orez 0.2.12 → 0.2.14

package/src/pg-proxy-browser.singledb.test.ts

@@ -0,0 +1,233 @@
+/**
+ * regression test for the explicit singleDb option in createBrowserProxy.
+ *
+ * background: orez-web (in soot) wraps a single PGlite worker in three
+ * distinct port-proxy façades (one per database role) and hands them to
+ * createBrowserProxy. before this fix, mutex coalescing relied on
+ * `instances.postgres === instances.cvr` reference equality — which fails
+ * for distinct façades, leaving 3 separate mutexes guarding a single
+ * underlying PGlite. that allows concurrent extended-protocol sequences on
+ * one shared session, racing named-statement slots and replication state.
+ *
+ * the explicit `config.singleDb` option forces mutex coalescing regardless
+ * of object identity. this test pins that contract: with singleDb=true and
+ * three distinct façades over one PGlite, concurrent calls must serialize.
+ */
+
+import { PGlite } from '@electric-sql/pglite'
+import postgres from 'postgres'
+import { afterAll, beforeAll, describe, expect, test } from 'vitest'
+
+import { createBrowserProxy } from './pg-proxy-browser.js'
+import { createSocketFactory } from './worker/shims/postgres-socket.js'
+
+import type { PGliteInstances } from './pglite-manager.js'
+
+/**
+ * thin façade that re-exposes a PGlite's surface as a *distinct* object
+ * reference. simulates what orez-web does (it wraps the same underlying
+ * PGlite worker in three port-proxy objects, one per database role).
+ */
+function makeFacade(real: PGlite, label: string) {
+  const facade: any = {
+    _label: label,
+    closed: false,
+    ready: true,
+    get waitReady() {
+      return real.waitReady
+    },
+    query: (sql: string, params?: any[]) => real.query(sql, params as any),
+    exec: (sql: string) => real.exec(sql),
+    execProtocolRaw: (data: Uint8Array, options?: any) =>
+      real.execProtocolRaw(data, options),
+    listen: () => Promise.resolve(async () => {}),
+    close: () => Promise.resolve(),
+  }
+  return facade as PGlite
+}
+
+function createSql(
+  proxy: ReturnType<typeof createBrowserProxy> extends Promise<infer T> ? T : never
+) {
+  return postgres({
+    socket: createSocketFactory((port) => proxy.handleConnection(port)),
+    database: 'postgres',
+    username: 'u',
+    password: '',
+    host: '127.0.0.1',
+    port: 0,
+    ssl: false,
+    max: 1,
+    no_subscribe: true,
+  } as any)
+}
+
+function deferred<T>() {
+  let resolve!: (value: T | PromiseLike<T>) => void
+  let reject!: (reason?: unknown) => void
+  const promise = new Promise<T>((res, rej) => {
+    resolve = res
+    reject = rej
+  })
+  return { promise, resolve, reject }
+}
+
+describe('createBrowserProxy singleDb mutex coalescing', () => {
+  let pg: PGlite
+
+  beforeAll(async () => {
+    pg = new PGlite()
+    await pg.waitReady
+  }, 30_000)
+
+  afterAll(async () => {
+    await pg.close().catch(() => {})
+  })
+
+  test('reference equality on the same PGlite still coalesces (legacy path)', async () => {
+    const instances: PGliteInstances = {
+      postgres: pg,
+      cvr: pg,
+      cdb: pg,
+      postgresReplicas: [],
+    }
+    const proxy = await createBrowserProxy(instances, { pgPassword: '', pgUser: 'u' })
+    // smoke: it constructs without error. proper concurrency proof requires
+    // pg-wire client; covered by integration tests. this guards the legacy path.
+    expect(proxy).toBeTruthy()
+    proxy.close()
+  })
+
+  test('distinct façades + singleDb=true coalesces; without flag they would split', async () => {
+    const facadePg = makeFacade(pg, 'postgres')
+    const facadeCvr = makeFacade(pg, 'cvr')
+    const facadeCdb = makeFacade(pg, 'cdb')
+
+    // sanity: the three façades are distinct refs (would defeat reference equality)
+    expect(facadePg).not.toBe(facadeCvr)
+    expect(facadePg).not.toBe(facadeCdb)
+    expect(facadeCvr).not.toBe(facadeCdb)
+
+    const instances: PGliteInstances = {
+      postgres: facadePg,
