fix: CodeRabbit feedback + formal verification (proptest, snapshots, bug fixes)

[strawgate]

Summary

Addresses all late CodeRabbit feedback on PR #701 and adds a comprehensive formal verification layer discovered through research agent analysis.

CodeRabbit Fixes (PR #701 late feedback)

• worker_pool: MAX_ATTEMPTS off-by-one — was 5 total (1+4), now 4 total (1+3) as documented
• worker_pool: assert! now includes the actual max_workers value in the message
• worker_pool: debug_assert!(submit after drain) promoted to real runtime guard that rejects the batch via AckItem (preserves at-least-once invariant in release builds)
• worker_pool: RetryAfter delay reset bug — after a server-specified retry delay, we were doubling the exponential backoff counter; now reset to initial value
• worker_pool: num_rows + submitted_at added to AckItem — output latency metrics now reflect actual delivery time, not near-zero submission time
• worker_pool: Ack channel failures are now logged instead of silently discarded
• pipeline: record_batch() moved to apply_pool_ack() so metrics use real delivery latency
• elasticsearch: self.batch_buf.clone() → std::mem::replace — eliminates per-send buffer copy (0→64KB allocation per batch avoided)
• elasticsearch: debug_assert!(ends_with b"}\\n") → runtime Err — prevents silent usize underflow/truncate corruption in release builds
• .coderabbit.yaml: All 5 custom check instructions fields moved to docs/ci/*.md (fixes 10,000-char schema limit error)
• fanout + json_lines: impl OutputSink blocks moved above #[cfg(test)] modules (convention compliance)

Formal Verification Additions

Loki:

• Fix: timestamp overflow in sort_and_dedup_timestamps — checked_add with graceful truncation at u64::MAX instead of wrapping to 0
• New proptest: minimal-displacement invariant — N duplicate timestamps → N consecutive values [base, base+1, ..., base+N-1]
• New test: stream key encoding round-trip with special chars (=, ,, ", \) that were lossy in the old k=v,... format
• New unit test: overflow truncation behavior

Elasticsearch:

• 4 insta snapshot tests: basic multi-type batch, nullable columns, special char strings, all-null fields
• Snapshots committed to src/snapshots/ — CI fails if serialization format changes

Output lib (write_row_json):

• 5 property-based tests (proptest): valid JSON output, _int/_str/_float suffix stripping + round-trip, no internal newlines in NDJSON bulk format

Test plan

• cargo test -p logfwd-output -p logfwd — all pass (116 logfwd-output tests, 51 logfwd tests)
• cargo fmt — no changes
• cargo clippy — no warnings
• Snapshot tests committed with cargo insta accept

🤖 Generated with Claude Code

[coderabbitai]

Walkthrough

This PR moves extensive pre-merge rules out of .coderabbit.yaml into dedicated docs under docs/ci/ while leaving a concise pass/fail checklist in .coderabbit.yaml. It adds detailed CI/verification/maintainer guidance files, tightens crate-boundary rules, and updates testing/verification guidance. Code changes: elasticsearch serialization gains runtime validation and insta snapshots/proptests; JSON/NDJSON sinks and FanOut impls are reorganized; Loki timestamp deduplication now returns retained counts and handles u64::MAX truncation; and worker/pipeline types and metrics flow added submitted_at, num_rows, scan_ns, and transform_ns.

Possibly related PRs

• strawgate/memagent PR 701: Overlaps async output/worker-pool and sink changes (worker pool, elasticsearch/loki/fanout sink code).
• strawgate/memagent PR 688: Directly modified .coderabbit.yaml pre-merge checks that this PR refactors into docs and a short checklist.
• strawgate/memagent PR 416: Modified Pipeline::flush_batch metrics/ack semantics, related to this PR’s metric/timestamp/ack flow changes.

