fix(ha): PR #101 HA implementation bug fixes

[poyrazK]

Summary

Bug fixes for PR #101 HA implementation:

Critical Fixes

• Timer leak in retry.go: Add defer timer.Stop() to prevent timer leak on ctx cancellation
• Inverted reclaim interval: Change provisionReclaimMs from 20min to 1min (was incorrectly > stale threshold)

High Fixes

• Goroutine deadlock in leader_elector.go: Add recover() to heartbeat goroutine to prevent deadlock on panic
• Orphaned container in pipeline_worker.go: Fail step if collectTaskLogs fails instead of just logging

Medium Fixes

• Unbounded Redis key growth: Add 24h TTL to retry keys in durable_task_queue
• DLQ message loss: Reorder deadLetter: XAdd to DLQ first, only ack/del if successful
• Reclaim race in execution_ledger.go: Use RETURNING TRUE pattern to avoid race
• Silent Update failures: Add warning logs when repo.Update fails in cluster handlers

Features

• Resilience metrics: Add Prometheus metrics for circuit breaker transitions/blocked requests and bulkhead concurrency/rejections
• Retry integration: Integrate retry wrapper into all resilient wrappers with configurable attempts and backoff

Test Plan

• go test ./internal/platform/...
• go test ./internal/workers/...
• go test ./internal/repositories/redis/...
• go test ./internal/repositories/postgres/...

Summary by CodeRabbit

• New Features

  • Resilience primitives (circuit breakers, bulkheads, timeouts, retries) applied across compute, storage, network, LB and DNS adapters; resilient wrappers added
  • Durable consumer‑group task queues, a durable Redis-backed queue implementation, idempotent execution ledger, and Postgres-backed leader election
  • Workers migrated to durable queues + execution ledger for reliable, idempotent processing

• Tests

  • Extensive HA/resilience drills and comprehensive unit tests for circuit breaker, bulkhead, retry, durable queues, and leader election

• Chores

  • CI: benchmark publishing split between PR and main branch

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds durable Redis Streams queues, Postgres-backed leader election and execution ledger, resilience primitives (circuit breaker, bulkhead, retry), resilient backend adapters, and rewrites workers to use consumer groups with ack/nack, reclaim loops, and leader-gated singleton execution. CI benchmark publishing steps were split for PR vs main.

Changes

Cohort / File(s)	Summary
CI Workflow .github/workflows/benchmarks.yml	Split benchmark publishing into PR-only and main-branch steps with different auto-push, token and comment-on-alert settings.
API bootstrap & tests cmd/api/main.go, cmd/api/main_test.go	Wire LeaderElector, build resilient adapters, change runApplication to return error, switch env var to ROLE with allowlist (`api
Dependency wiring & no-op implementations internal/api/setup/dependencies.go, internal/repositories/noop/adapters.go	Add durable queue, execution ledger, and LeaderElector wiring; wrap DNS with resilient adapter; add Noop durable queue and Noop execution ledger.
Durable queue port & Redis impl + tests internal/core/ports/task_queue.go, internal/repositories/redis/durable_task_queue.go, internal/repositories/redis/durable_task_queue_test.go	Introduce DurableTaskQueue/DurableMessage; implement Redis Streams consumer-group queue (EnsureGroup/Receive/Ack/Nack/ReclaimStale) with DLQ/retry behavior and tests.
LeaderElector & ExecutionLedger ports + Postgres impls & migrations internal/core/ports/leader.go, internal/repositories/postgres/leader_elector.go, internal/repositories/postgres/leader_elector_test.go, internal/core/ports/execution_ledger.go, internal/repositories/postgres/execution_ledger.go, internal/repositories/postgres/migrations/100_create_job_executions.{up,down}.sql	Add LeaderElector and ExecutionLedger interfaces; implement Postgres-backed PgLeaderElector (advisory-lock heartbeat) and PgExecutionLedger (atomic claim/reclaim/terminal updates); add migration.
Platform resilience primitives & tests internal/platform/circuit_breaker.go, internal/platform/circuit_breaker_test.go, internal/platform/bulkhead.go, internal/platform/bulkhead_test.go, internal/platform/retry.go, internal/platform/retry_test.go	Add circuit breaker (half-open single-flight, callbacks), bulkhead semaphore with ErrBulkheadFull, and Retry with jitter/backoff; include tests.
Resilient backend adapters + tests internal/platform/resilient_compute.go, internal/platform/resilient_compute_test.go, internal/platform/resilient_storage.go, internal/platform/resilient_network.go, internal/platform/resilient_dns.go, internal/platform/resilient_lb.go	Add resilient wrappers for compute/storage/network/DNS/LB applying bulkhead, circuit breaker, and per-call timeouts; include constructors, options/defaults, and tests (compute tests cover CB, bulkhead, timeouts).
Workers → Durable consumer groups, ledger, reclaim loops internal/workers/pipeline_worker.go, internal/workers/provision_worker.go, internal/workers/cluster_worker.go, internal/workers/*_test.go	Migrate pipeline/provision/cluster workers to DurableTaskQueue consumer-group model; add hostname-based consumer identity, bounded concurrency, reclaim loops, explicit Ack/Nack, and ExecutionLedger idempotency (TryAcquire/Mark*); update tests/mocks.
Leader-gated singleton wrapper & tests internal/workers/leader_guard.go, internal/workers/leader_guard_test.go	Add LeaderGuard runner that uses LeaderElector.RunAsLeader to gate inner worker execution with retry and lifecycle coordination; add unit tests.
Repositories: migrations & helpers internal/repositories/postgres/*, internal/repositories/redis/*	Add Postgres execution ledger and leader elector, job_executions migration; add Redis durable queue implementation and tests.
HA drills & release-gate tests internal/drills/ha_drills_test.go, internal/drills/release_gates_test.go	Add HA-focused test suites exercising circuit breaker, bulkhead, retry, and composed adapter behaviors with deterministic assertions and latency checks.
VPC/autoscaling & e2e tweaks internal/core/services/vpc.go, tests/*_e2e_test.go	Add AutoScalingRepository to VpcService and dependency check; extend several e2e test timeouts for cleanup polling.

Sequence Diagram(s)

sequenceDiagram
  participant LeaderElector as LeaderElector (Postgres)
  participant Worker as Worker
  participant DurableQ as DurableQueue (Redis)
  participant Ledger as ExecutionLedger (Postgres)
  participant Backend as Backend

  Note right of Worker: (optional) leader-gated runner
  Worker->>LeaderElector: RunAsLeader(key, fn)
  LeaderElector-->>Worker: granted
  Worker->>DurableQ: EnsureGroup / Receive(queue, group, consumer)
  DurableQ-->>Worker: DurableMessage{id, payload}
  Worker->>Ledger: TryAcquire(jobKey, staleThreshold)
  alt acquired
    Worker->>Backend: execute task
    Backend-->>Worker: result / error
    Worker->>Ledger: MarkComplete / MarkFailed
    Worker->>DurableQ: Ack(messageID)
  else already-owned
    Worker->>DurableQ: Ack(messageID)
  end
  Note over DurableQ,Ledger: ReclaimLoop periodically calls ReclaimStale and reprocesses reclaimed messages

Loading

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~120 minutes

Possibly related PRs

• feat: implement granular IAM Policies with JSON-based evaluation (ABAC) #59: Modifies dependency wiring and service/repository initialization—overlaps with added durable queue/ledger/leader-elector wiring.
• feat: Kubernetes CSI Driver and ARM64 UEFI Support #79: Touches volume attach APIs and adapters—likely touches resilient storage/attach call sites introduced here.
• feat: CLI and UX improvements #68: Adds auth endpoints and related API plumbing—may intersect with API bootstrap and dependency changes.

Poem

🐰 I hopped through streams and advisory locks,

I guarded leaders, watched reclaiming flocks.
Bulkheads held tight, breakers learned to mend,
Workers acked, retried, and reconciled the end.
Carrots of logs — resilient systems, my friend!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 37.76% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title 'fix(ha): PR #101 HA implementation bug fixes' clearly references the HA feature work and describes fixing implementation bugs from PR #101. However, the title is somewhat generic—'bug fixes' is vague and doesn't specify which bugs or the scope.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch pr-101-ha

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

This PR fixes several HA-related correctness issues introduced in PR #101 by moving workers to a durable queue + execution ledger model, tightening leader-election behavior, and adding resilience primitives (circuit breaker / bulkhead / retry) with metrics and drills.

Changes:

• Migrate Provision / Pipeline / Cluster workers to ports.DurableTaskQueue semantics (Receive/Ack/Nack/ReclaimStale) and add Postgres-backed ExecutionLedger for idempotency.
• Add Postgres advisory-lock leader election (PgLeaderElector) and a LeaderGuard wrapper to run singleton workers only on the elected leader.
• Introduce resilience primitives + metrics (circuit breaker, bulkhead, retry) and add drills/release-gate tests.

Reviewed changes

Copilot reviewed 38 out of 38 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
internal/workers/provision_worker_test.go	Updates tests to DurableQueue semantics (Ack/Nack expectations).
internal/workers/provision_worker.go	Migrates provision worker to durable queue + ledger + reclaim loop.
internal/workers/pipeline_worker_test.go	Updates pipeline worker test to pass durable message + Ack expectation.
internal/workers/pipeline_worker.go	Migrates pipeline worker to durable queue + ledger + reclaim + step failure on log-collection error.
internal/workers/leader_guard_test.go	Adds unit tests for leader-guard behavior (leader/not leader/restart/shutdown).
internal/workers/leader_guard.go	Adds LeaderGuard wrapper around workers using LeaderElector.
internal/workers/cluster_worker_test.go	Updates cluster worker tests for durable queue Ack/Nack + signature changes.
internal/workers/cluster_worker.go	Migrates cluster worker to durable queue + ledger + reclaim + improved update warnings.
internal/repositories/redis/durable_task_queue_test.go	Adds miniredis tests for durable queue group/receive/ack/nack/reclaim + legacy dequeue.
internal/repositories/redis/durable_task_queue.go	Implements Redis Streams durable queue (consumer groups, reclaim, DLQ, retry counters w/ TTL).
internal/repositories/postgres/migrations/100_create_job_executions.up.sql	Adds job_executions table for execution ledger.
internal/repositories/postgres/migrations/100_create_job_executions.down.sql	Drops job_executions table.
internal/repositories/postgres/leader_elector_test.go	Adds tests for deterministic/positive/unique lock ID hashing.
internal/repositories/postgres/leader_elector.go	Adds Postgres advisory-lock leader elector + heartbeat + panic-safe goroutine.
internal/repositories/postgres/execution_ledger.go	Adds Postgres execution ledger implementation (TryAcquire/MarkComplete/MarkFailed/GetStatus).
internal/repositories/noop/adapters.go	Extends no-op task queue to DurableTaskQueue + adds NoopExecutionLedger.
internal/platform/retry_test.go	Adds unit tests for retry behavior and backoff.
internal/platform/retry.go	Adds retry helper with exponential backoff + jitter + metrics.
internal/platform/resilient_storage.go	Adds resilient StorageBackend wrapper (CB/BH/Retry/Timeout).
internal/platform/resilient_network.go	Adds resilient NetworkBackend wrapper (CB/BH/Retry/Timeout).
internal/platform/resilient_lb.go	Adds resilient LB proxy wrapper (CB/Retry/Timeout).
internal/platform/resilient_dns.go	Adds resilient DNS backend wrapper (CB/Retry/Timeout).
internal/platform/resilient_compute_test.go	Adds tests validating compute wrapper behavior (CB/BH/timeout/passthrough).
internal/platform/resilient_compute.go	Adds resilient ComputeBackend wrapper (CB/BH/Retry/Timeout).
internal/platform/resilience_metrics.go	Adds Prometheus metrics for CB/BH/Retry.
internal/platform/circuit_breaker_test.go	Expands circuit breaker test coverage (single-flight, callbacks, successRequired, string).
internal/platform/circuit_breaker.go	Adds named/configurable CB with half-open single-flight + transition metrics.
internal/platform/bulkhead_test.go	Adds bulkhead tests (limits, rejection, context, errors, available).
internal/platform/bulkhead.go	Adds bulkhead implementation + metrics (concurrency/rejections).
internal/drills/release_gates_test.go	Adds CI-style release gates validating resilience SLO invariants.
internal/drills/ha_drills_test.go	Adds HA drill tests for CB/BH/Retry properties and transitions.
internal/core/ports/task_queue.go	Introduces DurableTaskQueue + DurableMessage; deprecates Dequeue for parallel consumers.
internal/core/ports/leader.go	Adds LeaderElector port.
internal/core/ports/execution_ledger.go	Adds ExecutionLedger port.
internal/api/setup/dependencies.go	Wires DurableQueue/Ledger into services/workers; adds LeaderGuard wrapping for singleton workers.
cmd/api/main_test.go	Adds role-mode tests; updates runApplication to return error.
cmd/api/main.go	Wraps backends with resilient decorators; introduces ROLE env; wires PgLeaderElector; worker-only mode skips HTTP.
.github/workflows/benchmarks.yml	Splits benchmark reporting for PR vs main (no auto-push on PR).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The TryAcquire comment says the stale-entry reclaim uses "FOR UPDATE SKIP LOCKED", but the implementation actually uses an optimistic compare-and-swap update on (job_key, status, started_at) with RETURNING TRUE. Adjust the comment to match the real concurrency control mechanism so future readers don't rely on locking semantics that aren't present.

