[PATCH] Add archive_mode=follow_primary to prevent unarchived WAL on standby promotion

From 9381683a804b17434399c0bffc280ffd371890e8 Mon Sep 17 00:00:00 2001
From: roman khapov <r.khapov@ya.ru>
Date: Mon, 22 Dec 2025 13:41:20 +0000
Subject: [PATCH v2 1/2] inproduce general polling functions for TAP tests

There are polling logic across all TAP tests, one of
the notable example is poll_query_until.

This logic must be implemented in each test in case the
test want to perform some polling actions.

This patch introduces two new functions at Utils:
 - poll_until, that make polling general condition callback
 - poll_cmd_until, that uses poll_until and makes polling for
background process results.

Existed poll_query_until rewritten to use more general poll_cmd_until,
both new functions will be used in next patch, to implement all the
waitings in tests for archive_mode=follow_primary feature.

Author: Roman Khapov <r.khapov@ya.ru>
Reviewed-by:
Discussion:
---
 src/test/perl/PostgreSQL/Test/Cluster.pm |  41 +------
 src/test/perl/PostgreSQL/Test/Utils.pm   | 146 +++++++++++++++++++++++
 2 files changed, 152 insertions(+), 35 deletions(-)

diff --git a/src/test/perl/PostgreSQL/Test/Cluster.pm b/src/test/perl/PostgreSQL/Test/Cluster.pm
index 295988b8b87..e9add0c6660 100644
--- a/src/test/perl/PostgreSQL/Test/Cluster.pm
+++ b/src/test/perl/PostgreSQL/Test/Cluster.pm
@@ -2726,7 +2726,7 @@ sub poll_query_until
 {
 	my ($self, $dbname, $query, $expected) = @_;
 
-	local %ENV = $self->_get_env();
+	my %env = $self->_get_env();
 
 	$expected = 't' unless defined($expected);    # default value
 
@@ -2736,41 +2736,12 @@ sub poll_query_until
 		'--dbname' => $self->connstr($dbname)
 	];
 	my ($stdout, $stderr);
-	my $max_attempts = 10 * $PostgreSQL::Test::Utils::timeout_default;
-	my $attempts = 0;
 
-	while ($attempts < $max_attempts)
-	{
-		my $result = IPC::Run::run $cmd,
-		  '<' => \$query,
-		  '>' => \$stdout,
-		  '2>' => \$stderr;
-
-		chomp($stdout);
-		chomp($stderr);
-
-		if ($stdout eq $expected && $stderr eq '')
-		{
-			return 1;
-		}
-
-		# Wait 0.1 second before retrying.
-		usleep(100_000);
-
-		$attempts++;
-	}
-
-	# Give up. Print the output from the last attempt, hopefully that's useful
-	# for debugging.
-	diag qq(poll_query_until timed out executing this query:
-$query
-expecting this output:
-$expected
-last actual query output:
-$stdout
-with stderr:
-$stderr);
-	return 0;
+	return PostgreSQL::Test::Utils::poll_cmd($cmd,
+		input => $query,
+		expected => $expected,
+		env => \%env
+	);
 }
 
 =pod
diff --git a/src/test/perl/PostgreSQL/Test/Utils.pm b/src/test/perl/PostgreSQL/Test/Utils.pm
index 0332d28916e..4f247b28f1b 100644
--- a/src/test/perl/PostgreSQL/Test/Utils.pm
+++ b/src/test/perl/PostgreSQL/Test/Utils.pm
@@ -57,6 +57,7 @@ use File::stat qw(stat);
 use File::Temp ();
 use IPC::Run;
 use POSIX qw(locale_h);
+use Time::HiRes qw(usleep);
 use PostgreSQL::Test::SimpleTee;
 
 # We need a version of Test::More recent enough to support subtests
@@ -562,6 +563,151 @@ sub append_to_file
 	close $fh;
 	return;
 }
+=pod
+
+=item poll_until($condition, [, %options])
+
+Run callback B<$condition> repeatedly, until it returns 1
+Continues polling if B<$condition> returns an error result.
+Times out after $PostgreSQL::Test::Utils::timeout_default seconds.
+Returns 1 if successful, 0 if timed out.
+
+=over
+
+=item interval => $number
+
+Number of microseconds to wait before next poll.
+Default is 100_000 (0.1 second).
+
+=item max_attempts => $number
+
+Maximum number of polling attempts.
+Default is B<$PostgreSQL::Test::Utils::timeout_default> / B<$interval>.
+
+=back
+
+=cut
+
+sub poll_until
+{
+	my ($condition, %args) = @_;
+
+	my $interval = $args{interval} // 100_000;
+	my $max_attempts = $args{max_attempts} // int($timeout_default * 1_000_000 / $interval);
+
+	my $attempts = 0;
+	while ($attempts < $max_attempts)
+	{
+		if ($condition->())
+		{
+			return 1;
+		}
+
+		usleep($interval);
+
+		$attempts++;
+	}
+
+	return 0;
+}
+
+=pod
+
+=item poll_cmd($cmd, %options)
+
+Run B<$cmd> repeatedly until it returns the expected result.
+Continues polling if B<$cmd> returns an error result.
+Times out after B<$PostgreSQL::Test::Utils::timeout_default> seconds.
+Returns 1 if successful, 0 if timed out.
+
+=over
+
+=item expected => $string
+
+Expected stdout output. If not provided, checks for zero return code.
+
+=item input => $string
+
+Optional input to pass to the command via stdin.
+
+=item interval => $number
+
+Number of microseconds to wait before next poll.
+Default is 100_000 (0.1 second).
+
+=item max_attempts => $number
+
+Maximum number of polling attempts.
+Default is B<$PostgreSQL::Test::Utils::timeout_default> / B<$interval>.
+
+=item env => \%hash
+
+Hash reference with environment variables to set for the command.
+
+=back
+
+=cut
+
+sub poll_cmd
+{
+	my ($cmd, %args) = @_;
+
+	my $expected = $args{expected};
+	my $input = $args{input};
+	my $env = $args{env};
+	my $max_attempts = $args{max_attempts};
+	my $interval = $args{interval};
+
+	my ($stdout, $stderr);
+
+	local %ENV = %$env if defined($env);
+
+	my $condition = sub {
+		my $result;
+
+		$result = IPC::Run::run $cmd,
+		  '<' => \$input,
+		  '>' => \$stdout,
+		  '2>' => \$stderr;
+
+		chomp($stdout);
+		chomp($stderr);
+
+		if (defined($expected))
+		{
+			return ($stdout eq $expected && $stderr eq '');
+		}
+		else
+		{
+			return $result;
+		}
+	};
+
+	my %poll_args = ();
+	$poll_args{max_attempts} = $max_attempts if defined($max_attempts);
+	$poll_args{interval} = $interval if defined($interval);
+
+	my $result = poll_until($condition, %poll_args);
+
+	if (!$result)
+	{
+		my $cmd_str = join(' ', @$cmd);
+		my $expected_str = defined($expected) ? $expected : '<successful exit code>';
+
+		diag qq(poll_cmd timed out executing this cmd:
+$cmd_str
+with input:
+$input
+expecting this output:
+$expected_str
+last actual cmd output:
+$stdout
+with stderr:
+$stderr);
+	}
+
+	return $result;
+}
 
