Serverless writer-lease state machine.
Single owner of the {acquire, refresh, refresh_failed, lost_race, release} transitions. Centralises the side-effects that must
happen together so the WriteGate lease state and the
AuditLogger lease/* records can never drift out of sync.
Before this module those transitions lived inline in
lease_loop::spawn_refresh_thread and in
handlers_admin::handle_admin_failover_promote, with each
caller manually pairing write_gate.set_lease_state(...) and
audit_log.record("lease/..."). Four call sites, four chances
for drift.
Test surface:
- Construct with stand-alone WriteGate + AuditLogger.
- Inject a MarkDraining callback (production wires it to Lifecycle::mark_draining).
- Drive transitions; assert gate state + audit lines together.
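The pairing and the test surface described above, as an added sketch that is not the crate's own code. The WriteGate, AuditLogger and LeaseLifecycle bodies are stand-ins, and the LeaseState variants, the Transition enum, the apply and drive functions, the exact lease/* record names, and the choice that both loss transitions request a drain are assumptions.

```rust
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::{Arc, Mutex};
// Stand-ins for the crate's types; the real signatures are not on the page.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum LeaseState { Unheld, Held, Lost }
pub struct WriteGate(Mutex<LeaseState>);
impl WriteGate {
    pub fn set_lease_state(&self, s: LeaseState) { *self.0.lock().unwrap() = s; }
    pub fn lease_state(&self) -> LeaseState { *self.0.lock().unwrap() }
}
pub struct AuditLogger(Mutex<Vec<String>>);
impl AuditLogger {
    pub fn record(&self, event: &str) { self.0.lock().unwrap().push(event.to_string()); }
    pub fn lines(&self) -> Vec<String> { self.0.lock().unwrap().clone() }
}
pub type MarkDraining = Box<dyn Fn() + Send + Sync>;
#[derive(Clone, Copy)]
pub enum Transition { Acquire, Refresh, RefreshFailed, LostRace, Release }

pub struct LeaseLifecycle { gate: Arc<WriteGate>, audit: Arc<AuditLogger>, drain: MarkDraining }
impl LeaseLifecycle {
    /// Single writer of gate state and lease/* records, so the two cannot drift.
    pub fn apply(&self, t: Transition) {
        // Assumed mapping: both loss transitions close the gate and request a drain.
        let (state, event, lost) = match t {
            Transition::Acquire => (LeaseState::Held, "lease/acquire", false),
            Transition::Refresh => (LeaseState::Held, "lease/refresh", false),
            Transition::RefreshFailed => (LeaseState::Lost, "lease/refresh_failed", true),
            Transition::LostRace => (LeaseState::Lost, "lease/lost_race", true),
            Transition::Release => (LeaseState::Unheld, "lease/release", false),
        };
        self.gate.set_lease_state(state);
        self.audit.record(event);
        if lost { (self.drain)(); }
    }
}

/// Test-surface helper: stand-alone gate + logger, recorder callback, drive, observe.
pub fn drive(steps: &[Transition]) -> (LeaseState, Vec<String>, usize) {
    let gate = Arc::new(WriteGate(Mutex::new(LeaseState::Unheld)));
    let audit = Arc::new(AuditLogger(Mutex::new(Vec::new())));
    let drains = Arc::new(AtomicUsize::new(0));
    let counter = drains.clone();
    let drain: MarkDraining = Box::new(move || { counter.fetch_add(1, Ordering::SeqCst); });
    let lc = LeaseLifecycle { gate: gate.clone(), audit: audit.clone(), drain };
    for &t in steps { lc.apply(t); }
    (gate.lease_state(), audit.lines(), drains.load(Ordering::SeqCst))
}
fn main() { println!("{:?}", drive(&[Transition::Acquire, Transition::LostRace])); }
```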
Structs§
- LeaseLifecycle - Drives the serverless writer lease for one database key.
Functions§
- admin_promote_lease - Admin-driven failover promotion: acquire the writer lease as a
stand-alone action without flipping the local gate. The instance
stays a Replica until the operator restarts it as primary; the gate flip is
deliberately left out so an unintended promotion can’t accept writes mid-process.
Type Aliases§
- MarkDraining - Callback the lifecycle uses to ask the surrounding runtime to
drain when the lease is lost. Production wires it to
Lifecycle::mark_draining. Tests pass a recorder.