bb-runtime 0.3.5

Sans-IO engine for the bytesandbrains framework — Node, Engine, Framework, Backends, roles, snapshot, runtime-side syscalls.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278

//! `PeerGovernor` - the single source of truth for peer policy
//! and health tracking per .
//!
//! The framework owns this Component; it's consulted at both
//! delivery boundaries:
//!
//! - **Inbound **: Phase 1 of `Engine::poll` calls
//!   [`PeerGovernor::check_inbound`] for every
//!   `IngressEvent::EnvelopeFrom { src_peer, .. }`. Blocked /
//!   non-allowlisted peers are dropped before any slot is written.
//!
//! - **Outbound **: the compiler pass
//!   `bb-compiler/src/insert_peer_health_gates.rs` inserts a
//!   `PeerHealthGate` syscall op upstream of every `wire::Send`.
//!   The gate's `dispatch_atomic` calls
//!   [`PeerGovernor::check_outbound`].
//!
//! Health state (per-peer consecutive failures + last-seen) is
//! updated by Send-completion callbacks so Component authors stop
//! touching [`BackoffTable`] by hand - the compiler wires the
//! tracking in for every wire send automatically.
//!
//! [`BackoffTable`]: crate::framework::BackoffTable

use std::collections::{HashMap, HashSet};

use crate::ids::PeerId;

/// Default number of consecutive `wire::Send` failures before a
/// peer is marked as down. `PeerGovernor::record_failure` emits
/// the lifecycle transition; the engine's Phase 8 surfaces it as
/// `EngineStep::PeerDown`.
pub const DEFAULT_FAILURE_THRESHOLD: u32 = 5;

/// Why a peer can't receive an envelope, surfaced both inbound
/// (drop) and outbound (gate failure).
#[derive(Clone, Debug, PartialEq, Eq)]
pub enum BlockReason {
    /// Peer is explicitly in the blocklist.
    Blocklisted,
    /// An allowlist is configured and the peer isn't on it.
    NotAllowlisted,
    /// Peer is currently in failure-driven cooldown.
    Cooldown {
        /// `scheduler.now_ns()` past which the peer becomes
        /// eligible again.
        retry_ns: u64,
    },
}

/// Per-peer health snapshot. Read by `Node::peer_health()` for
/// operator introspection.
#[derive(Clone, Copy, Debug, Default, PartialEq, Eq)]
pub struct PeerHealth {
    /// Number of consecutive `record_failure` calls since the
    /// last `record_success`.
    pub consecutive_failures: u32,
    /// `scheduler.now_ns()` at the last `record_success` /
    /// `record_failure`. `0` if neither has been called.
    pub last_event_ns: u64,
    /// True once `consecutive_failures` has reached the
    /// configured threshold without an intervening success;
    /// remains true until a success clears the streak.
    pub down: bool,
}

/// Outcome of a `check_inbound` / `check_outbound` consultation.
#[derive(Clone, Debug, PartialEq, Eq)]
pub enum Decision {
    /// Delivery / send is permitted.
    Allow,
    /// Delivery / send is denied; `reason` carries why.
    Deny(BlockReason),
}

/// Side-effect of recording a failure or success - the engine
/// translates these into `EngineStep` variants in Phase 8.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum LifecycleTransition {
    /// No observable state change.
    None,
    /// Peer just crossed below the failure threshold.
    WentDown,
    /// Peer just came back up after a failure streak.
    CameUp,
}

/// Per-peer policy + health state owner.
///
/// Snapshot/restore: full state is captured in
/// `FrameworkSnapshot` (work). Pre-Stage-5, restore
/// rebuilds the governor from scratch - blocklist + allowlist
/// settings on `NodeConfig` are re-applied at construction time.
pub struct PeerGovernor {
    blocklist: HashSet<PeerId>,
    allowlist: Option<HashSet<PeerId>>,
    health: HashMap<PeerId, PeerHealth>,
    failure_threshold: u32,
}

impl Default for PeerGovernor {
    fn default() -> Self {
        Self::new()
    }
}

impl PeerGovernor {
    /// Construct a fresh governor with no blocklist, no
    /// allowlist, and the default failure threshold.
    pub fn new() -> Self {
        Self {
            blocklist: HashSet::new(),
            allowlist: None,
            health: HashMap::new(),
            failure_threshold: DEFAULT_FAILURE_THRESHOLD,
        }
    }

    /// Configure the failure threshold (consecutive failures
    /// before a peer is marked down). Default
    /// [`DEFAULT_FAILURE_THRESHOLD`].
    pub fn with_failure_threshold(mut self, threshold: u32) -> Self {
        self.failure_threshold = threshold.max(1);
        self
    }

    /// Add a peer to the blocklist. Subsequent inbound envelopes
    /// from this peer are dropped; subsequent outbound sends fail.
    pub fn block(&mut self, peer: PeerId) {
        self.blocklist.insert(peer);
    }

    /// Remove a peer from the blocklist.
    pub fn unblock(&mut self, peer: PeerId) {
        self.blocklist.remove(&peer);
    }

