fix(ha): PR #101 HA implementation bug fixes

[poyrazK]

Summary

Bug fixes for PR #101 HA implementation:

Critical Fixes

• Timer leak in retry.go: Add defer timer.Stop() to prevent timer leak on ctx cancellation
• Inverted reclaim interval: Change provisionReclaimMs from 20min to 1min (was incorrectly > stale threshold)

High Fixes

• Goroutine deadlock in leader_elector.go: Add recover() to heartbeat goroutine to prevent deadlock on panic
• Orphaned container in pipeline_worker.go: Fail step if collectTaskLogs fails instead of just logging

Medium Fixes

• Unbounded Redis key growth: Add 24h TTL to retry keys in durable_task_queue
• DLQ message loss: Reorder deadLetter: XAdd to DLQ first, only ack/del if successful
• Reclaim race in execution_ledger.go: Use RETURNING TRUE pattern to avoid race
• Silent Update failures: Add warning logs when repo.Update fails in cluster handlers

Features

• Resilience metrics: Add Prometheus metrics for circuit breaker transitions/blocked requests and bulkhead concurrency/rejections
• Retry integration: Integrate retry wrapper into all resilient wrappers with configurable attempts and backoff

Test Plan

• go test ./internal/platform/...
• go test ./internal/workers/...
• go test ./internal/repositories/redis/...
• go test ./internal/repositories/postgres/...

[coderabbitai]

Warning

Rate limit exceeded

@poyrazK has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 6 minutes and 32 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 6 minutes and 32 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1296886c-2e47-45dd-9da6-3c934422e47b

📥 Commits

Reviewing files that changed from the base of the PR and between 1632050 and 8f40729.

📒 Files selected for processing (42)

• .github/workflows/benchmarks.yml
• cmd/api/main.go
• cmd/api/main_test.go
• internal/api/setup/dependencies.go
• internal/core/ports/execution_ledger.go
• internal/core/ports/leader.go
• internal/core/ports/task_queue.go
• internal/core/services/vpc.go
• internal/drills/ha_drills_test.go
• internal/drills/release_gates_test.go
• internal/platform/bulkhead.go
• internal/platform/bulkhead_test.go
• internal/platform/circuit_breaker.go
• internal/platform/circuit_breaker_test.go
• internal/platform/resilience_metrics.go
• internal/platform/resilient_compute.go
• internal/platform/resilient_compute_test.go
• internal/platform/resilient_dns.go
• internal/platform/resilient_lb.go
• internal/platform/resilient_network.go
• internal/platform/resilient_storage.go
• internal/platform/retry.go
• internal/platform/retry_test.go
• internal/repositories/noop/adapters.go
• internal/repositories/postgres/execution_ledger.go
• internal/repositories/postgres/leader_elector.go
• internal/repositories/postgres/leader_elector_test.go
• internal/repositories/postgres/migrations/100_create_job_executions.down.sql
• internal/repositories/postgres/migrations/100_create_job_executions.up.sql
• internal/repositories/redis/durable_task_queue.go
• internal/repositories/redis/durable_task_queue_test.go
• internal/workers/cluster_worker.go
• internal/workers/cluster_worker_test.go
• internal/workers/leader_guard.go
• internal/workers/leader_guard_test.go
• internal/workers/pipeline_worker.go
• internal/workers/pipeline_worker_test.go
• internal/workers/provision_worker.go
• internal/workers/provision_worker_test.go
• tests/autoscaling_e2e_test.go
• tests/database_e2e_test.go
• tests/networking_e2e_test.go

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch pr-101-ha

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

This PR fixes several HA-related correctness issues introduced in PR #101 by moving workers to a durable queue + execution ledger model, tightening leader-election behavior, and adding resilience primitives (circuit breaker / bulkhead / retry) with metrics and drills.

Changes:

• Migrate Provision / Pipeline / Cluster workers to ports.DurableTaskQueue semantics (Receive/Ack/Nack/ReclaimStale) and add Postgres-backed ExecutionLedger for idempotency.
• Add Postgres advisory-lock leader election (PgLeaderElector) and a LeaderGuard wrapper to run singleton workers only on the elected leader.
• Introduce resilience primitives + metrics (circuit breaker, bulkhead, retry) and add drills/release-gate tests.

