Writing App State Migrations

1. Do you even need a migration?

A migration is needed only when old serialized state can no longer be read as the new state. Borsh is positional, so:

If you're unsure, the calimero-abi diff CI lint compares the old and new state-schema.json and tells you whether the change is additive, breaking, or an unsafe identity downgrade (see §6).

A migration runs once per node, the first time each context is accessed after the upgrade, under the LazyOnAccess upgrade policy.

5. The three data categories

Which migration moves are safe depends on the field type:

Replayable: Counter and RGA are guarded

Counter::increment / decrement stamp the running node's id; RGA::insert / insert_str stamp a node-local clock. Calling them in a migration would silently fork the network — so the SDK makes them panic during a migration:

Counter::increment() is non-deterministic during a state migration: it stamps
this node's identity… Carry the counter across unchanged (`field: old.field`)
or replay with `increment_for(executor_id, …)`.

To rebuild one in a migration, carry it (c: old.c) or use the deterministic replay APIs — increment_for(id, …), decrement_for(id, …), insert_str_at_timestamp(pos, fixed_ts, s) — which take the identity/clock explicitly so every node produces the same result.

Identity-gated: carry, don't re-insert

AuthoredMap/AuthoredVector/SharedStorage record ownership as the running node's executor_id. Re-inserting their entries during a migration would stamp each node as the owner and diverge. Carry the whole collection through (entries: old.entries); the v1 owner stamps are preserved. Inside the #[app::migrate] body, carry-through is still the only rule — converting an entry to the new schema happens after the migration, owner-by-owner (below).

Identity-gated: converting entries to the new schema (owner-driven)

Carry-through preserves the v1 entries, but each keeps its v1 schema_version (a Merkle-invisible tag) until its owner re-signs it — nobody can re-sign another identity's entry. Until then the entry is served at its v1 shape via dual-read. Two paths re-stamp an entry to the binary's target:

• Organically — the owner's (or a current writer's) next ordinary signed write of that entry stamps schema_version = target and re-signs on its monotonic nonce, replicating as a normal Action::Update. A non-owner can never drive it.
• One tap — #[app::state] auto-generates a migrate_my_entries() method (a wasm export) for any state with an AuthoredMap/AuthoredVector field. One signed call sweeps every entry the caller owns that is still below target, converting each through the path above; it returns {converted, remaining} and is idempotent. Call it from the app/frontend ("migrate my data") after an upgrade; remaining == 0 means the caller's data is fully converted.

For either path to fire, the new binary must declare its schema target with #[app::state(version = N)] — the value the convert compares each entry's tag against. It defaults to 0 (inert), so a v2 binary that omits it never converts its identity-gated data. WriterSetCell/SharedStorage (group writer-set data) converts only via the organic writer-write path, never the one-tap batch (it is group data, not single-owner "my data").

You do not write migrate_my_entries — #[app::state(version = N)] generates it. All you do is declare the version; the method appears on your app and is exported for RPC:

// v2 binary. `version = 2` both sets the convert target AND generates
// `migrate_my_entries()` because the state has an AuthoredMap field.
#[app::state(version = 2, emits = for<'a> Event<'a>)]
#[derive(app::Migrate)]
#[migrate(from = NotesV1, method = migrate_v1_to_v2)]
pub struct NotesV2 {
    notes: AuthoredMap<String, LwwRegister<String>>,  // carried by the migrate
    #[migrate(new = LwwRegister::new(String::new()))]
    migration_note: LwwRegister<String>,
}
// No migrate_my_entries body anywhere — the macro emits it.

Then the owner triggers it like any other method — one signed call, no args, returning {converted, remaining}:

# after the upgrade, from the owner's node (frontend "migrate my data" button):
app_call(context_id, "migrate_my_entries", {})
  → { "converted": 2, "remaining": 0 }   # this owner's 2 stale notes converted

Loop until remaining == 0 if you want to drain everything in one sitting (a single call already converts all of the caller's currently-stale entries; a second call returns {converted: 0, remaining: 0}). It only ever touches entries the caller owns, so each user converts their own data independently.

