fix(writeback): service-side delete-storm breaker + boot staleness gate (#249) (#251)

* test(writeback): pin service-side delete-storm breaker contract (#249)

Failing tests first, per the in-run incident design (ratified in #249):
the 2026-06-06 storm destroyed 149+ canonical records via ~186 admitted
file_delete ops; the binary guard refuses false diffs client-side, this
breaker is the layer that survives future client bugs.

- write-time: DeleteFile refuses admissions beyond DeleteStormThreshold
  within DeleteStormWindow (ErrDeleteStormRejected, 429 at the API; the
  FS MUTATION is refused — the incident destroyed records even though
  every provider call failed)
- boot-time: the construction scan re-arms every pending/running op at
  every restart (a deploy is a restart); a rehydrated pending delete
  burst above threshold is quarantined (outside the boot allowlist,
  invisible to /writeback/pending, unreplayable) instead of re-armed
- disabled unless DeleteStormThreshold > 0; window latches while a
  storm is ongoing and clears when it goes quiet

API surface (options, sentinel, status, handler mapping) lands with
stub bodies so the red state is 4 meaningful test failures, not a build
failure.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(writeback): implement service-side delete-storm breaker (#249)

Sliding-window admission control in DeleteFile (per-workspace, latching)
plus boot-scan quarantine of rehydrated pending delete bursts, exactly as
pinned by the red commit. Quarantined ops are terminal by construction:
the boot allowlist (only pending/running re-enqueue) skips them,
GetPendingWritebacks filters them, and ReplayOperation refuses anything
not dead_lettered.

Open review question (flagged in-code): fork-commit deletes
(CommitFork → recordWriteLocked) do not share the window; the storm came
through the direct DeleteFile path. Decide in review whether to extend.

Closes #249 (service-side layer; binary-side guard tracked in the same
issue)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* test(writeback): pin boot staleness gate for stuck-running ops (#249)

The freeze closure surfaced op_20440: a stuck-running UPSERT of a draft
at a canonical message path — a chat.postMessage duplicate armed for the
next restart, a class the delete-scoped breaker misses. Generalized
criterion from the incident: any non-terminal op is armed, regardless of
verb. running-at-boot is definitionally abandoned (the executor died in
a previous process life); stale ones must quarantine instead of re-arm,
while fresh ones keep at-least-once crash semantics.

Red: StaleRunningOpThreshold option exists, gate not implemented.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(writeback): boot staleness gate quarantines stuck-running ops (#249)

Verb-agnostic: an op still 'running' at boot executed in a previous
process life — its executor is dead. Older than StaleRunningOpThreshold
= abandoned → quarantined (op_20440 class: a stuck-running upsert is an
armed chat.postMessage duplicate exactly like a stuck delete). Fresher
running ops keep at-least-once crash semantics and re-arm as before.
Unparseable UpdatedAt on a dead-process op is treated as stale rather
than re-armed blind. Disabled when unconfigured.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: kjgbot <kjgbot@agentrelay.dev>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: 3 people

internal/httpapi/server.go

@@ -1823,6 +1823,12 @@ func (s *Server) handleDeleteFile(w http.ResponseWriter, r *http.Request, worksp
 			writeError(w, http.StatusNotFound, "not_found", err.Error(), correlationID)
 		case relayfile.ErrMissingPrecondition:
 			writeError(w, http.StatusPreconditionFailed, "precondition_failed", err.Error(), correlationID)
+		case relayfile.ErrDeleteStormRejected:
+			// #249: deliberate breaker trip, not a server fault — 429 tells
+			// well-behaved clients to back off and makes storms visible in
+			// access logs as a distinct class.
+			w.Header().Set("Retry-After", "60")
+			writeError(w, http.StatusTooManyRequests, "delete_storm_rejected", err.Error(), correlationID)
 		default:
 			writeError(w, http.StatusInternalServerError, "internal_error", err.Error(), correlationID)
 		}

