feat: data force repair

[hzcheng]

• enable tsdb repair to enter the real execution path
  • add vnode/tsdb force repair handling and backup logic
  • add tsdb force repair pytest coverage and design notes
  • normalize timezone strings for repair-related tests

Description

Issue(s)

• Close/close/Fix/fix/Resolve/resolve: Issue Link

Checklist

Please check the items in the checklist if applicable.

• Is the user manual updated?
• Are the test cases passed and automated?
• Is there no significant decrease in test coverage?

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

此拉取请求为 TDengine 引入了关键的数据修复功能，通过对 taosd -r 命令的参数层进行全面重构，使其能够支持更精细化的 vnode 和 TSDB 文件强制修复操作。核心工作包括设计并实现了元数据和 TSDB 文件的故障恢复逻辑，确保在数据损坏时能够进行有针对性的修复，同时通过引入崩溃安全机制和详细的备份策略，极大地提升了系统的健壮性和可恢复性。此外，还通过广泛的测试用例和对测试环境稳定性的改进，确保了新功能的可靠性。

Highlights

• 命令行参数重构: 重构了 taosd -r 命令的参数解析逻辑，以支持新的修复选项，同时保持对旧行为的兼容性。
• 元数据强制修复 (META Force Repair): 实现了 vnode 元数据（meta）的强制修复功能，包括针对指定 vnode 或所有 vnode 的修复，以及外部备份机制。
• TSDB 强制修复 (TSDB Force Repair): 引入了 TSDB 文件（tsdb）的强制修复能力，能够分析文件组、备份受影响的文件集、处理缺失的 STT/核心文件，并支持从有效块重建核心文件组。
• 崩溃安全 (Crash-Safe) 机制: 在 TSDB 修复过程中，对 current.json 的更新采用了事务性 manifest 切换机制，确保在系统崩溃时数据一致性。
• 测试覆盖与环境稳定性: 增加了大量的 pytest 测试用例，覆盖了参数解析、元数据修复和 TSDB 修复的各种场景，并修复了与 ASAN/LSAN 环境相关的测试稳定性问题，以及时区字符串规范化问题。
• 详细文档与规划: 新增了多份详细的文档，包括设计、实施计划、发现和进度日志，为数据修复功能的开发提供了全面的记录和指导。

