hypercall_api/

notification_service.rs

//! Persisted per-user notification feed.
//!
//! Postgres is the source of truth. Redis (Upstash, globally distributed)
//! holds an edge-cached `has_unread:{wallet}` bit so SSR / SSR-like reads
//! don't have to cross the Pacific to Tokyo-pg for the bell dot.
//!
//! Web Push delivery (handled by `PushNotificationService`) is a separate
//! display channel on top of this log: if the user is subscribed they get
//! an OS notification too, but the feed stays complete either way.
//!
//! **Graceful degradation:** the service stays fully functional when Redis
//! is unavailable -- pg writes/reads proceed normally; the bell cache just
//! doesn't update and SSR readers fall back to no-cached-bit behavior.
//! Publishing a fill should never fail because of Redis.
//!
//! **Backpressure:** callers on the fill hot path use [`enqueue_publish`],
//! which `try_send`s onto a bounded mpsc. A single background drainer
//! awaits inserts with bounded concurrency. Burst loads that can't keep up
//! drop the tail (counted via a `warn!` log) rather than spawning an
//! unbounded pile of detached `tokio::spawn` tasks.
//!
//! **Has-unread bit race:** `mark_*_read` clears the Redis bit *after*
//! checking pg is empty, and then re-checks pg one more time to catch a
//! concurrent `publish` that raced in during the clear. Not strictly
//! atomic (would need a Lua script with an out-of-band pg check), but
//! closes the common race window where a publisher lands between our pg
//! check and our DEL.
//!
//! **No in-process dedupe cache on the has_unread bit.** An earlier
//! revision kept a `DashSet<wallet>` to skip re-`SET`s. That cache isn't
//! invalidated across instances after a mark-read (instance B clears
//! Redis, instance A keeps suppressing), so correctness beats the
//! optimization: `SET k 1` is cheap and idempotent.
//!
//! Payloads are stored as msgpack bytes: we never query into them, and the
//! encoder is cheaper + more compact than JSON for the volumes we expect.

use anyhow::{Context, Result};
use chrono::Utc;
use redis::aio::ConnectionManager;
use redis::AsyncCommands;
use std::sync::atomic::{AtomicU64, Ordering};
use std::sync::Arc;
use std::time::Duration;
use tokio::sync::{broadcast, mpsc, Mutex};
use tracing::{debug, info, warn};

use hypercall_db::{NewNotificationInput, NotificationRecord, NotificationWriter};

const HAS_UNREAD_KEY_PREFIX: &str = "notifications:has_unread:";
const DEFAULT_LIST_LIMIT: i64 = 50;
const MAX_LIST_LIMIT: i64 = 100;
const REDIS_COMMAND_TIMEOUT: Duration = Duration::from_secs(2);
/// After a Redis connect failure we short-circuit subsequent calls for this
/// long so a transient outage doesn't burn 2s per publish waiting on the
/// timeout. One block per wallet-side call is cheap; cascading retries
/// back the drainer into a queue-full state.
const REDIS_FAILURE_BACKOFF: Duration = Duration::from_secs(30);
/// Bounded channel capacity for fire-and-forget publishes. If the drainer
/// can't keep up, new publishes are dropped with a `warn!` (best-effort
/// delivery, matching `PushNotificationService`).
const PUBLISH_QUEUE_CAPACITY: usize = 1_000;
/// Max time we give the drainer to flush pending publishes once the
/// shutdown signal fires. After this the drainer exits even if the queue
/// still has items.
const SHUTDOWN_DRAIN_TIMEOUT: Duration = Duration::from_secs(5);

fn now_ms() -> u64 {
    std::time::SystemTime::now()
        .duration_since(std::time::UNIX_EPOCH)
        .map(|d| d.as_millis() as u64)
        .unwrap_or(0)
}

fn has_unread_key(wallet_lower: &str) -> String {
    format!("{HAS_UNREAD_KEY_PREFIX}{wallet_lower}")
}

struct PublishJob {
    wallet_lower: String,
    notification_type: String,
    payload: Vec<u8>,
}

pub struct NotificationService {
    db: Arc<dyn NotificationWriter>,
    /// Lazily-established Redis connection. `None` when the service was
    /// constructed without a Redis client -- cache ops become no-ops.
    redis_client: Option<redis::Client>,
    redis_conn: Arc<Mutex<Option<ConnectionManager>>>,
    /// ms timestamp of the last Redis connect failure; `0` means "no
    /// recent failure, try again". Atomic so every path can read without
    /// taking the Mutex.
    redis_last_failure_ms: Arc<AtomicU64>,
    publish_tx: mpsc::Sender<PublishJob>,
}

impl NotificationService {
    pub fn new(
        db: Arc<dyn NotificationWriter>,
        redis_client: Option<redis::Client>,
        shutdown_rx: broadcast::Receiver<()>,
    ) -> Arc<Self> {
        let (publish_tx, publish_rx) = mpsc::channel::<PublishJob>(PUBLISH_QUEUE_CAPACITY);
        let svc = Arc::new(Self {
            db,
            redis_client,
            redis_conn: Arc::new(Mutex::new(None)),
            redis_last_failure_ms: Arc::new(AtomicU64::new(0)),
            publish_tx,
        });
        let drainer = svc.clone();
        tokio::spawn(drain_publish_queue(drainer, publish_rx, shutdown_rx));
        svc
    }