+      cvr: facadeCvr,
+      cdb: facadeCdb,
+      postgresReplicas: [],
+    }
+
+    // explicit singleDb=true should still build a working proxy.
+    const proxy = await createBrowserProxy(instances, {
+      pgPassword: '',
+      pgUser: 'u',
+      singleDb: true,
+    })
+    expect(proxy).toBeTruthy()
+    proxy.close()
+  })
+
+  test('coordinated query/exec runs through the same per-db mutex', async () => {
+    // proxy.query / proxy.exec exist so out-of-band JSON callers (soot's
+    // project-server / main-thread SAB JSON channels) go through the same
+    // mutex + txState the wire-protocol path uses. this test pins that the
+    // API works end-to-end against a shared-PGlite façade setup; the actual
+    // 'E'-rescue behaviour is exercised by the soot integration suite where
+    // a wire-protocol abort populates txState first.
+    const facadePg = makeFacade(pg, 'postgres')
+    const facadeCvr = makeFacade(pg, 'cvr')
+    const facadeCdb = makeFacade(pg, 'cdb')
+    const proxy = await createBrowserProxy(
+      {
+        postgres: facadePg,
+        cvr: facadeCvr,
+        cdb: facadeCdb,
+        postgresReplicas: [],
+      },
+      { pgPassword: '', pgUser: 'u', singleDb: true }
+    )
+
+    const r1 = await proxy.query('postgres', 'SELECT 1 AS ok')
+    expect(r1.rows).toEqual([{ ok: 1 }])
+
+    const r2 = await proxy.exec(
+      'postgres',
+      'CREATE TABLE IF NOT EXISTS rescue_test (id int)'
+    )
+    expect(Array.isArray(r2)).toBe(true)
+
+    proxy.close()
+  })
+
+  test('singleDb waits for the owning transaction before serving another client', async () => {
+    await pg.exec(`
+      DROP TABLE IF EXISTS singledb_tx_owner;
+      CREATE TABLE singledb_tx_owner (id int);
+    `)
+    const facadePg = makeFacade(pg, 'postgres')
+    const facadeCvr = makeFacade(pg, 'cvr')
+    const facadeCdb = makeFacade(pg, 'cdb')
+    const proxy = await createBrowserProxy(
+      {
+        postgres: facadePg,
+        cvr: facadeCvr,
+        cdb: facadeCdb,
+        postgresReplicas: [],
+      },
+      { pgPassword: '', pgUser: 'u', singleDb: true }
+    )
+    const sql1 = createSql(proxy)
+    const sql2 = createSql(proxy)
+    const releaseTx = deferred<void>()
+    const txStarted = deferred<void>()
+
+    const tx = sql1.begin(async (sql) => {
+      await sql`INSERT INTO singledb_tx_owner VALUES (1)`
+      txStarted.resolve()
+      await releaseTx.promise
+    })
+    await txStarted.promise
+
+    let readCompleted = false
+    const read = sql2`SELECT count(*)::int AS count FROM singledb_tx_owner`.then(
+      (rows) => {
+        readCompleted = true
+        return rows[0]?.count
+      }
+    )
+    await new Promise((resolve) => setTimeout(resolve, 25))
+    expect(readCompleted).toBe(false)
+
+    releaseTx.resolve()
+    await tx
+    await expect(read).resolves.toBe(1)
+
+    await sql1.end({ timeout: 1 }).catch(() => {})
+    await sql2.end({ timeout: 1 }).catch(() => {})
+    proxy.close()
+  }, 10_000)
+
+  test('explicit singleDb=false on distinct façades preserves split mutexes', async () => {
+    // negative case: when caller doesn't opt in and refs are distinct, the
+    // legacy reference-equality heuristic gives separate mutexes (the bug we
+    // shipped around). this test pins the contract that singleDb is opt-in,
+    // so adding it later cannot quietly break consumers that rely on split
+    // mutexes for their three real PGlite instances.
+    const facadePg = makeFacade(pg, 'postgres')
+    const facadeCvr = makeFacade(pg, 'cvr')
+    const facadeCdb = makeFacade(pg, 'cdb')
+
+    const instances: PGliteInstances = {
+      postgres: facadePg,
+      cvr: facadeCvr,
+      cdb: facadeCdb,
+      postgresReplicas: [],
+    }
+
+    const proxy = await createBrowserProxy(instances, {
+      pgPassword: '',
+      pgUser: 'u',
+      // singleDb omitted — defaults to false
+    })
+    expect(proxy).toBeTruthy()
+    proxy.close()
+  })
+})

