RFC: Unbounded History Pagination

Date: 2026-06-09

Status: Draft. The transactions reform (§Rollout stage 1–2) is being implemented; the rest of this document is direction we may adopt incrementally, not a commitment.

In early June we shipped a hard 7-day cap on all history endpoints (MAX_HISTORICAL_QUERY_WINDOW_NS, rs/sdk/src/protocol/time_range.rs): both time bounds are required, and any range wider than 7 days is rejected with a 400. This was a deliberate hotfix lineage:

• A-3520 / PR #2168 — the order-history endpoint allowed unbounded full table scans of historical_orders (~272M rows per query) and was taking prod ClickHouse to its knees. Fix: bound the window to 7 days, and add a (timestamp_ns, user_id, order_id) projection so time-range queries prune.
• A-3521 / PR #2172 — generalized the bound to all history endpoints (fills, trades, transactions, funding-transactions), rejecting rather than silently clamping.

The cap stopped the bleeding, but on 2026-06-09 it produced its first customer-facing incident: a Flowdesk customer's withdrawals "disappeared" from the Admin UI because they were older than the UI's largest selectable window. "Show me all withdrawals for this customer" is now impossible to express against the API — by design.

Meanwhile the GUI has independently grown three client-side workarounds:

• useWindowedCursorPagination / stepWindowedQuery (gui/packages/app/util/historyWindow.ts) walks 7-day windows backwards, skipping empty windows, capped at 90 days lookback and 16 steps.
• Admin useTransactions (gui/packages/admin/src/hooks/useTransactions.ts) loops a cursor up to 20 pages within one normalized window.
• PR #2331 adds 7-day-aware filter UX ("walk back 7 days") to admin history tabs.

Every external API consumer (e.g. Flowdesk's integration, ops curl scripts) must rebuild the same loop. When a client-side loop must be reimplemented by every caller of an API, the loop belongs on the server.

The 7-day cap bounds the wrong variable. Query cost in ClickHouse is not driven by the width of the requested time range; it is driven by how many granules the query reads, which is a function of how well the query's predicates align with the table's primary key, partitioning, and skip indexes. Concretely:

• An account-scoped query over 2 years against an account-led index reads a handful of granules. Cheap, but currently rejected.
• A sparse filter (e.g. transaction_types=withdrawal for one user) over a single hot 7-day window can still read every granule in the window, run FINAL merge-on-read over all of it, plus a separate COUNT(*) ... FINAL for total_count — on every page. Expensive, but currently allowed.

The cap therefore simultaneously over- and under-protects, while exporting a window-walking loop to every client and silently hiding data in UIs that don't walk.

• Stripe, Slack, Shopify, GitHub (GraphQL): opaque keyset cursors; no hard time-range caps on list endpoints. "All transactions ever" is fine because each page is a bounded index seek + LIMIT; the unbounded range is never scanned in one query. Slack explicitly made cursors opaque "to give the server the ability to encode additional information within the cursor."
• GitHub Search API is the cautionary tale: a hard 1,000-result cap whose documented workaround is client-side date-slicing — the most-complained-about pagination design in the industry, and structurally what we shipped.
• DynamoDB normalizes the contract we need: each request reads a bounded amount (≤1 MB pre-filter) and may return zero items plus a continuation key; clients continue until the key is absent, not until a page is empty.
• Grafana Loki splits every range query into ~1-day slices server-side, executes newest-first, stops when the limit is met — and also keeps a generous hard backstop (~30 days). Split-walking and a backstop coexist.
• Elasticsearch replaced scroll with search_after + point-in-time: keyset tuple + tiebreaker, snapshot anchoring so concurrent writes don't shift pages.
• Binance is the one exchange-API precedent for hard time caps (24h on trade history) — and it pairs the cap with a fromId keyset escape hatch.

The consensus mechanism for "unbounded history without unbounded scans" is: cursor = bounded per-page work, server-side slicing for non-indexed predicates, scan budgets as the backstop.

Four commitments in the current public contract (docs/internal/overview/pagination.mdx) should be walked back:

1. The cursor is the sole, opaque carrier of position. Today the cursor format ({timestamp_ns}:{id}) is documented and transparent; clients will couple to it, foreclosing evolution (window-walking progress, snapshot anchoring). The public contract becomes: pass it back unchanged. The encoding lives in internal docs only.
2. The time range is an optional filter, subordinate to the cursor. Today the client owns a mandatory bounded range and re-sends it with every page; the cursor is position within that fixed window. This inverts: progress state (including which window the server is scanning, and the pinned "as-of" upper bound for open-ended queries) lives in the cursor.
3. Explicit completeness signaling. Responses gain complete: bool and a searched_until_ns watermark. An empty page with a next_cursor is valid — it means "scanned my budget, found nothing yet, resume here." Termination is absence of next_cursor, never an empty page. (The current docs teach the opposite invariant; this is a contract change to state before third parties couple to the wording.)
4. Counts are lower bounds or absent. total_count on cursor pages is semantically ambiguous (count of which scope?) and costs a COUNT(*) ... FINAL per page. Omit it for wide/unbounded ranges; where provided, it means "at least N."

