@hotmeshio/hotmesh 0.19.3 → 0.19.5

package/build/modules/enums.d.ts

@@ -256,6 +256,44 @@ export declare const HMSH_GUID_SIZE: number;
  * Default task queue name used when no task queue is specified
  */
 export declare const DEFAULT_TASK_QUEUE = "default";
+/**
+ * EMA smoothing factor for duress latency tracking.
+ * Higher = faster response to spikes, lower = more stable.
+ * @default 0.3
+ */
+export declare const HMSH_DURESS_ALPHA: number;
+/**
+ * Number of messages between duress evaluations.
+ * @default 10
+ */
+export declare const HMSH_DURESS_EVAL_INTERVAL: number;
+/**
+ * Max EMA (ms) below which the engine is considered healthy. No throttle applied.
+ * @default 200
+ */
+export declare const HMSH_DURESS_HEALTHY_CEILING_MS: number;
+/**
+ * Max EMA (ms) below which duress is mild. Light throttle (100-500ms).
+ * @default 1000
+ */
+export declare const HMSH_DURESS_MILD_CEILING_MS: number;
+/**
+ * Max EMA (ms) below which duress is moderate. Moderate throttle (500-2000ms).
+ * Above this threshold, duress is severe (2000-5000ms throttle).
+ * @default 5000
+ */
+export declare const HMSH_DURESS_MODERATE_CEILING_MS: number;
+/**
+ * Minimum interval (ms) between quorum duress broadcasts.
+ * @default 5000
+ */
+export declare const HMSH_DURESS_BROADCAST_INTERVAL_MS: number;
+/**
+ * Number of consecutive improving evaluations required before
+ * dropping a duress level. Prevents oscillation.
+ * @default 3
+ */
+export declare const HMSH_DURESS_HYSTERESIS_COUNT: number;
 /**
  * PostgreSQL NOTIFY payload limit. If a job message exceeds this size,
  * a reference message is sent instead and the subscriber fetches via getState.

package/build/modules/enums.js

@@ -1,7 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.HMSH_RESERVATION_TIMEOUT_S = exports.HMSH_ENGINE_CONCURRENCY = exports.HMSH_BATCH_SIZE_MIN = exports.HMSH_BATCH_SIZE = exports.HMSH_XPENDING_COUNT = exports.HMSH_XCLAIM_COUNT = exports.HMSH_XCLAIM_DELAY_MS = exports.HMSH_BLOCK_TIME_MS = exports.HMSH_DURABLE_INITIAL_INTERVAL = exports.HMSH_DURABLE_EXP_BACKOFF = exports.HMSH_DURABLE_MAX_INTERVAL = exports.HMSH_DURABLE_MAX_ATTEMPTS = exports.HMSH_GRADUATED_INTERVAL_MS = exports.HMSH_MAX_TIMEOUT_MS = exports.HMSH_MAX_CYCLES = exports.HMSH_POISON_MESSAGE_THRESHOLD = exports.HMSH_MAX_RETRIES = exports.MAX_DELAY = exports.MAX_STREAM_RETRIES = exports.INITIAL_STREAM_BACKOFF = exports.MAX_STREAM_BACKOFF = exports.HMSH_EXPIRE_JOB_SECONDS = exports.HMSH_OTT_WAIT_TIME = exports.HMSH_DEPLOYMENT_PAUSE = exports.HMSH_DEPLOYMENT_DELAY = exports.HMSH_ACTIVATION_MAX_RETRY = exports.HMSH_QUORUM_DELAY_MS = exports.HMSH_QUORUM_ROLLCALL_CYCLES = exports.HMSH_STATUS_UNKNOWN = exports.HMSH_CODE_DURABLE_RETRYABLE = exports.HMSH_CODE_DURABLE_FATAL = exports.HMSH_CODE_DURABLE_MAXED = exports.HMSH_CODE_DURABLE_TIMEOUT = exports.HMSH_CODE_DURABLE_WAIT = exports.HMSH_CODE_DURABLE_CONTINUE = exports.HMSH_CODE_DURABLE_PROXY = exports.HMSH_CODE_DURABLE_CHILD = exports.HMSH_CODE_DURABLE_ALL = exports.HMSH_CODE_DURABLE_SLEEP = exports.HMSH_CODE_UNACKED = exports.HMSH_CODE_TIMEOUT = exports.HMSH_CODE_UNKNOWN = exports.HMSH_CODE_INTERRUPT = exports.HMSH_CODE_NOTFOUND = exports.HMSH_CODE_PENDING = exports.HMSH_CODE_SUCCESS = exports.HMSH_PENDING_SIGNAL_EXPIRE = exports.HMSH_SIGNAL_EXPIRE = exports.HMSH_TELEMETRY = exports.HMSH_LOGLEVEL = void 0;
-exports.HMSH_ROUTER_POLL_FALLBACK_INTERVAL = exports.HMSH_NOTIFY_PAYLOAD_LIMIT = exports.DEFAULT_TASK_QUEUE = exports.HMSH_GUID_SIZE = exports.HMSH_ROUTER_SCOUT_INTERVAL_MS = exports.HMSH_ROUTER_SCOUT_INTERVAL_SECONDS = exports.HMSH_SCOUT_INTERVAL_SECONDS = exports.HMSH_FIDELITY_SECONDS = exports.HMSH_EXPIRE_DURATION = exports.HMSH_RESERVATION_TIMEOUT_MAX_S = void 0;
+exports.HMSH_ROUTER_POLL_FALLBACK_INTERVAL = exports.HMSH_NOTIFY_PAYLOAD_LIMIT = exports.HMSH_DURESS_HYSTERESIS_COUNT = exports.HMSH_DURESS_BROADCAST_INTERVAL_MS = exports.HMSH_DURESS_MODERATE_CEILING_MS = exports.HMSH_DURESS_MILD_CEILING_MS = exports.HMSH_DURESS_HEALTHY_CEILING_MS = exports.HMSH_DURESS_EVAL_INTERVAL = exports.HMSH_DURESS_ALPHA = exports.DEFAULT_TASK_QUEUE = exports.HMSH_GUID_SIZE = exports.HMSH_ROUTER_SCOUT_INTERVAL_MS = exports.HMSH_ROUTER_SCOUT_INTERVAL_SECONDS = exports.HMSH_SCOUT_INTERVAL_SECONDS = exports.HMSH_FIDELITY_SECONDS = exports.HMSH_EXPIRE_DURATION = exports.HMSH_RESERVATION_TIMEOUT_MAX_S = void 0;
 /**
  * Determines the log level for the application. The default is 'info'.
  */
@@ -288,6 +288,45 @@ exports.HMSH_GUID_SIZE = Math.min(parseInt(process.env.HMSH_GUID_SIZE, 10) || 22
  * Default task queue name used when no task queue is specified
  */
 exports.DEFAULT_TASK_QUEUE = 'default';
+// DURESS DETECTION — adaptive engine throttling based on processing latency
+/**
+ * EMA smoothing factor for duress latency tracking.
+ * Higher = faster response to spikes, lower = more stable.
+ * @default 0.3
+ */
+exports.HMSH_DURESS_ALPHA = parseFloat(process.env.HMSH_DURESS_ALPHA) || 0.3;
+/**
+ * Number of messages between duress evaluations.
+ * @default 10
+ */
+exports.HMSH_DURESS_EVAL_INTERVAL = parseInt(process.env.HMSH_DURESS_EVAL_INTERVAL, 10) || 10;
+/**
+ * Max EMA (ms) below which the engine is considered healthy. No throttle applied.
+ * @default 200
+ */
+exports.HMSH_DURESS_HEALTHY_CEILING_MS = parseInt(process.env.HMSH_DURESS_HEALTHY_CEILING_MS, 10) || 200;
+/**
+ * Max EMA (ms) below which duress is mild. Light throttle (100-500ms).
+ * @default 1000
+ */
+exports.HMSH_DURESS_MILD_CEILING_MS = parseInt(process.env.HMSH_DURESS_MILD_CEILING_MS, 10) || 1000;
+/**
+ * Max EMA (ms) below which duress is moderate. Moderate throttle (500-2000ms).
+ * Above this threshold, duress is severe (2000-5000ms throttle).
+ * @default 5000
+ */
+exports.HMSH_DURESS_MODERATE_CEILING_MS = parseInt(process.env.HMSH_DURESS_MODERATE_CEILING_MS, 10) || 5000;
+/**
+ * Minimum interval (ms) between quorum duress broadcasts.
+ * @default 5000
+ */
+exports.HMSH_DURESS_BROADCAST_INTERVAL_MS = parseInt(process.env.HMSH_DURESS_BROADCAST_INTERVAL_MS, 10) || 5000;
+/**
+ * Number of consecutive improving evaluations required before
+ * dropping a duress level. Prevents oscillation.
+ * @default 3
+ */
+exports.HMSH_DURESS_HYSTERESIS_COUNT = parseInt(process.env.HMSH_DURESS_HYSTERESIS_COUNT, 10) || 3;
 /**
  * PostgreSQL NOTIFY payload limit. If a job message exceeds this size,
  * a reference message is sent instead and the subscriber fetches via getState.

