docs(02-04): complete block proxy plan — upstream wiring, fallback chain, routes, Docker verified

- 02-04-SUMMARY.md: execution summary with deviations and Docker verification results
- STATE.md: Phase 2 position updated to 4/4 COMPLETE, decisions and metrics added
- ROADMAP.md: Phase 2 marked complete (4/4 plans)
- REQUIREMENTS.md: PRXY-01, PRXY-02, ENDP-02, ENDP-03 marked complete

Author: andrewklau

.planning/REQUIREMENTS.md

@@ -0,0 +1,119 @@
+# Requirements: NearBlocks Block Proxy
+
+**Defined:** 2026-03-01
+**Core Value:** All indexers can reliably fetch block data from a single proxy service with full fault tolerance across multiple upstream sources
+
+## v1 Requirements
+
+### Core Proxy
+
+- [x] **PRXY-01**: Proxy serves block data via `GET /block/:block_height` returning JSON
+- [x] **PRXY-02**: Concurrent requests for the same block height are deduplicated via in-memory singleflight — only one upstream fetch occurs
+- [x] **PRXY-03**: Block data is cached to local filesystem with atomic write-then-rename
+- [x] **PRXY-04**: Cached blocks are evicted after configurable TTL (recent blocks only)
+- [x] **PRXY-05**: Upstream sources are checked in configurable order: local cache -> S3 -> fastnear -> NEAR Lake
+- [x] **PRXY-06**: Each upstream source can be enabled/disabled via environment variables
+- [x] **PRXY-07**: Upstream sources have aggressive per-source timeouts (5-8s) to prevent cascading stalls
+- [ ] **PRXY-08**: Circuit breaker auto-disables upstream after consecutive failures with cooldown period
+- [x] **PRXY-09**: Block data is normalized to a canonical JSON format regardless of which upstream served it
+- [x] **PRXY-10**: Block data is passed through without deserialization where possible (serde_json RawValue)
+- [x] **PRXY-11**: Cached blocks are compressed with zstd to reduce disk usage
+
+### Endpoints
+
+- [x] **ENDP-01**: `GET /healthz` returns health status for Docker/K8s liveness probes
+- [x] **ENDP-02**: `GET /last_block/final` proxies to fastnear for chain tip (NOT cached, real-time)
+- [x] **ENDP-03**: Responses include `X-Upstream-Source` header indicating which source served the data
+- [ ] **ENDP-04**: `GET /stats` returns JSON with cache hit rate, dedup saves, cache size, upstream latencies
+
+### Admin & Observability
+
+- [ ] **ADMN-01**: Web admin dashboard displays upstream source status and allows toggling
+- [ ] **ADMN-02**: `POST /admin/upstreams/{source}/enable|disable` toggles sources at runtime without restart
+- [ ] **ADMN-03**: Prometheus `/metrics` endpoint exposes request counts, cache hit/miss, dedup saves, upstream latencies
+- [ ] **ADMN-04**: Admin routes are isolated from data-plane routes (separate auth/access)
+
+### TypeScript Integration
+
+- [ ] **TSIN-01**: nb-neardata package updated to fetch from `BLOCK_PROXY_URL` instead of direct fastnear
+- [ ] **TSIN-02**: nb-blocks package updated to fetch from `BLOCK_PROXY_URL` instead of direct S3/MinIO
+- [ ] **TSIN-03**: nb-neardata-raw (if applicable) updated to fetch from proxy
+- [ ] **TSIN-04**: Indexer apps require zero code changes — only package-level updates
+- [ ] **TSIN-05**: "Find final block" logic uses proxy's `/last_block/final` endpoint
+- [ ] **TSIN-06**: No fallback to direct upstream in packages — proxy is the single source
+
+### Operations
+
+- [ ] **OPER-01**: Graceful shutdown completes in-flight requests before process exit
+- [x] **OPER-02**: Structured logging via tracing crate with JSON output
+- [x] **OPER-03**: Docker image with deployment configuration (Dockerfile, compose)