    /// Are we inside the "recently failed" backoff window?
    fn in_redis_backoff(&self) -> bool {
        let last = self.redis_last_failure_ms.load(Ordering::Relaxed);
        if last == 0 {
            return false;
        }
        now_ms().saturating_sub(last) < REDIS_FAILURE_BACKOFF.as_millis() as u64
    }

    fn mark_redis_failure(&self) {
        self.redis_last_failure_ms
            .store(now_ms(), Ordering::Relaxed);
    }

    fn clear_redis_failure(&self) {
        self.redis_last_failure_ms.store(0, Ordering::Relaxed);
    }

    async fn conn(&self) -> Option<ConnectionManager> {
        let client = self.redis_client.as_ref()?;
        // Fail fast while we're still inside the backoff window from a
        // recent connect failure -- otherwise a Redis outage would stall
        // every publish 2s at the ConnectionManager::new timeout, which
        // in turn blocks the drainer and fills up the publish queue.
        if self.in_redis_backoff() {
            return None;
        }
        let mut guard = self.redis_conn.lock().await;
        if let Some(existing) = guard.as_ref() {
            return Some(existing.clone());
        }
        let conn = match tokio::time::timeout(
            REDIS_COMMAND_TIMEOUT,
            ConnectionManager::new(client.clone()),
        )
        .await
        {
            Ok(Ok(c)) => c,
            Ok(Err(e)) => {
                self.mark_redis_failure();
                warn!(error = %e, "notifications: failed to open Redis ConnectionManager; bell cache disabled, backing off");
                return None;
            }
            Err(_) => {
                self.mark_redis_failure();
                warn!("notifications: timed out opening Redis ConnectionManager; bell cache disabled, backing off");
                return None;
            }
        };
        *guard = Some(conn.clone());
        self.clear_redis_failure();
        Some(conn)
    }

    async fn set_has_unread(&self, wallet_lower: &str) {
        let Some(mut conn) = self.conn().await else {
            return;
        };
        let key = has_unread_key(wallet_lower);
        let res: redis::RedisResult<()> =
            tokio::time::timeout(REDIS_COMMAND_TIMEOUT, conn.set(&key, 1i32))
                .await
                .unwrap_or_else(|_| {
                    Err(redis::RedisError::from((
                        redis::ErrorKind::IoError,
                        "timeout",
                    )))
                });
        match res {
            Ok(()) => debug!(wallet = wallet_lower, "notifications: has_unread bit set"),
            Err(e) => {
                warn!(error = %e, wallet = wallet_lower, "notifications: has_unread SET failed")
            }
        }
    }

    async fn clear_has_unread(&self, wallet_lower: &str) {
        let Some(mut conn) = self.conn().await else {
            return;
        };
        let key = has_unread_key(wallet_lower);
        let res: redis::RedisResult<()> =
            tokio::time::timeout(REDIS_COMMAND_TIMEOUT, conn.del(&key))
                .await
                .unwrap_or_else(|_| {
                    Err(redis::RedisError::from((
                        redis::ErrorKind::IoError,
                        "timeout",
                    )))
                });
        if let Err(e) = res {
            warn!(error = %e, wallet = wallet_lower, "notifications: has_unread DEL failed");
        }
    }

    /// After a mark-read batch clears the Redis bit, a concurrent `publish`
    /// may have landed between our pg `count_unread` and our Redis `DEL`.
    /// Re-check pg; if pg now has unread, re-`SET` so we don't leave the
    /// bell stuck at cleared while rows are actually unread.
    async fn reconcile_has_unread_after_clear(&self, wallet_lower: &str) {
        match self.count_unread(wallet_lower).await {
            Ok(0) => {}
            Ok(_) => {
                self.set_has_unread(wallet_lower).await;
            }
            Err(e) => {
                warn!(error = %e, wallet = wallet_lower, "notifications: post-clear reconcile count_unread failed");
            }
        }
    }

