orez 0.0.47 → 0.0.49

package/src/pg-proxy.ts

@@ -1,9 +1,8 @@
 /**
  * tcp proxy that makes pglite speak postgresql wire protocol.
  *
- * handles the postgresql wire protocol directly using raw tcp sockets,
- * avoiding pg-gateway's Duplex.toWeb() which deadlocks under concurrent
- * connections with large responses.
+ * uses pg-gateway to handle protocol lifecycle for regular connections,
+ * and directly handles the raw socket for replication connections.
  *
  * regular connections: forwarded to pglite via execProtocolRaw()
  * replication connections: intercepted, replication protocol faked
@@ -15,6 +14,8 @@
 
 import { createServer, type Server, type Socket } from 'node:net'
 
+import { fromNodeSocket } from 'pg-gateway/node'
+
 import { log } from './log.js'
 import { Mutex } from './mutex.js'
 import { handleReplicationQuery, handleStartReplication } from './replication/handler.js'
@@ -66,7 +67,6 @@ const QUERY_REWRITES: Array<{ match: RegExp; replace: string }> = [
 // parameter status messages sent during connection handshake
 // pg_restore and other tools read these to determine server capabilities
 const SERVER_PARAMS: [string, string][] = [
-  ['server_version', '16.4'],
   ['server_encoding', 'UTF8'],
   ['client_encoding', 'UTF8'],
   ['DateStyle', 'ISO, MDY'],
@@ -76,12 +76,7 @@ const SERVER_PARAMS: [string, string][] = [
   ['IntervalStyle', 'postgres'],
 ]
 
-// queries to intercept and return no-op success (synthetic SET response)
-// pglite rejects SET TRANSACTION if any query (e.g. SET search_path) ran first
-const NOOP_QUERY_PATTERNS: RegExp[] = [/^\s*SET\s+TRANSACTION\b/i, /^\s*SET\s+SESSION\b/i]
-
-// ── wire protocol helpers ──
-
+// build a ParameterStatus wire protocol message (type 'S', 0x53)
 function buildParameterStatus(name: string, value: string): Uint8Array {
   const encoder = new TextEncoder()
   const nameBytes = encoder.encode(name)
@@ -100,64 +95,13 @@ function buildParameterStatus(name: string, value: string): Uint8Array {
   return buf
 }
 
-function buildAuthOk(): Uint8Array {
-  const buf = new Uint8Array(9)
-  buf[0] = 0x52 // 'R' AuthenticationOk
-  new DataView(buf.buffer).setInt32(1, 8)
-  new DataView(buf.buffer).setInt32(5, 0) // auth ok
-  return buf
-}
-
-function buildAuthCleartextPassword(): Uint8Array {
-  const buf = new Uint8Array(9)
-  buf[0] = 0x52 // 'R'
-  new DataView(buf.buffer).setInt32(1, 8)
-  new DataView(buf.buffer).setInt32(5, 3) // cleartext password
-  return buf
-}
-
-function buildBackendKeyData(): Uint8Array {
-  const buf = new Uint8Array(13)
-  buf[0] = 0x4b // 'K'
-  new DataView(buf.buffer).setInt32(1, 12)
-  new DataView(buf.buffer).setInt32(5, process.pid)
-  new DataView(buf.buffer).setInt32(9, 0)
-  return buf
-}
-
-function buildReadyForQuery(status: number = 0x49): Uint8Array {
-  const buf = new Uint8Array(6)
-  buf[0] = 0x5a // 'Z'
-  new DataView(buf.buffer).setInt32(1, 5)
-  buf[5] = status // 'I' = idle
-  return buf
-}
-
-function buildErrorResponse(message: string): Uint8Array {
-  const encoder = new TextEncoder()
-  const msgBytes = encoder.encode(message)
-  // S(ERROR) + C(code) + M(message) + terminator
-  const sField = new Uint8Array([0x53, ...encoder.encode('ERROR'), 0])
-  const cField = new Uint8Array([0x43, ...encoder.encode('08006'), 0])
-  const mField = new Uint8Array([0x4d, ...msgBytes, 0])
-  const terminator = new Uint8Array([0])
-  const bodyLen = 4 + sField.length + cField.length + mField.length + terminator.length
-  const buf = new Uint8Array(1 + bodyLen)
-  buf[0] = 0x45 // 'E'
-  new DataView(buf.buffer).setInt32(1, bodyLen)
-  let pos = 5
-  buf.set(sField, pos)
-  pos += sField.length
-  buf.set(cField, pos)
-  pos += cField.length
-  buf.set(mField, pos)
-  pos += mField.length
-  buf.set(terminator, pos)
-  return buf
-}
-
-// ── query helpers ──
+// queries to intercept and return no-op success (synthetic SET response)
+// pglite rejects SET TRANSACTION if any query (e.g. SET search_path) ran first
+const NOOP_QUERY_PATTERNS: RegExp[] = [/^\s*SET\s+TRANSACTION\b/i, /^\s*SET\s+SESSION\b/i]
 