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• .gitignore
  • 新增了 .agents/ 和 skills-lock.json 的忽略条目。
• AGENTS.md
  • 新增了一份文档，概述了仓库指南、项目结构、构建命令、编码风格、测试指南和提交/PR 约定。
• docs/data_repair/01-参数重构/findings.md
  • 新增了一份文档，详细说明了数据修复第一阶段参数重构的发现、决策和遇到的问题。
• docs/data_repair/01-参数重构/progress.md
  • 新增了一份进度日志，记录了数据修复第一阶段参数重构所采取的行动、测试结果和错误解决方案。
• docs/data_repair/01-参数重构/task_plan.md
  • 新增了一份任务计划文档，用于 taosd -r 参数层重构的第一阶段。
• docs/data_repair/02-META_repair/findings.md
  • 新增了一份文档，详细说明了 META 强制修复第二阶段的发现、决策和实施说明。
• docs/data_repair/02-META_repair/progress.md
  • 新增了一份进度日志，记录了 META 强制修复第二阶段的会话、行动和验证步骤。
• docs/data_repair/02-META_repair/task_plan.md
  • 新增了一份任务计划文档，用于 META 强制修复的第二阶段。
• docs/data_repair/03-TSDB_repair/2026-03-07-next-session-handoff-prompt.md
  • 新增了一份详细的交接文档，用于 TSDB 强制修复的下一阶段，概述了上下文、当前状态和优先级。
• docs/data_repair/03-TSDB_repair/findings.md
  • 新增了一份文档，详细说明了 TSDB 强制修复第三阶段的发现、确认范围、代码库洞察和崩溃安全分析。
• docs/data_repair/03-TSDB_repair/progress.md
  • 新增了一份进度日志，记录了 TSDB 强制修复第三阶段的会话、行动和验证步骤。
• docs/data_repair/03-TSDB_repair/task_plan.md
  • 新增了一份任务计划文档，用于 TSDB 强制修复的第三阶段。
• docs/plans/2026-03-06-meta-force-repair-design.md
  • 新增了一份 META 强制修复的设计文档。
• docs/plans/2026-03-06-meta-force-repair-plan.md
  • 新增了一份 META 强制修复的实施计划。
• docs/plans/2026-03-07-tsdb-force-repair-design.md
  • 新增了一份 TSDB 强制修复的设计文档。
• docs/plans/2026-03-07-tsdb-force-repair-plan.md
  • 新增了一份 TSDB 强制修复的实施计划。
• source/dnode/mgmt/exe/dmMain.c
  • 重构了命令行参数解析，以支持新的修复选项，废弃了 --force，添加了修复专用帮助，并引入了管理修复流程状态的函数。
• source/dnode/mgmt/node_mgmt/inc/dmMgmt.h
  • 为新的修复选项访问器函数添加了外部声明。
• source/dnode/vnode/CMakeLists.txt
  • 更新了 CMake 配置，以包含新的 vnodeRepair.c 源文件。
• source/dnode/vnode/src/meta/metaOpen.c
  • 集成了新的修复流程逻辑，包括 vnode 特定的修复匹配、修复前的外部元数据备份，以及标记已修复的 vnode 以防止重复执行。
• source/dnode/vnode/src/tsdb/tsdbFS2.c
  • 实现了 TSDB 强制修复逻辑，包括文件集分析、受影响文件集备份、崩溃安全的 manifest 更新，以及核心文件组的修复/重建。
• source/dnode/vnode/src/vnd/vnodeRepair.c
  • 为修复选项访问器函数添加了弱符号定义，允许它们被 dmMain.c 覆盖。
• source/os/src/osTimezone.c
  • 修改了 truncateTimezoneString 以移除时区字符串中的前导斜杠，并将其应用于 getTimezoneStr。
• source/os/test/osTimeTests.cpp
  • 为 truncateTimezoneString 添加了一个单元测试，以验证前导斜杠的移除。
• test/cases/80-Components/01-Taosd/test_com_cmdline.py
  • 更新了 _run_taosd 以确保 ASAN_OPTIONS 包含 detect_leaks=0，并为 taosd -r 命令行解析添加了全面的测试套件。
• test/cases/80-Components/01-Taosd/test_meta_force_repair.py
  • 新增了 META 强制修复的 pytest 用例，包括所有 vnode 修复、非元数据修复占位符行为和真实 vnode 元数据备份创建的测试。
• test/cases/80-Components/01-Taosd/test_tsdb_force_repair.py
  • 新增了 TSDB 强制修复的 pytest 用例，涵盖了 open_fs 中的调度、真实执行路径入口、受影响文件集备份、缺失 STT/核心文件的移除、崩溃安全的 manifest 更新，以及从有效块重建核心文件组。

