neonctl 2.22.2 → 2.23.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (113) hide show
  1. package/README.md +84 -0
  2. package/analytics.js +5 -2
  3. package/commands/branches.js +9 -1
  4. package/commands/connection_string.js +9 -1
  5. package/commands/functions.js +268 -0
  6. package/commands/index.js +4 -0
  7. package/commands/neon_auth.js +1013 -0
  8. package/commands/projects.js +9 -1
  9. package/commands/psql.js +6 -1
  10. package/functions_api.js +43 -0
  11. package/package.json +15 -5
  12. package/psql/cli.js +51 -0
  13. package/psql/command/cmd_cond.js +437 -0
  14. package/psql/command/cmd_connect.js +815 -0
  15. package/psql/command/cmd_copy.js +1025 -0
  16. package/psql/command/cmd_describe.js +1810 -0
  17. package/psql/command/cmd_format.js +909 -0
  18. package/psql/command/cmd_io.js +2187 -0
  19. package/psql/command/cmd_lo.js +385 -0
  20. package/psql/command/cmd_meta.js +970 -0
  21. package/psql/command/cmd_misc.js +187 -0
  22. package/psql/command/cmd_pipeline.js +1141 -0
  23. package/psql/command/cmd_restrict.js +171 -0
  24. package/psql/command/cmd_show.js +751 -0
  25. package/psql/command/dispatch.js +343 -0
  26. package/psql/command/inputQueue.js +42 -0
  27. package/psql/command/shared.js +71 -0
  28. package/psql/complete/filenames.js +139 -0
  29. package/psql/complete/index.js +104 -0
  30. package/psql/complete/matcher.js +314 -0
  31. package/psql/complete/psqlVars.js +247 -0
  32. package/psql/complete/queries.js +491 -0
  33. package/psql/complete/rules.js +2387 -0
  34. package/psql/core/common.js +1250 -0
  35. package/psql/core/help.js +576 -0
  36. package/psql/core/mainloop.js +1353 -0
  37. package/psql/core/prompt.js +437 -0
  38. package/psql/core/settings.js +684 -0
  39. package/psql/core/sqlHelp.js +1066 -0
  40. package/psql/core/startup.js +840 -0
  41. package/psql/core/syncVars.js +116 -0
  42. package/psql/core/variables.js +287 -0
  43. package/psql/describe/formatters.js +1277 -0
  44. package/psql/describe/processNamePattern.js +270 -0
  45. package/psql/describe/queries.js +2373 -0
  46. package/psql/describe/versionGate.js +43 -0
  47. package/psql/index.js +2005 -0
  48. package/psql/io/history.js +299 -0
  49. package/psql/io/input.js +120 -0
  50. package/psql/io/lineEditor/buffer.js +323 -0
  51. package/psql/io/lineEditor/complete.js +227 -0
  52. package/psql/io/lineEditor/filename.js +159 -0
  53. package/psql/io/lineEditor/index.js +891 -0
  54. package/psql/io/lineEditor/keymap.js +738 -0
  55. package/psql/io/lineEditor/vt100.js +363 -0
  56. package/psql/io/pgpass.js +202 -0
  57. package/psql/io/pgservice.js +194 -0
  58. package/psql/io/psqlrc.js +422 -0
  59. package/psql/print/aligned.js +1756 -0
  60. package/psql/print/asciidoc.js +248 -0
  61. package/psql/print/crosstab.js +460 -0
  62. package/psql/print/csv.js +92 -0
  63. package/psql/print/html.js +258 -0
  64. package/psql/print/json.js +96 -0
  65. package/psql/print/latex.js +396 -0
  66. package/psql/print/pager.js +265 -0
  67. package/psql/print/troff.js +258 -0
  68. package/psql/print/unaligned.js +118 -0
  69. package/psql/print/units.js +135 -0
  70. package/psql/scanner/slash.js +513 -0
  71. package/psql/scanner/sql.js +910 -0
  72. package/psql/scanner/stringutils.js +390 -0
  73. package/psql/types/backslash.js +1 -0
  74. package/psql/types/connection.js +1 -0
  75. package/psql/types/index.js +7 -0
  76. package/psql/types/printer.js +1 -0
  77. package/psql/types/repl.js +1 -0
  78. package/psql/types/scanner.js +24 -0
  79. package/psql/types/settings.js +1 -0
  80. package/psql/types/variables.js +1 -0
  81. package/psql/wire/connection.js +2844 -0
  82. package/psql/wire/copy.js +108 -0
  83. package/psql/wire/notify.js +59 -0
  84. package/psql/wire/pipeline.js +519 -0
  85. package/psql/wire/protocol.js +466 -0
  86. package/psql/wire/sasl.js +296 -0
  87. package/psql/wire/tls.js +596 -0
  88. package/test_utils/fixtures.js +1 -0
  89. package/utils/esbuild.js +147 -0
  90. package/utils/psql.js +107 -11
  91. package/utils/zip.js +4 -0
  92. package/writer.js +1 -1
  93. package/commands/auth.test.js +0 -211
  94. package/commands/branches.test.js +0 -460
  95. package/commands/checkout.test.js +0 -170
  96. package/commands/connection_string.test.js +0 -196
  97. package/commands/data_api.test.js +0 -169
  98. package/commands/databases.test.js +0 -39
  99. package/commands/help.test.js +0 -9
  100. package/commands/init.test.js +0 -56
  101. package/commands/ip_allow.test.js +0 -59
  102. package/commands/link.test.js +0 -381
  103. package/commands/operations.test.js +0 -7
  104. package/commands/orgs.test.js +0 -7
  105. package/commands/projects.test.js +0 -144
  106. package/commands/psql.test.js +0 -49
  107. package/commands/roles.test.js +0 -37
  108. package/commands/set_context.test.js +0 -159
  109. package/commands/vpc_endpoints.test.js +0 -69
  110. package/context.test.js +0 -119
  111. package/env.test.js +0 -55
  112. package/utils/formats.test.js +0 -32
  113. package/writer.test.js +0 -104
@@ -0,0 +1,2844 @@
1
+ /**
2
+ * PgConnection — the wire-layer Connection implementation (WP-02 + WP-16).
3
+ *
4
+ * Implements `Connection` (frozen WP-00 interface in
5
+ * `src/psql/types/connection.ts`) on top of a single TCP / TLS socket. The
6
+ * class is essentially a state machine:
7
+ *
8
+ * auth → drive Authentication* messages
9
+ * await-ready → collect ParameterStatus + BackendKeyData
10
+ * idle → ready for a Query / extended-protocol cycle
11
+ * in-query → simple Query in flight, accumulating ResultSets
12
+ * in-copy-in → COPY FROM STDIN data transfer in progress (WP-16)
13
+ * in-copy-out → COPY TO STDOUT data transfer in progress (WP-16)
14
+ * closed → socket gone
15
+ *
16
+ * What this module owns:
17
+ * - Socket lifecycle (open, optional TLS, Terminate, close).
18
+ * - Auth: Cleartext, MD5, SASL/SCRAM (delegating to ./sasl.ts).
19
+ * - Tracking server `serverVersion` from ParameterStatus.
20
+ * - Simple-query path (`execSimple`) — collect RowDescription/DataRow/
21
+ * CommandComplete tuples into ResultSet[].
22
+ * - Async messages (Notice, Notification) routed through ./notify.ts.
23
+ * - ErrorResponse → rejected promise mapped to ConnectError shape.
24
+ * - Async cancel via a side connection (CancelRequest).
25
+ * - COPY streaming (WP-16): `startCopyIn` returns a `CopyInStream` that
26
+ * wires CopyData / CopyDone / CopyFail; `startCopyOut` returns an
27
+ * `AsyncIterable<Buffer>` that drains CopyData messages from the wire.
28
+ * The state machine threads through `in-copy-in` / `in-copy-out`.
29
+ *
30
+ * What is stubbed / deferred:
31
+ * - Extended-query protocol (Parse/Bind/Execute/Sync). The framing is in
32
+ * protocol.ts but the high-level path (parameterised `query()`, prepared
33
+ * statements, pipeline) is WP-21. We throw clearly when called.
34
+ */
35
+ import * as dns from 'node:dns/promises';
36
+ import * as net from 'node:net';
37
+ import * as tls from 'node:tls';
38
+ import { createHash } from 'node:crypto';
39
+ import { Buffer } from 'node:buffer';
40
+ import { Bind, CancelRequest, Close, CopyData, CopyDone, CopyFail, Describe, Execute, fieldsToNotice, MessageParser, Parse, PasswordMessage, Query, SASLInitialResponse, SASLResponse, StartupMessage, Sync, Terminate, } from './protocol.js';
41
+ import { PipelineSession } from './pipeline.js';
42
+ import { createScramClient } from './sasl.js';
43
+ import { negotiateTls } from './tls.js';
44
+ import { NoticeMultiplexer } from './notify.js';
45
+ /**
46
+ * Map a Notice-flavoured fields map into a `ConnectError` that includes a
47
+ * recognizable `message` plus a `cause` slot for the raw record.
48
+ */
49
+ function fieldsToConnectError(fields) {
50
+ return { ...fieldsToNotice(fields), cause: fields };
51
+ }
52
+ /**
53
+ * Synthetic ConnectError used as the rejection reason for queued
54
+ * pipeline ops that the server skipped after a preceding ErrorResponse.
55
+ * Mirrors libpq's `PGRES_PIPELINE_ABORTED` result — the message text
56
+ * matches the string libpq stamps onto skipped ops so the cmd layer
57
+ * can render it byte-identically with vanilla psql's `\getresults` /
58
+ * `\endpipeline` output.
59
+ */
60
+ function pipelineAbortedError() {
61
+ return {
62
+ severity: 'ERROR',
63
+ code: '',
64
+ message: 'Pipeline aborted, command did not run',
65
+ pipelineAborted: true,
66
+ };
67
+ }
68
+ /** Parse "PostgreSQL 16.2 …" into a numeric `major * 10000 + minor * 100`. */
69
+ function parseServerVersion(value) {
70
+ // libpq's PQserverVersion returns NNNNNN (e.g. 160002 for 16.2). For
71
+ // pre-10 versions the layout was NNMMSS (e.g. 90608 for 9.6.8). Our
72
+ // consumers only need monotonic comparability and a major-version
73
+ // accessor; the libpq formula is the simplest match.
74
+ const m = /^([0-9]+)(?:\.([0-9]+))?(?:\.([0-9]+))?/.exec(value);
75
+ if (!m)
76
+ return 0;
77
+ const major = parseInt(m[1], 10);
78
+ const minor = m[2] !== undefined ? parseInt(m[2], 10) : 0;
79
+ if (major >= 10) {
80
+ return major * 10000 + minor;
81
+ }
82
+ const patch = m[3] !== undefined ? parseInt(m[3], 10) : 0;
83
+ return major * 10000 + minor * 100 + patch;
84
+ }
85
+ /**
86
+ * MD5 auth: `'md5' + md5( md5(password + user) || salt )`. Inner hash uses
87
+ * the username; outer is salted. PG uses lowercase hex everywhere.
88
+ */
89
+ function md5AuthPayload(user, password, salt) {
90
+ const inner = createHash('md5')
91
+ .update(password + user, 'utf8')
92
+ .digest('hex');
93
+ const outer = createHash('md5')
94
+ .update(inner, 'utf8')
95
+ .update(salt)
96
+ .digest('hex');
97
+ return 'md5' + outer;
98
+ }
99
+ /**
100
+ * Fisher-Yates in-place shuffle of the candidate hosts list. Used by
101
+ * `load_balance_hosts=random`. Hook the random source so tests can inject a
102
+ * deterministic permutation.
103
+ */
104
+ function shuffleInPlace(arr, rng = Math.random) {
105
+ for (let i = arr.length - 1; i > 0; i -= 1) {
106
+ const j = Math.floor(rng() * (i + 1));
107
+ const tmp = arr[i];
108
+ arr[i] = arr[j];
109
+ arr[j] = tmp;
110
+ }
111
+ }
112
+ /**
113
+ * After a successful handshake, decide whether this connection matches the
114
+ * caller's `target_session_attrs` constraint by running
115
+ * `SELECT pg_is_in_recovery()`. Returns `true` if the connection is
116
+ * acceptable, `false` if it should be torn down and the next host tried.
117
+ *
118
+ * - 'any' (or undefined) — always accepts.
119
+ * - 'read-write' / 'primary' — accepts when NOT in recovery.
120
+ * - 'read-only' / 'standby' — accepts when IN recovery.
121
+ *
122
+ * If the probe query itself fails we treat the connection as unacceptable
123
+ * (returns false) so the orchestrator falls through to the next candidate
124
+ * rather than handing the caller a half-broken connection.
125
+ */
126
+ async function checkSessionAttrs(conn, tsa) {
127
+ if (tsa === undefined || tsa === 'any')
128
+ return true;
129
+ let inRecovery;
130
+ try {
131
+ const sets = await conn.execSimple('SELECT pg_is_in_recovery()');
132
+ if (sets.length === 0 || sets[0].rows.length === 0) {
133
+ return false;
134
+ }
135
+ const raw = sets[0].rows[0][0];
136
+ // pg_is_in_recovery returns boolean; text-format rows surface as
137
+ // 't' / 'f'. Be liberal: also handle 'true' / 'false'.
138
+ if (raw === true) {
139
+ inRecovery = true;
140
+ }
141
+ else if (raw === false) {
142
+ inRecovery = false;
143
+ }
144
+ else if (typeof raw === 'string') {
145
+ inRecovery = raw === 't' || raw.toLowerCase() === 'true';
146
+ }
147
+ else {
148
+ return false;
149
+ }
150
+ }
151
+ catch {
152
+ return false;
153
+ }
154
+ switch (tsa) {
155
+ case 'read-write':
156
+ case 'primary':
157
+ return !inRecovery;
158
+ case 'read-only':
159
+ case 'standby':
160
+ return inRecovery;
161
+ // 'prefer-standby' is unwrapped by the orchestrator into two passes
162
+ // ('standby' then 'any'), so we never see it here. Fall through to
163
+ // accept-any for safety.
164
+ default:
165
+ return true;
166
+ }
167
+ }
168
+ /**
169
+ * COPY-OUT backpressure thresholds (bytes). When buffered data exceeds the
170
+ * high-water mark we pause the socket; the consumer's `next()` resumes it once
171
+ * it drains below the low-water mark. Bounds RSS for a server that produces
172
+ * rows faster than the sink consumes them (review item #11).
173
+ */
174
+ const COPY_OUT_HWM = 8 * 1024 * 1024;
175
+ const COPY_OUT_LWM = 1 * 1024 * 1024;
176
+ export class PgConnection {
177
+ /**
178
+ * Queue one COPY-FROM-STDIN data block. Call once per expected
179
+ * CopyInResponse, in the order they will arrive during the upcoming
180
+ * `execSimple`. The mainloop owns the parsing of `\.`-terminated stdin
181
+ * blocks; we just buffer the raw bytes and ship them when the server is
182
+ * ready.
183
+ */
184
+ queueCopyInData(data) {
185
+ this.copyInMidBatchQueue.push(data);
186
+ }
187
+ /** Drop any queued COPY-FROM-STDIN data blocks. */
188
+ clearCopyInDataQueue() {
189
+ this.copyInMidBatchQueue.length = 0;
190
+ }
191
+ constructor(socket, opts, channelBindingData) {
192
+ this.parser = new MessageParser();
193
+ // -- Backend state
194
+ this.serverVersion = 0;
195
+ this.params = new Map();
196
+ this.processId = 0;
197
+ this.secretKey = 0;
198
+ this.txStatus = 'I';
199
+ // -- Connection state machine
200
+ this.state = 'auth';
201
+ this.pendingQuery = null;
202
+ this.extDriver = null;
203
+ /** True when `pipeline()` has handed out a PipelineSession (WP-21). */
204
+ this._extPipelineActive = false;
205
+ this.copyIn = null;
206
+ this.copyOut = null;
207
+ /**
208
+ * Resolver for `startCopyIn` / `startCopyOut`. Captured when the caller has
209
+ * already wired the `Query(COPY …)` and is now waiting for the server's
210
+ * CopyInResponse / CopyOutResponse to confirm that the protocol switched.