+/**
+ * extract query text from a Parse message (0x50).
+ */
 function extractParseQuery(data: Uint8Array): string | null {
   if (data[0] !== 0x50) return null
   let offset = 5
@@ -168,6 +112,9 @@ function extractParseQuery(data: Uint8Array): string | null {
   return new TextDecoder().decode(data.subarray(queryStart, offset))
 }
 
+/**
+ * rebuild a Parse message with a modified query string.
+ */
 function rebuildParseMessage(data: Uint8Array, newQuery: string): Uint8Array {
   let offset = 5
   while (offset < data.length && data[offset] !== 0) offset++
@@ -197,6 +144,9 @@ function rebuildParseMessage(data: Uint8Array, newQuery: string): Uint8Array {
   return result
 }
 
+/**
+ * rebuild a Simple Query message with a modified query string.
+ */
 function rebuildSimpleQuery(newQuery: string): Uint8Array {
   const encoder = new TextEncoder()
   const queryBytes = encoder.encode(newQuery + '\0')
@@ -207,6 +157,9 @@ function rebuildSimpleQuery(newQuery: string): Uint8Array {
   return buf
 }
 
+/**
+ * intercept and rewrite query messages to make pglite look like real postgres.
+ */
 function interceptQuery(data: Uint8Array): Uint8Array {
   const msgType = data[0]
 
@@ -250,6 +203,9 @@ function interceptQuery(data: Uint8Array): Uint8Array {
   return data
 }
 
+/**
+ * check if a query should be intercepted as a no-op.
+ */
 function isNoopQuery(data: Uint8Array): boolean {
   let query: string | null = null
   if (data[0] === 0x51) {
@@ -263,6 +219,9 @@ function isNoopQuery(data: Uint8Array): boolean {
   return NOOP_QUERY_PATTERNS.some((p) => p.test(query!))
 }
 
+/**
+ * build a synthetic "SET" command complete response.
+ */
 function buildSetCompleteResponse(): Uint8Array {
   const encoder = new TextEncoder()
   const tag = encoder.encode('SET\0')
@@ -282,6 +241,9 @@ function buildSetCompleteResponse(): Uint8Array {
   return result
 }
 
+/**
+ * build a synthetic ParseComplete response for extended protocol no-ops.
+ */
 function buildParseCompleteResponse(): Uint8Array {
   const pc = new Uint8Array(5)
   pc[0] = 0x31 // ParseComplete
@@ -289,6 +251,9 @@ function buildParseCompleteResponse(): Uint8Array {
   return pc
 }
 
+/**
+ * strip ReadyForQuery messages from a response buffer.
+ */
 function stripReadyForQuery(data: Uint8Array): Uint8Array {
   if (data.length === 0) return data
 
@@ -320,299 +285,184 @@ function stripReadyForQuery(data: Uint8Array): Uint8Array {
   return result
 }
 
