and the
"--" intact, updating the cargo test command that currently contains
"test_ft_search_end_to_end", "--nocapture", and $FEATURES accordingly.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Ineffective error handling for clippy.

With set -e enabled, if cargo clippy fails, the script exits immediately — the || echo "CLEAN" fallback never executes. Additionally, tail -1 always succeeds (exit 0), so the fallback wouldn't trigger even without set -e.

Proposed fix

-cargo clippy $FEATURES -- -D warnings 2>&1 | tail -1 || echo "CLEAN (0 warnings)"
+if cargo clippy $FEATURES -- -D warnings 2>&1 | tee /dev/stderr | tail -1; then
+    echo "CLEAN (0 warnings)"
+fi

Or simply remove the || echo since clippy's own output is sufficient.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/bench-vector-production.sh` at line 215, The pipeline command "cargo
clippy $FEATURES -- -D warnings 2>&1 | tail -1 || echo 'CLEAN (0 warnings)'" is
ineffective under set -e and because tail always exits 0; either remove the
trailing "|| echo 'CLEAN (0 warnings)'" entirely so clippy's real output/exit
code is preserved, or change the logic to capture clippy output into a variable
(run cargo clippy redirecting stderr to stdout while preventing exit-on-error),
then print the last line of that captured output as the summary; locate the
exact command string in the script and apply one of these two fixes.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Quantization field may be misleading after fallback.

When FT.CREATE fails with QUANTIZATION TQ4 and the fallback succeeds without quantization, the result still reports "quantization": "TQ4". This produces misleading benchmark data.

🔧 Proposed fix to track actual quantization used

+    quantization_used = "TQ4"
     try:
         result = r.execute_command(
             "FT.CREATE", "idx", "ON", "HASH",
             ...
             "QUANTIZATION", "TQ4",
         )
         print(f"  FT.CREATE: {result}")
     except Exception as e:
         print(f"  FT.CREATE error: {e}")
         # Try without QUANTIZATION param
         try:
             result = r.execute_command(
                 "FT.CREATE", "idx", "ON", "HASH",
                 ...
             )
             print(f"  FT.CREATE (no quant): {result}")
+            quantization_used = "none"
         except Exception as e2:
             print(f"  FT.CREATE fallback error: {e2}")
+            quantization_used = "failed"
 ...
     result_data = {
         ...
-        "quantization": "TQ4",
+        "quantization": quantization_used,
     }

Also applies to: 340-341

🧰 Tools

🪛 Ruff (0.15.7)

[warning] 202-202: Do not catch blind exception: Exception

(BLE001)

---

[warning] 214-214: Do not catch blind exception: Exception

(BLE001)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/bench-vs-competitors.py` around lines 202 - 215, The FT.CREATE
fallback branch currently leaves metadata claiming "quantization": "TQ4" even
when the fallback was created without quantization; update the exception
handling around the initial FT.CREATE (the try/except that prints "FT.CREATE
error: {e}" and the nested fallback that prints "FT.CREATE (no quant): {result}"
/ "FT.CREATE fallback error: {e2}") so that after a successful fallback you set
the quantization tracking variable/metadata to a neutral value (e.g., None or
"none") and ensure the reported result/dict used for benchmark output uses that
variable instead of hardcoding "TQ4"; apply the same change to the equivalent
fallback block later in the file (the other FT.CREATE fallback) so both places
correctly reflect when no quantization was used.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Delete replay loses both persisted tombstones and transactional semantics.

point_map is filled only by VectorUpsert, so a delete for a point that exists only in an immutable segment is silently dropped at Lines 199-203. On top of that, the delete is applied immediately and txn_id is ignored, so TxnAbort and the EOF rollback cannot restore uncommitted deletes. Recovery needs a way to resolve deletes against checkpointed points and must defer transactional deletes until commit.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Do not continue after read_immutable_segment fails.

Logging and skipping here turns checksum/format errors into silent partial recovery. Once WAL has been checkpointed past that segment, those vectors are gone permanently, even though RecoveryError::SegmentLoad already exists for surfacing this case. Please fail recovery, or return an explicit partial-recovery state, instead of booting with missing data.

🧯 Minimal fix

         match read_immutable_segment(persist_dir, *seg_id) {
             Ok((segment, meta)) => {
                 let cid = meta.collection_id;
                 info!("Loaded immutable segment {} for collection {}", seg_id, cid);
                 let entry = collections.entry(cid).or_insert_with(|| {
                     RecoveredCollection {
                     mutable: MutableSegment::new(meta.dimension, std::sync::Arc::new(
                     crate::vector::turbo_quant::collection::CollectionMetadata::new(
                         cid, meta.dimension,
                         crate::vector::types::DistanceMetric::L2,
                         crate::vector::turbo_quant::collection::QuantizationConfig::TurboQuant4,
                         cid,
                     ))),
                     immutable: Vec::new(),
                 }
                 });
                 entry.immutable.push((segment, meta));
             }
             Err(e) => {
-                warn!("Failed to load segment {}: {:?}, skipping", seg_id, e);
+                warn!("Failed to load segment {}: {:?}, aborting recovery", seg_id, e);
+                return Err(e.into());
             }
         }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	match read_immutable_segment(persist_dir, *seg_id) {
	Ok((segment, meta)) => {
	let cid = meta.collection_id;
	info!("Loaded immutable segment {} for collection {}", seg_id, cid);
	let entry = collections.entry(cid).or_insert_with(|| {
	RecoveredCollection {
	mutable: MutableSegment::new(meta.dimension, std::sync::Arc::new(
	crate::vector::turbo_quant::collection::CollectionMetadata::new(
	cid, meta.dimension,
	crate::vector::types::DistanceMetric::L2,
	crate::vector::turbo_quant::collection::QuantizationConfig::TurboQuant4,
	cid,
	))),
	immutable: Vec::new(),
	}
	});
	entry.immutable.push((segment, meta));
	}
	Err(e) => {
	warn!("Failed to load segment {}: {:?}, skipping", seg_id, e);
	}
	match read_immutable_segment(persist_dir, *seg_id) {
	Ok((segment, meta)) => {
	let cid = meta.collection_id;
	info!("Loaded immutable segment {} for collection {}", seg_id, cid);
	let entry = collections.entry(cid).or_insert_with(|| {
	RecoveredCollection {
	mutable: MutableSegment::new(meta.dimension, std::sync::Arc::new(
	crate::vector::turbo_quant::collection::CollectionMetadata::new(
	cid, meta.dimension,
	crate::vector::types::DistanceMetric::L2,
	crate::vector::turbo_quant::collection::QuantizationConfig::TurboQuant4,
	cid,
	))),
	immutable: Vec::new(),
	}
	});
	entry.immutable.push((segment, meta));
	}
	Err(e) => {
	warn!("Failed to load segment {}: {:?}, aborting recovery", seg_id, e);
	return Err(e.into());
	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/persistence/recovery.rs` around lines 273 - 293, The match in
recovery.rs that calls read_immutable_segment should not log-and-skip on Err;
instead propagate a failure (or return an explicit partial-recovery result) so
recovery does not silently continue with missing data. Replace the
warn-and-continue branch for read_immutable_segment in the recovery flow (where
you build entries with RecoveredCollection and MutableSegment::new and push to
entry.immutable) so it returns Err(RecoveryError::SegmentLoad(...)) or an
appropriate PartialRecovery result, surfacing the underlying error `e` rather
than skipping the segment.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Exact-mode mutable search is scoring against zeroed QJL metadata.

