dds-map: subdir identity + keyset lifetime + ack metadata identity + side-maps + keysets list

[anthony-murphy]

Description

Bundles five structural changes in packages/dds/map/:

1. Subdirectory pending-op resubmit by reference identity — adds pendingEntry back-pointers on ICreateSubDirLocalOpMetadata / IDeleteSubDirLocalOpMetadata, threads them through the submit helpers, and rewrites resubmitSubDirectoryMessage to use the back-pointer instead of findLast(name && type).
2. PendingKeySet.lifetime back-pointer — adds a readonly lifetime: PendingKeyLifetime back-pointer on PendingKeySet in both mapKernel.ts and directory.ts, populates it at construction sites, and converts rollback consumers to use the back-pointer for O(1) parent lookup instead of findLastIndex over pendingData.
3. Local set/delete ack via metadata identity — replaces pendingData.findIndex(... entry.key === op.key) at the 4 local-op-ack sites with reference-identity (delete: localOpMetadata IS the PendingKeyDelete; set: uses the lifetime back-pointer from Address re-entrancy when playing ops (#3242) #2 directly).
4. pendingSubDirectoryByName side-map — adds Map<string, DoublyLinkedList<PendingSubDirectoryEntry>> next to pendingSubDirectoryData, maintained symmetrically at every mutation. Converts 10+ scan sites (findIndex/findLast/some for subdirName === name) to O(1) / O(per-name-length). New private helpers on SubDirectory: pushPendingSubDirectoryEntry, findLastPendingSubDirectoryNode, removePendingSubDirectoryEntry.
5. PendingKeyLifetime.keySets: DoublyLinkedList<PendingKeySet> — replaces the array with a doubly-linked list in both files. ACK shift() is O(1) instead of Array.shift()'s O(k); rollback pop() similarly; last-element reads use list.last!.data.

Why

• The subdir-identity change fixes a latent 0xc31 assert on same-name lifecycle cycles (delete → create → delete with the same subdirectory name), where findLast(name && type) could pair the resubmit with the wrong pending entry. Also removes two O(N) scans per resubmit.
• The lifetime back-pointer makes parent–child relationships between PendingKeyLifetime and its PendingKeySets explicit, eliminates findLastIndex scans during rollback, and lets the local-ack lookups (Sample: type-race switch to use webpack-dev-server from prague-dev-server #3) be O(1) instead of linear key scans.
• subdirectories() was O(n²) today (n entries × findLast per name). The side-map collapses those scans without changing observable behavior or insertion-order semantics. The flat pendingSubDirectoryData array is preserved to minimize blast radius; only the lookup-scans (the hot paths) become O(1).
• Array.shift() is O(k) per ack on a lifetime with k queued keySets — quadratic when draining a hot key written k times before any ack. DoublyLinkedList.shift() is O(1).

Notes

Pure structural prep — no reSubmitSquashed, no squash logic, no tests touched, no api-report changes.

[github-actions]

Hi! Thank you for opening this PR. Want me to review it?

Based on the diff (641 lines, 4 files), I've queued these reviewers:

• Correctness — logic errors, race conditions, lifecycle issues
• Security — vulnerabilities, secret exposure, injection
• API Compatibility — breaking changes, release tags, type design
• Performance — algorithmic regressions, memory leaks
• Testing — coverage gaps, hollow tests

How this works

• Adjust the reviewer set by ticking/unticking boxes above. Reviewer toggles alone don't trigger anything.

• Tick Start review below to dispatch the review fleet.

• After review finishes, tick Start review again to request another run — it auto-resets after each dispatch.

• This comment updates as new commits land; your reviewer selections are preserved.

• Start review

[anthony-murphy]

Deep Review: Subdirectory rollback ignores localOpMetadata.pendingEntry and still removes by name+type.

This PR plumbs pendingEntry through ICreateSubDirLocalOpMetadata / IDeleteSubDirLocalOpMetadata specifically to disambiguate same-name lifecycle ops, and resubmitSubDirectoryMessage now uses it — pendingSubDirectoryData.includes(localOpMetadata.pendingEntry) plus resubmission of that exact entry. Rollback here calls findLastPendingSubDirectoryNode(subdirName, "createSubDirectory" | "deleteSubDirectory") and then removePendingSubDirectoryEntry(pendingEntry, pendingNode) without ever consulting localOpMetadata.pendingEntry.