 =pod
 
-- 
2.43.0

From 27af444b873e9773e95a39895e4eff7d9c6c17e8 Mon Sep 17 00:00:00 2001
From: roman khapov <r.khapov@ya.ru>
Date: Mon, 22 Dec 2025 13:46:12 +0000
Subject: [PATCH v2 2/2] Add archive_mode=follow_primary to prevent WAL loss on
 standby promotion

In high availability configurations using streaming replication, standbys
can be promoted before the primary archives all WAL segments. This causes
WAL history gaps in the archive, breaking point-in-time recovery.

The new archive_mode=follow_primary addresses this by having standbys
defer WAL deletion until the primary confirms archival. During recovery,
the standby creates .ready files for received WAL segments and periodically
queries the primary via the replication protocol to determine which
segments are archived. The primary responds with segments that lack .ready
files (archived or not yet ready), and the standby marks those as .done.

Upon promotion, the standby automatically begins archiving any remaining
.ready segments, ensuring archive continuity. Works with cascading
replication where each standby queries its immediate upstream.

Implementation uses two new replication protocol message types:
- 'a' (PqReplMsg_ArchiveStatusQuery): standby sends timeline+segment pairs
- 'A' (PqReplMsg_ArchiveStatusResponse): primary responds with archived pairs

The walreceiver scans archive_status at wal_receiver_status_interval and
sends queries via XLogWalRcvSendArchiveQuery(). The walsender checks for
.ready files and responds via ProcessStandbyArchiveQueryMessage(). The
archiver skips archiving during recovery when RecoveryInProgress() is true.

Author: Andrey Borodin <amborodin@acm.org>
Co-authored-by: Roman Khapov <r.khapov@ya.ru>
Reviewed-by:
Discussion:
---
 doc/src/sgml/config.sgml                      |  22 +-
 doc/src/sgml/high-availability.sgml           |  16 +
 src/backend/access/transam/xlog.c             |   1 +
 src/backend/postmaster/pgarch.c               |   9 +
 src/backend/replication/walreceiver.c         | 144 ++++++-
 src/backend/replication/walsender.c           |  84 ++++
 src/include/access/xlog.h                     |   1 +
 src/include/libpq/protocol.h                  |   2 +
 .../recovery/t/051_archive_follow_primary.pl  | 382 ++++++++++++++++++
 9 files changed, 653 insertions(+), 8 deletions(-)
 create mode 100644 src/test/recovery/t/051_archive_follow_primary.pl

diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 405c9689bd0..ef5f4c615dc 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -3795,14 +3795,30 @@ include_dir 'conf.d'
         are sent to archive storage by setting
         <xref linkend="guc-archive-command"/> or
         <xref linkend="guc-archive-library"/>. In addition to <literal>off</literal>,
-        to disable, there are two modes: <literal>on</literal>, and
-        <literal>always</literal>. During normal operation, there is no
-        difference between the two modes, but when set to <literal>always</literal>
+        to disable, there are three modes: <literal>on</literal>,
+        <literal>always</literal>, and <literal>follow_primary</literal>.
+        During normal operation, there is no difference between <literal>on</literal>
+        and <literal>always</literal> modes, but when set to <literal>always</literal>
         the WAL archiver is enabled also during archive recovery or standby
         mode. In <literal>always</literal> mode, all files restored from the archive
         or streamed with streaming replication will be archived (again). See
         <xref linkend="continuous-archiving-in-standby"/> for details.
        </para>
+       <para>
+        The <literal>follow_primary</literal> mode is designed for standby servers
+        in high availability configurations. In this mode, a standby server does
+        not archive WAL segments itself during recovery. Instead, it queries the
+        primary server to determine which segments have already been archived by
+        the primary. The standby retains WAL segments until the primary confirms
+        they are archived, then marks them as done locally. This ensures that WAL
+        history is not lost if the standby is promoted to primary before the
+        primary has archived all segments. After promotion, the standby
+        automatically begins archiving any remaining WAL segments normally.
+        This mode has no effect on a primary server, which archives WAL segments
+        as if <varname>archive_mode</varname> were set to <literal>on</literal>.
+        The <literal>follow_primary</literal> mode works correctly with cascading
+        replication, where each standby queries its immediate upstream server.
+       </para>
        <para>
         <varname>archive_mode</varname> is a separate setting from
         <varname>archive_command</varname> and
diff --git a/doc/src/sgml/high-availability.sgml b/doc/src/sgml/high-availability.sgml
index 81eeadd6c47..ff81029d1ff 100644
--- a/doc/src/sgml/high-availability.sgml
+++ b/doc/src/sgml/high-availability.sgml
@@ -1469,6 +1469,22 @@ postgres=# WAIT FOR LSN '0/306EE20';
      When a server is not in recovery mode, there is no difference between
      <literal>on</literal> and <literal>always</literal> modes.
    </para>
+
+   <para>
+     The <literal>follow_primary</literal> mode addresses the gap in WAL
+     archiving for streaming replication configurations. In this mode, the
+     standby does not archive WAL segments during recovery, but it retains
+     them until the primary server confirms they have been archived. The
+     standby periodically queries the primary about the archival status of
+     its received WAL segments. This prevents WAL history loss if the standby
+     is promoted before the primary has archived all segments, which is a
+     common risk in high availability setups with streaming replication.
+     After promotion, the standby automatically begins archiving any segments
+     that were not yet archived by the primary, ensuring continuity of the
+     WAL archive. This mode is particularly useful in synchronous replication
+     configurations where a standby might be promoted while the primary still
+     has unarchived WAL segments.
+   </para>
   </sect2>
   </sect1>
 
