Thanks @Baunsgaard for taking a look, you're right about the double-logging.
I've pushed an update with your recommended changes, please take a look when you get a chance. Thanks!

Done, removed the comment block.

Thanks for the thorough review @laskoviymishka. Addressed all points:

1. Rethrow original exception: no longer wrapping in RuntimeException. The original CommitFailedException (or whatever the commit throws) is logged at ERROR and rethrown directly, preserving the type for alerting.

2. Partial-commit gating: rethrow is now gated on !partialCommit. Transient failures during partial commits are logged but not fatal, matching the previous retry behavior. Only full-commit failures terminate the coordinator.

3. Updated test assertions: tests now expect the original exception types directly.

Will update the PR description to accurately reflect the narrowed catch and the mechanism for task FAILED transition.

@laskoviymishka @Baunsgaard Heads up — I made a change after your approvals that I want to flag:

The exception handling now uses a tiered approach instead of rethrowing everything:

1. CommitFailedException / CommitStateUnknownException → log + retry (transient conflicts)
2. Other CleanableFailure exceptions → log + retry (Iceberg's marker for recoverable errors)
3. Everything else → log ERROR + rethrow (fatal, kills the coordinator)

The reason: rethrowing ALL non-CommitFailedException exceptions was killing the coordinator on transient errors during the integration tests (the commit path can throw various CleanableFailure subtypes during normal catalog contention). The CleanableFailure interface is Iceberg's built-in classification for retryable exceptions, so using it as the boundary felt like the right approach.

CI is now green. Let me know if you'd prefer a different approach — e.g., a consecutive-failure counter that rethrows after N failures regardless of exception type.

that's quite a swing @yadavay-amzn, and the new strategy changed enough that I need to flip to request some changes / questions.

The new behavior is basically:

“If a commit fails with an Iceberg-shaped exception, WARN and hope the next cycle fixes it. Only fail on unexpected exceptions.”

I don’t think that’s safe. The previous direction was closer to correct:

“If the real commit fails, kill the coordinator. If cleanup/partial commit fails, swallow it.”

Main issues:

1. CommitStateUnknownException is now swallowed. That one explicitly says retrying can create duplicates. Since the same files can still be retried from commitBuffer, this is exactly the bad case the exception warns about.

2. CleanableFailure is the wrong boundary. It means “metadata can be cleaned up,” not “safe to retry.” It also includes permanent errors like 400/401/403. With this change, bad credentials can loop forever at WARN, which is pretty close to the original bug.

3. CommitFailedException is still swallowed. That’s the exact exception from [Kafka Connect] Connector enters silent broken state after CommitFailedException (Glue concurrent update) — no data written, no error surfaced #15878. The “retry next cycle” story depends on a pretty fragile buffer/offset ordering assumption, and if a rebalance happens after offsets are committed, the in-memory state is gone and the failure is invisible.

I’d rather go back to the old shape: rethrow on full commit failure, swallow only the timed-out partial commit cleanup failure.

If we really want retries here, I think we need to explicitly list retryable exception types, bound the retries, and document the buffer lifecycle. Also the PR description drifted from the code again, so that needs an update too.

@AnatolyPopov — still interested in your read on the worker/coordinator offset ordering, since that’s the key assumption behind “retry next cycle.”

@laskoviymishka You're right, the CleanableFailure approach was too permissive. Reverted to the simpler and safer design:

• Full commit failure: rethrow everything (kills coordinator -> task FAILED)
• Partial commit failure (timed-out cleanup): WARN + swallow (retry next cycle)

This matches your original direction (please correct me if I'm wrong).

The CleanableFailure detour was me trying to work around a CI integration test failure that turned out to be transient. The test passes 10/10 locally with this approach. PR description updated.

On the test coverage point (coordinatorTest skipping the production CoordinatorThread path), agreed that an end-to-end test through CoordinatorThread + CommitterImpl would be stronger. Happy to add that in this PR or as a follow-up, whichever you prefer.

Addressed all three nits:

1. Fixed SLF4J double-printing -- removed e.getMessage() from format args, added taskId to WARN for symmetry.
2. testCommitError -- added producer.history().hasSize(1) and table.snapshots().isEmpty() assertions.
3. testCoordinatorCommittedOffsetValidation -- added post-throw assertions that table still has 2 snapshots and offsets unchanged.

Thanks @laskoviymishka!

Thanks @AnatolyPopov for the thorough review and the context on the offset ordering! And thanks @laskoviymishka for driving this to a good shape.

Agreed on the follow-ups, I will create issues to track:

1. Metrics for partial commit failures (operator visibility)
2. Bounded retry on transient exceptions (avoid operator intervention for transitive errors)

Both are additive and can land independently.