rdbms-playground/docs/plans/20260526-adr-0035-composite-unique-drop-f1f2f3.md

Plan — ADR-0035 Phase-4 /runda follow-ups F1 / F2 / F3 (2026-05-26)

Bundle of the three error-message / capability follow-ups surfaced by the whole-Phase-4 /runda (handoff-42 §3). All three live on the safe composite-UNIQUE edge (dropping a UNIQUE-covered column is correctly refused today — no corruption); the work improves messaging and adds a way to drop the constraint itself.

Phase 1 — requirements

• F1 — friendly refusal for dropping a composite-UNIQUE column. do_drop_column's covering-index guard reads read_table_indexes, which filters to origin='c' (explicit CREATE INDEX) and excludes the UNIQUE-constraint auto-index (origin='u'). So drop column c when unique (b, c) spans c skips the guard, reaches the engine, and is refused with an unhelpful generic message. Add an up-front guard detecting the column in schema.unique_constraints (composite only — read_unique_constraints routes single-column UNIQUEs to the column flag, multi-column to unique_constraints), refusing with the constraint's derived name (F3) + the drop command. Behaviour stays "refused"; only the message improves. Message-only — no --cascade extension (the SQL drop-column has no --cascade spelling; dropping a constraint via cascade is a larger semantic change, out of scope unless the user asks).

• F2 — literal {table} leak in contextless friendly_message(). Verbosity defaults to Verbose, so friendly_message() (which uses TranslateContext::default(), no table) renders the generic hint "…current state of {table}." with the literal placeholder via ctx_table()'s "{table}" fallback. Hits every contextless friendly_message() callsite whose error lands in the generic bucket: replay, undo, rebuild-from-text, export. Fix: a tableless generic-hint variant selected when ctx.table is None. Broader finding (DA): the same {name}-marker fallbacks leak in other templates (e.g. a replayed UNIQUE violation → error.unique.*) when reached contextless. The documented F2 is the generic case; the broader leak is surfaced for the user to scope, not silently expanded/narrowed.

• F3 — a way to drop an anonymous composite UNIQUE (user-raised). By design (§4a.2/§4g) a composite UNIQUE(a,b) is anonymous — PRAGMA-detected, a bare column-list, no name — so DROP CONSTRAINT <name> can't target it and recreating the table is the only escape. Add a way to drop it. (Amends ADR-0035 — see Amendment 1.)

Baseline: cargo test → 1917 pass / 0 fail / 0 skip / 1 ignored doctest; cargo clippy --all-targets -- -D warnings clean.

Phase 2/3 — F3 design (the genuine fork; user-decided)

Composite UNIQUE has no name. Options considered:

• A — name composite UNIQUEs (user-supplied): reverse the §4g anonymity decision; needs a new __rdbms_* table + YAML round-trip + rebuild-arrival migration (the cost §4a.3 deliberately avoided). Most SQL-standard, largest.
• B — positional drop by column-list (drop … unique (cols)): preserves anonymity, no metadata, but needs a new grammar form.
• C — auto-assigned, engine-neutral derived name (chosen). The name is a deterministic function of the columns (unique_<cols>), recomputed live wherever shown or matched. Storage stays a bare column-list (anonymity preserved); the name is purely a presentation/addressing label. Reuses the existing DROP CONSTRAINT <name> grammar — no new syntax at all. Zero metadata, zero migration, round-trips for free. Tracks column renames.

User decisions (2026-05-26): approach C / derived (no storage); name format unique_<cols>; doc vehicle amend ADR-0035; scope advanced-SQL only (matching the 4g ADD form — no simple-mode verb).

DA critique (written down)

1. Ambiguous derived names (e.g. a column literally named b_c vs UNIQUE (b, c)): drop-by-name must detect ambiguity and refuse, never guess. In scope.
2. Collision with a user-named CHECK/FK of the same string: the do_drop_constraint_by_name order is CHECK → FK → UNIQUE, so a CHECK/FK shadows a derived UNIQUE name. Acceptable given the distinctive unique_ prefix; document the order.
3. F1 --cascade: not extended to drop a covering UNIQUE (constraint, not index). Refuse-only. Flagged.
4. F2 breadth: the leak is broader than error.generic.hint. Fix the documented generic case; surface the broader leak. Flagged.
5. Single-column UNIQUE column drop: a parallel gap (a single-column UNIQUE column drop also reaches the engine with a poor message) exists but is outside the documented F1 scope (different mechanism — ADR-0029 column-level drop constraint). Noted, not fixed here.

Phase 4 — execution (order: F3 → F1 → F2)

1. F3. unique_constraint_name(cols) -> "unique_<cols>" helper (db.rs, pub(crate)). Extend do_drop_constraint_by_name with a third step: match each composite UNIQUE's derived name; >1 match → refuse (ambiguous); 1 match → rebuild_table with that entry removed from unique_constraints (mirrors do_alter_add_unique in reverse) + do_describe_table. Annotate the describe "Table constraints:" section: unique_b_c: UNIQUE (b, c).
2. F1. Up-front guard in do_drop_column after the index-covering guard: column in any schema.unique_constraints entry → refuse with the derived name + alter table T drop constraint <name>.
3. F2. error.generic.hint_no_table catalog entry; in translate_generic, pick it when ctx.table is None.

Test-first for each (reproduce → fail → fix → pass), across the worker API (Tier-1/3) and the friendly-layer unit tests + insta snapshots.

Phase 5 — verification

Full cargo test + clippy; compare to baseline; every checklist item addressed; engine-neutral vocab held (no SQLite/STRICT/PRAGMA in new user-facing strings); ADR + README + this plan lockstep.