-// ── socket write with backpressure ──
-
-function socketWrite(socket: Socket, data: Uint8Array): Promise<void> {
-  if (data.length === 0 || socket.destroyed) return Promise.resolve()
-  return new Promise<void>((resolve, reject) => {
-    const ok = socket.write(data as any, (err) => (err ? reject(err) : resolve()))
-    // if buffer is full, the callback still fires when flushed
-    if (!ok) void 0
-  })
-}
-
-// ── startup handshake ──
-
-// parse startup message from raw bytes.
-// handles SSLRequest (8 bytes, code 80877103) and StartupMessage.
-function parseStartupMessage(buf: Buffer): {
-  isSSL: boolean
-  params: Record<string, string>
-} {
-  const dv = new DataView(buf.buffer, buf.byteOffset, buf.byteLength)
-  const len = dv.getInt32(0)
-  const code = dv.getInt32(4)
-
-  // SSL request: length=8, code=80877103
-  if (len === 8 && code === 80877103) {
-    return { isSSL: true, params: {} }
-  }
-
-  // startup message: length, protocol(196608=3.0), then key=value pairs
-  const params: Record<string, string> = {}
-  let offset = 8
-  while (offset < len) {
-    const keyStart = offset
-    while (offset < buf.length && buf[offset] !== 0) offset++
-    const key = buf.subarray(keyStart, offset).toString()
-    offset++
-    if (!key) break // double-null = end of params
-    const valStart = offset
-    while (offset < buf.length && buf[offset] !== 0) offset++
-    params[key] = buf.subarray(valStart, offset).toString()
-    offset++
-  }
-
-  return { isSSL: false, params }
-}
-
-// read exactly `n` bytes from socket
-function readBytes(socket: Socket, n: number): Promise<Buffer> {
-  return new Promise((resolve, reject) => {
-    let collected = Buffer.alloc(0)
-
-    const onData = (chunk: Buffer) => {
-      collected = Buffer.concat([collected, chunk])
-      if (collected.length >= n) {
-        socket.removeListener('data', onData)
-        socket.removeListener('error', onError)
-        socket.removeListener('close', onClose)
-        socket.pause()
-        resolve(collected)
-      }
-    }
-    const onError = (err: Error) => {
-      socket.removeListener('data', onData)
-      socket.removeListener('close', onClose)
-      reject(err)
-    }
-    const onClose = () => {
-      socket.removeListener('data', onData)
-      socket.removeListener('error', onError)
-      reject(new Error('socket closed'))
-    }
-
-    socket.on('data', onData)
-    socket.on('error', onError)
-    socket.on('close', onClose)
-    socket.resume()
-  })
-}
-
-// perform the startup handshake (SSL negotiation, auth, parameter status)
-async function performHandshake(
-  socket: Socket,
+export async function startPgProxy(
+  dbInput: PGlite | PGliteInstances,
   config: ZeroLiteConfig
-): Promise<{ params: Record<string, string> }> {
-  // read initial message length (first 4 bytes)
-  let buf = await readBytes(socket, 8)
-
-  // check for SSL request
-  const startup = parseStartupMessage(buf)
-  if (startup.isSSL) {
-    // reject SSL, client will reconnect without it
-    socket.write(Buffer.from('N'))
-    buf = await readBytes(socket, 8)
-  }
-
-  // now we have startup message header - read the rest if needed
-  const dv = new DataView(buf.buffer, buf.byteOffset, buf.byteLength)
-  const msgLen = dv.getInt32(0)
-  if (buf.length < msgLen) {
-    const rest = await readBytes(socket, msgLen - buf.length)
-    buf = Buffer.concat([buf, rest])
-  }
-
-  const { params } = parseStartupMessage(buf)
-
-  // request cleartext password
-  socket.write(buildAuthCleartextPassword())
+): Promise<Server> {
+  // normalize input: single PGlite instance = use it for all databases (backwards compat for tests)
+  const instances: PGliteInstances =
+    'postgres' in dbInput
+      ? (dbInput as PGliteInstances)
+      : { postgres: dbInput as PGlite, cvr: dbInput as PGlite, cdb: dbInput as PGlite }
 
