orez 0.1.6 → 0.1.7

package/src/integration/test-permissions.ts

@@ -0,0 +1,111 @@
+import type { PGlite } from '@electric-sql/pglite'
+
+type DbLike = Pick<PGlite, 'query' | 'exec'>
+
+const ALLOW_ALL_CONDITION = { type: 'and', conditions: [] as unknown[] }
+const ALLOW_ALL_POLICY = [['allow', ALLOW_ALL_CONDITION]]
+const DEFAULT_APP_ID = process.env.ZERO_APP_ID?.trim() || 'zero'
+
+export async function installAllowAllPermissions(
+  db: DbLike,
+  tables: string[]
+): Promise<void> {
+  const schemas = await findPermissionsSchemas(db)
+  if (schemas.length === 0) {
+    schemas.push(DEFAULT_APP_ID)
+  }
+
+  for (const schema of schemas) {
+    const quotedSchema = '"' + schema.replace(/"/g, '""') + '"'
+
+    // Bootstrap the same global permissions table shape zero-cache expects.
+    await db.exec(`
+    CREATE SCHEMA IF NOT EXISTS ${quotedSchema};
+
+    CREATE TABLE IF NOT EXISTS ${quotedSchema}.permissions (
+      "permissions" JSONB,
+      "hash"        TEXT,
+      "lock" BOOL PRIMARY KEY DEFAULT true CHECK (lock)
+    );
+
+    CREATE OR REPLACE FUNCTION ${quotedSchema}.set_permissions_hash()
+    RETURNS TRIGGER AS $$
+    BEGIN
+        NEW.hash = md5(NEW.permissions::text);
+        RETURN NEW;
+    END;
+    $$ LANGUAGE plpgsql;
+
+    DROP TRIGGER IF EXISTS on_set_permissions ON ${quotedSchema}.permissions;
+    CREATE TRIGGER on_set_permissions
+      BEFORE INSERT OR UPDATE ON ${quotedSchema}.permissions
+      FOR EACH ROW
+      EXECUTE FUNCTION ${quotedSchema}.set_permissions_hash();
+
+    INSERT INTO ${quotedSchema}.permissions ("permissions")
+      VALUES (NULL)
+      ON CONFLICT DO NOTHING;
+  `)
+
+    const existing = await db.query<{ permissions: unknown }>(
+      `SELECT permissions FROM ${quotedSchema}.permissions WHERE lock = true LIMIT 1`
+    )
+    const existingPermissions = parsePermissions(existing.rows[0]?.permissions)
+
+    const tablesToAdd = Object.fromEntries(
+      tables.map((table) => [
+        table,
+        {
+          row: {
+            select: ALLOW_ALL_POLICY,
+            insert: ALLOW_ALL_POLICY,
+            update: {
+              preMutation: ALLOW_ALL_POLICY,
+              postMutation: ALLOW_ALL_POLICY,
+            },
+            delete: ALLOW_ALL_POLICY,
+          },
+        },
+      ])
+    )
+
+    const permissions = {
+      ...existingPermissions,
+      tables: {
+        ...(existingPermissions.tables || {}),
+        ...tablesToAdd,
+      },
+    }
+
+    await db.query(
+      `UPDATE ${quotedSchema}.permissions SET permissions = $1 WHERE lock = true`,
+      [JSON.stringify(permissions)]
+    )
+  }
+}
+
+function parsePermissions(value: unknown): { tables?: Record<string, unknown> } {
+  if (!value) return {}
+  if (typeof value === 'string') {
+    try {
+      return JSON.parse(value)
+    } catch {
+      return {}
+    }
+  }
+  if (typeof value === 'object') return value as { tables?: Record<string, unknown> }
+  return {}
+}
+
+async function findPermissionsSchemas(db: DbLike): Promise<string[]> {
+  const result = await db.query<{ schemaname: string }>(
+    `SELECT schemaname
+     FROM pg_tables
+     WHERE tablename = 'permissions'
+       AND schemaname NOT IN ('pg_catalog', 'information_schema')
+       AND schemaname NOT LIKE 'pg_%'
+     ORDER BY CASE WHEN schemaname = $1 THEN 0 ELSE 1 END, schemaname`,
+    [DEFAULT_APP_ID]
+  )
+  return result.rows.map((r) => r.schemaname)
+}