package/build/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@hotmeshio/hotmesh",
-    "version": "0.19.3",
+    "version": "0.19.5",
     "description": "Durable Workflow",
     "main": "./build/index.js",
     "types": "./build/index.d.ts",

package/build/services/dba/index.d.ts

@@ -119,6 +119,13 @@ declare class DBA {
      * @private
      */
     constructor();
+    /**
+     * Derives a deterministic advisory lock ID from an appId.
+     * Uses a different offset than the stream/store lock IDs to
+     * avoid collisions with those deployment locks.
+     * @private
+     */
+    static getAdvisoryLockId(appId: string): number;
     /**
      * Sanitizes an appId for use as a Postgres schema name.
      * Mirrors the naming logic used during table deployment.

package/build/services/dba/index.js

@@ -122,6 +122,20 @@ class DBA {
      * @private
      */
     constructor() { }
+    /**
+     * Derives a deterministic advisory lock ID from an appId.
+     * Uses a different offset than the stream/store lock IDs to
+     * avoid collisions with those deployment locks.
+     * @private
+     */
+    static getAdvisoryLockId(appId) {
+        let hash = 0x44424130; // 'DBA0' — distinct namespace
+        for (let i = 0; i < appId.length; i++) {
+            hash = (hash << 5) - hash + appId.charCodeAt(i);
+            hash |= 0;
+        }
+        return Math.abs(hash);
+    }
     /**
      * Sanitizes an appId for use as a Postgres schema name.
      * Mirrors the naming logic used during table deployment.
@@ -345,8 +359,23 @@ class DBA {
         const schema = DBA.safeName(appId);
         const { client, release } = await DBA.getClient(connection);
         try {
-            await client.query(DBA.getMigrationSQL(schema));
-            await client.query(DBA.getPruneFunctionSQL(schema));
+            // Guard DDL with an advisory lock. CREATE INDEX IF NOT EXISTS
+            // is not atomic under concurrent transactions — two sessions
+            // can both see the index as absent, causing a unique_violation
+            // on pg_class_relname_nsp_index.
+            const lockId = DBA.getAdvisoryLockId(appId);
+            const lockResult = await client.query('SELECT pg_try_advisory_lock($1) AS locked', [lockId]);
+            if (lockResult.rows[0].locked) {
+                try {
+                    await client.query(DBA.getMigrationSQL(schema));
+                    await client.query(DBA.getPruneFunctionSQL(schema));
+                }
+                finally {
+                    await client.query('SELECT pg_advisory_unlock($1)', [lockId]);
+                }
+            }
+            // If another session holds the lock it is already running
+            // the same idempotent DDL — safe to skip.
         }
         finally {
             await release();

package/build/services/engine/index.d.ts

@@ -167,6 +167,12 @@ declare class EngineService {
      * @private
      */
     throttle(delayInMillis: number): Promise<void>;
+    /**
+     * Apply a remote duress signal from the quorum.
+     * Delegates to the router's duress manager.
+     * @private
+     */
+    applyRemoteDuress(throttleMs: number, level: string): void;
     /**
      * @private
      */

package/build/services/engine/index.js

@@ -267,6 +267,14 @@ class EngineService {
     async throttle(delayInMillis) {
         return Signal.throttle(this, delayInMillis);
     }
+    /**
+     * Apply a remote duress signal from the quorum.
+     * Delegates to the router's duress manager.
+     * @private
+     */
+    applyRemoteDuress(throttleMs, level) {
+        this.router?.applyRemoteDuress(throttleMs, level);
+    }
     // ═════════════════════════════════════════════════════════════════
     //  9. PUB/SUB — topic messaging, subscriptions, callbacks
     //     → see pubsub.ts

package/build/services/hotmesh/index.js

@@ -181,6 +181,20 @@ class HotMesh {
         instance.logger = new logger_1.LoggerService(config.appId, instance.guid, config.name || '', config.logLevel);
         await Init.initEngine(instance, config, instance.logger);
         await Init.initQuorum(instance, config, instance.engine, instance.logger);
+        // Register duress broadcast callback: engine router → quorum
+        if (instance.engine?.router && instance.quorum) {
+            const quorum = instance.quorum;
+            const engineGuid = instance.guid;
+            instance.engine.router.setDuressCallback((snapshot) => {
+                quorum.pub({
+                    type: 'duress',
+                    originator: engineGuid,
+                    duress_score_ms: snapshot.score_ms,
+                    throttle_ms: snapshot.throttle_ms,
+                    level: snapshot.level,
+                });
+            });
+        }
         await Init.doWork(instance, config, instance.logger);
         return instance;
     }

package/build/services/quorum/index.js

@@ -111,6 +111,12 @@ class QuorumService {
             else if (message.type === 'cron') {
                 self.engine.processTimeHooks();
             }
+            else if (message.type === 'duress') {
+                // Apply remote duress signal (skip our own broadcasts)
+                if (message.originator !== self.guid) {
+                    self.engine.applyRemoteDuress(message.throttle_ms, message.level);
+                }
+            }
             else if (message.type === 'rollcall') {
                 self.doRollCall(message);
             }
@@ -147,6 +153,13 @@ class QuorumService {
                 reclaimCount: this.engine.router.reclaimCount,
                 system: await (0, utils_1.getSystemHealth)(),
             };
+            // Include duress info if available (engine routers only)
+            const duressSnapshot = this.engine.router.getDuressSnapshot?.();
+            if (duressSnapshot) {
+                profile.duress_level = duressSnapshot.level;
+                profile.duress_score_ms = duressSnapshot.score_ms;
+                profile.duress_per_type = duressSnapshot.per_type;
+            }
         }
         this.subscribe.publish(hotmesh_1.KeyType.QUORUM, {
             type: 'pong',

