feat(self-host): frontend MDC verify-and-cache pipeline (gh-8749)

[nnshah1]

What

Frontend slice of #8749. Every metadata CheckedFile (config.json, tokenizer.json, …) flows through one resolve pipeline: derive a URI, fetch via the URI's scheme handler, blake3-verify, atomically publish to a content-addressed cache at ~/.cache/dynamo/mdc/. Builds on PR1 (#8855) which shipped the worker side.

Resolution chain

checked_file_uri per CheckedFile. Path-only slots are coerced to a synthetic file:// URL up front, then:

1. http://, https://, hf:// → use as-is.
2. file:// and the file resolves locally → use as-is.
3. file:// missing, but <--model-path>/<basename> exists → rewrite to that. Lets a frontend host a local copy when the worker's path is unreachable and source_path isn't a valid HF repo id.
4. otherwise → hf://<source_path>/<basename> (legacy).

Worker-published checksums always preserved. size: Option<u64> is an optional cap-tightener (1 GiB absolute ceiling fallback).

Cache layout

~/.cache/dynamo/mdc/
  blobs/<blake3-hex>                   # content-addressed, dedup across slugs
  by-slug/<slug>/<mdcsum>/<filename>   # symlinks → blobs

flock(LOCK_EX) per blob serializes intra/inter-process writers; multiple frontends sharing \$HOME collapse to one fetch per blake3.

Not in this PR

• Auto-cleanup-on-detach in the worker registry → PR3.
• Default-ON flip on DYN_SELF_HOST_METADATA → PR4 (capstone) along with multi-replica e2e.

Test plan

• cargo build -p dynamo-llm clean
• cargo test -p dynamo-llm --lib -- model_card common::checked_file green
• cargo clippy -p dynamo-llm --lib -- -D warnings clean
• cargo fmt --check clean
• e2e shared-mount: worker → frontend → file:// resolve → cache populated
• e2e self-host: DYN_SELF_HOST_METADATA=true worker → frontend → http resolve → cache populated
• e2e legacy HF: worker paths unreachable on frontend → hf:// synthesized → cache populated
• e2e --model-path: frontend with --model-path /local/copy overrides unreachable worker paths → cache populated

[coderabbitai]

Walkthrough

A workspace dependency on libc is added. The CheckedFile API gains a public hash() accessor and support for serializing a size field. Model card metadata resolution is refactored to implement content-addressed blob caching with flock-based locking, concurrent URI resolution (http, file, hf://), strict byte limits, and checksum verification.

Changes

Artifact Caching & Metadata Resolution

Layer / File(s)	Summary
Dependencies lib/llm/Cargo.toml	Adds libc workspace dependency for file locking and system operations.
Data Shape & API lib/llm/src/common/checked_file.rs	CheckedFile gains serializable size field. Checksum::hash() accessor exposes internal hex string for verification. Tests validate JSON wire compatibility (legacy omits size; new format preserves it).
Core Infrastructure lib/llm/src/model_card.rs (lines 197–475)	Blob staging and locking primitives: BlobLock (flock-based per-blob lock), cache path helpers, atomic stage_and_rename* with tmp-file staging, cross-platform symlink_force, size-cap constant ABSOLUTE_MAX_METADATA_BYTES. URI resolution pipeline (resolve_uri, stream_to_tmp, copy_to_tmp) fetches over http(s), file://, and hf://... with download-time checksum and byte-limit enforcement.
Integration & Refactoring lib/llm/src/model_card.rs (lines 880–986)	ModelDeploymentCard::resolve_metadata_files implements three-pass concurrent blob resolution: normalize metadata to URIs, resolve cache misses with verification, symlink blobs into per-slug cache dirs, and rewrite metadata paths. download_config replaces prior local-file and hub download logic with unified pipeline.
Tests & Fixtures lib/llm/src/model_card.rs (lines 1664–1847)	Added unit tests for checksum mismatch/oversize rejection, hf:// URI parsing, and end-to-end download_config cache flow with symlink rewriting validation.

