ff-engine 0.3.1

FlowFabric cross-partition dispatch and background scanners
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397

//! Background scanner infrastructure.
//!
//! Scanners iterate execution partitions at fixed intervals, checking for
//! conditions that require action (expired leases, due delays, index drift).
//! Each scanner type implements the `Scanner` trait; the `ScannerRunner`
//! drives them as tokio tasks.

pub mod attempt_timeout;
pub mod budget_reconciler;
pub mod execution_deadline;
pub mod budget_reset;
pub mod delayed_promoter;
pub mod cancel_reconciler;
pub mod dependency_reconciler;
pub mod flow_projector;
pub mod index_reconciler;
pub mod lease_expiry;
pub mod pending_wp_expiry;
pub mod quota_reconciler;
pub mod retention_trimmer;
pub mod suspension_timeout;
pub mod unblock;

use std::collections::HashMap;
use std::sync::Arc;
use std::sync::atomic::{AtomicU64, Ordering};
use std::sync::Mutex;
use std::time::Duration;

use ff_core::backend::ScannerFilter;
use ff_core::partition::{Partition, PartitionFamily};
use ff_core::types::Namespace;
use tokio::sync::watch;
use tokio::task::JoinHandle;

/// Result of scanning one partition.
pub struct ScanResult {
    pub processed: u32,
    pub errors: u32,
}

// ── Failure tracking for persistent FCALL errors ──

/// Max consecutive failures before an item enters backoff.
const FAILURE_THRESHOLD: u32 = 3;
/// Number of scan cycles to skip after hitting the threshold.
const BACKOFF_CYCLES: u64 = 10;
/// Max tracked entries before GC runs.
const GC_THRESHOLD: usize = 500;

struct FailureEntry {
    consecutive_failures: u32,
    skip_until_cycle: u64,
}

/// Tracks persistently-failing items so they don't permanently consume
/// batch slots. After [`FAILURE_THRESHOLD`] consecutive failures for the
/// same key, the item is skipped for [`BACKOFF_CYCLES`] scan cycles.
#[derive(Default)]
pub struct FailureTracker {
    inner: Mutex<HashMap<String, FailureEntry>>,
    cycle: AtomicU64,
}

impl FailureTracker {
    pub fn new() -> Self {
        Self::default()
    }

    /// Call once per full scan cycle (e.g., when partition == 0).
    pub fn advance_cycle(&self) {
        let cycle = self.cycle.fetch_add(1, Ordering::Relaxed) + 1;
        // Periodic GC: remove entries whose backoff has expired
        if cycle.is_multiple_of(50) {
            let mut map = self.inner.lock().unwrap();
            if map.len() > GC_THRESHOLD {
                map.retain(|_, e| {
                    e.consecutive_failures >= FAILURE_THRESHOLD
                        && e.skip_until_cycle > cycle
                });
            }
        }
    }

    /// Returns true if this item should be skipped (in backoff).
    /// Also resets the entry when backoff expires, giving it another chance.
    pub fn should_skip(&self, key: &str) -> bool {
        let mut map = self.inner.lock().unwrap();
        if let Some(entry) = map.get_mut(key)
            && entry.consecutive_failures >= FAILURE_THRESHOLD
        {
            let cycle = self.cycle.load(Ordering::Relaxed);
            if entry.skip_until_cycle > cycle {
                return true;
            }
            // Backoff expired — reset and allow retry
            entry.consecutive_failures = 0;
            entry.skip_until_cycle = 0;
        }
        false
    }

    /// Record a failure. After [`FAILURE_THRESHOLD`] consecutive failures,
    /// logs an error and puts the item into backoff.
    pub fn record_failure(&self, key: &str, scanner_name: &str) {
        let mut map = self.inner.lock().unwrap();
        let entry = map.entry(key.to_owned()).or_insert(FailureEntry {
            consecutive_failures: 0,
            skip_until_cycle: 0,
        });
        entry.consecutive_failures += 1;
        if entry.consecutive_failures == FAILURE_THRESHOLD {
            let cycle = self.cycle.load(Ordering::Relaxed);
            entry.skip_until_cycle = cycle + BACKOFF_CYCLES;
            tracing::error!(
                scanner = scanner_name,
                item = key,
                failures = entry.consecutive_failures,
                backoff_cycles = BACKOFF_CYCLES,
                "persistent FCALL failure — skipping for {BACKOFF_CYCLES} scan cycles"
            );
        }
    }

    /// Record a success — clears any tracked failure state.
    pub fn record_success(&self, key: &str) {
        let mut map = self.inner.lock().unwrap();
        map.remove(key);
    }
}