---

Caution

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

• Ignore

❌ Failed checks (3 errors, 2 warnings)

Check name	Status	Explanation	Resolution
High-Quality Rust Practices	❌ Error	New public struct fields added without doc comments explaining their purpose.	Add /// doc comments to all newly added public fields in WorkItem and AckItem structs explaining their purpose and when populated.
Formal Verification Coverage	❌ Error	PR modifies public functions (sort_and_dedup_timestamps, serialize_loki_json) and WorkItem/AckItem structs but provides no Kani proofs for changes.	Add Kani proofs with #[cfg(kani)] mod verification blocks; ensure proptest sets PROPTEST_CASES=2000; update dev-docs/VERIFICATION.md with proof coverage.
Crate Boundary And Dependency Integrity	❌ Error	New insta dependency in logfwd-output is not declared in workspace.dependencies root Cargo.toml, violating centralized dependency management requirement.	Add insta to [workspace.dependencies] in root Cargo.toml, then update logfwd-output to use insta = { workspace = true }.
Documentation Thoroughly Updated	⚠️ Warning	PR lacks required documentation updates for non-obvious bugs discovered and test coverage metrics.	Create dev-docs/DEVELOPING.md with timestamp overflow bug lesson, update VERIFICATION.md with new test counts, and document sort_and_dedup_timestamps signature change in DESIGN.md.
Maintainer Fitness	⚠️ Warning	Hot-path code optimization lacks before/after benchmark results from just bench to validate performance impact of mem::replace() memory optimization.	Add benchmark results demonstrating performance impact of elasticsearch buffer optimization and document any limitations or edge cases in PR description.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 10

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.coderabbit.yaml:
- Around line 39-49: Update the condensed exemption list in the instructions
block so it matches the full guide by adding BTreeMap back into the heap-heavy
exemption; specifically edit the instructions string that currently lists
"Vec/HashMap" to read "Vec/HashMap/BTreeMap" (or equivalent) so the rule in
.coderabbit.yaml aligns with docs/ci/formal-verification-coverage.md and does
not false-block heap-heavy uses of BTreeMap.
- Around line 27-33: The condensed "error" check in .coderabbit.yaml removed the
typestate escape hatch—update the "Pass if" / error-mode summary text to
explicitly preserve the exception that permits enum+match state machines when
the PR documents why the typestate pattern is impractical; edit the rule (the
"Pass if" block / "error" summary) to add a clause like "except when the PR
provides justification that typestate is impractical" or "unless justified in PR
with documentation", so the checker still allows documented exceptions while
keeping the other constraints (no vague .unwrap/.expect, avoid clones in hot
loops, SAFETY comments, doc comments, etc.).

In `@crates/logfwd-output/src/elasticsearch.rs`:
- Around line 984-1086: The tests currently exercise ElasticsearchSink via
make_sync_sink but not the async path that ElasticsearchSinkFactory /
ElasticsearchAsyncSink now implements (which injects `@timestamp` and uses the new
"}\n" line ending); add corresponding snapshots that construct an async
serializer (use ElasticsearchSinkFactory::new or instantiate
ElasticsearchAsyncSink) and run the same RecordBatch through its serialization
path, capturing the output buffer and asserting snapshots (e.g., mirror
snapshot_basic_multi_type_batch, snapshot_nullable_columns,
snapshot_special_char_strings, snapshot_all_null_fields but using
ElasticsearchAsyncSink/ElasticsearchSinkFactory), or instead refactor the common
serialization logic into a shared function (e.g., serialize_record_batch or
similar) and call that from both the sync and async tests so the new behavior is
covered.

In `@crates/logfwd-output/src/loki.rs`:
- Around line 75-89: The helper sort_and_dedup_timestamps currently truncates
entries on overflow but doesn't inform callers, causing send_batch/do_send to
report the original batch size and silently lose rows; change
sort_and_dedup_timestamps to return a Result<usize, Error> or at minimum the
retained count (e.g., Ok(retained_count)) instead of void, and update callers
(send_batch and do_send) to read that return value and either (a) subtract the
dropped count from the metrics reported or (b) treat the overflow as a rejected
batch and error out so metrics reflect actual payload; adjust signatures and
callers accordingly (sort_and_dedup_timestamps, send_batch, do_send) to
propagate the count/error and ensure recorded success/row counts match the
actual entries sent.

