chore(pegboard): log explicit gc reason for pending requests

[NathanFlurry]

No description provided.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
rivetkit-serverless	Ready	Preview	Comment	Nov 4, 2025 8:26pm

3 Skipped Deployments

Project	Deployment	Preview	Comments	Updated (UTC)
rivet-cloud	Ignored			Nov 4, 2025 8:26pm
rivet-inspector	Ignored	Preview		Nov 4, 2025 8:26pm
rivet-site	Ignored	Preview		Nov 4, 2025 8:26pm

[NathanFlurry]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• ci: trigger rust ci for generated bare artifacts #3346
• chore(rivetkit): debounce ws message ack #3345
• chore(rivetkit): auto-update auto-start engine version #3344
• chore(guard): handle cors on the gateway #3341
• chore(guard): add support for routing runner ws to /runners/connect #3340
• chore(guard): simplify gateway routing #3339
• fix(guard): include method in cache key #3338
• chore(engine): move smoke test to engine/tests/ #3337
• chore(rivetkit): add debug logging around sleep condition #3336
• fix(rivetkit): fix conns not being cleaned up if actor.createConn errors #3335
• fix(rivetkit): fix not pino bindings #3334
• chore(rivetkit): fmt #3331
• chore(rivetkit): correctly stringify engine runner request ids for logs #3330
• fix(rivetkit): ack ws messages #3329
• chore(runner): decrease timeout to 15s #3328
• chore(pegboard): log explicit gc reason for pending requests #3327 👈 (View in Graphite)
• fix(pegboard): fix tunnel ack from gateway #3326
• fix(rivetkit): explicitly handle errors in _onStop #3325
• chore(rivetkit): document sleep sequence better #3324
• fix(runner): close active requests after onActorStop has finished running #3323
• fix(runner): fix http requests not returning 503 when actor removed #3322
• fix(runner): dupe onActorStop call #3321
• chore: add rivetkit test writer agent #3320
• fix(rivetkit): prevent sleeping if there are any action hono requests, fixes inspector requests not resetiting sleep timer #3319
• chore(rivetkit): pass request id from driver to conn so we can correlate underlying requests with connections #3318
• chore(rivetkit): improve conn inspector properties #3317
• fix(rivetkit): don't throw error if websocket is not open, causing realtime to break after a connection disconnects #3316
• chore(smoke-test): add simple http test #3315
• chore(scripts): tee run logs to file #3314
• chore(engine): add db nuke subcommand #3313
• fix(rivetkit): fix "Method get ArrayBuffer.prototype.byteLength called on incompatible receiver #<ArrayBuffer>" #3312
• chore(scripts): add engine shell command #3311
• chore: set minimum node version to 20 #3310
• fix(fe): show connect page when there are no runner configs but runner names #3298 : 1 other dependent PR (#3306 )
• chore(rivetkit): log version with error logs #3303
• chore(rivetkit): log close code & reason in disconnect warning #3302
• feat(rivetkit): integrate websocket hibernation #3301
• fix: use correct vbare functions for runner tunnel #3300 : 1 other dependent PR (#3332 )
• feat(grafana): fix api dashboards #3193
• fix: docker compose build #3273
• chore: fix remaining warnings for all targets #3305
• fix(gas): fix from_workflow when creating standalone ctx from op ctx #3342
• ci: udpate ci filter to succeed if no relevant changes #3343
• main

---

How to use the Graphite Merge Queue

Add the label merge-queue to this PR to add it to the merge queue.

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

This stack of pull requests is managed by Graphite. Learn more about stacking.

[claude]

Code Review: PR #3327 - Log explicit GC reason for pending requests

Summary

This PR improves debugging visibility by adding explicit logging of the reason why in-flight requests are being garbage collected. The refactoring changes the GC logic from a boolean flag to an enum-based reason system.

Positive Aspects

✅ Improved Observability: Adding explicit GC reasons (MessageNotAcked vs WebSocketMessageNotAcked) makes debugging timeout issues much easier.

✅ Better Code Structure: The enum-based approach is more explicit and self-documenting than the previous boolean keep variable.

✅ Follows Project Conventions:

• Uses structured logging with tracing (?reason, request_id=?Uuid::from_bytes(*request_id))
• Lowercase log message ("gc collecting in flight request")
• Proper use of let-chains for nested Option checks

✅ Logic Correctness: The timeout logic has been inverted correctly (using <= instead of > and reversing the return logic).

