feat(sqs): leadership-refusal hook + flag flip (Phase 3.D PR 4-B-3b)

[bootjp]

Summary

Phase 3.D PR 4-B-3b — closes the routing+leadership-refusal pair the §11 PR 4 contract requires before a binary is "marked htfifo-eligible". With this PR landed, every node's /sqs_health advertises htfifo and the §8 downgrade-protection safeguard is in place. PR 5 (next) lifts the PartitionCount > 1 dormancy gate and wires PollSQSHTFIFOCapability (#721) into the CreateQueue gate in the same commit.

What's added

raftengine: leader-acquired observer (mirror of leader-loss)

• raftengine.Admin gains RegisterLeaderAcquiredCallback. Same contract as RegisterLeaderLossCallback (non-blocking, panic-contained, sentinel-pointer deregister) but fires on the previous!=Leader → status==Leader edge in refreshStatus.
• The etcd backend's slot-management is now shared between leader-loss and leader-acquired via registerLeaderCallback + gatherLeaderCallbacks helpers — this satisfies the dupl lint check and keeps both paths consistent in one place.
• 7 observer tests mirror the existing leader-loss tests: panic-containment, empty-list safety, deregister removal, idempotence, nil-fn safe, nil-receiver safe, identical-fn disambiguation.

main: SQS leadership-refusal hook

• main_sqs_leadership_refusal.go:
  • installSQSLeadershipRefusal(ctx, admin, gid, partitionedGroups, advertisesHTFIFO, logger) func() — startup check + per-acquisition observer.
  • installSQSLeadershipRefusalAcrossGroups(...) — composite installer iterating every shard runtime.
  • partitionedGroupSet(partitionMap, logger) — flattens --sqsFifoPartitionMap into the {gid → bool} set the hook consumes.
  • sqsAdvertisesHTFIFO() — wraps adapter.AdvertisesHTFIFO().
• run() installs the composite refusal across runtimes after the coordinator is built; deregister flows through cleanup.
• TransferLeadership runs in a goroutine because the leader-acquired callback contract is non-blocking — a synchronous admin RPC inside the callback would stall refreshStatus.
• 11 helper tests cover the contract: htfifo no-op, no-partitioned-queue no-op, startup-already-leader refuses, startup-follower waits, per-acquisition fires, deregister propagates, transfer-error logged, nil-admin safe, partitionedGroupSet flatten / empty-input / malformed-ref-skip.

adapter: AdvertisesHTFIFO + flag flip

• adapter.AdvertisesHTFIFO() exposes the package-private flag.
• htfifoCapabilityAdvertised = false → true. Both the routing wiring (PR 4-B-2 feat(sqs): partition resolver for HT-FIFO routing (Phase 3.D PR 4-B-2) #715) and the leadership-refusal hook (this PR) are now in the binary, so the design's "marked htfifo-eligible" bar is met.

What's still gated

PR 5 lifts the PartitionCount > 1 dormancy gate AND wires PollSQSHTFIFOCapability (#721) into the CreateQueue gate in the same commit. Until PR 5 lands, no partitioned queue can land in production — the leadership-refusal hook is dormant in the happy-path runtime (every binary past this PR advertises htfifo, and the per-group early return keeps the hook out of the hot path).

Test plan

• go test -race ./internal/raftengine/etcd/ — 7 new + existing tests pass.
• go test -race ./kv/ — existing 30+ tests pass (verified the tests that previously failed due to the misplaced interface method now pass).
• go test -race ./adapter/ + go test -race . — all pass.
• golangci-lint ./kv/... ./adapter/... ./internal/raftengine/... . — clean.

