pgserve 2.3.0 → 2.5.0

package/src/sync.js

@@ -1,335 +0,0 @@
-/**
- * SyncManager - Async replication from pgserve to real PostgreSQL
- *
- * Uses PostgreSQL's native logical replication for ZERO hot-path impact.
- * All replication is handled by PostgreSQL's WAL writer process, not Node.js.
- *
- * 100% Bun-native: Uses Bun.sql for all database operations.
- */
-
-import { SQL } from 'bun';
-import { createLogger } from './logger.js';
-
-/**
- * Match database name against patterns (supports wildcards)
- * @param {string} dbName - Database name to check
- * @param {string[]} patterns - Array of patterns (supports * wildcard)
- * @returns {boolean}
- */
-function matchesPattern(dbName, patterns) {
-  if (!patterns || patterns.length === 0) return true; // No filter = sync all
-
-  return patterns.some(pattern => {
-    if (pattern.includes('*')) {
-      const regex = new RegExp('^' + pattern.replace(/\*/g, '.*') + '$');
-      return regex.test(dbName);
-    }
-    return dbName === pattern;
-  });
-}
-
-/**
- * SyncManager - Handles async replication to target PostgreSQL
- */
-export class SyncManager {
-  constructor(options = {}) {
-    this.targetUrl = options.targetUrl;           // Real PostgreSQL connection string
-    this.databases = options.databases || [];      // Patterns: ["myapp", "tenant_*"]
-    this.sourcePort = options.sourcePort;          // pgserve PostgreSQL port
-    this.sourceSocketPath = options.sourceSocketPath; // pgserve socket path (optional)
-
-    this.logger = createLogger({ level: options.logLevel || 'info', component: 'sync' });
-
-    this.sourceSql = null;  // Bun.sql connection to pgserve's PostgreSQL
-    this.targetSql = null;  // Bun.sql connection to real PostgreSQL
-    this.syncedDatabases = new Set();
-    this.initialized = false;
-  }
-
-  /**
-   * Initialize the SyncManager after PostgreSQL is ready
-   * @param {Object} _pgManager - PostgresManager instance (unused, reserved for future)
-   */
-  async initialize(_pgManager) {
-    if (!this.targetUrl) {
-      throw new Error('SyncManager requires targetUrl');
-    }
-
-    this.logger.info({ target: this.targetUrl.replace(/:[^:@]+@/, ':***@') }, 'Initializing sync manager');
-
-    // Create Bun.sql connection to source (pgserve's embedded PostgreSQL)
-    this.sourceSql = new SQL({
-      hostname: this.sourceSocketPath
-        ? this.sourceSocketPath.replace(/\/\.s\.PGSQL\.\d+$/, '')
-        : '127.0.0.1',
-      port: this.sourcePort,
-      database: 'postgres',
-      username: 'postgres',
-      password: 'postgres',
-      max: 3,  // Low pool size - replication is async, not latency-sensitive
-      idleTimeout: 30,
-    });
-
-    // Create Bun.sql connection to target (real PostgreSQL)
-    const targetUrl = new URL(this.targetUrl);
-    this.targetSql = new SQL({
-      hostname: targetUrl.hostname,
-      port: parseInt(targetUrl.port) || 5432,
-      database: targetUrl.pathname.slice(1) || 'postgres',
-      username: targetUrl.username || 'postgres',
-      password: targetUrl.password || 'postgres',
-      max: 3,
-      idleTimeout: 30,
-    });
-
-    // Test connections
-    try {
-      await this.sourceSql`SELECT 1`;
-      this.logger.debug('Source connection ready');
-    } catch (err) {
-      this.logger.error({ err }, 'Failed to connect to source PostgreSQL');
-      throw err;
-    }
-
-    try {
-      await this.targetSql`SELECT 1`;
-      this.logger.debug('Target connection ready');
-    } catch (err) {
-      this.logger.error({ err }, 'Failed to connect to target PostgreSQL');
-      throw err;
-    }
-
-    this.initialized = true;
-    this.logger.info('Sync manager initialized');
-  }
-
-  /**
-   * Check if a database should be synced based on patterns
-   * @param {string} dbName
-   * @returns {boolean}
-   */
-  shouldSync(dbName) {
-    // Skip system databases
-    if (['postgres', 'template0', 'template1'].includes(dbName)) {
-      return false;