Suggested change

	// Reclaim the stale entry using FOR UPDATE SKIP LOCKED.
	// This prevents two reclaimers from racing to reclaim the same stale entry.
	// If another reclaimer holds the lock (already reclaimed), we skip it.
	// Reclaim the stale entry with an optimistic compare-and-swap update.
	// The UPDATE only succeeds if the row is still in the previously observed
	// (job_key, status='running', started_at) state; otherwise another worker
	// updated it first and RETURNING yields no row.

[Copilot]

When TryAcquire returns false, ClusterWorker immediately acks the message as a "duplicate cluster job". This is unsafe if the existing ledger row is status='running' but not yet past clusterStaleThreshold (e.g., the original worker crashed soon after acquiring the ledger). In that case, acking here drops the only durable copy of the job, so it can't be retried once the ledger entry becomes stale. Mirror the Provision/Pipeline pattern: call GetStatus and only Ack when status is 'completed' (or 'failed' if you want to drop), otherwise leave the message unacked/pending so it can be reclaimed and retried later.

[Copilot]

PgLeaderElector uses Postgres session-level advisory locks, but all Acquire/Release/heartbeat calls go through the generic DB interface (compatible with *pgxpool.Pool). With a pool, each QueryRow/Exec may run on a different connection, so the lock may not actually be held (or released) by the same session; the heartbeat check can also run on a different session and produce incorrect results. To make session-scoped advisory locks correct, RunAsLeader should pin a single connection for the full leadership term (e.g., pool.Acquire → use that conn for pg_try_advisory_lock/pg_advisory_unlock/heartbeat, then Close the conn on release), or otherwise ensure all lock operations use the same underlying connection.

[Copilot]

ReclaimStale ignores the error from pipe.Exec and then blindly indexes/type-asserts pipeResults[0]. If Exec returns an error (network issue, Redis down, ctx cancelled), this can panic or record an incorrect attempts count. Capture and handle the Exec error (and validate the returned cmds) before using the results; if it fails, return the error or at least skip processing the claimed ID so the reclaim loop can retry safely.

Suggested change

	pipe.HIncrBy(ctx, retryKey, "count", 1)
	pipe.Expire(ctx, retryKey, 24*time.Hour)
	pipeResults, _ := pipe.Exec(ctx)
	attempts := pipeResults[0].(*redis.IntCmd).Val()
	attemptsCmd := pipe.HIncrBy(ctx, retryKey, "count", 1)
	pipe.Expire(ctx, retryKey, 24*time.Hour)
	if _, err := pipe.Exec(ctx); err != nil {
	return nil, fmt.Errorf("increment retry counter for %s/%s/%s: %w", queueName, groupName, msgID, err)
	}
	attempts := attemptsCmd.Val()

[Copilot]

deadLetter logs and returns nil when the post-DLQ XAck/XDel pipeline fails. That leaves the original message pending in the PEL while also having a DLQ copy, which can lead to repeated DLQ entries on subsequent reclaim cycles and unbounded pending growth. Consider making the DLQ move idempotent/atomic (e.g., Lua script or MULTI/EXEC transaction for XADD+XACK+XDEL), or at minimum return an error when ack/del fails so the caller can retry cleanup deterministically.

Suggested change

	pipe.XAck(ctx, queueName, groupName, msgID)
	pipe.XDel(ctx, queueName, msgID)
	if _, err := pipe.Exec(ctx); err != nil {
	// DLQ entry was added but original ack/del failed.
	// Log but don't return error — message is in DLQ and original is still in PEL.
	q.logger.Warn("dead-letter: failed to ack/del original message",
	"msg_id", msgID, "dlq_id", added, "error", err)
	}
	ackCmd := pipe.XAck(ctx, queueName, groupName, msgID)
	delCmd := pipe.XDel(ctx, queueName, msgID)
	if _, err := pipe.Exec(ctx); err != nil {
	return fmt.Errorf("dead-letter cleanup failed after dlq add (msg_id=%s, dlq_id=%s): %w", msgID, added, err)
	}
	acked, err := ackCmd.Result()
	if err != nil {
	return fmt.Errorf("dead-letter xack result failed after dlq add (msg_id=%s, dlq_id=%s): %w", msgID, added, err)
	}
	if acked == 0 {
	return fmt.Errorf("dead-letter xack affected 0 messages after dlq add (msg_id=%s, dlq_id=%s)", msgID, added)
	}
	deleted, err := delCmd.Result()
	if err != nil {
	return fmt.Errorf("dead-letter xdel result failed after dlq add (msg_id=%s, dlq_id=%s): %w", msgID, added, err)
	}
	if deleted == 0 {
	return fmt.Errorf("dead-letter xdel affected 0 messages after dlq add (msg_id=%s, dlq_id=%s)", msgID, added)
	}

[Copilot]

Retry creates a new timer on each backoff iteration but uses defer timer.Stop() inside the retry loop. Defers in a loop accumulate until Retry returns, which can retain timers longer than necessary under high MaxAttempts and defeats the intent of promptly releasing timer resources. Prefer stopping the timer explicitly after the select (and draining the channel when needed) instead of deferring inside the loop.

Suggested change

	defer timer.Stop()
	select {
	case <-ctx.Done():
	select {
	case <-ctx.Done():
	if !timer.Stop() {
	select {
	case <-timer.C:
	default:
	}
	}

[Copilot]

The comment above provisionReclaimMs says the reclaim idle time "must be longer than provisionStaleThreshold (15m)", but the value is 1 minute. Given the surrounding logic, this looks like the comment is inverted/outdated and may mislead future tuning. Please update the comment to reflect the intended relationship between PEL reclaim idle time and the execution-ledger stale threshold (and why).

[Copilot]

Pull request overview

Copilot reviewed 49 out of 49 changed files in this pull request and generated 8 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

In reclaimLoop, sem <- struct{}{} can block forever under saturation and ignores ctx.Done(), which can deadlock shutdown. Consider acquiring the semaphore with select { case sem<-...: case <-ctx.Done(): return } (or skipping reclaimed work when shutting down).

[Copilot]

In reclaimLoop, sem <- struct{}{} can block forever under high load and ignores ctx.Done(), which can deadlock shutdown. Acquire the semaphore with a select on ctx.Done() or skip scheduling reclaimed jobs once shutdown has started.

[Copilot]

The comment says this reclaim uses “FOR UPDATE SKIP LOCKED”, but the implementation is an UPDATE ... WHERE started_at = $2 RETURNING TRUE compare-and-swap. Please update the comment to match the actual mechanism (or change the query) so future readers don’t assume row locking semantics that aren’t present.

[Copilot]

pipe.Exec(ctx) errors are ignored here. If Exec fails, pipeResults can be nil/short and pipeResults[0].(*redis.IntCmd) can panic, potentially breaking the reclaim loop and leaving messages stuck. Handle the Exec error and validate result length/types before reading attempts (or use the returned *IntCmd from HIncrBy directly).

[Copilot]

sem <- struct{}{} can block indefinitely when the semaphore is full, and that send does not respect ctx.Done(). This can prevent the worker from shutting down cleanly (Run goroutine stuck on semaphore send even after context cancellation). Acquire the semaphore with a select that also listens for ctx.Done() (or move acquisition into the goroutine with a cancellable select).

[Copilot]

In reclaimLoop, sem <- struct{}{} can also block forever when the worker is saturated, and it similarly ignores ctx.Done(). On shutdown this can deadlock the reclaim loop and keep the process alive. Use a select on ctx.Done() when acquiring the semaphore (and consider skipping reclaimed work when shutting down).

[Copilot]

sem <- struct{}{} can block indefinitely when the worker is at max concurrency, and that send doesn’t observe ctx.Done(). This can prevent graceful shutdown (Run loop stuck trying to acquire a slot). Acquire the semaphore with a select including ctx.Done() or restructure so shutdown can always progress.

[Copilot]

sem <- struct{}{} can block indefinitely when the worker is saturated, and the send doesn’t respect ctx.Done(). That can prevent the cluster worker from stopping cleanly (Run loop stuck on semaphore send). Acquire the semaphore with a select that also listens for ctx.Done() (or move acquisition into a cancellable goroutine).

[Copilot]

Pull request overview

Copilot reviewed 38 out of 38 changed files in this pull request and generated 4 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

initBackends builds rawLBProxy using rawCompute (see setup.InitLBProxy for libvirt path). Since compute is wrapped after initBackends, the LB proxy’s internal compute calls won’t benefit from the compute bulkhead/timeouts in the libvirt case, even though ResilientLB’s comment assumes compute bulkhead already limits container/VM creation. Consider wrapping compute before calling InitLBProxy (or re-initializing LBProxy using the resilient compute backend) so LB proxy operations are subject to the same resilience limits.

[Copilot]

TestReleaseGate_CircuitBreakerFailFast asserts an average latency <1ms across 100 iterations. This is very sensitive to CI host load/scheduling and can be flaky even when fail-fast behavior is correct. Consider relaxing the threshold, using a higher-latency budget/percentile, gating via env/build tag, or converting this to a benchmark instead of a default-running test.

Suggested change

	if avgLatency > 1*time.Millisecond {
	t.Fatalf("average fail-fast latency %v exceeds 1ms SLO", avgLatency)
	}
	t.Logf("PASS: avg fail-fast latency = %v (SLO: <1ms)", avgLatency)
	if avgLatency > 5*time.Millisecond {
	t.Fatalf("average fail-fast latency %v exceeds 5ms SLO", avgLatency)
	}
	t.Logf("PASS: avg fail-fast latency = %v (SLO: <5ms)", avgLatency)

[Copilot]

provisionReclaimMs is set to 1 minute, but provisioning work can run up to 10 minutes (processJob timeout) and the ledger stale threshold is 15 minutes. Reclaiming after 1 minute will repeatedly XAUTOCLAIM in-flight messages, increment retry counters, and can eventually dead-letter work that is still actively being processed. Increase the reclaim idle threshold to exceed the maximum expected job runtime (or at least align it with the ledger stale threshold) and update the comment accordingly.

