docs: record unconstrained design

udmada · udmada · commit aac648c579ef · 2026-02-23T06:47:34.000+13:00
diff --git a/README.md b/README.md
@@ -64,25 +64,27 @@ flowchart LR
 ## Prerequisites
 
 - [mise](https://mise.jdx.dev/getting-started.html)
-
-- [Docker](https://www.docker.com/) (for SQL Server + LocalStack)
+  - manages .NET 10, pkl, and hk
+- [Docker](https://www.docker.com/)
+  - SQL Server (Azure Edge SQL for aarch64) + LocalStack
 
 ## Quick Start
 
 See **[docs/local-setup.md](docs/local-setup.md)** for the full setup walkthrough. In brief:
 
 ```shell
-mise i                     # Install all dependencies incl dotnet
-dotnet test                # Running Tests
-dotnet build               # Debug build
-dotnet publish -c Release  # Native AOT binary
-docker-compose up -d
+mise i                         # Install .NET 10, pkl, hk
+mise run test                  # Run tests with 80% coverage gate
+mise run build                 # Debug build
+mise run publish               # Native AOT binary
+docker-compose up -d           # Start SQL Server + LocalStack
 dotnet user-secrets set "ScanEventApi:BaseUrl" "https://your-api-host" --project src/ScanEventWorker
 dotnet run --project src/ScanEventWorker/ScanEventWorker.csproj
 ```
 
 ## Assumptions
 
+0. Scan Event API pre-exists and _all_ events are retained indefinitely — if violated, see [Known Limitation 1](#known-limitations).
 1. ~~Events are returned ordered by `EventId` ascending~~
 2. ~~`EventId` is monotonically increasing — querying `FromEventId=X` reliably returns all events with ID ≥ X~~
 3. ~~The API returns an empty `ScanEvents` array when no more events exist (end-of-feed signal)~~
@@ -111,7 +113,21 @@ dotnet run --project src/ScanEventWorker/ScanEventWorker.csproj
     - the last processed event is re-fetched on every cycle to avoid missing events if IDs have gaps
     - the idempotent MERGE absorbs the duplicate without side effects
 14. The event feed starts at `EventId=1`
-    - `ProcessingState` is seeded with `LastEventId=1` on first run d
+    - `ProcessingState` is seeded with `LastEventId=1` on first run
+
+## Known Limitations
+
+1. **Event retention** (violates [Assumption 0](#assumptions))
+   - If the API enforces a rolling retention window (e.g. 7 days), downtime longer than that window causes permanent data loss with no recovery path.
+2. **No API authentication/authorisation**
+   - `ScanEventApiClient` sends unauth HTTP requests. The spec sample shows no auth header
+   - if the production API requires one, it must be added before deployment
+3. **Poller cannot scale horizontally**
+   - `ProcessingState` is a single-row table and the startup `Mutex` enforces one poller instance
+   - Scaling the poller requires distributed locking and a different cursor model
+4. **DLQ is silent**
+   - Messages that fail 3 times move to the DLQ and die there
+   - Without monitoring they accumulate undetected
 
 ## Potential Improvements
 
@@ -134,6 +150,7 @@ dotnet run --project src/ScanEventWorker/ScanEventWorker.csproj
 - [Infrastructure](docs/infrastructure.md)
   - CDK stack
   - downstream fan-out architecture
+  - spec constraint: why polling exists, and the event-driven alternative
 - [Design Rationale](docs/design-rationale.md)
   - Domain model
   - error handling
diff --git a/docs/infrastructure.md b/docs/infrastructure.md
@@ -41,3 +41,62 @@ flowchart LR
 
