Merge pull request #995 from meridianhub/meridian-unified--12--idempotency-consistency-refactor

refactor: standardize idempotency wiring across all services (meridian-unified.12)

Author: bjcoombs

services/current-account/cmd/main.go

@@ -3,6 +3,7 @@ package main
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"log/slog"
 	"net"
@@ -32,7 +33,6 @@ import (
 	"github.com/meridianhub/meridian/shared/platform/kafka"
 	"github.com/meridianhub/meridian/shared/platform/observability"
 	"github.com/meridianhub/meridian/shared/platform/ports"
-	"github.com/redis/go-redis/v9"
 	"github.com/sony/gobreaker/v2"
 	"google.golang.org/grpc/health/grpc_health_v1"
 	"google.golang.org/grpc/reflection"
@@ -46,6 +46,11 @@ var (
 	BuildDate = "unknown"
 )
 
+// Static errors for production environment requirements
+var (
+	ErrRedisRequiredInProduction = errors.New("redis required for idempotency in production environment")
+)
+
 func main() {
 	// Initialize structured logging with configurable log level
 	// Note: bootstrap.NewLogger hardcodes INFO level, so we create logger manually for LOG_LEVEL support
@@ -105,27 +110,34 @@ func run(logger *slog.Logger) error {
 	withdrawalRepo := persistence.NewWithdrawalRepository(db)
 	outboxRepo := events.NewPostgresOutboxRepository(db)
 
-	// Create Redis client lazily (optional - graceful degradation during startup).
-	// LazyClient resolves Redis in a background goroutine with exponential backoff.
-	// The idempotency service degrades gracefully (no-op) until Redis connects.
+	// Create Redis client and idempotency service.
+	// In production: fail fast if Redis is unavailable (idempotency is critical).
+	// In non-production: use NoopService for graceful degradation with metrics.
+	var idempotencyService idempotency.Service
 	redisConfig := bootstrap.DefaultRedisConfig()
 	redisConfig.Logger = logger
-	lazyRedis := bootstrap.NewLazyClient(ctx, "redis",
-		func(ctx context.Context) (*redis.Client, func(), error) {
-			client, err := bootstrap.NewRedisClient(ctx, redisConfig)
-			if err != nil {
-				return nil, nil, err
+	redisClient, redisErr := bootstrap.NewRedisClient(ctx, redisConfig)
+	if redisErr != nil {
+		if env.IsProduction() {
+			logger.Error("CRITICAL: Redis unavailable in production - failing fast", "error", redisErr)
+			return bootstrap.Permanent(fmt.Errorf("%w: %w", ErrRedisRequiredInProduction, redisErr))
+		}
+		logger.Warn("Redis not available at startup, using noop idempotency service - DEVELOPMENT ONLY",
+			"error", redisErr,
+			"environment", os.Getenv("ENVIRONMENT"))
+		idempotencyService = idempotency.NewNoopService(logger)
+		caobservability.SetNoopIdempotencyActive(true)
+		caobservability.RecordServiceDegradation(caobservability.ComponentIdempotency, caobservability.DegradationReasonStartupFallback)
+	} else {
+		idempotencyService = idempotency.NewRedisService(redisClient)
+		caobservability.SetNoopIdempotencyActive(false)
+		logger.Info("idempotency service initialized with Redis")
+		defer func() {
+			if err := redisClient.Close(); err != nil {
+				logger.Error("failed to close Redis client", "error", err)
 			}
-			return client, func() {
-				if err := client.Close(); err != nil {
-					logger.Error("failed to close Redis client", "error", err)
-				}
-				logger.Info("Redis client closed")
-			}, nil
-		},
-		bootstrap.WithLazyLogger(logger),
-	)
-	idempotencyService := idempotency.NewLazyService(lazyRedis)
+		}()
+	}
 
 	// Get Kubernetes namespace from environment (defaults to "default")
 	namespace := env.GetEnvOrDefault("K8S_NAMESPACE", "default")
@@ -309,17 +321,7 @@ func run(logger *slog.Logger) error {
 		})
 	}
 
-	// Close lazily-resolved Redis client if it was resolved
-	orchestrator.AddCleanup(func() error {
-		if client, err := lazyRedis.Get(); err == nil {
-			if closeErr := client.Close(); closeErr != nil {
-				logger.Error("failed to close Redis client", "error", closeErr)
-				return closeErr
-			}
-			logger.Info("Redis client closed")
-		}
-		return nil
-	})
+	// No additional Redis cleanup needed here — Redis client is closed via defer above when available
 	orchestrator.AddCleanup(func() error {
 		bootstrap.CloseDatabase(db, logger)
 		return nil

services/current-account/observability/metrics.go

@@ -147,6 +147,22 @@ var (
 		[]string{"clearing_type"},
 	)
 