[Copilot]

Cluster deprovision success path ignores errors from repo.Delete. If Delete fails, the worker will Ack the queue message (in processJob) and MarkComplete in the ledger, leaving a cluster record that will never be retried/cleaned up. Consider handling the delete error (return it so the message is nacked/retried, or at least log+leave the job in a state that can be reconciled).

[Copilot]

Pull request overview

Copilot reviewed 41 out of 41 changed files in this pull request and generated 5 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

This leader elector uses session-level advisory locks, but it calls pg_try_advisory_lock/pg_advisory_unlock via the generic DB interface (typically backed by *pgxpool.Pool). With a pool, each call may use a different underlying connection, which breaks session-scoped lock semantics (locks can remain held on an idle pooled connection, Release may run on a different session and not unlock, and heartbeat may check the wrong session). Consider having PgLeaderElector hold a dedicated *pgxpool.Conn (or pgx.Conn) for the lifetime of leadership and run Acquire/heartbeat/Release on that same connection.

[Copilot]

time.NewTimer is created inside the retry loop, but defer timer.Stop() is also inside the loop. This defers all Stop() calls until Retry returns, which can accumulate many deferred calls and keep timer resources alive longer than necessary. Stop (and if needed drain) the timer per-iteration instead of deferring inside the loop (or use time.After / a reusable timer).

Suggested change

	defer timer.Stop()
	select {
	case <-ctx.Done():
	select {
	case <-ctx.Done():
	if !timer.Stop() {
	select {
	case <-timer.C:
	default:
	}
	}

[Copilot]

The comment says the PEL reclaim idle time "must be longer than provisionStaleThreshold (15m)", but provisionReclaimMs is set to 1 minute. More importantly, with ReclaimStale incrementing retry attempts on every reclaim and maxRetries defaulting to 5, reclaiming every 1 minute can dead-letter a legitimately long-running provision (worker timeout is 10m) before it finishes. Consider setting provisionReclaimMs to a value comfortably larger than the expected max processing time (or change retry counting so it only increments on actual failures) and update the comment accordingly.

[Copilot]

CircuitBreaker.Execute sets halfOpenInFlight in allowRequest(), but if fn() panics, recordSuccess/recordFailure won't run and halfOpenInFlight can remain true indefinitely, causing the breaker to reject all future requests in half-open. Consider wrapping fn() with a defer that clears halfOpenInFlight (likely via recordFailure) on panic, and decide whether to re-panic or convert it into an error.

[Copilot]

TryAcquire can return false not only for already-completed jobs but also when another worker currently owns a non-stale running execution. In that case, immediately Acking here can delete the only queue message while the other worker is still processing; if that worker crashes before MarkComplete, the job will be stuck as running in the ledger with no message left to retry. Mirror the provision/pipeline pattern: only ack when ledger status is completed (or otherwise terminal), and leave the message unacked when the job is actively running elsewhere.

[Copilot]

Pull request overview

Copilot reviewed 42 out of 42 changed files in this pull request and generated 6 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

pipelineReclaimMs (10 minutes) is shorter than the 30-minute job timeout; long-running builds will be auto-claimed while still processing, which can lead to duplicate execution attempts or message churn. Consider setting pipelineReclaimMs >= worst-case build duration (or >= pipelineStaleThreshold) or implementing a periodic "lease renewal" (XCLAIM-to-self) while a build is running.

[Copilot]

clusterReclaimMs (5 minutes) is shorter than clusterStaleThreshold (15 minutes) and likely shorter than real cluster provision/upgrade runtimes. That means in-progress jobs can be auto-claimed and treated as stale while still running. Consider aligning clusterReclaimMs with the expected max job duration (or with clusterStaleThreshold), or add a lease-renewal mechanism while work is in flight.

[Copilot]

defer timer.Stop() is inside the retry loop. Because defer runs only when Retry returns, this accumulates one deferred call per attempt and can retain timers longer than needed. Prefer stopping the timer explicitly at the end of each iteration (and draining timer.C if Stop() returns false) rather than deferring inside the loop.

Suggested change

	defer timer.Stop()
	select {
	case <-ctx.Done():
	return lastErr
	case <-timer.C:
	}
	select {
	case <-ctx.Done():
	if !timer.Stop() {
	select {
	case <-timer.C:
	default:
	}
	}
	return lastErr
	case <-timer.C:
	}
	if !timer.Stop() {
	select {
	case <-timer.C:
	default:
	}
	}

[Copilot]

When TryAcquire returns false and the ledger status is not completed, the worker returns without ack/nack. This leaves the message pending under the current consumer; with reclaim enabled it can cause repeated reclaims/processing attempts and an ever-growing PEL if the job never becomes acked. Consider explicitly handling the running vs failed cases (e.g., re-check later, or only leave pending when you can guarantee it won't be reclaimed prematurely; otherwise ack duplicates safely).

[Copilot]

When TryAcquire returns false and the ledger status isn't completed, the code returns without ack/nack. This leaves the message stuck pending for this consumer and relies entirely on the reclaim loop to make progress, which can cause repeated reclaim churn. Consider explicitly deciding what to do for running vs failed (e.g., defer processing but ensure the message won't be reclaimed prematurely, or ack known-duplicate messages once it's safe).

[Copilot]

The comment says the stale-running reclaim uses "FOR UPDATE SKIP LOCKED", but the implementation is an UPDATE ... WHERE ... started_at = $2 RETURNING TRUE without any FOR UPDATE. Either update the comment to match the actual approach or switch to a locking strategy if that was the intent.

[Copilot]

Pull request overview

Copilot reviewed 44 out of 44 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

keyToLockID masks to 63 bits, so converting directly from uint64 to int64 is safe. Casting through uintptr can truncate on 32-bit architectures, increasing collision risk for advisory lock IDs. Prefer return int64(h.Sum64() & 0x7FFFFFFFFFFFFFFF) to keep the full 63-bit space on all platforms.

Suggested change

	// Sum64 returns uint64. Mask to lower 63 bits (positive int64 range) and
	// cast via uintptr to silence G115 integer overflow warning.
	v := uintptr(h.Sum64() & 0x7FFFFFFFFFFFFFFF)
	return int64(v)
	// Sum64 returns uint64. Mask to lower 63 bits so the value always fits in
	// the positive int64 range, then convert directly to preserve the full
	// 63-bit space on all architectures.
	return int64(h.Sum64() & 0x7FFFFFFFFFFFFFFF)

[Copilot]

If DLQ XADD succeeds but the subsequent XACK/XDEL pipeline fails, the original message remains pending and will be reclaimed again, creating duplicate DLQ entries on each reclaim. Instead of only logging, consider returning an error (so callers can retry the ack/del without re-adding), or persisting a “deadlettered” marker to avoid repeated DLQ writes until the original is successfully acked/deleted.

[Copilot]

cleanupDeletedScalingGroups claims to remove groups marked as DELETED, but it actually deletes rows in DELETING state. Deleting a DELETING group row while instances/cleanup are still in progress risks leaving orphaned infrastructure and hiding an in-flight operation. Either (a) restrict this cleanup to ScalingGroupStatusDeleted, or (b) verify the group has no remaining instances (e.g., via GetInstancesInGroup) before deleting the DB row.

[Copilot]

Pull request overview

Copilot reviewed 44 out of 44 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

VPC deletion now tries to clean up autoscaling groups, but checkDeleteDependencies still doesn’t check for non-deleted scaling groups. Because scaling_groups.vpc_id is a FK to vpcs(id) (no cascade), s.repo.Delete can still fail with a generic internal error when ACTIVE/UPDATING groups exist. Consider adding an explicit scaling group dependency check (similar to the LB check) so callers get a clear 409 conflict instead of a late DB error.

[Copilot]

The comment says this function removes scaling groups “marked as DELETED”, but the implementation deletes groups in ScalingGroupStatusDeleting. Either the comment is inaccurate or the status check is wrong; please align the wording/status so it’s clear which terminal state is being cleaned up.

[Copilot]

The comment on provisionReclaimMs says it “must be longer than provisionStaleThreshold (15m)”, but the value is 1 minute and the PR description indicates reclaim should be shorter than the stale threshold. Please fix the comment (or the value) so reclaim/ledger staleness expectations are consistent.

[coderabbitai]

Actionable comments posted: 10

Note

Due to the large number of review comments, Critical, Major severity comments were prioritized as inline comments.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)

tests/autoscaling_e2e_test.go (1)

105-117: ⚠️ Potential issue | 🟡 Minor

Fail when the scaling-group deletion wait expires.

This loop silently falls through after 120s if the group never returns 404, then reports a later VPC cleanup failure. Track the observed deletion so the test fails at the root cause.

Proposed fix

 		// Wait for scaling group to be fully deleted from database
 		// Allow up to 120s for the autoscaling worker to terminate instances and delete the group.
 		// With HA enabled, instance termination may take longer due to retries.
 		timeout := 120 * time.Second
 		start := time.Now()
+		deleted := false
 		for time.Since(start) < timeout {
 			resp = getRequest(t, client, fmt.Sprintf("%s/autoscaling/groups/%s", testutil.TestBaseURL, groupID), token)
 			_ = resp.Body.Close()
 			if resp.StatusCode == http.StatusNotFound {
+				deleted = true
 				break
 			}
 			time.Sleep(1 * time.Second)
 		}
+		require.Truef(t, deleted, "Timeout waiting for scaling group %s to be deleted", groupID)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/autoscaling_e2e_test.go` around lines 105 - 117, The wait loop that
polls for autoscaling group deletion (variables timeout, start) can silently
time out and let the test continue; update the loop around
getRequest/getRequest(t, client, fmt.Sprintf("%s/autoscaling/groups/%s",
testutil.TestBaseURL, groupID), token) to record the last observed status (e.g.
lastStatus) and after the for loop check if lastStatus != http.StatusNotFound
and if so call t.Fatalf with a clear message including groupID and lastStatus so
the test fails immediately on deletion timeout. Ensure resp.Body is still closed
and reuse the existing resp variable when capturing the last status.

tests/networking_e2e_test.go (1)

23-23: ⚠️ Potential issue | 🟡 Minor

Increase HTTP client timeout to match the VPC deletion retry window.

The client timeout at line 23 is 10s, but the retry loop (lines 151–155) allows 60s for VPC deletion. When deleteRequest() is called with a slow but successful DELETE, the client timeout fires before the response arrives, causing require.NoError(t, err) at helpers_test.go:211 to fatally fail the test—preventing the retry loop from ever checking the response status.

The timeout must exceed the intended deletion budget. Following the pattern in elastic_ip_e2e_test.go, define a constant and set the client timeout accordingly:

Proposed adjustment

 func TestNetworkingE2E(t *testing.T) {
 	t.Parallel()
 	if err := waitForServer(); err != nil {
 		t.Fatalf("Failing Networking E2E test: %v", err)
 	}
 
-	client := &http.Client{Timeout: 10 * time.Second}
+	const vpcDeleteTimeout = 60 * time.Second
+	client := &http.Client{Timeout: vpcDeleteTimeout + 5*time.Second}

Also applies to: 151–155

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/networking_e2e_test.go` at line 23, The HTTP client timeout is too
short for the VPC deletion retry window; define a named constant (e.g.,
vpcDeletionTimeout) similar to elastic_ip_e2e_test.go with a duration that
exceeds the retry budget (≈60s) and use it when constructing the client (replace
the literal in client := &http.Client{Timeout: 10 * time.Second} with the new
constant); ensure deleteRequest() calls use this longer timeout so the retry
loop that checks deletion status can receive slow-but-successful DELETE
responses.

internal/platform/circuit_breaker.go (1)

104-118: ⚠️ Potential issue | 🟠 Major

Execute is not panic-safe; a panicking fn can deadlock the breaker in HALF-OPEN.

