feat: data recovery

[hzcheng]

Description

Issue(s)

• Close/close/Fix/fix/Resolve/resolve: Issue Link

Checklist

Please check the items in the checklist if applicable.

• Is the user manual updated?
• Are the test cases passed and automated?
• Is there no significant decrease in test coverage?

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances TDengine's data robustness by introducing a new file-level data recovery tool accessible via taosd -r. The tool provides flexible repair options for vnode WAL, TSDB, and META files, supporting various scenarios from local corruption fixes to replica-based recovery. A key feature is the ability to resume repair operations, ensuring resilience against interruptions. The changes also include extensive internal documentation and new system tests to validate the functionality.

Highlights

• New Data Recovery Tool: Introduced a comprehensive data recovery tool integrated into the taosd -r command, enabling file-level repair for vnode WAL, TSDB, and META files.
• Multiple Repair Modes: Implemented three distinct repair modes: force for single-replica self-recovery, replica for triggering full synchronization from healthy replicas, and copy for direct file transfer from a specified replica node.
• Resumable Repair Sessions: Added functionality for resumable repair sessions, allowing the tool to pick up from where it left off after an interruption by persisting session state to repair.state.json.
• Enhanced Command-Line Options: Extended taosd -r with new command-line options such as --node-type, --file-type, --vnode-id, --backup-path, --mode, and --replica-node for granular control over the repair process.
• Comprehensive Documentation and Testing: Provided detailed design, implementation plans, and release checklists, along with new system-level test scripts and updated user manuals in both English and Chinese to cover the new data recovery features.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• .gitignore
  • Added numerous entries to ignore .agents and .claude related files, and skills-lock.json.
• AGENTS.md
  • Added a new document outlining TDengine Session Conventions, including progress reporting and required progress bar format.
• docs/en/08-operation/04-maintenance.md
  • Updated to include a new section on File-Level Repair (taosd -r), detailing supported scopes, command examples, validation, troubleshooting, and notes.
• docs/plans/2026-03-03-data-repair-tool-design.md
  • Added a new design document in Chinese for the TDengine data repair tool, covering background, goals, solution comparison, recommended architecture, mode-level design, safety, consistency, session recovery, testing strategy, risks, and confirmation points.
• docs/plans/2026-03-03-data-repair-tool-implementation.md
  • Added a new implementation plan document for the TDengine data repair tool, detailing the goal, architecture, tech stack, execution notes, and a task-by-task breakdown for implementation.
• docs/plans/2026-03-04-data-repair-release-checklist.md
  • Added a new release checklist document for the TDengine data repair feature, including scope, verification commands, results, release risks, and sign-off.
• docs/zh/08-operation/05-maintenance.md
  • Updated to include a new section on File-Level Repair (taosd -r) in Chinese, detailing supported scopes, command examples, operational validation, troubleshooting, and notes.
• findings.md
  • Added a new document detailing the findings from the data repair tool requirements research, including terminology clarification, key requirements, existing code analysis, reusable capabilities, main gaps, architectural recommendations, and discovered issues during execution.
• include/common/trepair.h
  • Added a new header file defining data structures and function prototypes for the data repair tool, including enums for node types, file types, and repair modes, CLI arguments, repair context, and various repair-related operations.
• include/libs/wal/wal.h
  • Modified to add SWalRepairStats struct and walGetRepairStats function prototype.
  • Added repairStats member to SWal struct.
• progress.md
  • Added a new document logging the development progress of the data repair tool, including checkpoints, session logs for each task, completed tasks, and risk warnings.
• source/common/src/trepair.c
  • Added a new C source file implementing the data repair tool functionalities, including parsing CLI options, validating arguments, initializing repair context, handling different repair modes (force, replica, copy), managing backup and rollback, session state persistence, progress reporting, and meta/tsdb/wal file scanning and rebuilding.
• source/dnode/mgmt/exe/dmMain.c
  • Modified to integrate new command-line arguments for the data repair tool.
  • Validated new command-line arguments and initialized the repair context.
  • Orchestrated the repair workflow based on the selected mode and file type.
• source/libs/wal/src/walMeta.c
  • Modified to increment corruptedSegments and rebuiltIdxEntries in SWalRepairStats during WAL meta and index repair.
• source/libs/wal/src/walMgmt.c
  • Modified to add walGetRepairStats function.
  • Initialized repairStats in walOpen.
• source/libs/wal/test/walMetaTest.cpp
  • Modified to add new test cases for walGetRepairStats.
  • Added tests to track corrupted segments and rebuilt index entries during WAL repair.
• task_plan.md
  • Added a new document outlining the overall task plan for the TDengine data repair tool, including goals, scope, current status, phase milestones, detailed 1-hour task breakdown, interruption recovery mechanism, and error records.
• tests/ci/repair_fixture_generator.sh
  • Added a new shell script to generate reproducible corruption fixtures for WAL, TSDB, and META files for testing the repair tool.
• tests/ci/repair_meta_force.sh
  • Added a new shell script to test the force mode repair for META files, including partial and complete corruption scenarios.
• tests/ci/repair_mode_matrix.sh
  • Added a new shell script to run a matrix of system tests for the repair tool across force (TSDB/META), replica, and copy modes.
• tests/ci/repair_tsdb_force.sh
  • Added a new shell script to test the force mode repair for TSDB files, including mixed recoverable and corrupted blocks.

