feat: next generation

[chenquan]

Summary by CodeRabbit

• New Features

  • Added exactly-once semantics support with transaction coordination, two-phase commit protocol, write-ahead logging (WAL), and idempotency tracking to prevent duplicate message processing
  • Introduced checkpoint mechanism for fault tolerance, enabling state snapshots and recovery across stream restarts
  • Added Prometheus metrics export via new /metrics HTTP endpoint for monitoring system health and performance
  • Implemented filter processor for conditional message processing

• Documentation

  • Added comprehensive guides for checkpoint implementation, exactly-once semantics, metrics integration, and session recovery
  • Provided YAML configuration examples for new features

• Tests

  • Added extensive integration and end-to-end test coverage for checkpoint lifecycle, transaction workflows, and recovery scenarios

• Chores

  • Updated dependencies to support new subsystems (compression, serialization, caching)
  • Enhanced Docker setup with test infrastructure (Kafka, PostgreSQL, Redis)
  • Improved CI/CD workflows with security and quality checks

[coderabbitai]

Walkthrough

This PR introduces a comprehensive exactly-once semantics implementation for ArkFlow, including a checkpoint mechanism with barrier-based alignment, a two-phase commit transaction coordinator with write-ahead logging, idempotency caching, Prometheus metrics export, and integration across the streaming pipeline. It adds eight workspace dependencies, extends core abstractions (Input, Buffer, Output traits), introduces new checkpoint and transaction subsystems, and includes extensive testing and documentation.

Changes

Cohort / File(s)	Summary
Workspace & Plugin Dependencies Cargo.toml, crates/arkflow-core/Cargo.toml, crates/arkflow-plugin/Cargo.toml	Added workspace dependencies: humantime-serde, once_cell, lru, bincode, chrono (with serde), rmp-serde, zstd, uuid; added crc32fast and uuid to core, fastrand and uuid to plugin.
Checkpoint Core Subsystem crates/arkflow-core/src/checkpoint/*.rs, crates/arkflow-core/src/checkpoint/mod.rs	Implemented complete checkpoint subsystem: barrier coordination (barrier IDs, state tracking, BarrierManager), metadata tracking (CheckpointId, CheckpointStatus, CheckpointMetadata), state serialization (MessagePack + zstd compression), storage backends (LocalFileStorage, CloudStorage placeholder), checkpoint coordinator with interval-based triggering and recovery, events (CheckpointEventType, CheckpointEvent), and committing state (CheckpointProgress, CommittingState) for 2PC commit phase tracking.
Transaction/Exactly-Once Subsystem crates/arkflow-core/src/transaction/*.rs, crates/arkflow-core/src/transaction/mod.rs	Implemented transaction subsystem: TransactionCoordinator with 2PC workflow (begin/prepare/commit/rollback), write-ahead log (FileWal with append/recover/truncate), idempotency cache (LRU-based with TTL and persistence), and transaction types (TransactionId, TransactionState, TransactionRecord).
Metrics Subsystem crates/arkflow-core/src/metrics/definitions.rs, crates/arkflow-core/src/metrics/registry.rs, crates/arkflow-core/src/metrics/mod.rs	Introduced Prometheus metrics: 21 metric definitions (throughput, errors, queues, latencies, Kafka-specific, output, system resource gauges), global registry with lazy initialization, enable/disable toggling, and text-format gathering.
Configuration & Engine Integration crates/arkflow-core/src/config.rs, crates/arkflow-core/src/engine/mod.rs, crates/arkflow-core/src/lib.rs	Extended EngineConfig with MetricsConfig, CheckpointConfig, and ExactlyOnceConfig; added validation logic; integrated checkpoint/transaction coordinators into Engine startup with recovery and per-stream registration; added metrics HTTP endpoint and graceful shutdown.
Stream Integration crates/arkflow-core/src/stream/mod.rs	Added barrier manager and transaction coordinator fields to Stream; implemented checkpoint/restore lifecycle; modified processor workers to handle barrier messages and checkpoint-pause mode; refactored output stage for transactional/idempotent writes with per-message keys; added metrics collection gating.
Trait Extensions crates/arkflow-core/src/input/mod.rs, crates/arkflow-core/src/buffer/mod.rs, crates/arkflow-core/src/output/mod.rs	Extended Input, Buffer, Output traits with checkpoint/transaction methods: Input gains get_position/seek, Buffer gains get_buffered_messages/restore_buffer, Output gains write_idempotent and transactional control methods (begin/prepare/commit/rollback).
Plugin Input Checkpoint Integration crates/arkflow-plugin/src/input/kafka.rs, crates/arkflow-plugin/src/input/file.rs	Implemented checkpoint support: KafkaInput tracks offsets and implements seek; FileInput tracks batches_read and path; both added metrics collection (KAFKA_FETCH_RATE, KAFKA_CONSUMER_LAG, KAFKA_COMMIT_RATE).
Plugin Buffer & Output Transactions crates/arkflow-plugin/src/buffer/memory.rs, crates/arkflow-plugin/src/output/http.rs, crates/arkflow-plugin/src/output/kafka.rs, crates/arkflow-plugin/src/output/sql.rs	MemoryBuffer: added get_buffered_messages/restore_buffer with metrics collection; HttpOutput: added write_idempotent with Idempotency-Key header; KafkaOutput: added transactional mode with begin/commit/rollback, bounded exponential retry, write_idempotent; SqlOutput: added idempotency_key_column config and write_idempotent with dialect-specific UPSERT.
New Filter Processor crates/arkflow-plugin/src/processor/filter.rs, crates/arkflow-plugin/src/processor/mod.rs	Implemented FilterProcessor with configurable conditions (equality, comparisons, containment, null checks), AND/NOT semantics, and row-level masking.
Plugin Refactoring & Cleanup crates/arkflow-plugin/src/buffer/join.rs, crates/arkflow-plugin/src/buffer/window.rs, crates/arkflow-plugin/src/codec/json.rs, crates/arkflow-plugin/src/component/json.rs, crates/arkflow-plugin/src/component/protobuf.rs, crates/arkflow-plugin/src/input/*.rs, crates/arkflow-plugin/src/output/influxdb.rs, crates/arkflow-plugin/src/output/mqtt.rs, crates/arkflow-plugin/src/expr/mod.rs, crates/arkflow-plugin/src/processor/protobuf.rs, crates/arkflow-plugin/src/processor/python.rs, crates/arkflow-plugin/src/processor/sql.rs, crates/arkflow-plugin/src/processor/vrl.rs, crates/arkflow-plugin/src/pulsar/common.rs, crates/arkflow-plugin/src/temporary/redis.rs	Removed unused MessageBatch imports; simplified iterator/closure calls (map closures to function items), error handling, and control flow; introduced shared SessionContext; added Default derive for SubscriptionType; formatting/style improvements.
Integration Tests crates/arkflow-core/tests/exactly_once_test.rs, crates/arkflow-core/tests/exactly_once_integration_test.rs, crates/arkflow-core/tests/checkpoint_recovery_test.rs, crates/arkflow-core/tests/e2e_checkpoint_recovery_test.rs, crates/arkflow-core/tests/performance_test.rs	Added 50+ integration tests covering transaction lifecycle, checkpoint persistence/recovery, barrier alignment, idempotency deduplication, concurrent operations, timeout handling, and performance benchmarks.
Documentation docs/CHECKPOINT_COMPLETE.md, docs/CHECKPOINT_IMPLEMENTATION.md, docs/EXTENDED_METRICS.md, docs/PROMETHEUS_METRICS_IMPLEMENTATION.md, EXACTLY_ONCE.md, EXACTLY_ONCE_IMPROVEMENTS.md, IMPLEMENTATION_SUMMARY.md, SESSION_RECOVERY_IMPLEMENTATION.md, SESSION_WORK_SUMMARY.md, DEVELOPMENT_PLAN.md, P0_STATUS.md, P0_COMPLETION_REPORT.md, E2E_TESTING_SUMMARY.md, ROADMAP.md, TESTING_SUMMARY.md, TEST_COVERAGE_REPORT.md, TEST_COMPLETION_REPORT.md, TEST_IMPROVEMENT_SUMMARY.md, FINAL_SUMMARY.md	Comprehensive documentation covering checkpoint mechanism, exactly-once semantics architecture, metrics implementation, integration points, testing strategy, recovery procedures, session work summaries, roadmaps, and completion reports.
Example Configurations examples/checkpoint_example.yaml, examples/exactly_once_config.yaml, examples/exactly_once_quick_start.yaml, examples/metrics_example.yaml, examples/filter_processor_example.yaml, examples/e2e_exactly_once_test.yaml	Added 6 example YAML configurations demonstrating checkpoint setup, exactly-once end-to-end flow, metrics enablement, filter processor usage, and Kafka transactional pipeline.
Infrastructure & Build docker-compose.test.yml, scripts/init-postgres.sql, docker/Dockerfile, .github/workflows/docker.yml, .github/workflows/rust.yml, .claude/rules/build/build.md, deny.toml, crates/arkflow-core/src/cli/mod.rs, crates/arkflow-core/src/message_batch_tests.rs	Updated Docker image build to multi-architecture with OCI metadata, added PostgreSQL+Kafka test stack, SQL schema for idempotency testing, improved CI/CD workflows (quality, security, test jobs), added security policy (cargo-deny), CLI validate command now performs runtime validation, formatting updates.

Sequence Diagram(s)

sequenceDiagram
    participant Client as Stream
    participant TxnCoord as TransactionCoordinator
    participant WAL as WriteAheadLog
    participant IdempCache as IdempotencyCache
    participant Output as Output
    
    Client->>TxnCoord: begin_transaction([seq])
    TxnCoord->>TxnCoord: allocate TransactionId
    TxnCoord->>TxnCoord: create TransactionRecord (Init)
    TxnCoord->>WAL: append(record)
    TxnCoord-->>Client: TransactionId
    
    Client->>TxnCoord: check_and_mark_idempotency(key)
    TxnCoord->>IdempCache: check_and_mark(key)
    IdempCache-->>TxnCoord: is_duplicate
    TxnCoord-->>Client: is_duplicate
    
    Client->>TxnCoord: prepare_transaction(tx_id)
    TxnCoord->>TxnCoord: transition to Preparing
    TxnCoord->>WAL: append(record)
    TxnCoord->>TxnCoord: transition to Prepared
    TxnCoord->>WAL: append(record)
    TxnCoord-->>Client: Ok(())
    
    Client->>Output: write_idempotent(msg, key)
    Output->>Output: encode & send
    Output-->>Client: Ok(())
    
    Client->>TxnCoord: commit_transaction(tx_id)
    TxnCoord->>TxnCoord: transition to Committing
    TxnCoord->>WAL: append(record)
    TxnCoord->>TxnCoord: transition to Committed
    TxnCoord->>WAL: append(record)
    TxnCoord->>WAL: truncate()
    TxnCoord-->>Client: Ok(())

Loading

sequenceDiagram
    participant Engine
    participant Coord as CheckpointCoordinator
    participant BarrierMgr as BarrierManager
    participant Streams as Processor Workers
    participant Storage as CheckpointStorage
    
    Engine->>Coord: trigger_checkpoint()
    Coord->>BarrierMgr: inject_barrier(checkpoint_id, expected_acks)
    BarrierMgr-->>Coord: Barrier
    
    Coord->>Streams: broadcast barrier
    Streams->>Streams: enter checkpoint mode
    Streams->>Streams: snapshot state
    
    Streams->>BarrierMgr: acknowledge_barrier(barrier_id)
    BarrierMgr->>BarrierMgr: increment ack counter
    
    rect rgba(100, 150, 200, 0.5)
    note over BarrierMgr: All workers acked
    BarrierMgr->>BarrierMgr: mark barrier Completed
    end
    
    Coord->>BarrierMgr: wait_for_barrier(barrier_id)
    BarrierMgr-->>Coord: Ok(())
    
    Coord->>Coord: collect StateSnapshots
    Coord->>Storage: save_checkpoint(id, snapshot)
    Storage-->>Coord: CheckpointMetadata
    
    Coord-->>Engine: CheckpointMetadata
    
    Streams->>Streams: exit checkpoint mode
    Streams->>Streams: resume processing

Loading

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~120 minutes

Possibly related PRs

• arkflow-rs/arkflow#242: Modifies crates/arkflow-core/src/stream/mod.rs for barrier manager integration and transactional stream wiring.
• arkflow-rs/arkflow#461: Extends crates/arkflow-plugin/src/output/sql.rs with idempotency key column support and UPSERT handling.
• arkflow-rs/arkflow#1087: Modifies crates/arkflow-core/src/config.rs to extend configuration structure with checkpoint and exactly-once settings.

Suggested labels

enhancement, feature, exactly-once, checkpoint, observability

Poem

🐰 A rabbit hops through checkpoint gates,
Two phases commit what transaction awaits,
With metrics to watch and logs that align,
Exactly-once semantics, now perfectly fine! 🎉

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/next

[coderabbitai]

Actionable comments posted: 13

Note

Due to the large number of review comments, Critical severity comments were prioritized as inline comments.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

crates/arkflow-plugin/src/output/http.rs (1)

204-205: ⚠️ Potential issue | 🟡 Minor

unwrap() on try_clone() could panic.

request_builder.try_clone() returns None if the request body is a stream that cannot be cloned. While unlikely with Vec<u8> bodies, this unwrap() could cause a runtime panic in edge cases.

🛡️ Proposed defensive handling

-            match request_builder.try_clone().unwrap().send().await {
+            let cloned_request = request_builder.try_clone().ok_or_else(|| {
+                Error::Process("Failed to clone HTTP request for retry".to_string())
+            })?;
+            match cloned_request.send().await {

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-plugin/src/output/http.rs` around lines 204 - 205, The code
currently calls request_builder.try_clone().unwrap() inside the retry loop which
can panic if the request body is a non-cloneable stream; change this to handle
the None case defensively: replace the unwrap with an if let Some(cloned) =
request_builder.try_clone() { cloned.send().await } else { rebuild the request
(or return a controlled error) and avoid retrying a non-cloneable request };
ensure this logic is applied in the loop that uses self.config.retry_count so
you either recreate the RequestBuilder from the original components before each
attempt or return an Err/ log and break when try_clone() returns None.

🟠 Major comments (19)

scripts/init-postgres.sql-10-10 (1)

10-10: ⚠️ Potential issue | 🟠 Major

Make idempotency_key non-null to enforce deduplication.

UNIQUE permits multiple NULL values in PostgreSQL, so rows without a key bypass exactly-once protection.

🔧 Proposed change

-    idempotency_key VARCHAR(100) UNIQUE,
+    idempotency_key VARCHAR(100) NOT NULL UNIQUE,
...
-    idempotency_key VARCHAR(100) UNIQUE,
+    idempotency_key VARCHAR(100) NOT NULL UNIQUE,

Also applies to: 36-36

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/init-postgres.sql` at line 10, The idempotency_key column is
currently declared UNIQUE but allows NULLs (which bypasses deduplication);
update the schema so idempotency_key is declared NOT NULL (e.g., change
idempotency_key VARCHAR(100) UNIQUE to include NOT NULL) for both occurrences
(the idempotency_key column at the two spots referenced) and ensure any
migration or seed that introduces this change handles existing NULL values
before applying NOT NULL.

crates/arkflow-plugin/src/output/mqtt.rs-168-171 (1)

168-171: ⚠️ Potential issue | 🟠 Major

Avoid logging full payload content at INFO level.

This can leak message data and generate excessive logs on a hot write path.

🔧 Proposed change

-        for (i, payload) in payloads.into_iter().enumerate() {
-            info!(
-                "Send message: {}",
-                &String::from_utf8_lossy(payload.as_ref())
-            );
-
-            if let Some(topic_str) = topic.get(i) {
+        for (i, payload) in payloads.into_iter().enumerate() {
+            if let Some(topic_str) = topic.get(i) {
+                info!("Send message to topic={}, bytes={}", topic_str, payload.len());
                 // Post a message
                 client
                     .publish(topic_str, qos_level, retain, payload)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-plugin/src/output/mqtt.rs` around lines 168 - 171, The info!
log call currently prints the entire message payload via
String::from_utf8_lossy(payload.as_ref()), which can leak data and flood logs;
change this to avoid logging full content by replacing the info! invocation in
this module (the info! call that references payload and String::from_utf8_lossy)
with a safer log—e.g. lower to debug! or trace! and emit only metadata such as
payload.len(), a truncated prefix (first N bytes/chars), or a non-reversible
fingerprint (hash) instead of the full payload content.

tests/e2e/configs/kafka-to-kafka-simple.yaml-18-26 (1)

18-26: ⚠️ Potential issue | 🟠 Major

Add required error_output and buffer sections to stream config.

Current stream config omits two required sections from the project YAML schema (error_output, buffer), which can break consistency across e2e configs and loaders.

As per coding guidelines, "**/*.yaml: Use YAML for hierarchical configuration with structure: logging, streams (containing input, pipeline, output, error_output, buffer)."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/e2e/configs/kafka-to-kafka-simple.yaml` around lines 18 - 26, The
stream config is missing the required error_output and buffer sections; update
the YAML under the same stream stanza that contains pipeline and output to add
an error_output block (matching the expected schema, e.g., include type and any
broker/topic settings consistent with output) and a buffer block (with the
required buffer type/settings per project schema) so the overall structure
contains pipeline, output, error_output, and buffer; ensure the new sections
follow the same nesting/field names as pipeline/output (e.g., error_output.type,
error_output.brokers, error_output.topic and buffer.type, buffer.[required
fields]) to keep e2e configs consistent with loaders.

crates/arkflow-core/Cargo.toml-39-39 (1)

39-39: ⚠️ Potential issue | 🟠 Major

Add num_cpus to workspace dependencies and use workspace reference.

The member crate directly pins num_cpus = "1.17.0" instead of using centralized workspace dependency management. Update the root Cargo.toml to define the dependency in [workspace.dependencies], then reference it via workspace = true in this crate.

Suggested fix

In Cargo.toml (root):

[workspace.dependencies]
tokio = { version = "1", features = ["full"] }
tokio-util = "0.7.18"
async-trait = "0.1"
futures = "0.3"
futures-util = "0.3"
+num_cpus = "1.17.0"

In crates/arkflow-core/Cargo.toml:

-num_cpus = "1.17.0"
+num_cpus = { workspace = true }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/Cargo.toml` at line 39, The crate currently pins num_cpus
= "1.17.0" directly in crates/arkflow-core/Cargo.toml; instead add num_cpus =
"1.17.0" under [workspace.dependencies] in the root Cargo.toml and change the
dependency in crates/arkflow-core/Cargo.toml to reference the workspace (i.e.,
replace the version pin with workspace = true for the num_cpus dependency).
Update the dependency entry name exactly as "num_cpus" so functions/uses
importing num_cpus continue to resolve.

tests/e2e/configs/kafka-to-http.yaml-26-29 (1)

26-29: ⚠️ Potential issue | 🟠 Major

Avoid reusing 9092 for metrics.

This config also points Kafka at localhost:9092, so if ArkFlow is run the same way the other localhost endpoints imply, the metrics listener will collide with the broker. Use a different local port here.

Suggested change

 metrics:
   enabled: true
-  address: "0.0.0.0:9092"
+  address: "0.0.0.0:9093"
   endpoint: "/metrics"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/e2e/configs/kafka-to-http.yaml` around lines 26 - 29, The metrics
listener in the test config reuses Kafka's default port (address:
"0.0.0.0:9092"), which will collide with the Kafka broker; update the
metrics.address value under the metrics block to a different unused local port
(for example "0.0.0.0:9100" or "0.0.0.0:9093") so the metrics endpoint
(metrics.endpoint) does not conflict with the Kafka broker while keeping
metrics.enabled set to true.

crates/arkflow-plugin/src/input/file.rs-499-547 (1)

499-547: ⚠️ Potential issue | 🟠 Major

Don't report resumable checkpoints for file inputs yet.

get_position() stores only a batch count, and seek() explicitly cannot restore that position but still returns Ok(()). After a restart the engine will treat recovery as successful and reread from the beginning, which breaks checkpoint/exactly-once semantics for file sources. Please either return None / an unsupported error until a real byte- or row-level cursor exists, or implement a stable resume position.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-plugin/src/input/file.rs` around lines 499 - 547, Change File
input to not advertise resumable checkpoints: in get_position() (function name
get_position) stop returning Some(InputState::File { .. }) based on
batches_read/completed and always return Ok(None) unless you implement a real
byte/row cursor; and in seek() (function name seek) treat InputState::File as
unsupported by returning an Err(Error::Process(...)) instead of logging and
returning Ok(()), so the engine won't consider file checkpoint restoration
successful.

EXACTLY_ONCE.md-47-71 (1)

47-71: ⚠️ Potential issue | 🟠 Major

Align this config example with the shipped config shape.

The checked-in examples in this PR use exactly_once.transaction_coordinator.timeout, exactly_once.wal.path/max_size, and exactly_once.idempotency.capacity/persistence_path, but this block still documents transaction.wal.wal_dir, max_file_size, cache_size, persist_path, and transaction_timeout. As written, readers will copy a config that does not match the feature examples shipping in the same PR.

