ai-memory 0.6.2

AI-agnostic persistent memory system — MCP server, HTTP API, and CLI for any AI platform
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422

// Copyright 2026 AlphaOne LLC
// SPDX-License-Identifier: Apache-2.0

//! W-of-N quorum-write layer for the peer-mesh sync (v0.7 track C).
//!
//! This module scaffolds the quorum-write contract described in
//! `docs/ADR-0001-quorum-replication.md`. The `QuorumWriter` sits ABOVE
//! the existing sync-daemon — deployments that don't configure
//! `--quorum-writes` keep the v0.6.0 one-way push behaviour byte-for-byte.

#![allow(dead_code)]
//!
//! ## What ships in this PR
//!
//! - `QuorumPolicy` — configuration: N peers, W quorum size, timeouts.
//! - `QuorumWriter::commit` — the atomic-from-caller contract: local
//!   write + W-1 remote acks within deadline, else
//!   `QuorumError::QuorumNotMet`.
//! - `AckTracker` — collects remote acks with a simple `Instant`
//!   deadline. Pure logic, no network — so the unit tests don't need
//!   a live sync mesh.
//! - Metrics: `replication_quorum_ack_total{result}`,
//!   `replication_quorum_failures_total{reason}`,
//!   `replication_clock_skew_seconds`.
//!
//! ## What does NOT ship in this PR
//!
//! - Wiring into the `memory_store` path — follow-up PR once the
//!   sync-daemon gains a synchronous ack channel.
//! - Real chaos harness — follow-up PR under `tests/chaos/` with
//!   three-node fixture and failure-injection hooks.
//!
//! That phasing matches the ADR's implementation plan.

use std::collections::HashSet;
use std::time::{Duration, Instant};

use serde::{Deserialize, Serialize};

/// Operator-tunable quorum policy. See ADR-0001 § Model for the
/// complete contract.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct QuorumPolicy {
    /// Total peer count — local node + remotes. Must be >= 1.
    pub n: usize,
    /// Required acks including the local commit. Clamped to `[1, n]`
    /// at construction via [`QuorumPolicy::new`].
    pub w: usize,
    /// Deadline for the remote-ack collection phase. Times out with
    /// `QuorumError::QuorumNotMet { reason: Timeout }`.
    pub ack_timeout: Duration,
    /// Warning threshold for peer clock skew. Exceeding this does not
    /// fail the quorum; it surfaces in the clock-skew histogram.
    pub clock_skew_warn: Duration,
}

impl QuorumPolicy {
    /// Construct a quorum policy. `w` is clamped to `[1, n]` and
    /// `n = 0` is rejected as invalid input.
    ///
    /// # Errors
    ///
    /// Returns `QuorumError::InvalidPolicy` if `n == 0`.
    pub fn new(
        n: usize,
        w: usize,
        ack_timeout: Duration,
        clock_skew_warn: Duration,
    ) -> Result<Self, QuorumError> {
        if n == 0 {
            return Err(QuorumError::InvalidPolicy {
                detail: "n must be >= 1".to_string(),
            });
        }
        Ok(Self {
            n,
            w: w.clamp(1, n),
            ack_timeout,
            clock_skew_warn,
        })
    }

    /// Majority-quorum convenience: `W = ceil((N+1)/2)`. Matches the
    /// ADR's default.
    ///
    /// # Errors
    ///
    /// Returns `QuorumError::InvalidPolicy` if `n == 0`.
    pub fn majority(n: usize) -> Result<Self, QuorumError> {
        let w = n.div_ceil(2).max(1);
        Self::new(n, w, Duration::from_secs(2), Duration::from_secs(30))
    }
}

/// Errors surfaced by the quorum writer. Non-exhaustive so we can add
/// variants without breaking downstream matches.
#[non_exhaustive]
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum QuorumError {
    /// The local write succeeded but we did not collect enough acks
    /// within the policy deadline.
    QuorumNotMet {
        got: usize,
        needed: usize,
        reason: QuorumFailureReason,
    },
    /// The policy itself is malformed (e.g. N = 0).
    InvalidPolicy { detail: String },
    /// The local write itself failed — caller sees the underlying cause.
    LocalWriteFailed { detail: String },
}

impl std::fmt::Display for QuorumError {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            Self::QuorumNotMet {
                got,
                needed,
                reason,
            } => write!(
                f,
                "quorum not met (got {got}, need {needed}, reason {reason:?})"
            ),
            Self::InvalidPolicy { detail } => write!(f, "invalid quorum policy: {detail}"),
            Self::LocalWriteFailed { detail } => write!(f, "local write failed: {detail}"),
        }
    }
}

impl std::error::Error for QuorumError {}

/// Reason a quorum failed — reported in metrics.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum QuorumFailureReason {
    /// No peers reachable at all (network / DNS / zero configured).
    /// Only reported after the deadline passed with zero acks.
    Unreachable,
    /// Peers reachable but fewer than `W-1` acked before deadline.
    /// Reported after the deadline passed with a partial ack set.
    Timeout,
    /// Peer ack arrived but disagreed on the memory id — replication
    /// divergence surfaced for operator investigation.
    IdDrift,
    /// Quorum is not (yet) met but the deadline has not passed.
    /// Caller should keep waiting; this is a transient
    /// "ask-for-status-while-tasks-in-flight" answer. Distinguished
    /// from `Timeout` / `Unreachable` so retry strategies don't
    /// confuse "give it more time" with "peers are gone"
    /// (#299 item 3 — classification was previously inverted).
    InFlight,
}

