ReviveBench

What happens when OAuth dies mid-run?

An executable study of checkpoint recovery, account binding, stale-worker fencing and side-effect safety.

EXECUTIONS
40
five recovery cases
PASSED
40
observed invariant checks
FAILED
0
retained in the report

The product under test

A credential provider can issue a new token. A workflow runtime can resume a checkpoint. Revive connects those events to the same account, run and pending action.

01
Detect
Provider rejects refresh
02
Park
Save run and action
03
Verify
Match provider identity
04
Fence
Advance lease generation
05
Resume
Signal the same run

Evaluation setup

Every case invokes the repository's real engine, durable SQLite store and HTTP provider client. The provider is a local OAuth fixture, not Microsoft Entra production.

RUNNER
sidecar/benchmarks/revivebench.py
PROVIDER TRANSPORT
Real localhost HTTP requests
DURABLE STATE
SQLite checkpoints and leases
ITERATIONS
8 per recovery case
SOURCE
b2ea69d with local changes
GENERATED
7/1/2026, 6:24:02 PM

Five failures, forty executions.

same-run-resume

Same logical run resumes

The access token expires and the refresh token is rejected after two completed workflow steps.

Pass condition

The engine parks at the failed step, accepts a new provider grant and completes the original run ID.

PASSED
8/8
P50
2.589 ms
P95
2.765 ms
worker-restart

Recovery survives worker replacement

The worker that created the checkpoint is replaced before reauthorization completes.

Pass condition

A new engine instance reads SQLite state and resumes without in-memory routing data.

PASSED
8/8
P50
2.483 ms
P95
2.528 ms
identity-binding

Wrong provider subject is rejected

A reauthorization reply returns a different provider subject from the original connection.

Pass condition

The reply is rejected before the one-time recovery capability is consumed.

PASSED
8/8
P50
1.669 ms
P95
1.748 ms
generation-fencing

Old credential generation is fenced

An old worker wakes up with credential generation 1 after recovery advanced the lease to generation 2.

Pass condition

The durable lease store rejects generation 1 before the worker can execute a step.

PASSED
8/8
P50
2.204 ms
P95
2.415 ms
side-effect-reconcile

Ambiguous side effect reconciles before replay

An action is marked started, but the worker cannot tell whether the remote mutation committed.

Pass condition

The reconciliation callback confirms the remote action and the mutation function is not called again.

PASSED
8/8
P50
0.111 ms
P95
0.121 ms

What the result shows

In this harness, Revive preserved the logical run, rejected the wrong account and stale credential generation, survived worker replacement, and reconciled an ambiguous mutation before replay.

What it does not show

  • customer production recovery rate
  • provider-wide compatibility
  • cost savings
  • availability or throughput SLOs

The millisecond timings below describe a local process. They are included for reproducibility, not as a production latency claim.

Reproduce every run

The command rewrites the JSON report from fresh executions. A failed assertion is recorded and returns a non-zero exit code.

npm run bench:revive
python3 -m unittest discover -s sidecar/tests -v