The maintenance/data pump functions should not be able to fill a queue indefinitely. For example, a CLA that has just come "up" may or may not be able to transfer all of the stored data that is routed through it. So in particular, a storage service that is filling the queue should implement some work limits: it fetches some number of bundles from storage, then yields so that those bundles can be pushed through the system, and only then resumes work to fetch more bundles.
A basic prerequisite of implementing something like this is to put depth limits on the various flow queues.
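The following is an added illustration of the two limits described above (a depth-limited flow queue plus a batch-limited storage pump that yields between batches); it is not code from the project this page discusses. The class names, the cooperative round-based scheduling, and the synthetic bundle ids are assumptions made for the example. It also runs the unbounded case so the difference in queue depth is visible.

```python
"""Depth-limited flow queue fed by a batch-limited storage pump.

Added example, not the project's own code. BoundedQueue, StoragePump,
simulate() and the round-based scheduler are assumptions for illustration.
"""
from collections import deque
from typing import Deque, List, Optional


class BoundedQueue:
    """A flow queue that refuses items once it holds max_depth of them.

    max_depth=None gives the unbounded behaviour the text warns against.
    """

    def __init__(self, max_depth: Optional[int]) -> None:
        self.max_depth = max_depth
        self._items: Deque[str] = deque()
        self.rejected = 0  # how often a producer was pushed back

    def __len__(self) -> int:
        return len(self._items)

    def offer(self, bundle_id: str) -> bool:
        """Non-blocking enqueue: returns False instead of growing past the limit."""
        if self.max_depth is not None and len(self._items) >= self.max_depth:
            self.rejected += 1
            return False
        self._items.append(bundle_id)
        return True

    def take(self, n: int) -> List[str]:
        """Dequeue up to n items (what a CLA does on each send opportunity)."""
        out: List[str] = []
        while self._items and len(out) < n:
            out.append(self._items.popleft())
        return out


class StoragePump:
    """Moves stored bundles into a flow queue, at most batch_size per call.

    A bundle leaves storage only once the queue has accepted it, so a
    rejected offer loses nothing; the pump simply retries next round.
    """

    def __init__(self, storage: List[str], queue: BoundedQueue, batch_size: int) -> None:
        self._storage = storage
        self._cursor = 0  # index of the next bundle still in storage
        self._queue = queue
        self.batch_size = batch_size

    def pending(self) -> int:
        return len(self._storage) - self._cursor

    def run_once(self) -> int:
        """One unit of work: enqueue up to batch_size bundles, then yield."""
        moved = 0
        while moved < self.batch_size and self._cursor < len(self._storage):
            if not self._queue.offer(self._storage[self._cursor]):
                break  # queue full: stop early, bundle stays in storage
            self._cursor += 1
            moved += 1
        return moved


def simulate(n_bundles: int, max_depth: Optional[int], batch_size: int, cla_rate: int) -> dict:
    """Round-robin the pump and a CLA that sends cla_rate bundles per round.

    Constructed input: n_bundles synthetic bundle ids are placed in storage.
    Returns how many reached the CLA and the largest queue depth observed.
    """
    storage = [f"bundle-{i}" for i in range(n_bundles)]  # constructed sample data
    queue = BoundedQueue(max_depth)
    pump = StoragePump(storage, queue, batch_size)
    delivered = 0
    max_observed = 0
    rounds = 0
    while pump.pending() or len(queue):
        pump.run_once()                          # storage service does bounded work
        max_observed = max(max_observed, len(queue))
        delivered += len(queue.take(cla_rate))   # CLA gets its turn
        rounds += 1
    return {"delivered": delivered, "max_depth_observed": max_observed,
            "rounds": rounds, "rejected_offers": queue.rejected}


if __name__ == "__main__":
    print("bounded  :", simulate(1000, max_depth=8, batch_size=16, cla_rate=4))
    print("unbounded:", simulate(1000, max_depth=None, batch_size=16, cla_rate=4))
```

With a depth limit of 8 the queue never exceeds 8 entries no matter how much is in storage, and every bundle still arrives at the CLA; it just takes more rounds. Without the depth limit the batch limit alone slows the growth but does not stop it, because the pump keeps winning the race against a slower CLA.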