211
+ */
212
+ this.copyStartResolve = null;
213
+ this.copyStartReject = null;
214
+ /**
215
+ * Last-COPY command tag (e.g. `"COPY 17"`), or `null` if no COPY has run
216
+ * since connection startup. Used by the `\copy` command runner to print the
217
+ * upstream-style "COPY N" footer.
218
+ */
219
+ this.lastCopyTag = null;
220
+ /**
221
+ * Pre-buffered CopyData payloads keyed to the order of CopyInResponse
222
+ * messages we expect to see during the next `execSimple`. Used to drive
223
+ * `COPY ... FROM STDIN` segments that appear as part of a `\;`-chained
224
+ * simple-query batch — the mainloop pre-scans its input for `\.`-terminated
225
+ * COPY data blocks, hands the bytes in here, and the in-query dispatcher
226
+ * pops the head buffer when a CopyInResponse arrives. Each buffer becomes
227
+ * one CopyData frame followed by CopyDone (the upstream wire shape).
228
+ *
229
+ * If the queue is empty when CopyInResponse arrives, the wire layer falls
230
+ * back to CopyFail so the connection doesn't deadlock.
231
+ */
232
+ this.copyInMidBatchQueue = [];
233
+ /**
234
+ * Sink for COPY-TO-STDOUT mid-batch data. When `COPY ... TO STDOUT` is one
235
+ * segment of a `\;`-chained simple-query batch, the server pushes CopyData
236
+ * messages to us mid-`execSimple`. With no `startCopyOut` driver active,
237
+ * upstream `handleCopyOut` would write the bytes verbatim to the caller's
238
+ * output stream. We expose a settable sink so the mainloop can wire stdout
239
+ * (or any other WritableStream); if unset, the bytes are dropped (matching
240
+ * libpq's behaviour when `PQexec` lacks a copy handler — the data still
241
+ * gets consumed off the wire so the protocol stays in sync, but is
242
+ * silently discarded).
243
+ */
244
+ this.copyOutMidBatchSink = null;
245
+ /**
246
+ * Mid-batch COPY-OUT state. While `true`, CopyData/CopyDone messages
247
+ * arriving in `handleQueryMessage` are routed to the sink rather than
248
+ * triggering the "unexpected message" diagnostic. Flipped on by
249
+ * CopyOutResponse and off again when CopyDone arrives.
250
+ */
251
+ this.copyOutMidBatchActive = false;
252
+ /**
253
+ * Set to `true` once we actually respond to a server password challenge
254
+ * (cleartext, MD5, or the SASL/SCRAM exchange). Mirrors libpq's
255
+ * `conn->password_needed`, which `\conninfo` reports as "Password Used".
256
+ * A trust/cert/peer login leaves this `false` — the password may have been
257
+ * supplied but was never sent.
258
+ */
259
+ this.passwordUsed = false;
260
+ // -- Async messages
261
+ this.notify = new NoticeMultiplexer();
262
+ // -- Auth state (only used during state=auth)
263
+ this.scram = null;
264
+ /**
265
+ * True once the server has sent ANY authentication challenge (Cleartext,
266
+ * MD5, SASL, ...). Used by the AuthenticationOk handler to distinguish
267
+ * "server picked trust/cert auth" (no challenge, method=`none`) from
268
+ * "server just completed a SASL exchange" (challenge seen, method
269
+ * already validated when the challenge arrived).
270
+ */
271
+ this.authChallengeSeen = false;
272
+ /**
273
+ * True once `AuthenticationSASLFinal` arrived AND `scram.finish()` verified
274
+ * the server signature (RFC 5802 §3 mutual auth). Used to reject an
275
+ * `AuthenticationOk` that skips SASLFinal — a rogue/MITM server that doesn't
276
+ * know the password could otherwise send SASLContinue then jump straight to
277
+ * AuthenticationOk and never have its signature checked (review item #8).
278
+ */
279
+ this.saslFinalSeen = false;
280
+ // -- Error-after-close guard
281
+ this.socketError = null;
282
+ this.startupResolve = null;
283
+ this.startupReject = null;
284
+ this.socket = socket;
285
+ this.opts = opts;
286
+ this.channelBindingData = channelBindingData;
287
+ this._password = opts.password ?? null;
288
+ socket.on('data', (chunk) => {
289
+ this.onData(chunk);
290
+ });
291
+ socket.on('error', (err) => {
292
+ this.socketError = err;
293
+ this.failPending(err);
294
+ });
295
+ socket.on('close', () => {
296
+ if (this.state !== 'closed') {
297
+ this.state = 'closed';
298
+ this.failPending(this.socketError ?? new Error('Socket closed'));
299
+ }
300
+ });
301
+ }
302
+ /**
303
+ * Open a Postgres connection. Supports multi-host (`opts.hosts`) with
304
+ * sequential or random iteration, a `target_session_attrs` filter, and the
305
+ * libpq-style `prefer-standby` two-pass fallback.
306
+ *
307
+ * Iteration semantics:
308
+ * 1. Build the candidate list from `opts.hosts` (preferred) or
309
+ * `[{host: opts.host, port: opts.port}]`.
310
+ * 2. If `loadBalanceHosts === 'random'`, Fisher-Yates shuffle in place.
311
+ * 3. For each candidate (in order), attempt: openSocket → TLS → auth →
312
+ * startup. On failure, record the error and try the next.
313
+ * 4. On successful handshake, if `target_session_attrs` is restrictive,
314
+ * run `SELECT pg_is_in_recovery()`. If the role doesn't match, close
315
+ * this connection and try the next.
316
+ * 5. `prefer-standby` runs TWO passes: first accepting only standbys,
317
+ * second falling back to any host.
318
+ * 6. If no candidate succeeds, throw the LAST encountered error
319
+ * (preserves the most-recent failure mode for diagnostics).
320
+ */
321
+ static async connect(opts) {
322
+ const seed = opts.hosts !== undefined && opts.hosts.length > 0
323
+ ? [...opts.hosts]
324
+ : [{ host: opts.host, port: opts.port }];
325
+ // DNS fan-out: a single hostname can resolve to multiple A/AAAA records,
326
+ // and libpq treats each resulting IP as its own candidate so the
327
+ // iteration walks the FLAT (ip, port) list, not the (hostname, port)
328
+ // list. Each candidate carries BOTH the original hostname (for TLS
329
+ // SNI / SAN verification + `conn.host` reporting) AND the resolved
330
+ // address (used only by `net.connect`). Unix-domain socket paths
331
+ // and IP literals bypass the lookup — they become `{host, port}`
332
+ // with no address override.
333
+ //
334
+ // Active for every mode, not just `load_balance_hosts=random`: even
335
+ // `disable` benefits from the fall-through behaviour when the first
336
+ // A record is dead. Mirrors upstream `004_load_balance_dns.pl`.
337
+ //
338
+ // `hostaddr` short-circuits the lookup entirely: libpq connects to the
339
+ // fixed IP without consulting DNS while still using `host` for TLS SNI /
340
+ // certificate hostname verification. We map this onto the same
341
+ // `addressOverride` seam the DNS fan-out uses — the literal IP becomes
342
+ // the candidate's `address`, and `host` (the user-typed name) is
343
+ // preserved for SNI / `conn.host`. Only the single-host form carries a
344
+ // `hostaddr`; libpq does not support a hostaddr-per-host list here.
345
+ const candidates = opts.hostaddr !== undefined && opts.hostaddr !== ''
346
+ ? seed.map((c) => ({
347
+ host: c.host,
348
+ address: opts.hostaddr,
349
+ port: c.port,
350
+ }))
351
+ : await expandHostsViaDns(seed);
352
+ if (opts.loadBalanceHosts === 'random') {
353
+ shuffleInPlace(candidates, PgConnection._loadBalanceRng ?? Math.random);
354
+ }
355
+ const tsa = opts.targetSessionAttrs ?? 'any';
356
+ // `prefer-standby` runs two passes: first 'standby', then 'any'. Every
357
+ // other mode runs a single pass with the literal target.
358
+ const passes = tsa === 'prefer-standby' ? ['standby', 'any'] : [tsa];
359
+ let lastErr = null;
360
+ for (const passTsa of passes) {
361
+ for (const candidate of candidates) {
362
+ const candidateOpts = {
363
+ ...opts,
364
+ host: candidate.host,
365
+ port: candidate.port,
366
+ };
367
+ let conn;
368
+ try {
369
+ conn = await PgConnection.connectSingle(candidateOpts, candidate.address);
370
+ }
371
+ catch (err) {
372
+ lastErr = err;
373
+ continue;
374
+ }
375
+ // Apply target_session_attrs filter via pg_is_in_recovery().
376
+ const accepted = await checkSessionAttrs(conn, passTsa);
377
+ if (accepted) {
378
+ return conn;
379
+ }
380
+ // Mismatch: close this connection and move on.
381
+ try {
382
+ await conn.close();
383
+ }
384
+ catch {
385
+ // ignore
386
+ }
387
+ lastErr = new Error(`target_session_attrs=${String(passTsa)} did not match host ${candidate.host}:${String(candidate.port)}`);
388
+ }
389
+ }
390
+ if (lastErr !== null) {
391
+ // `throw lastErr` would trip the `only-throw-error` lint rule because
392
+ // `lastErr` is typed `unknown`. Normalise to an Error for the throw
393
+ // while preserving the original via `cause` so callers can introspect.
394
+ if (lastErr instanceof Error)
395
+ throw lastErr;
396
+ let message;
397
+ if (typeof lastErr === 'object' &&
398
+ lastErr !== null &&
399
+ 'message' in lastErr &&
400
+ typeof lastErr.message === 'string') {
401
+ message = lastErr.message;
402
+ }
403
+ else if (typeof lastErr === 'string' ||
404
+ typeof lastErr === 'number' ||
405
+ typeof lastErr === 'boolean') {
406
+ message = String(lastErr);
407
+ }
408
+ else {
409
+ message = 'PgConnection.connect: unknown error';
410
+ }
411
+ const wrapped = new Error(message);
412
+ wrapped.cause = lastErr;
413
+ throw wrapped;
414
+ }
415
+ throw new Error('PgConnection.connect: no candidate hosts configured');
416
+ }
417
+ /**
418
+ * Per-host connect attempt: open the socket, negotiate TLS, run the auth
419
+ * dance, complete startup. Same shape as the pre-multihost `connect()`;
420
+ * the multi-host orchestrator above wraps this for each candidate.
421
+ */
422
+ static async connectSingle(opts,
423
+ /**
424
+ * Optional resolved IP address. When set, `openSocket` uses it for the
425
+ * actual `net.connect({host: address})`. `opts.host` remains the
426
+ * user-typed hostname so TLS SNI / SAN verification and `conn.host`
427
+ * report the original identity. Set by the DNS fan-out in `connect()`.
428
+ */
429
+ addressOverride) {
430
+ // TLS over Unix-domain sockets is meaningless (the kernel guarantees
431
+ // the channel) and libpq refuses `sslmode=require|verify-*` for socket
432
+ // connections. We mirror the early rejection so a misconfigured caller
433
+ // gets a clear diagnostic instead of a confused TLS handshake.
434
+ if (isUnixSocketHost(opts.host) &&
435
+ (opts.ssl === 'require' ||
436
+ opts.ssl === 'verify-ca' ||
437
+ opts.ssl === 'verify-full')) {
438
+ throw new Error(`sslmode=${opts.ssl} is not supported over Unix-domain sockets (host=${opts.host})`);
439
+ }
440
+ // libpq `requirepeer`: for Unix-domain sockets, libpq verifies the server
441
+ // process runs as the named OS user via peer credentials (getpeereid /
442
+ // SO_PEERCRED). Node exposes NO portable peer-credential API for Unix
443
+ // sockets, so we CANNOT enforce this. We honestly do NOT verify it — to
444
+ // avoid pretending a security check passed, we reject the connection with
445
+ // a clear diagnostic when `requirepeer` is set on a socket connection,
446
+ // rather than silently connecting as if the check had succeeded. (TCP
447
+ // connections ignore `requirepeer`, matching libpq.)
448
+ if (isUnixSocketHost(opts.host) &&
449
+ opts.requirepeer !== undefined &&
450
+ opts.requirepeer !== '') {
451
+ throw new Error(`requirepeer="${opts.requirepeer}" cannot be enforced: Node provides no ` +
452
+ `Unix-domain socket peer-credential API; refusing to connect rather ` +
453
+ `than skip the check`);
454
+ }
455
+ const rawSocket = await openSocket(opts, addressOverride);
456
+ let socket = rawSocket;
457
+ let channelBindingData = null;
458
+ try {
459
+ // verify-ca skips hostname check; verify-full = default Node behavior.
460
+ // require/prefer/allow accept any cert chain (libpq default).
461
+ // NOTE: do NOT set `checkServerIdentity: undefined` — newer Node
462
+ // versions reject that with "must be of type function". Omit the
463
+ // property when verify-full so the default validator runs.
464
+ // libpq `sslsni=0` suppresses the TLS SNI extension: omit `servername`
465
+ // entirely so no hostname is sent in the ClientHello. Default (unset /
466
+ // true) sends SNI = the connection host, as libpq does.
467
+ const servername = tlsServername(opts);
468
+ const tlsConnectionOptions = {
469
+ ...(servername !== undefined ? { servername } : {}),
470
+ rejectUnauthorized: opts.ssl === 'verify-ca' || opts.ssl === 'verify-full',
471
+ // PG 17+ advertises ALPN for the 'postgresql' protocol; libpq sets
472
+ // this so a future-proof TLS proxy can route on ALPN instead of
473
+ // probing the wire. Always offer it — older servers ignore.
474
+ ALPNProtocols: ['postgresql'],
475
+ // Cipher preference is left to the runtime's TLS library. Our
476
+ // ClientHello offers the byte-identical TLS-1.3 ciphersuite list and
477
+ // order as libpq (AES-256-GCM, ChaCha20, AES-128-GCM), so the suite
478
+ // is the server's choice from an identical offer. Under Node
479
+ // (OpenSSL) that lands on AES-256-GCM, matching vanilla psql; under
480
+ // Bun (BoringSSL) it lands on AES-128-GCM. Both are TLS-1.3 AEAD
481
+ // suites with no practical security difference, and neither runtime
482
+ // exposes a client-side knob to steer TLS-1.3 selection (`ciphers`
483
+ // is TLS-1.2-only; `ciphersuites`/secureContext are ignored for the
484
+ // client offer), so this is left as-is.
485
+ };
486
+ if (opts.ssl !== 'verify-full') {
487
+ tlsConnectionOptions.checkServerIdentity = () => undefined;
488
+ }
489
+ else if (opts.sslsni === false) {
490
+ // verify-full still verifies the peer name against `host`, but with
491
+ // SNI suppressed Node has no `servername` to drive its default
492
+ // identity check — so verify explicitly against the connection host.
493
+ // (libpq decouples SNI (sslsni) from peer-name verification (sslmode);
494
+ // we mirror that here.)
495
+ tlsConnectionOptions.checkServerIdentity = (_host, cert) => tls.checkServerIdentity(opts.host, cert);
496
+ }
497
+ applyTlsProtocolVersionRange(tlsConnectionOptions, opts);
498
+ const tlsResult = await negotiateTls(rawSocket,
499
+ // libpq refuses TLS on a socket connection even for sslmode=allow /
500
+ // prefer — instead of negotiating it just stays plain. We short-
501
+ // circuit by passing 'disable' to negotiateTls; the caller's
502
+ // requested sslmode is preserved on opts for error reporting.
503
+ isUnixSocketHost(opts.host) ? 'disable' : opts.ssl, tlsConnectionOptions, {
504
+ sslcert: opts.sslcert,
505
+ sslkey: opts.sslkey,
506
+ sslcertmode: opts.sslcertmode,
507
+ sslpassword: opts.sslpassword,
508
+ sslrootcert: opts.sslrootcert,
509
+ sslcrl: opts.sslcrl,
510
+ sslcrldir: opts.sslcrldir,
511
+ sslkeylogfile: opts.sslkeylogfile,
512
+ },
513
+ // libpq `sslnegotiation=direct` (PG 17+): start TLS without the
514
+ // SSLRequest probe. Never reached for Unix-domain sockets (forced to
515
+ // sslmode 'disable' above) — direct SSL is a TCP-only concept. The
516
+ // ALPN protocol is already on `tlsConnectionOptions` for both paths.