Migration UX surfaces

Two node-level events help frontends track migration progress without polling:

AppVersionChanged event — fired once, over the context's SSE/WebSocket event stream, when the context's application version flips (i.e. a migrate/upgrade was applied). contextId rides on the outer ContextEvent envelope; the payload carries the fromVersion / toVersion semver strings (either may be null if the corresponding ApplicationMeta row was unavailable at emit time):

{
  "type": "AppVersionChanged",
  "data": {
    "fromVersion": "1.0.0",
    "toVersion": "2.0.0"
  }
}

Subscribe to context events via the node's SSE endpoint and react to this event to prompt owners to run migrate_my_entries() — this avoids bundle-skew where the frontend loads v2 assets but the context is still running v1.

authored_remaining in the migration status endpoint — tracks how many members in the cohort still have unconverted identity-gated entries:

GET /admin-api/groups/{namespace_id}/migration-status
→ { ..., "authored_remaining": 3 }   # 3 cohort members still have stale entries

authored_remaining == 0 means all members have run migrate_my_entries() or had no entries to convert. Use this to drive a "migration complete" indicator in admin UIs.

9. Shipping a migration

Migrations run only under UpgradePolicy::LazyOnAccess. Trigger the upgrade — note there is no method name to pass; the node resolves the migration from the version + edge your app's build embeds in its ABI:

upgrade_group(
    target_application = <new bundle's application id>,
    cascade            = true,   // optional: fan out across a namespace subtree
)

Per service, the node compares the state version of the bytecode the group currently runs against the target's and decides: equal → code-only swap (nothing runs); one ahead with a declared edge → run that edge's migrate; version bump with NO edge, more than one hop, or an older target → the upgrade is rejected with an actionable error instead of silently shipping new code onto old-layout state. There is no caller-supplied method at all — the declared ABI is the single source of truth.

Each node self-migrates on its next context access (logged as Executing migration → Migrated state written successfully; the extra performing lazy upgrade before execution line precedes them only on the non-cascade lazy-on-read path — under cascade: true the cascade propagator drives the migrate instead). Picking Automatic/Coordinated for a migration is rejected at emit time — only LazyOnAccess runs the migrate function.

If the app has identity-gated state (AuthoredMap/AuthoredVector), declare the new binary's schema target with #[app::state(version = N)] so the post-migrate owner-driven convert (§5) has a target to compare against.

9.1 The policy prerequisite: create groups as LazyOnAccess

Migrations run only under UpgradePolicy::LazyOnAccess; an upgrade_group whose target declares a migration is rejected at emit time under Automatic or Coordinated. The trap: if your app creates its namespace with upgradePolicy: 'Automatic' (a tempting-sounding default), every migration you ever ship to that workspace fails at the upgrade call. Either create groups as LazyOnAccess from day one, or heal before upgrading:

PATCH /admin-api/groups/:group_id   { "upgradePolicy": "LazyOnAccess" }

9.2 Bundle apps: the id never changes — the blob does

A bundle (.mpk) derives ApplicationId = hash(package, signer) — it is version-stable. v1 and v2 of the same package share one id; installing v2 overwrites the blob in place under that id. Consequences:

• Never key "is an update available / applied" off the ApplicationId changing. It won't. The version discriminator is the bytecode blob id, recorded on the group as appKey at upgrade time.
• Download ≠ apply. Installing the new bundle (registry download) flips the local node's installed version immediately — but the workspace group still targets the old bytecode until upgrade_group runs. A UI that only compares "installed version vs registry latest" reads "up to date" in the downloaded-but-never-migrated state and strands the admin. The ground truth for "has this workspace been migrated" is: group.appKey == installed_application.blob.bytecode (note: appKey is hex on the admin API, blob ids are base58 — decode before comparing).
• Single-wasm apps content-address the id per version, so the old id-comparison instinct works there — bundles are the exception that ships to real users.

9.2b The node resolves the method — callers carry nothing

Your build embeds state_version and the declared migration edges (migrations: [{method, fromVersion}]) in each service's ABI, and the node reads them at upgrade time. Updater UIs/CLIs never carry a method name; the typo/omission class of failure is structurally gone. The export name is generated (migrate_v{N-1}_to_v{N}) unless you pass method = … explicitly in the derive — explicit names remain supported and resolve identically.

9.2c Multi-service bundles: per-service version arithmetic

A multi-service bundle (e.g. a registry service + a data service) upgrades as one unit, but the node judges each service by its own declared state version:

• a service whose version is unchanged is code-only by arithmetic — no wasm probing, no fake failure, nothing to declare;
• a service one version ahead with a declared edge runs its own migrate;
• a service that bumps its version without declaring an edge rejects the whole upgrade at emit time (mis-built bundle).

So each service simply declares its own truth and the release composes: "only service A changed", "only B", and "both" all work with zero coordination. One current restriction: if two services declare different explicit method names for the same release, the upgrade is rejected (the wire carries one method for pre-v2 receivers) — omit method = … or use the same name; full per-service actuation lifts this later.

