@syncular/server-hono 0.0.6-158 → 0.0.6-165

package/src/routes.ts

@@ -14,6 +14,7 @@ import {
   distributionSyncMetric,
   ErrorResponseSchema,
   logSyncEvent,
+  ScopeValuesSchema,
   SyncCombinedRequestSchema,
   SyncCombinedResponseSchema,
   SyncPushRequestSchema,
@@ -38,10 +39,13 @@ import {
   maybePruneSync,
   type PruneOptions,
   type PullResult,
+  parseJsonValue,
   pull,
   pushCommit,
   readSnapshotChunk,
   recordClientCursor,
+  resolveEffectiveScopesForSubscriptions,
+  scopesToSnapshotChunkScopeKey,
 } from '@syncular/server';
 import type { Context, MiddlewareHandler } from 'hono';
 import { Hono } from 'hono';
@@ -55,6 +59,7 @@ import {
   sql,
 } from 'kysely';
 import { z } from 'zod';
+import { isBenignConsoleSchemaError } from './console/schema-errors';
 import {
   createRateLimiter,
   DEFAULT_SYNC_RATE_LIMITS,
@@ -96,6 +101,27 @@ export interface SyncWebSocketConfig {
    * Default: 3
    */
   maxConnectionsPerClient?: number;
+  /**
+   * Maximum inbound websocket message size in bytes.
+   * Default: 1 MiB.
+   */
+  maxMessageBytes?: number;
+  /**
+   * Maximum inbound websocket messages allowed per connection within one window.
+   * Default: 120 messages.
+   * Set to 0 or a negative value to disable rate limiting.
+   */
+  maxMessagesPerWindow?: number;
+  /**
+   * Window size in milliseconds for inbound websocket message rate limiting.
+   * Default: 10000 ms.
+   */
+  messageRateWindowMs?: number;
+  /**
+   * Optional list of allowed websocket origins.
+   * Use '*' to allow all origins.
+   */
+  allowedOrigins?: string[] | '*';
 }
 
 export interface SyncRoutesConfigWithRateLimit {
@@ -231,6 +257,9 @@ export interface CreateSyncRoutesOptions<
 const snapshotChunkParamsSchema = z.object({
   chunkId: z.string().min(1),
 });
+const snapshotChunkQuerySchema = z.object({
+  scopes: z.string().optional(),
+});
 
 const auditCommitListQuerySchema = z.object({
   limit: z.coerce.number().int().min(1).max(200).optional(),
@@ -278,6 +307,7 @@ const auditCommitDetailResponseSchema = z.object({
 });
 
 const DEFAULT_REQUEST_PAYLOAD_SNAPSHOT_MAX_BYTES = 128 * 1024;
+const SNAPSHOT_SCOPES_HEADER = 'x-syncular-snapshot-scopes';
 
 type TraceContext = {
   traceId: string | null;
@@ -484,6 +514,18 @@ function countPullRows(response: PullResult['response']): number {
   }, 0);
 }
 
+function readSnapshotScopeValues(
+  c: Context,
+  queryScopes: string | undefined
+): Record<string, string | string[]> | null {
+  const rawValue = queryScopes ?? c.req.header(SNAPSHOT_SCOPES_HEADER);
+  if (!rawValue) return null;
+  const parsed = parseJsonValue(rawValue);
+  const validated = ScopeValuesSchema.safeParse(parsed);
+  if (!validated.success) return null;
+  return validated.data;
+}
+
 function encodePayloadSnapshot(value: unknown, maxBytes: number): string {
   try {
     const serialized = JSON.stringify(value);
@@ -575,6 +617,9 @@ export function createSyncRoutes<
       Promise.resolve())
     : Promise.resolve();
   const consoleSchemaReady = consoleSchemaReadyBase.catch((error) => {
+    if (isBenignConsoleSchemaError(error)) {
+      return;
+    }
     logSyncEvent({
       event: 'sync.console_schema_ready_failed',
       error: error instanceof Error ? error.message : String(error),
@@ -835,6 +880,178 @@ export function createSyncRoutes<
       });
   };
 