    /// Fire-and-forget publish: enqueue onto the bounded channel. Returns
    /// `Err` only if the channel is full (drainer can't keep up). The
    /// caller is expected to warn + drop rather than block the trading
    /// event pipeline.
    pub fn enqueue_publish(
        &self,
        wallet: &str,
        notification_type: &str,
        payload_msgpack: Vec<u8>,
    ) -> Result<(), ()> {
        let job = PublishJob {
            wallet_lower: wallet.to_lowercase(),
            notification_type: notification_type.to_string(),
            payload: payload_msgpack,
        };
        self.publish_tx.try_send(job).map_err(|e| {
            warn!(error = %e, "notifications: publish queue full; dropping event");
        })
    }

    /// Synchronous publish -- insert a notification and update the Redis
    /// bit. Prefer [`enqueue_publish`] on the fill hot path; this method
    /// is mainly for tests and paths where the caller genuinely wants to
    /// wait on the insert.
    pub async fn publish(
        &self,
        wallet: &str,
        notification_type: &str,
        payload_msgpack: Vec<u8>,
    ) -> Result<NotificationRecord> {
        let wallet_lower = wallet.to_lowercase();

        let row = self
            .db
            .insert_notification(NewNotificationInput {
                wallet_address: wallet_lower.clone(),
                notification_type: notification_type.to_string(),
                payload: payload_msgpack,
            })
            .await
            .context("Failed to insert notification")?;

        // Best-effort cache update -- never propagate Redis failures back
        // up to the caller; the pg insert is the source of truth.
        self.set_has_unread(&wallet_lower).await;

        Ok(row)
    }

    pub async fn list(
        &self,
        wallet: &str,
        before_id: Option<i64>,
        limit: Option<i64>,
    ) -> Result<Vec<NotificationRecord>> {
        let effective_limit = limit.unwrap_or(DEFAULT_LIST_LIMIT).clamp(1, MAX_LIST_LIMIT);
        let wallet_lower = wallet.to_lowercase();

        self.db
            .list_notifications(&wallet_lower, before_id, effective_limit)
            .await
            .context("Failed to list notifications")
    }

    pub async fn count_unread(&self, wallet: &str) -> Result<i64> {
        let wallet_lower = wallet.to_lowercase();
        self.db
            .count_unread_notifications(&wallet_lower)
            .await
            .context("Failed to count unread notifications")
    }

    pub async fn mark_read(&self, wallet: &str, ids: &[i64]) -> Result<usize> {
        if ids.is_empty() {
            return Ok(0);
        }
        let wallet_lower = wallet.to_lowercase();

        let updated = self
            .db
            .mark_notifications_read(&wallet_lower, ids, Utc::now())
            .await
            .context("Failed to mark notifications read")?;

        if updated > 0 {
            if let Ok(remaining) = self.count_unread(&wallet_lower).await {
                if remaining == 0 {
                    self.clear_has_unread(&wallet_lower).await;
                    self.reconcile_has_unread_after_clear(&wallet_lower).await;
                }
            }
        }
        Ok(updated)
    }

    pub async fn mark_all_read(&self, wallet: &str) -> Result<usize> {
        let wallet_lower = wallet.to_lowercase();

        let updated = self
            .db
            .mark_all_notifications_read(&wallet_lower, Utc::now())
            .await
            .context("Failed to mark all notifications read")?;

        self.clear_has_unread(&wallet_lower).await;
        self.reconcile_has_unread_after_clear(&wallet_lower).await;
        Ok(updated)
    }
}

async fn drain_publish_queue(
    svc: Arc<NotificationService>,
    mut rx: mpsc::Receiver<PublishJob>,
    mut shutdown_rx: broadcast::Receiver<()>,
) {
    loop {
        tokio::select! {
            maybe_job = rx.recv() => {
                let Some(job) = maybe_job else { break };
                drain_one(&svc, job).await;
            }
            _ = shutdown_rx.recv() => {
                info!("notifications: shutdown signal received; flushing pending publishes");
                // Try to flush everything already enqueued up to a bounded
                // deadline, then exit.
                let deadline = tokio::time::Instant::now() + SHUTDOWN_DRAIN_TIMEOUT;
                loop {
                    match tokio::time::timeout_at(deadline, rx.recv()).await {
                        Ok(Some(job)) => drain_one(&svc, job).await,
                        Ok(None) => break,
                        Err(_) => {
                            let remaining = rx.len();
                            if remaining > 0 {
                                warn!(
                                    remaining,
                                    "notifications: shutdown drain timed out; dropping pending publishes"
                                );
                            }
                            break;
                        }
                    }
                }
                break;
            }
        }
    }
    info!("notifications: publish drainer exiting");
}

async fn drain_one(svc: &NotificationService, job: PublishJob) {
    let PublishJob {
        wallet_lower: wallet,
        notification_type: kind,
        payload,
    } = job;
    if let Err(e) = svc.publish(&wallet, &kind, payload).await {
        warn!(error = %e, wallet = wallet, kind = kind, "notifications: fire-and-forget publish failed");
    }
}