Suggested doc shape

 exactly_once:
   enabled: true
-
-  transaction:
-    wal:
-      wal_dir: "/var/lib/arkflow/wal"
-      max_file_size: 1073741824  # 1GB
-      sync_on_write: true
-      compression: true
-
-    idempotency:
-      cache_size: 100000
-      ttl: 86400s  # 24 hours
-      persist_path: "/var/lib/arkflow/idempotency.json"
-      persist_interval: 60s
-
-    transaction_timeout: 30s
+  transaction_coordinator:
+    timeout: 30s
+  wal:
+    path: "/var/lib/arkflow/wal"
+    max_size: 1073741824  # 1GB
+    sync_on_write: true
+    compression: true
+  idempotency:
+    capacity: 100000
+    ttl: 86400s  # 24 hours
+    persistence_path: "/var/lib/arkflow/idempotency.json"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@EXACTLY_ONCE.md` around lines 47 - 71, The documented config block uses
outdated keys (exactly_once.transaction.wal.wal_dir, max_file_size,
idempotency.cache_size, persist_path, transaction_timeout); update the example
to match the shipped config shape by replacing those fields with the actual keys
used in code: exactly_once.transaction_coordinator.timeout,
exactly_once.wal.path, exactly_once.wal.max_size (or wal.max_size), and
exactly_once.idempotency.capacity and exactly_once.idempotency.persistence_path
(and any persistence/persist_interval equivalents), ensuring the example layout
and names exactly match the symbols used by the runtime (e.g.,
transaction_coordinator.timeout, wal.path/max_size,
idempotency.capacity/persistence_path).

tests/e2e/configs/crash-recovery.yaml-10-21 (1)

10-21: ⚠️ Potential issue | 🟠 Major

Configuration schema mismatch across test YAML files.

The exactly_once configuration in crash-recovery.yaml uses a different schema than other test configs:

• Uses transaction: instead of transaction_coordinator:
• WAL: wal_dir and max_file_size (vs. path and max_size in other configs)
• Idempotency: cache_size and persist_path (vs. capacity and persistence_path in other configs)
• Includes extra fields: persist_interval, transaction_timeout

Align the schema with the pattern used in kafka-to-postgres.yaml, kafka-to-http.yaml, and kafka-to-kafka.yaml.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/e2e/configs/crash-recovery.yaml` around lines 10 - 21, Replace the
differing schema in crash-recovery.yaml to match the other test configs: rename
the top-level transaction block to transaction_coordinator, change wal.wal_dir
-> wal.path and wal.max_file_size -> wal.max_size, change idempotency.cache_size
-> idempotency.capacity and idempotency.persist_path ->
idempotency.persistence_path, keep idempotency.ttl but remove nonstandard fields
persist_interval and transaction_timeout so the keys match
kafka-to-postgres.yaml / kafka-to-http.yaml / kafka-to-kafka.yaml.

crates/arkflow-plugin/src/output/http.rs-113-128 (1)

113-128: ⚠️ Potential issue | 🟠 Major

Same idempotency key used for all payloads in a batch may cause issues.

When a MessageBatchRef contains multiple rows, write_idempotent uses the same idempotency_key for each HTTP request (line 125). Many idempotency implementations (e.g., Stripe, payment gateways) will reject or deduplicate subsequent requests with the same key, potentially causing data loss.

Consider appending an index or row identifier to make each key unique:

🐛 Proposed fix

     async fn write_idempotent(
         &self,
         msg: MessageBatchRef,
         idempotency_key: &str,
     ) -> Result<(), Error> {
         // Apply codec encoding if configured
         let payloads = crate::output::codec_helper::apply_codec_encode(&msg, &self.codec)?;
         if payloads.is_empty() {
             return Ok(());
         }

-        for x in payloads {
-            self.send(&x, Some(idempotency_key)).await?
+        for (idx, x) in payloads.iter().enumerate() {
+            let unique_key = format!("{}-{}", idempotency_key, idx);
+            self.send(x, Some(&unique_key)).await?
         }
         Ok(())
     }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-plugin/src/output/http.rs` around lines 113 - 128,
write_idempotent currently reuses the same idempotency_key for every payload in
payloads, causing upstream deduplication or rejection; modify write_idempotent
(and its call to self.send) to derive a unique, deterministic key per payload
(e.g., append the payload index or a row-specific identifier from
MessageBatchRef) such as "#{idempotency_key}-{index}" or
"#{idempotency_key}-{row_id}" when iterating over payloads, and pass that unique
key to self.send(&x, Some(&unique_key)). Ensure the derivation is stable and
collision-free for the batch.

crates/arkflow-plugin/src/input/kafka.rs-284-305 (1)

284-305: ⚠️ Potential issue | 🟠 Major

Multi-topic consumers will lose checkpoint data for topics beyond the first.

get_position() only saves the first topic from self.config.topics, but current_offsets may contain partitions from multiple topics. This will cause incorrect checkpoint recovery when consuming from multiple topics.

🔧 Consider supporting multi-topic checkpointing

The InputState::Kafka variant may need to support multiple topics, or the offsets map should include topic information as part of the key:

-        // Use the first topic from config for checkpoint
-        let topic = self
-            .config
-            .topics
-            .first()
-            .ok_or_else(|| Error::Config("No topics configured".to_string()))?;
+        // For multi-topic consumers, this needs enhancement
+        if self.config.topics.len() > 1 {
+            tracing::warn!(
+                "Checkpoint only supports single-topic consumers; {} topics configured",
+                self.config.topics.len()
+            );
+        }
+        let topic = self
+            .config
+            .topics
+            .first()
+            .ok_or_else(|| Error::Config("No topics configured".to_string()))?;

A proper fix would require changing InputState::Kafka to hold a HashMap<String, HashMap<i32, i64>> (topic → partition → offset).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-plugin/src/input/kafka.rs` around lines 284 - 305,
get_position currently only writes the first topic from self.config.topics into
InputState::Kafka which loses offsets for other topics present in
self.current_offsets; update get_position to include topic information for all
stored offsets (e.g. build a HashMap<String, HashMap<i32,i64>> keyed by topic
from self.current_offsets) and modify the produced InputState::Kafka payload to
use that multi-topic map (this will require updating the InputState::Kafka
variant and any code that reads it to accept a topic→partition→offset structure
instead of a single topic string).

crates/arkflow-core/src/engine/mod.rs-331-335 (1)

331-335: ⚠️ Potential issue | 🟠 Major

Continuing after WAL recovery failure may violate exactly-once guarantees.

If WAL recovery fails, incomplete transactions from before a crash will not be recovered, potentially causing data loss or duplicate processing. Consider whether this should be a fatal error when exactly_once.enabled is true, rather than silently continuing.

🔧 Suggested stricter handling

                         Err(e) => {
                             error!("Failed to recover from WAL: {}", e);
-                            error!("Continuing without recovery...");
+                            // WAL recovery failure compromises exactly-once guarantees
+                            return Err(Box::new(e));
                         }

Alternatively, if continuing is intentional, consider making it configurable or at least logging at warn! level to indicate this is degraded operation.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/src/engine/mod.rs` around lines 331 - 335, The current
WAL recovery error handler just logs and continues, which can break exactly-once
semantics; update the Err(e) branch where WAL recovery is handled to check the
configuration flag exactly_once.enabled and, if true, propagate the error
(return Err(e) or otherwise make startup/failure fatal) instead of continuing,
otherwise log a degraded-state message (use warn! and include the error details)
or make this behavior configurable; ensure you reference the same WAL recovery
block and the exactly_once.enabled flag when implementing the change so failures
either abort when exactly-once is required or explicitly warn when falling back
to degraded operation.

crates/arkflow-plugin/src/output/sql.rs-362-364 (1)

362-364: ⚠️ Potential issue | 🟠 Major

Column position assumption may cause data mismatch.

If idempotency_key_column already exists in the schema (from a previous batch or table definition), the code doesn't add it to columns, but still appends SqlValue::String(key) to each row. This causes a column count mismatch.

🐛 Proposed fix: track whether column was added

-            // Add the idempotency key column if it's not already in the schema
-            if !columns.contains(key_col) {
-                columns.push(key_col.clone());
-            }
+            // Add the idempotency key column - must always be appended for batch construction
+            // The column should NOT be in the Arrow schema (it's added by us, not from data)
+            columns.push(key_col.clone());

Or alternatively, check if it exists and find its position to update the correct column index instead of always appending.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-plugin/src/output/sql.rs` around lines 362 - 364, The code
currently unconditionally appends SqlValue::String(key) to each row while only
pushing idempotency_key_column into columns when missing, causing column
count/position mismatches; modify the logic around idempotency_key_column to
detect whether the column was newly added (e.g., record a bool when doing
columns.push(key_col.clone())) and when building each row either append the key
only if the column was added, or if it already existed find its index in columns
(using columns.iter().position or similar) and overwrite the corresponding entry
in the row instead of appending; update the code paths that construct rows
(where SqlValue::String(key) is pushed) to use this presence/position-aware
behavior so column counts and positions remain consistent.

crates/arkflow-core/tests/exactly_once_test.rs-115-132 (1)

115-132: ⚠️ Potential issue | 🟠 Major

TempDir dropped immediately, directory may be deleted before use.

The TempDir::new().unwrap() at line 117 is created inline and immediately dropped after .path().join("wal").to_string_lossy().to_string() completes. The temporary directory may be deleted before the coordinator uses it.

🐛 Proposed fix: keep TempDir alive

 #[tokio::test]
 async fn test_idempotency_duplicate_detection() {
     let temp_dir = TempDir::new().unwrap();
     let persist_path = temp_dir.path().join("idempotency.json");
+    let wal_temp_dir = TempDir::new().unwrap();
+    let wal_path = wal_temp_dir.path().join("wal");

     let config = TransactionCoordinatorConfig {
         wal: WalConfig {
-            wal_dir: TempDir::new()
-                .unwrap()
-                .path()
-                .join("wal")
-                .to_string_lossy()
-                .to_string(),
+            wal_dir: wal_path.to_string_lossy().to_string(),
             ..Default::default()
         },
         idempotency: IdempotencyConfig {

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/tests/exactly_once_test.rs` around lines 115 - 132, The
TempDir created inline for WalConfig.wal_dir is dropped immediately, risking
deletion before the coordinator uses it; create a TempDir binding (e.g., let
wal_temp = TempDir::new().unwrap()) and use
wal_temp.path().join("wal").to_string_lossy().to_string() for
TransactionCoordinatorConfig.WalConfig.wal_dir, keeping wal_temp in scope for
the lifetime of the test (i.e., not dropping it until after
TransactionCoordinator::new and any coordinator use) so the directory remains
present.

crates/arkflow-core/tests/exactly_once_test.rs-324-339 (1)

324-339: ⚠️ Potential issue | 🟠 Major

Same TempDir lifetime issue in test_idempotency_persistence.

The inline TempDir::new().unwrap() at line 326 is dropped immediately, potentially deleting the WAL directory before use.

🐛 Proposed fix

 #[tokio::test]
 async fn test_idempotency_persistence() {
     let temp_dir = TempDir::new().unwrap();
     let persist_path = temp_dir.path().join("idempotency.json");
+    let wal_temp_dir = TempDir::new().unwrap();
+    let wal_path = wal_temp_dir.path().join("wal");

     let config = TransactionCoordinatorConfig {
         wal: WalConfig {
-            wal_dir: TempDir::new()
-                .unwrap()
-                .path()
-                .join("wal")
-                .to_string_lossy()
-                .to_string(),
+            wal_dir: wal_path.to_string_lossy().to_string(),
             ..Default::default()
         },

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/tests/exactly_once_test.rs` around lines 324 - 339, The
inline TempDir::new().unwrap() used to build wal_dir in
TransactionCoordinatorConfig causes the temporary directory to be dropped
immediately; fix by creating a named TempDir variable (e.g., let wal_tmp =
TempDir::new().unwrap();) before constructing the TransactionCoordinatorConfig
and use wal_tmp.path().join("wal").to_string_lossy().to_string() for
WalConfig.wal_dir so the TempDir (wal_tmp) remains in scope for the duration of
the test (e.g., test_idempotency_persistence) and the WAL directory is not
deleted prematurely.

tests/e2e/run-e2e-tests.sh-275-288 (1)

275-288: ⚠️ Potential issue | 🟠 Major

trap cleanup EXIT conflicts with interactive cleanup prompt.

The trap at line 287 will always execute cleanup on script exit, making the user prompt at lines 275-283 ineffective—cleanup will run regardless of user choice.

🐛 Proposed fix: remove trap or make cleanup conditional

-# 捕获Ctrl+C
-trap cleanup EXIT
+# 捕获Ctrl+C (only during test execution, not at the end)
+trap 'cleanup; exit 1' INT TERM

 # 运行主流程
 main

Or remove the trap entirely and rely on the interactive prompt for cleanup.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/e2e/run-e2e-tests.sh` around lines 275 - 288, The trap `trap cleanup
EXIT` unconditionally runs cleanup and overrides the interactive prompt using
`read -p`/`$REPLY`; change this by making cleanup conditional: introduce a flag
(e.g., SKIP_CLEANUP) defaulting to false, set SKIP_CLEANUP=true when the user
answers "n" in the prompt, and replace the direct `trap cleanup EXIT` with a
trap handler that checks the flag and only calls the `cleanup` function when
SKIP_CLEANUP is not set (or alternatively remove the trap if you want solely
interactive cleanup); reference the `cleanup` function, the `trap cleanup EXIT`
invocation, the `read -p` prompt and `$REPLY` variable when implementing the
change.

crates/arkflow-core/src/checkpoint/coordinator.rs-380-410 (1)

380-410: ⚠️ Potential issue | 🟠 Major

Advance next_checkpoint_id after restore.

new() resets the counter to 1, and restore_from_checkpoint() doesn't bump it after loading an existing checkpoint. The next checkpoint after restart can reuse an old ID and overwrite or confuse retention bookkeeping.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/src/checkpoint/coordinator.rs` around lines 380 - 410,
restore_from_checkpoint currently loads an existing checkpoint but does not
advance the in-memory checkpoint counter, so after new() initializes the counter
(to 1) the next_checkpoint_id() may return an ID that collides with the restored
checkpoint; after successfully loading a snapshot in restore_from_checkpoint()
(the block that sets snapshot from self.storage.load_checkpoint) increment the
atomic counter backing self.next_checkpoint_id (the same counter read/written by
async fn next_checkpoint_id) to a value higher than the restored checkpoint ID
so future calls to next_checkpoint_id() produce unique, monotonically increasing
IDs (use the write lock on self.next_checkpoint_id to compare-and-set or set to
restored_id + 1).

crates/arkflow-core/src/checkpoint/state.rs-196-200 (1)

196-200: ⚠️ Potential issue | 🟠 Major

Make the decompression ceiling configurable.

BufferState can inline serialized messages, so writing a checkpoint can succeed and later recovery can fail once the uncompressed snapshot grows past 100 MiB. This limit needs to come from config or recorded snapshot size instead of a hard-coded constant.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/src/checkpoint/state.rs` around lines 196 - 200, The
decompression ceiling inside BufferState::decompress is hard-coded to
MAX_DECOMPRESSED_SIZE (100 MiB) which can cause recovery to fail for larger
inlined snapshots; change the function to accept a configurable max size (e.g.,
a parameter or a field on BufferState/CheckpointConfig) and pass that value into
zstd::bulk::decompress instead of the constant, or derive the limit from the
recorded snapshot metadata (recorded snapshot size) when available; update all
callers of decompress to supply the configured or recorded size and remove the
fixed MAX_DECOMPRESSED_SIZE constant.

crates/arkflow-core/src/checkpoint/coordinator.rs-170-177 (1)

170-177: ⚠️ Potential issue | 🟠 Major

Honor CheckpointConfig.enabled in new().

enabled is initialized to true unconditionally, so a config with enabled: false still starts checkpointing.

Suggested fix

-            enabled: Arc::new(RwLock::new(true)),
+            enabled: Arc::new(RwLock::new(config.enabled)),

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/src/checkpoint/coordinator.rs` around lines 170 - 177,
The constructor new() for the coordinator ignores CheckpointConfig.enabled and
always sets enabled to true; update the initialization of the enabled field in
Coordinator::new (the Arc<RwLock<bool>> named enabled) to use config.enabled
instead of hardcoding true so the coordinator honors the
CheckpointConfig.enabled flag (ensure you reference the config parameter and
wrap its bool value into the existing Arc::new(RwLock::new(...)) used for
enabled).

crates/arkflow-core/src/checkpoint/state.rs-146-200 (1)

146-200: ⚠️ Potential issue | 🟠 Major

Return a typed error here instead of panicking/stringifying failures.

with_compression() aborts on invalid input, and the serialize/deserialize path collapses incompatibility, corruption, and decompression failures into String. That turns bad config into a crash and makes restore failures hard to handle upstream. As per coding guidelines, Use thiserror for structured error types and anyhow for error context propagation through the pipeline.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/src/checkpoint/state.rs` around lines 146 - 200, Create a
typed error enum (e.g., CheckpointError) derived from thiserror::Error with
variants for InvalidCompressionLevel, Serialization(anyhow::Error),
Deserialization(anyhow::Error), IncompatibleVersion { got: u32, expected: u32 },
Compression(anyhow::Error) and Decompression(anyhow::Error); change
with_compression to return Result<Self, CheckpointError> and validate the level
returning CheckpointError::InvalidCompressionLevel instead of assert!, and
change serialize/deserialize/compress/decompress to return Result<...,
CheckpointError> mapping underlying rmp_serde/zstd errors into the corresponding
CheckpointError variants (wrapping errors with anyhow::Error::from /
anyhow::Context where useful) and return IncompatibleVersion when
state.is_compatible() fails (use STATE_VERSION and state.version in the
variant). Ensure signatures reference the same types (e.g., StateSnapshot) so
callers can propagate errors with anyhow at higher layers.

🟡 Minor comments (20)

scripts/init-postgres.sql-28-29 (1)

28-29: ⚠️ Potential issue | 🟡 Minor

Trigger creation is not repeat-safe.

CREATE TRIGGER will error on reruns if update_orders_updated_at already exists.

🔧 Proposed change

+DROP TRIGGER IF EXISTS update_orders_updated_at ON orders;
 CREATE TRIGGER update_orders_updated_at BEFORE UPDATE ON orders
 FOR EACH ROW EXECUTE FUNCTION update_updated_at_column();

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/init-postgres.sql` around lines 28 - 29, The CREATE TRIGGER for
update_orders_updated_at is not idempotent and will fail on reruns; make the
migration repeat-safe by ensuring the old trigger is removed first (use DROP
TRIGGER IF EXISTS for update_orders_updated_at on the orders table) before
creating it, so that the create statement referencing update_updated_at_column()
can run without error on repeated executions.

tests/e2e/README.md-80-83 (1)

80-83: ⚠️ Potential issue | 🟡 Minor

Manual step intent and command are mismatched.

Line 80 says “生成测试数据”, but the command is python verify_e2e.py, which reads like validation. Either switch to the data generator script or relabel the step to verification.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/e2e/README.md` around lines 80 - 83, The README step label and command
are inconsistent: the text says “生成测试数据” but runs verify_e2e.py (a verification
script). Update the step so the intent matches the command by either changing
the command to the data generator (e.g., run the actual generator script instead
of verify_e2e.py) or change the description to “验证测试数据/验证测试案例” to reflect
verify_e2e.py; reference the verify_e2e.py filename in the README to locate and
correct the mismatch.

tests/e2e/TEST_RESULTS.md-7-8 (1)

7-8: ⚠️ Potential issue | 🟡 Minor

Top-level test status overstates Exactly-Once verification.

Line 7 says core validation passed, but Line 68 explicitly states the Exactly-Once test was skipped due to WAL permission errors. Please make the headline status explicit about partial completion.

Also applies to: 68-74

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/e2e/TEST_RESULTS.md` around lines 7 - 8, Update the top-level test
status in TEST_RESULTS.md to reflect partial completion instead of a full pass:
change the headline line that currently reads "核心功能验证: 通过 ✓" to indicate "部分通过"
(or "部分完成") and append a short note that the Exactly-Once test was skipped due
to WAL permission errors; also update the corresponding Exactly-Once section
(the block currently describing the skipped test around the skipped-test
message) to clearly state the skip reason and link it to the headline note so
readers see the partial status and the WAL permission cause at a glance.

DEVELOPMENT_PLAN.md-279-280 (1)

279-280: ⚠️ Potential issue | 🟡 Minor

Fix branch baseline metadata to match this PR context.

Line 279 currently says there is no main baseline, but this PR targets main (PR #1161, opened on March 28, 2026). This can confuse reviewers and release tracking.

Suggested doc fix

-**基准分支**: `feat/next` (无特定main分支)
+**基准分支**: `main`

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@DEVELOPMENT_PLAN.md` around lines 279 - 280, Update the baseline metadata
line that currently reads "**基准分支**: `feat/next` (无特定main分支)" to reflect that
this PR targets main: change it to something like "**基准分支**: `main` (PR `#1161`
opened 2026-03-28)" so reviewers and release tracking are accurate; locate and
edit the exact string in DEVELOPMENT_PLAN.md to replace the old baseline text
with the new `main`-targeted text.

tests/e2e/TESTING_GUIDE.md-329-332 (1)

329-332: ⚠️ Potential issue | 🟡 Minor

Fix broken relative links in related docs section.

From tests/e2e/TESTING_GUIDE.md, links like tests/e2e/README.md resolve incorrectly. They should be relative to this file’s directory.

