feat(core): integrate RetryManager into SegmentDestination upload pipeline (#1160)

* fix: add persistence validation, atomic backoff calc, and 429 precedence

- Validate persisted state in canRetry() to handle clock changes/corruption
  per SDD §Metadata Lifecycle
- Move backoff calculation inside dispatch to avoid stale retryCount from
  concurrent batch failures (handleErrorWithBackoff)
- Ensure RATE_LIMITED state is never downgraded to BACKING_OFF
- Update reset() docstring to clarify when it should be called

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* refactor: clean up RetryManager comments for post-merge readability

Simplify class docstring to describe current architecture without
referencing SDD deviations. Remove redundant inline comments, compact
JSDoc to single-line where appropriate, and ensure all comments use
present tense.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* refactor: consolidate error handlers, fix getState race, add limit signaling

- Use getState(true) for queue-safe reads to prevent race conditions
  between concurrent canRetry/handle429/handleTransientError calls
- Consolidate handleError and handleErrorWithBackoff into a single
  method that accepts a computeWaitUntilTime function
- Extract side effects (logging, Math.random) from dispatch reducers
- Return RetryResult ('rate_limited'|'backed_off'|'limit_exceeded')
  from handle429/handleTransientError so callers can drop events on
  limit exceeded
- Clear auto-flush timer in transitionToReady
- Validate state string in isPersistedStateValid

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* style: trim verbose inline comments in RetryManager

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* refactor: use enums and switch statements for clearer state handling

Replace string literals with TypeScript enums:
- RetryState enum (READY, RATE_LIMITED, BACKING_OFF)
- RetryResult enum (RATE_LIMITED, BACKED_OFF, LIMIT_EXCEEDED)

Extract helper methods for clarity:
- resolveStatePrecedence(): handles 429 taking priority over backoff
- consolidateWaitTime(): uses switch statement for clear wait time logic
- getStateDisplayName(): maps state to display names

Benefits:
- Type-safe state handling (no magic strings)
- Switch statements make control flow explicit
- Each helper method has a single, named responsibility
- Easier to test and maintain

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* refactor: remove VALID_STATES Set, use Object.values for enum validation

Use Object.values(RetryState).includes() instead of maintaining a
duplicate Set of valid states. More idiomatic TypeScript and eliminates
maintenance burden of keeping Set in sync with enum.

* test: add 429 authority test and fix autoFlush timer cleanup

- Add test verifying 429 Retry-After overrides long transient backoff
- Track RetryManager instances in autoFlush tests and destroy in
  afterEach to prevent timer leaks

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* test: update tests for refactored API and add missing coverage

Update log assertions for consolidated limit-exceeded message. Add tests
for: RetryResult return values, jitter calculation, isPersistedStateValid
clock skew detection, handle429(0) edge case, and strengthened assertions
that verify behavioral state after clamping/rejection (not just log output).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: add persistence validation, atomic backoff calc, and 429 precedence

- Validate persisted state in canRetry() to handle clock changes/corruption
  per SDD §Metadata Lifecycle
- Move backoff calculation inside dispatch to avoid stale retryCount from
  concurrent batch failures (handleErrorWithBackoff)
- Ensure RATE_LIMITED state is never downgraded to BACKING_OFF
- Update reset() docstring to clarify when it should be called

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* refactor: clean up RetryManager comments for post-merge readability

Simplify class docstring to describe current architecture without
referencing SDD deviations. Remove redundant inline comments, compact
JSDoc to single-line where appropriate, and ensure all comments use
present tense.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* refactor: consolidate error handlers, fix getState race, add limit signaling

- Use getState(true) for queue-safe reads to prevent race conditions
  between concurrent canRetry/handle429/handleTransientError calls
- Consolidate handleError and handleErrorWithBackoff into a single
  method that accepts a computeWaitUntilTime function
- Extract side effects (logging, Math.random) from dispatch reducers
- Return RetryResult ('rate_limited'|'backed_off'|'limit_exceeded')
  from handle429/handleTransientError so callers can drop events on
  limit exceeded
- Clear auto-flush timer in transitionToReady
- Validate state string in isPersistedStateValid

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* style: trim verbose inline comments in RetryManager

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* refactor: use enums and switch statements for clearer state handling

Replace string literals with TypeScript enums:
- RetryState enum (READY, RATE_LIMITED, BACKING_OFF)
- RetryResult enum (RATE_LIMITED, BACKED_OFF, LIMIT_EXCEEDED)

Extract helper methods for clarity:
- resolveStatePrecedence(): handles 429 taking priority over backoff
- consolidateWaitTime(): uses switch statement for clear wait time logic
- getStateDisplayName(): maps state to display names

Benefits:
- Type-safe state handling (no magic strings)
- Switch statements make control flow explicit
- Each helper method has a single, named responsibility
- Easier to test and maintain

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* refactor: remove VALID_STATES Set, use Object.values for enum validation

Use Object.values(RetryState).includes() instead of maintaining a
duplicate Set of valid states. More idiomatic TypeScript and eliminates
maintenance burden of keeping Set in sync with enum.

