outbox-core 0.4.0

Core traits and logic for modular transactional outbox pattern in Rust
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349

//! Background reaper that quarantines chronically failing events.
//!
//! [`DlqProcessor`] is the worker side of the dead-letter-queue subsystem.
//! It wakes up on `config.dlq_interval_secs` and is meant to drain events
//! whose failure count has crossed `config.dlq_threshold` from the
//! [`DlqHeap`] backend. The current implementation owns the loop and the
//! shutdown plumbing; the per-tick draining/quarantine logic is being filled
//! out incrementally.
//!
//! The processor is feature-gated behind `dlq` and is only spawned when that
//! feature is enabled — see
//! [`OutboxManager::run`](crate::manager::OutboxManager::run).

use crate::config::OutboxConfig;
use crate::dlq::storage::DlqHeap;
use crate::error::OutboxError;
use crate::prelude::OutboxStorage;
use serde::Serialize;
use std::fmt::Debug;
use std::sync::Arc;
use std::time::Duration;
use tokio::sync::watch::Receiver;
use tracing::{debug, error, info};

/// Long-running task that drains overdue events from a [`DlqHeap`] and
/// hands them to [`OutboxStorage::quarantine_events`] for atomic move into
/// the dead-letter table.
///
/// The processor owns four collaborators:
///
/// - a [`DlqHeap`] that tracks per-event failure counts (drained on each
///   tick to fetch events that have crossed the configured threshold).
/// - an [`OutboxStorage`] used to perform the atomic move from the active
///   table into the quarantine table.
/// - an [`OutboxConfig`] from which the tick interval and threshold are
///   read.
/// - a [`Receiver<bool>`](tokio::sync::watch::Receiver) shutdown channel
///   that lets the loop exit cleanly.
///
/// Construct one with [`new`](Self::new) and drive it with [`run`](Self::run).
pub struct DlqProcessor<S, PT>
where
    PT: Debug + Clone + Serialize + Send + Sync + 'static,
    S: OutboxStorage<PT> + Send + Sync + 'static,
{
    heap: Arc<dyn DlqHeap>,
    storage: Arc<S>,
    config: Arc<OutboxConfig<PT>>,
    shutdown_rx: Receiver<bool>,
}

impl<S, PT> DlqProcessor<S, PT>
where
    PT: Debug + Clone + Serialize + Send + Sync + 'static,
    S: OutboxStorage<PT> + Send + Sync + 'static,
{
    /// Creates a new processor bound to the supplied heap, storage,
    /// configuration and shutdown channel.
    ///
    /// The processor does nothing until [`run`](Self::run) is called.
    pub fn new(
        heap: Arc<dyn DlqHeap>,
        storage: Arc<S>,
        config: Arc<OutboxConfig<PT>>,
        shutdown_rx: Receiver<bool>,
    ) -> Self {
        Self {
            heap,
            storage,
            config,
            shutdown_rx,
        }
    }

    /// Runs the dead-letter reaper loop until shutdown is observed.
    ///
    /// Each iteration races two arms in a `tokio::select!`:
    ///
    /// - the shutdown receiver — the loop exits when the watched value flips
    ///   to `true`, and also when the sender side is dropped (treated as an
    ///   implicit shutdown via [`Receiver::has_changed`]).
    /// - a periodic tick on `config.dlq_interval_secs`. On each tick the
    ///   processor drains entries above
    ///   `config.dlq_threshold` from the [`DlqHeap`] and forwards them to
    ///   [`OutboxStorage::quarantine_events`] for atomic move into the DLQ
    ///   table. Errors from either step are logged and the loop keeps
    ///   running — a transient drain/quarantine failure does not bring the
    ///   reaper down. Drained entries that fail to be quarantined are lost
    ///   from the heap but will re-accumulate on subsequent failures.
    ///
    /// This method consumes the processor and is meant to be spawned on a
    /// dedicated Tokio task. Only compiled with the `dlq` feature.
    ///
    /// # Errors
    ///
    /// Always returns `Ok(())` in the current implementation — every shutdown
    /// path is graceful. The fallible signature is preserved so future
    /// drain/quarantine logic can surface terminal failures without breaking
    /// the API.
    #[cfg(feature = "dlq")]
    pub async fn run(self) -> Result<(), OutboxError> {
        let mut rx_dlq = self.shutdown_rx.clone();
        let mut interval =
            tokio::time::interval(Duration::from_secs(self.config.dlq_interval_secs));