Suggested link fixes

-- [端到端测试 README](tests/e2e/README.md)
-- [测试总结](tests/e2e/TEST_SUMMARY.md)
-- [Exactly-Once 语义](EXACTLY_ONCE.md)
-- [开发计划](DEVELOPMENT_PLAN.md)
+- [端到端测试 README](README.md)
+- [测试总结](TEST_RESULTS.md)
+- [Exactly-Once 语义](../../EXACTLY_ONCE.md)
+- [开发计划](../../DEVELOPMENT_PLAN.md)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/e2e/TESTING_GUIDE.md` around lines 329 - 332, Update the broken
relative links in TESTING_GUIDE.md so they resolve relative to tests/e2e/:
replace references to "tests/e2e/README.md" and "tests/e2e/TEST_SUMMARY.md" with
"./README.md" and "./TEST_SUMMARY.md" respectively, and change "EXACTLY_ONCE.md"
and "DEVELOPMENT_PLAN.md" to point up one level as "../EXACTLY_ONCE.md" and
"../DEVELOPMENT_PLAN.md" so the links are correct from the
tests/e2e/TESTING_GUIDE.md location.

E2E_TESTING_SUMMARY.md-3-8 (1)

3-8: ⚠️ Potential issue | 🟡 Minor

Bring the report metadata in sync with the actual E2E state.

The header still says this was completed on January 28, 2025, and the footer says E2E passed / next step is to open a PR, but the body still marks exactly-once validation as pending because of the WAL permission blocker. Please downgrade the conclusion until that blocker is resolved.

Also applies to: 170-176, 251-282

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@E2E_TESTING_SUMMARY.md` around lines 3 - 8, Update the report metadata so it
matches the actual E2E state: change the "## 📅 完成日期" header (currently
"2025-01-28") to reflect that the run is not fully complete (e.g., remove the
completion date or mark as "in progress"/"blocked"), downgrade the overall E2E
status lines (the "端到端测试" / conclusion and any "E2E passed / next step is to
open a PR" footer) to indicate the run is blocked by the WAL permission issue,
and explicitly mark the "exactly-once validation" item as pending/blocked due to
the WAL permission blocker; update the summary/conclusion sentences accordingly
so date, overall status, footer, and the body (the exactly-once validation note
referencing "WAL permission blocker") are consistent.

docs/CHECKPOINT_COMPLETE.md-428-433 (1)

428-433: ⚠️ Potential issue | 🟡 Minor

Refresh the pending-P0 section.

This block still lists exactly-once, 2PC, idempotency cache, transaction coordinator, and WAL as future work, but those pieces are part of the current PR. Merging this as-is will make the shipped feature set look incomplete.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/CHECKPOINT_COMPLETE.md` around lines 428 - 433, The pending-P0 checklist
incorrectly lists features already implemented in this PR; update
docs/CHECKPOINT_COMPLETE.md by removing or moving the entries "Exactly-Once 语义",
"两阶段提交 (2PC)", "幂等性缓存", "事务协调器", and "WAL (预写日志)" out of the "待实施的 P0 功能" block
and into the completed/shipped features section (or mark them as implemented) so
the shipped feature set accurately reflects this PR.

tests/e2e/configs/kafka-to-postgres.yaml-62-62 (1)

62-62: ⚠️ Potential issue | 🟡 Minor

Hardcoded credentials in test configuration.

The DSN contains plaintext credentials (arkflow:arkflow123). While acceptable for local test configurations, consider using environment variable substitution if the test framework supports it, to establish better practices.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/e2e/configs/kafka-to-postgres.yaml` at line 62, The test config
currently hardcodes DB credentials in the dsn key (dsn:
"postgres://arkflow:arkflow123@localhost:5432/arkflow_test"); replace this with
environment-variable substitution so credentials are not stored in plaintext
(e.g., reference a single POSTGRES_DSN or compose from POSTGRES_USER,
POSTGRES_PASSWORD, POSTGRES_HOST, POSTGRES_PORT, POSTGRES_DB) and update any
test runner or CI setup to provide those env vars when running the e2e tests;
keep the config key name dsn but use the env-backed value instead of the literal
string.

docker-compose.test.yml-22-24 (1)

22-24: ⚠️ Potential issue | 🟡 Minor

Port 9093 is exposed but has no corresponding Kafka listener.

Port 9093 is mapped to the host, but KAFKA_ADVERTISED_LISTENERS only defines PLAINTEXT://kafka:29092 and PLAINTEXT_HOST://localhost:9092. The exposed port appears unused and may cause confusion.

🔧 Proposed fix: Remove unused port or add listener

If the port is not needed:

     ports:
       - "9092:9092"
-      - "9093:9093"

Or if a second listener is intended, add to environment:

KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: PLAINTEXT:PLAINTEXT,PLAINTEXT_HOST:PLAINTEXT,EXTERNAL:PLAINTEXT
KAFKA_ADVERTISED_LISTENERS: PLAINTEXT://kafka:29092,PLAINTEXT_HOST://localhost:9092,EXTERNAL://localhost:9093

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docker-compose.test.yml` around lines 22 - 24, docker-compose exposes host
port 9093 but there is no matching Kafka listener in KAFKA_ADVERTISED_LISTENERS,
causing an unused mapping; either remove the "9093:9093" entry under ports or
add a corresponding listener by updating environment variables (e.g., add
EXTERNAL to KAFKA_LISTENER_SECURITY_PROTOCOL_MAP and include
EXTERNAL://localhost:9093 in KAFKA_ADVERTISED_LISTENERS) so the exposed port
maps to a real Kafka listener.

examples/exactly_once_config.yaml-129-131 (1)

129-131: ⚠️ Potential issue | 🟡 Minor

Avoid plaintext credentials in example configurations.

The PostgreSQL connection string contains a plaintext password (user:password). Even in examples, this can lead to copy-paste mistakes in production. Consider using an environment variable placeholder or a placeholder that clearly indicates substitution is required.

Proposed fix

       output_type:
         type: "postgres"
-        uri: "postgresql://user:password@localhost:5432/mydb"
+        uri: "postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@localhost:5432/mydb"
+        # Or use: "postgresql://user:YOUR_PASSWORD_HERE@localhost:5432/mydb"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@examples/exactly_once_config.yaml` around lines 129 - 131, The example YAML
contains a plaintext password in the PostgreSQL URI (the uri field with value
"postgresql://user:password@localhost:5432/mydb"); change this to use a
placeholder or environment-variable reference instead (e.g.,
"postgresql://user:${PG_PASSWORD}@localhost:5432/mydb" or
"postgresql://user:<PASSWORD>@localhost:5432/mydb") and update any accompanying
comments to note that the password must be substituted or supplied from the
environment; ensure the type and table_name fields (type: "postgres",
table_name: "events") remain unchanged.

docs/EXTENDED_METRICS.md-199-205 (1)

199-205: ⚠️ Potential issue | 🟡 Minor

Invalid PromQL alert syntax in example.

The alert(HighBufferUtilization) { ... } syntax is not valid PromQL. Alerting rules in Prometheus are defined in YAML configuration files, not in PromQL queries. Consider correcting the example to show proper Alertmanager rule syntax.

Proposed fix with correct Prometheus alerting rule syntax

-```promql
-# Buffer Utilization Alert
-alert(HighBufferUtilization) {
-  expr: arkflow_buffer_utilization > 80
-  for: 5m
-  labels:
-    severity: warning
-}
+```yaml
+# Buffer Utilization Alert (Prometheus alerting rule)
+groups:
+  - name: arkflow
+    rules:
+      - alert: HighBufferUtilization
+        expr: arkflow_buffer_utilization > 80
+        for: 5m
+        labels:
+          severity: warning

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/EXTENDED_METRICS.md` around lines 199 - 205, Replace the invalid
PromQL-style snippet using alert(HighBufferUtilization) with a proper Prometheus
alerting rule in YAML: create a groups block with a group (e.g., name: arkflow)
containing rules, and add a rule with alert: HighBufferUtilization, expr:
arkflow_buffer_utilization > 80, for: 5m and labels: severity: warning; update
the example to show this YAML structure instead of the alert(...) construct and
ensure the metric name arkflow_buffer_utilization is used verbatim in the expr.

crates/arkflow-plugin/src/output/kafka.rs-411-416 (1)

411-416: ⚠️ Potential issue | 🟡 Minor

Transaction ID generation may produce collisions under high load.

Using SystemTime::now().as_nanos() as u64 for transaction IDs risks collisions when multiple transactions start within the same nanosecond, or due to clock adjustments. Consider using uuid::Uuid::new_v4() or an atomic counter combined with a timestamp for uniqueness.

Proposed fix using UUID

-        let tx_id = std::time::SystemTime::now()
-            .duration_since(std::time::UNIX_EPOCH)
-            .map_err(|e| Error::Process(format!("Failed to generate transaction ID: {}", e)))?
-            .as_nanos() as u64;
+        let tx_id = uuid::Uuid::new_v4().as_u128() as u64;

Note: This requires importing uuid crate which is already a workspace dependency.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-plugin/src/output/kafka.rs` around lines 411 - 416, The
current tx_id generation using SystemTime::now().as_nanos() as u64 can collide;
replace that logic in the kafka.rs block where tx_id is created to generate a
UUID instead (use uuid::Uuid::new_v4()) and use the UUID (or its canonical
string) as the transaction identifier; update any downstream types/uses that
expect a u64 to accept a String/Uuid or convert the UUID to a larger integer
form if necessary, and add the required use/import for uuid::Uuid. Ensure error
handling remains consistent (remove the duration_since map_err branch) and
adjust serialization or logging of tx_id accordingly in the surrounding code
paths that reference tx_id.

crates/arkflow-plugin/src/buffer/memory.rs-257-260 (1)

257-260: ⚠️ Potential issue | 🟡 Minor

Restored messages are pushed in reverse order.

Using push_front in a loop over messages reverses their order in the queue. If the original order matters for processing semantics, consider using push_back or iterating in reverse.

Proposed fix to preserve order

         // Restore messages
-        for msg in messages {
+        for msg in messages.into_iter().rev() {
             // Create a NoopAck for restored messages
             let ack = Arc::new(arkflow_core::input::NoopAck);
             queue_lock.push_front((msg, ack));
         }

Or alternatively, use push_back:

         // Restore messages
         for msg in messages {
             let ack = Arc::new(arkflow_core::input::NoopAck);
-            queue_lock.push_front((msg, ack));
+            queue_lock.push_back((msg, ack));
         }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-plugin/src/buffer/memory.rs` around lines 257 - 260, The loop
that restores messages uses queue_lock.push_front((msg, ack)) which reverses the
original order; update the restoration in the function that iterates over
messages so the queue preserves original ordering—either replace
queue_lock.push_front with queue_lock.push_back for each (msg, ack) or iterate
messages in reverse before calling push_front; refer to the symbols messages,
queue_lock.push_front, Arc::new(arkflow_core::input::NoopAck) to locate and
apply the change.

tests/e2e/COMPLETION_REPORT.md-245-246 (1)

245-246: ⚠️ Potential issue | 🟡 Minor

Placeholder date should be completed.

Line 245 contains "2025-01-XX" which appears to be an incomplete date placeholder.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/e2e/COMPLETION_REPORT.md` around lines 245 - 246, Replace the
placeholder date string "2025-01-XX" under the "**创建日期**" header with the actual
completion date (e.g., "2025-01-15" or the real YYYY-MM-DD value); update the
"**创建日期**" field so the document no longer contains the incomplete placeholder.

crates/arkflow-plugin/src/input/kafka.rs-176-194 (1)

176-194: ⚠️ Potential issue | 🟡 Minor

Blocking watermark fetch on every read may impact latency.

fetch_watermarks with a 1-second timeout is called synchronously for every message read when metrics are enabled. Consider sampling (e.g., once per N messages) or fetching asynchronously to avoid adding up to 1 second latency on each read.

🔧 Suggested sampling approach

+                    // Sample consumer lag periodically to avoid latency impact
+                    static LAG_SAMPLE_COUNTER: std::sync::atomic::AtomicU64 = 
+                        std::sync::atomic::AtomicU64::new(0);
+                    let sample_count = LAG_SAMPLE_COUNTER.fetch_add(1, std::sync::atomic::Ordering::Relaxed);
+                    if sample_count % 100 == 0 {
                         if let Ok((low_watermark, high_watermark)) = consumer.fetch_watermarks(
                             kafka_message.topic(),
                             kafka_message.partition(),
                             std::time::Duration::from_secs(1),
                         ) {
                             let lag = high_watermark - kafka_message.offset();
                             metrics::KAFKA_CONSUMER_LAG.observe(lag as f64);
                         }
+                    }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-plugin/src/input/kafka.rs` around lines 176 - 194, The code
calls consumer.fetch_watermarks(...) with a 1s timeout on every message read
(inside the block guarded by metrics::is_metrics_enabled()), which can add up to
a 1s blocking latency per message; change this by sampling or moving watermark
fetches off the hot path: keep the existing metrics code but only call
fetch_watermarks from the message loop every N messages (use a counter stored
alongside the consumer) or run an async/background task that periodically calls
fetch_watermarks and updates metrics::KAFKA_CONSUMER_LAG, make N configurable
(or use a fixed small default) and reference fetch_watermarks, kafka_message,
metrics::KAFKA_CONSUMER_LAG and fetch_start when implementing the sampling or
background updater so the hot-path per-message code avoids the blocking call.

tests/e2e/TEST_SUMMARY.md-176-181 (1)

176-181: ⚠️ Potential issue | 🟡 Minor

Incorrect relative link to README.

Line 181 references tests/e2e/README.md, but since this file is already in tests/e2e/, the link should be README.md.

📝 Proposed fix

-- [端到端测试文档](tests/e2e/README.md)
+- [端到端测试文档](README.md)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/e2e/TEST_SUMMARY.md` around lines 176 - 181, The relative link in
TEST_SUMMARY.md points to "tests/e2e/README.md" while the file is already
located in tests/e2e/, so update the link target to "README.md" (replace the
string "tests/e2e/README.md" with "README.md") to make the reference correct
within the same directory.

tests/e2e/verify_e2e.py-78-84 (1)

78-84: ⚠️ Potential issue | 🟡 Minor

Bare except silently swallows JSON decode errors.

This masks potential data format issues. At minimum, log the error or count malformed messages.

🐛 Proposed fix

             for message in consumer:
                 try:
                     data = json.loads(message.value.decode('utf-8'))
                     messages.append(data)
-                except:
-                    pass
+                except json.JSONDecodeError as e:
+                    log_warning(f"Failed to decode message: {e}")

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/e2e/verify_e2e.py` around lines 78 - 84, Replace the bare except in the
consumer loop with a specific handler for json.JSONDecodeError (raised by
json.loads) and record or log malformed messages instead of silently ignoring
them; in the loop that iterates over consumer and appends to messages (using
json.loads(message.value.decode('utf-8'))), catch json.JSONDecodeError (and
optionally UnicodeDecodeError) and either increment a malformed counter or call
the test/logger (create one if needed) to emit the message key/offset and the
error details so malformed payloads are visible during test runs.

crates/arkflow-core/src/transaction/wal.rs-214-248 (1)

214-248: ⚠️ Potential issue | 🟡 Minor

Silent error handling may mask WAL corruption.

Lines 218-219 and 231-233 treat any I/O error as EOF and break the loop. This could silently discard valid records after a corrupted entry or partial write. Consider:

• Distinguishing EOF from actual errors
• Logging warnings for unexpected read failures
• Returning partial results with an error indication

🛡️ Suggested improvement

             // Read length prefix
             let len = match reader.read_u32().await {
                 Ok(l) => l,
-                Err(_) => break, // EOF or corrupted
+                Err(e) if e.kind() == std::io::ErrorKind::UnexpectedEof => break,
+                Err(e) => {
+                    tracing::warn!("WAL read error (possibly corrupted): {}", e);
+                    break;
+                }
             };

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/src/transaction/wal.rs` around lines 214 - 248, The loop
in wal.rs currently treats any I/O error from reader.read_u32().await and
reader.read_exact(&mut buffer).await as EOF and silently breaks, which can mask
corruption; change the error handling in the WAL read loop (the match on
reader.read_u32().await and the check around reader.read_exact) to distinguish
genuine EOF/UnexpectedEof from other I/O errors: if EOF, stop and return the
accumulated records; if any other error, log or return an explicit Error (e.g.,
wrap the underlying io::Error) so callers know the WAL is corrupted; keep the
rest of the flow (bincode deserialize into WalEntry, entry.verify(), pushing
into records) intact and reference WalEntry, entry.verify(), and the records Vec
so you update the correct code paths.

crates/arkflow-core/src/checkpoint/storage.rs-119-125 (1)

119-125: ⚠️ Potential issue | 🟡 Minor

Blocking path.exists() call in async context.

Path::exists() is a synchronous filesystem operation that can block the async runtime. In load_metadata, load_checkpoint, and delete_checkpoint, consider using tokio::fs::try_exists() or handle the NotFound error from the open/remove operation.

♻️ Non-blocking alternative

     async fn load_metadata(&self, id: CheckpointId) -> Result<Option<CheckpointMetadata>, Error> {
         let meta_path = self.metadata_path(id);

-        // Check if file exists
-        if !meta_path.exists() {
-            return Ok(None);
-        }
-
-        // Read metadata
-        let mut file = fs::File::open(&meta_path)
+        // Attempt to open - handle NotFound as None
+        let mut file = match fs::File::open(&meta_path).await {
+            Ok(f) => f,
+            Err(e) if e.kind() == std::io::ErrorKind::NotFound => return Ok(None),
+            Err(e) => return Err(Error::Read(format!("Failed to open metadata: {}", e))),
+        };

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/src/checkpoint/storage.rs` around lines 119 - 125, The
use of synchronous Path::exists() in load_metadata is blocking; update
load_metadata (and similar methods load_checkpoint and delete_checkpoint) to use
non-blocking filesystem APIs (e.g., tokio::fs::try_exists) or simply attempt the
async open/remove and handle NotFound errors instead of pre-checking existence.
Locate functions load_metadata, load_checkpoint, delete_checkpoint and the
helper metadata_path to remove the blocking exists() call, replace it with
tokio::fs::try_exists(meta_path).await or wrap tokio::fs::File::open /
tokio::fs::remove_file calls to catch and treat std::io::ErrorKind::NotFound as
Ok(None) / no-op, preserving existing return semantics.

crates/arkflow-core/src/transaction/types.rs-108-114 (1)

108-114: ⚠️ Potential issue | 🟡 Minor

age_seconds() calculates transaction duration, not age.

The method computes updated_at - created_at, which is the duration the transaction was active, not its age (time since creation). For a newly created transaction, this returns 0 regardless of actual elapsed time.

If the intent is to get elapsed time since creation:

🐛 Proposed fix

     /// Get transaction age in seconds
     pub fn age_seconds(&self) -> u64 {
-        self.updated_at
-            .duration_since(self.created_at)
+        SystemTime::now()
+            .duration_since(self.created_at)
             .unwrap_or_default()
             .as_secs()
     }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/src/transaction/types.rs` around lines 108 - 114, The
method age_seconds() currently returns updated_at.duration_since(created_at)
(the transaction active duration) which doesn't reflect elapsed time since
creation; change age_seconds() to compute the time since created_at using the
current clock (e.g.,
SystemTime::now().duration_since(self.created_at).unwrap_or_default().as_secs())
so it returns the actual age, or alternatively rename the method (e.g.,
duration_seconds or active_duration_seconds) if you intend to keep the
updated_at-based calculation; update references to age_seconds() accordingly.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Always clean up current_checkpoint and the barrier on save failures.

The ? on capture_state() / save_checkpoint() exits before cleanup_after_checkpoint() runs. One storage error leaves the coordinator stuck with an in-progress checkpoint, and run() will keep skipping future checkpoints as "still in progress".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/src/checkpoint/coordinator.rs` around lines 258 - 269,
The code currently returns early on errors from capture_state() or
save_checkpoint(), leaving current_checkpoint and the barrier set and blocking
future checkpoints; wrap the capture + save sequence so you always call
cleanup_after_checkpoint(checkpoint_id, barrier.id).await regardless of success
or failure (e.g., execute capture_state() and storage.save_checkpoint(...)
inside a local Result-returning block, store its Result, then call
cleanup_after_checkpoint(...) unconditionally, clear current_checkpoint, and
finally propagate the original Result); refer to capture_state,
storage.save_checkpoint, cleanup_after_checkpoint, current_checkpoint and
barrier.id so you locate the code to change.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Critical: Only one processor will receive each barrier.

The barrier channel is shared among all processor workers via barrier_receiver.clone(). Since flume channels are MPSC (multi-producer, single-consumer), each message is delivered to only ONE receiver. When a barrier is sent, only one of N processors receives it, acknowledges, and waits—while others never see the barrier.

For Flink-style barrier alignment, each processor must receive and acknowledge the barrier independently.