-    }
-    return matchesPattern(dbName, this.databases);
-  }
-
-  /**
-   * Setup replication for a specific database
-   * Called when a new database is created in pgserve
-   *
-   * This is NON-BLOCKING - runs in background, doesn't affect hot path
-   *
-   * @param {string} dbName - Name of the database to sync
-   */
-  async setupDatabaseSync(dbName) {
-    if (!this.initialized) {
-      this.logger.warn({ dbName }, 'Sync manager not initialized, skipping sync setup');
-      return;
-    }
-
-    if (!this.shouldSync(dbName)) {
-      this.logger.debug({ dbName }, 'Database does not match sync patterns, skipping');
-      return;
-    }
-
-    if (this.syncedDatabases.has(dbName)) {
-      this.logger.debug({ dbName }, 'Database already synced');
-      return;
-    }
-
-    this.logger.info({ dbName }, 'Setting up database sync');
-
-    try {
-      // Step 1: Create database on target if it doesn't exist
-      await this.ensureTargetDatabase(dbName);
-
-      // Step 2: Setup publication on source (pgserve)
-      await this.setupPublication(dbName);
-
-      // Step 3: Setup subscription on target
-      await this.setupSubscription(dbName);
-
-      this.syncedDatabases.add(dbName);
-      this.logger.info({ dbName }, 'Database sync established');
-
-    } catch (err) {
-      // Non-fatal - sync failure doesn't affect main server operation
-      this.logger.error({ dbName, err }, 'Failed to setup database sync');
-    }
-  }
-
-  /**
-   * Ensure the database exists on target PostgreSQL
-   * @param {string} dbName
-   */
-  async ensureTargetDatabase(dbName) {
-    const result = await this.targetSql`
-      SELECT 1 FROM pg_database WHERE datname = ${dbName}
-    `;
-
-    if (result.length === 0) {
-      // CREATE DATABASE cannot run in transaction - use unsafe for DDL
-      const safeName = dbName.replace(/"/g, '""');
-      await this.targetSql.unsafe(`CREATE DATABASE "${safeName}"`);
-      this.logger.debug({ dbName }, 'Created database on target');
-    }
-  }
-
-  /**
-   * Setup publication on source (pgserve's PostgreSQL)
-   * @param {string} dbName
-   */
-  async setupPublication(dbName) {
-    // Connect to the specific database on source
-    const sourceDbSql = new SQL({
-      hostname: this.sourceSocketPath
-        ? this.sourceSocketPath.replace(/\/\.s\.PGSQL\.\d+$/, '')
-        : '127.0.0.1',
-      port: this.sourcePort,
-      database: dbName,
-      username: 'postgres',
-      password: 'postgres',
-      max: 1,
-    });
-
-    try {
-      const pubName = `pgserve_pub_${dbName.replace(/[^a-z0-9_]/gi, '_')}`;
-
-      // Check if publication exists
-      const result = await sourceDbSql`
-        SELECT 1 FROM pg_publication WHERE pubname = ${pubName}
-      `;
-
-      if (result.length === 0) {
-        // Create publication for all tables
-        await sourceDbSql.unsafe(`CREATE PUBLICATION "${pubName}" FOR ALL TABLES`);
-        this.logger.debug({ dbName, pubName }, 'Created publication on source');
-      }
-    } finally {
-      await sourceDbSql.close();
-    }
-  }
-
-  /**
-   * Setup subscription on target PostgreSQL
-   * @param {string} dbName
-   */
-  async setupSubscription(dbName) {
-    // Connect to the specific database on target
-    const targetUrl = new URL(this.targetUrl);
-
-    const targetDbSql = new SQL({
-      hostname: targetUrl.hostname,
-      port: parseInt(targetUrl.port) || 5432,
-      database: dbName,
-      username: targetUrl.username || 'postgres',
-      password: targetUrl.password || 'postgres',
-      max: 1,
-    });
-
-    try {
-      const subName = `pgserve_sub_${dbName.replace(/[^a-z0-9_]/gi, '_')}`;
-      const pubName = `pgserve_pub_${dbName.replace(/[^a-z0-9_]/gi, '_')}`;
-
-      // Check if subscription exists
-      const result = await targetDbSql`
-        SELECT 1 FROM pg_subscription WHERE subname = ${subName}
-      `;
-
-      if (result.length === 0) {