Issues & Concerns

🐛 Critical Logic Bug

Lines 428-432 and 438-442: The timeout comparison logic is inverted. The current code breaks to return Some(reason) when the duration is less than or equal to the timeout, which means requests that are still within the valid time window will be marked for GC.

Current (incorrect) logic:

if now.duration_since(earliest_pending_msg.send_instant) <= MESSAGE_ACK_TIMEOUT {
    break 'reason Some(MsgGcReason::MessageNotAcked);  // Wrong!
}

Should be:

if now.duration_since(earliest_pending_msg.send_instant) > MESSAGE_ACK_TIMEOUT {
    break 'reason Some(MsgGcReason::MessageNotAcked);
}

This will cause premature garbage collection of requests that are still waiting for acknowledgments within the valid 30-second timeout window.

Original code comparison:

// Old code (correct):
keep = now.duration_since(earliest_pending_msg.send_instant) > MESSAGE_ACK_TIMEOUT;
// If duration > timeout, keep=true (don't GC)
// If duration <= timeout, keep=false (do GC) ❌ Wait, this was also wrong!

Actually, reviewing the original code more carefully:

keep = now.duration_since(earliest_pending_msg.send_instant) > MESSAGE_ACK_TIMEOUT;
// Then at the end: if !keep { gc() }

So the original logic was: if duration > timeout, then keep=true (don't GC). The new code should maintain this behavior.

The new code returns reason.is_none() to indicate keep, so:

• None = keep (don't GC)
• Some(reason) = don't keep (do GC)

Therefore, you want to set Some(reason) when duration exceeds timeout:

if now.duration_since(earliest_pending_msg.send_instant) > MESSAGE_ACK_TIMEOUT {
    break 'reason Some(MsgGcReason::MessageNotAcked);
}

⚠️ Minor: Named Loop Label

Line 426: Using a labeled block 'reason: is clever but might be less idiomatic. Consider extracting this into a helper method for better readability:

fn check_gc_reason(req: &InFlightRequest, now: Instant) -> Option<MsgGcReason> {
    if let Some(earliest_pending_msg) = req.pending_msgs.first() {
        if now.duration_since(earliest_pending_msg.send_instant) > MESSAGE_ACK_TIMEOUT {
            return Some(MsgGcReason::MessageNotAcked);
        }
    }

    if let Some(hs) = &req.hibernation_state
        && let Some(earliest_pending_ws_msg) = hs.pending_ws_msgs.first()
    {
        if now.duration_since(earliest_pending_ws_msg.send_instant) > MESSAGE_ACK_TIMEOUT {
            return Some(MsgGcReason::WebSocketMessageNotAcked);
        }
    }

    None
}

This would make the main GC loop cleaner and easier to test.

Recommendations

1. Fix the timeout comparison logic (critical - see above)
2. Consider adding unit tests for the GC logic to prevent regression
3. Consider extracting the reason check into a separate function for testability

Test Coverage

No tests are modified in this PR. Given that this changes critical timeout logic, consider adding tests for:

• GC behavior when messages timeout
• GC behavior when messages are still within timeout window
• Different GC reasons being logged correctly

---

Overall, the approach is good and improves debugging capabilities, but the logic bug needs to be fixed before merging.

🤖 Generated with Claude Code

[claude]

Code Review

Summary

This PR improves observability in the garbage collection process by adding explicit logging for why pending requests are being GC'd. The refactoring makes the timeout logic clearer and adds structured logging to track which condition triggered the cleanup.

Positive Observations

✅ Improved Observability: Adding the MsgGcReason enum with debug logging significantly improves troubleshooting capabilities. This will make it much easier to diagnose timeout issues in production.

✅ Better Code Structure: The refactored logic using a labeled block ('reason:) is cleaner and more explicit than the previous approach with the keep flag.

✅ Structured Logging: Following the project's structured logging conventions correctly (using ?reason instead of formatting into the message).

✅ Correct Naming: Using lowercase log messages per CLAUDE.md conventions.

