bunsane 0.4.0 → 0.5.1

package/core/entity/saveEntity.ts

@@ -254,8 +254,13 @@ export async function doSave(entity: Entity, trx: SQL, signal?: AbortSignal): Pr
                 (comp as any).setPersisted(true);
                 (comp as any).setDirty(false);
             } else if ((comp as any)._dirty) {
+                // Full columns so the batched upsert below can encode every row
+                // through the same sql(arr, cols) path as the INSERT batch.
                 componentsToUpdate.push({
                     id: comp.id,
+                    entity_id: entity.id,
+                    name: compName,
+                    type_id: comp.getTypeID(),
                     data: comp.serializableData()
                 });
                 (comp as any).setDirty(false);
@@ -267,10 +272,15 @@ export async function doSave(entity: Entity, trx: SQL, signal?: AbortSignal): Pr
             await run(saveTrx`INSERT INTO components ${sql(componentsToInsert, 'id', 'entity_id', 'name', 'type_id', 'data')}`);
         }
 
-        // Perform updates. Validate all ids up front (synchronous, fails
-        // fast), then fire the UPDATEs together via Promise.all so they
-        // pipeline on the transaction connection instead of paying one
-        // serial round-trip per dirty component.
+        // Perform updates as a SINGLE batched upsert. Dirty components already
+        // exist (persisted, live), so the ON CONFLICT path always fires and
+        // updates `data` for every row in one round-trip — replacing the
+        // previous N sequential UPDATEs (N wire round-trips inside the txn).
+        // Conflict target is the (id, type_id) PRIMARY KEY, which contains the
+        // partition key `type_id` — required for ON CONFLICT on the partitioned
+        // `components` table. Reuses the same sql(arr, cols) encoder as the
+        // INSERT batch, so jsonb encoding is identical across PostgreSQL and
+        // PGlite. `created_at` is preserved (DO UPDATE only touches `data`).
         if (componentsToUpdate.length > 0) {
             const traceEnabled = logger.isLevelEnabled?.('trace') === true;
             for (const comp of componentsToUpdate) {
@@ -285,11 +295,7 @@ export async function doSave(entity: Entity, trx: SQL, signal?: AbortSignal): Pr
                     logger.trace({ componentId: comp.id, data: comp.data }, `[Entity.doSave] Updating component`);
                 }
             }
-            await Promise.all(
-                componentsToUpdate.map(comp =>
-                    run(saveTrx`UPDATE components SET data = ${comp.data} WHERE id = ${comp.id}`)
-                )
-            );
+            await run(saveTrx`INSERT INTO components ${sql(componentsToUpdate, 'id', 'entity_id', 'name', 'type_id', 'data')} ON CONFLICT (id, type_id) DO UPDATE SET data = EXCLUDED.data`);
         }
     };
 
@@ -322,19 +328,17 @@ export async function doDelete(entity: Entity, force: boolean = false): Promise<
 
     try {
         await db.transaction(async (trx) => {
-            // Independent tables, no FK constraints — pipeline the
-            // statements on the transaction connection instead of paying
-            // serial round-trips while holding the connection.
+            // Independent tables, no FK constraints. Issued sequentially:
+            // multiple concurrent in-flight queries on one connection
+            // deadlock single-backend servers (PGlite test harness), and a
+            // single wire serializes them anyway — Promise.all gave no real
+            // pipelining here.
             if (force) {
-                await Promise.all([
-                    run(trx`DELETE FROM components WHERE entity_id = ${entity.id}`),
-                    run(trx`DELETE FROM entities WHERE id = ${entity.id}`),
-                ]);
+                await run(trx`DELETE FROM components WHERE entity_id = ${entity.id}`);
+                await run(trx`DELETE FROM entities WHERE id = ${entity.id}`);
             } else {
-                await Promise.all([
-                    run(trx`UPDATE entities SET deleted_at = CURRENT_TIMESTAMP WHERE id = ${entity.id} AND deleted_at IS NULL`),
-                    run(trx`UPDATE components SET deleted_at = CURRENT_TIMESTAMP WHERE entity_id = ${entity.id} AND deleted_at IS NULL`),
-                ]);
+                await run(trx`UPDATE entities SET deleted_at = CURRENT_TIMESTAMP WHERE id = ${entity.id} AND deleted_at IS NULL`);
+                await run(trx`UPDATE components SET deleted_at = CURRENT_TIMESTAMP WHERE entity_id = ${entity.id} AND deleted_at IS NULL`);
             }
         });
         clearTimeout(timeoutHandle);

package/core/health.ts

@@ -1,4 +1,5 @@
 import db from "../database";
+import { runWithSignal } from "../database/cancellable";
 import { CacheManager } from "./cache/CacheManager";
 
 export interface CheckResult {
@@ -13,6 +14,14 @@ export interface HealthResponse {
     checks: {
         database: CheckResult;
         cache: CheckResult;
+        /**
+         * Present only when the DB write probe is enabled (default on).
+         * Exercises the real `db.transaction()` write path so a wedged write
+         * pool — a stuck pooled client or exhausted pool that leaves reads
+         * (`SELECT 1`) healthy — fails the liveness check and the orchestrator
+         * restarts the container instead of it serving 504s indefinitely.
+         */
+        database_write?: CheckResult;
     };
 }
 
