feat(host): readiness gates on required cluster singletons (#28, M2.14)

REQ-HOST-4a lists "required cluster singletons running (if applicable)" as a readiness criterion, but /health/ready only checked database + akka-cluster. Add a third Ready-tagged check, RequiredSingletonsHealthCheck, registered in the Central-role AddHealthChecks() chain (so it is naturally role-scoped — site nodes never run it). Probe: for each required central singleton, Ask its local ClusterSingletonProxy an Identify with a short bounded per-singleton timeout (~2s, probes run concurrently via Task.WhenAll). A non-null ActorIdentity.Subject within the timeout means the singleton is running and reachable through the proxy; a null subject or a timeout means unreachable → Unhealthy, naming the unreachable singleton(s). The check never throws (catch-all → Unhealthy) and resolves ActorSystem lazily from DI per probe (Unhealthy if Akka not yet up). Required-always set = the five singleton proxies created unconditionally in AkkaHostedService.RegisterCentralActors: notification-outbox, audit-log-ingest, site-call-audit, audit-log-purge, site-audit-reconciliation. There are no feature/config-gated central singletons today; any future gated singleton is the "if applicable" case and must NOT be added to the required set. Leadership-agnostic: the proxy reaches the singleton from either central node, so a ready standby still reports ready (readiness must not require cluster leadership — that is the Active tier's job). During a brief singleton handover the probe may time out and the node flaps to not-ready, which is correct (a node mid-handover is legitimately not fully ready); no retries, to keep the probe fast. Tests (TDD): RequiredSingletonsHealthCheckTests exercises the probe against a TestKit ActorSystem — all proxies present+reachable → Healthy; one missing → Unhealthy naming it; ActorSystem absent → Unhealthy, no throw. HealthCheckTests regression-guards the Ready tag + absence of the Active tag on the new check.
2026-06-16 06:48:52 -04:00
parent 3945789970
commit 253bec5a52
6 changed files with 311 additions and 2 deletions
@@ -14,8 +14,8 @@
    {"id": 42, "ref": "M2.10", "subject": "M2.10 #18: CI grep-guard against UPDATE/DELETE on AuditLog", "class": "small", "status": "completed", "commits": ["e7b6fe3", "9cd62aa"]},
    {"id": 43, "ref": "M2.11", "subject": "M2.11 #24: debug snapshot unknown-instance returns error", "class": "small", "status": "completed", "commits": ["dbf44b9", "d160c7f"]},
    {"id": 44, "ref": "M2.12", "subject": "M2.12 #25: recursion-limit error to site event log", "class": "small", "status": "completed", "commits": ["f08038d", "e2b31a9"]},
-    {"id": 45, "ref": "M2.13", "subject": "M2.13 #27: populate obtainable OPC UA/MxGateway transition fields", "class": "small", "status": "pending"},
-    {"id": 46, "ref": "M2.14", "subject": "M2.14 #28: readiness gate checks required cluster singletons", "class": "standard", "status": "pending"},
+    {"id": 45, "ref": "M2.13", "subject": "M2.13 #27: populate obtainable OPC UA/MxGateway transition fields", "class": "small", "status": "completed", "commits": ["722b866", "3945789"]},
+    {"id": 46, "ref": "M2.14", "subject": "M2.14 #28: readiness gate checks required cluster singletons", "class": "standard", "status": "completed", "commits": ["a4d81fa"]},
    {"id": 47, "ref": "M2.15", "subject": "M2.15 #29: register site active-node purge gate (DI)", "class": "small", "status": "pending"},
    {"id": 48, "ref": "M2.16", "subject": "M2.16 #30: Health Monitoring consumes FailedWriteCount", "class": "small", "status": "pending"},
    {"id": 49, "ref": "M2.17", "subject": "M2.17 #31: reconcile StateTransitionValidator delete-from-NotDeployed", "class": "small", "status": "pending"},
@@ -95,6 +95,8 @@ On central nodes, the ASP.NET Core web endpoints (Central UI, Inbound API) must
 - Database connectivity (MS SQL) is verified.
 - Required cluster singletons are running (if applicable).