    /// Set (or clear) the allowlist. When `Some`, only peers in
    /// the allowlist may communicate; everyone else is denied.
    /// `None` means "open" (default).
    pub fn set_allowlist(&mut self, allowlist: Option<HashSet<PeerId>>) {
        self.allowlist = allowlist;
    }

    /// Per-peer health snapshot read; returns `None` if no
    /// success/failure has ever been recorded for `peer`.
    pub fn peer_health(&self, peer: PeerId) -> Option<PeerHealth> {
        self.health.get(&peer).copied()
    }

    /// True when `peer` is currently marked down.
    pub fn is_down(&self, peer: PeerId) -> bool {
        self.health.get(&peer).is_some_and(|h| h.down)
    }

    /// Inbound consultation - called from the engine's Phase 1
    /// envelope router before any slot is written.
    pub fn check_inbound(&self, peer: PeerId) -> Decision {
        if self.blocklist.contains(&peer) {
            return Decision::Deny(BlockReason::Blocklisted);
        }
        if let Some(allow) = &self.allowlist {
            if !allow.contains(&peer) {
                return Decision::Deny(BlockReason::NotAllowlisted);
            }
        }
        Decision::Allow
    }

    /// Outbound consultation - called from the compiler-inserted
    /// `PeerHealthGate` syscall op upstream of every `wire::Send`.
    /// Returns `Deny(Cooldown { retry_ns })` when the peer is in
    /// failure cooldown, prompting the gate to reschedule.
    pub fn check_outbound(
        &self,
        peer: PeerId,
        backoff: &super::BackoffTable,
        now_ns: u64,
    ) -> Decision {
        if self.blocklist.contains(&peer) {
            return Decision::Deny(BlockReason::Blocklisted);
        }
        if let Some(allow) = &self.allowlist {
            if !allow.contains(&peer) {
                return Decision::Deny(BlockReason::NotAllowlisted);
            }
        }
        if !backoff.should_retry(peer, now_ns) {
            let retry_ns = backoff
                .state(peer)
                .map(|s| s.next_retry_ns)
                .unwrap_or(now_ns);
            return Decision::Deny(BlockReason::Cooldown { retry_ns });
        }
        Decision::Allow
    }

    /// Record a successful exchange with `peer` at `now_ns`.
    /// Resets the consecutive-failure counter; clears `down`.
    /// Returns the lifecycle transition the engine should
    /// surface as an `EngineStep::PeerUp`.
    pub fn record_success(&mut self, peer: PeerId, now_ns: u64) -> LifecycleTransition {
        let was_down = self.health.get(&peer).map(|h| h.down).unwrap_or(false);
        self.health.insert(
            peer,
            PeerHealth {
                consecutive_failures: 0,
                last_event_ns: now_ns,
                down: false,
            },
        );
        if was_down {
            LifecycleTransition::CameUp
        } else {
            LifecycleTransition::None
        }
    }

    /// Record a failure for `peer` at `now_ns`. Returns
    /// `WentDown` when the failure pushes the streak across the
    /// threshold.
    pub fn record_failure(&mut self, peer: PeerId, now_ns: u64) -> LifecycleTransition {
        let prev = self.health.get(&peer).copied().unwrap_or_default();
        let consecutive_failures = prev.consecutive_failures.saturating_add(1);
        let just_went_down = !prev.down && consecutive_failures >= self.failure_threshold;
        self.health.insert(
            peer,
            PeerHealth {
                consecutive_failures,
                last_event_ns: now_ns,
                down: prev.down || just_went_down,
            },
        );
        if just_went_down {
            LifecycleTransition::WentDown
        } else {
            LifecycleTransition::None
        }
    }

    /// Number of distinct peers with health state recorded.
    pub fn tracked_peers(&self) -> usize {
        self.health.len()
    }

    /// Read-only view of the blocklist. Used by snapshot capture.
    pub fn blocklist(&self) -> &HashSet<PeerId> {
        &self.blocklist
    }

    /// Read-only view of the allowlist.
    pub fn allowlist(&self) -> Option<&HashSet<PeerId>> {
        self.allowlist.as_ref()
    }

    /// Iterate `(PeerId, PeerHealth)` entries for snapshot capture.
    pub fn iter_health(&self) -> impl Iterator<Item = (PeerId, PeerHealth)> + '_ {
        self.health.iter().map(|(p, h)| (*p, *h))
    }

    /// Current failure threshold (consecutive failures to mark a
    /// peer down). Used by snapshot capture.
    pub fn failure_threshold(&self) -> u32 {
        self.failure_threshold
    }

    /// Replace a peer's health state directly. Used by
    /// `Node::restore` to re-seed health from a snapshot entry.
    pub fn restore_health(&mut self, peer: PeerId, health: PeerHealth) {
        self.health.insert(peer, health);
    }

    /// Overwrite the failure threshold. Used by `Node::restore`.
    pub fn set_failure_threshold(&mut self, threshold: u32) {
        self.failure_threshold = threshold.max(1);
    }
}