In `@crates/logfwd/src/pipeline.rs`:
- Around line 611-619: The ack path is zeroing scan_ns/transform_ns so
successful batches no longer contribute to
scan_nanos_total/transform_nanos_total; fix by propagating the timing values
with the WorkItem or recording them in flush_batch() instead of dropping them:
add scan_ns and transform_ns fields to the WorkItem created in the pool.submit
call ( alongside submitted_at ), populate them from record_batch() where they
are currently owned, and then in flush_batch()/the ack path use those fields to
update scan_nanos_total and transform_nanos_total (alternatively, call the
existing record logic from flush_batch() to record timings there rather than
hard-coding zeros ). Ensure references to WorkItem, record_batch, flush_batch,
submitted_at, scan_ns, transform_ns, scan_nanos_total, and transform_nanos_total
are updated consistently.

In `@crates/logfwd/src/worker_pool.rs`:
- Around line 175-196: The submit() path only checks self.cancel.is_cancelled(),
so after a graceful drain callers can still spawn new workers; add a boolean
flag (e.g. self.drained) that drain() sets to true for the normal/graceful
shutdown path and update submit() to reject when either
self.cancel.is_cancelled() or self.drained is true, using the same ack/error
handling used now (keep the eprintln and AckItem rejection logic). Also ensure
drain() sets self.drained = true in the graceful-drain branch (not just the
forced-timeout branch) so post-drain submissions are consistently rejected.
- Around line 417-429: The worker completion path discards the result of
ack_tx.send(AckItem { ... }) so if the receiver is closed we lose tickets
silently; update the WorkerMsg::Work completion block to check the Result from
ack_tx.send(...) and log a warning (including worker id, tickets, success,
num_rows, and submitted_at or the AckItem) when send returns Err so we get
diagnostics but don’t panic. Locate the send call in the WorkerMsg::Work branch
(after process_item(...) in worker_pool.rs) and replace the discarded send with
a match or if let Err(e) = ack_tx.send(ack). { log::warn!(target: "...", "ack
send failed for worker {}: error={:?}, ack={:?}", id, e, ack); } ensuring the
code compiles with the existing logging facility.

In `@docs/ci/crate-boundary-and-dependency-integrity.md`:
- Around line 52-64: The doc currently states Rule 4 as an absolute invariant
but the codebase still contains violations (e.g., test panic!() calls in
crates/logfwd-core/src/aggregator.rs and production .unwrap()s in
crates/logfwd-core/src/structural.rs); update the text in
docs/ci/crate-boundary-and-dependency-integrity.md to clarify that the deny
rules for clippy::unwrap_used, clippy::panic, and clippy::indexing_slicing are
review-enforced for new changes (or that existing violations must be cleaned up
before converting to compiler denies), and explicitly state that PRs introducing
new .unwrap(), panic!(), or unchecked slice indexing in logfwd-core will be
flagged and must use .get(i)? or .get(i).ok_or(Error::OutOfBounds)? instead.

In `@docs/ci/documentation-thoroughly-updated.md`:
- Around line 153-164: The docs claim all reference files are versioned, which
is inaccurate; update the paragraph in the References section to reflect current
practice: state that only Arrow and DataFusion files (e.g., arrow-v54.md,
datafusion-v45.md) are versioned today while other guides
(tokio-async-patterns.md, opentelemetry-otlp.md, kani-verification.md,
notify-memchr-zstd.md) are maintained without versioned filenames; instruct
reviewers to consult dev-docs/references/ for the appropriate file (listing the
example files) and remove the requirement to rename non-versioned files on major
dependency bumps.