package/src/pg-proxy.ts

@@ -57,10 +57,10 @@ const QUERY_REWRITES: Array<{ match: RegExp; replace: string }> = [
     match: /\bSET\s+TRANSACTION\s*;/gi,
     replace: ';',
   },
-  // redirect pg_replication_slots to our fake table
+  // redirect pg_replication_slots to our fake table in _orez schema
   {
     match: /\bpg_replication_slots\b/g,
-    replace: 'public._zero_replication_slots',
+    replace: '_orez._zero_replication_slots',
   },
 ]
 

package/src/replication/change-tracker.test.ts

@@ -150,7 +150,7 @@ describe('change-tracker', () => {
     try {
       await db.exec(`CREATE PUBLICATION "zero_scope"`)
       await installChangeTracking(db) // reinstall picks up publication scope
-      await db.exec(`TRUNCATE public._zero_changes`)
+      await db.exec(`TRUNCATE _orez._zero_changes`)
 
       await db.exec(`INSERT INTO public.items (name, value) VALUES ('x', 1)`)
       const changes = await getChangesSince(db, 0)

package/src/replication/change-tracker.ts

@@ -13,13 +13,16 @@ export interface ChangeRecord {
 }
 
 export async function installChangeTracking(db: PGlite): Promise<void> {
+  // use _orez schema for internal tables - survives pg_restore of public schema
+  await db.exec(`CREATE SCHEMA IF NOT EXISTS _orez`)
+
   // create changes table and watermark sequence
   await db.exec(`
-    CREATE SEQUENCE IF NOT EXISTS public._zero_watermark;
+    CREATE SEQUENCE IF NOT EXISTS _orez._zero_watermark;
 
-    CREATE TABLE IF NOT EXISTS public._zero_changes (
+    CREATE TABLE IF NOT EXISTS _orez._zero_changes (
       id BIGSERIAL PRIMARY KEY,
-      watermark BIGINT NOT NULL DEFAULT nextval('public._zero_watermark'),
+      watermark BIGINT NOT NULL DEFAULT nextval('_orez._zero_watermark'),
       table_name TEXT NOT NULL,
       op TEXT NOT NULL,
       row_data JSONB,
@@ -27,9 +30,9 @@ export async function installChangeTracking(db: PGlite): Promise<void> {
       changed_at TIMESTAMPTZ DEFAULT NOW()
     );
 
-    CREATE INDEX IF NOT EXISTS _zero_changes_watermark_idx ON public._zero_changes (watermark);
+    CREATE INDEX IF NOT EXISTS _zero_changes_watermark_idx ON _orez._zero_changes (watermark);
 
-    CREATE TABLE IF NOT EXISTS public._zero_replication_slots (
+    CREATE TABLE IF NOT EXISTS _orez._zero_replication_slots (
       slot_name TEXT PRIMARY KEY,
       restart_lsn TEXT NOT NULL DEFAULT '0/1000000',
       confirmed_flush_lsn TEXT NOT NULL DEFAULT '0/1000000',
@@ -42,7 +45,7 @@ export async function installChangeTracking(db: PGlite): Promise<void> {
     );
   `)
 
-  // create trigger function
+  // create trigger function (writes to _orez schema)
   await db.exec(`
     CREATE OR REPLACE FUNCTION public._zero_track_change() RETURNS TRIGGER AS $$
     DECLARE
@@ -50,15 +53,15 @@ export async function installChangeTracking(db: PGlite): Promise<void> {
     BEGIN
       qualified_name := TG_TABLE_SCHEMA || '.' || TG_TABLE_NAME;
       IF TG_OP = 'DELETE' THEN
-        INSERT INTO public._zero_changes (table_name, op, old_data)
+        INSERT INTO _orez._zero_changes (table_name, op, old_data)
         VALUES (qualified_name, 'DELETE', row_to_json(OLD)::jsonb);
         RETURN OLD;
       ELSIF TG_OP = 'UPDATE' THEN
-        INSERT INTO public._zero_changes (table_name, op, row_data, old_data)
+        INSERT INTO _orez._zero_changes (table_name, op, row_data, old_data)
         VALUES (qualified_name, 'UPDATE', row_to_json(NEW)::jsonb, row_to_json(OLD)::jsonb);
         RETURN NEW;
       ELSIF TG_OP = 'INSERT' THEN
-        INSERT INTO public._zero_changes (table_name, op, row_data)
+        INSERT INTO _orez._zero_changes (table_name, op, row_data)
         VALUES (qualified_name, 'INSERT', row_to_json(NEW)::jsonb);
         RETURN NEW;
       END IF;
@@ -98,7 +101,7 @@ async function installTriggersOnAllTables(db: PGlite): Promise<void> {
     const all = await db.query<{ tablename: string }>(
       `SELECT tablename FROM pg_tables
        WHERE schemaname = 'public'
-         AND tablename NOT IN ('migrations', '_zero_changes')
+         AND tablename NOT IN ('migrations')
          AND tablename NOT LIKE '_zero_%'`
     )
     tables = all.rows
@@ -208,7 +211,7 @@ export async function getChangesSince(
   limit = 1000
 ): Promise<ChangeRecord[]> {
   const result = await db.query<ChangeRecord>(
-    'SELECT * FROM public._zero_changes WHERE watermark > $1 ORDER BY watermark LIMIT $2',
+    'SELECT * FROM _orez._zero_changes WHERE watermark > $1 ORDER BY watermark LIMIT $2',
     [watermark, limit]
   )
   return result.rows
@@ -219,7 +222,7 @@ export async function purgeConsumedChanges(
   watermark: number
 ): Promise<number> {
   const result = await db.query<{ count: string }>(
-    'WITH deleted AS (DELETE FROM public._zero_changes WHERE watermark <= $1 RETURNING 1) SELECT count(*)::text AS count FROM deleted',
+    'WITH deleted AS (DELETE FROM _orez._zero_changes WHERE watermark <= $1 RETURNING 1) SELECT count(*)::text AS count FROM deleted',
     [watermark]
   )
   return Number(result.rows[0]?.count || 0)
@@ -227,7 +230,7 @@ export async function purgeConsumedChanges(
 