package/build/services/router/config/index.d.ts

@@ -1,4 +1,4 @@
-import { HMSH_BLOCK_TIME_MS, HMSH_MAX_RETRIES, HMSH_MAX_TIMEOUT_MS, HMSH_GRADUATED_INTERVAL_MS, HMSH_CODE_UNACKED, HMSH_CODE_UNKNOWN, HMSH_STATUS_UNKNOWN, HMSH_XCLAIM_COUNT, HMSH_XCLAIM_DELAY_MS, HMSH_XPENDING_COUNT, HMSH_BATCH_SIZE, HMSH_BATCH_SIZE_MIN, HMSH_RESERVATION_TIMEOUT_S, HMSH_RESERVATION_TIMEOUT_MAX_S, MAX_DELAY, MAX_STREAM_BACKOFF, INITIAL_STREAM_BACKOFF, MAX_STREAM_RETRIES, HMSH_POISON_MESSAGE_THRESHOLD } from '../../../modules/enums';
+import { HMSH_BLOCK_TIME_MS, HMSH_MAX_RETRIES, HMSH_MAX_TIMEOUT_MS, HMSH_GRADUATED_INTERVAL_MS, HMSH_CODE_UNACKED, HMSH_CODE_UNKNOWN, HMSH_STATUS_UNKNOWN, HMSH_XCLAIM_COUNT, HMSH_XCLAIM_DELAY_MS, HMSH_XPENDING_COUNT, HMSH_BATCH_SIZE, HMSH_BATCH_SIZE_MIN, HMSH_RESERVATION_TIMEOUT_S, HMSH_RESERVATION_TIMEOUT_MAX_S, MAX_DELAY, MAX_STREAM_BACKOFF, INITIAL_STREAM_BACKOFF, MAX_STREAM_RETRIES, HMSH_POISON_MESSAGE_THRESHOLD, HMSH_DURESS_ALPHA, HMSH_DURESS_EVAL_INTERVAL, HMSH_DURESS_HEALTHY_CEILING_MS, HMSH_DURESS_MILD_CEILING_MS, HMSH_DURESS_MODERATE_CEILING_MS, HMSH_DURESS_BROADCAST_INTERVAL_MS, HMSH_DURESS_HYSTERESIS_COUNT } from '../../../modules/enums';
 import { RouterConfig } from '../../../types/stream';
 export declare class RouterConfigManager {
     static validateThrottle(delayInMillis: number): void;
@@ -8,4 +8,4 @@ export declare class RouterConfigManager {
         readonly: boolean;
     };
 }
-export { HMSH_BLOCK_TIME_MS, HMSH_MAX_RETRIES, HMSH_MAX_TIMEOUT_MS, HMSH_GRADUATED_INTERVAL_MS, HMSH_CODE_UNACKED, HMSH_CODE_UNKNOWN, HMSH_STATUS_UNKNOWN, HMSH_XCLAIM_COUNT, HMSH_XCLAIM_DELAY_MS, HMSH_XPENDING_COUNT, HMSH_BATCH_SIZE, HMSH_BATCH_SIZE_MIN, HMSH_RESERVATION_TIMEOUT_S, HMSH_RESERVATION_TIMEOUT_MAX_S, MAX_DELAY, MAX_STREAM_BACKOFF, INITIAL_STREAM_BACKOFF, MAX_STREAM_RETRIES, HMSH_POISON_MESSAGE_THRESHOLD, };
+export { HMSH_BLOCK_TIME_MS, HMSH_MAX_RETRIES, HMSH_MAX_TIMEOUT_MS, HMSH_GRADUATED_INTERVAL_MS, HMSH_CODE_UNACKED, HMSH_CODE_UNKNOWN, HMSH_STATUS_UNKNOWN, HMSH_XCLAIM_COUNT, HMSH_XCLAIM_DELAY_MS, HMSH_XPENDING_COUNT, HMSH_BATCH_SIZE, HMSH_BATCH_SIZE_MIN, HMSH_RESERVATION_TIMEOUT_S, HMSH_RESERVATION_TIMEOUT_MAX_S, MAX_DELAY, MAX_STREAM_BACKOFF, INITIAL_STREAM_BACKOFF, MAX_STREAM_RETRIES, HMSH_POISON_MESSAGE_THRESHOLD, HMSH_DURESS_ALPHA, HMSH_DURESS_EVAL_INTERVAL, HMSH_DURESS_HEALTHY_CEILING_MS, HMSH_DURESS_MILD_CEILING_MS, HMSH_DURESS_MODERATE_CEILING_MS, HMSH_DURESS_BROADCAST_INTERVAL_MS, HMSH_DURESS_HYSTERESIS_COUNT, };

