perf(retry): add jitter to all retry/backoff delays

[ariel-formance]

Summary

• Replace deterministic fixed waits with base + rand(0, base/2) jitter across all retry and periodic-wait sites
• Prevents thundering herd when multiple ledger instances recover from the same failure simultaneously
• Affected sites: TooManyClient DB retries, replication pipeline push-error and pull-error retries, replication manager sync period, driver facade startup retries

Changed files

File	Site
internal/controller/ledger/controller_with_too_many_client_handling.go	DB too-many-clients retry
internal/replication/pipeline.go	push-error retry + pull-error retry
internal/replication/manager.go	pipeline sync loop
internal/replication/driver_facade.go	exporter startup retry

Skipped: cron-scheduled workers (naturally staggered), deadlock retry (intentionally immediate), client SDK (already has ±25% jitter).

Test plan

• Existing unit tests pass (go test ./internal/...)
• Replication integration tests pass
• Manual: start multiple worker instances against a shared DB; confirm retry storms no longer pile up on the same tick in logs

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: be3eecb2-4e4e-435a-b8e7-cbdc338f05bf

📥 Commits

Reviewing files that changed from the base of the PR and between b0f251f and 4083cd3.

📒 Files selected for processing (1)

• internal/replication/manager_test.go

---

Walkthrough

Adds randomized jitter (about up to half the base interval) to retry and periodic timers in the ledger controller and replication subsystem; several period setters are clamped to a minimum of 2. No public APIs or signatures changed.

Changes

Retry and Timer Jitter Additions

Layer / File(s)	Summary
Ledger controller retry backoff jitter internal/controller/ledger/controller_with_too_many_client_handling.go	Retries for postgres.ErrTooManyClient now wait delay + rand.Int63n(max(delay/2, 1)) instead of a fixed delay.
DriverFacade startup retry jitter internal/replication/driver_facade.go	Startup retry loop now waits retryInterval + rand.Int63n(retryInterval/2) and newDriverFacade clamps retryInterval to >= 2.
Manager periodic sync jitter internal/replication/manager.go	Manager Run uses m.syncPeriod + rand.Int63n(m.syncPeriod/2) for periodic wakeups; WithSyncPeriod clamps values < 2 to 2.
Pipeline fetch and push-retry jitter and clamps internal/replication/pipeline.go	Fetch loop and exporter push-retry waits now add jitter up to half the base interval; WithPullPeriod and WithPushRetryPeriod clamp durations < 2 to 2.
Tests and imports internal/controller/ledger/controller_with_too_many_client_handling_test.go, internal/replication/manager_test.go, internal/replication/pipeline_test.go	Added cancellable-context subtest for retry cancellation and unit tests asserting minimum duration enforcement and pipeline retry/stop behaviors.

Sequence Diagram — DriverFacade startup retry

sequenceDiagram
  participant DriverFacade
  participant Timer
  participant Driver
  DriverFacade->>Driver: Start()
  Driver-->>DriverFacade: error (startup failure)
  DriverFacade->>Timer: wait retryInterval + jitter
  Timer-->>DriverFacade: timer fires
  DriverFacade->>Driver: Start() (retry)

Loading

Sequence Diagram — Pipeline fetch and push-retry

sequenceDiagram
  participant Manager
  participant Storage
  participant PipelineHandler
  participant TimerPull
  participant Exporter
  participant TimerPushRetry

  Manager->>Storage: ListEnabledPipelines()
  Storage-->>Manager: pipelines
  Manager->>PipelineHandler: start fetch loop
  PipelineHandler->>TimerPull: wait PullInterval + jitter
  TimerPull-->>PipelineHandler: timer fires -> ListLogs
  PipelineHandler->>Exporter: Accept(log)
  Exporter-->>PipelineHandler: error
  PipelineHandler->>TimerPushRetry: wait PushRetryPeriod + jitter
  TimerPushRetry-->>PipelineHandler: retry Accept

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

I nibble logs and count the ticks,
A jittered hop avoids the mix,
Retries now wander, soft and small,
Timers dance so none may fall,
Hoppy code keeps systems brisk. 🐰

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 25.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: adding jitter to retry and backoff delays across the codebase to prevent thundering herd problems.
Description check	✅ Passed	The description is directly related to the changeset, clearly explaining the purpose, affected sites, and test plan for adding jitter to retry delays.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch perf/retry-jitter

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

internal/controller/ledger/controller_with_too_many_client_handling.go (1)

232-239: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Guard jitter bounds in handleRetry to prevent rand.Int63n(0/negative) panics

internal/controller/ledger/controller_with_too_many_client_handling.go checks only delay == 0, but delay == 1ns makes int64(delay/2)==0, so rand.Int63n(0) panics (same for any negative delay). The retry jitter needs a delay/2 > 0 guard.

