orez 0.2.12 → 0.2.13

package/src/pg-proxy-browser.ts

@@ -245,6 +245,41 @@ function extractParseQuery(data: Uint8Array): string | null {
   return textDecoder.decode(data.subarray(queryStart, offset))
 }
 
+// parse postgres ErrorResponse fields. expects `data` to be the full
+// ErrorResponse message (including type byte and length).
+// returns { code, message } extracted from 'C' and 'M' fields.
+function parseErrorFields(
+  data: Uint8Array,
+  start: number,
+  length: number
+): {
+  code: string
+  message: string
+  severity: string
+} {
+  let code = ''
+  let message = ''
+  let severity = ''
+  // body starts after the 1-byte type + 4-byte length
+  let pos = start + 5
+  const end = start + 1 + length
+  while (pos < end) {
+    const fieldType = data[pos]
+    if (fieldType === 0) break
+    pos++
+    const strStart = pos
+    while (pos < end && data[pos] !== 0) pos++
+    const value = textDecoder.decode(data.subarray(strStart, pos))
+    pos++
+    if (fieldType === 0x43)
+      code = value // 'C' SQLSTATE
+    else if (fieldType === 0x4d)
+      message = value // 'M' message
+    else if (fieldType === 0x53) severity = value // 'S' severity
+  }
+  return { code, message, severity }
+}
+
 /**
  * rebuild a Parse message with a modified query string.
  */
@@ -704,14 +739,50 @@ function messagePortToDuplex(port: MessagePort): {
   return { duplex: { readable, writable }, rawWrite }
 }
 
+/**
+ * wire-protocol database name. anything not matching `zero_cvr` / `zero_cdb`
+ * routes to postgres (see `getDbContext`).
+ */
+export type BrowserProxyDbName = 'postgres' | 'zero_cvr' | 'zero_cdb'
+
 export interface BrowserProxy {
   handleConnection(port: MessagePort): void
   close(): void
+  /**
+   * mutex-coordinated query for out-of-band JSON callers (e.g. soot's
+   * project-server / main-thread SAB JSON channels). takes the same per-db
+   * mutex the wire-protocol path uses and rescues a stale aborted txn before
+   * running. critical in singleDb mode where wire-protocol roles share a
+   * single PGlite session with these external callers — without going through
+   * here, an external query can land on an `E`-state session left by a
+   * different role and fail with "current transaction is aborted".
+   */
+  query(
+    dbName: BrowserProxyDbName,
+    sql: string,
+    params?: unknown[]
+  ): Promise<{ rows: unknown[]; affectedRows?: number }>
+  exec(dbName: BrowserProxyDbName, sql: string): Promise<Array<{ affectedRows: number }>>
 }
 
 export async function createBrowserProxy(
   dbInput: PGlite | PGliteInstances,
-  config: { pgPassword: string; pgUser: string; pgPort?: number; logLevel?: string }
+  config: {
+    pgPassword: string
+    pgUser: string
+    pgPort?: number
+    logLevel?: string
+    /**
+     * declares that postgres/cvr/cdb are all backed by the same underlying
+     * PGlite, even if the references are distinct proxy wrappers. forces
+     * mutex coalescing so concurrent protocol messages cannot interleave on
+     * the shared instance (named-statement collisions, replication-slot races).
+     * defaults to autodetect via reference equality — set explicitly when the
+     * caller wraps one PGlite in three thin façades (e.g. orez-web's port
+     * proxies) that fool the reference check.
+     */
+    singleDb?: boolean
+  }
 ): Promise<BrowserProxy> {
   // normalize input: single PGlite instance = use it for all databases (backwards compat for tests)
   const instances: PGliteInstances =
@@ -727,8 +798,11 @@ export async function createBrowserProxy(
   // per-instance mutexes for serializing pglite access.
   // when all instances are the same object (single-db mode), share one mutex
   // to prevent concurrent protocol messages on the same pglite instance.
+  // explicit singleDb wins over reference equality — callers like orez-web
+  // hand us three distinct wrapper objects that all point at one PGlite.
   const sharedInstance =
-    instances.postgres === instances.cvr && instances.postgres === instances.cdb
+    config.singleDb === true ||
+    (instances.postgres === instances.cvr && instances.postgres === instances.cdb)
   const pgMutex = new Mutex()
   const mutexes = {
     postgres: pgMutex,
@@ -737,11 +811,18 @@ export async function createBrowserProxy(
   }
 