+- [ ] **OPER-04**: Startup cache pre-scan repopulates index from existing filesystem cache
+- [x] **OPER-05**: Cold-start handling with readiness probe (don't accept traffic until ready)
+
+## v2 Requirements
+
+### Enhanced Observability
+
+- **OBSV-01**: Per-upstream P50/P95 latency tracking with historical graphs
+- **OBSV-02**: Cache usage visualization in admin dashboard
+- **OBSV-03**: Block height range validation (reject invalid block numbers)
+
+### Resilience
+
+- **RESL-01**: Distributed proxy / HA mode for multi-instance deployment
+- **RESL-02**: Cache warming from historical block range on demand
+
+## Out of Scope
+
+| Feature | Reason |
+|---------|--------|
+| Redis for caching/dedup | Explicitly excluded — single-process proxy; in-memory is lower latency with no external dependency |
+| WebSocket streaming push API | Breaks existing pull-model indexer contracts; indexers request blocks, not subscribe |
+| Distributed proxy / HA | Singleflight breaks across processes; single instance with upstream fallback is sufficient for v1 |
+| Full archival cache | 100TB+ to cache all of NEAR mainnet; recent blocks only with upstream fallback for older blocks |
+| Fallback to direct upstream in packages | Proxy is the single source; no bypass logic in TypeScript packages |
+| Mobile or public-facing UI | Admin dashboard is internal only |
+
+## Traceability
+
+| Requirement | Phase | Status |
+|-------------|-------|--------|
+| PRXY-01 | Phase 2 | Complete |
+| PRXY-02 | Phase 2 | Complete |
+| PRXY-03 | Phase 2 | Complete |
+| PRXY-04 | Phase 2 | Complete |
+| PRXY-05 | Phase 2 | Complete |
+| PRXY-06 | Phase 2 | Complete |
+| PRXY-07 | Phase 2 | Complete |
+| PRXY-08 | Phase 5 | Pending |
+| PRXY-09 | Phase 2 | Complete |
+| PRXY-10 | Phase 2 | Complete |
+| PRXY-11 | Phase 2 | Complete |
+| ENDP-01 | Phase 1 | Complete |
+| ENDP-02 | Phase 2 | Complete |
+| ENDP-03 | Phase 2 | Complete |
+| ENDP-04 | Phase 4 | Pending |
+| ADMN-01 | Phase 4 | Pending |
+| ADMN-02 | Phase 4 | Pending |
+| ADMN-03 | Phase 4 | Pending |
+| ADMN-04 | Phase 4 | Pending |
+| TSIN-01 | Phase 3 | Pending |
+| TSIN-02 | Phase 3 | Pending |
+| TSIN-03 | Phase 3 | Pending |
+| TSIN-04 | Phase 3 | Pending |
+| TSIN-05 | Phase 3 | Pending |
+| TSIN-06 | Phase 3 | Pending |
+| OPER-01 | Phase 5 | Pending |
+| OPER-02 | Phase 1 | Complete |
+| OPER-03 | Phase 1 | Complete |
+| OPER-04 | Phase 5 | Pending |
+| OPER-05 | Phase 1 | Complete |
+
+**Coverage:**
+- v1 requirements: 30 total
+- Mapped to phases: 30
+- Unmapped: 0
+
+---
+*Requirements defined: 2026-03-01*
+*Last updated: 2026-03-01 after plan 01-01 completion — OPER-02, OPER-05, ENDP-01 marked complete*

.planning/ROADMAP.md

@@ -0,0 +1,103 @@
+# Roadmap: NearBlocks Block Proxy
+
+## Overview
+
+Five phases deliver a Rust-based block data proxy that replaces hosted S3 as the central data source
+for all NEAR blockchain indexers. Phase 1 establishes a compilable, deployable service shell.
+Phase 2 builds the core proxy logic — singleflight deduplication, filesystem cache, and upstream
+fallback chain. Phase 3 redirects all TypeScript indexer packages at the proxy, validating format
+compatibility end-to-end. Phase 4 adds the admin dashboard, Prometheus metrics, and runtime
+upstream toggling. Phase 5 hardens the system with circuit breakers, graceful shutdown, and
+startup cache pre-scan.
+
+## Phases
+
+**Phase Numbering:**
+- Integer phases (1, 2, 3): Planned milestone work
+- Decimal phases (2.1, 2.2): Urgent insertions (marked with INSERTED)
+
+Decimal phases appear between their surrounding integers in numeric order.
