fix(async): pack of fixes for async engine under degraded providers

[andreatgretel]

📋 Summary

Fixes the async engine's tendency to abandon entire runs (returning 0 records) when the provider is degraded. The root cause was the early-shutdown gate counting retryable errors (timeouts, transient 5xx, connection blips) toward its trip threshold, then leaving partially-completed row groups un-checkpointed. This PR keeps the gate as a circuit-breaker for genuine structural failures (auth, schema, code bugs) but stops it from firing under transient provider stress, where salvage rounds can recover.

The set of changes also closes a few smaller correctness gaps along the way: CustomColumnGenerator was stripping retryability from wrapped exceptions, the sync-to-async bridge raised a non-retryable stdlib TimeoutError, and the throttle's consecutive_429s counter wasn't being reset on non-rate-limit failures.

Replaces #578 (~921 lines, cooldown-queue rabbit hole) with a focused fix (~830 lines including tests) that addresses the actual failure mode observed in production runs.

🔗 Related Issue

Closes #575

🔄 Changes

🐛 Fixed

• Exclude retryable errors from the early-shutdown gate (`b746f2e6`). Sliding-window error rate now ignores `ModelRateLimitError`, `ModelTimeoutError`, `ModelInternalServerError`, and `ModelAPIConnectionError`. These cluster in time under provider degradation and would otherwise trip the gate even when salvage could recover. Non-retryable failures (auth, schema, code bugs) still trip the gate as intended.
• Salvage partial row groups on early shutdown (`763eeddb`). When the gate does fire, the scheduler now drops incomplete rows, then checkpoints any fully-complete survivors instead of leaving the row group un-written and raising `FileNotFoundError` downstream. Finalization runs after worker cancellation so in-flight `from_scratch` / `batch` tasks can't race a freed buffer.
• Reset `consecutive_429s` on non-rate-limit failure (`25d53b69`). A `429 → 500 → 429` sequence was being treated as 2 consecutive 429s by the AIMD throttle. Independent bug surfaced during this investigation.
• Preserve retryability through `CustomColumnGenerator` wrap (`49cc9bfd`). The wrapper's `except Exception` was wrapping retryable model errors in `CustomColumnGenerationError`, hiding them from the scheduler's salvage path. Also fixes the sync-to-async bridge in `_AsyncBridgedModelFacade` to raise `ModelTimeoutError` (was raising stdlib `TimeoutError`, which is non-retryable). Moves `RETRYABLE_MODEL_ERRORS` to `models.errors` as the canonical source.

✨ Added

• Periodic WARN when retryable error rate is elevated (`6a85d1e9`). Today's runs failed silently — no visibility until shutdown. Logs "provider X showing degraded performance — run may take longer than expected" when the rolling rate exceeds a threshold. Throttled to one warning per cool-down interval.
• `DataDesignerEarlyShutdownError` typed exception (`6e508b47`). New subclass of `DataDesignerGenerationError` raised when an early-shutdown produced no records, so callers can detect the case programmatically instead of pattern-matching error messages.

🧪 Testing

• `make test` passes locally
• Unit tests added/updated — new tests cover: gate exclusion of each retryable error type, WARN throttling under sustained degradation, partial-RG checkpoint with mixed completion states (including zero-survivor case), `consecutive_429s` reset, retryability preservation through both sync and async `CustomColumnGenerator` paths, bridge `ModelTimeoutError` wrapping, and the new `DataDesignerEarlyShutdownError` raising path.
• Live A/B against `build.nvidia.com` (Anonymizer notebook 04, 25 biographies, async engine):
  • Without fix: `DataDesignerGenerationError: 0 records produced` after ~17 min. Gate trips on clustered `ModelTimeoutError`s mid-rewrite, row group never checkpoints.
  • With fix: 25/25 records produced in ~39 min. 27 retryable errors during the run (rate-limits + bridge timeouts), all retried successfully via salvage. No early-shutdown event.
  • Bumped concurrency stress test (`gpt-oss-120b: max_parallel_requests=8`, `nemotron: 32`): 25/25 records in ~19.5 min. AIMD reduced concurrency on initial 429 storms; salvage absorbed all retryable errors. Demonstrates the fix lets users tune for higher throughput without paying the 0-records tax.