Activity

• 拉取请求描述概述了关键变更，包括启用 TSDB 修复、添加 vnode/TSDB 强制修复处理和备份逻辑，以及添加 pytest 覆盖和设计说明。
• 描述中还提到了规范化修复相关测试的时区字符串。
• 作者提供了一份用户手册更新、测试用例自动化和测试覆盖的清单，表明了对变更的全面方法。
• 在多个修复阶段（01-参数重构、02-META_repair、03-TSDB_repair）中存在详细的 findings.md、progress.md 和 task_plan.md 文件，表明了迭代开发过程和持续的文档与审查。
• 2026-03-07-next-session-handoff-prompt.md 文件表明了结构化的开发交接过程，强调了特定文件、当前任务范围、边界以及先前会话的关键发现。
• progress.md 文件详细记录了所采取的具体行动、测试结果（包括红/绿阶段）、错误日志和解决方案，显示了积极的开发和调试过程。例如，修复了 LSAN 问题、pytest 环境问题和 printf 缓冲问题。
• findings.md 文件记录了确认的范围、现有实现事实、用户约束、设计主题、新确认的决策、实施说明、验证说明以及从调试复杂测试环境中获得的长期记忆/经验教训。
• task_plan.md 文件概述了目标、当前阶段、详细步骤、关键问题和已做出的决策，表明了周密的开发计划。
• test_com_cmdline.py、test_meta_force_repair.py 和 test_tsdb_force_repair.py 文件显示了为覆盖新修复功能和确保捕获回归而进行的活跃测试用例开发。
• source/os/src/osTimezone.c 和 source/os/test/osTimeTests.cpp 的变更表明修复了一个导致 taosd 启动问题的时区解析问题，展示了对已识别问题的响应能力。
• source/dnode/vnode/src/tsdb/tsdbFS2.c 的变更包括 printf 缓冲的修复以及 tsdbRepairDropCoreOnTmpFSet 正确生成 TSDB_FOP_REMOVE 操作的关键修复，表明对核心逻辑进行了详细的调试和纠正。

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a significant new feature: data force repair for meta and tsdb data, including backup logic and detailed execution paths. While the implementation is comprehensive, a security audit identified two medium-severity issues related to how backups are handled: the default backup location in the system's temporary directory may expose sensitive data, and user-provided backup paths are not sanitized for path traversal, potentially allowing arbitrary directory creation. Furthermore, two critical race conditions related to tracking repaired vnodes in a multi-threaded context and a bug in a test helper function need to be addressed.

[gemini-code-assist]

The global static variable tsMetaRepairDoneVnodeId is accessed and modified here without any synchronization. Since metaOpen is called in parallel for different vnodes, this will lead to a race condition when multiple threads try to update this shared string simultaneously. This can cause memory corruption or incorrect behavior.

Please protect all accesses to tsMetaRepairDoneVnodeId (in this function and in metaForceRepairMatchesVnode) with a mutex. A static TdThreadMutex would be appropriate here.

[gemini-code-assist]

Similar to the issue in metaOpen.c, the global static variable tsTsdbRepairDoneVnodeId is modified here without thread synchronization. The tsdbDispatchForceRepair function, which calls this, is part of the parallel vnode startup process. This creates a race condition that can lead to memory corruption or incorrect repair behavior.

Please add a mutex to protect all reads and writes to tsTsdbRepairDoneVnodeId.

[gemini-code-assist]

The variable extra_env is used within this function but is not defined as a parameter or a local variable. This will cause a NameError if the function is ever called.

Although this helper function does not seem to be used in the current test suite, this is a latent bug that should be fixed. Please add extra_env=None to the function signature.

Suggested change

	def _start_repair_process(self, args):
	def _start_repair_process(self, args, extra_env=None):

[gemini-code-assist]

The data repair process defaults to backing up sensitive database metadata to the system's temporary directory (/tmp) when --backup-path is not specified. On multi-user systems, /tmp is typically world-readable, which could allow unauthorized local users to access sensitive database information. It is recommended to use a more secure default location (e.g., a subdirectory within the TDengine data directory with restricted permissions) or explicitly set restrictive permissions (e.g., 0700) on the created backup directories.

[gemini-code-assist]

The data repair process defaults to backing up sensitive database files to the system's temporary directory (/tmp) when --backup-path is not specified. On multi-user systems, /tmp is typically world-readable, which could allow unauthorized local users to access sensitive database information. It is recommended to use a more secure default location or explicitly set restrictive permissions on the created backup directories.

