maybe_synthesize_recovery_completion

nixfleet_control_plane::runtime::reducer

Function maybe_synthesize_recovery_completion 

Source 
async fn maybe_synthesize_recovery_completion(
    state: &Arc<AppState>,
    clock: &ClockHandle,
    event_log_tx: &EventLogTx,
    rs: &mut ReducerState,
    host: &str,
    agent_current: &str,
    at: DateTime<Utc>,
)
Expand description

Scan active host_rollout_records for host; for each record whose observed closure on the wire identifies a missed transition, synthesize the event chain that advances the row to a state consistent with the agent’s reality. Idempotent: if the state has already advanced (e.g. concurrent agent emit), the record won’t match and the synthesis is a no-op.

LOADBEARING: this is the CP-side half of architecture.md §305 acceptance gate 1 (“destroying the CP database and rebuilding from empty state results in full fleet visibility within one reconcile cycle, with zero operator intervention beyond restarting the service”). The agent’s heartbeat carries current_closure on every tick; CP rebuilds soft-state HRR rows from those inputs.

Four reachable recovery cases:

  • Activating + current == target: agent restarted mid-rollout, post-boot observed the activation took. Synthesise RemoteActivationCompleted.
  • Deferred + current == target: operator rebooted to finish a critical-component activation. Same synthesis.
  • Pending + current == target: CP itself was wiped, the planner re-opened the rollout in Pending, but the agent has been running the target closure all along. Synthesise the full RemoteDispatchAck → RemoteActivationCompleted → RemoteConverged chain. RemoteConverged’s soak-elapsed invariant is satisfied by stamping converged_at = max(at, record.soak_due_at) — the soak window’s purpose (give probes time to fail) was exercised pre-wipe. Gated by evaluate_synth_gates so a fleet bump that opens a Pending row for a host whose closure already matches doesn’t bypass channel-edges or wave-promotion ordering.
  • Failed + current == current_closure_at_dispatch: the rollback’s switch-to-configuration restarted the agent mid-VerifyPoll, dropping LocalRollbackCompleted. Synthesise RemoteRollbackComplete on the heartbeat that observes the rolled-back closure; the canonical Failed reducer arm (failed.rs::RemoteRollbackComplete) produces the quarantine
    • event_log + transition effects.