 export async function getCurrentWatermark(db: PGlite): Promise<number> {
   const result = await db.query<{ last_value: string; is_called: boolean }>(
-    'SELECT last_value, is_called FROM public._zero_watermark'
+    'SELECT last_value, is_called FROM _orez._zero_watermark'
   )
   const { last_value, is_called } = result.rows[0]
   if (!is_called) return 0

package/src/replication/handler.test.ts

@@ -74,7 +74,7 @@ describe('handleReplicationQuery', () => {
     expect(parsed!.values[3]).toBe('pgoutput')
 
     const slots = await db.query<{ slot_name: string }>(
-      `SELECT slot_name FROM public._zero_replication_slots WHERE slot_name = 'test_slot'`
+      `SELECT slot_name FROM _orez._zero_replication_slots WHERE slot_name = 'test_slot'`
     )
     expect(slots.rows).toHaveLength(1)
   })
@@ -87,7 +87,7 @@ describe('handleReplicationQuery', () => {
     await handleReplicationQuery('DROP_REPLICATION_SLOT "drop_me"', db)
 
     const slots = await db.query<{ count: string }>(
-      `SELECT count(*) as count FROM public._zero_replication_slots WHERE slot_name = 'drop_me'`
+      `SELECT count(*) as count FROM _orez._zero_replication_slots WHERE slot_name = 'drop_me'`
     )
     expect(Number(slots.rows[0].count)).toBe(0)
   })

package/src/replication/handler.ts

@@ -210,7 +210,7 @@ export async function handleReplicationQuery(
 
     // persist slot so pg_replication_slots queries find it
     await db.query(
-      `INSERT INTO public._zero_replication_slots (slot_name, restart_lsn, confirmed_flush_lsn)
+      `INSERT INTO _orez._zero_replication_slots (slot_name, restart_lsn, confirmed_flush_lsn)
        VALUES ($1, $2, $2)
        ON CONFLICT (slot_name) DO UPDATE SET restart_lsn = $2, confirmed_flush_lsn = $2`,
       [slotName, lsn]
@@ -226,7 +226,7 @@ export async function handleReplicationQuery(
     const match = trimmed.match(/DROP_REPLICATION_SLOT\s+(?:"([^"]+)"|'([^']+)'|(\S+))/i)
     const slotName = match?.[1] || match?.[2] || match?.[3]
     if (slotName) {
-      await db.query(`DELETE FROM public._zero_replication_slots WHERE slot_name = $1`, [
+      await db.query(`DELETE FROM _orez._zero_replication_slots WHERE slot_name = $1`, [
         slotName,
       ])
     }
@@ -612,6 +612,17 @@ async function streamChanges(
       }
     }
 
+    // zero-cache expects specific camel-cased keys in shard clients rows.
+    // Some upstream paths can surface lower-cased variants; normalize them.
+    if (schema !== 'public' && tableName === 'clients') {
+      const sample = rowData || oldData
+      if (sample) {
+        log.debug.proxy(`shard clients keys: ${Object.keys(sample).join(', ')}`)
+      }
+      rowData = normalizeShardClientsRow(rowData)
+      oldData = normalizeShardClientsRow(oldData)
+    }
+
     const row = rowData || oldData
     if (!row) continue
 