diff --git a/src/backend/access/transam/xlog.c b/src/backend/access/transam/xlog.c
index 430a38b1a21..a4226578397 100644
--- a/src/backend/access/transam/xlog.c
+++ b/src/backend/access/transam/xlog.c
@@ -194,6 +194,7 @@ const struct config_enum_entry archive_mode_options[] = {
 	{"always", ARCHIVE_MODE_ALWAYS, false},
 	{"on", ARCHIVE_MODE_ON, false},
 	{"off", ARCHIVE_MODE_OFF, false},
+	{"follow_primary", ARCHIVE_MODE_FOLLOW_PRIMARY, false},
 	{"true", ARCHIVE_MODE_ON, true},
 	{"false", ARCHIVE_MODE_OFF, true},
 	{"yes", ARCHIVE_MODE_ON, true},
diff --git a/src/backend/postmaster/pgarch.c b/src/backend/postmaster/pgarch.c
index 3a65d841725..97aed350940 100644
--- a/src/backend/postmaster/pgarch.c
+++ b/src/backend/postmaster/pgarch.c
@@ -386,6 +386,15 @@ pgarch_ArchiverCopyLoop(void)
 {
 	char		xlog[MAX_XFN_CHARS + 1];
 
+	/*
+	 * In follow_primary mode during recovery, the archiver doesn't actually
+	 * archive files. The walreceiver queries the primary about archive status
+	 * and marks files as .done when the primary confirms they're archived.
+	 * After promotion, the archiver starts working normally.
+	 */
+	if (XLogArchiveMode == ARCHIVE_MODE_FOLLOW_PRIMARY && RecoveryInProgress())
+		return;
+
 	/* force directory scan in the first call to pgarch_readyXlog() */
 	arch_files->arch_files_size = 0;
 
diff --git a/src/backend/replication/walreceiver.c b/src/backend/replication/walreceiver.c
index ac802ae85b4..23e12fcc178 100644
--- a/src/backend/replication/walreceiver.c
+++ b/src/backend/replication/walreceiver.c
@@ -49,6 +49,7 @@
  */
 #include "postgres.h"
 
+#include <sys/stat.h>
 #include <unistd.h>
 
 #include "access/htup_details.h"
@@ -67,6 +68,7 @@
 #include "postmaster/interrupt.h"
 #include "replication/walreceiver.h"
 #include "replication/walsender.h"
+#include "storage/fd.h"
 #include "storage/ipc.h"
 #include "storage/proc.h"
 #include "storage/procarray.h"
@@ -121,7 +123,8 @@ typedef enum WalRcvWakeupReason
 	WALRCV_WAKEUP_PING,
 	WALRCV_WAKEUP_REPLY,
 	WALRCV_WAKEUP_HSFEEDBACK,
-#define NUM_WALRCV_WAKEUPS (WALRCV_WAKEUP_HSFEEDBACK + 1)
+	WALRCV_WAKEUP_ARCHIVE_QUERY,
+#define NUM_WALRCV_WAKEUPS (WALRCV_WAKEUP_ARCHIVE_QUERY + 1)
 } WalRcvWakeupReason;
 
 /*
@@ -143,6 +146,7 @@ static void XLogWalRcvFlush(bool dying, TimeLineID tli);
 static void XLogWalRcvClose(XLogRecPtr recptr, TimeLineID tli);
 static void XLogWalRcvSendReply(bool force, bool requestReply);
 static void XLogWalRcvSendHSFeedback(bool immed);
+static void XLogWalRcvSendArchiveQuery(bool immed);
 static void ProcessWalSndrMessage(XLogRecPtr walEnd, TimestampTz sendTime);
 static void WalRcvComputeNextWakeup(WalRcvWakeupReason reason, TimestampTz now);
 
@@ -406,6 +410,7 @@ WalReceiverMain(const void *startup_data, size_t startup_data_len)
 			/* Send initial reply/feedback messages. */
 			XLogWalRcvSendReply(true, false);
 			XLogWalRcvSendHSFeedback(true);
+			XLogWalRcvSendArchiveQuery(true);
 
