Lab #355: Partitioned index for S3/GCS datastores (Phase 3)

Problem

S3/GCS datastore extensions use a monolithic .datastore-index.json that tracks every file in the bucket. This creates two problems:

Push serialization. Per-model push acquires a global lock because concurrent writes to the same index file would clobber each other. Two people running model methods on different models serialize their pushes even though their data doesn't overlap.
Pull scope. pullChanged fetches the entire index and walks all entries even when only one model is locked. With Phase 1's scope parameter now available in the framework, pull could be scoped — but the monolithic index means you still pay to fetch and parse the whole thing.

Phase 1 (issue #350, shipped) added scope and capabilities() to the domain contracts. Phase 2 (issue #354, shipped) added per-path dirty tracking so push only uploads changed files. Phase 3 completes the picture: partition the index so S3/GCS can declare scopedSync: true and unlock concurrent per-model push without the global lock.

Proposed Solution

Replace the monolithic .datastore-index.json with a two-level structure:

Manifest + per-model sub-indexes

.datastore-index.json          → manifest (lightweight, lists sub-indexes)
.datastore-index/
  data/aws-ec2/i-abc123.json   → sub-index for one model
  data/aws-ec2/i-def456.json   → sub-index for another model
  outputs.json                 → sub-index for outputs subdirectory
  workflow-runs.json           → sub-index for workflow runs
  ...

The manifest is a small JSON file listing sub-index keys and their ETags/generations. A scoped pull only fetches the manifest + the relevant sub-index. A scoped push only writes the relevant sub-index and updates the manifest entry.

Each sub-index has the same structure as today's index entries for files under that prefix — keys, sizes, lastModified, localMtime.

Scoped operations

pushChanged({ scope: "data/aws-ec2/i-abc123/" }) — only walks/uploads files under that prefix, writes only that sub-index, updates the manifest entry. No global lock needed because sub-indexes don't overlap.
pullChanged({ scope: "data/aws-ec2/i-abc123/" }) — fetches manifest, then only the relevant sub-index, then only stats/downloads files in that sub-index.
Unscoped operations (structural commands) — fetch manifest + all sub-indexes, equivalent to today's full index.

Declaring scopedSync

After the index is partitioned, both extensions add:

capabilities: () => ({ scopedSync: true }),

This tells the framework to use per-model locks only (no global lock) for per-model push, and to pass scope to pull/push.

Migration and backward compatibility

This is the highest-risk phase. Migration must be safe:

Old format detection. On first push from a new extension version, detect the monolithic .datastore-index.json, read it, split entries by prefix into sub-indexes, write the manifest + sub-indexes, and delete the old file.
Compatibility shim. During a transition period (one release cycle), also write a monolithic .datastore-index.json as a read-only shim so older swamp versions can still pull. The shim is rebuilt from sub-indexes on each push. Remove the shim after one release cycle.
Idempotent migration. A crash mid-migration must be resumable. The manifest is the source of truth — if it exists, the migration completed. If the old monolithic file exists without a manifest, migration hasn't run yet. If both exist, the shim is active.
Discovery fallback. The existing discoverIndexFromBucket fallback (lists bucket, builds index from listing) still works as the last-resort recovery — if both manifest and monolithic index are somehow lost, discovery rebuilds from bucket contents.

Risk factors

Mixed-version teams. User A on new swamp (partitioned) and user B on old swamp (monolithic). The compatibility shim handles this — user B reads the shim. But user B's push writes a monolithic index that the new format won't expect. The migration code must handle this gracefully (re-split on next push from a new version).
Manifest as coordination point. The manifest replaces the monolithic index as the thing that must be atomically updated. Concurrent manifest writes from two different scoped pushes could still race. Options: use conditional writes (S3 If-Match, GCS ifGenerationMatch), or accept last-writer-wins on the manifest since each push only updates its own entry.
Sub-index count. A repo with 500 models means 500+ sub-index files. The manifest avoids needing to list them, but storage cost and cleanup (orphaned sub-indexes after model deletion) need consideration.

