musora-content-services 2.122.3 → 2.122.4

package/CHANGELOG.md

@@ -2,6 +2,13 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+### [2.122.4](https://github.com/railroadmedia/musora-content-services/compare/v2.122.3...v2.122.4) (2026-01-26)
+
+
+### Bug Fixes
+
+* melon data user isolation ([#717](https://github.com/railroadmedia/musora-content-services/issues/717)) ([6893c3c](https://github.com/railroadmedia/musora-content-services/commit/6893c3c644e1eefcfeeb6439b460a46d853616d6))
+
 ### [2.122.3](https://github.com/railroadmedia/musora-content-services/compare/v2.122.2...v2.122.3) (2026-01-23)
 
 ### [2.122.2](https://github.com/railroadmedia/musora-content-services/compare/v2.122.1...v2.122.2) (2026-01-23)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "musora-content-services",
-  "version": "2.122.3",
+  "version": "2.122.4",
   "description": "A package for Musoras content services ",
   "main": "src/index.js",
   "type": "module",

package/src/services/contentProgress.js

@@ -444,8 +444,8 @@ export async function flushWatchSession(sessionToFlush = null, shouldClearInterv
     sessionToFlush.pushInterval = null
   }
 
-  db.contentProgress.requestPushUnsynced()
-  db.practices.requestPushUnsynced()
+  db.contentProgress.requestPushUnsynced('flush-watch-session')
+  db.practices.requestPushUnsynced('flush-watch-session')
 }
 
 async function trackPractice(contentId, secondsPlayed, practiceSession, details = {}) {
@@ -515,7 +515,7 @@ async function saveContentProgress(contentId, collection, progress, currentSecon
 
   // skip bubbling if progress hasnt changed
   if (progress === currentProgress) {
-    if (!skipPush) db.contentProgress.requestPushUnsynced()
+    if (!skipPush) db.contentProgress.requestPushUnsynced('save-content-progress')
     return
   }
 
@@ -549,7 +549,7 @@ async function saveContentProgress(contentId, collection, progress, currentSecon
     }
   }
 
-  if (!skipPush) db.contentProgress.requestPushUnsynced()
+  if (!skipPush) db.contentProgress.requestPushUnsynced('save-content-progress')
 
   return response
 }
@@ -582,7 +582,7 @@ async function setStartedOrCompletedStatus(contentId, collection, isCompleted, {
     }
   }
 
-  if (!skipPush) db.contentProgress.requestPushUnsynced()
+  if (!skipPush) db.contentProgress.requestPushUnsynced('set-started-or-completed-status')
 
   return response
 }
@@ -627,7 +627,7 @@ async function setStartedOrCompletedStatusMany(contentIds, collection, isComplet
     }
   }
 
-  if (!skipPush) db.contentProgress.requestPushUnsynced()
+  if (!skipPush) db.contentProgress.requestPushUnsynced('set-started-or-completed-status-many')
 
   return response
 }
@@ -665,7 +665,7 @@ async function resetStatus(contentId, collection = null, {skipPush = false} = {}
     await duplicateLearningPathProgressToExternalContents(progresses, collection, hierarchy, {skipPush: true})
   }
 
-  if (!skipPush) db.contentProgress.requestPushUnsynced()
+  if (!skipPush) db.contentProgress.requestPushUnsynced('reset-status')
 
   return response
 }

package/src/services/sync/adapters/factory.ts

@@ -1,10 +1,10 @@
 import schema from '../schema'
+import type { SyncUserScope } from '../index'
+import { SyncError } from '../errors'
 
 import type SQLiteAdapter from '@nozbe/watermelondb/adapters/sqlite'
 import type LokiJSAdapter from '@nozbe/watermelondb/adapters/lokijs'
 
-import { SyncTelemetry } from '../telemetry'
-
 export type DatabaseAdapter = SQLiteAdapter | LokiJSAdapter
 
 type SQLiteAdapterOptions = ConstructorParameters<typeof SQLiteAdapter>[0]
@@ -14,13 +14,28 @@ type DatabaseAdapterOptions = SQLiteAdapterOptions & LokiJSAdapterOptions
 
 export default function syncAdapterFactory<T extends DatabaseAdapter>(
   AdapterClass: new (options: DatabaseAdapterOptions) => T,
-  _namespace: string,
   opts: Omit<DatabaseAdapterOptions, 'schema' | 'migrations'>
-): () => T {
-  return () => new AdapterClass({
-    ...opts,
-    dbName: `sync`, // don't use user namespace for now
-    schema,
-    migrations: undefined
-  })
+): (userScope: SyncUserScope) => T {
+  // IMPORTANT: we rely on namespaced databases to prevent data clobbering
+  // when localStorage.userId somehow changes outside of an explicit, app-managed logout
+  // the system always checks on writes, pushes, and pulls that the localstorage.userId matches the userScope.initialId
+  // but without namespaced dbs, that would not be sufficient to prevent a database with data for user A
+  // from later masquerading as a database for user B
+
+  // This also allows us to keep the entire setup flow synchronous and lazy
+  // i.e., no checks necessary on database initialization comparing the previous/stored userId to the new/intended/current userId
+  // (and a panicked resetting if those checks fail)
+
+  return (userScope: SyncUserScope) => {
+    if (!userScope.initialId) {
+      throw new SyncError('User ID is required to construct database adapter')
+    }
+
+    return new AdapterClass({
+      ...opts,
+      dbName: `sync:${userScope.initialId}`,
+      schema,
+      migrations: undefined
+    })
+  }
 }

