fix: resolve full-codebase audit findings (L0 range-del get, trivial move)

Full /x-overhaul audit across all src/ subsystems (10 parallel reviews).
Nine subsystems were clean; three findings fixed:

- HIGH db: get() could resurrect a range-deleted key. A single memtable
  flush split into multiple L0 SSTs numbers files by user key, not
  sequence, and a range tombstone is written only to the file holding
  its start key. The L0 get() loop scanned newest-first and early-
  returned on the first matching point entry, before visiting the
  lower-numbered file carrying the covering tombstone -- so get()
  returned a stale value while iter() correctly returned nothing. The L0
  branch now pre-scans all tombstone-bearing L0 files before any point
  lookup, matching the L1+ and iterator paths.

- LOW compaction: trivial-move was permanently unreachable because the
  always-on lazy-delete wrapper makes options.compaction_filter always
  Some. Added a defaulted CompactionFilter::is_noop(); LazyDeleteFilter
  reports no-op when no user filter is set and no dead keys are
  registered, so single-file Ln->Ln+1 moves skip the rewrite again.

- LOW types: module-header doc now documents the trailer bit-inversion,
  matching the struct doc and the actual encoding.

make fmt + clippy -D warnings clean; full debug + release suites pass.

Author: ktmlm

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "mmdb"
-version = "3.3.0"
+version = "3.3.1"
 edition = "2024"
 description = "The storage engine behind vsdb — a pure-Rust LSM-Tree key-value store"
 license = "MIT"

docs/audit.md

@@ -55,9 +55,9 @@
 - **What**: Comment uses "Safety:" but no unsafe block is involved.
 - **Reason**: Comment is a design note, not a safety justification. Cosmetic only.
 
-### [LOW] db: point-lookup `get` path scans all L1+ files with range deletions
+### [LOW] db: point-lookup `get` path scans all L0 + L1+ files with range deletions
 - **Where**: src/db.rs (get path), src/iterator/
-- **What**: The point-lookup `get` path iterates ALL L1+ files that have range deletions to check for covering tombstones — O(files_with_range_dels). The iterator path bounds this by checking `smallest_key > upper_bound` to skip files entirely past the range, but the point-lookup path cannot apply the same optimization since range tombstones can extend past a file's largest key.
+- **What**: The point-lookup `get` path iterates ALL L0 and L1+ files that have range deletions to check for covering tombstones — O(files_with_range_dels). The iterator path bounds the L1+ portion by checking `smallest_key > upper_bound` to skip files entirely past the range, but the point-lookup path cannot apply the same optimization since range tombstones can extend past a file's largest key. The L0 branch must pre-scan every tombstone-bearing L0 file before any point lookup because a single split flush numbers its files by key, not sequence, so a tombstone can live in a different L0 file than the keys it covers.
 - **Reason**: This is an inherent limitation of range tombstones combined with point lookups. The cost is bounded by the number of tombstone-bearing files (typically small in practice), and the alternative (maintaining a separate tombstone index) would add write-path complexity disproportionate to the benefit.
 
 ### [LOW] types: `InternalKey` panics on malformed encoded data

src/compaction/leveled.rs

@@ -1027,11 +1027,17 @@ impl LeveledCompaction {
 
         // Trivial move optimization: if there's exactly one input file and no
         // overlap with the next level, just move the metadata without rewriting.
-        // Skip the optimisation when a compaction filter is installed, because
-        // the filter needs to see every key-value pair to decide on removals.
+        // Skip the optimisation when the compaction filter could remove or
+        // change entries — it needs to see every key-value pair. A filter that
+        // reports itself a no-op (e.g. lazy-delete with no user filter and no
+        // registered dead keys) still permits the move.
         if task.input_files_level.len() == 1
             && task.input_files_next.is_empty()
-            && ctx.options.compaction_filter.is_none()
+            && ctx
+                .options
+                .compaction_filter
+                .as_ref()
+                .is_none_or(|f| f.is_noop())
         {
             let tf = &task.input_files_level[0];
             let mut edit = VersionEdit::new();

