fix(sqs): drain non-200 body, log close err, options struct

PR #721 round 1 review fixes:

1) Gemini medium — Body.Close error silently ignored

  defer func() { _ = resp.Body.Close() }() dropped any close
  error. A failed Close indicates a connection that the
  http.Transport will tear down rather than reuse — under load
  this can mask leaking connections / file descriptors. Logged
  via slog.Warn with the peer address so operators can grep the
  cluster log when triaging.

2) Claude minor — non-200 body not drained

  resp.Body.Close() without first draining the body prevents the
  http.Transport from reusing the underlying TCP connection. In a
  control-plane path (one CreateQueue call per gate check) this
  is acceptable, but if the gate ever fans out across many peers
  under load, the failed-peer branch would force connection
  teardown on every error response. Drain via
  io.Copy(io.Discard, io.LimitReader(resp.Body,
  sqsCapabilityMaxBodyBytes)) before the early return so the
  transport can reuse the connection.

3) Claude nit — per-peer cap not exercised independently

  TestPollSQSHTFIFOCapability_TimeoutFailsClosed used a 500ms
  parent ctx — the request actually timed out via the parent
  context, not the per-peer cap. The default 3s per-peer cap was
  never independently exercised by tests.

  Refactored signature to PollSQSHTFIFOCapability(ctx, peers,
  cfg PollerConfig). PollerConfig{HTTPClient, PerPeerTimeout} is
  the single options surface — zero values pick safe defaults.
  Renamed the existing test to
  TestPollSQSHTFIFOCapability_ParentContextDeadlineFailsClosed
  and added
  TestPollSQSHTFIFOCapability_PerPeerTimeoutFailsClosed which
  uses context.Background() and PerPeerTimeout=100ms to exercise
  the cap independently.

  PerPeerTimeout is also a sensible operator knob — different
  cluster latencies want different bounds. Caller-side: only
  *_test.go files use the function today; PR 5's CreateQueue gate
  will pick the appropriate timeout when it wires this up.

4) Claude minor — buildSQSHealthURL double-path edge case

  A caller passing a URL that already includes the health path
  (e.g. "http://node:5050/sqs_health") would receive a doubled
  path. Added an explicit test case to TestBuildSQSHealthURL
  documenting the behavior and the contract ("pass a base URL or
  host:port, never a full request URL"). A future refactor can
  intentionally change the contract; the test will catch it.

5) Audit per the lessons-learned discipline

  PollSQSHTFIFOCapability is exported but has no production
  callers yet — only the test file references it. grep confirmed
  the API change is safe.

Author: bootjp

adapter/sqs_capability_poller.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"io"
+	"log/slog"
 	"net/http"
 	"strings"
 	"sync"
@@ -63,13 +64,35 @@ type HTFIFOCapabilityPeerStatus struct {
 }
 
 // defaultSQSCapabilityPollTimeout caps how long the poller waits on
-// any single peer. The §8.5 design's "fail-closed default for
-// nodes that don't respond within a short timeout" turns into a
-// concrete bound here. Operators wanting a longer wait can pass
-// their own context with a deadline; the per-peer cap is enforced
-// in addition so a single slow peer cannot stall the whole poll.
+// any single peer when PollerConfig.PerPeerTimeout is zero. The
+// §8.5 design's "fail-closed default for nodes that don't respond
+// within a short timeout" turns into a concrete bound here.
+// Operators wanting a longer or shorter wait can override via
+// PollerConfig; the cap is enforced in addition to any
+// caller-supplied context deadline so a single slow peer cannot
+// stall the whole poll.
 const defaultSQSCapabilityPollTimeout = 3 * time.Second
 