Reviewed changes

Copilot reviewed 38 out of 38 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
internal/workers/provision_worker_test.go	Updates tests to DurableQueue semantics (Ack/Nack expectations).
internal/workers/provision_worker.go	Migrates provision worker to durable queue + ledger + reclaim loop.
internal/workers/pipeline_worker_test.go	Updates pipeline worker test to pass durable message + Ack expectation.
internal/workers/pipeline_worker.go	Migrates pipeline worker to durable queue + ledger + reclaim + step failure on log-collection error.
internal/workers/leader_guard_test.go	Adds unit tests for leader-guard behavior (leader/not leader/restart/shutdown).
internal/workers/leader_guard.go	Adds LeaderGuard wrapper around workers using LeaderElector.
internal/workers/cluster_worker_test.go	Updates cluster worker tests for durable queue Ack/Nack + signature changes.
internal/workers/cluster_worker.go	Migrates cluster worker to durable queue + ledger + reclaim + improved update warnings.
internal/repositories/redis/durable_task_queue_test.go	Adds miniredis tests for durable queue group/receive/ack/nack/reclaim + legacy dequeue.
internal/repositories/redis/durable_task_queue.go	Implements Redis Streams durable queue (consumer groups, reclaim, DLQ, retry counters w/ TTL).
internal/repositories/postgres/migrations/100_create_job_executions.up.sql	Adds job_executions table for execution ledger.
internal/repositories/postgres/migrations/100_create_job_executions.down.sql	Drops job_executions table.
internal/repositories/postgres/leader_elector_test.go	Adds tests for deterministic/positive/unique lock ID hashing.
internal/repositories/postgres/leader_elector.go	Adds Postgres advisory-lock leader elector + heartbeat + panic-safe goroutine.
internal/repositories/postgres/execution_ledger.go	Adds Postgres execution ledger implementation (TryAcquire/MarkComplete/MarkFailed/GetStatus).
internal/repositories/noop/adapters.go	Extends no-op task queue to DurableTaskQueue + adds NoopExecutionLedger.
internal/platform/retry_test.go	Adds unit tests for retry behavior and backoff.
internal/platform/retry.go	Adds retry helper with exponential backoff + jitter + metrics.
internal/platform/resilient_storage.go	Adds resilient StorageBackend wrapper (CB/BH/Retry/Timeout).
internal/platform/resilient_network.go	Adds resilient NetworkBackend wrapper (CB/BH/Retry/Timeout).
internal/platform/resilient_lb.go	Adds resilient LB proxy wrapper (CB/Retry/Timeout).
internal/platform/resilient_dns.go	Adds resilient DNS backend wrapper (CB/Retry/Timeout).
internal/platform/resilient_compute_test.go	Adds tests validating compute wrapper behavior (CB/BH/timeout/passthrough).
internal/platform/resilient_compute.go	Adds resilient ComputeBackend wrapper (CB/BH/Retry/Timeout).
internal/platform/resilience_metrics.go	Adds Prometheus metrics for CB/BH/Retry.
internal/platform/circuit_breaker_test.go	Expands circuit breaker test coverage (single-flight, callbacks, successRequired, string).
internal/platform/circuit_breaker.go	Adds named/configurable CB with half-open single-flight + transition metrics.
internal/platform/bulkhead_test.go	Adds bulkhead tests (limits, rejection, context, errors, available).
internal/platform/bulkhead.go	Adds bulkhead implementation + metrics (concurrency/rejections).
internal/drills/release_gates_test.go	Adds CI-style release gates validating resilience SLO invariants.
internal/drills/ha_drills_test.go	Adds HA drill tests for CB/BH/Retry properties and transitions.
internal/core/ports/task_queue.go	Introduces DurableTaskQueue + DurableMessage; deprecates Dequeue for parallel consumers.
internal/core/ports/leader.go	Adds LeaderElector port.
internal/core/ports/execution_ledger.go	Adds ExecutionLedger port.
internal/api/setup/dependencies.go	Wires DurableQueue/Ledger into services/workers; adds LeaderGuard wrapping for singleton workers.
cmd/api/main_test.go	Adds role-mode tests; updates runApplication to return error.
cmd/api/main.go	Wraps backends with resilient decorators; introduces ROLE env; wires PgLeaderElector; worker-only mode skips HTTP.
.github/workflows/benchmarks.yml	Splits benchmark reporting for PR vs main (no auto-push on PR).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The TryAcquire comment says the stale-entry reclaim uses "FOR UPDATE SKIP LOCKED", but the implementation actually uses an optimistic compare-and-swap update on (job_key, status, started_at) with RETURNING TRUE. Adjust the comment to match the real concurrency control mechanism so future readers don't rely on locking semantics that aren't present.