✅ Checklist

• Follows commit message conventions
• Commits are signed off (DCO)
• Architecture docs updated — N/A; behavior change is internal to the scheduler

🔍 Attention Areas

⚠️ Reviewers: Please pay special attention to the following:

• `packages/data-designer-engine/src/data_designer/engine/dataset_builders/async_scheduler.py` — biggest behavior change is here (gate exclusion + partial-RG salvage in `_finalize_after_shutdown`). The worker-drain ordering matters: `_finalize_after_shutdown` must run after `_cancel_workers` to avoid a race against in-flight `from_scratch` / `batch` tasks writing into a freed buffer.
• `packages/data-designer-engine/src/data_designer/engine/column_generators/generators/custom.py` — the `except RETRYABLE_MODEL_ERRORS: raise` pattern is added in two places (`_generate` and `agenerate`); easy to miss the async one.

📎 Follow-ups (out of scope, worth filing)

• Bridge timeout configurability. `SYNC_BRIDGE_TIMEOUT = 300` is a hardcoded constant that pre-dates this PR. It should ideally derive from the model's configured timeout (and account for `max_correction_steps`), and/or be exposed via `RunConfig`. Out of scope here, but worth a follow-up issue.
• Batch-level error rates for early shutdown #211 alignment for async path. The sliding-window gate still differs from the sync engine's batch-level error rate. Larger structural change, deferred.
• Anonymizer logging visibility. `LoggingConfig.default()` swallows DataDesigner scheduler events. During this investigation we had to switch to `LoggingConfig.debug()` to see anything. Worth a doc note or a more verbose default for when things go wrong.

[github-actions]

Review: PR #585 — fix(async): pack of fixes for async engine under degraded providers

Summary

This PR fixes the async engine's failure mode where clustered retryable errors (rate-limits, timeouts, 5xx, connection blips) were tripping the early-shutdown gate and leaving partially-completed row groups un-checkpointed, producing a 0 records error. The changes:

1. Exclude retryable model errors from the early-shutdown gate; keep it as a circuit-breaker for genuine failures (auth, schema, code bugs).
2. Add a _finalize_after_shutdown salvage path so partial row groups are drained and checkpointed instead of leaking into the final FileNotFoundError.
3. Introduce a throttled "provider showing degraded performance" WARN so users have visibility before shutdown.
4. Fix three smaller correctness gaps: CustomColumnGenerator wrapping retryable errors into a non-retryable wrapper, the sync-to-async bridge raising stdlib TimeoutError instead of ModelTimeoutError, and consecutive_429s not being reset on non-rate-limit failures in the throttle.
5. Add DataDesignerEarlyShutdownError as a typed subclass of DataDesignerGenerationError so callers can react programmatically.

~778 / -23 lines across 12 files, roughly half tests. Scope is focused and well-matched to the stated failure.

Findings

Correctness

• Worker-drain ordering is correct. _finalize_after_shutdown runs after await asyncio.shield(self._cancel_workers()) in the finally block of run() (async_scheduler.py:313-318). Workers are fully drained before survivors are counted, so the "in-flight task writes into a freed buffer" race the PR description calls out is actually prevented.
• _checkpoint_completed_row_groups is now called twice on the early-shutdown path — once inside _main_dispatch_loop (async_scheduler.py:342) and again from _finalize_after_shutdown (async_scheduler.py:596). This is benign (the first call is a no-op if nothing is newly complete and _rg_states shrinks between calls), but worth a one-line comment at the first call site so future readers don't assume it's the terminal checkpoint pass.
• Zero-survivor case is handled cleanly. _finalize_after_shutdown drops all incomplete rows, then _checkpoint_completed_row_groups detects all(is_dropped(...)) and calls buffer_manager.free_row_group(rg_id) instead of writing parquet. The test test_zero_survivor_shutdown_does_not_raise asserts storage.write_batch_to_parquet_file.assert_not_called(), which pins this down well.
• _record_retryable_outcome semantics are sound. Every outcome (success or failure) feeds the window; only retryable failures count as True. A 50% threshold over 20 outcomes is a reasonable signal-vs-noise point. The deque(maxlen=...) with a len(...) < window guard avoids firing on a short warmup.
• consecutive_429s = 0 in release_failure (throttle_manager.py:316). This is the right call for the 429 → 500 → 429 cascade bug, but note that release_failure is also invoked for non-transient failures unrelated to rate limiting. Resetting here is correct — a gap in the cascade is a gap regardless of why — but the docstring/comment could be slightly sharper: the reset isn't about "non-rate-limit failure breaks the cascade" so much as "any non-429 failure indicates the cascade isn't a pure 429 streak."
• CustomColumnGenerator exception order is right. CustomColumnGenerationError → RETRYABLE_MODEL_ERRORS → Exception — the retryable tuple isn't a subclass of the custom wrapper, so ordering is non-aliasing. The pattern is duplicated in both _generate and agenerate; this is correctly called out in the PR "Attention Areas" and tests cover both paths (test_custom.py:382-417).

