fix(action_status_bridge): address PR review feedback

Attribute faults to the action server node FQN (from the status publisher) so they associate with the SOVD entity; heal a still-failed action before pruning it. Per-action lifecycle, sanitized prefix, param validation, CANCELED codes. Unique test domain range, docs-build wiring, and a launch_testing integration test.

Author: mfaferek93

docs/Doxyfile

@@ -16,6 +16,8 @@ INPUT                  = ../src/ros2_medkit_gateway/include \
                          ../src/ros2_medkit_diagnostic_bridge/src \
                          ../src/ros2_medkit_log_bridge/include \
                          ../src/ros2_medkit_log_bridge/src \
+                         ../src/ros2_medkit_action_status_bridge/include \
+                         ../src/ros2_medkit_action_status_bridge/src \
                          ../src/ros2_medkit_serialization/include \
                          ../src/ros2_medkit_serialization/src \
                          ../src/ros2_medkit_msgs

docs/api/cpp.rst

@@ -91,6 +91,14 @@ Bridge node that promotes ROS 2 /rosout log entries to FaultManager faults.
 .. doxygenclass:: ros2_medkit_log_bridge::LogBridgeNode
    :members:
 
+ros2_medkit_action_status_bridge
+--------------------------------
+
+Bridge node that turns terminal ROS 2 action goal states into FaultManager faults.
+
+.. doxygenclass:: ros2_medkit_action_status_bridge::ActionStatusBridgeNode
+   :members:
+
 ros2_medkit_serialization
 -------------------------
 

docs/changelog.rst

@@ -16,6 +16,8 @@ This page aggregates changelogs from all ros2_medkit packages.
 
 .. include:: ../src/ros2_medkit_log_bridge/CHANGELOG.rst
 
+.. include:: ../src/ros2_medkit_action_status_bridge/CHANGELOG.rst
+
 .. include:: ../src/ros2_medkit_serialization/CHANGELOG.rst
 
 .. include:: ../src/ros2_medkit_msgs/CHANGELOG.rst

docs/introduction.rst

@@ -62,6 +62,9 @@ ros2_medkit consists of several ROS 2 packages:
 **ros2_medkit_log_bridge**
    Bridge node that promotes ROS 2 ``/rosout`` log entries to fault manager faults.
 
+**ros2_medkit_action_status_bridge**
+   Bridge node that turns terminal ROS 2 action goal states (aborted) into fault manager faults.
+
 **ros2_medkit_msgs**
    Message and service definitions for fault management.
 

src/ros2_medkit_action_status_bridge/CHANGELOG.rst

@@ -6,6 +6,17 @@ Forthcoming
 -----------
 * Initial release: generic action-status bridge. Watches every
   ``/<action>/_action/status`` topic and turns ABORTED goals into FaultManager
-  faults (``<PREFIX>_<ACTION>_ABORTED``), heals on SUCCEEDED, with per-goal
-  dedup. Captures the terminal action verdict that the diagnostic and log
-  bridges cannot see.
+  faults (``<PREFIX>_<ACTION>_ABORTED``), heals on a non-failing terminal state.
+  Captures the terminal action verdict that the diagnostic and log bridges
+  cannot see.
+* Fault state is per-ACTION, derived from the whole ``GoalStatusArray`` on each
+  message: a fault is raised only on the ``healthy -> failed`` transition and
+  healed only on ``failed -> healthy``, so it is order-independent and resilient
+  to dropped terminal messages. Per-goal dedup now only suppresses duplicate log
+  lines.
+* ``canceled_is_fault`` emits a status-aware ``<PREFIX>_<ACTION>_CANCELED`` code;
+  such a fault heals on the next non-failing terminal or when the canceled goal
+  ages out of the retained status array.
+* Vanished actions (lifecycle deactivate, one-shot nodes) are pruned on rescan.
+* Parameters are range-checked/normalized at load; an incompatible action status
+  QoS is now warned about instead of silently dropping faults.