+
+- [x] **Phase 1: Foundation** - Compilable axum skeleton with Docker, health check, and structured logging (completed 2026-03-01)
+- [x] **Phase 2: Core Proxy** - Block serving endpoint with singleflight dedup, filesystem cache, and upstream fallback chain (completed 2026-03-01)
+- [ ] **Phase 3: TypeScript Integration** - nb-neardata and nb-blocks packages updated to route through proxy; zero indexer code changes
+- [ ] **Phase 4: Observability and Admin** - Admin dashboard, Prometheus metrics, runtime upstream toggle, and stats endpoint
+- [ ] **Phase 5: Hardening and Operations** - Circuit breaker, graceful shutdown, startup cache pre-scan
+
+## Phase Details
+
+### Phase 1: Foundation
+**Goal**: A deployable Rust service skeleton is running and reachable in Docker with health probes passing
+**Depends on**: Nothing (first phase)
+**Requirements**: OPER-02, OPER-03, OPER-05, ENDP-01
+**Success Criteria** (what must be TRUE):
+  1. `GET /healthz` returns 200 from the running container
+  2. Docker compose brings the proxy up and it is reachable from other containers on the network
+  3. Structured JSON logs are visible in container output for every request
+  4. Readiness probe blocks traffic until service initialization is complete (returns non-200 until ready)
+  5. All env-var config values load at startup and log their effective values
+**Plans**: 2 plans
+  - [x] 01-01-PLAN.md — Rust service skeleton with config, logging, state, and health/readiness endpoints
+  - [x] 01-02-PLAN.md — Docker deployment with cargo-chef Dockerfile and mainnet/testnet compose files
+
+### Phase 2: Core Proxy
+**Goal**: Indexers can request any block by height and receive correct JSON, with concurrent deduplication, local caching, and transparent upstream fallback
+**Depends on**: Phase 1
+**Requirements**: PRXY-01, PRXY-02, PRXY-03, PRXY-04, PRXY-05, PRXY-06, PRXY-07, PRXY-09, PRXY-10, PRXY-11, ENDP-02, ENDP-03
+**Success Criteria** (what must be TRUE):
+  1. `GET /block/:height` returns valid NEAR block JSON; 10 simultaneous requests for the same height produce exactly 1 upstream fetch
+  2. A block fetched once is served from local filesystem cache on subsequent requests (observable via `X-Upstream-Source: cache` response header)
+  3. Disabling S3 via env var causes requests to fall through to fastnear without error; disabling fastnear causes fallback to NEAR Lake
+  4. `GET /last_block/final` returns the current chain tip in real time (no cached value)
+  5. A single upstream source timing out does not stall the request beyond the per-source timeout window; the next source in the chain is tried
+**Plans**: 4 plans
+  - [ ] 02-01-PLAN.md — Dependencies, Config extension, AppError, and AppState foundation
+  - [ ] 02-02-PLAN.md — Filesystem cache with zstd compression, atomic writes, and background eviction
+  - [ ] 02-03-PLAN.md — Upstream fetcher modules (S3/MinIO, fastnear, NEAR Lake with shard assembly)
+  - [ ] 02-04-PLAN.md — Singleflight dedup, fallback chain orchestrator, and route handlers
+
+### Phase 3: TypeScript Integration
+**Goal**: All TypeScript indexer packages fetch blocks exclusively from the proxy; at least one indexer (indexer-events) runs against the proxy for 500+ consecutive blocks with zero deserialization errors
+**Depends on**: Phase 2
+**Requirements**: TSIN-01, TSIN-02, TSIN-03, TSIN-04, TSIN-05, TSIN-06
+**Success Criteria** (what must be TRUE):
+  1. Setting `BLOCK_PROXY_URL` in the environment redirects nb-neardata and nb-blocks to the proxy without any changes to indexer app code
+  2. indexer-events processes 500+ consecutive blocks through the proxy with no errors or deserialization failures
+  3. The canonical block JSON format is documented and an integration test asserts the proxy response matches what nb-neardata/nb-blocks expect
+  4. Removing direct S3/fastnear credentials from an indexer environment does not cause errors — the proxy is the only required endpoint