/// Trait for background partition scanners.
///
/// Each implementation scans one aspect of execution state (lease expiry,
/// delayed promotion, index consistency) across all partitions at a
/// configured interval.
pub trait Scanner: Send + Sync + 'static {
    /// Human-readable name for logging.
    fn name(&self) -> &'static str;

    /// How often to run a full scan across all partitions.
    fn interval(&self) -> Duration;

    /// Per-consumer filter applied by execution-shaped scanners to
    /// restrict the set of candidates they act on (issue #122).
    ///
    /// Default returns [`ScannerFilter::NOOP`] — pre-#122 behaviour.
    /// Implementations override by storing a `ScannerFilter` on the
    /// struct (constructed via `Self::with_filter(..)`) and
    /// returning `&self.filter`.
    fn filter(&self) -> &ScannerFilter {
        &ScannerFilter::NOOP
    }

    /// Scan a single partition. Called once per partition per cycle.
    fn scan_partition(
        &self,
        client: &ferriskey::Client,
        partition: u16,
    ) -> impl std::future::Future<Output = ScanResult> + Send;

    /// PR-94: per-cycle gauge sample. Returns `Some(depth)` summed
    /// across all partitions by the scanner runner to produce a
    /// single gauge value (today only `cancel_reconciler` exports
    /// one, feeding `ff_cancel_backlog_depth`). Default: `None` so
    /// scanners that don't export a gauge compile unchanged.
    ///
    /// Runs AFTER `scan_partition` for the same `partition` within
    /// the same cycle, so implementations can reuse cached state.
    /// The trivial default implementation returns `None` for every
    /// partition and the runner writes nothing.
    fn sample_backlog_depth(
        &self,
        _client: &ferriskey::Client,
        _partition: u16,
    ) -> impl std::future::Future<Output = Option<u64>> + Send {
        async { None }
    }
}

/// Issue #122: per-candidate filter helper shared by all
/// execution-shaped scanners.
///
/// Returns true iff the candidate `eid` on `partition` should be
/// SKIPPED by the scanner (i.e. the filter rejects it). A no-op
/// filter never rejects — returns false without issuing any HGET.
///
/// # `eid` format
///
/// Callers pass `eid` as the **full** `{fp:N}:<uuid>` ExecutionId
/// string — identical to what Lua stores as a ZSET member via
/// `ZADD ... A.execution_id` and what every scanner reads out of
/// per-partition index ZSETs with `ZRANGEBYSCORE`. The helper
/// formats `format!("ff:exec:{}:{}:core", tag, eid)` which produces
/// the canonical **double-tagged** production key shape
/// `ff:exec:{fp:N}:{fp:N}:<uuid>:core` — the first tag comes from
/// the partition's routing hash-tag; the second is the tag baked
/// into the ExecutionId string. Matches
/// [`ff_core::keys::ExecKeyContext::core`] / [`::tags`] exactly.
/// Do not strip the prefix — doing so would build a
/// single-tagged key that does not exist in production.
///
/// [`::tags`]: ff_core::keys::ExecKeyContext::tags
///
/// # Cost
///
/// 0 HGET if `filter.is_noop()`; 1 HGET when only `namespace` is
/// set (on `ff:exec:{fp:N}:{fp:N}:<uuid>:core`); 1 HGET when only
/// `instance_tag` is set (on `ff:exec:{fp:N}:{fp:N}:<uuid>:tags`);
/// 2 HGETs when both are set. Namespace is checked first (cheaper
/// — touches the already-hot `core` hash) and short-circuits on
/// mismatch.
///
/// # Failure mode
///
/// On HGET failure the helper returns true (skip), conservatively:
/// leaking a cross-tenant candidate due to a transient read error is
/// worse than the scanner temporarily underclaiming — the next cycle
/// picks it back up once the backend recovers.
pub async fn should_skip_candidate(
    client: &ferriskey::Client,
    filter: &ScannerFilter,
    partition: u16,
    eid: &str,
) -> bool {
    if filter.is_noop() {
        return false;
    }
    let p = Partition {
        family: PartitionFamily::Execution,
        index: partition,
    };
    let tag = p.hash_tag();

    if let Some(ref want_ns) = filter.namespace {
        let core_key = format!("ff:exec:{}:{}:core", tag, eid);
        match client
            .cmd("HGET")
            .arg(&core_key)
            .arg("namespace")
            .execute::<Option<String>>()
            .await
        {
            Ok(Some(s)) => {
                if &Namespace::new(s) != want_ns {
                    return true;
                }
            }
            // nil or transport error — skip conservatively.
            _ => return true,
        }
    }