🔧 Suggested approach

Use a broadcast channel (e.g., tokio::sync::broadcast) so all processors receive the barrier, or have each processor track barriers separately and poll a shared barrier state:

-        let barrier_channel = if self.barrier_manager.is_some() {
-            let (tx, rx) = flume::bounded::<Barrier>(1);
-            self.barrier_sender = Some(tx.clone());
-            Some((tx, rx))
-        } else {
-            None
-        };
+        // Use broadcast for barrier distribution to all processors
+        let barrier_channel = if self.barrier_manager.is_some() {
+            let (tx, _) = tokio::sync::broadcast::channel::<Barrier>(16);
+            self.barrier_sender = Some(tx.clone());
+            Some(tx)
+        } else {
+            None
+        };

Then each processor subscribes to receive all barriers.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/src/stream/mod.rs` around lines 351 - 375, The barrier
handling is incorrect because barrier_receiver (shared via clone) uses a flume
MPSC channel so each barrier is delivered to only one processor; change to a
broadcast-style channel so every processor receives every barrier. Replace the
shared barrier_receiver usage in the worker spawn with a per-processor
subscriber (e.g., use tokio::sync::broadcast::Sender for sending and call
sender.subscribe() to get a distinct Receiver for each processor), then in the
code paths referencing barrier_receiver.try_recv(), use the per-processor
receiver's try_recv()/recv() to get barriers and keep using
barrier_manager.acknowledge_barrier(...) and
barrier_manager.wait_for_barrier(...) as before (ensure the variable names
barrier_receiver, barrier_manager, acknowledge_barrier, wait_for_barrier, and
processor index i remain the same to locate the change).

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Recovery is not rebuilding the durable coordinator state completely.

Startup ignores idempotency_cache.restore() failures, and WAL replay never advances next_transaction_id. After a restart the coordinator can forget committed idempotency keys and then reuse an existing transaction ID when it appends new records.

Also applies to: 225-249

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/src/transaction/coordinator.rs` around lines 79 - 95, The
constructor ignores errors from idempotency_cache.restore() and the WAL replay
logic never advances next_transaction_id, so on restart committed idempotency
keys can be lost and transaction IDs reused; fix by returning or logging and
propagating restore failures from TransactionCoordinator::new (replace the
ignored let _ = idempotency_cache.restore().await with proper error handling so
restore errors cause startup failure or are logged with context) and update the
WAL replay code that iterates WAL records (the FileWal replay logic and any
method that appends records) to scan for the highest seen transaction id and set
next_transaction_id (the Arc<Mutex<i64>> next_transaction_id) to max_seen + 1
after replay completes; apply the same changes to the other startup/replay path
referenced in the file (the similar restore/replay block around lines 225-249).

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Persist the next record before mutating the live one.

These paths update the in-memory TransactionRecord first and only then append it to the WAL. If append() fails, memory has already advanced to a state that never became durable, so retries and recovery can take a different path from the WAL.

Also applies to: 147-164, 174-191, 211-220

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/src/transaction/coordinator.rs` around lines 123 - 140,
The prepare_transaction implementation mutates the in-memory TransactionRecord
(via record.transition_to) before writing that new state to the WAL, which can
leave memory ahead of durable state if wal.append fails; fix by creating a
separate durable record representing the next state (e.g., clone or build a new
TransactionRecord with TransactionState::Preparing, call
self.wal.append(&next_record).await? first), only after successful append update
the live record with record.transition_to(TransactionState::Preparing), and
repeat the same pattern for the subsequent Prepared transition (and apply
identical changes to the other affected methods/ranges that call
record.transition_to then self.wal.append, ensuring wal.append is called with
the immutable next-state record before mutating the in-memory record).

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify the exact field structure of ExactlyOnceConfig
ast-grep --pattern 'pub struct ExactlyOnceConfig {
  $$$
}'

# Also check TransactionCoordinatorConfig for the timeout field name
ast-grep --pattern 'pub struct TransactionCoordinatorConfig {
  $$$
}'

Repository: arkflow-rs/arkflow

Length of output: 1700

---

Fix config field access in test: transaction_coordinator → transaction, timeout → transaction_timeout.

The test at line 215 accesses config.exactly_once.transaction_coordinator.timeout, but ExactlyOnceConfig defines the field as transaction: TransactionCoordinatorConfig, and that config struct has field transaction_timeout: Duration, not timeout. The test will fail to compile.

🐛 Fix

-        assert_eq!(config.exactly_once.transaction_coordinator.timeout.as_secs(), 30);
+        assert_eq!(config.exactly_once.transaction.transaction_timeout.as_secs(), 30);

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	#[tokio::test]
	async fn test_config_loading() {
	// 测试配置文件加载
	use arkflow_core::config::EngineConfig;
	let config_content = r#"
	logging:
	level: debug
	exactly_once:
	enabled: true
	transaction_coordinator:
	timeout: 30s
	wal:
	path: "/tmp/test/wal"
	max_size: 10485760
	idempotency:
	capacity: 10000
	ttl: 3600s
	streams:
	- name: "test-stream"
	input:
	type: "generate"
	pipeline:
	thread_num: 2
	output:
	type: "drop"
	"#;
	let result: Result<EngineConfig, _> = serde_yaml::from_str(config_content);
	assert!(result.is_ok());
	let config = result.unwrap();
	assert!(config.exactly_once.enabled);
	assert_eq!(config.exactly_once.transaction_coordinator.timeout.as_secs(), 30);
	}
	#[tokio::test]
	async fn test_config_loading() {
	// 测试配置文件加载
	use arkflow_core::config::EngineConfig;
	let config_content = r#"
	logging:
	level: debug
	exactly_once:
	enabled: true
	transaction_coordinator:
	timeout: 30s
	wal:
	path: "/tmp/test/wal"
	max_size: 10485760
	idempotency:
	capacity: 10000
	ttl: 3600s
	streams:
	- name: "test-stream"
	input:
	type: "generate"
	pipeline:
	thread_num: 2
	output:
	type: "drop"
	"#;
	let result: Result<EngineConfig, _> = serde_yaml::from_str(config_content);
	assert!(result.is_ok());
	let config = result.unwrap();
	assert!(config.exactly_once.enabled);
	assert_eq!(config.exactly_once.transaction.transaction_timeout.as_secs(), 30);
	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/e2e_test.rs` around lines 180 - 216, The test is accessing the wrong
fields on ExactlyOnceConfig; change the assertions to use the actual struct
fields: read the transaction coordinator via config.exactly_once.transaction
(TransactionCoordinatorConfig) and assert its transaction_timeout (Duration)
value, e.g. replace
config.exactly_once.transaction_coordinator.timeout.as_secs() with
config.exactly_once.transaction.transaction_timeout.as_secs(); ensure any other
references in test_config_loading to transaction_coordinator or timeout are
updated to transaction and transaction_timeout respectively.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

YAML syntax error: incorrect indentation for query.

The static analyzer detected a syntax error at line 48. The query: key has extra indentation, causing a block mapping error. It should align with type:.

🐛 Proposed fix

     pipeline:
       thread_num: 2
       processors:
         - type: "sql"
-            query: |
+          query: |
             SELECT
               id::text as order_id,
               customer_id::text,
               product_id::text,
               quantity::integer,
               price::decimal,
               CONCAT('idempotency-', id::text, '-', __meta_partition::text, '-', __meta_offset::text) as idempotency_key
             FROM flow

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	processors:
	- type: "sql"
	query: |
	SELECT
	id::text as order_id,
	customer_id::text,
	product_id::text,
	quantity::integer,
	price::decimal,
	CONCAT('idempotency-', id::text, '-', __meta_partition::text, '-', __meta_offset::text) as idempotency_key
	FROM flow
	processors:
	- type: "sql"
	query: |
	SELECT
	id::text as order_id,
	customer_id::text,
	product_id::text,
	quantity::integer,
	price::decimal,
	CONCAT('idempotency-', id::text, '-', __meta_partition::text, '-', __meta_offset::text) as idempotency_key
	FROM flow

🧰 Tools

🪛 YAMLlint (1.38.0)

[error] 48-48: syntax error: expected , but found ''

(syntax)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/e2e/configs/kafka-to-postgres.yaml` around lines 46 - 56, The YAML has
incorrect indentation for the query key under processors; align the `query:` key
with `type:` (same indentation level under the processor item) so the block
scalar is correctly nested under the processor mapping — update the processor
entry containing `type: "sql"` and `query:` (and the multi-line SQL) to use
matching indentation for `type`, `query`, and the SQL block.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

SQL query filter doesn't match generated test data.

Line 143 filters WHERE id::text LIKE '%-%' but the Kafka→PostgreSQL test (lines 120-123) generates records with numeric id values (1-50), not hyphenated strings like order-1. This query will return 0 rows.

🔧 Fix the query to match generated data

-ROW_COUNT=$(docker exec postgres psql -U arkflow -d arkflow_test -t -c "SELECT COUNT(*) FROM orders WHERE id::text LIKE '%-%';" 2>/dev/null | xargs)
+ROW_COUNT=$(docker exec postgres psql -U arkflow -d arkflow_test -t -c "SELECT COUNT(*) FROM orders;" 2>/dev/null | xargs)

Or modify the data generation to use string IDs:

-    echo "{\"id\":$i,\"customer_id\":...
+    echo "{\"id\":\"order-$i\",\"customer_id\":...

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	ROW_COUNT=$(docker exec postgres psql -U arkflow -d arkflow_test -t -c "SELECT COUNT(*) FROM orders WHERE id::text LIKE '%-%';" 2>/dev/null | xargs)
	DUPLICATE_COUNT=$(docker exec postgres psql -U arkflow -d arkflow_test -t -c "SELECT COUNT(*) - COUNT(DISTINCT idempotency_key) FROM orders WHERE idempotency_key IS NOT NULL;" 2>/dev/null | xargs)
	ROW_COUNT=$(docker exec postgres psql -U arkflow -d arkflow_test -t -c "SELECT COUNT(*) FROM orders;" 2>/dev/null | xargs)
	DUPLICATE_COUNT=$(docker exec postgres psql -U arkflow -d arkflow_test -t -c "SELECT COUNT(*) - COUNT(DISTINCT idempotency_key) FROM orders WHERE idempotency_key IS NOT NULL;" 2>/dev/null | xargs)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/e2e/quick-test.sh` around lines 143 - 144, The SQL filter in the
ROW_COUNT command uses WHERE id::text LIKE '%-%' which doesn't match the test
data (numeric ids 1-50), so update the ROW_COUNT query used in the docker exec
psql invocation (the line that sets ROW_COUNT) to match the generated numeric
IDs (for example remove the LIKE filter or use an appropriate numeric filter
such as WHERE id BETWEEN 1 AND 50); leave DUPLICATE_COUNT as-is (it already
checks idempotency_key) or similarly adjust it if you intend to restrict to the
same id range.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Malformed JSON: invalid price field syntax.

The price field generates invalid JSON like "price":109."45}. The shell arithmetic and string concatenation produce a malformed number.

🐛 Proposed fix

     for i in {1..100}; do
         cat <<EOF | docker exec -i kafka kafka-console-producer --broker-list localhost:9092 --topic test-input
-{"id":"order-$i","customer_id":"customer-$((i % 10))","product_id":"product-$((i % 20))","quantity":$((i % 5 + 1)),"price":$((i * 10 + 99))."$((RANDOM % 99))}
+{"id":"order-$i","customer_id":"customer-$((i % 10))","product_id":"product-$((i % 20))","quantity":$((i % 5 + 1)),"price":$((i * 10 + 99)).$((RANDOM % 99))}
 EOF
     done

Note: Even with the fix, using $RANDOM produces non-deterministic test data which may cause flaky tests. Consider using a deterministic value like $((i % 100)) for reproducibility.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	cat <<EOF | docker exec -i kafka kafka-console-producer --broker-list localhost:9092 --topic test-input
	{"id":"order-$i","customer_id":"customer-$((i % 10))","product_id":"product-$((i % 20))","quantity":$((i % 5 + 1)),"price":$((i * 10 + 99))."$((RANDOM % 99))}
	EOF
	done
	cat <<EOF | docker exec -i kafka kafka-console-producer --broker-list localhost:9092 --topic test-input
	{"id":"order-$i","customer_id":"customer-$((i % 10))","product_id":"product-$((i % 20))","quantity":$((i % 5 + 1)),"price":$((i * 10 + 99)).$((RANDOM % 99))}
	EOF
	done

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/e2e/run-e2e-tests.sh` around lines 93 - 96, The JSON produced by the
kafka-console-producer block in run-e2e-tests.sh builds the "price" field with
broken syntax (e.g., 109."45}) by concatenating arithmetic and a string; fix it
by formatting price as a valid JSON number or string using the loop variable i
and $RANDOM properly (e.g., compute a numeric price with arithmetic or format
cents with printf), update the producer payload generation inside the loop that
creates {"id":"order-$i",...,"price":...} to emit a syntactically valid JSON
value for price, and consider replacing $RANDOM with a deterministic expression
like $((i % 100)) to avoid flaky tests.

[coderabbitai]

Actionable comments posted: 9

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

crates/arkflow-plugin/src/output/kafka.rs (1)

237-247: ⚠️ Potential issue | 🟠 Major

Return an Error when topic evaluation is shorter than the payload list.

Both write() and write_idempotent() index EvaluateResult::Vec(v) with v[i] unconditionally, while the key path already guards i < v.len(). A short topic vector will panic the output worker instead of surfacing a recoverable Error.

🔧 Apply the same guard in both methods

- let mut record = match &topic {
-     EvaluateResult::Scalar(s) => FutureRecord::to(s).payload(x.as_slice()),
-     EvaluateResult::Vec(v) => FutureRecord::to(&v[i]).payload(x.as_slice()),
- };
+ let mut record = match &topic {
+     EvaluateResult::Scalar(s) => FutureRecord::to(s).payload(x.as_slice()),
+     EvaluateResult::Vec(v) if i < v.len() => FutureRecord::to(&v[i]).payload(x.as_slice()),
+     EvaluateResult::Vec(_) => {
+         return Err(Error::Process(
+             "Topic expression produced fewer values than payloads".to_string(),
+         ));
+     }
+ };

Also applies to: 356-366

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-plugin/src/output/kafka.rs` around lines 237 - 247, The code
in crates/arkflow-plugin/src/output/kafka.rs (inside write() and
write_idempotent()) unconditionally indexes EvaluateResult::Vec(v) with v[i] for
topic, which can panic when the topic vector is shorter than the payload list;
change both occurrences to mirror the key-guard: check i < v.len() before using
v[i], and if the guard fails return a recoverable Error (propagate Err from the
function) with a clear message about "topic shorter than payloads" rather than
panicking; update the topic handling branches where EvaluateResult::Vec(v) is
used (the block around the existing record construction and the similar block at
the later occurrence) to perform the bounds check and return Err when
out-of-range.

♻️ Duplicate comments (1)

crates/arkflow-core/src/stream/mod.rs (1)

128-138: ⚠️ Potential issue | 🔴 Critical

Barrier alignment cannot work reliably with this channel setup.

self.barrier_sender is only stored privately here, so this module never actually injects a barrier. Even if another hook is added later, cloning a flume::Receiver does not broadcast a barrier to every worker, and the Line 355 try_recv() poll is skipped while a worker is blocked on recv_async(). Multi-worker or idle streams will therefore dead-end in BarrierManager::wait_for_barrier(). Use a per-worker broadcast subscription and await it alongside input.

Also applies to: 163-172, 351-378

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/src/stream/mod.rs` around lines 128 - 138, The current
creation of barrier_channel (the flume bounded pair and setting
self.barrier_sender) does not provide a per-worker broadcast subscription and
thus cannot reliably inject or broadcast barriers; change the design so that the
module stores a single broadcast-capable sender (accessible via
self.barrier_sender or a new field) and, for each worker/stream, create a
per-worker receiver/subscription (instead of cloning a flume::Receiver) that the
worker awaits alongside its input. Specifically, replace the flume::bounded pair
used in barrier_channel with a broadcast/topic-style channel (or a small wrapper
that clones receivers for each worker), ensure each worker obtains its own
subscription and awaits it rather than blocking on recv_async (so the try_recv()
polling path in BarrierManager::wait_for_barrier can co-exist), and update any
uses around barrier_channel, self.barrier_sender, try_recv(), recv_async(), and
BarrierManager::wait_for_barrier to use the new per-worker subscription model.

🧹 Nitpick comments (4)

crates/arkflow-core/src/transaction/wal.rs (4)

15-18: WAL semantics violated in coordinator (cross-file concern).

The module documentation claims WAL "provides durability guarantees for transactions by appending transaction records to a log before committing them." However, in coordinator.rs (Lines 122-144 per context snippet), the in-memory state transition happens before the WAL append:

record.transition_to(TransactionState::Preparing);  // Line 131 - state change
self.wal.append(record).await?;                      // Line 134 - WAL write

This violates write-ahead semantics. A crash between the state transition and WAL append loses the record. The WAL append must precede any in-memory mutation.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/src/transaction/wal.rs` around lines 15 - 18, The
in-memory state change is happening before the WAL write, breaking write-ahead
semantics; update the coordinator logic so wal.append(record).await is invoked
and confirmed successful before calling
record.transition_to(TransactionState::Preparing) (and any other in-memory
mutation). Locate the code using symbols wal.append, record.transition_to, and
TransactionState::Preparing in the coordinator method and reorder the operations
so the WAL append completes (handle/propagate errors) prior to mutating
in-memory state.

---

115-117: Blocking filesystem call in constructor.

std::fs::create_dir_all is a synchronous blocking call. While this only happens once at initialization, consider using tokio::fs::create_dir_all for consistency with the rest of the async implementation, or document that new() should be called outside the async runtime hot path.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/src/transaction/wal.rs` around lines 115 - 117, The
constructor is doing a blocking filesystem call with std::fs::create_dir_all on
wal_dir; replace it with a non-blocking alternative by either making the
constructor async and calling tokio::fs::create_dir_all(&wal_dir).await (update
the signature of new to async) or, if you must keep new synchronous, wrap the
blocking call in tokio::task::spawn_blocking and await that result; ensure the
Error mapping (Error::Read) is preserved and reference the wal_dir creation site
inside the new function when applying the change.

---

42-49: Unused configuration options: max_file_size and compression.

These config fields are defined and documented but never actually used in the implementation. FileWal uses a single wal.log file without rotation, and no compression is applied during serialization.

Consider either implementing these features or removing/marking them as reserved for future use to avoid misleading users.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/src/transaction/wal.rs` around lines 42 - 49, The config
fields max_file_size and compression are declared but unused; update FileWal
(and any WAL write/serialize paths) to either honor these options or mark them
unused: either implement rotation logic that checks WalConfig.max_file_size and
rotates wal.log into numbered/dated files when exceeded (update FileWal::append
/ write path to track current size and perform rotation), and apply compression
when WalConfig.compression is true (compress serialized entries before writing
and decompress on read in FileWal::read/iterate), or remove/annotate the fields
and documentation to indicate they are reserved; reference
WalConfig.max_file_size, WalConfig.compression, and the FileWal
append/read/serialize code paths to locate where to change behavior.

---

316-396: Consider adding test coverage for edge cases.

Current tests cover happy paths well. Consider adding tests for:

1. Checksum mismatch detection: Corrupt a serialized entry and verify recover() returns an error
2. Partial write recovery: Simulate a truncated entry (incomplete write) to verify graceful handling
3. Concurrent operations: Test append() during truncate() to catch race conditions

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/src/transaction/wal.rs` around lines 316 - 396, Add unit
tests in the existing tests mod for FileWal that cover three edge cases: (1)
checksum mismatch — write a valid WalEntry then corrupt bytes in the wal file
and assert wal.recover() returns an Err or that WalEntry.verify() fails for that
entry (use WalEntry::new/verify and FileWal::append/recover to locate where to
corrupt); (2) partial/truncated write — append an entry then truncate the
underlying file bytes to simulate an incomplete entry and assert recover()
handles it gracefully (returns only complete entries or an Err depending on
desired behavior) by operating on the same FileWal produced by FileWal::new and
calling recover(); (3) concurrent append vs truncate race — spawn concurrent
tasks that call FileWal::append() and FileWal::truncate() (via tokio::spawn) to
ensure no panics and assert final recovered state is consistent; keep tests
inside the tests mod and reuse TempDir + WalConfig as in existing tests to
isolate filesystem state.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@crates/arkflow-core/src/metrics/registry.rs`:
- Around line 42-47: init_metrics currently uses METRICS_INITIALIZED.load/store
as a fast-path only, which allows two callers to race and both run the
registration code; fix by adding a real critical section around the
registration: introduce a global lock (e.g., a Mutex or use std::sync::Once) and
wrap the body of init_metrics (the collector registration code between the
initial load check and the METRICS_INITIALIZED.store(true)) inside that critical
section, keeping the initial fast-path load for performance but re-checking
METRICS_INITIALIZED after acquiring the lock and only performing registration
and the METRICS_INITIALIZED.store(true) when still false; reference init_metrics
and METRICS_INITIALIZED to locate the code to change.

In `@crates/arkflow-core/src/stream/mod.rs`:
- Around line 608-637: The permanent-error branch currently ACKs the batch and
drops msgs without routing them to the dead-letter sink; update the branch where
is_temporary is false (the block containing error!("Permanent error...") and
ack.ack().await) to forward the failed msgs to err_output/error_output (using
the same sending function used elsewhere in this module) before acknowledging,
and only ACK after the err_output send completes or is enqueued; alternatively,
if discarding is intended, change the comment near the permanent-error handling
to state that messages are intentionally discarded rather than routed to
err_output. Ensure you reference the existing variables err_output (or
error_output), msgs, and ack so the fix uses the same error-output path and
acknowledge ordering as the rest of the function.
- Around line 76-77: stream_uuid is generated randomly and the idempotency key
built using it plus the in-memory seq makes keys change across replays; change
the key generation so it uses stable source/checkpoint identifiers instead.
Replace use of stream_uuid and seq in the idempotency key with deterministic
fields derived from the incoming source record or checkpoint (e.g., source_id /
partition / offset / checkpoint_id or a stable record UID) where the key is
assembled (the code that currently references stream_uuid and seq), so
check_and_mark_idempotency() can reliably deduplicate retries; ensure any helper
that constructs the key uses those stable fields and remove reliance on
Uuid::new_v4() and ephemeral seq counters.
- Around line 535-581: The coordinator transaction is started but the sink's
transaction is not begun before the first write, so call
output.begin_transaction(tx_id).await? right after obtaining tx_id from
tx_coordinator::begin_transaction (and before any write_idempotent calls) to
ensure the output sets its current_transaction_id (e.g., Kafka's
begin_transaction uses current_transaction_id); also ensure the rollback path
mirrors both IDs by invoking output.rollback_transaction(tx_id).await? whenever
coordinator.rollback_transaction(tx_id).await? is called (and likewise call
output.commit_transaction(tx_id).await? only after
coordinator.commit_transaction(tx_id).await? or maintain the current ordering
but ensure both begin/commit/rollback are called on coordinator and output in
the same paired sequence).