Align the index with the dominant query. History queries are overwhelmingly "one entity, ordered by time."

• historical_orders already has the proj_ts_user projection (A-3520).
• transactions is ReplacingMergeTree, PRIMARY KEY (timestamp, account_id, sequence_number), queried with FINAL. Projections are not usable here: ClickHouse does not apply projections to SELECT ... FINAL queries (and ALTER TABLE ... ADD PROJECTION on ReplacingMergeTree requires opting into deduplicate_merge_projection_mode). The implementable alternative is a bloom_filter skip index on account_id (and user_id if we query it directly): granule pruning composes fine with FINAL. Bloom filters skip granules with zero matches, so they help sparse/cold accounts most and degrade for accounts active in every granule — acceptable, since hot accounts' rows cluster near the scan frontier anyway.
• Cursor predicate: today's form (ts < $c) OR (ts = $c AND id < $i) relies on the optimizer's OR-analysis for PK pruning. Add the redundant range conjunct — ts <= $c AND (...) — so pruning is guaranteed, not inferred. (The server-side slice bounds below add ts >= slice_start AND ts < slice_end conjuncts naturally.)
• Scan budgets as backstop: per-query max_execution_time (with timeout_overflow_mode left at throw) bounds any single slice query. max_rows_to_read / read_overflow_mode='break' is available but returns silently-truncated results with no resume position, and partial results can poison the query cache (ClickHouse #67476) — prefer slice-granular budgets (the cursor resumes at an exact window boundary) over row-granular breaks.
• Audit FINAL + per-page COUNT(*): set do_not_merge_across_partitions_select_final=1 (partitions are monthly; merges need not cross them), and stop issuing the count query for wide/unbounded ranges per model item 4.

Accept unbounded ranges; walk windows server-side. The handler chunks the requested (or open-ended) range into slices — MAX_HISTORICAL_QUERY_WINDOW_NS becomes the slice size instead of a rejection threshold — and queries slice-by-slice in sort order until the page fills or the per-request slice budget is exhausted:

The GUI's stepWindowedQuery is a working prototype of exactly this algorithm, written in the wrong tier; the reform ports it down the stack.

Cursor v2: a versioned, opaque token (base64) encoding {position: row(ts, id) | boundary(ts), as_of_end_ns, …}. Servers accept legacy {ts}:{id} cursors indefinitely (they decode to a row position with no pinned end). Pinning as_of_end_ns at first request fixes the live-drift problem historyWindow.ts currently works around with its 'live' sentinel.

Backstops, not gates: per-request slice budget + per-slice max_execution_time. A whole-ledger admin scan with no entity filter remains the one genuinely unprunable query; option: require an entity, symbol, or type filter for open-ended ranges on admin endpoints. Per-query cost protection is strictly stronger than the range cap (a 7-day window over a hot month is still a heavy query today), which also addresses the admin-vs-trading-traffic isolation concern.

• Delete the client-side walkers (historyWindow.ts windowing, admin 20-page loops, 16-step empty-window heuristics) once the server walks. Hooks become plain useInfiniteQuery with getNextPageParam: (last) => last.next_cursor.
• Time filters become optional refinement, not a required gate; "All time" returns as a legal option.
• Surface partial results honestly: when complete: false, render "Searched back to ⟨searched_until⟩ — Keep searching" (explicit button beats auto-loop for admin tools). Show "1,000+" rather than exact totals.

Rewrite docs/internal/overview/pagination.mdx (and any public derivative) to state the target model: opaque cursor, optional range, completeness signaling, lower-bound counts, empty-page-with-cursor contract. The public version must describe look-ahead and budgets behaviorally, without naming the datastore.

1. Transactions endpoints first (the incident surface): cursor v2 accepted+emitted, response gains complete/searched_until_ns, validation relaxed from "reject >7d" to "walk", per-page COUNT(*) dropped for wide ranges, bloom_filter(account_id) skip index + materialization migration.
2. Fills / trades / funding-transactions / orders follow the same shape once transactions soaks. (historical_orders already has its projection; trades is symbol-led and may want a per-account projection or index of its own.)
3. GUI simplification per above, including reverting the load-bearing parts of PR #2331's filter clamping to optional UX.
4. Docs rewrite lands with stage 1, before third parties couple to the current cursor format and termination semantics.

• Migrating every paginated endpoint to cursor v2 (limit/offset stays for small stable collections: users, risk profiles).
• Removing total_count everywhere (offset-paginated admin tables keep it).
• Removing the 7-day constant — it survives as the internal slice size and as a per-slice cost unit.
• read_overflow_mode='break' row-granular partial results (revisit if slice-granular budgets prove too coarse).

• Should open-ended admin whole-ledger queries (no entity/symbol/type filter) be allowed at all, or 400 with "add a filter or bound the range"?
• Cursor v2 envelope: include a filter hash so a cursor replayed with different filters is rejected rather than silently misinterpreted?
• Do we backport complete/searched_until_ns to the WS/SDK typed clients in the same release, or let REST lead?
• trades table: per-account access path (projection is viable there — no FINAL-blocking? trades is ReplacingMergeTree with FINAL too, so likely also bloom-filter territory).