package/src/pg-proxy-browser.ts

@@ -245,6 +245,41 @@ function extractParseQuery(data: Uint8Array): string | null {
   return textDecoder.decode(data.subarray(queryStart, offset))
 }
 
+// parse postgres ErrorResponse fields. expects `data` to be the full
+// ErrorResponse message (including type byte and length).
+// returns { code, message } extracted from 'C' and 'M' fields.
+function parseErrorFields(
+  data: Uint8Array,
+  start: number,
+  length: number
+): {
+  code: string
+  message: string
+  severity: string
+} {
+  let code = ''
+  let message = ''
+  let severity = ''
+  // body starts after the 1-byte type + 4-byte length
+  let pos = start + 5
+  const end = start + 1 + length
+  while (pos < end) {
+    const fieldType = data[pos]
+    if (fieldType === 0) break
+    pos++
+    const strStart = pos
+    while (pos < end && data[pos] !== 0) pos++
+    const value = textDecoder.decode(data.subarray(strStart, pos))
+    pos++
+    if (fieldType === 0x43)
+      code = value // 'C' SQLSTATE
+    else if (fieldType === 0x4d)
+      message = value // 'M' message
+    else if (fieldType === 0x53) severity = value // 'S' severity
+  }
+  return { code, message, severity }
+}
+
 /**
  * rebuild a Parse message with a modified query string.
  */
@@ -704,14 +739,50 @@ function messagePortToDuplex(port: MessagePort): {
   return { duplex: { readable, writable }, rawWrite }
 }
 
+/**
+ * wire-protocol database name. anything not matching `zero_cvr` / `zero_cdb`
+ * routes to postgres (see `getDbContext`).
+ */
+export type BrowserProxyDbName = 'postgres' | 'zero_cvr' | 'zero_cdb'
+
 export interface BrowserProxy {
   handleConnection(port: MessagePort): void
   close(): void
+  /**
+   * mutex-coordinated query for out-of-band JSON callers (e.g. soot's
+   * project-server / main-thread SAB JSON channels). takes the same per-db
+   * mutex the wire-protocol path uses and rescues a stale aborted txn before
+   * running. critical in singleDb mode where wire-protocol roles share a
+   * single PGlite session with these external callers — without going through
+   * here, an external query can land on an `E`-state session left by a
+   * different role and fail with "current transaction is aborted".
+   */
+  query(
+    dbName: BrowserProxyDbName,
+    sql: string,
+    params?: unknown[]
+  ): Promise<{ rows: unknown[]; affectedRows?: number }>
+  exec(dbName: BrowserProxyDbName, sql: string): Promise<Array<{ affectedRows: number }>>
 }
 
 export async function createBrowserProxy(
   dbInput: PGlite | PGliteInstances,
-  config: { pgPassword: string; pgUser: string; pgPort?: number; logLevel?: string }
+  config: {
+    pgPassword: string
+    pgUser: string
+    pgPort?: number
+    logLevel?: string
+    /**
+     * declares that postgres/cvr/cdb are all backed by the same underlying
+     * PGlite, even if the references are distinct proxy wrappers. forces
+     * mutex coalescing so concurrent protocol messages cannot interleave on
+     * the shared instance (named-statement collisions, replication-slot races).
+     * defaults to autodetect via reference equality — set explicitly when the
+     * caller wraps one PGlite in three thin façades (e.g. orez-web's port
+     * proxies) that fool the reference check.
+     */
+    singleDb?: boolean
+  }
 ): Promise<BrowserProxy> {
   // normalize input: single PGlite instance = use it for all databases (backwards compat for tests)
   const instances: PGliteInstances =
@@ -727,8 +798,11 @@ export async function createBrowserProxy(
   // per-instance mutexes for serializing pglite access.
   // when all instances are the same object (single-db mode), share one mutex
   // to prevent concurrent protocol messages on the same pglite instance.
+  // explicit singleDb wins over reference equality — callers like orez-web
+  // hand us three distinct wrapper objects that all point at one PGlite.
   const sharedInstance =
-    instances.postgres === instances.cvr && instances.postgres === instances.cdb
+    config.singleDb === true ||
+    (instances.postgres === instances.cvr && instances.postgres === instances.cdb)
   const pgMutex = new Mutex()
   const mutexes = {
     postgres: pgMutex,
@@ -737,11 +811,18 @@ export async function createBrowserProxy(
   }
 
