feat(dataset): hybrid IP storage with parallel batch processing (#128)

* feat(dataset): hybrid IP storage with parallel batch processing

Implement memory-efficient hybrid storage that separates individual IPs
from CIDR ranges, significantly reducing memory usage for typical workloads.

## Changes

- Add IPMap using sync.Map for individual IP addresses (O(1) lookups)
- Keep BART (RangeSet) only for CIDR ranges requiring LPM
- Parallelize Add/Remove operations using sync.WaitGroup.Go() (Go 1.24+)
- CheckIP() checks IPMap first, falls back to RangeSet for range matching

## Memory Optimization

Most real-world deployments receive individual IP decisions, not ranges.
BART's radix trie has significant per-entry overhead optimized for prefix
matching. By storing individual IPs in a simple map:

- **1K IPs**: BART ~598KB → Map significantly less
- **10K IPs**: BART ~5.6MB → Map significantly less
- **50K IPs**: BART ~26.5MB → Map significantly less

## Performance

- IPMap lookup: ~72 ns/op, 0 allocs
- RangeSet lookup: ~69 ns/op, 0 allocs
- Parallel batch processing for Add/Remove operations

## Breaking Changes

None - API unchanged, internal storage optimization only.

* fix(ipmap): prevent data races with concurrent readers

Address Copilot review comments:

1. Clone RemediationIdsMap before modifying in add() and remove()
   - Prevents race between Contains() readers and Add/Remove modifiers
   - sync.Map's Load→Modify→Store pattern is unsafe with mutable values

2. Fix version comment: sync.WaitGroup.Go was added in Go 1.23, not 1.24

3. Remove trailing whitespace in benchmark_test.go

* refactor(dataset): rename BartUnifiedIPSet to BartRangeSet

More descriptive name since it now only handles CIDR ranges,
while individual IPs are stored in IPMap.

* feat(dataset): Consistent COW for lock free reads (#129)

* perf: lock-free reads for IPMap and CNSet

Use atomic pointers for completely lock-free reads across all data structures.
SPOA handlers never block, even during batch updates.

Changes:
1. IPMap: atomic.Pointer per entry for individual IPs
2. CNSet: atomic.Pointer for entire country map (small, cloning is cheap)
   - Added NewCNSet() constructor for consistency
   - Added defensive nil checks in Add/Remove/Contains
3. BartRangeSet: already uses atomic pointer (unchanged)

Concurrency model (consistent across all):
- Reads: atomic pointer load (instant, never blocks)
- Writes: clone → modify → atomic store (copy-on-write)
- Readers always see consistent state (old or new, never partial)

This ensures SPOA always has immediate access to decision data,
regardless of ongoing batch updates from the stream bouncer.

* refactor(ipmap): simplify addLocked - remove unreachable LoadOrStore fallback

Since writeMu is held for the entire batch, no other writer can race.
The LoadOrStore fallback code was unreachable - simplified to use Store directly.

* Simplify RemediationMap: remove ID tracking, optimize cloning

- Changed from map[Remediation][]RemediationDetails to map[Remediation]string
- Removed ID tracking (LAPI only sends longest decisions)
- Simplified Add/Remove methods (no ID parameters)
- Optimized IPMap cloning: skip clone for empty maps and single-entry removals
- Updated all callers to use new simplified API
- Reduced memory allocations and GC pressure

* Remove writeMu mutex from IPMap - single writer guarantee

- Removed writeMu mutex (unnecessary with single writer thread)
- Renamed addLocked/removeLocked to add/remove
- Updated comments to reflect single-writer, multiple-reader model
- Stream handler processes decisions sequentially, no concurrent writes
- Atomic pointer operations handle reader-writer synchronization safely

* Address Copilot review comments: remove unused ID parameters

- Remove unused 'id' parameter from CNSet.Add and CNSet.Remove methods
- Update addCN/removeCN helper functions to match new signatures
- Update outdated comments: 'merging IDs' -> 'merging remediations'
- Optimize CNSet.Add preallocation: remove +1 to avoid overallocation
- Fix map initialization syntax in CNSet.Add