internal/relayfile/delete_storm.go

@@ -0,0 +1,145 @@
+package relayfile
+
+import (
+	"errors"
+	"time"
+)
+
+// Delete-storm breaker (issue #249, service-side layer).
+//
+// The 2026-06-06 incident: stale private mount state over a layout change made
+// a client push file_delete for every tracked record — the service admitted
+// ~186 canonical-record deletions from one mount correlation family within
+// minutes. The binary-side guard (#249 main body) refuses the false diff at
+// the client; this breaker is the layer that survives future client bugs: a
+// workspace's legitimate delete rate is near zero, so a burst is treated as
+// hostile until proven otherwise.
+//
+// Two protected surfaces, matching the incident's two arming paths:
+//   - WRITE TIME: DeleteFile refuses admissions beyond the threshold within
+//     the sliding window. The fs mutation itself is refused — the incident's
+//     actual harm was the fs damage (every provider call failed and the
+//     records were still destroyed).
+//   - BOOT TIME: the construction-time scan re-enqueues every pending/running
+//     op (a deploy is a restart). A rehydrated burst of pending file_delete
+//     ops above the threshold is flipped to "quarantined" instead:
+//     outside the boot allowlist, invisible to /writeback/pending, and not
+//     replayable (ReplayOperation requires dead_lettered).
+//
+// Disabled unless DeleteStormThreshold > 0 — enabling it (and sizing the
+// threshold) is a deployment decision.
+
+// ErrDeleteStormRejected is returned by DeleteFile when the workspace's
+// file_delete admission rate exceeds the configured threshold within the
+// configured window.
+var ErrDeleteStormRejected = errors.New("delete storm rejected: file_delete burst exceeds configured threshold")
+
+const defaultDeleteStormWindow = time.Minute
+
+// admitDeleteLocked records a file_delete admission attempt and reports
+// whether it may proceed. Caller must hold s.mu. Refused attempts are also
+// recorded so the breaker stays latched while a storm is ongoing; the window
+// must go quiet before deletes are admitted again.
+func (s *Store) admitDeleteLocked(workspaceID string, now time.Time) error {
+	if s.deleteStormThreshold <= 0 {
+		return nil
+	}
+	window := s.deleteStormWindow
+	if window <= 0 {
+		window = defaultDeleteStormWindow
+	}
+	cutoff := now.Add(-window)
+	admissions := s.deleteStormAdmissions[workspaceID]
+	kept := admissions[:0]
+	for _, ts := range admissions {
+		if ts.After(cutoff) {
+			kept = append(kept, ts)
+		}
+	}
+	if len(kept) >= s.deleteStormThreshold {
+		s.deleteStormAdmissions[workspaceID] = append(kept, now)
+		return ErrDeleteStormRejected
+	}
+	s.deleteStormAdmissions[workspaceID] = append(kept, now)
+	return nil
+}
+
+// quarantineBootDeleteStorms runs once at store construction, after state
+// load and before the boot re-enqueue scan. Workspaces holding more
+// pending/running file_delete ops than the threshold get that entire delete
+// set flipped to "quarantined": the boot allowlist then skips them, external
+// consumers never see them, and ReplayOperation refuses them. Releasing a
+// quarantined op is a deliberate operator action (ack it, or a future
+// explicit release API) — never automatic.
+// Two verb-asymmetric rules, matching the two armed classes the 2026-06-06
+// incident produced:
+//
+//   - DELETE STORMS: a rehydrated pending/running file_delete burst above
+//     DeleteStormThreshold is the storm signature at a different entry point.
+//   - STALE RUNNING (op_20440 class, verb-agnostic): any op still "running"
+//     at boot executed in a previous process life — its executor is dead.
+//     Ones older than StaleRunningOpThreshold are abandoned and quarantined;
+//     fresher ones keep the existing at-least-once crash semantics and
+//     re-arm as before. A stuck-running upsert is an armed provider
+//     duplicate exactly like a stuck delete.
+func (s *Store) quarantineBootDeleteStorms() {
+	if s.deleteStormThreshold <= 0 && s.staleRunningOpThreshold <= 0 {
+		return
+	}
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	now := time.Now().UTC()
+	changed := false
+	for _, ws := range s.workspaces {
+		quarantine := make([]string, 0)
+
+		if s.deleteStormThreshold > 0 {
+			stormOps := make([]string, 0)
+			for opID, op := range ws.Ops {
+				if (op.Status == "pending" || op.Status == "running") && op.Action == string(WritebackActionFileDelete) {
+					stormOps = append(stormOps, opID)
+				}
+			}
+			if len(stormOps) > s.deleteStormThreshold {
+				quarantine = append(quarantine, stormOps...)
+			}
+		}
+
+		if s.staleRunningOpThreshold > 0 {
+			for opID, op := range ws.Ops {
+				if op.Status != "running" {
+					continue
+				}
+				updatedAt, err := time.Parse(time.RFC3339Nano, op.UpdatedAt)
+				if err != nil {
+					// Unparseable age on an op from a dead process life:
+					// treat as stale rather than re-arm blind.
+					quarantine = append(quarantine, opID)
+					continue
+				}
+				if now.Sub(updatedAt) > s.staleRunningOpThreshold {
+					quarantine = append(quarantine, opID)
+				}
+			}
+		}
+
+		if len(quarantine) == 0 {
+			continue
+		}
+		nowTS := nowRFC3339NanoUTC()
+		for _, opID := range quarantine {
+			op := ws.Ops[opID]
+			if op.Status == "quarantined" {
+				continue
+			}
+			op.Status = "quarantined"
+			op.NextAttemptAt = nil
+			op.UpdatedAt = nowTS
+			ws.Ops[opID] = op
+		}
+		changed = true
+	}
+	if changed {
+		_ = s.saveLocked()
+	}
+}