package/src/services/sync/adapters/lokijs.ts

@@ -3,7 +3,7 @@ import { SyncTelemetry } from '../telemetry'
 import LokiJSAdapter from '@nozbe/watermelondb/adapters/lokijs'
 export { LokiJSAdapter as default }
 
-import { deleteDatabase } from '@nozbe/watermelondb/adapters/lokijs/worker/lokiExtensions'
+import { deleteDatabase, lokiFatalError } from '@nozbe/watermelondb/adapters/lokijs/worker/lokiExtensions'
 
 /**
  * Mute impending driver errors that are expected after sync adapter failure
@@ -75,6 +75,12 @@ export function simulateIndexedDBQuotaExceeded() {
   })
 }
 
+export function abortWritesToDatabase(adapter: LokiJSAdapter) {
+  // acts as handy helper to disable loki's save methods entirely
+  lokiFatalError(adapter._driver.loki)
+  return Promise.resolve()
+}
+
 /**
  * Completely destroy database, as opposed to watermelon's reset
  * (which merely clears all records but re-initializes the database schema)
@@ -84,18 +90,18 @@ export function simulateIndexedDBQuotaExceeded() {
 export function destroyDatabase(dbName: string, adapter: LokiJSAdapter): Promise<void> {
   return new Promise(async (resolve, reject) => {
     if (adapter._driver) {
-      // try {
-      //   // good manners to clear the cache, even though this adapter will likely be discarded
-      //   adapter._clearCachedRecords();
-      // } catch (err: unknown) {
-      //   SyncTelemetry.getInstance()?.capture(err)
-      // }
+      try {
+        // good manners to clear the cache, even though this adapter will likely be discarded
+        adapter._clearCachedRecords();
+      } catch (err: unknown) {
+        SyncTelemetry.getInstance()?.capture(err)
+      }
 
       try {
         await deleteDatabase(adapter._driver.loki)
         return resolve();
       } catch (err: unknown) {
-        SyncTelemetry.getInstance()?.capture(err as Error)
+        SyncTelemetry.getInstance()?.capture(err)
         return reject(err);
       }
     }

package/src/services/sync/database/factory.ts

@@ -1,12 +1,13 @@
 import type { DatabaseAdapter } from '../adapters/factory'
-import { Database, } from '@nozbe/watermelondb'
+import { Database } from '@nozbe/watermelondb'
 import * as modelClasses from '../models'
+import type { SyncUserScope } from '../index'
 
-export default function syncDatabaseFactory(adapter: () => DatabaseAdapter, { onInitError }: { onInitError?: (error: Error) => void } = {}) {
-  return () => {
+export default function syncDatabaseFactory(adapter: (userScope: SyncUserScope) => DatabaseAdapter, { onInitError }: { onInitError?: (error: Error) => void } = {}) {
+  return (userScope: SyncUserScope) => {
     try {
       return new Database({
-        adapter: adapter(),
+        adapter: adapter(userScope),
         modelClasses: Object.values(modelClasses)
       })
     } catch (error) {

package/src/services/sync/fetch.ts

@@ -69,7 +69,8 @@ type SyncPullSuccessResponse = SyncResponseBase & {
   ok: true
   entries: SyncEntry[]
   token: SyncToken
-  previousToken: SyncToken | null
+  previousToken: SyncToken | null,
+  intendedUserId: number
 }
 export type SyncPullFetchFailureResponse = SyncResponseBase & {
   ok: false,
@@ -117,8 +118,8 @@ interface ServerPushPayload {
   }[]
 }
 
-export function makeFetchRequest(input: RequestInfo, init?: RequestInit): (session: BaseSessionProvider) => Request {
-  return (session) => new Request(globalConfig.baseUrl + input, {
+export function makeFetchRequest(input: RequestInfo, init?: RequestInit): (userId: number, session: BaseSessionProvider) => Request {
+  return (userId, session) => new Request(globalConfig.baseUrl + input, {
     ...init,
     headers: {
       ...init?.headers,
@@ -129,14 +130,15 @@ export function makeFetchRequest(input: RequestInfo, init?: RequestInit): (sessi
       'X-Sync-Client-Id': session.getClientId(),
       ...(session.getSessionId() ? {
         'X-Sync-Client-Session-Id': session.getSessionId()!
-      } : {})
+      } : {}),
+      'X-Sync-Intended-User-Id': userId.toString()
     }
   })
 }
 