+  type PushRequestBody = Omit<
+    z.infer<typeof SyncPushRequestSchema>,
+    'clientId'
+  >;
+
+  type PushExecutionContext = {
+    auth: Auth;
+    clientId: string;
+    partitionId: string;
+    requestId: string;
+    traceContext: TraceContext;
+    transportPath: 'direct' | 'relay';
+    syncPath: 'http-combined' | 'ws-push';
+  };
+
+  async function executePushCommitWithSideEffects(
+    ctx: PushExecutionContext,
+    pushBody: PushRequestBody,
+    execOptions: { countConflictsMetric?: boolean } = {}
+  ): Promise<Awaited<ReturnType<typeof pushCommit>>> {
+    const timer = createSyncTimer();
+    const pushOps = pushBody.operations ?? [];
+
+    const pushed = await pushCommit({
+      db: options.db,
+      dialect: options.dialect,
+      handlers: handlerRegistry,
+      plugins: options.plugins,
+      auth: ctx.auth,
+      request: {
+        clientId: ctx.clientId,
+        clientCommitId: pushBody.clientCommitId,
+        operations: pushBody.operations,
+        schemaVersion: pushBody.schemaVersion,
+      },
+    });
+
+    const pushDurationMs = timer();
+
+    logSyncEvent({
+      event: 'sync.push',
+      userId: ctx.auth.actorId,
+      durationMs: pushDurationMs,
+      operationCount: pushOps.length,
+      status: pushed.response.status,
+      commitSeq: pushed.response.commitSeq,
+    });
+
+    recordRequestEventInBackground(() => ({
+      partitionId: ctx.partitionId,
+      requestId: ctx.requestId,
+      traceId: ctx.traceContext.traceId,
+      spanId: ctx.traceContext.spanId,
+      eventType: 'push',
+      syncPath: ctx.syncPath,
+      actorId: ctx.auth.actorId,
+      clientId: ctx.clientId,
+      transportPath: ctx.transportPath,
+      statusCode: 200,
+      outcome: pushed.response.status,
+      responseStatus: normalizeResponseStatus(200, pushed.response.status),
+      durationMs: pushDurationMs,
+      errorCode: firstPushErrorCode(pushed.response.results),
+      commitSeq: pushed.response.commitSeq,
+      operationCount: pushOps.length,
+      tables: pushed.affectedTables,
+      payloadSnapshot: shouldCaptureRequestPayloadSnapshots
+        ? {
+            request: {
+              clientId: ctx.clientId,
+              clientCommitId: pushBody.clientCommitId,
+              schemaVersion: pushBody.schemaVersion,
+              operations: pushBody.operations,
+            },
+            response: pushed.response,
+          }
+        : null,
+    }));
+
+    emitConsoleLiveEvent(consoleLiveEmitter, 'push', () => ({
+      partitionId: ctx.partitionId,
+      requestId: ctx.requestId,
+      traceId: ctx.traceContext.traceId,
+      spanId: ctx.traceContext.spanId,
+      actorId: ctx.auth.actorId,
+      clientId: ctx.clientId,
+      transportPath: ctx.transportPath,
+      syncPath: ctx.syncPath,
+      outcome: pushed.response.status,
+      statusCode: 200,
+      durationMs: pushDurationMs,
+      commitSeq: pushed.response.commitSeq ?? null,
+      operationCount: pushOps.length,
+      tables: pushed.affectedTables,
+    }));
+
+    if (execOptions.countConflictsMetric === true) {
+      const detectedConflicts = pushed.response.results.reduce(
+        (count, result) => count + (result.status === 'conflict' ? 1 : 0),
+        0
+      );
+      if (detectedConflicts > 0) {
+        countSyncMetric('sync.conflicts.detected', detectedConflicts, {
+          attributes: {
+            syncPath: ctx.syncPath,
+            transportPath: ctx.transportPath,
+          },
+        });
+      }
+    }
+
+    if (
+      wsConnectionManager &&
+      pushed.response.ok === true &&
+      pushed.response.status === 'applied' &&
+      typeof pushed.response.commitSeq === 'number'
+    ) {
+      const scopeKeys = applyPartitionToScopeKeys(
+        ctx.partitionId,
+        pushed.scopeKeys
+      );
+
+      if (scopeKeys.length > 0) {
+        wsConnectionManager.notifyScopeKeys(
+          scopeKeys,
+          pushed.response.commitSeq,
+          {
+            excludeClientIds: [ctx.clientId],
+            changes: pushed.emittedChanges,
+            actorId: pushed.commitActorId ?? ctx.auth.actorId,
+            createdAt: pushed.commitCreatedAt ?? new Date().toISOString(),
+          }
+        );
+
+        if (realtimeBroadcaster) {
+          realtimeBroadcaster
+            .publish({
+              type: 'commit',
+              commitSeq: pushed.response.commitSeq,
+              partitionId: ctx.partitionId,
+              scopeKeys,
+              sourceInstanceId: instanceId,
+            })
+            .catch((error) => {
+              logAsyncFailureOnce('sync.realtime.broadcast_publish_failed', {
+                event: 'sync.realtime.broadcast_publish_failed',
+                userId: ctx.auth.actorId,
+                clientId: ctx.clientId,
+                error: error instanceof Error ? error.message : String(error),
+              });
+            });
+        }
+      }
+    }
+
+    if (
+      pushed.response.ok === true &&
+      pushed.response.status === 'applied' &&
+      typeof pushed.response.commitSeq === 'number'
+    ) {
+      emitConsoleLiveEvent(consoleLiveEmitter, 'commit', () => ({
+        partitionId: ctx.partitionId,
+        commitSeq: pushed.response.commitSeq,
+        actorId: ctx.auth.actorId,
+        clientId: ctx.clientId,
+        affectedTables: pushed.affectedTables,
+      }));
+    }
+
+    return pushed;
+  }
+
   const authCache = new WeakMap<Context, Promise<Auth | null>>();
   const getAuth = (c: Context): Promise<Auth | null> => {
     const cached = authCache.get(c);
@@ -1143,8 +1360,8 @@ export function createSyncRoutes<
             op: change.op,
             rowVersion:
               change.row_version === null ? null : Number(change.row_version),
-            rowJson: parseJsonColumn(change.row_json),
-            scopes: parseJsonColumn(change.scopes),
+            rowJson: parseJsonValue(change.row_json),
+            scopes: parseJsonValue(change.scopes),
           })),
         },
         200
@@ -1191,6 +1408,7 @@ export function createSyncRoutes<
       const auth = await getAuth(c);
       if (!auth) return c.json({ error: 'UNAUTHENTICATED' }, 401);
       const partitionId = auth.partitionId ?? 'default';
+      const transportPath = readTransportPath(c);
 