Issues & Concerns

🐛 Critical Bug: Inverted Logic

Lines 428-432 and 438-442: The timeout logic appears to be inverted. The code currently GCs requests when the duration is less than or equal to the timeout, but it should GC when the duration is greater than:

// Current (incorrect):
if now.duration_since(earliest_pending_msg.send_instant) <= MESSAGE_ACK_TIMEOUT {
    break 'reason Some(MsgGcReason::MessageNotAcked);
}

// Should be:
if now.duration_since(earliest_pending_msg.send_instant) > MESSAGE_ACK_TIMEOUT {
    break 'reason Some(MsgGcReason::MessageNotAcked);
}

The original code had:

keep = now.duration_since(earliest_pending_msg.send_instant) > MESSAGE_ACK_TIMEOUT;

Which meant "keep the request if the timeout has NOT been exceeded" (duration is still within timeout). The new logic incorrectly inverts this.

Impact: This will cause requests to be GC'd immediately if they're within the timeout period, rather than waiting for them to actually timeout. This is a critical functional regression.

Recommendation: Change both <= operators to > on lines 429 and 439.

📝 Minor: Incomplete Logging Context

The request_id is logged, but additional context like send_instant or elapsed_duration could be helpful for debugging timeout issues:

tracing::debug!(
    request_id=?Uuid::from_bytes(*request_id),
    ?reason,
    elapsed_ms = now.duration_since(earliest_send_instant).as_millis(),
    "gc collecting in flight request"
);

This would help operators understand how far past the timeout a request was when collected.

Testing Recommendations

• Add a unit test to verify requests are only GC'd after MESSAGE_ACK_TIMEOUT has elapsed, not before
• Verify the logging output in logs to ensure the reason is captured correctly
• Test both GC paths (regular messages and WebSocket messages)

Performance Considerations

No performance concerns - the refactoring maintains similar performance characteristics.

Security Considerations

No security issues identified.

---

Verdict: ❌ Request Changes - The inverted timeout logic is a critical bug that needs to be fixed before merging.

[claude]

Code Review

Summary

This PR improves observability in the garbage collection logic by adding explicit logging of GC reasons when pending requests timeout. The changes refactor the conditional logic to be more explicit and easier to debug.

Positive Changes ✓

1. Better Observability: Adding structured logging with explicit GC reasons makes debugging timeout issues much easier
2. Improved Code Clarity: The refactored logic using a labeled block ('reason) makes the intent clearer than the previous keep variable approach
3. Structured Logging: Correctly uses tracing's structured logging pattern with ?reason and request_id=?Uuid::from_bytes(*request_id), following the project conventions from CLAUDE.md
4. Documentation: The enum variants include doc comments explaining what each GC reason represents

Logic Issue Found ⚠️

There's a critical logic bug in the timeout comparison operators. The conditions are inverted:

Lines 428-430 and 438-440:

if now.duration_since(earliest_pending_msg.send_instant) <= MESSAGE_ACK_TIMEOUT {
    break 'reason Some(MsgGcReason::MessageNotAcked);
}

This says "if the message age is less than or equal to the timeout, mark it for GC". This is backwards!

Expected behavior: Messages should be GC'd when they've been pending longer than the timeout
Current behavior: Messages are GC'd when they're newer than the timeout

Fix Required

Change <= to > in both comparisons:

if now.duration_since(earliest_pending_msg.send_instant) > MESSAGE_ACK_TIMEOUT {
    break 'reason Some(MsgGcReason::MessageNotAcked);
}

And similarly for line 438-440 with WebSocketMessageNotAcked.

Original Logic Verification

Looking at the original code, it used:

keep = now.duration_since(earliest_pending_msg.send_instant) > MESSAGE_ACK_TIMEOUT;

This was correct - it kept messages that hadn't exceeded the timeout (> returns false for old messages). The refactor accidentally inverted this by using <= instead of >.

Additional Observations

1. Let-chain usage: Good use of let-chain syntax on lines 435-436 combining optional checks
2. Comment clarity: The comment on line 457 "Return true if the request was not gc'd" is helpful
3. Consistent style: Code follows project formatting with hard tabs

Recommendation

Fix the comparison operators before merging to prevent incorrect GC behavior that would cause requests to be prematurely terminated.

[vercel]

Deployment failed with the following error:

Too many requests - try again in 5 minutes (more than 120, code: "api-deployments-flood-pro").