-export function handlePull(callback: (session: BaseSessionProvider) => Request) {
-  return async function(session: BaseSessionProvider, lastFetchToken: SyncToken | null, signal?: AbortSignal): Promise<SyncPullResponse> {
-    const generatedRequest = callback(session)
+export function handlePull(callback: (userId: number, session: BaseSessionProvider) => Request) {
+  return async function(userId: number, session: BaseSessionProvider, lastFetchToken: SyncToken | null, signal?: AbortSignal): Promise<SyncPullResponse> {
+    const generatedRequest = callback(userId, session)
     const url = serializePullUrlQuery(generatedRequest.url, lastFetchToken)
     const request = new Request(url, {
       credentials: 'include',
@@ -163,6 +165,11 @@ export function handlePull(callback: (session: BaseSessionProvider) => Request)
       }
     }
 
+    if (!response.headers.get('X-Sync-Intended-User-Id')) {
+      throw new Error('Missing X-Sync-Intended-User-Id header')
+    }
+    const intendedUserId = +response.headers.get('X-Sync-Intended-User-Id')!
+
     const json = await response.json() as RawPullResponse
     const data = deserializePullResponse(json)
 
@@ -177,14 +184,15 @@ export function handlePull(callback: (session: BaseSessionProvider) => Request)
       ok: true,
       entries,
       token,
-      previousToken
+      previousToken,
+      intendedUserId
     }
   }
 }
 
-export function handlePush(callback: (session: BaseSessionProvider) => Request) {
-  return async function(session: BaseSessionProvider, payload: PushPayload, signal?: AbortSignal): Promise<SyncPushResponse> {
-    const generatedRequest = callback(session)
+export function handlePush(callback: (userId: number, session: BaseSessionProvider) => Request) {
+  return async function(userId: number, session: BaseSessionProvider, payload: PushPayload, signal?: AbortSignal): Promise<SyncPushResponse> {
+    const generatedRequest = callback(userId, session)
     const serverPayload = serializePushPayload(payload)
     const request = new Request(generatedRequest, {
       credentials: 'include',

package/src/services/sync/index.ts

@@ -4,6 +4,8 @@ import { Q, RecordId } from "@nozbe/watermelondb"
 import { type ModelSerialized, type RawSerialized } from "./serializers"
 import BaseModel from "./models/Base"
 
+export type SyncUserScope = { initialId: number, getCurrentId: () => number }
+
 export { default as db } from './repository-proxy'
 export { Q }
 

package/src/services/sync/manager.ts

@@ -5,7 +5,7 @@ import SyncRunScope from './run-scope'
 import { SyncStrategy } from './strategies'
 import { default as SyncStore, SyncStoreConfig } from './store'
 
-import { ModelClass } from './index'
+import { ModelClass, SyncUserScope } from './index'
 import SyncRetry from './retry'
 import SyncContext from './context'
 import { SyncError } from './errors'
@@ -14,6 +14,8 @@ import { SyncTelemetry } from './telemetry/index'
 import createStoreConfigs from './store-configs'
 import { contentProgressObserver } from '../awards/internal/content-progress-observer'
 
+export type SyncTeardownMode = 'reset' | 'destroyOrReset' | 'abortWrites'
+
 export default class SyncManager {
   private static counter = 0
   private static instance: SyncManager | null = null
@@ -22,13 +24,13 @@ export default class SyncManager {
     if (SyncManager.instance) {
       throw new SyncError('SyncManager already initialized')
     }
-
     SyncManager.instance = instance
+
     const teardown = instance.setup()
 
-    return (force = false) => {
+    return async (mode: SyncTeardownMode = 'reset') => {
       SyncManager.instance = null
-      return teardown(force).catch(error => {
+      return teardown(mode).catch((error) => {
         SyncManager.instance = instance // restore instance on teardown failure
         throw error
       })
@@ -49,6 +51,8 @@ export default class SyncManager {
   private id: string
   public telemetry: SyncTelemetry
   private context: SyncContext
+  private userScope: SyncUserScope
+
   private storeConfigsRegistry: Record<string, SyncStoreConfig<any>>
   private storesRegistry: Record<string, SyncStore<any>>
   private runScope: SyncRunScope
@@ -56,17 +60,30 @@ export default class SyncManager {
   private strategyMap: { models: ModelClass[]; strategies: SyncStrategy[] }[]
   private effectMap: { models: ModelClass[]; effects: SyncEffect[] }[]
 