Self-review (per CLAUDE.md)

1. Data loss — control-plane only; no FSM/Pebble/retention path. The hook calls TransferLeadership which is itself an admin action with the same data-loss profile as a graceful manual transfer. No issue.
2. Concurrency / distributed failures — leader-acquired callback contract mirrors leader-loss (non-blocking, panic-contained, sentinel-pointer deregister). refuse() offloads TransferLeadership to a goroutine so refreshStatus stays non-blocking. Multiple goroutines firing for the same group serialize on raft's admin channel; worst case is one redundant transfer attempt, which is idempotent on the raft side. No issue.
3. Performance — leader-acquired callbacks fire only on the transition edge (rare event); no per-request hot path cost. The early return on advertisesHTFIFO=true means production-binary hosts pay zero overhead. No issue.
4. Data consistency — the hook protects against the §8 downgrade scenario: a node rolled back to a pre-htfifo binary that still gets elected leader of a partitioned-queue shard would otherwise read/write under the legacy keyspace and silently corrupt the queue. The hook steps it down via TransferLeadership before any client request lands. No issue.
5. Test coverage — 7 raftengine observer tests + 11 main-side helper tests (18 new). Existing kv lease tests confirm the misplaced-interface bug from first draft was caught and fixed.

Summary by CodeRabbit

• New Features

  • SQS health endpoint now advertises HT-FIFO capability status for client detection.
  • Raft administration introduces leader-acquired callbacks, enabling systems to respond immediately to leadership acquisition events.
  • SQS FIFO queue groups now automatically refuse and transfer leadership when HT-FIFO capability is unavailable.

• Tests

  • Added comprehensive test coverage for leader-acquired callback registration, deregistration, panic isolation, and SQS leadership refusal logic.

[bootjp]

@claude review

Phase 3.D PR 4-B-3b — leadership-refusal hook (raftengine leader-acquired observer + main-side helper) and htfifoCapabilityAdvertised flag flip. Closes the §11 PR 4 routing+leadership-refusal pair so the binary is now "marked htfifo-eligible". PR 5 lifts the dormancy gate next.

[claude]

Claude finished @bootjp's task in 3m 33s —— View job

---

Review: Phase 3.D PR 4-B-3b — Leadership-Refusal Hook + Flag Flip

• Gather context
• Read changed files
• Review internal/raftengine/engine.go — leader-acquired interface
• Review internal/raftengine/etcd/engine.go — implementation + dedup helpers
• Review internal/raftengine/etcd/leader_acquired_callback_test.go — observer tests
• Review main_sqs_leadership_refusal.go — hook logic
• Review main_sqs_leadership_refusal_test.go — hook tests
• Review adapter/sqs.go — flag flip + AdvertisesHTFIFO
• Review main.go — wiring
• Post final review

---

Finding 1 — Bug: invokeLeaderAcquiredCallback missing structured log fields and stack trace

internal/raftengine/etcd/engine.go:1088-1096

func (e *Engine) invokeLeaderAcquiredCallback(fn func()) {
    defer func() {
        if r := recover(); r != nil {
            slog.Error("etcd raft engine: leader-acquired callback panic",
                "recover", r)   // ← missing node_id, raft_node_id, stack
        }
    }()
    fn()
}

Its counterpart invokeLeaderLossCallback (lines 1098–1122) logs four structured fields: node_id, raft_node_id, panic, and debug.Stack(). The acquired variant logs only the recovered value. In production — where the leadership-refusal callback itself panics — an operator has no node identity or stack to diagnose the problem. This should mirror the leader-loss pattern exactly.

Fix this →

---

Finding 2 — Minor: TOCTOU window in installSQSLeadershipRefusal startup check

main_sqs_leadership_refusal.go:97-103

if admin.State() == raftengine.StateLeader {
    refuse()
}
return admin.RegisterLeaderAcquiredCallback(refuse)

There is a narrow window between the admin.State() read and RegisterLeaderAcquiredCallback completing. If the node wins a Raft election in that window, refreshStatus calls fireLeaderAcquiredCallbacks before refuse is registered — the hook misses that acquisition. The node stays as leader of a partitioned-queue group indefinitely until a re-election occurs (e.g. network partition, transfer triggered by something else). Probability is extremely low (microsecond window), but this is a safety-enforcement hook so the gap is worth a comment.

The simplest mitigation is a second State() check after registration and an immediate refuse() call if the node turned leader in the interim. Alternatively, a comment explicitly acknowledging the invariant and why it is acceptable would be sufficient.