    if let Some((ref tag_key, ref want_value)) = filter.instance_tag {
        let tags_key = format!("ff:exec:{}:{}:tags", tag, eid);
        match client
            .cmd("HGET")
            .arg(&tags_key)
            .arg(tag_key.as_str())
            .execute::<Option<String>>()
            .await
        {
            Ok(Some(v)) if &v == want_value => {}
            _ => return true,
        }
    }

    false
}

/// Drives a scanner across all execution partitions in a loop.
pub struct ScannerRunner;

impl ScannerRunner {
    /// Spawn a tokio task that runs the scanner forever until shutdown.
    ///
    /// PR-94: the `metrics` handle records per-cycle duration +
    /// cycle-total counter. Under the no-op shim (`observability`
    /// feature off) the recorder calls compile to nothing.
    pub fn spawn<S: Scanner>(
        scanner: Arc<S>,
        client: ferriskey::Client,
        num_partitions: u16,
        mut shutdown: watch::Receiver<bool>,
        metrics: Arc<ff_observability::Metrics>,
    ) -> JoinHandle<()> {
        tokio::spawn(async move {
            let name = scanner.name();
            let interval = scanner.interval().max(Duration::from_millis(100));
            tracing::info!(scanner = name, ?interval, partitions = num_partitions, "scanner started");

            loop {
                let cycle_start = tokio::time::Instant::now();
                let mut total_processed: u32 = 0;
                let mut total_errors: u32 = 0;
                // Gauge aggregation strategy: require **every**
                // partition to return a sample before writing.
                // A partial sum (some partitions sampled, some
                // returned None on error) would under-report and
                // make the gauge jump below the true backlog, which
                // an operator could mis-interpret as drain progress.
                // On any missing sample we set `sample_valid = false`
                // and skip the gauge write — the previous value
                // stands until a full cycle succeeds.
                //
                // First partition returning `Some(_)` sets
                // `sampled = true`; a subsequent `None` on any
                // partition invalidates the cycle's write.
                let mut total_backlog_depth: u64 = 0;
                let mut sampled = false;
                let mut sample_valid = true;

                for p in 0..num_partitions {
                    // Check for shutdown between partitions
                    if *shutdown.borrow() {
                        tracing::info!(scanner = name, "shutdown requested, stopping");
                        return;
                    }

                    let result = scanner.scan_partition(&client, p).await;
                    total_processed += result.processed;
                    total_errors += result.errors;

                    // Only query the gauge-sample hook on scanners
                    // that override it (default returns None for
                    // every partition — the check short-circuits).
                    match scanner.sample_backlog_depth(&client, p).await {
                        Some(d) => {
                            sampled = true;
                            total_backlog_depth =
                                total_backlog_depth.saturating_add(d);
                        }
                        None => {
                            // A non-overriding scanner returns None
                            // on every partition → `sampled` stays
                            // false → gauge write skipped anyway.
                            // An overriding scanner with a transient
                            // failure invalidates the cycle only if
                            // it had already sampled a partition.
                            if sampled {
                                sample_valid = false;
                            }
                        }
                    }
                }

                let elapsed = cycle_start.elapsed();
                // PR-94: scanner cycle metrics. Recorded every cycle,
                // regardless of whether the cycle did any work, so
                // operators can see cadence drift (a stuck scanner
                // stops producing data points).
                metrics.record_scanner_cycle(name, elapsed);
                if sampled && sample_valid {
                    metrics.set_cancel_backlog_depth(total_backlog_depth);
                } else if sampled && !sample_valid {
                    // At least one partition sampled but another
                    // failed — leave the gauge at its prior value.
                    // Log at debug so operators investigating a
                    // flat gauge can correlate to the cycle where
                    // sampling partially failed.
                    tracing::debug!(
                        scanner = name,
                        "skipping cancel_backlog_depth gauge write this cycle \
                         (partial partition sample)"
                    );
                }
                if total_processed > 0 || total_errors > 0 {
                    tracing::info!(
                        scanner = name,
                        processed = total_processed,
                        errors = total_errors,
                        elapsed_ms = elapsed.as_millis() as u64,
                        "scan cycle complete"
                    );
                } else {
                    tracing::trace!(
                        scanner = name,
                        elapsed_ms = elapsed.as_millis() as u64,
                        "scan cycle complete (nothing to do)"
                    );
                }

                // Sleep for the remaining interval (or immediately if scan took longer)
                let sleep_dur = interval.saturating_sub(elapsed);
                tokio::select! {
                    _ = tokio::time::sleep(sleep_dur) => {}
                    _ = shutdown.changed() => {
                        if *shutdown.borrow() {
                            tracing::info!(scanner = name, "shutdown requested, stopping");
                            return;
                        }
                    }
                }
            }
        })
    }
}