517
+ isUnixSocketHost(opts.host)
518
+ ? 'postgres'
519
+ : (opts.sslnegotiation ?? 'postgres'));
520
+ if (tlsResult.kind === 'tls') {
521
+ socket = tlsResult.socket;
522
+ channelBindingData = tlsResult.channelBindingData;
523
+ }
524
+ else {
525
+ socket = tlsResult.socket;
526
+ }
527
+ }
528
+ catch (err) {
529
+ try {
530
+ rawSocket.destroy();
531
+ }
532
+ catch {
533
+ // ignore
534
+ }
535
+ throw err;
536
+ }
537
+ const conn = new PgConnection(socket, opts, channelBindingData);
538
+ await conn.startup();
539
+ return conn;
540
+ }
541
+ // -------------------------------------------------------------------------
542
+ // Connection interface — public methods
543
+ // -------------------------------------------------------------------------
544
+ parameterStatus(name) {
545
+ return this.params.get(name);
546
+ }
547
+ /**
548
+ * Expose the connection target as `meta.database` / `meta.user` / `meta.host`
549
+ * / `meta.port` / `meta.pid` so the prompt renderer (which duck-types these
550
+ * via `MaybeWithMeta`) can render `%/`, `%n`, `%m`, `%>`, `%p` without
551
+ * additional plumbing. Postgres doesn't emit a `database` ParameterStatus,
552
+ * so these come from the connect opts / BackendKeyData.
553
+ */
554
+ get database() {
555
+ return this.opts.database;
556
+ }
557
+ get user() {
558
+ return this.opts.user;
559
+ }
560
+ get host() {
561
+ return this.opts.host;
562
+ }
563
+ get port() {
564
+ return this.opts.port;
565
+ }
566
+ get pid() {
567
+ return this.processId;
568
+ }
569
+ /**
570
+ * The password supplied at connect time (or `null`). Mirrors libpq's
571
+ * retention of the password on the live `PGconn` so `\c <newdb>` can
572
+ * reconnect transparently. Read-only by design — the field is set once in
573
+ * the constructor and never mutated.
574
+ */
575
+ get password() {
576
+ return this._password;
577
+ }
578
+ /**
579
+ * If the connection was upgraded to TLS during negotiation, return the
580
+ * cipher info for the active session. Returns `null` for plain-text
581
+ * connections. Used by the startup banner to render an `SSL connection
582
+ * (protocol: …, cipher: …)` line that mirrors upstream psql, and by
583
+ * `\conninfo` (PG18 connection-information table) to fill the SSL rows.
584
+ */
585
+ getTlsInfo() {
586
+ const s = this.socket;
587
+ if (typeof s.getCipher !== 'function')
588
+ return null;
589
+ try {
590
+ const cipher = s.getCipher();
591
+ const protocol = s.getProtocol?.() ?? cipher.version ?? 'unknown';
592
+ if (!cipher.name)
593
+ return null;
594
+ // TLS compression has been disabled by every modern stack since CRIME
595
+ // (2012); Node's TLS doesn't expose a compression accessor, so we
596
+ // always report "off". libpq does the same.
597
+ const compression = 'off';
598
+ // Node exposes the negotiated ALPN protocol on TLSSocket.alpnProtocol
599
+ // (string when negotiated, false when not). Postgres 17+ uses
600
+ // 'postgresql' here.
601
+ const alpnRaw = s
602
+ .alpnProtocol;
603
+ const alpn = typeof alpnRaw === 'string' && alpnRaw.length > 0 ? alpnRaw : null;
604
+ return {
605
+ protocol: String(protocol),
606
+ cipher: cipher.standardName ?? cipher.name,
607
+ standardName: cipher.standardName,
608
+ compression,
609
+ alpn,
610
+ library: 'OpenSSL',
611
+ keyBits: sslKeyBitsFromCipher(cipher.standardName ?? cipher.name),
612
+ };
613
+ }
614
+ catch {
615
+ return null;
616
+ }
617
+ }
618
+ /**
619
+ * Static connection facts for the PG18 `\conninfo` table, sourced from the
620
+ * connect opts and the live socket (no SQL is issued):
621
+ *
622
+ * - `host` / `port` / `options`: from the connect opts.
623
+ * - `hostaddr`: the resolved peer IP — `opts.hostaddr` if the caller
624
+ * fixed one, else the TCP socket's `remoteAddress` (undefined for a
625
+ * Unix-domain socket → `null`).
626
+ * - `backendPid`: the backend process id from BackendKeyData.
627
+ * - `passwordUsed`: whether a password was actually sent during auth.
628
+ * - `gssapiUsed`: always `false` — we have no GSSAPI support.
629
+ */
630
+ getConnectionInfo() {
631
+ const remote = this.opts.hostaddr !== undefined && this.opts.hostaddr !== ''
632
+ ? this.opts.hostaddr
633
+ : (this.socket.remoteAddress ?? null);
634
+ return {
635
+ host: this.opts.host,
636
+ hostaddr: remote,
637
+ port: this.opts.port,
638
+ options: this.opts.options ?? null,
639
+ backendPid: this.processId,
640
+ passwordUsed: this.passwordUsed,
641
+ gssapiUsed: false,
642
+ };
643
+ }
644
+ async query(sql, params) {
645
+ // `params === undefined` → caller has no intent to use extended protocol
646
+ // (e.g. a buffered SQL run without `\bind`). Use the simple-query path so
647
+ // chained `\;`-separated statements still work via `PQexec`-shaped
648
+ // semantics.
649
+ //
650
+ // `params` defined (even as `[]`) → caller staged a `\bind` (or a
651
+ // describe-formatter explicitly asking for the extended path). The
652
+ // extended protocol sends a single Parse message verbatim; the server
653
+ // rejects multi-statement SQL with SQLSTATE 42601 / "cannot insert
654
+ // multiple commands into a prepared statement", which is the upstream
655
+ // contract for `\bind`/`\parse`. Switching on length === 0 would silently
656
+ // fall back to simple-query and mask that diagnostic.
657
+ if (params === undefined) {
658
+ const sets = await this.execSimple(sql);
659
+ if (sets.length === 0) {
660
+ throw new Error('PgConnection.query: server returned no result sets');
661
+ }
662
+ return sets[sets.length - 1];
663
+ }
664
+ // Extended-protocol single-shot: Parse('', sql, []) → Bind('', '', [],
665
+ // text-encoded params, [text]) → Describe('P', '') → Execute('', 0) →
666
+ // Sync. Every param goes out in text format and the server coerces.
667
+ this.ensureIdle();
668
+ const encoded = encodeParams(params);
669
+ this.startExtendedBatch();
670
+ const parseP = this.enqueueParse();
671
+ const bindP = this.enqueueBind();
672
+ const descP = this.enqueueDescribePortalIntoNextExecute();
673
+ const execP = this.enqueueExecute();
674
+ const syncP = this.enqueueSync();
675
+ this.socket.write(Parse('', sql, []));
676
+ this.socket.write(Bind('', '', [], encoded, [0]));
677
+ this.socket.write(Describe('P', ''));
678
+ this.socket.write(Execute('', 0));
679
+ this.socket.write(Sync());
680
+ let firstErr = null;
681
+ const cap = (e) => {
682
+ if (firstErr === null)
683
+ firstErr = e;
684
+ };
685
+ parseP.catch(cap);
686
+ bindP.catch(cap);
687
+ descP.catch(cap);
688
+ let result = null;
689
+ execP.then((rs) => {
690
+ result = rs;
691
+ }, cap);
692
+ await syncP.catch(cap);
693
+ if (firstErr !== null)
694
+ throw asThrowable(firstErr);
695
+ if (result === null) {
696
+ throw new Error('PgConnection.query: server returned no result');
697
+ }
698
+ return result;
699
+ }
700
+ async execSimple(sql) {
701
+ this.ensureIdle();
702
+ return new Promise((resolve, reject) => {
703
+ this.pendingQuery = {
704
+ resolve,
705
+ reject,
706
+ current: null,
707
+ finished: [],
708
+ notices: [],
709
+ error: null,
710
+ };
711
+ this.state = 'in-query';
712
+ this.socket.write(Query(sql));
713
+ });
714
+ }
715
+ async prepare(name, sql, paramTypes) {
716
+ this.ensureIdle();
717
+ const oids = paramTypes ?? [];
718
+ this.startExtendedBatch();
719
+ const parseP = this.enqueueParse();
720
+ const descP = this.enqueueDescribeStatement();
721
+ const syncP = this.enqueueSync();
722
+ this.socket.write(Parse(name, sql, oids));
723
+ this.socket.write(Describe('S', name));
724
+ this.socket.write(Sync());
725
+ let firstErr = null;
726
+ const cap = (e) => {
727
+ if (firstErr === null)
728
+ firstErr = e;
729
+ };
730
+ parseP.catch(cap);
731
+ let descResult = null;
732
+ descP.then((r) => {
733
+ descResult = r;
734
+ }, cap);
735
+ await syncP.catch(cap);
736
+ if (firstErr !== null)
737
+ throw asThrowable(firstErr);
738
+ if (descResult === null) {
739
+ throw new Error('PgConnection.prepare: server returned no parameter description');
740
+ }
741
+ const { paramOids, fields } = descResult;
742
+ // eslint-disable-next-line @typescript-eslint/no-this-alias
743
+ const conn = this;
744
+ return {
745
+ name,
746
+ paramTypes: paramOids,
747
+ async bind(values, paramFormats) {
748
+ conn.ensureIdle();
749
+ const encoded = encodeParams(values);
750
+ conn.startExtendedBatch();
751
+ const bP = conn.enqueueBind();
752
+ const sP = conn.enqueueSync();
753
+ conn.socket.write(Bind('', name, paramFormats ?? [], encoded, [0]));
754
+ conn.socket.write(Sync());
755
+ let err = null;
756
+ bP.catch((e) => {
757
+ if (err === null)
758
+ err = e;
759
+ });
760
+ await sP.catch((e) => {
761
+ if (err === null)
762
+ err = e;
763
+ });
764
+ if (err !== null)
765
+ throw asThrowable(err);
766
+ },
767
+ describe() {
768
+ return Promise.resolve(fields);
769
+ },
770
+ async execute(maxRows) {
771
+ conn.ensureIdle();
772
+ conn.startExtendedBatch();
773
+ const eP = conn.enqueueExecuteWithFields(fields);
774
+ const sP = conn.enqueueSync();
775
+ conn.socket.write(Execute('', maxRows ?? 0));
776
+ conn.socket.write(Sync());
777
+ let err = null;
778
+ let rs = null;
779
+ eP.then((r) => {
780
+ rs = r;
781
+ }, (e) => {
782
+ if (err === null)
783
+ err = e;
784
+ });
785
+ await sP.catch((e) => {
786
+ if (err === null)
787
+ err = e;
788
+ });
789
+ if (err !== null)
790
+ throw asThrowable(err);
791
+ if (rs === null) {
792
+ throw new Error('PgConnection.prepare.execute: server returned no result');
793
+ }
794
+ return rs;
795
+ },
796
+ async bindAndExecute(values, maxRows, paramFormats) {
797
+ conn.ensureIdle();
798
+ const encoded = encodeParams(values);
799
+ conn.startExtendedBatch();
800
+ const bP = conn.enqueueBind();
801
+ const eP = conn.enqueueExecuteWithFields(fields);
802
+ const sP = conn.enqueueSync();
803
+ conn.socket.write(Bind('', name, paramFormats ?? [], encoded, [0]));
804
+ conn.socket.write(Execute('', maxRows ?? 0));
805
+ conn.socket.write(Sync());
806
+ let err = null;
807
+ let rs = null;
808
+ bP.catch((e) => {
809
+ if (err === null)
810
+ err = e;
811
+ });
812
+ eP.then((r) => {
813
+ rs = r;
814
+ }, (e) => {
815
+ if (err === null)
816
+ err = e;
817
+ });
818
+ await sP.catch((e) => {
819
+ if (err === null)
820
+ err = e;
821
+ });
822
+ if (err !== null)
823
+ throw asThrowable(err);
824
+ if (rs === null) {
825
+ throw new Error('PgConnection.prepare.bindAndExecute: server returned no result');
826
+ }
827
+ return rs;
828
+ },
829
+ async close() {
830
+ conn.ensureIdle();
831
+ conn.startExtendedBatch();
832
+ const cP = conn.enqueueClose();
833
+ const sP = conn.enqueueSync();
834
+ conn.socket.write(Close('S', name));
835
+ conn.socket.write(Sync());
836
+ let err = null;
837
+ cP.catch((e) => {
838
+ if (err === null)
839
+ err = e;
840
+ });
841
+ await sP.catch((e) => {
842
+ if (err === null)
843
+ err = e;
844
+ });
845
+ if (err !== null)
846
+ throw asThrowable(err);
847
+ },
848
+ };
849
+ }
850
+ /**
851
+ * Issue `Close('S', name) + Sync` directly, without a preceding Parse.
852
+ * The server responds with CloseComplete + ReadyForQuery (even when
853
+ * the named statement doesn't exist — PG treats unknown-name Close as
854
+ * a no-op). Used by `\close_prepared NAME` so we don't have to fake a
855
+ * Parse just to reach the Close step.
856
+ */
857
+ async closePreparedStatement(name) {
858
+ this.ensureIdle();
859
+ this.startExtendedBatch();
860
+ const cP = this.enqueueClose();
861
+ const sP = this.enqueueSync();
862
+ this.socket.write(Close('S', name));
863
+ this.socket.write(Sync());
864
+ let err = null;
865
+ cP.catch((e) => {
866
+ if (err === null)
867
+ err = e;
868
+ });
869
+ await sP.catch((e) => {
870
+ if (err === null)
871
+ err = e;
872
+ });
873
+ if (err !== null)
874
+ throw asThrowable(err);
875
+ }
876
+ startCopyIn(sql) {
877
+ this.ensureIdle();
878
+ // COPY mid-pipeline is rejected by libpq with a fixed diagnostic; we
879
+ // mirror that synchronously so callers don't need a round-trip to learn
880
+ // their command is invalid. The wire-level dispatch also guards this
881
+ // (see handleCopyStartMessage) for any path that bypasses this check.
882
+ if (this._extPipelineActive) {
883
+ this.abortForCopyInPipeline();
884
+ return Promise.reject(Object.assign(new Error('COPY in a pipeline is not supported, aborting connection'), { severity: 'FATAL' }));
885
+ }
886
+ // The driver waits in `in-query` state until CopyInResponse arrives — at
887
+ // which point the protocol switches and we move to `in-copy-in`. The
888
+ // server can also reply with an ErrorResponse (e.g. "no such table"),
889
+ // which we surface as a rejected promise.
890
+ return new Promise((resolve, reject) => {
891
+ this.copyIn = {
892
+ resolveDone: null,
893
+ rejectDone: null,
894
+ error: null,
895
+ commandTag: null,
896
+ closed: false,
897
+ };
898
+ this.copyStartResolve = () => {
899
+ // The protocol-switch landed; hand the caller a usable stream.
900
+ resolve(this.makeCopyInStream());
901
+ };
902
+ this.copyStartReject = reject;
903
+ this.state = 'in-query';
904
+ this.socket.write(Query(sql));
905
+ });
906
+ }
907
+ startCopyOut(sql) {
908
+ this.ensureIdle();
909
+ if (this._extPipelineActive) {
910
+ this.abortForCopyInPipeline();
911
+ return Promise.reject(Object.assign(new Error('COPY in a pipeline is not supported, aborting connection'), { severity: 'FATAL' }));
912
+ }
913
+ return new Promise((resolve, reject) => {
914
+ this.copyOut = {
915
+ queue: [],
916
+ queuedBytes: 0,
917
+ waker: null,
918
+ done: false,
919
+ abandoned: false,
920
+ error: null,
921
+ commandTag: null,
922
+ };
923
+ this.copyStartResolve = () => {
924
+ resolve(this.makeCopyOutStream());
925
+ };
926
+ this.copyStartReject = reject;
927
+ this.state = 'in-query';
928
+ this.socket.write(Query(sql));
929
+ });
930
+ }
931
+ pipeline() {
932
+ this.ensureIdle();
933
+ return new PipelineSession(this);
934
+ }
935
+ /**
936
+ * Cancel whatever the connection is currently doing.