   // per-instance transaction state: tracks which connection owns the current transaction
-  // so we can auto-ROLLBACK stale aborted transactions from other connections
+  // so we can auto-ROLLBACK stale aborted transactions from other connections.
+  // shared-instance (singleDb) coalesces txState too — pglite is single-session,
+  // so an 'E' state from role A's aborted txn poisons every subsequent query
+  // unless role B can see "yes there's an aborted txn here" and ROLLBACK before
+  // its own work. without coalesce, each role's per-role txState reads idle
+  // even when pglite's actual session is in E, and the rescue at every
+  // mutex.acquire() site never fires for the foreign role.
+  const pgTxState: PgLiteTxState = { status: 0x49, owner: null }
   const txStates: Record<string, PgLiteTxState> = {
-    postgres: { status: 0x49, owner: null },
-    cvr: { status: 0x49, owner: null },
-    cdb: { status: 0x49, owner: null },
+    postgres: pgTxState,
+    cvr: sharedInstance ? pgTxState : { status: 0x49, owner: null },
+    cdb: sharedInstance ? pgTxState : { status: 0x49, owner: null },
   }
 
   // helper to get instance + mutex + tx state for a database name
@@ -943,6 +1024,9 @@ export async function createBrowserProxy(
     let pipelineMutexHeld = false
     let extWritePending = false
     let pipelineBuffer: Uint8Array[] = []
+    // remember the most recent Parse / SimpleQuery for diagnostic logging when
+    // an ErrorResponse fires. trimmed to 200 chars so we don't blow up logs.
+    let lastQueryForDiag = ''
 
     function installQueryHandler() {
       // message buffer: postgres sends multiple protocol messages in one write,
@@ -1108,11 +1192,15 @@ export async function createBrowserProxy(
             }
           }
 
-          // detect writes for replication signaling
-          if (dbName === 'postgres' && msgType === 0x50) {
-            const q = extractParseQuery(data)?.trimStart().toLowerCase()
-            if (q && /^(insert|update|delete|copy|truncate)/.test(q)) {
-              extWritePending = true
+          // detect writes for replication signaling and remember last query
+          if (msgType === 0x50) {
+            const parsed = extractParseQuery(data)
+            if (parsed) lastQueryForDiag = parsed.slice(0, 200)
+            if (dbName === 'postgres') {
+              const q = parsed?.trimStart().toLowerCase()
+              if (q && /^(insert|update|delete|copy|truncate)/.test(q)) {
+                extWritePending = true
+              }
             }
           }
 
@@ -1195,9 +1283,12 @@ export async function createBrowserProxy(
               const t = result[pos]
               const l = readInt32BE(result, pos + 1)
               if (t === 0x45) {
-                // ErrorResponse
+                const errFields = parseErrorFields(result, pos, l)
                 console.warn(
-                  `[pg-proxy-raw] ErrorResponse in Sync! db=${dbName} rfq=${rfq === 0x49 ? 'I' : rfq === 0x45 ? 'E' : rfq}`
+                  `[pg-proxy-raw] ErrorResponse in Sync! db=${dbName} rfq=${rfq === 0x49 ? 'I' : rfq === 0x45 ? 'E' : rfq} ` +
+                    `code=${errFields.code} severity=${errFields.severity} ` +
+                    `msg=${JSON.stringify(errFields.message)} ` +
+                    `query=${JSON.stringify(lastQueryForDiag)}`
                 )
               }
               pos += 1 + l
@@ -1287,19 +1378,30 @@ export async function createBrowserProxy(
     // connection closed flag
     let connClosed = false
 