9.3 Reaching every context: cascade: true

upgrade_group without cascade upgrades only the target group. If your app puts data in subgroup contexts (per-folder/per-channel child contexts), they stay on the old schema forever and the UI on top of them keeps reading v1. Pass cascade: true to fan the upgrade out across the namespace subtree as one atomic op.

9.4 What each member's node does (and when)

After the admin's upgrade_group, peers converge lazily:

1. the upgrade replicates via the group op stream; a peer's sync gate detects the pending upgrade (id change, or same-id appKey divergence for bundles) and pre-stages the new blob over BlobShare;
2. the node migrates on its next access to each context — reads count, so merely opening the app advances it; an idle node stays on v1 until then (write your UI copy accordingly: "updates next time you use it", not "updates automatically");
3. while a migration is in flight, writes are refused with upgrade in progress … writes refused until migration completes — handle this error in the frontend as a status ("workspace updating"), not a raw failure;
4. on completion the node emits the AppVersionChanged SSE event — subscribe to flip version displays live (mero.events.onAppVersionChanged).

9.5 Frontend checklist (the part nobody tests until a real user does)

• Show the installed version to every member, not just admins; pair it with honest LazyOnAccess copy.
• Detect the downloaded-but-not-applied state via the appKey-vs-blob comparison (§9.2) and keep offering the apply step — it must survive a page reload (the bundle id is stable, so the group's targetApplicationId still addresses the downloaded bytecode).
• Map the upgrade-gate write refusal (§9.4.3) to an "updating…" banner.
• Subscribe to AppVersionChanged for the completion signal.
• Browser-test the full admin flow once per release: CLI clients skip CORS, so a missing preflight method (e.g. PATCH for updateGroupSettings) surfaces only in browsers, as an opaque HTTP 0 network error.

9.6 Verifying propagation by hand

# the group's target bytecode (hex appKey) — same on every member after sync
meroctl --output-format json --node <n> namespace ls

# what's actually installed under the (stable) application id
meroctl --node <n> app ls          # check the Source/Blob columns' version

# poke a context to trigger the lazy migrate (reads count)
meroctl --node <n> call <any_read_method> --context <ctx_id>

appKey equal everywhere + each node's installed blob matching it + the call returning post-migration data = the migration has fully landed.

9.7 Multiple versions on one node

A context executes the bytecode its own group points at — not whatever was downloaded last. Installing a newer bundle never changes what existing workspaces run: each migrates when its own admin upgrades it. Consequences you can rely on:

• two workspaces on one node can run different versions of the same app indefinitely;
• createNamespace accepts an optional appKey to pin a new workspace to any installed version (default: latest);
• the admin API lists every retained version of a package (GET /admin-api/applications/:id/versions) and namespace DTOs carry a per-workspace appVersion — display that, never the shared installed version.

9.8 Catching up several versions behind

A context behind its group by more than one version catches up by replaying the group's recorded upgrade ladder hop by hop — each hop runs in that release's own bytecode, not the latest. The node fetches each rung's blob from peers as needed and runs that version's own migrate. Because every member runs the same frozen bytes for a given hop, the result is identical across the group by construction (no cross-node divergence). A single access on a stale context walks all pending hops in order and lands on the current version; nothing is run eagerly.

An admin can also move a group several versions in one action: the upgrade plans a rung per intermediate state version (a release that doesn't change state adds no rung) from the versions installed on the node, and the group advances rung by rung.

9.9 Support window and recovering a stranded member

The versions whose blobs remain obtainable (from peers or the registry) define which upgrades chain directly. A member below that window — an intermediate blob is gone everywhere, or it was offline across several releases and never fetched one — is detected, not silently wedged: it stays on its current real version and reports failed with no_migration_path in the migration rollup. It never runs a later hop's migrate against older state.

Two recoveries, both operator-initiated:

• Stepwise reinstall — install an intermediate version from the registry. Any installed version can be an upgrade target (§9.7), so the gap becomes a single hop and the next access finishes the chain.
• Resync — POST /admin-api/contexts/{id}/resync adopts an up-to-date peer's state wholesale (a full-state snapshot), bypassing replay. This is destructive: any local edits the context hasn't broadcast are discarded, so it refuses with the local-head count unless you pass {"force": true}. After it completes the member is back at the current version. (The 37-stranded-resync merobox workflow exercises exactly this path end to end.)

A self-heal needs no action: if the missing blob simply arrives later, the next access resolves the hop, migrates, and clears the failed marker.