+	// NoOp fallback metrics - indicates degraded service functionality
+	noopIdempotencyActive = promauto.NewGauge(
+		prometheus.GaugeOpts{
+			Name: "current_account_noop_idempotency_active",
+			Help: "1 if NoOp idempotency service is active (production risk), 0 otherwise",
+		},
+	)
+
+	serviceDegradationEvents = promauto.NewCounterVec(
+		prometheus.CounterOpts{
+			Name: "current_account_service_degradation_events_total",
+			Help: "Total number of service degradation events by component",
+		},
+		[]string{"component", "reason"},
+	)
+
 	// Webhook delivery metrics - tracks delivery attempts and failures for regulatory notifications
 	webhookDeliveryAttempts = promauto.NewCounterVec(
 		prometheus.CounterOpts{
@@ -319,6 +335,38 @@ func RecordWebhookDeliveryRetry(eventType string) {
 	webhookDeliveryRetries.WithLabelValues(eventType).Inc()
 }
 
+// Service component constants for degradation metrics.
+const (
+	ComponentIdempotency = "idempotency"
+)
+
+// Degradation reason constants.
+const (
+	DegradationReasonStartupFallback = "startup_fallback"
+)
+
+// SetNoopIdempotencyActive sets the gauge indicating whether NoOp idempotency is active.
+// This metric MUST trigger a critical alert in production environments.
+//
+// ALERTING: This metric MUST have a Prometheus alert configured:
+//
+//	alert: NoopIdempotencyActiveInProduction
+//	expr: current_account_noop_idempotency_active == 1 AND environment == "production"
+//	severity: critical
+//	runbook: docs/runbooks/noop-fallback-active.md
+func SetNoopIdempotencyActive(active bool) {
+	if active {
+		noopIdempotencyActive.Set(1)
+	} else {
+		noopIdempotencyActive.Set(0)
+	}
+}
+
+// RecordServiceDegradation records a service degradation event.
+func RecordServiceDegradation(component, reason string) {
+	serviceDegradationEvents.WithLabelValues(component, reason).Inc()
+}
+
 // RecordWebhookDeliveryExhausted records when webhook delivery retries are exhausted.
 // This indicates a regulatory compliance risk - freeze/close notifications not delivered.
 //

services/financial-accounting/cmd/main.go

@@ -251,10 +251,9 @@ func run(logger *slog.Logger) error {
 
 	// Create Redis client and idempotency service.
 	// In production: fail fast if Redis is unavailable (idempotency is critical).
-	// In non-production: use LazyClient for graceful degradation during startup.
+	// In non-production: use NoopService for graceful degradation with metrics.
 	var idempotencySvc idempotency.Service
 	var redisSvc *idempotency.RedisService // Keep reference for cleanup worker
-	var lazyRedis *bootstrap.LazyClient[*redis.Client]
 	var usingNoopIdempotency bool
 	redisClient, err := createRedisClient(logger)
 	if err != nil {
@@ -263,27 +262,11 @@ func run(logger *slog.Logger) error {
 				"error", err)
 			return bootstrap.Permanent(fmt.Errorf("%w: %w", ErrRedisRequiredInProduction, err))
 		}
-		// Non-production: use lazy Redis resolution instead of noop
-		logger.Warn("Redis not available at startup, using lazy resolution - DEVELOPMENT ONLY",
+		logger.Warn("Redis not available at startup, using noop idempotency service - DEVELOPMENT ONLY",
 			"error", err,
 			"environment", os.Getenv("ENVIRONMENT"))
-		lazyRedis = bootstrap.NewLazyClient(ctx, "redis",
-			func(_ context.Context) (*redis.Client, func(), error) {
-				//nolint:contextcheck // createRedisClient manages its own timeout context
-				client, redisErr := createRedisClient(logger)
-				if redisErr != nil {
-					return nil, nil, redisErr
-				}
-				return client, func() {
-					if closeErr := client.Close(); closeErr != nil {
-						logger.Error("failed to close Redis client", "error", closeErr)
-					}
-				}, nil
-			},
-			bootstrap.WithLazyLogger(logger),
-		)
-		idempotencySvc = idempotency.NewLazyService(lazyRedis)
-		usingNoopIdempotency = true // Tracks that we're in degraded mode initially
+		idempotencySvc = idempotency.NewNoopService(logger)
+		usingNoopIdempotency = true
 		serviceobs.SetNoopIdempotencyActive(true)
 		serviceobs.RecordServiceDegradation(serviceobs.ComponentIdempotency, serviceobs.DegradationReasonStartupFallback)
 	} else {
@@ -536,17 +519,6 @@ func run(logger *slog.Logger) error {
 		logger.Info("idempotency cleanup worker stopped")
 	}
 