Learn More: https://vercel.com/docs/limits#rate-limits

[claude]

Code Review

Summary

This PR improves observability in the pegboard gateway's garbage collection logic by adding explicit logging when in-flight requests are collected, along with the specific reason for collection.

Positive Changes

✅ Improved Observability: The addition of explicit GC reasons (MessageNotAcked vs WebSocketMessageNotAcked) makes debugging much easier. When requests are timing out, you'll now know exactly which type of message failed to be acknowledged.

✅ Better Code Structure: The refactoring using a labeled block ('reason) and enum makes the control flow clearer and more maintainable than the previous boolean-based approach.

✅ Follows Logging Conventions: The logging follows the project's structured logging patterns correctly:

• Uses tracing::debug! appropriately for GC events
• Properly formats the message in lowercase: "gc collecting in flight request"
• Uses structured fields with ?reason and request_id rather than string interpolation

✅ Logic Correctness: The timeout logic has been inverted correctly. The old code kept requests when duration > timeout (incorrect), while the new code GCs requests when duration > timeout (correct, based on the logic inversion at line 458).

Minor Observations

Logic Clarity: The condition on lines 428-431 might be slightly confusing on first read:

The code breaks with a GC reason when the message is not yet timed out, which feels counterintuitive. However, this is correct because the final check inverts the logic - requests are kept when reason.is_none(), meaning they haven't exceeded the timeout yet.

Consider adding a clarifying comment to make it more explicit that we're checking if the timeout has been exceeded, but this is optional - the current implementation is correct.

Test Coverage

No tests were added, but this is reasonable for a logging/observability improvement that doesn't change functional behavior.

Performance & Security

• ✅ No performance concerns - the enum is zero-cost and only instantiated when GC occurs
• ✅ No security concerns

Conclusion

Approved - This is a solid observability improvement that will help with debugging timeout issues in production. The code is correct, follows conventions, and makes the GC logic more maintainable.

---

🤖 Review generated by Claude Code

[claude]

Code Review

Summary

This PR improves observability in the garbage collection process by adding explicit logging for the reason why pending requests are being collected. The changes introduce a MsgGcReason enum to distinguish between two timeout scenarios.

Positive Aspects ✅

1. Improved Observability: The addition of explicit GC reason logging will make debugging timeout issues significantly easier. Being able to distinguish between regular message timeouts and WebSocket message timeouts is valuable for troubleshooting.

2. Code Clarity: The refactored logic using labeled blocks ('reason) is more explicit about the control flow and makes the timeout detection logic easier to follow.

3. Follows Logging Conventions: The logging properly uses structured logging with ?reason and request_id, following the tracing patterns from CLAUDE.md.

Issues & Concerns ⚠️

Critical: Logic Inversion Bug 🐛

Location: Lines 428-432 and 438-442

The timeout logic appears to be inverted. The current code breaks with Some(MsgGcReason::...) when the duration is LESS THAN OR EQUAL TO the timeout, but it should be the opposite.

Current (incorrect) logic:

if now.duration_since(earliest_pending_msg.send_instant) <= MESSAGE_ACK_TIMEOUT {
    break 'reason Some(MsgGcReason::MessageNotAcked);
}

This means:

• If the message is fresh (< 30s old) → it gets marked for GC ❌
• If the message is stale (> 30s old) → it stays alive ❌

Expected (correct) logic:

if now.duration_since(earliest_pending_msg.send_instant) > MESSAGE_ACK_TIMEOUT {
    break 'reason Some(MsgGcReason::MessageNotAcked);
}

Original code for comparison:
The original code used:

keep = now.duration_since(earliest_pending_msg.send_instant) > MESSAGE_ACK_TIMEOUT;

Where keep = true means "keep the request" and keep = false means "GC it". The new code inverted this by checking <= MESSAGE_ACK_TIMEOUT instead of > MESSAGE_ACK_TIMEOUT.

Impact: This is a critical bug that would cause premature GC of active requests and keep stale requests alive indefinitely.

