rakka-inference-remote-core 0.2.6

Remote-provider infrastructure for rakka-inference — distributed rate limiter (CRDT), circuit breaker, retry/backoff, SSE parser, session lifecycle.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249

//! Rate-limiter actors. Doc §3.5, §12.1.
//!
//! Two flavours, selected per `RateLimits::strict`:
//!
//! - [`RateLimiterActor`] — approximate, distributed via
//!   `rakka_distributed_data::counters::GCounter`. Each node keeps a
//!   local per-window view; over-spend is bounded by sync interval and
//!   per-node budget. Default for high-throughput deployments.
//! - [`StrictRateLimiterActor`] — runs as a cluster singleton; every
//!   request `ask`s for a permit. Higher latency, exact accounting.
//!   Default for low-throughput / pay-per-call deployments.

use std::sync::Arc;
use std::time::{Duration, Instant};

use async_trait::async_trait;
use parking_lot::Mutex;
use rakka_core::actor::{Actor, Context};
use rakka_distributed_data::{DeltaCrdt, GCounter};
use tokio::sync::oneshot;

use inference_core::deployment::RateLimits;
use inference_core::error::InferenceError;

/// Permit returned to a worker. Holding the permit until the request
/// completes is the convention; `Drop` is a no-op because spend is
/// recorded at acquire time. Strict mode could swap this for a
/// release-on-drop scheme later.
#[derive(Debug)]
pub struct Permit {
    pub requests: u32,
    pub tokens: u32,
}

pub struct AcquirePermit {
    pub requests: u32,
    pub tokens: u32,
    pub reply: oneshot::Sender<Result<Permit, InferenceError>>,
}

#[derive(Default)]
struct Window {
    /// Wall-clock instant the current 60-s window started.
    started_at: Option<Instant>,
    requests: u64,
    tokens: u64,
}

/// Cheap shared view that workers consult before acquiring. Useful for
/// status endpoints and tests.
#[derive(Default, Clone)]
pub struct RateLimiterHandle {
    state: Arc<Mutex<Window>>,
}

impl RateLimiterHandle {
    pub fn snapshot(&self) -> (u64, u64) {
        let s = self.state.lock();
        (s.requests, s.tokens)
    }
}

pub struct RateLimiterActor {
    node_id: String,
    limits: RateLimits,
    /// Distributed counter — total requests this window across the
    /// cluster, by node.
    requests_counter: GCounter,
    tokens_counter: GCounter,
    window: Arc<Mutex<Window>>,
}

impl RateLimiterActor {
    pub fn new(node_id: impl Into<String>, limits: RateLimits) -> Self {
        Self {
            node_id: node_id.into(),
            limits,
            requests_counter: GCounter::new(),
            tokens_counter: GCounter::new(),
            window: Arc::new(Mutex::new(Window::default())),
        }
    }

    pub fn handle(&self) -> RateLimiterHandle {
        RateLimiterHandle {
            state: self.window.clone(),
        }
    }

    /// Apply a CRDT delta from another node. Wired through
    /// `rakka_distributed_data::Replicator` in production.
    pub fn merge_remote_delta_requests(&mut self, delta: &<GCounter as DeltaCrdt>::Delta) {
        self.requests_counter.merge_delta(delta);
    }

    pub fn merge_remote_delta_tokens(&mut self, delta: &<GCounter as DeltaCrdt>::Delta) {
        self.tokens_counter.merge_delta(delta);
    }

    fn rotate_window_if_needed(&mut self) {
        let mut w = self.window.lock();
        let needs_reset = match w.started_at {
            Some(started) => started.elapsed() >= Duration::from_secs(60),
            None => true,
        };
        if needs_reset {
            *w = Window {
                started_at: Some(Instant::now()),
                requests: 0,
                tokens: 0,
            };
            // Window rotation: zero the local view of the CRDT.
            // Cluster peers will re-observe the new window via gossip
            // since their own counters reset on the same wall clock.
            self.requests_counter = GCounter::new();
            self.tokens_counter = GCounter::new();
        }
    }

    fn acquire(&mut self, req: AcquirePermit) -> Result<Permit, InferenceError> {
        self.rotate_window_if_needed();
        let mut w = self.window.lock();

        // Approximate distributed budget: each node may consume up to
        // its share. With one node the share is the full budget; the
        // CRDT sync widens this scope when peers join.
        if let Some(rpm) = self.limits.requests_per_minute {
            if w.requests + req.requests as u64 > rpm {
                return Err(InferenceError::Backpressure(format!(
                    "requests-per-minute limit reached ({}/{})",
                    w.requests, rpm
                )));
            }
        }
        if let Some(tpm) = self.limits.tokens_per_minute {
            if w.tokens + req.tokens as u64 > tpm {
                return Err(InferenceError::Backpressure(format!(
                    "tokens-per-minute limit reached ({}/{})",
                    w.tokens, tpm
                )));
            }
        }
        w.requests += req.requests as u64;
        w.tokens += req.tokens as u64;
        // Record into the CRDT so peers see our spend.
        drop(w);
        self.requests_counter
            .increment(&self.node_id, req.requests as u64);
        self.tokens_counter.increment(&self.node_id, req.tokens as u64);
        Ok(Permit {
            requests: req.requests,
            tokens: req.tokens,
        })
    }
}

#[async_trait]
impl Actor for RateLimiterActor {
    type Msg = AcquirePermit;

    async fn handle(&mut self, _ctx: &mut Context<Self>, msg: Self::Msg) {
        let reply = msg.reply;
        let res = self.acquire(AcquirePermit {
            reply: dummy_reply(),
            ..msg
        });
        let _ = reply.send(res);
    }
}

/// Strict variant — run as a cluster singleton. The actor structure is
/// identical to the approximate one; the different default is
/// expressed at deploy time by registering it through
/// `rakka_cluster_tools::ClusterSingletonManager` rather than as a
/// per-node actor.
pub struct StrictRateLimiterActor {
    inner: RateLimiterActor,
}

impl StrictRateLimiterActor {
    pub fn new(inner: RateLimiterActor) -> Self {
        Self { inner }
    }
}

#[async_trait]
impl Actor for StrictRateLimiterActor {
    type Msg = AcquirePermit;

    async fn handle(&mut self, _ctx: &mut Context<Self>, msg: Self::Msg) {
        let reply = msg.reply;
        let res = self.inner.acquire(AcquirePermit {
            reply: dummy_reply(),
            ..msg
        });
        let _ = reply.send(res);
    }
}

/// Construct a no-op oneshot reply so we can move the original out by
/// value into `acquire` without touching it.
fn dummy_reply() -> oneshot::Sender<Result<Permit, InferenceError>> {
    let (tx, rx) = oneshot::channel();
    drop(rx);
    tx
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn approximate_limiter_blocks_on_rpm() {
        let mut a = RateLimiterActor::new(
            "node-a",
            RateLimits {
                requests_per_minute: Some(2),
                tokens_per_minute: None,
                concurrent_requests: None,
                strict: false,
            },
        );
        let (tx1, _) = oneshot::channel();
        let (tx2, _) = oneshot::channel();
        let (tx3, _) = oneshot::channel();
        assert!(a
            .acquire(AcquirePermit {
                requests: 1,
                tokens: 0,
                reply: tx1
            })
            .is_ok());
        assert!(a
            .acquire(AcquirePermit {
                requests: 1,
                tokens: 0,
                reply: tx2
            })
            .is_ok());
        assert!(matches!(
            a.acquire(AcquirePermit {
                requests: 1,
                tokens: 0,
                reply: tx3
            }),
            Err(InferenceError::Backpressure(_))
        ));
    }
}