+These are implemented as three `Ready`-tagged health checks registered in the Central-role branch of `Program.cs` (so they are naturally role-scoped — site nodes do not run them): `database` (`DatabaseHealthCheck<ScadaBridgeDbContext>`), `akka-cluster` (`AkkaClusterHealthCheck`), and `required-singletons` (`RequiredSingletonsHealthCheck`). The last verifies each *required-always* central singleton is reachable by Asking its local `ClusterSingletonProxy` an `Identify` with a short bounded timeout (~2s, probes run concurrently) and treating a non-null `ActorIdentity.Subject` as reachable; any unreachable required singleton degrades the check to **Unhealthy**, naming it. The required-always set is the five unconditional central singletons: notification-outbox, audit-log-ingest, site-call-audit, audit-log-purge, and site-audit-reconciliation. Feature-gated singletons are the "if applicable" case and are not probed when their feature is off. The check is leadership-agnostic — the proxy reaches the singleton from either central node, so a ready standby still reports ready (readiness must NOT require cluster leadership; that is the `Active` tier's job). During a brief singleton handover the probe may momentarily time out and the node may flap to not-ready, which is correct: a node mid-handover is legitimately not fully ready (no retries are used, to keep readiness polling fast).
+
 A standard ASP.NET Core health check endpoint (`/health/ready`) reports readiness status. The load balancer uses this endpoint to determine when to route traffic to the node. During startup or failover, the node returns `503 Service Unavailable` until ready.

 ### REQ-HOST-5: Windows Service Hosting
@@ -0,0 +1,177 @@
+using Akka.Actor;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Diagnostics.HealthChecks;
+using Microsoft.Extensions.Logging;
+
+namespace ZB.MOM.WW.ScadaBridge.Host.Health;
+
+/// <summary>
+/// M2.14 (#28): readiness check that verifies every <b>required central cluster
+/// singleton</b> is reachable from this node, satisfying the "required cluster
+/// singletons running (if applicable)" clause of REQ-HOST-4a. Register it
+/// <see cref="ZB.MOM.WW.Health.ZbHealthTags.Ready"/>-tagged in the Central-role
+/// <c>AddHealthChecks()</c> chain only, so it is naturally role-scoped (site nodes
+/// never register it).
+/// </summary>
+/// <remarks>
+/// <para>
+/// <b>Probe strategy.</b> Each central singleton has a local
+/// <c>ClusterSingletonProxy</c> actor (created unconditionally in
+/// <c>AkkaHostedService.RegisterCentralActors</c>). The proxy actor exists locally
+/// as soon as it is created, so merely resolving its path proves nothing about the
+/// singleton itself. Instead we <see cref="ActorRefImplicitSenderExtensions.Ask{T}(ICanTell, object, TimeSpan?)"/>
+/// the proxy an <see cref="Identify"/> with a short bounded per-singleton timeout and
+/// expect an <see cref="ActorIdentity"/> whose <see cref="ActorIdentity.Subject"/> is
+/// non-null. The proxy buffers and forwards to the live singleton, so a non-null
+/// Subject within the timeout means the singleton is running and reachable; a null
+/// Subject or a timeout means it is unreachable. Probes run concurrently
+/// (<see cref="Task.WhenAll(System.Collections.Generic.IEnumerable{Task})"/>) so the
+/// whole check stays cheap and readiness polling stays fast.
+/// </para>
+/// <para>
+/// <b>Required-always vs if-applicable.</b> All five central singleton proxies are
+/// created unconditionally on a central node (there is no feature/config gate around
+/// any of them), so all five are treated as required-always here. If a future
+/// singleton is created behind a feature flag, it should NOT be added to
+/// <see cref="RequiredSingletonProxyNames"/> — "if applicable" means skip when its
+/// feature is off.
+/// </para>
+/// <para>
+/// <b>Failover flakiness.</b> During a brief singleton handover the singleton may be
+/// momentarily unreachable through the proxy. The bounded per-singleton timeout maps
+/// that to Unhealthy (we never throw and never retry — retries would make the probe
+/// slow). Readiness flapping briefly during a failover is acceptable and correct: a
+/// node mid-handover is legitimately not fully ready. We deliberately accept that
+/// tradeoff rather than masking it with retries.