-  // read password message: type(1) + len(4) + password + null
-  const pwBuf = await readBytes(socket, 5)
-  const pwDv = new DataView(pwBuf.buffer, pwBuf.byteOffset, pwBuf.byteLength)
-  const pwLen = pwDv.getInt32(1)
-  let fullPwBuf = pwBuf
-  if (fullPwBuf.length < 1 + pwLen) {
-    const rest = await readBytes(socket, 1 + pwLen - fullPwBuf.length)
-    fullPwBuf = Buffer.concat([fullPwBuf, rest])
-  }
-  const password = fullPwBuf.subarray(5, 1 + pwLen - 1).toString()
-
-  // validate credentials
-  if (params.user !== config.pgUser || password !== config.pgPassword) {
-    socket.write(buildErrorResponse('authentication failed'))
-    socket.write(buildReadyForQuery())
-    socket.destroy()
-    throw new Error('auth failed')
+  // per-instance mutexes for serializing pglite access
+  const mutexes = {
+    postgres: new Mutex(),
+    cvr: new Mutex(),
+    cdb: new Mutex(),
   }
 
-  // auth ok
-  socket.write(buildAuthOk())
-
-  // send parameter status messages
-  for (const [name, value] of SERVER_PARAMS) {
-    socket.write(buildParameterStatus(name, value))
+  // helper to get instance + mutex for a database name
+  function getDbContext(dbName: string): { db: PGlite; mutex: Mutex } {
+    if (dbName === 'zero_cvr') return { db: instances.cvr, mutex: mutexes.cvr }
+    if (dbName === 'zero_cdb') return { db: instances.cdb, mutex: mutexes.cdb }
+    return { db: instances.postgres, mutex: mutexes.postgres }
   }
 
-  // backend key data
-  socket.write(buildBackendKeyData())
-
-  // ready for query
-  socket.write(buildReadyForQuery())
-
-  return { params }
-}
+  const server = createServer(async (socket: Socket) => {
+    // prevent idle timeouts from killing connections
+    socket.setKeepAlive(true, 30000)
+    socket.setTimeout(0)
 
-// ── connection tracking ──
+    let dbName = 'postgres'
+    let isReplicationConnection = false
 
-// per-database active connection count. pglite is single-session so all
-// connections share one transaction context. we skip ROLLBACK on close when
-// other connections are still active to avoid killing their transactions.
-const activeConns: Record<string, number> = {}
-let connCounter = 0
+    // clean up pglite transaction state when a client disconnects
+    socket.on('close', async () => {
+      const { db, mutex } = getDbContext(dbName)
+      await mutex.acquire()
+      try {
+        await db.exec('ROLLBACK')
+      } catch {
+        // no transaction to rollback
+      } finally {
+        mutex.release()
+      }
+    })
 
-// ── message loop ──
+    try {
+      const connection = await fromNodeSocket(socket, {
+        serverVersion: '16.4',
+        auth: {
+          method: 'password',
+          getClearTextPassword() {
+            return config.pgPassword
+          },
+          validateCredentials(credentials: {
+            username: string
+            password: string
+            clearTextPassword: string
+          }) {
+            return (
+              credentials.password === credentials.clearTextPassword &&
+              credentials.username === config.pgUser
+            )
+          },
+        },
+
+        // send ParameterStatus messages that standard postgres tools expect
+        // pg-gateway sends server_version via the serverVersion option above,
+        // but tools like pg_restore also need encoding, datestyle, etc.
+        onAuthenticated() {
+          for (const [name, value] of SERVER_PARAMS) {
+            socket.write(buildParameterStatus(name, value))
+          }
+        },
 