-	// Close lazily-resolved Redis client if it was resolved
-	if lazyRedis != nil {
-		if client, getErr := lazyRedis.Get(); getErr == nil {
-			if closeErr := client.Close(); closeErr != nil {
-				logger.Error("failed to close lazy Redis client", "error", closeErr)
-			} else {
-				logger.Info("lazy Redis client closed")
-			}
-		}
-	}
-
 	// Stop outbox worker first (stop processing before closing Kafka producer)
 	if outboxWorker != nil {
 		logger.Info("stopping outbox worker...")

services/payment-order/cmd/main.go

@@ -24,6 +24,7 @@ import (
 	"github.com/meridianhub/meridian/services/payment-order/adapters/persistence"
 	"github.com/meridianhub/meridian/services/payment-order/config"
 	"github.com/meridianhub/meridian/services/payment-order/domain"
+	poobservability "github.com/meridianhub/meridian/services/payment-order/observability"
 	"github.com/meridianhub/meridian/services/payment-order/service"
 	"github.com/meridianhub/meridian/services/payment-order/worker"
 	sharedclients "github.com/meridianhub/meridian/shared/pkg/clients"
@@ -66,6 +67,9 @@ var (
 // ErrMissingHMACSecret is returned when the WEBHOOK_HMAC_SECRET environment variable is not set.
 var ErrMissingHMACSecret = errors.New("WEBHOOK_HMAC_SECRET environment variable is required")
 
+// ErrRedisRequiredInProduction is returned when Redis is unavailable in production environments.
+var ErrRedisRequiredInProduction = errors.New("redis required for idempotency in production environment")
+
 func main() {
 	// Initialize structured logging with configurable log level
 	// Note: bootstrap.NewLogger hardcodes INFO level, so we create logger manually for LOG_LEVEL support
@@ -178,17 +182,32 @@ func run(logger *slog.Logger) error {
 	}
 	defer kafkaProducer.Close()
 
-	// Create Redis client and idempotency service
-	redisClient, err := createRedisClient(logger)
-	if err != nil {
-		return fmt.Errorf("failed to create Redis client: %w", err)
-	}
-	defer func() {
-		if err := redisClient.Close(); err != nil {
-			logger.Error("failed to close Redis client", "error", err)
+	// Create Redis client and idempotency service.
+	// In production: fail fast if Redis is unavailable (idempotency is critical).
+	// In non-production: use NoopService for graceful degradation with metrics.
+	var idempotencyService idempotency.Service
+	redisClient, redisErr := createRedisClient(logger)
+	if redisErr != nil {
+		if env.IsProduction() {
+			logger.Error("CRITICAL: Redis unavailable in production - failing fast", "error", redisErr)
+			return bootstrap.Permanent(fmt.Errorf("%w: %w", ErrRedisRequiredInProduction, redisErr))
 		}
-	}()
-	idempotencyService := idempotency.NewRedisService(redisClient)
+		logger.Warn("Redis not available at startup, using noop idempotency service - DEVELOPMENT ONLY",
+			"error", redisErr,
+			"environment", os.Getenv("ENVIRONMENT"))
+		idempotencyService = idempotency.NewNoopService(logger)
+		poobservability.SetNoopIdempotencyActive(true)
+		poobservability.RecordServiceDegradation(poobservability.ComponentIdempotency, poobservability.DegradationReasonStartupFallback)
+	} else {
+		idempotencyService = idempotency.NewRedisService(redisClient)
+		poobservability.SetNoopIdempotencyActive(false)
+		logger.Info("idempotency service initialized with Redis")
+		defer func() {
+			if err := redisClient.Close(); err != nil {
+				logger.Error("failed to close Redis client", "error", err)
+			}
+		}()
+	}
 
