pgserve 2.0.4 → 2.0.6

package/CHANGELOG.md

@@ -4,6 +4,33 @@ All notable changes to `pgserve` are documented here. The format follows
 [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) and this project adheres
 to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## 2.0.6
+
+### Fixed
+
+- `PgserveDaemon` now runs a watchdog that forcibly closes peers stuck in
+  pre-handshake state past `PGSERVE_HANDSHAKE_DEADLINE_MS` (default
+  30000ms). Without this, a peer that connected to `control.sock` and
+  never sent the postgres StartupMessage occupied a connection slot
+  indefinitely — pgserve#45 documented the file-descriptor leak under
+  load. The watchdog runs every `handshakeSweepIntervalMs` (default
+  5000ms, bounded at 1s minimum). Stalls are logged with `acceptedAt`,
+  `ageMs`, and the peer's fingerprint.
+
+## 2.0.5
+
+### Fixed
+
+- `PostgresManager` now extends `EventEmitter` and emits `backendExited`
+  with `{ code, expected }` when the postgres child exits. `expected=true`
+  is reserved for shutdowns initiated by `stop()`; everything else is
+  treated as a fault. `PgserveDaemon` re-emits unexpected exits as
+  `backendDiedUnexpectedly`, and the daemon CLI wrapper subscribes and
+  exits non-zero so a process supervisor (`genie serve`, pm2, systemd)
+  can restart the daemon cleanly. Previously, an external SIGKILL of
+  the postgres backend left the wrapper alive in `epoll_wait` while the
+  control socket accepted connections forever — pgserve#45.
+
 ## 2.0.4
 
 ### Fixed

package/bin/postgres-server.js

@@ -83,6 +83,20 @@ async function runDaemonSubcommand(daemonArgs) {
   // `pgserve daemon` (long-running)
   const opts = parseDaemonArgs(daemonArgs);
   const daemon = new PgserveDaemon(opts);
+
+  // When the postgres backend dies on us (SIGKILL, OOM, segfault, anything
+  // other than a clean stop()), exit non-zero so a process supervisor can
+  // restart the daemon cleanly. Without this, the wrapper sat alive in
+  // epoll_wait while postgres was dead, and clients got "control.sock
+  // accepts but never replies" — pgserve#45.
+  daemon.on('backendDiedUnexpectedly', ({ code }) => {
+    console.error(
+      `pgserve daemon: postgres backend exited unexpectedly (code=${code}); ` +
+      `the wrapper is exiting so a process supervisor can restart it.`
+    );
+    process.exit(1);
+  });
+
   try {
     await daemon.start();
   } catch (err) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pgserve",
-  "version": "2.0.4",
+  "version": "2.0.6",
   "description": "Embedded PostgreSQL server with true concurrent connections - zero config, auto-provision databases",
   "main": "src/index.js",
   "type": "module",

package/src/daemon-control.js

@@ -72,6 +72,13 @@ function handleSocketOpen(socket) {
     pendingToPg: null,
     pendingToClient: null,
     fingerprint,
+    // Wall-clock timestamp when this socket was accepted. The watchdog
+    // installed by PgserveDaemon.start() forcibly closes any socket that
+    // hasn't completed its postgres handshake within
+    // PGSERVE_HANDSHAKE_DEADLINE_MS. Without this, a peer that connects
+    // and never sends the StartupMessage occupies the connection slot
+    // forever — the file-descriptor leak documented in pgserve#45.
+    acceptedAt: Date.now(),
   });
   this.connections.add(socket);
   if (fingerprint) {

package/src/daemon.js

@@ -257,6 +257,18 @@ export class PgserveDaemon extends EventEmitter {
       enablePgvector: options.enablePgvector || false,
     });
 
