magick-feature-flags 1.4.2 → 1.4.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ce69954c64fae4d8ec9d10d177621ef508c1f0d8db98b9012849250d90cc974f
-  data.tar.gz: 41024341850d984dc1b16c8e85913160a94eb92b96f5eaf07477d9ff93a46de4
+  metadata.gz: 3e6f3b4ee81b2521e7f6975c0bd3c7a0a886ea2e23b5792b37e48cd28b08cb8d
+  data.tar.gz: 3aeb62560e637d844af0ea4e320a08a48eb72a33ebfd0653482899f42e8e2079
 SHA512:
-  metadata.gz: a16aa4722424020d4d4ab0d45c1dc5bfec6452ae6f24177d713e6f98790d33b4851bb340e39603aecf52c06bf2d669d0876c0b3835bc9ebf4f63cd92e7776ccc
-  data.tar.gz: 3a49561daaf30a060abefd7c11413dd5e87e27771b59e089d287cb2788920f5f9c334c4922e064d03c18ce692b6f37a6bfeaf419f09ba12891313c3be1eb1f8a
+  metadata.gz: 1135ba02b878e0d772259545231aa89f950e11199a0ee8d982440b9040f9c575a077567f3cd404727b27eb6eb962d811c6b301f92ad2227817289851392cf6c9
+  data.tar.gz: fb95eca4f8aa3b013298c087209818c91338ef4f9fe2a843951777df4c17fbe9bf83fdc5b1b45447503d5e718c6059d8a57b888746a36f463c929d8965526b3a

data/README.md

@@ -904,10 +904,14 @@ Magick.shutdown!          # default 5 second join timeout
 Magick.shutdown!(timeout: 1)  # more aggressive
 ```
 
-Fork-based deployments (Puma workers with `preload_app`, Unicorn) are handled
-automatically: `config.to_prepare` calls `ensure_subscriber!` and
-`ensure_async_processor!` on every prepare cycle, so children that inherit
-stale parent threads start fresh. No action required from the host app.
+Fork-based deployments (Puma workers with `preload_app!`, Unicorn) are handled
+automatically. A Rack middleware (`Magick::Rails::SubscriberMiddleware`) calls
+`ensure_subscriber!` on each request — a pid-guarded no-op once the subscriber
+is running — so a worker that inherited a dead parent thread starts its own
+subscriber on its first request. This matters because in production
+`config.to_prepare` runs **once at boot** (before workers fork), not per
+request, so it cannot revive the subscriber inside forked workers on its own.
+No action required from the host app.
 
 ## Admin UI Security
 

data/app/controllers/magick/adminui/features_controller.rb

@@ -15,6 +15,13 @@ module Magick
       layout 'application'
       before_action :authenticate_admin!
       before_action :set_feature, only: %i[show edit update enable disable enable_for_user enable_for_role disable_for_role update_targeting update_variants]
+      # Render the TRUE current state, not this process's local cache. In a
+      # multi-process / multi-container deployment the enable/disable POST and
+      # the redirected GET are load-balanced to different processes, so the
+      # process rendering the page may hold a stale memory copy until Pub/Sub
+      # catches up. These refresh from the shared backend before rendering.
+      before_action :refresh_all_features_from_source, only: %i[index]
+      before_action :refresh_feature_from_source, only: %i[show edit]
 
       # Make route helpers available in views via magick_admin_ui helper
       helper_method :magick_admin_ui, :available_roles, :available_tags, :partially_enabled?
@@ -334,6 +341,26 @@ module Magick
         obj.is_a?(Hash) || (defined?(ActionController::Parameters) && obj.is_a?(ActionController::Parameters))
       end
 
+      # Refresh every registered feature from the shared backend so the index
+      # reflects authoritative state regardless of which container serves it.
+      # Best-effort: a backend hiccup must never 500 the admin list.
+      def refresh_all_features_from_source
+        registry = Magick.adapter_registry
+        registry.refresh_all_from_source if registry.respond_to?(:refresh_all_from_source)
+        Magick.features.each_value { |f| f.reload if f.respond_to?(:reload) }
+      rescue StandardError => e
+        Rails.logger.warn "Magick: admin source refresh failed: #{e.class}: #{e.message}" if defined?(Rails)
+      end
+
+      # Refresh the single feature being viewed/edited from the shared backend.