-    // clean up pglite transaction state when the connection ends
+    // clean up pglite transaction state when the connection ends.
+    // CRITICAL: only ROLLBACK if THIS connection owns the current pglite
+    // transaction. pglite is single-session and the singleDb path coalesces
+    // txState across roles, so an unconditional ROLLBACK here clobbers any
+    // OTHER connection's active transaction — exactly the cross-role
+    // pollution that 2eb1873 fixed on the node side. browser cleanup was
+    // missed and showed up as "current transaction is aborted, commands
+    // ignored" when a foreign connection closed mid-someone-else's-txn.
     const cleanup = async () => {
       if (connClosed) return
       connClosed = true
       // replication connections don't own a transaction — skip ROLLBACK
       if (isReplicationConnection) return
       try {
-        const { db, mutex } = getDbContext(dbName)
+        const { db, mutex, txState } = getDbContext(dbName)
         await mutex.acquire()
         try {
-          await db.exec('ROLLBACK')
+          if (txState.owner === connId && txState.status !== 0x49) {
+            await db.exec('ROLLBACK')
+            txState.status = 0x49
+            txState.owner = null
+          }
         } catch {
-          // no transaction to rollback, or db is closed
+          // db is closed or rollback failed — ignore
         } finally {
           mutex.release()
         }
@@ -1619,12 +1721,81 @@ export async function createBrowserProxy(
     }
   }
 
+  // rescue any stale aborted txn left on the shared session before running an
+  // out-of-band JSON query. external callers don't own a transaction (each
+  // call is a single statement), so we always rescue when status is 'E' —
+  // there's no "is this mine" check like the wire path has.
+  async function rescueStaleAborted(db: PGlite, txState: PgLiteTxState) {
+    if (txState.status === 0x45) {
+      try {
+        await db.exec('ROLLBACK')
+      } catch (err) {
+        // surfaced for diagnosis only — a failing ROLLBACK still leaves us in
+        // a state where the next statement will get 25P02; that's the signal
+        // the caller needs anyway.
+        log.proxy(
+          `[pg-proxy] rescueStaleAborted: ROLLBACK failed: ${(err as Error)?.message || err}`
+        )
+      }
+      txState.status = 0x49
+      txState.owner = null
+    }
+  }
+
+  // detect writes that need replication signaling. wire path does this on
+  // postgres-bound INSERT/UPDATE/DELETE/COPY/TRUNCATE — same rule applies to
+  // out-of-band callers. without it, a project-server write via SAB JSON
+  // wouldn't wake up the replication stream until the next wire-protocol
+  // write came along.
+  function maybeSignalWriteForExternal(dbName: string, sql: string) {
+    if (dbName !== 'postgres' && dbName !== '') return
+    const head = sql.trimStart().toLowerCase()
+    if (/^(insert|update|delete|copy|truncate)/.test(head)) {
+      signalWrite()
+    }
+  }
+
+  async function externalQuery(dbName: string, sql: string, params?: unknown[]) {
+    if (closed) throw new Error('pg-proxy is closed')
+    const { db, mutex, txState } = getDbContext(dbName)
+    await mutex.acquire()
+    try {
+      await rescueStaleAborted(db, txState)
+      const result = await db.query(sql, params as Array<unknown> | undefined)
+      maybeSignalWriteForExternal(dbName, sql)
+      return {
+        rows: result.rows as unknown[],
+        affectedRows: result.affectedRows,
+      }
+    } finally {
+      mutex.release()
+    }
+  }
+
+  async function externalExec(dbName: string, sql: string) {
+    if (closed) throw new Error('pg-proxy is closed')
+    const { db, mutex, txState } = getDbContext(dbName)
+    await mutex.acquire()
+    try {
+      await rescueStaleAborted(db, txState)
+      const result = await db.exec(sql)
+      maybeSignalWriteForExternal(dbName, sql)
+      return result.map((r: { affectedRows?: number }) => ({
+        affectedRows: r.affectedRows ?? 0,
+      }))
+    } finally {
+      mutex.release()
+    }
+  }
+
   return {
     handleConnection,
     close() {
       closed = true
       signalPending = false
     },
+    query: externalQuery,
+    exec: externalExec,
   }
 }
 

package/src/pg-proxy.ts

@@ -560,8 +560,11 @@ export async function startPgProxy(
   // per-instance mutexes for serializing pglite access.
   // when all instances are the same object (single-db mode), share one mutex
   // to prevent concurrent protocol messages on the same pglite instance.
+  // explicit config.singleDb wins over reference equality — callers that wrap
+  // one PGlite in three distinct façades still need coalesced mutexes.
   const sharedInstance =
-    instances.postgres === instances.cvr && instances.postgres === instances.cdb
+    config.singleDb === true ||
+    (instances.postgres === instances.cvr && instances.postgres === instances.cdb)
   const pgMutex = new Mutex()
   const mutexes = {
     postgres: pgMutex,
@@ -570,11 +573,15 @@ export async function startPgProxy(
   }
 