---

Finding 3 — Observation: installSQSLeadershipRefusalAcrossGroups nil/skip branches not covered

main_sqs_leadership_refusal.go:173-190

The nil-engine check (rt == nil || rt.engine == nil) and the interface-assertion-miss log path ("engine does not implement leader-acquired observer") are meaningful defensive branches with no direct test. The installSQSLeadershipRefusal path IS tested exhaustively; it's only the iterator's guard clauses that lack coverage. Not blocking, but worth a table-driven test against a nil-runtime or a stub engine that fails the type assertion.

---

Architecture / design passes (per CLAUDE.md)

Data loss — control-plane only; TransferLeadership has the same data-loss profile as a graceful manual transfer. No concern.

Concurrency / distributed failures — The shared registerLeaderCallback/gatherLeaderCallbacks helper correctly snapshots the callback list under a lock before firing, so a registration or deregistration concurrent with a fire event cannot cause a torn-read of in-flight callback state. The once.Do wrapper on deregister makes repeated calls safe. The goroutine in refuse() correctly offloads TransferLeadership so refreshStatus is never stalled. Cleanup ordering is correct (LIFO, deregister added last → runs first, before engine close).

Performance — callback fires only on the previous!=Leader → status==Leader edge (rare). The advertisesHTFIFO=true early return is in the hot call sites, so post-PR-4-B-3b production binaries pay exactly zero overhead.

Data consistency — the §8 downgrade-protection invariant is correctly closed: a rolled-back binary lacking the htfifo data plane can never hold leadership of a partitioned-queue shard, because either (a) it is already leader at install time → refuse() fires immediately, or (b) it wins a future election → RegisterLeaderAcquiredCallback fires refuse(). Finding 2 identifies a narrow TOCTOU window in case (a)→(b) boundary.

Test coverage — 7 raftengine observer tests mirror every leader-loss contract; 11 main-side tests cover all significant branches. The awaitTransferCalls polling loop (1 s deadline, 5 ms tick) is generous and race-free. The only gaps are Finding 1 (untestable at unit level, but the log difference is a maintenance concern) and Finding 3.

---

Positive notes

• The registerLeaderCallback/gatherLeaderCallbacks abstraction is a clean solution to the dupl lint constraint — sharing slot management between leader-loss and leader-acquired keeps the two paths symmetric with one code path to audit.
• Sentinel-pointer deregister correctly disambiguates identical fn values and the leaderCallbackSlot{} zero-clear on removal prevents GC pinning of the removed coordinator.
• htfifoCapabilityAdvertised = true as a const with the justification comment in adapter/sqs.go is the right call; a var would invite accidental mutation.
• Shutdown LIFO ordering for leadershipRefusalDeregister (runs before rt.Close()) is correct.

Summary: One clear fix needed (Finding 1 — missing log fields in panic recovery). Finding 2 is a minor robustness gap worth at least a comment. Everything else is solid.

[coderabbitai]

Warning

Rate limit exceeded

@bootjp has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 49 minutes and 2 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e2c5347b-5683-47fd-8496-2cacc43b8abd

📥 Commits

Reviewing files that changed from the base of the PR and between fe99a43 and 634fbcf.

📒 Files selected for processing (3)

• internal/raftengine/etcd/engine.go
• main_sqs_leadership_refusal.go
• main_sqs_leadership_refusal_test.go

📝 Walkthrough

Walkthrough

The PR enables HT-FIFO capability advertisement in SQS and adds a leader-acquired callback mechanism to the Raft engine. A new SQS leadership-refusal module uses this callback to prevent non-HT-FIFO nodes from leading partitioned FIFO queue groups.