* Remove unused ID fields from operation structs

- Remove ID field from IPAddOp, IPRemoveOp, BartAddOp, BartRemoveOp
- Remove id field from internal cnOp struct
- Update all operation struct literals to remove ID assignments
- Update benchmark tests to match new struct definitions
- IDs are no longer tracked since LAPI behavior ensures only longest decisions

* Add comprehensive metrics tests and optimize no-op handling

- Add comprehensive test suite for metrics tracking (IPMap, BartRangeSet, CNSet)
- Fix BartRangeSet no-op check to use exact prefix lookup (Get) instead of LPM
- Add HasRemediation and GetOriginForRemediation methods to BartRangeSet for exact prefix matching
- Optimize ipType assignment to only occur after no-op checks
- Remove pre-allocation of operation slices to avoid wasting memory when many decisions are no-ops
- Replace hardcoded metric increments with len(decisions) for better readability

* Fix outdated comment: replace 'ID' with 'remediation'

- Update comment in bart_types.go to reflect that IDs are no longer tracked
- Addresses Copilot review feedback from PR #129

* Refactor Remove() to return error for cleaner duplicate delete handling

- Add ErrRemediationNotFound sentinel error
- Update RemediationMap.Remove() to return error instead of silently ignoring
- Update all call sites to use errors.Is() for cleaner error checking
- Simplify RemoveBatch logic - no need to check existence before calling Remove()
- Metrics are only updated for actual removals, not duplicate deletes

This makes the code easier to follow and more explicit about error handling.

* refactor(metrics): use WithLabelValues instead of With for better performance

Replace prometheus.With(Labels{...}) with WithLabelValues() to avoid
map allocation overhead. This aligns with the optimization from main branch.

- Remove unused prometheus import
- Update all metrics calls to use WithLabelValues
- Add comments indicating label order for clarity

* fix(lint): remove unused nolint directive in metrics tests

* fix: verify origin matches before removing decisions

- Add origin verification in IPMap.remove() to prevent removing decisions
  when origin has been overwritten (e.g., by CAPI)
- Add same origin check in BartRangeSet.RemoveBatch() for range removals
- Remove optimization that deleted IP when only one remediation existed
  to handle edge cases where same origin changes remediation types
- Ensures metrics are decremented correctly and prevents orphaned decisions

Fixes issue where unsubscribing from blocklists didn't properly remove
decisions when origins were overwritten by other sources.

* fix: correct Go version in comments and add origin overwrite test

- Fix version documentation: sync.WaitGroup.Go was added in Go 1.22, not 1.23
- Add TestMetrics_OriginOverwriteAndDelete to verify metrics correctness
  when same origin changes remediation types (ban -> captcha -> delete ban)
- Test ensures origin verification works correctly and metrics are accurate

Author: LaurenceJJones

go.mod

@@ -44,6 +44,7 @@ require (
 	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
+	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
 	github.com/mailru/easyjson v0.9.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect

pkg/dataset/bart_types.go

@@ -1,6 +1,7 @@
 package dataset
 
 import (
+	"errors"
 	"net/netip"
 	"sync"
 	"sync/atomic"
@@ -15,7 +16,6 @@ type BartAddOp struct {
 	Prefix netip.Prefix
 	Origin string
 	R      remediation.Remediation
-	ID     int64
 	IPType string
 	Scope  string
 }
@@ -24,27 +24,26 @@ type BartAddOp struct {
 type BartRemoveOp struct {
 	Prefix netip.Prefix
 	R      remediation.Remediation
-	ID     int64
 	Origin string
 	IPType string
 	Scope  string
 }
 
-// BartUnifiedIPSet provides a unified interface for IP and CIDR operations using bart library.
+// BartRangeSet provides a unified interface for IP and CIDR operations using bart library.
 // Uses atomic pointer for lock-free reads and mutex-protected writes
 // following the pattern recommended in bart's documentation.
-type BartUnifiedIPSet struct {
-	tableAtomicPtr atomic.Pointer[bart.Table[RemediationIdsMap]]
+type BartRangeSet struct {
+	tableAtomicPtr atomic.Pointer[bart.Table[RemediationMap]]
 	writeMutex     sync.Mutex // Protects writers only
 	logger         *log.Entry
 }
 