internal/relayfile/delete_storm_test.go

@@ -0,0 +1,234 @@
+package relayfile
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+	"time"
+)
+
+// Issue #249 (service-side layer): the 2026-06-06 delete storm destroyed 149+
+// canonical records when stale private mount state met a layout change — the
+// service admitted ~186 file_delete ops from one mount correlation family in
+// minutes without blinking. The binary-side guard refuses false diffs at the
+// client; this breaker is the layer that survives future client bugs.
+//
+// Contract (from the in-issue design, ratified in-run):
+//   - Sliding-window burst detection at the write API (DeleteFile/BulkWrite)
+//     BEFORE recordWriteLocked: a workspace exceeding the configured number
+//     of file_delete admissions within the window gets ErrDeleteStormRejected
+//     — the fs mutation itself is refused (the incident's real harm was the
+//     fs damage; every provider call failed and records were still
+//     destroyed).
+//   - The breaker also covers BOOT RE-ENQUEUE (store.go boot scan re-arms
+//     every pending/running op at every restart — including deploys): a
+//     rehydrated burst of pending file_delete ops above the threshold is
+//     quarantined (status "quarantined": outside the boot allowlist, not
+//     replayable, not shown to external consumers) instead of re-enqueued.
+//   - Disabled unless DeleteStormThreshold > 0 — defaults are a deploy
+//     decision, not a library surprise.
+
+func newStormStore(t *testing.T, threshold int, window time.Duration) *Store {
+	t.Helper()
+	store := NewStoreWithOptions(StoreOptions{
+		ExternalWritebackMode: true,
+		DeleteStormThreshold:  threshold,
+		DeleteStormWindow:     window,
+	})
+	t.Cleanup(store.Close)
+	return store
+}
+
+func seedStormFiles(t *testing.T, store *Store, workspaceID string, count int) []string {
+	t.Helper()
+	paths := make([]string, 0, count)
+	for i := 0; i < count; i++ {
+		path := fmt.Sprintf("/slack/channels/C0STORM/messages/%d.json", i)
+		if _, err := store.WriteFile(WriteRequest{
+			WorkspaceID:   workspaceID,
+			Path:          path,
+			IfMatch:       "0",
+			ContentType:   "application/json",
+			Content:       `{"text":"x"}`,
+			CorrelationID: fmt.Sprintf("corr_seed_%d", i),
+		}); err != nil {
+			t.Fatalf("seed write %d failed: %v", i, err)
+		}
+		paths = append(paths, path)
+	}
+	return paths
+}
+
+func deleteStormPath(store *Store, workspaceID, path string, n int) error {
+	_, err := store.DeleteFile(DeleteRequest{
+		WorkspaceID:   workspaceID,
+		Path:          path,
+		IfMatch:       "*",
+		CorrelationID: fmt.Sprintf("mount_1780738999_storm_%d", n),
+	})
+	return err
+}
+
+func TestDeleteStormBreakerRefusesBurst(t *testing.T) {
+	store := newStormStore(t, 5, time.Minute)
+	paths := seedStormFiles(t, store, "ws_storm", 8)
+
+	for i := 0; i < 5; i++ {
+		if err := deleteStormPath(store, "ws_storm", paths[i], i); err != nil {