-        // Build connection string to source - ALWAYS use TCP for cross-container compatibility
-        // (Unix sockets won't work when target is in Docker or remote)
-        const sourceConnStr = `host=127.0.0.1 port=${this.sourcePort} dbname=${dbName} user=postgres password=postgres`;
-
-        // Create subscription
-        await targetDbSql.unsafe(`
-          CREATE SUBSCRIPTION "${subName}"
-          CONNECTION '${sourceConnStr}'
-          PUBLICATION "${pubName}"
-          WITH (copy_data = true, create_slot = true)
-        `);
-        this.logger.debug({ dbName, subName }, 'Created subscription on target');
-      }
-    } finally {
-      await targetDbSql.close();
-    }
-  }
-
-  /**
-   * Get replication status for all synced databases
-   * @returns {Promise<Object>}
-   */
-  async getReplicationStatus() {
-    if (!this.initialized) {
-      return { initialized: false, databases: [] };
-    }
-
-    const status = {
-      initialized: true,
-      targetUrl: this.targetUrl.replace(/:[^:@]+@/, ':***@'),
-      databases: [],
-      replicationSlots: []
-    };
-
-    try {
-      // Query replication slots from source
-      const slotsResult = await this.sourceSql`
-        SELECT slot_name, active, restart_lsn, confirmed_flush_lsn
-        FROM pg_replication_slots
-        WHERE slot_type = 'logical'
-      `;
-
-      status.replicationSlots = slotsResult.map(row => ({
-        name: row.slot_name,
-        active: row.active,
-        restartLsn: row.restart_lsn,
-        confirmedFlushLsn: row.confirmed_flush_lsn
-      }));
-
-      // Query replication lag
-      const lagResult = await this.sourceSql`
-        SELECT
-          slot_name,
-          pg_wal_lsn_diff(pg_current_wal_lsn(), confirmed_flush_lsn) as lag_bytes
-        FROM pg_replication_slots
-        WHERE slot_type = 'logical'
-      `;
-
-      for (const row of lagResult) {
-        const slot = status.replicationSlots.find(s => s.name === row.slot_name);
-        if (slot) {
-          slot.lagBytes = parseInt(row.lag_bytes) || 0;
-        }
-      }
-
-      status.databases = Array.from(this.syncedDatabases);
-
-    } catch (err) {
-      this.logger.error({ err }, 'Failed to get replication status');
-      status.error = err.message;
-    }
-
-    return status;
-  }
-
-  /**
-   * Graceful shutdown
-   */
-  async stop() {
-    this.logger.info('Stopping sync manager');
-
-    if (this.sourceSql) {
-      await this.sourceSql.close();
-    }
-
-    if (this.targetSql) {
-      await this.targetSql.close();
-    }
-
-    this.initialized = false;
-    this.logger.info('Sync manager stopped');
-  }
-}

package/src/tenancy.js

@@ -1,75 +0,0 @@
-/**
- * pgserve tenancy — fingerprint-to-database name resolution + kill-switch.
- *
- * Group 4 wires the kernel-rooted fingerprint (Group 3) to the per-tenant
- * Postgres database. Each `(fingerprint, name)` pair maps deterministically
- * to a database called `app_<sanitized-name>_<12hex>` (≤63 chars, the PG
- * identifier limit).
- *
- * Sanitization rules (per WISH §Group 4):
- *   - non-[a-z0-9] runs collapse to a single `_`
- *   - lowercased
- *   - truncated to 30 chars (so `app_<30>_<12>` ≤ 47 chars, well under 63)
- *
- * The kill switch (`PGSERVE_DISABLE_FINGERPRINT_ENFORCEMENT=1`) is read
- * once per process via `isFingerprintEnforcementDisabled()`. The daemon
- * logs a deprecation warning at boot when the env var is observed; the
- * audit event `enforcement_kill_switch_used` fires on every bypassed
- * cross-fingerprint connection.
- */
-
-export const KILL_SWITCH_ENV = 'PGSERVE_DISABLE_FINGERPRINT_ENFORCEMENT';
-
-const NAME_TRUNCATE = 30;
-const MAX_DB_IDENT = 63;
-
-/**
- * Collapse non-alphanumeric runs to a single `_`, lowercase, truncate.
- *
- * Empty or null names fall back to `'anon'` so we always emit a usable
- * database identifier — a peer with no resolvable package name still
- * deserves a tenant DB, just one that visibly says "anonymous".
