Describe the bug
LIF field names flow into MongoDB document keys, but MongoDB forbids keys that start with $ and treats . as a nesting separator — so a permissive source-defined name (e.g. a CEDS-style code.CEDS or $ref) corrupts or fails the write.
Verified in code:
components/lif/query_cache_service/core.py:96-110 (build_mongo_update_ops) builds update keys as key_path = f"{root_prefix}.{k}" where k is the field name → a name containing . produces an ambiguous dotted path that Mongo interprets as deeper nesting (wrong/partial update), and a $-leading name yields a $set/$push key Mongo rejects.components/lif/query_cache_service/core.py:278 insert_one(lif_record.model_dump(by_alias=True)) and :321-322 update_one(..., {"$set": ...model_dump(by_alias=True)}) use field names (pydantic aliases = schema field names) as document keys.
Severity:
$-leading name → write rejected (key '...' must not start with '$')..-containing name → silent wrong-path write / data corruption.
Trigger: any MDR schema attribute/entity whose name contains . or starts with $ and reaches a mutation/cache write.
Fix direction: the durable fix is MDR write-time validation so such names never enter the model (#1014). This issue is one of the verified consumer-side failures behind that ADR (#1015). Defense-in-depth option: reject/escape illegal Mongo keys at the cache-write boundary.
Related: #1014 (boundary validation — the systemic fix), #1011/#1012 (GraphQL equivalent of the same name class), #1016 (semantic-search equivalent), docs/specs/data-model-rules.md → Naming Styles.
Describe the bug
LIF field names flow into MongoDB document keys, but MongoDB forbids keys that start with
$and treats.as a nesting separator — so a permissive source-defined name (e.g. a CEDS-stylecode.CEDSor$ref) corrupts or fails the write.Verified in code:
components/lif/query_cache_service/core.py:96-110(build_mongo_update_ops) builds update keys askey_path = f"{root_prefix}.{k}"wherekis the field name → a name containing.produces an ambiguous dotted path that Mongo interprets as deeper nesting (wrong/partial update), and a$-leading name yields a$set/$pushkey Mongo rejects.components/lif/query_cache_service/core.py:278insert_one(lif_record.model_dump(by_alias=True))and:321-322update_one(..., {"$set": ...model_dump(by_alias=True)})use field names (pydantic aliases = schema field names) as document keys.Severity:
$-leading name → write rejected (key '...' must not start with '$')..-containing name → silent wrong-path write / data corruption.Trigger: any MDR schema attribute/entity whose name contains
.or starts with$and reaches a mutation/cache write.Fix direction: the durable fix is MDR write-time validation so such names never enter the model (#1014). This issue is one of the verified consumer-side failures behind that ADR (#1015). Defense-in-depth option: reject/escape illegal Mongo keys at the cache-write boundary.
Related: #1014 (boundary validation — the systemic fix), #1011/#1012 (GraphQL equivalent of the same name class), #1016 (semantic-search equivalent),
docs/specs/data-model-rules.md→ Naming Styles.