Files to change

In systeminit/swamp-extensions:

datastore/s3/extensions/datastores/_lib/s3_cache_sync.ts — index read/write, manifest management, migration, scoped pull/push
datastore/s3/extensions/datastores/s3.ts — add capabilities() to provider
datastore/gcs/extensions/datastores/_lib/gcs_cache_sync.ts — same changes, mirrored
datastore/gcs/extensions/datastores/gcs.ts — add capabilities() to provider
Test files for both extensions

Validation

Migration test: create monolithic index, run new code, verify split + manifest created
Migration test: crash mid-split, rerun, verify idempotent completion
Compatibility test: old swamp reads the shim after new swamp writes partitioned index
Compatibility test: old swamp writes monolithic, new swamp re-splits on next push
Scoped push test: two models push concurrently, verify both sub-indexes correct and no data loss
Scoped pull test: pull with scope only downloads the relevant sub-index entries
Cold-start test: empty bucket, verify discovery still works with new format
GC test: deleted model's sub-index is cleaned up

Context

This is Phase 3 of the scoped sync plan documented in design/datastores.md. Depends on Phase 1 (#350, shipped) for scope/capabilities contracts and Phase 2 (#354, shipped) for per-path dirty tracking. After this phase, S3/GCS users get concurrent per-model push — the main goal of the entire initiative.

After this ships, open an issue on https://github.com/keeb/swamp-mongodb-datastore for keeb to add capabilities: () => ({ scopedSync: true }) to their provider — their extension already supports scoped sync natively.

Upgrade TUI graphics — better AI-generated ANSI or a Moebius hand-authored pipeline

Add assertVaultAnnotationExportConformance to @systeminit/swamp-testing

Add VaultAnnotationProvider conformance helpers to @systeminit/swamp-testing

Vault annotations: --note/--notes flag inconsistency and UX improvements

Docs: document VaultAnnotationProvider interface and extension opt-in pattern

Add VaultAnnotationProvider support to @swamp/1password

Add VaultAnnotationProvider support to @swamp/azure-kv

Add VaultAnnotationProvider support to @swamp/aws-sm

Harness detection invents env vars for kiro/opencode/codex

Annotating vault items should be a first-class swamp operation

workflow direct-execution inputs.* persist as globalArguments on auto-definitions and freeze on first run

workflow-scope report's dataRepository.getContent returns null for data written in the same workflow run

swamp-report skill references nonexistent `swamp model report` command

@swamp/digitalocean — add domain-records model for /v2/domains/{domain_name}/records

Docs: update extension scoring documentation for dependency-trust rubric factor

Warn when a ${{ }} secret expression is single-quoted in a command/shell run: script

Workflow validation should resolve modelType for direct-execution steps

dbcluster state schema is missing DBClusterMembers (writer/reader, instance class)

Add a list/discover method to dbcluster for enumerating clusters in a region

Add dependency-trust rubric factor to server-side scorer (RUBRIC_VERSION 3)

cloudidentity API calls fail with 'requires a quota project' — bundle doesn't send x-goog-user-project header

Improve idempotency match field heuristic for auto-generated name resources (tagKeys, tagValues)

@swamp/gcp/cloudresourcemanager/folders: create method has 5 blocking bugs (missing parent in body, LRO detection, post-LRO state, idempotency, projectId requirement)

Add IAM policy management (setIamPolicy/getIamPolicy) on cloudresourcemanager resources; add custom-role CRUD to @swamp/gcp/iam

@swamp/ssh exec method fails with 'ctx.createCelEnvironment is not a function'

Extension decision order should prefer @swamp/community extensions over local types

Make wheelshop-style dependency trust-gating a core swamp feature

swamp repo <unknown-subcommand> silently inits a nested repo (e.g. `swamp repo update`)