In `@docs/ci/formal-verification-coverage.md`:
- Around line 31-37: Update the coverage guideline to require explicit
state-machine invariant proofs for aggregator.rs: stateful protocol handling of
P/F flags and aggregation MUST include Kani proofs that invariants hold across
all transitions (e.g., add a proof like verify_aggregator_state_invariants that
exercises state transitions via kani::any() inputs over bounded traces/slices),
in addition to the existing no-panic (verify_<fn>_no_panic) and oracle guidance;
reference the aggregator.rs module and suggest using bounded trace length and
symbolic inputs to exhaustively check transition invariants for every state and
transition.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: 644c7bc0-24da-4493-aac4-b8584ce3a409

📥 Commits

Reviewing files that changed from the base of the PR and between 8486bf8 and 26a0c97.

⛔ Files ignored due to path filters (5)

• Cargo.lock is excluded by !**/*.lock
• crates/logfwd-output/src/snapshots/logfwd_output__elasticsearch__snapshot_tests__all_null_fields.snap is excluded by !**/*.snap
• crates/logfwd-output/src/snapshots/logfwd_output__elasticsearch__snapshot_tests__basic_multi_type.snap is excluded by !**/*.snap
• crates/logfwd-output/src/snapshots/logfwd_output__elasticsearch__snapshot_tests__nullable_columns.snap is excluded by !**/*.snap
• crates/logfwd-output/src/snapshots/logfwd_output__elasticsearch__snapshot_tests__special_char_strings.snap is excluded by !**/*.snap

📒 Files selected for processing (14)

• .coderabbit.yaml
• crates/logfwd-output/Cargo.toml
• crates/logfwd-output/src/elasticsearch.rs
• crates/logfwd-output/src/fanout.rs
• crates/logfwd-output/src/json_lines.rs
• crates/logfwd-output/src/lib.rs
• crates/logfwd-output/src/loki.rs
• crates/logfwd/src/pipeline.rs
• crates/logfwd/src/worker_pool.rs
• docs/ci/crate-boundary-and-dependency-integrity.md
• docs/ci/documentation-thoroughly-updated.md
• docs/ci/formal-verification-coverage.md
• docs/ci/high-quality-rust-practices.md
• docs/ci/maintainer-fitness.md

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Snapshot the async Elasticsearch serializer too.

All four new tests build ElasticsearchSink, but the default single-output Elasticsearch path goes through ElasticsearchSinkFactory/ElasticsearchAsyncSink. That async serializer is the code changed above, and it adds behavior these snapshots never exercise (@timestamp injection plus the new }\n invariant). Either snapshot the async sink as well, or extract one shared serializer and test that directly.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/logfwd-output/src/elasticsearch.rs` around lines 984 - 1086, The tests
currently exercise ElasticsearchSink via make_sync_sink but not the async path
that ElasticsearchSinkFactory / ElasticsearchAsyncSink now implements (which
injects `@timestamp` and uses the new "}\n" line ending); add corresponding
snapshots that construct an async serializer (use ElasticsearchSinkFactory::new
or instantiate ElasticsearchAsyncSink) and run the same RecordBatch through its
serialization path, capturing the output buffer and asserting snapshots (e.g.,
mirror snapshot_basic_multi_type_batch, snapshot_nullable_columns,
snapshot_special_char_strings, snapshot_all_null_fields but using
ElasticsearchAsyncSink/ElasticsearchSinkFactory), or instead refactor the common
serialization logic into a shared function (e.g., serialize_record_batch or
similar) and call that from both the sync and async tests so the new behavior is
covered.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Submit-after-drain rejection still misses the clean-drain case.

submit() only checks self.cancel.is_cancelled(), but drain() sets that token only on the timeout/forced-shutdown path. After a graceful drain, a later submit() can spawn fresh workers again instead of rejecting the batch, so the new runtime guard does not actually cover normal post-drain use.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/logfwd/src/worker_pool.rs` around lines 175 - 196, The submit() path
only checks self.cancel.is_cancelled(), so after a graceful drain callers can
still spawn new workers; add a boolean flag (e.g. self.drained) that drain()
sets to true for the normal/graceful shutdown path and update submit() to reject
when either self.cancel.is_cancelled() or self.drained is true, using the same
ack/error handling used now (keep the eprintln and AckItem rejection logic).
Also ensure drain() sets self.drained = true in the graceful-drain branch (not
just the forced-timeout branch) so post-drain submissions are consistently
rejected.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

crates/logfwd/src/worker_pool.rs (1)

183-206: ⚠️ Potential issue | 🟠 Major

Submit-after-drain still allows new workers after graceful shutdown.