In `@crates/arkflow-core/src/transaction/wal.rs`:
- Around line 161-197: The append() function has a race with truncate():
ensure_file_open() releases the current_file lock before append() later
re-acquires it and unwraps, allowing truncate() to set current_file to None and
cause a panic; fix by keeping the file lock held for the whole append operation
or re-checking current_file after acquiring the write lock—specifically modify
append() (and/or ensure_file_open()) to either hold the RwLockWriteGuard for
current_file across serialization, length write and data write, or after
acquiring file_guard in append() verify file_guard.is_some() (avoid unwrap) and
reopen the file if None; reference symbols: append, ensure_file_open, truncate,
current_file, current_size.
- Around line 255-264: Add a Rust docstring to the async fn truncate(&self,
retain_last_n: usize) function explaining that it operates on the output of
recover() and therefore retains only incomplete (non-terminal) transactions;
mention that recover() filters out terminal states (Committed, RolledBack,
TimedOut) and that truncate is intended for WAL recovery maintenance rather than
audit logging, so keeping only non-terminal transactions is the expected
behavior. Reference the truncate method and its use of recover() in the
docstring so future readers understand the design intent.
- Around line 73-87: The WalEntry serialization currently swallows errors via
unwrap_or_default, producing empty payloads and bogus checksums; change
WalEntry::new and WalEntry::verify to return Result (e.g., Result<Self, E> and
Result<bool, E> or make verify return Result<(), E>) and propagate serialization
errors instead of defaulting, using bincode::serialize?() to surface failures;
update all callers—append(), recover(), and truncate()—to handle the Result
(propagate with ? or map errors into the WAL error type) so serialization
failures fail the operation rather than silently creating/verifying invalid
entries.
- Around line 215-234: The WAL reader loop currently treats any read_u32 or
read_exact error as EOF and breaks silently, which can hide mid-entry
corruption; update the loop in the WAL reader (where reader.read_u32().await and
reader.read_exact(&mut buffer).await are called) to distinguish
io::ErrorKind::UnexpectedEof (treat as normal EOF and break) from other errors
(log or return an Error::Process indicating WAL corruption with the underlying
error details), and ensure the large-entry check (len > 10 * 1024 * 1024)
remains; include the underlying error string in the Error::Process or a warning
log so corruption is visible.

In `@crates/arkflow-plugin/src/output/kafka.rs`:
- Around line 200-206: The Kafka transaction APIs (init_transactions,
begin_transaction, commit_transaction, abort_transaction) are blocking and must
be offloaded from async context; update the calls in kafka.rs (the
init_transactions call and the ones referenced near the
begin_transaction/commit_transaction/abort_transaction usage) to use
tokio::task::spawn_blocking with .await and propagate/map the Result into the
existing Error::Connection variants, preserving the timeout argument
(self.config.transaction_timeout) and existing error messages; ensure you await
the spawned task, map any JoinError or inner error into Connection errors, and
keep the same behavior when transactional_id.is_some().

---

Outside diff comments:
In `@crates/arkflow-plugin/src/output/kafka.rs`:
- Around line 237-247: The code in crates/arkflow-plugin/src/output/kafka.rs
(inside write() and write_idempotent()) unconditionally indexes
EvaluateResult::Vec(v) with v[i] for topic, which can panic when the topic
vector is shorter than the payload list; change both occurrences to mirror the
key-guard: check i < v.len() before using v[i], and if the guard fails return a
recoverable Error (propagate Err from the function) with a clear message about
"topic shorter than payloads" rather than panicking; update the topic handling
branches where EvaluateResult::Vec(v) is used (the block around the existing
record construction and the similar block at the later occurrence) to perform
the bounds check and return Err when out-of-range.

---

Duplicate comments:
In `@crates/arkflow-core/src/stream/mod.rs`:
- Around line 128-138: The current creation of barrier_channel (the flume
bounded pair and setting self.barrier_sender) does not provide a per-worker
broadcast subscription and thus cannot reliably inject or broadcast barriers;
change the design so that the module stores a single broadcast-capable sender
(accessible via self.barrier_sender or a new field) and, for each worker/stream,
create a per-worker receiver/subscription (instead of cloning a flume::Receiver)
that the worker awaits alongside its input. Specifically, replace the
flume::bounded pair used in barrier_channel with a broadcast/topic-style channel
(or a small wrapper that clones receivers for each worker), ensure each worker
obtains its own subscription and awaits it rather than blocking on recv_async
(so the try_recv() polling path in BarrierManager::wait_for_barrier can
co-exist), and update any uses around barrier_channel, self.barrier_sender,
try_recv(), recv_async(), and BarrierManager::wait_for_barrier to use the new
per-worker subscription model.

---

Nitpick comments:
In `@crates/arkflow-core/src/transaction/wal.rs`:
- Around line 15-18: The in-memory state change is happening before the WAL
write, breaking write-ahead semantics; update the coordinator logic so
wal.append(record).await is invoked and confirmed successful before calling
record.transition_to(TransactionState::Preparing) (and any other in-memory
mutation). Locate the code using symbols wal.append, record.transition_to, and
TransactionState::Preparing in the coordinator method and reorder the operations
so the WAL append completes (handle/propagate errors) prior to mutating
in-memory state.
- Around line 115-117: The constructor is doing a blocking filesystem call with
std::fs::create_dir_all on wal_dir; replace it with a non-blocking alternative
by either making the constructor async and calling
tokio::fs::create_dir_all(&wal_dir).await (update the signature of new to async)
or, if you must keep new synchronous, wrap the blocking call in
tokio::task::spawn_blocking and await that result; ensure the Error mapping
(Error::Read) is preserved and reference the wal_dir creation site inside the
new function when applying the change.
- Around line 42-49: The config fields max_file_size and compression are
declared but unused; update FileWal (and any WAL write/serialize paths) to
either honor these options or mark them unused: either implement rotation logic
that checks WalConfig.max_file_size and rotates wal.log into numbered/dated
files when exceeded (update FileWal::append / write path to track current size
and perform rotation), and apply compression when WalConfig.compression is true
(compress serialized entries before writing and decompress on read in
FileWal::read/iterate), or remove/annotate the fields and documentation to
indicate they are reserved; reference WalConfig.max_file_size,
WalConfig.compression, and the FileWal append/read/serialize code paths to
locate where to change behavior.
- Around line 316-396: Add unit tests in the existing tests mod for FileWal that
cover three edge cases: (1) checksum mismatch — write a valid WalEntry then
corrupt bytes in the wal file and assert wal.recover() returns an Err or that
WalEntry.verify() fails for that entry (use WalEntry::new/verify and
FileWal::append/recover to locate where to corrupt); (2) partial/truncated write
— append an entry then truncate the underlying file bytes to simulate an
incomplete entry and assert recover() handles it gracefully (returns only
complete entries or an Err depending on desired behavior) by operating on the
same FileWal produced by FileWal::new and calling recover(); (3) concurrent
append vs truncate race — spawn concurrent tasks that call FileWal::append() and
FileWal::truncate() (via tokio::spawn) to ensure no panics and assert final
recovered state is consistent; keep tests inside the tests mod and reuse TempDir
+ WalConfig as in existing tests to isolate filesystem state.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: dffb4234-e30f-4175-b257-e997ec61f0d9

📥 Commits

Reviewing files that changed from the base of the PR and between 7976f9e and 8f358be.

⛔ Files ignored due to path filters (1)

• Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (6)

• crates/arkflow-core/Cargo.toml
• crates/arkflow-core/src/metrics/registry.rs
• crates/arkflow-core/src/stream/mod.rs
• crates/arkflow-core/src/transaction/wal.rs
• crates/arkflow-plugin/Cargo.toml
• crates/arkflow-plugin/src/output/kafka.rs

✅ Files skipped from review due to trivial changes (1)

• crates/arkflow-plugin/Cargo.toml

🚧 Files skipped from review as they are similar to previous changes (1)

• crates/arkflow-core/Cargo.toml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Guard init_metrics() with a real critical section.

METRICS_INITIALIZED.load() at Line 44 and store(true) at Line 134 are only a fast-path flag, not mutual exclusion. Two callers can enter together, partially register the collectors, and then poison later retries with duplicate-registration errors even though this function is documented as idempotent.

🔧 Simple fix

+static METRICS_INIT_LOCK: Lazy<std::sync::Mutex<()>> =
+    Lazy::new(|| std::sync::Mutex::new(()));
+
 pub fn init_metrics() -> Result<(), Error> {
+    let _guard = METRICS_INIT_LOCK.lock().unwrap();
+
     // Check if already initialized
     if METRICS_INITIALIZED.load(Ordering::Acquire) {
         info!("Metrics already initialized, skipping registration");
         return Ok(());
     }

Also applies to: 49-135

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/src/metrics/registry.rs` around lines 42 - 47,
init_metrics currently uses METRICS_INITIALIZED.load/store as a fast-path only,
which allows two callers to race and both run the registration code; fix by
adding a real critical section around the registration: introduce a global lock
(e.g., a Mutex or use std::sync::Once) and wrap the body of init_metrics (the
collector registration code between the initial load check and the
METRICS_INITIALIZED.store(true)) inside that critical section, keeping the
initial fast-path load for performance but re-checking METRICS_INITIALIZED after
acquiring the lock and only performing registration and the
METRICS_INITIALIZED.store(true) when still false; reference init_metrics and
METRICS_INITIALIZED to locate the code to change.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

The idempotency key changes on every replay.

stream_uuid at Line 77 is random per process, and the key at Line 552 also includes seq, which is just an in-memory counter. check_and_mark_idempotency() in crates/arkflow-core/src/transaction/idempotency.rs:105-125 only deduplicates exact key matches, so a retried or recovered source record is treated as new and can be emitted twice. Derive the key from stable source/checkpoint identity instead.

Also applies to: 550-556

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/src/stream/mod.rs` around lines 76 - 77, stream_uuid is
generated randomly and the idempotency key built using it plus the in-memory seq
makes keys change across replays; change the key generation so it uses stable
source/checkpoint identifiers instead. Replace use of stream_uuid and seq in the
idempotency key with deterministic fields derived from the incoming source
record or checkpoint (e.g., source_id / partition / offset / checkpoint_id or a
stable record UID) where the key is assembled (the code that currently
references stream_uuid and seq), so check_and_mark_idempotency() can reliably
deduplicate retries; ensure any helper that constructs the key uses those stable
fields and remove reliance on Uuid::new_v4() and ephemeral seq counters.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Begin the sink transaction before the first write_idempotent().

This branch opens only the coordinator transaction. crates/arkflow-plugin/src/output/kafka.rs:433-544 sets current_transaction_id inside Output::begin_transaction(), so output.commit_transaction(tx_id) / rollback_transaction(tx_id) will fail on the first batch and every preceding write ran outside the Kafka transaction. The default no-op methods in crates/arkflow-core/src/output/mod.rs:56-85 also let unsupported outputs slip through silently.

🔧 Missing call flow

- let tx_id = match coordinator.begin_transaction(vec![seq]).await {
+ let coordinator_tx_id = match coordinator.begin_transaction(vec![seq]).await {
     Ok(id) => id,
     Err(e) => {
         error!("Failed to begin transaction: {}", e);
         if metrics::is_metrics_enabled() {
             metrics::ERRORS_TOTAL.inc();
         }
         return;
     }
 };
+ let output_tx_id = match output.begin_transaction().await {
+     Ok(id) => id,
+     Err(e) => {
+         let _ = coordinator.rollback_transaction(coordinator_tx_id).await;
+         error!("Failed to begin output transaction: {}", e);
+         return;
+     }
+ };

  ...
- coordinator.add_idempotency_key(tx_id, idempotency_key.clone()).await?;
+ coordinator
+     .add_idempotency_key(coordinator_tx_id, idempotency_key.clone())
+     .await?;

  ...
- coordinator.prepare_transaction(tx_id).await?;
- output.prepare_transaction(tx_id).await?;
- output.commit_transaction(tx_id).await?;
- coordinator.commit_transaction(tx_id).await?;
+ coordinator.prepare_transaction(coordinator_tx_id).await?;
+ output.prepare_transaction(output_tx_id).await?;
+ output.commit_transaction(output_tx_id).await?;
+ coordinator.commit_transaction(coordinator_tx_id).await?;

The rollback path should mirror both IDs as well.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/src/stream/mod.rs` around lines 535 - 581, The
coordinator transaction is started but the sink's transaction is not begun
before the first write, so call output.begin_transaction(tx_id).await? right
after obtaining tx_id from tx_coordinator::begin_transaction (and before any
write_idempotent calls) to ensure the output sets its current_transaction_id
(e.g., Kafka's begin_transaction uses current_transaction_id); also ensure the
rollback path mirrors both IDs by invoking
output.rollback_transaction(tx_id).await? whenever
coordinator.rollback_transaction(tx_id).await? is called (and likewise call
output.commit_transaction(tx_id).await? only after
coordinator.commit_transaction(tx_id).await? or maintain the current ordering
but ensure both begin/commit/rollback are called on coordinator and output in
the same paired sequence).

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Permanent sink failures are ACKed and dropped.

When is_temporary is false, this branch acknowledges the batch without ever routing msgs to err_output. That turns configuration/schema failures into irreversible data loss even though a dead-letter output is available in this function. If discard is intentional, the comment at Lines 634-636 should be corrected.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/src/stream/mod.rs` around lines 608 - 637, The
permanent-error branch currently ACKs the batch and drops msgs without routing
them to the dead-letter sink; update the branch where is_temporary is false (the
block containing error!("Permanent error...") and ack.ack().await) to forward
the failed msgs to err_output/error_output (using the same sending function used
elsewhere in this module) before acknowledging, and only ACK after the
err_output send completes or is enqueued; alternatively, if discarding is
intended, change the comment near the permanent-error handling to state that
messages are intentionally discarded rather than routed to err_output. Ensure
you reference the existing variables err_output (or error_output), msgs, and ack
so the fix uses the same error-output path and acknowledge ordering as the rest
of the function.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Silent serialization failure masks integrity issues.

Using unwrap_or_default() on Lines 76 and 83 silently swallows serialization errors, producing an empty byte vector. This means:

1. In new(): A failed serialization computes a CRC of empty data, storing a bogus checksum
2. In verify(): The same failure computes CRC of empty data, incorrectly matching the bogus checksum

This defeats the purpose of integrity verification—corrupted records would pass verification.

Proposed fix to propagate serialization errors

 impl WalEntry {
-    fn new(record: TransactionRecord) -> Self {
+    fn new(record: TransactionRecord) -> Result<Self, Error> {
         // Use CRC32 for robust integrity verification
-        let serialized = bincode::serialize(&record).unwrap_or_default();
+        let serialized = bincode::serialize(&record)
+            .map_err(|e| Error::Process(format!("Failed to serialize record for checksum: {}", e)))?;
         let checksum = calculate_crc32(&serialized);
 
-        Self { record, checksum }
+        Ok(Self { record, checksum })
     }
 
-    fn verify(&self) -> bool {
-        let serialized = bincode::serialize(&self.record).unwrap_or_default();
-        let checksum = calculate_crc32(&serialized);
-        checksum == self.checksum
+    fn verify(&self) -> Result<bool, Error> {
+        let serialized = bincode::serialize(&self.record)
+            .map_err(|e| Error::Process(format!("Failed to serialize record for verification: {}", e)))?;
+        let computed = calculate_crc32(&serialized);
+        Ok(computed == self.checksum)
     }
 }

Then update callers in append(), recover(), and truncate() to handle the Result.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/src/transaction/wal.rs` around lines 73 - 87, The
WalEntry serialization currently swallows errors via unwrap_or_default,
producing empty payloads and bogus checksums; change WalEntry::new and
WalEntry::verify to return Result (e.g., Result<Self, E> and Result<bool, E> or
make verify return Result<(), E>) and propagate serialization errors instead of
defaulting, using bincode::serialize?() to surface failures; update all
callers—append(), recover(), and truncate()—to handle the Result (propagate with
? or map errors into the WAL error type) so serialization failures fail the
operation rather than silently creating/verifying invalid entries.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Race condition between append and truncate operations.

There's a potential race:

1. append() calls ensure_file_open() at Line 162, which acquires write lock, opens file, releases lock
2. Concurrent truncate() acquires lock, sets current_file to None at Line 271
3. append() acquires lock at Line 173, calls unwrap() at Line 174 on None → panic

The issue is that ensure_file_open() releases the lock before append() re-acquires it to write. Consider keeping the lock held across the entire append operation, or re-checking the file handle after acquiring the write lock.

Proposed fix to hold lock across entire operation

     async fn append(&self, record: &TransactionRecord) -> Result<(), Error> {
-        self.ensure_file_open().await?;
-
         // Create WAL entry
         let entry = WalEntry::new(record.clone());
 
         // Serialize
         let serialized = bincode::serialize(&entry)
             .map_err(|e| Error::Process(format!("Failed to serialize WAL entry: {}", e)))?;
 
         // Write length prefix (4 bytes)
         let len = serialized.len() as u32;
         let mut file_guard = self.current_file.write().await;
-        let file = file_guard.as_mut().unwrap();
+        
+        // Ensure file is open (while holding the lock)
+        if file_guard.is_none() {
+            let path = self.wal_file_path();
+            let file = OpenOptions::new()
+                .create(true)
+                .append(true)
+                .open(&path)
+                .await
+                .map_err(|e| Error::Read(format!("Failed to open WAL file: {}", e)))?;
+            
+            let metadata = file.metadata().await
+                .map_err(|e| Error::Read(format!("Failed to get WAL metadata: {}", e)))?;
+            *self.current_size.write().await = metadata.len();
+            *file_guard = Some(file);
+        }
+        
+        let file = file_guard.as_mut()
+            .ok_or_else(|| Error::Process("WAL file not available".to_string()))?;

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	async fn append(&self, record: &TransactionRecord) -> Result<(), Error> {
	self.ensure_file_open().await?;
	// Create WAL entry
	let entry = WalEntry::new(record.clone());
	// Serialize
	let serialized = bincode::serialize(&entry)
	.map_err(|e| Error::Process(format!("Failed to serialize WAL entry: {}", e)))?;
	// Write length prefix (4 bytes)
	let len = serialized.len() as u32;
	let mut file_guard = self.current_file.write().await;
	let file = file_guard.as_mut().unwrap();
	file.write_u32(len)
	.await
	.map_err(|e| Error::Read(format!("Failed to write WAL length: {}", e)))?;
	// Write data
	file.write_all(&serialized)
	.await
	.map_err(|e| Error::Read(format!("Failed to write WAL data: {}", e)))?;
	// Optionally sync
	if self.config.sync_on_write {
	file.sync_all()
	.await
	.map_err(|e| Error::Read(format!("Failed to sync WAL: {}", e)))?;
	}
	// Update size
	let mut size = self.current_size.write().await;
	*size += 4 + serialized.len() as u64;
	Ok(())
	}
	async fn append(&self, record: &TransactionRecord) -> Result<(), Error> {
	// Create WAL entry
	let entry = WalEntry::new(record.clone());
	// Serialize
	let serialized = bincode::serialize(&entry)
	.map_err(|e| Error::Process(format!("Failed to serialize WAL entry: {}", e)))?;
	// Write length prefix (4 bytes)
	let len = serialized.len() as u32;
	let mut file_guard = self.current_file.write().await;
	// Ensure file is open (while holding the lock)
	if file_guard.is_none() {
	let path = self.wal_file_path();
	let file = OpenOptions::new()
	.create(true)
	.append(true)
	.open(&path)
	.await
	.map_err(|e| Error::Read(format!("Failed to open WAL file: {}", e)))?;
	let metadata = file.metadata().await
	.map_err(|e| Error::Read(format!("Failed to get WAL metadata: {}", e)))?;
	*self.current_size.write().await = metadata.len();
	*file_guard = Some(file);
	}
	let file = file_guard.as_mut()
	.ok_or_else(|| Error::Process("WAL file not available".to_string()))?;
	file.write_u32(len)
	.await
	.map_err(|e| Error::Read(format!("Failed to write WAL length: {}", e)))?;
	// Write data
	file.write_all(&serialized)
	.await
	.map_err(|e| Error::Read(format!("Failed to write WAL data: {}", e)))?;
	// Optionally sync
	if self.config.sync_on_write {
	file.sync_all()
	.await
	.map_err(|e| Error::Read(format!("Failed to sync WAL: {}", e)))?;
	}
	// Update size
	let mut size = self.current_size.write().await;
	*size += 4 + serialized.len() as u64;
	Ok(())
	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/src/transaction/wal.rs` around lines 161 - 197, The
append() function has a race with truncate(): ensure_file_open() releases the
current_file lock before append() later re-acquires it and unwraps, allowing
truncate() to set current_file to None and cause a panic; fix by keeping the
file lock held for the whole append operation or re-checking current_file after
acquiring the write lock—specifically modify append() (and/or
ensure_file_open()) to either hold the RwLockWriteGuard for current_file across
serialization, length write and data write, or after acquiring file_guard in
append() verify file_guard.is_some() (avoid unwrap) and reopen the file if None;
reference symbols: append, ensure_file_open, truncate, current_file,
current_size.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Silent error handling may mask WAL corruption.

