[iris] Add slice lifecycle state machine for autoscaler transitions

[rjpower]

Summary

• Slice lifecycle in the autoscaler becomes an explicit state machine: a (from_state, type(event)) → to_state transition table, typed event dataclasses carrying exactly the payload each transition needs, and a sum-type outcome (NoOp | InternalTransition | BecameReady | BecameFailed) that callers consume via a single match statement.
• ScalingGroup.dispatch() folds the short-lived-failure → group-backoff cascade into the same lock as the slice mutation, so consecutive_failures / backoff_until stay consistent with _slices under concurrent failures (see test_concurrent_failures_account_atomically).
• SliceLifecycleState and SliceState move from scaling_group.py to models.py so the transition table can import them without creating a cycle.

Behavior change

FAILED transitions now atomically remove the slice from _slices and return the SliceHandle to the caller (via BecameFailed.handle). Callers unregister workers and async-terminate the handle. Consequences:

• slice_state_counts() and to_status() will never observe a FAILED slice for this group. Failure is surfaced via the returned outcome, a slice_failed / worker_failed entry in the action log, and the slice_transition … →failed structured log line.
• The old code left FAILED slices tracked until a separate cleanup pass; in practice both paths removed them within the same refresh cycle, so downstream consumers (dashboards, RPC status) observe no regression. Callers that depend on visible FAILED state must reach for the action log.

Changes

File	What
slice_lifecycle.py	Typed SliceEvent hierarchy, TRANSITIONS table, cloud_event() helper, TransitionOutcome sum type. No StrEnum, no context: dict[str, Any], no separate BACKOFF_TRIGGERS set (each event type carries counts_toward_backoff).
models.py	Owns SliceLifecycleState (StrEnum with enum.auto()) and SliceState.
scaling_group.py	New dispatch(slice_id, event) method. Short-lived-failure backoff cascade is atomic with the slice detach under _slices_lock.
runtime.py	Single _apply(outcome, group) method matches on outcome type and owns all external side effects (worker registry, async terminate, action-log entries). refresh() / terminate_slices_for_workers() lose their scattered if new_state == … switches. operations.py folded back into Autoscaler.
test_slice_lifecycle.py	Parametrized table sanity, READY/FAILED invariants, exponential backoff, exhaustiveness, and a new test_concurrent_failures_account_atomically covering the lock widening.

Test plan

• tests/cluster/controller/test_slice_lifecycle.py — 20+ cases including concurrent-failure atomicity
• tests/cluster/controller/ tests/cluster/providers/ — 1359 tests pass
• ./infra/pre-commit.py --fix — ruff, black, pyrefly, license headers clean

Refs: #4754

[claude]

Claude finished @rjpower's task in 3m 58s —— View job

---

Review of PR #4816: Slice lifecycle state machine

• Read all changed files and gather context
• Review the state machine design (slice_lifecycle.py)
• Review migration (0033_slice_transitions.py)
• Review integration points (runtime.py, operations.py, scaling_group.py)
• Review model changes and import updates
• Review tests (test_slice_lifecycle.py)
• Post review feedback

---

Overall

Good design — the (from_state, event) → (to_state, side_effects) table is clean and testable, the audit trail will be valuable for debugging, and the model extraction to models.py is a sensible separation. The exhaustiveness test is a nice touch.

Issues

1. Behavioral regression: bootstrap failures in refresh() no longer trigger backoff (P1)

The old refresh() code called group.record_failure() unconditionally when CLOUD_STATE_FAILED or CLOUD_STATE_UNKNOWN_TIMEOUT was observed. The new code dispatches through the state machine, where _on_bootstrap_failed / _on_timeout only emit RECORD_GROUP_FAILURE if ctx.get("is_short_lived") — but refresh() never passes is_short_lived in context. Net effect: bootstrap failures observed during polling no longer trigger exponential backoff.