package/build/services/router/config/index.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.HMSH_POISON_MESSAGE_THRESHOLD = exports.MAX_STREAM_RETRIES = exports.INITIAL_STREAM_BACKOFF = exports.MAX_STREAM_BACKOFF = exports.MAX_DELAY = exports.HMSH_RESERVATION_TIMEOUT_MAX_S = exports.HMSH_RESERVATION_TIMEOUT_S = exports.HMSH_BATCH_SIZE_MIN = exports.HMSH_BATCH_SIZE = exports.HMSH_XPENDING_COUNT = exports.HMSH_XCLAIM_DELAY_MS = exports.HMSH_XCLAIM_COUNT = exports.HMSH_STATUS_UNKNOWN = exports.HMSH_CODE_UNKNOWN = exports.HMSH_CODE_UNACKED = exports.HMSH_GRADUATED_INTERVAL_MS = exports.HMSH_MAX_TIMEOUT_MS = exports.HMSH_MAX_RETRIES = exports.HMSH_BLOCK_TIME_MS = exports.RouterConfigManager = void 0;
+exports.HMSH_DURESS_HYSTERESIS_COUNT = exports.HMSH_DURESS_BROADCAST_INTERVAL_MS = exports.HMSH_DURESS_MODERATE_CEILING_MS = exports.HMSH_DURESS_MILD_CEILING_MS = exports.HMSH_DURESS_HEALTHY_CEILING_MS = exports.HMSH_DURESS_EVAL_INTERVAL = exports.HMSH_DURESS_ALPHA = exports.HMSH_POISON_MESSAGE_THRESHOLD = exports.MAX_STREAM_RETRIES = exports.INITIAL_STREAM_BACKOFF = exports.MAX_STREAM_BACKOFF = exports.MAX_DELAY = exports.HMSH_RESERVATION_TIMEOUT_MAX_S = exports.HMSH_RESERVATION_TIMEOUT_S = exports.HMSH_BATCH_SIZE_MIN = exports.HMSH_BATCH_SIZE = exports.HMSH_XPENDING_COUNT = exports.HMSH_XCLAIM_DELAY_MS = exports.HMSH_XCLAIM_COUNT = exports.HMSH_STATUS_UNKNOWN = exports.HMSH_CODE_UNKNOWN = exports.HMSH_CODE_UNACKED = exports.HMSH_GRADUATED_INTERVAL_MS = exports.HMSH_MAX_TIMEOUT_MS = exports.HMSH_MAX_RETRIES = exports.HMSH_BLOCK_TIME_MS = exports.RouterConfigManager = void 0;
 const enums_1 = require("../../../modules/enums");
 Object.defineProperty(exports, "HMSH_BLOCK_TIME_MS", { enumerable: true, get: function () { return enums_1.HMSH_BLOCK_TIME_MS; } });
 Object.defineProperty(exports, "HMSH_MAX_RETRIES", { enumerable: true, get: function () { return enums_1.HMSH_MAX_RETRIES; } });
@@ -21,6 +21,13 @@ Object.defineProperty(exports, "MAX_STREAM_BACKOFF", { enumerable: true, get: fu
 Object.defineProperty(exports, "INITIAL_STREAM_BACKOFF", { enumerable: true, get: function () { return enums_1.INITIAL_STREAM_BACKOFF; } });
 Object.defineProperty(exports, "MAX_STREAM_RETRIES", { enumerable: true, get: function () { return enums_1.MAX_STREAM_RETRIES; } });
 Object.defineProperty(exports, "HMSH_POISON_MESSAGE_THRESHOLD", { enumerable: true, get: function () { return enums_1.HMSH_POISON_MESSAGE_THRESHOLD; } });
+Object.defineProperty(exports, "HMSH_DURESS_ALPHA", { enumerable: true, get: function () { return enums_1.HMSH_DURESS_ALPHA; } });
+Object.defineProperty(exports, "HMSH_DURESS_EVAL_INTERVAL", { enumerable: true, get: function () { return enums_1.HMSH_DURESS_EVAL_INTERVAL; } });
+Object.defineProperty(exports, "HMSH_DURESS_HEALTHY_CEILING_MS", { enumerable: true, get: function () { return enums_1.HMSH_DURESS_HEALTHY_CEILING_MS; } });
+Object.defineProperty(exports, "HMSH_DURESS_MILD_CEILING_MS", { enumerable: true, get: function () { return enums_1.HMSH_DURESS_MILD_CEILING_MS; } });
+Object.defineProperty(exports, "HMSH_DURESS_MODERATE_CEILING_MS", { enumerable: true, get: function () { return enums_1.HMSH_DURESS_MODERATE_CEILING_MS; } });
+Object.defineProperty(exports, "HMSH_DURESS_BROADCAST_INTERVAL_MS", { enumerable: true, get: function () { return enums_1.HMSH_DURESS_BROADCAST_INTERVAL_MS; } });
+Object.defineProperty(exports, "HMSH_DURESS_HYSTERESIS_COUNT", { enumerable: true, get: function () { return enums_1.HMSH_DURESS_HYSTERESIS_COUNT; } });
 class RouterConfigManager {
     static validateThrottle(delayInMillis) {
         if (!Number.isInteger(delayInMillis) ||

package/build/services/router/consumption/index.d.ts

@@ -3,6 +3,7 @@ import { StreamService } from '../../stream';
 import { ThrottleManager } from '../throttling';
 import { ErrorHandler } from '../error-handling';
 import { LifecycleManager } from '../lifecycle';
+import { DuressManager, DuressSnapshot } from '../duress';
 import { StreamData, StreamDataResponse } from '../../../types/stream';
 import { ProviderClient, ProviderTransaction } from '../../../types/provider';
 export declare class ConsumptionManager<S extends StreamService<ProviderClient, ProviderTransaction>> {
@@ -26,6 +27,9 @@ export declare class ConsumptionManager<S extends StreamService<ProviderClient,
     private set hasReachedMaxBackoff(value);
     private router;
     private retry;
+    private duressManager?;
+    private onDuressChange?;
+    private messagesSinceLastEval;
     private adaptiveReservationTimeout;
     private adaptiveBatchSize;
     private lastDepthCheckAt;
@@ -33,7 +37,8 @@ export declare class ConsumptionManager<S extends StreamService<ProviderClient,
     private static readonly DEPTH_SCALE_UP_THRESHOLD;
     private static readonly DEPTH_SCALE_DOWN_THRESHOLD;
     private static readonly LEASE_BUFFER_S;
-    constructor(stream: S, logger: ILogger, throttleManager: ThrottleManager, errorHandler: ErrorHandler, lifecycleManager: LifecycleManager<S>, reclaimDelay: number, reclaimCount: number, appId: string, role: any, router: any, retry?: import('../../../types/stream').RetryPolicy);
+    constructor(stream: S, logger: ILogger, throttleManager: ThrottleManager, errorHandler: ErrorHandler, lifecycleManager: LifecycleManager<S>, reclaimDelay: number, reclaimCount: number, appId: string, role: any, router: any, retry?: import('../../../types/stream').RetryPolicy, duressManager?: DuressManager);
+    setDuressCallback(callback: (snapshot: DuressSnapshot) => void): void;
     /**
      * Adjusts reservation timeout based on stream depth. Called periodically
      * from the consume loop. When depth is high:

package/build/services/router/consumption/index.js

@@ -17,7 +17,8 @@ class ConsumptionManager {
     get counts() { return this.router.counts; }
     get hasReachedMaxBackoff() { return this.router.hasReachedMaxBackoff; }
     set hasReachedMaxBackoff(v) { this.router.hasReachedMaxBackoff = v; }
-    constructor(stream, logger, throttleManager, errorHandler, lifecycleManager, reclaimDelay, reclaimCount, appId, role, router, retry) {
+    constructor(stream, logger, throttleManager, errorHandler, lifecycleManager, reclaimDelay, reclaimCount, appId, role, router, retry, duressManager) {
+        this.messagesSinceLastEval = 0;
         // Adaptive consumption pressure — scales reservation timeout AND batch
         // size based on stream depth. Under load: timeout grows (prevents
         // duplicate re-reservation) and batch size shrinks (reduces in-memory
@@ -37,6 +38,10 @@ class ConsumptionManager {
         this.role = role;
         this.router = router;
         this.retry = retry;
+        this.duressManager = duressManager;
+    }
+    setDuressCallback(callback) {
+        this.onDuressChange = callback;
     }
     /**
      * Adjusts reservation timeout based on stream depth. Called periodically
@@ -500,6 +505,7 @@ class ConsumptionManager {
         const deadlineMs = this.adaptiveReservationTimeout * 1000;
         let output;
         const telemetry = new telemetry_1.RouterTelemetry(this.appId);
+        const processingStart = Date.now();
         try {
             telemetry.startStreamSpan(input, this.role);
             let deadlineTimer;
@@ -549,6 +555,34 @@ class ConsumptionManager {
             telemetry.setStreamErrorFromException(err);
             output = this.errorHandler.structureUnhandledError(input, err instanceof Error ? err : new Error(String(err)));
         }
+        // Record processing latency for duress detection (engine routers only).
+        // This measures the actual time spent in execStreamLeg — the causal
+        // signal. The prior depth-based mechanism (adjustConsumptionPressure)
+        // responds to queue backlog; this responds to *why* the backlog exists.
+        // Evaluation is amortized over HMSH_DURESS_EVAL_INTERVAL messages to
+        // avoid per-message overhead.
+        if (this.duressManager && input.type) {
+            const processingDuration = Date.now() - processingStart;
+            this.duressManager.recordLatency(input.type, processingDuration);
+            if (++this.messagesSinceLastEval >= config_1.HMSH_DURESS_EVAL_INTERVAL) {
+                this.messagesSinceLastEval = 0;
+                const snapshot = this.duressManager.evaluate();
+                this.throttleManager.setDuressFloor(snapshot.throttle_ms);
+                if (snapshot.level !== 'healthy') {
+                    this.logger.info('stream-duress-detected', {
+                        stream,
+                        level: snapshot.level,
+                        score_ms: snapshot.score_ms,
+                        throttle_ms: snapshot.throttle_ms,
+                        per_type: snapshot.per_type,
+                    });
+                }
+                if (this.duressManager.shouldBroadcast() && this.onDuressChange) {
+                    this.duressManager.markBroadcast();
+                    this.onDuressChange(snapshot);
+                }
+            }
+        }
         try {
             // When the ENGINE encounters an infrastructure error (schema not found,
             // subscription missing — code 598), the message is permanently unprocessable.