   // per-instance transaction state: tracks which socket owns the current transaction
-  // so we can auto-ROLLBACK stale aborted transactions from other connections
+  // so we can auto-ROLLBACK stale aborted transactions from other connections.
+  // shared-instance (singleDb) coalesces txState — pglite is single-session,
+  // so an 'E' state from role A's aborted txn poisons every subsequent query
+  // unless role B can see the aborted state and ROLLBACK before its own work.
+  const pgTxState: PgLiteTxState = { status: 0x49, owner: null }
   const txStates: Record<string, PgLiteTxState> = {
-    postgres: { status: 0x49, owner: null },
-    cvr: { status: 0x49, owner: null },
-    cdb: { status: 0x49, owner: null },
+    postgres: pgTxState,
+    cvr: sharedInstance ? pgTxState : { status: 0x49, owner: null },
+    cdb: sharedInstance ? pgTxState : { status: 0x49, owner: null },
   }
 
   // helper to get instance + mutex + tx state for a database name

package/src/replication/handler.test.ts

@@ -4,8 +4,10 @@ import { describe, it, expect, beforeEach, afterEach } from 'vitest'
 import { Mutex } from '../mutex'
 import { installChangeTracking } from './change-tracker'
 import {
+  extractStartLsn,
   handleReplicationQuery,
   handleStartReplication,
+  lsnFromString,
   resetReplicationState,
   signalReplicationChange,
   type ReplicationWriter,
@@ -404,3 +406,71 @@ describe('InProcessWriter', () => {
     expect(rw.closed).toBe(false)
   })
 })
+
+describe('lsnFromString', () => {
+  it('parses 0/0 to 0n', () => {
+    expect(lsnFromString('0/0')).toBe(0n)
+  })
+
+  it('parses simple LSN', () => {
+    expect(lsnFromString('0/1000000')).toBe(0x1000000n)
+  })
+
+  it('combines high and low halves', () => {
+    expect(lsnFromString('1/0')).toBe(0x100000000n)
+    expect(lsnFromString('1/1')).toBe(0x100000001n)
+    expect(lsnFromString('A/B')).toBe(0xa0000000bn)
+  })
+
+  it('is case-insensitive', () => {
+    expect(lsnFromString('0/ff')).toBe(0xffn)
+    expect(lsnFromString('0/FF')).toBe(0xffn)
+  })
+
+  it('tolerates surrounding whitespace', () => {
+    expect(lsnFromString('  0/100  ')).toBe(0x100n)
+  })
+
+  it('returns null for malformed input', () => {
+    expect(lsnFromString('0')).toBeNull()
+    expect(lsnFromString('0/')).toBeNull()
+    expect(lsnFromString('/0')).toBeNull()
+    expect(lsnFromString('xyz')).toBeNull()
+    expect(lsnFromString('')).toBeNull()
+  })
+})
+
+describe('extractStartLsn', () => {
+  it('extracts from a basic START_REPLICATION query', () => {
+    expect(extractStartLsn('START_REPLICATION SLOT "zero" LOGICAL 0/01000300')).toBe(
+      0x1000300n
+    )
+  })
+
+  it('handles trailing options', () => {
+    expect(
+      extractStartLsn(
+        `START_REPLICATION SLOT "zero" LOGICAL 0/01000300 (proto_version '4', publication_names 'orez_zero_public')`
+      )
+    ).toBe(0x1000300n)
+  })
+
+  it('handles 0/0 (fresh slot)', () => {
+    expect(extractStartLsn('START_REPLICATION SLOT "zero" LOGICAL 0/0')).toBe(0n)
+  })
+
+  it('handles quoted LSN', () => {
+    expect(extractStartLsn(`START_REPLICATION SLOT "zero" LOGICAL '0/01000300'`)).toBe(
+      0x1000300n
+    )
+  })
+
+  it('is case-insensitive on the keyword', () => {
+    expect(extractStartLsn('start_replication slot "z" logical 0/abc')).toBe(0xabcn)
+  })
+
+  it('returns null when no LSN is present', () => {
+    expect(extractStartLsn('START_REPLICATION SLOT "z"')).toBeNull()
+    expect(extractStartLsn('IDENTIFY_SYSTEM')).toBeNull()
+  })
+})

package/src/replication/handler.ts

@@ -133,6 +133,30 @@ function lsnToString(lsn: bigint): string {
   return `${high.toString(16).toUpperCase()}/${low.toString(16).toUpperCase()}`
 }
 