Suggested change

	// Reclaim the stale entry using FOR UPDATE SKIP LOCKED.
	// This prevents two reclaimers from racing to reclaim the same stale entry.
	// If another reclaimer holds the lock (already reclaimed), we skip it.
	// Reclaim the stale entry with an optimistic compare-and-swap update.
	// The UPDATE only succeeds if the row is still in the previously observed
	// (job_key, status='running', started_at) state; otherwise another worker
	// updated it first and RETURNING yields no row.

[Copilot]

When TryAcquire returns false, ClusterWorker immediately acks the message as a "duplicate cluster job". This is unsafe if the existing ledger row is status='running' but not yet past clusterStaleThreshold (e.g., the original worker crashed soon after acquiring the ledger). In that case, acking here drops the only durable copy of the job, so it can't be retried once the ledger entry becomes stale. Mirror the Provision/Pipeline pattern: call GetStatus and only Ack when status is 'completed' (or 'failed' if you want to drop), otherwise leave the message unacked/pending so it can be reclaimed and retried later.

[Copilot]

PgLeaderElector uses Postgres session-level advisory locks, but all Acquire/Release/heartbeat calls go through the generic DB interface (compatible with *pgxpool.Pool). With a pool, each QueryRow/Exec may run on a different connection, so the lock may not actually be held (or released) by the same session; the heartbeat check can also run on a different session and produce incorrect results. To make session-scoped advisory locks correct, RunAsLeader should pin a single connection for the full leadership term (e.g., pool.Acquire → use that conn for pg_try_advisory_lock/pg_advisory_unlock/heartbeat, then Close the conn on release), or otherwise ensure all lock operations use the same underlying connection.

[Copilot]

ReclaimStale ignores the error from pipe.Exec and then blindly indexes/type-asserts pipeResults[0]. If Exec returns an error (network issue, Redis down, ctx cancelled), this can panic or record an incorrect attempts count. Capture and handle the Exec error (and validate the returned cmds) before using the results; if it fails, return the error or at least skip processing the claimed ID so the reclaim loop can retry safely.

Suggested change

	pipe.HIncrBy(ctx, retryKey, "count", 1)
	pipe.Expire(ctx, retryKey, 24*time.Hour)
	pipeResults, _ := pipe.Exec(ctx)
	attempts := pipeResults[0].(*redis.IntCmd).Val()
	attemptsCmd := pipe.HIncrBy(ctx, retryKey, "count", 1)
	pipe.Expire(ctx, retryKey, 24*time.Hour)
	if _, err := pipe.Exec(ctx); err != nil {
	return nil, fmt.Errorf("increment retry counter for %s/%s/%s: %w", queueName, groupName, msgID, err)
	}
	attempts := attemptsCmd.Val()

[Copilot]

deadLetter logs and returns nil when the post-DLQ XAck/XDel pipeline fails. That leaves the original message pending in the PEL while also having a DLQ copy, which can lead to repeated DLQ entries on subsequent reclaim cycles and unbounded pending growth. Consider making the DLQ move idempotent/atomic (e.g., Lua script or MULTI/EXEC transaction for XADD+XACK+XDEL), or at minimum return an error when ack/del fails so the caller can retry cleanup deterministically.