package/build/services/router/duress/index.d.ts

@@ -0,0 +1,91 @@
+import { StreamDataType } from '../../../types/stream';
+import { DuressLevel } from '../../../types/quorum';
+export interface DuressSnapshot {
+    level: DuressLevel;
+    score_ms: number;
+    throttle_ms: number;
+    per_type: Record<string, number>;
+}
+/**
+ * Adaptive engine duress detection via processing latency.
+ *
+ * ## Why this exists
+ *
+ * Prior fixes responded to queue *depth* (a symptom) — doubling reservation
+ * timeouts and halving batch sizes when the stream backed up. A deep queue
+ * doesn't necessarily mean duress (it could be a burst of external triggers),
+ * and a shallow queue doesn't necessarily mean health. This module responds
+ * to the *cause*: actual processing latency per message type.
+ *
+ * ## How it works
+ *
+ * Each engine router tracks an exponential moving average (EMA) of how long
+ * each canonical message type (transition, timehook, webhook, worker response,
+ * etc.) takes to process. When healthy, these are sub-50ms. When the max EMA
+ * crosses configurable thresholds (200ms → mild, 1s → moderate, 5s → severe),
+ * the manager computes a proportional throttle delay that the ThrottleManager
+ * applies as a floor on engine consumption rate.
+ *
+ * ## Hysteresis (asymmetric by design)
+ *
+ * Escalation is immediate — if the engine suddenly enters duress, the throttle
+ * kicks in on the next evaluation. De-escalation requires `HYSTERESIS_COUNT`
+ * (default 3) consecutive improving evaluations before dropping a level. This
+ * prevents oscillation: throttle → drain → un-throttle → refill → throttle.
+ * The EMA already smooths individual outliers; hysteresis gates the recovery
+ * path specifically.
+ *
+ * ## Quorum coordination
+ *
+ * When a router detects a level change (or remains in duress), it broadcasts
+ * a `'duress'` message via the quorum. Peers adopt the signal only if it's
+ * worse than their local state, so the mesh converges on the worst-case
+ * throttle without coordination.
+ *
+ * ## What this does NOT do
+ *
+ * External messages (triggers, signalIn/webhooks from the outside world) are
+ * never throttled. They always enter `engine_streams`. Only the engine
+ * routers' pull rate slows down, giving the system breathing room.
+ */
+export declare class DuressManager {
+    private emas;
+    private sampleCounts;
+    private currentLevel;
+    private belowThresholdCount;
+    private duressThrottle;
+    private lastBroadcastAt;
+    private lastBroadcastLevel;
+    /**
+     * Record a processing duration for a message type.
+     * Updates the exponential moving average for that type.
+     */
+    recordLatency(type: StreamDataType, durationMs: number): void;
+    /**
+     * Evaluate duress state from current EMAs.
+     * Returns a snapshot with level, score, recommended throttle,
+     * and per-type latencies.
+     */
+    evaluate(): DuressSnapshot;
+    getDuressThrottle(): number;
+    getCurrentLevel(): DuressLevel;
+    /**
+     * Apply a duress snapshot received from another engine via quorum.
+     * Adopts the remote signal only if it indicates worse duress than local.
+     */
+    applyRemoteDuress(throttleMs: number, level: DuressLevel): void;
+    /**
+     * Whether a quorum broadcast is warranted.
+     * Rate-limited and only fires when level changes or duress is active.
+     */
+    shouldBroadcast(): boolean;
+    markBroadcast(): void;
+    /**
+     * Returns a snapshot for inclusion in quorum rollcall profiles.
+     */
+    getSnapshot(): DuressSnapshot;
+    private scoreToLevel;
+    private scoreToThrottle;
+    private lerp;
+    private levelOrdinal;
+}