Lines 219 and 232-234 silently break on any I/O error, treating both EOF and corruption identically. This could mask partially-written entries or disk corruption, leaving incomplete data undetected.

Consider distinguishing between expected EOF (UnexpectedEof at the end of file is normal for length-prefixed formats) vs. actual corruption (read errors mid-entry), and logging warnings for the latter.

Proposed fix to distinguish EOF from corruption

         loop {
             // Read length prefix
             let len = match reader.read_u32().await {
                 Ok(l) => l,
-                Err(_) => break, // EOF or corrupted
+                Err(e) if e.kind() == std::io::ErrorKind::UnexpectedEof => break, // Normal EOF
+                Err(e) => {
+                    tracing::warn!("WAL read error (may indicate corruption): {}", e);
+                    break;
+                }
             };

             // Prevent unreasonably large allocations
             if len > 10 * 1024 * 1024 {
                 return Err(Error::Process(format!(
                     "WAL entry too large: {} bytes",
                     len
                 )));
             }

             // Read entry data
             let mut buffer = vec![0u8; len as usize];
-            if (reader.read_exact(&mut buffer).await).is_err() {
-                break;
+            match reader.read_exact(&mut buffer).await {
+                Ok(_) => {}
+                Err(e) if e.kind() == std::io::ErrorKind::UnexpectedEof => {
+                    tracing::warn!("Truncated WAL entry detected (incomplete write?)");
+                    break;
+                }
+                Err(e) => {
+                    return Err(Error::Read(format!("Failed to read WAL entry: {}", e)));
+                }
             }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/src/transaction/wal.rs` around lines 215 - 234, The WAL
reader loop currently treats any read_u32 or read_exact error as EOF and breaks
silently, which can hide mid-entry corruption; update the loop in the WAL reader
(where reader.read_u32().await and reader.read_exact(&mut buffer).await are
called) to distinguish io::ErrorKind::UnexpectedEof (treat as normal EOF and
break) from other errors (log or return an Error::Process indicating WAL
corruption with the underlying error details), and ensure the large-entry check
(len > 10 * 1024 * 1024) remains; include the underlying error string in the
Error::Process or a warning log so corruption is visible.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if there's any documentation or usage that indicates terminal transactions should be preserved
rg -n "truncate|terminal|compaction" --type rust -C 3 crates/arkflow-core/src/transaction/

Repository: arkflow-rs/arkflow

Length of output: 6374

---

🏁 Script executed:

#!/bin/bash
# Get the full truncate function to check for docstring/documentation
sed -n '255,313p' crates/arkflow-core/src/transaction/wal.rs

Repository: arkflow-rs/arkflow

Length of output: 2185

---

🏁 Script executed:

#!/bin/bash
# Check for any archival or audit log mechanism for complete transactions
rg -n "archive|audit|history|complete" --type rust crates/arkflow-core/src/transaction/ | head -20

Repository: arkflow-rs/arkflow

Length of output: 171

---

🏁 Script executed:

#!/bin/bash
# Look at the full test to understand expected behavior
sed -n '357,390p' crates/arkflow-core/src/transaction/wal.rs

Repository: arkflow-rs/arkflow

Length of output: 1133

---

Add docstring to truncate() documenting that it retains only incomplete transactions.

The method discards all terminal transactions (Committed, RolledBack, TimedOut) because recover() filters them out by design—the WAL is intended for recovery of incomplete transactions only, not as an audit log. This is consistent with the coordinator's recovery logic (which explicitly recovers "incomplete transactions"). However, truncate() lacks documentation explaining this design choice. Add a docstring clarifying that the method retains only non-terminal transactions and why this is appropriate for the WAL's recovery-focused purpose.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/src/transaction/wal.rs` around lines 255 - 264, Add a
Rust docstring to the async fn truncate(&self, retain_last_n: usize) function
explaining that it operates on the output of recover() and therefore retains
only incomplete (non-terminal) transactions; mention that recover() filters out
terminal states (Committed, RolledBack, TimedOut) and that truncate is intended
for WAL recovery maintenance rather than audit logging, so keeping only
non-terminal transactions is the expected behavior. Reference the truncate
method and its use of recover() in the docstring so future readers understand
the design intent.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, locate and examine the kafka.rs file
find . -name "kafka.rs" -path "*/output/*" | head -20

Repository: arkflow-rs/arkflow

Length of output: 105

---

🏁 Script executed:

# Get the file size to determine how to read it
wc -l crates/arkflow-plugin/src/output/kafka.rs

Repository: arkflow-rs/arkflow

Length of output: 107

---

🏁 Script executed:

# Examine the specific lines mentioned in the review
cat -n crates/arkflow-plugin/src/output/kafka.rs | sed -n '195,210p'

Repository: arkflow-rs/arkflow

Length of output: 844

---

🏁 Script executed:

# Check all other mentioned line ranges
cat -n crates/arkflow-plugin/src/output/kafka.rs | sed -n '461,471p'
cat -n crates/arkflow-plugin/src/output/kafka.rs | sed -n '498,510p'
cat -n crates/arkflow-plugin/src/output/kafka.rs | sed -n '528,540p'

Repository: arkflow-rs/arkflow

Length of output: 1665

---

🏁 Script executed:

# Check the function signatures and context
cat -n crates/arkflow-plugin/src/output/kafka.rs | sed -n '180,220p'

Repository: arkflow-rs/arkflow

Length of output: 1984

---

🏁 Script executed:

# Check the function signatures containing these lines
cat -n crates/arkflow-plugin/src/output/kafka.rs | sed -n '150,220p'

Repository: arkflow-rs/arkflow

Length of output: 3170

---

🏁 Script executed:

# Check the function containing lines 466-469 and surrounding context
cat -n crates/arkflow-plugin/src/output/kafka.rs | sed -n '410,480p'

Repository: arkflow-rs/arkflow

Length of output: 3433

---

🏁 Script executed:

# Check the function containing lines 503-506 and surrounding context
cat -n crates/arkflow-plugin/src/output/kafka.rs | sed -n '480,515p'

Repository: arkflow-rs/arkflow

Length of output: 1761

---

🏁 Script executed:

# Check the function containing lines 533-536 and surrounding context
cat -n crates/arkflow-plugin/src/output/kafka.rs | sed -n '515,550p'

Repository: arkflow-rs/arkflow

Length of output: 1688

---

🏁 Script executed:

# Check what type of producer is being used and its imports
cat -n crates/arkflow-plugin/src/output/kafka.rs | sed -n '1,50p'

Repository: arkflow-rs/arkflow

Length of output: 1916

---

🏁 Script executed:

# Verify the FutureProducer type and its transaction API characteristics
grep -n "FutureProducer\|use rdkafka\|use kafka" crates/arkflow-plugin/src/output/kafka.rs | head -20

Repository: arkflow-rs/arkflow

Length of output: 398

---

🌐 Web query:

rdkafka FutureProducer init_transactions begin_transaction synchronous blocking

💡 Result:

In the rust-rdkafka library, FutureProducer supports Kafka transactions via synchronous, blocking methods inherited from the Producer trait. These methods mirror the underlying librdkafka C API behavior. Key methods: - producer.init_transactions(timeout): Initialize transactional state (blocking, acquires PID, fences old instances). Call once after creating the producer with 'transactional.id' configured. - producer.begin_transaction: Begin a new transaction (blocking). Requires prior successful init_transactions. - producer.commit_transaction(timeout) or abort_transaction(timeout): End the transaction (blocking; commit flushes outstanding messages). These are synchronous Result-returning functions that block until completion or timeout/error. After init_transactions, all produces belong to the active transaction until commit/abort. Example workflow (Rust pseudocode): let mut config = ClientConfig::new; config.set("bootstrap.servers", "localhost:9092"); config.set("transactional.id", "my-transactional-id"); let producer: FutureProducer = config.create.expect("Producer creation error"); producer.init_transactions(Timeout::After(Duration::from_secs(30))) .expect("Transaction init failed"); loop { producer.begin_transaction.expect("Begin txn failed"); // Send messages (async via .send.await, but part of txn) for record in records { let delivery = producer.send(record, Duration::from_secs(0)).await; // Handle delivery status } producer.commit_transaction(Timeout::After(Duration::from_secs(30))) .expect("Commit failed"); } For synchronous message confirmation within txn, await send futures or use flush. Official librdkafka docs confirm init_transactions, begin_transaction, etc., are blocking calls. rust-rdkafka exposes them directly as sync methods on FutureProducer (unlike async send). See rust-rdkafka PR #293 and docs.rs/rdkafka Producer trait.

Citations:

• 1: https://docs.rs/rdkafka/*/rdkafka/producer/future_producer/struct.FutureProducer.html
• 2: https://fede1024.github.io/rust-rdkafka/rdkafka/producer/future_producer/struct.FutureProducer.html
• 3: https://docs.rs/rdkafka/latest/rdkafka/producer/trait.Producer.html
• 4: https://docs.rs/rdkafka/latest/rdkafka/producer/struct.FutureProducer.html
• 5: Add producer transaction support fede1024/rust-rdkafka#293
• 6: https://fede1024.github.io/rust-rdkafka/rdkafka/producer/index.html
• 7: https://github.com/confluentinc/librdkafka/blob/master/examples/transactions.c

---

Use tokio::task::spawn_blocking to offload Kafka transaction APIs from the async runtime.

init_transactions, begin_transaction, commit_transaction, and abort_transaction are synchronous blocking calls with second-scale timeouts. Calling them directly in async fn blocks the executor thread and stalls other Tokio tasks. Wrap each call with spawn_blocking to move the blocking operation to a dedicated thread pool.

Also applies to: lines 466-469, 503-506, 533-536

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-plugin/src/output/kafka.rs` around lines 200 - 206, The Kafka
transaction APIs (init_transactions, begin_transaction, commit_transaction,
abort_transaction) are blocking and must be offloaded from async context; update
the calls in kafka.rs (the init_transactions call and the ones referenced near
the begin_transaction/commit_transaction/abort_transaction usage) to use
tokio::task::spawn_blocking with .await and propagate/map the Result into the
existing Error::Connection variants, preserving the timeout argument
(self.config.transaction_timeout) and existing error messages; ensure you await
the spawned task, map any JoinError or inner error into Connection errors, and
keep the same behavior when transactional_id.is_some().

[coderabbitai]

Actionable comments posted: 4

Note

Due to the large number of review comments, Critical severity comments were prioritized as inline comments.

♻️ Duplicate comments (6)

crates/arkflow-core/src/stream/mod.rs (4)

691-701: ⚠️ Potential issue | 🟠 Major

Permanent transactional failures are still ACKed and dropped.

This branch says the batch will go to error_output, but it never writes msgs there before acknowledging. For non-retryable sink errors, that turns a configuration/schema failure into irreversible data loss.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/src/stream/mod.rs` around lines 691 - 701, The
non-retryable branch currently ACKs and discards messages without sending them
to the configured error sink; locate the !is_temporary branch around the
error!("Permanent error...") and ack.ack().await and before calling
ack.ack().await send the batch (msgs) to the configured error_output (e.g., call
the error_output.write/send method or error_output.send_batch(msgs).await),
await its result, and log any failures; only after attempting (and logging) the
error_output write should you ack. Ensure you reference the existing symbols
error_output, msgs, ack.ack().await, and the permanent-error branch to make the
change.

---

598-645: ⚠️ Potential issue | 🔴 Critical

Begin the sink transaction before the first write_idempotent().

This branch opens only the coordinator transaction. Without output.begin_transaction(), sink implementations never initialize sink-side transactional state before write_idempotent(), and outputs relying on the trait's default no-op prepare/commit/rollback hooks can falsely look exactly-once-safe.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/src/stream/mod.rs` around lines 598 - 645, The
coordinator transaction is begun but the sink-side transaction isn't; call the
sink's begin_transaction before any write_idempotent calls so sink
implementations can initialize transactional state. After obtaining tx_id from
coordinator.begin_transaction(...) and before the loop that calls
output.write_idempotent(...), invoke output.begin_transaction(tx_id). Ensure the
same tx_id is used and that subsequent
prepare_transaction/commit_transaction/rollback paths remain consistent with
coordinator.prepare_transaction/commit_transaction to keep transaction lifecycle
aligned between coordinator and output.

---

76-77: ⚠️ Potential issue | 🔴 Critical

Idempotency keys still change across recovery.

The key uses a random stream_uuid, and while that UUID is written into checkpoint metadata it is never restored in restore_from_checkpoint(). The same replayed source record will therefore get a fresh key after restart and bypass deduplication.

Also applies to: 615-616, 818-820, 830-887

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/src/stream/mod.rs` around lines 76 - 77, The stream id
currently uses a freshly generated random stream_uuid (e.g., let stream_uuid =
uuid::Uuid::new_v4().to_string()) but that value is written to checkpoint
metadata and not restored, so idempotency keys change after restart; fix by
persisting and restoring the same stream_uuid in the checkpoint restore path: in
the checkpoint creation code keep writing stream_uuid into the checkpoint
metadata and in restore_from_checkpoint() load that stored value and assign it
back to the stream state (replacing any new_v4() creation), and ensure all
key-generation sites reference the restored self.stream_uuid (or the struct
field that holds it) so replayed records produce identical idempotency keys
across recoveries.

---

138-149: ⚠️ Potential issue | 🔴 Critical

Barrier delivery never reaches all processors.

barrier_sender is only created and stored privately here; nothing in Stream forwards BarrierManager::inject_barrier() into this channel, so workers never receive a barrier at all. Even after wiring the sender, cloned flume::Receivers compete for one message instead of broadcasting it, so a single barrier still cannot be observed by every processor.

#!/bin/bash
echo "Local barrier-channel wiring in crates/arkflow-core/src/stream/mod.rs"
rg -n --type=rust '\bbarrier_sender\b|flume::bounded::<Barrier>|barrier_receiver\.clone\(' crates/arkflow-core/src/stream/mod.rs

echo
echo "Cross-repo references to barrier_sender"
rg -n --type=rust '\bbarrier_sender\b' .

Does cloning a `flume::Receiver<T>` broadcast each message to all receiver clones, or are messages distributed so each message is consumed by only one receiver?

Also applies to: 171-182

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/src/stream/mod.rs` around lines 138 - 149, The barrier
channel currently stores a single flume::Sender in Stream::barrier_sender but
never wires BarrierManager::inject_barrier to send into it, and cloned
flume::Receiver instances compete for messages instead of broadcasting; fix by
(1) wiring the manager so inject_barrier calls the stored sender
(barrier_sender) to send Barrier values, and (2) replace the flume pair with a
broadcast-capable channel (e.g., tokio::sync::broadcast::channel or another
pub/sub implementation) so each worker gets its own subscriber instead of
cloning a competing flume::Receiver; update the code that constructs
barrier_channel (the creation using flume::bounded::<Barrier>) to create a
broadcast sender and create per-worker receivers (subscribe) assigned to
barrier_receiver, and ensure Stream::barrier_sender holds the broadcast Sender
used by BarrierManager::inject_barrier.

crates/arkflow-core/src/checkpoint/coordinator.rs (2)

296-302: ⚠️ Potential issue | 🔴 Critical

Cleanup still gets skipped on capture/save failure.

At Lines 296-302, ? can return before cleanup_after_checkpoint, leaving current_checkpoint and barrier state stuck.

Suggested fix

-                // 4. Capture state (with provided stream states)
-                let snapshot = self.capture_state(stream_states).await?;
-
-                // 5. Save checkpoint
-                let metadata = self
-                    .storage
-                    .save_checkpoint(checkpoint_id, &snapshot)
-                    .await?;
-
-                // 6. Cleanup
-                self.cleanup_after_checkpoint(checkpoint_id, barrier.id)
-                    .await;
+                // 4-5. Capture + save, but always cleanup afterwards
+                let save_result: CheckpointResult<CheckpointMetadata> = async {
+                    let snapshot = self.capture_state(stream_states).await?;
+                    self.storage.save_checkpoint(checkpoint_id, &snapshot).await
+                }
+                .await;
+
+                self.cleanup_after_checkpoint(checkpoint_id, barrier.id).await;
+
+                let metadata = match save_result {
+                    Ok(metadata) => metadata,
+                    Err(e) => {
+                        let mut stats = self.stats.write().await;
+                        stats.failed_checkpoints += 1;
+                        return Err(e);
+                    }
+                };

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/src/checkpoint/coordinator.rs` around lines 296 - 302,
The code returns early on errors from capture_state or storage.save_checkpoint
(using ?), which can skip cleanup_after_checkpoint and leave
current_checkpoint/barrier state stuck; wrap both calls to capture_state(...)
and storage.save_checkpoint(...) in explicit match/if-let error handling so that
on Err(e) you first call and await self.cleanup_after_checkpoint(checkpoint_id)
(and handle/propagate any cleanup error appropriately) and then return the
original error, e.g., replace the `let snapshot =
self.capture_state(...).await?` and the
`self.storage.save_checkpoint(...).await?` with error-checked versions that call
self.cleanup_after_checkpoint(checkpoint_id).await before propagating the error;
keep references to capture_state, storage.save_checkpoint,
cleanup_after_checkpoint, and current_checkpoint/barrier state to locate the
logic to update.

---

211-213: ⚠️ Potential issue | 🔴 Critical

Periodic checkpoints are triggered without stream state payloads.

At Line 212, trigger_checkpoint(None) means scheduled checkpoints can complete with empty/logical-only snapshots, which breaks recovery expectations for exactly-once flows.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/src/checkpoint/coordinator.rs` around lines 211 - 213,
The scheduled checkpoint currently calls trigger_checkpoint(None) which creates
empty snapshots; change the scheduled checkpoint flow to gather the current
stream state and pass it into trigger_checkpoint (e.g., build or fetch the
latest stream states from the coordinator's in-memory state or the method that
exposes them) so you call trigger_checkpoint(Some(stream_states)) instead of
None; ensure you handle any error from the state-gathering step before invoking
trigger_checkpoint and preserve the existing error logging around
trigger_checkpoint.

🟠 Major comments (18)

.claude/rules/build/build.md-2-2 (1)

2-2: ⚠️ Potential issue | 🟠 Major

Guideline contradicts established build practices.

This guideline instructs developers to use debug mode instead of release mode to reduce compilation time, which directly contradicts the established practice. Debug builds lack critical optimizations (LTO, codegen-units=1, opt-level=3) and may hide bugs that only appear in optimized release builds. This could compromise production binary quality and test validity.

If the intent is to speed up development iteration, consider clarifying that debug mode is acceptable for local development and quick testing only, while CI/CD pipelines and production builds must use release mode. Based on learnings, build optimized release binaries using cargo build --release with release profile settings: codegen-units = 1, lto = true, and opt-level = 3 in Cargo.toml.

📋 Proposed clarification

 # Build
-构建二进制文件时，尽可能使用debug模式，避免使用release模式，缩短编译时间。
+## Development Builds
+本地开发和快速测试时，可以使用debug模式以缩短编译时间。
+
+## Production and CI Builds
+生产环境和CI/CD流程必须使用release模式构建，启用完整优化：
+- 使用 `cargo build --release`
+- 在 `Cargo.toml` 中配置: `codegen-units = 1`, `lto = true`, `opt-level = 3`

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.claude/rules/build/build.md at line 2, The guideline line
"构建二进制文件时，尽可能使用debug模式，避免使用release模式，缩短编译时间。" is incorrect and should be
clarified: update the rule to state that debug builds are acceptable for local
development and fast iteration only, but CI/CD and production must use optimized
release builds (use cargo build --release) and recommend release profile
settings in Cargo.toml (codegen-units = 1, lto = true, opt-level = 3) so
optimized/reproducible binaries are produced for testing and deployment.

crates/arkflow-plugin/src/processor/filter.rs-317-333 (1)

317-333: ⚠️ Potential issue | 🟠 Major

LargeUtf8 columns will panic at runtime due to incorrect downcast.

The match arm handles both Utf8 and LargeUtf8, but the downcast uses StringArray which only works for Utf8. For LargeUtf8 columns, downcast_ref::<StringArray>() returns None and unwrap() will panic.

This same issue affects evaluate_starts_with (line 346) and evaluate_ends_with (line 373).