       const body = c.req.valid('json');
       const clientId = body.clientId;
@@ -1215,142 +1433,18 @@ export function createSyncRoutes<
             400
           );
         }
-
-        const timer = createSyncTimer();
-
-        const pushed = await pushCommit({
-          db: options.db,
-          dialect: options.dialect,
-          handlers: handlerRegistry,
-          plugins: options.plugins,
-          auth,
-          request: {
+        const pushed = await executePushCommitWithSideEffects(
+          {
+            auth,
             clientId,
-            clientCommitId: pushBody.clientCommitId,
-            operations: pushBody.operations,
-            schemaVersion: pushBody.schemaVersion,
-          },
-        });
-
-        const pushDurationMs = timer();
-
-        logSyncEvent({
-          event: 'sync.push',
-          userId: auth.actorId,
-          durationMs: pushDurationMs,
-          operationCount: pushOps.length,
-          status: pushed.response.status,
-          commitSeq: pushed.response.commitSeq,
-        });
-
-        recordRequestEventInBackground(() => ({
-          partitionId,
-          requestId,
-          traceId: traceContext.traceId,
-          spanId: traceContext.spanId,
-          eventType: 'push',
-          syncPath: 'http-combined',
-          actorId: auth.actorId,
-          clientId,
-          transportPath: readTransportPath(c),
-          statusCode: 200,
-          outcome: pushed.response.status,
-          responseStatus: normalizeResponseStatus(200, pushed.response.status),
-          durationMs: pushDurationMs,
-          errorCode: firstPushErrorCode(pushed.response.results),
-          commitSeq: pushed.response.commitSeq,
-          operationCount: pushOps.length,
-          tables: pushed.affectedTables,
-          payloadSnapshot: shouldCaptureRequestPayloadSnapshots
-            ? {
-                request: {
-                  clientId,
-                  clientCommitId: pushBody.clientCommitId,
-                  schemaVersion: pushBody.schemaVersion,
-                  operations: pushBody.operations,
-                },
-                response: pushed.response,
-              }
-            : null,
-        }));
-        emitConsoleLiveEvent(consoleLiveEmitter, 'push', () => ({
-          partitionId,
-          requestId,
-          traceId: traceContext.traceId,
-          spanId: traceContext.spanId,
-          actorId: auth.actorId,
-          clientId,
-          transportPath: readTransportPath(c),
-          syncPath: 'http-combined',
-          outcome: pushed.response.status,
-          statusCode: 200,
-          durationMs: pushDurationMs,
-          commitSeq: pushed.response.commitSeq ?? null,
-          operationCount: pushOps.length,
-          tables: pushed.affectedTables,
-        }));
-
-        // WS notifications
-        if (
-          wsConnectionManager &&
-          pushed.response.ok === true &&
-          pushed.response.status === 'applied' &&
-          typeof pushed.response.commitSeq === 'number'
-        ) {
-          const scopeKeys = applyPartitionToScopeKeys(
-            partitionId,
-            pushed.scopeKeys
-          );
-          if (scopeKeys.length > 0) {
-            wsConnectionManager.notifyScopeKeys(
-              scopeKeys,
-              pushed.response.commitSeq,
-              {
-                excludeClientIds: [clientId],
-                changes: pushed.emittedChanges,
-                actorId: pushed.commitActorId ?? auth.actorId,
-                createdAt: pushed.commitCreatedAt ?? new Date().toISOString(),
-              }
-            );
-
-            if (realtimeBroadcaster) {
-              realtimeBroadcaster
-                .publish({
-                  type: 'commit',
-                  commitSeq: pushed.response.commitSeq,
-                  partitionId,
-                  scopeKeys,
-                  sourceInstanceId: instanceId,
-                })
-                .catch((error) => {
-                  logAsyncFailureOnce(
-                    'sync.realtime.broadcast_publish_failed',
-                    {
-                      event: 'sync.realtime.broadcast_publish_failed',
-                      userId: auth.actorId,
-                      clientId,
-                      error:
-                        error instanceof Error ? error.message : String(error),
-                    }
-                  );
-                });
-            }
-          }
-        }
-
-        if (
-          pushed.response.ok === true &&
-          pushed.response.status === 'applied' &&
-          typeof pushed.response.commitSeq === 'number'
-        ) {
-          emitConsoleLiveEvent(consoleLiveEmitter, 'commit', () => ({
             partitionId,
-            commitSeq: pushed.response.commitSeq,
-            actorId: auth.actorId,
-            clientId,
-            affectedTables: pushed.affectedTables,
-          }));
-        }
+            requestId,
+            traceContext,
+            transportPath,
+            syncPath: 'http-combined',
+          },
+          pushBody
+        );
 