-// NewBartUnifiedIPSet creates a new BartUnifiedIPSet
+// NewBartRangeSet creates a new BartRangeSet
 // The table starts as nil and will be created on first use for better memory efficiency
 // Initialize with nil; the table will be allocated during the first AddBatch operation.
 // This approach enables using Insert for the initial table population, which is more memory efficient than incremental updates.
-func NewBartUnifiedIPSet(logAlias string) *BartUnifiedIPSet {
-	return &BartUnifiedIPSet{
+func NewBartRangeSet(logAlias string) *BartRangeSet {
+	return &BartRangeSet{
 		logger: log.WithField("alias", logAlias),
 	}
 }
@@ -55,7 +54,7 @@ func NewBartUnifiedIPSet(logAlias string) *BartUnifiedIPSet {
 // For the initial load (when table is nil), uses Insert for better memory efficiency.
 // For subsequent updates, uses ModifyPersist for incremental changes.
 // All operations always succeed (duplicates are merged, new entries are created).
-func (s *BartUnifiedIPSet) AddBatch(operations []BartAddOp) {
+func (s *BartRangeSet) AddBatch(operations []BartAddOp) {
 	if len(operations) == 0 {
 		return
 	}
@@ -78,14 +77,14 @@ func (s *BartUnifiedIPSet) AddBatch(operations []BartAddOp) {
 
 // initializeBatch creates a new table and initializes it with the given operations using Insert.
 // This is more memory efficient than using ModifyPersist for the initial load.
-// Handles duplicate prefixes by merging IDs before inserting.
+// Handles duplicate prefixes by merging remediations before inserting.
 // All operations always succeed.
-func (s *BartUnifiedIPSet) initializeBatch(operations []BartAddOp) {
+func (s *BartRangeSet) initializeBatch(operations []BartAddOp) {
 	// Create a new table for the initial load
-	next := &bart.Table[RemediationIdsMap]{}
+	next := &bart.Table[RemediationMap]{}
 
 	// First, collect all operations by prefix to handle duplicates
-	prefixMap := make(map[netip.Prefix]RemediationIdsMap)
+	prefixMap := make(map[netip.Prefix]RemediationMap)
 	for _, op := range operations {
 		prefix := op.Prefix.Masked()
 
@@ -99,10 +98,10 @@ func (s *BartUnifiedIPSet) initializeBatch(operations []BartAddOp) {
 		// Get or create the data for this prefix
 		data, exists := prefixMap[prefix]
 		if !exists {
-			data = RemediationIdsMap{}
+			data = RemediationMap{}
 		}
-		// Add the ID (this handles merging if prefix already seen)
-		data.AddID(valueLog, op.R, op.ID, op.Origin)
+		// Add the remediation (this handles merging if prefix already seen)
+		data.Add(valueLog, op.R, op.Origin)
 		prefixMap[prefix] = data
 	}
 
@@ -126,7 +125,7 @@ func (s *BartUnifiedIPSet) initializeBatch(operations []BartAddOp) {
 // updateBatch updates an existing table with the given operations using ModifyPersist.
 // This handles incremental updates efficiently.
 // All operations always succeed.
-func (s *BartUnifiedIPSet) updateBatch(cur *bart.Table[RemediationIdsMap], operations []BartAddOp) {
+func (s *BartRangeSet) updateBatch(cur *bart.Table[RemediationMap], operations []BartAddOp) {
 	// Process all operations, chaining the table updates
 	next := cur
 	for _, op := range operations {
@@ -141,21 +140,21 @@ func (s *BartUnifiedIPSet) updateBatch(cur *bart.Table[RemediationIdsMap], opera
 