src/ros2_medkit_action_status_bridge/CMakeLists.txt

@@ -86,6 +86,7 @@ ament_export_dependencies(rclcpp action_msgs ros2_medkit_msgs ros2_medkit_fault_
 if(BUILD_TESTING)
   find_package(ament_lint_auto REQUIRED)
   find_package(ament_cmake_gtest REQUIRED)
+  find_package(launch_testing_ament_cmake REQUIRED)
 
   set(ament_cmake_clang_format_CONFIG_FILE "${CMAKE_CURRENT_SOURCE_DIR}/../../.clang-format")
   list(APPEND AMENT_LINT_AUTO_EXCLUDE ament_cmake_uncrustify ament_cmake_cpplint ament_cmake_clang_tidy)
@@ -94,7 +95,7 @@ if(BUILD_TESTING)
   ros2_medkit_clang_tidy()
 
   include(ROS2MedkitTestDomain)
-  medkit_init_test_domains(START 90 END 99)
+  medkit_init_test_domains(START 215 END 219)
 
   ament_add_gtest(test_action_status_bridge test/test_action_status_bridge.cpp)
   target_link_libraries(test_action_status_bridge action_status_bridge_lib)
@@ -106,6 +107,16 @@ if(BUILD_TESTING)
     target_link_options(test_action_status_bridge PRIVATE --coverage)
   endif()
 
+  # Integration test (launch_testing): fault_manager + bridge + synthetic status
+  install(DIRECTORY test
+    DESTINATION share/${PROJECT_NAME}
+  )
+  add_launch_test(
+    test/test_integration.test.py
+    TARGET test_integration
+    TIMEOUT 120
+  )
+
   ros2_medkit_relax_vendor_warnings()
 endif()
 

src/ros2_medkit_action_status_bridge/README.md

@@ -21,15 +21,33 @@ generically, by observing the goal-status topic.
 ## What it does
 
 - Discovers every action on the graph by scanning for `*/_action/status`
-  topics (re-scanned on a timer to catch actions that appear later).
+  topics (re-scanned on a timer to catch actions that appear later, and to drop
+  actions that vanish, e.g. a Nav2 lifecycle deactivate or a one-shot node).
 - `ABORTED (6)` -> fault (`SEVERITY_ERROR` by default).
 - `CANCELED (5)` -> fault only if `canceled_is_fault` (off by default; cancel is
-  usually intentional).
-- `SUCCEEDED (4)` -> `PASSED` to heal the action's ABORTED code (if enabled).
-- `fault_code` is `<PREFIX>_<ACTION>_ABORTED`, e.g.
-  `ACTION_NAVIGATE_TO_POSE_ABORTED`. `source_id` is the action name.
-- Per-goal dedup keyed on `goal_id` so a latched terminal status is reported
-  once, not on every status publication.
+  usually intentional). When enabled it emits a `_CANCELED` code.
+- `SUCCEEDED (4)` -> `PASSED` to heal the action's fault code (if enabled).
+- `fault_code` is `<PREFIX>_<ACTION>_ABORTED` (or `_CANCELED`), e.g.
+  `ACTION_NAVIGATE_TO_POSE_ABORTED`. `source_id` is the action **server's node
+  FQN** (resolved from the status topic's publisher, e.g. `/bt_navigator`), so
+  the fault associates with that node's SOVD entity; it falls back to the action
+  name only if no publisher is visible.
+
+## Per-action state, not per-goal
+
+The fault is a property of the **action**, not of an individual goal. On every
+status message the whole `GoalStatusArray` is scanned for the net state:
+
+- if **any** goal is `ABORTED` (or `CANCELED` when `canceled_is_fault`), the
+  action is **failed** (order of goals in the array does not matter);
+- otherwise, if the array has terminal goals and none are failing, the action is
+  **healthy**.
+
+A fault is raised only on the `healthy -> failed` transition and healed only on
+`failed -> healthy`. This means one failed goal cannot heal an action while
+another goal is still failed, and a dropped terminal message cannot leave a
+fault stuck. Per-goal dedup (keyed on `goal_id:status`) only suppresses
+duplicate log lines; it never gates the transition.
 