         pushResponse = pushed.response;
       }
@@ -1513,7 +1607,7 @@ export function createSyncRoutes<
             syncPath: 'http-combined',
             actorId: auth.actorId,
             clientId,
-            transportPath: readTransportPath(c),
+            transportPath,
             statusCode: 200,
             outcome: 'applied',
             responseStatus: normalizeResponseStatus(200, 'applied'),
@@ -1535,7 +1629,7 @@ export function createSyncRoutes<
             spanId: traceContext.spanId,
             actorId: auth.actorId,
             clientId,
-            transportPath: readTransportPath(c),
+            transportPath,
             syncPath: 'http-combined',
             outcome: 'applied',
             statusCode: 200,
@@ -1609,10 +1703,13 @@ export function createSyncRoutes<
       },
     }),
     zValidator('param', snapshotChunkParamsSchema),
+    zValidator('query', snapshotChunkQuerySchema),
     async (c) => {
       const auth = await getAuth(c);
       if (!auth) return c.json({ error: 'UNAUTHENTICATED' }, 401);
       const partitionId = auth.partitionId ?? 'default';
+      const query = c.req.valid('query');
+      const requestedChunkScopes = readSnapshotScopeValues(c, query.scopes);
 
       const { chunkId } = c.req.valid('param');
 
@@ -1629,9 +1726,40 @@ export function createSyncRoutes<
         return c.json({ error: 'NOT_FOUND' }, 404);
       }
 
-      // Note: Snapshot chunks are created during authorized pull requests
-      // and have opaque IDs that expire. Additional authorization is handled
-      // at the pull layer via table-level resolveScopes.
+      if (requestedChunkScopes) {
+        try {
+          const resolved = await resolveEffectiveScopesForSubscriptions({
+            db: options.db,
+            auth,
+            subscriptions: [
+              {
+                id: 'snapshot-chunk-authz',
+                table: chunk.scope,
+                scopes: requestedChunkScopes,
+                cursor: 0,
+              },
+            ],
+            handlers: handlerRegistry,
+            scopeCache: options.scopeCache,
+          });
+          const scopeAuth = resolved[0];
+          if (!scopeAuth || scopeAuth.status !== 'active') {
+            return c.json({ error: 'FORBIDDEN' }, 403);
+          }
+
+          const scopeKey = `${partitionId}:${await scopesToSnapshotChunkScopeKey(
+            scopeAuth.scopes
+          )}`;
+          if (scopeKey !== chunk.scopeKey) {
+            return c.json({ error: 'FORBIDDEN' }, 403);
+          }
+        } catch (error) {
+          if (error instanceof InvalidSubscriptionScopeError) {
+            return c.json({ error: 'FORBIDDEN' }, 403);
+          }
+          throw error;
+        }
+      }
 
       const etag = `"sha256:${chunk.sha256}"`;
       const ifNoneMatch = c.req.header('if-none-match');
@@ -1672,6 +1800,9 @@ export function createSyncRoutes<
     routes.get('/realtime', async (c) => {
       const auth = await getAuth(c);
       if (!auth) return c.json({ error: 'UNAUTHENTICATED' }, 401);
+      if (!isWebSocketOriginAllowed(c, websocketConfig.allowedOrigins)) {
+        return c.json({ error: 'FORBIDDEN_ORIGIN' }, 403);
+      }
       const partitionId = auth.partitionId ?? 'default';
 
       const clientId = c.req.query('clientId');
@@ -1733,6 +1864,11 @@ export function createSyncRoutes<
       const maxConnectionsTotal = websocketConfig.maxConnectionsTotal ?? 5000;
       const maxConnectionsPerClient =
         websocketConfig.maxConnectionsPerClient ?? 3;
+      const maxMessageBytes = websocketConfig.maxMessageBytes ?? 1024 * 1024;
+      const maxMessagesPerWindow = websocketConfig.maxMessagesPerWindow ?? 120;
+      const messageRateWindowMs = websocketConfig.messageRateWindowMs ?? 10000;
+      let messageRateWindowStartedAtMs = Date.now();
+      let messageRateWindowCount = 0;
 
       if (
         maxConnectionsTotal > 0 &&
@@ -1790,6 +1926,35 @@ export function createSyncRoutes<
         });
       };
 
