Spec: hub-region-processing-only header for 404/1002 retries

[NaluTripician]

Summary

Adds a design spec only (no implementation) proposing functional parity with .NET PR Azure/azure-cosmos-dotnet-v3#5447: emit x-ms-cosmos-hub-region-processing-only: true on the second-and-later 404 / sub-status 1002 retry for single-master Cosmos DB accounts. This mitigates session-token storms during region failback for session-consistency reads.

The spec is published at sdk/cosmos/azure_data_cosmos/docs/HUB_REGION_PROCESSING_HEADER_SPEC.md so it can be reviewed in repo before any code lands. Tracks #4303.

Why a spec PR first

The .NET fix is a small change with subtle semantics — a per-operation latch that only activates after a specific failure shape, plus a header that opts retries into hub-region-only processing. Mirroring it in Rust touches the retry policy, header constants, and CHANGELOG, and there are at least three judgement calls (latch threshold mapping, latch lifetime, scope vs. issue text). Reviewing the spec in isolation lets us settle those before code review.

What's in the spec

• §1 Goals & Motivation — problem statement, goals, non-goals, primary target.
• §2 Architectural Overview — BackOffRetryHandler → before_send_request → should_retry flow with ASCII diagram.
• §3 Behavior Specification — trigger conditions, outbound effect, invariants preserved, worked example (East US 2 / Central US failback).
• §4 Code Changes — concrete Rust snippets for constants.rs (new cosmos_headers! entry), client_retry_policy.rs (latch field, before_send_request injection, should_retry_on_session_not_available set-point), and CHANGELOG.md.
• §5 Side Effects & Risk — SE-001…SE-005 with severity and mitigation.
• §6 Alternatives Considered — 4 alternatives with verdicts.
• §7 Testing Strategy — 7-row matrix with suggested test names plus validation gates.
• §8 Open Questions & Future Work — both pre-resolved (see below).

Pre-resolved open questions

• OQ-1 — Skip-set rotation parity. Day 1 ships .NET parity only — header + latch. Skip-set rotation is explicitly out of scope and captured under Future Work for a follow-up if post-rollout telemetry indicates the header alone is insufficient.
• OQ-2 — CHANGELOG version block. Verified ## 0.32.0 (Unreleased) already exists on main; spec instructs implementer to add a new ### Features Added subsection above the existing ### Breaking Changes, no new version block.

Convention compliance

Mirrors the in-repo spec convention established by FEED_OPERATIONS_SPEC.md (#4261): Markdown doc under <crate>/docs/, status header block, numbered TOC, numbered sections. Code snippets follow repo conventions verified against existing source — cosmos_headers! macro registration, lowercase "true" literal (matches ALLOW_TENTATIVE_WRITES precedent), test_ prefix on all tests (file-local convention in client_retry_policy.rs), CHANGELOG PR-link suffix.

Out of scope (explicitly)

• Implementation. Phase 3 lands in a follow-up PR after spec review.
• Skip-set rotation on 403/3 (NotWriteRegion). Future Work only.
• Diagnostics surface for "hub-region-only retry." Future Work pending broader diagnostics design.

Tracks #4303.

[Copilot]

Pull request overview

Adds a design-only specification for introducing x-ms-cosmos-hub-region-processing-only: true on second-and-later 404/1002 retries (single-master) to mitigate session-token storms during region failback, mirroring the .NET behavior.

Changes:

• Introduces a new Markdown design spec describing motivation, intended retry/latch behavior, and proposed code touchpoints.
• Documents suggested implementation details (constants, retry policy latch + header injection), risks, alternatives, and test matrix.

[NaluTripician]

AI Review Summary

Reviewed this spec PR against Azure/azure-cosmos-dotnet-v3#5447 and the actual Rust source on main (client_retry_policy.rs).

Headline: The central design — latch on the 2nd 1002, header rides the next retry — is structurally incompatible with Rust's current single-master retry budget. should_retry_on_session_not_available returns DoNotRetry the moment session_token_retry_count > 1 (line 294), so the latch flips on the same call that ends the operation; there is no subsequent before_send_request for the header to attach to. The spec's stated Goal #1 (.NET observable parity) is not achievable as written without also extending the read-retry budget — that change is currently absent from §4.2.

11 inline findings posted: 3 🔴 Blocking, 4 🟡 Recommendation, 3 🟢 Suggestion, 1 💬 Observation. Four of these reinforce existing unresolved comments by @Copilot and are tagged accordingly — they are intentional re-raises because the underlying design issues remain unaddressed.

Top items to resolve before code lands:

1. Choose explicitly: extend read-retry budget for true .NET parity, or change trigger point and document the parity gap.
2. Replace the per-request can_use_multiple_write_locations gate with an account-level accessor (per @Copilot).
3. Reconcile the worked example and AC-3/AC-6/AC-7 tests with whichever option above is chosen.

