[2/7] Telemetry Infrastructure: CircuitBreaker and FeatureFlagCache (#325)

* Add telemetry infrastructure: CircuitBreaker and FeatureFlagCache

This is part 2 of 7 in the telemetry implementation stack.

Components:
- CircuitBreaker: Per-host endpoint protection with state management
- FeatureFlagCache: Per-host feature flag caching with reference counting
- CircuitBreakerRegistry: Manages circuit breakers per host

Circuit Breaker:
- States: CLOSED (normal), OPEN (failing), HALF_OPEN (testing recovery)
- Default: 5 failures trigger OPEN, 60s timeout, 2 successes to CLOSE
- Per-host isolation prevents cascade failures
- All state transitions logged at debug level

Feature Flag Cache:
- Per-host caching with 15-minute TTL
- Reference counting for connection lifecycle management
- Automatic cache expiration and refetch
- Context removed when refCount reaches zero

Testing:
- 32 comprehensive unit tests for CircuitBreaker
- 29 comprehensive unit tests for FeatureFlagCache
- 100% function coverage, >80% line/branch coverage
- CircuitBreakerStub for testing other components

Dependencies:
- Builds on [1/7] Types and Exception Classifier

* Add authentication support for REST API calls

Implements getAuthHeaders() method for authenticated REST API requests:
- Added getAuthHeaders() to IClientContext interface
- Implemented in DBSQLClient using authProvider.authenticate()
- Updated FeatureFlagCache to fetch from connector-service API with auth
- Added driver version support for version-specific feature flags
- Replaced placeholder implementation with actual REST API calls

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* Fix feature flag and telemetry export endpoints

- Change feature flag endpoint to use NODEJS client type
- Fix telemetry endpoints to /telemetry-ext and /telemetry-unauth
- Update payload to match proto with system_configuration
- Add shared buildUrl utility for protocol handling

* Match JDBC telemetry payload format

- Change payload structure to match JDBC: uploadTime, items, protoLogs
- protoLogs contains JSON-stringified TelemetryFrontendLog objects
- Remove workspace_id (JDBC doesn't populate it)
- Remove debug logs added during testing

* Fix lint errors

- Fix import order in FeatureFlagCache
- Replace require() with import for driverVersion
- Fix variable shadowing
- Disable prefer-default-export for urlUtils

* Add missing getAuthHeaders method to ClientContextStub

Fix TypeScript compilation error by implementing getAuthHeaders
method required by IClientContext interface.

* Fix prettier formatting

* Add DRIVER_NAME constant for nodejs-sql-driver

* Add missing telemetry fields to match JDBC

Added osArch, runtimeVendor, localeName, charSetEncoding, and
processName fields to DriverConfiguration to match JDBC implementation.

* Fix TypeScript compilation: add missing fields to system_configuration interface

* Fix telemetry PR review comments from #325

Three fixes addressing review feedback:

1. Fix documentation typo (sreekanth-db comment)
   - DatabricksTelemetryExporter.ts:94
   - Changed "TelemetryFrontendLog" to "DatabricksTelemetryLog"

2. Add proxy support (jadewang-db comment)
   - DatabricksTelemetryExporter.ts:exportInternal()
   - Get HTTP agent from connection provider
   - Pass agent to fetch for proxy support
   - Follows same pattern as CloudFetchResultHandler and DBSQLSession
   - Supports http/https/socks proxies with authentication

3. Fix flush timer to prevent rate limiting (sreekanth-db comment)
   - MetricsAggregator.ts:flush()
   - Reset timer after manual flushes (batch size, terminal errors)
   - Ensures consistent 30s spacing between exports
   - Prevents rapid successive flushes (e.g., batch at 25s, timer at 30s)

All changes follow existing driver patterns and maintain backward compatibility.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* Add proxy support to feature flag fetching

Feature flag fetching was also missing proxy support like telemetry
exporter was. Applied the same fix:

- Get HTTP agent from connection provider
- Pass agent to fetch call for proxy support
- Follows same pattern as CloudFetchResultHandler and DBSQLSession
- Supports http/https/socks proxies with authentication

This completes proxy support for all HTTP operations in the telemetry
system (both telemetry export and feature flag fetching).