+      def refresh_feature_from_source
+        return unless @feature
+
+        @feature.reload_from_source! if @feature.respond_to?(:reload_from_source!)
+      rescue StandardError => e
+        Rails.logger.warn "Magick: admin source refresh failed: #{e.class}: #{e.message}" if defined?(Rails)
+      end
+
       def set_feature
         feature_name = params[:id].to_s
         # Do NOT fall back to Magick[feature_name] — that would lazily create

data/lib/magick/adapters/registry.rb

@@ -24,7 +24,6 @@ module Magick
         @subscriber_thread = nil
         @subscriber = nil
         @refresh_thread = nil
-        @last_reload_times = {} # Track last reload time per feature for debouncing
         @local_writes = {} # Track recent local writes to skip self-invalidation
         @reload_mutex = Mutex.new
         @stopping = false
@@ -217,6 +216,39 @@ module Magick
         {}
       end
 
+      # Read a feature's complete data straight from the shared, authoritative
+      # backend — ActiveRecord first (it is written synchronously on every
+      # set/set_all_data), then Redis — bypassing this process's local memory
+      # cache, and refresh memory with the result.
+      #
+      # The Admin UI uses this so a toggle is reflected immediately on whichever
+      # process/container serves the (load-balanced) request after the write,
+      # instead of rendering this process's possibly-stale memory cache while it
+      # waits for Pub/Sub invalidation to arrive.
+      def authoritative_get_all_data(feature_name)
+        data = read_from_source(feature_name)
+        if data && !data.empty?
+          memory_adapter&.set_all_data(feature_name, data)
+          return data
+        end
+
+        # Source unavailable (Redis/AR down, or feature absent there) — fall back
+        # to whatever this process already has rather than wiping a usable cache.
+        memory_adapter ? memory_adapter.get_all_data(feature_name) : {}
+      end
+
+      # Bulk variant of #authoritative_get_all_data: refresh the local memory
+      # cache for EVERY feature from the shared backend in 1-2 queries. Returns
+      # the loaded data. Used by the Admin UI index so the full list reflects
+      # authoritative state regardless of which container serves it.
+      def refresh_all_from_source
+        data = load_all_from_source
+        if memory_adapter && !data.empty?
+          data.each { |feature_name, feature_data| memory_adapter.set_all_data(feature_name, feature_data) }
+        end
+        data
+      end
+
       # Bulk load ALL features into memory cache in minimal queries.
       # Call this after configuration to warm the cache.
       def preload!
@@ -371,6 +403,101 @@ module Magick
         thread
       end
 
+      # Handle one cache-invalidation message: refresh this process's view of
+      # the feature from the shared backend. Returns true when the message was
+      # acted on, false when it was rejected/skipped (used by specs).
+      #
+      # Every VALID, non-self message triggers a full-state reload. We do NOT
+      # debounce by a time window: a single enable/disable emits two publishes
+      # (targeting then value), and dropping the second would leave this process
+      # holding the old value until its memory TTL expires. Each reload reads the
+      # feature's COMPLETE current state, so processing every message is
+      # idempotent, and feature-flag writes are admin-rate — redundant reloads
+      # are cheap and rare.
+      def process_cache_invalidation(feature_name)
+        feature_name_str = feature_name.to_s
+
+        # Reject malformed payloads before doing anything with them. A shared
+        # Redis DB is not a trust boundary — reject anything that isn't a
+        # plausible feature identifier.
+        unless FEATURE_NAME_PATTERN.match?(feature_name_str)
+          warn "Magick: ignoring malformed pubsub payload (#{feature_name_str.bytesize}B)" if rails_development?
+          return false
+        end
+
+        # Skip self-invalidation: if this process just wrote this feature, memory
+        # already has the correct value. Reloading would revert it to stale data
+        # (especially with async writes that publish after the Redis write).
+        if local_write?(feature_name_str)
+          Rails.logger.debug "Magick: Skipping self-invalidation for '#{feature_name_str}'" if rails_development?