/// Collects remote acks against a deadline. Pure logic — no I/O.
#[derive(Debug)]
pub struct AckTracker {
    policy: QuorumPolicy,
    deadline: Instant,
    local_committed: bool,
    acks: HashSet<String>,
    id_drifts: Vec<String>,
}

impl AckTracker {
    /// Create a tracker for one quorum-write attempt. `now` is injected
    /// for deterministic tests.
    #[must_use]
    pub fn new(policy: QuorumPolicy, now: Instant) -> Self {
        let deadline = now + policy.ack_timeout;
        Self {
            policy,
            deadline,
            local_committed: false,
            acks: HashSet::new(),
            id_drifts: Vec::new(),
        }
    }

    /// Record the local commit. Call once the originating node has
    /// durably persisted the memory.
    pub fn record_local(&mut self) {
        self.local_committed = true;
    }

    /// Record a peer ack. `peer_id` is the caller's opaque identifier
    /// (typically the peer's mTLS fingerprint or agent id). Duplicate
    /// `peer_id` values are deduplicated.
    pub fn record_peer_ack(&mut self, peer_id: impl Into<String>) {
        self.acks.insert(peer_id.into());
    }

    /// Record that a peer returned success but with a memory id that
    /// differs from the local commit id. Does NOT count toward the
    /// quorum and surfaces in metrics.
    pub fn record_id_drift(&mut self, peer_id: impl Into<String>) {
        self.id_drifts.push(peer_id.into());
    }

    /// True when the quorum is met: local commit + at least `W-1`
    /// unique peer acks, and the deadline has not elapsed at `now`.
    #[must_use]
    pub fn is_quorum_met(&self, now: Instant) -> bool {
        if !self.local_committed || now > self.deadline {
            return false;
        }
        // Total acks counted = local + distinct peers.
        let total = self.acks.len() + 1;
        total >= self.policy.w
    }

    /// Finalise the attempt. Returns `Ok(count_of_distinct_acks)` if
    /// quorum met, else `Err(QuorumError::QuorumNotMet{…})`.
    ///
    /// # Errors
    ///
    /// Returns `QuorumError::QuorumNotMet` if the deadline elapsed
    /// before W acks arrived.
    pub fn finalise(&self, now: Instant) -> Result<usize, QuorumError> {
        if !self.local_committed {
            return Err(QuorumError::LocalWriteFailed {
                detail: "local commit not recorded before finalise".to_string(),
            });
        }
        let got = self.acks.len() + 1;
        if got >= self.policy.w {
            return Ok(got);
        }
        // Classification (#299 item 3 — previously collapsed the
        // pre-deadline "still waiting" case to `Timeout` which
        // misdirected caller retry logic):
        //
        //   acks.is_empty() && past deadline → Unreachable (no ack ever
        //     landed, all peers down or network partitioned).
        //   past deadline, partial acks      → Timeout (some peers
        //     responded, some did not before the deadline).
        //   pre-deadline                     → InFlight (caller is
        //     asking early; tracker isn't done waiting yet).
        //
        // `InFlight` is a distinct variant so retry strategies can tell
        // "give it more time" apart from "the peers are gone".
        let reason = if now > self.deadline {
            if self.acks.is_empty() {
                QuorumFailureReason::Unreachable
            } else {
                QuorumFailureReason::Timeout
            }
        } else {
            QuorumFailureReason::InFlight
        };
        Err(QuorumError::QuorumNotMet {
            got,
            needed: self.policy.w,
            reason,
        })
    }

    /// Count of peers that reported divergent memory ids for this write.
    /// Exposed for metrics + debugging.
    #[must_use]
    pub fn id_drift_count(&self) -> usize {
        self.id_drifts.len()
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    fn instant_base() -> Instant {
        Instant::now()
    }

    #[test]
    fn policy_rejects_zero_n() {
        let err = QuorumPolicy::new(0, 1, Duration::from_millis(500), Duration::from_secs(30))
            .unwrap_err();
        assert!(matches!(err, QuorumError::InvalidPolicy { .. }));
    }

    #[test]
    fn policy_clamps_w_to_n() {
        let p =
            QuorumPolicy::new(3, 9, Duration::from_millis(500), Duration::from_secs(30)).unwrap();
        assert_eq!(p.n, 3);
        assert_eq!(p.w, 3);
    }

    #[test]
    fn majority_default_matches_adr() {
        // N = 1 => W = 1 (ceil(2/2)); N = 3 => W = 2; N = 5 => W = 3.
        assert_eq!(QuorumPolicy::majority(1).unwrap().w, 1);
        assert_eq!(QuorumPolicy::majority(3).unwrap().w, 2);
        assert_eq!(QuorumPolicy::majority(5).unwrap().w, 3);
        assert_eq!(QuorumPolicy::majority(7).unwrap().w, 4);
    }

