feat(sync): graceful cooldowns for 429 fair-use + backend-busy stale-fails; surface the reason, back off, and log why

[mdmohsin7]

Problem

Two distinct backend conditions both manifested as the same alarming amber "Couldn't process — retrying" on every recording, with users tapping Retry forever and amplifying the storm. The chain was the same in both cases: the client treated transient-but-systemic backend signals as content failures, burned each recording's retry budget, and never told the user or itself what was actually happening.

(1) Fair-use throttling (HTTP 429) — a user draining a multi-day offline backlog past their fair-use cap got the cap enforced (~474× 429 in 48h in Cloud Run for one user). uploadLocalFilesV2 mapped 429 to a generic Exception('Rate limited or budget exhausted') and auto-sync's catch — which already excludes SocketException — didn't exclude 429. So every throttle bumped retryCount and the app re-fired uploads every minute with no backoff.

(2) Backend-busy stale-guard fails — when backend-sync's storage/postprocess pools are saturated (storage 96/96 + 29 queued, postprocess 24/24 + 80 queued observed), uploads are accepted (202), assigned a jobId, and sit in queued server-side. After 10 min the server's stale guard in database/sync_jobs.py:get_sync_job rewrites the status to failed with the misleading message "Job timed out (background worker likely died)" — but no worker died, none was available. The reconciler reads failed, reverts the WAL, bumps retry. User taps Retry → new job → also queued → same fate → retry budget exhausted → red "Failed". Reproduced and confirmed end-to-end via reporter's reconcile_poll / reconcile_revert log breadcrumbs (added in this PR). Separate backend issue opened: #7469.

Fix

Surface the real reason, back off instead of hammering

• uploadLocalFilesV2 throws a typed SyncRateLimitedException on 429, parsing Retry-After.
• SyncRateLimiter (new, persisted, app-global) holds a cooldown timestamp + a RateLimitReason (rateLimit | backendBusy). extends ChangeNotifier so SyncProvider rebuilds the UI the moment the gate flips.
• Every upload entry point checks the cooldown and skips while active: auto-sync _syncSingleWal, batch syncAll (gates entry, breaks the loop on 429 mid-batch), single syncWal. syncWals/syncWal at the provider level early-return when limited — no more "Cancel pill flashes then resets". Any successful upload clears the cooldown.
• 429 no longer bumps retryCount — treated like SocketException (transient throttle, not content failure). Side-effect: rows that would have flipped to amber "Couldn't process — retrying" stay calm grey "Waiting to sync" automatically — no new per-row state needed.

Backend-busy detection (new in this PR)

• Reconciler's failed/partial_failure branch detects the specific "background worker likely died" error from the server's stale guard and treats it as backend capacity, not a content failure:
  • WAL reverts to miss without bumping retryCount.
  • Triggers a 10-min cooldown via SyncRateLimiter with reason: backendBusy.
• Status cards (auto-sync + manual) read SyncProvider.rateLimitReason and pick distinct, calm copy:
  • backendBusy → "Omi servers are busy — your recordings will sync once capacity returns".
  • rateLimit → "Fair-use limit reached — syncing will resume automatically".
• Spinner is hidden in the rate-limited state on both cards so the card reads unambiguously as paused (per-row "Uploaded · processing on Omi" still shows the in-flight server work on the WALs that uploaded before the limit hit).

Observability (the gap that prevented diagnosis before)

The reconciler used to silently break on transient / non-terminal and silently revert on failed/notFound — the server's status, error, failedSegments were received but discarded. With "Log to file" on in Settings → Developer, you now get the actual cause in a shareable log:

• fetchSyncJobStatus logs the HTTP status code when non-200 (so 429-on-the-GET, 5xx, etc. are visible — answers "why is the WAL stuck on 'Processing on Omi'?").
• reconcileUploadedWals emits reconcile_poll for every per-job outcome (transient / non-terminal-queued / non-terminal-processing / completed) and reconcile_revert on the notFound and failed/partial_failure branches with the server's status, error, failedSegments/totalSegments, the post-bump retryCount, and backendBusy / retryCountBumped flags.

This is how the reporter's stuck-recordings case was actually diagnosed — the breadcrumbs lined up with the server's "background worker likely died" error at the 10-minute mark, leading to the backend-busy fix above.

Files

Area	File	Change
Gate (new)	app/lib/services/wals/sync_rate_limiter.dart	New SyncRateLimiter, persisted, ChangeNotifier, with RateLimitReason
HTTP	app/lib/backend/http/api/conversations.dart	Typed SyncRateLimitedException, Retry-After parser, HTTP-status log on non-200 GET
Barrels	app/lib/services/wals.dart, app/lib/services/wals/wal_interfaces.dart	Export the limiter + the exception
Engine	app/lib/services/wals/local_wal_sync.dart	Gate syncAll, typed 429 catch in batch + single paths, backend-busy detection in reconciler, per-job poll / revert logging
Provider	app/lib/providers/sync_provider.dart	Listens to limiter; syncWals/syncWal early-return when limited; expose isRateLimited / rateLimitedUntil / rateLimitReason
Auto-sync	app/lib/providers/capture_provider.dart	Gate _syncSingleWal, typed 429 catch (no retryCount bump), clear on success
UI	app/lib/pages/conversations/auto_sync_page.dart, app/lib/pages/conversations/sync_page.dart	"Fair-use limit reached" / "Omi servers are busy" branches selected by reason; spinner hidden while paused; pill hidden so taps don't no-op
l10n	app/lib/l10n/app_en.arb + 48 locales + codegen	Two new keys (syncCardRateLimited, syncCardBackendBusy)

Out of scope (explicit follow-ups)

• Backend fix for the stale guard mis-flagging healthy queued jobs and for capacity: tracked in sync-job stale guard incorrectly marks healthy queued jobs as 'failed' (background-busy is mislabelled) #7469 (cc @beastoin). The client mitigation here is pattern-matching a server error string; the right fix is server-side. Lays out: distinguish queued vs processing in the stale guard, fix the misleading error string, scale the saturated pools, and add observability (log stale-guard rewrites, include UID in POST 202 accept logs).
• Reconciler staleness bound for the different "stuck on Processing on Omi" case where the status GET is unreachable (429'd, 5xx'd) so WALs sit uploaded indefinitely. Sketched earlier; not in this PR.
• Manual sync_page's full integration with feat(sync): redesign manual sync page (sync_page) to match auto-sync; fix 'stuck' processing perception #7449 already merged — this PR's branch carries the merge.