+			t.Fatalf("delete %d under threshold must succeed: %v", i, err)
+		}
+	}
+	err := deleteStormPath(store, "ws_storm", paths[5], 5)
+	if err != ErrDeleteStormRejected {
+		t.Fatalf("delete above threshold must trip the breaker, got %v", err)
+	}
+
+	// The refused delete must not have mutated the fs: the record survives.
+	if _, err := store.ReadFile("ws_storm", paths[5]); err != nil {
+		t.Fatalf("refused delete must leave the record intact: %v", err)
+	}
+	// And no operation/writeback may exist for it.
+	feed, err := store.ListOperations("ws_storm", "", string(WritebackActionFileDelete), "", "", 1000)
+	if err != nil {
+		t.Fatalf("list operations failed: %v", err)
+	}
+	for _, op := range feed.Items {
+		if op.Path == paths[5] {
+			t.Fatalf("refused delete must not create an operation, got %+v", op)
+		}
+	}
+}
+
+func TestDeleteStormBreakerHTTPErrorCode(t *testing.T) {
+	// The sentinel must be distinguishable so httpapi can map it (429-class)
+	// instead of a generic 500.
+	if ErrDeleteStormRejected == nil {
+		t.Fatalf("ErrDeleteStormRejected must be defined")
+	}
+	if !strings.Contains(ErrDeleteStormRejected.Error(), "delete storm") {
+		t.Fatalf("sentinel should self-describe, got %q", ErrDeleteStormRejected.Error())
+	}
+}
+
+func TestDeleteStormBreakerDisabledWhenUnconfigured(t *testing.T) {
+	store := NewStoreWithOptions(StoreOptions{ExternalWritebackMode: true})
+	t.Cleanup(store.Close)
+	paths := seedStormFiles(t, store, "ws_storm", 12)
+	for i, path := range paths {
+		if err := deleteStormPath(store, "ws_storm", path, i); err != nil {
+			t.Fatalf("breaker must be inert when threshold unset; delete %d failed: %v", i, err)
+		}
+	}
+}
+
+// Note for review: bulk deletes flow through fork commits (CommitFork →
+// recordWriteLocked with file.deleted), not BulkWrite. The storm came through
+// the direct DeleteFile path, which this breaker covers; whether fork-commit
+// deletes should share the window is an explicit open question in the PR.
+
+func TestDeleteStormBreakerWindowExpires(t *testing.T) {
+	store := newStormStore(t, 3, 50*time.Millisecond)
+	paths := seedStormFiles(t, store, "ws_storm", 7)
+
+	for i := 0; i < 3; i++ {
+		if err := deleteStormPath(store, "ws_storm", paths[i], i); err != nil {
+			t.Fatalf("delete %d failed: %v", i, err)
+		}
+	}
+	if err := deleteStormPath(store, "ws_storm", paths[3], 3); err != ErrDeleteStormRejected {
+		t.Fatalf("4th delete inside window must trip, got %v", err)
+	}
+	time.Sleep(80 * time.Millisecond)
+	if err := deleteStormPath(store, "ws_storm", paths[4], 4); err != nil {
+		t.Fatalf("delete after window expiry must succeed: %v", err)
+	}
+}
+
+func TestBootRequeueQuarantinesPendingDeleteStorm(t *testing.T) {
+	backend := NewInMemoryStateBackend()
+
+	// Phase 1: a store WITHOUT the breaker admits a storm of deletes whose
+	// ops stay pending (external mode, never acked) — the incident shape
+	// persisted to the state backend.
+	first := NewStoreWithOptions(StoreOptions{