Recommendations

1. Fix the logic inversion by changing <= to > on lines 428-429 and 438-439
2. Add unit tests for the GC logic to prevent similar issues. Consider testing:
   • Requests with messages within timeout window should be kept
   • Requests with messages beyond timeout should be GC'd
   • WebSocket hibernation timeout scenarios
   • Closed channel handling
3. Consider integration testing with actual timeout scenarios to validate the end-to-end behavior

Minor Suggestions

1. The comment on line 406 says "Any tunnel message not acked (TunnelAck)" but could be clearer as "Tunnel message exceeded ack timeout"
2. Consider adding a metric counter for GC events by reason to track this in production

Style & Conventions ✅

• Follows Rust formatting conventions
• Proper use of structured logging per CLAUDE.md
• Good use of labeled blocks for early exit logic
• Enum naming follows conventions

---

Action Required: Please fix the logic inversion bug before merging. This is blocking.

[graphite-app]

Merge activity

• Nov 4, 8:09 PM UTC: NathanFlurry added this pull request to the Graphite merge queue.
• Nov 4, 8:11 PM UTC: CI is running for this pull request on a draft pull request (#3349) due to your merge queue CI optimization settings.
• Nov 4, 8:41 PM UTC: The Graphite merge queue removed this pull request due to removal of a downstack PR #3342.
• Nov 4, 8:52 PM UTC: NathanFlurry added this pull request to the Graphite merge queue.
• Nov 4, 8:53 PM UTC: CI is running for this pull request on a draft pull request (#3353) due to your merge queue CI optimization settings.
• Nov 4, 8:56 PM UTC: Merged by the Graphite merge queue via draft PR: #3353.

[claude]

PR Review: Log explicit GC reason for pending requests

Summary

This PR improves observability in the garbage collection logic by adding explicit logging of why in-flight requests are being collected. The refactoring makes the code more maintainable and debuggable.

Positive Aspects

✅ Improved Observability: Adding explicit logging with the GC reason (MessageNotAcked vs WebSocketMessageNotAcked) will make debugging timeout issues much easier.

✅ Better Code Structure: The refactoring from a mutable keep flag to an explicit reason: Option<MsgGcReason> makes the control flow clearer and easier to reason about.

✅ Follows Logging Conventions: The logging follows the repository's structured logging patterns using tracing::debug! with field parameters (request_id=?, ?reason).

✅ Appropriate Debug Level: Using debug! level for GC collection events is appropriate - this is detailed operational information that's useful for troubleshooting but not critical for normal operation.

Issues Found

🐛 Critical Bug: Inverted Timeout Logic

The timeout comparison logic is inverted on lines 428-430 and 438-440:

if now.duration_since(earliest_pending_msg.send_instant) <= MESSAGE_ACK_TIMEOUT {
    break 'reason Some(MsgGcReason::MessageNotAcked);
}

This says "if the message age is less than or equal to the timeout, mark it for GC". This is backwards!

Expected behavior: GC should happen when duration > MESSAGE_ACK_TIMEOUT (message is too old)
Current behavior: GC happens when duration <= MESSAGE_ACK_TIMEOUT (message is still fresh)

The original code had:

keep = now.duration_since(earliest_pending_msg.send_instant) > MESSAGE_ACK_TIMEOUT;

Which correctly kept the request when duration was greater than timeout (meaning it should be GC'd).

Fix: Change both conditions from <= to >:

if now.duration_since(earliest_pending_msg.send_instant) > MESSAGE_ACK_TIMEOUT {
    break 'reason Some(MsgGcReason::MessageNotAcked);
}

And similarly for the WebSocket message check.

Minor Suggestions

Documentation: Consider adding a doc comment to the MsgGcReason enum explaining the timeout threshold (30s) and what "not acked" means in this context.

Variable Naming: The variable reason might be more clearly named gc_reason to be explicit about what it represents.

Test Coverage

⚠️ Testing Recommendation: This bug would likely be caught by integration tests that verify:

1. Requests are NOT GC'd before MESSAGE_ACK_TIMEOUT (30s)
2. Requests ARE GC'd after MESSAGE_ACK_TIMEOUT
3. The correct timeout reason is logged

Consider adding tests in /home/runner/work/rivet/rivet/engine/packages/pegboard-gateway/tests/ to verify this behavior.

Security & Performance

✔️ Security: No security concerns identified
✔️ Performance: The refactoring has minimal performance impact. The additional enum allocation is negligible.

---

Action Required: Please fix the inverted timeout logic before merging.