questdb · bluestreak01 · Apr 25, 2026 · Apr 23, 2026 · Apr 25, 2026 · Apr 25, 2026
diff --git a/.claude/skills/review-pr/SKILL.md b/.claude/skills/review-pr/SKILL.md
@@ -0,0 +1,210 @@
+---
+name: review-pr
+description: Review a GitHub pull request against QuestDB coding standards
+argument-hint: [PR number or URL]
+allowed-tools: Bash(gh *), Read, Grep, Glob, Agent
+---
+
+Review the pull request `$ARGUMENTS`.
+
+## Review mindset
+
+You are a senior QuestDB engineer performing a blocking code review. QuestDB is mission-critical software deployed on spacecraft — bugs can cause data loss or system failures that cannot be patched after deployment. There is zero tolerance for correctness issues, resource leaks, or undefined behavior. Be critical, thorough, and opinionated. Your job is to catch problems before they ship, not to be nice.
+
+- **Assume nothing is correct until you've verified it.** Read surrounding code to understand context — don't just look at the diff in isolation.
+- **Flag every issue you find**, no matter how small. Do not soften language or hedge. Say "this is wrong" not "this might be an issue".
+- **Do not praise the code.** Skip "looks good", "nice work", "clever approach". Focus entirely on problems and risks.
+- **Think adversarially.** For each change, ask: what inputs break this? What happens under concurrent access? What if this runs on a 10-billion-row table? What if the column is NULL? What if the partition is empty?
+- **Check what's missing**, not just what's there. Missing tests, missing error handling, missing edge cases, missing documentation for non-obvious behavior.
+- **Verify every claim.** If the PR title says "fix", verify the bug actually existed and the fix is correct. If it says "improve performance", look for benchmarks or reason about the algorithmic change — does it actually improve things, or could it regress in other cases? If it says "simplify", verify the new code is actually simpler and doesn't drop behavior. Treat the PR description as an unverified hypothesis, not a statement of fact.
+- **Read the full context of changed files** when the diff alone is ambiguous. Use Read/Grep/Glob to inspect the surrounding code, callers, and related tests.
+- **Assess reachability before reporting.** For every potential bug, trace the actual callers and inputs. If a problem
+  requires physically impossible conditions (billions of columns, corrupted JNI inputs, values that no caller can
+  produce), it is not a real finding — drop it. Focus on bugs that real workloads can trigger, not theoretical edge
+  cases that exist only in the type system.
+- **QuestDB runs with Java assertions enabled (`-ea`).** Assertions are a valid guard for invariants that indicate
+  corruption or internal bugs. Do NOT flag `assert` as insufficient — it is the preferred mechanism for conditions
+  that should never occur in a non-corrupt database. Only flag an `assert` if the condition can plausibly be triggered
+  by normal (non-corrupt) user operations.
+
+## Step 1: Gather PR context
+
+Fetch PR metadata, diff, and any review comments:
+
+```bash
+gh pr view $ARGUMENTS --json number,title,body,labels,state
+gh pr diff $ARGUMENTS
+gh pr view $ARGUMENTS --comments
+```
+
+## Step 2: PR title and description
+
+Check against CLAUDE.md conventions:
+- Title follows Conventional Commits: `type(scope): description`
+- Description repeats the verb (e.g., `fix(sql): fix ...` not `fix(sql): DECIMAL ...`)
+- Description speaks to end-user impact, not implementation internals
+- If fixing an issue, `Fixes #NNN` is at the top of the body
+- Tone is level-headed and analytical, no superlatives or bold emphasis on numbers
+- Labels match the PR scope (SQL, Performance, Core, etc.)
+
+## Step 3: Parallel review
+
+Launch the following agents in parallel. Each agent receives the full PR diff and should read surrounding source files as needed for context.
+
+**Agent 1 — Correctness & bugs:** NULL handling, edge cases, logic errors, off-by-one, operator precedence, error paths.
+
+**Agent 2 — Concurrency:** Race conditions, shared mutable state, missing volatile, lock ordering, thread-safety of data structures.
+
+**Agent 3 — Performance & allocations:** Regressions, zero-GC violations, `java.util.*` collections vs `io.questdb.std`, string creation/concatenation on hot paths, SIMD opportunities. Algorithmic complexity: for each new loop, traversal, or data structure, analyze how it scales with data size (row count, partition count, join fan-out). Flag any O(n^2) or worse patterns that could regress on large tables (1M+ rows, 1000+ partitions). Check whether new code paths are compile-time-only or data-path — compile-time allocations are acceptable, data-path allocations are not.
+
+**Agent 4 — Resource management:** Leaks on all code paths (especially errors), try-with-resources, native memory, pool management.
+
+**Agent 5 — Test review & coverage:** Coverage gaps, error path tests, NULL tests, boundary conditions, regression tests, test quality, `assertMemoryLeak()` usage.
+
+**Agent 6 — Code quality & standards:** Code smell, member ordering, naming conventions, modern Java features, dead code, third-party dependencies.