-// process messages from a connected, authenticated client.
-// uses callback-based 'data' events instead of async iterators
-// for reliable behavior across runtimes (node.js, bun).
-function messageLoop(
-  socket: Socket,
-  db: PGlite,
-  mutex: Mutex,
-  isReplicationConnection: boolean,
-  replicationDb: PGlite,
-  replicationMutex: Mutex
-): Promise<void> {
-  return new Promise<void>((resolve, reject) => {
-    let buffer: Buffer = Buffer.alloc(0)
-    let processing = false
-
-    async function processBuffer() {
-      if (processing) return
-      processing = true
-      socket.pause()
+        async onStartup(state) {
+          const params = state.clientParams
+          if (params?.replication === 'database') {
+            isReplicationConnection = true
+          }
+          dbName = params?.database || 'postgres'
+          log.debug.proxy(
+            `connection: db=${dbName} user=${params?.user} replication=${params?.replication || 'none'}`
+          )
+          const { db } = getDbContext(dbName)
+          await db.waitReady
+        },
 
-      try {
-        while (buffer.length >= 5) {
-          const msgType = buffer[0]
-          const dv = new DataView(buffer.buffer, buffer.byteOffset, buffer.byteLength)
-          const msgLen = dv.getInt32(1)
-          const totalLen = 1 + msgLen
+        async onMessage(data, state) {
+          if (!state.isAuthenticated) return
 
-          if (buffer.length < totalLen) break // need more data
+          // handle replication connections (always go to postgres instance)
+          if (isReplicationConnection) {
+            if (data[0] === 0x51) {
+              const view = new DataView(data.buffer, data.byteOffset, data.byteLength)
+              const len = view.getInt32(1)
+              const query = new TextDecoder()
+                .decode(data.subarray(5, 1 + len - 1))
+                .replace(/\0$/, '')
+              log.debug.proxy(`repl query: ${query.slice(0, 200)}`)
+            }
+            return handleReplicationMessage(
+              data,
+              socket,
+              instances.postgres,
+              mutexes.postgres,
+              connection
+            )
+          }
 
-          // copy message out before modifying buffer
-          const message = new Uint8Array(
-            buffer.buffer.slice(buffer.byteOffset, buffer.byteOffset + totalLen)
-          )
-          buffer = buffer.subarray(totalLen)
+          // check for no-op queries
+          if (isNoopQuery(data)) {
+            if (data[0] === 0x51) {
+              return buildSetCompleteResponse()
+            } else if (data[0] === 0x50) {
+              return buildParseCompleteResponse()
+            }
+          }
 
-          // handle Terminate message
-          if (msgType === 0x58) {
-            resolve()
-            return
+          // intercept and rewrite queries
+          data = interceptQuery(data)
+
+          // message-level locking on the connection's pglite instance
+          const { db, mutex } = getDbContext(dbName)
+          await mutex.acquire()
+
+          let result: Uint8Array
+          try {
+            result = await db.execProtocolRaw(data, {
+              throwOnError: false,
+            })
+          } catch (err) {
+            mutex.release()
+            throw err
           }
 
-          // handle replication connections
-          if (isReplicationConnection) {
-            await handleReplicationMsg(message, socket, replicationDb, replicationMutex)
-            continue
+          // strip ReadyForQuery from non-Sync/non-SimpleQuery responses
+          if (data[0] !== 0x53 && data[0] !== 0x51) {
+            result = stripReadyForQuery(result)
           }
 
-          // handle regular messages
-          await handleRegularMessage(message, socket, db, mutex)
-        }
-      } catch (err) {
-        reject(err)
-        return
+          mutex.release()
+          return result
+        },
+      })
+    } catch (err) {
+      if (!socket.destroyed) {
+        socket.destroy()
       }
-
-      processing = false
-      socket.resume()
     }
+  })
 
-    socket.on('data', (chunk: Buffer) => {
-      buffer = buffer.length > 0 ? Buffer.concat([buffer, chunk]) : chunk
-      processBuffer()
+  return new Promise((resolve, reject) => {
+    server.listen(config.pgPort, '127.0.0.1', () => {
+      log.debug.proxy(`listening on port ${config.pgPort}`)
+      resolve(server)
     })
-
-    socket.on('end', () => resolve())
-    socket.on('error', (err) => reject(err))
-    socket.on('close', () => resolve())
-
-    socket.resume()
+    server.on('error', reject)
   })
 }
 