package/build/services/router/duress/index.js

@@ -0,0 +1,217 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DuressManager = void 0;
+const config_1 = require("../config");
+// Throttle band boundaries (ms)
+const MILD_THROTTLE_MIN = 100;
+const MILD_THROTTLE_MAX = 500;
+const MODERATE_THROTTLE_MIN = 500;
+const MODERATE_THROTTLE_MAX = 2000;
+const SEVERE_THROTTLE_MIN = 2000;
+const SEVERE_THROTTLE_MAX = 5000;
+/**
+ * Adaptive engine duress detection via processing latency.
+ *
+ * ## Why this exists
+ *
+ * Prior fixes responded to queue *depth* (a symptom) — doubling reservation
+ * timeouts and halving batch sizes when the stream backed up. A deep queue
+ * doesn't necessarily mean duress (it could be a burst of external triggers),
+ * and a shallow queue doesn't necessarily mean health. This module responds
+ * to the *cause*: actual processing latency per message type.
+ *
+ * ## How it works
+ *
+ * Each engine router tracks an exponential moving average (EMA) of how long
+ * each canonical message type (transition, timehook, webhook, worker response,
+ * etc.) takes to process. When healthy, these are sub-50ms. When the max EMA
+ * crosses configurable thresholds (200ms → mild, 1s → moderate, 5s → severe),
+ * the manager computes a proportional throttle delay that the ThrottleManager
+ * applies as a floor on engine consumption rate.
+ *
+ * ## Hysteresis (asymmetric by design)
+ *
+ * Escalation is immediate — if the engine suddenly enters duress, the throttle
+ * kicks in on the next evaluation. De-escalation requires `HYSTERESIS_COUNT`
+ * (default 3) consecutive improving evaluations before dropping a level. This
+ * prevents oscillation: throttle → drain → un-throttle → refill → throttle.
+ * The EMA already smooths individual outliers; hysteresis gates the recovery
+ * path specifically.
+ *
+ * ## Quorum coordination
+ *
+ * When a router detects a level change (or remains in duress), it broadcasts
+ * a `'duress'` message via the quorum. Peers adopt the signal only if it's
+ * worse than their local state, so the mesh converges on the worst-case
+ * throttle without coordination.
+ *
+ * ## What this does NOT do
+ *
+ * External messages (triggers, signalIn/webhooks from the outside world) are
+ * never throttled. They always enter `engine_streams`. Only the engine
+ * routers' pull rate slows down, giving the system breathing room.
+ */
+class DuressManager {
+    constructor() {
+        // Per-message-type exponential moving averages
+        this.emas = new Map();
+        this.sampleCounts = new Map();
+        // Hysteresis state
+        this.currentLevel = 'healthy';
+        this.belowThresholdCount = 0;
+        // Computed duress throttle floor
+        this.duressThrottle = 0;
+        // Broadcast rate limiting
+        this.lastBroadcastAt = 0;
+        this.lastBroadcastLevel = 'healthy';
+    }
+    /**
+     * Record a processing duration for a message type.
+     * Updates the exponential moving average for that type.
+     */
+    recordLatency(type, durationMs) {
+        const key = type;
+        const count = this.sampleCounts.get(key) || 0;
+        if (count === 0) {
+            // First sample: seed the EMA directly
+            this.emas.set(key, durationMs);
+        }
+        else {
+            const prev = this.emas.get(key);
+            this.emas.set(key, config_1.HMSH_DURESS_ALPHA * durationMs + (1 - config_1.HMSH_DURESS_ALPHA) * prev);
+        }
+        this.sampleCounts.set(key, count + 1);
+    }
+    /**
+     * Evaluate duress state from current EMAs.
+     * Returns a snapshot with level, score, recommended throttle,
+     * and per-type latencies.
+     */
+    evaluate() {
+        // Aggregate: max EMA across all tracked types
+        let maxEma = 0;
+        const perType = {};
+        for (const [type, ema] of this.emas) {
+            perType[type] = Math.round(ema);
+            if (ema > maxEma)
+                maxEma = ema;
+        }
+        const rawLevel = this.scoreToLevel(maxEma);
+        // Hysteresis: only drop level after sustained improvement
+        if (this.levelOrdinal(rawLevel) < this.levelOrdinal(this.currentLevel)) {
+            this.belowThresholdCount++;
+            if (this.belowThresholdCount >= config_1.HMSH_DURESS_HYSTERESIS_COUNT) {
+                this.currentLevel = rawLevel;
+                this.belowThresholdCount = 0;
+            }
+            // Keep current (higher) level until hysteresis clears
+        }
+        else {
+            // Same or worse: reset hysteresis counter, adopt immediately
+            this.belowThresholdCount = 0;
+            this.currentLevel = rawLevel;
+        }
+        this.duressThrottle =
+            this.currentLevel === 'healthy'
+                ? 0
+                : this.scoreToThrottle(maxEma, this.currentLevel);
+        return {
+            level: this.currentLevel,
+            score_ms: Math.round(maxEma),
+            throttle_ms: this.duressThrottle,
+            per_type: perType,
+        };
+    }
+    getDuressThrottle() {
+        return this.duressThrottle;
+    }
+    getCurrentLevel() {
+        return this.currentLevel;
+    }
+    /**
+     * Apply a duress snapshot received from another engine via quorum.
+     * Adopts the remote signal only if it indicates worse duress than local.
+     */
+    applyRemoteDuress(throttleMs, level) {
+        if (this.levelOrdinal(level) > this.levelOrdinal(this.currentLevel)) {
+            this.currentLevel = level;
+            this.duressThrottle = throttleMs;
+            this.belowThresholdCount = 0;
+        }
+    }
+    /**
+     * Whether a quorum broadcast is warranted.
+     * Rate-limited and only fires when level changes or duress is active.
+     */
+    shouldBroadcast() {
+        const now = Date.now();
+        if (now - this.lastBroadcastAt < config_1.HMSH_DURESS_BROADCAST_INTERVAL_MS) {
+            return false;
+        }
+        return (this.currentLevel !== this.lastBroadcastLevel ||
+            this.currentLevel !== 'healthy');
+    }
+    markBroadcast() {
+        this.lastBroadcastAt = Date.now();
+        this.lastBroadcastLevel = this.currentLevel;
+    }
+    /**
+     * Returns a snapshot for inclusion in quorum rollcall profiles.
+     */
+    getSnapshot() {
+        let maxEma = 0;
+        const perType = {};
+        for (const [type, ema] of this.emas) {
+            perType[type] = Math.round(ema);
+            if (ema > maxEma)
+                maxEma = ema;
+        }
+        return {
+            level: this.currentLevel,
+            score_ms: Math.round(maxEma),
+            throttle_ms: this.duressThrottle,
+            per_type: perType,
+        };
+    }
+    // --- Private helpers ---
+    scoreToLevel(ms) {
+        if (ms < config_1.HMSH_DURESS_HEALTHY_CEILING_MS)
+            return 'healthy';
+        if (ms < config_1.HMSH_DURESS_MILD_CEILING_MS)
+            return 'mild';
+        if (ms < config_1.HMSH_DURESS_MODERATE_CEILING_MS)
+            return 'moderate';
+        return 'severe';
+    }
+    scoreToThrottle(ms, level) {
+        // Linear interpolation within the band for the given level
+        switch (level) {
+            case 'healthy':
+                return 0;
+            case 'mild':
+                return this.lerp(ms, config_1.HMSH_DURESS_HEALTHY_CEILING_MS, config_1.HMSH_DURESS_MILD_CEILING_MS, MILD_THROTTLE_MIN, MILD_THROTTLE_MAX);
+            case 'moderate':
+                return this.lerp(ms, config_1.HMSH_DURESS_MILD_CEILING_MS, config_1.HMSH_DURESS_MODERATE_CEILING_MS, MODERATE_THROTTLE_MIN, MODERATE_THROTTLE_MAX);
+            case 'severe':
+                // Clamp to severe band max; beyond the ceiling is still severe
+                return this.lerp(ms, config_1.HMSH_DURESS_MODERATE_CEILING_MS, config_1.HMSH_DURESS_MODERATE_CEILING_MS * 2, SEVERE_THROTTLE_MIN, SEVERE_THROTTLE_MAX);
+        }
+    }
+    lerp(value, inMin, inMax, outMin, outMax) {
+        const t = Math.min(Math.max((value - inMin) / (inMax - inMin), 0), 1);
+        return Math.round(outMin + t * (outMax - outMin));
+    }
+    levelOrdinal(level) {
+        switch (level) {
+            case 'healthy':
+                return 0;
+            case 'mild':
+                return 1;
+            case 'moderate':
+                return 2;
+            case 'severe':
+                return 3;
+        }
+    }
+}
+exports.DuressManager = DuressManager;

package/build/services/router/index.d.ts

@@ -2,7 +2,9 @@
 import { ILogger } from '../logger';
 import { StreamService } from '../stream';
 import { RouterConfig, StreamData, StreamDataResponse, StreamRole } from '../../types/stream';
+import { DuressLevel } from '../../types/quorum';
 import { ProviderClient, ProviderTransaction } from '../../types/provider';
+import { DuressSnapshot } from './duress';
 declare class Router<S extends StreamService<ProviderClient, ProviderTransaction>> {
     appId: string;
     guid: string;
@@ -29,6 +31,8 @@ declare class Router<S extends StreamService<ProviderClient, ProviderTransaction
     private errorHandler;
     private lifecycleManager;
     private consumptionManager;
+    private duressManager?;
+    private _pendingDuressSnapshot?;
     constructor(config: RouterConfig, stream: S, logger: ILogger);
     get throttle(): number;
     get shouldConsume(): boolean;
@@ -49,6 +53,9 @@ declare class Router<S extends StreamService<ProviderClient, ProviderTransaction
     structureUnhandledError(input: StreamData, err: Error): StreamDataResponse;
     structureUnacknowledgedError(input: StreamData): StreamDataResponse;
     structureError(input: StreamData, output: StreamDataResponse): StreamDataResponse;
+    setDuressCallback(callback: (snapshot: DuressSnapshot) => void): void;
+    applyRemoteDuress(throttleMs: number, level: DuressLevel): void;
+    getDuressSnapshot(): DuressSnapshot | undefined;
     static stopConsuming(): Promise<void>;
     stopConsuming(): Promise<void>;
     cancelThrottle(): void;