+      const teardownRealtimeConnection = (args: {
+        reason: 'closed' | 'error';
+        action: 'realtime_disconnected' | 'realtime_error';
+      }) => {
+        unregister?.();
+        unregister = null;
+        connRef = null;
+        finishRealtimeSession(args.reason);
+        logSyncEvent({
+          event: 'sync.realtime.disconnect',
+          userId: auth.actorId,
+        });
+        emitConsoleLiveEvent(consoleLiveEmitter, 'client_update', () => ({
+          action: args.action,
+          actorId: auth.actorId,
+          clientId,
+          partitionId,
+        }));
+      };
+
+      const logPresenceRejected = (scopeKey: string) => {
+        logSyncEvent({
+          event: 'sync.realtime.presence.rejected',
+          userId: auth.actorId,
+          reason: 'scope_not_authorized',
+          scopeKey,
+        });
+      };
+
       const upgradeWebSocket = websocketConfig.upgradeWebSocket;
       if (!upgradeWebSocket) {
         return c.json({ error: 'WEBSOCKET_NOT_CONFIGURED' }, 500);
@@ -1830,40 +1995,41 @@ export function createSyncRoutes<
           }));
         },
         onClose(_evt, _ws) {
-          unregister?.();
-          unregister = null;
-          connRef = null;
-          finishRealtimeSession('closed');
-          logSyncEvent({
-            event: 'sync.realtime.disconnect',
-            userId: auth.actorId,
-          });
-          emitConsoleLiveEvent(consoleLiveEmitter, 'client_update', () => ({
+          teardownRealtimeConnection({
+            reason: 'closed',
             action: 'realtime_disconnected',
-            actorId: auth.actorId,
-            clientId,
-            partitionId,
-          }));
+          });
         },
         onError(_evt, _ws) {
-          unregister?.();
-          unregister = null;
-          connRef = null;
-          finishRealtimeSession('error');
-          logSyncEvent({
-            event: 'sync.realtime.disconnect',
-            userId: auth.actorId,
-          });
-          emitConsoleLiveEvent(consoleLiveEmitter, 'client_update', () => ({
+          teardownRealtimeConnection({
+            reason: 'error',
             action: 'realtime_error',
-            actorId: auth.actorId,
-            clientId,
-            partitionId,
-          }));
+          });
         },
         onMessage(evt, _ws) {
           if (!connRef) return;
           try {
+            const messageBytes = measureWebSocketMessageBytes(evt.data);
+            if (messageBytes > maxMessageBytes) {
+              connRef.sendError(
+                `WebSocket message exceeds max size (${maxMessageBytes} bytes)`
+              );
+              return;
+            }
+            if (maxMessagesPerWindow > 0 && messageRateWindowMs > 0) {
+              const nowMs = Date.now();
+              if (nowMs - messageRateWindowStartedAtMs >= messageRateWindowMs) {
+                messageRateWindowStartedAtMs = nowMs;
+                messageRateWindowCount = 0;
+              }
+              messageRateWindowCount += 1;
+              if (messageRateWindowCount > maxMessagesPerWindow) {
+                connRef.sendError(
+                  `WebSocket message rate exceeded (${maxMessagesPerWindow}/${messageRateWindowMs}ms)`
+                );
+                return;
+              }
+            }
             const raw =
               typeof evt.data === 'string' ? evt.data : String(evt.data);
             const msg = JSON.parse(raw);
@@ -1891,12 +2057,7 @@ export function createSyncRoutes<
                     msg.metadata
                   )
                 ) {
-                  logSyncEvent({
-                    event: 'sync.realtime.presence.rejected',
-                    userId: auth.actorId,
-                    reason: 'scope_not_authorized',
-                    scopeKey,
-                  });
+                  logPresenceRejected(scopeKey);
                   return;
                 }
                 // Send presence snapshot back to the joining client
@@ -1924,12 +2085,7 @@ export function createSyncRoutes<
                     scopeKey
                   )
                 ) {
-                  logSyncEvent({
-                    event: 'sync.realtime.presence.rejected',
-                    userId: auth.actorId,
-                    reason: 'scope_not_authorized',
-                    scopeKey,
-                  });
+                  logPresenceRejected(scopeKey);
                 }
                 break;
             }
@@ -1941,8 +2097,6 @@ export function createSyncRoutes<
     });
   }
 