-async function handleRegularMessage(
-  data: Uint8Array,
-  socket: Socket,
-  db: PGlite,
-  mutex: Mutex
-): Promise<void> {
-  // check for no-op queries
-  if (isNoopQuery(data)) {
-    if (data[0] === 0x51) {
-      await socketWrite(socket, buildSetCompleteResponse())
-      return
-    } else if (data[0] === 0x50) {
-      await socketWrite(socket, buildParseCompleteResponse())
-      return
-    }
-  }
-
-  // intercept and rewrite queries
-  data = interceptQuery(data)
-
-  // serialize pglite access
-  await mutex.acquire()
-  let result: Uint8Array
-  try {
-    result = await db.execProtocolRaw(data, { throwOnError: false })
-  } catch (err: any) {
-    mutex.release()
-    // send error response instead of killing the connection — PGlite internal
-    // errors shouldn't terminate the client's tcp session
-    log.debug.proxy(`execProtocolRaw error: ${err?.message || err}`)
-    const errMsg = err?.message || 'internal error'
-    const errResp = buildErrorResponse(errMsg)
-    const rfq = buildReadyForQuery(0x45) // 'E' = failed transaction
-    const combined = new Uint8Array(errResp.length + rfq.length)
-    combined.set(errResp, 0)
-    combined.set(rfq, errResp.length)
-    await socketWrite(socket, combined)
-    return
-  }
-
-  // strip ReadyForQuery from non-Sync/non-SimpleQuery responses
-  if (data[0] !== 0x53 && data[0] !== 0x51) {
-    result = stripReadyForQuery(result)
-  }
-
-  mutex.release()
-
-  // write response directly to socket
-  await socketWrite(socket, result)
-}
-
-async function handleReplicationMsg(
+async function handleReplicationMessage(
   data: Uint8Array,
   socket: Socket,
   db: PGlite,
-  mutex: Mutex
-): Promise<void> {
-  if (data[0] !== 0x51) return
+  mutex: Mutex,
+  connection: Awaited<ReturnType<typeof fromNodeSocket>>
+): Promise<Uint8Array | undefined> {
+  if (data[0] !== 0x51) return undefined
 
   const view = new DataView(data.buffer, data.byteOffset, data.byteLength)
   const len = view.getInt32(1)
   const query = new TextDecoder().decode(data.subarray(5, 1 + len - 1)).replace(/\0$/, '')
   const upper = query.trim().toUpperCase()
 
-  log.debug.proxy(`repl query: ${query.slice(0, 200)}`)
-
+  // check if this is a START_REPLICATION command
   if (upper.startsWith('START_REPLICATION')) {
+    await connection.detach()
+
     const writer = {
       write(chunk: Uint8Array) {
         if (!socket.destroyed) {
@@ -623,143 +473,31 @@ async function handleReplicationMsg(
 
     // drain incoming standby status updates
     socket.on('data', (_chunk: Buffer) => {})
-    socket.on('close', () => socket.destroy())
 
-    // this runs indefinitely until the socket closes
-    await handleStartReplication(query, writer, db, mutex).catch((err) => {
+    socket.on('close', () => {
+      socket.destroy()
+    })
+
+    handleStartReplication(query, writer, db, mutex).catch((err) => {
       log.debug.proxy(`replication stream ended: ${err}`)
     })
-    return
+    return undefined
   }
 
-  // handle replication queries + fallthrough to pglite
+  // handle replication queries + fallthrough to pglite, all under mutex
   await mutex.acquire()
   try {
     const response = await handleReplicationQuery(query, db)
-    if (response) {
-      await socketWrite(socket, response)
-      return
-    }
+    if (response) return response
 
     // apply query rewrites before forwarding
     data = interceptQuery(data)
 
