@flak153 this is fantastic! Thank you for your contribution. We'll get this some reviews.

Thanks everyone for the thorough reviews. Pushed fixes for all comments:

@abhizer — Good catch on the Datagen format. Found two mismatches and fixed both:

• Cell::Timestamp now uses RFC 3339 format (T separator) instead of space-separated
• Cell::Bytes now encodes as byte arrays instead of hex strings to match BinaryFormat::Array
• Same fixes for the ArrayCell variants
• Added 47 unit tests covering all cell_to_json/array_cell_to_json variants plus URI parsing and table matching

@blp — All comments addressed:

• completion_watcher default impl removed, added explicit None to all 3 implementations
• with-postgres-cdc added to default features
• mpsc → oneshot for init status channel
• mem::take instead of drain().collect()
• Kept thread::Builder because open() is sync and needs blocking_recv for init status — happy to switch if there's a better pattern
• On FT: the path is switching MemoryStore → PostgresStore so etl persists table phases across restarts, then implementing Resume::Seek. Planning that as a follow-up since it's a significant addition.

@mythical-fred — Both blockers addressed:

• etl deps pinned to rev = "05cb11ae"
• Added 3 integration tests (test_cdc_basic_insert, test_cdc_all_data_types, test_cdc_update_delete) marked #[ignore] since they require wal_level=logical

Squashed into a single commit.

Question — beyond the current tests, there are several edge cases we could cover. Would you like any of these before merge, or are they better as follow-ups?

High priority (most likely to surface real bugs):

• Crash-resume / failover: start pipeline, insert data, kill without confirming, restart, verify data replays
• Schema changes during streaming: column added/dropped while CDC is running
• Large transactions: single transaction with thousands of rows (tests 2MB buffer splitting)
• Multiple tables in publication: verify source_table filtering ignores other tables

Medium priority:

• TRUNCATE events (currently ignored — verify it doesn't crash)
• Empty table snapshot (zero rows, then streaming starts)
• REPLICA IDENTITY behavior without FULL (no old row on updates/deletes)
• Rapid insert/update/delete cycles on same row

Lower priority (edge cases):

• Connection loss / Postgres restart mid-stream
• Slot invalidation (slot dropped externally)
• Long-running transactions
• Special float values end-to-end (NaN, Infinity)

Happy to add whichever subset you think is important for this PR vs follow-ups.

Pushed updates:

• Fault tolerance implemented: Switched MemoryStore → PostgresStore so etl persists table replication phases across restarts. The connector now returns Some(FtModel::AtLeastOnce). On restart, etl reads the stored phases from Postgres and resumes from the replication slot position instead of re-snapshotting.
• Column names pre-constructed outside the per-row loop in write_table_rows (blp's comment)
• Numeric: Keeping .to_string() — PgNumeric is a custom enum (NaN/Infinity/Value) without Serialize, so json!(n) wouldn't work even with arbitrary_precision
• Pipeline ID: Uses a deterministic hash of (URI, publication, source_table) so the same replication slot and stored state are reused across restarts

Question on fault tolerance implementation — looking for guidance on the right pattern.

The connector now uses PostgresStore so etl persists table replication phases in Postgres. On restart, etl checks the stored phases and resumes from the replication slot position (no re-snapshot). This works regardless of what fault_tolerance() returns.

To properly return Some(FtModel::AtLeastOnce), we need to provide Resume::Seek metadata via consumer.extended(). The issue is that InputQueue::queue() hardcodes resume: None in its internal extended() call, and we use queue() to avoid reimplementing its batching/transaction logic.

Would it be valid to call extended() a second time after queue() with empty data + resume metadata?

self.inner.queue.queue();  // flushes data, calls extended(total, None, watermarks)
self.inner.consumer.extended(
    BufferSize::empty(),
    Some(Resume::Seek { seek: json!({"pipeline_id": pipeline_id}) }),
    vec![],
);

Or is there a better pattern for integrated endpoints that need resume metadata but want to use queue() for the data path?

For now I've set fault_tolerance() to AtLeastOnce with the PostgresStore backing — the crash recovery works because etl manages its own state. But want to make sure the Feldera checkpoint integration is correct too.

Question on fault tolerance implementation — looking for guidance on the right pattern.

The connector now uses PostgresStore so etl persists table replication phases in Postgres. On restart, etl checks the stored phases and resumes from the replication slot position (no re-snapshot). This works regardless of what fault_tolerance() returns.

To properly return Some(FtModel::AtLeastOnce), we need to provide Resume::Seek metadata via consumer.extended(). The issue is that InputQueue::queue() hardcodes resume: None in its internal extended() call, and we use queue() to avoid reimplementing its batching/transaction logic.

Right, InputQueue::queue can't be used for fault tolerance.

One way to achieve fault tolerance along with InputQueue is to add auxiliary data (the A generic parameter to InputQueue) for the resume information to each batch in the queue, and then use flush_with_aux instead of queue and subsequently call extended directly. The nats connector does this.

Would it be valid to call extended() a second time after queue() with empty data + resume metadata?

No, it needs to be called exactly once.