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* Address PR #325 review feedback

- Fix CircuitBreaker HALF_OPEN: any failure now immediately reopens the
  circuit instead of accumulating to failureThreshold, aligning with
  Resilience4j behavior used in the JDBC driver
- Add maxPendingMetrics bound to MetricsAggregator (default 500) to
  prevent unbounded buffer growth when exports keep failing
- Inline buildUrl into DatabricksTelemetryExporter and FeatureFlagCache;
  remove urlUtils.ts (single-use utility)
- Add missing unit tests for DatabricksTelemetryExporter, MetricsAggregator,
  and TelemetryEventEmitter (HTTP calls, retry logic, batching, flush
  timers, event routing)

Co-authored-by: Isaac

* refactor: replace node-fetch injection with sendRequest via connection provider

Address PR #325 review feedback: instead of accepting a `fetchFunction`
constructor parameter, `DatabricksTelemetryExporter` now delegates HTTP
calls to a private `sendRequest()` method that retrieves the agent from
`IConnectionProvider.getAgent()` — the same pattern used by
`CloudFetchResultHandler` and `DBSQLSession`. This keeps proxy support
intact while removing the direct `node-fetch` coupling from the public API.

Tests updated to stub `sendRequest` on the instance via sinon instead of
injecting a fetch function through the constructor.

Co-authored-by: Isaac

* style: fix prettier formatting in telemetry files

Co-authored-by: Isaac

* fix: address telemetry code review issues

- ExceptionClassifier: classify ECONNREFUSED, ENOTFOUND, EHOSTUNREACH,
  ECONNRESET as retryable — these are transient network failures that
  were previously falling through as non-retryable and silently dropped
- DatabricksTelemetryExporter: read driver version from lib/version.ts
  instead of hardcoded '1.0.0'; use uuid.v4() instead of hand-rolled
  UUID generation which had incorrect version/variant bits

Co-authored-by: Isaac

* fix: address code review findings for telemetry infrastructure

- Add workspace_id to telemetry log serialization (was silently dropped)
- Fix socket leak: consume HTTP response body on success and error paths
- Add 10s timeout to all telemetry/feature-flag fetch calls
- Fix thundering herd: deduplicate concurrent feature flag fetches
- Add Promise.resolve().catch() to flush() to prevent unhandled rejections
- Add HALF_OPEN inflight guard to CircuitBreaker (limit to 1 probe)
- Rename TelemetryEventType.ERROR to 'telemetry.error' (avoid EventEmitter collision)
- Extract shared buildTelemetryUrl utility enforcing HTTPS
- Clamp server-provided TTL to [60, 3600] seconds
- Skip export silently when auth headers are missing
- Log circuit breaker OPEN transitions at warn level
- Fix CircuitBreakerStub HALF_OPEN behavior to match real implementation
- Snapshot Map keys before iteration in close()
- Remove unnecessary 'as any' cast and '| string' type widening

Co-authored-by: Isaac

* style: fix prettier formatting in CircuitBreaker.ts

Co-authored-by: Isaac

* fix: resolve ESLint errors in telemetry modules

Use dot notation for Authorization header access and convert
buildTelemetryUrl to default export to satisfy lint rules.

Co-authored-by: Isaac

* fix: harden telemetry security + address code-review-squad findings

Security (Critical):
- buildTelemetryUrl now rejects protocol-relative //prefix, zero-width
  and BOM codepoints, CR/LF/tab, userinfo, path/query/fragment, and
  loopback/RFC1918/IMDS/localhost/GCP+Azure-metadata hosts. Defeats
  the SSRF-shaped Bearer-token exfil vector an attacker-influenced
  host (env var, tampered config) could trigger.
- redactSensitive now covers real Databricks secret shapes: dapi/
  dkea/dskea/dsapi/dose PATs, JWT triplets, JSON-quoted access_token/
  client_secret/refresh_token/id_token/password/api_key, Basic auth,
  URL-embedded credentials. Re-applies after truncation.
- Unauthenticated export now omits system_configuration entirely,
  strips userAgentEntry from User-Agent, and blanks stack_trace, so
  on-path observers cannot re-identify clients on the unauth path.
- sanitizeProcessName drops argv tail (handles node --db-password=X
  app.js shape).

Correctness (High):
- MetricsAggregator gained a closed flag; close() no longer races
  with batch-triggered flushes that would resurrect the interval.
- evictExpiredStatements now runs from the periodic flush timer so
  idle clients actually reclaim orphan statement entries.
- Evicted statements emit their buffered error events as standalone
  metrics before being dropped — first-failure signal survives.
- Batch-size and terminal-error flush paths pass resetTimer=false so
  sustained overflow cant starve the periodic tail drain.
- TelemetryTerminalError introduced for host-validation refusals,
  separating that taxonomy from AuthenticationError.
- authMissingWarned re-arms after a successful export so operators
  see a fresh signal the next time auth breaks.
- Retry log denominator uses totalAttempts (not maxRetries); negative
  maxRetries falls back to default; retry log includes the redacted
  failing error so ops can see whats being retried.