Activity

• The author hzcheng has meticulously documented the development process, including task breakdowns, progress logs, and findings, indicating a structured and thorough approach.
• The development followed a Test-Driven Development (TDD) methodology, with failing tests written before implementation and subsequent verification.
• Extensive internal documentation, including design and implementation plans, has been created to guide the feature's development and future maintenance.
• New system-level test scripts have been added to ensure the reliability and correctness of the data recovery tool across various scenarios and modes.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a significant new feature: a data repair tool integrated into taosd -r. The changes are extensive, covering design documentation, implementation plans, the core C logic, command-line integration, and both unit and system-level tests. The overall structure is well-thought-out, with a clear separation of concerns between parsing, validation, and the repair workflow itself.

My review has identified a critical security vulnerability related to command injection in the copy mode, which must be addressed. I've also included a couple of medium-severity suggestions regarding a hardcoded limit and improving documentation examples for better usability.

Given the complexity and the critical nature of a data repair tool, thorough testing beyond the added scripts is highly recommended, especially focusing on edge cases and failure/rollback scenarios.

_{Note: Security Review did not run due to the size of the PR.}

[gemini-code-assist]

Potential command injection vulnerability. The replicaHost variable, which comes from user input, is directly embedded into a shell command string. While the validation in tRepairValidateReplicaNodeEndpoint checks for spaces, it's not sufficient to prevent all forms of command injection. A malicious value for --replica-node (e.g., somehost;reboot) could lead to arbitrary command execution on the server. This vulnerability exists in tRepairBuildCopySshProbeCmd, tRepairBuildCopyScpCmd, tRepairBuildCopySshStatCmd, and tRepairBuildCopySshDigestCmd. You should implement stricter validation for the hostname part of the replica-node parameter, allowing only characters that are valid in a hostname (e.g., alphanumeric, -, and .).

[gemini-code-assist]

The example for copy mode uses a hardcoded IP address and path (192.168.1.24:/var/lib/taos). This can be confusing and lead to copy-paste errors. It would be clearer and safer to use placeholders.

Suggested change

	--replica-node 192.168.1.24:/var/lib/taos \
	--replica-node <replica_host>:/path/to/remote/taos/data \

[gemini-code-assist]

The example for copy mode uses a hardcoded IP address and path (192.168.1.24:/var/lib/taos). This can be confusing and lead to copy-paste errors. It would be clearer and safer to use placeholders.

Suggested change

	--replica-node 192.168.1.24:/var/lib/taos \
	--replica-node <副本主机>:/远程taos数据目录的绝对路径 \

[gemini-code-assist]

The number of vnodes that can be repaired in a single command is limited by the REPAIR_MAX_VNODE_IDS constant, which is set to 128. For very large clusters, users might need to repair more vnodes at once. Using a fixed-size array for vnodeIds in SRepairCtx could be a limitation. Consider using a dynamic array (like SArray, which is used elsewhere in the codebase) to make this more flexible and avoid an arbitrary limit.

[Copilot]

Pull request overview

This PR extends taosd -r into a resumable “data repair” workflow with new repair CLI options, session/state artifacts, and CI coverage scripts for multiple repair modes (force/replica/copy), plus supporting WAL repair stats and related documentation/planning notes.

Changes:

• Add repair CLI options and a repair workflow orchestration in taosd (--node-type/--file-type/--vnode-id/--backup-path/--mode/--replica-node) with session log/state output.
• Add WAL repair statistics export (walGetRepairStats) and new WAL unit tests validating stats tracking.
• Add CI scripts to generate fixtures and validate repair flows (force TSDB/META + replica + copy) and update ops docs/plans.

Reviewed changes

Copilot reviewed 20 out of 22 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
source/dnode/mgmt/exe/dmMain.c	Adds repair CLI parsing/help and implements the repair workflow orchestration (precheck/backup + mode handlers + session logging/state).
include/common/trepair.h	Introduces the common repair API/types used by the CLI/workflow.
include/libs/wal/wal.h	Adds WAL repair stats struct + API and stores stats on the WAL handle.
source/libs/wal/src/walMgmt.c	Implements walGetRepairStats() and zeros stats on open.
source/libs/wal/src/walMeta.c	Updates WAL repair routines to accumulate repair statistics.
source/libs/wal/test/walMetaTest.cpp	Adds unit tests for WAL repair stats behavior.
tests/ci/repair_tsdb_force.sh	Adds a TSDB force-repair CI verification script.
tests/ci/repair_meta_force.sh	Adds a META force-repair CI verification script.
tests/ci/repair_mode_matrix.sh	Adds a matrix runner validating force/meta/replica/copy modes.
tests/ci/repair_fixture_generator.sh	Adds a fixture generator for reproducible corruption scenarios.
docs/zh/08-operation/05-maintenance.md	Documents file-level repair usage under taosd -r (Chinese).
docs/en/08-operation/04-maintenance.md	Documents file-level repair usage under taosd -r (English).
task_plan.md, progress.md, findings.md	Project planning/status documents for the repair tool effort.
docs/plans/2026-03-03-data-repair-tool-*.md	Design/implementation plan docs.
docs/plans/2026-03-04-data-repair-release-checklist.md	Release checklist and verification commands/results.
AGENTS.md	Adds session/progress reporting conventions document.
.gitignore	Ignores local agent/Claude tooling directories and related files.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