 - **Outbox pattern** — write events to an outbox table, dedicated publisher reads and publishes to SNS/SQS. Stronger consistency guarantee but adds DB coupling and latency.
 - **CDC (Change Data Capture)** — enable SQL Server CDC on `ParcelSummary`, stream changes via Kafka Connect. Best for consumers that need the DB state, not the raw events.
+
+---
+
+## Spec Constraint: Why Polling Exists
+
+The entire `ApiPollerWorker` exists solely because the spec defines a **pull-only GET endpoint**. This is the root architectural constraint, and it has a cascading effect on every design decision in this codebase.
+
+### What Polling Costs
+
+| Property            | Polling (current)                               | Event-driven (ideal)                |
+| ------------------- | ----------------------------------------------- | ----------------------------------- |
+| Scaling             | Single-instance (shared `LastEventId` cursor)   | Stateless consumers — scale to zero |
+| Latency             | Up to `PollingIntervalSeconds` (5 s)            | Sub-second                          |
+| Fan-out             | Requires this worker to forward to SNS/SQS      | Native via EventBridge rules        |
+| Fault model         | Long-running process; crash = gap until restart | Lambda retries per-invocation       |
+| Infrastructure cost | Always-on ECS/EC2 task                          | Pay-per-invocation                  |
+| Operational burden  | Cursor state in SQL, DLQ monitoring             | Managed by the platform             |
+
+Polling is a workaround, not a design choice. If the upstream offered a push mechanism, `ApiPollerWorker`, `ProcessingState`, and `SqsMessageQueue` could all be deleted.
+
+### The Unconstrained Design
+
+If the scan event source could emit events (webhook, DynamoDB Streams, EventBridge, or S3 notifications), the architecture collapses into a fully serverless, event-driven pipeline:
+
+```mermaid
+architecture-beta
+    service source(internet)[Scan Event Source]
+
+    group aws(logos:aws)[AWS]
+
+    service eb(logos:aws-eventbridge)[EventBridge or SNS] in aws
+    service sfn(logos:aws-stepfunctions)[Step Functions] in aws
+    service fn(logos:aws-lambda)[Lambda durable functions] in aws
+    service db(logos:aws-dynamodb)[DynamoDB] in aws
+    service s3(logos:aws-s3)[S3] in aws
+
+    source:R --> L:eb
+    eb:R --> L:sfn
+    sfn:T --> T:fn
+    eb:B --> T:fn
+    sfn:R --> L:db
+    sfn:B --> T:s3
+```
+
+**Each component earns its place:**
+
+- **EventBridge / SNS** — zero-config fan-out; downstream consumers subscribe without any changes to the producer
+- **AWS Step Functions** — replaces `EventProcessorWorker`'s manual retry/DLQ logic with durable, visual orchestration; retries, catch blocks, and compensating transactions are declared, not coded
+- **DynamoDB** — replaces SQL Server with a serverless, horizontally scaled store; DynamoDB Streams can trigger further Lambdas for free, enabling second-order fan-out with no extra infrastructure
+- **S3** — each raw event lands in an S3 object on arrival; satisfies compliance audit requirements without any schema migration
+- **Lambda** — each invocation is independent; a crash affects one event, not the entire feed; cold-start latency is acceptable at 5-second polling granularity anyway
+
+### Why This Matters for Microservices
+
+The polling model creates a centralised bottleneck: exactly one process owns the cursor, owns the queue writes, and owns the fan-out decision. In a microservices context this is an anti-pattern — every downstream team depends on this worker staying healthy.
+
+An event-driven source eliminates the coupling entirely. Downstream services subscribe to EventBridge or SNS directly; the scan event producer has no knowledge of consumers, and neither does this worker.
+
+The current SQS abstraction (`IMessageQueue`) was designed with this migration in mind: replacing `SqsMessageQueue` with an EventBridge publisher requires changing one DI registration in `Program.cs`.
diff --git a/docs/local-setup.md b/docs/local-setup.md
@@ -2,12 +2,22 @@
 
 ## Prerequisites
 
-- [.NET 10 SDK](https://dotnet.microsoft.com/download)
-- [Docker](https://www.docker.com/) (for SQL Server + LocalStack)
+- [mise](https://mise.jdx.dev/getting-started.html)
+  - manages .NET 10, pkl, and hk
+- [Docker](https://www.docker.com/)
+  - for SQL Server + LocalStack
 
 ## Steps
 
-### 1. Start infrastructure
+### 1. Install tools
+
+```bash
+mise i
+```
+
+This installs .NET 10, pkl, and hk as declared in `mise.toml`.
+
+### 2. Start infrastructure
 
 ```bash
 docker-compose up -d
@@ -16,9 +26,9 @@ docker-compose up -d
 This starts:
 
 - **Azure SQL Edge** on `localhost:1433` (ARM64-compatible SQL Server)
-- **LocalStack** on `localhost:4566` (local SQS emulator — queues auto-created via `scripts/init-localstack.sh`)
+- **LocalStack** on `localhost:4566` (local SQS emulator - queues auto-created via `scripts/init-localstack.sh`)
 
-### 2. Create the database
+### 3. Create the database
 
 ```bash
 docker exec -it $(docker ps -q -f ancestor=mcr.microsoft.com/azure-sql-edge) \
@@ -28,14 +38,14 @@ docker exec -it $(docker ps -q -f ancestor=mcr.microsoft.com/azure-sql-edge) \
 
 The worker auto-creates the `ProcessingState` and `ParcelSummary` tables on startup via `DatabaseInitialiser`.
 
-### 3. Set dummy AWS credentials (LocalStack doesn't validate them)
+### 4. Set dummy AWS credentials (LocalStack doesn't validate them)
 
 ```bash
 export AWS_ACCESS_KEY_ID=test
 export AWS_SECRET_ACCESS_KEY=test
 ```
 
-### 4. Configure the API base URL (required)
+### 5. Configure the API base URL (required)
 
 The worker cannot connect without this. Set it via user-secrets:
 
@@ -46,13 +56,13 @@ dotnet user-secrets set "ScanEventApi:BaseUrl" "https://your-api-host" \
 
 Or edit `ScanEventApi:BaseUrl` directly in `src/ScanEventWorker/appsettings.json`.
 
-### 5. Run the worker
+### 6. Run the worker
 
 ```bash
 dotnet run --project src/ScanEventWorker/ScanEventWorker.csproj
 ```
 
-### 6. Verify resumability
+### 7. Verify resumability
 
 Stop the worker (`Ctrl+C`) and restart it. The log will show:
 
