feat(31): check invariants in release builds, add pluggable recorder

The check_invariant! macro now always evaluates the condition — not just
in debug builds. This implements Layer 4 (Production) of the verification
stack: invariant checks run in release, with results forwarded to a
pluggable InvariantRecorder for Datadog metrics emission.

- Debug builds: panic on violation (debug_assert, Layer 3)
- All builds: evaluate condition, call recorder (Layer 4)
- set_invariant_recorder() wires up statsd at process startup
- No recorder registered = no-op (single OnceLock load)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: g-talbot

quickwit/quickwit-dst/src/invariants/check.rs

@@ -17,13 +17,23 @@
 // You should have received a copy of the GNU Affero General Public License
 // along with this program. If not, see <http://www.gnu.org/licenses/>.
 
-//! Invariant checking macro.
+//! Invariant checking macro — Layers 3 + 4 of the verification stack.
 //!
-//! Wraps `debug_assert!` with the invariant ID, providing a single hook point
-//! for future Datadog metrics emission (Layer 4 of the verification stack).
+//! The condition is **always evaluated** (debug and release). Results are:
+//!
+//! - **Debug builds (Layer 3 — Prevention):** panics on violation via
+//!   `debug_assert!`, catching bugs during development and testing.
+//! - **All builds (Layer 4 — Production):** forwards the result to the
+//!   registered [`InvariantRecorder`](super::recorder::InvariantRecorder)
+//!   for Datadog metrics emission. No-op if no recorder is set.
 
-/// Check an invariant condition. In debug builds, panics on violation.
-/// In release builds, currently a no-op (future: emit Datadog metric).
+/// Check an invariant condition in all build profiles.
+///
+/// The condition is always evaluated. In debug builds, a violation panics.
+/// In all builds, the result is forwarded to the registered invariant
+/// recorder for metrics emission (see [`set_invariant_recorder`]).
+///
+/// [`set_invariant_recorder`]: crate::invariants::set_invariant_recorder
 ///
 /// # Examples
 ///
@@ -36,10 +46,14 @@
 /// ```
 #[macro_export]
 macro_rules! check_invariant {
-    ($id:expr, $cond:expr) => {
-        debug_assert!($cond, "{} violated", $id);
-    };
-    ($id:expr, $cond:expr, $fmt:literal $($arg:tt)*) => {
-        debug_assert!($cond, concat!("{} violated", $fmt), $id $($arg)*);
-    };
+    ($id:expr, $cond:expr) => {{
+        let passed = $cond;
+        $crate::invariants::record_invariant_check($id, passed);
+        debug_assert!(passed, "{} violated", $id);
+    }};
+    ($id:expr, $cond:expr, $fmt:literal $($arg:tt)*) => {{
+        let passed = $cond;
+        $crate::invariants::record_invariant_check($id, passed);
+        debug_assert!(passed, concat!("{} violated", $fmt), $id $($arg)*);
+    }};
 }

quickwit/quickwit-dst/src/invariants/mod.rs

@@ -26,8 +26,10 @@
 //! No external dependencies — only `std`.
 
 mod check;
+pub mod recorder;
 pub mod registry;
 pub mod sort;
 pub mod window;
 
+pub use recorder::{record_invariant_check, set_invariant_recorder};
 pub use registry::InvariantId;