@@ -658,4 +669,21 @@ async function streamChanges(
   writer.write(wrapCopyData(commitMsg))
 }
 
+function normalizeShardClientsRow(
+  row: Record<string, unknown> | null
+): Record<string, unknown> | null {
+  if (!row) return row
+  const out: Record<string, unknown> = { ...row }
+  if (out.clientGroupID === undefined && out.clientgroupid !== undefined) {
+    out.clientGroupID = out.clientgroupid
+  }
+  if (out.clientID === undefined && out.clientid !== undefined) {
+    out.clientID = out.clientid
+  }
+  if (out.lastMutationID === undefined && out.lastmutationid !== undefined) {
+    out.lastMutationID = out.lastmutationid
+  }
+  return out
+}
+
 export { buildErrorResponse }

package/src/sqlite-mode/index.ts

@@ -12,3 +12,4 @@ export * from './types.js'
 export * from './resolve-mode.js'
 export * from './apply-mode.js'
 export * from './shim-template.js'
+export * from './native-binary.js'

package/src/sqlite-mode/native-binary.ts

@@ -0,0 +1,89 @@
+import { existsSync, readFileSync } from 'node:fs'
+import { dirname, resolve } from 'node:path'
+
+import { resolvePackage } from './resolve-mode.js'
+
+const NATIVE_BINARY_RELATIVE_PATHS = ['build/Release/better_sqlite3.node']
+
+export interface NativeBinaryCheckResult {
+  packageEntryPath: string
+  packageRoot: string
+  expectedPaths: string[]
+  existingPaths: string[]
+  found: boolean
+}
+
+function findPackageRoot(entryPath: string): string {
+  if (!entryPath) return ''
+
+  let dir = dirname(entryPath)
+  for (let i = 0; i < 12; i++) {
+    const pkgJson = resolve(dir, 'package.json')
+    if (existsSync(pkgJson)) {
+      try {
+        const pkg = JSON.parse(readFileSync(pkgJson, 'utf-8'))
+        if (pkg?.name === '@rocicorp/zero-sqlite3') {
+          return dir
+        }
+      } catch {
+        // ignore malformed package.json and continue searching upward
+      }
+    }
+
+    const parent = dirname(dir)
+    if (parent === dir) break
+    dir = parent
+  }
+
+  return ''
+}
+
+export function inspectNativeSqliteBinary(): NativeBinaryCheckResult {
+  const packageEntryPath = resolvePackage('@rocicorp/zero-sqlite3')
+  const packageRoot = findPackageRoot(packageEntryPath)
+  const expectedPaths = packageRoot
+    ? NATIVE_BINARY_RELATIVE_PATHS.map((relativePath) =>
+        resolve(packageRoot, relativePath)
+      )
+    : []
+  const existingPaths = expectedPaths.filter((filePath) => existsSync(filePath))
+
+  return {
+    packageEntryPath,
+    packageRoot,
+    expectedPaths,
+    existingPaths,
+    found: existingPaths.length > 0,
+  }
+}
+
+export function hasMissingNativeBinarySignature(message: string): boolean {
+  const text = message.toLowerCase()
+  return (
+    text.includes('better_sqlite3.node') ||
+    (text.includes('could not locate the bindings file') &&
+      text.includes('zero-sqlite3')) ||
+    (text.includes('err_dlopen_failed') && text.includes('better_sqlite3')) ||
+    (text.includes('no native build was found') && text.includes('sqlite'))
+  )
+}
+
+export function formatNativeBootstrapInstructions(
+  result: NativeBinaryCheckResult
+): string {
+  const expectedList =
+    result.expectedPaths.length > 0
+      ? result.expectedPaths.map((filePath) => `  - ${filePath}`).join('\n')
+      : '  - <unable to resolve @rocicorp/zero-sqlite3 package root>'
+
+  return [
+    'native sqlite binary is missing.',
+    `resolved package entry: ${result.packageEntryPath || '<not resolved>'}`,
+    'expected native binary path(s):',
+    expectedList,
+    'fix:',
+    '  bun i @rocicorp/zero-sqlite3',
+    '  bun run native:bootstrap',
+    'manual emergency fallback (not automated): copy a known-good better_sqlite3.node into build/Release and re-run native:bootstrap.',
+  ].join('\n')
+}