If fn() panics, neither recordFailure nor recordSuccess runs, so halfOpenInFlight remains true forever. From that point on:

• In StateHalfOpen, allowRequest always hits if cb.halfOpenInFlight { break } → every call returns ErrCircuitOpen.
• The breaker can never transition to Closed because transitions from HALF-OPEN require a successful recordSuccess, which can't happen because calls are blocked.

A defer that treats an unhandled panic as a failure (and re-panics) restores correctness without swallowing bugs.

🛡️ Proposed fix

 func (cb *CircuitBreaker) Execute(fn func() error) error {
 	if !cb.allowRequest() {
 		CircuitBreakerBlocked.WithLabelValues(cb.name).Inc()
 		return ErrCircuitOpen
 	}
 
-	err := fn()
+	panicked := true
+	defer func() {
+		if panicked {
+			cb.recordFailure()
+		}
+	}()
+	err := fn()
+	panicked = false
 	if err != nil {
 		cb.recordFailure()
 		return err
 	}
 
 	cb.recordSuccess()
 	return nil
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/platform/circuit_breaker.go` around lines 104 - 118, Execute
currently isn't panic-safe: if fn() panics while the breaker is HALF-OPEN the
halfOpenInFlight flag never gets cleared. Add a defer before calling fn() in
CircuitBreaker.Execute that recovers a panic, calls cb.recordFailure() (to clear
in-flight/transition state) and then re-panics (panic(recovered)) so panics
aren't swallowed; keep existing recordSuccess()/recordFailure() calls for normal
returns. Ensure this defer runs regardless of fn() outcome and reference
Execute, fn, cb.recordFailure, cb.recordSuccess and cb.halfOpenInFlight when
making the change.

🟡 Minor comments (11)

internal/core/services/vpc.go-209-217 (1)

209-217: ⚠️ Potential issue | 🟡 Minor

Step numbering drift in comments.

Two new cleanup steps were inserted (steps 2 and 3), but the bridge-removal and DB-delete comments were not renumbered. Line 209 is now step 4 (fine), but line 216 still says "// 4. Delete from DB" and should be "// 5.".

Proposed fix

-	// 4. Delete from DB
+	// 5. Delete from DB
 	if err := s.repo.Delete(ctx, vpc.ID); err != nil {

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/core/services/vpc.go` around lines 209 - 217, The step comments in
the VPC cleanup sequence are out of sync: update the comment before the repo
delete call to reflect the correct step number (change the "// 4. Delete from
DB" comment to "// 5. Delete from DB") so the sequence matches the newly
inserted steps; locate the block around s.network.DeleteBridge(ctx,
vpc.NetworkID) and s.repo.Delete(ctx, vpc.ID) and adjust the comment text
accordingly.

internal/repositories/postgres/leader_elector_test.go-34-35 (1)

34-35: ⚠️ Potential issue | 🟡 Minor

Inconsistent positivity contract across tests.

TestKeyToLockIDUnique fails when id <= 0, but TestKeyToLockIDPositive only requires id >= 0 (allowing 0). If keyToLockID ever legitimately returns 0 for some input (the masking contract asserted in TestKeyToLockIDPositive permits it), this test would flake/fail for reasons unrelated to uniqueness. Either tighten keyToLockID's contract to strictly-positive in both tests, or relax this one to id < 0.

Proposed fix

-		if id <= 0 {
-			t.Fatalf("expected positive lock ID for key %q, got %d", k, id)
+		if id < 0 {
+			t.Fatalf("expected non-negative lock ID for key %q, got %d", k, id)
 		}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/repositories/postgres/leader_elector_test.go` around lines 34 - 35,
The uniqueness test enforces a stricter positivity contract than the other test;
in TestKeyToLockIDUnique change the negative check from "id <= 0" to "id < 0" so
it accepts id == 0 like TestKeyToLockIDPositive does; update the error message
in that test to say "expected non-negative lock ID for key %q, got %d" and
reference the keyToLockID function and TestKeyToLockIDUnique when making this
change.

internal/repositories/postgres/leader_elector.go-40-47 (1)

40-47: ⚠️ Potential issue | 🟡 Minor

Replace the magic mask with a named constant.

As per coding guidelines: "Do not use magic numbers - use named constants instead".

🛠 Suggested fix

+const int63Mask = 0x7FFFFFFFFFFFFFFF // mask to lower 63 bits for non-negative int64
+
 func keyToLockID(key string) int64 {
 	h := fnv.New64a()
 	_, _ = h.Write([]byte(key))
-	// Sum64 returns uint64. Mask to lower 63 bits (positive int64 range) and
-	// cast via uintptr to silence G115 integer overflow warning.
-	v := uintptr(h.Sum64() & 0x7FFFFFFFFFFFFFFF)
+	// Sum64 returns uint64. Mask to lower 63 bits (positive int64 range) and
+	// cast via uintptr to silence G115 integer overflow warning.
+	v := uintptr(h.Sum64() & int63Mask)
 	return int64(v)
 }

Note separately: _, _ = h.Write(...) is a silent failure per the same guideline ("Do not use silent failures - avoid blank identifier assignment like _ = someFunc()"). hash.Hash.Write is documented as never returning an error, so a brief comment acknowledging that intent would satisfy the guideline's spirit without adding a real error check.

As per coding guidelines: "Do not use magic numbers - use named constants instead".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/repositories/postgres/leader_elector.go` around lines 40 - 47,
Replace the magic mask in keyToLockID with a named constant (e.g., lockIDMask =
0x7FFFFFFFFFFFFFFF) and use that constant in the expression instead of the
literal; also keep the uint64 masking and cast to uintptr then int64 as before
to avoid overflow warnings. In keyToLockID, remove the blank-identifier
assignment to h.Write (or keep the call but drop assigning the return) and add a
brief comment stating that hash.Hash.Write never returns an error so the error
is intentionally ignored. Ensure references to keyToLockID, lockIDMask, and the
h.Write call are adjusted together.

internal/platform/retry.go-53-86 (1)

53-86: ⚠️ Potential issue | 🟡 Minor

defer timer.Stop() inside the loop accumulates deferred calls; stop explicitly per iteration.

All timer.Stop() defers run only when Retry returns, so with higher MaxAttempts values you pile up N-1 pending defers and their timer references. Also, in the <-timer.C branch the timer has already fired, but the earlier-iteration timers created before it are still held live by the defer stack until return. Prefer an explicit stop.

Also note: RetryAttempts.WithLabelValues(...).Inc() counts the first (non-retry) attempt as well. If that's intentional, consider renaming to attempts_total or only incrementing when attempt > 0.

🛠 Suggested fix

 		delay := backoffDelay(attempt, opts.BaseDelay, opts.MaxDelay, opts.Multiplier)
 		RetryBackoff.WithLabelValues(service, operation).Observe(delay.Seconds())
 		timer := time.NewTimer(delay)
-		defer timer.Stop()
 		select {
 		case <-ctx.Done():
+			timer.Stop()
 			return lastErr
 		case <-timer.C:
 		}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/platform/retry.go` around lines 53 - 86, The loop currently defers
timer.Stop() each iteration which accumulates deferred calls; remove the defer
and instead stop the per-iteration timer explicitly: create timer :=
time.NewTimer(delay), then in the ctx.Done() branch call timer.Stop() (and
handle drain if you choose to be defensive) before returning; do not defer
timer.Stop() so timers are not held until function return. Also adjust the
metric update RetryAttempts.WithLabelValues(service, operation).Inc() if you
only want to count retries (e.g., only Inc() when attempt > 0) or rename the
metric to reflect it counts all attempts; update the increment location
accordingly. Reference symbols: opts.MaxAttempts, backoffDelay, timer variable,
RetryAttempts.WithLabelValues(service, operation).Inc(),
RetryBackoff.WithLabelValues(service, operation).Observe(delay.Seconds()).

internal/platform/circuit_breaker_test.go-110-128 (1)

110-128: ⚠️ Potential issue | 🟡 Minor

Wait for the probe goroutine instead of sleeping.

Line 125 can make this test flaky under CI scheduling; the probe may not have recorded success before Line 128 runs. Use a completion channel so the assertion happens after cb.Execute returns.

Suggested deterministic wait

+	done := make(chan struct{})
 	go func() {
+		defer close(done)
 		_ = cb.Execute(func() error {
 			close(probeStarted)
 			<-probeDone // block until test releases
 			return nil
 		})
 	}()
@@
 	close(probeDone) // release the probe
-	time.Sleep(10 * time.Millisecond)
+	<-done
 
 	// After probe succeeds, circuit should be closed.
 	assert.Equal(t, StateClosed, cb.GetState())

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/platform/circuit_breaker_test.go` around lines 110 - 128, Replace
the non-deterministic time.Sleep with a completion channel: in the goroutine
that calls cb.Execute (the one using probeStarted/probeDone), create a done
channel and close it after cb.Execute returns; after closing probeDone in the
main test, wait for <-done (the goroutine completion) before asserting
cb.GetState() equals StateClosed; this ensures the probe run (cb.Execute) has
finished before the assertion and preserves the existing check that a concurrent
Execute returns ErrCircuitOpen while the probe is in flight.

internal/workers/leader_guard_test.go-48-80 (1)

48-80: ⚠️ Potential issue | 🟡 Minor

Replace the sleep with a start signal from the mock runner.

Line 76 makes the test timing-dependent. Have mockRunner.Run signal when it starts so the assertion is deterministic.

Suggested deterministic start signal

 type mockRunner struct {
 	runCalled atomic.Int32
 	runCtx    context.Context
+	started   chan struct{}
 }
 
 func (r *mockRunner) Run(ctx context.Context, wg *sync.WaitGroup) {
 	defer wg.Done()
 	r.runCalled.Add(1)
 	r.runCtx = ctx
+	if r.started != nil {
+		close(r.started)
+	}
 	<-ctx.Done()
 }
@@
 	elector := &mockLeaderElector{acquireResult: true}
-	inner := &mockRunner{}
+	inner := &mockRunner{started: make(chan struct{})}
@@
-	// Wait a bit for the inner worker to start
-	time.Sleep(100 * time.Millisecond)
+	select {
+	case <-inner.started:
+	case <-time.After(time.Second):
+		t.Fatal("timeout waiting for inner worker to start")
+	}
 
 	if inner.runCalled.Load() == 0 {

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/workers/leader_guard_test.go` around lines 48 - 80, The test is
timing-dependent; modify mockRunner to include a start signal (e.g., a started
chan struct{} field) and have mockRunner.Run close or send on that channel
immediately after incrementing runCalled so the test can block on that signal
instead of sleeping; update TestLeaderGuardRunsInnerWorkerWhenLeader to wait on
inner.started (with a timeout to avoid hangs) before asserting runCalled,
referencing mockRunner, mockRunner.Run and
TestLeaderGuardRunsInnerWorkerWhenLeader.

internal/platform/resilient_compute_test.go-275-286 (1)

275-286: ⚠️ Potential issue | 🟡 Minor

Ensure the bulkhead is actually saturated before asserting Ping bypass.

started is closed before StartInstance acquires the slot, so this test can pass without ever saturating the bulkhead. Wait until rc.bulkhead.Available() == 0 before calling Ping.