+          return false
+        end
+
+        # Invalidate the local memory cache, then reload the registered feature
+        # instance from the shared backend (the publisher writes Redis/AR BEFORE
+        # publishing, so fresh data is available by now).
+        memory_adapter&.delete(feature_name_str)
+        if defined?(Magick) && Magick.respond_to?(:features) && Magick.features.key?(feature_name_str)
+          feature = Magick.features[feature_name_str]
+          if feature.respond_to?(:reload)
+            feature.reload
+            Rails.logger.debug "Magick: Reloaded '#{feature_name_str}' after cache invalidation" if rails_development?
+          end
+        end
+        true
+      end
+
+      def rails_development?
+        defined?(Rails) && Rails.respond_to?(:env) && Rails.env.development?
+      end
+
+      # Read a feature's full data from the shared, authoritative backend,
+      # skipping the local memory cache. ActiveRecord is preferred because it is
+      # written synchronously on every set (Redis may lag under async_updates).
+      def read_from_source(feature_name)
+        if active_record_adapter
+          begin
+            data = active_record_adapter.get_all_data(feature_name)
+            return data if data && !data.empty?
+          rescue StandardError, AdapterError
+            # fall through to Redis
+          end
+        end
+
+        if redis_adapter
+          begin
+            return circuit_breaker.call { redis_adapter.get_all_data(feature_name) }
+          rescue StandardError, AdapterError
+            nil
+          end
+        end
+
+        nil
+      end
+
+      # Bulk read ALL features from the shared, authoritative backend, skipping
+      # the local memory cache. AR preferred (synchronous), Redis fallback.
+      def load_all_from_source
+        if active_record_adapter
+          begin
+            data = active_record_adapter.load_all_features_data
+            return data if data && !data.empty?
+          rescue StandardError, AdapterError
+            # fall through to Redis
+          end
+        end
+
+        if redis_adapter
+          begin
+            return circuit_breaker.call { redis_adapter.load_all_features_data } || {}
+          rescue StandardError, AdapterError
+            {}
+          end
+        end
+
+        {}
+      end
+
       # Record that this process just wrote a feature, so the subscriber
       # ignores its own Pub/Sub messages and doesn't revert the correct in-memory state.
       def record_local_write(feature_name)
@@ -378,7 +505,7 @@ module Magick
           @local_writes[feature_name.to_s] = Time.now.to_f
           # Also sweep stale tracking entries on the write path — a write-heavy
           # process that rarely reads would otherwise never trigger cleanup,
-          # letting @local_writes and @last_reload_times grow unboundedly.
+          # letting @local_writes grow unboundedly.
           cleanup_stale_tracking_entries
         end
       end
@@ -408,7 +535,6 @@ module Magick
 
         @last_tracking_cleanup = now
         @local_writes.delete_if { |_, wrote_at| (now - wrote_at) >= LOCAL_WRITE_TTL }
-        @last_reload_times.delete_if { |_, reload_at| (now - reload_at) >= 10.0 }
       end
 
       # Start a background thread to listen for cache invalidation messages
@@ -442,56 +568,7 @@ module Magick
 
           @subscriber.subscribe(CACHE_INVALIDATION_CHANNEL) do |on|
             on.message do |_channel, feature_name|
-              feature_name_str = feature_name.to_s
-
-              # Reject malformed payloads before doing anything with them.
-              # A shared Redis DB is not a trust boundary — reject anything
-              # that isn't a plausible feature identifier.
-              unless FEATURE_NAME_PATTERN.match?(feature_name_str)
-                if defined?(Rails) && Rails.env.development?
-                  warn "Magick: ignoring malformed pubsub payload (#{feature_name_str.bytesize}B)"
-                end
-                next
-              end
-
-              # Skip self-invalidation: if this process just wrote this feature,
-              # memory already has the correct value. Reloading from Redis would
-              # revert it to stale data (especially with async writes).
-              if local_write?(feature_name_str)
-                if defined?(Rails) && Rails.env.development?