   // per-instance transaction state: tracks which connection owns the current transaction
-  // so we can auto-ROLLBACK stale aborted transactions from other connections
+  // so we can auto-ROLLBACK stale aborted transactions from other connections.
+  // shared-instance (singleDb) coalesces txState too — pglite is single-session,
+  // so an 'E' state from role A's aborted txn poisons every subsequent query
+  // unless role B can see "yes there's an aborted txn here" and ROLLBACK before
+  // its own work. without coalesce, each role's per-role txState reads idle
+  // even when pglite's actual session is in E, and the rescue at every
+  // mutex.acquire() site never fires for the foreign role.
+  const pgTxState: PgLiteTxState = { status: 0x49, owner: null }
   const txStates: Record<string, PgLiteTxState> = {
-    postgres: { status: 0x49, owner: null },
-    cvr: { status: 0x49, owner: null },
-    cdb: { status: 0x49, owner: null },
+    postgres: pgTxState,
+    cvr: sharedInstance ? pgTxState : { status: 0x49, owner: null },
+    cdb: sharedInstance ? pgTxState : { status: 0x49, owner: null },
   }
 
   // helper to get instance + mutex + tx state for a database name
@@ -757,6 +838,63 @@ export async function createBrowserProxy(
     return { db: instances.postgres, mutex: mutexes.postgres, txState: txStates.postgres }
   }
 
+  const waitOneTurn = () => new Promise<void>((resolve) => setTimeout(resolve, 0))
+
+  async function acquireForOwner(
+    db: PGlite,
+    mutex: Mutex,
+    txState: PgLiteTxState,
+    owner: object | null
+  ) {
+    while (true) {
+      await mutex.acquire()
+      const ownsCurrentTransaction = owner !== null && txState.owner === owner
+      if (txState.status === 0x54 && !ownsCurrentTransaction) {
+        mutex.release()
+        await waitOneTurn()
+        continue
+      }
+      if (txState.status === 0x45 && !ownsCurrentTransaction) {
+        try {
+          await db.exec('ROLLBACK')
+        } catch {}
+        txState.status = 0x49
+        txState.owner = null
+      }
+      return
+    }
+  }
+
+  function tryAcquireForOwner(
+    mutex: Mutex,
+    txState: PgLiteTxState,
+    owner: object | null
+  ) {
+    if (!mutex.tryAcquire()) return false
+    const ownsCurrentTransaction = owner !== null && txState.owner === owner
+    if ((txState.status === 0x54 || txState.status === 0x45) && !ownsCurrentTransaction) {
+      mutex.release()
+      return false
+    }
+    return true
+  }
+
+  function transactionAwareMutex(
+    db: PGlite,
+    mutex: Mutex,
+    txState: PgLiteTxState,
+    owner: object | null
+  ): Mutex {
+    return {
+      get isLocked() {
+        return mutex.isLocked
+      },
+      acquire: () => acquireForOwner(db, mutex, txState, owner),
+      tryAcquire: () => tryAcquireForOwner(mutex, txState, owner),
+      release: () => mutex.release(),
+    } as Mutex
+  }
+
   // signal replication handler after extended protocol writes complete.
   // 8ms leading-edge debounce: fires exactly 8ms after the FIRST write,
   // subsequent writes within that window are batched (handler polls all
@@ -943,6 +1081,9 @@ export async function createBrowserProxy(
     let pipelineMutexHeld = false
     let extWritePending = false
     let pipelineBuffer: Uint8Array[] = []
+    // remember the most recent Parse / SimpleQuery for diagnostic logging when
+    // an ErrorResponse fires. trimmed to 200 chars so we don't blow up logs.
+    let lastQueryForDiag = ''
 
     function installQueryHandler() {
       // message buffer: postgres sends multiple protocol messages in one write,
@@ -1038,12 +1179,17 @@ export async function createBrowserProxy(
               port.close()
             }
             port.onmessage = () => {}
-            handleStartReplication(query, writer, db, mutex).catch(() => {})
+            handleStartReplication(
+              query,
+              writer,
+              db,
+              transactionAwareMutex(db, mutex, txState, null)
+            ).catch(() => {})
             return
           }
 
           // replication queries (IDENTIFY_SYSTEM, CREATE/DROP SLOT)
-          await mutex.acquire()
+          await acquireForOwner(db, mutex, txState, null)
           try {
             const response = await handleReplicationQuery(query, db)
             if (response) {
@@ -1095,24 +1241,20 @@ export async function createBrowserProxy(
 
         if (isExtendedMsg || isSyncInPipeline) {
           if (!pipelineMutexHeld) {
-            await mutex.acquire()
+            await acquireForOwner(db, mutex, txState, connId)
             pipelineMutexHeld = true
             pipelineBuffer = []
-            // auto-rollback stale transactions
-            if (txState.status === 0x45 && txState.owner !== connId) {
-              try {
-                await db.exec('ROLLBACK')
-              } catch {}
-              txState.status = 0x49
-              txState.owner = null
-            }
           }
 