 ## Scope: the terminal verdict, not the reason
 
@@ -57,4 +75,37 @@ ros2 launch ros2_medkit_action_status_bridge action_status_bridge.launch.py
 | `code_prefix` | `ACTION` | prefix for generated codes |
 | `exclude_actions` | `[]` | action-name substrings to skip |
 | `include_only_actions` | `[]` | if set, only watch these |
-| `dedup_capacity` | `4096` | remembered goal/status keys |
+| `dedup_capacity` | `4096` | remembered goal/status log keys |
+
+`exclude_actions` / `include_only_actions` match as **unanchored substrings** of
+the fully-qualified action name (e.g. `nav` matches `/navigate_to_pose`). Use a
+longer fragment (or the full name) for exact targeting.
+
+`aborted_severity`, `code_prefix` and `dedup_capacity` are range-checked and
+normalized at load (out-of-range severity clamps to ERROR, a non-snake-case
+`code_prefix` is upper-snake-cased, a non-positive `dedup_capacity` falls back to
+the default), with a warning.
+
+## Limitations
+
+- **Flapping**: a retry loop that issues a fresh `goal_id` each attempt does not
+  re-raise while the action stays failed (only net-state changes transition),
+  but a true flap (fail -> succeed -> fail) does produce one raise + heal per
+  cycle. There is no per-code rate throttle in this bridge; lower noise via the
+  FaultReporter local filter if needed.
+- **No per-code throttle**: every action-level transition is forwarded.
+- **CANCELED heal semantics**: with `canceled_is_fault`, a canceled action heals
+  on the next non-failing terminal (a later SUCCEEDED), or when the canceled goal
+  ages out of the action server's retained status array and a non-failed terminal
+  remains. It is not healed by an explicit "uncancel" because none exists.
+- **QoS**: the bridge requests the standard action status QoS (reliable +
+  transient_local). A non-standard server (volatile/best-effort) is logged with
+  an incompatible-QoS warning rather than silently yielding zero faults.
+- **Vanish while failed**: if an action that is currently failed disappears from
+  the graph (lifecycle deactivate, one-shot node), the bridge heals its fault
+  before forgetting it (when `heal_on_succeeded` is set), so it is not left stuck
+  active. With healing disabled the fault persists by design.
+- **Healing threshold**: the bridge emits one `PASSED` per recovery (a discrete
+  event, not a stream), so a fault reaches `HEALED` only when the FaultManager's
+  `healing_threshold` is `0`. With a higher threshold the fault stays `CONFIRMED`
+  after the action recovers.

src/ros2_medkit_action_status_bridge/config/action_status_bridge.yaml

@@ -2,18 +2,19 @@ action_status_bridge:
   ros__parameters:
     # Severity for an ABORTED goal (0=INFO 1=WARN 2=ERROR 3=CRITICAL).
     aborted_severity: 2
-    # Treat a CANCELED goal as a fault. Off by default (cancel is usually
-    # an intentional operator/client action, not a failure).
+    # Treat a CANCELED goal as a fault (emits a _CANCELED code). Off by default
+    # (cancel is usually an intentional operator/client action, not a failure).
     canceled_is_fault: false
-    # On a SUCCEEDED goal, send PASSED to heal the action's ABORTED fault code.
+    # On a non-failing terminal state, send PASSED to heal the action's fault.
     heal_on_succeeded: true
-    # How often to rescan the graph for new action status topics.
+    # How often to rescan the graph for new (and vanished) action status topics.
     rescan_period_sec: 2.0
-    # Prefix for generated fault codes (<PREFIX>_<ACTION>_ABORTED).
+    # Prefix for generated fault codes (<PREFIX>_<ACTION>_ABORTED/_CANCELED).
+    # Normalized to UPPER_SNAKE at load.
     code_prefix: "ACTION"
-    # Action-name substrings to skip.
+    # Action-name substrings to skip (unanchored substring match).
     exclude_actions: []
     # If non-empty, ONLY watch actions matching these substrings.
     include_only_actions: []
-    # Max remembered (goal_id:status) keys for dedup.
+    # Max remembered (goal_id:status) keys for log dedup.
     dedup_capacity: 4096