If this is intentional (e.g., only applying backoff for short-lived worker failures), document it. If not, refresh() needs to compute and pass is_short_lived the same way operations.py does. See inline comment.

2. Inconsistent side-effect execution in operations.py (P2)

terminate_slices_for_workers() dispatches WORKER_FAILURE_REPORTED but only handles the RECORD_GROUP_FAILURE side effect, ignoring DEREGISTER_WORKERS and TERMINATE_SLICE (which it does manually). This works today but undermines the state machine contract — new side effects added to _on_worker_failure won't execute here. See inline comment.

3. Unused events and transitions (P3)

PLATFORM_CALL_STARTED, TEARDOWN_COMPLETE, CLOUD_STATE_INITIALIZING, and IDLE_TIMEOUT are defined but never dispatched. Per repo conventions on dead code, consider removing until wired up or adding a comment referencing the plan. See inline comment.

4. Side effects computed outside the lock (P3)

In dispatch_slice_event(), line 191 calls transition.side_effects(state, context) after releasing _slices_lock. Current side-effect functions only read ctx so it's safe, but state is a mutable reference. Worth a comment or moving inside the lock. See inline comment.

Smaller notes

• _on_timeout is a trivial delegation to _on_bootstrap_failed; could use the function directly in the transition table.
• error_message is no longer set on SliceState through the dispatch path (old mark_slice_failed did this). Since failed slices get deleted by scale_down/detach_slice, this is likely fine — the error context lives in the audit trail instead.
• Migration 0033 is clean. Consider adding a LIMIT-based retention policy later if the audit table grows unbounded.
• Tests are thorough. The exhaustiveness check on line 239-249 is a good pattern.

Summary

The core state machine design is solid and the audit trail is a clear win for debuggability. The main concern is the behavioral change around backoff (#1 above) — please clarify whether it's intentional or needs a fix before merging.

[claude]

🤖 Behavioral change in refresh() — bootstrap failures no longer trigger backoff

The old refresh() code called group.record_failure() unconditionally on CLOUD_STATE_FAILED and CLOUD_STATE_UNKNOWN_TIMEOUT. This function gates RECORD_GROUP_FAILURE on ctx.get("is_short_lived"), but refresh() never passes is_short_lived in its context dict:

# runtime.py refresh() dispatches:
result = group.dispatch(
    slice_id,
    SliceEvent.CLOUD_STATE_FAILED,
    {"error_message": status.error_message},  # no is_short_lived!
    now=timestamp,
)

So bootstrap failures observed during refresh() no longer trigger backoff. If this is intentional (only applying backoff for short-lived worker failures from operations.py), it should be documented. If not, refresh() needs to compute and pass is_short_lived just like operations.py does.

[claude]

🤖 Partial side-effect execution undermines the state machine contract

This loop only handles RECORD_GROUP_FAILURE, ignoring DEREGISTER_WORKERS and TERMINATE_SLICE that the transition table returns for WORKER_FAILURE_REPORTED. The actual deregistration and termination happen a few lines below via detach_slice + unregister_slice_workers.

This works correctly, but it means the caller is cherry-picking which side effects to honor rather than executing them all. The state machine says "deregister workers and terminate the slice," but the caller silently ignores that and does its own thing. If someone later adds a new side effect to _on_worker_failure, they'd expect it to run here — but it wouldn't.

Consider either:

1. Using a shared _execute_side_effects helper (like runtime.py does), or
2. Having the transition for WORKER_FAILURE_REPORTED only return the side effects that actually get executed here (just RECORD_GROUP_FAILURE), and documenting that operations.py handles teardown itself

Also, age_ms on line 145 is only defined when slice_handle is not None (line 125). It's safe today because is_short_lived=False when handle is None, so RECORD_GROUP_FAILURE won't fire, but it's fragile.

[claude]

🤖 Side effects computed outside the lock

The state mutation (state.lifecycle = transition.to_state) happens under the lock, but transition.side_effects(state, context) runs after the lock is released. The current side-effect functions only read from context, not from state, so this is safe. But state is a mutable reference that other threads could modify. Worth a brief comment noting this invariant (side-effect functions must not read mutable fields from state), or compute side effects inside the lock to be safe.