* feat(core): integrate RetryManager into SegmentDestination upload pipeline

Wire RetryManager into SegmentDestination for TAPI-compliant retry
handling: uploadBatch() with error classification, event pruning on
partial failures, retry count header propagation, and QueueFlushingPlugin
error type handling updates.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: partial success reset, 429 precedence, and cleanup in sendEvents

- Don't reset retry state on partial success when concurrent batches have
  429/transient errors
- Use if/else if so 429 takes precedence over transient error handling
- Remove redundant return Promise.resolve() in async function
- Fix duplicate keepalive property from master merge

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: address review issues in SegmentDestination integration

- Use res.ok instead of res.status === 200 for 2xx success range
- Remove dead dequeue() method from QueueFlushingPlugin
- Add destroy() to SegmentDestination for RetryManager timer cleanup
- Reset retry state when queue is empty at flush time or after pruning
- Call handle429 per result instead of pre-aggregating, so
  RetryManager.applyRetryStrategy respects eager/lazy consolidation
- Simplify retryAfterSeconds fallback to ?? 60

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* refactor: extract helper methods and clean up comments in SegmentDestination

Extract pruneExpiredEvents() and updateRetryState() from sendEvents to
improve readability. Remove redundant/obvious comments, merge duplicate
switch cases, and simplify return statements throughout.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: wire shutdown lifecycle, handle limit-exceeded signal, age-based pruning

- Override shutdown() instead of standalone destroy() to integrate with
  the plugin lifecycle — prevents auto-flush timer leak on client cleanup
- Handle RetryResult 'limit_exceeded' from RetryManager: log warning and
  let per-event age pruning (pruneExpiredEvents via _queuedAt) handle
  event drops rather than dropping all retryable events on global counter
  reset
- Import RetryResult type for type-safe limit checking

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: restore pre-existing comments in SegmentDestination.ts

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: always apply defaultHttpConfig, drop events on retry limit exceeded

Root cause: when the CDN settings response had no httpConfig field,
analytics.ts guarded the entire merge block with if (resJson.httpConfig),
so this.httpConfig stayed undefined. This prevented RetryManager creation
in SegmentDestination, disabling all retry features (error classification
overrides, canRetry() gating, retry counting, maxRetries enforcement).

Changes:
- Remove httpConfig guard in analytics.ts — always merge defaultHttpConfig
  as baseline, with CDN and config.httpConfig overrides on top
- Add httpConfig?: DeepPartial<HttpConfig> to Config type for client-side
  overrides (e.g. maxRetries from test harness)
- Drop retryable events when retry limits exceeded in SegmentDestination
  instead of leaving them in the queue indefinitely
- Update fetchSettings test to expect defaultHttpConfig when CDN has no
  httpConfig

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* style: trim verbose inline comments in SDK plugins and types

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: remove auto-flush wiring from SegmentDestination, add CDN validation tests

Remove autoFlushOnRetryReady check, setAutoFlushCallback call, and shutdown()
method. Add tests for CDN integrations validation (null, array, string, and
no-defaults scenarios).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: increment droppedEventCount at SegmentDestination drop sites

Wire up the droppedEventCount counter (added in cli-flush-retry-loop)
at the two places SegmentDestination permanently removes events:
permanent errors and retry limit exceeded.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: treat missing CDN integrations as empty, not as fallback trigger

When CDN returns a valid 200 with no integrations field (e.g. {}),
treat it as authoritative "no integrations configured" rather than
falling back to defaultSettings. This ensures SegmentDestination is
correctly disabled when the server has no integrations.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: restore droppedEventCount property on SegmentDestination

Property declaration was lost during branch rebase.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* refactor: replace droppedEventCount with reportInternalError at drop sites