Concerns / Nits

• Test test_partial_row_group_salvaged_after_early_shutdown is scheduler-order-sensitive. It asserts buffer_mgr.actual_num_records == 3 exactly — relying on seeds 0,1,2 completing before the gate trips from seeds 5,6,7 failing (window=4, rate=0.5 → trips after the 2nd failure). This works because the scheduler dispatches get_ready_tasks in order and the non-slow paths don't yield, but it's a fragile invariant. Consider >= 3 with an upper-bound assert, or patch asyncio.sleep to make ordering deterministic.
• SYNC_BRIDGE_TIMEOUT = 300 remains hardcoded (correctly called out as a follow-up in the PR description). No blocker.
• partial_row_groups naming. A row group is added only when had_incomplete and survivors > 0 — i.e., it was partially salvaged. A row group that was all-dropped-at-shutdown is not in this list (it's just gone). That matches the docstring; no change needed, but future readers reaching for "which row groups ended early" should use early_shutdown plus this list together.
• DataDesignerEarlyShutdownError is raised in two places (data_designer.py:240 and data_designer.py:258). The second path is a defensive guard for a DF-returning code path the first path's comment says shouldn't happen. Keeping both is fine; they share identical detection logic (builder.early_shutdown), so if that detection ever changes, both must move in lockstep.
• __init__.py lazy-import registration (interface/init.py:19, 28) correctly follows the established pattern — both the TYPE_CHECKING block and the _LAZY_IMPORTS dict get the new symbol.

Conventions

• Absolute imports only ✓
• from __future__ import annotations preserved in edited files ✓
• Modern type syntax (list[int], tuple[int, ...]) ✓
• RETRYABLE_MODEL_ERRORS as typed tuple[type[Exception], ...] in the canonical location (models/errors.py) — this is the right move; the previous private tuple in async_scheduler.py was a duplicate.
• Error class hierarchy (DataDesignerEarlyShutdownError < DataDesignerGenerationError < DataDesignerError) is consistent with existing conventions.

Tests

• Coverage is thorough. Parametrized tests across all four retryable error types for both the scheduler and custom-generator paths. The bridge-timeout test exercises the actual thread-and-event-loop plumbing rather than mocking it out. The degraded-provider WARN has separate tests for "fires", "throttled", and "silent under threshold." The interface-layer tests cover both the FileNotFoundError → DataDesignerEarlyShutdownError wrap and the defensive empty-DF path.
• One gap worth considering. No test verifies the interaction between a partial row group and on_before_checkpoint raising (the callback could fail mid-salvage). Low priority — existing code paths have the same behavior — but a one-off test would pin down the contract.

Security / Performance

• No credentials, secrets, or user input touched.
• _record_retryable_outcome is O(1) per outcome (bounded deque). The degraded-WARN throttle uses time.monotonic() — correct for interval gating.
• The finalize-after-shutdown loop is O(rg_size × columns) per unfinished row group, bounded by row groups left in flight at shutdown. Not a concern.

Verdict

Solid fix. Well-scoped, well-tested, correctly orders the worker drain vs. finalize, and the RETRYABLE_MODEL_ERRORS consolidation cleans up a duplicate. The only real suggestion is de-flaking the partial-RG salvage test's exact-count assertion; everything else is polish (comment wording, noted follow-ups). No blockers.

[greptile-apps]

Greptile Summary

This PR fixes the async engine's early-shutdown gate misfiring under transient provider degradation by excluding retryable errors (ModelRateLimitError, ModelTimeoutError, ModelInternalServerError, ModelAPIConnectionError) from the sliding-window error-rate check. A new _finalize_after_shutdown method salvages partially-complete row groups instead of leaving them un-checkpointed, resolving the downstream FileNotFoundError. Three companion fixes address consecutive_429s reset timing, retryability preservation through CustomColumnGenerator, and the sync-to-async bridge raising a non-retryable TimeoutError. The changes are well-scoped with comprehensive unit and live A/B testing.

Confidence Score: 5/5

This PR is safe to merge — all changes are well-scoped, correctly ordered, and covered by comprehensive tests including a live A/B run.