 	// Create Starlark handler registry with service client handlers.
 	// This enables saga scripts to call real services (not mocks).
@@ -297,7 +316,7 @@ func run(logger *slog.Logger) error {
 	var billingCronScheduler *scheduler.CronScheduler
 	var dunningWorker *worker.DunningWorker
 
-	if svcConfig.BillingEnabled {
+	if svcConfig.BillingEnabled && redisClient != nil {
 		billingRepo := persistence.NewBillingRepository(db)
 		billingMetrics := worker.NewBillingMetrics()
 
@@ -387,6 +406,8 @@ func run(logger *slog.Logger) error {
 			"shadow_mode", svcConfig.BillingShadowMode,
 			"dunning_poll_interval", svcConfig.DunningPollInterval,
 			"tenant_id", tenantID)
+	} else if svcConfig.BillingEnabled && redisClient == nil {
+		logger.Warn("billing workers disabled — Redis unavailable (DEVELOPMENT ONLY)")
 	} else {
 		logger.Info("billing workers disabled (BILLING_ENABLED=false)")
 	}
@@ -456,13 +477,19 @@ func run(logger *slog.Logger) error {
 		return fmt.Errorf("failed to create webhook handler: %w", err)
 	}
 
-	// Create Stripe event processor for webhook idempotency and dunning
-	eventProcessor, err := webhookhttp.NewStripeEventProcessor(webhookhttp.StripeEventProcessorConfig{
-		RedisClient: redisClient,
-		Logger:      logger,
-	})
-	if err != nil {
-		return fmt.Errorf("failed to create stripe event processor: %w", err)
+	// Create Stripe event processor for webhook idempotency and dunning.
+	// Requires Redis; if Redis is unavailable in non-production, skip Stripe webhook processing.
+	var eventProcessor *webhookhttp.StripeEventProcessor
+	if redisClient != nil {
+		eventProcessor, err = webhookhttp.NewStripeEventProcessor(webhookhttp.StripeEventProcessorConfig{
+			RedisClient: redisClient,
+			Logger:      logger,
+		})
+		if err != nil {
+			return fmt.Errorf("failed to create stripe event processor: %w", err)
+		}
+	} else {
+		logger.Warn("Stripe event processor disabled — Redis unavailable (DEVELOPMENT ONLY)")
 	}
 
 	// Create Stripe webhook handler (optional - only if STRIPE_API_KEY is configured)

services/payment-order/observability/metrics.go

@@ -280,8 +280,56 @@ var (
 			Help: "Total number of payment orders where lien execution retries were exhausted",
 		},
 	)
+
+	// NoOp fallback metrics - indicates degraded service functionality
+	noopIdempotencyActive = promauto.NewGauge(
+		prometheus.GaugeOpts{
+			Name: "payment_order_noop_idempotency_active",
+			Help: "1 if NoOp idempotency service is active (production risk), 0 otherwise",
+		},
+	)
+
+	serviceDegradationEvents = promauto.NewCounterVec(
+		prometheus.CounterOpts{
+			Name: "payment_order_service_degradation_events_total",
+			Help: "Total number of service degradation events by component",
+		},
+		[]string{"component", "reason"},
+	)
+)
+
+// Service component constants for degradation metrics.
+const (
+	ComponentIdempotency = "idempotency"
+)
+
+// Degradation reason constants.
+const (
+	DegradationReasonStartupFallback = "startup_fallback"
 )
 
+// SetNoopIdempotencyActive sets the gauge indicating whether NoOp idempotency is active.
+// This metric MUST trigger a critical alert in production environments.
+//
+// ALERTING: This metric MUST have a Prometheus alert configured:
+//
+//	alert: NoopIdempotencyActiveInProduction
+//	expr: payment_order_noop_idempotency_active == 1 AND environment == "production"
+//	severity: critical
+//	runbook: docs/runbooks/noop-fallback-active.md
+func SetNoopIdempotencyActive(active bool) {
+	if active {
+		noopIdempotencyActive.Set(1)
+	} else {
+		noopIdempotencyActive.Set(0)
+	}
+}
+
+// RecordServiceDegradation records a service degradation event.
+func RecordServiceDegradation(component, reason string) {
+	serviceDegradationEvents.WithLabelValues(component, reason).Inc()
+}
+
 // RecordPaymentOrder records a payment order by status.
 func RecordPaymentOrder(status string) {
 	paymentOrdersTotal.WithLabelValues(status).Inc()