        info!("Starting DLQ processor");

        loop {
            tokio::select! {
                _ = rx_dlq.changed() => {
                    if rx_dlq.has_changed().is_err(){
                            break;
                        }
                        if *rx_dlq.borrow() {
                            break
                        }
                }
                _ = interval.tick() => {
                    match self.heap.drain_exceeded(self.config.dlq_threshold).await {
                        Ok(entries) if entries.is_empty() => {}
                        Ok(entries) => {
                            debug!("DLQ reaper draining {} entries", entries.len());
                            if let Err(e) = self.storage.quarantine_events(&entries).await {
                                error!(
                                    "Failed to quarantine {} events: {}",
                                    entries.len(),
                                    e
                                );
                            }
                        }
                        Err(e) => error!("DLQ drain_exceeded failed: {}", e),
                    }
                }
            }
        }

        info!("Dlq processor stopped");
        Ok(())
    }
}

#[cfg(all(test, feature = "dlq"))]
#[allow(clippy::unwrap_used)]
mod tests {
    use super::*;
    use crate::config::IdempotencyStrategy;
    use crate::dlq::model::DlqEntry;
    use crate::dlq::storage::MockDlqHeap;
    use crate::object::EventId;
    use crate::storage::MockOutboxStorage;
    use rstest::rstest;
    use serde::{Deserialize, Serialize};
    use std::sync::atomic::{AtomicUsize, Ordering};
    use tokio::sync::watch;

    #[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
    struct TestPayload;

    fn config() -> Arc<OutboxConfig<TestPayload>> {
        Arc::new(OutboxConfig {
            batch_size: 100,
            retention_days: 7,
            gc_interval_secs: 3600,
            poll_interval_secs: 5,
            lock_timeout_mins: 5,
            idempotency_strategy: IdempotencyStrategy::None,
            dlq_threshold: 10,
            dlq_interval_secs: 3600,
        })
    }

    fn empty_storage() -> Arc<MockOutboxStorage<TestPayload>> {
        Arc::new(MockOutboxStorage::<TestPayload>::new())
    }

    fn quiet_heap() -> Arc<MockDlqHeap> {
        let mut h = MockDlqHeap::new();
        h.expect_drain_exceeded().returning(|_| Ok(vec![]));
        Arc::new(h)
    }

    #[rstest]
    #[tokio::test]
    async fn run_exits_when_shutdown_flag_is_set_to_true() {
        let (tx, rx) = watch::channel(false);

        let processor = DlqProcessor::new(quiet_heap(), empty_storage(), config(), rx);
        let handle = tokio::spawn(async move { processor.run().await });

        tokio::task::yield_now().await;
        tx.send(true).unwrap();

        let result = tokio::time::timeout(Duration::from_millis(500), handle)
            .await
            .expect("run did not stop in time")
            .unwrap();
        assert!(result.is_ok());
    }

    #[rstest]
    #[tokio::test]
    async fn run_exits_when_sender_is_dropped() {
        let (tx, rx) = watch::channel(false);

        let processor = DlqProcessor::new(quiet_heap(), empty_storage(), config(), rx);
        let handle = tokio::spawn(async move { processor.run().await });

        tokio::task::yield_now().await;
        drop(tx);

        let result = tokio::time::timeout(Duration::from_millis(500), handle)
            .await
            .expect("run did not stop in time")
            .unwrap();
        assert!(result.is_ok());
    }

    #[rstest]
    #[tokio::test]
    async fn run_does_not_exit_on_shutdown_value_set_to_false() {
        let (tx, rx) = watch::channel(false);

        let processor = DlqProcessor::new(quiet_heap(), empty_storage(), config(), rx);
        let handle = tokio::spawn(async move { processor.run().await });

        tokio::task::yield_now().await;
        tx.send(false).unwrap();

        let abort = handle.abort_handle();
        let outcome = tokio::time::timeout(Duration::from_millis(100), handle).await;
        assert!(
            outcome.is_err(),
            "loop must keep running when the watched value stays falsy"
        );
        abort.abort();
    }