No P0 or P1 bugs found. The core invariants are sound: retryable exclusion from the gate is consistent across both the error path and the degraded-WARN window; _finalize_after_shutdown correctly runs after _cancel_workers to prevent race conditions; consecutive_429s reset is gated on in_flight == 0 to avoid double-reduction within a concurrent burst; DataDesignerEarlyShutdownError is only raised when actual_num_records == 0 preventing misdiagnosis on partial-salvage runs.

No files require special attention.

Important Files Changed

Filename	Overview
packages/data-designer-engine/src/data_designer/engine/dataset_builders/async_scheduler.py	Core behavioral change: retryable errors excluded from the early-shutdown gate, new _finalize_after_shutdown salvages in-flight row groups post-cancellation, degraded-provider WARN machinery added — logic is correct and ordering constraints are respected.
packages/data-designer-engine/src/data_designer/engine/column_generators/generators/custom.py	RETRYABLE_MODEL_ERRORS re-raise guard added in both _generate and agenerate; bridge now raises ModelTimeoutError instead of stdlib TimeoutError so the scheduler classifies it retryable.
packages/data-designer-engine/src/data_designer/engine/models/clients/throttle_manager.py	release_failure now resets consecutive_429s only when in_flight == 0, correctly guarding against double-reduction within a concurrent burst.
packages/data-designer-engine/src/data_designer/engine/dataset_builders/dataset_builder.py	Captures early_shutdown, partial_row_groups, and actual_num_records from the scheduler in finally blocks; adds _reset_run_state to prevent state leakage on builder reuse.
packages/data-designer/src/data_designer/interface/data_designer.py	Raises DataDesignerEarlyShutdownError only when early_shutdown=True AND actual_num_records == 0; partial-salvage runs fall through to the generic error, preventing misdiagnosis.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Task completes or fails] --> B{Success?}
    B -- Yes --> C[_check_error_rate success=True]
    B -- No --> D{is_retryable?}
    D -- Yes --> E[Skip _check_error_rate\nRetryable errors excluded\nfrom early-shutdown gate]
    D -- No --> F[_check_error_rate success=False]
    C --> G{is_llm?}
    E --> G
    F --> G
    G -- Yes --> H[_record_retryable_outcome\nUpdate degraded-provider window]
    H --> I{Window full & rate >= threshold\n& interval elapsed?}
    I -- Yes --> J[WARN: Provider degraded]
    I -- No --> K[Continue]
    F --> L{Error rate >= threshold?}
    L -- Yes --> M[_early_shutdown = True]
    L -- No --> K
    M --> N[_main_dispatch_loop returns]
    N --> O[finally: _cancel_workers]
    O --> P{_early_shutdown & _rg_states non-empty?}
    P -- Yes --> Q[_finalize_after_shutdown]
    Q --> R[Drop incomplete rows per RG]
    R --> S{survivors > 0?}
    S -- Yes --> T[Add to partial_row_groups\n_checkpoint_completed_row_groups]
    S -- No --> U[Log zero-survivor\n_checkpoint_completed_row_groups]
    P -- No --> V[Clean exit path]
    T --> V
    U --> V
    V --> W{early_shutdown & actual_num_records == 0?}
    W -- Yes --> X[Raise DataDesignerEarlyShutdownError]
    W -- No --> Y[Normal completion or DataDesignerGenerationError]

Loading

_{Reviews (2): Last reviewed commit: "test(interface): consolidate create() er..." | Re-trigger Greptile}

[nabinchha]

Do we need a similar check for preview?

[nabinchha]

Per style guide, this needs to get pushed down to maintain public before private pardigm.

[nabinchha]

Could we loop over what's already available in errors (RETRYABLE_MODEL_ERRORS)?

[nabinchha]

I guess some how the class based testing pattern slipped in.... could we take this opportunity to flatten this out?

[nabinchha]

Tests in this suite also imports inline....

[nabinchha]

Same comment as above...

[nabinchha]

Thanks for the careful diagnosis and write-up here, @andreatgretel — the live A/B against build.nvidia.com is exactly the kind of evidence that makes this easy to reason about, and the commit log is great for future spelunkers.

Summary

The PR keeps the early-shutdown gate as a circuit-breaker for genuine non-retryable failures while excluding clustered transient errors (rate-limit, timeout, 5xx, connection) that cluster under provider degradation. It also salvages partially-completed row groups instead of leaving them un-checkpointed, fixes a CustomColumnGenerator wrap that was stripping retryability, surfaces bridge timeouts as ModelTimeoutError, repairs the AIMD cascade reset, and exposes a typed DataDesignerEarlyShutdownError. The implementation matches the stated intent.

