Remove Layer 3b CPU fallback (0% recovery rate, dead code)

[totalslacker]

Summary

• Removes the CPU fallback path (Layer 3b) from T5CoreMLEmbedder — it had a measured 0% recovery rate across 1,038 failures in production.
• The proactive reload (Layer 2) is the only mitigation that recovers from ANE IOSurface exhaustion. Layer 3b was adding per-failure overhead (one extra MLModel load + predict call) with no benefit.
• Adds two new stub-based tests for Layer 3a (reactive reload + ANE retry) to fill the coverage gap left by removing the three CPU fallback tests.

Key changes

Sources/SwitchcraftCoreML/T5CoreMLEmbedder.swift

• Removed cpuPredictorFactory stored property and all init wiring from all three init paths.
• Removed the Layer 3b block from predictWindow. The Layer 3a failure catch now calls logNativeException + throw nativeError instead of falling through to CPU fallback (previously errors would have been silently swallowed if this path was hit after Layer 3b removal).
• Deleted logRecoveredIOSurface, logCPUFallbackFailed, and extractCPUErrorFields (no callers after Layer 3b removal).
• Updated doc-comments to reflect the simplified two-layer recovery model.

Tests/SwitchcraftTests/T5CoreMLEmbedderStressTests.swift

• Removed testIOSurfaceFallbackLogsRecovery, testCPUFactoryThrowsLogsDistinctError, testCPUPredictThrowsLogsDistinctError.
• Added testANERetrySucceedsAfterReload: factory returns a failing predictor on first call (init), succeeding predictor on second call (Layer 3a reload) — encode must not throw, no JSONL row.
• Added testANERetryFailsLogsErrorRow: factory always returns failing predictor — encode must throw CoreMLNativeError, JSONL row with category: "error" (no cpu_fallback_failed).

adrs/021-ane-iosurface-pool-exhaustion-mitigation.md

• Second addendum: production evidence (0/1,038), Layer 3b removal rationale, simplified two-active-category JSONL scheme, note that ADR 010 §(g) no longer applies.

How to test

# Run the affected test suites
swift test --filter "T5CoreMLEmbedder stress"
swift test --filter "T5CoreMLEmbedder failure-log"

# Confirm no cpu_fallback_failed category appears anywhere
swift test --filter "T5CoreMLEmbedder"

All 18 T5CoreMLEmbedder tests pass. The two SQLiteStorage WAL Concurrency failures in the full suite are pre-existing flaky timing tests with explicit CI-skip annotations — unrelated to this PR.

Closes #93

[totalslacker]

🏭 Fabrik — stage: Implement
branch: fabrik/issue-93 | commit: 25a0257 | main: d814646 | 2026-05-07 20:40 UTC

All 9 tasks complete. PR #94 created at #94.

Removed the Layer 3b CPU fallback path from T5CoreMLEmbedder — production evidence showed 0/1,038 recovery rate, making it pure dead weight. Key changes: cpuPredictorFactory property and all init wiring deleted; predictWindow catch block simplified so Layer 3a failure now explicitly logs + rethrows (preventing silent error swallow); three dead private methods (logRecoveredIOSurface, logCPUFallbackFailed, extractCPUErrorFields) deleted; the three CPU fallback stress tests replaced with two new Layer 3a stub tests (testANERetrySucceedsAfterReload, testANERetryFailsLogsErrorRow); ADR 021 amended with second addendum documenting the production evidence and simplified two-category JSONL scheme. All 18 T5CoreMLEmbedder tests pass.

---

Used 48/250 turns, 0k input / 24k output tokens.

[Copilot]

Pull request overview

This PR removes the Layer 3b .cpuOnly fallback path from T5CoreMLEmbedder’s IOSurface-exhaustion mitigation, keeping proactive reload (Layer 2) and reactive reload + ANE retry (Layer 3a) as the only recovery mechanisms, based on production evidence that CPU fallback never recovered.

Changes:

• Removed CPU fallback wiring (cpuPredictorFactory) and the Layer 3b branch from predictWindow, rethrowing/logging the original native error when Layer 3a also fails.
• Replaced CPU-fallback stress tests with two stub-based tests covering Layer 3a success/failure behavior.
• Documented the production evidence and decision in ADR 021 and recorded the milestone in docs/Plan.md.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File	Description
Sources/SwitchcraftCoreML/T5CoreMLEmbedder.swift	Removes CPU fallback factory/state and deletes the CPU fallback execution/logging path; updates doc-comments to match the new behavior.
Tests/SwitchcraftTests/T5CoreMLEmbedderStressTests.swift	Drops CPU fallback tests and adds Layer 3a retry success/failure tests with JSONL expectations.
adrs/021-ane-iosurface-pool-exhaustion-mitigation.md	Adds a 2026-05-07 addendum documenting the 0% CPU fallback recovery rate and the removal rationale.
docs/Plan.md	Adds a completed plan item summarizing the Layer 3b removal work.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[totalslacker]

🏭 Fabrik — stage: Review
branch: fabrik/issue-93 | commit: f2046ae | main: d814646 | 2026-05-07 20:51 UTC

Review Findings

Fixed

• Copilot finding [1] — ADR status date stale: The ## Status line read "Amended (2026-05-06 — see addendum below)" despite a new 2026-05-07 addendum having been added by this PR. Updated to "Amended (2026-05-06, 2026-05-07 — see addenda below)" and changed "addendum" to "addenda" (plural).