-  private initDatabase: () => Database
+  private initDatabase: (userScope: SyncUserScope) => Database
   private destroyDatabase?: (dbName: string, adapter: DatabaseAdapter) => Promise<void>
-
-  constructor(context: SyncContext, initDatabase: () => Database, destroyDatabase?: (dbName: string, adapter: DatabaseAdapter) => Promise<void>) {
+  private abortWritesToDatabase?: (adapter: DatabaseAdapter) => Promise<void>
+
+  private teardownPromise: Promise<void> | null = null
+
+  constructor(
+    userScope: SyncUserScope,
+    context: SyncContext,
+    initDatabase: (userScope: SyncUserScope) => Database,
+    teardownDatabase: {
+      destroy?: (dbName: string, adapter: DatabaseAdapter) => Promise<void>
+      abort?: (adapter: DatabaseAdapter) => Promise<void>
+    } = {}
+  ) {
     this.id = (SyncManager.counter++).toString()
 
     this.telemetry = SyncTelemetry.getInstance()!
     this.context = context
+    this.userScope = userScope
 
     this.initDatabase = initDatabase
-    this.destroyDatabase = destroyDatabase
+    this.destroyDatabase = teardownDatabase.destroy
+    this.abortWritesToDatabase = teardownDatabase.abort
 
     this.storeConfigsRegistry = this.registerStoreConfigs(createStoreConfigs())
     this.storesRegistry = {}
@@ -88,6 +105,7 @@ export default class SyncManager {
   createStore(config: SyncStoreConfig, database: Database) {
     return new SyncStore(
       config,
+      this.userScope,
       this.context,
       database,
       this.retry,
@@ -124,7 +142,10 @@ export default class SyncManager {
 
     // can fail synchronously immediately (e.g., schema/migration validation errors)
     // or asynchronously (e.g., indexedDB errors synchronously OR asynchronously (!))
-    const database = this.telemetry.trace({ name: 'db:init', attributes: { ...this.context.session.toJSON() } }, this.initDatabase)
+    const database = this.telemetry.trace(
+      { name: 'db:init', attributes: { ...this.context.session.toJSON() } },
+      () => this.initDatabase(this.userScope)
+    )
 
     Object.entries(this.storeConfigsRegistry).forEach(([table, storeConfig]) => {
       this.storesRegistry[table] = this.createStore(storeConfig, database)
@@ -146,49 +167,101 @@ export default class SyncManager {
     })
 
     const effectTeardowns = this.effectMap.flatMap(({ models, effects }) => {
-      return effects.map((effect) => effect(this.context, models.map(model => this.storesRegistry[model.table])))
-    });
+      return effects.map((effect) =>
+        effect(
+          this.context,
+          models.map((model) => this.storesRegistry[model.table])
+        )
+      )
+    })
 
     contentProgressObserver.start(database).catch((error) => {
       this.telemetry.error('[SyncManager] Failed to start contentProgressObserver', error)
     })
 
-    const teardown = async (force = false) => {
-      this.telemetry.debug('[SyncManager] Tearing down')
+    const teardown = async (mode: SyncTeardownMode = 'reset') => {
+      if (this.teardownPromise) {
+        this.telemetry.debug(
+          '[SyncManager] Teardown already in progress, returning existing promise'
+        )
+        return this.teardownPromise
+      }
 
-      const clear = (force = false) => {
-        if (force && this.destroyDatabase && database.adapter.dbName && database.adapter.underlyingAdapter) {
-          return this.destroyDatabase(database.adapter.dbName, database.adapter.underlyingAdapter)
-        } else {
-          return database.write(() => database.unsafeResetDatabase())
+      this.teardownPromise = (async () => {
+        this.telemetry.debug('[SyncManager] Tearing down')
+
+        const clear = (mode: SyncTeardownMode) => {
+          if (mode === 'abortWrites') {
+            if (!this.abortWritesToDatabase) {
+              throw new SyncError('Cannot abort writes to database - implementation not provided')
+            }
+            if (!database.adapter.underlyingAdapter) {
+              throw new SyncError('Cannot abort writes to database - adapter not available')
+            }
+
+            return this.abortWritesToDatabase(database.adapter.underlyingAdapter)
+          }
+
+          if (mode === 'destroyOrReset') {
+            try {
+              if (!this.destroyDatabase) {
+                throw new SyncError(
+                  'Cannot destroy or reset database - destroy implementation not provided'
+                )
+              }
+              if (!database.adapter.underlyingAdapter) {
+                throw new SyncError('Cannot destroy database - adapter not available')
+              }
+              if (!database.adapter.dbName) {
+                throw new SyncError('Cannot destroy database - dbName not available')
+              }
+              return this.destroyDatabase(
+                database.adapter.dbName,
+                database.adapter.underlyingAdapter
+              )
+            } catch (err: unknown) {
+              this.telemetry.capture(err)
+              return database.write(() => database.unsafeResetDatabase())
+            }
+          }
+
+          return database.write(() => database.unsafeResetDatabase()).then(() =>{
+            // destroy the db anyways
+            // useful if we're using user-namespaced dbs
+            if (this.destroyDatabase && database.adapter.dbName && database.adapter.underlyingAdapter) {
+              return this.destroyDatabase(
+                database.adapter.dbName,
+                database.adapter.underlyingAdapter
+              )
+            }
+          })
         }
-      }
 
-      try {
-        Object.values(this.storesRegistry).forEach((store) => {
-          store.destroy()
-        })
+        try {
+          Object.values(this.storesRegistry).forEach((store) => {
+            store.destroy()
+          })
 