Suggested change

	pipe.XAck(ctx, queueName, groupName, msgID)
	pipe.XDel(ctx, queueName, msgID)
	if _, err := pipe.Exec(ctx); err != nil {
	// DLQ entry was added but original ack/del failed.
	// Log but don't return error — message is in DLQ and original is still in PEL.
	q.logger.Warn("dead-letter: failed to ack/del original message",
	"msg_id", msgID, "dlq_id", added, "error", err)
	}
	ackCmd := pipe.XAck(ctx, queueName, groupName, msgID)
	delCmd := pipe.XDel(ctx, queueName, msgID)
	if _, err := pipe.Exec(ctx); err != nil {
	return fmt.Errorf("dead-letter cleanup failed after dlq add (msg_id=%s, dlq_id=%s): %w", msgID, added, err)
	}
	acked, err := ackCmd.Result()
	if err != nil {
	return fmt.Errorf("dead-letter xack result failed after dlq add (msg_id=%s, dlq_id=%s): %w", msgID, added, err)
	}
	if acked == 0 {
	return fmt.Errorf("dead-letter xack affected 0 messages after dlq add (msg_id=%s, dlq_id=%s)", msgID, added)
	}
	deleted, err := delCmd.Result()
	if err != nil {
	return fmt.Errorf("dead-letter xdel result failed after dlq add (msg_id=%s, dlq_id=%s): %w", msgID, added, err)
	}
	if deleted == 0 {
	return fmt.Errorf("dead-letter xdel affected 0 messages after dlq add (msg_id=%s, dlq_id=%s)", msgID, added)
	}

[Copilot]

Retry creates a new timer on each backoff iteration but uses defer timer.Stop() inside the retry loop. Defers in a loop accumulate until Retry returns, which can retain timers longer than necessary under high MaxAttempts and defeats the intent of promptly releasing timer resources. Prefer stopping the timer explicitly after the select (and draining the channel when needed) instead of deferring inside the loop.

Suggested change

	defer timer.Stop()
	select {
	case <-ctx.Done():
	select {
	case <-ctx.Done():
	if !timer.Stop() {
	select {
	case <-timer.C:
	default:
	}
	}

[Copilot]

The comment above provisionReclaimMs says the reclaim idle time "must be longer than provisionStaleThreshold (15m)", but the value is 1 minute. Given the surrounding logic, this looks like the comment is inverted/outdated and may mislead future tuning. Please update the comment to reflect the intended relationship between PEL reclaim idle time and the execution-ledger stale threshold (and why).

[Copilot]

Pull request overview

Copilot reviewed 49 out of 49 changed files in this pull request and generated 8 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

In reclaimLoop, sem <- struct{}{} can block forever under saturation and ignores ctx.Done(), which can deadlock shutdown. Consider acquiring the semaphore with select { case sem<-...: case <-ctx.Done(): return } (or skipping reclaimed work when shutting down).

[Copilot]

In reclaimLoop, sem <- struct{}{} can block forever under high load and ignores ctx.Done(), which can deadlock shutdown. Acquire the semaphore with a select on ctx.Done() or skip scheduling reclaimed jobs once shutdown has started.

[Copilot]

The comment says this reclaim uses “FOR UPDATE SKIP LOCKED”, but the implementation is an UPDATE ... WHERE started_at = $2 RETURNING TRUE compare-and-swap. Please update the comment to match the actual mechanism (or change the query) so future readers don’t assume row locking semantics that aren’t present.

[Copilot]

pipe.Exec(ctx) errors are ignored here. If Exec fails, pipeResults can be nil/short and pipeResults[0].(*redis.IntCmd) can panic, potentially breaking the reclaim loop and leaving messages stuck. Handle the Exec error and validate result length/types before reading attempts (or use the returned *IntCmd from HIncrBy directly).

[Copilot]

sem <- struct{}{} can block indefinitely when the semaphore is full, and that send does not respect ctx.Done(). This can prevent the worker from shutting down cleanly (Run goroutine stuck on semaphore send even after context cancellation). Acquire the semaphore with a select that also listens for ctx.Done() (or move acquisition into the goroutine with a cancellable select).

[Copilot]

In reclaimLoop, sem <- struct{}{} can also block forever when the worker is saturated, and it similarly ignores ctx.Done(). On shutdown this can deadlock the reclaim loop and keep the process alive. Use a select on ctx.Done() when acquiring the semaphore (and consider skipping reclaimed work when shutting down).