+    // Forward unexpected backend deaths to wrapper-level supervisors. A clean
+    // stop() sets PostgresManager._stopping=true so the event arrives with
+    // expected=true and we leave the daemon alone; an external SIGKILL / OOM
+    // / segfault arrives with expected=false and we re-emit so the wrapper
+    // can exit non-zero and let a process supervisor (genie serve, pm2,
+    // systemd) restart us cleanly. See pgserve#45.
+    this.pgManager.on('backendExited', (info) => {
+      if (!info.expected) {
+        this.emit('backendDiedUnexpectedly', info);
+      }
+    });
+
     this.server = null;
     this.tcpServers = [];
     this.connections = new Set();
@@ -278,6 +290,52 @@ export class PgserveDaemon extends EventEmitter {
     this.gcOptions = options.gcOptions || {};
 
     this.setMaxListeners(this.maxConnections + 10);
+
+    // Watchdog: forcibly close any control-socket peer that has been accepted
+    // but hasn't completed the postgres handshake within this deadline. The
+    // env override is for tests (or for operators who want a tighter bound).
+    // See pgserve#45: peers that connected and never sent a StartupMessage
+    // would pile up indefinitely in `state.handshakeComplete=false`,
+    // exhausting connection slots.
+    const envDeadline = Number.parseInt(process.env.PGSERVE_HANDSHAKE_DEADLINE_MS ?? '', 10);
+    this.handshakeDeadlineMs =
+      Number.isFinite(envDeadline) && envDeadline > 0
+        ? envDeadline
+        : (options.handshakeDeadlineMs ?? 30_000);
+    // Sweep cadence: small enough to bound the worst-case slop on top of the
+    // deadline (5s default → 30s deadline becomes "killed within 30-35s").
+    this.handshakeSweepIntervalMs = Math.max(
+      1000,
+      Math.min(this.handshakeDeadlineMs, options.handshakeSweepIntervalMs ?? 5_000),
+    );
+    this._handshakeWatchdogTimer = null;
+  }
+
+  /**
+   * Iterate accepted sockets and force-close any that have been waiting on
+   * the postgres handshake for longer than `handshakeDeadlineMs`. Exposed on
+   * the prototype so tests can drive it deterministically without waiting for
+   * the timer.
+   */
+  _sweepStuckHandshakes() {
+    const now = Date.now();
+    let closed = 0;
+    for (const socket of this.connections) {
+      const state = this.socketState.get(socket);
+      if (!state) continue;
+      if (state.handshakeComplete) continue;
+      const acceptedAt = state.acceptedAt ?? now;
+      if (now - acceptedAt < this.handshakeDeadlineMs) continue;
+      this.logger.warn?.(
+        { acceptedAt, ageMs: now - acceptedAt, deadlineMs: this.handshakeDeadlineMs, fingerprint: state.fingerprint },
+        'Closing peer stuck in pre-handshake state past deadline',
+      );
+      try { socket.end(); } catch { /* swallow */ }
+      this.connections.delete(socket);
+      this.socketState.delete(socket);
+      closed++;
+    }
+    return closed;
   }
 
   /**
@@ -461,8 +519,20 @@ export class PgserveDaemon extends EventEmitter {
       pidLockPath: this.pidLockPath,
       pgPort: this.pgManager.port,
       tcpListens: this.tcpListens,
+      handshakeDeadlineMs: this.handshakeDeadlineMs,
     }, 'pgserve daemon listening');
 
+    // Arm the handshake watchdog. unref() so the timer doesn't keep the
+    // process alive on its own — the daemon already awaits the wrapper's
+    // forever-promise.
+    this._handshakeWatchdogTimer = setInterval(
+      () => this._sweepStuckHandshakes(),
+      this.handshakeSweepIntervalMs,
+    );
+    if (typeof this._handshakeWatchdogTimer.unref === 'function') {
+      this._handshakeWatchdogTimer.unref();
+    }
+
     this.emit('listening');
     return this;
   }
@@ -476,6 +546,11 @@ export class PgserveDaemon extends EventEmitter {
 
     this.logger.info?.('Stopping pgserve daemon');
 
