Wires the recovery API surface and event channel. Recovery is
currently a no-op (validates policy + emits Started/Recovered
events); the real teardown + re-bind + re-advise loop is wave-3
work tracked as F16.
New
- Session::recover_connection(policy) — port of
MxNativeSession.RecoverConnectionAsync (cs:399-440). Validates
policy.max_attempts >= 1 (mirrors cs:33-36 via
RecoveryPolicy::validate). Emits RecoveryEvent::Started + Recovered
through the broadcast channel. Returns Ok(()) immediately — actual
reconnect work is F16.
- Session::recovery_events() -> broadcast::Receiver<Arc<RecoveryEvent>>
— typed observable for consumers that want to wire monitoring or
state-machine handling. Same Arc-broadcast pattern as
Session::callbacks(). Multi-subscriber safe (Arc::ptr_eq verified
in tests).
- SessionInner.recovery_tx: broadcast::Sender<Arc<RecoveryEvent>>
initialized in connect_nmx + connect_test_session.
Removed lib.rs stub (was Err(Unsupported)).
design/followups.md: F16 added (P1) covering the actual reconnect
loop. Resolves when R15's long-lived connection task lands and
SessionInner gains a subscription registry — at that point the
recover loop becomes ~50 lines slotting RecoverConnectionCore-style
work between the Started and Recovered events.
Tests (4 new in mxaccess; total 48)
- recover_connection emits Started + Recovered for the default
single-attempt policy.
- recover_connection rejects max_attempts == 0 with InvalidArgument.
- recover_connection after shutdown returns EngineNotRegistered.
- recovery_events supports multiple subscribers (Arc::ptr_eq
verifies the same allocation reaches both).
Test count delta: 520 -> 524 (+4). All four DoD gates green.
Open followups: 9 -> 10 (added F16).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Joseph Doherty
4863c6dc1f