On a pending delete("x") → create("x") → delete("x") sequence, rolling back the first delete removes the last delete entry instead of the metadata's own entry — the exact same-name ambiguity the resubmit-side fix was authored to prevent, and the failure mode Abe27342 flagged on #15493 (2023-05-26, inline on directory.ts:1116). The asymmetry is logically indefensible: both rollback and resubmit must use identity, or neither does.

Fix: in both create-rollback and delete-rollback branches, locate and remove localOpMetadata.pendingEntry directly. Mirror what resubmitSubDirectoryMessage already does. At minimum, add assert(pendingNode.data === localOpMetadata.pendingEntry) before removePendingSubDirectoryEntry so the asymmetry fails loud rather than silently corrupting the pending queue. Storing the owning ListNode on pendingEntry at push time makes removal O(1) without an indexOf scan.

[anthony-murphy]

Deep Review

Reviewed commit 63b260b on 2026-05-27.

Readiness: 3/10 — GETTING STARTED

Not ready for sign-off. The structural refactor — identity back-pointers on subdir pendingEntry and on PendingKeySet.lifetime, the pendingSubDirectoryByName side-map, and the DLL-based keySets — is sound. One Tier 1 holds readiness in GETTING STARTED: subdirectory rollback still removes pending entries by findLast(name, type) while resubmitSubDirectoryMessage was pivoted to identity, re-exposing the same same-name-lifecycle ambiguity the pendingEntry back-pointer was authored to prevent. The unresolved inline thread on directory.ts:2685 (raised on the prior SHA) still applies — the affected code at lines 2637–2698 is unchanged at 63b260b.

Path to Ready

• Resolve inline threads
• Convert subdirectory rollback to identity-based removal at directory.ts ~2637–2698 (both create-rollback and delete-rollback branches): use localOpMetadata.pendingEntry directly instead of findLastPendingSubDirectoryNode(name, type), mirroring resubmitSubDirectoryMessage. At minimum add assert(pendingNode.data === localOpMetadata.pendingEntry, "…") before removePendingSubDirectoryEntry so the asymmetry fails loud.
• Add a focused mocha regression under packages/dds/map/src/test/mocha/ for the disconnected SharedDirectory delete("a") → create("a") → delete("a") cycle that rolls back the first delete and asserts the later create("a") / delete("a") entries survive. Mirror the same-key SharedMap regression in map.rollback.spec.ts:330-390.
• Add assert(pendingEntryIndex !== -1, "…") at the set-ack splice sites — mapKernel.ts:836-838 and directory.ts:2143-2145 — to match the sibling delete-ack and rollback paths.
• Update the PR description to acknowledge the two new regression tests (map.rollback.spec.ts same-key set → delete → set; reconnection.spec.ts same-subdir delete → create → delete) and the latent bugs they pin — "no tests touched" no longer fits. Also tighten the asymptotic wording: key iteration (internalIterator, getOptimisticValue, optimisticallyHas) remains effectively O(n²) until a per-key side index lands as follow-up.
• Run the SharedMap / SharedDirectory fuzz suites (directoryFuzzTests.spec.ts) and the tinylicious / odsp / odsp-df stress stages on 63b260b — Revert "Map rollback across remote ops" #25066 reverted the prior change here because stress, not unit tests, caught the regression.
• Run pnpm run policy-check:asserts and decide on 0xc05–0xc07 / 0xbf7–0xbf9 continuity: either re-mint short codes on the equivalent post-PR predicates, or document the retirement so telemetry owners can migrate.