Lines 214-216 and 301-303 switch to score_l2_prod() whenever query_state is present, but Lines 155-166 and 404-414 only reserve qjl_signs/residual_norms and leave them zeroed until freeze(). src/vector/segment/holder.rs does pass Some(query_state) on normal MVCC searches, so fresh Exact-mode inserts can be misranked until compaction. Either compute that metadata during append or keep mutable search on tq_l2_adc_scaled until freeze() materializes it.

Also applies to: 214-216, 246-265, 301-303, 342-361, 404-414

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/segment/mutable.rs` around lines 155 - 166, The mutable append
currently reserves qjl_signs/residual_norms/raw_f32 but leaves them zeroed for
BuildMode::Exact, causing live searches with Some(query_state) to use
score_l2_prod() against uninitialized QJL data; fix by computing and writing the
real QJL metadata at append time (use the same quantization routine used in
freeze() to fill inner.qjl_signs, push the correct inner.residual_norms value,
and extend inner.raw_f32 properly) when collection.build_mode ==
BuildMode::Exact and query_state may be present, so score_l2_prod() sees correct
data, or alternatively change the mutable search path to continue using
tq_l2_adc_scaled until freeze() materializes QJL — adjust code around
inner.qjl_signs, inner.residual_norms, raw_f32 handling in the append logic to
match freeze()’s metadata generation and ensure query_state-dependent branches
behave consistently.

[coderabbitai]

🛠️ Refactor suggestion | 🟠 Major

Please remove unwrap() from the library path.

The guard makes this safe today, but the repo rule is still to pattern-match instead of unwrap() in non-test code.

♻️ Suggested change

-                let qs = query_state.unwrap();
+                let Some(qs) = query_state else {
+                    unreachable!("query_state is required when TQ-ADC is disabled");
+                };

Apply the same change in both search helpers.

As per coding guidelines: src/**/*.rs: No unwrap() or expect() in library code outside tests; use pattern matching or if let

Also applies to: 345-345

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/segment/mutable.rs` at line 249, Replace the direct unwrap() on
query_state with explicit pattern matching: bind the inner value using if let
Some(qs) = query_state (or a match) and handle the None case by
returning/propagating an error or early-exiting as the surrounding code expects;
do this for the occurrence where query_state is unwrapped (let qs =
query_state.unwrap()) and the second occurrence in the other search helper so
both search helpers in mutable.rs use pattern matching instead of unwrap().

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Drop or use the dead Exact-mode setup in these tests.

CI is already warning on q_rot, codebook, and the first qs, and Line 704 still calls brute_force_search(..., None, ...), so that setup is dead code today.

Also applies to: 779-780

🧰 Tools

🪛 GitHub Actions: CI

[warning] 701-701: Unused variable: q_rot.

---

[warning] 702-702: Unused variable: codebook.

---

[warning] 703-703: Unused variable: qs.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/segment/mutable.rs` around lines 701 - 704, The test currently
creates q_rot via rotate_query, codebook via col.codebook_16(), and qs via
make_query_state but then calls seg.brute_force_search(&vectors[0], None, 3),
leaving those variables dead; either remove the unused q_rot/codebook/qs
declarations or wire them into the search call by passing the constructed query
state (use qs or the appropriate Some(QueryState) argument) so rotate_query,
codebook_16, and make_query_state are actually used; apply the same fix to the
other occurrence around brute_force_search at the later block (the 779-780 spot)
to eliminate the warnings.

[coderabbitai]

Actionable comments posted: 9

🧹 Nitpick comments (7)

scripts/bench-vector-vs-competitors.sh (3)

27-30: Unused variables and missing Moon server benchmark.

MOON_PORT is defined but never used, suggesting the Moon server-mode benchmark was planned but not implemented. The script only runs Criterion in-process benchmarks for Moon, while Redis and Qdrant are tested via their actual server protocols.

Consider either:

1. Implementing the Moon server-mode benchmark using MOON_PORT for an apples-to-apples comparison
2. Removing MOON_PORT if server-mode benchmarking is out of scope

Also, BYTES_PER_VEC (line 95) and QDRANT_CONTAINER_ID (line 353) are unused and can be removed.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/bench-vector-vs-competitors.sh` around lines 27 - 30, The script
defines MOON_PORT but never uses it and also has unused variables BYTES_PER_VEC
and QDRANT_CONTAINER_ID; either implement a Moon server-mode benchmark that
binds to MOON_PORT and exercises Moon over its network API (to mirror how Redis
and Qdrant are tested) by adding a server-launch + client-driven Criterion
benchmark that targets MOON_PORT (update the benchmark runner code that
currently calls the in-process Moon Criterion tests), or if server-mode
benchmarking is out of scope remove MOON_PORT, BYTES_PER_VEC, and
QDRANT_CONTAINER_ID from the script to eliminate dead configuration; locate the
unused symbols MOON_PORT, BYTES_PER_VEC, and QDRANT_CONTAINER_ID in the file and
apply one of these two fixes.

---

98-105: Identical branches in platform check.

The Darwin and Linux branches execute the same command. If both platforms behave identically, the conditional is unnecessary. If they should differ (e.g., using /proc/$pid/status on Linux for more precise measurement), update accordingly.

♻️ Simplified version if behavior is identical

 get_rss_mb() {
     local pid=$1
-    if [[ "$(uname)" == "Darwin" ]]; then
-        ps -o rss= -p "$pid" 2>/dev/null | awk '{printf "%.1f", $1/1024}'
-    else
-        ps -o rss= -p "$pid" 2>/dev/null | awk '{printf "%.1f", $1/1024}'
-    fi
+    ps -o rss= -p "$pid" 2>/dev/null | awk '{printf "%.1f", $1/1024}'
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/bench-vector-vs-competitors.sh` around lines 98 - 105, The get_rss_mb
function contains identical Darwin and non-Darwin branches; remove the
unnecessary platform conditional and collapse to a single implementation (keep
the existing ps ... | awk approach if that is acceptable for both platforms) or,
if you intended different behavior, implement the Linux-specific path using
/proc/$pid/status (read VmRSS and convert to MB) while keeping the ps-based
command for Darwin; update the function get_rss_mb accordingly and ensure the
output formatting (printf "%.1f", value/1024) remains consistent.

---

500-513: Summary table is incomplete — only shows headers.

The summary table prints column headers but doesn't populate the actual measured values from the benchmark runs. The metrics from Redis/Qdrant/Moon are printed earlier but not captured into variables for the summary table.