src/ros2_medkit_action_status_bridge/include/ros2_medkit_action_status_bridge/action_status_bridge_node.hpp

@@ -14,6 +14,7 @@
 
 #pragma once
 
+#include <array>
 #include <cstdint>
 #include <deque>
 #include <map>
@@ -43,37 +44,71 @@ namespace ros2_medkit_action_status_bridge {
 /// Status mapping (action_msgs/msg/GoalStatus):
 ///   - ABORTED (6)  -> fault (severity configurable, default ERROR)
 ///   - CANCELED (5) -> fault only if canceled_is_fault (usually intentional)
-///   - SUCCEEDED (4)-> PASSED (heals the per-action ABORTED code) if enabled
+///   - SUCCEEDED (4)-> PASSED (heals the per-action fault code) if enabled
+///
+/// Fault state is per-ACTION, not per-goal: every message is scanned for the net
+/// state of the whole GoalStatusArray and a fault is raised/healed only on the
+/// action-level transition. See `derive_state`.
 class ActionStatusBridgeNode : public rclcpp::Node {
  public:
   explicit ActionStatusBridgeNode(const rclcpp::NodeOptions & options = rclcpp::NodeOptions());
 
+  /// Net fault state of an action, derived from a whole GoalStatusArray.
+  ///   - kUnknown: no terminal goal in the array yet (no transition)
+  ///   - kHealthy: array has terminal goals and none of them are failing
+  ///   - kFailed:  at least one goal is failing (ABORTED, or CANCELED when
+  ///               canceled_is_fault)
+  enum class ActionState { kUnknown, kHealthy, kFailed };
+
   /// Derive the action name from a `/<action>/_action/status` topic name.
   /// Returns empty when the topic is not an action status topic.
   static std::string action_name_from_status_topic(const std::string & topic);
 
-  /// Build the ABORTED fault code for an action name.
-  /// Format: <PREFIX>_<ACTION>_ABORTED, charset/length per medkit rules.
-  std::string aborted_fault_code(const std::string & action_name) const;
+  /// Build the fault code for an action name and terminal status.
+  /// Format: <PREFIX>_<ACTION>_<ABORTED|CANCELED>, charset/length per medkit
+  /// rules. `canceled` selects the CANCELED suffix.
+  std::string fault_code_for(const std::string & action_name, bool canceled) const;
 
   /// Lowercase hex of a 16-byte goal UUID, for dedup keys and short display.
   static std::string uuid_to_hex(const std::array<uint8_t, 16> & uuid);
 
+  /// Scan a whole GoalStatusArray and return the action-level net state.
+  /// `canceled_is_fault` decides whether CANCELED counts as failing. Order of
+  /// the goals in the array does not affect the result (any failing goal wins).
+  static ActionState derive_state(const action_msgs::msg::GoalStatusArray & msg, bool canceled_is_fault);
+
+  /// Update per-action state from a message and act on the transition only.
+  /// Returns the state that was reported on (kFailed on raise, kHealthy on
+  /// heal) or kUnknown when nothing was reported. Side-effect free w.r.t.
+  /// reporting when `reporter` is null (test seam): the transition decision and
+  /// stored per-action state still update, so tests assert on the return value.
+  ActionState apply_message(const std::string & action_name, const action_msgs::msg::GoalStatusArray & msg,
+                            ros2_medkit_fault_reporter::FaultReporter * reporter);
+
  private:
   void rescan_actions();
-  void status_callback(const std::string & action_name,
-                       const action_msgs::msg::GoalStatusArray::ConstSharedPtr & msg);
+  void status_callback(const std::string & action_name, const action_msgs::msg::GoalStatusArray::ConstSharedPtr & msg);
 
   ros2_medkit_fault_reporter::FaultReporter * reporter_for(const std::string & action_name);
 