937
+ *
938
+ * The routing is state-aware so the mainloop SIGINT handler can call this
939
+ * blindly without knowing the protocol phase:
940
+ *
941
+ * - `in-copy-in`: we hold the writing end of the data stream, so the
942
+ * correct action is a client-initiated CopyFail on the *same* socket.
943
+ * Sending a side CancelRequest would race with our own pending writes;
944
+ * CopyFail is the spec-blessed abort path. The server replies with
945
+ * ErrorResponse + ReadyForQuery and we transition back to idle.
946
+ * - `in-copy-out`: the server is pushing data at us. CopyFail is not a
947
+ * valid client message here, so we fall back to the side CancelRequest
948
+ * path that normal queries use. PG will surface an ErrorResponse and
949
+ * tear the COPY down.
950
+ * - everything else: side CancelRequest, the historical behaviour.
951
+ *
952
+ * Best-effort. We don't reject if BackendKeyData hasn't arrived yet
953
+ * during the auth dance — there's nothing to cancel; we just return.
954
+ */
955
+ async cancel() {
956
+ // In-copy-in: send CopyFail on the live socket so the server returns
957
+ // to ReadyForQuery cleanly. This is the same abort path the upstream
958
+ // SIGINT handler in `copy.c::handleCopyIn` triggers via longjmp.
959
+ if (this.state === 'in-copy-in' && this.copyIn && !this.copyIn.closed) {
960
+ this.copyIn.closed = true;
961
+ try {
962
+ this.socket.write(CopyFail('canceled by user'));
963
+ }
964
+ catch {
965
+ // Socket may have died — failPending() will surface that.
966
+ }
967
+ return;
968
+ }
969
+ if (this.processId === 0) {
970
+ // Nothing to cancel — startup hasn't reached BackendKeyData. Be
971
+ // forgiving: the mainloop SIGINT handler shouldn't crash on cancel
972
+ // during a half-open connection.
973
+ return;
974
+ }
975
+ // Per the PG protocol, CancelRequest is sent on a *fresh* connection,
976
+ // not the one running the query. We TLS-negotiate against the same
977
+ // sslmode but we don't auth — we just write the request and close.
978
+ // Honour `hostaddr` on the cancel connection too: dial the fixed IP while
979
+ // keeping the user-typed host for SNI / cert verification, mirroring the
980
+ // primary connect path's `addressOverride`.
981
+ const cancelSocket = await openSocket(this.opts, this.opts.hostaddr !== undefined && this.opts.hostaddr !== ''
982
+ ? this.opts.hostaddr
983
+ : undefined);
984
+ let writeSocket = cancelSocket;
985
+ try {
986
+ // sslsni=0 suppresses SNI on the cancel connection too (mirrors the
987
+ // primary connect path).
988
+ const cancelServername = tlsServername(this.opts);
989
+ const cancelTlsOpts = {
990
+ ...(cancelServername !== undefined
991
+ ? { servername: cancelServername }
992
+ : {}),
993
+ rejectUnauthorized: this.opts.ssl === 'verify-ca' || this.opts.ssl === 'verify-full',
994
+ ALPNProtocols: ['postgresql'],
995
+ };
996
+ if (this.opts.ssl !== 'verify-full') {
997
+ cancelTlsOpts.checkServerIdentity = () => undefined;
998
+ }
999
+ else if (this.opts.sslsni === false) {
1000
+ const host = this.opts.host;
1001
+ cancelTlsOpts.checkServerIdentity = (_h, cert) => tls.checkServerIdentity(host, cert);
1002
+ }
1003
+ applyTlsProtocolVersionRange(cancelTlsOpts, this.opts);
1004
+ const t = await negotiateTls(cancelSocket,
1005
+ // Unix-domain socket: no TLS, regardless of caller's sslmode.
1006
+ isUnixSocketHost(this.opts.host) ? 'disable' : this.opts.ssl, cancelTlsOpts, {
1007
+ sslcert: this.opts.sslcert,
1008
+ sslkey: this.opts.sslkey,
1009
+ sslcertmode: this.opts.sslcertmode,
1010
+ sslpassword: this.opts.sslpassword,
1011
+ sslrootcert: this.opts.sslrootcert,
1012
+ sslcrl: this.opts.sslcrl,
1013
+ sslcrldir: this.opts.sslcrldir,
1014
+ sslkeylogfile: this.opts.sslkeylogfile,
1015
+ },
1016
+ // Mirror the primary connect path's negotiation mode so a server
1017
+ // configured for direct SSL also accepts the cancel connection.
1018
+ isUnixSocketHost(this.opts.host)
1019
+ ? 'postgres'
1020
+ : (this.opts.sslnegotiation ?? 'postgres'));
1021
+ writeSocket = t.kind === 'tls' ? t.socket : t.socket;
1022
+ await new Promise((resolve, reject) => {
1023
+ writeSocket.write(CancelRequest(this.processId, this.secretKey), (err) => {
1024
+ if (err)
1025
+ reject(err);
1026
+ else
1027
+ resolve();
1028
+ });
1029
+ });
1030
+ }
1031
+ finally {
1032
+ try {
1033
+ writeSocket.end();
1034
+ }
1035
+ catch {
1036
+ // ignore
1037
+ }
1038
+ try {
1039
+ cancelSocket.destroy();
1040
+ }
1041
+ catch {
1042
+ // ignore
1043
+ }
1044
+ }
1045
+ }
1046
+ escapeIdentifier(value) {
1047
+ return '"' + value.replace(/"/g, '""') + '"';
1048
+ }
1049
+ escapeLiteral(value) {
1050
+ // Per PG docs: doubled single-quotes always; if the string contains a
1051
+ // backslash, use the E'...' escape-string syntax so backslashes don't
1052
+ // depend on `standard_conforming_strings`.
1053
+ const doubled = value.replace(/'/g, "''");
1054
+ if (value.includes('\\')) {
1055
+ return "E'" + doubled.replace(/\\/g, '\\\\') + "'";
1056
+ }
1057
+ return "'" + doubled + "'";
1058
+ }
1059
+ async setClientEncoding(name) {
1060
+ // libpq's PQsetClientEncoding sends `SET client_encoding TO '<value>'`
1061
+ // down the wire (see fe-connect.c). We do the same via the simple-query
1062
+ // path, quoting the value as a string literal so encoding names are
1063
+ // never mistaken for SQL tokens. On success the server emits a
1064
+ // `client_encoding` ParameterStatus which the message loop folds into
1065
+ // `this.params` (see the ParameterStatus cases), so
1066
+ // `parameterStatus('client_encoding')` is up to date afterwards.
1067
+ //
1068
+ // We keep no separate client-side decoder state: text-format values are
1069
+ // always decoded as UTF-8 in `decodeDataRow`, matching how the rest of
1070
+ // this client treats backend text. Tracking only the ParameterStatus is
1071
+ // therefore sufficient. A non-zero `SET` failure (e.g. a name the server
1072
+ // rejects) surfaces as a thrown ConnectError from `execSimple`.
1073
+ await this.execSimple(`SET client_encoding TO ${this.escapeLiteral(name)}`);
1074
+ }
1075
+ onNotice(handler) {
1076
+ return this.notify.onNotice(handler);
1077
+ }
1078
+ onNotification(handler) {
1079
+ return this.notify.onNotification(handler);
1080
+ }
1081
+ async close() {
1082
+ if (this.state === 'closed')
1083
+ return;
1084
+ try {
1085
+ this.socket.write(Terminate());
1086
+ }
1087
+ catch {
1088
+ // socket may already be dead; we still want to mark closed
1089
+ }
1090
+ this.state = 'closed';
1091
+ this.notify.clear();
1092
+ await new Promise((resolve) => {
1093
+ this.socket.once('close', () => {
1094
+ resolve();
1095
+ });
1096
+ try {
1097
+ this.socket.end();
1098
+ }
1099
+ catch {
1100
+ resolve();
1101
+ }
1102
+ });
1103
+ }
1104
+ isClosed() {
1105
+ return this.state === 'closed';
1106
+ }
1107
+ // -------------------------------------------------------------------------
1108
+ // Startup / auth state machine
1109
+ // -------------------------------------------------------------------------
1110
+ startup() {
1111
+ return new Promise((resolve, reject) => {
1112
+ const params = {
1113
+ user: this.opts.user,
1114
+ database: this.opts.database,
1115
+ // psql sends client_encoding=UTF8 by default; we follow.
1116
+ client_encoding: this.opts.clientEncoding ?? 'UTF8',
1117
+ };
1118
+ if (this.opts.applicationName !== undefined) {
1119
+ params.application_name = this.opts.applicationName;
1120
+ }
1121
+ if (this.opts.options !== undefined) {
1122
+ params.options = this.opts.options;
1123
+ }
1124
+ // Walsender (replication) mode: the server enters a restricted
1125
+ // command set (IDENTIFY_SYSTEM, START_REPLICATION, etc.) keyed off
1126
+ // this startup parameter. Values mirror libpq's normalisation:
1127
+ // 'true' for physical, 'database' for logical. We do not stream the
1128
+ // CopyBoth phase — the Query path still surfaces ErrorResponse and
1129
+ // any pre-streaming ResultSet, which is enough for the negative
1130
+ // conformance test (`psql -c 'START_REPLICATION 0/1'` must exit
1131
+ // non-zero with a syntax error from the server).
1132
+ if (this.opts.replication !== undefined) {
1133
+ params.replication = this.opts.replication;
1134
+ }
1135
+ this.startupResolve = resolve;
1136
+ this.startupReject = reject;
1137
+ this.socket.write(StartupMessage(params));
1138
+ });
1139
+ }
1140
+ /**
1141
+ * Enforce `require_auth` against an observed server-requested method.
1142
+ * Returns true when the connection should proceed; false (with
1143
+ * {@link failStartup} already called) when the policy was violated.
1144
+ */
1145
+ checkRequireAuth(observed) {
1146
+ const policy = this.opts.requireAuth;
1147
+ if (policy === undefined)
1148
+ return true;
1149
+ const hit = policy.methods.has(observed);
1150
+ const allowed = policy.negated ? !hit : hit;
1151
+ if (!allowed) {
1152
+ this.failStartup(new Error(`auth method "${observed}" requirement failed`));
1153
+ return false;
1154
+ }
1155
+ return true;
1156
+ }
1157
+ handleAuthMessage(msg) {
1158
+ switch (msg.type) {
1159
+ case 'AuthenticationOk': {
1160
+ // libpq parity: channel_binding=require demands that some prior
1161
+ // auth step actually negotiated channel binding. A bare
1162
+ // AuthenticationOk after no challenge ("trust") or after a cert
1163
+ // exchange ("cert" HBA, clientcert=verify-full) means no SCRAM
1164
+ // happened and we must refuse.
1165
+ if (this.opts.channelBinding === 'require' &&
1166
+ (this.scram === null || this.scram.mechanism !== 'SCRAM-SHA-256-PLUS')) {
1167
+ this.failStartup(new Error('channel binding required, but server authenticated client without channel binding'));
1168
+ return;
1169
+ }
1170
+ // Mutual-auth integrity: if a SCRAM exchange was started it MUST have
1171
+ // completed via AuthenticationSASLFinal (where the server signature is
1172
+ // verified). A server that sends SASLContinue then jumps to
1173
+ // AuthenticationOk never proves it knows the password (review #8).
1174
+ if (this.scram !== null && !this.saslFinalSeen) {
1175
+ this.failStartup(new Error('server sent AuthenticationOk without completing SCRAM ' +
1176
+ 'authentication (server signature not verified)'));
1177
+ return;
1178
+ }
1179
+ // require_auth=none allows trust auth; anything else is rejected
1180
+ // here. If a prior challenge was sent and validated, skip — that
1181
+ // method was already accepted by the check at its own branch.
1182
+ if (!this.authChallengeSeen && !this.checkRequireAuth('none')) {
1183
+ return;
1184
+ }
1185
+ this.state = 'await-ready';
1186
+ return;
1187
+ }
1188
+ case 'AuthenticationCleartextPassword': {
1189
+ this.authChallengeSeen = true;
1190
+ if (this.opts.channelBinding === 'require') {
1191
+ this.failStartup(new Error("channel binding required but not supported by server's authentication request"));
1192
+ return;
1193
+ }
1194
+ if (!this.checkRequireAuth('password'))
1195
+ return;
1196
+ if (this.opts.password === undefined) {
1197
+ this.failStartup(new Error('Server requested cleartext password but no password was provided'));
1198
+ return;
1199
+ }
1200
+ this.passwordUsed = true;
1201
+ this.socket.write(PasswordMessage(this.opts.password));
1202
+ return;
1203
+ }
1204
+ case 'AuthenticationMD5Password': {
1205
+ this.authChallengeSeen = true;
1206
+ if (this.opts.channelBinding === 'require') {
1207
+ this.failStartup(new Error("channel binding required but not supported by server's authentication request"));
1208
+ return;
1209
+ }
1210
+ if (!this.checkRequireAuth('md5'))
1211
+ return;
1212
+ if (this.opts.password === undefined) {
1213
+ this.failStartup(new Error('Server requested MD5 password but no password was provided'));
1214
+ return;
1215
+ }
1216
+ const payload = md5AuthPayload(this.opts.user, this.opts.password, msg.salt);
1217
+ this.passwordUsed = true;
1218
+ this.socket.write(PasswordMessage(payload));
1219
+ return;
1220
+ }
1221
+ case 'AuthenticationSASL': {
1222
+ this.authChallengeSeen = true;
1223
+ if (this.opts.password === undefined) {
1224
+ this.failStartup(new Error('Server requested SASL auth but no password was provided'));
1225
+ return;
1226
+ }
1227
+ if (!this.checkRequireAuth('scram-sha-256'))
1228
+ return;
1229
+ // channel_binding=require AND server didn't offer the PLUS
1230
+ // variant — refuse before the SASL handshake starts. The check
1231
+ // is split between here (no PLUS in the mechanism list) and
1232
+ // chooseMechanism's fallback (PLUS present but no binding data).
1233
+ if (this.opts.channelBinding === 'require' &&
1234
+ !msg.mechanisms.includes('SCRAM-SHA-256-PLUS')) {
1235
+ this.failStartup(new Error("channel binding required but not supported by server's authentication request"));
1236
+ return;
1237
+ }
1238
+ if (this.opts.channelBinding === 'require' &&
1239
+ this.channelBindingData === null) {
1240
+ this.failStartup(new Error("channel binding required but not supported by server's authentication request"));
1241
+ return;
1242
+ }
1243
+ try {
1244
+ this.scram = createScramClient({
1245
+ user: this.opts.user,
1246
+ password: this.opts.password,
1247
+ mechanisms: msg.mechanisms,
1248
+ channelBinding: this.channelBindingData !== null &&
1249
+ this.opts.channelBinding !== 'disable'
1250
+ ? {
1251
+ type: 'tls-server-end-point',
1252
+ data: this.channelBindingData,
1253
+ }
1254
+ : undefined,
1255
+ });
1256
+ const { mechanism, clientFirstMessage } = this.scram.start();
1257
+ this.passwordUsed = true;
1258
+ this.socket.write(SASLInitialResponse(mechanism, clientFirstMessage));
1259
+ }
1260
+ catch (err) {
1261
+ this.failStartup(err);
1262
+ }
1263
+ return;
1264
+ }
1265
+ case 'AuthenticationSASLContinue': {
1266
+ if (!this.scram) {
1267
+ this.failStartup(new Error('Received AuthenticationSASLContinue without an active SCRAM client'));
1268
+ return;
1269
+ }
1270
+ try {
1271
+ const reply = this.scram.continue(msg.data);
1272
+ this.socket.write(SASLResponse(reply));
1273
+ }
1274
+ catch (err) {
1275
+ this.failStartup(err);
1276
+ }
1277
+ return;
1278
+ }
1279
+ case 'AuthenticationSASLFinal': {
1280
+ if (!this.scram) {
1281
+ this.failStartup(new Error('Received AuthenticationSASLFinal without an active SCRAM client'));
1282
+ return;
1283
+ }
1284
+ try {
1285
+ this.scram.finish(msg.data);
1286
+ this.saslFinalSeen = true;
1287
+ }
1288
+ catch (err) {
1289
+ this.failStartup(err);
1290
+ }
1291
+ return;
1292
+ }
1293
+ case 'ErrorResponse':
1294
+ this.failStartup(fieldsToConnectError(msg.fields));
1295
+ return;
1296
+ case 'NoticeResponse':
1297
+ this.notify.emit(fieldsToNotice(msg.fields));
1298
+ return;
1299
+ default:
1300
+ // ParameterStatus / BackendKeyData / ReadyForQuery may arrive in
1301
+ // `await-ready`; auth state shouldn't see them, but we tolerate by
1302
+ // forwarding to the post-auth handler if so.