-                  Rails.logger.debug "Magick: Skipping self-invalidation for '#{feature_name_str}'"
-                end
-                next
-              end
-
-              # Debounce: only reload if we haven't reloaded this feature in the last 100ms
-              should_reload = @reload_mutex.synchronize do
-                last_reload = @last_reload_times[feature_name_str]
-                now = Time.now.to_f
-                if last_reload.nil? || (now - last_reload) > 0.1 # 100ms debounce
-                  @last_reload_times[feature_name_str] = now
-                  true
-                else
-                  false
-                end
-              end
-
-              next unless should_reload
-
-              # Invalidate memory cache for this feature
-              memory_adapter.delete(feature_name_str) if memory_adapter
-
-              # Reload the feature instance from the adapter (Redis should have fresh data
-              # since remote processes publish AFTER their Redis write completes)
-              if defined?(Magick) && Magick.features.key?(feature_name_str)
-                feature = Magick.features[feature_name_str]
-                if feature.respond_to?(:reload)
-                  feature.reload
-                  if defined?(Rails) && Rails.env.development?
-                    Rails.logger.debug "Magick: Reloaded feature '#{feature_name_str}' after cache invalidation"
-                  end
-                end
-              end
+              process_cache_invalidation(feature_name)
             rescue StandardError => e
               # Log error but don't crash the subscriber thread
               # Skip logging RSpec mock errors in test environments

data/lib/magick/feature.rb

@@ -624,6 +624,15 @@ module Magick
       true
     end
 
+    # Reload feature state from the shared, authoritative backend (ActiveRecord/
+    # Redis), bypassing this process's local in-process memory cache. Used by the
+    # Admin UI so a toggle performed on another process/container is reflected
+    # immediately, without waiting for Pub/Sub cache invalidation to arrive.
+    def reload_from_source!
+      adapter_registry.authoritative_get_all_data(name) if adapter_registry.respond_to?(:authoritative_get_all_data)
+      reload
+    end
+
     # Reload feature state from adapter (useful when feature is changed externally)
     def reload
       load_from_adapter

data/lib/magick/rails/railtie.rb

@@ -132,6 +132,18 @@ if defined?(Rails)
           end
         end
 
+        # Revive the Pub/Sub subscriber in forked workers. `config.to_prepare`
+        # only re-runs per request in development; in production it runs once at
+        # boot, BEFORE Puma forks its workers under `preload_app!`. Those workers
+        # inherit a dead subscriber thread and would never receive cross-process
+        # cache invalidations. This middleware calls `ensure_subscriber!` (a
+        # pid-guarded no-op once the subscriber is running) on each request, so a
+        # forked worker starts its own subscriber on its first request. In
+        # single-mode Puma (no fork) it is effectively free.
+        initializer 'magick.subscriber_middleware' do |app|
+          app.middleware.use Magick::Rails::SubscriberMiddleware
+        end
+
         # Terminate the Pub/Sub subscriber + async metrics thread on process exit.
         # Without this, Ruby waits on the blocking `Redis#subscribe` call inside
         # the subscriber thread and Puma/Rails shutdown stalls.
@@ -145,6 +157,26 @@ if defined?(Rails)
       end
     end
 
+    # Ensures each process (including Puma workers forked under `preload_app!`)
+    # has a live Redis Pub/Sub subscriber for cross-process cache invalidation.
+    # `ensure_subscriber!` returns immediately once `@owner_pid == Process.pid`,
+    # so the per-request cost is a single pid comparison after the first call.
+    class SubscriberMiddleware
+      def initialize(app)
+        @app = app
+      end
+
+      def call(env)
+        begin
+          registry = Magick.adapter_registry
+          registry.ensure_subscriber! if registry.respond_to?(:ensure_subscriber!)
+        rescue StandardError
+          # Best-effort: never break a request over subscriber bookkeeping.
+        end
+        @app.call(env)
+      end
+    end
+
     # Request store integration
     module RequestStoreIntegration
       def self.included(base)

data/lib/magick/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Magick
-  VERSION = '1.4.2'
+  VERSION = '1.4.3'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: magick-feature-flags
 version: !ruby/object:Gem::Version
-  version: 1.4.2
+  version: 1.4.3
 platform: ruby
 authors:
 - Andrew Lobanov