Report EventsDropped errors via errorHandler at all three drop sites:
expired events, permanent HTTP errors, and retry limit exceeded.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat: add metadata to EventsDropped errors with droppedCount and reason

Pass structured metadata at all three drop sites so consumers can
access droppedCount and reason without parsing strings.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: remove retryStrategy param, update tests for eager behavior

* refactor: improve SegmentDestination readability

- Extract error classification into classifyBatchResult method
- Add helper methods for config access (getRateLimitConfig, getBackoffConfig)
- Consolidate drop reporting into reportDroppedEvents helper
- Extract upload result processing into processUploadResults method
- Use early returns in sendEvents for clearer control flow

* fix: remove leftover activeManager reference from rebase

* chore: remove review-agent-commit.sh and add *.local.sh to gitignore

* fix: remove duplicate isPersistedStateValid calls in canRetry

* refactor: extract httpConfig merging into reusable helper

Consolidate duplicate 3-way config merging logic (default < CDN < client)
into mergeHttpConfig() helper in config-validation.ts. Reduces analytics.ts
by 42 lines and makes the merging logic testable and maintainable.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* fix: omit X-Retry-Count header on first request attempt

The X-Retry-Count header should only be sent on retry attempts (count > 0),
not on the initial request. This aligns with updated e2e test expectations
and standard retry header conventions.

Changes:
- api.ts: conditionally add X-Retry-Count only when retryCount > 0
- api.test.ts: update tests to verify header is omitted on first attempt
- e2e-config.json: enable retry test suite

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: abueide

.gitignore

@@ -97,5 +97,8 @@ packages/core/src/info.ts
 
 AGENTS.md
 
+# Local files (not for commit)
+*.local.sh
+
 # Notes and research (not for commit)
 notes/

e2e-cli/e2e-config.json

@@ -1,6 +1,6 @@
 {
   "sdk": "react-native",
-  "test_suites": "basic,settings",
+  "test_suites": "basic,settings,retry",
   "auto_settings": true,
   "patch": null,
   "env": {

packages/core/src/__tests__/api.test.ts

@@ -25,7 +25,11 @@ describe('#sendEvents', () => {
       .mockReturnValue('2001-01-01T00:00:00.000Z');
   });
 
-  async function sendAnEventPer(writeKey: string, toUrl: string) {
+  async function sendAnEventPer(
+    writeKey: string,
+    toUrl: string,
+    retryCount?: number
+  ) {
     const mockResponse = Promise.resolve('MANOS');
     // eslint-disable-next-line @typescript-eslint/ban-ts-comment
     // @ts-ignore
@@ -60,9 +64,19 @@ describe('#sendEvents', () => {
       writeKey: writeKey,
       url: toUrl,
       events: [event],
+      retryCount,
     });
 
-    expect(fetch).toHaveBeenCalledWith(toUrl, {
+    return event;
+  }
+
+  it('sends an event', async () => {
+    const toSegmentBatchApi = 'https://api.segment.io/v1.b';
+    const writeKey = 'SEGMENT_KEY';
+
+    const event = await sendAnEventPer(writeKey, toSegmentBatchApi);
+
+    expect(fetch).toHaveBeenCalledWith(toSegmentBatchApi, {
       method: 'POST',
       keepalive: true,
       body: JSON.stringify({
@@ -74,19 +88,58 @@ describe('#sendEvents', () => {
         'Content-Type': 'application/json; charset=utf-8',
       },
     });
-  }
-
-  it('sends an event', async () => {
-    const toSegmentBatchApi = 'https://api.segment.io/v1.b';
-    const writeKey = 'SEGMENT_KEY';
-
-    await sendAnEventPer(writeKey, toSegmentBatchApi);
   });
 
   it('sends an event to proxy', async () => {
     const toProxyUrl = 'https://myprox.io/b';
     const writeKey = 'SEGMENT_KEY';
 
