Support per-backend role and destination in replication engine

[maeldonn]

Read destination bucket and role from each backends[] entry instead of the shared top-level fields, so a single source object can be replicated to multiple CRR destinations with their own role. Legacy entries without per-backend fields keep working via top-level fallback in ObjectQueueEntry's site-aware getters; MongoQueueProcessor's oplog path now matches every applicable rule and dedups backends per the design's (site, destination, role) rule.

Issue: BB-762

[bert-e]

Hello maeldonn,

My role is to assist you with the merge of this
pull request. Please type @bert-e help to get information
on this process, or consult the user documentation.

Available options

name	description	privileged	authored
/after_pull_request	Wait for the given pull request id to be merged before continuing with the current one.
/bypass_author_approval	Bypass the pull request author's approval	⭐
/bypass_build_status	Bypass the build and test status	⭐
/bypass_commit_size	Bypass the check on the size of the changeset TBA	⭐
/bypass_incompatible_branch	Bypass the check on the source branch prefix	⭐
/bypass_jira_check	Bypass the Jira issue check	⭐
/bypass_peer_approval	Bypass the pull request peers' approval	⭐
/bypass_leader_approval	Bypass the pull request leaders' approval	⭐
/approve	Instruct Bert-E that the author has approved the pull request.		✍️
/create_pull_requests	Allow the creation of integration pull requests.
/create_integration_branches	Allow the creation of integration branches.
/no_octopus	Prevent Wall-E from doing any octopus merge and use multiple consecutive merge instead
/unanimity	Change review acceptance criteria from one reviewer at least to all reviewers
/wait	Instruct Bert-E not to run until further notice.

Available commands

name	description	privileged
/help	Print Bert-E's manual in the pull request.
/status	Print Bert-E's current status in the pull request TBA
/clear	Remove all comments from Bert-E from the history TBA
/retry	Re-start a fresh build TBA
/build	Re-start a fresh build TBA
/force_reset	Delete integration branches & pull requests, and restart merge process from the beginning.
/reset	Try to remove integration branches unless there are commits on them which do not appear on the source branch.

Status report is not available.

[bert-e]

Incorrect fix version

The Fix Version/s in issue BB-762 contains:

• None

Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:

• 9.4.1

• 9.5.0

Please check the Fix Version/s of BB-762, or the target
branch of this pull request.

[codecov]

Codecov Report

❌ Patch coverage is 95.91837% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 75.08%. Comparing base (cd24b31) to head (0b2138b).

Files with missing lines	Patch %	Lines
...xtensions/replication/tasks/MultipleBackendTask.js	66.66%	2 Missing ⚠️
extensions/replication/tasks/ReplicateObject.js	90.47%	2 Missing ⚠️

Additional details and impacted files

Files with missing lines	Coverage Δ
extensions/mongoProcessor/MongoQueueProcessor.js	66.81% <100.00%> (-2.60%)	⬇️
...sions/replication/queueProcessor/QueueProcessor.js	75.92% <100.00%> (+2.97%)	⬆️
...sions/replication/tasks/UpdateReplicationStatus.js	81.81% <100.00%> (+6.56%)	⬆️
lib/api/BackbeatAPI.js	90.12% <100.00%> (+0.01%)	⬆️
lib/models/ObjectQueueEntry.js	94.73% <100.00%> (+3.43%)	⬆️
lib/models/QueueEntry.js	83.33% <100.00%> (+9.80%)	⬆️
...xtensions/replication/tasks/MultipleBackendTask.js	59.80% <66.66%> (+4.35%)	⬆️
extensions/replication/tasks/ReplicateObject.js	91.97% <90.47%> (+0.76%)	⬆️

... and 5 files with indirect coverage changes

Components	Coverage Δ
Bucket Notification	80.22% <ø> (ø)
Core Library	81.01% <100.00%> (-0.27%)	⬇️
Ingestion	70.13% <100.00%> (-0.51%)	⬇️
Lifecycle	79.46% <ø> (ø)
Oplog Populator	85.83% <ø> (ø)
Replication	61.64% <94.66%> (+1.90%)	⬆️
Bucket Scanner	85.76% <ø> (ø)