-          // detect writes for replication signaling
-          if (dbName === 'postgres' && msgType === 0x50) {
-            const q = extractParseQuery(data)?.trimStart().toLowerCase()
-            if (q && /^(insert|update|delete|copy|truncate)/.test(q)) {
-              extWritePending = true
+          // detect writes for replication signaling and remember last query
+          if (msgType === 0x50) {
+            const parsed = extractParseQuery(data)
+            if (parsed) lastQueryForDiag = parsed.slice(0, 200)
+            if (dbName === 'postgres') {
+              const q = parsed?.trimStart().toLowerCase()
+              if (q && /^(insert|update|delete|copy|truncate)/.test(q)) {
+                extWritePending = true
+              }
             }
           }
 
@@ -1195,9 +1337,12 @@ export async function createBrowserProxy(
               const t = result[pos]
               const l = readInt32BE(result, pos + 1)
               if (t === 0x45) {
-                // ErrorResponse
+                const errFields = parseErrorFields(result, pos, l)
                 console.warn(
-                  `[pg-proxy-raw] ErrorResponse in Sync! db=${dbName} rfq=${rfq === 0x49 ? 'I' : rfq === 0x45 ? 'E' : rfq}`
+                  `[pg-proxy-raw] ErrorResponse in Sync! db=${dbName} rfq=${rfq === 0x49 ? 'I' : rfq === 0x45 ? 'E' : rfq} ` +
+                    `code=${errFields.code} severity=${errFields.severity} ` +
+                    `msg=${JSON.stringify(errFields.message)} ` +
+                    `query=${JSON.stringify(lastQueryForDiag)}`
                 )
               }
               pos += 1 + l
@@ -1231,15 +1376,8 @@ export async function createBrowserProxy(
         }
 
         data = interceptQuery(data)
-        await mutex.acquire()
+        await acquireForOwner(db, mutex, txState, connId)
         try {
-          if (txState.status === 0x45 && txState.owner !== connId) {
-            try {
-              await db.exec('ROLLBACK')
-            } catch {}
-            txState.status = 0x49
-            txState.owner = null
-          }
           let result = await db.execProtocolRaw(data, { syncToFs: false })
           const rfqStatus = getReadyForQueryStatus(result)
           if (rfqStatus !== null) {
@@ -1287,19 +1425,30 @@ export async function createBrowserProxy(
     // connection closed flag
     let connClosed = false
 
-    // clean up pglite transaction state when the connection ends
+    // clean up pglite transaction state when the connection ends.
+    // CRITICAL: only ROLLBACK if THIS connection owns the current pglite
+    // transaction. pglite is single-session and the singleDb path coalesces
+    // txState across roles, so an unconditional ROLLBACK here clobbers any
+    // OTHER connection's active transaction — exactly the cross-role
+    // pollution that 2eb1873 fixed on the node side. browser cleanup was
+    // missed and showed up as "current transaction is aborted, commands
+    // ignored" when a foreign connection closed mid-someone-else's-txn.
     const cleanup = async () => {
       if (connClosed) return
       connClosed = true
       // replication connections don't own a transaction — skip ROLLBACK
       if (isReplicationConnection) return
       try {
-        const { db, mutex } = getDbContext(dbName)
+        const { db, mutex, txState } = getDbContext(dbName)
         await mutex.acquire()
         try {
-          await db.exec('ROLLBACK')
+          if (txState.owner === connId && txState.status !== 0x49) {
+            await db.exec('ROLLBACK')
+            txState.status = 0x49
+            txState.owner = null
+          }
         } catch {
-          // no transaction to rollback, or db is closed
+          // db is closed or rollback failed — ignore
         } finally {
           mutex.release()
         }
@@ -1413,17 +1562,9 @@ export async function createBrowserProxy(
             // acquire mutex on first message of pipeline
             if (!pipelineMutexHeld) {
               const t0 = performance.now()
-              await mutex.acquire()
+              await acquireForOwner(db, mutex, txState, connId)
               proxyStats.totalWaitMs += performance.now() - t0
               pipelineMutexHeld = true
-              // auto-rollback stale transactions from other connections
-              if (txState.status === 0x45 && txState.owner !== connId) {
-                try {
-                  await db.exec('ROLLBACK')
-                } catch {}
-                txState.status = 0x49
-                txState.owner = null
-              }
             }
 