 		// Use ModifyPersist to atomically update or create the prefix entry
 		// This is more efficient than DeletePersist + InsertPersist as it only traverses once
-		next, _, _ = next.ModifyPersist(prefix, func(existingData RemediationIdsMap, exists bool) (RemediationIdsMap, bool) {
+		next, _, _ = next.ModifyPersist(prefix, func(existingData RemediationMap, exists bool) (RemediationMap, bool) {
 			if exists {
 				if valueLog != nil {
-					valueLog.Trace("exact prefix exists, merging IDs")
+					valueLog.Trace("exact prefix exists, merging remediations")
 				}
 				// bart already cloned via our Cloner interface, modify directly
-				existingData.AddID(valueLog, op.R, op.ID, op.Origin)
+				existingData.Add(valueLog, op.R, op.Origin)
 				return existingData, false // false = don't delete
 			}
 			if valueLog != nil {
 				valueLog.Trace("creating new entry")
 			}
 			// Create new data
-			newData := make(RemediationIdsMap)
-			newData.AddID(valueLog, op.R, op.ID, op.Origin)
+			newData := make(RemediationMap)
+			newData.Add(valueLog, op.R, op.Origin)
 			return newData, false // false = don't delete
 		})
 	}
@@ -165,10 +164,11 @@ func (s *BartUnifiedIPSet) updateBatch(cur *bart.Table[RemediationIdsMap], opera
 }
 
 // RemoveBatch removes multiple prefixes from the bart table in a single atomic operation.
-// Returns a slice of pointers to successfully removed operations (nil for failures).
+// Returns a slice of pointers to actually removed operations (nil for duplicate deletes or non-existent prefixes).
 // This allows callers to access operation metadata (Origin, IPType, Scope) for metrics.
+// Since Remove() never fails, we only return the operation pointer if the remediation actually existed.
 // IPs should be converted to /32 or /128 prefixes before calling this method.
-func (s *BartUnifiedIPSet) RemoveBatch(operations []BartRemoveOp) []*BartRemoveOp {
+func (s *BartRangeSet) RemoveBatch(operations []BartRemoveOp) []*BartRemoveOp {
 	if len(operations) == 0 {
 		return nil
 	}
@@ -199,7 +199,7 @@ func (s *BartUnifiedIPSet) RemoveBatch(operations []BartRemoveOp) []*BartRemoveO
 
 		// Use ModifyPersist to atomically update or remove the prefix entry
 		// This is more efficient than DeletePersist + InsertPersist as it only traverses once
-		next, _, _ = next.ModifyPersist(prefix, func(existingData RemediationIdsMap, exists bool) (RemediationIdsMap, bool) {
+		next, _, _ = next.ModifyPersist(prefix, func(existingData RemediationMap, exists bool) (RemediationMap, bool) {
 			if !exists {
 				if valueLog != nil {
 					valueLog.Trace("exact prefix not found")
@@ -208,19 +208,38 @@ func (s *BartUnifiedIPSet) RemoveBatch(operations []BartRemoveOp) []*BartRemoveO
 				return existingData, false // false = don't delete (prefix doesn't exist anyway)
 			}
 
-			// bart already cloned via our Cloner interface, modify directly
-			err := existingData.RemoveID(valueLog, op.R, op.ID)
-			if err != nil {
+			// Check if the remediation exists with the matching origin before removing
+			// This prevents removing decisions when the origin has been overwritten (e.g., by CAPI)
+			if !existingData.HasRemediationWithOrigin(op.R, op.Origin) {
+				// Origin doesn't match - this decision was likely overwritten by another origin
+				// Don't remove it, as it's not the decision we're trying to delete
 				if valueLog != nil {
-					valueLog.Trace("ID not found")
+					storedOrigin, exists := existingData[op.R]
+					if exists {
+						valueLog.Tracef("remediation exists but origin mismatch (stored: %s, requested: %s), skipping removal", storedOrigin, op.Origin)
+					} else {
+						valueLog.Tracef("remediation not found, skipping removal")
+					}
 				}
 				results[i] = nil
-				return existingData, false // false = don't delete, keep data unchanged
+				return existingData, false // false = don't delete, keep existing data
 			}
 