🐛 Proposed fix

         match column.data_type() {
-            DataType::Utf8 | DataType::LargeUtf8 => {
-                let array = column.as_any().downcast_ref::<StringArray>().unwrap();
+            DataType::Utf8 => {
+                let array = column.as_any().downcast_ref::<StringArray>().unwrap();
+                let target = value.as_str().ok_or_else(|| {
+                    Error::Config("String value expected for Contains operator".to_string())
+                })?;
+                Ok(array
+                    .iter()
+                    .map(|v| v.map(|s| s.contains(target)))
+                    .collect())
+            }
+            DataType::LargeUtf8 => {
+                use datafusion::arrow::array::LargeStringArray;
+                let array = column.as_any().downcast_ref::<LargeStringArray>().unwrap();
                 let target = value.as_str().ok_or_else(|| {
                     Error::Config("String value expected for Contains operator".to_string())
                 })?;

Apply similar fixes to evaluate_starts_with and evaluate_ends_with.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-plugin/src/processor/filter.rs` around lines 317 - 333, The
Contains/StartsWith/EndsWith arms (in evaluate_contains, evaluate_starts_with,
evaluate_ends_with) downcast every string column to StringArray which panics for
LargeUtf8; change the logic to branch on DataType::Utf8 versus
DataType::LargeUtf8 and downcast to StringArray for Utf8 and LargeStringArray
for LargeUtf8, avoid unwrap() by returning an Err when downcast_ref returns
None, and keep the same iterator mapping logic (map over Option<&str> to bool)
for both StringArray and LargeStringArray so both string widths are handled
safely.

.github/workflows/rust.yml-18-18 (1)

18-18: ⚠️ Potential issue | 🟠 Major

Update all GitHub Actions to current major versions.

Replace actions/checkout@v3 with actions/checkout@v6 and actions/cache@v3 with actions/cache@v5 across all three jobs (quality, security, test). These versions are now multiple major releases behind the current stable versions, and the official upstream repositories recommend these newer releases.

Instances to update:

• actions/checkout@v3: lines 18, 57, 76
• actions/cache@v3: lines 27, 33, 39, 60, 85, 91, 97

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/rust.yml at line 18, Update the GitHub Actions steps to
use the current major versions: replace all occurrences of actions/checkout@v3
with actions/checkout@v6 and replace all occurrences of actions/cache@v3 with
actions/cache@v5, ensuring you update every job (quality, security, test) where
these actions are referenced (check the steps that call the actions named
"actions/checkout" and "actions/cache" and update their version suffixes
accordingly).

crates/arkflow-core/src/config.rs-214-234 (1)

214-234: ⚠️ Potential issue | 🟠 Major

validate() should not create the checkpoint directory.

This makes arkflow --validate a mutating command, and runtime already creates the same path in LocalFileStorage::new(). A validation pass should stay read-only; otherwise a dry-run can leave state behind even when the engine never starts.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/src/config.rs` around lines 214 - 234, The validate()
function currently mutates state by calling
std::fs::create_dir_all(&self.checkpoint.local_path); remove that creation and
instead perform a read-only check: if checkpoint.enabled, verify that
checkpoint.local_path exists and is a directory (use std::fs::metadata and
is_dir()) and return a Config error if it does not exist or is not a directory;
do not attempt to create or modify the filesystem here. Keep the runtime
behavior that creates the path in LocalFileStorage::new().

crates/arkflow-core/src/config.rs-77-113 (1)

77-113: ⚠️ Potential issue | 🟠 Major

Keep the new metrics listener opt-in for existing configs.

Because metrics is #[serde(default)], every legacy config that omits this new section will now start a listener on 0.0.0.0:9090. Since Engine::start_metrics_server() binds whenever metrics.enabled is true, this is a backwards-incompatible behavior change that can break existing deployments.

🔧 Proposed fix

 fn default_metrics_enabled() -> bool {
-    true
+    false
 }

Also applies to: 127-135

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/src/config.rs` around lines 77 - 113, The new
MetricsConfig currently defaults enabled to true, so legacy configs that omit
metrics will start a listener; change the opt-in behavior by making
default_metrics_enabled() return false (and ensure the Default impl uses that
same helper), so MetricsConfig::enabled is false for omitted configs; update any
tests or call sites that assume the old default and verify
Engine::start_metrics_server() still binds only when metrics.enabled is true.

.github/workflows/docker.yml-81-87 (1)

81-87: ⚠️ Potential issue | 🟠 Major

Add docker/setup-qemu-action before building multi-platform images.

The workflow enables multi-platform builds (linux/amd64,linux/arm64) but only configures Buildx. Since the Dockerfile executes RUN cargo build --release during the build process, the arm64 build still needs QEMU to emulate foreign-architecture RUN steps on the amd64 GitHub runner. Add docker/setup-qemu-action before the Buildx setup step.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/docker.yml around lines 81 - 87, The workflow enables
multi-platform builds but omits QEMU setup, so add the docker/setup-qemu-action
step before the docker/setup-buildx-action step in the GitHub Actions workflow
to enable emulation for cross-architecture RUN commands (e.g., cargo build
--release). Insert a step that uses docker/setup-qemu-action (with default
config) immediately prior to the existing buildx setup lines that reference
platforms: linux/amd64,linux/arm64 and build-args VERSION/BUILD_DATE/VCS_REF so
the arm64 build can run on an amd64 runner.

docker/Dockerfile-48-50 (1)

48-50: ⚠️ Potential issue | 🟠 Major

Add wget to the runtime dependencies in the Dockerfile.

The HEALTHCHECK command uses wget but the runtime dependencies (lines 48-50) do not install it. The debian:bookworm-slim base image does not include wget by default, causing health checks to fail immediately even when ArkFlow is healthy.

Proposed fix

 RUN apt-get update && \
-    apt-get install -y --no-install-recommends libsqlite3-0 python3 ca-certificates && \
+    apt-get install -y --no-install-recommends libsqlite3-0 python3 ca-certificates wget && \
     rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/*

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docker/Dockerfile` around lines 48 - 50, The Dockerfile's runtime install
step does not include wget, but the image's HEALTHCHECK uses wget and
debian:bookworm-slim lacks it; update the RUN apt-get install line in the
Dockerfile (the runtime install block that currently installs libsqlite3-0
python3 ca-certificates) to also install wget so the HEALTHCHECK command can run
successfully.

crates/arkflow-core/tests/exactly_once_integration_test.rs-15-21 (1)

15-21: ⚠️ Potential issue | 🟠 Major

This “exactly once” integration test never enters the data plane.

It only drives BarrierManager and CheckpointCoordinator. There is no Stream, no TransactionCoordinator, no sink write, and no replay after failure, so it won't catch the stream/output correctness bugs this PR introduces.

Also applies to: 331-419

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/tests/exactly_once_integration_test.rs` around lines 15 -
21, The integration test currently only exercises BarrierManager and
CheckpointCoordinator and therefore never exercises the data plane; update the
test to instantiate and run a real Stream pipeline (or a realistic mock) that
includes a TransactionCoordinator and a sink writer, emit records through the
Stream, trigger checkpoints/barriers via BarrierManager/CheckpointCoordinator,
simulate a failure and perform recovery/replay, and assert end-to-end
exactly-once output and idempotency; specifically modify the test in
exactly_once_integration_test.rs to wire up a Stream implementation, hook in the
TransactionCoordinator used by the runtime, perform actual sink writes (or a
durable mock) and validate replay behavior after recovery so the test fails on
stream/output correctness regressions.

crates/arkflow-core/tests/performance_test.rs-17-64 (1)

17-64: ⚠️ Potential issue | 🟠 Major

These benchmark-style assertions will flap in CI.

Hardcoded millisecond and throughput thresholds on temp files, scheduler timing, and debug-build performance will vary a lot by runner and load, so failures here won't reliably indicate regressions. I'd move these behind #[ignore]/bench tooling or assert relative invariants instead of absolute numbers.

Also applies to: 66-144, 146-202, 204-259, 261-327, 330-417

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/tests/performance_test.rs` around lines 17 - 64, The test
test_checkpoint_creation_overhead (and the other benchmark-style tests in this
file) uses hardcoded absolute timing thresholds that will flake in CI; mark
these tests as non-default (add #[ignore] to the test functions or move them to
proper benchmark/benches) or gate them behind a perf feature so they only run
intentionally, and replace the absolute assert! comparing avg_time <
Duration::from_millis(10) with a relative invariant (e.g., compare current
avg_time to a stored baseline or ensure creation latency scales appropriately)
so the check no longer depends on runner-specific throughput; update the
CheckpointCoordinator creation loop and assertion accordingly (refer to
test_checkpoint_creation_overhead and similar test functions in this file).

IMPLEMENTATION_SUMMARY.md-124-164 (1)

124-164: ⚠️ Potential issue | 🟠 Major

The readiness claims here overstate the current state.

This document still lists core runtime work like Stream barrier handling, connector checkpoint logic, and recovery as unfinished, but the conclusion says the feature is “生产就绪” and “完整”. For exactly-once semantics, that mismatch is risky because it suggests stronger guarantees than the same document says are implemented.

Also applies to: 221-240

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@IMPLEMENTATION_SUMMARY.md` around lines 124 - 164, The document's conclusion
overstates readiness despite unfinished items (e.g., Stream::run() barrier
handling, Processor workers, Input trait checkpoint, Output trait 2PC,
recovery/WAL replay), so update the final summary language to accurately reflect
remaining work and risks: replace claims like "生产就绪" and "完整" with wording that
lists the missing components (barrier propagation, connector checkpoint logic,
state recovery) and explicitly caveats that exactly-once semantics are not yet
fully guaranteed; also make the same edits in the corresponding section
referenced (lines 221-240) and ensure mentions of Stream::run(), Input trait,
Output trait, checkpoint and barrier are included to guide follow-up work.

examples/exactly_once_quick_start.yaml-90-103 (1)

90-103: ⚠️ Potential issue | 🟠 Major

Use portable storage paths in this example fixture.

/var/lib/arkflow/checkpoints and /var/lib/arkflow/wal will be unwritable in most local and CI runs, so this quick-start example is hard to execute as-is. Keep example paths repo-relative or temp-dir-based instead. As per coding guidelines, examples/**/*.yaml: Create example configurations in examples/ directory that serve as integration test fixtures.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@examples/exactly_once_quick_start.yaml` around lines 90 - 103, The example
uses absolute system paths for storage and WAL which are unwritable in CI/local
runs; update the storage.path and transaction_coordinator.wal.path values in
examples/exactly_once_quick_start.yaml to use repo-relative or
temporary-directory style paths (e.g., ./tmp/arkflow/checkpoints and
./tmp/arkflow/wal or a template like ${TMPDIR}/arkflow/...) so the
storage.type/local and wal.type/file configurations (keys "storage.path" and
"transaction_coordinator.wal.path") point to portable, writable locations while
leaving other keys (alignment_timeout, wal.sync_mode) unchanged.

crates/arkflow-core/src/checkpoint/coordinator.rs-364-373 (1)

364-373: ⚠️ Potential issue | 🟠 Major

Multi-stream snapshot merge is lossy for input_state and buffer_state.

Only the first stream’s input_state and buffer_state are retained; subsequent streams are discarded. This will restore incomplete state in multi-stream deployments.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/src/checkpoint/coordinator.rs` around lines 364 - 373,
The current snapshot assembly in coordinator.rs only keeps the first
stream_snapshot's input_state and buffer_state and discards others; instead,
implement a proper merge across streams: when iterating stream_snapshot use
existing snapshot.input_state and snapshot.buffer_state as the accumulator and,
for each non-none stream_snapshot.input_state or buffer_state, merge it into the
accumulator (e.g., call new helper functions merge_input_state(existing,
incoming) and merge_buffer_state(existing, incoming) that handle combining
maps/offsets/entries, or if accumulator is None set it to the incoming clone);
update the code around symbols snapshot, stream_snapshot, input_state, and
buffer_state to call these helpers so multi-stream state is aggregated rather
than lost.

crates/arkflow-core/src/checkpoint/coordinator.rs-269-275 (1)

269-275: ⚠️ Potential issue | 🟠 Major

Ack expectation can race with stream registration changes.

expected_acks is computed, then barrier is injected later. A concurrent register_stream/unregister_stream between these steps can desynchronize expected vs real participants, causing premature completion or alignment stalls.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/src/checkpoint/coordinator.rs` around lines 269 - 275,
The race occurs because calculate_expected_acks() computes expected_acks before
calling barrier_manager.inject_barrier(...), allowing concurrent
register_stream/unregister_stream to change participants; fix by making the
snapshot and injection atomic: either (A) acquire the same participant-registry
lock used by register_stream/unregister_stream, call calculate_expected_acks()
and then call barrier_manager.inject_barrier(checkpoint_id, expected_acks) while
holding that lock so no registration changes can occur in between, or (B) change
inject_barrier to accept a participants-snapshot (e.g., Vec<StreamId> or a
generation token) or to recompute expected acks internally from a passed
immutable snapshot so the barrier is injected against a consistent participant
set; update calculate_expected_acks, barrier_manager.inject_barrier, and
register_stream/unregister_stream to use the same synchronization/generation
mechanism accordingly.

crates/arkflow-core/src/checkpoint/coordinator.rs-175-181 (1)

175-181: ⚠️ Potential issue | 🟠 Major

Honor config.enabled when initializing coordinator state.

At Line 180, enabled is hardcoded to true, so CheckpointConfig.enabled is ignored.

Suggested fix

 pub fn new(config: CheckpointConfig) -> CheckpointResult<Self> {
+    let initially_enabled = config.enabled;
     // Create storage backend
     let storage = Arc::new(LocalFileStorage::new(&config.local_path)?);

@@
         Ok(Self {
             config,
@@
-            enabled: Arc::new(RwLock::new(true)),
+            enabled: Arc::new(RwLock::new(initially_enabled)),
             stats: Arc::new(RwLock::new(CheckpointStats::default())),
             registered_streams: Arc::new(RwLock::new(std::collections::HashMap::new())),
         })
     }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/src/checkpoint/coordinator.rs` around lines 175 - 181,
The coordinator currently hardcodes enabled to true; update the initializer for
the enabled field to honor CheckpointConfig by using the config.enabled value
(e.g., enabled: Arc::new(RwLock::new(config.enabled))) so the coordinator state
reflects the configuration; reference the initializer where next_checkpoint_id,
current_checkpoint, enabled, and stats are set and replace the hardcoded true
with config.enabled (clone or copy as needed).

crates/arkflow-core/src/checkpoint/committing_state.rs-275-279 (1)

275-279: ⚠️ Potential issue | 🟠 Major

Table metadata merge currently overwrites earlier subtask entries.

Using insert(table_name, table_meta.clone()) replaces previously accumulated commit_data_by_subtask for the same table, dropping earlier subtasks.

Suggested fix

 for (table_name, table_meta) in &metadata.table_metadata {
-    operator_data
-        .table_metadata
-        .insert(table_name.clone(), table_meta.clone());
+    let entry = operator_data
+        .table_metadata
+        .entry(table_name.clone())
+        .or_insert_with(|| TableCheckpointMetadata {
+            table_name: table_name.clone(),
+            commit_data_by_subtask: HashMap::new(),
+        });
+    for (subtask_idx, bytes) in &table_meta.commit_data_by_subtask {
+        entry
+            .commit_data_by_subtask
+            .insert(*subtask_idx, bytes.clone());
+    }
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/src/checkpoint/committing_state.rs` around lines 275 -
279, The current loop copies metadata.table_metadata into
operator_data.table_metadata using insert, which overwrites any existing
TableMetadata and drops previously accumulated commit_data_by_subtask; instead,
for each (table_name, table_meta) check
operator_data.table_metadata.entry(table_name.clone()) and if an entry exists
merge table_meta.commit_data_by_subtask into the existing entry's
commit_data_by_subtask (e.g., iterate table_meta.commit_data_by_subtask and
extend/insert per subtask id), otherwise insert a clone of table_meta; this
preserves earlier subtask entries rather than replacing them.

crates/arkflow-core/src/checkpoint/committing_state.rs-126-133 (1)

126-133: ⚠️ Potential issue | 🟠 Major

operators_committed can be incremented multiple times for the same operator.

Repeated calls after an operator is already done will keep incrementing operators_committed, making done() true too early.

Suggested fix

 pub struct CommittingState {
@@
     /// Number of operators that have finished committing
     operators_committed: usize,
+    /// Operators already counted as fully committed
+    counted_committed_operators: HashSet<String>,
@@
         Self {
@@
             operators_committed: 0,
+            counted_committed_operators: HashSet::new(),
             total_operators,
         }
@@
 pub fn operator_fully_committed(&mut self, operator_id: &str) {
-    if self.operator_done(operator_id) {
+    if self.operator_done(operator_id)
+        && self.counted_committed_operators.insert(operator_id.to_string())
+    {
         self.operators_committed += 1;
         info!(

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/src/checkpoint/committing_state.rs` around lines 126 -
133, operator_fully_committed currently increments the operators_committed
counter every time operator_done(operator_id) is true, allowing duplicate
increments; fix by tracking which operators have already been counted (e.g., add
a committed_operators HashSet field) and in operator_fully_committed check
committed_operators.contains(operator_id) before incrementing, only increment
and insert into committed_operators when the operator_id is not yet present; use
the existing operator_fully_committed, operator_done, and operators_committed
symbols to locate and update the logic.

crates/arkflow-core/src/checkpoint/committing_state.rs-94-100 (1)

94-100: ⚠️ Potential issue | 🟠 Major

get_committing_operators() returns pending operators, not ready operators.

The current implementation returns operators that still have subtasks in subtasks_to_commit. That is the opposite of “ready to commit”.

Suggested fix

 pub fn get_committing_operators(&self) -> HashSet<String> {
-    let operators: HashSet<String> = self
-        .subtasks_to_commit
-        .iter()
-        .map(|(operator_id, _)| operator_id.clone())
-        .collect();
-    operators
+    self.committing_data
+        .keys()
+        .filter(|operator_id| self.operator_done(operator_id))
+        .cloned()
+        .collect()
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/src/checkpoint/committing_state.rs` around lines 94 -
100, get_committing_operators currently returns operators that still have
entries in self.subtasks_to_commit (pending), but it should return operators
ready to commit; update the method to collect operator ids from the canonical
operator map (e.g., self.committing_operator_states.keys() or whichever field
holds all operators) and filter out any operator_id present in
self.subtasks_to_commit, cloning the keys and returning the resulting
HashSet<String> so only operators with no pending subtasks are returned.

crates/arkflow-core/src/checkpoint/coordinator.rs-186-219 (1)

186-219: ⚠️ Potential issue | 🟠 Major

Implement graceful shutdown for run() using CancellationToken.

The method currently runs an unbounded loop with no cancellation mechanism. Following the established pattern in Stream::run() and other background tasks, accept a CancellationToken parameter and check for cancellation in the loop to enable proper task lifecycle management.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/src/checkpoint/coordinator.rs` around lines 186 - 219,
The run() method lacks cancellation support and runs an infinite loop; update
its signature to accept a CancellationToken (e.g., token: CancellationToken) and
wire it into the loop so the task exits cleanly: poll token cancellation
alongside the interval timer (using tokio::select! or token.cancelled().await)
before each tick and before triggering work, and break/return when cancelled.
Ensure checks around is_enabled(), is_checkpoint_in_progress(), and
trigger_checkpoint(None) remain the same but are skipped when the token is
cancelled, and update any callers of CheckpointCoordinator::run to pass the
CancellationToken.

🟡 Minor comments (7)

.claude/rules/build/build.md-1-1 (1)

1-1: ⚠️ Potential issue | 🟡 Minor

Fix markdown heading format.

The heading has multiple spaces after the hash, which violates markdown conventions.

📝 Proposed fix

-#  Build
+# Build

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.claude/rules/build/build.md at line 1, The markdown heading currently
contains extra spaces after the hash ("#  Build"); fix it by normalizing the
heading to a single space after the hash (change the "#  Build" line to "#
Build") so it follows standard Markdown heading format and linting rules.

SESSION_RECOVERY_IMPLEMENTATION.md-116-147 (1)

116-147: ⚠️ Potential issue | 🟡 Minor

Add language tags to these fenced blocks.

Both fences are unlabeled, so markdownlint will keep reporting MD040 here. text is enough unless you want to convert the diagrams to mermaid.

Also applies to: 151-166

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@SESSION_RECOVERY_IMPLEMENTATION.md` around lines 116 - 147, The fenced
diagram blocks lack language tags causing MD040; update the code fences
surrounding the ASCII diagrams (the block containing Engine,
CheckpointCoordinator.restore_from_checkpoint(),
LocalFileStorage.load_checkpoint(latest_id), Stream.restore_from_checkpoint(),
Input.seek(), TransactionCoordinator.recover()) and the later block at lines
151-166 to include a language tag such as ```text (or ```mermaid if converting
to mermaid), so the markdown linter stops flagging MD040.

SESSION_WORK_SUMMARY.md-201-215 (1)

201-215: ⚠️ Potential issue | 🟡 Minor

Add a language tag to the diagram fence.

This block is unlabeled, so markdownlint will keep flagging MD040. text is enough for the current ASCII diagram.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@SESSION_WORK_SUMMARY.md` around lines 201 - 215, The fenced ASCII diagram
block containing lines like "Engine" and "CheckpointCoordinator (如果启用)" is
missing a language tag which triggers markdownlint MD040; update the opening
fence from ``` to ```text to label the block (leave the diagram content
unchanged) so the code fence is properly tagged.

TEST_IMPROVEMENT_SUMMARY.md-34-43 (1)

34-43: ⚠️ Potential issue | 🟡 Minor

This document reports two different total test counts.

The table says 298 tests, while the execution summary and conclusion say 307. That makes the coverage summary hard to trust as written.

