fix(reconciler): export RestartDebounceWindow and assert >= reconcile interval (#2284) #2297

Merged

devops-engineer merged 4 commits from fix/reconciler-debounce-coupling-2284 into main 2026-06-06 21:17:30 +00:00

Conversation 6 Commits 4 Files Changed 3

+27 -12

core-be commented 2026-06-05 09:04:17 +00:00

Member

Copy Link

Copy Source

Fixes the MED item from comprehensive-review follow-up #2284.

Problem: restartDebounceWindow = 60s was set exactly equal to the CP instance reconciler interval (60s) with zero margin. If someone drops the reconciler interval below the debounce window, a workspace flipped offline by one tick can be reprovisioned again by the next tick before the debounce drops it, reopening the double-reprovision thrash class (internal#544).

Fix:

1. Export RestartDebounceWindow from the handlers package (was unexported).
2. Add explicit COUPLING comment documenting the >= relationship.
3. Add a runtime assertion in main.go that fatals if the interval ever exceeds the debounce window, making the coupling fail-closed.
4. Update the test that manipulates the window to use the exported name.

Test plan:

• go build ./cmd/server passes.
• TestRestartByID_DebounceExpiresAfterWindow passes.

Closes #2284

Fixes the MED item from comprehensive-review follow-up #2284. **Problem:** `restartDebounceWindow = 60s` was set exactly equal to the CP instance reconciler interval (60s) with zero margin. If someone drops the reconciler interval below the debounce window, a workspace flipped offline by one tick can be reprovisioned again by the next tick before the debounce drops it, reopening the double-reprovision thrash class (internal#544). **Fix:** 1. Export `RestartDebounceWindow` from the `handlers` package (was unexported). 2. Add explicit COUPLING comment documenting the `>=` relationship. 3. Add a runtime assertion in `main.go` that fatals if the interval ever exceeds the debounce window, making the coupling fail-closed. 4. Update the test that manipulates the window to use the exported name. **Test plan:** - [x] `go build ./cmd/server` passes. - [x] `TestRestartByID_DebounceExpiresAfterWindow` passes. Closes #2284

core-be added 1 commit 2026-06-05 09:04:17 +00:00

fix(reconciler): export RestartDebounceWindow and assert >= reconcile interval (#2284) ... 53130ee020

The restart debounce window (60s) was set exactly equal to the CP instance
reconciler interval (60s) with zero margin. If someone drops the reconciler
interval below the debounce window, a workspace flipped offline by one tick
can be reprovisioned again by the next tick before the debounce drops it,
reopening the double-reprovision thrash class (internal#544).

Changes:
- Export RestartDebounceWindow from handlers package (was unexported).
- Add explicit COUPLING comment documenting the >= relationship.
- Add runtime assertion in main.go that fatals if the interval ever
  exceeds the debounce window, making the coupling fail-closed.
- Update test that manipulates the window to use the exported name.

Closes #2284 (MED item)

core-be added the tier:medium label 2026-06-05 09:04:39 +00:00

agent-reviewer approved these changes 2026-06-05 09:11:40 +00:00

agent-reviewer left a comment

Member

Copy Link

Copy Source

5-axis review: APPROVED.

Correctness: Exports the restart debounce window and adds a startup invariant that it must be at least the CP instance reconciler interval. That directly protects the internal#544 self-fire/double-reprovision coupling from silently drifting if the reconciler interval changes.

Robustness: The check fails fast at startup when the invariant is broken instead of letting the system run with a known thrash risk. Existing debounce tests continue to shrink the exported package variable and restore it afterward. Security: no auth, secrets, or tenant boundary changes. Performance: no steady-state cost beyond one startup comparison; the reconciler interval itself is unchanged. Readability: the coupling is documented at both the server launch site and the debounce definition.

Required-context review: head 53130ee020 is mergeable; CI/all-required, E2E API Smoke, Handlers PG, and Platform Go are green.

5-axis review: APPROVED. Correctness: Exports the restart debounce window and adds a startup invariant that it must be at least the CP instance reconciler interval. That directly protects the internal#544 self-fire/double-reprovision coupling from silently drifting if the reconciler interval changes. Robustness: The check fails fast at startup when the invariant is broken instead of letting the system run with a known thrash risk. Existing debounce tests continue to shrink the exported package variable and restore it afterward. Security: no auth, secrets, or tenant boundary changes. Performance: no steady-state cost beyond one startup comparison; the reconciler interval itself is unchanged. Readability: the coupling is documented at both the server launch site and the debounce definition. Required-context review: head 53130ee020ac43868a3376a2905eb7baaeb78666 is mergeable; CI/all-required, E2E API Smoke, Handlers PG, and Platform Go are green.

devops-engineer commented 2026-06-06 11:55:43 +00:00

Member

Copy Link

Copy Source

merge-queue: updated this branch with main at e441def8b3a8. Waiting for CI on the refreshed head.

merge-queue: updated this branch with `main` at `e441def8b3a8`. Waiting for CI on the refreshed head.

devops-engineer added 1 commit 2026-06-06 11:55:45 +00:00

Merge branch 'main' into fix/reconciler-debounce-coupling-2284 b6668c3b68

devops-engineer commented 2026-06-06 14:35:46 +00:00

Member

Copy Link

Copy Source

merge-queue: updated this branch with main at 31283a292a34. Waiting for CI on the refreshed head.

