--- name: v083-broker-quic-deadline description: "v0.8.3 PR#19 — broker-side QUIC-op bound (pump-IPC-deadline B-half), PR-ready awaiting doyle gate" metadata: node_type: memory type: project originSessionId: 1e7c582d-c03a-4db0-bd84-c7b3b7959ea0 --- v0.8.3 (PATCH 0.8.2→0.8.3) = the deferred **B-half** of REQ-HAZARD-PUMP-IPC-DEADLINE ([[peer-pump-stall-bhalf-confirmed]], DEFERRED.md:42). doyle DISPATCH 2026-06-16 (I own end-to-end exec, doyle gates, deployah releases). Branch `v0.8.3-broker-quic-deadline` off main@v0.8.2. **PR #19 base main = doyle GATE-PASS (2026-06-16, full source code-read, all 4 invariants verified at source + both int tests confirmed non-vacuous, CI green both runners). Handed to deployah for release counter 19. todlando CLEAR — nothing pending.** Minted **REQ-HAZARD-BROKER-QUIC-DEADLINE**. Root cause: a DEAD roster peer → broker's brain-facing QUIC op (dial/open_stream/send_stream) awaits unbounded; A-half bounds only the brain READ → 30s stall + pump restart re-dials same dead peer + re-wedges. Recurred hfenduleam 2026-06-16. FIX: `NetHost::bounded_block_on` wraps the 3 QUIC await sites in `tokio::time::timeout` under `quic_op_timeout` (default `BROKER_QUIC_OP_TIMEOUT_MS`=10s; test-override `set_quic_op_timeout`, off NetConfig like set_roster_exchange). On elapse → future DROPPED (cancels op, nothing half-registered) → non-TimedOut io::Error → broker REPLIES ordinary error frame. 4 invariants: (1) ordinary err not TimedOut — brain maps BrokerEvent::Error→io::Error::other=ErrorKind::Other → peer_outcome per-peer arm, NOT brain's own recv-deadline TimedOut (A-half poison path). (2) 10s < brain's 30s PUMP_PEER_IO_TIMEOUT so broker fires first (20s margin). (3) exactly-once: QUIC call is INSIDE apply_once closure → timeout→closure Err→effect()? before applied.insert → no phantom conn/stream id. (4) happy path zero added latency. Tests: unit nethost (never-completing→prompt non-TimedOut err; ready untouched); int netbroker (membership-mismatch black hole: A=membership Some, B=None → A's prove_membership hangs → broker ordinary err in bound + exactly-once-on-timeout: !is_applied, applied_count 0, conn_count 0, redial clean); int pump (production pump vs dead peer → heartbeat monotonic-advances + run_peer_pump exits Ok, no PEER_PUMP_RESTART; pre-fix freezes ≥30s, 20s window catches). Membership-mismatch = the documented native black hole (nethost docs: "both peers must agree or the side expecting the control stream would hang"). **doyle GATE PASS @ PR#19 (full source code-read, not rubber-stamp) → deployah RELEASE GO (counter 19).** Verified all 4 invariants at source: (1) ordinary-error chain end-to-end (bounded_block_on→Error::other→send_error→KIND_ERROR→brain Error::other=Other→peer_outcome ordinary arm; broker fires 10s so brain's own recv-deadline TimedOut @brain.rs:1141 never trips); (2) 10s<30s margin; (3) exactly-once timeout-inside-apply_once (int proves !is_applied/applied_count0/conn_count0/clean-redial); (4) happy-path transparent. INT NON-VACUOUS confirmed (v0.8.2 lesson): pump test captures `first` heartbeat written loop-top BEFORE dial → requires ADVANCE → pre-fix dial wedges forever→loop never re-tops→frozen→assert fails (genuinely catches today's freeze). Linchpin verified: every net handler Err→send_error frame (broker.rs:735-756). CI green both runners, mergeable, seam-sweep green, clippy-workspace clean. Docs version-framed (no codes). Relayed VETTED CHANGELOG body + [0.8.3] intro to deployah. doyle on-call for hash check. **PUBLISHED 2026-06-16 (counter 19, publisher leg 13× clean, no retag).** deployah full self-drive: merge PR#19 (0548c48) → bump b6470c1 (vetted [0.8.3] intro verbatim + Cargo.lock 11 first-party only, spared acto/compact_str/dlopen2/litemap/yoke-derive) → CI green both → tag v0.8.3 → sign+publish. Hashes: linux 65325788… win 7229cf07… signed rel-primary-2026, update-set v19. doyle hash-check ✓. B-half now on fleet update path → dead-peer pump wedge cured on next daemon restart/update. 3 commits: mint 69af744 → impl+unit+int cece4a6 → docs f4dc053. Docs: KNOWN-HAZARDS 7.8 NEW + 7.6 B-half-fixed reword + conformance row, DEFERRED:42 RESOLVED, CHANGELOG [Unreleased]. Gate bar preflighted: clippy --workspace -D warnings clean · traceable EXIT 0 [doc,impl,unit,int] · seam-sweep green (netbroker/pump/mesh/replicate/wanmsg/attach/daemon_lifecycle_real_brain + 314 lib) · docs-drift OK (CRLF-only). CARGO.LOCK bump = deployah's at release.