Suggested saturation wait

 	// Saturate the bulkhead.
-	started := make(chan struct{})
 	go func() {
-		close(started)
 		_ = rc.StartInstance(ctx, "x")
 	}()
-	<-started
-	time.Sleep(20 * time.Millisecond)
+	deadline := time.After(time.Second)
+	for rc.bulkhead.Available() != 0 {
+		select {
+		case <-deadline:
+			t.Fatal("timeout waiting for bulkhead saturation")
+		case <-time.After(5 * time.Millisecond):
+		}
+	}
 
 	// Ping should still work (bypasses bulkhead).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/platform/resilient_compute_test.go` around lines 275 - 286, The test
currently signals the goroutine before StartInstance acquires a bulkhead slot so
the bulkhead may not be saturated; modify the test to wait until
rc.bulkhead.Available() == 0 (with a short polling loop and overall timeout)
after launching the goroutine and before calling rc.Ping(ctx) to ensure the
bulkhead is actually full; reference the StartInstance call that occupies the
bulkhead and the Ping call that should bypass it, and use
rc.bulkhead.Available() to detect saturation (fail the test if the timeout
elapses without saturation).

internal/workers/provision_worker.go-24-30 (1)

24-30: ⚠️ Potential issue | 🟡 Minor

Stale comment contradicts the corrected value.

The comment asserts provisionReclaimMs "Must be longer than provisionStaleThreshold (15m) to avoid premature reclaim", but the PR correctly sets provisionReclaimMs = 1 minute (much shorter than 15m). The code is fine per the PR objective, but the comment now describes the old, inverted relationship and will confuse the next reader. Please update the comment to describe the actual invariant (reclaim interval shorter than stale threshold so crashed PEL messages get picked up quickly while healthy in-flight workers keep the ledger lock).

📝 Suggested comment rewrite

-	// How long a message can sit in PEL before another consumer reclaims it.
-	// Must be longer than provisionStaleThreshold (15m) to avoid premature reclaim.
-	provisionReclaimMs = 60 * 1000 // 1 minute
+	// How long a message can sit in PEL before another consumer reclaims it.
+	// Intentionally shorter than provisionStaleThreshold so that crashed
+	// workers' messages get picked up quickly; the ledger's stale check
+	// still prevents duplicate processing while a healthy owner is running.
+	provisionReclaimMs = 60 * 1000 // 1 minute

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/workers/provision_worker.go` around lines 24 - 30, The comment above
provisionReclaimMs/provisionReclaimN/provisionStaleThreshold is outdated and
describes the inverted relationship; update it to state that the PEL reclaim
interval (provisionReclaimMs = 1 minute) is intentionally shorter than the
idempotency ledger stale threshold (provisionStaleThreshold = 15m) so
crashed/in-flight messages are quickly reclaimed while healthy workers holding
ledger locks remain considered active until the longer stale threshold; adjust
the wording to clearly describe this invariant and why it exists.

internal/workers/cluster_worker.go-246-249 (1)

246-249: ⚠️ Potential issue | 🟡 Minor

Silent failure on repo.Delete contradicts this PR's goal.

The PR description calls out "Add warning logs when repo.Update fails in cluster handlers to surface silent update failures" — but handleDeprovision still drops the repo.Delete error on the floor with _ = w.repo.Delete(...). If the delete fails, handleDeprovision returns nil, processJob calls MarkComplete + ACKs the message, and the cluster row is permanently stuck in deleting state with no audit trail. Also violates the project's "no silent failures" rule.

🛡️ Proposed fix

 	w.logger.Info("deprovisioning succeeded", "cluster_id", cluster.ID)
-	_ = w.repo.Delete(ctx, cluster.ID)
+	if err := w.repo.Delete(ctx, cluster.ID); err != nil {
+		w.logger.Warn("failed to delete cluster record after deprovision",
+			"cluster_id", cluster.ID, "error", err)
+	}
 	return nil

As per coding guidelines: "Do not use silent failures - avoid blank identifier assignment like _ = someFunc()".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/workers/cluster_worker.go` around lines 246 - 249, handleDeprovision
currently discards the error from w.repo.Delete(ctx, cluster.ID) which creates a
silent failure; change the call in handleDeprovision to check the returned error
from w.repo.Delete, and if non-nil log a warning/error via w.logger (include
cluster.ID and the error) and return the error so processJob won't call
MarkComplete/ACK on a failed delete; ensure you reference w.repo.Delete and
handleDeprovision when making the change.

internal/repositories/postgres/execution_ledger.go-70-79 (1)

70-79: ⚠️ Potential issue | 🟡 Minor

Comment misrepresents the reclaim mechanism.

The inline comment says "Reclaim the stale entry using SELECT FOR UPDATE SKIP LOCKED", but the code actually uses a conditional UPDATE with an optimistic started_at = $2 predicate (a different technique — no row locks, no SKIP LOCKED). The race safety comes from started_at being replaced on a successful reclaim, causing the second reclaimer's WHERE clause to miss. Please correct the comment to describe the actual approach so future readers aren't misled.

📝 Suggested comment rewrite

-		// Reclaim the stale entry using SELECT FOR UPDATE SKIP LOCKED.
-		// This atomically claims the row, preventing two reclaimers from racing.
-		// If another reclaimer holds the lock (already reclaimed), we skip it.
+		// Reclaim the stale entry using an optimistic conditional UPDATE: the
+		// row is only updated if started_at still matches the value we read.
+		// If another reclaimer won the race, started_at has already moved
+		// forward and our WHERE clause misses (ErrNoRows).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/repositories/postgres/execution_ledger.go` around lines 70 - 79, The
comment incorrectly describes a SELECT FOR UPDATE SKIP LOCKED reclaim; update
the comment above the QueryRow/UPDATE block (the code that sets started_at =
NOW(), status = 'running' where job_key = $1 AND status = 'running' AND
started_at = $2 and scans into reclaimed) to explain that this uses an
optimistic conditional UPDATE (matching on the previous started_at) to
atomically claim a stale row rather than row-level locks — i.e., the WHERE
started_at = $2 predicate ensures only one reclaimer succeeds and others will
miss the row, causing the race-safety, not SKIP LOCKED.

internal/platform/resilient_network.go-213-219 (1)

213-219: ⚠️ Potential issue | 🟡 Minor

Magic 5*time.Second ping timeout — extract a constant.

The Ping timeout is hard-coded and duplicated in resilient_compute.go (Line 289). Extract a named constant (e.g. defaultPingTimeout) or add a PingTimeout field to ResilientNetworkOpts so operators can tune health-check behavior without code changes.

🔧 Proposed fix

+const defaultPingTimeout = 5 * time.Second
+
 func (r *ResilientNetwork) Ping(ctx context.Context) error {
 	return r.cb.Execute(func() error {
-		ctx2, cancel := context.WithTimeout(ctx, 5*time.Second)
+		ctx2, cancel := context.WithTimeout(ctx, defaultPingTimeout)
 		defer cancel()
 		return r.inner.Ping(ctx2)
 	})
 }

As per coding guidelines: "Do not use magic numbers - use named constants instead".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/platform/resilient_network.go` around lines 213 - 219, Extract the
hard-coded 5*time.Second used in ResilientNetwork.Ping into a named exported or
package-level constant (e.g. defaultPingTimeout) or, if configurability is
desired, add a PingTimeout time.Duration field to ResilientNetworkOpts and use
that value (falling back to defaultPingTimeout when zero); update the Ping
method in type ResilientNetwork to use the new constant or opts.PingTimeout and
make the same change where the identical timeout is duplicated in
resilient_compute.go so both places reference the same constant/option.

🧹 Nitpick comments (13)

internal/repositories/postgres/migrations/075_add_instance_type.up.sql (1)

18-27: Use column-based conflict resolution for better migration robustness.

CREATE TABLE IF NOT EXISTS with id TEXT PRIMARY KEY will generate a constraint named instance_types_pkey by default, but this couples the ON CONFLICT clause to PostgreSQL's automatic naming convention. If the table ever pre-existed with a differently-named constraint, or if a constraint was renamed, the INSERT would fail. ON CONFLICT (id) directly targets the uniqueness property and is resilient across schema restoration and manual intervention.

Suggested change

 -- Seed default instance types (use explicit constraint to ensure idempotent migrations)
 INSERT INTO instance_types (id, name, vcpus, memory_mb, disk_gb, category, price_per_hour) VALUES
     ('basic-1',       'Basic 1',       1,   512,  8,  'basic',       0.005),
     ('basic-2',       'Basic 2',       1,  1024, 10,  'basic',       0.01),
     ('standard-1',    'Standard 1',    2,  2048, 20,  'standard',    0.02),
     ('standard-2',    'Standard 2',    2,  4096, 40,  'standard',    0.04),
     ('standard-4',    'Standard 4',    4,  8192, 80,  'standard',    0.08),
     ('performance-1', 'Performance 1', 4, 16384, 160, 'performance', 0.16),
     ('performance-2', 'Performance 2', 8, 32768, 320, 'performance', 0.32)
-ON CONFLICT ON CONSTRAINT instance_types_pkey DO NOTHING;
+ON CONFLICT (id) DO NOTHING;

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/repositories/postgres/migrations/075_add_instance_type.up.sql`
around lines 18 - 27, The INSERT into instance_types uses ON CONFLICT ON
CONSTRAINT instance_types_pkey which ties the migration to a specific constraint
name; change the conflict target to the column-based form by replacing the
constraint reference with ON CONFLICT (id) DO NOTHING so the INSERT into
instance_types (id, name, vcpus, memory_mb, disk_gb, category, price_per_hour)
becomes resilient to different constraint names.

internal/core/services/vpc.go (1)

259-298: Consider pushing the VPC filter + soft-delete sweep into the repositories.

Both cleanupDeletedLBs and cleanupDeletedScalingGroups (and checkDeleteDependencies above) call ListAll across the entire tenant/cluster and filter by VpcID in Go. As the fleet grows this becomes a noticeable N+1/scan hotspot, and DeleteVPC traverses the full table up to three times. A ListByVPC (or DeleteAllByVPCAndStatus) on each repo would cut load and remove duplication here. Optional — safe to defer since this mirrors the pre-existing pattern.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/core/services/vpc.go` around lines 259 - 298, The current
cleanupDeletedLBs and cleanupDeletedScalingGroups scan entire tables via
lbRepo.ListAll and asgRepo.ListAllGroups and then filter by VpcID in the
service; add repository-level methods (e.g. lbRepo.ListByVPC(ctx, vpcID
uuid.UUID) or lbRepo.DeleteAllByVPCAndStatus(ctx, vpcID, status) and similarly
asgRepo.ListByVPC or asgRepo.DeleteAllByVPCAndStatus) and change
cleanupDeletedLBs and cleanupDeletedScalingGroups to call those repo methods (or
repo delete-all methods) instead of ListAll/ListAllGroups, keeping usage of
lbRepo.Delete or asgRepo.DeleteGroup only if you keep per-row deletes; update
repo implementations and tests accordingly to push the VPC filter and
soft-delete sweep into the repository layer.

cmd/api/main_test.go (1)

191-197: Minor: time-based shutdown trigger is mildly flaky, but assertions stay valid.

The 50 ms sleep before SIGTERM is decoupled from any observable worker signal. Since &setup.Workers{} is empty and the real invariant here is "no HTTP stubs are ever called", a flaky sleep can't produce a false pass — the t.Fatalf stubs guard that. Fine as-is; consider signalling on a sentinel (e.g., a channel the test closes after asserting) if you want to remove the timing dependency.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@cmd/api/main_test.go` around lines 191 - 197, The test uses a time.Sleep in
the deps.NotifySignals stub to send syscall.SIGTERM (in the anonymous function
assigned to deps.NotifySignals) which is flaky; replace the sleep-based trigger
with a deterministic sentinel channel: have the test create a channel (e.g.,
shutdownCh) that the stub waits to be closed or to receive from before sending
syscall.SIGTERM, then close/send on that channel only after test assertions
around setup.Workers{} complete so the signal is emitted deterministically
without timing dependency.

internal/repositories/redis/durable_task_queue_test.go (2)

172-207: Good coverage; consider also asserting Nack does not duplicate the live message.