Estimated Code Review Effort

🎯 4 (Complex) | ⏱️ ~60 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: implementing a frontend MDC (metadata) verify-and-cache pipeline.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The pull request description is detailed and comprehensive, covering the overview, technical approach, cache layout, test plan, and future work. It follows the expected structure with clear sections.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@lib/llm/src/model_card.rs`:
- Around line 205-216: The call to AsRawFd and libc::flock inside async fn
acquire (the block that creates/opens lock_path and calls unsafe {
libc::flock(f.as_raw_fd(), libc::LOCK_EX) }) is Unix-only and must be guarded;
wrap the flock-specific code in a #[cfg(unix)] so that the current
spawn_blocking closure uses AsRawFd and libc::flock only on Unix, and provide a
#[cfg(not(unix))] fallback that still opens/creates the same lock_path (e.g.,
open the file with OpenOptions) but implements a Windows-compatible lock (call
LockFileEx via winapi) or, if you intentionally accept no-op locking on
non-Unix, document that and open the file without calling flock; ensure symbols
mentioned (acquire, lock_path, AsRawFd, libc::flock,
tokio::task::spawn_blocking) are adjusted accordingly.
- Around line 937-951: The metadata HTTP client is created with
reqwest::Client::new() which has no timeouts; replace that with a configured
client via reqwest::Client::builder() and set explicit connect and overall
timeouts (e.g., std::time::Duration values) and, if you need a separate read
timeout, ensure resolve_uri uses request.timeout(...) on the RequestBuilder or
set per-request timeouts there; then pass the built client to resolve_uri
instead of Client::new(). Target symbols: replace the reqwest::Client::new()
call in download_config()/the loop, configure via
Client::builder().connect_timeout(...) and .timeout(...).build(), and ensure
resolve_uri(&client, ...) continues to receive the client with these timeouts.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: f90afcbd-440b-4d0d-a842-6b4c099ebb6c

📥 Commits

Reviewing files that changed from the base of the PR and between 297119e and a4a645a.

⛔ Files ignored due to path filters (1)

• Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (3)

• lib/llm/Cargo.toml
• lib/llm/src/common/checked_file.rs
• lib/llm/src/model_card.rs

[nnshah1]

@nicolasnoble — both cross-cutting items addressed:

1. Python processor pickup: deferred to PR3/PR4 as you guessed. The TODOs at sglang_processor.py:625-633 and vllm_processor.py:763-779 (with gh-8749 tag) are the work tracker. PR2 wires up the Rust resolve+cache; PR3/PR4 swaps the Python preprocessors to read from mdc.<slot>.path()'s parent (the slug_dir) instead of running fetch_model on source_path().

2. Cache hit re-verification: switched to always-on in 6b2a342f4c. Cache hit now blake3-checks the existing blob; on mismatch we unlink and refetch. Cost is bounded (~5–30 ms per first-worker-per-MDC since the watcher dedups subsequent workers via registering_worker_sets); steady-state and rolling worker restarts dont trigger it. Closes the shared-cache poisoning, bit-rot, and our-write-path-bug windows without operator opt-in.

[nicolasnoble]

One small thing on 81b4358's commit message: the safety argument "watcher serializes via registering_worker_sets so the lock is redundant" is incomplete - download_config is also called from lib/bindings/c/src/lib.rs:1501 outside the watcher. The actual reason the removal is safe is the trio of content-addressed paths + unique tmp + verify-before-rename, where concurrent writers publish identical bytes. Worth a sentence in the commit body or a code comment near resolve_uri so future readers don't misread the guard's scope.

[grahamking]

This doesn't check the hash is correct, it only checks that it looks like a hash.

I gather that's intended, but it's confusing. Could you check the shape when you check the value also?

/// Worker-controlled wire field used as a path component downstream;

What does that mean? Is it relevant here.

[grahamking]

In here and the other places, why do you do as_os_str() before checking is_empty()? Likely can simplify.

[grahamking]

From the docs:

unlike canonicalize, this does not resolve symlinks and may succeed even if the path does not exist

You deleted the comment about symlinks, does that mean we don't have symlinks here any more? This one seems like it might break things.

[grahamking]

Nit: Normal practice is to import the model, so this should be just env::var(...

[grahamking]

Could you use the tempfile crate instead? We already have that.

[grahamking]

tempfile provides this

[grahamking]

Why do you have an async and a sync version? Are they both used?

[grahamking]

What do you use this for? I thought you streamed to tmp and then rename?

[grahamking]

Could you do another pass and push your agent to simplify? This feels like you accept it's first draft, both in the tests and in the complex temp/rename/copy setup.