[gemini-code-assist]

The user-provided --backup-path is used to construct filesystem paths for data backups without sanitization for path traversal sequences (e.g., ..). This allows a user with the ability to run the repair command to create directories and write backup files in arbitrary locations on the filesystem. While the impact is limited by the fixed subdirectory structure appended to the path, it is best practice to sanitize the input or validate that the resolved path remains within an authorized base directory.

[gemini-code-assist]

The user-provided --backup-path is used to construct filesystem paths for data backups without sanitization for path traversal sequences (e.g., ..). This allows a user with the ability to run the repair command to create directories and write backup files in arbitrary locations on the filesystem. It is recommended to sanitize the input or validate that the resolved path remains within an authorized base directory.

[Copilot]

Pull request overview

This PR enables real execution for taosd -r --node-type vnode --file-type tsdb --mode force by dispatching repair logic inside vnode/TSDB open paths, adds backup/manifest/log handling for affected TSDB file-sets, and introduces end-to-end pytest coverage plus supporting docs/design notes. It also normalizes timezone strings (e.g., /UTC → UTC) to stabilize repair-related startup/tests.

Changes:

• Add TSDB force-repair dispatch in tsdb open fs, including affected file-set backup (manifest + original files) and core-group drop/rebuild logic.
• Add META force-repair dispatch in metaOpen() with external backup support and CLI parameter flow accessors.
• Add/extend pytest E2E coverage for repair flows and add a timezone normalization fix + unit test.

Reviewed changes

Copilot reviewed 26 out of 27 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
test/cases/80-Components/01-Taosd/test_tsdb_force_repair.py	New E2E suite for TSDB force repair dispatch, backup/log behavior, crash-safe manifest staging, and rebuild scenarios.
test/cases/80-Components/01-Taosd/test_meta_force_repair.py	New E2E coverage for META force repair vnode targeting and backup directory creation.
test/cases/80-Components/01-Taosd/test_com_cmdline.py	Adds CLI parameter-layer regression matrix for taosd -r (phase1 behaviors).
source/os/src/osTimezone.c	Normalizes timezone strings via truncateTimezoneString() to handle leading /.
source/os/test/osTimeTests.cpp	Adds a unit test for the timezone string normalization behavior.
source/dnode/mgmt/exe/dmMain.c	Implements repair option parsing/validation and exposes repair accessors for vnode layers.
source/dnode/mgmt/node_mgmt/inc/dmMgmt.h	Declares repair option accessor APIs.
source/dnode/vnode/src/meta/metaOpen.c	Dispatches meta force repair per vnode and adds external backup copy logic.
source/dnode/vnode/src/tsdb/tsdbFS2.c	Adds TSDB force repair dispatch during FS open, backup/manifest/logging, and core repair actions.
source/dnode/vnode/src/vnd/vnodeRepair.c	Provides weak fallback stubs for dmRepair* accessors for linkability in libvnode contexts.
source/dnode/vnode/CMakeLists.txt	Adds the new vnodeRepair.c compilation unit.
docs/plans/2026-03-07-tsdb-force-repair-*.md	Adds TSDB force repair design + implementation plan notes.
docs/plans/2026-03-06-meta-force-repair-*.md	Adds META force repair design + implementation plan notes.
docs/data_repair/03-TSDB_repair/*	Adds phase3 task plan/findings/progress/handoff documentation for TSDB repair workstream.
docs/data_repair/02-META_repair/*	Adds/updates phase2 task plan/findings/progress documentation for META repair.
AGENTS.md	Adds repository guidelines for structure/build/test/style.
.gitignore	Ignores .agents/ and skills-lock.json.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The force-repair "done" tracking uses a process-global CSV string (tsMetaRepairDoneVnodeId) that is read/modified from metaOpen(). Vnodes are opened concurrently (vmOpenVnodes launches multiple threads), so this introduces a data race and possible string corruption, leading to repeated or skipped repairs. Protect the read/check/append with a mutex (or replace the string with a thread-safe set/bitmap keyed by vgId).