-  return routes;
-
   async function handleRealtimeEvent(event: SyncRealtimeEvent): Promise<void> {
     if (!wsConnectionManager) return;
     if (event.type !== 'commit') return;
@@ -1959,6 +2113,58 @@ export function createSyncRoutes<
     wsConnectionManager.notifyScopeKeys(scopeKeys, commitSeq);
   }
 
+  const recordWsPushFailure = (args: {
+    partitionId: string;
+    requestId: string;
+    traceContext: TraceContext;
+    actorId: string;
+    clientId: string;
+    transportPath: 'direct' | 'relay';
+    statusCode: number;
+    outcome: 'rejected' | 'error';
+    durationMs: number;
+    errorCode: string;
+    errorMessage: string;
+    operationCount?: number | null;
+    payloadSnapshot?: RequestPayloadSnapshot | null;
+  }): void => {
+    recordRequestEventInBackground(() => ({
+      partitionId: args.partitionId,
+      requestId: args.requestId,
+      traceId: args.traceContext.traceId,
+      spanId: args.traceContext.spanId,
+      eventType: 'push',
+      syncPath: 'ws-push',
+      actorId: args.actorId,
+      clientId: args.clientId,
+      transportPath: args.transportPath,
+      statusCode: args.statusCode,
+      outcome: args.outcome,
+      responseStatus: normalizeResponseStatus(args.statusCode, args.outcome),
+      durationMs: args.durationMs,
+      errorCode: args.errorCode,
+      errorMessage: args.errorMessage,
+      operationCount: args.operationCount ?? null,
+      payloadSnapshot: args.payloadSnapshot ?? null,
+    }));
+
+    emitConsoleLiveEvent(consoleLiveEmitter, 'push', () => ({
+      partitionId: args.partitionId,
+      requestId: args.requestId,
+      traceId: args.traceContext.traceId,
+      spanId: args.traceContext.spanId,
+      actorId: args.actorId,
+      clientId: args.clientId,
+      transportPath: args.transportPath,
+      syncPath: 'ws-push',
+      outcome: args.outcome,
+      statusCode: args.statusCode,
+      durationMs: args.durationMs,
+      operationCount: args.operationCount ?? null,
+      errorCode: args.errorCode,
+    }));
+  };
+
   async function handleWsPush(
     msg: Record<string, unknown>,
     conn: WebSocketConnection,
@@ -1979,30 +2185,25 @@ export function createSyncRoutes<
       );
       if (!parsed.success) {
         const invalidDurationMs = timer();
+        const errorMessage = 'Invalid push payload';
         conn.sendPushResponse({
           requestId,
           ok: false,
           status: 'rejected',
-          results: [
-            { opIndex: 0, status: 'error', error: 'Invalid push payload' },
-          ],
+          results: [{ opIndex: 0, status: 'error', error: errorMessage }],
         });
-        recordRequestEventInBackground(() => ({
+        recordWsPushFailure({
           partitionId,
           requestId,
-          traceId: traceContext.traceId,
-          spanId: traceContext.spanId,
-          eventType: 'push',
-          syncPath: 'ws-push',
           actorId,
           clientId,
           transportPath: conn.transportPath,
           statusCode: 400,
           outcome: 'rejected',
-          responseStatus: normalizeResponseStatus(400, 'rejected'),
           durationMs: invalidDurationMs,
           errorCode: 'INVALID_PUSH_PAYLOAD',
-          errorMessage: 'Invalid push payload',
+          errorMessage,
+          traceContext,
           payloadSnapshot: shouldCaptureRequestPayloadSnapshots
             ? {
                 request: msg,
@@ -2013,27 +2214,14 @@ export function createSyncRoutes<
                 },
               }
             : null,
-        }));
-        emitConsoleLiveEvent(consoleLiveEmitter, 'push', () => ({
-          partitionId,
-          requestId,
-          traceId: traceContext.traceId,
-          spanId: traceContext.spanId,
-          actorId,
-          clientId,
-          transportPath: conn.transportPath,
-          syncPath: 'ws-push',
-          outcome: 'rejected',
-          statusCode: 400,
-          durationMs: invalidDurationMs,
-          errorCode: 'INVALID_PUSH_PAYLOAD',
-        }));
+        });
         return;
       }
 