💡 Proposed fix

 			delay := delayCalculator.Next(count)
-			if delay == 0 {
+			if delay <= 0 {
 				return err
 			}
+			wait := delay
+			if delay > 1 {
+				wait += time.Duration(rand.Int63n(int64(delay / 2)))
+			}
 			select {
 			case <-ctx.Done():
 				return ctx.Err()
-			case <-time.After(delay + time.Duration(rand.Int63n(int64(delay/2)))):
+			case <-time.After(wait):
 				count++
 				span.SetAttributes(attribute.Int("retry", count))
 				continue

Similar unguarded rand.Int63n(interval/2) jitter patterns exist in internal/replication/pipeline.go, internal/replication/driver_facade.go, and internal/replication/manager.go.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/controller/ledger/controller_with_too_many_client_handling.go`
around lines 232 - 239, The retry jitter uses rand.Int63n(delay/2) and can panic
when delay <= 1ns (or negative); update handleRetry to compute a safe
jitterBound = int64(delay/2) and only call rand.Int63n(jitterBound) when
jitterBound > 0 (otherwise use zero jitter or a fixed minimal sleep), and
replace the current time.After(delay +
time.Duration(rand.Int63n(int64(delay/2)))) with time.After(delay +
time.Duration(jitter)) where jitter is guarded. Apply the same safe-guarded
pattern to the similar jitter uses in internal/replication/pipeline.go,
internal/replication/driver_facade.go, and internal/replication/manager.go (look
for rand.Int63n(interval/2) occurrences).

🧹 Nitpick comments (1)

internal/replication/driver_facade.go (1)

45-45: ⚡ Quick win

Retry jitter Int63n panics only if retryInterval <= 0; current code path is safe

rand.Int63n(int64(c.retryInterval/2)) would panic when c.retryInterval/2 <= 0 (at internal/replication/driver_facade.go:45), but DriverFacade is only constructed in internal/replication/manager.go with 2*time.Second, so this should not occur today. Add a small validation/guard in newDriverFacade to prevent future regressions.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/replication/driver_facade.go` at line 45, The retry jitter
expression can panic if retryInterval/2 <= 0; add a guard in newDriverFacade to
validate and normalize the provided retryInterval (e.g., if c.retryInterval <= 0
then set it to a sensible default like 2*time.Second or return an error) before
constructing the DriverFacade so that the field used by the select case
(retryInterval) is guaranteed > 0; update newDriverFacade to enforce this
invariant for DriverFacade.retryInterval to prevent rand.Int63n panics.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/replication/manager.go`:
- Line 278: The sync timer jitter can panic when m.syncPeriod/2 <= 0; update the
code that sets m.syncPeriod (the WithSyncPeriod method and any place using
cfg.SyncPeriod) to validate and clamp the provided period to a safe positive
minimum (e.g., enforce m.syncPeriod > 0), and ensure the jitter calculation
before time.After uses a non‑zero positive value (compute jitter using a
max(minJitter, m.syncPeriod/2) or otherwise ensure the argument to rand.Int63n
is > 0) so the time.After expression with rand.Int63n cannot panic.

---

Outside diff comments:
In `@internal/controller/ledger/controller_with_too_many_client_handling.go`:
- Around line 232-239: The retry jitter uses rand.Int63n(delay/2) and can panic
when delay <= 1ns (or negative); update handleRetry to compute a safe
jitterBound = int64(delay/2) and only call rand.Int63n(jitterBound) when
jitterBound > 0 (otherwise use zero jitter or a fixed minimal sleep), and
replace the current time.After(delay +
time.Duration(rand.Int63n(int64(delay/2)))) with time.After(delay +
time.Duration(jitter)) where jitter is guarded. Apply the same safe-guarded
pattern to the similar jitter uses in internal/replication/pipeline.go,
internal/replication/driver_facade.go, and internal/replication/manager.go (look
for rand.Int63n(interval/2) occurrences).