[Copilot]

sem <- struct{}{} can block indefinitely when the worker is at max concurrency, and that send doesn’t observe ctx.Done(). This can prevent graceful shutdown (Run loop stuck trying to acquire a slot). Acquire the semaphore with a select including ctx.Done() or restructure so shutdown can always progress.

[Copilot]

sem <- struct{}{} can block indefinitely when the worker is saturated, and the send doesn’t respect ctx.Done(). That can prevent the cluster worker from stopping cleanly (Run loop stuck on semaphore send). Acquire the semaphore with a select that also listens for ctx.Done() (or move acquisition into a cancellable goroutine).

[Copilot]

Pull request overview

Copilot reviewed 38 out of 38 changed files in this pull request and generated 4 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

initBackends builds rawLBProxy using rawCompute (see setup.InitLBProxy for libvirt path). Since compute is wrapped after initBackends, the LB proxy’s internal compute calls won’t benefit from the compute bulkhead/timeouts in the libvirt case, even though ResilientLB’s comment assumes compute bulkhead already limits container/VM creation. Consider wrapping compute before calling InitLBProxy (or re-initializing LBProxy using the resilient compute backend) so LB proxy operations are subject to the same resilience limits.

[Copilot]

TestReleaseGate_CircuitBreakerFailFast asserts an average latency <1ms across 100 iterations. This is very sensitive to CI host load/scheduling and can be flaky even when fail-fast behavior is correct. Consider relaxing the threshold, using a higher-latency budget/percentile, gating via env/build tag, or converting this to a benchmark instead of a default-running test.

Suggested change

	if avgLatency > 1*time.Millisecond {
	t.Fatalf("average fail-fast latency %v exceeds 1ms SLO", avgLatency)
	}
	t.Logf("PASS: avg fail-fast latency = %v (SLO: <1ms)", avgLatency)
	if avgLatency > 5*time.Millisecond {
	t.Fatalf("average fail-fast latency %v exceeds 5ms SLO", avgLatency)
	}
	t.Logf("PASS: avg fail-fast latency = %v (SLO: <5ms)", avgLatency)

[Copilot]

provisionReclaimMs is set to 1 minute, but provisioning work can run up to 10 minutes (processJob timeout) and the ledger stale threshold is 15 minutes. Reclaiming after 1 minute will repeatedly XAUTOCLAIM in-flight messages, increment retry counters, and can eventually dead-letter work that is still actively being processed. Increase the reclaim idle threshold to exceed the maximum expected job runtime (or at least align it with the ledger stale threshold) and update the comment accordingly.

[Copilot]

Cluster deprovision success path ignores errors from repo.Delete. If Delete fails, the worker will Ack the queue message (in processJob) and MarkComplete in the ledger, leaving a cluster record that will never be retried/cleaned up. Consider handling the delete error (return it so the message is nacked/retried, or at least log+leave the job in a state that can be reconciled).

[Copilot]

Pull request overview

Copilot reviewed 41 out of 41 changed files in this pull request and generated 5 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

This leader elector uses session-level advisory locks, but it calls pg_try_advisory_lock/pg_advisory_unlock via the generic DB interface (typically backed by *pgxpool.Pool). With a pool, each call may use a different underlying connection, which breaks session-scoped lock semantics (locks can remain held on an idle pooled connection, Release may run on a different session and not unlock, and heartbeat may check the wrong session). Consider having PgLeaderElector hold a dedicated *pgxpool.Conn (or pgx.Conn) for the lifetime of leadership and run Acquire/heartbeat/Release on that same connection.

[Copilot]

time.NewTimer is created inside the retry loop, but defer timer.Stop() is also inside the loop. This defers all Stop() calls until Retry returns, which can accumulate many deferred calls and keep timer resources alive longer than necessary. Stop (and if needed drain) the timer per-iteration instead of deferring inside the loop (or use time.After / a reusable timer).