[Copilot]

The TSDB force-repair "done" tracking uses a process-global CSV string (tsTsdbRepairDoneVnodeId) that is read/modified during open_fs(). Vnodes are opened concurrently, so this is not thread-safe and can corrupt the buffer or cause incorrect de-dup decisions. Guard accesses with a mutex (or use a concurrent set/bitmap keyed by vgId).

[Copilot]

_start_repair_process() references extra_env but the function has no such parameter/variable in scope, so this will raise a NameError at runtime when the helper is used. Add an extra_env parameter (default None) and apply it to env, or remove the dead code path if not needed.

[Copilot]

_run_taosd_with_cfg() accepts an extra_env argument but never applies it to the subprocess environment. Either remove the parameter or update the function to merge extra_env into env so callers can reliably inject test-only environment variables.

[Copilot]

_run_taosd() uses subprocess.run() without a timeout. Several cases invoke taosd -r ... without -V and could hang if the CLI behavior regresses, which would stall CI. Add a reasonable timeout and include the timeout handling in the assertion helper.

[Copilot]

Pull request overview

Copilot reviewed 26 out of 27 changed files in this pull request and generated 4 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

metaMarkForceRepairDone() is never called after a successful meta force repair. Without marking the vnode as repaired, repeated metaOpen() calls in the same process could re-run force repair unexpectedly. After a successful metaForceRepair() (or after metaForceRepairIfShould() returns success), record completion via metaMarkForceRepairDone(TD_VID(pVnode)).

Suggested change

	metaMarkForceRepairDone(TD_VID(pVnode));

[Copilot]

The test docstring says taosd is stopped before running tsdb force repair, but the test doesn't actually stop the running dnode before launching taosd -r .... This can make the test flaky (port already in use / data directory lock) and diverges from the intended scenario. Stop taosd (e.g., tdDnodes.stop(1)) before invoking _run_taosd_with_cfg, and restart in a finally block like the other tests in this file.

Suggested change

	code, output = self._run_taosd_with_cfg(
	f"-r --node-type vnode --file-type tsdb --vnode-id {vnode_id} --mode force --log-output /dev/null"
	)
	tdSql.checkEqual("repair execution is not enabled in this phase" in output, False)
	tdSql.checkEqual(code == 0 and "repair parameter validation succeeded (phase1)" in output, False)
	tdDnodes.stop(1)
	try:
	code, output = self._run_taosd_with_cfg(
	f"-r --node-type vnode --file-type tsdb --vnode-id {vnode_id} --mode force --log-output /dev/null"
	)
	tdSql.checkEqual("repair execution is not enabled in this phase" in output, False)
	tdSql.checkEqual(code == 0 and "repair parameter validation succeeded (phase1)" in output, False)
	finally:
	tdDnodes.start(1)

[Copilot]

dmParseRepairOption() declares const char *arg = argv[index]; but never uses it. This can trigger -Wunused-variable warnings in builds that treat warnings as errors. Remove the unused variable (or use it) to keep the build clean.

[Copilot]

metaBackupCurrentMeta() is defined but never called. As a result, meta force repair won't create the external backup directory that the tests (and design notes) expect. Call metaBackupCurrentMeta(pVnode) when metaShouldForceRepair() is true (ideally before any local rename/switch operations) and handle/propagate its error code.

[Copilot]

Pull request overview

Copilot reviewed 36 out of 37 changed files in this pull request and generated 4 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

tsdbRepairDropCoreOnTmpFSet() clears/unrefs fset->farr[ftype] before calling tsdbTFileSetEdit() with a TSDB_FOP_REMOVE op. tsdbTFileSetEdit()'s remove path dereferences fset->farr[op->of.type] to unref it, so setting it to NULL here will lead to a NULL dereference (and also double-unref if it were non-NULL). Let tsdbTFileSetEdit() own the unref/NULL assignment (i.e., remove the manual tsdbTFileObjUnref + farr[ftype]=NULL), or apply the edit before mutating fset->farr.

