Refactor Flight ingress into server layer and harden lifecycle (#214)

* controlplane: fix flight ingress lifecycle and config

* more agents instructions

* Fix flight session reaping for active handles

Keep auth sessions alive while query/prepared handles are still active so handle TTL remains effective. Add tests for reaper behavior and file/env config precedence coverage for flight ingress duration settings.

* Finish flight ingress refactor plan

Author: bill-ph

AGENTS.md

@@ -1,3 +1,11 @@
 # AGENTS
 
+## Work Style
+- Prefer small, incremental PRs aligned to deliverables.
+- TDD with red-green cycle is required: write/adjust tests first and run them to confirm they fail (red), then implement the minimum code to make them pass (green).
+- Keep configs and flags explicit; document defaults in README.
+- Provide runbooks for local dev and failure recovery.
+- When following a plan file, mark tasks upon completion
+- When creating new branch from origin/main, do not track origin/main. 
 - Always run lint before committing.
+- Parallelize using subagents when possible.

README.md

@@ -63,6 +63,10 @@ Duckgres exposes Prometheus metrics on `:9090/metrics`. The metrics port is curr
 | `duckgres_auth_failures_total` | Counter | Total number of authentication failures |
 | `duckgres_rate_limit_rejects_total` | Counter | Total number of connections rejected due to rate limiting |
 | `duckgres_rate_limited_ips` | Gauge | Number of currently rate-limited IP addresses |
+| `duckgres_flight_auth_sessions_active` | Gauge | Number of active Flight auth sessions on the control plane |
+| `duckgres_control_plane_workers_active` | Gauge | Number of active control-plane worker processes |
+| `duckgres_flight_sessions_reaped_total{trigger}` | Counter | Number of Flight auth sessions reaped (`trigger=periodic|forced`) |
+| `duckgres_flight_max_workers_retry_total{outcome}` | Counter | Max-worker retry outcomes for Flight session creation (`outcome=attempted|succeeded|failed`) |
 
 ### Testing Metrics
 
@@ -128,6 +132,9 @@ Create a `duckgres.yaml` file (see `duckgres.example.yaml` for a complete exampl
 host: "0.0.0.0"
 port: 5432
 flight_port: 8815
+flight_session_idle_ttl: "10m"
+flight_session_reap_interval: "1m"
+flight_handle_idle_ttl: "15m"
 data_dir: "./data"
 
 tls:
@@ -166,6 +173,9 @@ Run with config file:
 | `DUCKGRES_HOST` | Host to bind to | `0.0.0.0` |
 | `DUCKGRES_PORT` | Port to listen on | `5432` |
 | `DUCKGRES_FLIGHT_PORT` | Control-plane Flight SQL ingress port (`0` disables) | `0` |
+| `DUCKGRES_FLIGHT_SESSION_IDLE_TTL` | Flight auth session idle TTL | `10m` |
+| `DUCKGRES_FLIGHT_SESSION_REAP_INTERVAL` | Flight auth session reap interval | `1m` |
+| `DUCKGRES_FLIGHT_HANDLE_IDLE_TTL` | Flight prepared/query handle idle TTL | `15m` |
 | `DUCKGRES_DATA_DIR` | Directory for DuckDB files | `./data` |
 | `DUCKGRES_CERT` | TLS certificate file | `./certs/server.crt` |
 | `DUCKGRES_KEY` | TLS private key file | `./certs/server.key` |
@@ -208,6 +218,9 @@ Options:
   -host string             Host to bind to
   -port int                Port to listen on
   -flight-port int         Control-plane Arrow Flight SQL ingress port, 0=disabled
+  -flight-session-idle-ttl string      Flight auth session idle TTL (e.g., '10m')
+  -flight-session-reap-interval string Flight auth session reap interval (e.g., '1m')
+  -flight-handle-idle-ttl string       Flight prepared/query handle idle TTL (e.g., '15m')
   -data-dir string         Directory for DuckDB files
   -cert string             TLS certificate file
   -key string              TLS private key file

config_resolution.go

@@ -10,23 +10,26 @@ import (
 type configCLIInputs struct {
 	Set map[string]bool
 