This script requires the referenced force-mode scripts to be executable (-x), but it later invokes them explicitly via bash ..., so the execute bit is not actually needed at runtime. This extra requirement can cause CI failures if the repo file mode isn't preserved (e.g., when checking out on some systems). Consider checking for existence/readability (-f/-r) instead, or invoke them directly without bash if executability is truly required.

Suggested change

	if [[ ! -x "$TSDB_FORCE_SCRIPT" || ! -x "$META_FORCE_SCRIPT" ]]; then
	echo "required force-mode scripts are missing or not executable"
	if [[ ! -r "$TSDB_FORCE_SCRIPT" || ! -r "$META_FORCE_SCRIPT" ]]; then
	echo "required force-mode scripts are missing or not readable"

[Copilot]

When repair mode is enabled (global.repairCtx.enabled), the process runs dmRunRepairWorkflow() but then continues into the normal daemon startup path (dmInit/dmRun). This makes taosd -r --node-type/--file-type/... behave non-offline and can hang/side-effect CI and ops usage if startup succeeds. Consider exiting cleanly after a successful repair workflow (with proper cleanup) when repairCtx.enabled is true, instead of proceeding to start services.

Suggested change

	if (code != TSDB_CODE_SUCCESS) {
	taosCleanupCfg();
	taosCloseLog();
	taosCleanupArgs();
	taosConvDestroy();
	taosCleanupCfg();
	taosCloseLog();
	taosCleanupArgs();
	taosConvDestroy();
	if (code == TSDB_CODE_SUCCESS) {
	return 0;
	} else {

[Copilot]

The help text advertises multiple node/file repair targets (mnode/dnode/snode and file types like data/config/checkpoint), but the repair workflow in dmMain currently only performs vnode-level handlers (wal/tsdb/meta). With the current validator allowing these combinations, a non-vnode invocation can become a no-op that still reports a successful summary. Recommend either restricting --node-type to vnode for now (and updating help strings accordingly) or implementing the additional node/file-type handlers before advertising them.

Suggested change

	#define DM_REPAIR "Enable repair mode. Works with --node-type/--file-type/--mode and other repair options."
	#define DM_REPAIR_NODE_TYPE "Repair target node type. Options: vnode, mnode, dnode, snode."
	#define DM_REPAIR_FILE_TYPE "Repair target file type. Examples: vnode->wal|meta|tsdb; mnode->wal|data; dnode->config; snode->checkpoint."
	#define DM_REPAIR_VNODE_ID "Target vnode id list, separated by comma (required when --node-type=vnode)."
	#define DM_REPAIR_BACKUP_PATH "Backup path for corrupted files before repair."
	#define DM_REPAIR_MODE "Repair mode. Options: force, replica, copy."
	#define DM_REPAIR_REPLICA_NODE "Replica node endpoint for copy mode. Format: <ip>:<dataDir>, required when --mode=copy."
	#define DM_REPAIR "Enable repair mode. Currently supports vnode-level repair via --node-type, --file-type, --mode and other repair options."
	#define DM_REPAIR_NODE_TYPE "Repair target node type. Currently supported option: vnode."
	#define DM_REPAIR_FILE_TYPE "Repair target file type for vnode. Supported: wal | meta | tsdb."
	#define DM_REPAIR_VNODE_ID "Target vnode id list, separated by comma (required when --node-type=vnode)."
	#define DM_REPAIR_BACKUP_PATH "Backup path for corrupted files before repair."
	#define DM_REPAIR_MODE "Repair mode. Options: force, replica, copy."
	#define DM_REPAIR_REPLICA_NODE "Replica vnode node endpoint for copy mode. Format: <ip>:<dataDir>, required when --mode=copy."

[Copilot]

Pull request overview

Copilot reviewed 19 out of 22 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

dmRunRepairWorkflow() returns success and execution continues into the normal dnode startup path. For a repair invocation (taosd -r --node-type ...), this can cause the process to turn into a long-running daemon (or hang under CI unless it fails later), and it can also trigger unrelated side effects (e.g., vnode open) after a potentially destructive repair. Consider exiting the process after the repair summary is written (with a success exit code), or gating the post-repair startup behind an explicit flag.

[Copilot]

Non-vnode repair targets are accepted by CLI validation, but the workflow currently sets totalVnodes to 0 when nodeType != vnode and then proceeds to report success without performing any repair work. If mnode/dnode/snode repair is not implemented yet, this should fail fast with a clear "not supported" error; otherwise totalVnodes should be computed appropriately and the corresponding handlers added.