Correction to my earlier review:

Finding 2 (migrate swap): PR #890 touches the same swap code path in migrate.py, adding _replace_palace_dir() with retry logic. Different focus (Windows handle cleanup) but related.

Finding 3 (cli.py offset): PRs #239 and #632 both rewrite the repair code path entirely (migrate-to-fresh strategy and nuke-rebuild respectively). If either lands, the extraction loop with the offset bug no longer exists.

Hi, In migrate(), if the cross-device fallback (shutil.move) partially creates the destination directory and then fails, the rollback os.rename(stale_path, palace_path) will also fail because palace_path already exists, leaving a partial migrated palace at the target and the original only at .old.

Severity: action required | Category: reliability

How to fix: Harden rollback and cleanup

Agent prompt to fix - you can give this to your LLM of choice:

Issue description

mempalace.migrate.migrate() can leave the palace in an inconsistent state if the cross-device swap fallback (shutil.move) fails after partially creating palace_path. The rollback then tries os.rename(stale_path, palace_path) which will fail if palace_path already exists.

Issue Context

The new logic correctly avoids the “both missing” window, but needs to handle the case where shutil.move(temp_palace, palace_path) partially copies and creates palace_path before raising.

Fix Focus Areas

• mempalace/migrate.py[235-246]

What to change

• In the except Exception: rollback path:
  • If palace_path exists (directory or file), remove it first (e.g., shutil.rmtree(palace_path, ignore_errors=False) / os.remove for file), then restore stale_path into place.
  • Consider wrapping rollback in its own try/except to emit a clear recovery message that names both paths (stale_path and partially-copied palace_path).
• Optionally, use os.replace for same-filesystem renames, and distinguish cross-device errors (EXDEV) from other OSErrors to avoid masking real rename failures.

Found by Qodo code review

Pushed 659cb81 addressing both pieces of review feedback.

@qodo-ai-reviewer — rollback hardening:

• Primary swap moved to os.replace so same-filesystem is atomic
• errno.EXDEV branch gates the shutil.move fallback — any non-EXDEV OSError now surfaces instead of getting masked by a slow copy
• Rollback extracted into _restore_stale_palace which clears the partial destination before os.replace(stale, palace), and logs both paths if the restore itself fails
• Three regression tests in tests/test_migrate.py (clean rollback, partial-copy cleanup, failure-path logging)

@mvalentsev — overlap notes:

• Finding 1 vs fix: safer repair command that survives HNSW index corruption #239: agree it'll be moot if the migrate-to-fresh rewrite lands. Happy to close the repair.py hunk if a maintainer wants to prioritize fix: safer repair command that survives HNSW index corruption #239; otherwise it's a strict improvement over today's rebuild_index.
• Finding 2 vs fix: release Chroma handles before migrate swap on Windows #890: the Windows handle cleanup in _replace_palace_dir() is orthogonal to the atomicity fix here — if fix: release Chroma handles before migrate swap on Windows #890 goes in first, the rename pattern here can be dropped into it; if this goes in first, fix: release Chroma handles before migrate swap on Windows #890 slots on top without conflict.
• Finding 3 vs fix: safer repair command that survives HNSW index corruption #239/feat: repair nuke-rebuild, purge command, --version flag #632: same situation — harmless if they land, prevents data loss on the current extraction loop until they do.

Also split the parent #934 into six child issues (#1151–#1156; finding 6 withdrawn). Filed corresponding child references: #1151 / #1152 / #1153.

Question for maintainers (@bensig): bensig asked on #934 that each finding get its own PR. This PR bundles three fixes under the "crash-safety" theme in three independent files. Happy to split into three per-child-issue PRs if preferred — say the word and I'll carve this up.