@@                 Coverage Diff                 @@
##           development/9.4    #2743      +/-   ##
===================================================
+ Coverage            74.88%   75.08%   +0.20%     
===================================================
  Files                  200      200              
  Lines                13670    13681      +11     
===================================================
+ Hits                 10237    10273      +36     
+ Misses                3423     3398      -25     
  Partials                10       10              

Flag	Coverage Δ
api:retry	9.16% <5.10%> (+0.01%)	⬆️
api:routes	8.96% <0.00%> (-0.01%)	⬇️
bucket-scanner	85.76% <ø> (ø)
ft_test:queuepopulator	9.13% <0.00%> (-1.84%)	⬇️
ingestion	12.37% <9.18%> (-0.20%)	⬇️
lib	7.77% <0.00%> (-0.01%)	⬇️
lifecycle	18.90% <0.00%> (-0.03%)	⬇️
notification	1.02% <0.00%> (-0.01%)	⬇️
oplogPopulator	0.14% <0.00%> (-0.01%)	⬇️
unit	53.04% <95.91%> (+1.65%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[claude]

• ReplicateObject.js:310 — Rule matching via Rules.find() does not consider priority, while MongoQueueProcessor sorts by priority descending. If multiple rules target the same site with different Destination.Account values, the derived expectedDestRole may not match the entry's role, causing a spurious BadRole error.
  - tests/unit/lib/models/ObjectQueueEntry.spec.js — File shows as a binary diff in this PR, which typically indicates a BOM or encoding issue. Verify the file is clean UTF-8.
  
  Review by Claude Code

[claude]

• Overall: well-structured refactor — per-backend roles/destinations are correctly propagated through MongoQueueProcessor, QueueProcessor, and the replication task chain. Legacy fallbacks tested. No critical issues found.
  - extensions/replication/tasks/ReplicateObject.js:270 — Minor: roles.length < 1 is unreachable because String.split(',') always returns an array with at least one element. Could simplify to roles.length > 2.
  - extensions/replication/tasks/MultipleBackendTask.js:59 — Note: entry.getReplicationRoles() is called without this.site, while the parent ReplicateObject._setupRolesOnce was updated to pass this.site. This appears intentional since cloud backends don't carry per-backend roles, but worth a comment or assertion to make the design choice explicit.
  
  LGTM
  
  Review by Claude Code

[claude]

• package.json:57 — arsenal pinned to raw commit SHA instead of a tag; should use the resolved version tag (8.4.2) for consistency with other git-based deps
  
  The rest of the PR looks solid: per-backend role/destination plumbing is consistent across MongoQueueProcessor, QueueProcessor, ReplicateObject, and MultipleBackendTask. Legacy fallback paths are well-tested. The deletion of getLocationsFromStorageClass is safe — no remaining callers in production code.
  
  Review by Claude Code

[claude]

• package.json:57 — Arsenal is pinned to a commit hash (39c1a64...) instead of a tag. The yarn.lock resolves to version 8.4.3, so please pin to the tag for consistency with other git-based deps.
  - extensions/replication/tasks/MultipleBackendTask.js:59 — _setupRolesOnce calls getReplicationRoles() without this.site, unlike the parent ReplicateObject._setupRolesOnce which was updated to pass it. This works today because cloud backends don't carry per-backend roles, but consider passing this.site for forward-compatibility with multi-destination CRR on cloud targets.
  
  Review by Claude Code

[claude]

• extensions/replication/tasks/ReplicateObject.js:298 — matchingRule lookup uses bare rule.Prefix but the replicationEnabled check above uses rule.Filter?.Prefix ?? rule.Prefix ?? ''. V2 rules with Filter.Prefix will never match, silently falling back to the legacy destination role instead of the per-account substituted role.
  - package.json:57 — Arsenal pinned to a commit hash instead of a tag (yarn.lock resolves to 8.4.3).
  
  Review by Claude Code

[claude]

• extensions/replication/tasks/ReplicateObject.js:298 — Bug: matchingRule lookup uses rule.Prefix directly but should use rule.Filter?.Prefix ?? rule.Prefix ?? '' like the replicationEnabled check above it. V2 rules with Filter.Prefix will never match, causing the Account-based role resolution to silently fall through to the legacy comparison and reject valid entries with BadRole.
  - package.json:57 — Arsenal pinned to commit hash instead of a tag (resolved version 8.4.3).
  