+/**
+ * parse an LSN string like "0/01000300" into a bigint.
+ * returns null if the string doesn't match (e.g. "0/0" still parses to 0n).
+ */
+function lsnFromString(s: string): bigint | null {
+  const m = s.trim().match(/^([0-9a-f]+)\/([0-9a-f]+)$/i)
+  if (!m) return null
+  return (BigInt('0x' + m[1]) << 32n) | BigInt('0x' + m[2])
+}
+
+/**
+ * extract the client-supplied LSN from a START_REPLICATION query.
+ * format: START_REPLICATION SLOT name LOGICAL <high>/<low> [proto_version 'N', publication_names 'X']
+ * accepts optional surrounding quotes (some clients send `LOGICAL '0/0'`).
+ * returns null if no parseable LSN is found.
+ */
+export function extractStartLsn(query: string): bigint | null {
+  const m = query.match(/\bLOGICAL\s+'?([0-9a-f]+\/[0-9a-f]+)'?/i)
+  if (!m) return null
+  return lsnFromString(m[1])
+}
+
+export { lsnFromString }
+
 function nowMicros(): bigint {
   return BigInt(Date.now()) * 1000n
 }
@@ -359,6 +383,23 @@ export async function handleStartReplication(
 ): Promise<void> {
   log.debug.repl('entering streaming mode')
 
+  // honor zero-cache's resume LSN. without this, after a page reload the
+  // in-memory currentLsn / lastStreamedWatermark are reset to defaults but
+  // changeLog persists with prior LSNs — re-streaming from BIGINT 0 makes
+  // the change-streamer try to INSERT (watermark, pos) tuples that already
+  // exist, hitting `changeLog_pkey` violations and tearing down the loop.
+  // by advancing currentLsn past the client's last-seen LSN we guarantee
+  // newly-emitted batches use strictly higher LSNs, and by jumping
+  // lastStreamedWatermark to the current sequence value we skip already-
+  // streamed _zero_changes rows.
+  const clientStartLsn = extractStartLsn(query)
+  if (clientStartLsn !== null && clientStartLsn > currentLsn) {
+    log.debug.repl(
+      `advancing currentLsn ${lsnToString(currentLsn)} → ${lsnToString(clientStartLsn)} from client START_REPLICATION`
+    )
+    currentLsn = clientStartLsn
+  }
+
   // send CopyBothResponse to enter streaming mode
   const copyBoth = new Uint8Array(1 + 4 + 1 + 2)
   copyBoth[0] = 0x57 // 'W' CopyBothResponse
@@ -368,7 +409,29 @@ export async function handleStartReplication(
   writer.write(copyBoth)
 
   // resume from where the previous handler left off to avoid
-  // replaying already-streamed changes after reconnect
+  // replaying already-streamed changes after reconnect.
+  // when client supplied a NON-ZERO LSN (i.e. this is a reconnect to an
+  // existing slot with prior progress), also bump lastStreamedWatermark to
+  // the current sequence value — anything before that has already been
+  // written to changeLog, so re-streaming would just produce duplicate-key
+  // errors. `0/0` indicates "fresh slot" and must NOT trigger this jump,
+  // otherwise we'd skip rows that legitimately need to be streamed for the
+  // initial sync.
+  if (clientStartLsn !== null && clientStartLsn > 0n) {
+    try {
+      const currentWm = await getCurrentWatermark(db)
+      if (currentWm > lastStreamedWatermark) {
+        log.debug.repl(
+          `advancing lastStreamedWatermark ${lastStreamedWatermark} → ${currentWm} on reconnect`
+        )
+        lastStreamedWatermark = currentWm
+      }
+    } catch (err) {
+      log.repl(
+        `getCurrentWatermark failed on reconnect: ${(err as Error)?.message || err}`
+      )
+    }
+  }
   let lastWatermark = lastStreamedWatermark
 
   // use cached setup results on reconnect to avoid holding the mutex