+/// </para>
+/// <para>
+/// <b>No leadership requirement.</b> The proxy reaches the singleton from either node
+/// (active or standby), so a ready standby still reports Healthy here — readiness must
+/// NOT require cluster leadership (that is the Active tier's job).
+/// </para>
+/// <para>
+/// The <see cref="ActorSystem"/> is resolved lazily from DI per probe, mirroring
+/// <c>AkkaClusterHealthCheck</c>; if it is not yet available (startup race) the check
+/// returns Unhealthy rather than throwing.
+/// </para>
+/// </remarks>
+public sealed class RequiredSingletonsHealthCheck : IHealthCheck
+{
+    /// <summary>
+    /// Local actor names (under <c>/user</c>) of the <c>ClusterSingletonProxy</c>
+    /// actors for the singletons that must always be running on a central node.
+    /// Matches the unconditional proxy registrations in
+    /// <c>AkkaHostedService.RegisterCentralActors</c>.
+    /// </summary>
+    public static readonly IReadOnlyList<string> RequiredSingletonProxyNames = new[]
+    {
+        "notification-outbox-proxy",
+        "audit-log-ingest-proxy",
+        "site-call-audit-proxy",
+        "audit-log-purge-proxy",
+        "site-audit-reconciliation-proxy",
+    };
+
+    // Short, bounded per-singleton timeout. Kept small so readiness polling stays
+    // fast; a singleton in mid-handover that does not answer within this window is
+    // (correctly) treated as momentarily unreachable. Do NOT add retries here.
+    private static readonly TimeSpan ProbeTimeout = TimeSpan.FromSeconds(2);
+
+    private readonly IServiceProvider _serviceProvider;
+    private readonly ILogger<RequiredSingletonsHealthCheck> _logger;
+
+    /// <summary>Initializes a new <see cref="RequiredSingletonsHealthCheck"/>.</summary>
+    /// <param name="serviceProvider">
+    /// Application service provider; the <see cref="ActorSystem"/> is resolved lazily so the
+    /// check is startup-safe (Unhealthy, never throwing, if Akka is not yet up).
+    /// </param>
+    /// <param name="logger">Logger for diagnostic detail on unreachable singletons.</param>
+    public RequiredSingletonsHealthCheck(
+        IServiceProvider serviceProvider,
+        ILogger<RequiredSingletonsHealthCheck> logger)
+    {
+        _serviceProvider = serviceProvider ?? throw new ArgumentNullException(nameof(serviceProvider));
+        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+    }
+
+    /// <inheritdoc />
+    public async Task<HealthCheckResult> CheckHealthAsync(
+        HealthCheckContext context,
+        CancellationToken cancellationToken = default)
+    {
+        // CheckHealthAsync must NEVER throw — catch everything and map to Unhealthy
+        // with a descriptive message. An escaping exception would be recorded as
+        // Unhealthy anyway, but a thrown exception loses the descriptive message.
+        try
+        {
+            var system = _serviceProvider.GetService<ActorSystem>();
+            if (system is null)
+                return HealthCheckResult.Unhealthy("ActorSystem not yet available.");
+
+            // Probe each required singleton concurrently so the whole check is bounded
+            // by ~ProbeTimeout, not the sum of the per-singleton timeouts.
+            var probes = RequiredSingletonProxyNames
+                .Select(name => ProbeAsync(system, name, cancellationToken))
+                .ToArray();
+
+            var results = await Task.WhenAll(probes).ConfigureAwait(false);
+
+            var unreachable = results
+                .Where(r => !r.Reachable)
+                .Select(r => r.Name)
+                .ToList();
+
+            if (unreachable.Count == 0)
+                return HealthCheckResult.Healthy(
+                    $"All {RequiredSingletonProxyNames.Count} required cluster singletons are reachable.");
+
+            var joined = string.Join(", ", unreachable);
+            _logger.LogWarning(
+                "Readiness degraded: required cluster singleton(s) unreachable: {Unreachable}",
+                joined);
+            return HealthCheckResult.Unhealthy(
+                $"Required cluster singleton(s) unreachable: {joined}.");
+        }
+        catch (Exception ex)
+        {
+            // Defensive: any unexpected failure (including OperationCanceledException
+            // on shutdown) degrades readiness rather than escaping the check.