  Review by Claude Code

[claude]

PR Review Summary

• QueueProcessor.js:912 — Bug: this.replicationBackends is undefined (never set on the instance). Cloud backends will always use ReplicateObject instead of MultipleBackendTask. Should use the module-level replicationBackends constant imported at line 42.
• package.json:57 — Arsenal pinned to a bare commit hash instead of a version tag, which violates project conventions for git-based deps.

Review by Claude Code

[claude]

• package.json:57 — arsenal pinned to commit hash instead of a tag; pin to 8.4.3 tag if available

The rest of the PR looks solid. The per-backend key abstraction (site + destination + role) is well-designed, backward compatibility is properly handled via top-level fallback in the site-aware getters, and the async/await migration in QueueProcessor.processReplicationEntry is clean. Test coverage is thorough, including same-site multi-destination disambiguation, retry round-tripping, and mixed CRR + cloud backend scenarios.

Review by Claude Code

[claude]

Arsenal is pinned to a commit hash instead of a tag. The yarn.lock shows this resolves to version 8.4.3 — pin to the tag instead for consistency with the project's dependency pinning convention.

— Claude Code

[claude]

• package.json:57 — arsenal pinned to commit hash instead of tag; use 8.4.3 per project convention
  - extensions/replication/tasks/MultipleBackendTask.js:59 — getReplicationRoles() called without backend key, unlike the parent class ReplicateObject._setupRolesOnce which now uses entry.getReplicationRoles(entry.getBackendKey()). Safe today because cloud backends don't carry per-backend roles, but inconsistent and could silently break if that changes.
  
  Review by Claude Code

[claude]

arsenal is pinned to a commit hash instead of a tag. The resolved version is 8.4.3 — if that tag exists, pin to it for consistency with the other git-based deps (breakbeat, httpagent, etc.).

— Claude Code

[claude]

• package.json:57 — arsenal pinned to a commit hash instead of a tag; use the 8.4.3 tag if available

The code changes themselves are solid. The per-backend routing in QueueProcessor, the backendKey-based disambiguation in ObjectQueueEntry, the role-validation expansion in ReplicateObject._setupRolesOnce, and the callbackify bridge for the async migration are all well-structured. Legacy backward compatibility (top-level fallback when backends lack destination/role) is covered by tests. The Kafka message format extension (adding destination/role fields) is additive and safe for rolling upgrades.

Review by Claude Code

[claude]

MultipleBackendTask._setupRolesOnce still calls entry.getReplicationRoles() without passing the backend key, while the parent ReplicateObject._setupRolesOnce was updated to entry.getReplicationRoles(entry.getBackendKey()). If arsenal's getReplicationRoles(key) resolves a per-backend role when a key is provided, this cloud-backend path will silently use the top-level (legacy) role string instead of the per-backend one, defeating the purpose of this PR for cloud destinations.

— Claude Code

[claude]

Several calls in MultipleBackendTask.processQueueEntry still use this.site (a plain string) for per-backend lookups instead of the key object:\n- Line 1220: refreshedEntry.getReplicationSiteStatus(this.site) should be refreshedEntry.getReplicationSiteStatus(sourceEntry.getBackendKey())\n- Line 1240: sourceEntry.getReplicationSiteDataStoreVersionId(this.site) should also use the backend key\n\nThese were not updated to match the pattern applied in ReplicateObject and UpdateReplicationStatus. If arsenal's methods now support the key object, this will miss per-backend state.

— Claude Code

[claude]

The _updateReplicationInfo call on line 349 sets role: ReplicationConfiguration.resolveSourceRole(bucketRepInfo.role) but doesn't set destination or storageClass in the replication info object. The old code set both destination and storageClass. If these fields are now handled inside ReplicationConfiguration.resolveBackends at the backend level, this is fine — but please confirm the downstream consumers (queue populator, status processor) don't rely on the top-level destination / storageClass fields being present.

— Claude Code

[claude]

The sequential for...of loop processes backends one at a time. If one backend's taskScheduler.push rejects, the await will throw and subsequent backends will be skipped entirely (the error propagates to callbackify which calls done(err)). This means a transient failure replicating to destination A will prevent replication to destinations B and C for this Kafka entry. Consider whether each backend should be attempted independently (catching errors per-backend) so one failure doesn't block the others.

— Claude Code

[SylvainSenechal]

Good raised question ?