[claude]

🤖 Nit: _on_timeout is a one-line delegation to _on_bootstrap_failed with identical behavior. Consider using _on_bootstrap_failed directly in the transition table entry for CLOUD_STATE_UNKNOWN_TIMEOUT and dropping this wrapper. If you want to keep them separate for future divergence, a comment noting the intent would help.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 73ae17bf52

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Preserve failure backoff on cloud bootstrap failures

refresh() now dispatches CLOUD_STATE_FAILED without any short-lived metadata, but the new transition handlers only emit RECORD_GROUP_FAILURE when is_short_lived is true. As a result, normal bootstrap failures (and similarly UNKNOWN-timeout failures) stop calling group.record_failure(), which removes exponential backoff and can cause repeated scale-up retries against a persistently failing provider.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Update slice state when registering READY workers

The REGISTER_WORKERS side effect only updates the worker registry and never writes worker IDs (or activity timestamp) into the ScalingGroup slice state. ScalingGroup.find_slice_for_worker() and idle-scale-down checks read from state.worker_ids, so slices that become READY via this path are no longer discoverable for worker-failure teardown and can fail idle verification.

Useful? React with 👍 / 👎.

[ravwojdyla-agent]

🤖 ## Design review

I walked through the diff, checked out the branch (pr-4816), compared to main, and traced call sites through runtime.py → scaling_group.py. Major concerns, prioritized.

---

1. The PR description is stale in load-bearing ways

Two claims in the description are now wrong:

• "Adds a slice_transitions audit table (migration 0033) that logs every state change with timestamp, event, and context — enables answering 'why didn't group X scale up from 2:30–3:45pm?'"
  This is the headline motivation. It is not in the PR. Commit 2552b17dc ("Drop slice_transitions audit table: rely on structured log lines") removed it. No 0033_slice_transitions.py exists in the diff, and migration 0033 is already taken by 0033_worker_task_history_fk_cascade.py. What's left is a single logger.info("slice transition …") line — much less than an audit table; you can't SQL-query log lines retroactively.

• "Existing mark_slice_ready/mark_slice_failed methods preserved for the scale_down_if_idle path and backward compat with tests"
  Not true — both methods are deleted. Every caller was rewritten to dispatch(…, SliceEvent.CLOUD_STATE_READY, {"worker_ids": …}).

Please update the description before merge, otherwise reviewers who read only the summary get a materially wrong picture of what's shipping.

---

2. Hidden behavior change: FAILED slices now disappear from tracking

Not described as a semantic change but it is one:

• main: mark_slice_failed() sets state.lifecycle = FAILED, keeps the slice in _slices with error_message, and a separate scale_down() later removes it. slice_state_counts()[FAILED] is observable. to_status() renders FAILED slices with their error in the RPC proto.
• PR: dispatch(…, _FAILED) atomically removes the slice from _slices and hands the handle to the caller. slice_state_counts()[FAILED] is now always 0. The test test_failed_takes_precedence was renamed to test_failed_slice_detached_atomically and its invariant inverted:

# asserts counts[FAILED] == 1 on main → asserts counts[FAILED] == 0 in PR
assert counts[SliceLifecycleState.FAILED] == 0
assert group.slice_count() == 0

Callers that relied on the FAILED state being visible (status UI, dashboards, snapshots) will silently see fewer slices. Given the stated motivation is debuggability, dropping FAILED visibility from to_status() and slice_state_counts() cuts against that motivation. Either (a) call out the change explicitly and confirm no downstream consumer cares, or (b) keep FAILED in tracking with a separate cleanup pass, matching main.