Changes

Cohort / File(s)	Summary
SQS Capability Advertisement adapter/sqs.go	Enables htfifo capability advertisement by flipping htfifoCapabilityAdvertised to true and exports AdvertisesHTFIFO() accessor function for external consumption.
Raft Engine Leader-Acquired Callback API internal/raftengine/engine.go, internal/raftengine/etcd/engine.go	Adds public RegisterLeaderAcquiredCallback method to the Admin interface and implements callback registration, storage, and synchronous firing within refreshStatus on leader-acquire state edge. Refactors callback logic into shared helpers (leaderCallbackSlot, registerLeaderCallback, gatherLeaderCallbacks) with panic containment via invokeLeaderAcquiredCallback.
Raft Engine Callback Tests internal/raftengine/etcd/leader_acquired_callback_test.go	Tests leader-acquired callback behavior including panic containment, deregistration idempotency, nil-safe handling, and callback disambiguation when identical functions are registered multiple times.
SQS Leadership Refusal Integration main.go, main_sqs_leadership_refusal.go, main_sqs_leadership_refusal_test.go	Installs per-group leadership-refusal hook for non-HT-FIFO nodes hosting partitioned FIFO queues. Controller either steps down immediately if already leader or registers acquired-callback to refuse on future transition. Tests validate immediate/deferred refusal, callback firing, and safe nil-controller handling.

Sequence Diagram

sequenceDiagram
    participant Node as Raft Node
    participant Eng as Raft Engine
    participant SQS as Leadership<br/>Refusal
    participant Coord as Coordinator

    Coordinator->>Node: Start node (not HT-FIFO)
    Node->>Eng: RegisterLeaderAcquiredCallback(refusalFn)
    activate Eng
    Eng-->>SQS: (deregister)
    deactivate Eng
    
    alt Starts as Leader
        Eng->>Eng: Leader state detected
        Eng->>SQS: Invoke refusal callback
        activate SQS
        SQS->>Coord: TransferLeadership()
        Coord-->>SQS: Leadership transferred
        deactivate SQS
    else Starts as Follower
        Node->>Node: Follower state
        Note over Node: Waiting for<br/>leader acquisition...
    end
    
    alt Later Acquires Leadership
        Eng->>Eng: State transition to Leader
        Eng->>SQS: Fire registered callback
        activate SQS
        SQS->>Coord: TransferLeadership()
        Coord-->>SQS: Leadership transferred
        deactivate SQS
    end

Loading

Estimated Code Review Effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly Related PRs

• fix(raft): unblock leadership transfer under background proposal load  #532: Modifies internal/raftengine/etcd/engine.go in overlapping code paths (refreshStatus leader state logic); related through shared raft engine callback machinery.
• feat(sqs): partition resolver for HT-FIFO routing (Phase 3.D PR 4-B-2) #715: Adds partition-resolver integration to coordinator setup in main.go; related through SQS partition routing dependencies for leadership refusal.
• docs(sqs): proposals for Phase 3.C (throttling) + 3.D (split-queue FIFO) #664: Describes HT-FIFO capability advertisement and leadership-refusal safeguard proposal; related as this PR implements the design.

Poem

🐰 A hop, a bound—callbacks now acquired!
The leader learns when roles are desired,
SQS queues refuse with grace,
HT-FIFO finds its place,
One hop closer to the finish line, inspired! 🎉

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat(sqs): leadership-refusal hook + flag flip (Phase 3.D PR 4-B-3b)' directly and comprehensively summarizes the main changes: adding a leadership-refusal hook and flipping the htfifo capability flag.
Docstring Coverage	✅ Passed	Docstring coverage is 96.30% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/sqs-htfifo-leadership-refusal

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 0/1 reviews remaining, refill in 49 minutes and 2 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fe99a436e5

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Lock callback slice before taking snapshot

gatherLeaderCallbacks takes cbs by value, so both fireLeaderLossCallbacks and fireLeaderAcquiredCallbacks read e.leader* Cbs outside the mutex before mu.Lock() runs. That regresses the previous lock-then-copy behavior and introduces a real data race when a callback is registered/deregistered concurrently with refreshStatus firing callbacks (e.g., startup/shutdown churn), which can yield undefined behavior or race-detector failures. Please move the slice read under the lock (e.g., pass a pointer to the slice and dereference only after locking).

Useful? React with 👍 / 👎.