+    if (this._handshakeWatchdogTimer) {
+      clearInterval(this._handshakeWatchdogTimer);
+      this._handshakeWatchdogTimer = null;
+    }
+
     for (const socket of this.connections) {
       try { socket.end(); } catch { /* swallow */ }
     }

package/src/postgres.js

@@ -14,6 +14,7 @@
  */
 
 /* global fetch, Bun */
+import { EventEmitter } from 'events';
 import os from 'os';
 import path from 'path';
 import fs from 'fs';
@@ -419,8 +420,9 @@ function findAvailableTcpPort() {
   return port;
 }
 
-export class PostgresManager {
+export class PostgresManager extends EventEmitter {
   constructor(options = {}) {
+    super();
     this.dataDir = options.dataDir || null; // null = memory mode (temp dir)
     this.port = options.port ?? 5433; // Internal PG port (router listens on different port)
     this.user = options.user || 'postgres';
@@ -863,6 +865,7 @@ export class PostgresManager {
       // the exit is unexpected (external kill, crash, OOM).
       this.process.exited.then((code) => {
         processExited = true;
+        const expected = !!this._stopping;
         if (!started) {
           reject(new Error(`PostgreSQL exited with code ${code} before starting: ${startupOutput}`));
         }
@@ -870,7 +873,7 @@ export class PostgresManager {
         // On unexpected exit (not via stop()), reset cached paths so that
         // getSocketPath() returns null and callers can fall back to TCP
         // or force a fresh start().
-        if (!this._stopping) {
+        if (!expected) {
           this.socketDir = null;
           this.databaseDir = null;
           this.logger?.warn(
@@ -878,6 +881,10 @@ export class PostgresManager {
             'PostgreSQL subprocess exited unexpectedly — socketDir/databaseDir reset'
           );
         }
+        // Notify supervisors. `expected=true` means stop() initiated the exit
+        // (clean shutdown); `expected=false` means the backend died on its
+        // own — supervisors should treat the latter as a fault signal.
+        this.emit('backendExited', { code, expected });
       });
 
       // Method 1: TCP connection polling (preferred, works on Linux/macOS)