+// PollerConfig tunes PollSQSHTFIFOCapability for a specific call
+// site. All fields are optional — the zero value picks safe
+// defaults. Tests use the explicit PerPeerTimeout to exercise the
+// per-peer cap independently of any caller-supplied context
+// deadline.
+type PollerConfig struct {
+	// HTTPClient is the client used for /sqs_health GETs. Nil
+	// falls back to http.DefaultClient. Callers wanting connection
+	// pooling, custom Transport, or shorter Client.Timeout pass
+	// their own.
+	HTTPClient *http.Client
+
+	// PerPeerTimeout caps how long any single peer's poll runs
+	// before being abandoned. Zero defaults to
+	// defaultSQSCapabilityPollTimeout (3s). Tests pass a small
+	// value (e.g. 100ms) so the per-peer cap path can be
+	// exercised quickly without a parent context deadline.
+	PerPeerTimeout time.Duration
+}
+
 // PollSQSHTFIFOCapability polls each peer's /sqs_health endpoint
 // concurrently and reports whether all advertise htfifo. The
 // helper is stateless — every call dials its peers fresh, so a
@@ -90,13 +113,19 @@ const defaultSQSCapabilityPollTimeout = 3 * time.Second
 // Concurrency: peers are polled in goroutines; results land via
 // an indexed channel so the slice writes are obviously race-free.
 //
-// Timeouts: each peer poll is bounded by min(ctx.Deadline(),
-// defaultSQSCapabilityPollTimeout). A long ctx deadline does not
-// extend the per-peer cap.
-func PollSQSHTFIFOCapability(ctx context.Context, client *http.Client, peers []string) *HTFIFOCapabilityReport {
+// Timeouts: each peer poll is bounded by
+// min(ctx.Deadline(), now+cfg.PerPeerTimeout). A long ctx deadline
+// does not extend the per-peer cap, and an absent ctx deadline
+// still triggers fail-closed at the per-peer cap.
+func PollSQSHTFIFOCapability(ctx context.Context, peers []string, cfg PollerConfig) *HTFIFOCapabilityReport {
+	client := cfg.HTTPClient
 	if client == nil {
 		client = http.DefaultClient
 	}
+	perPeerTimeout := cfg.PerPeerTimeout
+	if perPeerTimeout <= 0 {
+		perPeerTimeout = defaultSQSCapabilityPollTimeout
+	}
 	report := &HTFIFOCapabilityReport{
 		Peers: make([]HTFIFOCapabilityPeerStatus, len(peers)),
 	}
@@ -119,7 +148,7 @@ func PollSQSHTFIFOCapability(ctx context.Context, client *http.Client, peers []s
 			defer wg.Done()
 			results <- indexedStatus{
 				idx:    idx,
-				status: pollOneSQSPeerForHTFIFO(ctx, client, addr),
+				status: pollOneSQSPeerForHTFIFO(ctx, client, addr, perPeerTimeout),
 			}
 		}(i, peer)
 	}
@@ -142,15 +171,15 @@ func PollSQSHTFIFOCapability(ctx context.Context, client *http.Client, peers []s
 // returned struct's Error field — this function never returns a
 // Go error itself so the caller can map peers to results in one
 // pass without checking len(errors).
-func pollOneSQSPeerForHTFIFO(ctx context.Context, client *http.Client, peer string) HTFIFOCapabilityPeerStatus {
+func pollOneSQSPeerForHTFIFO(ctx context.Context, client *http.Client, peer string, perPeerTimeout time.Duration) HTFIFOCapabilityPeerStatus {
 	status := HTFIFOCapabilityPeerStatus{Address: peer}
 
 	if peer == "" {
 		status.Error = "empty peer address"
 		return status
 	}
 
-	pollCtx, cancel := context.WithTimeout(ctx, defaultSQSCapabilityPollTimeout)
+	pollCtx, cancel := context.WithTimeout(ctx, perPeerTimeout)
 	defer cancel()
 
 	url := buildSQSHealthURL(peer)
@@ -166,9 +195,24 @@ func pollOneSQSPeerForHTFIFO(ctx context.Context, client *http.Client, peer stri
 		status.Error = errors.Wrapf(err, "GET %q", url).Error()
 		return status
 	}
-	defer func() { _ = resp.Body.Close() }()
+	// Close the body via a deferred closure so a non-nil close
+	// error surfaces in the cluster logs rather than being
+	// dropped — masking it could hide leaking connections under
+	// load (gemini medium on PR #721). Body is also drained on
+	// every early return below so the http.Transport can reuse
+	// the underlying TCP connection (claude minor on PR #721).
+	defer func() {
+		if cerr := resp.Body.Close(); cerr != nil {
+			slog.Warn("sqs capability poller: response body close failed",
+				"peer", peer, "err", cerr)
+		}
+	}()
 
 	if resp.StatusCode != http.StatusOK {
+		// Drain the body before returning so the transport can
+		// reuse the connection. Non-200 bodies under our 1 KiB
+		// LimitReader are tiny, so the discard cost is negligible.
+		_, _ = io.Copy(io.Discard, io.LimitReader(resp.Body, sqsCapabilityMaxBodyBytes))
 		status.Error = fmt.Sprintf("%s returned HTTP %d", url, resp.StatusCode)
 		return status
 	}

adapter/sqs_capability_poller_test.go

@@ -46,7 +46,7 @@ func TestPollSQSHTFIFOCapability_AllAdvertise(t *testing.T) {
 	_, addr1 := newSQSHealthServer(t, sqsHealthBody{Status: "ok", Capabilities: []string{sqsCapabilityHTFIFO}})
 	_, addr2 := newSQSHealthServer(t, sqsHealthBody{Status: "ok", Capabilities: []string{sqsCapabilityHTFIFO}})
 
