#2043 High Availability (HA) Subsystem Improvement

[robfrank]

This pull request addresses several critical issues and improvements in the High Availability (HA) subsystem, focusing on bug fixes, protocol consistency, and test reliability. The main changes include fixing alias resolution for cluster discovery, correcting type mismatches in server removal, re-enabling HTTP address propagation for client redirection, and fixing test assertions in resilience scenarios. Additionally, the CI workflow is updated to properly handle resilience tests.

HA Subsystem Bug Fixes and Improvements:

• Alias Resolution

  • Implemented a resolveAlias() method in HAServer.java to ensure that server addresses containing aliases (e.g., {arcade2}proxy:8667) are correctly resolved to actual host:port values during leader connection, fixing cluster formation issues in Docker/K8s environments.
  • Added comprehensive tests for alias resolution, including edge cases and multiple alias scenarios.

• Server Removal Consistency

  • Updated the removeServer() method in HAServer.java to accept ServerInfo objects instead of String, aligning with the migration to ServerInfo-based replica connection maps. A backward-compatible method accepting String was also added.
  • Added a helper method findByHostAndPort() to HACluster for easier ServerInfo lookups and fixed enum naming conventions for consistency.

• HTTP Address Propagation

  • Re-enabled and updated the mechanism for propagating HTTP addresses from replicas to the leader, allowing clients to be redirected to the correct replica HTTP endpoints. This includes protocol changes where replicas send their HTTP address to the leader during connection, and the leader tracks these addresses in a map.
  • Updated GetServerHandler to return the correct HTTP addresses for client redirection and ensured cleanup of HTTP address mappings when servers are removed.

Test Reliability and Workflow:

• Test Assertion Correction

  • Fixed incorrect assertions in the ThreeInstancesScenarioIT test by removing assertions on a disconnected node (arcade1) and clarifying comments to reflect the actual test scenario, ensuring the test only checks nodes that are connected and can replicate data.

• CI Workflow Update

  • Modified the GitHub Actions workflow to exclude the resilience module from the main integration test job and introduced a dedicated java-resilience-tests job to run resilience-specific tests separately. [1] [2]

These changes collectively improve the robustness, correctness, and maintainability of the HA subsystem and associated tests.

Related issues

#2043

Checklist

• I have run the build using mvn clean package command
• My unit tests cover both failure and success scenarios

[codacy-production]

Coverage summary from Codacy

See diff coverage on Codacy

Coverage variation	Diff coverage
✅ -6.11%	✅ 19.74%

Coverage variation details

	Coverable lines	Covered lines	Coverage
Common ancestor commit (770d240)	103881	57037	54.91%
Head commit (0576387)	105567 (+1686)	51515 (-5522)	48.80% (-6.11%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details

	Coverable lines	Covered lines	Diff coverage
Pull request (#2062)	2153	425	19.74%

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

See your quality gate settings    Change summary preferences

[claude]

Code Review: PR #2062 — HA Subsystem Improvement

Overall, this PR addresses real pain points in the HA subsystem (alias resolution for Docker/K8s, server removal type-safety, HTTP address propagation, circuit breaking, leader fencing). The architectural direction is sound. However there are several issues that should be addressed before merging.

---

Critical Issues

1. Massive accumulation of AI session artifacts committed to the repo

The PR adds 40+ Markdown files that appear to be AI-generated planning notes and session summaries:

• Root-level: 2945-ha-alias-resolution.md, 2946-removeserver-type-mismatch.md, ..., 2973-add-schema-propagation-waits.md, HA_TEST_PHASE1_IMPLEMENTATION_SUMMARY.md, IMPLEMENTATION_SUMMARY_2960.md
• docs/plans/2026-01-13-ha-reliability-improvements-design.md (1485 lines), docs/plans/2026-01-13-ha-test-infrastructure-phase1.md (1571 lines), and many more
• docs/2026-01-15-ha-2server-cluster-fix-results.md, docs/2026-01-19-haserver-investigation-results.md (297 lines), etc.

These do not belong in the repository. They account for the majority of the 33k line additions and will pollute git log, git blame, and repo history permanently. They must be removed before merging.

2. Bug: HA_CIRCUIT_BREAKER_ENABLED description contradicts its default value

In GlobalConfiguration.java:

HA_CIRCUIT_BREAKER_ENABLED("arcadedb.ha.circuitBreaker.enabled", SCOPE.SERVER,
    "Enable circuit breaker ... Default is false", Boolean.class, true),  // actual default is TRUE

The description says "Default is false" but the actual default is true. Pick one and be consistent — for an experimental feature, false is the safer default.