-			// ID was successfully removed - return pointer to the operation for metadata access
-			// Use index to get pointer to original operation (safe since we don't modify the slice)
-			results[i] = &operations[i]
+			// bart already cloned via our Cloner interface, modify directly
+			// Remove returns an error if remediation doesn't exist (duplicate delete)
+			// We already checked origin above, so this should succeed
+			err := existingData.Remove(valueLog, op.R)
+			if errors.Is(err, ErrRemediationNotFound) {
+				// This shouldn't happen since we checked above, but handle it gracefully
+				if valueLog != nil {
+					valueLog.Trace("remediation not found after origin check, duplicate delete")
+				}
+				results[i] = nil
+			} else {
+				// Remediation was successfully removed - return pointer for metrics
+				// Use index to get pointer to original operation (safe since we don't modify the slice)
+				results[i] = &operations[i]
+			}
 
 			if existingData.IsEmpty() {
 				if valueLog != nil {
@@ -229,7 +248,7 @@ func (s *BartUnifiedIPSet) RemoveBatch(operations []BartRemoveOp) []*BartRemoveO
 				return existingData, true // true = delete the prefix (it's now empty)
 			}
 			if valueLog != nil {
-				valueLog.Trace("removed ID from existing prefix")
+				valueLog.Trace("removed remediation from existing prefix")
 			}
 			return existingData, false // false = don't delete, keep modified data
 		})
@@ -244,7 +263,7 @@ func (s *BartUnifiedIPSet) RemoveBatch(operations []BartRemoveOp) []*BartRemoveO
 // Contains checks if an IP address matches any prefix in the bart table.
 // Returns the longest matching prefix's remediation and origin.
 // This method uses lock-free reads via atomic pointer for optimal performance.
-func (s *BartUnifiedIPSet) Contains(ip netip.Addr) (remediation.Remediation, string) {
+func (s *BartRangeSet) Contains(ip netip.Addr) (remediation.Remediation, string) {
 	// Lock-free read: atomically load the current table pointer
 	table := s.tableAtomicPtr.Load()
 
@@ -275,3 +294,54 @@ func (s *BartUnifiedIPSet) Contains(ip netip.Addr) (remediation.Remediation, str
 	}
 	return remediationResult, origin
 }
+
+// HasRemediation checks if an exact prefix has a specific remediation with a specific origin.
+// Uses Get() for exact prefix lookup (not LPM like Contains/Lookup).
+// Returns true if the exact prefix exists and has the given remediation with the given origin.
+// This method uses lock-free reads via atomic pointer for optimal performance.
+func (s *BartRangeSet) HasRemediation(prefix netip.Prefix, r remediation.Remediation, origin string) bool {
+	// Lock-free read: atomically load the current table pointer
+	table := s.tableAtomicPtr.Load()
+
+	// Check for nil table (not yet initialized)
+	if table == nil {
+		return false
+	}
+
+	// Use Get() for exact prefix lookup (not LPM)
+	maskedPrefix := prefix.Masked()
+	data, found := table.Get(maskedPrefix)
+	if !found {
+		return false
+	}
+
+	return data.HasRemediationWithOrigin(r, origin)
+}
+
+// GetOriginForRemediation returns the origin for a specific remediation on an exact prefix.
+// Uses Get() for exact prefix lookup (not LPM).
+// Returns the origin and true if the exact prefix exists and has the given remediation, false otherwise.
+// This method uses lock-free reads via atomic pointer for optimal performance.
+func (s *BartRangeSet) GetOriginForRemediation(prefix netip.Prefix, r remediation.Remediation) (string, bool) {
+	// Lock-free read: atomically load the current table pointer
+	table := s.tableAtomicPtr.Load()
+
+	// Check for nil table (not yet initialized)
+	if table == nil {
+		return "", false
+	}
+
+	// Use Get() for exact prefix lookup (not LPM)
+	maskedPrefix := prefix.Masked()
+	data, found := table.Get(maskedPrefix)
+	if !found {
+		return "", false
+	}
+
+	// Check if the remediation exists and return its origin
+	if existingOrigin, ok := data[r]; ok {
+		return existingOrigin, true
+	}
+
+	return "", false
+}