Crash Consistency

Write Path (implemented)

LocalStore documents and implements this ordering:

  1. pre-write ceiling check

  2. stream to temp files (.seg.tmp, .meta.tmp)

  3. fsync temp files

  4. atomic rename to committed files

  5. fsync shard directory

  6. post-write ceiling check

If the post-write check fails, the committed files are deleted and ErrCeilingExceeded is returned.
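The six-step ordering above, written out as an added Go example. This is not code from edge/storage/localstore.go; WritePair, committedPairs, writeTemp and syncDir are illustrative names, and treating the ceiling as a maximum number of committed pairs is an assumption made for the example. Each step of the write path is marked in the code, and a failure in the middle leaves at most *.tmp files behind, which is exactly the state startup recovery is designed to clean up.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// ErrCeilingExceeded is the sentinel the page names for a failed ceiling check.
var ErrCeilingExceeded = errors.New("storage ceiling exceeded")

// committedPairs counts committed .seg files; treating the ceiling as a
// maximum number of committed pairs is an assumption made for this example.
func committedPairs(dir string) (int, error) {
	segs, err := filepath.Glob(filepath.Join(dir, "*.seg"))
	return len(segs), err
}

// writeTemp streams data to a temp path and fsyncs it before closing
// (steps 2 and 3), so the bytes are on disk before anything is renamed.
func writeTemp(path string, data []byte) error {
	f, err := os.OpenFile(path, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0o600)
	if err != nil {
		return err
	}
	if _, err = f.Write(data); err == nil {
		err = f.Sync()
	}
	if cerr := f.Close(); err == nil {
		err = cerr
	}
	return err
}

// syncDir fsyncs the shard directory (step 5) so the renames themselves
// survive a crash, not just the file contents.
func syncDir(dir string) error {
	d, err := os.Open(dir)
	if err != nil {
		return err
	}
	defer d.Close()
	return d.Sync()
}

// WritePair commits <id>.seg and <id>.meta into dir with the six-step
// ordering. A failure in the middle leaves at most *.tmp files behind,
// which startup recovery removes.
func WritePair(dir, id string, seg, meta []byte, ceiling int) error {
	n, err := committedPairs(dir) // step 1: pre-write ceiling check
	if err != nil {
		return err
	}
	if n+1 > ceiling {
		return ErrCeilingExceeded
	}
	segPath := filepath.Join(dir, id+".seg")
	metaPath := filepath.Join(dir, id+".meta")
	if err := writeTemp(segPath+".tmp", seg); err != nil { // steps 2-3
		return err
	}
	if err := writeTemp(metaPath+".tmp", meta); err != nil {
		return err
	}
	if err := os.Rename(segPath+".tmp", segPath); err != nil { // step 4
		return err
	}
	if err := os.Rename(metaPath+".tmp", metaPath); err != nil {
		return err
	}
	if err := syncDir(dir); err != nil { // step 5
		return err
	}
	if n, err = committedPairs(dir); err != nil { // step 6: post-write check
		return err
	}
	if n > ceiling { // overshot after all (e.g. a concurrent writer): undo this pair
		os.Remove(segPath)
		os.Remove(metaPath)
		return ErrCeilingExceeded
	}
	return nil
}

func main() {
	dir, err := os.MkdirTemp("", "shard")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	// Constructed inputs: one pair under a ceiling of 1, then one over it.
	fmt.Println(WritePair(dir, "a", []byte("segment"), []byte("meta"), 1)) // <nil>
	fmt.Println(WritePair(dir, "b", []byte("segment"), []byte("meta"), 1)) // storage ceiling exceeded
}
```

Two details matter for the crash-consistency argument. The fsync of the temp file (step 3) must happen before the rename (step 4): rename is atomic with respect to the directory entry, but on many filesystems it says nothing about whether the file's data has reached disk, so renaming first can yield a committed name pointing at empty or partial content after a crash. The directory fsync (step 5) is what makes the rename itself durable; without it the committed entry can vanish on power loss even though the data was written. The post-write check (step 6) exists because the pre-write check is not a lock: a write that passed it can still overshoot once committed, and the rollback keeps the ceiling a hard bound.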

Recovery

RunRecovery performs four passes:

  1. remove temp files

  2. remove orphan .seg (no .meta)

  3. remove orphan .meta (no .seg)

  4. index valid pairs
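The four recovery passes, as an added Go example rather than the project's own RunRecovery from edge/storage/recovery.go. seedCrashedShard is a constructed helper that lays out a shard directory the way a crash in the write path can leave it: one committed pair, a pair that crashed after its .seg was renamed but before its .meta was, and a lone .meta. Running the passes over it shows that the single complete pair is what survives, and running them a second time shows the local-only, idempotent property the page states.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// RunRecovery applies the four passes the page lists to one shard directory
// and returns the ids of the valid .seg/.meta pairs it indexed. It touches
// only dir, and a second run finds nothing left to remove.
func RunRecovery(dir string) ([]string, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	segs, metas := map[string]bool{}, map[string]bool{}
	var stale []string
	for _, e := range entries {
		n := e.Name()
		switch {
		case strings.HasSuffix(n, ".tmp"): // pass 1: partial temp artifacts
			stale = append(stale, n)
		case strings.HasSuffix(n, ".seg"):
			segs[strings.TrimSuffix(n, ".seg")] = true
		case strings.HasSuffix(n, ".meta"):
			metas[strings.TrimSuffix(n, ".meta")] = true
		}
	}
	for id := range segs { // pass 2: .seg with no .meta
		if !metas[id] {
			stale = append(stale, id+".seg")
		}
	}
	for id := range metas { // pass 3: .meta with no .seg
		if !segs[id] {
			stale = append(stale, id+".meta")
		}
	}
	for _, n := range stale { // removals happen in pass order
		if err := os.Remove(filepath.Join(dir, n)); err != nil {
			return nil, err
		}
	}
	var ids []string // pass 4: index the complete pairs
	for id := range segs {
		if metas[id] {
			ids = append(ids, id)
		}
	}
	sort.Strings(ids)
	return ids, nil
}

// seedCrashedShard builds a constructed post-crash directory; the scenarios
// in the comments are assumed, not taken from the project's tests.
func seedCrashedShard(dir string) error {
	files := map[string]string{
		"a.seg": "segment", "a.meta": "meta", // committed pair
		"c.seg": "segment", "c.meta.tmp": "partial", // crash after the first rename
		"d.meta": "meta", // crash midway through deleting a pair
	}
	for name, body := range files {
		if err := os.WriteFile(filepath.Join(dir, name), []byte(body), 0o600); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	dir, err := os.MkdirTemp("", "shard")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := seedCrashedShard(dir); err != nil {
		panic(err)
	}
	ids, err := RunRecovery(dir)
	fmt.Println(ids, err) // [a] <nil>
	ids, err = RunRecovery(dir) // idempotent: nothing left to remove
	fmt.Println(ids, err) // [a] <nil>
}
```

The order of the passes is what makes the classification simple: once temp files are gone, anything still named .seg or .meta was fully written and fsynced, so the only remaining question is whether its partner exists. The c.seg case shows why pass 1 must run first: its c.meta.tmp is removed as a partial artifact, which turns c.seg into an orphan that pass 2 then removes, rather than a half-committed pair that could be mistaken for valid data.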

Guarantees

  • Partial temp artifacts are removed by startup recovery.

  • A committed pair is represented by both .seg and .meta being present.

  • Recovery is local-only and idempotent.

Evidence

  • edge/storage/localstore.go (documented write protocol + implementation)

  • edge/storage/recovery.go (RunRecovery)

  • edge/storage/crash_test.go (partial temp/orphan recovery tests)

See Also