[gemini-code-assist]

Code Review

This pull request enables the SQS HT-FIFO capability and implements a leadership-refusal safeguard by introducing a leader-acquisition callback mechanism in the Raft engine. This allows nodes to automatically transfer leadership if they are ineligible to host partitioned queues. Review feedback highlighted critical data races in the shared callback firing logic and suggested enhancing panic recovery logs with node identity and stack traces for better production debugging.

[gemini-code-assist]

This line contains a data race. The slice header of e.leaderLossCbs is read here to be passed by value to gatherLeaderCallbacks, but this read is not protected by e.leaderLossCbsMu. If another goroutine modifies the slice (e.g., via RegisterLeaderLossCallback) concurrently, it can lead to undefined behavior or a crash. The slice should be passed by pointer so that gatherLeaderCallbacks can read the header under the lock.

Suggested change

	for _, fn := range gatherLeaderCallbacks(&e.leaderLossCbsMu, e.leaderLossCbs) {
	for _, fn := range gatherLeaderCallbacks(&e.leaderLossCbsMu, &e.leaderLossCbs) {

References

1. To prevent race conditions and the use of stale data, ensure that shared variables are accessed and checked while holding the appropriate lock.

[gemini-code-assist]

To prevent data races on the slice header, this helper should accept a pointer to the slice. This allows the function to access the slice's pointer, length, and capacity safely while holding the mutex.

Suggested change

	func gatherLeaderCallbacks(mu *sync.Mutex, cbs []leaderCallbackSlot) []func() {
	mu.Lock()
	out := make([]func(), len(cbs))
	for i, c := range cbs {
	out[i] = c.fn
	}
	mu.Unlock()
	return out
	}
	func gatherLeaderCallbacks(mu *sync.Mutex, cbs *[]leaderCallbackSlot) []func() {
	mu.Lock()
	defer mu.Unlock()
	out := make([]func(), len(*cbs))
	for i, c := range *cbs {
	out[i] = c.fn
	}
	return out
	}

References

1. To prevent race conditions and the use of stale data, ensure that shared variables are accessed and checked while holding the appropriate lock.

[gemini-code-assist]

This line also has a data race. e.leaderAcquiredCbs is read without holding e.leaderAcquiredCbsMu before being passed to gatherLeaderCallbacks. It should be passed by pointer instead.

Suggested change

	for _, fn := range gatherLeaderCallbacks(&e.leaderAcquiredCbsMu, e.leaderAcquiredCbs) {
	for _, fn := range gatherLeaderCallbacks(&e.leaderAcquiredCbsMu, &e.leaderAcquiredCbs) {

References

1. To prevent race conditions and the use of stale data, ensure that shared variables are accessed and checked while holding the appropriate lock.

[gemini-code-assist]

The panic recovery logic here is less informative than its counterpart in invokeLeaderLossCallback. It should include the node identity and a stack trace to facilitate debugging of policy hook failures in production.

func (e *Engine) invokeLeaderAcquiredCallback(fn func()) {
	defer func() {
		if r := recover(); r != nil {
			slog.Error("etcd raft engine: leader-acquired callback panicked",
				slog.String("node_id", e.localID),
				slog.Uint64("raft_node_id", e.nodeID),
				slog.Any("panic", r),
				slog.String("stack", string(debug.Stack())),
			)
		}
	}()
	fn()
}

References

1. Include node identity in logs and metadata to ensure correct context and prevent incorrect metadata reuse.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@internal/raftengine/etcd/engine.go`:
- Around line 1028-1039: gatherLeaderCallbacks currently takes the callback
slice by value and locks after reading it, which races with concurrent
register/deregister; change gatherLeaderCallbacks to lock before reading the
slice (accept the slice as a pointer or otherwise take a locked reference) so
the snapshot of []leaderCallbackSlot is performed while mu is held, and update
callers fireLeaderLossCallbacks and fireLeaderAcquiredCallbacks to pass
&e.leaderLossCbs and &e.leaderAcquiredCbs (using the same mu) so the function
reads a consistent slice of leaderCallbackSlot entries (and then returns the
copied []func() for use outside the lock).