Consider capturing metrics throughout and printing a complete comparison:

echo "| Insert (vec/s) | $REDIS_INSERT_VPS | $QDRANT_INSERT_VPS | (see Criterion) |"
echo "| Memory | ${REDIS_RSS_AFTER}MB | ${QDRANT_RSS_AFTER} | ${MOON_MEM_EST}MB |"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/bench-vector-vs-competitors.sh` around lines 500 - 513, The summary
table prints headers but never fills in measured values; capture the benchmark
outputs into named variables during the Redis/Qdrant/Moon runs (e.g.,
REDIS_INSERT_VPS, QDRANT_INSERT_VPS, MOON_INSERT_VPS, REDIS_RSS_AFTER,
QDRANT_RSS_AFTER, MOON_MEM_EST, REDIS_LATENCY_MS, QDRANT_LATENCY_MS,
MOON_LATENCY_MS) and then echo table rows after the existing header block using
those variables (for example add lines for "Insert (vec/s)", "Memory", and
"Latency" referencing NUM_VECTORS, DIM, K where helpful); ensure the code paths
that measure each system assign the corresponding variable names so the summary
prints a complete comparison rather than just headers.

src/vector/persistence/wal_record.rs (2)

15-40: Consider implementing std::error::Error via thiserror.

The enum implements Display but not std::error::Error, limiting composability with error-handling libraries. Using thiserror would add the trait with minimal boilerplate.

♻️ Suggested refactor using thiserror

+use thiserror::Error;
+
 /// Error type for WAL record serialization/deserialization.
-#[derive(Debug)]
+#[derive(Debug, Error)]
 pub enum WalRecordError {
+    #[error("WAL record truncated")]
     Truncated,
+    #[error("invalid WAL record tag: 0x{0:02x}")]
     InvalidTag(u8),
+    #[error("invalid WAL record type: {0}")]
     InvalidRecordType(u8),
+    #[error("CRC mismatch: expected 0x{expected:08x}, got 0x{actual:08x}")]
     CrcMismatch { expected: u32, actual: u32 },
+    #[error("deserialize failed: {0}")]
     DeserializeFailed(String),
 }
-
-impl std::fmt::Display for WalRecordError {
-    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        match self {
-            Self::Truncated => write!(f, "WAL record truncated"),
-            Self::InvalidTag(t) => write!(f, "invalid WAL record tag: 0x{t:02x}"),
-            Self::InvalidRecordType(t) => write!(f, "invalid WAL record type: {t}"),
-            Self::CrcMismatch { expected, actual } => {
-                write!(
-                    f,
-                    "CRC mismatch: expected 0x{expected:08x}, got 0x{actual:08x}"
-                )
-            }
-            Self::DeserializeFailed(msg) => write!(f, "deserialize failed: {msg}"),
-        }
-    }
-}

As per coding guidelines: "library code uses thiserror or Frame::Error".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/persistence/wal_record.rs` around lines 15 - 40, The
WalRecordError enum currently implements Display but not std::error::Error;
replace the manual Display impl by deriving Error via thiserror: add
#[derive(thiserror::Error, Debug)] to WalRecordError, annotate each variant with
#[error("...")] messages matching the current Display outputs (use formatted
fields like {0} or named fields), remove the impl std::fmt::Display block, and
ensure the crate has thiserror in Cargo.toml so WalRecordError implements
std::error::Error and composes with other error handling.

---

338-449: Consider adding edge-case tests for empty vectors.

The roundtrip tests use non-empty vectors, but empty sq_vector, tq_code, and f32_vector are valid states. Testing these ensures the length-prefixed serialization handles zero-length payloads correctly.

🧪 Suggested test addition

#[test]
fn test_upsert_empty_vectors_roundtrip() {
    let record = VectorWalRecord::VectorUpsert {
        txn_id: 1,
        collection_id: 2,
        point_id: 3,
        sq_vector: vec![],
        tq_code: vec![],
        norm: 0.0,
        f32_vector: vec![],
    };
    let frame = record.to_wal_frame();
    let (decoded, consumed) = VectorWalRecord::from_wal_frame(&frame).unwrap();
    assert_eq!(consumed, frame.len());
    assert_eq!(decoded, record);
}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/persistence/wal_record.rs` around lines 338 - 449, Add a unit test
named test_upsert_empty_vectors_roundtrip that constructs a
VectorWalRecord::VectorUpsert with empty sq_vector, empty tq_code, empty
f32_vector (e.g., norm 0.0), serializes it with to_wal_frame(), deserializes
with VectorWalRecord::from_wal_frame(&frame), and asserts consumed ==
frame.len() and decoded == record to ensure zero-length payloads roundtrip
correctly.

src/server/conn/handler_single.rs (2)

1113-1137: Also unreachable — same rationale as the read-run FT. block.*

FT.* commands are intercepted in Phase 1 before reaching dispatchable, making this write-run handling dead code.

🧹 Suggested removal

                                let (d_cmd, d_args) = extract_command(disp_frame).unwrap();
-
-                                // FT.* vector commands: dispatch to VectorStore directly
-                                if d_cmd.len() > 3 && d_cmd[..3].eq_ignore_ascii_case(b"FT.") {
-                                    if let Some(ref vs) = vector_store {
-                                        let mut store = vs.lock();
-                                        let response = if d_cmd.eq_ignore_ascii_case(b"FT.CREATE") {
-                                            crate::command::vector_search::ft_create(&mut *store, d_args)
-                                        } else if d_cmd.eq_ignore_ascii_case(b"FT.SEARCH") {
-                                            crate::command::vector_search::ft_search(&mut *store, d_args)
-                                        } else if d_cmd.eq_ignore_ascii_case(b"FT.DROPINDEX") {
-                                            crate::command::vector_search::ft_dropindex(&mut *store, d_args)
-                                        } else if d_cmd.eq_ignore_ascii_case(b"FT.INFO") {
-                                            crate::command::vector_search::ft_info(&*store, d_args)
-                                        } else if d_cmd.eq_ignore_ascii_case(b"FT.COMPACT") {
-                                            crate::command::vector_search::ft_compact(&mut *store, d_args)
-                                        } else {
-                                            Frame::Error(bytes::Bytes::from_static(b"ERR unknown FT.* command"))
-                                        };
-                                        responses[resp_idx] = response;
-                                        continue;
-                                    } else {
-                                        responses[resp_idx] = Frame::Error(bytes::Bytes::from_static(b"ERR vector search not initialized"));
-                                        continue;
-                                    }
-                                }
-
-                                // HSET auto-indexing: after dispatch, check for vector index match
-                                let is_hset = d_cmd.eq_ignore_ascii_case(b"HSET");
+                                let is_hset = d_cmd.eq_ignore_ascii_case(b"HSET");

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/server/conn/handler_single.rs` around lines 1113 - 1137, The FT.*
write-run branch is dead code because FT.* commands are already intercepted in
Phase 1 (before dispatchable); remove the entire conditional that checks
d_cmd.len() > 3 && d_cmd[..3].eq_ignore_ascii_case(b"FT.") along with its inner
handling (the branch that locks vector_store, calls
crate::command::vector_search::{ft_create, ft_search, ft_dropindex, ft_info,
ft_compact}, and the error responses assigned to responses[resp_idx]); keep any
surrounding logic intact so dispatchable handling remains unchanged and ensure
no other code expects responses[resp_idx] to be set here.

---

1052-1069: Unreachable code — FT. commands are already handled in Phase 1.*

Phase 1 (lines 958-982) intercepts all FT.* commands with continue, so they never get added to dispatchable. This Phase 2 read-run FT.* handling is dead code.

Consider removing this block to avoid confusion and reduce maintenance burden.