1303
+ this.handleAwaitReady(msg);
1304
+ return;
1305
+ }
1306
+ }
1307
+ handleAwaitReady(msg) {
1308
+ switch (msg.type) {
1309
+ case 'ParameterStatus':
1310
+ this.params.set(msg.name, msg.value);
1311
+ if (msg.name === 'server_version') {
1312
+ this.serverVersion = parseServerVersion(msg.value);
1313
+ }
1314
+ return;
1315
+ case 'BackendKeyData':
1316
+ this.processId = msg.processId;
1317
+ this.secretKey = msg.secretKey;
1318
+ return;
1319
+ case 'ReadyForQuery':
1320
+ this.txStatus = msg.status;
1321
+ this.state = 'idle';
1322
+ if (this.startupResolve) {
1323
+ const r = this.startupResolve;
1324
+ this.startupResolve = null;
1325
+ this.startupReject = null;
1326
+ r();
1327
+ }
1328
+ return;
1329
+ case 'ErrorResponse':
1330
+ this.failStartup(fieldsToConnectError(msg.fields));
1331
+ return;
1332
+ case 'NoticeResponse':
1333
+ this.notify.emit(fieldsToNotice(msg.fields));
1334
+ return;
1335
+ default:
1336
+ this.failStartup(new Error(`Unexpected message ${msg.type} during connection startup`));
1337
+ return;
1338
+ }
1339
+ }
1340
+ failStartup(err) {
1341
+ if (this.startupReject) {
1342
+ const r = this.startupReject;
1343
+ this.startupResolve = null;
1344
+ this.startupReject = null;
1345
+ r(err);
1346
+ }
1347
+ try {
1348
+ this.socket.destroy();
1349
+ }
1350
+ catch {
1351
+ // ignore
1352
+ }
1353
+ this.state = 'closed';
1354
+ }
1355
+ // -------------------------------------------------------------------------
1356
+ // COPY state machine (WP-16).
1357
+ //
1358
+ // The frontend transitions through:
1359
+ // idle → in-query (after writing Query("COPY …"))
1360
+ // in-query → in-copy-in on CopyInResponse
1361
+ // in-query → in-copy-out on CopyOutResponse
1362
+ // in-copy-in → idle on ReadyForQuery (after our CopyDone/CopyFail +
1363
+ // server CommandComplete)
1364
+ // in-copy-out → idle on ReadyForQuery (after server CopyDone +
1365
+ // CommandComplete)
1366
+ //
1367
+ // ErrorResponse may arrive at any point; we drain until ReadyForQuery and
1368
+ // then surface as a rejected promise.
1369
+ // -------------------------------------------------------------------------
1370
+ makeCopyInStream() {
1371
+ const driver = this.copyIn;
1372
+ if (!driver) {
1373
+ throw new Error('PgConnection: makeCopyInStream called without driver');
1374
+ }
1375
+ return {
1376
+ write: (chunk) => {
1377
+ if (this.state === 'closed') {
1378
+ return Promise.reject(new Error('Connection closed'));
1379
+ }
1380
+ if (driver.closed) {
1381
+ return Promise.reject(new Error('CopyInStream already closed'));
1382
+ }
1383
+ const data = typeof chunk === 'string' ? Buffer.from(chunk, 'utf8') : chunk;
1384
+ return new Promise((resolve, reject) => {
1385
+ this.socket.write(CopyData(data), (err) => {
1386
+ if (err)
1387
+ reject(err);
1388
+ else
1389
+ resolve();
1390
+ });
1391
+ });
1392
+ },
1393
+ end: () => {
1394
+ if (driver.closed) {
1395
+ return Promise.reject(new Error('CopyInStream already closed'));
1396
+ }
1397
+ driver.closed = true;
1398
+ return new Promise((resolve, reject) => {
1399
+ driver.resolveDone = resolve;
1400
+ driver.rejectDone = reject;
1401
+ this.socket.write(CopyDone());
1402
+ });
1403
+ },
1404
+ fail: (reason) => {
1405
+ if (driver.closed) {
1406
+ return Promise.reject(new Error('CopyInStream already closed'));
1407
+ }
1408
+ driver.closed = true;
1409
+ return new Promise((resolve, reject) => {
1410
+ // The server is expected to reject with an ErrorResponse echoing
1411
+ // our reason; we still resolve so callers can move on. We wire the
1412
+ // resolver after the socket flush so a fast-close error surfaces.
1413
+ driver.resolveDone = () => {
1414
+ resolve();
1415
+ };
1416
+ driver.rejectDone = reject;
1417
+ this.socket.write(CopyFail(reason));
1418
+ });
1419
+ },
1420
+ };
1421
+ }
1422
+ makeCopyOutStream() {
1423
+ const driver = this.copyOut;
1424
+ if (!driver) {
1425
+ throw new Error('PgConnection: makeCopyOutStream called without driver');
1426
+ }
1427
+ // Capture the state-getter as a closure so the iterator can observe
1428
+ // connection close without holding a `this` alias (no-this-alias rule).
1429
+ const isClosed = () => this.state === 'closed';
1430
+ // Resume reading once the buffered data drains — paired with the
1431
+ // pause() the CopyData handler applies at the high-water mark (#11).
1432
+ const resumeSocket = () => {
1433
+ this.socket.resume?.();
1434
+ };
1435
+ return {
1436
+ [Symbol.asyncIterator]() {
1437
+ return {
1438
+ async next() {
1439
+ for (;;) {
1440
+ if (driver.queue.length > 0) {
1441
+ const next = driver.queue.shift();
1442
+ if (next === undefined)
1443
+ continue;
1444
+ driver.queuedBytes -= next.length;
1445
+ if (driver.queuedBytes <= COPY_OUT_LWM)
1446
+ resumeSocket();
1447
+ return { value: next, done: false };
1448
+ }
1449
+ if (driver.error) {
1450
+ // ConnectError isn't strictly an Error instance; the rule
1451
+ // wants a real Error. Wrap once before throwing.
1452
+ const ce = driver.error;
1453
+ const wrapped = new Error(ce.message);
1454
+ wrapped.cause = ce;
1455
+ throw wrapped;
1456
+ }
1457
+ if (driver.done) {
1458
+ return { value: undefined, done: true };
1459
+ }
1460
+ if (isClosed()) {
1461
+ throw new Error('Connection closed mid-COPY-OUT');
1462
+ }
1463
+ await new Promise((resolve) => {
1464
+ driver.waker = resolve;
1465
+ });
1466
+ }
1467
+ },
1468
+ return() {
1469
+ // Consumer broke early. We must keep reading the wire until
1470
+ // ReadyForQuery to clear the protocol state, but we mark the
1471
+ // stream abandoned (so the handler DROPS further CopyData rather
1472
+ // than buffering it) and free what's queued — otherwise RSS grows
1473
+ // to the full result size (review item #11). Resume in case the
1474
+ // socket was paused at the high-water mark.
1475
+ driver.abandoned = true;
1476
+ driver.queue.length = 0;
1477
+ driver.queuedBytes = 0;
1478
+ resumeSocket();
1479
+ return Promise.resolve({ value: undefined, done: true });
1480
+ },
1481
+ };
1482
+ },
1483
+ };
1484
+ }
1485
+ /**
1486
+ * Handle messages arriving in `in-query` state when there is no
1487
+ * `pendingQuery` — i.e. the caller invoked `startCopyIn` / `startCopyOut`
1488
+ * and is waiting for the server to switch into copy mode.
1489
+ */
1490
+ handleCopyStartMessage(msg) {
1491
+ switch (msg.type) {
1492
+ case 'CopyInResponse':
1493
+ // COPY-in-pipeline: libpq aborts the connection with this exact
1494
+ // diagnostic (matching upstream psql's behaviour). The `\copy`
1495
+ // command layer detects pipeline-active and fails fast before
1496
+ // reaching the wire, but if anything else slips through we abort
1497
+ // here as a defence-in-depth.
1498
+ if (this._extPipelineActive) {
1499
+ this.abortForCopyInPipeline();
1500
+ return;
1501
+ }
1502
+ if (this.copyIn) {
1503
+ this.state = 'in-copy-in';
1504
+ const r = this.copyStartResolve;
1505
+ this.copyStartResolve = null;
1506
+ this.copyStartReject = null;
1507
+ if (r)
1508
+ r();
1509
+ }
1510
+ return;
1511
+ case 'CopyOutResponse':
1512
+ if (this._extPipelineActive) {
1513
+ this.abortForCopyInPipeline();
1514
+ return;
1515
+ }
1516
+ if (this.copyOut) {
1517
+ this.state = 'in-copy-out';
1518
+ const r = this.copyStartResolve;
1519
+ this.copyStartResolve = null;
1520
+ this.copyStartReject = null;
1521
+ if (r)
1522
+ r();
1523
+ }
1524
+ return;
1525
+ case 'ErrorResponse': {
1526
+ const err = fieldsToConnectError(msg.fields);
1527
+ if (this.copyIn) {
1528
+ if (this.copyStartReject)
1529
+ this.copyStartReject(err);
1530
+ this.copyStartResolve = null;
1531
+ this.copyStartReject = null;
1532
+ this.copyIn = null;
1533
+ }
1534
+ if (this.copyOut) {
1535
+ if (this.copyStartReject)
1536
+ this.copyStartReject(err);
1537
+ this.copyStartResolve = null;
1538
+ this.copyStartReject = null;
1539
+ this.copyOut = null;
1540
+ }
1541
+ // Stay in `in-query` until ReadyForQuery, then return to idle below.
1542
+ return;
1543
+ }
1544
+ case 'ReadyForQuery':
1545
+ // ReadyForQuery without a prior CopyXxxResponse means the server
1546
+ // immediately rejected the COPY (we surfaced the ErrorResponse just
1547
+ // above) — return to idle so the next command can fire.
1548
+ this.txStatus = msg.status;
1549
+ this.state = 'idle';
1550
+ return;
1551
+ case 'NoticeResponse':
1552
+ this.notify.emit(fieldsToNotice(msg.fields));
1553
+ return;
1554
+ case 'ParameterStatus':
1555
+ this.params.set(msg.name, msg.value);
1556
+ return;
1557
+ default:
1558
+ if (this.copyStartReject) {
1559
+ this.copyStartReject(new Error(`Unexpected backend message before COPY response: ${msg.type}`));
1560
+ }
1561
+ this.copyStartResolve = null;
1562
+ this.copyStartReject = null;
1563
+ return;
1564
+ }
1565
+ }
1566
+ handleCopyInMessage(msg) {
1567
+ const driver = this.copyIn;
1568
+ if (!driver)
1569
+ return;
1570
+ switch (msg.type) {
1571
+ case 'CommandComplete':
1572
+ driver.commandTag = msg.tag;
1573
+ this.lastCopyTag = msg.tag;
1574
+ return;
1575
+ case 'ErrorResponse':
1576
+ driver.error = fieldsToConnectError(msg.fields);
1577
+ return;
1578
+ case 'NoticeResponse':
1579
+ this.notify.emit(fieldsToNotice(msg.fields));
1580
+ return;
1581
+ case 'ParameterStatus':
1582
+ this.params.set(msg.name, msg.value);
1583
+ return;
1584
+ case 'ReadyForQuery':
1585
+ this.txStatus = msg.status;
1586
+ this.state = 'idle';
1587
+ this.copyIn = null;
1588
+ if (driver.error) {
1589
+ if (driver.rejectDone)
1590
+ driver.rejectDone(driver.error);
1591
+ }
1592
+ else if (driver.resolveDone) {
1593
+ driver.resolveDone();
1594
+ }
1595
+ return;
1596
+ default:
1597
+ // Unknown messages mid-COPY-IN are protocol errors; record and let
1598
+ // the trailing ReadyForQuery flush the state.
1599
+ driver.error = {
1600
+ severity: 'ERROR',
1601
+ message: `Unexpected backend message during COPY IN: ${msg.type}`,
1602
+ };
1603
+ return;
1604
+ }
1605
+ }
1606
+ handleCopyOutMessage(msg) {
1607
+ const driver = this.copyOut;
1608
+ if (!driver)
1609
+ return;
1610
+ switch (msg.type) {
1611
+ case 'CopyData': {
1612
+ // Consumer broke early: drop instead of buffering (review item #11).
1613
+ if (driver.abandoned)
1614
+ return;
1615
+ driver.queue.push(msg.data);
1616
+ driver.queuedBytes += msg.data.length;
1617
+ // Apply backpressure when the sink falls behind: pause the socket so
1618
+ // the server stops flooding us. `next()` resumes at the low-water
1619
+ // mark. (No-op if the socket doesn't expose pause(), e.g. a mock.)
1620
+ if (driver.queuedBytes >= COPY_OUT_HWM) {
1621
+ this.socket.pause?.();
1622
+ }
1623
+ if (driver.waker) {
1624
+ const w = driver.waker;
1625
+ driver.waker = null;
1626
+ w();
1627
+ }
1628
+ return;
1629
+ }
1630
+ case 'CopyDone':
1631
+ // Server signals it's done sending — we now expect CommandComplete +
1632
+ // ReadyForQuery. Stay in in-copy-out until ReadyForQuery; the queue
1633
+ // may still drain via the consumer.
1634
+ return;
1635
+ case 'CommandComplete':
1636
+ driver.commandTag = msg.tag;
1637
+ this.lastCopyTag = msg.tag;
1638
+ return;
1639
+ case 'ErrorResponse':
1640
+ driver.error = fieldsToConnectError(msg.fields);
1641
+ return;
1642
+ case 'NoticeResponse':
1643
+ this.notify.emit(fieldsToNotice(msg.fields));
1644
+ return;
1645
+ case 'ParameterStatus':
1646
+ this.params.set(msg.name, msg.value);
1647
+ return;
1648
+ case 'ReadyForQuery':
1649
+ this.txStatus = msg.status;
1650
+ this.state = 'idle';
1651
+ driver.done = true;
1652
+ this.copyOut = null;
1653
+ if (driver.waker) {
1654
+ const w = driver.waker;
1655
+ driver.waker = null;
1656
+ w();
1657
+ }
1658
+ return;
1659
+ default:
1660
+ driver.error = {
1661
+ severity: 'ERROR',
1662
+ message: `Unexpected backend message during COPY OUT: ${msg.type}`,
1663
+ };
1664
+ if (driver.waker) {
1665
+ const w = driver.waker;
1666
+ driver.waker = null;
1667
+ w();
1668
+ }
1669
+ return;
1670
+ }
1671
+ }
1672
+ // -------------------------------------------------------------------------
1673
+ // Query state machine
1674
+ // -------------------------------------------------------------------------
1675
+ handleQueryMessage(msg) {
1676
+ const q = this.pendingQuery;
1677
+ if (!q) {
1678
+ // No active execSimple — we must be in the "starting a COPY" phase
1679
+ // where the caller wrote Query("COPY …") via startCopyIn/startCopyOut.
1680
+ this.handleCopyStartMessage(msg);
1681
+ return;
1682
+ }
1683
+ switch (msg.type) {
1684
+ case 'RowDescription':
1685
+ q.current = {
1686
+ command: '',
1687
+ rowCount: null,
1688
+ oid: null,
1689
+ fields: msg.fields,
1690
+ rows: [],
1691
+ notices: [],
1692
+ };
1693
+ return;
1694
+ case 'DataRow': {
1695
+ if (!q.current) {
1696
+ // Server sent rows without a prior description — extremely rare
1697
+ // (only for some legacy COPY error paths). Treat as empty desc.