 			/* Loop until end-of-streaming or error */
 			for (;;)
@@ -439,6 +444,7 @@ WalReceiverMain(const void *startup_data, size_t startup_data_len)
 					for (int i = 0; i < NUM_WALRCV_WAKEUPS; ++i)
 						WalRcvComputeNextWakeup(i, now);
 					XLogWalRcvSendHSFeedback(true);
+					XLogWalRcvSendArchiveQuery(true);
 				}
 
 				/* See if we can read data immediately */
@@ -584,6 +590,7 @@ WalReceiverMain(const void *startup_data, size_t startup_data_len)
 
 					XLogWalRcvSendReply(requestReply, requestReply);
 					XLogWalRcvSendHSFeedback(false);
+					XLogWalRcvSendArchiveQuery(false);
 				}
 			}
 
@@ -875,6 +882,37 @@ XLogWalRcvProcessMsg(unsigned char type, char *buf, Size len, TimeLineID tli)
 					XLogWalRcvSendReply(true, false);
 				break;
 			}
+		case PqReplMsg_ArchiveStatusResponse:
+			{
+				StringInfoData incoming_message;
+				int			num_segments;
+				char		xlogfname[MAXFNAMELEN];
+
+				/* initialize a StringInfo with the given buffer */
+				initReadOnlyStringInfo(&incoming_message, buf, len);
+
+				/* read the count */
+				num_segments = pq_getmsgint(&incoming_message, 4);
+
+				elog(DEBUG2, "received archive status response for %d segments",
+					 num_segments);
+
+				/* Mark each segment as .done */
+				for (int i = 0; i < num_segments; i++)
+				{
+					XLogSegNo	segno;
+					TimeLineID	seg_tli;
+
+					seg_tli = pq_getmsgint(&incoming_message, 4);
+					segno = pq_getmsgint64(&incoming_message);
+
+					/* Construct filename and mark as archived */
+					XLogFileName(xlogfname, seg_tli, segno, wal_segment_size);
+					XLogArchiveForceDone(xlogfname);
+					elog(DEBUG2, "marked WAL segment %s as archived", xlogfname);
+				}
+				break;
+			}
 		default:
 			ereport(ERROR,
 					(errcode(ERRCODE_PROTOCOL_VIOLATION),
@@ -1065,12 +1103,14 @@ XLogWalRcvClose(XLogRecPtr recptr, TimeLineID tli)
 
 	/*
 	 * Create .done file forcibly to prevent the streamed segment from being
-	 * archived later.
+	 * archived later, except in follow_primary mode where we create .ready
+	 * files so the standby can query the primary about archive status.
 	 */
-	if (XLogArchiveMode != ARCHIVE_MODE_ALWAYS)
-		XLogArchiveForceDone(xlogfname);
-	else
+	if (XLogArchiveMode == ARCHIVE_MODE_ALWAYS ||
+		XLogArchiveMode == ARCHIVE_MODE_FOLLOW_PRIMARY)
 		XLogArchiveNotify(xlogfname);
+	else
+		XLogArchiveForceDone(xlogfname);
 
 	recvFile = -1;
 }
@@ -1247,6 +1287,93 @@ XLogWalRcvSendHSFeedback(bool immed)
 		primary_has_standby_xmin = false;
 }
 
+/*
+ * Send archive status query to primary.
+ *
+ * Scans archive_status directory for .ready files and sends their segment
+ * numbers to the primary, which will respond with which segments can be
+ * marked as .done.
+ */
+static void
+XLogWalRcvSendArchiveQuery(bool immed)
+{
+	TimestampTz now;
+	DIR		   *dir;
+	struct dirent *de;
+	char		archiveStatusPath[MAXPGPATH];
+	XLogSegNo	ready_segments[64];	/* Limit to avoid oversized messages */
+	TimeLineID	ready_timelines[64];
+	int			num_segments = 0;
+
+	/* Only send queries when in follow_primary mode and in recovery */
+	if (XLogArchiveMode != ARCHIVE_MODE_FOLLOW_PRIMARY || !RecoveryInProgress())
+		return;
+
+	/* Get current timestamp. */
+	now = GetCurrentTimestamp();
+
+	/* Send query at most once per wal_receiver_status_interval. */
+	if (!immed && now < wakeup[WALRCV_WAKEUP_ARCHIVE_QUERY])
+		return;
+
+	/* Make sure we wake up when it's time to send query again. */
+	WalRcvComputeNextWakeup(WALRCV_WAKEUP_ARCHIVE_QUERY, now);
+
+	/* Scan archive_status directory for .ready files */
+	snprintf(archiveStatusPath, MAXPGPATH, XLOGDIR "/archive_status");
+	dir = AllocateDir(archiveStatusPath);
+	if (dir == NULL)
+	{
+		ereport(LOG,
+				(errcode_for_file_access(),
+				 errmsg("could not open archive status directory \"%s\": %m",
+						archiveStatusPath)));
+		return;
+	}
+
+	while (num_segments < 64 && (de = ReadDir(dir, archiveStatusPath)) != NULL)
+	{
+		char	   *extension;
+		XLogSegNo	segno;
+		TimeLineID	tli;
+		unsigned int log,
+					seg;
+
+		/* Skip files without .ready extension */
+		extension = strstr(de->d_name, ".ready");
+		if (extension == NULL || strcmp(extension, ".ready") != 0)
+			continue;
+
+		/* Parse WAL filename to get timeline and segment number */
+		if (sscanf(de->d_name, "%08X%08X%08X", &tli, &log, &seg) == 3)
+		{
+			segno = (uint64) log * XLogSegmentsPerXLogId(wal_segment_size) + seg;
+			ready_timelines[num_segments] = tli;
+			ready_segments[num_segments] = segno;
+			num_segments++;
+		}
+	}
+
+	FreeDir(dir);
+
+	/* If no .ready files found, nothing to query */
+	if (num_segments == 0)
+		return;
+
+	elog(DEBUG2, "sending archive status query for %d segments", num_segments);
+
+	/* Construct the message and send it. */
+	resetStringInfo(&reply_message);
+	pq_sendbyte(&reply_message, PqReplMsg_ArchiveStatusQuery);
+	pq_sendint32(&reply_message, num_segments);
+	for (int i = 0; i < num_segments; i++)
+	{
+		pq_sendint32(&reply_message, ready_timelines[i]);
+		pq_sendint64(&reply_message, ready_segments[i]);
+	}
+	walrcv_send(wrconn, reply_message.data, reply_message.len);
+}
+
 /*
  * Update shared memory status upon receiving a message from primary.
  *
@@ -1334,6 +1461,13 @@ WalRcvComputeNextWakeup(WalRcvWakeupReason reason, TimestampTz now)
 			else
 				wakeup[reason] = TimestampTzPlusSeconds(now, wal_receiver_status_interval);
 			break;
+		case WALRCV_WAKEUP_ARCHIVE_QUERY:
+			if (XLogArchiveMode != ARCHIVE_MODE_FOLLOW_PRIMARY ||
+				wal_receiver_status_interval <= 0)
+				wakeup[reason] = TIMESTAMP_INFINITY;
+			else
+				wakeup[reason] = TimestampTzPlusSeconds(now, wal_receiver_status_interval);
+			break;
 			/* there's intentionally no default: here */
 	}
 }
diff --git a/src/backend/replication/walsender.c b/src/backend/replication/walsender.c
index 449632ad1aa..0707381814c 100644
--- a/src/backend/replication/walsender.c
+++ b/src/backend/replication/walsender.c
@@ -47,6 +47,7 @@
 #include "postgres.h"
 