API / hygiene:
- CircuitBreakerOpenError, CIRCUIT_BREAKER_OPEN_CODE, and
  TelemetryTerminalError re-exported from lib/index.ts so consumers
  can instanceof-check.
- DBSQLClient.getAuthProvider marked @internal.
- DEFAULT_TELEMETRY_CONFIG / DEFAULT_CIRCUIT_BREAKER_CONFIG frozen.
- pushBoundedError uses if instead of while.
- CIRCUIT_BREAKER_OPEN_CODE typed as const.
- Default export on buildTelemetryUrl removed (no callers).
- Dropped wasted new Error allocation in processErrorEvent.

Tests:
- New telemetryUtils.test.ts (53 tests): URL-rejection table covering
  every known bypass, redactor shapes, sanitize process name.
- DatabricksTelemetryExporter: 13 new tests covering Authorization
  on-the-wire, authMissingWarned idempotency + re-arm, unauth
  correlation/system_configuration/userAgentEntry/stack_trace
  stripping, malformed-host drop, loopback drop, dispose idempotency,
  errorStack to redacted stack_trace flow.
- MetricsAggregator: 2 new tests for async close() awaiting the
  exporter promise (prevents process.exit truncation) and no timer
  resurrection after close.

700 unit tests pass, ESLint clean.

Co-authored-by: Isaac
Signed-off-by: samikshya-chand_data <samikshya.chand@databricks.com>

* test: document synthetic-JWT source pattern in redactSensitive test

Clarify that the JWT string in the redactor test is intentionally fake
and is built from parts so the assembled token never appears as a
source literal (to satisfy pre-commit secret scanners).

Co-authored-by: Isaac
Signed-off-by: samikshya-chand_data <samikshya.chand@databricks.com>

* fix: stringify sinon.Call.args[1] before regex test

CI's TypeScript was stricter than the local version and rejected the
untyped `c.args[1]` passed to `RegExp.test()`. Wrap in `String(...)`
so the tests compile on Node 14/16/18/20 runners.

Co-authored-by: Isaac
Signed-off-by: samikshya-chand_data <samikshya.chand@databricks.com>

* fix: address Jade's review comments

- ExceptionClassifier: remove ENOTFOUND from retryable (DNS "not found"
  is deterministic — retrying just pushes load at the resolver without
  any expectation of success). Add ETIMEDOUT and EAI_AGAIN per Jade's
  follow-up list.
- Extract shared `normalizeHeaders` + `hasAuthorization` helpers into
  telemetryUtils; DatabricksTelemetryExporter and FeatureFlagCache both
  use them — eliminates the ~40-line duplication Jade flagged.
- normalizeHeaders now guards `typeof raw === 'object'` before
  Object.entries, preventing Object.entries('some-string') index entries
  from leaking in as headers (Jade: "should we do type check here?").
- FeatureFlagCache.fetchFeatureFlag: add single-retry on transient errors
  (classified via ExceptionClassifier). Without a retry, one DNS hiccup
  would disable telemetry for the full 15-minute cache TTL; one retry
  gives an ephemeral failure a second chance without pushing sustained
  load at a broken endpoint.
- Drop the private hasAuthorization/normalizeHeaders on the exporter;
  drop the inlined branching in FFC getAuthHeaders.
- Update ExceptionClassifier tests: invert ENOTFOUND expectation with
  a comment explaining why; add cases for ETIMEDOUT and EAI_AGAIN.

702 unit tests pass, ESLint clean.

Co-authored-by: Isaac
Signed-off-by: samikshya-chand_data <samikshya.chand@databricks.com>

---------

Signed-off-by: samikshya-chand_data <samikshya.chand@databricks.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: samikshya-db

lib/DBSQLClient.ts

@@ -238,6 +238,12 @@ export default class DBSQLClient extends EventEmitter implements IDBSQLClient, I
       this.config.enableMetricViewMetadata = options.enableMetricViewMetadata;
     }
 