package/tests/router-handshake-watchdog.test.js

@@ -0,0 +1,110 @@
+/**
+ * Handshake watchdog: peers that connect and never complete the postgres
+ * StartupMessage are forcibly closed past `PGSERVE_HANDSHAKE_DEADLINE_MS`.
+ *
+ * Regression coverage: pgserve#45 documented file-descriptor leak where
+ * peers piled up indefinitely in `state.handshakeComplete=false`.
+ *
+ * The tests drive `_sweepStuckHandshakes()` directly via a synthetic
+ * connection record. This avoids spawning a real postgres backend, which
+ * is unnecessary when we only want to assert the sweep policy and timer
+ * lifecycle.
+ */
+
+import { PgserveDaemon } from '../src/daemon.js';
+import { test, expect } from 'bun:test';
+import fs from 'fs';
+import path from 'path';
+import os from 'os';
+
+function quietLogger() {
+  return {
+    info: () => {}, warn: () => {}, error: () => {}, debug: () => {},
+    child: () => quietLogger(),
+  };
+}
+
+function makeDaemon(opts = {}) {
+  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'pgserve-watchdog-'));
+  const daemon = new PgserveDaemon({
+    baseDir: dir,
+    logger: quietLogger(),
+    enforcementDisabled: true,
+    ...opts,
+  });
+  return { daemon, dir };
+}
+
+function fakeSocket() {
+  const calls = [];
+  return {
+    end: () => { calls.push('end'); },
+    pause: () => {}, resume: () => {}, write: () => 0,
+    _calls: calls,
+  };
+}
+
+test('handshakeDeadlineMs falls back to 30000 when env unset', () => {
+  delete process.env.PGSERVE_HANDSHAKE_DEADLINE_MS;
+  const { daemon, dir } = makeDaemon();
+  expect(daemon.handshakeDeadlineMs).toBe(30000);
+  fs.rmSync(dir, { recursive: true, force: true });
+});
+
+test('handshakeDeadlineMs honours PGSERVE_HANDSHAKE_DEADLINE_MS env', () => {
+  process.env.PGSERVE_HANDSHAKE_DEADLINE_MS = '2000';
+  try {
+    const { daemon, dir } = makeDaemon();
+    expect(daemon.handshakeDeadlineMs).toBe(2000);
+    fs.rmSync(dir, { recursive: true, force: true });
+  } finally {
+    delete process.env.PGSERVE_HANDSHAKE_DEADLINE_MS;
+  }
+});
+
+test('_sweepStuckHandshakes closes pre-handshake sockets past deadline', () => {
+  const { daemon, dir } = makeDaemon({ handshakeDeadlineMs: 100 });
+  const sock = fakeSocket();
+  const stuckAt = Date.now() - 500; // older than 100ms deadline
+  daemon.connections.add(sock);
+  daemon.socketState.set(sock, { handshakeComplete: false, acceptedAt: stuckAt });
+  const closed = daemon._sweepStuckHandshakes();
+  expect(closed).toBe(1);
+  expect(sock._calls).toContain('end');
+  expect(daemon.connections.has(sock)).toBe(false);
+  expect(daemon.socketState.has(sock)).toBe(false);
+  fs.rmSync(dir, { recursive: true, force: true });
+});
+
+test('_sweepStuckHandshakes leaves fresh pre-handshake sockets alone', () => {
+  const { daemon, dir } = makeDaemon({ handshakeDeadlineMs: 30000 });
+  const sock = fakeSocket();
+  daemon.connections.add(sock);
+  daemon.socketState.set(sock, { handshakeComplete: false, acceptedAt: Date.now() });
+  const closed = daemon._sweepStuckHandshakes();
+  expect(closed).toBe(0);
+  expect(sock._calls).not.toContain('end');
+  expect(daemon.connections.has(sock)).toBe(true);
+  fs.rmSync(dir, { recursive: true, force: true });
+});
+
+test('_sweepStuckHandshakes leaves completed-handshake sockets alone even past deadline', () => {
+  const { daemon, dir } = makeDaemon({ handshakeDeadlineMs: 100 });
+  const sock = fakeSocket();
+  daemon.connections.add(sock);
+  daemon.socketState.set(sock, { handshakeComplete: true, acceptedAt: Date.now() - 5000 });
+  const closed = daemon._sweepStuckHandshakes();
+  expect(closed).toBe(0);
+  expect(sock._calls).not.toContain('end');
+  fs.rmSync(dir, { recursive: true, force: true });
+});
+
+test('handshakeSweepIntervalMs is bounded sensibly relative to deadline', () => {
+  const { daemon, dir } = makeDaemon({
+    handshakeDeadlineMs: 200,
+    handshakeSweepIntervalMs: 50,
+  });
+  // Sweep interval cannot drop below 1s safety floor.
+  expect(daemon.handshakeSweepIntervalMs).toBe(1000);
+  fs.rmSync(dir, { recursive: true, force: true });
+});