package/build/services/router/index.js

@@ -1,12 +1,14 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.Router = void 0;
+const stream_1 = require("../../types/stream");
 // Import the new submodules
 const config_1 = require("./config");
 const throttling_1 = require("./throttling");
 const error_handling_1 = require("./error-handling");
 const lifecycle_1 = require("./lifecycle");
 const consumption_1 = require("./consumption");
+const duress_1 = require("./duress");
 class Router {
     constructor(config, stream, logger) {
         // Legacy properties for backward compatibility
@@ -34,7 +36,11 @@ class Router {
         this.throttleManager = new throttling_1.ThrottleManager(enhancedConfig.throttle);
         this.errorHandler = new error_handling_1.ErrorHandler();
         this.lifecycleManager = new lifecycle_1.LifecycleManager(this.readonly, this.topic, this.logger, this.stream);
-        this.consumptionManager = new consumption_1.ConsumptionManager(this.stream, this.logger, this.throttleManager, this.errorHandler, this.lifecycleManager, this.reclaimDelay, this.reclaimCount, this.appId, this.role, this, this.retry);
+        // Engine routers get duress detection; workers do not
+        if (this.role === stream_1.StreamRole.ENGINE) {
+            this.duressManager = new duress_1.DuressManager();
+        }
+        this.consumptionManager = new consumption_1.ConsumptionManager(this.stream, this.logger, this.throttleManager, this.errorHandler, this.lifecycleManager, this.reclaimDelay, this.reclaimCount, this.appId, this.role, this, this.retry, this.duressManager);
         this.resetThrottleState();
     }
     // Legacy compatibility methods
@@ -99,6 +105,17 @@ class Router {
     structureError(input, output) {
         return this.errorHandler.structureError(input, output);
     }
+    // Duress detection methods (engine routers only)
+    setDuressCallback(callback) {
+        this.consumptionManager.setDuressCallback(callback);
+    }
+    applyRemoteDuress(throttleMs, level) {
+        this.duressManager?.applyRemoteDuress(throttleMs, level);
+        this.throttleManager.setDuressFloor(throttleMs);
+    }
+    getDuressSnapshot() {
+        return this.duressManager?.getSnapshot();
+    }
     // Static methods for instance management
     static async stopConsuming() {
         return lifecycle_1.InstanceRegistry.stopAll();

package/build/services/router/throttling/index.d.ts

@@ -1,11 +1,39 @@
+/**
+ * Elastic throttle with two independent inputs:
+ *
+ * 1. **User throttle** — set explicitly via quorum `throttle` command.
+ *    Absolute value: 0 = resume, >0 = delay per message, -1 = pause.
+ *
+ * 2. **Duress floor** — set automatically by the DuressManager based on
+ *    processing latency. The effective throttle is `max(user, duress)`,
+ *    so duress never reduces below what the user set, and pause always
+ *    takes precedence. When duress clears (floor returns to 0), the
+ *    user's original throttle remains in effect.
+ *
+ * `customSleep()` uses the effective throttle, supports dynamic
+ * interruption (if the throttle decreases mid-sleep, the router wakes
+ * early), and handles pause via a bare promise with no timer.
+ */
 export declare class ThrottleManager {
     private throttle;
+    private duressFloor;
     private isSleeping;
     private sleepPromiseResolve;
     private innerPromiseResolve;
     private sleepTimeout;
     constructor(initialThrottle?: number);
     getThrottle(): number;
+    /**
+     * Set the duress-computed throttle floor. The effective throttle
+     * is max(userThrottle, duressFloor). Pause (throttle < 0) overrides.
+     */
+    setDuressFloor(delayMs: number): void;
+    getDuressFloor(): number;
+    /**
+     * Returns the effective throttle: max of user-set throttle and
+     * duress floor. Pause (negative) always takes precedence.
+     */
+    getEffectiveThrottle(): number;
     setThrottle(delayInMillis: number): void;
     isPaused(): boolean;
     /**

package/build/services/router/throttling/index.js

@@ -1,9 +1,26 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.ThrottleManager = void 0;
+/**
+ * Elastic throttle with two independent inputs:
+ *
+ * 1. **User throttle** — set explicitly via quorum `throttle` command.
+ *    Absolute value: 0 = resume, >0 = delay per message, -1 = pause.
+ *
+ * 2. **Duress floor** — set automatically by the DuressManager based on
+ *    processing latency. The effective throttle is `max(user, duress)`,
+ *    so duress never reduces below what the user set, and pause always
+ *    takes precedence. When duress clears (floor returns to 0), the
+ *    user's original throttle remains in effect.
+ *
+ * `customSleep()` uses the effective throttle, supports dynamic
+ * interruption (if the throttle decreases mid-sleep, the router wakes
+ * early), and handles pause via a bare promise with no timer.
+ */
 class ThrottleManager {
     constructor(initialThrottle = 0) {
         this.throttle = 0;
+        this.duressFloor = 0;
         this.isSleeping = false;
         this.sleepPromiseResolve = null;
         this.innerPromiseResolve = null;
@@ -13,6 +30,25 @@ class ThrottleManager {
     getThrottle() {
         return this.throttle;
     }
+    /**
+     * Set the duress-computed throttle floor. The effective throttle
+     * is max(userThrottle, duressFloor). Pause (throttle < 0) overrides.
+     */
+    setDuressFloor(delayMs) {
+        this.duressFloor = Math.max(0, delayMs);
+    }
+    getDuressFloor() {
+        return this.duressFloor;
+    }
+    /**
+     * Returns the effective throttle: max of user-set throttle and
+     * duress floor. Pause (negative) always takes precedence.
+     */
+    getEffectiveThrottle() {
+        if (this.throttle < 0)
+            return this.throttle; // pause overrides
+        return Math.max(this.throttle, this.duressFloor);
+    }
     setThrottle(delayInMillis) {
         const wasPaused = this.throttle < 0;
         const wasDecreased = delayInMillis < this.throttle;
@@ -45,12 +81,13 @@ class ThrottleManager {
      * setThrottle() is called with a non-negative value.
      */
     async customSleep() {
-        if (this.throttle === 0)
+        const effective = this.getEffectiveThrottle();
+        if (effective === 0)
             return;
         if (this.isSleeping)
             return;
         this.isSleeping = true;
-        if (this.throttle < 0) {
+        if (effective < 0) {
             // Paused: wait indefinitely until setThrottle interrupts
             await new Promise((resolve) => {
                 this.innerPromiseResolve = resolve;
@@ -62,12 +99,14 @@ class ThrottleManager {
         await new Promise(async (outerResolve) => {
             this.sleepPromiseResolve = outerResolve;
             let elapsedTime = Date.now() - startTime;
-            while (elapsedTime < this.throttle && this.throttle > 0) {
+            let target = this.getEffectiveThrottle();
+            while (elapsedTime < target && target > 0) {
                 await new Promise((innerResolve) => {
                     this.innerPromiseResolve = innerResolve;
-                    this.sleepTimeout = setTimeout(innerResolve, this.throttle - elapsedTime);
+                    this.sleepTimeout = setTimeout(innerResolve, target - elapsedTime);
                 });
                 elapsedTime = Date.now() - startTime;
+                target = this.getEffectiveThrottle();
             }
             this.resetThrottleState();
             outerResolve();