+
+**Agent 7 — PR metadata & conventions:** Title format, description quality, commit messages, labels, SQL style in tests.
+
+**Agent 8 — Rust safety (only if PR contains .rs files):** Check for any code that can panic at runtime — `unwrap()`,
+`expect()`, array indexing without bounds checks, `panic!()`, `unreachable!()`, `todo!()`, integer overflow in release
+mode, `slice::from_raw_parts` with invalid inputs. In mission-critical software a panic in Rust code called via JNI/FFI
+will abort the entire JVM process with no recovery. Every fallible operation must use `Result`/`Option` with proper
+error propagation. Flag every potential panic site.
+
+Combine all agent findings into a single deduplicated **draft** report. Do NOT present this draft to the user yet — it goes straight into verification.
+
+## Step 3b: Verify every finding against source code
+
+The parallel review agents work from the diff alone and frequently produce false positives — especially around memory ownership, polymorphic dispatch, Rust control-flow guarantees, and JNI lifecycle conventions. Every finding MUST be verified before it is reported.
+
+For each finding in the draft report:
+
+1. **Read the actual source code** at the exact lines cited. Do not rely on the agent's description alone.
+2. **Trace the full code path**: follow callers, inheritance hierarchies, and runtime types. A method called on a base-class reference may dispatch to a subclass override (e.g., `PartitionDescriptor.clear()` vs `OwnedMemoryPartitionDescriptor.clear()`).
+3. **Check both sides of JNI/FFI boundaries**: if a finding involves Java↔Rust interaction, read both the Java caller and the Rust JNI function. Verify ownership transfer, error propagation, and cleanup on both sides.
+4. **For resource leak claims**: trace every allocation to its corresponding free/close on ALL code paths (happy path,
+   error path, finally blocks). Check for polymorphic `close()`/`clear()` overrides. Before claiming a leak between
+   allocation and cleanup registration, verify that the intervening code can actually throw.
+5. **For Rust panic claims**: verify whether the panic site is actually reachable. Trace control flow backwards — a
+   preceding guard or early return may make it unreachable.
+6. **For Rust panic claims via JNI**: trace the Java caller to check whether it can actually pass parameters that
+   trigger the panic. If every caller validates inputs before the JNI call, the panic is unreachable — drop it.
+7. **For Rust numeric overflow claims**: check whether the overflow is reachable at realistic scale. QuestDB handles
+   billions to a few trillion rows, thousands of tables, and thousands of columns — not billions of columns or
+   quintillions of rows. If overflow requires values beyond that scale, drop it.
+8. **For performance claims**: check whether the cost is measurable in a realistic scenario. Downgrade to a nit if the
+   saving is negligible relative to the surrounding work. Exception: GC allocations on a hot path are always worth
+   flagging, even a single one.
+9. **Classify each finding** as:
+    - **CONFIRMED** — the bug is real and reproducible via the traced code path
+    - **FALSE POSITIVE** — the code is actually correct (explain why)
+    - **CONFIRMED with nuance** — the issue exists but is less severe than stated (explain)
+
+**Move false positives to a separate "Downgraded" section** at the end of the report. For each, give a one-line explanation of why it was dismissed. This lets the PR author verify the reasoning and catch verification mistakes.
+
+Launch verification agents in parallel where findings are independent. Each verification agent should read surrounding source files, not just the diff.
+
+## Review checklists
+
+Review the diff for:
+
+### Correctness & bugs
+- NULL handling: distinguish sentinel NULL vs actual NULL
+- Edge cases and error paths
+- SqlException positions point at the offending character, not the expression start
+- Logic errors, off-by-one, incorrect bounds, wrong operator precedence
+
+### Concurrency
+- Race conditions: unsynchronized shared mutable state, missing volatile, unsafe publication
+- Lock ordering issues that could cause deadlocks
+- Thread-safety of data structures used across threads
+
+### Performance
+- Performance regressions: changes that make hot paths slower or increase complexity
+- Unnecessary allocations on data paths (zero-GC requirement)
+- Use of `java.util.*` collections (HashMap, ArrayList, etc.) instead of QuestDB's own zero-GC collections in `io.questdb.std`
+- String creation or concatenation on hot paths (use CharSink, StringSink, or direct char[] instead)
+- Capturing lambdas on hot paths — lambdas that capture local variables or instance fields allocate a new object on every invocation. Non-capturing lambdas (static method refs, no closed-over state) are safe as the JVM caches them. Flag any capturing lambda on a data path.
+- Autoboxing on hot paths — primitive-to-wrapper conversions (`int` → `Integer`, `long` → `Long`, etc.) allocate silently. Watch for primitives passed to generic methods, stored in `java.util.*` collections, or returned from methods with wrapper return types.