+		ExternalWritebackMode: true,
+		StateBackend:          backend,
+	})
+	paths := seedStormFiles(t, first, "ws_storm", 10)
+	for i, path := range paths {
+		if err := deleteStormPath(first, "ws_storm", path, i); err != nil {
+			t.Fatalf("storm delete %d failed: %v", i, err)
+		}
+	}
+	first.Close()
+
+	// Phase 2: a new store (a deploy) boots over that state WITH the breaker
+	// configured. The boot scan must quarantine the pending delete burst
+	// instead of re-arming it into the queue.
+	second := NewStoreWithOptions(StoreOptions{
+		ExternalWritebackMode: true,
+		StateBackend:          backend,
+		DeleteStormThreshold:  5,
+		DeleteStormWindow:     time.Minute,
+	})
+	t.Cleanup(second.Close)
+
+	// The seed upserts legitimately re-arm (that's existing boot behavior);
+	// the breaker must remove exactly the DELETE burst from the armed set.
+	armedDeletes, err := second.ListOperations("ws_storm", "pending", string(WritebackActionFileDelete), "", "", 1000)
+	if err != nil {
+		t.Fatalf("list pending deletes failed: %v", err)
+	}
+	if len(armedDeletes.Items) != 0 {
+		t.Fatalf("boot must not re-arm a pending delete storm, got %d armed deletes", len(armedDeletes.Items))
+	}
+	feed, err := second.ListOperations("ws_storm", "quarantined", "", "", "", 1000)
+	if err != nil {
+		t.Fatalf("list quarantined failed: %v", err)
+	}
+	quarantinedDeletes := 0
+	for _, op := range feed.Items {
+		if op.Action == string(WritebackActionFileDelete) {
+			quarantinedDeletes++
+		}
+	}
+	if quarantinedDeletes != 10 {
+		t.Fatalf("expected all 10 storm deletes quarantined at boot, got %d", quarantinedDeletes)
+	}
+	// And none of the quarantined deletes may sit in the external queue.
+	for _, item := range second.GetPendingWritebacks("ws_storm") {
+		for _, op := range feed.Items {
+			if item["id"] == op.OpID {
+				t.Fatalf("quarantined op %s leaked into the pending queue", op.OpID)
+			}
+		}
+	}
+}
+
+func TestQuarantinedOpsAreNotReplayable(t *testing.T) {
+	backend := NewInMemoryStateBackend()
+	first := NewStoreWithOptions(StoreOptions{ExternalWritebackMode: true, StateBackend: backend})
+	paths := seedStormFiles(t, first, "ws_storm", 6)
+	for i, path := range paths {
+		if err := deleteStormPath(first, "ws_storm", path, i); err != nil {
+			t.Fatalf("storm delete %d failed: %v", i, err)
+		}
+	}
+	first.Close()
+
+	second := NewStoreWithOptions(StoreOptions{
+		ExternalWritebackMode: true,
+		StateBackend:          backend,
+		DeleteStormThreshold:  3,
+		DeleteStormWindow:     time.Minute,
+	})
+	t.Cleanup(second.Close)
+
+	feed, err := second.ListOperations("ws_storm", "quarantined", "", "", "", 10)
+	if err != nil || len(feed.Items) == 0 {
+		t.Fatalf("expected quarantined ops, err=%v items=%d", err, len(feed.Items))
+	}
+	if _, err := second.ReplayOperation("ws_storm", feed.Items[0].OpID, "corr_replay"); err != ErrInvalidState {
+		t.Fatalf("quarantined ops must not be replayable, got %v", err)
+	}
+}