bpm-engine 0.1.0

Lightweight embeddable BPM runtime for long-running, stateful workflows with tokens, timers, Saga compensation, and crash recovery
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185

# Recovery & Rehydration Model

> This document describes how the engine **recovers from crashes, restarts, and partial failures**.
> Recovery is a **first-class capability**, not an edge case.

---

## 1. Failure Is Assumed

The engine assumes:

- Process crashes
- Node restarts
- Network partitions
- Partial transaction commits

> **If it can fail, it eventually will.**

---

## 2. Design Philosophy

Recovery is built on three principles:

1. Persist facts, not intentions
2. Make execution resumable
3. Never guess state

---

## 3. Persisted Runtime State

The following entities are fully persisted:

- ProcessInstance
- Token
- Event (outbox)
- Timer
- CompensationRecord

Memory contains **no critical state**.

---

## 4. Token States During Failure

At crash time, tokens may be in any state:

- Ready
- Executing
- Waiting
- Completed
- Failed

Only `Executing` requires special handling.

---

## 5. Executing Token Recovery

### 5.1 The Problem

A token marked as `Executing` may have:

- Completed handler logic
- Not completed handler logic
- Partially completed side effects

The engine must assume **the worst**.

---

### 5.2 Safe Rule

> **Executing tokens are always considered incomplete.**

They are never assumed successful.

---

### 5.3 Recovery Strategy

On engine startup:

1. Scan tokens in `Executing`
2. Reset them to `Ready`
3. Increment attempt counter
4. Re-dispatch execution

This is safe because:

- Handlers must be idempotent
- Side effects must be protected

---

## 6. Idempotency Contract

All handlers must obey:

- At-least-once execution
- External side effects must be idempotent
- Engine does not guarantee exactly-once

---

## 7. Outbox Recovery

Events are persisted before dispatch.

On restart:

- Undelivered events are re-published
- Duplicate delivery is allowed
- Consumers must be idempotent

---

## 8. Timer Recovery

Timers are persisted with:

- due_at
- status

On recovery:

- Expired timers are immediately fired
- Pending timers are rescheduled

---

## 9. Saga Recovery

Saga recovery relies on facts:

- CompensationRecord is immutable
- Completed compensations are never repeated
- Failed compensations remain failed

Saga resumes deterministically.

---

## 10. Rehydration Process

Rehydration steps:

1. Load all runtime entities
2. Restore in-memory indexes
3. Resume schedulers
4. Resume token dispatch

---

## 11. What Recovery Never Does

Recovery does **not**:

- Infer missing compensation
- Skip failed steps
- Assume success

If state is unclear, the engine chooses **safety over progress**.

---

## 12. Operational Guarantees

This model guarantees:

- No lost tokens
- No phantom success
- Deterministic restart behavior

---

## 13. Relationship to Other Documents

- Execution & concurrency: `execution-model.md`
- Saga & compensation: `saga.md`

---

> **A system that cannot recover is not a system.**