fix(foundation): prevent integer overflow in RetryPolicy::get_delay

[kshirajahere]

Summary

RetryPolicy::get_delay in mofa-foundation used bare u64::pow() and * for exponential backoff, causing integer overflow when retry_count is large.

• Debug builds: arithmetic-overflow panic -> process crash
• Release builds: silent wraparound -> delay collapses to 0 -> zero-delay retry loop -> unthrottled retry storm (self-DoS + downstream DoS)

Replace with checked_pow + checked_mul, saturating at max_delay_ms on overflow (which is the intentional cap anyway).

Related Issues

Closes #1325

Context

retry_count is a u32 parameter and max_retries in RetryPolicy is also u32. Any workflow config with max_retries >= 55 (combined with the default retry_delay_ms = 1000) will trigger the overflow in the exponential path. The existing unit test only exercised counts 0-10, leaving the overflow undetected.

Changes

crates/mofa-foundation/src/workflow/node.rs

• RetryPolicy::get_delay: replace self.retry_delay_ms * 2u64.pow(retry_count) with checked_pow + checked_mul, unwrapping to max_delay_ms on overflow
• Add test_retry_policy_large_count_does_not_overflow regression test covering counts 55, 63, 64, 65, 100, 1000, and u32::MAX

How you Tested

cargo test -p mofa-foundation test_retry_policy

Results:

• test workflow::node::tests::test_retry_policy ... ok
• test workflow::node::tests::test_retry_policy_large_count_does_not_overflow ... ok

Screenshots / Logs

running 5 tests
test recovery::tests::test_retry_policy_no_retry ... ok
test recovery::tests::test_retry_policy_default ... ok
test recovery::tests::test_retry_policy_builder ... ok
test workflow::node::tests::test_retry_policy ... ok
test workflow::node::tests::test_retry_policy_large_count_does_not_overflow ... ok
test result: ok. 5 passed; 0 failed; 0 ignored; 0 measured

Breaking Changes

• No breaking changes

The fix changes only the internal arithmetic. The public API, default values, and observable behaviour for normal retry counts (0-53 with default delay) are identical.

Checklist

Code Quality

• Code follows Rust idioms and project conventions
• cargo fmt run
• cargo clippy passes without warnings

Testing

• Tests added/updated
• cargo test passes locally without any error

Documentation

• Public APIs documented
• README / docs updated (if needed)

PR Hygiene

• PR is small and focused (one logical change)
• Branch is up to date with main
• No unrelated commits
• Commit messages explain why, not only what

Deployment Notes

No migration required. Single crate, single function, no API change.

Additional Notes for Reviewers

The unwrap_or(self.max_delay_ms) default is intentional: if the arithmetic would overflow, the delay is already beyond the configured maximum, so returning max_delay_ms is both mathematically correct and safe. The subsequent .min(self.max_delay_ms) is kept as a belt-and-suspenders guard for the normal (non-overflow) path.

[kshirajahere]

ignore

[kshirajahere]

Please ignore my previous one-word review comment (ignore). It was an accidental tooling artifact.