[Copilot]

metaForceRepair() has multiple early-return error paths after successfully opening pNewMeta (and/or starting a transaction) that don't close pNewMeta or otherwise clean up the temp meta state. This can leak resources and potentially leave meta_tmp in a partially initialized state. Consider switching to a single goto _exit cleanup path that always metaClose(&pNewMeta) (and aborts/rolls back any started transaction) before returning.

[Copilot]

metaMarkForceRepairDone() / tsMetaRepairDoneVnodeId are introduced and used for the “already repaired in this process” check, but the code never calls metaMarkForceRepairDone() after a successful force repair. As a result, the done-list check will never take effect, and the helper itself is currently dead code. Either call metaMarkForceRepairDone(TD_VID(pVnode)) after metaForceRepair() succeeds (so repeated metaOpen() calls don't re-run repair), or remove the unused tracking code.

[Copilot]

After a successful repair in metaForceRepairIfShould(), the vnode isn't marked as “repaired” for this process, so a later metaOpen() for the same vnode (e.g., reopen paths) could re-run force repair again. This is especially important since metaForceRepairMatchesVnode() checks tsMetaRepairDoneVnodeId but that list is never updated. Mark the vnode as done on success (or remove the done-list gate entirely).

[Copilot]

Pull request overview

Copilot reviewed 36 out of 37 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

These plan docs include assistant-specific instructions (e.g. “For Claude: REQUIRED SUB-SKILL…”). This is likely to confuse human readers and may become stale quickly. Consider moving AI-runbook content into AGENTS.md (or an internal-only doc) and keep repository plans focused on the technical design/tasks.

Suggested change

> **For Claude:** REQUIRED SUB-SKILL: Use superpowers:executing-plans to implement this plan task-by-task.

[Copilot]

This plan doc contains assistant-specific instructions (“For Claude…Use superpowers…”). If these files are intended for general engineering handoff, consider removing or relocating the AI runbook content to AGENTS.md so the plan remains tool-agnostic and easier to maintain.

Suggested change

> **For Claude:** REQUIRED SUB-SKILL: Use superpowers:executing-plans to implement this plan task-by-task.

[Copilot]

This plan doc includes assistant-specific directions (“For Claude…Use superpowers…”). If the intent is a reusable engineering plan, consider removing those lines or moving them into an AI-specific runbook (e.g., AGENTS.md) to avoid confusing non-AI readers.

[Copilot]

Pull request overview

Copilot reviewed 36 out of 37 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

metaBackupCurrentMeta() is never executed because the call is wrapped in #if 0 inside metaForceRepair(). This makes the external backup feature effectively disabled and will also break the E2E expectation that a backup directory is created during meta force repair. Please remove the compile-time guard (or gate it on dmRepairHasBackupPath() / repair mode) so backups are actually produced in repair runs.

Suggested change

	#if 0
	code = metaBackupCurrentMeta(pVnode);
	if (code != 0) {
	metaError("vgId:%d failed to back up current meta, reason:%s", TD_VID(pVnode), tstrerror(code));
	return code;
	}
	#endif
	if (dmRepairHasBackupPath()) {
	code = metaBackupCurrentMeta(pVnode);
	if (code != 0) {
	metaError("vgId:%d failed to back up current meta, reason:%s", TD_VID(pVnode), tstrerror(code));
	return code;
	}
	}

[Copilot]

tsTsdbRepairDoneVnodeId is a process-global mutable buffer used to track which vnodes have been repaired. Vnodes are opened concurrently (see vmOpenVnodes() spawning threads in source/dnode/mgmt/mgmt_vnode/src/vmInt.c), so reads/writes to this global (via tsdbShouldForceRepair() / tsdbMarkForceRepairDone()) can race and corrupt the CSV or cause missed/duplicate repairs. Please make this tracking thread-safe (e.g., a mutex-protected hash/set keyed by vgId, or store the flag on SVnode/STsdb instance) or otherwise ensure the open path is single-threaded in repair mode.

