You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Spun off from #2615, which proposed a burst-volume runner to exercise the 60 req/s sustained / 300 req/s burst idempotency-cache rate-limit ceiling. Burst-volume testing has structural non-determinism (CI runner jitter, agent cold-start variance, game-able passing floor) and the cost-benefit doesn't justify the runner infrastructure absent a reported violation.
What is genuinely testable and worth landing: the replay invariant — a RATE_LIMITED response on insert MUST NOT be cached as the canonical response for that idempotency key. Otherwise a client that retries after retry_after gets the cached rate-limit error forever, defeating the point of retry_after.
Shape
Deterministic two-request phase, no burst:
Drive enough fresh-key inserts in a tight window to trip rate-limiting on a target mutating op. Record the idempotency key from the first request that received RATE_LIMITED.
Sleep retry_after seconds.
Re-submit the same idempotency key with the same payload.
Assert: response is the real handler's success/error result for that input, not a cached replay of RATE_LIMITED.
The "drive enough to trip" step is the only flaky part. Mitigation: scope it to a single agent-declared cheap mutating op (default log_event) and accept that some implementations may need to declare a lower-cost op in their test-kit manifest. If the trip step skips (rate limit not hit), grade not_applicable for that phase — same gating pattern as webhook-receiver-runner.
Scope (target ops)
The phase MUST cover any mutating op the agent declares it supports, including:
Direct attestation of the 60/300 req/s thresholds — the spec text in docs/building/implementation/security.mdx covers this normatively; runtime grading is deferred until a real implementation violates the threshold.
Acceptance
New phase in static/compliance/source/universal/idempotency.yaml exercising the replay invariant
Phase grades not_applicable when the trip step doesn't elicit a RATE_LIMITED response (with reason documented in runner output)
Why
Spun off from #2615, which proposed a burst-volume runner to exercise the 60 req/s sustained / 300 req/s burst idempotency-cache rate-limit ceiling. Burst-volume testing has structural non-determinism (CI runner jitter, agent cold-start variance, game-able passing floor) and the cost-benefit doesn't justify the runner infrastructure absent a reported violation.
What is genuinely testable and worth landing: the replay invariant — a RATE_LIMITED response on insert MUST NOT be cached as the canonical response for that idempotency key. Otherwise a client that retries after
retry_aftergets the cached rate-limit error forever, defeating the point ofretry_after.Shape
Deterministic two-request phase, no burst:
RATE_LIMITED.retry_afterseconds.RATE_LIMITED.The "drive enough to trip" step is the only flaky part. Mitigation: scope it to a single agent-declared cheap mutating op (default
log_event) and accept that some implementations may need to declare a lower-cost op in their test-kit manifest. If the trip step skips (rate limit not hit), gradenot_applicablefor that phase — same gating pattern aswebhook-receiver-runner.Scope (target ops)
The phase MUST cover any mutating op the agent declares it supports, including:
log_event,sync_audiences,sync_catalogs,sync_creatives,sync_event_sources(existing)build_creative,validate_inputintroduced by RFC: Creative Formats v2 — canonical formats live on products, composition primitives, validate_input #3305 (Creative Formats v2) — these are new mutating ops in 3.1 preview and inherit the idempotency MUSTsStoryboard runs the replay-invariant assertion against whichever ops the agent claims to support via
get_adcp_capabilities.What we are NOT building
static/compliance/source/test-kits/burst-runner.yaml— dropped; non-deterministic and game-able (see compliance: burst-runner test-kit contract for idempotency insert-rate ceiling #2615 close).docs/building/implementation/security.mdxcovers this normatively; runtime grading is deferred until a real implementation violates the threshold.Acceptance
static/compliance/source/universal/idempotency.yamlexercising the replay invariantnot_applicablewhen the trip step doesn't elicit aRATE_LIMITEDresponse (with reason documented in runner output)build_creative,validate_input)Related
docs/building/implementation/security.mdx:296bullet 8 (idempotency rate-limit normative text)