fix: support manifests >5 GB via size-aware copy

[lixmgl]

Fixes #7197.

Summary

• object_store.copy() is called unconditionally on the staging→final manifest copy path. This routes to S3's CopyObject API, which has a ~5 GB hard cap. Manifests above this fail with EntityTooLarge — production case was a ~14 GB manifest with ProposedSize 14961429442 on _versions/...manifest.
• Add copy_size_aware: keeps the cheap server-side store.copy() for sources below the limit, falls back to read+rewrite via a multipart upload for larger sources. The required size argument lets the caller skip an extra head() round-trip.
• The 5 GiB threshold is backend-agnostic, not S3-specific: S3's CopyObject and GCS's single-shot Objects.copy both cap at ~5 GiB, so the constant is named MAX_SERVER_SIDE_COPY_BYTES. Stores without such a cap (e.g. local FS) take the read+rewrite fallback above 5 GiB too; correctness is preserved, only the rare large copy is slower.
• Also tighten MAX_UPLOAD_PART_SIZE from 5 GiB to 5 GiB - 1 so LANCE_INITIAL_UPLOAD_SIZE=5368709120 can't trigger a single PUT of exactly 5 GiB on shutdown — which S3 also rejects.

Same bug class as #6750 (multipart-aware put for txn file writes), different code path.

Test plan

New tests in rust/lance/src/io/commit/external_manifest.rs covering both the >5 GB read+rewrite fallback and the small-file fast path.

Related downstream issue: lance-format/lance-spark#529

[claude]

Claude Code Review

This pull request is from a fork — automated review is disabled. A repository maintainer can comment @claude review to run a one-time review.

[codecov]

Codecov Report

❌ Patch coverage is 80.69307% with 39 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
rust/lance/src/io/commit/external_manifest.rs	86.01%	19 Missing and 1 partial ⚠️
...ust/lance-table/src/io/commit/external_manifest.rs	64.81%	15 Missing and 4 partials ⚠️

📢 Thoughts on this report? Let us know!

[westonpace]

A few questions but nothing too worrisome. Go ahead and ping me when you're ready for another review.

[westonpace]

Is there actually a follow-up issue created? Can we specify the issue directly?

[lixmgl]

I reworded this from a "deferred to a follow-up" TODO into a plain inline NOTE rather than referencing a tracked issue.
It's a cold path (only triggers for >5 GiB manifests) and the whole read+rewrite helper is a stopgap until object_store exposes UploadPartCopy, so I didn't think a standalone tracking issue was warranted — a self-contained note explaining the tradeoff seemed more useful than an issue link that'd likely sit untouched.
Happy to file one if you'd prefer it tracked.

[westonpace]

This could maybe be optimized to allow for concurrent calls to put_part but maybe that will be addressed by the previously mentioned follow-up?

[lixmgl]

Right — left sequential for now, covered by the reworded note just above. It can be parallelized with a bounded JoinSet (mirroring object_writer.rs's LANCE_UPLOAD_CONCURRENCY) or sidestepped by switching to object_store::WriteMultipart, which handles concurrency and abort-on-drop for free. Deferred since this only runs for >5 GiB manifests and the helper itself is interim until UploadPartCopy exists.

[westonpace]

Is this limit S3-specific or common across all object stores? Should we limit the slow path to S3?

[lixmgl]

It's not actually S3-specific — GCS's single-shot Objects.copy has the same ~5 GiB limit. So rather than gate the slow path to S3, I reframed the threshold as the most-conservative server-side-copy limit across backends and renamed the constant to MAX_SERVER_SIDE_COPY_BYTES.

[lixmgl]

A few questions but nothing too worrisome. Go ahead and ping me when you're ready for another review.

Thanks @westonpace for reviewing it. Please take another look with the updates.

[westonpace]

Thanks for your help! Will merge assuming CI passes.