+            return HealthCheckResult.Unhealthy(
+                "Failed to probe required cluster singletons.", ex);
+        }
+    }
+
+    /// <summary>
+    /// Asks the named local proxy an <see cref="Identify"/> with a bounded timeout.
+    /// Reachable iff a non-null <see cref="ActorIdentity.Subject"/> comes back in time.
+    /// A null Subject (path not present) or a timeout/exception → not reachable. This
+    /// method itself never throws.
+    /// </summary>
+    private async Task<(string Name, bool Reachable)> ProbeAsync(
+        ActorSystem system,
+        string proxyName,
+        CancellationToken cancellationToken)
+    {
+        try
+        {
+            // ActorSelection so a missing path resolves an ActorIdentity with a null
+            // Subject (rather than throwing) within the bounded timeout.
+            var selection = system.ActorSelection($"/user/{proxyName}");
+            using var cts = CancellationTokenSource.CreateLinkedTokenSource(cancellationToken);
+            cts.CancelAfter(ProbeTimeout);
+
+            var identity = await selection
+                .Ask<ActorIdentity>(new Identify(proxyName), ProbeTimeout, cts.Token)
+                .ConfigureAwait(false);
+
+            return (proxyName, identity.Subject is not null);
+        }
+        catch (Exception)
+        {
+            // Timeout / cancellation / any failure → momentarily unreachable. Bounded,
+            // no retry — readiness may briefly flap during a singleton handover, which
+            // is the correct signal for a node mid-handover.
+            return (proxyName, false);
+        }
+    }
+}
@@ -202,6 +202,18 @@ try
                failureStatus: null,
                tags: new[] { ZbHealthTags.Ready },
                args: AkkaClusterStatusPolicy.Default)
+            // M2.14 (#28): readiness ALSO reflects "required cluster singletons running"
+            // (REQ-HOST-4a). Probes each central singleton's local ClusterSingletonProxy
+            // with a bounded Identify and degrades to Unhealthy if any required singleton
+            // is unreachable. Registered inside the Central-role branch (this is it) so the
+            // check is naturally role-scoped — site nodes never run it. It resolves
+            // ActorSystem from DI per probe, like the akka-cluster check above, and is
+            // leadership-agnostic so a ready standby still reports ready (the proxy reaches
+            // the singleton from either node).
+            .AddTypeActivatedCheck<RequiredSingletonsHealthCheck>(
+                "required-singletons",
+                failureStatus: null,
+                tags: new[] { ZbHealthTags.Ready })
            .AddTypeActivatedCheck<ActiveNodeHealthCheck>(
                "active-node",
                failureStatus: null,
@@ -158,6 +158,15 @@ public class HealthCheckTests : IDisposable
            Assert.Contains(ZbHealthTags.Ready, registrations["database"].Tags);
            Assert.Contains(ZbHealthTags.Ready, registrations["akka-cluster"].Tags);

+            // M2.14 (#28): readiness ALSO reflects "required cluster singletons running"
+            // (REQ-HOST-4a). The Central-only required-singletons check is Ready-tagged so
+            // it gates /health/ready alongside database + akka-cluster, but is leadership-
+            // agnostic (it does NOT carry the Active tag), so a ready standby stays ready.
+            Assert.True(registrations.ContainsKey("required-singletons"),
+                "Expected a 'required-singletons' health check.");
+            Assert.Contains(ZbHealthTags.Ready, registrations["required-singletons"].Tags);
+            Assert.DoesNotContain(ZbHealthTags.Active, registrations["required-singletons"].Tags);
+
            // The leader-only active-node check must NOT be on the readiness tier.
            Assert.DoesNotContain(ZbHealthTags.Ready, registrations["active-node"].Tags);
        }
@@ -0,0 +1,109 @@
+using Akka.Actor;
+using Akka.TestKit.Xunit2;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Diagnostics.HealthChecks;
+using Microsoft.Extensions.Logging.Abstractions;
+using ZB.MOM.WW.ScadaBridge.Host.Health;
+
+namespace ZB.MOM.WW.ScadaBridge.Host.Tests;
+
+/// <summary>
+/// M2.14 (#28): unit tests for <see cref="RequiredSingletonsHealthCheck"/>.