quickwit/quickwit-dst/src/invariants/recorder.rs

@@ -0,0 +1,130 @@
+// Copyright (C) 2024 Quickwit, Inc.
+//
+// Quickwit is offered under the AGPL v3.0 and as commercial software.
+// For commercial licensing, contact us at hello@quickwit.io.
+//
+// AGPL:
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as
+// published by the Free Software Foundation, either version 3 of the
+// License, or (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+//! Pluggable invariant recorder — Layer 4 of the verification stack.
+//!
+//! Every call to [`check_invariant!`](crate::check_invariant) evaluates the
+//! condition in **all** build profiles (debug and release). The result is
+//! forwarded to a recorder function that can emit Datadog metrics, log
+//! violations, or take any other action.
+//!
+//! # Wiring up Datadog metrics
+//!
+//! Call [`set_invariant_recorder`] once at process startup:
+//!
+//! ```rust
+//! use quickwit_dst::invariants::{InvariantId, set_invariant_recorder};
+//!
+//! fn my_recorder(id: InvariantId, passed: bool) {
+//!     // statsd.count("pomsky.invariant.checked", 1, &[&format!("name:{}", id)]);
+//!     // if !passed {
+//!     //     statsd.count("pomsky.invariant.violated", 1, &[&format!("name:{}", id)]);
+//!     // }
+//!     if !passed {
+//!         eprintln!("{} violated in production", id);
+//!     }
+//! }
+//!
+//! set_invariant_recorder(my_recorder);
+//! ```
+
+use std::sync::OnceLock;
+
+use super::InvariantId;
+
+/// Signature for an invariant recorder function.
+///
+/// Called on every `check_invariant!` invocation with the invariant ID and
+/// whether the check passed. Implementations must be cheap — this is called
+/// on hot paths.
+pub type InvariantRecorder = fn(InvariantId, bool);
+
+/// Global recorder. When unset, [`record_invariant_check`] is a no-op.
+static RECORDER: OnceLock<InvariantRecorder> = OnceLock::new();
+
+/// Register a global invariant recorder.
+///
+/// Should be called once at process startup. Subsequent calls are ignored
+/// (first writer wins). This is safe to call from any thread.
+pub fn set_invariant_recorder(recorder: InvariantRecorder) {
+    // OnceLock::set returns Err if already initialized — that's fine.
+    let _ = RECORDER.set(recorder);
+}
+
+/// Record an invariant check result.
+///
+/// Called by [`check_invariant!`](crate::check_invariant) on every invocation,
+/// in both debug and release builds. If no recorder has been registered via
+/// [`set_invariant_recorder`], this is a no-op (single atomic load).
+#[inline]
+pub fn record_invariant_check(id: InvariantId, passed: bool) {
+    if let Some(recorder) = RECORDER.get() {
+        recorder(id, passed);
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use std::sync::atomic::{AtomicU32, Ordering};
+
+    use super::*;
+
+    // Note: these tests use a process-global OnceLock, so only the first
+    // test to run can set the recorder. We test the no-recorder path and
+    // the recorder path in a single test to avoid ordering issues.
+
+    #[test]
+    fn record_without_recorder_is_noop() {
+        // Before any recorder is set, this should not panic.
+        // (In the test binary, another test may have set it, so we just
+        // verify it doesn't panic either way.)
+        record_invariant_check(InvariantId::SS1, true);
+        record_invariant_check(InvariantId::SS1, false);
+    }
+
+    #[test]
+    fn recorder_receives_calls() {
+        static CHECKS: AtomicU32 = AtomicU32::new(0);
+        static VIOLATIONS: AtomicU32 = AtomicU32::new(0);
+
+        fn test_recorder(_id: InvariantId, passed: bool) {
+            CHECKS.fetch_add(1, Ordering::Relaxed);
+            if !passed {
+                VIOLATIONS.fetch_add(1, Ordering::Relaxed);
+            }
+        }
+
+        // May fail if another test already set the recorder — that's OK,
+        // the test still verifies the function doesn't panic.
+        let _ = RECORDER.set(test_recorder);
+
+        let before_checks = CHECKS.load(Ordering::Relaxed);
+        let before_violations = VIOLATIONS.load(Ordering::Relaxed);
+
+        record_invariant_check(InvariantId::TW2, true);
+        record_invariant_check(InvariantId::TW2, false);
+
+        // If our recorder was set, we should see the increments.
+        // If another recorder was set first, we can't assert on counts.
+        if RECORDER.get() == Some(&(test_recorder as InvariantRecorder)) {
+            assert_eq!(CHECKS.load(Ordering::Relaxed), before_checks + 2);
+            assert_eq!(VIOLATIONS.load(Ordering::Relaxed), before_violations + 1);
+        }
+    }
+}