1698
+ q.current = {
1699
+ command: '',
1700
+ rowCount: null,
1701
+ oid: null,
1702
+ fields: [],
1703
+ rows: [],
1704
+ notices: [],
1705
+ };
1706
+ }
1707
+ q.current.rows.push(decodeDataRow(msg.values, q.current.fields));
1708
+ return;
1709
+ }
1710
+ case 'CommandComplete': {
1711
+ const { command, rowCount, oid } = parseCommandTag(msg.tag);
1712
+ const set = q.current ?? {
1713
+ command,
1714
+ rowCount: rowCount,
1715
+ oid,
1716
+ fields: [],
1717
+ rows: [],
1718
+ notices: [],
1719
+ };
1720
+ set.command = command;
1721
+ set.rowCount = rowCount;
1722
+ set.oid = oid;
1723
+ set.notices = q.notices.splice(0);
1724
+ q.finished.push(set);
1725
+ q.current = null;
1726
+ return;
1727
+ }
1728
+ case 'EmptyQueryResponse': {
1729
+ const set = {
1730
+ command: '',
1731
+ rowCount: null,
1732
+ oid: null,
1733
+ fields: [],
1734
+ rows: [],
1735
+ notices: q.notices.splice(0),
1736
+ };
1737
+ q.finished.push(set);
1738
+ q.current = null;
1739
+ return;
1740
+ }
1741
+ case 'ParameterStatus':
1742
+ this.params.set(msg.name, msg.value);
1743
+ if (msg.name === 'server_version') {
1744
+ this.serverVersion = parseServerVersion(msg.value);
1745
+ }
1746
+ return;
1747
+ case 'NoticeResponse': {
1748
+ const notice = fieldsToNotice(msg.fields);
1749
+ q.notices.push(notice);
1750
+ this.notify.emit(notice);
1751
+ return;
1752
+ }
1753
+ case 'NotificationResponse':
1754
+ this.notify.emitNotification(msg.channel, msg.payload, msg.processId);
1755
+ return;
1756
+ case 'ErrorResponse': {
1757
+ q.error = fieldsToConnectError(msg.fields);
1758
+ // Don't reject yet — ReadyForQuery will arrive shortly and we want
1759
+ // to drain queued NoticeResponse messages first.
1760
+ return;
1761
+ }
1762
+ case 'ReadyForQuery': {
1763
+ this.txStatus = msg.status;
1764
+ this.state = 'idle';
1765
+ this.pendingQuery = null;
1766
+ if (q.error) {
1767
+ // Mirror libpq's behaviour: the result list contains every
1768
+ // PGresult the server produced before the ErrorResponse — for
1769
+ // a `\;`-chained simple-query batch, that's all the statements
1770
+ // before the failing one. We surface them by attaching the
1771
+ // accumulated `finished[]` to the thrown Error so callers
1772
+ // (`executeAndPrint`) can render the pre-error rows in order
1773
+ // before printing the error itself.
1774
+ const err = asThrowable(q.error);
1775
+ err.partialResults =
1776
+ q.finished;
1777
+ q.reject(err);
1778
+ }
1779
+ else {
1780
+ q.resolve(q.finished);
1781
+ }
1782
+ return;
1783
+ }
1784
+ case 'CopyInResponse': {
1785
+ // PG 17 added pipeline + COPY support but libpq still rejects the
1786
+ // combination ("COPY in a pipeline is not supported, aborting
1787
+ // connection"). Upstream psql surfaces that diagnostic and tears down
1788
+ // the connection. We mirror the behaviour: if the user fires a COPY
1789
+ // statement via execSimple while a pipeline is active, abort.
1790
+ if (this._extPipelineActive) {
1791
+ this.abortForCopyInPipeline();
1792
+ return;
1793
+ }
1794
+ // CopyInResponse during execSimple (no active CopyIn driver) — the
1795
+ // common path is `COPY ... FROM STDIN` as one segment of a `\;`-chained
1796
+ // simple-query batch. Upstream psql pumps stdin lines until `\.`; the
1797
+ // mainloop pre-scans its input and buffers the bytes into
1798
+ // `copyInMidBatchQueue` before calling execSimple. We pop the head
1799
+ // buffer and ship it as CopyData + CopyDone. If no buffer is queued
1800
+ // (caller forgot to seed, or scan was inaccurate), CopyFail so the
1801
+ // server returns to ReadyForQuery rather than blocking.
1802
+ const data = this.copyInMidBatchQueue.shift();
1803
+ if (data !== undefined) {
1804
+ try {
1805
+ // Empty payload still needs a CopyDone — the server transitions
1806
+ // back to CopyIn-done state on CopyDone regardless of byte
1807
+ // count. Wrapping a zero-length CopyData is harmless.
1808
+ if (data.length > 0) {
1809
+ this.socket.write(CopyData(data));
1810
+ }
1811
+ this.socket.write(CopyDone());
1812
+ }
1813
+ catch {
1814
+ // Write failures are surfaced via socket 'error' / 'close'
1815
+ // handlers which will fail the pending query.
1816
+ }
1817
+ return;
1818
+ }
1819
+ q.error = {
1820
+ severity: 'ERROR',
1821
+ message: 'COPY FROM STDIN not supported via execSimple — use \\copy or startCopyIn',
1822
+ };
1823
+ try {
1824
+ this.socket.write(CopyFail('COPY FROM STDIN not driven by client'));
1825
+ }
1826
+ catch {
1827
+ // Write failures are surfaced via socket 'error' / 'close' handlers
1828
+ // which will fail the pending query — nothing to do here.
1829
+ }
1830
+ return;
1831
+ }
1832
+ case 'CopyOutResponse': {
1833
+ if (this._extPipelineActive) {
1834
+ this.abortForCopyInPipeline();
1835
+ return;
1836
+ }
1837
+ // CopyOutResponse during execSimple (no active CopyOut driver) — the
1838
+ // common path is `COPY ... TO STDOUT` as one segment of a `\;`-chained
1839
+ // simple-query batch. We accumulate the CopyData payloads onto the
1840
+ // current ResultSet's `copyOutBytes` so the renderer emits them at
1841
+ // the result's position in the chain — instead of streaming them
1842
+ // straight to a sink at receive time, which would hoist the COPY
1843
+ // bytes above any tuples-producing results that haven't been
1844
+ // rendered yet (see hunk 5722-5730 in regress/psql).
1845
+ this.copyOutMidBatchActive = true;
1846
+ q.current = q.current ?? {
1847
+ command: '',
1848
+ rowCount: null,
1849
+ oid: null,
1850
+ fields: [],
1851
+ rows: [],
1852
+ notices: [],
1853
+ };
1854
+ q.current.copyOutBytes = q.current.copyOutBytes ?? [];
1855
+ return;
1856
+ }
1857
+ case 'CopyData': {
1858
+ // CopyData arrives during execSimple only when we're in the mid-batch
1859
+ // COPY-OUT phase (CopyOutResponse flipped the flag above). Stash the
1860
+ // payload on the current result's `copyOutBytes` so the caller can
1861
+ // render in order. Anything else is a protocol error.
1862
+ if (this.copyOutMidBatchActive) {
1863
+ const cur = q.current;
1864
+ if (cur) {
1865
+ cur.copyOutBytes = cur.copyOutBytes ?? [];
1866
+ cur.copyOutBytes.push(msg.data);
1867
+ }
1868
+ return;
1869
+ }
1870
+ q.error = {
1871
+ severity: 'ERROR',
1872
+ message: 'Unexpected backend message during query: CopyData',
1873
+ };
1874
+ return;
1875
+ }
1876
+ case 'CopyDone': {
1877
+ // Server signals end of COPY-OUT data — next message will be
1878
+ // CommandComplete for the COPY statement, then the batch resumes.
1879
+ if (this.copyOutMidBatchActive) {
1880
+ this.copyOutMidBatchActive = false;
1881
+ return;
1882
+ }
1883
+ q.error = {
1884
+ severity: 'ERROR',
1885
+ message: 'Unexpected backend message during query: CopyDone',
1886
+ };
1887
+ return;
1888
+ }
1889
+ case 'CopyBothResponse': {
1890
+ // Walsender (`replication=database` / `replication=true`) commands
1891
+ // such as `START_REPLICATION` transition the connection into a
1892
+ // CopyBoth streaming phase (WAL records flowing from server +
1893
+ // keepalive replies flowing from client). This client does not
1894
+ // implement WAL streaming — upstream libpq's `PQexec` similarly
1895
+ // refuses to handle PGRES_COPY_BOTH and surfaces a diagnostic. We
1896
+ // mirror that: reject the pending query with a "syntax error" style
1897
+ // message (matching the conformance assertion) and tear the socket
1898
+ // down so the next query / process exit is clean.
1899
+ const cbErr = {
1900
+ severity: 'ERROR',
1901
+ code: '0A000',
1902
+ message: 'syntax error: unexpected CopyBothResponse from server (replication streaming is not supported by this client)',
1903
+ };
1904
+ q.error = cbErr;
1905
+ q.reject(asThrowable(cbErr));
1906
+ this.pendingQuery = null;
1907
+ this.socketError = new Error(cbErr.message);
1908
+ try {
1909
+ this.socket.destroy();
1910
+ }
1911
+ catch {
1912
+ // ignore
1913
+ }
1914
+ this.state = 'closed';
1915
+ return;
1916
+ }
1917
+ default:
1918
+ // Unknown messages during a query are protocol errors but not fatal
1919
+ // for the connection — record them.
1920
+ q.error = {
1921
+ severity: 'ERROR',
1922
+ message: `Unexpected backend message during query: ${msg.type}`,
1923
+ };
1924
+ return;
1925
+ }
1926
+ }
1927
+ // -------------------------------------------------------------------------
1928
+ // Socket → parser → state dispatch
1929
+ // -------------------------------------------------------------------------
1930
+ onData(chunk) {
1931
+ let messages;
1932
+ try {
1933
+ messages = this.parser.feed(chunk);
1934
+ }
1935
+ catch (err) {
1936
+ this.socketError = err instanceof Error ? err : new Error(String(err));
1937
+ this.failPending(this.socketError);
1938
+ try {
1939
+ this.socket.destroy();
1940
+ }
1941
+ catch {
1942
+ // ignore
1943
+ }
1944
+ this.state = 'closed';
1945
+ return;
1946
+ }
1947
+ for (const msg of messages) {
1948
+ this.dispatch(msg);
1949
+ if (this.state === 'closed')
1950
+ break;
1951
+ }
1952
+ }
1953
+ dispatch(msg) {
1954
+ // Async backend messages always allowed. NotificationResponse can arrive
1955
+ // in *any* state since LISTEN payloads come in whenever a NOTIFY fires.
1956
+ if (msg.type === 'NotificationResponse') {
1957
+ this.notify.emitNotification(msg.channel, msg.payload, msg.processId);
1958
+ return;
1959
+ }
1960
+ switch (this.state) {
1961
+ case 'auth':
1962
+ this.handleAuthMessage(msg);
1963
+ return;
1964
+ case 'await-ready':
1965
+ this.handleAwaitReady(msg);
1966
+ return;
1967
+ case 'idle':
1968
+ // ParameterStatus changes can arrive asynchronously (SET).
1969
+ if (msg.type === 'ParameterStatus') {
1970
+ this.params.set(msg.name, msg.value);
1971
+ if (msg.name === 'server_version') {
1972
+ this.serverVersion = parseServerVersion(msg.value);
1973
+ }
1974
+ return;
1975
+ }
1976
+ if (msg.type === 'NoticeResponse') {
1977
+ this.notify.emit(fieldsToNotice(msg.fields));
1978
+ return;
1979
+ }
1980
+ // (NotificationResponse is handled by the early-out above.)
1981
+ // Anything else in idle is unexpected.
1982
+ this.socketError = new Error(`Unexpected ${msg.type} in idle state`);
1983
+ try {
1984
+ this.socket.destroy();
1985
+ }
1986
+ catch {
1987
+ // ignore
1988
+ }
1989
+ this.state = 'closed';
1990
+ return;
1991
+ case 'in-query':
1992
+ this.handleQueryMessage(msg);
1993
+ return;
1994
+ case 'in-extended':
1995
+ this.handleExtendedMessage(msg);
1996
+ return;
1997
+ case 'in-copy-in':
1998
+ this.handleCopyInMessage(msg);
1999
+ return;
2000
+ case 'in-copy-out':
2001
+ this.handleCopyOutMessage(msg);
2002
+ return;
2003
+ case 'closed':
2004
+ return;
2005
+ }
2006
+ }
2007
+ failPending(err) {
2008
+ if (this.pendingQuery) {
2009
+ const q = this.pendingQuery;
2010
+ this.pendingQuery = null;
2011
+ // If the server delivered an ErrorResponse just before the socket
2012
+ // closed (e.g. a FATAL "terminating connection due to administrator
2013
+ // command" when the backend is killed mid-query), prefer that
2014
+ // structured error over the generic "Socket closed" fallback so the
2015
+ // diagnostic carries the server's wording. Mirrors libpq's behaviour
2016
+ // where `PQexec` surfaces the FATAL message and `PQerrorMessage`
2017
+ // returns the server-supplied text.
2018
+ //
2019
+ // `q.error` is initialised to `null` by `execSimple`; only a non-null
2020
+ // value indicates a server-side ErrorResponse was actually captured.
2021
+ q.reject(q.error != null ? asThrowable(q.error) : err);
2022
+ }
2023
+ if (this.extDriver) {
2024
+ const d = this.extDriver;
2025
+ this.extDriver = null;
2026
+ for (const op of d.queue)
2027
+ op.reject(err);
2028
+ }
2029
+ if (this.startupReject) {
2030
+ const r = this.startupReject;
2031
+ this.startupResolve = null;
2032
+ this.startupReject = null;
2033
+ r(err);
2034
+ }
2035
+ if (this.copyStartReject) {
2036
+ const r = this.copyStartReject;
2037
+ this.copyStartResolve = null;
2038
+ this.copyStartReject = null;
2039
+ r(err);
2040
+ }
2041
+ if (this.copyIn) {
2042
+ const d = this.copyIn;
2043
+ this.copyIn = null;
2044
+ if (d.rejectDone)
2045
+ d.rejectDone(err);
2046
+ }
2047
+ if (this.copyOut) {
2048
+ const d = this.copyOut;
2049
+ this.copyOut = null;
2050
+ d.error =
2051
+ err instanceof Error
2052
+ ? { severity: 'ERROR', message: err.message }
2053
+ : { severity: 'ERROR', message: String(err) };
2054
+ if (d.waker) {
2055
+ const w = d.waker;
2056
+ d.waker = null;
2057
+ w();
2058
+ }
2059
+ }
2060
+ }
2061
+ ensureIdle() {
2062
+ if (this.state === 'closed') {
2063
+ throw new Error('PgConnection: connection is closed');
2064
+ }
2065
+ if (this.state !== 'idle' && this.state !== 'in-extended') {
2066
+ throw new Error(`PgConnection: cannot start query in state ${this.state}`);
2067
+ }
2068
+ }
2069
+ // -------------------------------------------------------------------------
2070
+ // Extended-protocol driver (WP-21).
2071
+ //
2072
+ // Each public enqueueX method appends one op to `extDriver.queue` and
2073
+ // returns a Promise that resolves when the op's terminator backend message
2074
+ // arrives. The caller is responsible for writing the matching wire frame
2075
+ // (Parse/Bind/Describe/Execute/Close/Sync) to the socket.
