From 6e24cb07c262e8c01347041c63c91ae79040f02e Mon Sep 17 00:00:00 2001
From: arreyder <christopher.rhodes@gmail.com>
Date: Fri, 9 Jan 2026 09:35:26 -0600
Subject: [PATCH 1/2] fix(dotc1z): add fsync and size validation to prevent c1z
 corruption

Two defensive fixes to prevent corrupt c1z files from being saved:

1. Add explicit fsync on sqlite database file after Close() but before
   saveC1z() reads it for compression. On filesystems with aggressive
   caching (like ZFS with ARC), data may still be in kernel buffers.

2. Add size validation in SaveC1Z to detect truncated copies. Compares
   bytes copied to source file size and fails if they don't match. This
   catches the actual symptom we observed: truncated zstd streams missing
   the end-of-stream marker.

Root cause investigation: Production incidents showed c1z corruption where
sync succeeded and SaveC1Z logged success, but the uploaded file had a
truncated zstd stream (missing end-of-stream marker). The size validation
would catch this scenario and fail fast rather than uploading corrupt data.

Cost: ~5ms for fsync + <1ms for stat - negligible for sync operations.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 pkg/dotc1z/c1file.go              | 18 ++++++++++++++++++
 pkg/dotc1z/manager/local/local.go | 13 +++++++++++++
 2 files changed, 31 insertions(+)

diff --git a/pkg/dotc1z/c1file.go b/pkg/dotc1z/c1file.go
index 548968ce6..fc3b8bc58 100644
--- a/pkg/dotc1z/c1file.go
+++ b/pkg/dotc1z/c1file.go
@@ -276,6 +276,24 @@ func (c *C1File) CloseContext(ctx context.Context) error {
 		if c.readOnly {
 			return cleanupDbDir(c.dbFilePath, ErrReadOnly)
 		}
+
+		// CRITICAL: Ensure database file is synced to disk before reading for compression.
+		// On filesystems with aggressive caching (like ZFS with ARC), data written by
+		// sqlite during Close() may still be in kernel buffers. Without this explicit
+		// fsync, saveC1z() could read stale/incomplete data, producing a truncated
+		// zstd stream that appears valid but is missing the end-of-stream marker.
+		dbFile, err := os.OpenFile(c.dbFilePath, os.O_RDONLY, 0)
+		if err != nil {
+			return cleanupDbDir(c.dbFilePath, fmt.Errorf("open db for sync: %w", err))
+		}
+		if err := dbFile.Sync(); err != nil {
+			dbFile.Close()
+			return cleanupDbDir(c.dbFilePath, fmt.Errorf("sync db before compress: %w", err))
+		}
+		if err := dbFile.Close(); err != nil {
+			return cleanupDbDir(c.dbFilePath, fmt.Errorf("close db after sync: %w", err))
+		}
+
 		err = saveC1z(c.dbFilePath, c.outputFilePath, c.encoderConcurrency)
 		if err != nil {
 			return cleanupDbDir(c.dbFilePath, err)
diff --git a/pkg/dotc1z/manager/local/local.go b/pkg/dotc1z/manager/local/local.go
index 3f3190795..3693579e9 100644
--- a/pkg/dotc1z/manager/local/local.go
+++ b/pkg/dotc1z/manager/local/local.go
@@ -168,11 +168,24 @@ func (l *localManager) SaveC1Z(ctx context.Context) error {
 	}
 	defer dstFile.Close()
 
+	// Get source file size before copy for validation
+	srcStat, err := tmpFile.Stat()
+	if err != nil {
+		return fmt.Errorf("failed to stat source file: %w", err)
+	}
+	expectedSize := srcStat.Size()
+
 	size, err := io.Copy(dstFile, tmpFile)
 	if err != nil {
 		return err
 	}
 
+	// CRITICAL: Validate copy was complete. A truncated copy would result in
+	// a corrupt c1z file missing the zstd end-of-stream marker.
+	if size != expectedSize {
+		return fmt.Errorf("copy truncated: copied %d bytes, expected %d bytes", size, expectedSize)
+	}
+
 	// CRITICAL: Sync to ensure data is written before function returns.
 	// This is especially important on ZFS ARC where writes may be cached.
 	if err := dstFile.Sync(); err != nil {

From 670333bb302b8428cde8a903d50480857ba50a45 Mon Sep 17 00:00:00 2001
From: arreyder <christopher.rhodes@gmail.com>
Date: Fri, 9 Jan 2026 10:02:35 -0600
Subject: [PATCH 2/2] fix: use O_RDWR for fsync to fix Windows test failure

Sync() on a read-only file descriptor fails on Windows because
FlushFileBuffers requires write access. Changed from O_RDONLY to
O_RDWR so the fsync works correctly on both Linux and Windows.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 pkg/dotc1z/c1file.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/pkg/dotc1z/c1file.go b/pkg/dotc1z/c1file.go
index fc3b8bc58..0ffd2ed94 100644
--- a/pkg/dotc1z/c1file.go
+++ b/pkg/dotc1z/c1file.go
@@ -282,7 +282,8 @@ func (c *C1File) CloseContext(ctx context.Context) error {
 		// sqlite during Close() may still be in kernel buffers. Without this explicit
 		// fsync, saveC1z() could read stale/incomplete data, producing a truncated
 		// zstd stream that appears valid but is missing the end-of-stream marker.
-		dbFile, err := os.OpenFile(c.dbFilePath, os.O_RDONLY, 0)
+		// Note: O_RDWR is required because Sync() on read-only fd fails on Windows.
+		dbFile, err := os.OpenFile(c.dbFilePath, os.O_RDWR, 0)
 		if err != nil {
 			return cleanupDbDir(c.dbFilePath, fmt.Errorf("open db for sync: %w", err))
 		}