feat(taskbroker): Add Claimed Status to Handle Push Failures

[george-sentry]

Linear

Completes STREAM-860

Description

Currently, taskworkers pull tasks from taskbrokers via RPC. This approach works, but has some drawbacks. Therefore, we want taskbrokers to push tasks to taskworkers instead. Read this page on Notion for more information.

Right now, I rely on processing_deadline to revert processing tasks back to pending if pushing them failed. This isn't good because it eats through processing attempts, resulting in needlessly dropped tasks.

I want to add a Sending status that indicates a task is being sent. Now, upkeep increments processing attempts only for tasks that are still in "sending" when their processing deadlines expire. If the status is "processing," that means the task was already sent successfully and its processing attempts can be incremented.

This will help us avoid dropping tasks needlessly when workers are busy.

Note that my original plan was different. You can see it in the commit history. Here is a description of that plan.

I want to add a sent column to the activation table to track whether a task was successfully sent after being fetched from the table. Now, upkeep increments processing attempts only for tasks that are processing and have sent = true.

If the status is processing and sent = false, that means pushing failed or timed out (or didn't happen yet), and we can revert back to pending without incrementing processing attempts.

[linear-code]

STREAM-860 Add Sent Flag to Handle Push Failures

[markstory]

What if we had a Claimed status? The lifecycle could be

flowchart

pending -- taken by a push thread and going to send soon --> claimed
claimed -- sent to a worker successfully --> processing
processing --> complete
processing --> retry
processing --> failure

Loading

You have 'claim' in a bunch of the methods, but no status reflecting that, and with the addition of Sending the Processing status can mean two different things depending on the broker mode.

[evanh]

This is functionally the same as before, right? Changing sending to claimed?

[george-sentry]

It sounds like it is. I don't mind changing sending to claimed if it's more clear that way.

[markstory]

Yeah, it is just a naming change.

[markstory]

With the methods using claim in their name, Claimed could be a better status name.

[george-sentry]

I think this is a good idea. Thoughts @evanh?

[evanh]

Yeah I think it makes sense. Cleans up the nomenclature for sure.

[markstory]

Sent isn't a status/state in the state machine, should this be mark_activation_processing?

[george-sentry]

Good point - yes.

[markstory]

In other tasks systems this is referred to as releasing a claim

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

There are 2 total unresolved issues (including 1 from previous review).

Autofix Details

Bugbot Autofix prepared a fix for the issue found in the latest run.

• ✅ Fixed: SQLite unixepoch uses unsupported 'milliseconds' modifier
  • Replaced the invalid SQLite milliseconds modifier with a seconds expression using fractional seconds so claim_expires_at is now populated correctly in push claims.

Or push these changes by commenting:

@cursor push 4d21eabfe0

Preview (4d21eabfe0)

diff --git a/src/store/inflight_activation.rs b/src/store/inflight_activation.rs
--- a/src/store/inflight_activation.rs
+++ b/src/store/inflight_activation.rs
@@ -930,7 +930,7 @@
             query_builder.push_bind(InflightActivationStatus::Processing);
         } else {
             query_builder.push(format!(
-                "claim_expires_at = unixepoch('now', '+' || {claim_lease_ms} || ' milliseconds', '+' || {grace_period} || ' seconds'), processing_deadline = NULL, status = "
+                "claim_expires_at = unixepoch('now', '+' || ({claim_lease_ms} / 1000.0) || ' seconds', '+' || {grace_period} || ' seconds'), processing_deadline = NULL, status = "
             ));
 
             query_builder.push_bind(InflightActivationStatus::Claimed);

_{This Bugbot Autofix run was free. To enable autofix for future PRs, go to the Cursor dashboard.}

[markstory]

Looks good to me, outside of the at-most-once task handling. While I don't think what you have is wrong, it does run the risk of dropping tasks without ever executing them.

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

There are 3 total unresolved issues (including 1 from previous review).

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 2156a43. Configure here.}

[cursor]

Claim lease formula omits push timeout causing premature expiration

Medium Severity

The claim_lease_ms formula is fetch_batch_size * push_queue_timeout_ms, which only covers the time to enqueue tasks into the push pool's bounded channel. After enqueuing, the actual gRPC push can take up to push_timeout_ms (default 30s). With defaults, claims expire after ~8s (5s lease + 3s grace), but pushes can legitimately take up to 30s. If a push takes longer than 8s but succeeds, upkeep reverts the task to Pending before mark_activation_processing runs, causing the successfully-delivered task to be re-claimed and pushed again — duplicate execution.

Additional Locations (1)

• src/store/postgres_activation_store.rs#L80-L81

 

^{Reviewed by Cursor Bugbot for commit 2156a43. Configure here.}

[george-sentry]

This is possibly a valid point. It may be a better idea to just make this value configurable, but then we'll need to pick an appropriate value, which is hard. Let's remember this for the future.

[sentry]

Bug: Tasks for demoted namespaces that fail Kafka publishing get stuck in an infinite retry loop because processing_attempts is never incremented, preventing them from reaching Failure status.
_{Severity: HIGH}

Suggested Fix

To fix this, ensure the processing_attempts counter is incremented for this failure path. This can be done by either using mark_processing: true for demoted namespaces, calling mark_activation_processing after a successful publish, or incrementing the counter when reverting a task from Claimed to Pending upon expiration.

Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: src/upkeep.rs#L318-L324

Potential issue: When forwarding tasks for demoted namespaces, the system first moves
them to a `Claimed` status. If the subsequent Kafka publish fails, these tasks remain
`Claimed` until they expire. The expiration handler, `handle_claim_expiration()`,
reverts them to `Pending` but does not increment the `processing_attempts` counter. This
creates an infinite loop where tasks that consistently fail to publish are retried
indefinitely, never reaching the `max_processing_attempts` limit and never being moved
to the `Failure` status for dead-lettering.

[george-sentry]

The AI reviewers constantly get tripped up by this code. If I mark them as claimed, it will complain about failed publishing resulting in infinite retries. If I mark them as processing, it will complain that we will run out of tries after the processing deadline is exceeded too many times. In other words, no matter which way you go, this chunk of code will be flagged.