2076
+ // -------------------------------------------------------------------------
2077
+ startExtendedBatch() {
2078
+ if (this.state === 'idle') {
2079
+ this.state = 'in-extended';
2080
+ this.extDriver = { queue: [], error: null };
2081
+ }
2082
+ else if (this.state !== 'in-extended') {
2083
+ throw new Error(`PgConnection: cannot start extended batch in state ${this.state}`);
2084
+ }
2085
+ else if (!this.extDriver) {
2086
+ this.extDriver = { queue: [], error: null };
2087
+ }
2088
+ }
2089
+ writeRaw(buf) {
2090
+ this.socket.write(buf);
2091
+ }
2092
+ enqueueParse() {
2093
+ return this.enqueueOp({
2094
+ kind: 'parse',
2095
+ resolve: () => undefined,
2096
+ reject: () => undefined,
2097
+ });
2098
+ }
2099
+ enqueueBind() {
2100
+ return this.enqueueOp({
2101
+ kind: 'bind',
2102
+ resolve: () => undefined,
2103
+ reject: () => undefined,
2104
+ });
2105
+ }
2106
+ enqueueDescribeStatement() {
2107
+ return this.enqueueOp({
2108
+ kind: 'describeS',
2109
+ resolve: () => undefined,
2110
+ reject: () => undefined,
2111
+ paramOids: null,
2112
+ });
2113
+ }
2114
+ enqueueDescribePortal() {
2115
+ return this.enqueueOp({
2116
+ kind: 'describeP',
2117
+ resolve: () => undefined,
2118
+ reject: () => undefined,
2119
+ });
2120
+ }
2121
+ /**
2122
+ * Variant of {@link enqueueDescribePortal} that pipes the resolved fields
2123
+ * onto the very next `execute` op already (or yet to be) on the queue.
2124
+ */
2125
+ enqueueDescribePortalIntoNextExecute() {
2126
+ const driver = this.extDriver;
2127
+ if (!driver) {
2128
+ return Promise.reject(new Error('enqueueDescribePortalIntoNextExecute: not in extended state'));
2129
+ }
2130
+ return new Promise((resolve, reject) => {
2131
+ driver.queue.push({
2132
+ kind: 'describeP',
2133
+ resolve: (v) => {
2134
+ const fields = v;
2135
+ for (const op of driver.queue) {
2136
+ if (op.kind === 'execute' && op.fields === null) {
2137
+ op.fields = fields;
2138
+ break;
2139
+ }
2140
+ }
2141
+ resolve();
2142
+ },
2143
+ reject,
2144
+ });
2145
+ });
2146
+ }
2147
+ enqueueExecute() {
2148
+ return this.enqueueOp({
2149
+ kind: 'execute',
2150
+ resolve: () => undefined,
2151
+ reject: () => undefined,
2152
+ current: null,
2153
+ notices: [],
2154
+ fields: null,
2155
+ });
2156
+ }
2157
+ enqueueExecuteWithFields(fields) {
2158
+ return this.enqueueOp({
2159
+ kind: 'execute',
2160
+ resolve: () => undefined,
2161
+ reject: () => undefined,
2162
+ current: null,
2163
+ notices: [],
2164
+ fields,
2165
+ });
2166
+ }
2167
+ enqueueClose() {
2168
+ return this.enqueueOp({
2169
+ kind: 'close',
2170
+ resolve: () => undefined,
2171
+ reject: () => undefined,
2172
+ });
2173
+ }
2174
+ enqueueSync() {
2175
+ return this.enqueueOp({
2176
+ kind: 'sync',
2177
+ resolve: () => undefined,
2178
+ reject: () => undefined,
2179
+ });
2180
+ }
2181
+ enqueueOp(opSkeleton) {
2182
+ if (!this.extDriver) {
2183
+ return Promise.reject(new Error('enqueueOp: not in extended state'));
2184
+ }
2185
+ const driver = this.extDriver;
2186
+ return new Promise((resolve, reject) => {
2187
+ const op = opSkeleton;
2188
+ op.resolve = resolve;
2189
+ op.reject = reject;
2190
+ driver.queue.push(op);
2191
+ });
2192
+ }
2193
+ handleExtendedMessage(msg) {
2194
+ const driver = this.extDriver;
2195
+ if (!driver)
2196
+ return;
2197
+ if (msg.type === 'ParameterStatus') {
2198
+ this.params.set(msg.name, msg.value);
2199
+ if (msg.name === 'server_version') {
2200
+ this.serverVersion = parseServerVersion(msg.value);
2201
+ }
2202
+ return;
2203
+ }
2204
+ if (msg.type === 'NoticeResponse') {
2205
+ const notice = fieldsToNotice(msg.fields);
2206
+ this.notify.emit(notice);
2207
+ const head = driver.queue[0];
2208
+ if (head && head.kind === 'execute')
2209
+ head.notices.push(notice);
2210
+ return;
2211
+ }
2212
+ if (msg.type === 'NotificationResponse') {
2213
+ this.notify.emitNotification(msg.channel, msg.payload, msg.processId);
2214
+ return;
2215
+ }
2216
+ if (msg.type === 'ErrorResponse') {
2217
+ driver.error = fieldsToConnectError(msg.fields);
2218
+ // Reject ALL queued non-sync ops eagerly. Upstream server semantics:
2219
+ // once a P/B/D/E op errors, the server skips every subsequent message
2220
+ // until the next Sync. If the client (e.g. `\flushrequest` + `\getresults`
2221
+ // after an aborted bind) doesn't issue Sync next, no further wire
2222
+ // messages will arrive — so we must cascade-reject the rest of the
2223
+ // queue NOW or those promises hang forever.
2224
+ //
2225
+ // Mirror libpq's `PGRES_PIPELINE_ABORTED` marker for follow-on ops:
2226
+ // the FIRST failing op carries the real `ErrorResponse` payload,
2227
+ // every subsequent op gets a synthetic "Pipeline aborted, command
2228
+ // did not run" error so `\getresults` / `\endpipeline` can
2229
+ // distinguish the originating ERROR from the cascaded skips. See
2230
+ // upstream `pqPipelineProcessQueue` in `fe-exec.c`.
2231
+ let first = true;
2232
+ while (driver.queue.length > 0) {
2233
+ const head = driver.queue[0];
2234
+ if (head.kind === 'sync')
2235
+ break;
2236
+ driver.queue.shift();
2237
+ if (first) {
2238
+ head.reject(driver.error);
2239
+ first = false;
2240
+ }
2241
+ else {
2242
+ head.reject(pipelineAbortedError());
2243
+ }
2244
+ }
2245
+ return;
2246
+ }
2247
+ // COPY-in-pipeline: when an `Execute` in pipeline mode hits a
2248
+ // `COPY ... FROM STDIN` / `COPY ... TO STDOUT`, the server replies
2249
+ // with `CopyInResponse` / `CopyOutResponse` instead of the usual
2250
+ // result-stream messages. Upstream libpq refuses the combination
2251
+ // with "COPY in a pipeline is not supported, aborting connection"
2252
+ // and tears the connection down. Mirror that so `\startpipeline +
2253
+ // COPY ...` surfaces the expected fatal error rather than hanging
2254
+ // on a response the extended driver doesn't know how to consume.
2255
+ if (msg.type === 'CopyInResponse' || msg.type === 'CopyOutResponse') {
2256
+ this.abortForCopyInPipeline();
2257
+ return;
2258
+ }
2259
+ // Drain any ops added to the queue AFTER the initial cascade-reject
2260
+ // (e.g. a `\sendpipeline` issued by the user once `\getresults`
2261
+ // returned the first ErrorResponse) — those ops were never visible
2262
+ // to the original cascade loop, but the server skipped them too
2263
+ // because it stays in PIPELINE_ABORTED until the next Sync. Mark
2264
+ // them as cascaded (`pipelineAborted`) rather than the real error:
2265
+ // libpq surfaces the real error only on the OP that actually
2266
+ // failed, and stamps every subsequent skipped op with the
2267
+ // PGRES_PIPELINE_ABORTED marker. The cmd layer's `\getresults` /
2268
+ // `\endpipeline` paths render the marker as
2269
+ // `Pipeline aborted, command did not run` (no `ERROR:` prefix).
2270
+ while (driver.error !== null) {
2271
+ const head = driver.queue[0];
2272
+ if (!head || head.kind === 'sync')
2273
+ break;
2274
+ driver.queue.shift();
2275
+ head.reject(pipelineAbortedError());
2276
+ }
2277
+ const head = driver.queue[0];
2278
+ if (!head) {
2279
+ this.protocolFail(new Error(`Unexpected backend message ${msg.type} in in-extended`));
2280
+ return;
2281
+ }
2282
+ switch (msg.type) {
2283
+ case 'ParseComplete':
2284
+ if (head.kind !== 'parse') {
2285
+ this.protocolFail(new Error('ParseComplete arrived but head op is ' + head.kind));
2286
+ return;
2287
+ }
2288
+ driver.queue.shift();
2289
+ head.resolve(undefined);
2290
+ return;
2291
+ case 'BindComplete':
2292
+ if (head.kind !== 'bind') {
2293
+ this.protocolFail(new Error('BindComplete arrived but head op is ' + head.kind));
2294
+ return;
2295
+ }
2296
+ driver.queue.shift();
2297
+ head.resolve(undefined);
2298
+ return;
2299
+ case 'CloseComplete':
2300
+ if (head.kind !== 'close') {
2301
+ this.protocolFail(new Error('CloseComplete arrived but head op is ' + head.kind));
2302
+ return;
2303
+ }
2304
+ driver.queue.shift();
2305
+ head.resolve(undefined);
2306
+ return;
2307
+ case 'ParameterDescription':
2308
+ if (head.kind !== 'describeS') {
2309
+ this.protocolFail(new Error('ParameterDescription arrived but head op is ' + head.kind));
2310
+ return;
2311
+ }
2312
+ head.paramOids = msg.oids;
2313
+ return;
2314
+ case 'RowDescription':
2315
+ if (head.kind === 'describeS') {
2316
+ driver.queue.shift();
2317
+ head.resolve({
2318
+ paramOids: head.paramOids ?? [],
2319
+ fields: msg.fields,
2320
+ });
2321
+ return;
2322
+ }
2323
+ if (head.kind === 'describeP') {
2324
+ driver.queue.shift();
2325
+ head.resolve(msg.fields);
2326
+ return;
2327
+ }
2328
+ if (head.kind === 'execute') {
2329
+ head.current = {
2330
+ command: '',
2331
+ rowCount: null,
2332
+ oid: null,
2333
+ fields: msg.fields,
2334
+ rows: [],
2335
+ notices: [],
2336
+ };
2337
+ head.fields = msg.fields;
2338
+ return;
2339
+ }
2340
+ this.protocolFail(new Error('Unexpected RowDescription at head op ' + head.kind));
2341
+ return;
2342
+ case 'NoData':
2343
+ if (head.kind === 'describeS') {
2344
+ driver.queue.shift();
2345
+ head.resolve({ paramOids: head.paramOids ?? [], fields: [] });
2346
+ return;
2347
+ }
2348
+ if (head.kind === 'describeP') {
2349
+ driver.queue.shift();
2350
+ head.resolve([]);
2351
+ return;
2352
+ }
2353
+ this.protocolFail(new Error('Unexpected NoData at head op ' + head.kind));
2354
+ return;
2355
+ case 'DataRow': {
2356
+ if (head.kind !== 'execute') {
2357
+ this.protocolFail(new Error('DataRow at head op ' + head.kind));
2358
+ return;
2359
+ }
2360
+ const fields = head.fields ?? head.current?.fields ?? [];
2361
+ if (!head.current) {
2362
+ head.current = {
2363
+ command: '',
2364
+ rowCount: null,
2365
+ oid: null,
2366
+ fields,
2367
+ rows: [],
2368
+ notices: [],
2369
+ };
2370
+ }
2371
+ head.current.rows.push(decodeDataRow(msg.values, fields));
2372
+ return;
2373
+ }
2374
+ case 'CommandComplete': {
2375
+ if (head.kind !== 'execute') {
2376
+ this.protocolFail(new Error('CommandComplete at head op ' + head.kind));
2377
+ return;
2378
+ }
2379
+ const { command, rowCount, oid } = parseCommandTag(msg.tag);
2380
+ const set = head.current ?? {
2381
+ command,
2382
+ rowCount,
2383
+ oid,
2384
+ fields: head.fields ?? [],
2385
+ rows: [],
2386
+ notices: [],
2387
+ };
2388
+ set.command = command;
2389
+ set.rowCount = rowCount;
2390
+ set.oid = oid;
2391
+ set.notices = head.notices.splice(0);
2392
+ driver.queue.shift();
2393
+ head.resolve(set);
2394
+ return;
2395
+ }
2396
+ case 'EmptyQueryResponse': {
2397
+ if (head.kind !== 'execute') {
2398
+ this.protocolFail(new Error('EmptyQueryResponse at head op ' + head.kind));
2399
+ return;
2400
+ }
2401
+ const set = {
2402
+ command: '',
2403
+ rowCount: null,
2404
+ oid: null,
2405
+ fields: [],
2406
+ rows: [],
2407
+ notices: head.notices.splice(0),
2408
+ };
2409
+ driver.queue.shift();
2410
+ head.resolve(set);
2411
+ return;
2412
+ }
2413
+ case 'PortalSuspended': {
2414
+ if (head.kind !== 'execute') {
2415
+ this.protocolFail(new Error('PortalSuspended at head op ' + head.kind));
2416
+ return;
2417
+ }
2418
+ const set = head.current ?? {
2419
+ command: '',
2420
+ rowCount: null,
2421
+ oid: null,
2422
+ fields: head.fields ?? [],
2423
+ rows: [],
2424
+ notices: head.notices.splice(0),
2425
+ };
2426
+ set.notices = head.notices.splice(0);
2427
+ driver.queue.shift();
2428
+ head.resolve(set);
2429
+ return;
2430
+ }
2431
+ case 'ReadyForQuery': {
2432
+ this.txStatus = msg.status;
2433
+ if (head.kind !== 'sync') {
2434
+ this.protocolFail(new Error('ReadyForQuery but head op is ' + head.kind));
2435
+ return;
2436
+ }
2437
+ driver.queue.shift();
2438
+ const stickyErr = driver.error;
2439
+ driver.error = null;
2440
+ if (stickyErr) {
2441
+ head.reject(stickyErr);
2442
+ }
2443
+ else {
2444
+ head.resolve(undefined);
2445
+ }
2446
+ if (driver.queue.length === 0 && !this._extPipelineActive) {
2447
+ this.state = 'idle';
2448
+ this.extDriver = null;
2449
+ }
2450
+ return;
2451
+ }
2452
+ default:
2453
+ this.protocolFail(new Error(`Unexpected ${msg.type} in in-extended state`));
2454
+ return;
2455
+ }
2456
+ }
2457
+ protocolFail(err) {
2458
+ this.socketError = err;
2459
+ this.failPending(err);
2460
+ try {
2461
+ this.socket.destroy();
2462
+ }
2463
+ catch {
2464
+ // ignore
2465
+ }
2466
+ this.state = 'closed';
2467
+ }
2468
+ /**
2469
+ * Abort the connection because the server replied with CopyInResponse /
2470
+ * CopyOutResponse while a pipeline (`_extPipelineActive`) was active.
2471
+ * Upstream libpq emits the exact diagnostic
2472
+ * `"COPY in a pipeline is not supported, aborting connection"` and tears
2473
+ * the socket down — we mirror that. Pending operations are rejected; the
2474
+ * connection is left in `closed` so subsequent commands fail cleanly
2475
+ * (matching the "aborting connection" promise).
2476
+ */
2477
+ abortForCopyInPipeline() {
2478
+ const err = {
2479
+ severity: 'FATAL',
2480
+ message: 'COPY in a pipeline is not supported, aborting connection',
2481
+ };
2482
+ this.socketError = new Error(err.message);
2483
+ this.failPending(err);
2484
+ try {
2485
+ this.socket.destroy();
2486
+ }
2487
+ catch {
2488
+ // ignore
2489
+ }
2490
+ this.state = 'closed';
2491
+ }
2492
+ }
2493
+ // -------------------------------------------------------------------------
2494
+ // Public factory
2495
+ // -------------------------------------------------------------------------
2496
+ /**
2497
+ * Pluggable random source for `load_balance_hosts=random`. Public so tests
2498
+ * can inject a deterministic permutation; production code leaves it `null`
2499
+ * and falls back to `Math.random`. NOT part of the connection's external
2500
+ * contract — internal-only escape hatch.