+///
+/// The check probes each required central singleton through its local
+/// <c>ClusterSingletonProxy</c> by Asking an <see cref="Identify"/> with a short
+/// bounded timeout and treating a non-null <see cref="ActorIdentity.Subject"/> as
+/// "reachable". These tests exercise that probe logic directly against a TestKit
+/// <see cref="ActorSystem"/>:
+/// <list type="bullet">
+/// <item>present + reachable proxy paths (live echo actors) → Healthy;</item>
+/// <item>a missing proxy path (ActorSelection resolves a null Subject) → Unhealthy
+/// naming the unreachable singleton.</item>
+/// </list>
+/// No WebApplicationFactory / DB / formed cluster is needed — the probe is just an
+/// in-process Identify round-trip, so the tests are deterministic and fast.
+/// </summary>
+public class RequiredSingletonsHealthCheckTests : TestKit
+{
+    /// <summary>A minimal live actor that does nothing — its mere existence makes
+    /// an <see cref="Identify"/> resolve a non-null Subject (i.e. "reachable").</summary>
+    private sealed class EchoActor : ReceiveActor
+    {
+    }
+
+    private IServiceProvider ProviderReturning(ActorSystem system)
+    {
+        var services = new ServiceCollection();
+        services.AddSingleton(system);
+        return services.BuildServiceProvider();
+    }
+
+    private static async Task<HealthCheckResult> RunAsync(RequiredSingletonsHealthCheck check)
+    {
+        var context = new HealthCheckContext
+        {
+            Registration = new HealthCheckRegistration(
+                "required-singletons", check, failureStatus: null, tags: null),
+        };
+        return await check.CheckHealthAsync(context, CancellationToken.None);
+    }
+
+    [Fact]
+    public async Task AllRequiredSingletonProxiesReachable_ReportsHealthy()
+    {
+        // Create a live actor at every required proxy path so each Identify resolves
+        // a non-null Subject.
+        foreach (var name in RequiredSingletonsHealthCheck.RequiredSingletonProxyNames)
+        {
+            Sys.ActorOf(Props.Create(() => new EchoActor()), name);
+        }
+
+        var check = new RequiredSingletonsHealthCheck(
+            ProviderReturning(Sys),
+            NullLogger<RequiredSingletonsHealthCheck>.Instance);
+
+        var result = await RunAsync(check);
+
+        Assert.Equal(HealthStatus.Healthy, result.Status);
+    }
+
+    [Fact]
+    public async Task OneRequiredSingletonUnreachable_ReportsUnhealthyNamingIt()
+    {
+        // Create all but one proxy. The missing one's ActorSelection resolves an
+        // ActorIdentity with a null Subject within the bounded timeout → unreachable.
+        var missing = RequiredSingletonsHealthCheck.RequiredSingletonProxyNames[0];
+        foreach (var name in RequiredSingletonsHealthCheck.RequiredSingletonProxyNames)
+        {
+            if (name == missing)
+                continue;
+            Sys.ActorOf(Props.Create(() => new EchoActor()), name);
+        }
+
+        var check = new RequiredSingletonsHealthCheck(
+            ProviderReturning(Sys),
+            NullLogger<RequiredSingletonsHealthCheck>.Instance);
+
+        var result = await RunAsync(check);
+
+        Assert.Equal(HealthStatus.Unhealthy, result.Status);
+        Assert.NotNull(result.Description);
+        Assert.Contains(missing, result.Description!);
+    }
+
+    [Fact]
+    public async Task ActorSystemNotYetAvailable_ReportsUnhealthy_DoesNotThrow()
+    {
+        // Startup race: ActorSystem not yet bridged into DI. The check must map this
+        // to Unhealthy (the node is not ready to serve) rather than throwing.
+        var emptyProvider = new ServiceCollection().BuildServiceProvider();
+
+        var check = new RequiredSingletonsHealthCheck(
+            emptyProvider,
+            NullLogger<RequiredSingletonsHealthCheck>.Instance);
+
+        var result = await RunAsync(check);
+
+        Assert.Equal(HealthStatus.Unhealthy, result.Status);
+    }
+}