🧹 Suggested removal

                                let (d_cmd, d_args) = extract_command(disp_frame).unwrap();
-
-                                // FT.* read commands (FT.SEARCH, FT.INFO)
-                                if d_cmd.len() > 3 && d_cmd[..3].eq_ignore_ascii_case(b"FT.") {
-                                    if let Some(ref vs) = vector_store {
-                                        let mut store = vs.lock();
-                                        let response = if d_cmd.eq_ignore_ascii_case(b"FT.SEARCH") {
-                                            crate::command::vector_search::ft_search(&mut *store, d_args)
-                                        } else if d_cmd.eq_ignore_ascii_case(b"FT.INFO") {
-                                            crate::command::vector_search::ft_info(&*store, d_args)
-                                        } else if d_cmd.eq_ignore_ascii_case(b"FT.COMPACT") {
-                                            crate::command::vector_search::ft_compact(&mut *store, d_args)
-                                        } else {
-                                            Frame::Error(bytes::Bytes::from_static(b"ERR unknown FT.* command"))
-                                        };
-                                        responses[resp_idx] = response;
-                                        continue;
-                                    }
-                                }
-
                                let result = dispatch_read(&*guard, d_cmd, d_args, now_ms, &mut selected_db, db_count);

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/server/conn/handler_single.rs` around lines 1052 - 1069, The FT.*
handling block inside the read-run phase (matching d_cmd starting with "FT." and
using vector_store, store lock, and responses[resp_idx]) is unreachable because
FT.* commands are already intercepted and continued in Phase 1; remove this
entire conditional block (the branch that checks
d_cmd[..3].eq_ignore_ascii_case(b"FT.") and its inner
FT.SEARCH/FT.INFO/FT.COMPACT handling) to eliminate dead code and avoid
duplicated logic, ensuring no other references to resp_idx or temporary store
variables remain orphaned.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@scripts/bench-vector-vs-competitors.sh`:
- Around line 439-483: The Python block in
scripts/bench-vector-vs-competitors.sh that computes Moon metrics (variables
build_per_10k, search_ef128_us, build_time, search_latency_us, memory_mb)
produces synthetic values but prints them as if measured; update the print
statements so the outputs are clearly labeled as estimates (e.g., prefix
messages like "Moon (estimated from Criterion baseline): Moon build:", "Moon
(estimated from Criterion baseline): Moon search (ef=128):", and "Moon
(estimated): recall@10=1.0000 (from Criterion)") and include a short note in the
same prints that values are extrapolated from hardcoded Criterion baselines;
alternatively, if you prefer real measurements, replace the extrapolation logic
with a call to run Moon server/bench (or parse cargo bench output) and use
actual measured numbers instead of the hardcoded build_per_10k/search_ef128_us
variables.
- Around line 488-494: The Criterion filter patterns in the else branch are
missing their benchmark group prefixes: inside the if [ "$DIM" -le 128 ] / else
block update the two filter arguments currently set to "search_768d/" and
"ef_768d/128" so they match the actual group names used by Criterion — replace
"search_768d/" with "hnsw_search_768d/search_768d/" and replace "ef_768d/128"
with "hnsw_search_ef_768d/ef_768d/128" for the cargo bench invocations that use
RUSTFLAGS and cargo bench --bench hnsw_bench --no-default-features --features
runtime-tokio,jemalloc -- "..." --quick.

In `@src/vector/persistence/segment_io.rs`:
- Around line 137-189: The writer currently calls segment_dir(dir, segment_id)
and create_dir_all() then writes files directly, which can leave a
partially-populated segment-{id} on crash; change to write everything into a
temporary staging directory (e.g., segment_dir(dir,
segment_id).with_extension("tmp") or a TempDir) and perform all writes there
(including hnsw_graph.bin, tq_codes.bin, mvcc_headers.bin generation, and
segment_meta.json using the same SegmentMeta building logic). After each file
write, flush the file (File::sync_all) and after all files are durable,
atomically rename the staging dir to the final segment directory (fs::rename),
optionally syncing the parent directory as well; ensure read_immutable_segment()
continues to read only the final segment-{id} so partially-written staging dirs
are ignored.
- Around line 150-152: Persistence currently omits the per-vector reranking
sidecars (qjl_signs_bfs, residual_norms_bfs, sub_signs_bfs) when writing and
reading segments, causing recovered segments to lose reranking data; update the
serialization code in segment_io.rs to write those buffers alongside existing
sidecars (add them to the write/serialize routine that handles sidecar files),
and update the deserialization/readback routine to reconstruct the
ImmutableSegment with those buffers (restore qjl_signs_bfs, residual_norms_bfs,
sub_signs_bfs into the segment struct instead of leaving empty buffers), and
add/adjust unit tests to verify roundtrip persistence of these sidecars so
restart recovery preserves Exact/Light reranking equivalence.

In `@src/vector/segment/compaction.rs`:
- Around line 206-341: The compaction flow never calls verify_recall(), so
low-recall graphs get published; after the graph is constructed but before
creating the ImmutableSegment or writing to disk, call verify_recall(...) with
the built graph and the BFS-ordered buffers (e.g., tq_bfs, qjl_signs_bfs,
residual_norms_bfs or whatever verify_recall expects) and check its result; if
it reports recall below the configured threshold return
Err(CompactionError::RecallTooLow(...)) and abort creating/persisting the
ImmutableSegment (the ImmutableSegment::new and
segment_io::write_immutable_segment calls must only run after verify_recall
succeeds). Ensure you reference the existing verify_recall function and
CompactionError::RecallTooLow symbol so the check is enforced in compact() prior
to segment creation/persistence.
- Around line 74-87: The current compaction loop is incorrectly dropping
tombstones by filtering out entries with delete_lsn != 0; modify the logic in
compact() so that the loop over frozen.entries (the live_entries collection)
does NOT skip entries where delete_lsn != 0 and instead includes them so
MvccHeader construction retains tombstones; ensure downstream logic that builds
MvccHeader and writes the immutable segment can handle entries with delete_lsn
set and let the vacuum process later reclaim them when safe.
- Around line 221-233: The QJL/residual sidecars are currently indexed by the
compacted position via orig_id, causing payloads to shift; replace use of
orig_id for sidecar lookups with the vector's persistent internal id (use
entry.internal_id as usize) so src_qjl and residual lookups use that internal_id
(compute src_qjl = internal_id * qjl_bpv and index
frozen.qjl_signs/frozen.residual_norms by internal_id) while keeping dst indices
based on bfs_pos; ensure bounds checks still compare src spans against
frozen.qjl_signs.len() and internal_id vs frozen.residual_norms.len().
- Around line 161-188: compact() currently ignores collection.metric and always
uses L2 (dist_table.l2_f32 / dist_table.tq_l2) and verify_recall() uses L2
ground truth; update the code to either (A) enforce metric==L2 earlier (validate
in collection creation and return an error when non-L2 metrics attempt
compaction) or (B) make compaction metric-aware: read collection.metric inside
compact() and select the appropriate distance functions from
crate::vector::distance::table() (e.g., choose the matching pairwise and TQ
functions instead of l2_f32/tq_l2), and update verify_recall() to use the same
metric-specific ground-truth comparator; adjust calls around HnswBuilder::insert
and the TQ decoding branch to use the selected distance function so the HNSW
graph and recall check match collection.metric.

