@pafi-dev/issuer-postgres 0.2.0 → 0.4.0

package/dist/index.js

@@ -10,6 +10,7 @@ var __decorateClass = (decorators, target, key, kind) => {
 };
 
 // src/postgresPointLedger.ts
+import { MoreThan } from "typeorm";
 import { getAddress } from "viem";
 
 // src/entities/locked-mint.entity.ts
@@ -79,7 +80,22 @@ __decorateClass([
 ], LockedMintEntity.prototype, "userOpHash", 2);
 LockedMintEntity = __decorateClass([
   Entity({ name: "locked_mint_requests" }),
-  Index(["userAddress", "status"])
+  Index("IDX_locked_mint_user_token_status_expires", [
+    "userAddress",
+    "tokenAddress",
+    "status",
+    "expiresAt"
+  ]),
+  Index("IDX_locked_mint_user_token_amount_status", [
+    "userAddress",
+    "tokenAddress",
+    "amount",
+    "status"
+  ]),
+  Index("IDX_locked_mint_pending_expires", ["expiresAt"], {
+    where: `"status" = 'PENDING'`
+  }),
+  Index("IDX_locked_mint_user_op_hash", ["userOpHash"])
 ], LockedMintEntity);
 
 // src/entities/pending-credit.entity.ts
@@ -244,11 +260,22 @@ __decorateClass([
 ], LedgerJournalEntity.prototype, "createdAt", 2);
 LedgerJournalEntity = __decorateClass([
   Entity4({ name: "ledger_journal" }),
-  Index3(["userAddress", "createdAt"])
+  Index3(["userAddress", "createdAt"]),
+  Index3(
+    "UQ_ledger_journal_user_token_tx_reason",
+    ["userAddress", "tokenAddress", "txHash", "reason"],
+    {
+      unique: true,
+      where: '"tx_hash" IS NOT NULL'
+    }
+  )
 ], LedgerJournalEntity);
 