-	report := PollSQSHTFIFOCapability(context.Background(), nil, []string{addr1, addr2})
+	report := PollSQSHTFIFOCapability(context.Background(), []string{addr1, addr2}, PollerConfig{})
 	require.True(t, report.AllAdvertise,
 		"all peers advertise → AllAdvertise must be true")
 	require.Len(t, report.Peers, 2)
@@ -66,7 +66,7 @@ func TestPollSQSHTFIFOCapability_OneMissingFailsClosed(t *testing.T) {
 	_, addrGood := newSQSHealthServer(t, sqsHealthBody{Status: "ok", Capabilities: []string{sqsCapabilityHTFIFO}})
 	_, addrOld := newSQSHealthServer(t, sqsHealthBody{Status: "ok", Capabilities: []string{}})
 
-	report := PollSQSHTFIFOCapability(context.Background(), nil, []string{addrGood, addrOld})
+	report := PollSQSHTFIFOCapability(context.Background(), []string{addrGood, addrOld}, PollerConfig{})
 	require.False(t, report.AllAdvertise,
 		"one peer without the capability must drop AllAdvertise")
 	require.Len(t, report.Peers, 2)
@@ -105,8 +105,8 @@ func TestPollSQSHTFIFOCapability_HTTPErrorFailsClosed(t *testing.T) {
 	t.Cleanup(garbageSrv.Close)
 	addrGarbage := strings.TrimPrefix(garbageSrv.URL, "http://")
 
-	report := PollSQSHTFIFOCapability(context.Background(), nil,
-		[]string{addr500, addrUnreachable, addrGarbage})
+	report := PollSQSHTFIFOCapability(context.Background(),
+		[]string{addr500, addrUnreachable, addrGarbage}, PollerConfig{})
 
 	require.False(t, report.AllAdvertise,
 		"any transport / parse failure must fail closed")
@@ -121,15 +121,13 @@ func TestPollSQSHTFIFOCapability_HTTPErrorFailsClosed(t *testing.T) {
 	require.Contains(t, report.Peers[2].Error, "malformed JSON")
 }
 
-// TestPollSQSHTFIFOCapability_TimeoutFailsClosed pins the
-// "fail-closed default for nodes that don't respond within a short
-// timeout" rule from §8.5: a peer that hangs past the per-peer
-// timeout must drop AllAdvertise without holding up the entire
-// poll for longer than that bound.
-func TestPollSQSHTFIFOCapability_TimeoutFailsClosed(t *testing.T) {
+// TestPollSQSHTFIFOCapability_ParentContextDeadlineFailsClosed
+// pins that an expiring parent ctx cancels the request — the
+// poll respects whichever bound (parent ctx or per-peer cap)
+// fires first.
+func TestPollSQSHTFIFOCapability_ParentContextDeadlineFailsClosed(t *testing.T) {
 	t.Parallel()
 
-	// Peer that delays past the test's timeout.
 	hangSrv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		select {
 		case <-r.Context().Done():
@@ -141,20 +139,52 @@ func TestPollSQSHTFIFOCapability_TimeoutFailsClosed(t *testing.T) {
 	t.Cleanup(hangSrv.Close)
 	addrHang := strings.TrimPrefix(hangSrv.URL, "http://")
 
-	// Use a context with a short bound to force the per-peer
-	// timeout path quickly. The test should finish in well under
-	// the 5s the server would have waited.
+	// Parent ctx expires before the per-peer cap (default 3s).
 	ctx, cancel := context.WithTimeout(context.Background(), 500*time.Millisecond)
 	defer cancel()
 
 	start := time.Now()
-	report := PollSQSHTFIFOCapability(ctx, nil, []string{addrHang})
+	report := PollSQSHTFIFOCapability(ctx, []string{addrHang}, PollerConfig{})
 	elapsed := time.Since(start)
 
 	require.False(t, report.AllAdvertise)
 	require.Less(t, elapsed, 4*time.Second,
-		"poll must respect the per-peer timeout — a hung peer must "+
-			"not stall for the full server-side delay")
+		"poll must respect the parent ctx deadline")
+	require.NotEmpty(t, report.Peers[0].Error)
+}
+
+// TestPollSQSHTFIFOCapability_PerPeerTimeoutFailsClosed pins the
+// per-peer cap independently of any parent ctx deadline. With
+// context.Background() (no deadline) and PollerConfig.PerPeerTimeout
+// set short, the poll MUST still abandon a hung peer at the cap —
+// otherwise a missing parent deadline would let a single slow peer
+// stall a CreateQueue gate indefinitely (claude nit on PR #721
+// round 1).
+func TestPollSQSHTFIFOCapability_PerPeerTimeoutFailsClosed(t *testing.T) {
+	t.Parallel()
+
+	hangSrv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		select {
+		case <-r.Context().Done():
+			return
+		case <-time.After(5 * time.Second):
+			w.WriteHeader(http.StatusOK)
+		}
+	}))
+	t.Cleanup(hangSrv.Close)
+	addrHang := strings.TrimPrefix(hangSrv.URL, "http://")
+
+	// No parent deadline; per-peer cap is the only bound.
+	start := time.Now()
+	report := PollSQSHTFIFOCapability(context.Background(), []string{addrHang},
+		PollerConfig{PerPeerTimeout: 100 * time.Millisecond})
+	elapsed := time.Since(start)
+
+	require.False(t, report.AllAdvertise)
+	require.Less(t, elapsed, 2*time.Second,
+		"poll must respect the per-peer cap when there is no "+
+			"parent ctx deadline — a missing deadline must NOT let "+
+			"a hung peer stall the CreateQueue gate")
 	require.NotEmpty(t, report.Peers[0].Error)
 }
 