[claude]

The toRetryEntry method now uses this._findBackend(key) but the method _findBackend is not defined on ObjectQueueEntry — it must be on the parent ObjectMD in arsenal. Please confirm this method exists in the arsenal commit being pinned (c3f3bff), since it's not possible to verify from this repo alone.

— Claude Code

[claude]

• package.json:57 — Arsenal pinned to a commit hash instead of a tag; should pin to a release tag per project conventions.
  - extensions/replication/tasks/MultipleBackendTask.js:59 — _setupRolesOnce calls entry.getReplicationRoles() without the backend key, inconsistent with the updated ReplicateObject._setupRolesOnce which passes entry.getBackendKey(). May miss per-backend roles for cloud destinations.
  - extensions/replication/tasks/MultipleBackendTask.js:1220,1240 — processQueueEntry still uses this.site (plain string) for getReplicationSiteStatus and getReplicationSiteDataStoreVersionId instead of the backend key object, inconsistent with the other task files.
  - extensions/mongoProcessor/MongoQueueProcessor.js:345-351 — _updateReplicationInfo no longer sets destination, storageClass, or storageType on the replication info object (the old code set all three). Confirm downstream code doesn't rely on these top-level fields.
  - extensions/replication/queueProcessor/QueueProcessor.js:915-934 — Sequential for...of loop over backends means a failure on one backend aborts processing of subsequent backends for the same Kafka entry.
  - lib/models/ObjectQueueEntry.js:243 — toRetryEntry calls this._findBackend(key) which must be defined on the arsenal ObjectMD parent. Not verifiable without the arsenal commit — please confirm it exists.
  
  Review by Claude Code

[claude]

Arsenal is pinned to a commit hash instead of a release tag. Per project policy, git-based deps must pin to a tag, not a branch or commit. This should be updated to a tagged release before merging.

— Claude Code

[claude]

• package.json:57 — Arsenal pinned to commit hash instead of a release tag. Must pin to a tag before merging.
  - extensions/replication/tasks/MultipleBackendTask.js:1220 — refreshedEntry.getReplicationSiteStatus(this.site) still uses the string this.site instead of sourceEntry.getBackendKey(). The rest of the PR migrated getReplicationSiteStatus calls to use the backend key object for correct multi-destination matching. In a config where the same site has multiple backends with different destinations/roles, this would match the wrong backend. Same issue at line 1240 with getReplicationSiteDataStoreVersionId(this.site).
  
  Review by Claude Code

[claude]

Arsenal dependency is pinned to a bare commit hash instead of a version tag. Per project conventions, git-based deps (arsenal, vaultclient, etc.) should pin to a tag for clarity and reproducibility. If this commit corresponds to a release, pin to that tag instead.

— Claude Code

[claude]

Inconsistent indentation — these two lines use 6 extra leading spaces (14 total) instead of the file's 4-space indent (12 expected at this nesting level).

— Claude Code

[claude]

PR Review Summary

• package.json:57 — Arsenal dependency pinned to a bare commit hash (724d062...) instead of a version tag. Git-based deps should pin to a tag per project conventions.
• QueueProcessor.js:908-909 — Inconsistent indentation (14 spaces instead of 12) inside the pendingBackends.length === 0 block.

Observations (non-blocking):

• The top-level destination, storageClass, storageType, and dataStoreVersionId fields are no longer set in the replication info by MongoQueueProcessor._setEntryReplicationInfo. This is intentional (these are now per-backend), but worth documenting as a breaking change to the replication info format in case other services or tooling read these top-level fields.
• The processReplicationEntry async migration with callbackify looks correct — error propagation, skip semantics, and sequential backend processing are all handled properly.
• The clone() method doesn't preserve destination and role (same as site), but all callers correctly re-set them after cloning. Consistent pattern.
• Good test coverage for the new multi-destination disambiguation (ObjectQueueEntry.spec.js, QueueProcessor.spec.js, MongoQueueProcessor.spec.js).

Review by Claude Code

[SylvainSenechal]

Is this a change of behavior with older version because of the '' fallback ?

edit: Ok i guess startWith('') is always true, so I guess its fine unless we want to treat an empty prefix filter as invalid ?

[SylvainSenechal]

nit: check len == 1 || 2 ?
But also, are you sure we shouldn't just enforce === 2 ? In what case could it be 1