-	Host             string
-	Port             int
-	FlightPort       int
-	DataDir          string
-	CertFile         string
-	KeyFile          string
-	ProcessIsolation bool
-	IdleTimeout      string
-	MemoryLimit      string
-	Threads          int
-	MemoryBudget     string
-	MemoryRebalance  bool
-	MaxWorkers       int
-	MinWorkers       int
-	ACMEDomain       string
-	ACMEEmail        string
-	ACMECacheDir     string
+	Host                      string
+	Port                      int
+	FlightPort                int
+	FlightSessionIdleTTL      string
+	FlightSessionReapInterval string
+	FlightHandleIdleTTL       string
+	DataDir                   string
+	CertFile                  string
+	KeyFile                   string
+	ProcessIsolation          bool
+	IdleTimeout               string
+	MemoryLimit               string
+	Threads                   int
+	MemoryBudget              string
+	MemoryRebalance           bool
+	MaxWorkers                int
+	MinWorkers                int
+	ACMEDomain                string
+	ACMEEmail                 string
+	ACMECacheDir              string
 }
 
 type resolvedConfig struct {
@@ -35,12 +38,15 @@ type resolvedConfig struct {
 
 func defaultServerConfig() server.Config {
 	return server.Config{
-		Host:        "0.0.0.0",
-		Port:        5432,
-		FlightPort:  0,
-		DataDir:     "./data",
-		TLSCertFile: "./certs/server.crt",
-		TLSKeyFile:  "./certs/server.key",
+		Host:                      "0.0.0.0",
+		Port:                      5432,
+		FlightPort:                0,
+		FlightSessionIdleTTL:      10 * time.Minute,
+		FlightSessionReapInterval: 1 * time.Minute,
+		FlightHandleIdleTTL:       15 * time.Minute,
+		DataDir:                   "./data",
+		TLSCertFile:               "./certs/server.crt",
+		TLSKeyFile:                "./certs/server.key",
 		Users: map[string]string{
 			"postgres": "postgres",
 		},
@@ -71,6 +77,27 @@ func resolveEffectiveConfig(fileCfg *FileConfig, cli configCLIInputs, getenv fun
 		if fileCfg.FlightPort != 0 {
 			cfg.FlightPort = fileCfg.FlightPort
 		}
+		if fileCfg.FlightSessionIdleTTL != "" {
+			if d, err := time.ParseDuration(fileCfg.FlightSessionIdleTTL); err == nil {
+				cfg.FlightSessionIdleTTL = d
+			} else {
+				warn("Invalid flight_session_idle_ttl duration: " + err.Error())
+			}
+		}
+		if fileCfg.FlightSessionReapInterval != "" {
+			if d, err := time.ParseDuration(fileCfg.FlightSessionReapInterval); err == nil {
+				cfg.FlightSessionReapInterval = d
+			} else {
+				warn("Invalid flight_session_reap_interval duration: " + err.Error())
+			}
+		}
+		if fileCfg.FlightHandleIdleTTL != "" {
+			if d, err := time.ParseDuration(fileCfg.FlightHandleIdleTTL); err == nil {
+				cfg.FlightHandleIdleTTL = d
+			} else {
+				warn("Invalid flight_handle_idle_ttl duration: " + err.Error())
+			}
+		}
 		if fileCfg.DataDir != "" {
 			cfg.DataDir = fileCfg.DataDir
 		}
@@ -203,6 +230,27 @@ func resolveEffectiveConfig(fileCfg *FileConfig, cli configCLIInputs, getenv fun
 			warn("Invalid DUCKGRES_FLIGHT_PORT: " + err.Error())
 		}
 	}
+	if v := getenv("DUCKGRES_FLIGHT_SESSION_IDLE_TTL"); v != "" {
+		if d, err := time.ParseDuration(v); err == nil {
+			cfg.FlightSessionIdleTTL = d
+		} else {
+			warn("Invalid DUCKGRES_FLIGHT_SESSION_IDLE_TTL duration: " + err.Error())
+		}
+	}
+	if v := getenv("DUCKGRES_FLIGHT_SESSION_REAP_INTERVAL"); v != "" {
+		if d, err := time.ParseDuration(v); err == nil {
+			cfg.FlightSessionReapInterval = d
+		} else {
+			warn("Invalid DUCKGRES_FLIGHT_SESSION_REAP_INTERVAL duration: " + err.Error())
+		}
+	}
+	if v := getenv("DUCKGRES_FLIGHT_HANDLE_IDLE_TTL"); v != "" {
+		if d, err := time.ParseDuration(v); err == nil {
+			cfg.FlightHandleIdleTTL = d
+		} else {
+			warn("Invalid DUCKGRES_FLIGHT_HANDLE_IDLE_TTL duration: " + err.Error())
+		}
+	}
 	if v := getenv("DUCKGRES_DATA_DIR"); v != "" {
 		cfg.DataDir = v
 	}
@@ -316,6 +364,27 @@ func resolveEffectiveConfig(fileCfg *FileConfig, cli configCLIInputs, getenv fun
 	if cli.Set["flight-port"] {
 		cfg.FlightPort = cli.FlightPort
 	}
+	if cli.Set["flight-session-idle-ttl"] {
+		if d, err := time.ParseDuration(cli.FlightSessionIdleTTL); err == nil {
+			cfg.FlightSessionIdleTTL = d
+		} else {
+			warn("Invalid --flight-session-idle-ttl duration: " + err.Error())
+		}
+	}
+	if cli.Set["flight-session-reap-interval"] {
+		if d, err := time.ParseDuration(cli.FlightSessionReapInterval); err == nil {
+			cfg.FlightSessionReapInterval = d
+		} else {
+			warn("Invalid --flight-session-reap-interval duration: " + err.Error())
+		}
+	}
+	if cli.Set["flight-handle-idle-ttl"] {
+		if d, err := time.ParseDuration(cli.FlightHandleIdleTTL); err == nil {
+			cfg.FlightHandleIdleTTL = d
+		} else {
+			warn("Invalid --flight-handle-idle-ttl duration: " + err.Error())
+		}
+	}
 	if cli.Set["data-dir"] {
 		cfg.DataDir = cli.DataDir
 	}

