namespace Elsa.Workflows.Runtime.Options;

/// <summary>
/// Options governing the workflow runtime's graceful-shutdown machinery: the drain deadline, the
/// per-ingress-source pause timeout, stimulus-queue back-pressure, and the pause-persistence policy.
/// </summary>
// NOTE(review): every setter here accepts any value (negative durations, zero or negative counts).
// Any range validation or clamping presumably happens in the consumer; confirm before exposing
// these options to operator-supplied configuration.
public class GracefulShutdownOptions
{
    // Defaults are named so each value has one place to change.
    private const int DefaultDrainDeadlineSeconds = 30;
    private const int DefaultIngressPauseTimeoutSeconds = 5;
    private const int DefaultPausedQueueMaxDepth = 10_000;
    private const int DefaultMaxReportedInstanceIds = 100;

    /// <summary>
    /// Upper bound on the wall-clock time a drain may take; once it elapses, execution cycles that are
    /// still outstanding are force-cancelled. The effective deadline is clamped to the host's own
    /// shutdown timeout minus a small safety epsilon. Defaults to 30 seconds.
    /// </summary>
    public TimeSpan DrainDeadline { get; set; } = TimeSpan.FromSeconds(DefaultDrainDeadlineSeconds);

    /// <summary>
    /// Fallback pause timeout applied per ingress source. The drain orchestrator uses it whenever a
    /// source's own <see cref="IIngressSource.PauseTimeout"/> is <see cref="TimeSpan.Zero"/> (or negative).
    /// A source that has not finished pausing within the resolved window is marked <c>PauseFailed</c>
    /// and, if it implements force-stop, escalated. Defaults to 5 seconds.
    /// </summary>
    /// <remarks>
    /// A source opts out of this default by exposing its own positive
    /// <see cref="IIngressSource.PauseTimeout"/>; the per-source value wins. The orchestrator also caps
    /// every per-source deadline at the overall drain deadline, so that a single misbehaving source
    /// cannot exceed the host's shutdown budget.
    /// </remarks>
    public TimeSpan IngressPauseTimeout { get; set; } = TimeSpan.FromSeconds(DefaultIngressPauseTimeoutSeconds);

    /// <summary>
    /// Largest stimulus-queue depth tolerated while the runtime is paused. Past this threshold readiness
    /// degrades, and <see cref="OverflowPolicy"/> decides whether new writes are rejected. <c>null</c>
    /// keeps the unlimited queue behavior that predates graceful shutdown, which is useful when upstream
    /// transports already apply their own back-pressure and the operator wants no runtime-side cap.
    /// Defaults to 10,000.
    /// </summary>
    // NOTE(review): the default OverflowPolicy is Buffer. This file does not show whether Buffer keeps
    // accepting writes past the cap; if it does, the cap alone does not bound queue memory during a
    // long pause. Setting this to null removes the runtime-side limit altogether, so confirm that
    // upstream back-pressure really exists before doing so.
    public int? StimulusQueueMaxDepthWhilePaused { get; set; } = DefaultPausedQueueMaxDepth;

    /// <summary>
    /// Policy applied once the paused stimulus queue grows beyond
    /// <see cref="StimulusQueueMaxDepthWhilePaused"/>. Defaults to
    /// <see cref="StimulusQueueOverflowPolicy.Buffer"/>.
    /// </summary>
    public StimulusQueueOverflowPolicy OverflowPolicy { get; set; } = StimulusQueueOverflowPolicy.Buffer;

    /// <summary>
    /// Whether an administrative pause survives a runtime generation boundary. Defaults to
    /// <see cref="PausePersistencePolicy.SessionScoped"/>.
    /// </summary>
    public PausePersistencePolicy PausePersistence { get; set; } = PausePersistencePolicy.SessionScoped;

    /// <summary>
    /// Upper limit on how many force-cancelled workflow instance IDs are listed in a <c>DrainOutcome</c>.
    /// The true count is always reported, regardless of this cap. Defaults to 100.
    /// </summary>
    public int MaxForceCancelledInstanceIdsReported { get; set; } = DefaultMaxReportedInstanceIds;
}