---

Nitpick comments:
In `@scripts/bench-vector-vs-competitors.sh`:
- Around line 27-30: The script defines MOON_PORT but never uses it and also has
unused variables BYTES_PER_VEC and QDRANT_CONTAINER_ID; either implement a Moon
server-mode benchmark that binds to MOON_PORT and exercises Moon over its
network API (to mirror how Redis and Qdrant are tested) by adding a
server-launch + client-driven Criterion benchmark that targets MOON_PORT (update
the benchmark runner code that currently calls the in-process Moon Criterion
tests), or if server-mode benchmarking is out of scope remove MOON_PORT,
BYTES_PER_VEC, and QDRANT_CONTAINER_ID from the script to eliminate dead
configuration; locate the unused symbols MOON_PORT, BYTES_PER_VEC, and
QDRANT_CONTAINER_ID in the file and apply one of these two fixes.
- Around line 98-105: The get_rss_mb function contains identical Darwin and
non-Darwin branches; remove the unnecessary platform conditional and collapse to
a single implementation (keep the existing ps ... | awk approach if that is
acceptable for both platforms) or, if you intended different behavior, implement
the Linux-specific path using /proc/$pid/status (read VmRSS and convert to MB)
while keeping the ps-based command for Darwin; update the function get_rss_mb
accordingly and ensure the output formatting (printf "%.1f", value/1024) remains
consistent.
- Around line 500-513: The summary table prints headers but never fills in
measured values; capture the benchmark outputs into named variables during the
Redis/Qdrant/Moon runs (e.g., REDIS_INSERT_VPS, QDRANT_INSERT_VPS,
MOON_INSERT_VPS, REDIS_RSS_AFTER, QDRANT_RSS_AFTER, MOON_MEM_EST,
REDIS_LATENCY_MS, QDRANT_LATENCY_MS, MOON_LATENCY_MS) and then echo table rows
after the existing header block using those variables (for example add lines for
"Insert (vec/s)", "Memory", and "Latency" referencing NUM_VECTORS, DIM, K where
helpful); ensure the code paths that measure each system assign the
corresponding variable names so the summary prints a complete comparison rather
than just headers.

In `@src/server/conn/handler_single.rs`:
- Around line 1113-1137: The FT.* write-run branch is dead code because FT.*
commands are already intercepted in Phase 1 (before dispatchable); remove the
entire conditional that checks d_cmd.len() > 3 &&
d_cmd[..3].eq_ignore_ascii_case(b"FT.") along with its inner handling (the
branch that locks vector_store, calls crate::command::vector_search::{ft_create,
ft_search, ft_dropindex, ft_info, ft_compact}, and the error responses assigned
to responses[resp_idx]); keep any surrounding logic intact so dispatchable
handling remains unchanged and ensure no other code expects responses[resp_idx]
to be set here.
- Around line 1052-1069: The FT.* handling block inside the read-run phase
(matching d_cmd starting with "FT." and using vector_store, store lock, and
responses[resp_idx]) is unreachable because FT.* commands are already
intercepted and continued in Phase 1; remove this entire conditional block (the
branch that checks d_cmd[..3].eq_ignore_ascii_case(b"FT.") and its inner
FT.SEARCH/FT.INFO/FT.COMPACT handling) to eliminate dead code and avoid
duplicated logic, ensuring no other references to resp_idx or temporary store
variables remain orphaned.

In `@src/vector/persistence/wal_record.rs`:
- Around line 15-40: The WalRecordError enum currently implements Display but
not std::error::Error; replace the manual Display impl by deriving Error via
thiserror: add #[derive(thiserror::Error, Debug)] to WalRecordError, annotate
each variant with #[error("...")] messages matching the current Display outputs
(use formatted fields like {0} or named fields), remove the impl
std::fmt::Display block, and ensure the crate has thiserror in Cargo.toml so
WalRecordError implements std::error::Error and composes with other error
handling.
- Around line 338-449: Add a unit test named test_upsert_empty_vectors_roundtrip
that constructs a VectorWalRecord::VectorUpsert with empty sq_vector, empty
tq_code, empty f32_vector (e.g., norm 0.0), serializes it with to_wal_frame(),
deserializes with VectorWalRecord::from_wal_frame(&frame), and asserts consumed
== frame.len() and decoded == record to ensure zero-length payloads roundtrip
correctly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d2e85c47-4961-4fa3-a008-2198f99d76c2

📥 Commits

Reviewing files that changed from the base of the PR and between 5c8df60 and 5afe4f7.

📒 Files selected for processing (9)

• scripts/bench-server-mode.sh
• scripts/bench-vector-vs-competitors.sh
• src/server/conn/handler_single.rs
• src/shard/coordinator.rs
• src/vector/aligned_buffer.rs
• src/vector/persistence/segment_io.rs
• src/vector/persistence/wal_record.rs
• src/vector/segment/compaction.rs
• src/vector/turbo_quant/collection.rs

🚧 Files skipped from review as they are similar to previous changes (2)

• scripts/bench-server-mode.sh
• src/vector/aligned_buffer.rs

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Synthetic Moon metrics are misleading.

This section prints extrapolated/synthetic numbers based on hardcoded Criterion values (lines 455-461), not actual measurements on the current system. The output format (Moon build: ..., Moon search: ...) makes these appear as if they were measured alongside Redis/Qdrant, but they're actually estimates.

Issues:

1. Hardcoded baselines (e.g., build_per_10k = 2.78) won't match different hardware
2. The recall@10: 1.0000 is hardcoded and suspiciously perfect
3. Summary table will compare real Redis/Qdrant measurements against these synthetic Moon estimates

Consider either:

• Clearly label output as "Moon (estimated from Criterion baseline)"
• Actually run Moon in server mode and measure identically to competitors
• Parse actual Criterion output from the cargo bench calls that follow (lines 488-494)

🛠️ Minimal fix: clarify output is estimated

-print(f'Moon build: {build_time:.2f}s ({insert_vps:.0f} vec/s)')
-print(f'Moon search (ef=128): p50={search_ms:.2f}ms QPS(1-core)={qps_single:.0f}')
-print(f'Moon memory (hot tier): {memory_mb:.1f} MB ({813} bytes/vec)')
-print(f'Moon recall@10: 1.0000 (measured at 1K/128d/ef=128)')
+print(f'Moon build (ESTIMATED): {build_time:.2f}s ({insert_vps:.0f} vec/s)')
+print(f'Moon search (ESTIMATED, ef=128): p50={search_ms:.2f}ms QPS(1-core)={qps_single:.0f}')
+print(f'Moon memory (ESTIMATED): {memory_mb:.1f} MB ({813} bytes/vec)')
+print(f'Moon recall@10: ~0.92-1.00 (varies by dataset; see Criterion)')

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/bench-vector-vs-competitors.sh` around lines 439 - 483, The Python
block in scripts/bench-vector-vs-competitors.sh that computes Moon metrics
(variables build_per_10k, search_ef128_us, build_time, search_latency_us,
memory_mb) produces synthetic values but prints them as if measured; update the
print statements so the outputs are clearly labeled as estimates (e.g., prefix
messages like "Moon (estimated from Criterion baseline): Moon build:", "Moon
(estimated from Criterion baseline): Moon search (ef=128):", and "Moon
(estimated): recall@10=1.0000 (from Criterion)") and include a short note in the
same prints that values are extrapolated from hardcoded Criterion baselines;
alternatively, if you prefer real measurements, replace the extrapolation logic
with a call to run Moon server/bench (or parse cargo bench output) and use
actual measured numbers instead of the hardcoded build_per_10k/search_ef128_us
variables.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify Criterion benchmark group names and filter patterns

echo "=== Checking benchmark group names ==="
rg -n "benchmark_group\(" benches/hnsw_bench.rs -A 1

echo ""
echo "=== Checking BenchmarkId patterns ==="
rg -n "BenchmarkId::new" benches/hnsw_bench.rs

echo ""
echo "=== Looking for bench_hnsw_search_ef function ==="
ast-grep --pattern 'fn bench_hnsw_search_ef($_) { $$$ }'

Repository: pilotspace/moon

Length of output: 3005

---

Fix incorrect Criterion filter patterns on lines 492–493.