• Copilot finding [2] — ADR self-contradiction on layer count: The 2026-05-07 addendum declared "the three-layer model becomes a two-layer model" then immediately listed three layers (Layer 1, Layer 2, Layer 3a). The claim was wrong — the original model was three layers (1, 2, 3); Layer 3 had two sub-paths (3a and 3b). With 3b removed, Layer 3 is simplified to a single path — the model is still three layers, not two. Rewrote the paragraph to accurately describe the simplification. As part of this fix, renamed the "Layer 3a" sub-label to "Layer 3" throughout the ADR, production source (T5CoreMLEmbedder.swift), and test file (T5CoreMLEmbedderStressTests.swift) for internal consistency.

Verified

• All 18 T5CoreMLEmbedder tests pass (suites: failure-log, stress and reload, re-entrancy guard, overflow guard).
• Branch is up to date with origin/main (no rebase needed — branch was already current).
• No remaining inconsistent "Layer 3a" references in current-tense code or doc content.
• Implementation correctness confirmed via diff review: cpuPredictorFactory fully removed from all three init paths; Layer 3b branch deleted; Layer 3 (formerly 3a) failure path explicitly calls logNativeException + rethrows (preventing silent error swallow); three dead private methods deleted; three CPU fallback tests replaced by two Layer 3 stub tests; ADR 021 and docs/Plan.md updated.

Reviewed the Layer 3b CPU fallback removal (issue #93). Fixed two Copilot findings against ADR 021: (1) status date didn't reflect the new 2026-05-07 addendum, (2) the addendum incorrectly claimed "three-layer becomes two-layer" while still listing three layers. Both fixed, plus "Layer 3a" sub-label renamed to "Layer 3" throughout source and tests for consistency. All 18 T5CoreMLEmbedder tests pass. PR is ready for human review.

---

Used 37/50 turns, 0k input / 10k output tokens.

[totalslacker]

🏭 Fabrik — stage: Validate
branch: fabrik/issue-93 | commit: f2046ae | main: d814646 | 2026-05-07 20:56 UTC

All checks pass. The PR is ready to merge.

Validation Report

Requirements: 7/7 passed

• cpuPredictorFactory property removed from T5CoreMLEmbedder — grep finds zero references in production code
• Layer 3b CPU fallback branch removed from predictWindow — predictWindow now has only Layer 3 (reactive reload + ANE retry)
• Layer 3 failure path explicitly logs + rethrows nativeError — confirmed at lines 517-521; no silent swallow
• ADR 021 amended — second addendum at lines 204-262 documents 0/1,038 production evidence, Layer 3b removal, cpu_fallback_failed retirement, ADR 010 §(g) now moot
• Three CPU fallback tests deleted — testIOSurfaceFallbackLogsRecovery, testCPUFactoryThrowsLogsDistinctError, testCPUPredictThrowsLogsDistinctError absent; two new Layer 3a stub tests added (testANERetrySucceedsAfterReload, testANERetryFailsLogsErrorRow)
• All remaining T5CoreMLEmbedder tests pass — 18/18 across failure-log, stress-and-reload, re-entrancy, overflow-guard suites
• No public API changes — cpuPredictorFactory was never a public parameter

Test Suite: 269/271 passed (2 pre-existing failures)

• 18 T5CoreMLEmbedder tests: all pass
• 2 failures are timing-sensitive tests in files untouched by this PR:
  • SQLiteStorage WAL Concurrency / "Bulk write loop..." — pre-existing flaky microbench (explicitly annotated in PR description and prior CI-skip commits)
  • LSM Indexer / "indexing 5000 single-token 128-dim chunks completes within 5s" — performance test; took 36.5s vs 10s debug limit due to host load; IndexerTests.swift is not in git diff origin/main..HEAD
• Build: clean
• No regressions introduced by this PR

Regressions: None

Changed files: T5CoreMLEmbedder.swift, T5CoreMLEmbedderStressTests.swift, adrs/021-ane-iosurface-pool-exhaustion-mitigation.md, docs/Plan.md. No shared interfaces or types modified.

Branch state

• On fabrik/issue-93, up to date with origin/fabrik/issue-93
• Rebased onto origin/main (already current)
• All changes committed and pushed
• PR Remove Layer 3b CPU fallback (0% recovery rate, dead code) #94 open with Closes #93

Verdict: READY TO MERGE

All 18 T5CoreMLEmbedder tests pass. Every requirement is met: cpuPredictorFactory and all Layer 3b code are removed, the Layer 3 ANE-retry failure path correctly logs and rethrows (no silent swallow), three CPU fallback tests are replaced by two new Layer 3a stub tests, ADR 021 has the second addendum documenting the 0/1,038 production evidence, and docs/Plan.md is updated. The two full-suite failures are pre-existing timing-sensitive tests in files untouched by this PR. PR #94 is ready to merge.

---

Used 31/50 turns, 0k input / 6k output tokens.