Context for Reviewers

• This PR executes anthony-murphy's own Track op metadata locally in SharedMap #24902 review suggestion on mapKernel.ts:637 (convert pendingMapLocalOpMetadata to a linked list, pass the node as localOpMetadata) and extends the identity pattern to subdirectory metadata and PendingKeySet.lifetime. Direction is author-blessed; review judgment can focus on whether the back-pointer invariant is maintained at every mutation site.
• Abe27342 owns the same-name delete → create → delete subdirectory lifecycle bug class (0xc31), flagged on Fix eventual consistency issues in Shared Directory regarding Reconnection #15493 (directory.ts:1116, 2023-05-26) and Fix eventual consistency issues in SharedDirectory #14226 (directory.ts:632, 2023-03-21) — the exact shape of the Tier 1 failure mode and of the new reconnection.spec.ts regression test. jatgarg authored both PRs that introduced the current pendingSubDirectoryData shape; ChumpChief authored Track op metadata locally in SharedMap #24902.
• Rollback surface has revert-due-to-stress-failure history: Map rollback across remote ops (take 2) #25070 (the structures this PR rewires) is itself a redo after Revert "Map rollback across remote ops" #25066 reverted Map rollback across remote ops #24961 — stress, not unit tests, caught the bug. directory.ts is the higher-churn, higher-contention half (6-month churn 8, 12 related PRs); pending-data structures here are also young (feat(directory): Directory rollback across remote ops (Part 1 - storage ops only) #25126 Aug 2025, feat(directory): Directory rollback across remote ops (Part 2 - all ops) #25167 Sep 2025).
• Insertion-order contract for SharedDirectory.subdirectories() from Implement insertion order for directory #17816 (clarenceli-msft, 2023-11-21) is preserved analytically via post-sort by seqDataComparator — pendingSubDirectoryByName.keys() order is intermediate, not observable. Existing coverage in directory.iteration.spec.ts:203-253 pins the contract. Worth a one-line comment near pendingSubDirectoryByName for future readers.
• The processing-side findIndex(name) at directory.ts:2221/2240 (the actual 0xc31 site) is not converted by this PR — pre-existing and out of scope, but a natural follow-up surface for the same identity pattern.
• Suggested reviewers: Abe27342 (same-name lifecycle bug class), ChumpChief (Track op metadata locally in SharedMap #24902 local-metadata model), jatgarg (Fix eventual consistency issues in SharedDirectory #14226 / Fix eventual consistency issues in Shared Directory regarding Reconnection #15493), clarenceli-msft (Implement insertion order for directory #17816 insertion-order contract), scarlettjlee (Implement insertion order for directory #17816 / Rollback for Directory #10615), alexvy86 (stress-gating, Revert "Map rollback across remote ops" #25066 revert).

For human reviewer

• ChumpChief / scottn12 sign-off — both are direct authors of the structures this PR rewires (Map rollback across remote ops (take 2) #25070, feat(directory): Directory rollback across remote ops (Part 1 - storage ops only) #25126, feat(directory): Directory rollback across remote ops (Part 2 - all ops) #25167). Their judgment on whether the chosen scope (rollback set-arm + subdir resubmit only, deliberately leaving key resubmit and process* paths on their current identity guards) is the right cut for staging is the central design call.
• Abe27342 sign-off on the rollback-by-identity fix — they flagged this exact bug class in Fix eventual consistency issues in Shared Directory regarding Reconnection #15493. Their sign-off on the inline-thread fix and the new regression test is the strongest correctness signal.
• alexvy86 stress-test gating — historical evidence (Revert "Map rollback across remote ops" #25066 revert) is that this surface fails in stress, not in unit tests. Verify the stress pipeline is clean on 63b260b before merge.
• clarenceli-msft on insertion-order — the post-sort path preserves the contract analytically; a quick confirm from the Implement insertion order for directory #17816 author would close the question durably.
• Scope alignment with the upcoming DDS-wide squash PR — the description identifies this as prep work. Whether the chosen scope genuinely reduces that follow-up's churn (vs. having to revisit these same call sites for keys, for the pendingStorageByKey index, and for the flat-array → DLL conversion) is an owner judgment.
• Storage-side pendingStorageByKey index — independent design reasoning reached for a symmetric storage side-map. Whether it lands here, in a near-term follow-up, or stays deferred until the squash refactor is a design-taste call.

Review history (3 prior reviews)

• 56348dc 2026-05-27 · 4/10 — rollback-by-identity asymmetry persists as Tier 1
• 2e1932d 2026-05-27 · 4/10 — structural refactor sound; rollback-by-identity asymmetry preserved as Tier 1
• 0b901c9 2026-05-27 · 3/10 — structural refactor sound; missing regression test for the named 0xc31 lifecycle fix