src/db.rs

@@ -245,6 +245,14 @@ impl CompactionFilter for LazyDeleteFilter {
         }
         CompactionFilterDecision::Keep
     }
+
+    fn is_noop(&self) -> bool {
+        // No-op only when there is no user filter to consult AND no key is
+        // currently registered for lazy deletion. A dead key registered after a
+        // trivial move is still removed by a later compaction that re-examines
+        // the relocated file, so allowing the move here is safe.
+        self.user_filter.as_ref().is_none_or(|f| f.is_noop()) && self.dead_keys.read().is_empty()
+    }
 }
 
 impl DB {
@@ -959,13 +967,27 @@ impl DB {
             return Ok(None);
         }
 
-        // 4. L0 SST files (newest first, may overlap)
-        // Check range tombstones in each file and accumulate max_tomb_seq.
-        for tf in version.level_files(0) {
+        // 4. L0 SST files (newest first, may overlap).
+        // A single memtable flush can be split into several L0 files cut at
+        // user-key boundaries; those files are numbered in ascending key order,
+        // and a range tombstone is written only to the file holding its start
+        // key (it is not fragmented into later split files). A tombstone in a
+        // lower-numbered file can therefore cover point keys living in a
+        // higher-numbered file from the same flush. Because L0 is scanned
+        // newest-first (descending file number), that point key would be found
+        // and returned before the tombstone-bearing file is ever visited. So
+        // accumulate covering tombstone sequences across ALL L0 files before
+        // doing any point lookup, mirroring the L1+ branch and the iterator
+        // path. (File number does not track sequence order within one split
+        // flush, so the per-file early-out is unsound here.)
+        let l0_files = version.level_files(0);
+        for tf in l0_files {
             if tf.meta.has_range_deletions {
                 let file_tomb_seq = tf.reader.max_covering_tombstone_seq(key, seq).c(d!())?;
                 max_tomb_seq = max_tomb_seq.max(file_tomb_seq);
             }
+        }
+        for tf in l0_files {
             if let Some((result, entry_seq)) = tf.reader.get_internal_with_seq(key, seq).c(d!())? {
                 if max_tomb_seq > entry_seq {
                     return Ok(None);

src/options.rs

@@ -359,6 +359,17 @@ pub enum CompactionFilterDecision {
 /// During compaction, each key-value pair is passed to the filter for a decision.
 pub trait CompactionFilter: Send + Sync {
     fn filter(&self, level: usize, key: &[u8], value: &[u8]) -> CompactionFilterDecision;
+
+    /// Returns `true` if this filter never removes or changes any entry, i.e.
+    /// [`filter`](Self::filter) always returns [`CompactionFilterDecision::Keep`].
+    ///
+    /// When `true`, the engine may apply the trivial-move optimization
+    /// (relocating a single SST to the next level without rewriting it) instead
+    /// of streaming every entry through the filter. The default is `false`
+    /// (conservative — the filter is assumed to be active).
+    fn is_noop(&self) -> bool {
+        false
+    }
 }
 
 impl fmt::Debug for dyn CompactionFilter {

src/types.rs

@@ -1,7 +1,8 @@
 //! Core data types: InternalKey, ValueType, SequenceNumber.
 //!
 //! Encoding follows RocksDB convention:
-//!   InternalKey = \[user_key bytes\]\[packed: seq << 8 | type\]  (last 8 bytes)
+//!   InternalKey = \[user_key bytes\]\[trailer: !(seq << 8 | type) as big-endian\]  (last 8 bytes)
+//!   The trailer is bit-inverted so a higher seq yields smaller bytes.
 //!   Sort order: user_key ASC, sequence DESC, value_type DESC
 
 use std::cmp::Ordering;