-    const result = await db.execProtocolRaw(data, { throwOnError: false })
-    await socketWrite(socket, result)
+    // fall through to pglite for unrecognized queries
+    return await db.execProtocolRaw(data, {
+      throwOnError: false,
+    })
   } finally {
     mutex.release()
   }
 }
-
-// ── main entry point ──
-
-export async function startPgProxy(
-  dbInput: PGlite | PGliteInstances,
-  config: ZeroLiteConfig
-): Promise<Server> {
-  // normalize input: single PGlite instance = use it for all databases (backwards compat for tests)
-  const instances: PGliteInstances =
-    'postgres' in dbInput
-      ? (dbInput as PGliteInstances)
-      : { postgres: dbInput as PGlite, cvr: dbInput as PGlite, cdb: dbInput as PGlite }
-
-  // per-instance mutexes for serializing pglite access
-  const mutexes = {
-    postgres: new Mutex(),
-    cvr: new Mutex(),
-    cdb: new Mutex(),
-  }
-  function getDbContext(dbName: string): { db: PGlite; mutex: Mutex } {
-    if (dbName === 'zero_cvr') return { db: instances.cvr, mutex: mutexes.cvr }
-    if (dbName === 'zero_cdb') return { db: instances.cdb, mutex: mutexes.cdb }
-    return { db: instances.postgres, mutex: mutexes.postgres }
-  }
-
-  const server = createServer(async (socket: Socket) => {
-    socket.setKeepAlive(true, 30000)
-    socket.setTimeout(0)
-    socket.setNoDelay(true)
-
-    let dbName = 'postgres'
-    let isReplicationConnection = false
-    const connId = ++connCounter
-
-    try {
-      // perform startup handshake
-      const { params } = await performHandshake(socket, config)
-
-      dbName = params.database || 'postgres'
-      isReplicationConnection = params.replication === 'database'
-
-      // track active connections per database
-      activeConns[dbName] = (activeConns[dbName] || 0) + 1
-
-      console.info(`[orez-proxy#${connId}] connect db=${dbName} repl=${params.replication || 'none'}`)
-
-      const { db } = getDbContext(dbName)
-      await db.waitReady
-
-      // clean up pglite session state when client disconnects.
-      // pglite is single-session — all connections share one session.
-      // only ROLLBACK + reset when this is the LAST connection for this db,
-      // to avoid killing another connection's active transaction.
-      socket.on('close', async () => {
-        activeConns[dbName] = Math.max(0, (activeConns[dbName] || 1) - 1)
-        const remaining = activeConns[dbName]
-        const shouldRollback = remaining === 0
-
-        console.info(
-          `[orez-proxy#${connId}] close [${dbName}] (remaining=${remaining}, shouldRollback=${shouldRollback})`
-        )
-
-        if (!shouldRollback) return
-
-        const { db: closeDb, mutex: closeMutex } = getDbContext(dbName)
-        await closeMutex.acquire()
-        try {
-          await closeDb.exec('ROLLBACK')
-        } catch {
-          // no transaction to rollback
-        }
-        try {
-          await closeDb.exec(`SET search_path TO public`)
-          await closeDb.exec(`RESET statement_timeout`)
-          await closeDb.exec(`RESET lock_timeout`)
-          await closeDb.exec(`RESET idle_in_transaction_session_timeout`)
-        } catch {
-          // best-effort reset
-        } finally {
-          closeMutex.release()
-        }
-      })
-
-      // enter message processing loop
-      const { db: msgDb, mutex: msgMutex } = getDbContext(dbName)
-      await messageLoop(
-        socket,
-        msgDb,
-        msgMutex,
-        isReplicationConnection,
-        instances.postgres,
-        mutexes.postgres
-      )
-    } catch (err: any) {
-      const msg = err?.message || err
-      // suppress expected errors (client disconnected, auth failures)
-      if (msg !== 'auth failed' && msg !== 'socket closed') {
-        log.debug.proxy(`connection error: ${msg}`)
-      }
-      if (!socket.destroyed) {
-        socket.destroy()
-      }
-    }
-  })
-
-  return new Promise((resolve, reject) => {
-    server.listen(config.pgPort, '127.0.0.1', () => {
-      log.debug.proxy(`listening on port ${config.pgPort}`)
-      resolve(server)
-    })
-    server.on('error', reject)
-  })
-}