The check at line 183 only guards against the forced-cancel path. After drain() completes gracefully (no timeout), self.cancel.is_cancelled() returns false, and subsequent submit() calls will spawn fresh workers via lines 234-240.

A self.drained: bool flag set at the end of drain() (both branches) would close this gap.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/logfwd/src/worker_pool.rs` around lines 183 - 206, The
submit-after-drain bug: add a self.drained: bool field to WorkerPool, set it
true at the end of drain() in both the timeout and graceful-complete branches,
and have submit() check this flag in addition to self.cancel.is_cancelled()
(e.g. if self.drained { reject/ack as before }) to prevent spawn of new workers
after a successful graceful drain; ensure access to self.drained is synchronized
the same way other state is (or updated while holding the existing lock) and
reuse the same rejection/ack logic used when cancel.is_cancelled() is true.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/ci/crate-boundary-and-dependency-integrity.md`:
- Around line 20-22: The fenced code block showing the cargo build command lacks
a language identifier; update the markdown in
docs/ci/crate-boundary-and-dependency-integrity.md by adding a language tag
(e.g., "shell" or "bash") to the opening triple-backtick for the block
containing "cargo build -p logfwd-core --target thumbv6m-none-eabi" so the block
becomes a fenced code block with an explicit language identifier.

---

Duplicate comments:
In `@crates/logfwd/src/worker_pool.rs`:
- Around line 183-206: The submit-after-drain bug: add a self.drained: bool
field to WorkerPool, set it true at the end of drain() in both the timeout and
graceful-complete branches, and have submit() check this flag in addition to
self.cancel.is_cancelled() (e.g. if self.drained { reject/ack as before }) to
prevent spawn of new workers after a successful graceful drain; ensure access to
self.drained is synchronized the same way other state is (or updated while
holding the existing lock) and reuse the same rejection/ack logic used when
cancel.is_cancelled() is true.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: 6283629f-0c27-4eff-a8c9-01b1aa37c088

📥 Commits

Reviewing files that changed from the base of the PR and between 26a0c97 and 109eed4.

📒 Files selected for processing (7)

• .coderabbit.yaml
• crates/logfwd-output/src/loki.rs
• crates/logfwd/src/pipeline.rs
• crates/logfwd/src/worker_pool.rs
• docs/ci/crate-boundary-and-dependency-integrity.md
• docs/ci/documentation-thoroughly-updated.md
• docs/ci/formal-verification-coverage.md

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Add language identifier to fenced code block.

Static analysis flags MD040: fenced code blocks should have a language specified.

Suggested fix

-```
+```shell
 cargo build -p logfwd-core --target thumbv6m-none-eabi

</details>

<!-- suggestion_start -->

<details>
<summary>📝 Committable suggestion</summary>

> ‼️ **IMPORTANT**
> Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

```suggestion

🧰 Tools

🪛 markdownlint-cli2 (0.22.0)

[warning] 20-20: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/ci/crate-boundary-and-dependency-integrity.md` around lines 20 - 22, The
fenced code block showing the cargo build command lacks a language identifier;
update the markdown in docs/ci/crate-boundary-and-dependency-integrity.md by
adding a language tag (e.g., "shell" or "bash") to the opening triple-backtick
for the block containing "cargo build -p logfwd-core --target
thumbv6m-none-eabi" so the block becomes a fenced code block with an explicit
language identifier.