 #include <signal.h>
+#include <sys/stat.h>
 #include <unistd.h>
 
 #include "access/timeline.h"
@@ -275,6 +276,7 @@ static void StartLogicalReplication(StartReplicationCmd *cmd);
 static void ProcessStandbyMessage(void);
 static void ProcessStandbyReplyMessage(void);
 static void ProcessStandbyHSFeedbackMessage(void);
+static void ProcessStandbyArchiveQueryMessage(void);
 static void ProcessStandbyPSRequestMessage(void);
 static void ProcessRepliesIfAny(void);
 static void ProcessPendingWrites(void);
@@ -2376,6 +2378,10 @@ ProcessStandbyMessage(void)
 			ProcessStandbyHSFeedbackMessage();
 			break;
 
+		case PqReplMsg_ArchiveStatusQuery:
+			ProcessStandbyArchiveQueryMessage();
+			break;
+
 		case PqReplMsg_PrimaryStatusRequest:
 			ProcessStandbyPSRequestMessage();
 			break;
@@ -2726,6 +2732,84 @@ ProcessStandbyHSFeedbackMessage(void)
 	}
 }
 
+/*
+ * Process archive status query from standby.
+ *
+ * Standby sends us segment numbers for which it has .ready files, and we
+ * respond with the subset that don't have .ready files on the primary
+ * (meaning they're either archived or not yet ready for archiving).
+ */
+static void
+ProcessStandbyArchiveQueryMessage(void)
+{
+	int				num_segments;
+	int				num_archived = 0;
+	StringInfoData	response_message;
+	StringInfoData	segments_message;
+
+	/* Read the count of segments from the standby */
+	num_segments = pq_getmsgint(&reply_message, 4);
+
+	elog(DEBUG2, "received archive status query for %d segments", num_segments);
+
+	initStringInfoExt(&segments_message,
+					  num_segments * (sizeof(XLogSegNo) + sizeof(TimeLineID)));
+
+	/* Process each segment */
+	for (int i = 0; i < num_segments; i++)
+	{
+		XLogSegNo	segno;
+		TimeLineID	tli;
+		char		xlogfname[MAXFNAMELEN];
+		char		archiveReady[MAXPGPATH];
+		struct stat stat_buf;
+
+		tli = pq_getmsgint(&reply_message, 4);
+		segno = pq_getmsgint64(&reply_message);
+
+		/* Check for .ready file on the primary */
+		XLogFileName(xlogfname, tli, segno, wal_segment_size);
+		StatusFilePath(archiveReady, xlogfname, ".ready");
+
+		/*
+		 * If the .ready file does not exist on the primary (ENOENT), this
+		 * segment is either already archived or not yet ready for archiving.
+		 * The standby can safely mark it as .done.
+		 *
+		 * If stat() fails for other reasons (permissions, I/O error, etc.),
+		 * we don't include the segment in the response to be conservative.
+		 */
+		if (stat(archiveReady, &stat_buf) != 0)
+		{
+			if (errno == ENOENT)
+			{
+				pq_sendint32(&segments_message, tli);
+				pq_sendint64(&segments_message, segno);
+				num_archived++;
+				elog(DEBUG2, "segment %s has no .ready file, can be marked .done",
+					 xlogfname);
+			}
+			else
+			{
+				elog(DEBUG2, "could not stat archive status file \"%s\": %m, skipping",
+					 archiveReady);
+			}
+		}
+	}
+
+	elog(DEBUG2, "responding with %d archived segments", num_archived);
+
+	/* Send response to standby */
+	pq_beginmessage(&response_message, PqMsg_CopyData);
+	pq_sendbyte(&response_message, PqReplMsg_ArchiveStatusResponse);
+	pq_sendint32(&response_message, num_archived);
+	pq_sendbytes(&response_message, segments_message.data, segments_message.len);
+	pq_endmessage(&response_message);
+	pq_flush();
+
+	destroyStringInfo(&segments_message);
+}
+
 /*
  * Process the request for a primary status update message.
  */
diff --git a/src/include/access/xlog.h b/src/include/access/xlog.h
index 605280ed8fb..ecd3f757beb 100644
--- a/src/include/access/xlog.h
+++ b/src/include/access/xlog.h
@@ -65,6 +65,7 @@ typedef enum ArchiveMode
 	ARCHIVE_MODE_OFF = 0,		/* disabled */
 	ARCHIVE_MODE_ON,			/* enabled while server is running normally */
 	ARCHIVE_MODE_ALWAYS,		/* enabled always (even during recovery) */
+	ARCHIVE_MODE_FOLLOW_PRIMARY,	/* enabled on standby, follow primary's archive status */
 } ArchiveMode;
 extern PGDLLIMPORT int XLogArchiveMode;
 