+    // Persist userAgentEntry so telemetry and feature-flag call sites reuse
+    // the same value as the primary Thrift connection's User-Agent.
+    if (options.userAgentEntry !== undefined) {
+      this.config.userAgentEntry = options.userAgentEntry;
+    }
+
     this.authProvider = this.createAuthProvider(options, authProvider);
 
     this.connectionProvider = this.createConnectionProvider(options);
@@ -352,4 +358,15 @@ export default class DBSQLClient extends EventEmitter implements IDBSQLClient, I
   public async getDriver(): Promise<IDriver> {
     return this.driver;
   }
+
+  /**
+   * Returns the authentication provider associated with this client, if any.
+   * Intended for internal telemetry/feature-flag call sites that need to
+   * obtain auth headers directly without routing through `IClientContext`.
+   *
+   * @internal Not part of the public API. May change without notice.
+   */
+  public getAuthProvider(): IAuthentication | undefined {
+    return this.authProvider;
+  }
 }

lib/contracts/IClientContext.ts

@@ -28,9 +28,16 @@ export interface ClientConfig {
   telemetryBatchSize?: number;
   telemetryFlushIntervalMs?: number;
   telemetryMaxRetries?: number;
+  telemetryBackoffBaseMs?: number;
+  telemetryBackoffMaxMs?: number;
+  telemetryBackoffJitterMs?: number;
   telemetryAuthenticatedExport?: boolean;
   telemetryCircuitBreakerThreshold?: number;
   telemetryCircuitBreakerTimeout?: number;
+  telemetryMaxPendingMetrics?: number;
+  telemetryMaxErrorsPerStatement?: number;
+  telemetryStatementTtlMs?: number;
+  userAgentEntry?: string;
 }
 
 export default interface IClientContext {

lib/index.ts

@@ -23,6 +23,11 @@ import { LogLevel } from './contracts/IDBSQLLogger';
 // Re-export types for TypeScript users
 export type { default as ITokenProvider } from './connection/auth/tokenProvider/ITokenProvider';
 
+// Re-export telemetry error classes so consumers can instanceof-check rather
+// than string-matching error messages.
+export { CircuitBreakerOpenError, CIRCUIT_BREAKER_OPEN_CODE } from './telemetry/CircuitBreaker';
+export { TelemetryTerminalError } from './telemetry/DatabricksTelemetryExporter';
+
 export const auth = {
   PlainHttpAuthentication,
   // Token provider classes for custom authentication