-        this.runScope.abort()
-        this.strategyMap.forEach(({ strategies }) => strategies.forEach((strategy) => strategy.stop()))
-        effectTeardowns.forEach((teardown) => teardown())
-        this.retry.stop()
-        this.context.stop()
+          this.runScope.abort()
+          this.strategyMap.forEach(({ strategies }) =>
+            strategies.forEach((strategy) => strategy.stop())
+          )
+          effectTeardowns.forEach((teardown) => teardown())
+          this.retry.stop()
+          this.context.stop()
+
+          contentProgressObserver.stop()
+        } catch (error) {
+          // capture, but don't rethrow
+          this.telemetry.capture(error)
+        }
 
-        contentProgressObserver.stop()
-      } catch (error) {
-        // capture, but don't rethrow
-        this.telemetry.capture(error)
-      }
+        return clear(mode)
+      })().finally(() => {
+        this.teardownPromise = null
+      })
 
-      try {
-        return clear(force);
-      } catch (error) {
-        if (!force) {
-          return clear(true);
-        }
-        throw error
-      }
+      return this.teardownPromise
     }
 
     return teardown

package/src/services/sync/repositories/base.ts

@@ -242,7 +242,7 @@ export default class SyncRepository<TModel extends BaseModel> {
     return result
   }
 
-  requestPushUnsynced() {
-    this.store.pushUnsyncedWithRetry()
+  requestPushUnsynced(cause?: string) {
+    this.store.pushUnsyncedWithRetry(undefined, { type: 'repo-push-request', cause })
   }
 }

package/src/services/sync/store/index.ts

@@ -1,6 +1,6 @@
 import { Database, Q, Query, type Collection, type RecordId } from '@nozbe/watermelondb'
 import { RawSerializer, ModelSerializer } from '../serializers'
-import { ModelClass, SyncToken, SyncEntry,  SyncContext, EpochMs } from '..'
+import { ModelClass, SyncToken, SyncEntry, SyncUserScope, SyncContext, EpochMs } from '..'
 import { SyncPullResponse, SyncPushResponse, SyncPullFetchFailureResponse, PushPayload, SyncStorePushResultSuccess, SyncStorePushResultFailure } from '../fetch'
 import type SyncRetry from '../retry'
 import type SyncRunScope from '../run-scope'
@@ -18,11 +18,13 @@ import type LokiJSAdapter from '@nozbe/watermelondb/adapters/lokijs'
 import { SyncError } from '../errors'
 
 type SyncPull = (
+  intendedUserId: number,
   session: BaseSessionProvider,
   previousFetchToken: SyncToken | null,
   signal: AbortSignal
 ) => Promise<SyncPullResponse>
 type SyncPush = (
+  intendedUserId: number,
   session: BaseSessionProvider,
   payload: PushPayload,
   signal: AbortSignal
@@ -42,6 +44,7 @@ export default class SyncStore<TModel extends BaseModel = BaseModel> {
   static readonly CLEANUP_INTERVAL = 60_000 * 60 // 1hr
 
   readonly telemetry: SyncTelemetry
+  readonly userScope: SyncUserScope
   readonly context: SyncContext
   readonly retry: SyncRetry
   readonly runScope: SyncRunScope
@@ -67,12 +70,14 @@ export default class SyncStore<TModel extends BaseModel = BaseModel> {
 
   constructor(
     { model, comparator, pull, push }: SyncStoreConfig<TModel>,
+    userScope: SyncUserScope,
     context: SyncContext,
     db: Database,
     retry: SyncRetry,
     runScope: SyncRunScope,
     telemetry: SyncTelemetry
   ) {
+    this.userScope = userScope
     this.context = context
     this.retry = retry
     this.runScope = runScope
@@ -113,7 +118,7 @@ export default class SyncStore<TModel extends BaseModel = BaseModel> {
           let pushError: any = null
 
           try {
-            await this.pushUnsyncedWithRetry(span)
+            await this.pushUnsyncedWithRetry(span, { type: 'sync-request', reason })
           } catch (err) {
             pushError = err
           }
@@ -135,7 +140,7 @@ export default class SyncStore<TModel extends BaseModel = BaseModel> {
       this.telemetry.trace(
         { name: `sync:${this.model.table}`, op: 'push', attributes: { ...ctx, ...this.context.session.toJSON() } },
         async span => {
-          await this.pushUnsyncedWithRetry(span)
+          await this.pushUnsyncedWithRetry(span, { type: 'push-request', reason })
         }
       )
     }, { table: this.model.table, reason })
@@ -199,14 +204,14 @@ export default class SyncStore<TModel extends BaseModel = BaseModel> {
 
   async insertOne(builder: (record: TModel) => void, span?: Span) {
     return await this.runScope.abortable(async () => {
-      const record = await this.telemeterizedWrite(span, async () => {
+      const record = await this.paranoidWrite(span, async () => {
         return this.collection.create(rec => {
           builder(rec)
         })
       })
       this.emit('upserted', [record])
 