The suite asserts XPending.Count == 1, which confirms the message stays pending — great for the contract in task_queue.go line 50-55 ("MUST NOT create duplicate live copies"). To harden against a future regression where a Nack impl accidentally XAdds a re-queue, consider also asserting s.Stream(queue) still has exactly one entry after Nack.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/repositories/redis/durable_task_queue_test.go` around lines 172 -
207, Add an assertion in TestDurableNackKeepsMessagePending that after calling
q.Nack(ctx, queue, group, msg.ID) the live Redis stream still contains exactly
one entry to ensure Nack did not XADD a duplicate; use the test helper
s.Stream(queue) (or equivalent helper exposed by the test harness) to get the
stream contents/length and fail the test if the count != 1. This complements the
existing XPending check and targets the q.Nack implementation.

---

209-244: Missing test for ReclaimStale.

The interface in internal/core/ports/task_queue.go adds ReclaimStale, but no test exercises it here. Given miniredis supports time advancement (s.FastForward), a reclaim test is cheap and would cover the crashed-peer recovery path called out in the PR summary.

Want me to sketch a TestDurableReclaimStale using miniredis.FastForward to advance past the idle threshold between Receive and ReclaimStale?

internal/repositories/postgres/leader_elector.go (1)

26-82: held map is written but never read — dead state.

e.held[key] = true in Acquire and delete(e.held, key) in Release are never consulted anywhere (no if e.held[...] check, no exposed getter). If it's intended for debugging/introspection, expose it or drop the mutex+map entirely — right now it only adds lock contention and has no semantic effect.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/repositories/postgres/leader_elector.go` around lines 26 - 82, The
held map and mu on PgLeaderElector are written in Acquire and Release but never
read, so either remove the dead state or make it observable: either (A) drop the
held map and mu fields, remove the e.held[...] writes in Acquire and delete in
Release (and update NewPgLeaderElector to not initialize held), or (B) keep them
and add a thread-safe accessor such as IsLeader(key string) bool or HeldKeys()
[]string that reads held under mu so the stored state is actually used; update
NewPgLeaderElector (constructor), Acquire, Release, and add the accessor(s) to
expose the intent.

internal/workers/leader_guard.go (1)

47-84: Optional: add a small backoff when leadership is repeatedly lost to avoid hot-looping on pathological electors.

Today the loop is paced by PgLeaderElector.RunAsLeader (which retries with leaderRetryInterval internally), so this is safe in practice. If LeaderGuard is ever used with a different elector implementation that returns quickly without blocking, this loop would spin. A bounded time.Sleep / jittered backoff between iterations would make LeaderGuard robust independent of the elector's internal pacing.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/workers/leader_guard.go` around lines 47 - 84, Add a bounded
jittered backoff between loop iterations in the LeaderGuard run loop to avoid
hot‑looping when g.elector.RunAsLeader returns quickly: after handling a
non‑fatal error or after "leadership lost or released, retrying" (i.e., before
the next iteration), sleep for a small randomized interval (e.g., base delay +
jitter) using time.Sleep and math/rand (or crypto/rand) to introduce jitter;
keep the backoff bounded (tens to a few hundreds of milliseconds) and
deterministic enough to not delay normal operation. Ensure the sleep is skipped
or the goroutine returns immediately if ctx.Err() != nil so shutdown remains
responsive; reference the loop around g.elector.RunAsLeader, the error handling
block that logs "leader election error, will retry", and the final log
"leadership lost or released, retrying".

internal/repositories/noop/adapters.go (1)

402-440: Add interface assertions for the new no-op durable components.

These are intended to satisfy ports contracts, but there is no compile-time assertion like the existing NoopComputeBackend assertion. Adding assertions prevents future signature drift from compiling unnoticed until a specific wiring path uses them.

Suggested assertions

 // NoopTaskQueue is a no-op task queue that implements DurableTaskQueue.
 type NoopTaskQueue struct{}
+
+var _ ports.DurableTaskQueue = (*NoopTaskQueue)(nil)
@@
 // NoopExecutionLedger is a no-op execution ledger that always grants ownership.
 type NoopExecutionLedger struct{}
+
+var _ ports.ExecutionLedger = (*NoopExecutionLedger)(nil)

As per coding guidelines, "internal/repositories/ must implement Ports interfaces".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/repositories/noop/adapters.go` around lines 402 - 440, Add
compile-time interface assertions for the new no-op types so signature drift is
caught at build time: add assertions that NoopTaskQueue implements the
DurableTaskQueue ports interface and that NoopExecutionLedger implements the
ExecutionLedger (or appropriately named ledger interface in ports). Place
assertions near the type definitions (e.g., immediately after NoopTaskQueue and
NoopExecutionLedger declarations) using the standard var _ InterfaceName =
(*TypeName)(nil) pattern, referencing the exact symbols NoopTaskQueue and
NoopExecutionLedger and the corresponding ports interfaces.

internal/repositories/postgres/execution_ledger.go (1)

61-101: Consider extracting status values as named constants.

"running", "completed", and "failed" are string literals used across TryAcquire, MarkComplete, and MarkFailed (and also in the job_executions CHECK constraint SQL). A typo in any of these silently breaks idempotency (e.g., a WHERE status = 'runing' would never match but produce no compile error). Extracting them to package-level constants makes the ledger’s state machine explicit and keeps call-sites consistent with the DB constraint.

♻️ Suggested refactor

+const (
+	jobStatusRunning   = "running"
+	jobStatusCompleted = "completed"
+	jobStatusFailed    = "failed"
+)

and reference these in the SQL/switch arms.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/repositories/postgres/execution_ledger.go` around lines 61 - 101,
Extract the literal status strings ("running", "completed", "failed") into
package-level constants (e.g., const StatusRunning = "running", StatusCompleted
= "completed", StatusFailed = "failed") and replace all occurrences in
TryAcquire (the switch on status and SQL UPDATE/WHERE), MarkComplete,
MarkFailed, and any SQL DDL/check constraint references to use these constants
so call-sites and queries are consistent; update the SQL string constructions
and switch arms to reference the constants (or format them into queries) so
typos cannot silently break matching and the ledger state machine is explicit.

internal/platform/resilient_storage.go (1)

168-174: Consider making Ping's timeout configurable.

The 5s timeout is hardcoded, while every other operation in this adapter gets its timeout from ResilientStorageOpts. For health checks against slow storage backends (or during warm-up) 5s can be either too strict or too lax. A PingTimeout time.Duration field on ResilientStorageOpts (defaulting to 5 * time.Second via withDefaults) would make this consistent with the rest of the adapter and easier to tune per environment.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/platform/resilient_storage.go` around lines 168 - 174, Ping
currently uses a hardcoded 5s timeout; add a PingTimeout time.Duration field to
ResilientStorageOpts (defaulting to 5*time.Second in withDefaults) and have
ResilientStorage.Ping use that option (e.g. context.WithTimeout(ctx,
r.opts.PingTimeout)) instead of the literal 5*time.Second; update any
construction of ResilientStorage to use withDefaults so the new field is
initialized.

internal/platform/resilient_dns.go (1)

42-78: r.logger is stored but never read.

logger is assigned in NewResilientDNS (line 74) but none of the adapter methods (callProtected, zone/record ops) ever use r.logger. The only logging path is the OnStateChange closure, which captures the outer logger parameter directly. Either drop the field to avoid dead state or start emitting per-call warnings (e.g., on retry exhaustion, bulkhead rejection for sibling adapters, etc.) through it. Minor, but keeps the struct honest about its surface.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/platform/resilient_dns.go` around lines 42 - 78, The ResilientDNS
struct stores logger in r.logger but never uses it; update NewResilientDNS to
wire the circuit-breaker OnStateChange to the instance logger (i.e., create the
ResilientDNS value first or set cb.OnStateChange after constructing the struct
so the closure uses r.logger.With("adapter", name)), and add per-call logging
via r.logger in the resilience paths (e.g., inside ResilientDNS.callProtected
and the zone/record operation methods) to emit warnings on retry exhaustion and
bulkhead/rejection events; alternatively if you prefer no per-call logging,
remove the logger field and the logger.With("adapter", name) usage in
NewResilientDNS to avoid dead state. Ensure you reference the ResilientDNS
struct, NewResilientDNS constructor, the cb.OnStateChange closure, and the
callProtected method when making these changes.

internal/repositories/redis/durable_task_queue.go (2)

50-62: Exported constructor returns unexported type.

NewDurableTaskQueue returns *durableTaskQueue, which forces callers to use it only through its methods and trips revive/golint's exported-return check. Since the concrete type is hidden but wiring in dependencies.go presumably assigns it to ports.DurableTaskQueue, consider either exporting the struct (DurableTaskQueue) or changing the return type to ports.DurableTaskQueue.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/repositories/redis/durable_task_queue.go` around lines 50 - 62,
NewDurableTaskQueue currently returns the unexported concrete type
*durableTaskQueue which triggers exported-return lint errors; change the
function signature to return the exported interface/port
(ports.DurableTaskQueue) instead of *durableTaskQueue, or alternatively export
the concrete struct by renaming durableTaskQueue to DurableTaskQueue; update the
constructor signature NewDurableTaskQueue(...) to return ports.DurableTaskQueue
(or make the struct public) and ensure callers (e.g., wiring in dependencies.go)
still receive the same value while keeping the concrete type unexported only if
returning the interface.

---

285-296: Reimplementing strings.Contains; also a redundant prefix check.

containsBusyGroup/containsSubstring duplicate strings.Contains, and the len(s) >= 9 && s[:9] == "BUSYGROUP" branch is fully subsumed by the substring check that follows. Drop the helpers and inline strings.Contains.

♻️ Proposed refactor

 import (
 	"context"
 	"encoding/json"
 	stdlib_errors "errors"
 	"fmt"
 	"log/slog"
+	"strings"
 	"time"

 	"github.com/poyrazk/thecloud/internal/core/ports"
 	"github.com/redis/go-redis/v9"
 )

 func isGroupExistsErr(err error) bool {
-	if err == nil {
-		return false
-	}
-	return containsBusyGroup(err.Error())
-}
-
-func containsBusyGroup(s string) bool {
-	return len(s) >= 9 && (s[:9] == "BUSYGROUP" || containsSubstring(s, "BUSYGROUP"))
-}
-
-func containsSubstring(s, sub string) bool {
-	for i := 0; i+len(sub) <= len(s); i++ {
-		if s[i:i+len(sub)] == sub {
-			return true
-		}
-	}
-	return false
+	return err != nil && strings.Contains(err.Error(), "BUSYGROUP")
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/repositories/redis/durable_task_queue.go` around lines 285 - 296,
The helpers containsBusyGroup and containsSubstring reimplement strings.Contains
and include a redundant prefix check; remove both functions and replace their
usages by calling strings.Contains(s, "BUSYGROUP") directly (drop the len(s) >=
9 && s[:9] == "BUSYGROUP" branch), and add/import the standard "strings" package
where needed so code compiles; update any references to containsBusyGroup to use
strings.Contains instead.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f111fab2-547a-4b65-bd1b-282726c7640b

📥 Commits

Reviewing files that changed from the base of the PR and between 1632050 and 11eda6e.

