Commit policy resolution for multi-writer clusters (issue #1001, PRD #987).
A cluster has one global default CommitPolicy, and a collection may
declare a stricter or looser override when its model semantics justify it
(see the clustering glossary entries
Commit policy and Ephemeral-local commit). This module is the single
deterministic place that combines those two inputs into the effective
policy a write actually commits under, and enforces the one safety rule that
the raw CommitPolicy type cannot express on its own:
Durable transactional, queue, audit, config, and vault collections must not silently use local-only acknowledgement once HA intent is declared. Only collections explicitly declared ephemeral/cache-like may opt into
local commit, and they do so with documented failover semantics.
§Why a resolver rather than a field on the collection
The effective policy is a function of three independent inputs — the cluster
default, the per-collection override, and whether the deployment has declared
HA intent — and the guardrail couples all three. Resolving them ad hoc at each
call site (write admission and failover eligibility both need the answer)
would let the two paths drift, so a misconfigured durable collection could be
admitted with local on the write path while failover still believed it was
quorum-durable. A single pure resolver keeps both paths reading the same
decision and makes the guardrail testable in isolation.
§Resolution
- The effective policy is the collection override if present, otherwise the cluster default (ResolutionSource records which won).
- If the effective policy is local-only acknowledgement (Local, or the degenerate AckN(0) which the policy docs define as equivalent to Local) and HA intent is declared:
  - a durable model (CollectionDataModel::is_durable) is rejected with CommitPolicyViolation::DurableLocalUnderHa — fail closed, the caller must not admit writes under a silently-degraded policy.
  - an ephemeral/cache-like model is allowed, tagged GuardrailDisposition::EphemeralLocalAllowed so the decision is explicit in the audit trail.
- Otherwise the resolution succeeds; the guardrail is GuardrailDisposition::Satisfied for a durable model under declared HA intent (the effective policy is genuinely durable), or GuardrailDisposition::NotApplicable when HA intent is not declared.
The resolved policy also reports its failover eligibility
(CommitPolicyResolution::failover_eligibility): a durable policy means a
candidate may be promoted only if its log covers the range commit watermark,
while a local-ack policy carries an explicit data-loss window — the documented
failover semantics ephemeral/cache collections accept in exchange for local.
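The resolution and guardrail rules above, as a self-contained Rust sketch added here; it is not the crate's source. Type, variant and function names are taken from this page, while CommitPolicy::Quorum, the two CollectionDataModel variants, the struct's field names, the FailoverEligibility variant names and the function signature are assumptions. The page does not say how an ephemeral model under a durable policy with HA declared is dispositioned; the sketch reports Satisfied.

```rust
// Added sketch, not the crate's source. Names come from this page; Quorum, the two
// data-model variants, the struct fields and FailoverEligibility's variants are assumptions.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum CommitPolicy { Local, AckN(u32), Quorum }
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum CollectionDataModel { Transactional, Cache }
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum HaIntent { Declared, NotDeclared }
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum ResolutionSource { ClusterDefault, CollectionOverride }
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum GuardrailDisposition { Satisfied, EphemeralLocalAllowed, NotApplicable }
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum FailoverEligibility { WatermarkGated, DataLossWindow }
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum CommitPolicyViolation { DurableLocalUnderHa }
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct CommitPolicyResolution {
    pub policy: CommitPolicy, pub source: ResolutionSource,
    pub guardrail: GuardrailDisposition, pub failover_eligibility: FailoverEligibility,
}

impl CollectionDataModel {
    pub fn is_durable(self) -> bool { self != CollectionDataModel::Cache }
}

/// Local, or the degenerate AckN(0), acknowledges on local WAL durability alone.
pub fn is_local_ack(policy: CommitPolicy) -> bool {
    matches!(policy, CommitPolicy::Local | CommitPolicy::AckN(0))
}

pub fn resolve_commit_policy(
    default: CommitPolicy, over: Option<CommitPolicy>, model: CollectionDataModel, ha: HaIntent,
) -> Result<CommitPolicyResolution, CommitPolicyViolation> {
    let (policy, source) = match over {
        Some(p) => (p, ResolutionSource::CollectionOverride),
        None => (default, ResolutionSource::ClusterDefault),
    };
    let local = is_local_ack(policy);
    let guardrail = match (ha, local, model.is_durable()) {
        (HaIntent::NotDeclared, _, _) => GuardrailDisposition::NotApplicable,
        (HaIntent::Declared, true, true) => return Err(CommitPolicyViolation::DurableLocalUnderHa),
        (HaIntent::Declared, true, false) => GuardrailDisposition::EphemeralLocalAllowed,
        // Ephemeral model + durable policy is not covered by the page; Satisfied is assumed.
        (HaIntent::Declared, false, _) => GuardrailDisposition::Satisfied,
    };
    let failover_eligibility =
        if local { FailoverEligibility::DataLossWindow } else { FailoverEligibility::WatermarkGated };
    Ok(CommitPolicyResolution { policy, source, guardrail, failover_eligibility })
}
```

Because write admission and failover both read the one returned value, a durable collection overridden to AckN(0) under declared HA intent never reaches either path: the call returns the violation before any resolution exists.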
Structs§
- CommitPolicyResolution - The deterministic outcome of resolving a cluster default + collection override + HA intent against a collection’s data model.
Enums§
- CollectionDataModel - The durability model a collection declares for itself. The first five are durable models whose data must survive a single-node loss; the last two are explicitly local-eligible — losing their most recent unreplicated writes on failover is an accepted trade for lower write latency.
- CommitPolicyViolation - Rejection raised when resolution would silently degrade a durable model to local-only acknowledgement under declared HA intent. The caller must fail closed rather than admit writes under the degraded policy.
- FailoverEligibility - Failover implication of a resolved commit policy. Consumed by failover eligibility: a durable policy gates promotion on watermark coverage, while a local-ack policy admits an explicit data-loss window on the promoted node.
- GuardrailDisposition - How the ephemeral-local guardrail dispositioned a successful resolution.
- HaIntent - Whether the deployment has declared HA intent. The guardrail only restricts local-only acknowledgement once intent is Declared; a single-writer / non-HA deployment resolves policies without restriction.
- ResolutionSource - Which input supplied the effective policy.
Functions§
- is_local_ack - true when policy acknowledges a commit on local WAL durability alone: Local, or the degenerate AckN(0) the policy docs define as equivalent.
- resolve_commit_policy - Deterministically resolve the effective commit policy for one collection.