lib/telemetry/CircuitBreaker.ts

@@ -0,0 +1,216 @@
+/**
+ * Copyright (c) 2025 Databricks Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import IClientContext from '../contracts/IClientContext';
+import { LogLevel } from '../contracts/IDBSQLLogger';
+
+export enum CircuitBreakerState {
+  CLOSED = 'CLOSED',
+  OPEN = 'OPEN',
+  HALF_OPEN = 'HALF_OPEN',
+}
+
+export interface CircuitBreakerConfig {
+  failureThreshold: number;
+  timeout: number;
+  successThreshold: number;
+}
+
+export const DEFAULT_CIRCUIT_BREAKER_CONFIG: Readonly<CircuitBreakerConfig> = Object.freeze({
+  failureThreshold: 5,
+  timeout: 60000,
+  successThreshold: 2,
+});
+
+export const CIRCUIT_BREAKER_OPEN_CODE = 'CIRCUIT_BREAKER_OPEN' as const;
+
+/**
+ * Thrown when execute() is called while the breaker is OPEN or a HALF_OPEN
+ * probe is already in flight. Callers identify the condition via
+ * `instanceof CircuitBreakerOpenError` or `err.code === CIRCUIT_BREAKER_OPEN_CODE`
+ * rather than string-matching the message.
+ */
+export class CircuitBreakerOpenError extends Error {
+  readonly code = CIRCUIT_BREAKER_OPEN_CODE;
+
+  constructor(message = 'Circuit breaker OPEN') {
+    super(message);
+    this.name = 'CircuitBreakerOpenError';
+  }
+}
+
+export class CircuitBreaker {
+  private state: CircuitBreakerState = CircuitBreakerState.CLOSED;
+
+  private failureCount = 0;
+
+  private successCount = 0;
+
+  private nextAttempt?: Date;
+
+  private halfOpenInflight = 0;
+
+  private readonly config: CircuitBreakerConfig;
+
+  constructor(private context: IClientContext, config?: Partial<CircuitBreakerConfig>) {
+    this.config = {
+      ...DEFAULT_CIRCUIT_BREAKER_CONFIG,
+      ...config,
+    };
+  }
+
+  async execute<T>(operation: () => Promise<T>): Promise<T> {
+    const admitted = this.tryAdmit();
+    if (!admitted) {
+      throw new CircuitBreakerOpenError();
+    }
+
+    const { wasHalfOpenProbe } = admitted;
+
+    try {
+      const result = await operation();
+      this.onSuccess();
+      return result;
+    } catch (error) {
+      this.onFailure();
+      throw error;
+    } finally {
+      if (wasHalfOpenProbe && this.halfOpenInflight > 0) {
+        this.halfOpenInflight -= 1;
+      }
+    }
+  }
+
+  /**
+   * Synchronous admission check. Returning `null` means "reject". Returning
+   * an object means the caller is admitted; `wasHalfOpenProbe` indicates
+   * whether this admission consumed the single HALF_OPEN probe slot so the
+   * caller can decrement it in `finally`.
+   *
+   * Running this as a single synchronous block is what prevents the
+   * concurrent-probe race that existed in the previous implementation.
+   */
+  private tryAdmit(): { wasHalfOpenProbe: boolean } | null {
+    const logger = this.context.getLogger();
+
+    if (this.state === CircuitBreakerState.OPEN) {
+      if (this.nextAttempt && Date.now() < this.nextAttempt.getTime()) {
+        return null;
+      }
+      this.state = CircuitBreakerState.HALF_OPEN;
+      this.successCount = 0;
+      this.halfOpenInflight = 0;
+      logger.log(LogLevel.debug, 'Circuit breaker transitioned to HALF_OPEN');
+    }
+
+    if (this.state === CircuitBreakerState.HALF_OPEN) {
+      if (this.halfOpenInflight > 0) {
+        return null;
+      }
+      this.halfOpenInflight += 1;
+      return { wasHalfOpenProbe: true };
+    }
+
+    return { wasHalfOpenProbe: false };
+  }
+
+  getState(): CircuitBreakerState {
+    return this.state;
+  }
+
+  getFailureCount(): number {
+    return this.failureCount;
+  }
+
+  getSuccessCount(): number {
+    return this.successCount;
+  }
+
+  private onSuccess(): void {
+    const logger = this.context.getLogger();
+
+    this.failureCount = 0;
+
+    if (this.state === CircuitBreakerState.HALF_OPEN) {
+      this.successCount += 1;
+      logger.log(
+        LogLevel.debug,
+        `Circuit breaker success in HALF_OPEN (${this.successCount}/${this.config.successThreshold})`,
+      );
+
+      if (this.successCount >= this.config.successThreshold) {
+        this.state = CircuitBreakerState.CLOSED;
+        this.successCount = 0;
+        this.nextAttempt = undefined;
+        logger.log(LogLevel.debug, 'Circuit breaker transitioned to CLOSED');
+      }
+    }
+  }
+
+  private onFailure(): void {
+    const logger = this.context.getLogger();
+
+    this.failureCount += 1;
+    this.successCount = 0;
+
+    logger.log(LogLevel.debug, `Circuit breaker failure (${this.failureCount}/${this.config.failureThreshold})`);
+
+    if (this.state === CircuitBreakerState.HALF_OPEN || this.failureCount >= this.config.failureThreshold) {
+      this.state = CircuitBreakerState.OPEN;
+      this.nextAttempt = new Date(Date.now() + this.config.timeout);
+      logger.log(
+        LogLevel.warn,
+        `Telemetry circuit breaker OPEN after ${this.failureCount} failures (will retry after ${this.config.timeout}ms)`,
+      );
+    }
+  }
+}
+
+export class CircuitBreakerRegistry {
+  private breakers: Map<string, CircuitBreaker>;
+
+  constructor(private context: IClientContext) {
+    this.breakers = new Map();
+  }
+
+  getCircuitBreaker(host: string, config?: Partial<CircuitBreakerConfig>): CircuitBreaker {
+    let breaker = this.breakers.get(host);
+    if (!breaker) {
+      breaker = new CircuitBreaker(this.context, config);
+      this.breakers.set(host, breaker);
+      const logger = this.context.getLogger();
+      logger.log(LogLevel.debug, `Created circuit breaker for host: ${host}`);
+    } else if (config) {
+      const logger = this.context.getLogger();
+      logger.log(LogLevel.debug, `Circuit breaker for host ${host} already exists; provided config will be ignored`);
+    }
+    return breaker;
+  }
+
+  getAllBreakers(): Map<string, CircuitBreaker> {
+    return new Map(this.breakers);
+  }
+
+  removeCircuitBreaker(host: string): void {
+    this.breakers.delete(host);
+    const logger = this.context.getLogger();
+    logger.log(LogLevel.debug, `Removed circuit breaker for host: ${host}`);
+  }
+
+  clear(): void {
+    this.breakers.clear();
+  }
+}