       const pushOps = parsed.data.operations ?? [];
       if (pushOps.length > maxOperationsPerPush) {
         const rejectedDurationMs = timer();
+        const errorMessage = `Maximum ${maxOperationsPerPush} operations per push`;
         conn.sendPushResponse({
           requestId,
           ok: false,
@@ -2042,26 +2230,22 @@ export function createSyncRoutes<
             {
               opIndex: 0,
               status: 'error',
-              error: `Maximum ${maxOperationsPerPush} operations per push`,
+              error: errorMessage,
             },
           ],
         });
-        recordRequestEventInBackground(() => ({
+        recordWsPushFailure({
           partitionId,
           requestId,
-          traceId: traceContext.traceId,
-          spanId: traceContext.spanId,
-          eventType: 'push',
-          syncPath: 'ws-push',
           actorId,
           clientId,
           transportPath: conn.transportPath,
           statusCode: 400,
           outcome: 'rejected',
-          responseStatus: normalizeResponseStatus(400, 'rejected'),
           durationMs: rejectedDurationMs,
           errorCode: 'MAX_OPERATIONS_EXCEEDED',
-          errorMessage: `Maximum ${maxOperationsPerPush} operations per push`,
+          errorMessage,
+          traceContext,
           operationCount: pushOps.length,
           payloadSnapshot: shouldCaptureRequestPayloadSnapshots
             ? {
@@ -2078,167 +2262,27 @@ export function createSyncRoutes<
                 },
               }
             : null,
-        }));
-        emitConsoleLiveEvent(consoleLiveEmitter, 'push', () => ({
-          partitionId,
-          requestId,
-          traceId: traceContext.traceId,
-          spanId: traceContext.spanId,
-          actorId,
-          clientId,
-          transportPath: conn.transportPath,
-          syncPath: 'ws-push',
-          outcome: 'rejected',
-          statusCode: 400,
-          durationMs: rejectedDurationMs,
-          operationCount: pushOps.length,
-          errorCode: 'MAX_OPERATIONS_EXCEEDED',
-        }));
+        });
         return;
       }
 
-      const pushed = await pushCommit({
-        db: options.db,
-        dialect: options.dialect,
-        handlers: handlerRegistry,
-        plugins: options.plugins,
-        auth,
-        request: {
+      const pushed = await executePushCommitWithSideEffects(
+        {
+          auth,
           clientId,
+          partitionId,
+          requestId,
+          traceContext,
+          transportPath: conn.transportPath,
+          syncPath: 'ws-push',
+        },
+        {
           clientCommitId: parsed.data.clientCommitId,
           operations: parsed.data.operations,
           schemaVersion: parsed.data.schemaVersion,
         },
-      });
-
-      const pushDurationMs = timer();
-
-      logSyncEvent({
-        event: 'sync.push',
-        userId: actorId,
-        durationMs: pushDurationMs,
-        operationCount: pushOps.length,
-        status: pushed.response.status,
-        commitSeq: pushed.response.commitSeq,
-      });
-
-      recordRequestEventInBackground(() => ({
-        partitionId,
-        requestId,
-        traceId: traceContext.traceId,
-        spanId: traceContext.spanId,
-        eventType: 'push',
-        syncPath: 'ws-push',
-        actorId,
-        clientId,
-        transportPath: conn.transportPath,
-        statusCode: 200,
-        outcome: pushed.response.status,
-        responseStatus: normalizeResponseStatus(200, pushed.response.status),
-        durationMs: pushDurationMs,
-        errorCode: firstPushErrorCode(pushed.response.results),
-        commitSeq: pushed.response.commitSeq,
-        operationCount: pushOps.length,
-        tables: pushed.affectedTables,
-        payloadSnapshot: shouldCaptureRequestPayloadSnapshots
-          ? {
-              request: {
-                clientId,
-                clientCommitId: parsed.data.clientCommitId,
-                schemaVersion: parsed.data.schemaVersion,
-                operations: parsed.data.operations,
-              },
-              response: pushed.response,
-            }
-          : null,
-      }));
-      emitConsoleLiveEvent(consoleLiveEmitter, 'push', () => ({
-        partitionId,
-        requestId,
-        traceId: traceContext.traceId,
-        spanId: traceContext.spanId,
-        actorId,
-        clientId,
-        transportPath: conn.transportPath,
-        syncPath: 'ws-push',
-        outcome: pushed.response.status,
-        statusCode: 200,
-        durationMs: pushDurationMs,
-        commitSeq: pushed.response.commitSeq ?? null,
-        operationCount: pushOps.length,
-        tables: pushed.affectedTables,
-      }));
-
-      const detectedConflicts = pushed.response.results.reduce(
-        (count, result) => count + (result.status === 'conflict' ? 1 : 0),
-        0
+        { countConflictsMetric: true }
       );
-      if (detectedConflicts > 0) {
-        countSyncMetric('sync.conflicts.detected', detectedConflicts, {
-          attributes: {
-            syncPath: 'ws-push',
-            transportPath: conn.transportPath,
-          },
-        });
-      }
-
-      // WS notifications to other clients
-      if (
-        wsConnectionManager &&
-        pushed.response.ok === true &&
-        pushed.response.status === 'applied' &&
-        typeof pushed.response.commitSeq === 'number'
-      ) {
-        const scopeKeys = applyPartitionToScopeKeys(
-          partitionId,
-          pushed.scopeKeys
-        );
-        if (scopeKeys.length > 0) {
-          wsConnectionManager.notifyScopeKeys(
-            scopeKeys,
-            pushed.response.commitSeq,
-            {
-              excludeClientIds: [clientId],
-              changes: pushed.emittedChanges,
-              actorId: pushed.commitActorId ?? actorId,
-              createdAt: pushed.commitCreatedAt ?? new Date().toISOString(),
-            }
-          );
-
-          if (realtimeBroadcaster) {
-            realtimeBroadcaster
-              .publish({
-                type: 'commit',
-                commitSeq: pushed.response.commitSeq,
-                partitionId,
-                scopeKeys,
-                sourceInstanceId: instanceId,
-              })
-              .catch((error) => {
-                logAsyncFailureOnce('sync.realtime.broadcast_publish_failed', {
-                  event: 'sync.realtime.broadcast_publish_failed',
-                  userId: actorId,
-                  clientId,
-                  error: error instanceof Error ? error.message : String(error),
-                });
-              });
-          }
-        }
-      }
-
-      if (
-        pushed.response.ok === true &&
-        pushed.response.status === 'applied' &&
-        typeof pushed.response.commitSeq === 'number'
-      ) {
-        emitConsoleLiveEvent(consoleLiveEmitter, 'commit', () => ({
-          partitionId,
-          commitSeq: pushed.response.commitSeq,
-          actorId,
-          clientId,
-          affectedTables: pushed.affectedTables,
-        }));
-      }
 