 // src/postgresPointLedger.ts
 var RETRIABLE_PG_CODES = /* @__PURE__ */ new Set(["40P01", "40001"]);
+var UNIQUE_VIOLATION = "23505";
+var JOURNAL_IDEMPOTENCY_CONSTRAINT = "UQ_ledger_journal_user_token_tx_reason";
+var LEGACY_JOURNAL_IDEMPOTENCY_CONSTRAINT = "UQ_ledger_journal_user_tx_reason";
 function isRetriablePgError(err) {
   const e = err;
   if (!e) return false;
@@ -258,6 +285,18 @@ function isRetriablePgError(err) {
   }
   return false;
 }
+function isJournalIdempotencyViolation(err) {
+  const e = err;
+  if (!e) return false;
+  const code = e.code ?? e.driverError?.code;
+  if (code !== UNIQUE_VIOLATION) return false;
+  const constraint = e.constraint ?? e.driverError?.constraint;
+  if (constraint === JOURNAL_IDEMPOTENCY_CONSTRAINT || constraint === LEGACY_JOURNAL_IDEMPOTENCY_CONSTRAINT) {
+    return true;
+  }
+  const message = e.message ?? e.driverError?.message ?? "";
+  return message.includes(JOURNAL_IDEMPOTENCY_CONSTRAINT) || message.includes(LEGACY_JOURNAL_IDEMPOTENCY_CONSTRAINT);
+}
 async function withDeadlockRetry(dataSource, fn, maxAttempts = 3) {
   let attempt = 0;
   let delayMs = 25;
@@ -329,6 +368,40 @@ var PostgresPointLedger = class {
     }
     return swept;
   }
+  /**
+   * Audit PACI5-20 — symmetric counterpart of `markExpiredLocks` for
+   * the redeem/burn (PendingCredit) side. Marks all expired PENDING
+   * pending_credits as EXPIRED so abandoned reservations can no
+   * longer hijack later burns' attribution in `findPendingCreditLockId`.
+   *
+   * The README has always promised this sweep; the pre-fix code only
+   * shipped the mint-side `markExpiredLocks`, leaving credits to
+   * accumulate forever (storage bloat) and stay matchable past their
+   * deadline (attribution corruption). Wire it into the BurnIndexer
+   * tick the same way `markExpiredLocks` is wired into the
+   * MintIndexer tick — typically every 1-5 minutes.
+   *
+   * Defense-in-depth: `findPendingCreditLockId` also filters
+   * `expires_at > now()` so a missed-tick window can't reintroduce
+   * the hijack.
+   *
+   * @example
+   * ```ts
+   * @Interval(60_000)
+   * async sweep() {
+   *   await this.ledger.markExpiredLocks();
+   *   await this.ledger.markExpiredCredits();
+   * }
+   * ```
+   */
+  async markExpiredCredits() {
+    const result = await this.dataSource.getRepository(PendingCreditEntity).createQueryBuilder().update().set({ status: "EXPIRED" }).where("status = :pending", { pending: "PENDING" }).andWhere("expires_at <= :now", { now: /* @__PURE__ */ new Date() }).execute();
+    const swept = result.affected ?? 0;
+    if (swept > 0) {
+      this.logger?.debug?.(`markExpiredCredits: swept ${swept} pending credits`);
+    }
+    return swept;
+  }
   async getLockedRequests(userAddress, tokenAddress) {
     const { user, token } = normalize(userAddress, tokenAddress);
     const rows = await this.dataSource.getRepository(LockedMintEntity).find({
@@ -453,43 +526,72 @@ var PostgresPointLedger = class {
       throw new Error("deductBalance: amount must be positive");
     }
     const { user, token } = normalize(userAddress, tokenAddress);
-    await withDeadlockRetry(this.dataSource, async (tx) => {
-      const balance = await tx.getRepository(UserBalanceEntity).createQueryBuilder("balance").setLock("pessimistic_write").where("balance.user_address = :user", { user }).andWhere("balance.token_address = :token", { token }).getOne();
-      if (!balance || balance.balance < amount) {
-        throw new Error(
-          `Cannot deduct ${amount} from balance ${balance?.balance ?? 0n}`
+    try {
+      await withDeadlockRetry(this.dataSource, async (tx) => {
+        const balance = await tx.getRepository(UserBalanceEntity).createQueryBuilder("balance").setLock("pessimistic_write").where("balance.user_address = :user", { user }).andWhere("balance.token_address = :token", { token }).getOne();
+        const already = await tx.getRepository(LedgerJournalEntity).findOne({
+          where: {
+            userAddress: user,
+            tokenAddress: token,
+            txHash,
+            reason: "MINT_CONFIRMED"
+          }
+        });
+        if (already) {
+          this.logger?.debug?.(
+            `deductBalance: idempotent skip tx=${txHash} user=${user} token=${token}`
+          );
+          return;
+        }
+        if (!balance || balance.balance < amount) {
+          throw new Error(
+            `Cannot deduct ${amount} from balance ${balance?.balance ?? 0n}`
+          );
+        }
+        await tx.getRepository(UserBalanceEntity).update(
+          { userAddress: user, tokenAddress: token },
+          { balance: balance.balance - amount }
         );
-      }
-      await tx.getRepository(UserBalanceEntity).update(
-        { userAddress: user, tokenAddress: token },
-        { balance: balance.balance - amount }
-      );
-      await tx.getRepository(LedgerJournalEntity).insert({
-        userAddress: user,
-        tokenAddress: token,
-        delta: -amount,
-        reason: "MINT_CONFIRMED",
-        txHash
-      });
-      const match = await tx.getRepository(LockedMintEntity).findOne({
-        where: {