---

_{⚠️ AI-generated review — may be incorrect. Agree? → resolve the conversation. Disagree? → reply with your reasoning.}

[NaluTripician]

Review feedback addressed — spec revision pushed (4ae40ee76)

All 15 review threads accepted; zero rejections. Each item was traced to a specific code anchor on main and verified before fixing. Resolution map below — please mark threads resolved as you confirm.

Blockers (🔴) — fixed, please verify and resolve

Thread	Path/Line	Fix
Latch has no outbound effect (Findings #1 & #3 in AI summary)	§3.1, §3.4, §4.2(c), §7.1	Trigger moved from session_token_retry_count >= 2 to == 1. Verified client_retry_policy.rs:294 returns DoNotRetry once > 1, so the prior trigger flipped on the call that ended the operation — header never reached the wire. New trigger latches on the same call that returns Retry for the one permitted retry; header rides that retry.
Wrong gate (can_use_multiple_write_locations per-request)	§3.1 #3, §4.2(c)	Replaced with account-level LocationCache::can_use_multiple_write_locations() (verified: location_cache.rs:381, write_endpoints().len() > 1). Spec now explicitly forbids the two per-request variants and explains why.
@Copilot reinforcement on the same gate	§3.1 #3	Same fix — single change resolves both.

Recommendations (🟡) — fixed

Thread	Fix
Inaccurate baseline in Problem Statement	§1.1 rewritten to describe single-retry-via-write-locations behavior, citing the actual code (!can_use_multiple_write_locations branch returning DoNotRetry on > 1).
@Copilot reinforcement on same	Same fix.
Wire-format mismatch ("true" vs "True")	§3.2, §3.3, §4.2(b), AC-2 wording: header value now "True" (capitalized) matching .NET bool.TrueString. §3.3 explains why this deliberately diverges from the adjacent ALLOW_TENTATIVE_WRITES "true" precedent (different header, different parser, no shared contract).
Sub-status name wrong	§4.2(d), SE-005: 404/1002 = READ_SESSION_NOT_AVAILABLE. The PARTITION_KEY_RANGE_GONE reference (which is 410/1002) is removed.
Trigger boundary fragile	§4.2(c): mandatory inline comment at the session_token_retry_count += 1; site cross-referencing the spec. AC-3 added: boundary-pinning regression test that pins counter==1 → header, counter==2 → no header.

Suggestions (🟢) — fixed

Thread	Fix
Latch placement ambiguity	Moot under the new design — latch site is now a single if immediately after the increment, no branch ambiguity. §4.2(c) shows the exact code.
Threading model (plain bool vs volatile bool)	One-sentence justification added in §3.1 and §4.2(a) doc comment: "plain bool is correct because ClientRetryPolicy is mutated through &mut self for the duration of an operation." Also surfaced as AG-4 in §7.4 acceptance gates.
@Copilot reinforcement on §4.3/OQ-2 contradiction	§4.3 rewritten: insert ### Features Added above the existing ### Breaking Changes in the existing ## 0.32.0 (Unreleased) block. No new version block. Matches OQ-2.

Observation (💬) — fixed

Thread	Fix
Promote SE-003 to acceptance gate	New §7.4 Acceptance Gates block (AG-1..AG-4) makes per-operation construction (AG-1), cross-operation isolation test (AG-2), within-operation persistence (AG-3), and the &mut self-only invariant (AG-4) blocking for the implementation PR.

Architectural decision: parity vs retry-budget

The headline blocker (Finding #1 in the AI review) gave us two paths:

• (A) Extend Rust's read-retry budget to mirror .NET's sessionTokenRetryCount > ReadEndpoints.Count and keep the latch on the second 1002.
• (B) Latch on the first 1002 and accept that Rust's existing single-master read budget runs the header on the one permitted retry.

Picked (B). Rationale documented in the new §1.2 Goals (re-scoped to "header-emission parity within Rust's existing retry budget") and as a new ALT-5 in §6 with full reasoning. (A) is preserved as a Future Work item with a concrete implementation outline. Bundling a retry-budget extension with header injection couples two unrelated risks and changes the read contract for every read in the SDK, not just 404/1002 — the same scope-discipline argument that kept skip-set rotation out of OQ-1.

CI

The Build Analyze failure is the only red on this PR; all 5 build/test matrix jobs (windows_stable, ubuntu_stable, ubuntu_nightly, ubuntu_msrv, macos_stable) pass. Logs are on Azure DevOps and not fetchable from outside, but spec-only PRs with no Rust source change typically fail Build Analyze on workspace-wide compliance scans (no version bump in any crate, no Cargo.lock change). Per the original PR scope (spec only) I'm leaving this as known-noise; happy to investigate the actual log if you can paste it.

Diff stats

4ae40ee76: 1 file changed, 199 insertions(+), 64 deletions(-).

[NaluTripician]

Second-pass review addressed — 86dc5f167

All four findings accepted. Verified each against main source before applying.