3. ConsistencyMonitor is shipped as dead code

The ConsistencyMonitor.collectChecksums() has a clear TODO stating replica checksum collection requires a new replication protocol command that is not yet implemented. Without cross-replica comparison, the consistency monitor cannot detect drift — its entire purpose. It runs as a background thread wasting resources on leader nodes and querying databases with zero benefit. Either implement it fully or don't merge it yet. Keeping it disabled by default (HA_CONSISTENCY_CHECK_ENABLED defaults to false) reduces the runtime impact, but the incomplete code still adds complexity with no value.

---

Notable Issues

4. LeaderNetworkListener.ready flag race condition

In the constructor:

listen(hostName, hostPortRange);   // binds socket
start();                           // starts thread — can immediately accept connections
ready = true;                      // set AFTER thread has started

The thread's run() loop checks ready and logs a warning if false, but the accepted connection is still processed. Because ready is volatile, the thread can see false during the window between start() and ready = true. The logging is cosmetic; the actual risk is that handleConnection() is called before full initialization is complete. Consider setting ready = true inside listen() after the socket is bound (before start()), or using a CountDownLatch.

5. Unit tests missing for most new components

The PR description mentions "comprehensive tests for alias resolution" but the only new non-Docker tests appear to be in HostUtilTest.java (17 additions). The following new classes have no visible unit tests in server/src/test/:

• LeaderFence — the epoch CAS loop and fencing state machine are non-trivial
• ReplicaCircuitBreaker — state transitions (CLOSED→OPEN→HALF_OPEN→CLOSED) need coverage
• HAServer.resolveAlias() and HAServer.determineServerAliasAndAddress()
• ExceptionCategory categorization logic in Leader2ReplicaNetworkExecutor.categorizeException()

The CLAUDE.md guidance is explicit: "all new server-side code must be tested with a test case" and "write a regression test".

6. HA_ENHANCED_RECONNECTION is EXPERIMENTAL and defaults to false

The config description literally says EXPERIMENTAL: Recovery strategies still being refined. Shipping experimental code guarded by a feature flag is acceptable, but the description and the risk should be documented more clearly in the config itself, and there should be a plan for when it will be promoted or removed.

7. LeaderFence liveness concern: stuck-fenced state

In LeaderFence.validateAndMaybeFence(), if the code detects a newer leader epoch it calls fence(), preventing the current node from accepting writes. unfence() is only called from becomeLeader(). If the new election does not complete (e.g., network partition), the node may remain permanently fenced with no automatic recovery path. Consider a timeout or a reset() path triggered by a watchdog.

---

Minor Issues

8. ServerInfo record could use validation

The ServerInfo record has no validation on construction (empty host, negative port, etc.). Since it represents a replication peer, malformed addresses will produce confusing runtime errors. Adding compact constructor validation would help.

9. DateUtils.formatElapsed() — is this used anywhere?

The method is added but it's not clear it's referenced from production code. If it's only used in tests, it should be in a test utility class. If it's unused, remove it.

10. ConsistencyMonitor.sampleRecords() uses Thread.sleep directly

Thread.sleep(10);  // small delay between type queries

This should use the interrupted flag properly. In a daemon thread that could be shut down, Thread.sleep can throw InterruptedException. The catch block should restore the interrupt flag: Thread.currentThread().interrupt().

11. replicaConnections synchronization in HAServer

replicaConnections is stored as a ConcurrentHashMap (good), but multi-step operations like "check if key exists, then put" appear in several places without compound atomic operations. Consider whether computeIfAbsent / computeIfPresent would be safer than separate containsKey + put calls.

---

Positive Observations

• The resolveAlias() fix for Docker/K8s environments is a real correctness bug and the solution is clean.
• The ServerInfo record with getConnectHost()/getConnectPort() properly distinguishing configured vs. actual addresses is a good design.
• Splitting the resilience tests into a separate CI job (java-resilience-tests) is the right call.
• LeaderEpoch as an immutable record with supersedes() and next() is idiomatic and correct.
• ReplicaCircuitBreaker follows the standard pattern correctly and is readable.
• The state machine in Leader2ReplicaNetworkExecutor.STATUS with validated transitions (canTransitionTo()) prevents invalid state changes.
• Fixing the ThreeInstancesScenarioIT assertion on a disconnected node is a legitimate bug fix.

---

Summary

The PR must remove all the AI-generated .md artifacts before it can be considered for merging. Additionally, the ConsistencyMonitor should either be completed or deferred, the HA_CIRCUIT_BREAKER_ENABLED default/description mismatch must be fixed, and unit tests for the new server-side components are required per project guidelines.