+        await tx.getRepository(LedgerJournalEntity).insert({
           userAddress: user,
           tokenAddress: token,
-          amount,
-          status: "PENDING"
-        },
-        order: { createdAt: "ASC" }
+          delta: -amount,
+          reason: "MINT_CONFIRMED",
+          txHash
+        });
+        const match = await tx.getRepository(LockedMintEntity).findOne({
+          where: {
+            userAddress: user,
+            tokenAddress: token,
+            amount,
+            status: "PENDING"
+          },
+          order: { createdAt: "ASC" }
+        });
+        if (match) {
+          await tx.getRepository(LockedMintEntity).update({ id: match.id }, { status: "MINTED", txHash });
+        }
       });
-      if (match) {
-        await tx.getRepository(LockedMintEntity).update({ id: match.id }, { status: "MINTED", txHash });
+    } catch (err) {
+      if (isJournalIdempotencyViolation(err)) {
+        this.logger?.debug?.(
+          `deductBalance: idempotent (concurrent race) tx=${txHash} user=${user}`
+        );
+        return;
       }
-    });
+      throw err;
+    }
     this.logger?.log?.(`deduct ${user}[${token}] -${amount} tx=${txHash}`);
   }
   async updateMintStatus(lockId, status, txHash) {
     const update = { status };
     if (txHash) update.txHash = txHash;
-    await this.dataSource.getRepository(LockedMintEntity).update({ id: lockId }, update);
+    const result = await this.dataSource.getRepository(LockedMintEntity).createQueryBuilder().update().set(update).where("id = :id", { id: lockId }).andWhere("status = :pending", { pending: "PENDING" }).execute();
+    if ((result.affected ?? 0) === 0) {
+      this.logger?.debug?.(
+        `updateMintStatus: lock ${lockId} not in PENDING (terminal state), no-op`
+      );
+    }
   }
   async bindMintUserOpHash(lockId, userOpHash) {
     await this.dataSource.getRepository(LockedMintEntity).update({ id: lockId }, { userOpHash });
@@ -521,7 +623,7 @@ var PostgresPointLedger = class {
     return row.id;
   }
   async resolveCreditByBurnTx(lockId, txHash) {
-    await withDeadlockRetry(this.dataSource, async (tx) => {
+    const run = async () => withDeadlockRetry(this.dataSource, async (tx) => {
       const credit = await tx.getRepository(PendingCreditEntity).createQueryBuilder("credit").setLock("pessimistic_write").where("credit.id = :id", { id: lockId }).getOne();
       if (!credit) {
         throw new Error(
@@ -574,13 +676,46 @@ var PostgresPointLedger = class {
         { status: "RESOLVED", txHash, resolvedAt: /* @__PURE__ */ new Date() }
       );
     });
+    try {
+      await run();
+    } catch (err) {
+      if (isJournalIdempotencyViolation(err)) {
+        this.logger?.debug?.(
+          `resolveCreditByBurnTx: concurrent race on tx=${txHash} lock=${lockId}, replaying via sibling defense`
+        );
+        await run();
+      } else {
+        throw err;
+      }
+    }
     this.logger?.log?.(`resolve pending credit ${lockId} tx=${txHash}`);
   }
   /**
    * Used by `BurnIndexer.matchLockId` to resolve an on-chain burn
-   * event back to a pending credit row. Returns the oldest matching
-   * `(user, token, amount, status: PENDING)` lockId, or undefined
-   * when no match exists (unsolicited burn — indexer skips).
+   * event back to a pending credit row. Returns the **newest**
+   * matching `(user, token, amount, status: PENDING, expires_at > now)`
+   * lockId, or undefined when no match exists (unsolicited burn —
+   * indexer skips).
+   *
+   * Audit PACI5-20 — two filters narrowed since the pre-fix shipped:
+   *
+   *   1. `expires_at > now()` — abandoned PENDING reservations past
+   *      their deadline no longer hijack a fresh burn's attribution.
+   *      This is defense-in-depth in case `markExpiredCredits` hasn't
+   *      run recently (missed-tick window).
+   *
+   *   2. `ORDER BY createdAt DESC` (was ASC) — when multiple PENDING
+   *      reservations match the same (user, token, amount) within
+   *      the validity window, prefer the most recent one. Matches
+   *      user mental model: "I just submitted /redeem, my recent
+   *      reservation should win" rather than resurrecting a stale
+   *      one. With the sweep + filter the typical steady state has
+   *      at most one matching row, so this only affects edge cases
+   *      (very fast re-submit, or concurrent flows).
+   *
+   * Combined with the partial UNIQUE index on `(txHash, status =
+   * RESOLVED)` from PACI5-7, the attribution can no longer drift
+   * across sessions even under adversarial conditions.
    */
   async findPendingCreditLockId(userAddress, amount, tokenAddress) {
     const { user, token } = normalize(userAddress, tokenAddress);
@@ -589,9 +724,10 @@ var PostgresPointLedger = class {
         userAddress: user,
         tokenAddress: token,
         amount,
-        status: "PENDING"
+        status: "PENDING",
+        expiresAt: MoreThan(/* @__PURE__ */ new Date())
       },
-      order: { createdAt: "ASC" }
+      order: { createdAt: "DESC" }
     });
     return row?.id;
   }
@@ -930,10 +1066,103 @@ var CreateRedemptionHistory1746230400001 = class {
   }
 };
 