The filter strings on these lines do not match the benchmark group structure:

• Line 492: "search_768d/" should be "hnsw_search_768d/search_768d/" (missing group prefix hnsw_search_768d)
• Line 493: "ef_768d/128" should be "hnsw_search_ef_768d/ef_768d/128" (missing group prefix hnsw_search_ef_768d)

Lines 489–490 are correct.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/bench-vector-vs-competitors.sh` around lines 488 - 494, The Criterion
filter patterns in the else branch are missing their benchmark group prefixes:
inside the if [ "$DIM" -le 128 ] / else block update the two filter arguments
currently set to "search_768d/" and "ef_768d/128" so they match the actual group
names used by Criterion — replace "search_768d/" with
"hnsw_search_768d/search_768d/" and replace "ef_768d/128" with
"hnsw_search_ef_768d/ef_768d/128" for the cargo bench invocations that use
RUSTFLAGS and cargo bench --bench hnsw_bench --no-default-features --features
runtime-tokio,jemalloc -- "..." --quick.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Silent failures in auto-indexing won't surface to the client.

Per the context snippet, auto_index_hset_public returns void and silently no-ops when no matching index is found. If the auto-indexing logic encounters an error (e.g., dimension mismatch, corrupted vector data), the HSET succeeds but the vector index becomes stale without any client notification.

Consider logging auto-indexing failures or returning an error frame when indexing fails after a successful HSET, so clients can detect the inconsistency.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Publish the segment directory atomically.

create_dir_all() makes segment-{id} visible before the file set is complete. A crash between any of these writes leaves a partially populated directory that read_immutable_segment() will later treat as corrupt/missing-file. Stage the files under a temp dir and rename only after the full set is durable.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/persistence/segment_io.rs` around lines 137 - 189, The writer
currently calls segment_dir(dir, segment_id) and create_dir_all() then writes
files directly, which can leave a partially-populated segment-{id} on crash;
change to write everything into a temporary staging directory (e.g.,
segment_dir(dir, segment_id).with_extension("tmp") or a TempDir) and perform all
writes there (including hnsw_graph.bin, tq_codes.bin, mvcc_headers.bin
generation, and segment_meta.json using the same SegmentMeta building logic).
After each file write, flush the file (File::sync_all) and after all files are
durable, atomically rename the staging dir to the final segment directory
(fs::rename), optionally syncing the parent directory as well; ensure
read_immutable_segment() continues to read only the final segment-{id} so
partially-written staging dirs are ignored.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Recovery currently drops the reranking sidecars.

Freshly compacted segments carry qjl_signs_bfs, residual_norms_bfs, and sub_signs_bfs, but persistence skips them and readback reconstructs the segment with empty buffers. After restart, Exact/Light reranking no longer has the per-vector data it was built with, so recovered segments are not equivalent to the ones written to disk. The current roundtrip test won't catch this because the fixture already uses zeroed/empty sidecars.

Also applies to: 393-400

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/persistence/segment_io.rs` around lines 150 - 152, Persistence
currently omits the per-vector reranking sidecars (qjl_signs_bfs,
residual_norms_bfs, sub_signs_bfs) when writing and reading segments, causing
recovered segments to lose reranking data; update the serialization code in
segment_io.rs to write those buffers alongside existing sidecars (add them to
the write/serialize routine that handles sidecar files), and update the
deserialization/readback routine to reconstruct the ImmutableSegment with those
buffers (restore qjl_signs_bfs, residual_norms_bfs, sub_signs_bfs into the
segment struct instead of leaving empty buffers), and add/adjust unit tests to
verify roundtrip persistence of these sidecars so restart recovery preserves
Exact/Light reranking equivalence.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Don't vacuum tombstones during mutable→immutable compaction.

This physically drops every delete_lsn != 0 row before MvccHeaders are built, so snapshots older than the delete lose the only version they can still see. compact() has no safe-GC horizon input, so it cannot prove these tombstones are reclaimable yet; keep them in the immutable segment and let vacuum remove them once the visibility horizon advances.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/segment/compaction.rs` around lines 74 - 87, The current
compaction loop is incorrectly dropping tombstones by filtering out entries with
delete_lsn != 0; modify the logic in compact() so that the loop over
frozen.entries (the live_entries collection) does NOT skip entries where
delete_lsn != 0 and instead includes them so MvccHeader construction retains
tombstones; ensure downstream logic that builds MvccHeader and writes the
immutable segment can handle entries with delete_lsn set and let the vacuum
process later reclaim them when safe.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's understand the structure of the compaction.rs file
wc -l src/vector/segment/compaction.rs

Repository: pilotspace/moon

Length of output: 95

---

🏁 Script executed:

# Read the context around lines 161-188 to understand the HNSW builder usage
sed -n '140,200p' src/vector/segment/compaction.rs | cat -n

Repository: pilotspace/moon

Length of output: 2911

---

🏁 Script executed:

# Also read around lines 367-398
sed -n '345,415p' src/vector/segment/compaction.rs | cat -n

Repository: pilotspace/moon

Length of output: 3246

---

🏁 Script executed:

# Search for where compaction is called and how metrics might be handled
rg -n "fn compact" src/vector/segment/compaction.rs | head -20

Repository: pilotspace/moon

Length of output: 77

---

🏁 Script executed:

# Check if there's metric conversion before compaction
rg -n "metric\|Cosine\|InnerProduct" src/vector/segment/compaction.rs

Repository: pilotspace/moon

Length of output: 41

---

🏁 Script executed:

# Read the compact function definition starting at line 63
sed -n '63,150p' src/vector/segment/compaction.rs | cat -n

Repository: pilotspace/moon

Length of output: 4101

---

🏁 Script executed:

# Search for where compact() is called
rg -n "\.compact\(|compact(" src/vector/segment/ -A 2 -B 2

Repository: pilotspace/moon

Length of output: 149

---

🏁 Script executed:

# Check if CollectionMetadata has a metric field
rg -n "struct CollectionMetadata\|pub metric:" src/ -A 15

Repository: pilotspace/moon

Length of output: 41

---

🏁 Script executed:

# Look for any metric conversion or normalization before compaction
rg -n "metric\|Cosine\|InnerProduct\|normalize" src/vector/segment/ | grep -v test | head -30

Repository: pilotspace/moon

Length of output: 41

---

🏁 Script executed:

# Fix the regex and search for where compact is called
rg -n "compact\(" src/vector/segment/ -B 2 -A 2

Repository: pilotspace/moon

Length of output: 4920

---

🏁 Script executed:

# Look at CollectionMetadata structure
rg -n "pub struct CollectionMetadata" src/ -A 20

Repository: pilotspace/moon

Length of output: 1585

---

🏁 Script executed:

# Search for metric-related normalization or conversion in vector module
rg -n "pub.*metric\|fn.*normalize\|fn.*metric" src/vector/ | head -30

Repository: pilotspace/moon

Length of output: 41

---

🏁 Script executed:

# Look for where vectors are inserted and if metric is handled
rg -n "fn insert\|metric" src/vector/segment/mutable.rs | head -30

Repository: pilotspace/moon

Length of output: 41

---

🏁 Script executed:

# Find DistanceMetric enum definition
rg -n "pub enum DistanceMetric|enum DistanceMetric" src/ -A 10

Repository: pilotspace/moon

Length of output: 647

---

🏁 Script executed:

# Search for where vectors might be normalized based on metric
rg -n "normalize\|Cosine\|InnerProduct" src/vector/ -B 2 -A 2 | head -80

Repository: pilotspace/moon

Length of output: 41

---

🏁 Script executed:

# Look for where frozen segment is created to understand the flow
rg -n "FrozenSegment\|frozen_segment" src/vector/segment/ | head -30

Repository: pilotspace/moon

Length of output: 41

---

🏁 Script executed:

# Check if there's any metric-aware preprocessing in the insert path
rg -n "fn insert\|metric" src/vector/ -B 2 -A 3 | head -60

Repository: pilotspace/moon

Length of output: 41

---

🏁 Script executed:

# Search more broadly for metric usage
rg -n "collection\.metric\|\.metric\s*==" src/vector/ | head -40

Repository: pilotspace/moon

Length of output: 41

---

🏁 Script executed:

# Look at search implementation
rg -n "fn search\|fn hnsw_search" src/vector/ -A 5 | head -80

Repository: pilotspace/moon

Length of output: 41

---

🏁 Script executed:

# Look for where mutable segment becomes frozen
rg -n "fn freeze\|impl.*Frozen\|FrozenSegment {" src/vector/segment/ -B 2 -A 5

Repository: pilotspace/moon

Length of output: 202

---

🏁 Script executed:

# Check if there are any guards/assertions about metric in compaction or search
rg -n "metric\|L2\|Cosine" src/vector/segment/compaction.rs

Repository: pilotspace/moon

Length of output: 41

---

🏁 Script executed:

# Broadly search for "metric" in segment module
rg -n "metric" src/vector/segment/ -B 2 -A 2

Repository: pilotspace/moon

Length of output: 826

---

🏁 Script executed:

# Fix regex and search for freeze function
rg -n "freeze" src/vector/segment/ -B 2 -A 5

Repository: pilotspace/moon

Length of output: 6931

---

🏁 Script executed:

# Look for where segments are created or vectors are processed
rg -n "create.*segment\|new.*segment" src/vector/ -i | head -30

Repository: pilotspace/moon

Length of output: 41

---

🏁 Script executed:

# Check if metric is validated at collection creation time
rg -n "impl.*CollectionMetadata\|fn.*new.*Collection" src/vector/ -A 10 | head -60

Repository: pilotspace/moon

Length of output: 41

---

🏁 Script executed:

# Search for any vector normalization for Cosine or InnerProduct
rg -n "Cosine\|InnerProduct\|normalize_vector" src/ -B 2 -A 2 | head -80

Repository: pilotspace/moon

Length of output: 41

---

🏁 Script executed:

# Search where collection.metric is actually used in the entire codebase
rg -n "\.metric" src/ | grep -v "test\|distance_metric" | head -40

Repository: pilotspace/moon

Length of output: 571

---

🏁 Script executed:

# Look at search functions to see how metric is used
rg -n "pub fn.*search\|fn search" src/vector/ -A 8 | head -100

Repository: pilotspace/moon

Length of output: 41

---

🏁 Script executed:

# Check if there are any restrictions on metrics in collection creation
rg -n "Cosine\|InnerProduct" src/ | head -40

Repository: pilotspace/moon

Length of output: 41

---

🏁 Script executed:

# Look for any feature flags or conditions around metrics
rg -n "metric.*Cosine\|metric.*InnerProduct\|metric.*L2" src/ -B 2 -A 2

Repository: pilotspace/moon

Length of output: 41

---

🏁 Script executed:

# Look at the assertion in vector_search.rs that restricts to L2
sed -n '870,890p' src/command/vector_search.rs | cat -n

Repository: pilotspace/moon

Length of output: 1049

---

🏁 Script executed:

# Search around line 189 in store.rs to see how metric is used
sed -n '180,200p' src/vector/store.rs | cat -n

Repository: pilotspace/moon

Length of output: 957

---

🏁 Script executed:

# Check the segment_io.rs to understand metric serialization
sed -n '165,220p' src/vector/persistence/segment_io.rs | cat -n

Repository: pilotspace/moon

Length of output: 2804

---

🏁 Script executed:

# Search for any creation/validation of collections to see if metric is restricted
rg -n "DistanceMetric::L2\|restrict\|only.*L2\|metric.*support" src/ -B 3 -A 3 | head -60

Repository: pilotspace/moon

Length of output: 41

---

🏁 Script executed:

# Check if there's documentation or comments about metric support
rg -n "TODO\|FIXME\|XXX\|metric\|Cosine\|InnerProduct" src/vector/types.rs -B 2 -A 2

Repository: pilotspace/moon

Length of output: 41

---

🏁 Script executed:

# Look at the test that asserts metric L2 to understand the context
sed -n '870,920p' src/command/vector_search.rs | cat -n

Repository: pilotspace/moon

Length of output: 2159

---

🏁 Script executed:

# Search for where metric is actually used in search or verified
rg -n "metric.*assert\|assert.*metric\|metric.*check\|metric.*restrict" src/ -B 3 -A 3 | head -80

Repository: pilotspace/moon

Length of output: 41

---

🏁 Script executed:

# Check if only L2 is supported by looking at search parameter handling
rg -n "DISTANCE_METRIC\|distance_metric\|distance-metric" src/ -B 3 -A 3 | head -80

Repository: pilotspace/moon

Length of output: 41

---

🏁 Script executed:

# Look at CollectionMetadata::with_build_mode to see if it validates metric
rg -n "with_build_mode\|fn new" src/vector/turbo_quant/collection.rs -A 15 | head -80

Repository: pilotspace/moon

Length of output: 41

---

🏁 Script executed:

# Look at ft_create to see if metric validation happens there
rg -n "fn ft_create" src/command/vector_search.rs -A 50 | head -100

Repository: pilotspace/moon

Length of output: 3732

---

🏁 Script executed:

# Check if there's any comment about metric support or restrictions
rg -n "metric\|Cosine\|InnerProduct\|L2.*only" src/command/vector_search.rs -B 2 -A 2 | head -60

Repository: pilotspace/moon

Length of output: 41

---

🏁 Script executed:

# Search the entire codebase for where Cosine or InnerProduct might be used
rg -n "Cosine\|InnerProduct" src/ -B 3 -A 3

Repository: pilotspace/moon

Length of output: 41

---

🏁 Script executed:

# Look at what metrics are actually tested
rg -n "DistanceMetric::" src/ | head -40

Repository: pilotspace/moon

Length of output: 3033

---

🏁 Script executed:

# Look at the Cosine test in collection.rs at line 417
sed -n '410,450p' src/vector/turbo_quant/collection.rs | cat -n

Repository: pilotspace/moon

Length of output: 1492

---

🏁 Script executed:

# Search for what happens with Cosine metric in search or build
rg -n "Cosine\|InnerProduct" src/vector/ -B 5 -A 5 | head -150

Repository: pilotspace/moon

Length of output: 41

---

🏁 Script executed:

# Check if there's any place where non-L2 metrics cause different behavior
rg -n "metric.*==\|metric.*match" src/vector/ -B 2 -A 5 | head -100

Repository: pilotspace/moon

Length of output: 41

---

🏁 Script executed:

# Look at the broader compaction function to see if metric is checked anywhere
sed -n '63,250p' src/vector/segment/compaction.rs | grep -n "metric\|collection\." | head -30

Repository: pilotspace/moon

Length of output: 220

---

🏁 Script executed:

# Look at the test around line 417 that uses Cosine
sed -n '400,450p' src/vector/turbo_quant/collection.rs | cat -n

Repository: pilotspace/moon

Length of output: 1846

---

🏁 Script executed:

# Search for where collection.metric is actually used to affect behavior
rg -n "collection\.metric\|self\.metric" src/ -A 5 -B 5 | head -150

Repository: pilotspace/moon

Length of output: 41

---

🏁 Script executed:

# Look for any match statement on metric
rg -n "match.*metric\|metric.*=>" src/ -B 2 -A 5 | head -100

Repository: pilotspace/moon

Length of output: 41

---

🏁 Script executed:

# Check if Cosine/InnerProduct are truly implemented or just placeholders
rg -n "DistanceMetric::Cosine\|DistanceMetric::InnerProduct" src/ -B 3 -A 3 | grep -v "test\|=>" | head -60

Repository: pilotspace/moon

Length of output: 41

---

🏁 Script executed:

# Let's do a comprehensive check - search for any location where metric affects distance calculation or HNSW building
rg -n "dist_table\|l2_f32\|tq_l2\|distance\(" src/vector/segment/compaction.rs

Repository: pilotspace/moon

Length of output: 41

---

🏁 Script executed:

# Check if there's any documentation or README about metric support
find src -name "README*" -o -name "*.md" | xargs grep -l "metric\|Cosine\|InnerProduct" 2>/dev/null

Repository: pilotspace/moon

Length of output: 43

---

🏁 Script executed:

# One more comprehensive search - look for any conditional logic based on metric in the entire vector module
rg -n "if.*metric\|match.*metric\|metric.*if\|metric.*match" src/vector/ -B 3 -A 3

Repository: pilotspace/moon

Length of output: 41

---

🏁 Script executed:

# Check comments in compaction.rs around the HNSW builder
sed -n '150,200p' src/vector/segment/compaction.rs | cat -n

Repository: pilotspace/moon

Length of output: 2338

---

Verify that non-L2 metrics are rejected before compaction or correctly used during HNSW graph construction.

The compact() function receives collection.metric but never uses it. The HNSW builder hardcodes L2 distance (dist_table.l2_f32 and dist_table.tq_l2), and verify_recall() explicitly uses L2 ground truth for validation. If a collection with Cosine or InnerProduct metrics reaches compaction, the graph will be built against the wrong distance objective, silently producing incorrect results.

Either:

1. Enforce that only L2-metric collections can be created (add validation at collection creation time), or
2. Make compaction metric-aware by using collection.metric to select the correct distance function for both HNSW construction and recall verification.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/segment/compaction.rs` around lines 161 - 188, compact() currently
ignores collection.metric and always uses L2 (dist_table.l2_f32 /
dist_table.tq_l2) and verify_recall() uses L2 ground truth; update the code to
either (A) enforce metric==L2 earlier (validate in collection creation and
return an error when non-L2 metrics attempt compaction) or (B) make compaction
metric-aware: read collection.metric inside compact() and select the appropriate
distance functions from crate::vector::distance::table() (e.g., choose the
matching pairwise and TQ functions instead of l2_f32/tq_l2), and update
verify_recall() to use the same metric-specific ground-truth comparator; adjust
calls around HnswBuilder::insert and the TQ decoding branch to use the selected
distance function so the HNSW graph and recall check match collection.metric.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

The advertised recall floor is never enforced.

After graph is built, compact() goes straight to BFS reorder / segment creation / persistence / return. verify_recall() and CompactionError::RecallTooLow are dead today, so a low-quality graph can still be published even though the public contract says otherwise.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/segment/compaction.rs` around lines 206 - 341, The compaction flow
never calls verify_recall(), so low-recall graphs get published; after the graph
is constructed but before creating the ImmutableSegment or writing to disk, call
verify_recall(...) with the built graph and the BFS-ordered buffers (e.g.,
tq_bfs, qjl_signs_bfs, residual_norms_bfs or whatever verify_recall expects) and
check its result; if it reports recall below the configured threshold return
Err(CompactionError::RecallTooLow(...)) and abort creating/persisting the
ImmutableSegment (the ImmutableSegment::new and
segment_io::write_immutable_segment calls must only run after verify_recall
succeeds). Ensure you reference the existing verify_recall function and
CompactionError::RecallTooLow symbol so the check is enforced in compact() prior
to segment creation/persistence.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Index QJL/residual sidecars by internal_id, not compacted position.

tq_codes and raw_f32 are sourced via entry.internal_id, but this block switches to live_idx = orig_id. After the first deleted row, every later QJL sketch / residual norm shifts and reranking reads another vector's payload.

🛠️ Minimal fix

     for bfs_pos in 0..n {
         let orig_id = graph.to_original(bfs_pos as u32) as usize;
-        let live_idx = orig_id;
+        let source_idx = live_entries[orig_id].internal_id as usize;
         // QJL signs
-        let src_qjl = live_idx * qjl_bpv;
+        let src_qjl = source_idx * qjl_bpv;
         let dst_qjl = bfs_pos * qjl_bpv;
         if src_qjl + qjl_bpv <= frozen.qjl_signs.len() {
             qjl_signs_bfs[dst_qjl..dst_qjl + qjl_bpv]
                 .copy_from_slice(&frozen.qjl_signs[src_qjl..src_qjl + qjl_bpv]);
         }
         // Residual norms
-        if live_idx < frozen.residual_norms.len() {
-            residual_norms_bfs[bfs_pos] = frozen.residual_norms[live_idx];
+        if source_idx < frozen.residual_norms.len() {
+            residual_norms_bfs[bfs_pos] = frozen.residual_norms[source_idx];
         }
     }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/vector/segment/compaction.rs` around lines 221 - 233, The QJL/residual
sidecars are currently indexed by the compacted position via orig_id, causing
payloads to shift; replace use of orig_id for sidecar lookups with the vector's
persistent internal id (use entry.internal_id as usize) so src_qjl and residual
lookups use that internal_id (compute src_qjl = internal_id * qjl_bpv and index
frozen.qjl_signs/frozen.residual_norms by internal_id) while keeping dst indices
based on bfs_pos; ensure bounds checks still compare src spans against
frozen.qjl_signs.len() and internal_id vs frozen.residual_norms.len().