[Copilot]

This plan document includes assistant-specific meta text ("For Claude" / "superpowers:executing-plans"). Please remove or replace with repo/tool-agnostic guidance to avoid confusion for future maintainers.

Suggested change

	> **For Claude:** REQUIRED SUB-SKILL: Use superpowers:executing-plans to implement this plan task-by-task.
	> Note: This implementation plan is intended to be executed task-by-task, either manually or by automation tooling.

[Copilot]

Pull request overview

Copilot reviewed 17 out of 18 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

tsTsdbRepairDoneVnodeId is a file-static global that is mutated by tsdbShouldForceRepair() / tsdbMarkForceRepairDone() without synchronization. Vnodes are opened concurrently (multiple threads in vmOpenVnodes), so this is a data race and can corrupt the CSV buffer or lead to repeated/partial dispatch decisions. Please make the “already repaired” state per-vnode/per-STFileSystem (or guard shared state with a mutex/atomic).

[Copilot]

walShouldDeleteCorruption() calls dmRepairNeedWalRepair(), but in this PR that symbol is only implemented in the taosd executable (dmMain.c) and in vnodeRepair.c (vnode library). The WAL unit test (walTest) links wal without those objects, so this introduces an undefined symbol at link time for test builds (and any other binary that links wal but not vnode/mgmt). Provide weak/default dmRepair implementations from a library that wal always links (e.g., common), or otherwise ensure the symbol is available wherever wal is used.

[Copilot]

This test runs taosd -r ... via _run_taosd_with_cfg() while the dnode is still running (unlike the other tests in this file which stop the dnode first). Starting a second taosd against the same config/data dir is likely to fail (port conflict / file lock / concurrent data access) and makes the test flaky. Stop tdDnodes before invoking the repair process and restart it in a finally block, consistent with test_tsdb_force_repair_dispatches_in_open_fs().

[Copilot]

Pull request overview

Copilot reviewed 18 out of 19 changed files in this pull request and generated 5 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

tsdbRepair.c currently contains incomplete/invalid C code (e.g., wrong type STFileset, empty initializer SSttBlk *pSttBlk = ;, and a placeholder call to tsdbReadFile(...) with a function signature pasted into the call). This will not compile and needs to be completed or removed (e.g., gate unfinished code behind #if 0 and enable the implemented path).

[Copilot]

tsdbForceRepairFileSetBadFiles / tsdbForceRepairFileSetDeepScanAndFix are called with the wrong argument lists here (missing pFileSet, opArr, hasChange, etc.), so this code cannot compile and also can’t apply any edits. Please fix the function calls/signatures consistently and ensure opArr is populated with the intended file operations.

[Copilot]

In tsdbForceRepair, the loop calls tsdbForceRepairFileSet(fs, pFileSet, &hasChange) but tsdbForceRepairFileSet is declared with four parameters (pFS, pFileSet, opArr, hasChange). This is a compile-time error; please pass the correct arguments and ensure the TFileOpArray opArr is properly initialized (e.g., via the project’s TARRAY2_INIT/append helpers) before using it in tsdbFSEditBegin/commit.

[Copilot]

The current tsdbForceRepair implementation doesn’t print the dispatch marker that the new pytest cases assert on (e.g., "tsdb force repair dispatch"). The only printf/marker emission is in the #if 0 block below, so the tests will fail even if this compiles. Please either re-enable the implemented dispatch/logging path or update the tests to assert on the actual output produced by the enabled repair flow.

[Copilot]

This test runs taosd -r --mode force ... without stopping the existing tdDnodes taosd instance first. Launching a second taosd process against the same data/cfg directories can fail due to locks or (worse) corrupt state. Consider stopping tdDnodes (as done in other repair tests) before invoking the repair-mode taosd, then restarting in finally.