2501
+ */
2502
+ PgConnection._loadBalanceRng = null;
2503
+ /**
2504
+ * Pluggable DNS resolver for the multi-IP host fan-out (libpq's
2505
+ * `getaddrinfo`-then-iterate behaviour, exercised by upstream's
2506
+ * `004_load_balance_dns.pl`). Tests inject a fake to drive a hostname
2507
+ * through a fixed IP set without touching the real resolver; production
2508
+ * code leaves it `null` and falls back to `dns.lookup(host, {all: true})`.
2509
+ * Returning an empty array signals "treat as unresolvable" and the
2510
+ * candidate is dropped from the iteration set (matching libpq's "no
2511
+ * results from getaddrinfo" path).
2512
+ */
2513
+ PgConnection._dnsLookupAll = null;
2514
+ // ---------------------------------------------------------------------------
2515
+ // Socket open helper. Supports TCP (default) and Unix-domain sockets when
2516
+ // `opts.host` starts with `/` — matching libpq's `pqUnixSocketPath()` which
2517
+ // reads the directory from PGHOST and builds `<dir>/.s.PGSQL.<port>` as the
2518
+ // actual filesystem socket path.
2519
+ // ---------------------------------------------------------------------------
2520
+ /**
2521
+ * `true` if the host value should be interpreted as a Unix-domain socket
2522
+ * directory. libpq's rule: any value starting with `/` is a path.
2523
+ */
2524
+ export function isUnixSocketHost(host) {
2525
+ return host.startsWith('/');
2526
+ }
2527
+ /**
2528
+ * Build the actual filesystem path Postgres listens on under a socket
2529
+ * directory: `<dir>/.s.PGSQL.<port>`. Mirrors the libpq layout so any
2530
+ * server started with `unix_socket_directories=<dir>` is reachable.
2531
+ */
2532
+ export function unixSocketPath(dir, port) {
2533
+ return `${dir}/.s.PGSQL.${String(port)}`;
2534
+ }
2535
+ /**
2536
+ * Expand the configured (host, port) list by resolving each hostname to
2537
+ * its full set of A/AAAA records. Mirrors libpq's `getaddrinfo`-then-
2538
+ * iterate-all behaviour exercised by upstream's
2539
+ * `src/interfaces/libpq/t/004_load_balance_dns.pl`. Without this step a
2540
+ * single hostname that resolves to N IPs would only ever produce one
2541
+ * candidate (Node's `net.connect({host})` picks one address from the
2542
+ * lookup result), so `load_balance_hosts=random` couldn't shuffle across
2543
+ * the DNS-returned set.
2544
+ *
2545
+ * - Unix-domain socket paths (`/var/run/postgres`) are passed through
2546
+ * unchanged — they don't participate in DNS at all.
2547
+ * - IPv4/IPv6 literals are passed through unchanged — DNS resolution
2548
+ * would just round-trip them.
2549
+ * - Hostnames are resolved via `dns.lookup(host, {all: true})`. The
2550
+ * test seam `PgConnection._dnsLookupAll` overrides the resolver so
2551
+ * unit tests can drive a hostname through a fixed IP set without
2552
+ * touching the real DNS.
2553
+ * - A hostname that fails to resolve (or returns zero records) is
2554
+ * dropped from the iteration set. The connect loop's `lastErr`
2555
+ * surfaces the original error if every host fails.
2556
+ */
2557
+ async function expandHostsViaDns(seed) {
2558
+ const out = [];
2559
+ for (const c of seed) {
2560
+ if (isUnixSocketHost(c.host) || net.isIP(c.host) !== 0) {
2561
+ // Unix-domain socket paths and IP literals don't go through DNS.
2562
+ // Leave `address` undefined so `openSocket` uses `host` directly.
2563
+ out.push({ host: c.host, port: c.port });
2564
+ continue;
2565
+ }
2566
+ let addrs;
2567
+ try {
2568
+ addrs = PgConnection._dnsLookupAll
2569
+ ? await PgConnection._dnsLookupAll(c.host)
2570
+ : await dns.lookup(c.host, { all: true, family: 0 });
2571
+ }
2572
+ catch {
2573
+ // dns.lookup rejects with ENOTFOUND / EAI_AGAIN / EAI_NONAME on
2574
+ // resolution failure. Skip this host; the outer connect loop will
2575
+ // surface the failure via `lastErr` if every candidate is dropped.
2576
+ continue;
2577
+ }
2578
+ for (const a of addrs) {
2579
+ // Keep the ORIGINAL hostname on `host` so TLS SNI / verify-full
2580
+ // and `conn.host` see the user-typed name. The IP goes on
2581
+ // `address`, used only by `openSocket` for the actual TCP connect.
2582
+ out.push({ host: c.host, address: a.address, port: c.port });
2583
+ }
2584
+ }
2585
+ return out;
2586
+ }
2587
+ /**
2588
+ * Map a libpq protocol-version string (`TLSv1` / `TLSv1.1` / `TLSv1.2` /
2589
+ * `TLSv1.3`) to Node's `SecureVersion` literal. Returns `undefined` for
2590
+ * unset / empty input. Unknown values shouldn't reach here (the parsing
2591
+ * layer in `index.ts` validates them), but we return `undefined` rather than
2592
+ * casting so a stray value can't smuggle a bogus literal into Node's TLS
2593
+ * options.
2594
+ */
2595
+ function toSecureVersion(value) {
2596
+ switch (value) {
2597
+ case 'TLSv1':
2598
+ case 'TLSv1.1':
2599
+ case 'TLSv1.2':
2600
+ case 'TLSv1.3':
2601
+ return value;
2602
+ default:
2603
+ return undefined;
2604
+ }
2605
+ }
2606
+ /**
2607
+ * Map libpq's `ssl_min_protocol_version` / `ssl_max_protocol_version` onto
2608
+ * Node's `tls.connect` `minVersion` / `maxVersion`. Unset values leave Node's
2609
+ * compiled-in defaults in place.
2610
+ */
2611
+ function applyTlsProtocolVersionRange(tlsOpts, opts) {
2612
+ const min = toSecureVersion(opts.sslMinProtocolVersion);
2613
+ if (min !== undefined)
2614
+ tlsOpts.minVersion = min;
2615
+ const max = toSecureVersion(opts.sslMaxProtocolVersion);
2616
+ if (max !== undefined)
2617
+ tlsOpts.maxVersion = max;
2618
+ }
2619
+ /**
2620
+ * libpq `sslsni`: the TLS SNI servername to send, or `undefined` to suppress
2621
+ * the SNI extension entirely. `sslsni=0` (`opts.sslsni === false`) suppresses
2622
+ * it; unset / `sslsni=1` sends `opts.host` (libpq's default). Returned value
2623
+ * is spread into the `tls.connect` options as `servername`.
2624
+ *
2625
+ * Exported for unit tests.
2626
+ */
2627
+ export function tlsServername(opts) {
2628
+ return opts.sslsni === false ? undefined : opts.host;
2629
+ }
2630
+ /**
2631
+ * Translate libpq's `keepalives` / `keepalives_idle` into the arguments for
2632
+ * Node's `socket.setKeepAlive(enable, initialDelay)`:
2633
+ * - `enable`: `false` only when `keepalives === false` (libpq `keepalives=0`);
2634
+ * unset / `true` keeps keepalives on (libpq default).
2635
+ * - `initialDelayMs`: `keepalives_idle` seconds → milliseconds, or
2636
+ * `undefined` to leave the OS default.
2637
+ *
2638
+ * libpq's `keepalives_interval` and `keepalives_count` have NO Node net API
2639
+ * equivalent (`setKeepAlive` exposes only enable + initial delay), so they are
2640
+ * intentionally not represented here.
2641
+ *
2642
+ * Exported for unit tests.
2643
+ */
2644
+ export function keepAliveArgs(opts) {
2645
+ return {
2646
+ enable: opts.keepalives !== false,
2647
+ initialDelayMs: opts.keepalivesIdle !== undefined
2648
+ ? opts.keepalivesIdle * 1000
2649
+ : undefined,
2650
+ };
2651
+ }
2652
+ /**
2653
+ * Derive the symmetric key length (in bits) from a negotiated TLS cipher
2654
+ * name, for the PG18 `\conninfo` "SSL Key Bits" row. Node's TLS API doesn't
2655
+ * expose the key length directly, so we parse it out of the cipher name the
2656
+ * way upstream's `SSL_CIPHER_get_bits` effectively reports it:
2657
+ *
2658
+ * - `AES_256` / `CHACHA20` → 256
2659
+ * - `AES_128` → 128
2660
+ * - otherwise, the first run of digits in the standard name (`…128…` etc.)
2661
+ * - `null` when no length can be determined.
2662
+ *
2663
+ * Both the OpenSSL standard name (`TLS_AES_256_GCM_SHA384`,
2664
+ * `ECDHE-RSA-AES128-GCM-SHA256`) and Node's IANA-style name are handled by
2665
+ * uppercasing and matching the keyword forms first. Exported for unit tests.
2666
+ */
2667
+ export function sslKeyBitsFromCipher(name) {
2668
+ const upper = name.toUpperCase();
2669
+ if (upper.includes('CHACHA20'))
2670
+ return 256;
2671
+ if (upper.includes('AES_256') || upper.includes('AES256'))
2672
+ return 256;
2673
+ if (upper.includes('AES_128') || upper.includes('AES128'))
2674
+ return 128;
2675
+ if (upper.includes('AES_192') || upper.includes('AES192'))
2676
+ return 192;
2677
+ const digits = /(\d{2,4})/.exec(upper);
2678
+ if (digits) {
2679
+ const n = parseInt(digits[1], 10);
2680
+ if (Number.isFinite(n) && n > 0)
2681
+ return n;
2682
+ }
2683
+ return null;
2684
+ }
2685
+ function openSocket(opts,
2686
+ /**
2687
+ * Pre-resolved IP. When set, used for `net.connect({host})` instead
2688
+ * of `opts.host` — lets DNS fan-out direct the TCP connect to a
2689
+ * specific A record while keeping the user-typed hostname elsewhere
2690
+ * (TLS SNI / `conn.host`). Ignored for Unix-domain socket paths,
2691
+ * which take their address from `opts.host` directly.
2692
+ */
2693
+ addressOverride) {
2694
+ return new Promise((resolve, reject) => {
2695
+ const isUnix = isUnixSocketHost(opts.host);
2696
+ const socket = isUnix
2697
+ ? net.connect({ path: unixSocketPath(opts.host, opts.port) })
2698
+ : net.connect({
2699
+ host: addressOverride ?? opts.host,
2700
+ port: opts.port,
2701
+ });
2702
+ // libpq TCP keepalives (no-op for Unix-domain sockets, matching libpq,
2703
+ // which only applies SO_KEEPALIVE on TCP).
2704
+ if (!isUnix) {
2705
+ const { enable, initialDelayMs } = keepAliveArgs(opts);
2706
+ if (initialDelayMs !== undefined) {
2707
+ socket.setKeepAlive(enable, initialDelayMs);
2708
+ }
2709
+ else {
2710
+ socket.setKeepAlive(enable);
2711
+ }
2712
+ }
2713
+ const timeout = opts.connectTimeoutMs;
2714
+ let timer = null;
2715
+ if (timeout !== undefined && timeout > 0) {
2716
+ timer = setTimeout(() => {
2717
+ socket.destroy(new Error(`Connect timed out after ${String(timeout)} ms`));
2718
+ }, timeout);
2719
+ }
2720
+ const cleanup = () => {
2721
+ if (timer)
2722
+ clearTimeout(timer);
2723
+ socket.removeListener('error', onError);
2724
+ socket.removeListener('connect', onConnect);
2725
+ };
2726
+ const onError = (err) => {
2727
+ cleanup();
2728
+ reject(err);
2729
+ };
2730
+ const onConnect = () => {
2731
+ cleanup();
2732
+ resolve(socket);
2733
+ };
2734
+ socket.once('error', onError);
2735
+ socket.once('connect', onConnect);
2736
+ });
2737
+ }
2738
+ // ---------------------------------------------------------------------------
2739
+ // Result decoding helpers
2740
+ // ---------------------------------------------------------------------------
2741
+ /**
2742
+ * Decode a wire-protocol DataRow into JS values. We follow the simple psql
2743
+ * policy: text format → utf-8 string, binary format → Buffer. Type-aware
2744
+ * decoding (timestamps, arrays, etc.) is the caller's responsibility — that
2745
+ * matches `psql` which prints raw server text.
2746
+ */
2747
+ function decodeDataRow(values, fields) {
2748
+ const out = new Array(values.length);
2749
+ for (let i = 0; i < values.length; i++) {
2750
+ const v = values[i];
2751
+ if (v === null) {
2752
+ out[i] = null;
2753
+ continue;
2754
+ }
2755
+ const fmt = fields[i]?.format ?? 0;
2756
+ out[i] = fmt === 1 ? v : v.toString('utf8');
2757
+ }
2758
+ return out;
2759
+ }
2760
+ /**
2761
+ * Parse the CommandComplete tag — examples:
2762
+ * "SELECT 17"
2763
+ * "INSERT 0 1" (oid is 0 in modern PG; second number is rowCount)
2764
+ * "UPDATE 3"
2765
+ * "CREATE TABLE" (no rowCount)
2766
+ *
2767
+ * Anything that doesn't match → command = the whole tag, rowCount = null.
2768
+ */
2769
+ function parseCommandTag(tag) {
2770
+ const trimmed = tag.trim();
2771
+ // INSERT is the only tag with the legacy oid + rowCount layout.
2772
+ const insertMatch = /^INSERT (\d+) (\d+)$/.exec(trimmed);
2773
+ if (insertMatch) {
2774
+ return {
2775
+ command: 'INSERT',
2776
+ oid: parseInt(insertMatch[1], 10),
2777
+ rowCount: parseInt(insertMatch[2], 10),
2778
+ };
2779
+ }
2780
+ const m = /^([A-Z][A-Z ]*?)(?: (\d+))?$/.exec(trimmed);
2781
+ if (!m)
2782
+ return { command: trimmed, rowCount: null, oid: null };
2783
+ return {
2784
+ command: m[1],
2785
+ rowCount: m[2] !== undefined ? parseInt(m[2], 10) : null,
2786
+ oid: null,
2787
+ };
2788
+ }
2789
+ /**
2790
+ * Encode JS values into the (Buffer | string | null)[] format that
2791
+ * {@link Bind} accepts. Text-format only — server coerces. Matches psql's
2792
+ * default `\bind` behaviour.
2793
+ */
2794
+ export function encodeParams(values) {
2795
+ return values.map((v) => {
2796
+ if (v === null || v === undefined)
2797
+ return null;
2798
+ if (Buffer.isBuffer(v))
2799
+ return v;
2800
+ if (typeof v === 'string')
2801
+ return v;
2802
+ if (typeof v === 'boolean')
2803
+ return v ? 't' : 'f';
2804
+ if (typeof v === 'number' || typeof v === 'bigint')
2805
+ return v.toString();
2806
+ try {
2807
+ return JSON.stringify(v);
2808
+ }
2809
+ catch {
2810
+ return '';
2811
+ }
2812
+ });
2813
+ }
2814
+ /**
2815
+ * Coerce arbitrary rejection values to a thrown `Error`.
2816
+ *
2817
+ * For our `ConnectError` shape (`{ severity, code, message, … }`), the
2818
+ * resulting Error preserves every enumerable field of the source object as
2819
+ * own properties — so callers can still read `.code`, `.severity`, `.hint`,
2820
+ * `.position`, etc. directly off the thrown value while also getting a proper
2821
+ * `Error` instance (so `instanceof Error` works and `.message` / `.stack` are
2822
+ * populated for generic loggers).
2823
+ */
2824
+ function asThrowable(v) {
2825
+ if (v instanceof Error)
2826
+ return v;
2827
+ if (typeof v === 'object' &&
2828
+ v !== null &&
2829
+ 'message' in v &&
2830
+ typeof v.message === 'string') {
2831
+ const source = v;
2832
+ const err = new Error(source.message);
2833
+ // Copy every own enumerable field (severity, code, detail, hint, …) onto
2834
+ // the Error so structural consumers keep working.
2835
+ for (const key of Object.keys(source)) {
2836
+ if (key === 'message')
2837
+ continue;
2838
+ err[key] = source[key];
2839
+ }
2840
+ err.cause = v;
2841
+ return err;
2842
+ }
2843
+ return new Error(String(v));
2844
+ }