+**Plans**: TBD
+
+### Phase 4: Observability and Admin
+**Goal**: Operators can view proxy health and cache stats at a glance, toggle upstream sources at runtime without a restart, and Prometheus metrics are being scraped
+**Depends on**: Phase 3
+**Requirements**: ADMN-01, ADMN-02, ADMN-03, ADMN-04, ENDP-04
+**Success Criteria** (what must be TRUE):
+  1. The web admin dashboard shows current upstream source status (enabled/disabled) and cache hit rate without requiring any CLI access
+  2. `POST /admin/upstreams/s3/disable` disables S3 and subsequent block requests skip it immediately, without a service restart
+  3. `GET /metrics` returns Prometheus-formatted counters including request count, cache hit/miss, dedup saves, and per-upstream latency
+  4. `GET /stats` returns a JSON snapshot of cache hit rate, dedup saves, cache size, and upstream latencies
+  5. Admin endpoints are not reachable on the same port/path as data-plane endpoints
+**Plans**: TBD
+
+### Phase 5: Hardening and Operations
+**Goal**: The proxy handles upstream failures automatically, shuts down cleanly under load, and restarts without a cold-start thundering herd from an empty cache
+**Depends on**: Phase 4
+**Requirements**: PRXY-08, OPER-01, OPER-04
+**Success Criteria** (what must be TRUE):
+  1. An upstream that fails 3 consecutive times is auto-disabled for a cooldown period; it re-enables automatically after cooldown without operator intervention
+  2. Sending SIGTERM to the proxy allows in-flight block requests to complete before the process exits (no 50x errors during graceful shutdown)
+  3. Restarting the proxy with an existing cache directory repopulates the in-memory cache index at startup, serving cache hits immediately rather than treating all blocks as misses
+**Plans**: TBD
+
+## Progress
+
+**Execution Order:**
+Phases execute in numeric order: 1 -> 2 -> 3 -> 4 -> 5
+
+| Phase | Plans Complete | Status | Completed |
+|-------|----------------|--------|-----------|
+| 1. Foundation | 2/2 | Complete   | 2026-03-01 |
+| 2. Core Proxy | 4/4 | Complete   | 2026-03-01 |
+| 3. TypeScript Integration | 0/? | Not started | - |
+| 4. Observability and Admin | 0/? | Not started | - |
+| 5. Hardening and Operations | 0/? | Not started | - |

.planning/STATE.md

@@ -0,0 +1,103 @@
+---
+gsd_state_version: 1.0
+milestone: v1.0
+milestone_name: milestone
+status: unknown
+last_updated: "2026-03-01T10:36:23.434Z"
+progress:
+  total_phases: 2
+  completed_phases: 2
+  total_plans: 6
+  completed_plans: 6
+---
+
+# Project State
+
+## Project Reference
+
+See: .planning/PROJECT.md (updated 2026-03-01)
+
+**Core value:** All indexers can reliably and efficiently fetch block data from a single proxy service with full fault tolerance — if any upstream source fails, the system transparently falls back to alternatives without indexer downtime.
+**Current focus:** Phase 2 — Core Proxy
+
+## Current Position
+
+Phase: 2 of 5 (Core Proxy)
+Plan: 4 of 4 in current phase (COMPLETE — Phase 2 done)
+Status: Phase 2 complete
+Last activity: 2026-03-01 — Completed Plan 02-04: Wire upstream clients, fallback chain orchestrator, block/last_block route handlers; Docker verified with cache, fastnear, structured logs
+
+Progress: [██████░░░░] 60%
+
+## Performance Metrics
+
+**Velocity:**
+- Total plans completed: 5
+- Average duration: 4.2 min
+- Total execution time: 0.4 hours
+
+**By Phase:**
+
+| Phase | Plans | Total | Avg/Plan |
+|-------|-------|-------|----------|
+| 1. Foundation | 2 | 11 min | 5.5 min |
+| 2. Core Proxy | 4 | 47 min | 11.8 min |
+
+**Recent Trend:**
+- Last 5 plans: 01-02 (5 min), 02-01 (5 min), 02-02 (3 min), 02-03 (3 min), 02-04 (36 min)
+- Trend: Plan 04 longer due to Docker verification + 2 runtime bug fixes
+
+*Updated after each plan completion*
+
+## Accumulated Context
+
+### Decisions
+
+Decisions are logged in PROJECT.md Key Decisions table.