📒 Files selected for processing (44)

• .github/workflows/benchmarks.yml
• cmd/api/main.go
• cmd/api/main_test.go
• internal/api/setup/dependencies.go
• internal/core/ports/execution_ledger.go
• internal/core/ports/leader.go
• internal/core/ports/task_queue.go
• internal/core/services/vpc.go
• internal/core/services/vpc_test.go
• internal/drills/ha_drills_test.go
• internal/drills/release_gates_test.go
• internal/platform/bulkhead.go
• internal/platform/bulkhead_test.go
• internal/platform/circuit_breaker.go
• internal/platform/circuit_breaker_test.go
• internal/platform/resilience_metrics.go
• internal/platform/resilient_compute.go
• internal/platform/resilient_compute_test.go
• internal/platform/resilient_dns.go
• internal/platform/resilient_lb.go
• internal/platform/resilient_network.go
• internal/platform/resilient_storage.go
• internal/platform/retry.go
• internal/platform/retry_test.go
• internal/repositories/noop/adapters.go
• internal/repositories/postgres/execution_ledger.go
• internal/repositories/postgres/leader_elector.go
• internal/repositories/postgres/leader_elector_test.go
• internal/repositories/postgres/migrations/075_add_instance_type.up.sql
• internal/repositories/postgres/migrations/100_create_job_executions.down.sql
• internal/repositories/postgres/migrations/100_create_job_executions.up.sql
• internal/repositories/redis/durable_task_queue.go
• internal/repositories/redis/durable_task_queue_test.go
• internal/workers/cluster_worker.go
• internal/workers/cluster_worker_test.go
• internal/workers/leader_guard.go
• internal/workers/leader_guard_test.go
• internal/workers/pipeline_worker.go
• internal/workers/pipeline_worker_test.go
• internal/workers/provision_worker.go
• internal/workers/provision_worker_test.go
• tests/autoscaling_e2e_test.go
• tests/database_e2e_test.go
• tests/networking_e2e_test.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Confirms whether the workflow still combines PR execution with write permissions
# and whether checkout credentials are explicitly disabled.

python - <<'PY'
from pathlib import Path
p = Path(".github/workflows/benchmarks.yml")
text = p.read_text()

print("workflow:", p)
print("has pull_request trigger:", "pull_request:" in text)
print("job requests contents: write:", "contents: write" in text)
print("checkout disables persisted credentials:", "persist-credentials: false" in text)
PY

Repository: poyrazK/thecloud

Length of output: 215

---

🏁 Script executed:

cat -n .github/workflows/benchmarks.yml

Repository: poyrazK/thecloud

Length of output: 2178

---

Split PR and main benchmark jobs to enforce read-only permissions on PR code execution.

Currently, PR benchmark execution (which runs checked-out PR code at lines 24–28) occurs within a job granted contents: write and pull-requests: write permissions. While the PR step disables publishing via auto-push: false, the execution context itself remains privileged. Create separate benchmark-pr and benchmark-main jobs: the PR job should use contents: read with persist-credentials: false on checkout; reserve contents: write and pull-requests: write for the main-only job.

Suggested structure

 jobs:
-  benchmark:
-    name: Run Benchmarks
+  benchmark-pr:
+    if: github.event_name == 'pull_request'
+    name: Run Benchmarks (PR)
     runs-on: ubuntu-latest
     permissions:
-      contents: write
-      pull-requests: write
+      contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - name: Setup Go
         uses: actions/setup-go@v6
         with:
           go-version: '1.25.0'
       - name: Run Benchmarks
         run: |
           go test -run '^$' -bench=. -benchmem ./internal/core/services/... 2>/dev/null \
             | grep -E '^(goos:|goarch:|pkg:|cpu:|Benchmark|PASS$|ok\s)' \
             | tee bench.txt
       - name: Store Benchmark Result (PR)
-        if: github.event_name == 'pull_request'
         uses: benchmark-action/github-action-benchmark@v1
         with:
           name: Go Benchmarks
           tool: 'go'
           output-file-path: bench.txt
           auto-push: false
           alert-threshold: '200%'
           comment-on-alert: false
           fail-on-alert: false
+
+  benchmark-main:
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    name: Run Benchmarks (main)
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@v6
+      - name: Setup Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: '1.25.0'
+      - name: Run Benchmarks
+        run: |
+          go test -run '^$' -bench=. -benchmem ./internal/core/services/... 2>/dev/null \
+            | grep -E '^(goos:|goarch:|pkg:|cpu:|Benchmark|PASS$|ok\s)' \
+            | tee bench.txt
+      - name: Store Benchmark Result (main)
+        uses: benchmark-action/github-action-benchmark@v1
+        with:
+          name: Go Benchmarks
+          tool: 'go'
+          output-file-path: bench.txt
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          auto-push: true
+          alert-threshold: '200%'
+          comment-on-alert: true
+          fail-on-alert: false

Sources: actions/checkout README, GitHub Actions token permissions, GitHub Security Lab guidance

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/benchmarks.yml around lines 30 - 42, Split the single
benchmark job into two jobs named benchmark-pr and benchmark-main: move the
existing use of benchmark-action/github-action-benchmark@v1 into both jobs but
guard benchmark-pr with if: github.event_name == 'pull_request' and
benchmark-main with if: github.event_name == 'push' && github.ref ==
'refs/heads/main' (or equivalent main-branch condition); in the benchmark-pr job
set permissions: contents: read and ensure the actions/checkout step uses
persist-credentials: false, and keep auto-push: false on the PR job; in the
benchmark-main job grant permissions contents: write and pull-requests: write
and allow publishing/pushing actions as needed (auto-push true or configured)
while preserving existing tool/output/alert settings (name Go Benchmarks, tool:
'go', output-file-path: bench.txt, alert-threshold, comment-on-alert,
fail-on-alert).

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Avoid an unbounded wait when saturating the bulkhead.

Line 131 discards acquisition errors, and Lines 140-142 can spin forever if any saturating goroutine fails before incrementing inFlight. Capture the error and add a timeout around the wait.

Suggested bounded wait

+	errCh := make(chan error, maxConc)
 	// Saturate the bulkhead.
 	for i := 0; i < maxConc; i++ {
 		wg.Add(1)
 		go func() {
 			defer wg.Done()
-			_ = bh.Execute(ctx, func() error {
+			errCh <- bh.Execute(ctx, func() error {
 				inFlight.Add(1)
 				<-blockCh
 				return nil
 			})
 		}()
 	}
 
 	// Wait for all slots to be occupied.
-	for inFlight.Load() < int64(maxConc) {
-		time.Sleep(5 * time.Millisecond)
+	deadline := time.After(time.Second)
+	for inFlight.Load() < int64(maxConc) {
+		select {
+		case err := <-errCh:
+			if err != nil {
+				t.Fatalf("failed to saturate bulkhead: %v", err)
+			}
+		case <-deadline:
+			t.Fatalf("timeout waiting for bulkhead saturation: inFlight=%d", inFlight.Load())
+		case <-time.After(5 * time.Millisecond):
+		}
 	}

As per coding guidelines, "Do not use silent failures - avoid blank identifier assignment like _ = someFunc()".

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	// Saturate the bulkhead.
	for i := 0; i < maxConc; i++ {
	wg.Add(1)
	go func() {
	defer wg.Done()
	_ = bh.Execute(ctx, func() error {
	inFlight.Add(1)
	<-blockCh
	return nil
	})
	}()
	}
	// Wait for all slots to be occupied.
	for inFlight.Load() < int64(maxConc) {
	time.Sleep(5 * time.Millisecond)
	}
	errCh := make(chan error, maxConc)
	// Saturate the bulkhead.
	for i := 0; i < maxConc; i++ {
	wg.Add(1)
	go func() {
	defer wg.Done()
	errCh <- bh.Execute(ctx, func() error {
	inFlight.Add(1)
	<-blockCh
	return nil
	})
	}()
	}
	// Wait for all slots to be occupied.
	deadline := time.After(time.Second)
	for inFlight.Load() < int64(maxConc) {
	select {
	case err := <-errCh:
	if err != nil {
	t.Fatalf("failed to saturate bulkhead: %v", err)
	}
	case <-deadline:
	t.Fatalf("timeout waiting for bulkhead saturation: inFlight=%d", inFlight.Load())
	case <-time.After(5 * time.Millisecond):
	}
	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/drills/ha_drills_test.go` around lines 126 - 142, When saturating
the bulkhead in the loop that launches goroutines (using maxConc, wg,
bh.Execute, inFlight, blockCh, ctx) you must not ignore errors from bh.Execute
and you must bound the wait for inFlight to avoid an infinite spin if a
goroutine fails; change each goroutine to capture and check the error returned
by bh.Execute (do not assign to _), only call inFlight.Add(1) after a successful
acquisition, and send a success signal (or increment a dedicated success
counter) so the main goroutine can detect progress; replace the busy-spin wait
for inFlight.Load() with a select-based timeout (or wait on a channel with
time.After) so the test fails deterministically if acquisition does not reach
maxConc within the timeout.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Bound the startup wait and don’t discard bulkhead errors.

If either saturation goroutine fails before entering fn, startedWg.Wait() at Line 85 never returns because Line 79 is never reached. Capture the Execute error and use a timeout for the wait.

Suggested bounded startup wait

 	blockCh := make(chan struct{})
+	errCh := make(chan error, 2)
 	var wg sync.WaitGroup
 	var startedWg sync.WaitGroup
@@
 		go func() {
 			defer wg.Done()
-			_ = bhCompute.Execute(ctx, func() error {
+			errCh <- bhCompute.Execute(ctx, func() error {
 				startedWg.Done()
 				<-blockCh
 				return nil
 			})
 		}()
 	}
-	startedWg.Wait() // Ensure they have acquired slots.
+	started := make(chan struct{})
+	go func() {
+		startedWg.Wait()
+		close(started)
+	}()
+	select {
+	case <-started:
+	case err := <-errCh:
+		if err != nil {
+			t.Fatalf("failed to saturate compute bulkhead: %v", err)
+		}
+	case <-time.After(time.Second):
+		t.Fatal("timeout waiting for compute bulkhead saturation")
+	}

As per coding guidelines, "Do not use silent failures - avoid blank identifier assignment like _ = someFunc()".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/drills/release_gates_test.go` around lines 69 - 85, The startup
goroutines currently discard errors from bhCompute.Execute and rely on
startedWg.Wait() indefinitely; modify the goroutine body that calls
bhCompute.Execute to capture and report the returned error (do not assign to _),
signal startedWg only after Execute returns success or after confirming the slot
was acquired, and replace the unconditional startedWg.Wait() with a bounded wait
(e.g., wait using a time.After timeout or a context with deadline) so the test
fails fast if a goroutine never reaches the fn; reference blockCh, wg, startedWg
and bhCompute.Execute when making these changes.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Make WaitTimeout’s default behavior unambiguous.

Line 26 documents a 5s default, but Lines 34-38 leave timeout at zero, and Lines 75-83 then wait solely on ctx. With context.Background() this can block forever when the bulkhead is full. Either apply the documented default or change the comment/API to require callers to provide a deadline.

Suggested default timeout fix

+const (
+	defaultBulkheadMaxConc     = 10
+	defaultBulkheadWaitTimeout = 5 * time.Second
+)
+
 // BulkheadOpts configures a bulkhead.
 type BulkheadOpts struct {
 	Name        string        // Identifier for logging/metrics.
-	MaxConc     int           // Maximum concurrent requests. Default 10.
-	WaitTimeout time.Duration // How long to wait for a slot. Default 5s. 0 means use context deadline.
+	MaxConc     int           // Maximum concurrent requests. Default 10.
+	WaitTimeout time.Duration // How long to wait for a slot. Default 5s.
 }
@@
 func NewBulkhead(opts BulkheadOpts) *Bulkhead {
 	if opts.MaxConc <= 0 {
-		opts.MaxConc = 10
+		opts.MaxConc = defaultBulkheadMaxConc
+	}
+	if opts.WaitTimeout <= 0 {
+		opts.WaitTimeout = defaultBulkheadWaitTimeout
 	}
 	return &Bulkhead{

As per coding guidelines, "Do not use magic numbers - use named constants instead".