In `@main_sqs_leadership_refusal.go`:
- Around line 97-103: Register the leader-acquired callback before doing the
immediate startup leader check: call
admin.RegisterLeaderAcquiredCallback(refuse) first to subscribe to future
acquisitions, then check admin.State() == raftengine.StateLeader and call
refuse() if true; this ensures the refuse() callback isn't missed if leadership
is gained between the check and registration. Reference:
admin.RegisterLeaderAcquiredCallback, admin.State(), refuse().

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1c809151-22b1-4912-9ca5-c83d5b143f5f

📥 Commits

Reviewing files that changed from the base of the PR and between e9f33eb and fe99a43.

📒 Files selected for processing (7)

• adapter/sqs.go
• internal/raftengine/engine.go
• internal/raftengine/etcd/engine.go
• internal/raftengine/etcd/leader_acquired_callback_test.go
• main.go
• main_sqs_leadership_refusal.go
• main_sqs_leadership_refusal_test.go

[bootjp]

@claude review

Round 2 — all four round 1 findings addressed:

P1 (Codex) / HIGH (Gemini) — real data race in gatherLeaderCallbacks. My round 1 refactor passed the slice by value (cbs []leaderCallbackSlot), so the slice header was dereferenced at the call site BEFORE mu.Lock() ran inside the helper. Concurrent registerLeaderCallback could mutate the header during that window. Fix: signature changed to *[]leaderCallbackSlot; both call sites updated. The dereference now happens inside the locked section.

MEDIUM (Gemini) / Claude finding 1 — invokeLeaderAcquiredCallback panic log now matches invokeLeaderLossCallback (node_id / raft_node_id / panic / debug.Stack).

Claude finding 2 (TOCTOU) — installSQSLeadershipRefusal now re-checks State() after RegisterLeaderAcquiredCallback returns. If the engine wins an election in the registration window, refuse() fires for that in-flight acquisition. refuse() is idempotent so a double-fire across the boundary is safe.

Claude finding 3 (branch coverage) — 4 new installSQSLeadershipRefusalAcrossGroups tests cover composite deregister fan-out, empty partition map, nil-runtime / nil-engine guard, and engine-doesn't-implement-observer. Plus TestInstallSQSLeadershipRefusal_TOCTOUWindowCovered directly exercises fix #2.

Lessons-learned audit: semantic change is gatherLeaderCallbacks signature. grep -rn confirmed only the two fire*Callbacks methods call it; both updated together. No external callers.

go test -race ./kv/... ./internal/raftengine/etcd/ . and golangci-lint clean.

[claude]

Claude finished @bootjp's task in 3m 7s —— View job

---

Review: Round 2 — Phase 3.D PR 4-B-3b

• Read changed files (post-634fbcf)
• Verify fix Configure Renovate #1: gatherLeaderCallbacks slice pointer race
• Verify fix Update dependency go to v1.21.4 #2: invokeLeaderAcquiredCallback panic log parity
• Verify fix Update docker/setup-qemu-action action to v3 #3: TOCTOU order flip in installSQSLeadershipRefusal
• Verify fix Dependency Dashboard #4: new branch-coverage tests
• Check for any new issues introduced by the fixes
• Post final review

---

All four Round 1 findings are correctly addressed. No new issues introduced.

Fix #1 — gatherLeaderCallbacks slice pointer race ✅

internal/raftengine/etcd/engine.go:1039

Signature is now gatherLeaderCallbacks(mu *sync.Mutex, cbs *[]leaderCallbackSlot). The slice header (pointer, length, capacity) is now dereferenced as *cbs inside mu.Lock(). Both callers pass &e.leaderLossCbs and &e.leaderAcquiredCbs. The comment at lines 1028–1038 explains the race and traces it to the Codex P1 / Gemini HIGH finding — useful for future auditors. Clean fix.

Fix #2 — invokeLeaderAcquiredCallback panic log parity ✅

internal/raftengine/etcd/engine.go:1095–1113

The recovery block now logs slog.String("node_id", e.localID), slog.Uint64("raft_node_id", e.nodeID), slog.Any("panic", r), and slog.String("stack", string(debug.Stack())). Leader-acquired and leader-loss panic handlers are now structurally identical. The comment at lines 1098–1103 correctly attributes this to the Gemini/Claude finding and explains why the fields matter for production triage.