             // detect extended protocol writes for replication signaling
@@ -1527,14 +1668,7 @@ export async function createBrowserProxy(
 
           const execute = async (): Promise<Uint8Array> => {
             const t0 = performance.now()
-            await mutex.acquire()
-            if (txState.status === 0x45 && txState.owner !== connId) {
-              try {
-                await db.exec('ROLLBACK')
-              } catch {}
-              txState.status = 0x49
-              txState.owner = null
-            }
+            await acquireForOwner(db, mutex, txState, connId)
             const t1 = performance.now()
             let result: Uint8Array
             try {
@@ -1619,12 +1753,58 @@ export async function createBrowserProxy(
     }
   }
 
+  // detect writes that need replication signaling. wire path does this on
+  // postgres-bound INSERT/UPDATE/DELETE/COPY/TRUNCATE — same rule applies to
+  // out-of-band callers. without it, a project-server write via SAB JSON
+  // wouldn't wake up the replication stream until the next wire-protocol
+  // write came along.
+  function maybeSignalWriteForExternal(dbName: string, sql: string) {
+    if (dbName !== 'postgres' && dbName !== '') return
+    const head = sql.trimStart().toLowerCase()
+    if (/^(insert|update|delete|copy|truncate)/.test(head)) {
+      signalWrite()
+    }
+  }
+
+  async function externalQuery(dbName: string, sql: string, params?: unknown[]) {
+    if (closed) throw new Error('pg-proxy is closed')
+    const { db, mutex, txState } = getDbContext(dbName)
+    await acquireForOwner(db, mutex, txState, null)
+    try {
+      const result = await db.query(sql, params as Array<unknown> | undefined)
+      maybeSignalWriteForExternal(dbName, sql)
+      return {
+        rows: result.rows as unknown[],
+        affectedRows: result.affectedRows,
+      }
+    } finally {
+      mutex.release()
+    }
+  }
+
+  async function externalExec(dbName: string, sql: string) {
+    if (closed) throw new Error('pg-proxy is closed')
+    const { db, mutex, txState } = getDbContext(dbName)
+    await acquireForOwner(db, mutex, txState, null)
+    try {
+      const result = await db.exec(sql)
+      maybeSignalWriteForExternal(dbName, sql)
+      return result.map((r: { affectedRows?: number }) => ({
+        affectedRows: r.affectedRows ?? 0,
+      }))
+    } finally {
+      mutex.release()
+    }
+  }
+
   return {
     handleConnection,
     close() {
       closed = true
       signalPending = false
     },
+    query: externalQuery,
+    exec: externalExec,
   }
 }
 

package/src/pg-proxy.ts

@@ -560,8 +560,11 @@ export async function startPgProxy(
   // per-instance mutexes for serializing pglite access.
   // when all instances are the same object (single-db mode), share one mutex
   // to prevent concurrent protocol messages on the same pglite instance.
+  // explicit config.singleDb wins over reference equality — callers that wrap
+  // one PGlite in three distinct façades still need coalesced mutexes.
   const sharedInstance =
-    instances.postgres === instances.cvr && instances.postgres === instances.cdb
+    config.singleDb === true ||
+    (instances.postgres === instances.cvr && instances.postgres === instances.cdb)
   const pgMutex = new Mutex()
   const mutexes = {
     postgres: pgMutex,
@@ -570,11 +573,15 @@ export async function startPgProxy(
   }
 
   // per-instance transaction state: tracks which socket owns the current transaction
-  // so we can auto-ROLLBACK stale aborted transactions from other connections
+  // so we can auto-ROLLBACK stale aborted transactions from other connections.
+  // shared-instance (singleDb) coalesces txState — pglite is single-session,
+  // so an 'E' state from role A's aborted txn poisons every subsequent query
+  // unless role B can see the aborted state and ROLLBACK before its own work.
+  const pgTxState: PgLiteTxState = { status: 0x49, owner: null }
   const txStates: Record<string, PgLiteTxState> = {
-    postgres: { status: 0x49, owner: null },
-    cvr: { status: 0x49, owner: null },
-    cdb: { status: 0x49, owner: null },
+    postgres: pgTxState,
+    cvr: sharedInstance ? pgTxState : { status: 0x49, owner: null },
+    cdb: sharedInstance ? pgTxState : { status: 0x49, owner: null },
   }
 
   // helper to get instance + mutex + tx state for a database name