---

3. The abstraction is heavier than the 11 transitions warrant

TRANSITIONS is 11 entries, and every to_state is one of INITIALIZING / READY / FAILED. To consume this you stitch together:

1. cloud_state_to_event() in slice_lifecycle.py — maps CloudSliceState → SliceEvent (with a hidden timeout check for UNKNOWN).
2. TRANSITIONS[(state, event)] — tells you the new state.
3. dispatch() in scaling_group.py — switches on to_state for side effects inside the lock (worker_ids, last_active, error_message, detach, _apply_failure_locked, pop, last_scale_down).
4. _handle_transition() in runtime.py — switches on new_state again for side effects outside the lock (register/unregister workers, spawn terminate, log action).
5. Each call site in refresh() / terminate_slices_for_workers() — switches on new_state a third time to pick log text.

The original imperative code (if status.state == READY: mark_ready(); register_workers()) required a single read. The state-machine version triples the number of if new_state == … branches and scatters them across three modules. For a state machine with 2 non-terminal states and 3 terminal outcomes, this is over-engineered — a couple of typed methods (mark_ready, mark_failed, mark_idle) with the transition check inlined would express the same invariants with less surface.

---

4. context: dict[str, Any] defeats typing at the API boundary

dispatch(slice_id, event, context: dict[str, Any] | None = None, *, now=…) pushes typed information through an untyped dict. Concrete consequences:

• Inconsistent payload shape for the same event: production passes {"workers": [RemoteWorkerHandle, …]}, but tests and conftest pass {"worker_ids": ["10.0.0.1", …]}. dispatch() branches on ctx.get("worker_ids") or [w.worker_id for w in workers] to paper over this. Direct sign the API boundary is wrong.
• Dead payload: terminate_slices_for_workers passes {"failed_workers": sorted(…)}. dispatch() never reads it.
• No static guarantee that FAILED events carry error_message, that READY events carry workers, etc. A typo silently yields "" or [].

Cleaner fix: discriminated event dataclass (CloudReady(workers=…), CloudFailed(error=…), IdleTimeout(), etc.) — or just typed methods given the small number of call shapes.

Pyrefly won't catch any of this today because of Any, and the repo's own guidance (AGENTS.md) calls out avoiding Any.

---

5. "Atomic cross-machine cascade" lock widening — real race?

Rationale for folding _apply_failure_locked inside _slices_lock: "short-lived slice failures bump consecutive_failures and extend backoff_until atomically with the FAILED transition." But:

• _consecutive_failures / _backoff_until are read in availability(), which doesn't require consistency with _slices (readers already tolerate partial views across unrelated fields).
• No test asserts the atomicity invariant; no race is cited in a commit message.
• Holding _slices_lock while mutating _backoff_until widens lock scope and makes future lock-discipline reasoning harder.

If there's no concrete reader that observes the inconsistency as a bug, the invariant is aspirational and not worth the lock widening.

---

6. Minor: operations.py dissolution is a partial reversion

This PR deletes operations.py (the module that extracted restart_worker and terminate_slices_for_workers as free functions) and inlines the logic back into Autoscaler. The final commit (1b567c0f3) reverts restart_worker to main's behavior verbatim — net effect on restart_worker is ~30 lines moved module-to-module with no behavior change. Would read more honestly split into its own PR or commit.

---

Recommendation

1. Fix the PR description (no audit table, no preserved mark_slice_* methods).
2. Acknowledge + justify the "FAILED disappears from _slices" semantic change, or restore main's behavior.
3. Replace context: dict[str, Any] with typed methods or typed event payloads; drop the dead failed_workers key.
4. Either drop the lock widening around _apply_failure_locked or add a test demonstrating the atomicity invariant matters.
5. Split the operations.py → runtime.py move into its own PR (or at least its own commit with no behavior changes mixed in).

The underlying idea — turning slice lifecycle into a table so transitions are reviewable at a glance — is reasonable. The execution adds more indirection than the 11 transitions repay, and the description oversells what actually ships.

[ravwojdyla]

Top level makes sense!

[ravwojdyla]

nit: you can use enum.auto