#	Severity	Finding	Resolution
New-1	🔴 Correctness	location_cache: Mutex<LocationCache> so &LocationCache can't escape the lock guard	§4.2(c) now mandates a forwarding method on GlobalEndpointManager: pub(crate) fn account_supports_multi_write(&self) -> bool { self.location_cache.lock().unwrap().can_use_multiple_write_locations() }. Pattern matches existing .lock().unwrap() callers at lines 283 and 354. The latch condition is now !self.global_endpoint_manager.account_supports_multi_write().
New-2	🔴 Lint	... == false would trip bool_comparison and §7.3 mandates -D warnings	§4.2(c) sample uses !.... Spec example now passes the gate it requires of implementations.
New-3	🟡 Precision	"before any return" contradicts the enable_endpoint_discovery early-return at the top of the function	§4.2(c) tightened to "after the discovery-enabled early return and the counter increment, before the budget/gating conditionals."
New-4	🟢 Wording	"non-counted under MAX_RETRY_COUNT_ON_CONNECTION_FAILURE" reads as if connection-failure retries are unbounded	§3.2 and AC-6 row reworded to "tracked under a separate budget, MAX_RETRY_COUNT_ON_CONNECTION_FAILURE, rather than the session_token_retry_count budget."

Diff: 4ae40ee76..86dc5f167 (1 file, +40/-22). §3.4, §6 ALT-5, §7.1, §7.4 unchanged.

[NaluTripician]

Driver-aligned rework (commits 36fe8ccca -> fb47493fc)

Per feedback that "transport and routing has moved into azure_data_cosmos_driver but this spec is mostly touching the SDK," the spec was reworked to acknowledge the two-crate landscape on main and then iterated through two passes of deep review.

Rework (commit 36fe8ccca)

• New crate-boundary metadata (Crate (interim home) / Crate (forward target)) at top.
• New section 1.5 Two-crate landscape with a responsibility table mapping each concern to SDK vs driver and noting the SDK does not yet depend on the driver crate on main.
• New Forward target subsection in section 2 with a second Mermaid diagram for the driver pipeline.
• New section 4 crate-boundary note prefacing all SDK file paths.
• New SE-006 (crate-boundary drift) in Side Effects.
• New ALT-6 enumerating three concrete driver prerequisites (no status-code retry, no account-metadata fetch / topology tracking, mismatched per-operation state model) with a 1:1 cross-walk for the eventual migration.
• New AG-5 acceptance gate requiring // TODO(driver-migration): anchors at the latch declaration and emission sites.
• New Driver migration bullet leading section 8 Future Work.

Wire output and Day-1 SDK implementation are unchanged: the SDK is still the only crate where the trigger's prerequisites exist on main.

Pass 1 deep-review findings (commit fb47493fc addresses)

#	Severity	Finding	Resolution
1	Blocking	Driver-crate citations used bare cosmos_driver.rs instead of canonical driver/cosmos_driver.rs	All paths fixed; convention noted in confidence header
2	Blocking	ALT-6 prerequisite #2 ("no account topology surface") was overstated since Region exists	Reworded to "no account-metadata fetch or topology tracking"; underscore-prefix placeholder semantic called out
3	Blocking	ALT-6 cross-walk hand-waved missing subsystem (driver retry hook) as if mechanical	Added Status column; trigger and single-master-gate rows flagged Design-pending (gated on prerequisites #1/#2)
4	Blocking	Forward-target Mermaid showed a 404/1002 feedback arrow that doesn't exist on main	Replaced with honest diagram showing current driver pipeline + three prerequisite gaps as a separate Gap subgraph
5	Recommend	section 1.5 SDK->Driver dependency row formatting was ambiguous	Renamed to SDK consumes driver with explicit Not yet
6	Recommend	SE-006 mitigation didn't explain why double-emission can't occur	Added: SDK->driver migration removes ClientRetryPolicy's status-code retry as part of the same change set
7	Recommend	Confidence header ("migration not yet designed") contradicted section 8 (which had a design)	Split claim: header-emission relocation is straightforward; only the driver-side retry shape is design-pending
8	Suggest	section 4 crate-boundary callout was redundant with section 1.5	Trimmed to one sentence
9	Suggest	AC-6 mixed "connection failure" / "transport failure" terminology	Clarified "connection failure" as the SDK's term for transport-layer failure
10	Suggest	Arrow style inconsistency in Mermaid labels	Resolved as part of #4 (ALT-6 diagram rewrite)

Pass 2 deep-review verdict

Reviewable. All four blockers resolved, all six lower-severity findings resolved, no new findings, no approach-level concerns. The reviewer's approach-level note: "The spec remains correctly scoped: a surgical SDK-side implementation with explicit forward-looking documentation of the driver-side migration, gated on prerequisites that are out of scope for this work item."

Ready for another team pass.

[NaluTripician]

Closing in favor of #4320, which retargets this spec to release/azure_data_cosmos-previews. The Cosmos previews branch is where the feature actually needs to land and is 79 commits ahead of main. Deep-review findings against the previews-branch source will be posted as inline comments on #4320.