Suggested change

	defer timer.Stop()
	select {
	case <-ctx.Done():
	select {
	case <-ctx.Done():
	if !timer.Stop() {
	select {
	case <-timer.C:
	default:
	}
	}

[Copilot]

The comment says the PEL reclaim idle time "must be longer than provisionStaleThreshold (15m)", but provisionReclaimMs is set to 1 minute. More importantly, with ReclaimStale incrementing retry attempts on every reclaim and maxRetries defaulting to 5, reclaiming every 1 minute can dead-letter a legitimately long-running provision (worker timeout is 10m) before it finishes. Consider setting provisionReclaimMs to a value comfortably larger than the expected max processing time (or change retry counting so it only increments on actual failures) and update the comment accordingly.

[Copilot]

CircuitBreaker.Execute sets halfOpenInFlight in allowRequest(), but if fn() panics, recordSuccess/recordFailure won't run and halfOpenInFlight can remain true indefinitely, causing the breaker to reject all future requests in half-open. Consider wrapping fn() with a defer that clears halfOpenInFlight (likely via recordFailure) on panic, and decide whether to re-panic or convert it into an error.

[Copilot]

TryAcquire can return false not only for already-completed jobs but also when another worker currently owns a non-stale running execution. In that case, immediately Acking here can delete the only queue message while the other worker is still processing; if that worker crashes before MarkComplete, the job will be stuck as running in the ledger with no message left to retry. Mirror the provision/pipeline pattern: only ack when ledger status is completed (or otherwise terminal), and leave the message unacked when the job is actively running elsewhere.

[Copilot]

Pull request overview

Copilot reviewed 42 out of 42 changed files in this pull request and generated 6 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

pipelineReclaimMs (10 minutes) is shorter than the 30-minute job timeout; long-running builds will be auto-claimed while still processing, which can lead to duplicate execution attempts or message churn. Consider setting pipelineReclaimMs >= worst-case build duration (or >= pipelineStaleThreshold) or implementing a periodic "lease renewal" (XCLAIM-to-self) while a build is running.

[Copilot]

clusterReclaimMs (5 minutes) is shorter than clusterStaleThreshold (15 minutes) and likely shorter than real cluster provision/upgrade runtimes. That means in-progress jobs can be auto-claimed and treated as stale while still running. Consider aligning clusterReclaimMs with the expected max job duration (or with clusterStaleThreshold), or add a lease-renewal mechanism while work is in flight.

[Copilot]

defer timer.Stop() is inside the retry loop. Because defer runs only when Retry returns, this accumulates one deferred call per attempt and can retain timers longer than needed. Prefer stopping the timer explicitly at the end of each iteration (and draining timer.C if Stop() returns false) rather than deferring inside the loop.

Suggested change

	defer timer.Stop()
	select {
	case <-ctx.Done():
	return lastErr
	case <-timer.C:
	}
	select {
	case <-ctx.Done():
	if !timer.Stop() {
	select {
	case <-timer.C:
	default:
	}
	}
	return lastErr
	case <-timer.C:
	}
	if !timer.Stop() {
	select {
	case <-timer.C:
	default:
	}
	}

[Copilot]

When TryAcquire returns false and the ledger status is not completed, the worker returns without ack/nack. This leaves the message pending under the current consumer; with reclaim enabled it can cause repeated reclaims/processing attempts and an ever-growing PEL if the job never becomes acked. Consider explicitly handling the running vs failed cases (e.g., re-check later, or only leave pending when you can guarantee it won't be reclaimed prematurely; otherwise ack duplicates safely).

[Copilot]

When TryAcquire returns false and the ledger status isn't completed, the code returns without ack/nack. This leaves the message stuck pending for this consumer and relies entirely on the reclaim loop to make progress, which can cause repeated reclaim churn. Consider explicitly deciding what to do for running vs failed (e.g., defer processing but ensure the message won't be reclaimed prematurely, or ack known-duplicate messages once it's safe).

[Copilot]

The comment says the stale-running reclaim uses "FOR UPDATE SKIP LOCKED", but the implementation is an UPDATE ... WHERE ... started_at = $2 RETURNING TRUE without any FOR UPDATE. Either update the comment to match the actual approach or switch to a locking strategy if that was the intent.