Fix #3 — TOCTOU order flip in installSQSLeadershipRefusal ✅

main_sqs_leadership_refusal.go:97–119

The new sequence:

1. wasLeaderBefore = admin.State() — pre-registration snapshot
2. If already leader → refuse() immediately
3. deregister = admin.RegisterLeaderAcquiredCallback(refuse) — subscribe
4. if !wasLeaderBefore && admin.State() == raftengine.StateLeader — post-registration check

The !wasLeaderBefore guard on step 4 is correct: it prevents a double-fire in the wasLeaderBefore=true path (where we already called refuse() in step 2), while still catching the race window where the node wins an election between steps 1 and 3.

One residual theoretical race not covered: if wasLeaderBefore=true and the TransferLeadership goroutine is in-flight when the node loses leadership and then wins it again during the microsecond of RegisterLeaderAcquiredCallback's execution — the !wasLeaderBefore guard skips the second check. In that case, the next subsequent election will be caught by the registered callback. This is acceptable: the window is sub-microsecond, refuse() is idempotent, and the callback guarantees eventual step-down.

TestInstallSQSLeadershipRefusal_TOCTOUWindowCovered exercises this directly via stateAfterRegister: raftengine.StateLeader, which flips state to leader exactly when RegisterLeaderAcquiredCallback is called. The test's awaitTransferCallsAtLeastOne is correct given refuse() is asynchronous.

Fix #4 — Branch coverage for installSQSLeadershipRefusalAcrossGroups ✅

main_sqs_leadership_refusal_test.go:290–392

Four new tests cover the previously-untested guard paths:

• ComposesDeregisters — confirms N per-group install calls and composite deregister fan-out across two runtimes
• NoPartitionedQueueIsNoOp — empty partition map returns early with no registrations
• SkipsNilRuntimes — nil runtime entry and nil engine entry are skipped; valid entry still gets registered
• SkipsEngineWithoutObserver — engineWithoutAcquiredObserver (embeds raftengine.Engine but lacks RegisterLeaderAcquiredCallback) triggers the type-assertion-miss path without panicking

The engineWithoutAcquiredObserver type-assertion approach is the right design for the test double.

Additional observations (non-blocking)

Cleanup LIFO ordering confirmed: CleanupStack.Run() is LIFO (internal/cleanup.go:3). leadershipRefusalDeregister is added at line 336, which is after the rt.Close() group at line 309. LIFO means deregister runs first → callbacks are cleanly removed before the engine closes.

partitionedGroupSet empty-groups edge case: if partitionMap has entries where all queues have empty groups arrays, the function returns a non-nil but empty map[uint64]bool{}. The len(partGroups) == 0 check in installSQSLeadershipRefusalAcrossGroups correctly handles this (returns early). No issue.

adapter/sqs.go flag flip: htfifoCapabilityAdvertised = true as a const is the right choice — a var would be mutable at runtime. AdvertisesHTFIFO() is a clean accessor.

---

Verdict: All Round 1 blocking issues resolved. The implementation is correct, the tests are comprehensive, and the code is ready to merge.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 634fbcf954

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Fail closed when leadership transfer is rejected

When advertisesHTFIFO is false and this hook fires, a failed TransferLeadership (for example, no eligible transferee in a single-voter group or peers unavailable) is only logged and then ignored. In that case the node remains leader and continues serving despite the hook deciding it is unsafe to lead, which defeats the downgrade-protection guarantee and can still allow incorrect behavior on partitioned queues.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Exclude single-partition routes from refusal group set

partitionedGroupSet currently marks groups from every --sqsFifoPartitionMap entry, but PartitionCount=1 is valid input and is not a partitioned queue in the HT-FIFO sense. This makes the refusal hook run for groups that only host single-partition routes, causing unnecessary leadership transfers (and possible avoidable unavailability on constrained groups) without any data-safety benefit.

Useful? React with 👍 / 👎.