Extension METHODS table truncates Method column; short names like apply/check wrap mid-word on /extensions/@swamp/ssh

swamp extension rm leaves empty <kind>-bundles/<hash>/ dirs behind

Pre-flight checks cannot access method arguments (check context omits methodArgs/unresolvedMethodArgs)

swamp audit record --from-hook creates a stray .swamp datastore in the process cwd instead of resolving the repo root

extension push publishes model files ending in _test.ts that no consumer can load

Docs: document --extensions-dir / SWAMP_EXTENSIONS_DIR for worktree workflows

No user feedback when model method run is waiting for lock acquisition

issue-lifecycle: thank external contributors when issues are resolved

Add swamp extension prune to clean up stale catalog entries

identity_map row not updated when user renames

`swamp extension rm` leaves empty scaffold dirs behind

Many CLI commands acquire global .datastore.lock unnecessarily, causing 60s LockTimeoutError under any concurrent writer

swamp CLI commands fail silently or hang when invoked from git worktrees via SWAMP_REPO_DIR

Datastore: lazy hydration for fast cold-start on first clone

S3 datastore: dirty sidecar, partitioned index, content hashing, and scoped sync

Datastore sync: add SyncContext and SyncCapabilities framework contracts

Terminal rendering breaks at large font sizes

Expose cel-js Environment to extensions for custom CEL evaluation

Add list/search as a factory method that produces many data artifacts (Drive files.list, gmail messages.list, etc.)

files.get returns only minimal fields (id, name, kind, mimeType) because no 'fields' query parameter is sent

ADC path uses wrong gcloud token store: 'gcloud auth print-access-token' instead of 'gcloud auth application-default print-access-token'

Docs: update doctor reference and autoupdate how-to for new doctor install subcommand

createModelTestContext: storedResources not used by readResource; readResource always returns null

swamp-vault skill documents 'swamp vault read' but correct subcommand is 'read-secret'

Add a manual_approval (pause) task type to workflow steps

Autoupdate silently fails when swamp is installed system-wide via the official install.sh

Missing 'parent' field in GlobalArgsSchema for several @swamp/gcp/* models causes get to fail

bucket-policy GlobalArgsSchema requires Bucket and PolicyDocument, blocking workflow-YAML direct execution of get

Report execute throws are advisory: workflow marked succeeded, exit 0, AND report output is discarded

dataRepository.getContent rejects string type in production but docs and testing helper demonstrate strings

bucket-policy StateSchema.PolicyDocument declared z.string() but CloudControl returns it as a parsed object

Unified login input that detects email vs username by presence of '@'

Introduce `swampd`: long-running local daemon for shared cache, secrets, and extensions

workflow validate: false "Missing required inputs" when method args are set in the model definition

CEL and vault expressions not evaluated inside nested globalArguments fields

@swamp/digitalocean: 30 of 33 model types fail with version mismatch error

Add first-class Kilo Code tool support

Partitioned index for S3/GCS datastores (Phase 3)

Per-path dirty tracking in S3/GCS datastore extensions (Phase 2)

Docs: update doctor extensions JSON reference to include warnings[] field

Doctor kind-completed events should carry correct per-registry status

Surface type-extraction failures in doctor JSON output

Scoped sync and capability-gated concurrency for datastores (Phase 1)

Direct type execution fails for locally-defined extension types with pulled duplicates

Scaffold new extensions to publish-ready quality (12/12) by default

Add table width controls to swamp report get

Add a markdown output mode to `swamp report get`

Add a markdown output mode to swamp report get

swamp.club: 'Mark all read' link doesn't clear unread count on /inbox

Official @swamp/ssh extension supporting multiple SSH transport styles

W7 — unify extension failure surfaces; collapse registries.failures[] into sourceDetails[]

Surface Tombstoned transitions in doctor extensions output

Workflow-level runtime expressions (env., vault.) not resolved in driverConfig — docker driver receives literal ${{ ... }} strings