Replication Module
Implements single-primary, multi-replica replication via WAL streaming.
§Architecture
- Primary: accepts writes and streams WAL records to replicas
- Replica: read-only, connects to primary for WAL streaming
- Initial sync via snapshot transfer, then incremental WAL
§Usage
```rust
// Primary
let options = RedDBOptions::persistent("./primary-data")
    .with_replication(ReplicationConfig::primary());

// Replica
let options = RedDBOptions::persistent("./replica-data")
    .with_replication(ReplicationConfig::replica("http://primary:50051"));
```
Modules§
- `bookmark` - Causal bookmark token helpers.
- `cascade` - Cascading replication for async read-replicas (issue #838, PRD #819).
- `cdc` - Change Data Capture (CDC) — stream of database change events.
- `commit_policy` - Primary commit policies (PLAN.md Phase 11.4).
- `commit_waiter` - Synchronous commit waiter (PLAN.md Phase 11.4 — `ack_n`).
- `election` - Term-based, quorum-gated automatic election (issue #834, PRD #819, ADR 0030).
- `failover` - Coordinated zero-RPO failover (issue #833, PRD #819).
- `fence` - Stale-term fencing for a returning ex-primary (issue #835, PRD #819, ADR 0030).
- `flow_control` - Write-admission flow control keyed on in-quorum replica lag (issue #826).
- `lease` - Serverless writer lease (PLAN.md Phase 5 / W6).
- `logical` - Logical replication helpers shared by replica apply and point-in-time restore.
- `primary` - Primary-side replication: WAL record production and snapshot serving.
- `quorum` - Quorum-based commit coordination (Phase 2.6 multi-region PG parity).
- `replica` - Replica-side replication: connects to primary, consumes WAL records.
- `rollback` - Auto-rollback of a deposed primary to the common point (issue #840, PRD #819, ADR 0030).
- `scheduler` - Backup Scheduler — automatic periodic snapshots with optional remote upload.
- `swap_db` - Stay-readable re-bootstrap with an atomic dataset swap (issue #837, PRD #819).
- `topology_advertiser` - Server-side `TopologyAdvertiser` (issue #167).
- `witness` - Witness runtime profile (issue #836, PRD #819, ADR 0030).
Structs§
- `CascadeRelay` - Tracks the sub-replica slots an intermediate holds and the frontiers that must propagate through the chain. Pure bookkeeping — the forwarding transport calls into it to decide what to send and what to advertise upstream.
- `CascadeUpstream` - An intermediate replica a sub-replica may cascade from.
- `CausalBookmark`
- `CommitWaiter`
- `DivergentTail` - The divergent tail removed from the live timeline: the records in `(common_point_lsn, to_lsn]` that never reached quorum.
- `DownstreamSlot` - A sub-replica slot held by an intermediate.
- `ElectionCoordinator` - The quorum-gated election state machine.
- `ElectionRequest` - A request to run an election on behalf of `candidate`.
- `FailoverCoordinator` - The coordinated zero-RPO failover state machine.
- `FailoverNode` - A node participating in a failover.
- `FailoverOutcome` - The result of a completed handover.
- `FailoverRequest` - A request to hand the primary role from `old_primary` to `target`.
- `FileLastVoteStore` - File-backed last-vote store. Persists the record alongside the node’s other durable replication state. The write is atomic (temp file + rename) so a crash mid-write never yields a torn record — either the old vote or the new one survives, never a half of each.
- `FileTermStore` - File-backed term store. Persisted with the atomic temp-file + rename + parent-dir fsync discipline used for the durable last-vote (`super::FileLastVoteStore`) so a crash mid-write never yields a torn record and an adopted term cannot be silently lost.
- `FlowController` - Ticket-based write-admission flow controller.
- `LagConfig` - Knobs for the lag/health computation. Kept as a small struct so the call sites (gRPC `topology` RPC, RedWire HelloAck builder) thread the same defaults without each one redeclaring constants.
- `LastVote` - A node’s durable voting record: the highest term it has participated in and who, if anyone, it granted that term. Persisted so a restart cannot erase the fact that a vote was already cast (requirement 2).
- `LeaseStore` - Wraps an `AtomicRemoteBackend` with lease primitives. The lease object is stored under a deterministic key derived from `database_key`; the store reads/writes that one key.
- `Member` - A cluster member as seen by the supervisor’s membership view.
- `MemoryLastVoteStore` - In-memory last-vote store for tests and witnesses that do not need cross-restart durability. (A witness should still persist in production; the file store is used there.)
- `MemoryTermStore` - In-memory term store for tests and ephemeral nodes.
- `QuorumConfig` - Quorum configuration stored alongside `ReplicationConfig`.
- `QuorumCoordinator` - Tracks per-replica region bindings and pairs them with the primary’s ack map. `PrimaryReplication` owns the WAL buffer + `ReplicaState` list; this coordinator adds the region dimension and the wait-for-quorum logic without duplicating the ack table.
- `RebootstrapInProgress` - A causal read was requested while the node is re-bootstrapping.
- `ReplicationConfig` - Configuration for replication.
- `RoleAssignment` - Post-handover roles of the two nodes, used to assert that the new primary advertises the new term and the old primary streams as a replica (issue #833 criterion 3).
- `RollbackCoordinator` - The deposed-primary auto-rollback state machine.