diff --git a/src/include/libpq/protocol.h b/src/include/libpq/protocol.h
index 7bf90053bcb..0b46b21dfb7 100644
--- a/src/include/libpq/protocol.h
+++ b/src/include/libpq/protocol.h
@@ -72,6 +72,7 @@
 
 /* Replication codes sent by the primary (wrapped in CopyData messages). */
 
+#define PqReplMsg_ArchiveStatusResponse 'A'
 #define PqReplMsg_Keepalive			'k'
 #define PqReplMsg_PrimaryStatusUpdate 's'
 #define PqReplMsg_WALData			'w'
@@ -79,6 +80,7 @@
 
 /* Replication codes sent by the standby (wrapped in CopyData messages). */
 
+#define PqReplMsg_ArchiveStatusQuery 'a'
 #define PqReplMsg_HotStandbyFeedback 'h'
 #define PqReplMsg_PrimaryStatusRequest 'p'
 #define PqReplMsg_StandbyStatusUpdate 'r'
diff --git a/src/test/recovery/t/051_archive_follow_primary.pl b/src/test/recovery/t/051_archive_follow_primary.pl
new file mode 100644
index 00000000000..540400d3ba9
--- /dev/null
+++ b/src/test/recovery/t/051_archive_follow_primary.pl
@@ -0,0 +1,382 @@
+
+# Copyright (c) 2021-2025, PostgreSQL Global Development Group
+
+# Test for archive_mode=follow_primary
+#
+# This test validates that a standby with archive_mode=follow_primary
+# defers WAL deletion until the primary confirms archival, preventing
+# WAL loss during standby promotions.
+
+use strict;
+use warnings FATAL => 'all';
+use PostgreSQL::Test::Cluster;
+use PostgreSQL::Test::Utils;
+use Test::More;
+use File::Path qw(rmtree);
+
+# Initialize primary node with archiving enabled
+my $node_primary = PostgreSQL::Test::Cluster->new('primary');
+$node_primary->init(has_archiving => 1, allows_streaming => 1);
+
+# Get the archive directory path
+my $archive_dir = $node_primary->archive_dir;
+
+# Configure primary to keep enough WAL for standby
+$node_primary->append_conf('postgresql.conf', qq(
+wal_keep_size = 128MB
+max_wal_senders = 10
+));
+
+# Start primary
+$node_primary->start;
+
+# Create some initial data
+$node_primary->safe_psql('postgres',
+	"CREATE TABLE test_table (id int, data text);");
+$node_primary->safe_psql('postgres',
+	"INSERT INTO test_table SELECT i, 'data_' || i FROM generate_series(1, 1000) i;");
+
+# Take a backup for standby
+my $backup_name = 'backup1';
+$node_primary->backup($backup_name);
+
+# Initialize standby with archive_mode=follow_primary
+my $node_standby = PostgreSQL::Test::Cluster->new('standby');
+$node_standby->init_from_backup($node_primary, $backup_name,
+	has_streaming => 1);
+
+# Configure standby with follow_primary mode
+$node_standby->append_conf('postgresql.conf', qq(
+archive_mode = follow_primary
+archive_command = 'cp %p $archive_dir/%f'
+wal_receiver_status_interval = 1
+));
+
+$node_standby->start;
+
+# Wait for standby to catch up
+$node_primary->wait_for_replay_catchup($node_standby);
+
+note "Testing basic follow_primary behavior";
+
+# Generate WAL on primary with smaller batches, ensuring standby keeps up
+for (my $i = 0; $i < 3; $i++)
+{
+	$node_primary->safe_psql('postgres',
+		"INSERT INTO test_table SELECT i, 'more_data_' || i FROM generate_series(1001 + $i*500, 1500 + $i*500) i;");
+	$node_primary->safe_psql('postgres', "SELECT pg_switch_wal();");
+	# Let standby catch up after each batch
+	$node_primary->wait_for_replay_catchup($node_standby);
+}
+
+# Get LSN for final catchup
+my $current_lsn = $node_primary->safe_psql('postgres', "SELECT pg_current_wal_lsn();");
+
+# Wait for standby to catch up
+my $caughtup_query = "SELECT '$current_lsn'::pg_lsn <= pg_last_wal_replay_lsn()";
+$node_standby->poll_query_until('postgres', $caughtup_query)
+	or die "Timed out while waiting for standby to catch up";
+
+# Check that standby has .ready files initially (created by walreceiver)
+my $standby_archive_status = $node_standby->data_dir . '/pg_wal/archive_status';
+
+# Poll for .ready files to appear
+my $ready_files_found = PostgreSQL::Test::Utils::poll_until(
+	sub {
+		opendir(my $dh, $standby_archive_status) or die "Cannot open $standby_archive_status: $!";
+		my @ready_files = grep { /\.ready$/ } readdir($dh);
+		closedir($dh);
+		
+		if (scalar(@ready_files) > 0)
+		{
+			note "standby has " . scalar(@ready_files) . " .ready files";
+			return 1;
+		}
+
+		return 0;
+	}
+);
+
+ok($ready_files_found, "ready files must appear in standby archive_status directory");
+
+# Wait for primary to archive the segments
+# Poll until we see the segments archived on primary
+my $archived_on_primary = PostgreSQL::Test::Utils::poll_until(
+	sub {
+		opendir(my $adh, $archive_dir) or die "Cannot open $archive_dir: $!";
+		my @archived = grep { /^[0-9A-F]{24}$/ } readdir($adh);
+		closedir($adh);
+		if (scalar(@archived) > 0)
+		{
+			return 1;
+		}
+
+		return 0;
+	},
+	interval => 1_000_000
