pub(crate) fn deserialize_command_for_replay(
    cmd_type: CommandType,
    command_version: u8,
    data: &[u8],
) -> Result<EngineCommand>
Deserialize a persisted engine command during restart recovery.
This intentionally has a narrower compatibility surface than live NATS. The
source-hash cutover changed DepositUpdate from BalanceCommandPayload to
DepositUpdatePayload, but existing WAL rows can still contain the old
named payload. Recovery accepts only that persisted shape and only when a
sequence exists, so live messages stay on the new deterministic source-hash
contract.
Compatibility exception audit:
- Tracking ticket: CALL-1900.
- Environment: AWS staging restart recovery after PR #2555, observed at command_id=284965 with command_data_len=73.
- Historical shape: legacy wire-version tuple (WalletAddress, Decimal amount, Decimal balance_after, u64 timestamp_ms, Option<u64> sequence).
- Hard cutover risk: staging cannot boot far enough to replay the journal and write a current snapshot while the historical WAL row is undecodable.
- Removal plan: remove the legacy tuple branch after AWS staging boots on the hotfix image, replays the row, writes a compatible snapshot, and restarts without ENGINE_SNAPSHOT_RESTORE_ALLOW_UNSAFE_REPLAY=true.
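The gating described above, as an added example that is not this crate's code: the legacy shape decodes only on the replay path and only when a sequence is present, while the live path rejects it. The type names, the `Path` enum, `legacy_row` and the byte layout are all assumptions constructed for illustration; the real payloads carry more fields and a different encoding.

```rust
// Added illustration: constructed byte layout and type names, not the crate's real wire format.
#[derive(Debug, PartialEq)]
pub enum Decoded { Current { amount: u64 }, LegacyDeposit { amount: u64, sequence: u64 } }

#[derive(Debug, PartialEq)]
pub enum DecodeError { UnknownShape, LegacyOnLivePath, LegacyWithoutSequence }

#[derive(Clone, Copy, PartialEq)]
pub enum Path { Live, Replay }

fn u64_at(d: &[u8], i: usize) -> Option<u64> {
    let mut b = [0u8; 8];
    b.copy_from_slice(d.get(i..i + 8)?);
    Some(u64::from_le_bytes(b))
}

// Assumed layout: current = [2][amount u64 LE];
// legacy = [1][amount u64 LE][0], or [1][amount u64 LE][1][sequence u64 LE].
pub fn decode(path: Path, data: &[u8]) -> Result<Decoded, DecodeError> {
    match (data.first().copied(), data.len()) {
        (Some(2), 9) => Ok(Decoded::Current { amount: u64_at(data, 1).ok_or(DecodeError::UnknownShape)? }),
        // The legacy branch is reachable only from replay; live input fails closed.
        (Some(1), _) if path == Path::Live => Err(DecodeError::LegacyOnLivePath),
        // A legacy row without a sequence is rejected even during replay.
        (Some(1), 10) if data[9] == 0 => Err(DecodeError::LegacyWithoutSequence),
        (Some(1), 18) if data[9] == 1 => Ok(Decoded::LegacyDeposit {
            amount: u64_at(data, 1).ok_or(DecodeError::UnknownShape)?,
            sequence: u64_at(data, 10).ok_or(DecodeError::UnknownShape)?,
        }),
        _ => Err(DecodeError::UnknownShape),
    }
}

// Constructed sample rows for the demo.
pub fn legacy_row(amount: u64, sequence: Option<u64>) -> Vec<u8> {
    let mut v = vec![1u8];
    v.extend_from_slice(&amount.to_le_bytes());
    match sequence {
        Some(s) => { v.push(1); v.extend_from_slice(&s.to_le_bytes()); }
        None => v.push(0),
    }
    v
}

fn main() {
    let row = legacy_row(500, Some(42));
    println!("replay: {:?}", decode(Path::Replay, &row));
    println!("live:   {:?}", decode(Path::Live, &row));
    println!("no seq: {:?}", decode(Path::Replay, &legacy_row(500, None)));
}
```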