-      this.pushUnsyncedWithRetry(span)
+      this.pushUnsyncedWithRetry(span, { type: 'insertOne', recordId: record.id })
       await this.ensurePersistence()
 
       return this.modelSerializer.toPlainObject(record)
@@ -221,12 +226,12 @@ export default class SyncStore<TModel extends BaseModel = BaseModel> {
         throw new SyncError('Record not found', { id })
       }
 
-      const record = await this.telemeterizedWrite(span, async () => {
+      const record = await this.paranoidWrite(span, async () => {
         return found.update(builder)
       })
       this.emit('upserted', [record])
 
-      this.pushUnsyncedWithRetry(span)
+      this.pushUnsyncedWithRetry(span, { type: 'updateOneId', recordId: record.id })
       await this.ensurePersistence()
 
       return this.modelSerializer.toPlainObject(record)
@@ -239,7 +244,7 @@ export default class SyncStore<TModel extends BaseModel = BaseModel> {
     return await this.runScope.abortable(async () => {
       const ids = Object.keys(builders)
 
-      const records = await this.telemeterizedWrite(span, async writer => {
+      const records = await this.paranoidWrite(span, async writer => {
         const existing = await writer.callReader(() => this.queryMaybeDeletedRecords(Q.where('id', Q.oneOf(ids))))
         const existingMap = existing.reduce((map, record) => map.set(record.id, record), new Map<RecordId, TModel>())
 
@@ -297,7 +302,7 @@ export default class SyncStore<TModel extends BaseModel = BaseModel> {
       this.emit('upserted', records)
 
       if (!skipPush) {
-        this.pushUnsyncedWithRetry(span)
+        this.pushUnsyncedWithRetry(span, { type: 'upsertSome', recordIds: records.map(r => r.id).join(',') })
       }
       await this.ensurePersistence()
 
@@ -324,7 +329,7 @@ export default class SyncStore<TModel extends BaseModel = BaseModel> {
     return await this.runScope.abortable(async () => {
       let record: TModel | null = null
 
-      await this.telemeterizedWrite(span, async writer => {
+      await this.paranoidWrite(span, async writer => {
         const existing = await writer.callReader(() => this.queryMaybeDeletedRecords(Q.where('id', id))).then(
           (records) => records[0] || null
         )
@@ -346,7 +351,7 @@ export default class SyncStore<TModel extends BaseModel = BaseModel> {
       this.emit('deleted', [id])
 
       if (!skipPush) {
-        this.pushUnsyncedWithRetry(span)
+        this.pushUnsyncedWithRetry(span, { type: 'deleteOne', recordId: id })
       }
       await this.ensurePersistence()
 
@@ -356,7 +361,7 @@ export default class SyncStore<TModel extends BaseModel = BaseModel> {
 
   async deleteSome(ids: RecordId[], span?: Span, { skipPush = false } = {}) {
     return this.runScope.abortable(async () => {
-      await this.telemeterizedWrite(span, async writer => {
+      await this.paranoidWrite(span, async writer => {
         const existing = await this.queryRecords(Q.where('id', Q.oneOf(ids)))
 
         await writer.batch(...existing.map(record => record.prepareMarkAsDeleted()))
@@ -365,7 +370,7 @@ export default class SyncStore<TModel extends BaseModel = BaseModel> {
       this.emit('deleted', ids)
 
       if (!skipPush) {
-        this.pushUnsyncedWithRetry(span)
+        this.pushUnsyncedWithRetry(span, { type: 'deleteSome', recordIds: ids.join(',') })
       }
       await this.ensurePersistence()
 
@@ -379,7 +384,7 @@ export default class SyncStore<TModel extends BaseModel = BaseModel> {
 
   async restoreSome(ids: RecordId[], span?: Span) {
     return this.runScope.abortable(async () => {
-      const records = await this.telemeterizedWrite(span, async writer => {
+      const records = await this.paranoidWrite(span, async writer => {
         const records = await writer.callReader(() => this.queryMaybeDeletedRecords(
           Q.where('id', Q.oneOf(ids)),
           Q.where('_status', 'deleted')
@@ -401,7 +406,7 @@ export default class SyncStore<TModel extends BaseModel = BaseModel> {
 
       this.emit('upserted', records)
 
