feat: rotation-SNI discovery + rapid-eviction pin set (#603)

* feat: rotation-SNI discovery + rapid-eviction pin set

cumulative discovery used to stall on multi-backend models because the
proxy's least-connections LB collapses fresh-TCP probes onto a stable
subset of backends. We worked around this with parallelism (5 calls per
new provider, 2 per refresh cycle) and inter-model staggering, but the
shape was fundamentally O(luck): some replicas kept missing some
backends forever and got TLS-handshake-rejected when the LB later
routed them there. The customer-visible symptom is ~42% of
/v1/attestation/report calls for GLM-5.1-FP8 failing with
"error sending request".

model-proxy PR #27 published a deterministic routing knob: rotation SNI
'<canonical>-i<N>.<base>' routes to 'healthy_backends_sorted[N % healthy]',
and GET /backends/count?domain=<host> reports the current healthy count.
This PR rewrites discover_model on top of those two pieces.

Per-cycle flow:
- Fetch the healthy backend count from /backends/count.
- Fan out one fresh-TCP attestation call per backend index, in parallel,
  no stagger. Each call lands on a distinct backend by construction, so
  per-backend GPU evidence pressure per cycle is exactly one attestation
  regardless of how many models refresh together.
- Apply the cycle's verified fingerprints to the shared pin set
  according to apply_pin_update():
    * Complete coverage (no failures, verify_failures == 0, distinct
      observed fingerprints == backend_count): REPLACE the pin set with
      the observed set. A backend that just went unhealthy or had its
      cert rotated drops out of the pin set within one refresh
      interval — rapid eviction.
    * Anything less: additive merge. A transient hiccup never evicts
      verified fingerprints we just couldn't reconfirm.

Eliminates:
- ATTESTATION_DISCOVERY_PARALLELISM (was 5)
- CUMULATIVE_DISCOVERY_CALLS (was 2)
- STAGGER_MS (intra-model, was 200)
- MODEL_DISCOVERY_STAGGER_MS (inter-model, was 2_000)

discover_model loses the num_calls parameter. Both call sites (the
new-provider phase in load_inference_url_models and the cumulative
refresh path) become identical.

DiscoveryOutcome gains:
- backend_count: healthy count from /backends/count this cycle, 0 if
  the fetch failed (failure_reasons[0] then carries the reason).
- replaced_state: true iff this cycle achieved complete coverage and
  the pin set was wholesale replaced rather than additively merged.

Both fields are surfaced on the existing INFO log lines (initial
discovery, cumulative expansion, cumulative no-new-fingerprints) for
DD-side observability.

URL handling derives the base domain by stripping the leftmost DNS
label of the inference URL host. Works for every URL we have today
('*.completions{,-stg}.near.ai'); URLs that don't fit (one-label hosts,
IP literals) return an empty outcome with a 'url_parse:' failure
reason and the existing fail-closed path handles eviction.

Tests:
- spki_verifier: replace_with state transitions (Bootstrap->Pinned,
  Pinned shrink, Blocked->Pinned recovery, empty set).
- rotation: 10 URL-helper tests covering canonicals with internal
  dashes, case insensitivity, port preservation, IP/one-label
  rejection, count-URL shape.
- inference_provider_pool: 8 apply_pin_update policy tests covering
  steady state, eviction on shrinking count, partial-cycle additive
  preservation, duplicate-observation safety, verify_failure
  blocking replacement, zero-count safety, bootstrap first cycle.

Followup #600: rotation SNI for chat-completion bucket pre-warm.

* review: distinguish count_zero, cap fan-out, redact reqwest URLs

Address bot review feedback on #603:

- count_zero vs count-fetch-failure are now distinguishable in
  failure_reasons. Previously both rendered as empty / generic
  count_*:; now Ok(0) records 'count_zero: proxy reports 0 healthy
  backends' explicitly.

- Sanity-cap rotation fan-out at 256 backends per model per cycle.
  A bogus registry reading (race during deploy, partial split) would
  otherwise spawn an unbounded number of fresh-TCP TLS handshakes.
  Hitting the cap is logged and recorded in failure_reasons.

- Strip the request URL from every reqwest error in failure_reasons
  via Error::without_url(). The URLs embed our random per-call nonce,
  which would otherwise create unbounded label cardinality in DD when
  any reqwest error path fires. Full error stays available at DEBUG
  via the existing debug! lines.

- pin_update_verify_failure_blocks_replacement test now uses an input
  shape that the production caller can actually produce
  (backend_count=4, verified=3, verify_failures=1). The policy
  assertion is unchanged.

Author: Evrard-Nil

crates/inference_providers/src/spki_verifier.rs

@@ -57,6 +57,24 @@ impl FingerprintState {
         // Don't block if already Pinned — keep existing verified fingerprints
     }
 