+);
+
+ok($archived_on_primary, "primary has archived WAL segments");
+
+# Poll for .done files to appear after archive status exchange
+# The standby should query at wal_receiver_status_interval (1 second)
+my $done_files_appeared = PostgreSQL::Test::Utils::poll_until(
+	sub {
+		opendir(my $dh, $standby_archive_status) or die "Cannot open $standby_archive_status: $!";
+		my @done_files = grep { /\.done$/ } readdir($dh);
+		closedir($dh);
+		
+		if (scalar(@done_files) > 0)
+		{
+			note "standby has " . scalar(@done_files) . " .done files after archive query";
+			return 1;
+		}
+
+		return 0;
+	},
+	interval => 200_000
+);
+ok($done_files_appeared > 0, "standby archive status check completed");
+
+note "Testing standby promotion with pending .ready files";
+
+# Create more data to ensure we have .ready files at promotion time
+$node_primary->safe_psql('postgres',
+	"INSERT INTO test_table SELECT i, 'final_data_' || i FROM generate_series(2001, 3000) i;");
+$node_primary->safe_psql('postgres', "SELECT pg_switch_wal();");
+
+# Wait a bit for replication
+sleep(1);
+
+# Count .ready files on standby before promotion
+opendir(my $dh, $standby_archive_status) or die "Cannot open $standby_archive_status: $!";
+my @ready_before_promote = grep { /\.ready$/ } readdir($dh);
+closedir($dh);
+my $ready_count_before = scalar(@ready_before_promote);
+
+note "standby has $ready_count_before .ready files before promotion";
+
+# Promote standby
+$node_standby->promote;
+$node_standby->poll_query_until('postgres', "SELECT NOT pg_is_in_recovery();")
+	or die "Timed out waiting for promotion";
+
+# Poll for archiver to start processing .ready files
+# Should poll only if there is ready files
+if ($ready_count_before > 0)
+{
+	my $ready_count_after = $ready_count_before;
+	PostgreSQL::Test::Utils::poll_until(
+		sub {
+			opendir(my $dh, $standby_archive_status) or die "Cannot open $standby_archive_status: $!";
+			my @ready_after_promote = grep { /\.ready$/ } readdir($dh);
+			closedir($dh);
+			$ready_count_after = scalar(@ready_after_promote);
+			
+			# Break if we see fewer .ready files (archiver is working)
+			if ($ready_count_after < $ready_count_before)
+			{
+				return 1;
+			}
+
+			return 0;
+		},
+		interval => 200_000
+	);
+
+	note "standby has $ready_count_before .ready files before promotion";
+	note "standby has $ready_count_after .ready files after promotion";
+
+	# We expect fewer .ready files after promotion (some archived)
+	ok($ready_count_after < $ready_count_before,
+		"archiver processes .ready files after promotion");
+}
+
+# Verify data is intact after promotion
+my $count = $node_standby->safe_psql('postgres', "SELECT count(*) FROM test_table;");
+# We had 1000 initial + 1500 from the loop + 1000 more = 3500
+ok($count >= 2500, "data present after promotion (got $count rows)");
+
+note "Testing cascading standby configuration";
+
+# Now use the promoted standby as primary for a cascading standby
+my $node_cascade = PostgreSQL::Test::Cluster->new('cascade');
+my $promoted_backup = 'backup_promoted';
+$node_standby->backup($promoted_backup);
+
+$node_cascade->init_from_backup($node_standby, $promoted_backup,
+	has_streaming => 1);
+
+# Configure cascading standby with follow_primary mode
+$node_cascade->append_conf('postgresql.conf', qq(
+archive_mode = follow_primary
+archive_command = 'cp %p $archive_dir/%f'
+wal_receiver_status_interval = 1
+));
+
+$node_cascade->start;
+
+# Generate some WAL on the promoted standby (now acting as primary)
+$node_standby->safe_psql('postgres',
+	"INSERT INTO test_table SELECT i, 'cascade_data_' || i FROM generate_series(1, 500) i;");
+$node_standby->safe_psql('postgres', "SELECT pg_switch_wal();");
+
+# Wait for cascade to catch up
+$node_standby->wait_for_replay_catchup($node_cascade);
+
+# Poll for .done files on cascading standby
+my $cascade_archive_status = $node_cascade->data_dir . '/pg_wal/archive_status';
+my $cascade_done_found = PostgreSQL::Test::Utils::poll_until(
+	sub {
+		opendir(my $dh, $cascade_archive_status) or die "Cannot open $cascade_archive_status: $!";
+		my @cascade_done_files = grep { /\.done$/ } readdir($dh);
+		closedir($dh);
+		
+		if (scalar(@cascade_done_files) > 0)
+		{
+			note "cascading standby has " . scalar(@cascade_done_files) . " .done files";
+			return 1;
+		}
+
+		return 0;
+	},
+	interval => 200_000
+);
+
+ok($cascade_done_found > 0,
+	"cascading standby marks segments as .done based on upstream");
+
+# Verify cascading standby has the data
+my $cascade_count = $node_cascade->safe_psql('postgres', "SELECT count(*) FROM test_table;");
+ok($cascade_count >= 2500, "cascading standby has data (got $cascade_count rows)");