-      this.pushUnsyncedWithRetry(span)
+      this.pushUnsyncedWithRetry(span, { type: 'restoreSome', recordIds: ids.join(',') })
       await this.ensurePersistence()
 
       return records.map((record) => this.modelSerializer.toPlainObject(record))
@@ -410,7 +415,7 @@ export default class SyncStore<TModel extends BaseModel = BaseModel> {
 
   async importUpsert(recordRaws: TModel['_raw'][]) {
     await this.runScope.abortable(async () => {
-      await this.telemeterizedWrite(undefined, async writer => {
+      await this.paranoidWrite(undefined, async writer => {
         const ids = recordRaws.map(r => r.id)
         const existingMap = await writer.callReader(() => this.queryMaybeDeletedRecords(Q.where('id', Q.oneOf(ids)))).then(records => {
           return records.reduce((map, record) => map.set(record.id, record), new Map<RecordId, TModel>())
@@ -469,7 +474,7 @@ export default class SyncStore<TModel extends BaseModel = BaseModel> {
   }
   async importDeletion(ids: RecordId[]) {
     await this.runScope.abortable(async () => {
-      await this.telemeterizedWrite(undefined, async writer => {
+      await this.paranoidWrite(undefined, async writer => {
         const existingMap = await writer.callReader(() => this.queryMaybeDeletedRecords(Q.where('id', Q.oneOf(ids)))).then(records => {
           return records.reduce((map, record) => map.set(record.id, record), new Map<RecordId, TModel>())
         })
@@ -516,7 +521,7 @@ export default class SyncStore<TModel extends BaseModel = BaseModel> {
     )()
   }
 
-  public async pushUnsyncedWithRetry(span?: Span) {
+  public async pushUnsyncedWithRetry(span?: Span, cause?: string | Record<string, string>) {
     const records = await this.queryMaybeDeletedRecords(Q.where('_status', Q.notEq('synced')))
 
     if (records.length) {
@@ -529,8 +534,9 @@ export default class SyncStore<TModel extends BaseModel = BaseModel> {
       this.pushCoalescer.push(
         records,
         queueThrottle({ state: this.pushThrottleState }, () => {
+          const causeAttrs = typeof cause === 'string' ? { type: cause } : cause ?? {}
           return this.retry.request<SyncPushResponse>(
-            { name: `push:${this.model.table}`, op: 'push', parentSpan: span },
+            { name: `push:${this.model.table}`, op: 'push', parentSpan: span, attributes: { ...causeAttrs } },
             async (span) => {
               // re-query records since this fn may be deferred due to throttling/retries
               const currentRecords = await this.queryMaybeDeletedRecords(Q.where('id', Q.oneOf(recordIds)))
@@ -571,10 +577,21 @@ export default class SyncStore<TModel extends BaseModel = BaseModel> {
             attributes: { lastFetchToken: lastFetchToken ?? undefined, ...this.context.session.toJSON() },
             parentSpan: pullSpan,
           },
-          () => this.puller(this.context.session, lastFetchToken, this.runScope.signal)
+          () => this.puller(this.userScope.initialId, this.context.session, lastFetchToken, this.runScope.signal)
         )
 
         if (response.ok) {
+          const initialId = this.userScope.initialId
+          const currentId = this.userScope.getCurrentId()
+
+          if (response.intendedUserId !== initialId || response.intendedUserId !== currentId) {
+            throw new SyncError('Intended user ID does not match', {
+              intendedUserId: response.intendedUserId,
+              initialUserId: initialId,
+              currentUserId: currentId
+            })
+          }
+
           await this.writeEntries(response.entries, !response.previousToken, pullSpan)
           await this.setLastFetchToken(response.token)
 
@@ -604,7 +621,7 @@ export default class SyncStore<TModel extends BaseModel = BaseModel> {
             attributes: { ...this.context.session.toJSON() },
             parentSpan: pushSpan,
           },
-          () => this.pusher(this.context.session, payload, this.runScope.signal)
+          () => this.pusher(this.userScope.initialId, this.context.session, payload, this.runScope.signal)
         )
 
         if (response.ok) {
@@ -620,7 +637,7 @@ export default class SyncStore<TModel extends BaseModel = BaseModel> {
           if (failedResults.length) {
             this.telemetry.warn(
               `[store:${this.model.table}] Push completed with failed records`,
-              { results: failedResults }
+              { results: failedResults, resultsJSON: JSON.stringify(failedResults) }
             )
           }
 
@@ -775,10 +792,22 @@ export default class SyncStore<TModel extends BaseModel = BaseModel> {
     })
   }
 
-  private telemeterizedWrite<T>(
+  /**
+   * Performs telemetry-wrapped write, crucially checking if the user has changed
+   */
+  private paranoidWrite<T>(
     parentSpan: Span | undefined,
     work: (writer: WriterInterface) => Promise<T>
   ): Promise<T> {
+    const initialId = this.userScope.initialId
+    const currentId = this.userScope.getCurrentId()
+    if (initialId !== currentId) {
+      throw new SyncError('Aborted cross-user write operation', {
+        initialId,
+        currentId,
+      })
+    }
+
     return this.telemetry.trace(
       { name: `write:${this.model.table}`, op: 'write', parentSpan, attributes: { ...this.context.session.toJSON() } },
       (writeSpan) => {
@@ -799,7 +828,7 @@ export default class SyncStore<TModel extends BaseModel = BaseModel> {
 
   private async writeEntries(entries: SyncEntry[], freshSync: boolean = false, parentSpan?: Span) {
     await this.runScope.abortable(async () => {
-      return this.telemeterizedWrite(parentSpan, async (writer) => {
+      return this.paranoidWrite(parentSpan, async (writer) => {
         const batches = await this.buildWriteBatchesFromEntries(writer, entries, freshSync)
 