+// src/migrations/1747500000000-AddJournalIdempotencyIndex.ts
+var AddJournalIdempotencyIndex1747500000000 = class {
+  name = "AddJournalIdempotencyIndex1747500000000";
+  async up(queryRunner) {
+    await queryRunner.query(`
+      CREATE UNIQUE INDEX IF NOT EXISTS "UQ_ledger_journal_user_tx_reason"
+        ON "ledger_journal" ("user_address", "tx_hash", "reason")
+        WHERE "tx_hash" IS NOT NULL
+    `);
+  }
+  async down(queryRunner) {
+    await queryRunner.query(
+      `DROP INDEX IF EXISTS "UQ_ledger_journal_user_tx_reason"`
+    );
+  }
+};
+
+// src/migrations/1747600000000-AddLockedMintCompositeIndexes.ts
+var AddLockedMintCompositeIndexes1747600000000 = class {
+  name = "AddLockedMintCompositeIndexes1747600000000";
+  /**
+   * CONCURRENTLY index DDL cannot run inside a transaction. Tell
+   * TypeORM to issue these statements directly.
+   */
+  transaction = false;
+  async up(queryRunner) {
+    await queryRunner.query(`
+      CREATE INDEX CONCURRENTLY IF NOT EXISTS
+        "IDX_locked_mint_user_token_status_expires"
+      ON "locked_mint_requests"
+        ("user_address", "token_address", "status", "expires_at")
+    `);
+    await queryRunner.query(`
+      CREATE INDEX CONCURRENTLY IF NOT EXISTS
+        "IDX_locked_mint_user_token_amount_status"
+      ON "locked_mint_requests"
+        ("user_address", "token_address", "amount", "status")
+    `);
+    await queryRunner.query(`
+      CREATE INDEX CONCURRENTLY IF NOT EXISTS
+        "IDX_locked_mint_pending_expires"
+      ON "locked_mint_requests" ("expires_at")
+      WHERE "status" = 'PENDING'
+    `);
+    await queryRunner.query(
+      `DROP INDEX CONCURRENTLY IF EXISTS "IDX_locked_mint_user_status"`
+    );
+  }
+  async down(queryRunner) {
+    await queryRunner.query(`
+      CREATE INDEX CONCURRENTLY IF NOT EXISTS "IDX_locked_mint_user_status"
+      ON "locked_mint_requests" ("user_address", "token_address", "status")
+    `);
+    await queryRunner.query(
+      `DROP INDEX CONCURRENTLY IF EXISTS "IDX_locked_mint_pending_expires"`
+    );
+    await queryRunner.query(
+      `DROP INDEX CONCURRENTLY IF EXISTS "IDX_locked_mint_user_token_amount_status"`
+    );
+    await queryRunner.query(
+      `DROP INDEX CONCURRENTLY IF EXISTS "IDX_locked_mint_user_token_status_expires"`
+    );
+  }
+};
+
+// src/migrations/1747700000000-FixIdempotencyAddTokenAddress.ts
+var FixIdempotencyAddTokenAddress1747700000000 = class {
+  name = "FixIdempotencyAddTokenAddress1747700000000";
+  async up(queryRunner) {
+    await queryRunner.query(
+      `DROP INDEX IF EXISTS "UQ_ledger_journal_user_tx_reason"`
+    );
+    await queryRunner.query(`
+      CREATE UNIQUE INDEX IF NOT EXISTS "UQ_ledger_journal_user_token_tx_reason"
+        ON "ledger_journal" ("user_address", "token_address", "tx_hash", "reason")
+        WHERE "tx_hash" IS NOT NULL
+    `);
+  }
+  async down(queryRunner) {
+    await queryRunner.query(
+      `DROP INDEX IF EXISTS "UQ_ledger_journal_user_token_tx_reason"`
+    );
+    await queryRunner.query(`
+      CREATE UNIQUE INDEX IF NOT EXISTS "UQ_ledger_journal_user_tx_reason"
+        ON "ledger_journal" ("user_address", "tx_hash", "reason")
+        WHERE "tx_hash" IS NOT NULL
+    `);
+  }
+};
+
 // src/migrations/index.ts
 var PAFI_MIGRATIONS = [
   InitialSchema1700000000000,
-  CreateRedemptionHistory1746230400001
+  CreateRedemptionHistory1746230400001,
+  AddJournalIdempotencyIndex1747500000000,
+  AddLockedMintCompositeIndexes1747600000000,
+  FixIdempotencyAddTokenAddress1747700000000
 ];
 export {
   CreateRedemptionHistory1746230400001,