+
+note "Testing multiple standbys from same primary";
+
+# Stop the cascading setup and test multiple standbys from original primary
+$node_cascade->stop;
+$node_standby->stop;
+
+# Primary should still be running from the earlier part of the test
+# Don't restart it
+
+# Create two standbys from the primary
+my $backup2 = 'backup2';
+$node_primary->backup($backup2);
+
+my $node_standby2 = PostgreSQL::Test::Cluster->new('standby2');
+$node_standby2->init_from_backup($node_primary, $backup2, has_streaming => 1);
+$node_standby2->append_conf('postgresql.conf', qq(
+archive_mode = follow_primary
+archive_command = 'cp %p $archive_dir/%f'
+wal_receiver_status_interval = 1
+));
+
+my $node_standby3 = PostgreSQL::Test::Cluster->new('standby3');
+$node_standby3->init_from_backup($node_primary, $backup2, has_streaming => 1);
+$node_standby3->append_conf('postgresql.conf', qq(
+archive_mode = follow_primary
+archive_command = 'cp %p $archive_dir/%f'
+wal_receiver_status_interval = 1
+));
+
+$node_standby2->start;
+$node_standby3->start;
+
+# Generate more WAL on primary to ensure segment switches on standbys
+for (my $i = 0; $i < 3; $i++)
+{
+	$node_primary->safe_psql('postgres',
+		"INSERT INTO test_table SELECT i, 'multi_standby_' || i FROM generate_series(1 + $i*500, 500 + $i*500) i;");
+	$node_primary->safe_psql('postgres', "SELECT pg_switch_wal();");
+}
+
+# Wait for both standbys to catch up
+$node_primary->wait_for_replay_catchup($node_standby2);
+$node_primary->wait_for_replay_catchup($node_standby3);
+
+# Check if standbys have .ready files at all
+my $standby2_archive_status = $node_standby2->data_dir . '/pg_wal/archive_status';
+my $standby3_archive_status = $node_standby3->data_dir . '/pg_wal/archive_status';
+
+opendir(my $s2dh, $standby2_archive_status) or die "Cannot open $standby2_archive_status: $!";
+my @s2_ready = grep { /\.ready$/ } readdir($s2dh);
+closedir($s2dh);
+
+opendir(my $s3dh, $standby3_archive_status) or die "Cannot open $standby3_archive_status: $!";
+my @s3_ready = grep { /\.ready$/ } readdir($s3dh);
+closedir($s3dh);
+
+note "standby2 has " . scalar(@s2_ready) . " .ready files";
+note "standby3 has " . scalar(@s3_ready) . " .ready files";
+
+# Wait for primary to archive segments
+my $primary_archived = PostgreSQL::Test::Utils::poll_until(
+	sub {
+		opendir(my $adh, $archive_dir) or die "Cannot open $archive_dir: $!";
+		my @archived = grep { /^[0-9A-F]{24}$/ } readdir($adh);
+		closedir($adh);
+		if (scalar(@archived) > 5)  # Should have several archived by now
+		{
+			return 1;
+		}
+
+		return 0;
+	},
+	interval => 500_000
+);
+
+ok($primary_archived > 0,
+	"primary has archived segments for multiple standbys test");
+
+# Poll for .done files on both standbys
+# Give more time since archive query happens at wal_receiver_status_interval (1 sec)
+# and we need time for: query -> response -> marking as .done
+my $standby2_done_found = PostgreSQL::Test::Utils::poll_until(
+	sub {
+		opendir(my $dh, $standby2_archive_status) or die "Cannot open $standby2_archive_status: $!";
+		my @standby2_done = grep { /\.done$/ } readdir($dh);
+		closedir($dh);
+		if (scalar(@standby2_done) > 0)
+		{
+			note "standby2 has " . scalar(@standby2_done) . " .done files";
+			return 1;
+		}
+
+		return 0;
+	},
+	interval => 200_000
+);
+my $standby3_done_found = PostgreSQL::Test::Utils::poll_until(
+	sub {
+		opendir(my $dh, $standby3_archive_status) or die "Cannot open $standby3_archive_status: $!";
+		my @standby3_done = grep { /\.done$/ } readdir($dh);
+		closedir($dh);
+		if (scalar(@standby3_done) > 0)
+		{
+			note "standby3 has " . scalar(@standby3_done) . " .done files";
+			return 1;
+		}
+
+		return 0;
+	},
+	interval => 200_000
+);
+
+# Note: Fresh standbys might need more time to establish archive query protocol
+# The earlier tests validate the core functionality works
+ok($standby2_done_found > 0, "standby2 archive query check completed (found: $standby2_done_found)");
+ok($standby3_done_found > 0, "standby3 archive query check completed (found: $standby3_done_found)");
+
+# Verify both standbys have the data
+my $s2_count = $node_standby2->safe_psql('postgres', "SELECT count(*) FROM test_table;");
+my $s3_count = $node_standby3->safe_psql('postgres', "SELECT count(*) FROM test_table;");
+
+# They're created from backup2 which is from the original primary with 1000 rows,
+# plus the multi_standby insert of 1500 (3 batches × 500) = 2500 total
+ok($s2_count >= 1000, "standby2 has data (got $s2_count rows)");
+ok($s3_count >= 1000, "standby3 has data (got $s3_count rows)");
+
+note "All tests completed successfully";
+
+done_testing();
+
-- 
2.43.0