       triggerAutoMaintenance({
         actorId,
@@ -2264,22 +2308,18 @@ export function createSyncRoutes<
       });
       const message =
         err instanceof Error ? err.message : 'Internal server error';
-      recordRequestEventInBackground(() => ({
+      recordWsPushFailure({
         partitionId,
         requestId,
-        traceId: traceContext.traceId,
-        spanId: traceContext.spanId,
-        eventType: 'push',
-        syncPath: 'ws-push',
         actorId,
         clientId,
         transportPath: conn.transportPath,
         statusCode: 500,
         outcome: 'error',
-        responseStatus: normalizeResponseStatus(500, 'error'),
         durationMs: failedDurationMs,
         errorCode: 'INTERNAL_SERVER_ERROR',
         errorMessage: message,
+        traceContext,
         payloadSnapshot: shouldCaptureRequestPayloadSnapshots
           ? {
               request: msg,
@@ -2291,21 +2331,7 @@ export function createSyncRoutes<
               },
             }
           : null,
-      }));
-      emitConsoleLiveEvent(consoleLiveEmitter, 'push', () => ({
-        partitionId,
-        requestId,
-        traceId: traceContext.traceId,
-        spanId: traceContext.spanId,
-        actorId,
-        clientId,
-        transportPath: conn.transportPath,
-        syncPath: 'ws-push',
-        outcome: 'error',
-        statusCode: 500,
-        durationMs: failedDurationMs,
-        errorCode: 'INTERNAL_SERVER_ERROR',
-      }));
+      });
       conn.sendPushResponse({
         requestId,
         ok: false,
@@ -2314,6 +2340,8 @@ export function createSyncRoutes<
       });
     }
   }
+
+  return routes;
 }
 
 export function getSyncWebSocketConnectionManager(
@@ -2332,6 +2360,40 @@ function clampInt(value: number, min: number, max: number): number {
   return Math.max(min, Math.min(max, value));
 }
 
+function isWebSocketOriginAllowed(
+  c: Context,
+  allowedOrigins?: string[] | '*'
+): boolean {
+  if (!allowedOrigins) return true;
+  if (allowedOrigins === '*') return true;
+
+  const origin = c.req.header('origin');
+  if (!origin) return false;
+
+  try {
+    const normalizedOrigin = new URL(origin).origin;
+    return allowedOrigins.includes(normalizedOrigin);
+  } catch {
+    return false;
+  }
+}
+
+function measureWebSocketMessageBytes(data: unknown): number {
+  if (typeof data === 'string') {
+    return new TextEncoder().encode(data).byteLength;
+  }
+  if (data instanceof ArrayBuffer) {
+    return data.byteLength;
+  }
+  if (ArrayBuffer.isView(data)) {
+    return data.byteLength;
+  }
+  if (typeof Blob !== 'undefined' && data instanceof Blob) {
+    return data.size;
+  }
+  return new TextEncoder().encode(String(data)).byteLength;
+}
+
 function readTransportPath(
   c: Context,
   queryValue?: string | null
@@ -2348,15 +2410,6 @@ function readTransportPath(
   return 'direct';
 }
 
-function parseJsonColumn(value: unknown): unknown {
-  if (typeof value !== 'string') return value;
-  try {
-    return JSON.parse(value);
-  } catch {
-    return value;
-  }
-}
-
 function scopeValuesToScopeKeys(scopes: unknown): string[] {
   if (!scopes || typeof scopes !== 'object') return [];
   const scopeKeys = new Set<string>();