Also applies to: 126-138, 204-206

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@TEST_IMPROVEMENT_SUMMARY.md` around lines 34 - 43, Summary: The document
shows inconsistent total test counts (table's "| **总计** | **298**" vs execution
summary/conclusion saying 307). Fix: reconcile and update all occurrences so
totals match the real run count (e.g., change the table row "| **总计** | **298**"
to the correct total, or recompute module counts to equal 307), and ensure the
execution summary and conclusion text use the same corrected number; update any
related percentage/coverage figures that depend on the total. Locate and update
the table total row ("| **总计** | **298**"), the execution summary paragraph, and
the conclusion paragraph so they all reference the same validated total and
derived coverage numbers.

FINAL_SUMMARY.md-12-20 (1)

12-20: ⚠️ Potential issue | 🟡 Minor

The test totals in this summary do not reconcile.

The detailed breakdown here is 165 + 133 + 9 = 307, but the overview and conclusion both say 359. Please reconcile those numbers before merging this summary.

Also applies to: 127-152, 254-255

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@FINAL_SUMMARY.md` around lines 12 - 20, The summary's test counts don't add
up: the detailed breakdown (the rows labeled "Checkpoint", "Transaction",
"Stream 集成", "Output 2PC") currently sum to 307 while the overview and "测试覆盖"
state 359; update either the per-section test counts or the overall totals so
they reconcile (make the sum of the four section test counts equal the reported
total tests and adjust the "总测试数" and "通过率" fields accordingly). Ensure you edit
the table rows "Checkpoint", "Transaction", "Stream 集成", "Output 2PC", the "总计"
row, and the "测试覆盖" block so all numbers consistently reflect the same total.

docker/Dockerfile-30-37 (1)

30-37: ⚠️ Potential issue | 🟡 Minor

OCI source metadata points at the wrong repository.

The workflow builds from arkflow-rs/arkflow, but this label advertises arkflow/arkflow. Registry UIs and provenance tooling will link users to the wrong source repo.

📝 Proposed fix

-      org.opencontainers.image.source="https://github.com/arkflow/arkflow" \
+      org.opencontainers.image.source="https://github.com/arkflow-rs/arkflow" \

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docker/Dockerfile` around lines 30 - 37, The org.opencontainers.image.source
label currently points to the wrong repository; update the LABEL value for
org.opencontainers.image.source in the Dockerfile to the correct repo used by
the build (change "https://github.com/arkflow/arkflow" to the actual source URL,
e.g., "https://github.com/arkflow-rs/arkflow"), ensuring the LABEL block that
defines
org.opencontainers.image.title/description/version/created/revision/source/licenses
is modified so only the source field is corrected.

crates/arkflow-core/tests/e2e_checkpoint_recovery_test.rs-29-105 (1)

29-105: ⚠️ Potential issue | 🟡 Minor

This test stops before the recovery half of the scenario.

After the simulated crash it only reloads checkpoint 1 and checks the stored counter. It never resumes processing from that checkpoint or verifies that messages 26..=40 are replayed exactly once, so the “no data loss” claim is not actually exercised.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/tests/e2e_checkpoint_recovery_test.rs` around lines 29 -
105, The test test_e2e_checkpoint_recovery_no_data_loss only loads checkpoint 1
but never resumes processing to verify messages 26..=40 are replayed once;
update the test to, after calling storage.load_checkpoint(1) and unwrapping
StateSnapshot, spawn a recovery task that reads
snapshot.sequence_counter/next_seq to resume processing from the correct next
sequence and replays messages 26..=40 (incrementing the same processed_count
AtomicUsize) while ensuring crashed is cleared/handled, then await completion
and assert processed_count == 40 and no duplicate processing occurred; reference
StateSnapshot, storage.load_checkpoint, processed_count, crashed,
sequence_counter/next_seq and the spawned tokio tasks to locate where to add the
resume-and-replay logic and final assertions.

🧹 Nitpick comments (5)

crates/arkflow-plugin/src/processor/filter.rs (1)

505-590: Add integration tests for the process() method to catch the slice bug.

The current tests only validate apply_filter() which returns correct indices. An integration test calling process() with non-contiguous matching rows (e.g., the test_evaluate_eq_string case with indices [0, 3]) would have caught the slice bug, as the output batch would incorrectly contain 4 rows instead of 2.

♻️ Suggested test addition

#[tokio::test]
async fn test_process_non_contiguous_indices() {
    let schema = Schema::new(vec![Field::new("name", DataType::Utf8, false)]);
    let array = StringArray::from(vec!["Alice", "Bob", "Charlie", "Alice"]);
    let record_batch = RecordBatch::try_new(Arc::new(schema), vec![Arc::new(array)]).unwrap();
    let batch = Arc::new(MessageBatch::new_arrow(record_batch));

    let config = FilterProcessorConfig {
        conditions: vec![FilterCondition {
            field: "name".to_string(),
            operator: FilterOperator::Eq,
            value: Some(serde_json::json!("Alice")),
        }],
        invert: false,
    };

    let processor = FilterProcessor::new(config).unwrap();
    let result = processor.process(batch).await.unwrap();
    
    match result {
        ProcessResult::Single(filtered) => {
            // Should only contain 2 rows (indices 0 and 3), not 4
            assert_eq!(filtered.num_rows(), 2);
        }
        _ => panic!("Expected Single result"),
    }
}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-plugin/src/processor/filter.rs` around lines 505 - 590, Add an
integration test that exercises FilterProcessor::process() (not just
apply_filter()) using a MessageBatch containing non-contiguous matching rows
(e.g., StringArray ["Alice","Bob","Charlie","Alice"] with FilterCondition {
field: "name", operator: FilterOperator::Eq, value: "Alice" }) to ensure
process() returns a ProcessResult::Single with filtered.num_rows() == 2; create
the RecordBatch, wrap it via MessageBatch::new_arrow, construct FilterProcessor
via FilterProcessor::new(config).unwrap(), call
processor.process(batch).await.unwrap(), and assert the output has the expected
row count to catch the slicing bug.

.github/workflows/rust.yml (3)

65-66: Install cargo-audit with --locked.

By default cargo install ignores the packaged Cargo.lock and can resolve newer transitive dependencies; Cargo documents --locked as the way to force the published lockfile for more reproducible installs. That is a better default for CI. (doc.rust-lang.org)

🔒 Suggested update

-    - name: Install cargo-audit
-      run: cargo install cargo-audit
+    - name: Install cargo-audit
+      run: cargo install --locked cargo-audit

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/rust.yml around lines 65 - 66, The CI step that installs
cargo-audit uses "cargo install cargo-audit" which ignores Cargo.lock; update
that step to run "cargo install --locked cargo-audit" so the install respects
the packaged lockfile for reproducible CI; locate the workflow job step with the
name "Install cargo-audit" and replace the run command accordingly.

---

20-24: Drop the unused protoc setup from CI.

These two jobs pay the apt-get cost and add another failure point, but the protobuf additions in Cargo.toml:35-38 are runtime crates, not codegen/build dependencies. If nothing else in this workflow invokes protoc, these steps can be removed.

♻️ Suggested cleanup

-    - name: Install Protobuf Compiler
-      run: sudo apt-get update && sudo apt-get install -y protobuf-compiler
-
-    - name: Set PROTOC Environment Variable
-      run: echo "PROTOC=$(which protoc)" >> $GITHUB_ENV

Also applies to: 78-82

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/rust.yml around lines 20 - 24, The workflow includes
unnecessary steps named "Install Protobuf Compiler" and "Set PROTOC Environment
Variable" that install protoc and set PROTOC, but the project only depends on
protobuf runtime crates (Cargo.toml lines ~35-38) and nothing invokes protoc
during CI; remove those two steps (and the duplicate occurrences at lines 78-82)
from .github/workflows/rust.yml to avoid extra apt-get installs and failure
points, ensuring no other job references PROTOC or protoc before deleting.

---

44-48: Make the quality gate explicitly workspace-wide.

Cargo documents that cargo fmt formats the current crate, and cargo doc defaults to the workspace’s default members or just the root crate unless --workspace is passed; Clippy supports the usual workspace options. With only Line 106 explicitly set to --workspace, these quality steps can silently cover fewer crates depending on the root manifest. (doc.rust-lang.org)

🧭 Suggested command updates

-    - name: Rustfmt check
-      run: cargo fmt -- --check
+    - name: Rustfmt check
+      run: cargo fmt --all -- --check

-    - name: Clippy check
-      run: cargo clippy --all-targets --all-features -- -D warnings
+    - name: Clippy check
+      run: cargo clippy --workspace --all-targets --all-features -- -D warnings

-    - name: Documentation check
-      run: cargo doc --no-deps --all-features
+    - name: Documentation check
+      run: cargo doc --workspace --no-deps --all-features

Also applies to: 50-51, 105-106

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/rust.yml around lines 44 - 48, The workflow's "Rustfmt
check" and "Clippy check" steps currently run per-crate and should be made
workspace-wide: update the "Rustfmt check" step (labelled Rustfmt check) to
invoke cargo fmt with the --workspace flag (e.g., cargo fmt --workspace --
--check) and update the "Clippy check" step (labelled Clippy check) to include
--workspace (e.g., cargo clippy --workspace --all-targets --all-features -- -D
warnings); apply the same --workspace change to any other quality steps that run
cargo (the other cargo fmt/clippy/doc occurrences referenced in the review) so
the checks run across the entire workspace.

crates/arkflow-core/tests/checkpoint_recovery_test.rs (1)

31-115: Prefer mockall for the test doubles here.

The handwritten MockInput / MockOutput implementations will drift as the traits keep evolving, which is exactly what the repo-wide test convention is trying to avoid. As per coding guidelines, **/tests/**/*.rs: Place integration tests in tests/ directories within crates; use mockall for mocking dependencies.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/tests/checkpoint_recovery_test.rs` around lines 31 - 115,
Replace the handwritten test doubles (MockInput, MockOutput, MockAck) with
mockall-based mocks so they automatically follow changes to the Input and Output
traits; create mock! implementations for the Input and Output traits and
implement required async methods (connect, read, close, get_position, seek for
Input; connect, write, close for Output) using mockall::predicate where needed,
and replace uses of MockAck with either a mock Ack or a simple concrete impl if
Ack is stable—update tests to construct and configure the mock expectations for
read/get_position/seek/write rather than relying on manual structs.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9b5c217f-7f7b-4708-afc4-29dc7b189edb

📥 Commits

Reviewing files that changed from the base of the PR and between 8f358be and fc8867a.

📒 Files selected for processing (35)

• .claude/rules/build/build.md
• .github/workflows/docker.yml
• .github/workflows/rust.yml
• EXACTLY_ONCE_IMPROVEMENTS.md
• FINAL_SUMMARY.md
• IMPLEMENTATION_SUMMARY.md
• ROADMAP.md
• SESSION_RECOVERY_IMPLEMENTATION.md
• SESSION_WORK_SUMMARY.md
• TESTING_SUMMARY.md
• TEST_COMPLETION_REPORT.md
• TEST_COVERAGE_REPORT.md
• TEST_IMPROVEMENT_SUMMARY.md
• crates/arkflow-core/src/checkpoint/committing_state.rs
• crates/arkflow-core/src/checkpoint/coordinator.rs
• crates/arkflow-core/src/checkpoint/events.rs
• crates/arkflow-core/src/checkpoint/mod.rs
• crates/arkflow-core/src/cli/mod.rs
• crates/arkflow-core/src/config.rs
• crates/arkflow-core/src/engine/mod.rs
• crates/arkflow-core/src/stream/mod.rs
• crates/arkflow-core/tests/checkpoint_recovery_test.rs
• crates/arkflow-core/tests/e2e_checkpoint_recovery_test.rs
• crates/arkflow-core/tests/exactly_once_integration_test.rs
• crates/arkflow-core/tests/performance_test.rs
• crates/arkflow-plugin/src/expr/mod.rs
• crates/arkflow-plugin/src/input/kafka.rs
• crates/arkflow-plugin/src/output/stdout.rs
• crates/arkflow-plugin/src/processor/filter.rs
• crates/arkflow-plugin/src/processor/mod.rs
• deny.toml
• docker/Dockerfile
• examples/e2e_exactly_once_test.yaml
• examples/exactly_once_quick_start.yaml
• examples/filter_processor_example.yaml

✅ Files skipped from review due to trivial changes (9)

• crates/arkflow-plugin/src/output/stdout.rs
• examples/filter_processor_example.yaml
• deny.toml
• TESTING_SUMMARY.md
• examples/e2e_exactly_once_test.yaml
• TEST_COMPLETION_REPORT.md
• ROADMAP.md
• TEST_COVERAGE_REPORT.md
• EXACTLY_ONCE_IMPROVEMENTS.md

🚧 Files skipped from review as they are similar to previous changes (4)

• crates/arkflow-plugin/src/expr/mod.rs
• crates/arkflow-core/src/engine/mod.rs
• crates/arkflow-core/src/checkpoint/mod.rs
• crates/arkflow-plugin/src/input/kafka.rs

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

update_subtask() is not idempotent and can overcount completion.

Duplicate TaskCheckpointCompleted events increment subtasks_checkpointed again, and operators_checkpointed can be incremented multiple times for one operator once threshold is reached.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Checkpoint state currently drops buffered payloads.

get_state_for_checkpoint() records only the count and explicitly discards the buffered messages, then restore_from_checkpoint() ignores buffer_state entirely. If the input has already advanced, recovery skips whatever was still queued in the buffer at checkpoint time.

Also applies to: 824-887

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/src/stream/mod.rs` around lines 797 - 807,
get_state_for_checkpoint() currently captures only message counts and discards
buffered payloads (snapshot.buffer_state with messages: None) and
restore_from_checkpoint() ignores buffer_state, causing queued messages at
checkpoint to be lost on recovery; change get_state_for_checkpoint() (which
calls buffer.get_buffered_messages()) to serialize and store the actual buffered
messages into snapshot.buffer_state.messages (or a safe, compact representation)
and update BufferState.buffer_type as needed, and change
restore_from_checkpoint() to detect snapshot.buffer_state on restore and
re-enqueue/replay those stored messages into the buffer (via the same buffer API
used at runtime) so that buffered payloads present at checkpoint are restored
and processed after recovery.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
file="$(fd -t f performance_test.rs . | head -n1)"

echo "Imports in $file"
rg -n '^use ' "$file"

echo
echo "Relevant symbol usages in $file"
rg -n '\b(LocalFileStorage|StateSnapshot|InputState|StateSerializer|HashMap)\b|CheckpointCoordinator::new\(config\)' "$file"

Repository: arkflow-rs/arkflow

Length of output: 1719

---

🏁 Script executed:

# Find and read CheckpointCoordinator definition to check return type of new()
rg -A 5 'impl.*CheckpointCoordinator' crates/ -t rs | head -40

Repository: arkflow-rs/arkflow

Length of output: 88

---

🏁 Script executed:

# Also check what's exported from the checkpoint module
fd checkpoint.rs -t f | head -5

Repository: arkflow-rs/arkflow

Length of output: 44

---

🏁 Script executed:

# Check the full imports/exports in checkpoint module
rg -n 'pub.*use|pub struct|pub enum' crates/arkflow-core/src/checkpoint --type rs | head -30

Repository: arkflow-rs/arkflow

Length of output: 88

---

🏁 Script executed:

# List files in checkpoint directory
find crates/arkflow-core/src -name "*checkpoint*" -type f

Repository: arkflow-rs/arkflow

Length of output: 44

---

🏁 Script executed:

# Search for CheckpointCoordinator::new implementation
rg 'impl.*CheckpointCoordinator' crates/arkflow-core/src --type-list | head -5

Repository: arkflow-rs/arkflow

Length of output: 451

---

🏁 Script executed:

# Simpler approach: find CheckpointCoordinator definition
rg 'impl CheckpointCoordinator' crates/arkflow-core/src -A 10

Repository: arkflow-rs/arkflow

Length of output: 1024

---

🏁 Script executed:

# Check what's actually exported from checkpoint module
rg 'pub (struct|enum|use)' crates/arkflow-core/src/checkpoint* -o

Repository: arkflow-rs/arkflow

Length of output: 1741

---

🏁 Script executed:

# Read the checkpoint mod.rs to see what's exported
cat crates/arkflow-core/src/checkpoint/mod.rs

Repository: arkflow-rs/arkflow

Length of output: 1642

---

🏁 Script executed:

# Check what CheckpointResult is
rg 'type CheckpointResult' crates/arkflow-core/src/

Repository: arkflow-rs/arkflow

Length of output: 152

---

🏁 Script executed:

# Verify where LocalFileStorage is defined
rg 'struct LocalFileStorage' crates/arkflow-core/src/

Repository: arkflow-rs/arkflow

Length of output: 137

---

🏁 Script executed:

# Check where InputState is defined
rg 'enum InputState' crates/arkflow-core/src/

Repository: arkflow-rs/arkflow

Length of output: 127

---

🏁 Script executed:

# Now let's look at the actual test file to understand the structure
head -50 crates/arkflow-core/tests/performance_test.rs

Repository: arkflow-rs/arkflow

Length of output: 1762

---

🏁 Script executed:

# Check if the nested module would get access to these types via use super::*
rg -A 2 'mod performance_tests' crates/arkflow-core/tests/performance_test.rs

Repository: arkflow-rs/arkflow

Length of output: 104

---

🏁 Script executed:

# Final verification: check if there's a use statement importing these later in the file
grep -n "use.*LocalFileStorage\|use.*StateSnapshot\|use.*InputState\|use.*StateSerializer\|use.*HashMap" crates/arkflow-core/tests/performance_test.rs

Repository: arkflow-rs/arkflow

Length of output: 44

---

🏁 Script executed:

# Also check the exact code around line 434 to confirm Arc construction
sed -n '430,440p' crates/arkflow-core/tests/performance_test.rs

Repository: arkflow-rs/arkflow

Length of output: 552

---

This test module does not compile as written.

Lines 9–11 import only CheckpointConfig, CheckpointCoordinator, CheckpointStorage, Arc, Duration, and Instant. The nested performance_tests module uses use super::*;, which brings only these into scope. However, the test code references LocalFileStorage, StateSnapshot, InputState, StateSerializer, and HashMap without importing them (lines 72, 75, 80, 85, 87, 210, 216, 221, 226, 228, 276, 294, 333, 336, 349, 354, 435, 439).

Additionally, line 434 wraps CheckpointCoordinator::new(config) directly in Arc. Since new() returns CheckpointResult<Self> (i.e., Result<CheckpointCoordinator, Error>), this produces Arc<Result<...>> instead of an Arc<CheckpointCoordinator> instance.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-core/tests/performance_test.rs` around lines 9 - 15, The test
module fails to compile because missing imports and an incorrect wrap of a
Result in Arc: add imports for LocalFileStorage, StateSnapshot, InputState,
StateSerializer and std::collections::HashMap into the test scope (so the nested
performance_tests sees them) and change the creation of the coordinator from
Arc::new(CheckpointCoordinator::new(config)) to unwrap or expect the Result
before wrapping (e.g., let coordinator =
Arc::new(CheckpointCoordinator::new(config).expect("failed to create
coordinator"));), referencing the symbols CheckpointCoordinator::new,
LocalFileStorage, StateSnapshot, InputState, StateSerializer, and HashMap.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Critical: slice() produces incorrect results for non-contiguous matching rows.

The slice(offset, length) method returns a contiguous range, but apply_filter can return non-contiguous indices. For example, if rows 0 and 3 match (indices = [0, 3]), the code computes slice(0, 4) which returns all 4 rows, including the non-matching rows 1 and 2.

Use Arrow's filter kernel with a boolean mask or take kernel with the indices array to correctly select only the matching rows.

🐛 Proposed fix using filter kernel

+use datafusion::arrow::compute::filter_record_batch;
+use datafusion::arrow::array::BooleanArray;

 #[async_trait]
 impl Processor for FilterProcessor {
     async fn process(&self, batch: MessageBatchRef) -> Result<ProcessResult, Error> {
         let batch_ref = batch.as_ref();
 
-        let indices = self.apply_filter(batch_ref)?;
+        let mask = self.compute_filter_mask(batch_ref)?;
 
-        if indices.is_empty() {
+        // Check if any rows match
+        let any_match = mask.iter().any(|v| v == Some(true));
+        if !any_match {
             // All rows filtered out
             return Ok(ProcessResult::None);
         }
 
-        // Filter the batch by collecting matching rows
-        let filtered_batch = batch_ref.slice(
-            indices[0],
-            (indices[indices.len() - 1] - indices[0] + 1) as usize,
-        );
+        let filtered_batch = filter_record_batch(batch_ref, &mask)
+            .map_err(|e| Error::Process(format!("Failed to filter batch: {}", e)))?;
 
         Ok(ProcessResult::Single(Arc::new(MessageBatch::new_arrow(
             filtered_batch,
         ))))
     }

This requires adding a compute_filter_mask method that returns the BooleanArray directly (similar to existing logic in apply_filter but returning the mask instead of indices).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/arkflow-plugin/src/processor/filter.rs` around lines 460 - 464, The
current use of batch_ref.slice(offset, length) in apply_filter produces
incorrect results for non-contiguous matches; replace this with an Arrow
selection that picks only the matching rows—either compute a BooleanArray mask
(implement a new compute_filter_mask that mirrors apply_filter's logic but
returns a BooleanArray) and call arrow::compute::filter_record_batch/filter with
that mask, or convert the indices Vec to an Int64Array and call
arrow::compute::take on the RecordBatch; update apply_filter to call
compute_filter_mask (or take) instead of batch_ref.slice so only the exact
matching rows are returned.