@@ -165,7 +195,7 @@ func TestPollSQSHTFIFOCapability_TimeoutFailsClosed(t *testing.T) {
 // report.
 func TestPollSQSHTFIFOCapability_EmptyPeersIsVacuouslyTrue(t *testing.T) {
 	t.Parallel()
-	report := PollSQSHTFIFOCapability(context.Background(), nil, nil)
+	report := PollSQSHTFIFOCapability(context.Background(), nil, PollerConfig{})
 	require.True(t, report.AllAdvertise)
 	require.Empty(t, report.Peers)
 }
@@ -176,7 +206,7 @@ func TestPollSQSHTFIFOCapability_EmptyPeersIsVacuouslyTrue(t *testing.T) {
 // a malformed URL and a confusing transport error.
 func TestPollSQSHTFIFOCapability_EmptyPeerAddressFailsClosed(t *testing.T) {
 	t.Parallel()
-	report := PollSQSHTFIFOCapability(context.Background(), nil, []string{""})
+	report := PollSQSHTFIFOCapability(context.Background(), []string{""}, PollerConfig{})
 	require.False(t, report.AllAdvertise)
 	require.Len(t, report.Peers, 1)
 	require.Equal(t, "empty peer address", report.Peers[0].Error)
@@ -191,7 +221,7 @@ func TestPollSQSHTFIFOCapability_FullURLPeer(t *testing.T) {
 	srv, _ := newSQSHealthServer(t, sqsHealthBody{
 		Status: "ok", Capabilities: []string{sqsCapabilityHTFIFO},
 	})
-	report := PollSQSHTFIFOCapability(context.Background(), nil, []string{srv.URL})
+	report := PollSQSHTFIFOCapability(context.Background(), []string{srv.URL}, PollerConfig{})
 	require.True(t, report.AllAdvertise)
 	require.True(t, report.Peers[0].HasHTFIFO)
 }
@@ -225,7 +255,7 @@ func TestPollSQSHTFIFOCapability_ConcurrentPolling(t *testing.T) {
 	}
 
 	start := time.Now()
-	report := PollSQSHTFIFOCapability(context.Background(), nil, peers)
+	report := PollSQSHTFIFOCapability(context.Background(), peers, PollerConfig{})
 	elapsed := time.Since(start)
 
 	require.True(t, report.AllAdvertise)
@@ -252,6 +282,18 @@ func TestBuildSQSHealthURL(t *testing.T) {
 		{"http://node.example:5050", "http://node.example:5050" + sqsHealthPath},
 		{"http://node.example:5050/", "http://node.example:5050" + sqsHealthPath},
 		{"https://node.example", "https://node.example" + sqsHealthPath},
+		// Caller passing a URL that ALREADY includes the health
+		// path: documented behaviour is that the helper appends
+		// the path again (claude minor on PR #721 round 1). The
+		// contract is "pass a base URL or a host:port, never a
+		// full request URL". This case pins the behaviour so a
+		// future refactor can either keep it (and reject misuse
+		// via CreateQueue input validation) or change the
+		// contract intentionally.
+		{
+			"http://node.example:5050" + sqsHealthPath,
+			"http://node.example:5050" + sqsHealthPath + sqsHealthPath,
+		},
 	}
 	for _, tc := range cases {
 		t.Run(tc.peer, func(t *testing.T) {
@@ -282,7 +324,7 @@ func TestPollSQSHTFIFOCapability_RespectsBodyLimit(t *testing.T) {
 	t.Cleanup(bigSrv.Close)
 	addr := strings.TrimPrefix(bigSrv.URL, "http://")
 
-	report := PollSQSHTFIFOCapability(context.Background(), nil, []string{addr})
+	report := PollSQSHTFIFOCapability(context.Background(), []string{addr}, PollerConfig{})
 	require.False(t, report.AllAdvertise)
 	require.Contains(t, report.Peers[0].Error, "malformed JSON",
 		"truncated body must surface as JSON parse error, not as "+