- `RollbackEvent` - The loud operator event payload describing a completed rollback, handed to `RollbackTransport::emit_rollback_event`. Mirrors `crate::telemetry::operator_event::OperatorEvent::DeposedPrimaryRollback` so the production transport can forward it verbatim while a test transport can capture it.
- `RollbackOutcome` - The result of a completed rejoin.
- `RollbackPlan` - The computed, side-effect-free rollback plan. Splitting this out lets the boundary invariant be asserted without driving any transport.
- `RollbackRequest` - A request to auto-rollback a deposed primary to the common point and rejoin it as a replica.
- `StaleTermFenced` - Why the term fence refused a message: the incoming term is behind the current term, so the sender is a deposed primary on a superseded timeline.
- `SwapDb` - A dataset that stays readable across an atomic re-bootstrap swap.
- `TailRecord` - A single record from the divergent tail that is about to be discarded.
- `TermFence` - The stale-term fence. Wraps a durable `TermStore` and applies the term rule at the apply and handshake boundaries.
- `TopologyAdvertiser` - Server-side advertiser. Zero-sized — all state is threaded through `advertise()`’s arguments so callers control the snapshot semantics.
- `TopologyAuthGate` - Predicate over the caller’s auth context — answers “does this principal have `cluster:topology:read`?”.
- `VoteRequest` - A request for a vote, sent by a candidate to a voter.
- `Voter` - A voting member. Wraps the durable `LastVoteStore` and applies the vote rule. The voter is the seat of correctness: the watermark rule and the durable double-vote guard both live here.
- `WitnessSupervisor` - A booted witness node: the control-plane supervisor with no data plane.
- `WriterLease` - One snapshot of who owns the writer lease for a database key.
Enums§
- `Admission` - Outcome of a write-admission attempt.
- `AwaitOutcome`
- `BookmarkDecodeError`
- `CascadeRefusal` - Why a requested cascade source was refused and the node fell back to the primary. Surfaced (not swallowed) so a misconfiguration is observable rather than a silent performance cliff.
- `CommitPolicy`
- `ElectionOutcome` - The result of an election attempt.
- `FailoverError` - Why a coordinated failover could not complete without losing writes.
- `FailoverMode` - How a failover should be executed.
- `FenceBoundary` - The boundary at which a term-stamped message is being admitted. Only affects diagnostics — the term rule is identical at both.
- `FenceVerdict` - The verdict of the term fence for one incoming term-stamped message.
- `LastVoteError`
- `LeaseError`
- `MemberKind` - Whether a member holds data (and can therefore be promoted to primary) or is a vote-only witness (ADR 0030 — “a node that runs only the supervisor module”).
- `NodeRole` - The replication role a node plays after a failover step.
- `QuorumError` - Errors raised by the quorum coordinator. The write itself succeeded on the primary WAL — these errors signal that replica acknowledgement did not reach quorum and the caller must decide whether to surface the failure or continue anyway.
- `RefusalReason` - Why a voter refused a candidate.
- `ReplicaClass` - How a node chooses its WAL upstream.
- `ReplicationRole` - Role of this RedDB instance in a replication cluster.
- `RollbackError` - Why an auto-rollback could not complete.
- `RuntimeProfile` - Which planes a node boots.
- `TermStoreError` - Error reading or persisting the durable current term.
- `UpstreamChoice` - Where a node should open its WAL stream.
- `VoteDecision` - The outcome of a voter considering a `VoteRequest`.
- `VotingState` - Whether a member currently participates in voting.
Constants§
- `DEFAULT_REPLICATION_TERM`
- `DEFAULT_REPLICA_TIMEOUT_MS` - Default replica heartbeat timeout used when an operator hasn’t configured one explicitly. Matches the order of the `poll_interval_ms` default in `ReplicationConfig` (100 ms) multiplied by a generous fudge factor — five seconds without an ack flips a replica to `healthy: false`. Operators tune this via `LagConfig`.
- `DEFAULT_SLOT_IDLE_TIMEOUT_MS`
- `DEFAULT_SLOT_RETENTION_MAX_LAG_LSN`
- `TOPOLOGY_READ_CAPABILITY` - Capability name from ADR 0008 §1.
Traits§
- `ElectionTransport` - Cluster operations the candidate drives, injected so the state machine stays pure and deterministically testable. Production backs these onto the membership view, the per-peer vote RPC, the durable term store, and the FAILOVER handover; tests back them onto a scripted fake.
- `FailoverTransport` - Cluster mutations and the clock the coordinator drives, injected so the state machine stays pure and deterministically testable.
- `LastVoteStore` - Durable store for a node’s last vote. The contract is narrow on purpose: `load` returns the persisted record (or the default `term 0, voted_for None` when nothing was ever written), and `persist` makes a record durable before the caller acknowledges a grant.
- `RollbackTransport` - Side effects the rollback coordinator drives, injected so the state machine stays pure and deterministically testable.
- `TermStore` - Durable store for a node’s current replication term. The default (when nothing was ever written) is `DEFAULT_REPLICATION_TERM`, matching the term records carry before any failover.
Functions§
- `plan_upstream` - Decide where a node streams from, given its streaming class and an optionally-requested intermediate source.
- `quorum_threshold` - Quorum threshold for a set of members: a strict majority of the voting members. Witnesses count; catching-up replicas do not.
- `randomized_election_timeout` - A randomized election timeout in `[base, base + jitter)`.