Findings

Suggestions — Take it or leave it

packages/data-designer/src/data_designer/interface/data_designer.py:260-269 — Empty-DataFrame guard could mirror the load-failure guard

• What: The load-failure path requires both builder.early_shutdown and builder.actual_num_records == 0 before raising the typed error, but the defensive empty-DataFrame guard further down only checks early_shutdown.
• Why: The two paths are protecting against the same misdiagnosis (partial-salvage run hitting an unrelated load issue). If load_dataset_with_dropped_columns() ever does return an empty DF after a partial-salvage run (today it raises, but per the comment this guard exists for "future changes to that contract"), we'd surface a misleading "early shutdown produced zero records" instead of letting the real cause bubble up.
• Suggestion: Apply the same and builder.actual_num_records == 0 check to the empty-DF branch:

if len(dataset_for_profiler) == 0:
    if builder.early_shutdown and builder.actual_num_records == 0:
        raise DataDesignerEarlyShutdownError(...)
    raise DataDesignerGenerationError(...)

packages/data-designer-engine/src/data_designer/engine/dataset_builders/async_scheduler.py:680-685 — _record_retryable_outcome docstring slightly overstates scope

• What: The docstring says "every outcome (success or failure) feeds this window", but the call site only feeds it for is_llm tasks (lines 834 and 852).
• Why: A reader looking at the function in isolation will think the rate is computed across all task outcomes; the LLM-only gating is the whole point of the window (called out in the commit message), so it'd be nice to make that visible at the function too.
• Suggestion: Replace "every outcome" with "every LLM-bound task outcome" in the docstring, or add a one-line note that the call site filters by is_llm.

packages/data-designer-engine/tests/engine/column_generators/generators/test_custom.py:639-652 — Second "Sanity" block duplicates the pytest.raises

• What: After the with pytest.raises(ModelTimeoutError, match="bridge timed out") block already enforces the type, the second try/except ModelTimeoutError/except concurrent.futures.TimeoutError → pytest.fail block re-runs the same scenario.
• Why: pytest.raises already fails if the wrong exception type is raised, with a traceback that shows what was raised instead. The custom pytest.fail message is a nicer error string, but at the cost of doubling the test runtime (the bridge sleeps for SYNC_BRIDGE_TIMEOUT=0.05s plus event-loop overhead) and adding a maintenance surface.
• Suggestion: Drop the second block. If the explicit failure message feels valuable, fold it into the pytest.raises call as a custom message, e.g. via pytest.raises(ModelTimeoutError, match="bridge timed out") — the failure already shows the actual exception type.

What Looks Good

• The exclusion + salvage pairing is the right shape. Excluding retryable errors from the gate without also salvaging partial row groups would still produce 0-record runs in the timeout-cluster case; doing salvage without the exclusion would still trip the gate prematurely. Doing both is what unlocks the 25/25 result in the live A/B, and the PR description makes that dependency explicit.
• The worker-drain ordering is well thought through. The "must run AFTER _cancel_workers" comment in run() plus the doc note in _finalize_after_shutdown about pre-batch processors not re-running on salvaged row groups will save someone a head-scratching debug session later.
• RETRYABLE_MODEL_ERRORS was hoisted to the right home. Putting it next to the error class definitions in models/errors.py keeps the canonical list with the canonical types, and the CustomColumnGenerator wrap site can now share it without a back-import into the scheduler.
• The cascade-reset fix is a tidy independent improvement. The 429 → 500 → 429 sequence with in_flight > 0 correctly stays as one cascade, and the parametrized "drain vs in-flight" test pair makes the invariant easy to read.
• Typed error inherits from the existing one. DataDesignerEarlyShutdownError(DataDesignerGenerationError) lets existing handlers keep working while opening the door for callers that want to react programmatically — the test explicitly asserts both isinstance checks, which is a nice belt-and-suspenders.
• Test scaffolding consolidation. _make_storage and _seed_plus_cell_setup cut a lot of duplication out of the new tests, and the module-level RETRYABLE_ERROR_FACTORIES / RETRYABLE_EXCEPTION_FACTORIES parametrize lists keep the cases readable.

Verdict

Ship it (with nits). Only Suggestions; nothing blocking. The follow-ups already filed in the PR description (SYNC_BRIDGE_TIMEOUT configurability, #211 alignment, logging defaults) cover the larger structural work this PR intentionally defers.

---

This review was generated by an AI assistant.