    #[rstest]
    #[tokio::test(start_paused = true)]
    async fn run_drains_heap_and_forwards_to_quarantine_events() {
        let mut heap = MockDlqHeap::new();
        let entry = DlqEntry::new(EventId::load(uuid::Uuid::now_v7()), 12, None);
        let entry_for_heap = entry.clone();
        heap.expect_drain_exceeded()
            .withf(|t| *t == 10)
            .returning(move |_| Ok(vec![entry_for_heap.clone()]));

        let mut storage = MockOutboxStorage::<TestPayload>::new();
        let entry_for_storage = entry.clone();
        storage
            .expect_quarantine_events()
            .withf(move |entries| entries.len() == 1 && entries[0].id == entry_for_storage.id)
            .returning(|_| Ok(()));

        let (tx, rx) = watch::channel(false);
        let cfg = Arc::new(OutboxConfig::<TestPayload> {
            batch_size: 100,
            retention_days: 7,
            gc_interval_secs: 3600,
            poll_interval_secs: 5,
            lock_timeout_mins: 5,
            idempotency_strategy: IdempotencyStrategy::None,
            dlq_threshold: 10,
            dlq_interval_secs: 60,
        });

        let processor = DlqProcessor::new(Arc::new(heap), Arc::new(storage), cfg, rx);
        let handle = tokio::spawn(async move { processor.run().await });

        tokio::task::yield_now().await;
        tokio::time::advance(Duration::from_millis(1)).await;
        tokio::task::yield_now().await;

        tx.send(true).unwrap();
        let _ = tokio::time::timeout(Duration::from_secs(1), handle).await;
    }

    #[rstest]
    #[tokio::test(start_paused = true)]
    async fn run_skips_quarantine_when_drain_returns_empty_batch() {
        let mut heap = MockDlqHeap::new();
        heap.expect_drain_exceeded().returning(|_| Ok(vec![]));

        let mut storage = MockOutboxStorage::<TestPayload>::new();
        storage.expect_quarantine_events().times(0);

        let (tx, rx) = watch::channel(false);
        let cfg = Arc::new(OutboxConfig::<TestPayload> {
            dlq_interval_secs: 60,
            ..(*config()).clone()
        });

        let processor = DlqProcessor::new(Arc::new(heap), Arc::new(storage), cfg, rx);
        let handle = tokio::spawn(async move { processor.run().await });

        tokio::task::yield_now().await;
        tokio::time::advance(Duration::from_millis(1)).await;
        tokio::task::yield_now().await;

        tx.send(true).unwrap();
        let _ = tokio::time::timeout(Duration::from_secs(1), handle).await;
    }

    #[rstest]
    #[tokio::test(start_paused = true)]
    async fn run_swallows_quarantine_errors_and_keeps_running() {
        let drain_calls = Arc::new(AtomicUsize::new(0));
        let drain_calls_clone = drain_calls.clone();

        let mut heap = MockDlqHeap::new();
        heap.expect_drain_exceeded().returning(move |_| {
            drain_calls_clone.fetch_add(1, Ordering::SeqCst);
            Ok(vec![DlqEntry::new(
                EventId::load(uuid::Uuid::now_v7()),
                15,
                None,
            )])
        });

        let mut storage = MockOutboxStorage::<TestPayload>::new();
        storage
            .expect_quarantine_events()
            .returning(|_| Err(OutboxError::DatabaseError("boom".into())));

        let (tx, rx) = watch::channel(false);
        let cfg = Arc::new(OutboxConfig::<TestPayload> {
            dlq_interval_secs: 60,
            ..(*config()).clone()
        });

        let processor = DlqProcessor::new(Arc::new(heap), Arc::new(storage), cfg, rx);
        let handle = tokio::spawn(async move { processor.run().await });

        tokio::task::yield_now().await;
        tokio::time::advance(Duration::from_secs(60)).await;
        tokio::task::yield_now().await;

        tx.send(true).unwrap();
        let result = tokio::time::timeout(Duration::from_secs(1), handle)
            .await
            .expect("run did not stop in time")
            .unwrap();
        assert!(result.is_ok(), "loop must swallow quarantine errors");
        assert!(
            drain_calls.load(Ordering::SeqCst) >= 2,
            "expected at least 2 drain attempts despite quarantine errors"
        );
    }
}