-  /// Returns true if this (goal, status) pair was not handled before, marking
-  /// it handled. Bounded to avoid unbounded growth.
-  bool mark_handled(const std::string & goal_status_key);
+  /// Resolve the action server's node FQN from its status-topic publisher, for
+  /// use as the fault source_id so faults associate with the gateway's SOVD
+  /// entity. Falls back to the action name if no publisher is visible.
+  std::string server_fqn_for_action(const std::string & action_name);
+
+  /// Returns true if this (goal, status) pair was not logged before, marking it
+  /// logged. Bounded to avoid unbounded growth. Suppresses duplicate LOG lines
+  /// only; never gates the action-level state transition.
+  bool mark_logged(const std::string & goal_status_key);
 
   bool action_is_eligible(const std::string & action_name) const;
 
   void load_parameters();
 
+  /// Drop subscriptions, reporters and per-action state for actions whose status
+  /// topic has vanished from `present_topics`.
+  void prune_vanished(const std::map<std::string, std::string> & present_topics);
+
   static std::string to_upper_snake(const std::string & in, size_t max_len);
 
   rclcpp::TimerBase::SharedPtr rescan_timer_;
@@ -82,11 +117,15 @@ class ActionStatusBridgeNode : public rclcpp::Node {
   std::map<std::string, std::unique_ptr<ros2_medkit_fault_reporter::FaultReporter>> reporters_;
   std::mutex reporters_mutex_;
 
-  // Bounded dedup of handled (goal_id:status) keys.
-  std::unordered_set<std::string> handled_;
-  std::deque<std::string> handled_order_;
-  std::mutex handled_mutex_;
-  size_t handled_capacity_;
+  // Last reported action-level state, keyed by action name. Drives transitions.
+  std::map<std::string, ActionState> last_reported_state_;
+  std::mutex state_mutex_;
+
+  // Bounded dedup of logged (goal_id:status) keys (LOG suppression only).
+  std::unordered_set<std::string> logged_;
+  std::deque<std::string> logged_order_;
+  std::mutex logged_mutex_;
+  size_t logged_capacity_;
 
   // Configuration
   uint8_t aborted_severity_;
@@ -96,6 +135,29 @@ class ActionStatusBridgeNode : public rclcpp::Node {
   std::string code_prefix_;
   std::vector<std::string> exclude_actions_;
   std::vector<std::string> include_only_actions_;
+
+  friend class ActionStatusBridgeTestAccess;
+};
+
+/// Test-only accessor for the bridge's private maps and prune path. Lets unit
+/// tests exercise rescan add+prune without a live action graph.
+class ActionStatusBridgeTestAccess {
+ public:
+  explicit ActionStatusBridgeTestAccess(ActionStatusBridgeNode * node) : node_(node) {
+  }
+
+  /// Seed a watched action (subscription placeholder + per-action state) as if
+  /// rescan had discovered its `/<action>/_action/status` topic.
+  void add_watched(const std::string & action_name);
+
+  /// Run the prune pass against a set of still-present action names.
+  void prune_to(const std::vector<std::string> & present_action_names);
+
+  bool is_watched(const std::string & action_name) const;
+  bool has_state(const std::string & action_name) const;
+
+ private:
+  ActionStatusBridgeNode * node_;
 };
 
 }  // namespace ros2_medkit_action_status_bridge