-    await sendAnEventPer(writeKey, toProxyUrl);
+    const event = await sendAnEventPer(writeKey, toProxyUrl);
+
+    expect(fetch).toHaveBeenCalledWith(toProxyUrl, {
+      method: 'POST',
+      body: JSON.stringify({
+        batch: [event],
+        sentAt: '2001-01-01T00:00:00.000Z',
+        writeKey: 'SEGMENT_KEY',
+      }),
+      headers: {
+        'Content-Type': 'application/json; charset=utf-8',
+      },
+      keepalive: true,
+    });
+  });
+
+  it('does not send X-Retry-Count header on first attempt (retryCount=0)', async () => {
+    const url = 'https://api.segment.io/v1.b';
+    await sendAnEventPer('KEY', url);
+
+    const callArgs = (fetch as jest.Mock).mock.calls[0];
+    const headers = callArgs[1].headers;
+    expect(headers['X-Retry-Count']).toBeUndefined();
+  });
+
+  it('sends X-Retry-Count header with provided retry count', async () => {
+    const url = 'https://api.segment.io/v1.b';
+    await sendAnEventPer('KEY', url, 5);
+
+    expect(fetch).toHaveBeenCalledWith(
+      url,
+      expect.objectContaining({
+        headers: expect.objectContaining({
+          'X-Retry-Count': '5',
+        }),
+      })
+    );
+  });
+
+  it('sends X-Retry-Count as string format', async () => {
+    const url = 'https://api.segment.io/v1.b';
+    await sendAnEventPer('KEY', url, 42);
+
+    const callArgs = (fetch as jest.Mock).mock.calls[0];
+    const headers = callArgs[1].headers;
+    expect(typeof headers['X-Retry-Count']).toBe('string');
+    expect(headers['X-Retry-Count']).toBe('42');
   });
 });

packages/core/src/__tests__/internal/fetchSettings.test.ts

@@ -1,5 +1,5 @@
 import { SegmentClient } from '../../analytics';
-import { settingsCDN } from '../../constants';
+import { settingsCDN, defaultHttpConfig } from '../../constants';
 import { SEGMENT_DESTINATION_KEY } from '../../plugins/SegmentDestination';
 import { getMockLogger, MockSegmentStore } from '../../test-helpers';
 import { getURL } from '../../util';
@@ -436,6 +436,80 @@ describe('internal #getSettings', () => {
     });
   });
 
+  describe('CDN integrations validation', () => {
+    it('treats null integrations as empty (no integrations configured)', async () => {
+      (fetch as jest.MockedFunction<typeof fetch>).mockResolvedValueOnce({
+        ok: true,
+        json: () => Promise.resolve({ integrations: null }),
+        status: 200,
+      } as Response);
+
+      const client = new SegmentClient(clientArgs);
+      await client.fetchSettings();
+
+      expect(setSettingsSpy).toHaveBeenCalledWith({});
+    });
+
+    it('treats missing integrations as empty (no integrations configured)', async () => {
+      (fetch as jest.MockedFunction<typeof fetch>).mockResolvedValueOnce({
+        ok: true,
+        json: () => Promise.resolve({}),
+        status: 200,
+      } as Response);
+
+      const client = new SegmentClient(clientArgs);
+      await client.fetchSettings();
+
+      expect(setSettingsSpy).toHaveBeenCalledWith({});
+    });
+
+    it('falls back to defaults when CDN returns integrations as an array', async () => {
+      (fetch as jest.MockedFunction<typeof fetch>).mockResolvedValueOnce({
+        ok: true,
+        json: () => Promise.resolve({ integrations: ['invalid'] }),
+        status: 200,
+      } as Response);
+
+      const client = new SegmentClient(clientArgs);
+      await client.fetchSettings();
+
+      expect(setSettingsSpy).toHaveBeenCalledWith(
+        defaultIntegrationSettings.integrations
+      );
+    });
+
+    it('falls back to defaults when CDN returns integrations as a string', async () => {
+      (fetch as jest.MockedFunction<typeof fetch>).mockResolvedValueOnce({
+        ok: true,
+        json: () => Promise.resolve({ integrations: 'invalid' }),
+        status: 200,
+      } as Response);
+
+      const client = new SegmentClient(clientArgs);
+      await client.fetchSettings();
+
+      expect(setSettingsSpy).toHaveBeenCalledWith(
+        defaultIntegrationSettings.integrations
+      );
+    });
+
+    it('stores empty integrations when CDN returns null integrations and no defaults', async () => {
+      (fetch as jest.MockedFunction<typeof fetch>).mockResolvedValueOnce({
+        ok: true,
+        json: () => Promise.resolve({ integrations: null }),
+        status: 200,
+      } as Response);
+
+      const client = new SegmentClient({
+        ...clientArgs,
+        config: { ...clientArgs.config, defaultSettings: undefined },
+      });
+      await client.fetchSettings();
+
+      expect(setSettingsSpy).toHaveBeenCalledWith({});
+    });
+  });
+
   describe('httpConfig extraction', () => {
     it('extracts httpConfig from CDN response and merges with defaults', async () => {
       const serverHttpConfig = {
@@ -483,7 +557,7 @@ describe('internal #getSettings', () => {
       expect(result?.backoffConfig?.jitterPercent).toBe(20);
     });
 