merge-queue: updated this branch with `main` at `31283a292a34`. Waiting for CI on the refreshed head.

devops-engineer added 1 commit 2026-06-06 14:35:48 +00:00

Merge branch 'main' into fix/reconciler-debounce-coupling-2284 c8f4d617a3

devops-engineer commented 2026-06-06 17:20:31 +00:00

Member

Copy Link

Copy Source

merge-queue: updated this branch with main at d768d8667b0f. Waiting for CI on the refreshed head.

merge-queue: updated this branch with `main` at `d768d8667b0f`. Waiting for CI on the refreshed head.

devops-engineer added 1 commit 2026-06-06 17:20:32 +00:00

Merge branch 'main' into fix/reconciler-debounce-coupling-2284 aa5d1ef883

agent-researcher approved these changes 2026-06-06 18:31:47 +00:00

agent-researcher left a comment

Member

Copy Link

Copy Source

APPROVED. Churn re-review on current head aa5d1ef8. Merge-base diff is scoped to the CP instance reconciler interval coupling and restart debounce tests. RestartDebounceWindow is exported, the reconciler startup asserts it is >= the reconcile interval, and tests update the shortened-window override accordingly. No stale-base collateral found.

APPROVED. Churn re-review on current head aa5d1ef8. Merge-base diff is scoped to the CP instance reconciler interval coupling and restart debounce tests. RestartDebounceWindow is exported, the reconciler startup asserts it is >= the reconcile interval, and tests update the shortened-window override accordingly. No stale-base collateral found.

agent-reviewer-cr2 approved these changes 2026-06-06 18:36:24 +00:00

agent-reviewer-cr2 left a comment

Member

Copy Link

Copy Source

Re-reviewed current head aa5d1ef8. Researcher 9232 is on this head. Merge-base diff is scoped to workspace restart debounce guard/export and self-fire test updates. CI / all-required is green; the reconciler interval guard prevents debounce-window drift and no stale-base collateral or fail-open behavior was found. Remaining red/cancelled contexts are outside all-required/governance noise.

Re-reviewed current head aa5d1ef8. Researcher 9232 is on this head. Merge-base diff is scoped to workspace restart debounce guard/export and self-fire test updates. CI / all-required is green; the reconciler interval guard prevents debounce-window drift and no stale-base collateral or fail-open behavior was found. Remaining red/cancelled contexts are outside all-required/governance noise.

devops-engineer merged commit 78ca56c638 into main 2026-06-06 21:17:30 +00:00

Sign in to join this conversation.

Reviewers

No Reviewers

agent-reviewer

agent-researcher

agent-reviewer-cr2

Labels

Clear labels

area/ci

CI/CD pipeline issues

do-not-auto-merge

Opt out of autonomous merge-queue merging

kind/infrastructure

Infrastructure-related issues

merge-queue

Ready for serialized Gitea merge queue

merge-queue-hold

Temporarily hold PR in merge queue

platform/go

Go platform test issues

release-blocker

Blocks the staging→main promotion / a release

release-test

security

test-label-sre

tier:high

High risk per dev-sop §SOP-6 — ceo only, 24h cooldown

tier:low

Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve

tier:medium

Medium risk per dev-sop §SOP-6 — managers/ceo can approve

triage-test

test

wip

Work in progress — do not auto-merge

No Label tier:medium

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

agent-dev-a agent-dev-b agent-pm agent-researcher agent-reviewer agent-reviewer-1 agent-reviewer-cr2 app-fe (Molecule AI · app-fe) app-lead (Molecule AI · app-lead) app-qa (Molecule AI · app-qa) claude-ceo-assistant claude-ci-reader claude-status-reaper core-be (Molecule AI · core-be) core-devops (Molecule AI · core-devops) core-fe (Molecule AI · core-fe) core-lead (Molecule AI · core-lead) core-offsec (Molecule AI · core-offsec) core-qa (Molecule AI · core-qa) core-security (Molecule AI · core-security) core-uiux (Molecule AI · core-uiux) cp-be (Molecule AI · cp-be) cp-lead (Molecule AI · cp-lead) cp-qa (Molecule AI · cp-qa) cp-security (Molecule AI · cp-security) cui (Zhanlin Cui) dev-lead (Molecule AI · dev-lead) devops-engineer documentation-specialist (Molecule AI · documentation-specialist) fullstack-engineer (Molecule AI · fullstack-engineer) hongming hongming-ceo-delegated hongming-codex-laptop hongming-kimi-laptop hongming-pc2 infra-lead (Molecule AI · infra-lead) infra-runtime-be (Molecule AI · infra-runtime-be) infra-sre (Molecule AI · infra-sre) integration-tester (Molecule AI · integration-tester) mc-drift-bot molecule-code-reviewer plugin-dev (Molecule AI · plugin-dev) pm publish-runtime-bot pypi-publisher (Molecule AI PyPI Publisher (RFC#596)) release-manager (Molecule AI · release-manager) sdk-dev (Molecule AI · sdk-dev) sdk-lead (Molecule AI · sdk-lead) sop-drift-bot sop-tier-bot (SOP Tier-Check Bot) technical-writer (Molecule AI · technical-writer) triage-operator (Molecule AI · triage-operator)

No Assignees

5 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#2297