Auto-unsubscribe after 3 consecutive permanent fan-out failures #7

New issue

Open

opened 2026-05-13 18:45:36 +02:00 by arne · 0 comments

arne commented

2026-05-13 18:45:36 +02:00

Owner

What to build

Operational hygiene for the fan-out outbox: drop subscribers whose URLs have clearly gone away.

State:

Add `consecutive_perm_failures INT DEFAULT 0` column to `subscribers`.

Outbox-loop behaviour (extends posta/web#4):

On a successful fan-out attempt (HTTP 2xx) to subscriber `S`: reset `S.consecutive_perm_failures` to `0`.
On a permanent failure to `S` (404, 410, 401 `unknown-key`, 401 `bad-signature`, 421 `wrong-recipient`): increment `S.consecutive_perm_failures`.
When the counter reaches `3`, remove `S` from `subscribers` in the same transaction. They are now eligible to be re-added by the implicit-subscribe rule on their next valid POST.
Transient failures (network errors, 5xx, `internal`, `rate-limited`) do not touch the counter; the retry schedule handles them.

Implementation goes in the outbox loop's outcome dispatch, alongside the per-row state transitions from posta/web#4.

Acceptance criteria

A subscriber with a 404 URL is removed from `subscribers` after three messages have each attempted fan-out and returned a permanent failure
A subscriber with intermittent transient failures (e.g. one 503 then one success) does not have their counter incremented
A successful 204 fan-out resets the counter to 0 even if there were prior permanent failures
After auto-removal, the subscriber's next valid POST re-adds them via the implicit-subscribe rule
Tests use a controllable HTTP client (or test server) to script success / transient / permanent sequences and assert subscriber-set transitions

Blocked by

posta/web#4 (needs the fan-out outbox loop)

## What to build Operational hygiene for the fan-out outbox: drop subscribers whose URLs have clearly gone away. State: - Add \`consecutive_perm_failures INT DEFAULT 0\` column to \`subscribers\`. Outbox-loop behaviour (extends posta/web#4): - On a successful fan-out attempt (HTTP 2xx) to subscriber \`S\`: reset \`S.consecutive_perm_failures\` to \`0\`. - On a permanent failure to \`S\` (404, 410, 401 \`unknown-key\`, 401 \`bad-signature\`, 421 \`wrong-recipient\`): increment \`S.consecutive_perm_failures\`. - When the counter reaches \`3\`, remove \`S\` from \`subscribers\` in the same transaction. They are now eligible to be re-added by the implicit-subscribe rule on their next valid POST. - Transient failures (network errors, 5xx, \`internal\`, \`rate-limited\`) do **not** touch the counter; the retry schedule handles them. Implementation goes in the outbox loop's outcome dispatch, alongside the per-row state transitions from posta/web#4. ## Acceptance criteria - [ ] A subscriber with a 404 URL is removed from \`subscribers\` after three messages have each attempted fan-out and returned a permanent failure - [ ] A subscriber with intermittent transient failures (e.g. one 503 then one success) does not have their counter incremented - [ ] A successful 204 fan-out resets the counter to 0 even if there were prior permanent failures - [ ] After auto-removal, the subscriber's next valid POST re-adds them via the implicit-subscribe rule - [ ] Tests use a controllable HTTP client (or test server) to script success / transient / permanent sequences and assert subscriber-set transitions ## Blocked by - posta/web#4 (needs the fan-out outbox loop)

arne referenced this issue from a commit

2026-05-13 22:06:24 +02:00

feedback: auto-unsubscribe on consecutive permanent failures (#7)

arne referenced this issue from a commit

2026-05-13 23:13:56 +02:00

feedback: auto-unsubscribe on consecutive permanent failures (#7)

arne referenced this issue from a commit

2026-05-13 23:14:23 +02:00

feedback room: /feedback as a Posta participant inside posta-web