package/tests/wrapper-supervision.test.js

@@ -0,0 +1,107 @@
+/**
+ * Wrapper supervision: postgres backend death surfaces to the wrapper
+ *
+ * Verifies that:
+ *  1. PostgresManager extends EventEmitter and emits `backendExited` when
+ *     the postgres child exits.
+ *  2. `expected: true` is reported when the exit was initiated by stop().
+ *  3. `expected: false` is reported when the child was killed externally
+ *     (the case the wrapper needs to react to per pgserve#45).
+ *  4. PgserveDaemon re-emits `backendDiedUnexpectedly` only for unexpected
+ *     exits, not for clean stop().
+ *
+ * Tests use the real Bun.spawn'd postgres binary via PostgresManager because
+ * the supervision contract is end-to-end — a unit test with a mocked process
+ * would prove only that the JS plumbing fires.
+ */
+
+import { PostgresManager } from '../src/postgres.js';
+import { PgserveDaemon } from '../src/daemon.js';
+import { EventEmitter } from 'events';
+import { test, expect } from 'bun:test';
+import fs from 'fs';
+import path from 'path';
+import os from 'os';
+
+function quietLogger() {
+  return {
+    info: () => {}, warn: () => {}, error: () => {}, debug: () => {},
+    child: () => quietLogger(),
+  };
+}
+
+test('PostgresManager extends EventEmitter', () => {
+  const mgr = new PostgresManager({});
+  expect(mgr).toBeInstanceOf(EventEmitter);
+});
+
+test('PostgresManager emits backendExited with expected=true after stop()', async () => {
+  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'pgserve-supv-stop-'));
+  const mgr = new PostgresManager({ dataDir: dir, logger: quietLogger() });
+  let event = null;
+  mgr.on('backendExited', (info) => { event = info; });
+  await mgr.start();
+  await mgr.stop();
+  // Give event loop a tick to flush exited.then handler if not already drained
+  await new Promise((r) => setTimeout(r, 50));
+  expect(event).not.toBeNull();
+  expect(event.expected).toBe(true);
+  fs.rmSync(dir, { recursive: true, force: true });
+}, 60000);
+
+// External-SIGKILL integration coverage runs on Linux only. On macOS,
+// Bun.spawn'd postgres reliably refuses to surface its `exited` promise
+// within the test deadline when killed by SIGKILL — Bun's posix_spawn
+// path on darwin holds parent reaping until grandchildren reap, which
+// postgres never does fast enough for a deterministic test. The
+// `expected=false` branch is still covered cross-platform by the
+// daemon-level re-emit test below, which feeds a synthetic
+// `backendExited` payload through a fake EventEmitter and bypasses the
+// OS signal-handling variability entirely.
+const linuxOnly = process.platform === 'linux' ? test : test.skip;
+linuxOnly('PostgresManager emits backendExited with expected=false on external SIGKILL (linux)', async () => {
+  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'pgserve-supv-kill-'));
+  const mgr = new PostgresManager({ dataDir: dir, logger: quietLogger() });
+  let event = null;
+  mgr.on('backendExited', (info) => { event = info; });
+  await mgr.start();
+  const childPid = mgr.process?.pid;
+  expect(childPid).toBeGreaterThan(0);
+  // External kill — _stopping stays false, so the handler must mark unexpected
+  process.kill(childPid, 'SIGKILL');
+  // Wait for the exit handler to fire (max 3s)
+  for (let i = 0; i < 60 && event === null; i++) {
+    await new Promise((r) => setTimeout(r, 50));
+  }
+  expect(event).not.toBeNull();
+  expect(event.expected).toBe(false);
+  // Cleanup: paths were nulled by the unexpected-exit branch, so stop() is a no-op
+  await mgr.stop().catch(() => {});
+  fs.rmSync(dir, { recursive: true, force: true });
+}, 60000);
+
+test('PgserveDaemon re-emits backendDiedUnexpectedly only on unexpected exit', () => {
+  // Pure plumbing test — synthesize PgserveDaemon and a fake pgManager that
+  // is just an EventEmitter; verify the wiring.
+  const fakePgManager = new EventEmitter();
+  // PgserveDaemon constructor needs a baseDir; passing a tmp dir avoids
+  // touching real config.
+  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'pgserve-supv-daemon-'));
+  const daemon = new PgserveDaemon({
+    baseDir: dir,
+    logger: quietLogger(),
+    pgManager: fakePgManager,
+    enforcementDisabled: true,
+  });
+  const events = [];
+  daemon.on('backendDiedUnexpectedly', (info) => events.push(info));
+
+  fakePgManager.emit('backendExited', { code: 0, expected: true });
+  expect(events).toHaveLength(0); // clean stop — no re-emit
+
+  fakePgManager.emit('backendExited', { code: 137, expected: false });
+  expect(events).toHaveLength(1);
+  expect(events[0]).toEqual({ code: 137, expected: false });
+
+  fs.rmSync(dir, { recursive: true, force: true });
+});