+    /// Replace the pinned set wholesale.
+    ///
+    /// Called once per discovery cycle when the cycle achieved complete
+    /// coverage (every healthy backend produced exactly one verified
+    /// fingerprint). Lets the pin set track the *current* healthy set rather
+    /// than accumulating every backend the proxy ever routed to — when a
+    /// backend goes unhealthy or its cert rotates, its old fingerprint is
+    /// dropped within one refresh interval.
+    ///
+    /// Transitions Bootstrap → Pinned and Blocked → Pinned, matching
+    /// `add_fingerprint`. An empty `fps` is permitted; callers treat that as
+    /// "no healthy backends right now" and the provider-level fail-closed
+    /// path keeps connections rejected until a future cycle re-pins
+    /// something.
+    pub fn replace_with(&mut self, fps: HashSet<String>) {
+        *self = FingerprintState::Pinned(fps);
+    }
+
     /// Number of pinned fingerprints (0 for Bootstrap/Blocked).
     pub fn pinned_count(&self) -> usize {
         match self {
@@ -266,4 +284,65 @@ mod tests {
         assert!(matches!(state, FingerprintState::Pinned(_)));
         assert_eq!(state.pinned_count(), 1);
     }
+
+    #[test]
+    fn test_replace_with_from_bootstrap() {
+        let mut state = FingerprintState::Bootstrap;
+        let mut fps = HashSet::new();
+        fps.insert("a".to_string());
+        fps.insert("b".to_string());
+        state.replace_with(fps);
+        assert!(matches!(state, FingerprintState::Pinned(_)));
+        assert_eq!(state.pinned_count(), 2);
+    }
+
+    #[test]
+    fn test_replace_with_shrinks_pinned() {
+        let mut state = FingerprintState::Bootstrap;
+        for fp in ["a", "b", "c", "d", "e"] {
+            state.add_fingerprint(fp.to_string());
+        }
+        assert_eq!(state.pinned_count(), 5);
+
+        // Backend went away — pin set tracks the new healthy set.
+        let mut shrunk = HashSet::new();
+        shrunk.insert("a".to_string());
+        shrunk.insert("b".to_string());
+        shrunk.insert("c".to_string());
+        shrunk.insert("d".to_string());
+        state.replace_with(shrunk);
+        assert_eq!(state.pinned_count(), 4);
+        if let FingerprintState::Pinned(set) = &state {
+            assert!(set.contains("a"));
+            assert!(!set.contains("e"), "evicted fingerprint must be gone");
+        } else {
+            panic!("expected Pinned");
+        }
+    }
+
+    #[test]
+    fn test_replace_with_from_blocked() {
+        // Blocked → Pinned mirrors add_fingerprint's recovery path.
+        let mut state = FingerprintState::Bootstrap;
+        state.block();
+        assert!(matches!(state, FingerprintState::Blocked));
+
+        let mut fps = HashSet::new();
+        fps.insert("recovered".to_string());
+        state.replace_with(fps);
+        assert!(matches!(state, FingerprintState::Pinned(_)));
+        assert_eq!(state.pinned_count(), 1);
+    }
+
+    #[test]
+    fn test_replace_with_empty_set_is_permitted() {
+        // Caller may pass an empty set to express "no healthy backends".
+        // The provider-level fail-closed path is responsible for rejecting
+        // connections; FingerprintState just stores the (empty) Pinned set.
+        let mut state = FingerprintState::Bootstrap;
+        state.add_fingerprint("a".to_string());
+        state.replace_with(HashSet::new());
+        assert!(matches!(state, FingerprintState::Pinned(_)));
+        assert_eq!(state.pinned_count(), 0);
+    }
 }

crates/services/src/attestation/verification.rs

@@ -8,41 +8,6 @@ use std::collections::HashSet;
 
 const NVIDIA_NRAS_URL: &str = "https://nras.attestation.nvidia.com/v3/attest/gpu";
 
-/// Number of parallel attestation calls per model to discover TLS fingerprints
-/// from multiple backends behind L4 load balancing.
-///
-/// Each cloud-api instance runs its own discovery, so the effective load on a
-/// model is `PARALLELISM * cloud-api instance count` per refresh cycle. Keep
-/// this modest to avoid piling attestation work on inference backends.
-pub const ATTESTATION_DISCOVERY_PARALLELISM: usize = 5;
-
-/// Number of cumulative attestation calls per reused provider on each refresh.
-///
-/// Each cycle adds a small number of fresh-TCP discovery calls to a reused
-/// provider, which accumulates new backend fingerprints into the shared
-/// `FingerprintState`. Over several cycles this covers every backend behind
-/// the L4 LB, even when the initial discovery only hit one. Kept small so
-/// steady-state refresh load stays low.
-pub const CUMULATIVE_DISCOVERY_CALLS: usize = 2;
-
-/// Inter-model stagger for cumulative discovery on each refresh cycle (milliseconds).
-///
-/// When the provider pool refreshes, it runs cumulative attestation discovery
-/// for every reused model. Without staggering, all models fire their first
-/// discovery call at t=0, creating a burst that saturates the GPU evidence
-/// worker on dense hosts (e.g. gpu04 runs 8+ model instances).
-///
-/// With this stagger, model i starts its discovery after `i * MODEL_DISCOVERY_STAGGER_MS`
-/// delay. At 2 s/model the burst is spread across tens of seconds rather than
-/// a single wall-clock instant, while still completing well within the 5-minute
-/// refresh interval even for large pools.
-///
-/// Note: the cumulative discovery loop runs inside `buffer_unordered(10)`, so
-/// tasks at index >= 10 begin their sleep only after a concurrency slot opens.
-/// Their effective wall-clock delay is therefore ≥ i × STAGGER_MS, making the
-/// spread more conservative (not less) for pools larger than 10 models.
-pub const MODEL_DISCOVERY_STAGGER_MS: u64 = 2_000;
-
 /// Result of verifying an attestation report from an inference backend.
 #[derive(Debug, Clone)]
 pub struct VerifiedAttestation {