    #[test]
    fn quorum_met_with_local_plus_peers() {
        let policy = QuorumPolicy::majority(3).unwrap();
        let mut tracker = AckTracker::new(policy, instant_base());
        tracker.record_local();
        tracker.record_peer_ack("peer-1");
        assert!(tracker.is_quorum_met(instant_base()));
    }

    #[test]
    fn quorum_dedupes_duplicate_peer() {
        let policy =
            QuorumPolicy::new(5, 3, Duration::from_millis(500), Duration::from_secs(30)).unwrap();
        let mut tracker = AckTracker::new(policy, instant_base());
        tracker.record_local();
        tracker.record_peer_ack("peer-1");
        tracker.record_peer_ack("peer-1");
        tracker.record_peer_ack("peer-1");
        // Only counts once + local = 2, need 3.
        assert!(!tracker.is_quorum_met(instant_base()));
        tracker.record_peer_ack("peer-2");
        assert!(tracker.is_quorum_met(instant_base()));
    }

    #[test]
    fn quorum_not_met_without_local() {
        let policy = QuorumPolicy::majority(3).unwrap();
        let mut tracker = AckTracker::new(policy, instant_base());
        // Record two peer acks but no local commit — quorum fails.
        tracker.record_peer_ack("peer-1");
        tracker.record_peer_ack("peer-2");
        assert!(!tracker.is_quorum_met(instant_base()));
    }

    #[test]
    fn quorum_expired_after_deadline() {
        let policy =
            QuorumPolicy::new(3, 2, Duration::from_millis(1), Duration::from_secs(30)).unwrap();
        let t0 = instant_base();
        let mut tracker = AckTracker::new(policy, t0);
        tracker.record_local();
        let later = t0 + Duration::from_millis(50);
        // No peer acks arrived — past deadline, quorum fails.
        assert!(!tracker.is_quorum_met(later));
        let err = tracker.finalise(later).unwrap_err();
        match err {
            QuorumError::QuorumNotMet {
                got,
                needed,
                reason,
            } => {
                assert_eq!(got, 1);
                assert_eq!(needed, 2);
                assert_eq!(reason, QuorumFailureReason::Unreachable);
            }
            other => panic!("expected QuorumNotMet, got {other:?}"),
        }
    }

    #[test]
    fn quorum_finalise_reports_timeout_when_partial_acks() {
        let policy =
            QuorumPolicy::new(5, 3, Duration::from_millis(1), Duration::from_secs(30)).unwrap();
        let t0 = instant_base();
        let mut tracker = AckTracker::new(policy, t0);
        tracker.record_local();
        tracker.record_peer_ack("peer-1");
        // Two total acks (1 local + 1 peer); need 3. Past deadline,
        // so it's Timeout (peers responded but not enough).
        let err = tracker
            .finalise(t0 + Duration::from_millis(50))
            .unwrap_err();
        match err {
            QuorumError::QuorumNotMet { reason, .. } => {
                assert_eq!(reason, QuorumFailureReason::Timeout);
            }
            other => panic!("expected QuorumNotMet/Timeout, got {other:?}"),
        }
    }

    #[test]
    fn id_drift_counted_but_does_not_satisfy_quorum() {
        let policy = QuorumPolicy::majority(3).unwrap();
        let mut tracker = AckTracker::new(policy, instant_base());
        tracker.record_local();
        tracker.record_id_drift("peer-1");
        tracker.record_id_drift("peer-2");
        // id-drift acks do NOT count toward quorum, only toward metrics.
        assert_eq!(tracker.id_drift_count(), 2);
        assert!(!tracker.is_quorum_met(instant_base()));
    }

    #[test]
    fn finalise_without_local_commit_errors_local_write_failed() {
        let policy = QuorumPolicy::majority(3).unwrap();
        let tracker = AckTracker::new(policy, instant_base());
        let err = tracker.finalise(instant_base()).unwrap_err();
        assert!(matches!(err, QuorumError::LocalWriteFailed { .. }));
    }

    #[test]
    fn quorum_error_is_displayable_and_is_an_error() {
        let e = QuorumError::QuorumNotMet {
            got: 1,
            needed: 3,
            reason: QuorumFailureReason::Timeout,
        };
        let display = format!("{e}");
        assert!(display.contains("quorum not met"));
        // Ensure it participates in the `std::error::Error` ecosystem.
        let _: &dyn std::error::Error = &e;
    }

    #[test]
    fn single_node_quorum_is_trivially_met() {
        // N = W = 1 is the degenerate case — equivalent to the v0.6.0
        // behaviour. Must still work so `--quorum-writes 1` is a
        // legitimate configuration and doesn't require special cases
        // in callers.
        let policy =
            QuorumPolicy::new(1, 1, Duration::from_millis(500), Duration::from_secs(30)).unwrap();
        let mut tracker = AckTracker::new(policy, instant_base());
        tracker.record_local();
        assert!(tracker.is_quorum_met(instant_base()));
    }
}