---

Nitpick comments:
In `@internal/replication/driver_facade.go`:
- Line 45: The retry jitter expression can panic if retryInterval/2 <= 0; add a
guard in newDriverFacade to validate and normalize the provided retryInterval
(e.g., if c.retryInterval <= 0 then set it to a sensible default like
2*time.Second or return an error) before constructing the DriverFacade so that
the field used by the select case (retryInterval) is guaranteed > 0; update
newDriverFacade to enforce this invariant for DriverFacade.retryInterval to
prevent rand.Int63n panics.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 1988a191-aab6-4038-90dd-bf55e452eb2e

📥 Commits

Reviewing files that changed from the base of the PR and between 01ccc04 and a67b538.

📒 Files selected for processing (4)

• internal/controller/ledger/controller_with_too_many_client_handling.go
• internal/replication/driver_facade.go
• internal/replication/manager.go
• internal/replication/pipeline.go

[codecov]

Codecov Report

❌ Patch coverage is 76.92308% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 81.20%. Comparing base (d81ce89) to head (b0f251f).
⚠️ Report is 2 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/replication/driver_facade.go	66.66%	1 Missing ⚠️
internal/replication/manager.go	66.66%	1 Missing ⚠️
internal/replication/pipeline.go	83.33%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1354      +/-   ##
==========================================
+ Coverage   80.36%   81.20%   +0.83%     
==========================================
  Files         205      205              
  Lines       11104    11109       +5     
==========================================
+ Hits         8924     9021      +97     
+ Misses       1585     1550      -35     
+ Partials      595      538      -57     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[gfyrag]

the jitter is legit on the retry following too many clients, but the orh

[coderabbitai]

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/replication/manager_test.go`:
- Around line 50-58: The test TestNewDriverFacadeMinimumRetryInterval asserts
the wrong time unit for facade.retryInterval; change the expectation from
time.Duration(2) (2 nanoseconds) to 2 * time.Second so it matches the intended
minimum retry interval used by newDriverFacade and the retryInterval field.
- Around line 42-48: The test TestWithSyncPeriodMinimum asserts the wrong unit
(2 nanoseconds) for the minimum sync period; update the assertion to expect 2
seconds instead. Locate the test function TestWithSyncPeriodMinimum, which
constructs m := &Manager{} and calls WithSyncPeriod(1)(m), and change the
require.Equal call to compare m.syncPeriod with time.Duration(2)*time.Second (or
simply 2*time.Second) so the minimum syncPeriod is asserted in seconds rather
than nanoseconds.

In `@internal/replication/pipeline_test.go`:
- Around line 48-54: The test TestWithPushRetryPeriodMinimum asserts the wrong
time unit (2 nanoseconds) for the minimum push retry period; update the
expectation to use seconds by asserting config.PushRetryPeriod equals 2 *
time.Second after calling WithPushRetryPeriod(1) on PipelineHandlerConfig so the
test checks a 2-second minimum instead of time.Duration(2); locate the assertion
in TestWithPushRetryPeriodMinimum and replace time.Duration(2) with 2 *
time.Second referencing PipelineHandlerConfig, WithPushRetryPeriod and
PushRetryPeriod.
- Around line 40-46: The test TestWithPullPeriodMinimum is asserting
time.Duration(2) (2 nanoseconds) instead of a 2-second minimum; update the
assertion to compare config.PullInterval against 2 * time.Second so the
PipelineHandlerConfig minimum pull interval set by WithPullPeriod is validated
in seconds (e.g., require.Equal(t, 2 * time.Second, config.PullInterval)),
keeping references to TestWithPullPeriodMinimum, PipelineHandlerConfig,
WithPullPeriod and config.PullInterval to locate the change.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: a1ddceb2-e7be-4327-933b-64421aace7f4

📥 Commits

Reviewing files that changed from the base of the PR and between 0065790 and 567cf9b.

📒 Files selected for processing (3)

• internal/controller/ledger/controller_with_too_many_client_handling_test.go
• internal/replication/manager_test.go
• internal/replication/pipeline_test.go

[coderabbitai]

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Incorrect time unit in assertion.