Also applies to: 60-83

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/platform/bulkhead.go` around lines 22 - 38, The WaitTimeout default
is ambiguous: add a named constant (e.g. DefaultBulkheadWait = 5*time.Second)
and in NewBulkhead set opts.WaitTimeout to that constant when opts.WaitTimeout
== 0 so Bulkhead.timeout is never zero by default; update BulkheadOpts comment
to reference DefaultBulkheadWait instead of a magic “5s” literal and ensure
callers can still override by providing a non-zero WaitTimeout (use the symbols
BulkheadOpts, WaitTimeout, NewBulkhead, and Bulkhead.timeout to locate the
changes).

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Guard against a nil logger in the constructor.

logger.Warn and logger.With will panic if a caller passes nil. Defaulting to slog.Default() keeps the wrapper safe under partial dependency wiring.

Suggested nil guard

 func NewResilientLB(inner ports.LBProxyAdapter, logger *slog.Logger, opts ResilientLBOpts) *ResilientLB {
 	opts = opts.withDefaults()
 	name := "lb-proxy"
+	if logger == nil {
+		logger = slog.Default()
+	}
 
 	cb := NewCircuitBreakerWithOpts(CircuitBreakerOpts{

As per coding guidelines, "Do not panic in production code - return errors instead".

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	func NewResilientLB(inner ports.LBProxyAdapter, logger *slog.Logger, opts ResilientLBOpts) *ResilientLB {
	opts = opts.withDefaults()
	name := "lb-proxy"
	cb := NewCircuitBreakerWithOpts(CircuitBreakerOpts{
	Name: name,
	Threshold: opts.CBThreshold,
	ResetTimeout: opts.CBResetTimeout,
	SuccessRequired: 2,
	OnStateChange: func(n string, from, to State) {
	logger.Warn("circuit breaker state change",
	"breaker", n, "from", from.String(), "to", to.String())
	},
	})
	retryOpts := RetryOpts{
	MaxAttempts: opts.RetryMaxAttempts,
	BaseDelay: opts.RetryBaseDelay,
	}
	return &ResilientLB{
	inner: inner,
	cb: cb,
	logger: logger.With("adapter", name),
	opts: opts,
	retryOpts: retryOpts,
	}
	func NewResilientLB(inner ports.LBProxyAdapter, logger *slog.Logger, opts ResilientLBOpts) *ResilientLB {
	opts = opts.withDefaults()
	name := "lb-proxy"
	if logger == nil {
	logger = slog.Default()
	}
	cb := NewCircuitBreakerWithOpts(CircuitBreakerOpts{
	Name: name,
	Threshold: opts.CBThreshold,
	ResetTimeout: opts.CBResetTimeout,
	SuccessRequired: 2,
	OnStateChange: func(n string, from, to State) {
	logger.Warn("circuit breaker state change",
	"breaker", n, "from", from.String(), "to", to.String())
	},
	})
	retryOpts := RetryOpts{
	MaxAttempts: opts.RetryMaxAttempts,
	BaseDelay: opts.RetryBaseDelay,
	}
	return &ResilientLB{
	inner: inner,
	cb: cb,
	logger: logger.With("adapter", name),
	opts: opts,
	retryOpts: retryOpts,
	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/platform/resilient_lb.go` around lines 57 - 83, NewResilientLB
currently assumes logger is non-nil and calls logger.Warn and logger.With which
will panic if a nil logger is passed; guard by defaulting nil logger to
slog.Default() at the start of NewResilientLB (e.g., if logger == nil { logger =
slog.Default() }) so all subsequent uses (logger.Warn, logger.With) are safe,
then proceed to create the CircuitBreaker (NewCircuitBreakerWithOpts), set up
retryOpts, and return the &ResilientLB as before.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Metrics' service label is hardcoded to "unknown" — the dimension is effectively dead.

RetryOpts exposes OperationName but no Service, and service := "unknown" is never overridden. Every RetryAttempts/RetryBackoff observation from every caller (compute, storage, network, DNS, LB…) will land on the same service="unknown" series, making the label useless and risking cardinality confusion if anyone later filters on it.

🛠 Suggested fix

 type RetryOpts struct {
 	MaxAttempts   int           // Total attempts (including the first). Default 3.
 	BaseDelay     time.Duration // Initial delay before first retry. Default 500ms.
 	MaxDelay      time.Duration // Cap on exponential growth. Default 30s.
 	Multiplier    float64       // Exponent base. Default 2.0.
+	ServiceName   string        // Name for metrics labels. Default "unknown".
 	OperationName string         // Name for metrics labels. Default "unknown".
 	// ShouldRetry is an optional predicate that returns false for errors
 	// that should NOT be retried (e.g., validation errors, 4xx HTTP).
 	// If nil, all non-nil errors are retried.
 	ShouldRetry func(error) bool
 }
@@
-	service := "unknown"
-	operation := opts.OperationName
-	if operation == "" {
-		operation = "unknown"
-	}
+	service := opts.ServiceName
+	if service == "" {
+		service = "unknown"
+	}
+	operation := opts.OperationName
+	if operation == "" {
+		operation = "unknown"
+	}

Then wire ServiceName at each resilient wrapper (resilient_compute.go, etc.) alongside the existing name := fmt.Sprintf("compute-%s", inner.Type()).

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	service := "unknown"
	operation := opts.OperationName
	if operation == "" {
	operation = "unknown"
	}
	service := opts.ServiceName
	if service == "" {
	service = "unknown"
	}
	operation := opts.OperationName
	if operation == "" {
	operation = "unknown"
	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/platform/retry.go` around lines 46 - 50, The metrics `service` label
is hardcoded to "unknown" in the retry path — add a ServiceName field to
RetryOpts and use that instead of the `service := "unknown"` fallback (keep
OperationName behavior for `operation`), then update callers (e.g., in
resilient_compute.go where `name := fmt.Sprintf("compute-%s", inner.Type())` is
set) to populate RetryOpts.ServiceName alongside the existing name so
RetryAttempts/RetryBackoff observations carry a real service dimension.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Inspect the pipeline worker's execution ledger usage.
# Expectation: If processJob or Start uses ExecutionLedger for ownership/completion, add a mock ledger to this test and assert those calls.

rg -n -C4 '\btype PipelineWorker\b|func NewPipelineWorker\b|func \(.*\) processJob\b|ExecutionLedger|ledger\.' --iglob '*.go'

Repository: poyrazK/thecloud

Length of output: 26941

---

🏁 Script executed:

cat -n internal/workers/pipeline_worker_test.go | sed -n '150,220p'

Repository: poyrazK/thecloud

Length of output: 3422

---

🏁 Script executed:

# Check for other test patterns with ledger mocking
rg -n 'NewPipelineWorker|ExecutionLedger|NoopExecutionLedger' internal/workers/pipeline_worker_test.go

Repository: poyrazK/thecloud

Length of output: 131

---

🏁 Script executed:

# Check if other worker tests use mock/noop ledger
rg -n 'NewProvisionWorker|NewClusterWorker' internal/workers/*_test.go -A2 -B2

Repository: poyrazK/thecloud

Length of output: 2772

---

Use a mock or no-op ledger instead of nil.

The worker's processJob method calls ledger.TryAcquire() and ledger.MarkComplete() on the success path, but the test passes nil and skips these code paths entirely. This masks potential issues as the HA features evolve. Use the existing NoopExecutionLedger or create a mock with testify/mock to exercise the idempotency checks.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/workers/pipeline_worker_test.go` at line 167, The test constructs a
PipelineWorker with a nil ledger which prevents exercising ledger-related code
in processJob (calls to ledger.TryAcquire and ledger.MarkComplete); update the
test to pass a NoopExecutionLedger instance or a testify/mock implementation
instead of nil when calling NewPipelineWorker so processJob executes the
idempotency paths (refer to NewPipelineWorker, processJob, ledger.TryAcquire,
ledger.MarkComplete and NoopExecutionLedger) and assert expected ledger
interactions where appropriate.

[Copilot]

Pull request overview

Copilot reviewed 45 out of 45 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Postgres session-level advisory locks are connection-scoped. Calling pg_try_advisory_lock/pg_advisory_unlock through a pooled DB interface can run on different connections, which breaks leadership correctness (lock may be acquired on one connection but checked/unlocked on another, potentially leaking locks or allowing multiple leaders). This implementation should use a dedicated long-lived connection per elector/key (e.g., acquire a pgxpool.Conn and run all lock/heartbeat/unlock queries on it) or use a different leader-election primitive that is safe with a pool.

[Copilot]

cleanupDeletedLBs deletes load balancer rows as soon as they are marked LBStatusDeleted. However, the LB worker relies on those rows to perform infrastructure cleanup (e.g., calling RemoveProxy) and then delete the row. Deleting the row here can orphan external LB resources. Safer options are: (1) wait/poll until the worker has deleted the rows, (2) trigger/perform the cleanup inline before deleting the DB row, or (3) introduce a distinct terminal status meaning “infra cleaned, row safe to delete” and only delete then.

Suggested change

	// cleanupDeletedLBs removes LB rows that are marked as DELETED.
	// Normally the LB worker would clean these up asynchronously, but VPC deletion
	// must remove them first due to FK constraints.
	func (s *VpcService) cleanupDeletedLBs(ctx context.Context, vpcID uuid.UUID) error {
	if s.lbRepo == nil {
	return nil // LBRepo not configured, skip cleanup
	}
	lbs, err := s.lbRepo.ListAll(ctx)
	if err != nil {
	return err
	}
	for _, lb := range lbs {
	if lb.VpcID == vpcID && lb.Status == domain.LBStatusDeleted {
	if err := s.lbRepo.Delete(ctx, lb.ID); err != nil {
	return fmt.Errorf("failed to delete LB %s: %w", lb.ID, err)
	}
	s.logger.Info("cleaned up deleted LB row", "lb_id", lb.ID, "vpc_id", vpcID)
	}
	}
	return nil
	// cleanupDeletedLBs waits for LB rows that are marked as DELETED to be removed
	// by the LB worker after infrastructure cleanup has completed.
	// VPC deletion must not delete these rows directly, because the worker may still
	// rely on them to tear down external LB resources.
	func (s *VpcService) cleanupDeletedLBs(ctx context.Context, vpcID uuid.UUID) error {
	if s.lbRepo == nil {
	return nil // LBRepo not configured, skip cleanup
	}
	waitCtx := ctx
	if _, hasDeadline := ctx.Deadline(); !hasDeadline {
	var cancel context.CancelFunc
	waitCtx, cancel = context.WithTimeout(ctx, 30*time.Second)
	defer cancel()
	}
	ticker := time.NewTicker(500 * time.Millisecond)
	defer ticker.Stop()
	for {
	lbs, err := s.lbRepo.ListAll(waitCtx)
	if err != nil {
	return err
	}
	pendingDeleted := make([]uuid.UUID, 0)
	for _, lb := range lbs {
	if lb.VpcID == vpcID && lb.Status == domain.LBStatusDeleted {
	pendingDeleted = append(pendingDeleted, lb.ID)
	}
	}
	if len(pendingDeleted) == 0 {
	return nil
	}
	s.logger.Info("waiting for deleted LB rows to be removed by worker", "vpc_id", vpcID, "pending_lb_count", len(pendingDeleted))
	select {
	case <-waitCtx.Done():
	return fmt.Errorf("timed out waiting for LB worker to remove deleted load balancers for VPC %s: %w", vpcID, waitCtx.Err())
	case <-ticker.C:
	}
	}

[Copilot]

cleanupDeletedScalingGroups deletes groups in ScalingGroupStatusDeleting. The autoscaling worker uses the presence of these rows (and that status) to terminate instances and finish cleanup; deleting the row early can leave instances running without any controller to clean them up. Consider only deleting groups once cleanup is complete (e.g., after the worker marks a terminal DELETED status), or explicitly verify there are no remaining group instances/resources before deleting the row.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[poyrazK]

It's okay to merge