fix(sqlite-native): delete metadata before chunk range

[NathanFlurry]

Description

Please include a summary of the changes and the related issue. Please also include relevant motivation and context.

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes.

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes

[NathanFlurry]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• fix(rivetkit): surface native sqlite kv errors to callers #4645
• fix(rivetkit): prevent sleep races during disconnect and db work #4644
• fix(rivetkit): isolate engine envoys and propagate startup failures #4643
• test(rivetkit): remove wasm sqlite-only fixtures and coverage #4642
• chore(sqlite-vfs): remove wasm sqlite packages and workspace wiring #4641
• chore(rivetkit): remove wasm sqlite runtime #4614
• fix(sqlite-native): restore native startup kv preload #4639
• fix(sqlite-native): delete metadata before chunk range #4638 👈 (View in Graphite)
• fix(sqlite-native): keep truncate cache coherent #4637
• fix(sqlite-vfs): use delete range for truncate cleanup #4636
• fix(sqlite-native): restore kv error hook #4635
• perf(sqlite-native): avoid cloning cached read chunks #4634
• perf(sqlite-native): gate kv operation labels #4633
• perf(sqlite-native): reuse read cache for partial writes #4632
• perf(sqlite-native): remove delete file existence probe #4631
• fix(sqlite-native): gate native read cache behind env var #4630
• fix(pegboard): isolate runner config dc lookup failures #4625 : 1 other dependent PR (#4626 )
• docs(pegboard): note runner config upsert split write risk #4624
• fix(pegboard): unpack global runner config keys correctly #4623
• fix(pegboard-gateway): enforce tunnel message state #4622
• fix(pegboard-runner): clear terminal tunnel routes #4621
• fix(pegboard): skip protocol version keys in runner pool backfill #4620
• fix(pegboard): create missing normal runner configs #4619
• fix(epoxy): reuse cached optimistic value #4618
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[claude]

PR Review: fix(sqlite-native): delete metadata before chunk range

What the Change Does

The delete_file function in the native Rust SQLite VFS swaps the order of two KV deletion operations.

Before: chunks deleted first, metadata deleted second
After: metadata deleted first, chunks deleted second

---

Correctness: The Fix is Sound

This is a genuine crash-safety improvement. The two KV operations are not atomic, so failure/crash ordering matters.

Old order (chunks first, metadata second): If the process crashes after kv_delete_range succeeds but before kv_delete(meta_key) completes, the metadata entry survives pointing to zero chunks. On the next xOpen or xAccess, the VFS sees a valid file that has no data. This is silent corruption.

New order (metadata first, chunks second): If the process crashes after deleting metadata but before the range delete finishes, orphaned chunk data is left behind. Since no metadata key points to those chunks, xOpen and xAccess treat the file as nonexistent. Orphaned chunks waste KV storage but do not corrupt reads. This is the correct, safer failure mode.

---

Issues Found

Required: WASM VFS Parity Violation

CLAUDE.md mandates the native Rust VFS and the WASM TypeScript VFS must match 1:1, and when changing any VFS behavior in one implementation, update the other.

The WASM counterpart in packages/sqlite-wasm/src/vfs.ts still deletes chunks before metadata, the same pattern that was just fixed in the Rust implementation. The same crash-safety fix should be applied to the WASM VFS in this PR.

Low: Missing Ordering Rationale Comment

delete_file has no comment explaining why metadata is deleted first. Future readers may view this as arbitrary ordering. A short comment would prevent regressions, e.g.: "Delete metadata first so a crash mid-delete leaves only unreachable orphan chunks rather than dangling metadata pointing to absent data."

Low: No Test Coverage

No test verifies the crash-safety property. A test confirming that a file with deleted metadata but present chunks is treated as nonexistent by xAccess/xOpen would lock in the intended behavior.

---

Summary

Category	Finding	Severity
Correctness	Fix is correct, metadata-first is the safe ordering	Good
Parity	WASM VFS still deletes chunks first, violating required 1:1 parity	Medium
Code clarity	No comment explaining ordering rationale	Low
Testing	No test for crash-safety behavior	Low