Codecov Report

❌ Patch coverage is 83.84819% with 366 lines in your changes missing coverage. Please review.
✅ Project coverage is 88.41%. Comparing base (14beb52) to head (d92407c).
⚠️ Report is 3 commits behind head on main.

@@            Coverage Diff             @@
##             main    #2542      +/-   ##
==========================================
- Coverage   88.46%   88.41%   -0.05%     
==========================================
  Files         618      620       +2     
  Lines      226148   228394    +2246     
==========================================
+ Hits       200066   201943    +1877     
- Misses      25558    25927     +369     
  Partials      524      524              

@lalitb In my opinion, this is moving in the right direction overall. However, my main concern is that the current enforcement path introduces process wide shared state that is consulted directly from ingress hot paths. That adds hidden cross thread coordination, which is not fully aligned with our thread-per-core, share-nothing, NUMA-aware direction.

I think a small architectural adjustment would make this fit much better: keep the global sampler and pressure classification, but propagate state transitions through the control plane and let each pinned receiver thread maintain its own local admission state. That would preserve the same high level behavior while keeping the fast path local and more predictable from a cache and NUMA perspective.

Longer term, I think we should move toward hierarchical memory budgeting with local fast-path admission: a process-wide budget, then per-NUMA or per-core budgets or leases underneath it, with the current process wide limiter acting more as a supervisory guardrail than the primary admission mechanism.

The sampler could emit a MemoryPressureChanged event only on transitions or configuration changes. Something like.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct MemoryPressureChanged {
    /// Monotonic update number assigned by the global sampler.
    pub generation: u64,

    /// Newly classified pressure level.
    pub level: MemoryPressureLevel,

    /// Receiver-facing retry hint to use while shedding ingress.
    pub retry_after_secs: u32,

    /// Most recent sampled process memory usage in bytes.
    pub usage_bytes: u64,
}

I support @lquerel's proposal.

@lquerel Thanks for the review. I agree with this direction. I will rework the enforcement path so the sampler and classification remain process-wide, but pressure transitions are propagated through the pipeline control plane and each receiver maintains receiver-local admission state.

The intended shape is:

• controller-owned global sampler/classifier remains the supervisory source of truth
• transitions are published on a controller-owned watch channel
• each pipeline runtime subscribes and fans updates out to its receiver nodes via NodeControlMsg
• each receiver updates a single receiver-local admission state object
• ingress hot paths, including Tower/HTTP clones, consult only that receiver-local state, not the process-global limiter state

That keeps the Phase 1 behavior the same while removing direct process-wide state reads from ingress hot paths and fitting the pinned/share-nothing/NUMA-aware direction better.

@lalitb please update the design document and PR description with the changes involving NodeControlMessage and local state management.

@lalitb please update the design document and PR description with the changes involving NodeControlMessage and local state management.

Thanks @jmacd, it's done now.