Introduce NATS JetStream as event bus#4427
Merged
Merged
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Code Review
This pull request introduces a global event bus system using NATS to publish observability events, specifically for price estimation quotes. It adds the async-nats dependency, configuration structures, and a new event_bus module in the observe crate. Critical issues were identified in the event bus implementation and configuration: the buyToken field in quote events is incorrectly mapped to the sell_token, and the default NATS URL in tests and configurations lacks a required scheme, which will cause parsing failures. Additionally, the use of an unbounded_channel for the internal message queue poses a memory exhaustion risk; it should be replaced with a bounded channel using try_send to ensure the system remains resilient under load. Finally, the subject prefix in the event bus initialization should be corrected to match the intended naming convention.
| ] | ||
|
|
||
| [event-bus] | ||
| url = "localhost:4222" |
Contributor
There was a problem hiding this comment.
The URL localhost:4222 is missing a scheme. Deserializing this into a url::Url will fail because it requires an absolute URL with a scheme (e.g., nats://).
Suggested change
| url = "localhost:4222" | |
| url = "nats://localhost:4222" |
| assert_eq!(config.volume_fee_bucket_overrides[0].tokens.len(), 2); | ||
| assert_eq!( | ||
| config.event_bus.as_ref().unwrap().url, | ||
| "localhost:4222".parse().unwrap() |
Contributor
There was a problem hiding this comment.
This assertion will panic because localhost:4222 cannot be parsed as an absolute url::Url without a scheme.
Suggested change
| "localhost:4222".parse().unwrap() | |
| "nats://localhost:4222".parse().unwrap() |
tilacog
approved these changes
May 22, 2026
Contributor
tilacog
left a comment
tilacog
left a comment
There was a problem hiding this comment.
LGTM, just commented on a small nit, nothing that should hold the PR.
Comment on lines
+84
to
+88
| /// Enqueues the event to be sent to the event bus in a background task. | ||
| pub fn publish(subject: &str, data: impl Serialize) { | ||
| let Some(bus) = BUS.get() else { | ||
| return; | ||
| }; |
Contributor
There was a problem hiding this comment.
I get that the event bus should be initialized by now, but should we be more defensive here? Maybe log a warning, or call BUS.get_or_init since it's idempotent anyway? We could even unwrap if we feel so bold.
tilacog
reviewed
May 22, 2026
tilacog
reviewed
May 22, 2026
tilacog
reviewed
May 22, 2026
Contributor
|
@claude review this PR please |
|
Claude Code is working… I'll analyze this and get back to you. |
Previously, a misconfigured or unreachable NATS would crash the orderbook and autopilot at startup via three separate .expect() calls. The event bus is observational; failures should disable it, not take the binary down. Init now logs and proceeds; publish() already no-ops when BUS is uninitialized. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The previous forwarder ignored the returned PublishAckFuture, so any server-side rejection (subject mismatch, stream limits, ...) was silently dropped. Pipeline acks via FuturesUnordered so failures are logged without adding a per-message round-trip to publish throughput. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Each failure mode (channel full, JSON serialization, NATS client publish error, JetStream ack failure) was only visible via a log line, which is hard to alert on. Expose a Prometheus counter keyed by a DropReason enum so oncall can notice degradation without grepping logs. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Previously, both autopilot and orderbook had an inline .expect(...) that panicked at startup if the event bus was configured without chain-id. Move the cross-field invariant onto SharedConfig::validate and call it from each binary's config validation, so the misconfiguration is caught once with a clean error message. The runtime use sites can now safely .unwrap(). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
A previous local `mut initialized` only existed for the duration of a single init() call, so its log message could fire on every successful re-init attempt and a failed init followed by a re-init still re-ran connect(). Promote it to a static AtomicBool so calling init() multiple times is a cheap no-op once any prior call succeeded, while still allowing retries after a failure. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Replace the serde_json::Value mutation pattern in publish() with a small
Envelope<T> struct. The wire format ("v1") now lives in one named
constant, the requestId field is camelCased declaratively, and two unit
tests pin the wire shape (presence/absence of requestId) so regressions
break a build instead of a downstream consumer.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The forwarder loop combined two distinct concerns — pumping messages through the NATS client and awaiting JetStream's ack futures — into a single select-loop that was awkward to read. Splitting them into two tasks linked by a bounded channel gives each loop a single responsibility, lets the runtime schedule them on separate cores, and applies natural back-pressure when ack handling can't keep up. The ack waiter also drains its pending set on shutdown so server-side rejections are still surfaced. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Add Envelope::new so publish() reads as a single expression. - Fix the copy-paste doc on configs::shared::EventBusConfig (was describing OpenTelemetry) and merge its duplicate derive attribute. - Promote a couple of internal failure logs from debug to warn so they show up at default verbosity, and document why the await_acks drain loop exists. - Emit `elapsed` in priceEstimate events as a number instead of a stringified one. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The closure passed to produce_results wrapped estimate() in an async block, deferring the call until the future was polled. That broke the queries_stages_sequentially test: with early-return enabled, a racing estimator could complete before later ones in the same stage were ever polled, so their .estimate() invocation — and the side-effects mocks rely on — never happened. Attach the timing / event emission via .map() instead, restoring eager invocation. Also trim emit_quote_event to take just the name and query it actually reads, dropping the unused Context generic. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
tilacog
approved these changes
May 22, 2026
jmg-duarte
reviewed
May 22, 2026
| }) | ||
| } | ||
|
|
||
| const EVENT_BUS_SIZE: usize = 1_000; |
Contributor
There was a problem hiding this comment.
not blocking: metrics over how many messages are in the queue
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Adds a globally-available, NATS JetStream–backed event bus for observational events. Failures must never affect the hot path.
NATS was picked over RabbitMQ because the Rust client for streams was still experimental. The JetStream stream itself is managed in the infra repo, not by the service.
Changes
observe::event_bussingleton with a syncpublish(subject, data)callable from anywhere; in-memory queue feeds two background tasks (publisher + ack-waiter) linked by a second bounded channel for back-pressure.event.<chain_id>.<name>(consumers can wildcardevent.1.>).SharedConfig::event_bus, wired into autopilot and orderbook.priceEstimateevent from each estimator in the quote competition.Robustness
AtomicBoollatch); failed attempts can still retry.PublishAckFutureis actually awaited — server-side rejections surface as logs + metrics.event_bus_dropped_events{reason}keyed by a typedDropReasonenum (channel_full/serialize/publish/ack).SharedConfig::validateenforceschain-idwheneverevent_busis set, so runtime use sites canunwrap().Wire format
Envelope<T> { version: "v1", timestamp, requestId?, body }, shape pinned by unit tests.How to test
Run the
#[ignore]-taggedsend_messagestest incrates/observe/src/event_bus/mod.rsagainst a local NATS, thennats sub "event.>"to watch them land. Two always-on tests pin the envelope shape; one inconfigs::sharedcovers the new validation.