docs(auditlog): mark follow-ups complete in roadmap; refresh stale comments

2026-05-21 06:39:49 -04:00
parent c503df4c4c
commit 7a386a80ce
5 changed files with 44 additions and 18 deletions
--- a/src/ScadaLink.AuditLog/Site/Telemetry/CachedCallTelemetryForwarder.cs
+++ b/src/ScadaLink.AuditLog/Site/Telemetry/CachedCallTelemetryForwarder.cs
@@ -34,15 +34,17 @@ namespace ScadaLink.AuditLog.Site.Telemetry;
 /// returns normally.
 /// </para>
 /// <para>
-/// <b>Wire push deferred to M6.</b> M3 keeps this forwarder synchronous
-/// against the local stores: there is no site→central gRPC channel yet, so
-/// the <see cref="ISiteStreamAuditClient.IngestCachedTelemetryAsync"/> RPC
-/// is registered on the interface (Bundle E1) but the production binding
-/// remains <c>NoOpSiteStreamAuditClient</c>. Once M6 wires a real client the
-/// drain pattern from <c>SiteAuditTelemetryActor</c> can be reused — the
-/// <c>AuditEvent</c> rows already live in SQLite tagged
-/// <see cref="AuditForwardState.Pending"/>, so a single drain loop sweeps
-/// both M2 and M3 emissions.
+/// <b>Local-write only — the wire push is the drain actor's job.</b> This
+/// forwarder is deliberately synchronous against the two site-local SQLite
+/// stores and never pushes to central itself. The site→central transport is
+/// now live: <c>ClusterClientSiteAuditClient</c> is the production binding of
+/// <see cref="ISiteStreamAuditClient"/> on site roles (with
+/// <c>NoOpSiteStreamAuditClient</c> retained only for central/test composition
+/// roots). The push happens out-of-band: <see cref="SiteAuditTelemetryActor"/>
+/// sweeps the <c>AuditEvent</c> rows this forwarder wrote — they live in SQLite
+/// tagged <see cref="AuditForwardState.Pending"/> — and drains them to central
+/// via that client. A single drain loop therefore covers both the audit-only
+/// emissions and the cached-call emissions this forwarder produces.
 /// </para>
 /// </remarks>
 public sealed class CachedCallTelemetryForwarder : ICachedCallTelemetryForwarder
--- a/src/ScadaLink.Communication/CommunicationService.cs
+++ b/src/ScadaLink.Communication/CommunicationService.cs
@@ -355,6 +355,14 @@ public class CommunicationService
    /// owning site and replies a <see cref="RetrySiteCallResponse"/> carrying a
    /// distinct site-unreachable outcome. Central never mutates the central
    /// <c>SiteCalls</c> mirror row.
+    /// <para>
+    /// This outer Ask uses <see cref="CommunicationOptions.QueryTimeout"/>
+    /// (default 30s), which must outlive the inner site relay Ask the
+    /// <c>SiteCallAuditActor</c> issues with <c>SiteCallAuditOptions.RelayTimeout</c>
+    /// (default 10s). The inner relay must time out first so its distinct
+    /// <c>SiteUnreachable</c> outcome reaches us; were this outer Ask to expire
+    /// first, that outcome would be lost to a generic Ask-timeout exception.
+    /// </para>
    /// </summary>
    public async Task<RetrySiteCallResponse> RetrySiteCallAsync(
        RetrySiteCallRequest request, CancellationToken cancellationToken = default)
--- a/src/ScadaLink.Host/Actors/AkkaHostedService.cs
+++ b/src/ScadaLink.Host/Actors/AkkaHostedService.cs
@@ -681,9 +681,10 @@ akka {{
        // Per Bundle E's brief: the SiteAuditTelemetryActor takes its
        // collaborators through its constructor, so we resolve them from DI
        // and pass them in via Props.Create rather than relying on a future
-        // FactoryProvider. This also lets the M6 follow-up swap the
-        // NoOpSiteStreamAuditClient registration for the real gRPC client
-        // without touching this site wiring.
+        // FactoryProvider. The real site→central client is constructed and
+        // wired immediately below: a ClusterClientSiteAuditClient (ClusterClient
+        // transport, not gRPC) replaces the DI-default NoOpSiteStreamAuditClient
+        // for site roles, without disturbing the rest of this wiring.
        var siteAuditOptions = _serviceProvider
            .GetRequiredService<IOptions<ScadaLink.AuditLog.Site.Telemetry.SiteAuditTelemetryOptions>>();
        var siteAuditQueue = _serviceProvider
--- a/src/ScadaLink.SiteCallAudit/SiteCallAuditOptions.cs
+++ b/src/ScadaLink.SiteCallAudit/SiteCallAuditOptions.cs
@@ -32,6 +32,16 @@ public class SiteCallAuditOptions
    /// reports a <c>SiteUnreachable</c> outcome. Default 10 seconds: long enough
    /// to absorb a healthy cross-cluster round-trip, short enough that an
    /// operator clicking Retry on an offline site gets a fast, honest answer.
+    /// <para>
+    /// <b>Ordering invariant:</b> <c>RelayTimeout</c> must stay below
+    /// <c>CommunicationOptions.QueryTimeout</c> (default 30s), the timeout the
+    /// outer <c>CommunicationService.RetrySiteCallAsync</c>/<c>DiscardSiteCallAsync</c>
+    /// Ask of the <c>SiteCallAuditActor</c> uses. The outer Ask must outlive this
+    /// inner site relay Ask so the inner relay times out first and yields the
+    /// distinct <c>SiteUnreachable</c> outcome; if the outer Ask expired first,
+    /// that outcome would be lost to a generic Ask-timeout exception. The
+    /// defaults (10s &lt; 30s) satisfy this — keep the gap when tuning either.
+    /// </para>
    /// </summary>
    public TimeSpan RelayTimeout { get; set; } = TimeSpan.FromSeconds(10);
 }