         for (const batch of batches) {
@@ -945,7 +974,7 @@ export default class SyncStore<TModel extends BaseModel = BaseModel> {
   private startCleanupTimer() {
     this.cleanupTimer = setInterval(() => {
       this.runScope.abortable(async () => {
-        this.telemeterizedWrite(undefined, async (writer) => {
+        this.paranoidWrite(undefined, async (writer) => {
           await this.cleanupOldDeletedRecords(writer)
         })
       })

package/src/services/sync/telemetry/index.ts

@@ -1,3 +1,4 @@
+import { SyncUserScope } from '../index'
 import watermelonLogger from '@nozbe/watermelondb/utils/common/logger'
 import { SyncError, SyncUnexpectedError } from '../errors'
 
@@ -6,6 +7,7 @@ export type SentryBrowserOptions = NonNullable<Parameters<typeof InjectedSentry.
 
 export type SentryLike = {
   captureException: typeof InjectedSentry.captureException
+  captureMessage: typeof InjectedSentry.captureMessage
   addBreadcrumb: typeof InjectedSentry.addBreadcrumb
   startSpan: typeof InjectedSentry.startSpan
 }
@@ -24,6 +26,15 @@ export enum SeverityLevel {
   FATAL = 5,
 }
 
+const severityLevelToSentryLevel: Record<SeverityLevel, 'fatal' | 'error' | 'warning' | 'log' | 'info' | 'debug'> = {
+  [SeverityLevel.DEBUG]: 'debug',
+  [SeverityLevel.INFO]: 'info',
+  [SeverityLevel.LOG]: 'log',
+  [SeverityLevel.WARNING]: 'warning',
+  [SeverityLevel.ERROR]: 'error',
+  [SeverityLevel.FATAL]: 'fatal',
+}
+
 export class SyncTelemetry {
   private static instance: SyncTelemetry | null = null
 
@@ -40,7 +51,7 @@ export class SyncTelemetry {
     SyncTelemetry.instance = null
   }
 
-  private userId: string
+  private userScope: SyncUserScope
   private Sentry: SentryLike
   private level: SeverityLevel
   private pretty: boolean
@@ -51,14 +62,14 @@ export class SyncTelemetry {
   private _ignoreConsole = false
 
   constructor(
-    userId: string,
+    userScope: SyncUserScope,
     {
       Sentry,
       level,
       pretty,
     }: { Sentry: SentryLike; level?: keyof typeof SeverityLevel; pretty?: boolean }
   ) {
-    this.userId = userId
+    this.userScope = userScope
     this.Sentry = Sentry
     this.level =
       typeof level !== 'undefined' && level in SeverityLevel
@@ -78,7 +89,8 @@ export class SyncTelemetry {
       op: `${SYNC_TELEMETRY_TRACE_PREFIX}${opts.op}`,
       attributes: {
         ...opts.attributes,
-        userId: this.userId,
+        'user.initialId': this.userScope.initialId,
+        'user.currentId': this.userScope.getCurrentId(),
       },
     }
     return this.Sentry.startSpan<T>(options, (span) => {
@@ -93,7 +105,7 @@ export class SyncTelemetry {
     })
   }
 
-  capture(err: Error, context = {}) {
+  capture(err: unknown, context = {}) {
     const wrapped =
       err instanceof SyncError ? err : new SyncUnexpectedError((err as Error).message, context)
 
@@ -110,7 +122,7 @@ export class SyncTelemetry {
     )
 
     this._ignoreConsole = true
-    this.error(err.message)
+    this.error(err instanceof Error ? err.message : String(err))
     this._ignoreConsole = false
   }
 
@@ -155,11 +167,11 @@ export class SyncTelemetry {
     this._log(SeverityLevel.WARNING, 'warn', message, extra)
   }
 
-  error(message: unknown[], extra?: any) {
+  error(message: unknown, extra?: any) {
     this._log(SeverityLevel.ERROR, 'error', message, extra)
   }
 
-  fatal(message: unknown[], extra?: any) {
+  fatal(message: unknown, extra?: any) {
     this._log(SeverityLevel.FATAL, 'error', message, extra)
   }
 
@@ -169,7 +181,12 @@ export class SyncTelemetry {
     this._ignoreConsole = true
     console[consoleMethod](...this.formattedConsoleMessage(message, extra))
     this._ignoreConsole = false
-    this.Sentry.captureMessage(message instanceof Error ? message.message : String(message), level)
+
+    if (level >= SeverityLevel.WARNING) {
+      this.Sentry.captureMessage(message instanceof Error ? message.message : String(message), severityLevelToSentryLevel[level])
+    } else {
+      this.Sentry.addBreadcrumb({ message: message instanceof Error ? message.message : String(message), level: severityLevelToSentryLevel[level] })
+    }
   }
 
   private formattedConsoleMessage(message: unknown, extra: any) {