feat(cli): add backfill-repo-axis migration command (#23 follow-up) #37

Merged: pureliture merged 2 commits into main from claude/repo-axis-backfill-cli on Jun 19, 2026

@pureliture

What

Add a security-scanner backfill-repo-axis CLI command to run the repo-axis
GSI1 backfill from #23 against the configured DynamoDB-compatible endpoint
(local Dynalite / amazon/dynamodb-local).

Follow-up to #23 (merged in #34): #23 shipped the backfill mechanics
(repo_axis_migration.backfill_repo_axis); this exposes them as an operator
command so the migration can actually be run on the runtime host.

Why

After #23, rows written before the change still live on the unsharded
REPO#<repo> GSI1 partition. An operator needs a one-shot, observable way to
migrate them (and to inventory first) without writing ad-hoc scripts.

Changes

  • cli/commands/migrate.py: new backfill-repo-axis subcommand.
    • --dry-run: per-entity legacy inventory, no mutation.
    • apply: in-place conditional backfill, prints per-entity
      inventory/backfilled/skipped/failed/remaining + a gate: CLEAR|NOT CLEAR
      line; exit 1 if legacy rows remain or any update failed.
    • dynamodb backend only; jsonl is rejected with exit 2 before any table is
      built.
  • cli/app.py: register the command module.
  • Tests: tests/test_cli_backfill_repo_axis.py (dry-run, apply, idempotent
    re-run, backend guard) + updated test_cli.py registration-order lock.

The backfill mutates only existing items' GSI key fields — never copies rows or
writes finding payload data — and is idempotent across re-runs.

Run (on the runtime host with DynamoDB-local up)

```
security-scanner backfill-repo-axis --storage-backend dynamodb --dry-run   # inventory
security-scanner backfill-repo-axis --storage-backend dynamodb             # apply
```

Test

  • uv run pytest — full suite green (626 passed)
  • New files lint-clean under ruff (E,F,I,UP); advisory/ruff is non-blocking.

Related to #23.

Add `security-scanner backfill-repo-axis` to run the repo-axis GSI1 backfill
(issue #23) against the configured DynamoDB-compatible endpoint:

- `--dry-run`: per-entity legacy inventory, no mutation
- apply: in-place conditional backfill, per-entity
  inventory/backfilled/skipped/failed/remaining report, and a gate status line
  (exit 1 if legacy rows remain or any update failed)
- dynamodb backend only; jsonl is rejected with exit 2 before any table build

The backfill mutates only existing items' GSI key fields (never copies rows or
writes payload data); it is idempotent across re-runs.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request introduces the backfill-repo-axis CLI subcommand to migrate legacy unsharded repository GSI1 rows to sharded partitions, along with corresponding unit tests. The feedback recommends improving CLI error handling by importing sys and directing error messages to standard error (sys.stderr) instead of standard output, updating the tests to assert on standard error, and adding a new test case to verify the failure path when the backfill operation fails.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread src/security_scanner/cli/commands/migrate.py
Comment thread src/security_scanner/cli/commands/migrate.py
Comment thread tests/test_cli_backfill_repo_axis.py Outdated
Comment thread tests/test_cli_backfill_repo_axis.py
Address PR #37 review (gemini-code-assist):
- route the non-dynamodb backend rejection message to sys.stderr so diagnostics
  don't mix with stdout when piping/redirecting
- assert the rejection on stderr in the backend-guard test
- add a test for the backfill failure path (update_item raises -> exit 1,
  "gate: NOT CLEAR")

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@pureliture pureliture merged commit 6e799e0 into main Jun 19, 2026
9 checks passed
@pureliture pureliture deleted the claude/repo-axis-backfill-cli branch June 19, 2026 00:54
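
A minimal model of the in-place conditional backfill and exit-code gate described in this PR, added here as an illustration and not the project's `repo_axis_migration` code: each update succeeds only if the GSI key still holds the legacy value that was read, which is what makes re-runs idempotent and keeps a concurrent write from being overwritten. Assumptions: the attribute names `pk`/`GSI1PK`, the `REPOSHARD#<n>#<repo>` layout, the shard count, the meaning given to `skipped`, and the in-memory `FakeTable` are all hypothetical.

```python
import hashlib

LEGACY, SHARDS = "REPO#", 4  # prefix is from the PR text; shard count is assumed
# Constructed sample rows; attribute names are assumptions.
ROWS = [{"pk": "F#1", "GSI1PK": "REPO#acme/api", "payload": "x"},
        {"pk": "F#2", "GSI1PK": "REPO#acme/web", "payload": "y"}]

class ConditionFailed(Exception):
    """Stand-in for DynamoDB's ConditionalCheckFailedException."""

class FakeTable:
    """Constructed in-memory table; update_gsi_key models a conditional UpdateItem."""
    def __init__(self, items, fail_on=()):
        self.items = {i["pk"]: dict(i) for i in items}
        self.fail_on = set(fail_on)  # keys whose update raises, to test failures

    def update_gsi_key(self, pk, expected, new):
        if pk in self.fail_on:
            raise RuntimeError("simulated backend error")
        if self.items[pk]["GSI1PK"] != expected:
            raise ConditionFailed(pk)
        self.items[pk]["GSI1PK"] = new  # key field only; payload untouched

def sharded_key(key, pk):
    # Hypothetical layout REPOSHARD#<n>#<repo>; the project's real one is not shown.
    shard = int(hashlib.sha256(pk.encode()).hexdigest(), 16) % SHARDS
    return f"REPOSHARD#{shard}#{key[len(LEGACY):]}"

def backfill(table, dry_run=False):
    report = {"inventory": 0, "backfilled": 0, "skipped": 0, "failed": 0}
    for pk, old in [(k, v["GSI1PK"]) for k, v in table.items.items()]:
        if not old.startswith(LEGACY):
            continue
        report["inventory"] += 1
        if dry_run:
            continue  # inventory only, no mutation
        try:
            table.update_gsi_key(pk, expected=old, new=sharded_key(old, pk))
            report["backfilled"] += 1
        except ConditionFailed:
            report["skipped"] += 1  # key changed under us; nothing overwritten
        except RuntimeError:
            report["failed"] += 1
    report["remaining"] = sum(v["GSI1PK"].startswith(LEGACY) for v in table.items.values())
    return report

def gate_exit_code(report):
    return 0 if report["remaining"] == 0 and report["failed"] == 0 else 1
```

`gate_exit_code` applies the PR's stated rule: exit 1 if legacy rows remain or any update failed.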