controlplane/control.go

@@ -170,7 +170,11 @@ func RunControlPlane(cfg ControlPlaneConfig) {
 	// It is intentionally started after pre-warm to avoid concurrent worker
 	// creation races between pre-warm and first external Flight requests.
 	if cfg.FlightPort > 0 {
-		flightIngress, err := NewFlightIngress(cfg.Host, cfg.FlightPort, tlsCfg, cfg.Users, sessions)
+		flightIngress, err := NewFlightIngress(cfg.Host, cfg.FlightPort, tlsCfg, cfg.Users, sessions, FlightIngressConfig{
+			SessionIdleTTL:  cfg.FlightSessionIdleTTL,
+			SessionReapTick: cfg.FlightSessionReapInterval,
+			HandleIdleTTL:   cfg.FlightHandleIdleTTL,
+		})
 		if err != nil {
 			slog.Error("Failed to initialize Flight ingress.", "error", err)
 			os.Exit(1)
@@ -731,7 +735,11 @@ func (cp *ControlPlane) recoverFlightIngressAfterFailedReload() {
 		return
 	}
 
-	flightIngress, err := NewFlightIngress(cp.cfg.Host, cp.cfg.FlightPort, cp.tlsConfig, cp.cfg.Users, cp.sessions)
+	flightIngress, err := NewFlightIngress(cp.cfg.Host, cp.cfg.FlightPort, cp.tlsConfig, cp.cfg.Users, cp.sessions, FlightIngressConfig{
+		SessionIdleTTL:  cp.cfg.FlightSessionIdleTTL,
+		SessionReapTick: cp.cfg.FlightSessionReapInterval,
+		HandleIdleTTL:   cp.cfg.FlightHandleIdleTTL,
+	})
 	if err != nil {
 		slog.Error("Failed to recover Flight ingress after reload failure.", "error", err)
 		return