Verification

• flutter analyze clean on every touched file (the warnings shown for other files are pre-existing).
• flutter gen-l10n → zero untranslated.
• Reporter ran the simulate path and the dev log shows the full reconcile-poll/revert breadcrumbs matching the expected flow; the WALs stop showing as "Couldn't process — retrying" when the server returns the stale-guard error.

🤖 Generated with Claude Code

[mdmohsin7]

@greptile-apps review

[greptile-apps]

Greptile Summary

This PR addresses two distinct backend conditions (HTTP 429 fair-use throttling and backend-busy stale-guard failures) that were both surfacing as alarming "Couldn't process — retrying" states, burning the per-recording retry budget with no backoff. It introduces a persisted, app-global SyncRateLimiter singleton that gates all upload entry points, distinguishes the two failure modes with typed exceptions and RateLimitReason, and surfaces calm, reason-specific copy in both the auto-sync and manual-sync status cards.

• SyncRateLimiter (new): A ChangeNotifier singleton backed by SharedPreferences; markLimited / clear are called at all three upload sites (syncAll, _syncSingleWal, single WAL). The reconciler's failed branch detects the server's stale-guard error string and triggers a 10-min backendBusy cooldown without bumping retryCount.
• Observability: fetchSyncJobStatus now logs HTTP status on non-200; the reconciler emits reconcile_poll / reconcile_revert breadcrumbs with job ID, WAL IDs, server error, and bump flags.
• l10n: Two new string keys (syncCardRateLimited, syncCardBackendBusy) added to all 48 locales via code-gen.

Confidence Score: 3/5

Safe to merge after fixing the missing removeListener in SyncProvider.dispose — without it, any upload activity after the provider is disposed will trigger a Flutter assertion error in debug builds and a memory leak in release builds.

The core rate-limiting and backoff logic is well-structured and the observability additions are valuable. The missing removeListener in SyncProvider.dispose is the one concrete defect that would reliably fire whenever uploads happen after navigation. The backend-busy string-match fragility and uncapped retryAfterSeconds are worth noting but do not block the happy path.

app/lib/providers/sync_provider.dart needs the removeListener fix; app/lib/services/wals/local_wal_sync.dart and app/lib/services/wals/sync_rate_limiter.dart have the lower-priority concerns around string-matching fragility and the missing retryAfter cap.

Important Files Changed

Filename	Overview
app/lib/providers/sync_provider.dart	Adds isRateLimited/rateLimitReason getters and early-returns; missing removeListener in dispose causes a use-after-dispose error and memory leak.
app/lib/services/wals/sync_rate_limiter.dart	New singleton SyncRateLimiter persisted via SharedPreferences; solid design but no cap on server-supplied retryAfterSeconds.
app/lib/services/wals/local_wal_sync.dart	Adds rate-limit gate, typed 429 catch with batch-break, backend-busy detection via fragile string match, and detailed reconciler logging.
app/lib/backend/http/api/conversations.dart	Adds typed SyncRateLimitedException, Retry-After parser, and HTTP-status debug logging on non-200 job-status fetches — clean and self-contained.
app/lib/providers/capture_provider.dart	Auto-sync path gates on rate limiter before upload and handles SyncRateLimitedException without bumping retry count; correct and symmetric with batch path.
app/lib/pages/conversations/auto_sync_page.dart	Hides spinner and action pill in rate-limited state; shows distinct copy for backendBusy vs rateLimit reason.
app/lib/pages/conversations/sync_page.dart	Manual sync card mirrors auto-sync rate-limited UI branch consistently.

Comments Outside Diff (2)

1. app/lib/providers/sync_provider.dart, line 636-644 (link)

   Missing removeListener for SyncRateLimiter in dispose

   The constructor registers notifyListeners as a listener on the long-lived SyncRateLimiter.instance singleton, but dispose never calls SyncRateLimiter.instance.removeListener(notifyListeners). After SyncProvider is disposed (e.g., after navigating away), any subsequent markLimited() or clear() call on the singleton will call notifyListeners() on the dead provider — triggering a FlutterError: A [_ChangeNotifier] was used after being disposed assertion in debug mode and a memory leak in release mode.

2. app/lib/providers/sync_provider.dart, line 637-643 (link)

   Add the matching removeListener call so the disposed provider is not kept alive through the singleton's listener list.

_{Reviews (1): Last reviewed commit: "chore(l10n): regenerate AppLocalizations..." | Re-trigger Greptile}

[greptile-apps]

Fragile string-match for backend-busy detection

The backendBusy path matches the exact literal "background worker likely died" from the server's stale guard. If the backend message is ever rephrased or the error key changes (it currently says the error string is misleading per issue #7469), detection silently reverts to treating the failure as a content failure, bumping retryCount and eventually showing "Failed" — the exact bad behavior this PR fixes. Worth extracting as a named constant or adding a secondary signal (e.g., s.status == 'failed' with empty failedSegments) so a server-side rename is easy to track down.