[Copilot]

Pull request overview

Copilot reviewed 23 out of 24 changed files in this pull request and generated 1 comment.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

tsdbRepairTest is added unconditionally, but tsdbRepairTest.cpp includes/uses POSIX-only APIs (e.g. sys/syscall.h, mkstemp, SYS_close). This will fail to build on Windows. Suggest guarding the ADD_EXECUTABLE(tsdbRepairTest ...) block with IF(NOT TD_WINDOWS) (similar to tqTest) or providing a Windows-compatible implementation.

Suggested change

	ADD_EXECUTABLE(tsdbRepairTest tsdbRepairTest.cpp)
	DEP_ext_gtest(tsdbRepairTest)
	TARGET_LINK_LIBRARIES(
	tsdbRepairTest
	PUBLIC os util common vnode
	)
	TARGET_INCLUDE_DIRECTORIES(
	tsdbRepairTest
	PUBLIC "${TD_SOURCE_DIR}/include/common"
	PUBLIC "${CMAKE_CURRENT_SOURCE_DIR}/../src/inc"
	PUBLIC "${CMAKE_CURRENT_SOURCE_DIR}/../src/tsdb"
	PUBLIC "${CMAKE_CURRENT_SOURCE_DIR}/../inc"
	)
	IF(NOT TD_WINDOWS)
	ADD_EXECUTABLE(tsdbRepairTest tsdbRepairTest.cpp)
	DEP_ext_gtest(tsdbRepairTest)
	TARGET_LINK_LIBRARIES(
	tsdbRepairTest
	PUBLIC os util common vnode
	)
	TARGET_INCLUDE_DIRECTORIES(
	tsdbRepairTest
	PUBLIC "${TD_SOURCE_DIR}/include/common"
	PUBLIC "${CMAKE_CURRENT_SOURCE_DIR}/../src/inc"
	PUBLIC "${CMAKE_CURRENT_SOURCE_DIR}/../src/tsdb"
	PUBLIC "${CMAKE_CURRENT_SOURCE_DIR}/../inc"
	)
	ENDIF()

[Copilot]

Pull request overview

Copilot reviewed 27 out of 28 changed files in this pull request and generated 4 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The metaBackupCurrentMeta function is defined but the call site is wrapped in #if 0 (line 558), so it's dead code. If this is intentional for a future phase, consider adding a comment explaining when it will be enabled; otherwise remove it to avoid confusion.

Suggested change

	#if 0
	code = metaBackupCurrentMeta(pVnode);
	if (code != 0) {
	metaError("vgId:%d failed to back up current meta, reason:%s", TD_VID(pVnode), tstrerror(code));
	return code;
	}
	#endif

[Copilot]

In metaForceRepair, if metaOpenImpl or metaBegin fails, pNewMeta is leaked (it's opened but never closed on the error path). Similarly, if metaForceRepairFromUid or metaForceRepairFromRedo fails at lines 582-591, pNewMeta is not closed before returning.

[Copilot]

dmFinalizeRepairOption returns 1 (line 788) for TSDB_CODE_OPS_NOT_SUPPORT, which is an ad-hoc non-standard error code that gets propagated from dmParseArgs. This breaks the convention where the function otherwise returns TSDB_CODE_* values. The caller in mainWindows checks code != 0 and may misinterpret this as an unrelated error. Consider returning a proper TSDB_CODE_* constant instead.

Suggested change

	return 1;
	return TSDB_CODE_OPS_NOT_SUPPORT;

[Copilot]

The _prepare_stt_fixture method accepts a total_rows=4000 parameter but never uses it — the actual row count is hardcoded to 200 (two batches of 100 + 1 extra row, and row_count is returned as 200). The total_rows parameter is misleading and should either be removed or actually used.