+Recent decisions affecting current work:
+
+- [Pre-phase]: Rust for proxy service — high-concurrency in-memory locking, no GC pauses
+- [Pre-phase]: async_singleflight over manual DashMap — DashMap references held across .await cause deadlocks
+- [Pre-phase]: Filesystem cache over database — simple, bounded, no extra infra
+- [Pre-phase]: Fallback chain local -> S3 -> fastnear -> near lake — ordered by latency/reliability
+- [Pre-phase]: Package-level changes only — indexers require zero app code changes
+- [01-01]: PinoFormat custom FormatEvent — numeric level integers (not strings) to match pino consumers
+- [01-01]: JsonVisitor with serde_json::Map — proper typed field collection (not all-string Debug output)
+- [01-01]: set_ready() called after TcpListener::bind() succeeds, never before — prevents premature traffic
+- [01-01]: Cargo.lock committed — binary crate convention for reproducible builds
+- [Phase 01-02]: cargo-chef three-stage build: planner recipe.json -> builder cook+compile -> debian:bookworm-slim runtime
+- [Phase 01-02]: debian:bookworm-slim runtime base (not alpine) — Rust glibc linking; musl cross-compilation not needed
+- [Phase 01-02]: curl installed in runtime image for Docker healthcheck CMD — matches monorepo pattern
+- [Phase 01-02]: Port 3015 (mainnet) and 3016 (testnet) — avoids conflicts with existing services on 3003-3013
+- [Phase 02-core-proxy]: Arc<Config> in AppState: config is immutable after startup, Arc enables cheap Clone without data copy
+- [Phase 02-core-proxy]: AppError pattern: blanket From<E: Into<anyhow::Error>> so ? operator works in any axum handler automatically
+- [Phase 02-core-proxy]: BlockResult = (Bytes, &'static str): decouples block data from source label for X-Upstream-Source header injection
+- [02-02]: block_height_to_path sharding: dir1=first 6 digits, dir2=next 3 digits — max 1000 files per leaf, handles 200M+ blocks
+- [02-02]: Temp file for atomic write must be in same directory as target — cross-filesystem rename is not atomic
+- [02-02]: write_background is NOT async — spawns and returns immediately so cache writes never add latency to response path
+- [02-02]: Historical blocks (outside recent_block_window of tip) are never evicted — only recent blocks with expired TTL
+- [02-03]: tokio::time::timeout() wraps entire S3/NEAR Lake async block — AWS SDK has no per-request timeout API
+- [02-03]: FastnearUpstream uses per-request .timeout() on reqwest RequestBuilder, not client-level timeout
+- [02-03]: NearLakeUpstream::new() is async (aws_config::load_defaults is async) — Plan 04 must await constructor
+- [02-03]: get_object_owned(String) pattern: owned key avoids Rust E0515 lifetime issue in try_join_all futures
+- [02-03]: NEAR Lake shard count defaults to 4 when chunks_included field missing (NEAR mainnet has 4 shards)
+- [Phase 02-04]: async_singleflight DefaultGroup::work() returns Result<T, Option<E>>: leader gets full errors, followers get Err(None) — handled with synthetic UpstreamError
+- [Phase 02-04]: axum 0.8 path syntax requires {param} not :param — runtime panic not compile error, Docker verified
+- [Phase 02-04]: cargo-chef:latest-rust-1-bookworm pinned for builder/runtime glibc compatibility (trixie=2.41 vs bookworm=2.36)
+
+### Pending Todos
+
+None yet.
+
+### Blockers/Concerns
+
+- [Phase 2]: Upstream endpoint URLs for fastnear and NEAR Lake must be confirmed against live endpoints before implementing upstream fetcher
+- [Phase 2]: Cache directory sharding strategy (subdirectory by height prefix) must be decided before filesystem write path is implemented — retrofitting is painful
+- [Phase 2]: Disk usage cap / eviction trigger parameter must be defined before eviction task is implemented
+- [Phase 3]: Canonical block JSON format (unified schema across S3 split format and fastnear unified format) must be formally specified before integration tests can be written
+
+## Session Continuity
+
+Last session: 2026-03-01
+Stopped at: Completed 02-04-PLAN.md — Wire upstream clients, fallback chain orchestrator, block/last_block route handlers, Docker verified; Phase 2 complete
+Resume file: None