-    it('returns undefined httpConfig when CDN has no httpConfig', async () => {
+    it('returns defaultHttpConfig when CDN has no httpConfig', async () => {
       (fetch as jest.MockedFunction<typeof fetch>).mockResolvedValueOnce({
         ok: true,
         json: () => Promise.resolve(defaultIntegrationSettings),
@@ -496,7 +570,17 @@ describe('internal #getSettings', () => {
       });
 
       await anotherClient.fetchSettings();
-      expect(anotherClient.getHttpConfig()).toBeUndefined();
+      const result = anotherClient.getHttpConfig();
+      expect(result).toBeDefined();
+      expect(result?.rateLimitConfig?.enabled).toBe(
+        defaultHttpConfig.rateLimitConfig!.enabled
+      );
+      expect(result?.backoffConfig?.enabled).toBe(
+        defaultHttpConfig.backoffConfig!.enabled
+      );
+      expect(result?.backoffConfig?.statusCodeOverrides).toEqual(
+        defaultHttpConfig.backoffConfig!.statusCodeOverrides
+      );
     });
 
     it('returns undefined httpConfig when fetch fails', async () => {

packages/core/src/analytics.ts

@@ -12,6 +12,7 @@ import {
   defaultFlushAt,
   maxPendingEvents,
 } from './constants';
+import { mergeHttpConfig } from './config-validation';
 import { getContext } from './context';
 import {
   createAliasEvent,
@@ -73,7 +74,7 @@ import {
   SegmentError,
   translateHTTPError,
 } from './errors';
-import { validateIntegrations, extractHttpConfig } from './config-validation';
+import { validateIntegrations } from './config-validation';
 import { QueueFlushingPlugin } from './plugins/QueueFlushingPlugin';
 import { WaitingPlugin } from './plugin';
 
@@ -198,8 +199,8 @@ export class SegmentClient {
   }
 
   /**
-   * Retrieves the server-side httpConfig from CDN settings.
-   * Returns undefined if the CDN did not provide httpConfig (retry features disabled).
+   * Retrieves the merged httpConfig (defaultHttpConfig ← CDN ← config overrides).
+   * Returns undefined only if settings have not yet been fetched.
    */
   getHttpConfig(): HttpConfig | undefined {
     return this.httpConfig;
@@ -418,8 +419,13 @@ export class SegmentClient {
         resJson.middlewareSettings?.routingRules ?? []
       );
 
+      // Merge httpConfig: defaultHttpConfig ← CDN ← config overrides
+      this.httpConfig = mergeHttpConfig(
+        resJson.httpConfig,
+        this.config.httpConfig,
+        this.logger
+      );
       if (resJson.httpConfig) {
-        this.httpConfig = extractHttpConfig(resJson.httpConfig, this.logger);
         this.logger.info('Loaded httpConfig from CDN settings.');
       }
 

packages/core/src/api.ts

@@ -4,11 +4,22 @@ export const uploadEvents = async ({
   writeKey,
   url,
   events,
+  retryCount = 0,
 }: {
   writeKey: string;
   url: string;
   events: SegmentEvent[];
+  retryCount?: number;
 }) => {
+  const headers: Record<string, string> = {
+    'Content-Type': 'application/json; charset=utf-8',
+  };
+
+  // Only send X-Retry-Count on retries (count > 0), omit on first attempt
+  if (retryCount > 0) {
+    headers['X-Retry-Count'] = retryCount.toString();
+  }
+
   return await fetch(url, {
     method: 'POST',
     keepalive: true,
@@ -17,8 +28,6 @@ export const uploadEvents = async ({
       sentAt: new Date().toISOString(),
       writeKey: writeKey,
     }),
-    headers: {
-      'Content-Type': 'application/json; charset=utf-8',
-    },
+    headers,
   });
 };

packages/core/src/backoff/RetryManager.ts

@@ -126,14 +126,6 @@ export class RetryManager {
       return true;
     }
 
-    if (!this.isPersistedStateValid(state, now)) {
-      this.logger?.warn(
-        'Persisted retry state failed validation, resetting to READY'
-      );
-      await this.reset();
-      return true;
-    }
-
     if (now >= state.waitUntilTime) {
       await this.transitionToReady();
       return true;