The test expects time.Duration(2), which equals 2 nanoseconds. For a pull period minimum, this should be 2 * time.Second. A 2-nanosecond minimum makes no practical sense in this polling context.

🐛 Proposed fix

 func TestWithPullPeriodMinimum(t *testing.T) {
 	t.Parallel()
 
 	config := PipelineHandlerConfig{}
 	WithPullPeriod(1)(&config)
-	require.Equal(t, time.Duration(2), config.PullInterval)
+	require.Equal(t, 2*time.Second, config.PullInterval)
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	func TestWithPullPeriodMinimum(t *testing.T) {
	t.Parallel()
	config := PipelineHandlerConfig{}
	WithPullPeriod(1)(&config)
	require.Equal(t, time.Duration(2), config.PullInterval)
	}
	func TestWithPullPeriodMinimum(t *testing.T) {
	t.Parallel()
	config := PipelineHandlerConfig{}
	WithPullPeriod(1)(&config)
	require.Equal(t, 2*time.Second, config.PullInterval)
	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/replication/pipeline_test.go` around lines 40 - 46, The test
TestWithPullPeriodMinimum is asserting time.Duration(2) (2 nanoseconds) instead
of a 2-second minimum; update the assertion to compare config.PullInterval
against 2 * time.Second so the PipelineHandlerConfig minimum pull interval set
by WithPullPeriod is validated in seconds (e.g., require.Equal(t, 2 *
time.Second, config.PullInterval)), keeping references to
TestWithPullPeriodMinimum, PipelineHandlerConfig, WithPullPeriod and
config.PullInterval to locate the change.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Incorrect time unit in assertion.

The test expects time.Duration(2), which equals 2 nanoseconds. For a push retry period minimum, this should be 2 * time.Second. A 2-nanosecond minimum makes no practical sense in this retry context.

🐛 Proposed fix

 func TestWithPushRetryPeriodMinimum(t *testing.T) {
 	t.Parallel()
 
 	config := PipelineHandlerConfig{}
 	WithPushRetryPeriod(1)(&config)
-	require.Equal(t, time.Duration(2), config.PushRetryPeriod)
+	require.Equal(t, 2*time.Second, config.PushRetryPeriod)
 }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/replication/pipeline_test.go` around lines 48 - 54, The test
TestWithPushRetryPeriodMinimum asserts the wrong time unit (2 nanoseconds) for
the minimum push retry period; update the expectation to use seconds by
asserting config.PushRetryPeriod equals 2 * time.Second after calling
WithPushRetryPeriod(1) on PipelineHandlerConfig so the test checks a 2-second
minimum instead of time.Duration(2); locate the assertion in
TestWithPushRetryPeriodMinimum and replace time.Duration(2) with 2 * time.Second
referencing PipelineHandlerConfig, WithPushRetryPeriod and PushRetryPeriod.

[ariel-formance]

the jitter is legit on the retry following too many clients, but the orh

What is orh?

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/replication/manager_test.go`:
- Around line 73-90: The test is racing because Stop may run before Start is
actually entered; modify the mock Start expectation to signal when Start begins
(e.g., create a startedChan and in
mockDriver.EXPECT().Start(...).DoAndReturn(func(ctx context.Context) error {
startedChan <- struct{}{}; <-blockStart; return ctx.Err() }) ) then wait on that
startedChan after calling facade.Run() and before cancelling stopCtx/calling
facade.Stop so the test deterministically exercises stopping while the driver is
starting; keep the existing blockStart, facade.Run, and facade.Stop usage but
add the startedChan synchronization.

🪄 Autofix (Beta)

✅ Autofix completed

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 2a1a9470-9f66-4ed7-9c17-ae77090feb99

📥 Commits

Reviewing files that changed from the base of the PR and between 567cf9b and b0f251f.

📒 Files selected for processing (2)

• internal/replication/manager_test.go
• internal/replication/pipeline_test.go

[coderabbitai]

Note

Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it.

Fixes Applied Successfully

Fixed 1 file(s) based on 1 unresolved review comment.

Files modified:

• internal/replication/manager_test.go

Commit: 4083cd3009a42b1b5bba3997de52b54142f7f850

The changes have been pushed to the perf/retry-jitter branch.

Time taken: 2m 36s