@@ -24,6 +33,71 @@ export interface HealthResult {
 export interface HealthDeps {
     pingDb: () => Promise<boolean>;
     pingCache: () => Promise<boolean>;
+    /**
+     * Write-path probe. Optional: when omitted (e.g. tests passing custom
+     * deps) the write check is skipped and behavior matches the read-only
+     * health check. `defaultDeps` supplies the real probe.
+     */
+    pingDbWrite?: () => Promise<boolean>;
+}
+
+// Independent, short timeout for the write probe so a wedged write path is
+// caught fast (and the container restarted) rather than blocking on the 30s
+// request/save timeout. Configurable via DB_HEALTH_WRITE_TIMEOUT.
+const WRITE_PROBE_TIMEOUT_MS = parseInt(process.env.DB_HEALTH_WRITE_TIMEOUT ?? "5000", 10);
+
+function writeProbeDisabled(): boolean {
+    return process.env.HEALTH_DB_WRITE_PROBE === "false";
+}
+
+/**
+ * Exercises a genuine write through the same `db.transaction()` acquisition
+ * path `Entity.save` uses. A wedged write pool (stuck pooled client, pool
+ * exhausted by leaked transactions) hangs here while `SELECT 1` stays healthy
+ * on any idle read connection — exactly the false-healthy scenario that kept a
+ * timed-out container "healthy" and unrestarted.
+ *
+ * The whole transaction is raced against an independent timeout so even a hang
+ * during connection *acquisition* (which runWithSignal alone cannot interrupt,
+ * since it only wraps in-flight queries) is caught. The temp table is dropped
+ * at COMMIT, so the probe has no persistent side effect.
+ */
+async function probeDbWrite(): Promise<boolean> {
+    const timeoutMs = WRITE_PROBE_TIMEOUT_MS;
+    const controller = new AbortController();
+    let handle: ReturnType<typeof setTimeout> | undefined;
+    const timeoutPromise = new Promise<never>((_, reject) => {
+        handle = setTimeout(() => {
+            const err = new Error(`DB write health probe timeout after ${timeoutMs}ms`);
+            controller.abort(err);
+            reject(err);
+        }, timeoutMs);
+        (handle as any).unref?.();
+    });
+
+    const txn = db.transaction(async (trx) => {
+        await runWithSignal(
+            trx`CREATE TEMP TABLE IF NOT EXISTS _bunsane_health_write (probed_at timestamptz NOT NULL) ON COMMIT DROP`,
+            controller.signal,
+        );
+        await runWithSignal(
+            trx`INSERT INTO _bunsane_health_write (probed_at) VALUES (now())`,
+            controller.signal,
+        );
+    });
+
+    try {
+        await Promise.race([txn, timeoutPromise]);
+        return true;
+    } finally {
+        if (handle) clearTimeout(handle);
+        // Abort any in-flight query so the transaction rolls back and the
+        // pooled connection is released even when the timeout won the race.
+        if (!controller.signal.aborted) controller.abort();
+        // Swallow a late transaction settle after a lost race so it cannot
+        // surface as an unhandled rejection.
+        Promise.resolve(txn).catch(() => { /* ignore post-timeout settle */ });
+    }
 }
 
 const defaultDeps: HealthDeps = {
@@ -32,6 +106,7 @@ const defaultDeps: HealthDeps = {
         return true;
     },
     pingCache: () => CacheManager.getInstance().ping(),
+    pingDbWrite: probeDbWrite,
 };
 
 async function checkDatabase(pingDb: () => Promise<boolean>): Promise<CheckResult> {
@@ -55,24 +130,30 @@ async function checkCache(pingCache: () => Promise<boolean>): Promise<CheckResul
 }
 
 export async function deepHealthCheck(deps: HealthDeps = defaultDeps): Promise<HealthResult> {
-    const [database, cache] = await Promise.all([
+    const runWrite = !!deps.pingDbWrite && !writeProbeDisabled();
+
+    const [database, cache, databaseWrite] = await Promise.all([
         checkDatabase(deps.pingDb),
         checkCache(deps.pingCache),
+        runWrite ? checkDatabase(deps.pingDbWrite!) : Promise.resolve(undefined),
     ]);
 
     const dbUp = database.status === "up";
+    const writeUp = !databaseWrite || databaseWrite.status === "up";
     const cacheUp = cache.status === "up";
 
     let status: HealthResponse["status"];
     let httpStatus: number;
 
-    if (dbUp && cacheUp) {
+    if (dbUp && writeUp && cacheUp) {
         status = "ok";
         httpStatus = 200;
-    } else if (dbUp && !cacheUp) {
+    } else if (dbUp && writeUp && !cacheUp) {
         status = "degraded";
         httpStatus = 200;
     } else {
+        // DB read OR write down → unavailable. A wedged write path (reads fine,
+        // writes hang) lands here so liveness fails and the container restarts.
         status = "unavailable";
         httpStatus = 503;
     }
@@ -82,7 +163,11 @@ export async function deepHealthCheck(deps: HealthDeps = defaultDeps): Promise<H
             status,
             timestamp: new Date().toISOString(),
             uptime: process.uptime(),
-            checks: { database, cache },
+            checks: {
+                database,
+                cache,
+                ...(databaseWrite ? { database_write: databaseWrite } : {}),
+            },
         },
         httpStatus,
     };
@@ -94,6 +179,7 @@ export async function readinessCheck(
     deps: HealthDeps = defaultDeps,
 ): Promise<HealthResult> {
     if (!isReady || isShuttingDown) {
+        const includeWrite = !!deps.pingDbWrite && !writeProbeDisabled();
         return {
             result: {
                 status: "unavailable",
@@ -102,6 +188,9 @@ export async function readinessCheck(
                 checks: {
                     database: { status: "unknown", latency_ms: 0 },
                     cache: { status: "unknown", latency_ms: 0 },
+                    ...(includeWrite
+                        ? { database_write: { status: "unknown", latency_ms: 0 } }
+                        : {}),
                 },
             },
             httpStatus: 503,