+- Missing SIMD or vectorization opportunities
+- Inefficient algorithms where QuestDB already provides optimized alternatives
+- Algorithmic complexity at scale: for each new loop or traversal, what is the time complexity as a function of row count, partition count, or join fan-out? Flag O(n^2) or worse patterns. Consider: what happens with 1M outer rows? 10K partitions? 100-way fan-out per row?
+- Compile-time vs data-path distinction: allocations and O(n) scans during SQL compilation/optimization are acceptable; the same on per-row data paths are not
+
+### Code quality
+- Code smell: overly complex methods, deep nesting, unclear intent, dead code
+- No third-party Java dependencies on data paths
+
+### QuestDB coding standards
+- Class members grouped by kind (static vs instance) and visibility, sorted alphabetically
+- Boolean names use `is...` / `has...` prefix
+- Modern Java features: enhanced switch, multiline strings, pattern variables in instanceof
+
+### Resource management
+- Resources properly closed in all code paths (especially error paths)
+- try-with-resources used where applicable
+- Native memory freed correctly
+
+### SQL conventions (if tests or SQL involved)
+- Keywords in UPPERCASE
+- `expr::TYPE` cast syntax preferred over CAST()
+- Underscores in numbers >= 5 digits (e.g., 1_000_000)
+- Multiline strings for complex queries
+- No DELETE statements (suggest DROP PARTITION or soft delete)
+- Tests use `assertMemoryLeak()`, `assertQueryNoLeakCheck()`, `execute()` for DDL
+- Single INSERT for multiple rows
+
+### Enterprise permissions & ACL (if PR introduces new SQL statements or ALTER operations)
+- New ALTER TABLE operations almost always require a new enterprise permission. If the PR adds a new ALTER statement (or any new SQL statement that modifies state), flag it if there is no corresponding `SecurityContext.authorize*()` call in the execution path.
+- New features in OSS should have an enterprise counterpart that wires up ACL. Check whether the PR introduces `authorize*` methods in `SecurityContext` and whether all enterprise `SecurityContext` implementations (`EntSecurityContextBase`, `AdminSecurityContext`, `AbstractReplicaSecurityContext`, and test mocks) are updated.
+- New permissions must be registered in `Permission.java` (constant, name maps, and included in `TABLE_PERMISSIONS`/`ALL_PERMISSIONS` as appropriate).
+- The `PermissionParser` must be able to parse GRANT/REVOKE for the new permission name — especially if the name contains SQL keywords like `ON`, `TO`, or `FROM` that could conflict with parser grammar.
+- Replica security contexts must deny new write operations (`deniedOnReplica()`).
+
+### Test review
+- **Coverage gaps:** For every new or changed code path, verify a corresponding test exists. If not, flag it explicitly as "missing test for X".
+- **Error path coverage:** Are failure cases, exceptions, and edge conditions tested — not just the happy path?
+- **NULL tests:** Are NULL inputs, NULL columns, and NULL expression results tested?
+- **Boundary conditions:** Empty tables, empty partitions, single-row tables, max-value inputs, zero-length strings.
+- **Concurrency tests:** If the code touches shared state, are there tests that exercise concurrent access?
+- **Resource leak tests:** Tests must use `assertMemoryLeak()` for anything that allocates native memory.
+- **Test quality:** Are tests actually asserting the right thing? Watch for tests that pass trivially, assert on wrong values, or test implementation details instead of behavior.
+- **Regression tests:** If this PR fixes a bug, is there a test that reproduces the original bug and would fail without the fix?
+- Use Grep/Glob to find existing test files for the changed classes and verify they cover the new behavior.
+
+### Unresolved TODOs and FIXMEs
+- Scan the diff for `TODO`, `FIXME`, `HACK`, `XXX`, and `WORKAROUND` comments. For each one found:
+  - Is it a pre-existing comment that was just moved/reformatted, or newly introduced in this PR?
+  - If newly introduced: does it represent unfinished work that should block the merge, or a known limitation that is acceptable to ship? Flag any that look like deferred bugs or incomplete implementations.
+  - If the TODO references a ticket/issue number, verify the reference exists.
+
+### Commit messages
+- Plain English titles (no Conventional Commits prefix), under 50 chars
+- Full long-form body description, line breaks at 72 chars
+- Active voice, naming the acting subject
+
+## Step 4: Output
+
+Present ONLY verified findings (false positives are excluded). Structure as:
+
+### Critical
+Issues that must be fixed before merge. Each must include:
+- Exact file path and line numbers
+- Code path trace showing why the bug is real
+- Suggested fix
+
+### Moderate
+Issues worth addressing but not blocking.
+
+### Minor
+Style nits and suggestions.
+
+### Downgraded (false positives)
+Findings from the initial review that were dismissed after source code verification. For each, state:
+- The original claim (one line)
+- Why it was dismissed (one line, citing the specific code that disproves it)
+
+### Summary
+- One-line verdict: approve, request changes, or needs discussion
+- Highlight any regressions or tradeoffs
+- State how many draft findings were verified vs dropped as false positives (e.g., "8 findings verified, 4 false positives removed")