package/build/services/store/providers/postgres/kvtables.js

@@ -23,28 +23,33 @@ const KVTables = (context) => ({
             client = transactionClient;
         }
         try {
-            // First, check if tables already exist (no lock needed)
             const tablesExist = await this.checkIfTablesExist(client, appName);
-            if (tablesExist) {
-                // Tables exist; apply any pending migrations
-                await this.migrate(client, appName);
-                return;
-            }
-            // Tables don't exist, need to acquire lock and create them
+            // Acquire advisory lock for ALL DDL: table creation and
+            // migrations. CREATE INDEX IF NOT EXISTS is not atomic under
+            // concurrent transactions — two sessions can both see the
+            // index as absent and both attempt creation, causing a
+            // unique_violation on pg_class_relname_nsp_index.
             const lockId = this.getAdvisoryLockId(appName);
             const lockResult = await client.query('SELECT pg_try_advisory_lock($1) AS locked', [lockId]);
             if (lockResult.rows[0].locked) {
-                // Begin transaction
-                await client.query('BEGIN');
-                // Double-check tables don't exist (race condition safety)
-                const tablesStillMissing = !(await this.checkIfTablesExist(client, appName));
-                if (tablesStillMissing) {
-                    await this.createTables(client, appName);
+                try {
+                    if (!tablesExist) {
+                        // Begin transaction
+                        await client.query('BEGIN');
+                        // Double-check tables don't exist (race condition safety)
+                        const tablesStillMissing = !(await this.checkIfTablesExist(client, appName));
+                        if (tablesStillMissing) {
+                            await this.createTables(client, appName);
+                        }
+                        // Commit transaction
+                        await client.query('COMMIT');
+                    }
+                    // Always run migrations under the lock
+                    await this.migrate(client, appName);
+                }
+                finally {
+                    await client.query('SELECT pg_advisory_unlock($1)', [lockId]);
                 }
-                // Commit transaction
-                await client.query('COMMIT');
-                // Release the lock
-                await client.query('SELECT pg_advisory_unlock($1)', [lockId]);
             }
             else {
                 // Release the client before waiting
@@ -172,6 +177,11 @@ const KVTables = (context) => ({
                 const fullTableName = `${tableDef.schema}.${tableDef.name}`;
                 switch (tableDef.type) {
                     case 'relational_app':
+                        // Public tables are shared across all appIds. Use a fixed
+                        // advisory lock to prevent concurrent CREATE TABLE races
+                        // from different appId deployments (each has its own
+                        // per-appId lock, but those don't overlap).
+                        await client.query('SELECT pg_advisory_xact_lock($1)', [0x484D5348]);
                         await client.query(`
               CREATE TABLE IF NOT EXISTS ${fullTableName} (
                 app_id TEXT PRIMARY KEY,

package/build/services/stream/providers/postgres/kvtables.js

@@ -11,25 +11,28 @@ async function deploySchema(streamClient, appId, logger) {
     const releaseClient = isPool;
     try {
         const schemaName = appId.replace(/[^a-zA-Z0-9_]/g, '_');
-        // First, check if tables already exist (no lock needed)
         const tablesExist = await checkIfTablesExist(client, schemaName);
-        if (tablesExist) {
-            await ensureIndexes(client, schemaName);
-            return;
-        }
-        // Tables don't exist, need to acquire lock and create them
+        // Acquire advisory lock for ALL DDL: table creation, index
+        // migrations, and trigger setup. CREATE INDEX IF NOT EXISTS is
+        // not atomic under concurrent transactions — two sessions can
+        // both see the index as absent and both attempt creation,
+        // causing a unique_violation on pg_class_relname_nsp_index.
         const lockId = getAdvisoryLockId(appId);
         const lockResult = await client.query('SELECT pg_try_advisory_lock($1) AS locked', [lockId]);
         if (lockResult.rows[0].locked) {
             try {
-                await client.query('BEGIN');
-                // Double-check tables don't exist (race condition safety)
-                const tablesStillMissing = !(await checkIfTablesExist(client, schemaName));
-                if (tablesStillMissing) {
-                    await createTables(client, schemaName);
-                    await createNotificationTriggers(client, schemaName);
+                if (!tablesExist) {
+                    await client.query('BEGIN');
+                    // Double-check tables don't exist (race condition safety)
+                    const tablesStillMissing = !(await checkIfTablesExist(client, schemaName));
+                    if (tablesStillMissing) {
+                        await createTables(client, schemaName);
+                        await createNotificationTriggers(client, schemaName);
+                    }
+                    await client.query('COMMIT');
                 }
-                await client.query('COMMIT');
+                // Always run index migrations under the lock
+                await ensureIndexes(client, schemaName);
             }
             finally {
                 await client.query('SELECT pg_advisory_unlock($1)', [lockId]);

package/build/types/quorum.d.ts

@@ -1,5 +1,7 @@
 import { JobOutput } from './job';
 import { StringAnyType } from './serializer';
+/** Duress severity level for adaptive engine throttling. */
+export type DuressLevel = 'healthy' | 'mild' | 'moderate' | 'severe';
 export interface CPULoad {
     [cpu: string]: string;
 }
@@ -86,6 +88,12 @@ export interface QuorumProfile {
     system?: SystemHealth;
     /** Stringified worker callback function (only if `signature: true` in rollcall). */
     signature?: string;
+    /** Current duress level. Engine routers only. */
+    duress_level?: DuressLevel;
+    /** Current duress score in ms (max EMA across message types). Engine routers only. */
+    duress_score_ms?: number;
+    /** Per-message-type EMA latencies in ms. Engine routers only. */
+    duress_per_type?: Record<string, number>;
 }
 interface QuorumMessageBase {
     entity?: string;
@@ -138,6 +146,17 @@ export interface ThrottleMessage extends QuorumMessageBase {
     topic?: string;
     throttle: number;
 }
+export interface DuressMessage extends QuorumMessageBase {
+    type: 'duress';
+    /** GUID of the engine that detected duress */
+    originator: string;
+    /** Aggregate duress score (max EMA across message types) in ms */
+    duress_score_ms: number;
+    /** Recommended throttle delay in ms */
+    throttle_ms: number;
+    /** Duress severity level */
+    level: DuressLevel;
+}
 export interface RollCallMessage extends QuorumMessageBase {
     type: 'rollcall';
     guid?: string;
@@ -169,5 +188,5 @@ export type SubscriptionOptions = {
  * These messages serve to coordinate the cache invalidation and switch-over
  * to the new version without any downtime and a coordinating parent server.
  */
-export type QuorumMessage = PingMessage | PongMessage | ActivateMessage | WorkMessage | JobMessage | ThrottleMessage | RollCallMessage | CronMessage | UserMessage;
+export type QuorumMessage = PingMessage | PongMessage | ActivateMessage | WorkMessage | JobMessage | ThrottleMessage | DuressMessage | RollCallMessage | CronMessage | UserMessage;
 export {};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hotmeshio/hotmesh",
-  "version": "0.19.3",
+  "version": "0.19.5",
   "description": "Durable Workflow",
   "main": "./build/index.js",
   "types": "./build/index.d.ts",