- *
- * @param {string|null|undefined} name
- * @returns {string}
- */
-export function sanitizeName(name) {
-  const raw = (typeof name === 'string' ? name : '').toLowerCase();
-  const collapsed = raw.replace(/[^a-z0-9]+/g, '_');
-  if (!collapsed || collapsed === '_') return 'anon';
-  return collapsed.slice(0, NAME_TRUNCATE);
-}
-
-/**
- * Build the canonical per-tenant database name `app_<sanitized>_<fingerprint>`.
- *
- * Throws if fingerprint is not the documented 12 lowercase-hex blob —
- * any caller that managed to slip a malformed fingerprint through deserves
- * a loud failure rather than a silent identifier mismatch later.
- *
- * @param {{name: string|null|undefined, fingerprint: string}} args
- * @returns {string}
- */
-export function resolveTenantDatabaseName({ name, fingerprint }) {
-  if (!/^[0-9a-f]{12}$/.test(fingerprint || '')) {
-    throw new Error(`resolveTenantDatabaseName: fingerprint must be 12 hex chars, got "${fingerprint}"`);
-  }
-  const sanitized = sanitizeName(name);
-  const ident = `app_${sanitized}_${fingerprint}`;
-  if (ident.length > MAX_DB_IDENT) {
-    // Truncation already bounds sanitized to 30; the fingerprint adds 12;
-    // the prefix `app_` adds 4 + two underscores = 48. We are safe by
-    // construction, but assert anyway: a future change to NAME_TRUNCATE
-    // must not silently produce >63-char identifiers.
-    throw new Error(`resolveTenantDatabaseName: identifier "${ident}" exceeds ${MAX_DB_IDENT} chars`);
-  }
-  return ident;
-}
-
-/**
- * @param {NodeJS.ProcessEnv} [env]
- * @returns {boolean}
- */
-export function isFingerprintEnforcementDisabled(env = process.env) {
-  return env[KILL_SWITCH_ENV] === '1';
-}

package/src/tokens.js

@@ -1,102 +0,0 @@
-/**
- * pgserve TCP bearer-token helpers (Group 6).
- *
- * Tokens are random 256-bit secrets shown to the operator exactly once
- * (the output of `pgserve daemon issue-token`). Only their sha256 hash
- * is persisted in `pgserve_meta.allowed_tokens`. Verification therefore
- * compares hashes, never cleartext.
- *
- * Token id: short hex prefix used for revocation by humans
- * (`pgserve daemon revoke-token <id>`). It is also persisted alongside
- * the hash so `tcp_token_used` audit events can name which credential
- * authorised the connection without leaking the secret.
- *
- * Wire format on the TCP path: peers pass an `application_name` shaped
- * `?fingerprint=<12hex>&token=<bearer>` (a leading `?` is tolerated so
- * libpq URL-style strings round-trip cleanly). Both keys are required;
- * any missing or extra-long value is treated as auth-fail by the
- * daemon's accept hook, never bubbling further.
- */
-
-import crypto from 'crypto';
-
-const TOKEN_BYTES = 32;       // 256 bits — plenty of entropy
-const TOKEN_ID_BYTES = 6;     // 12 hex chars — collision-bound at ~10^14
-const MAX_TOKEN_LEN = 256;    // sanity guard for parse path
-const FP_RE = /^[0-9a-f]{12}$/;
-
-/**
- * Mint a fresh `(id, cleartext, hash)` triple. The cleartext is meant to
- * leave this process exactly once (printed to stdout by `issue-token`);
- * only the hash gets stored.
- *
- * @returns {{id: string, cleartext: string, hash: string}}
- */
-export function mintToken() {
-  const id = crypto.randomBytes(TOKEN_ID_BYTES).toString('hex');
-  const cleartext = crypto.randomBytes(TOKEN_BYTES).toString('hex');
-  const hash = hashToken(cleartext);
-  return { id, cleartext, hash };
-}
-
-/**
- * Sha256 of the bearer token in lowercase hex. Centralised so daemon
- * accept code, issue-token CLI, and tests cannot drift.
- *
- * @param {string} cleartext
- * @returns {string}
- */
-export function hashToken(cleartext) {
-  if (typeof cleartext !== 'string' || cleartext.length === 0) {
-    throw new Error('hashToken: non-empty string required');
-  }
-  return crypto.createHash('sha256').update(cleartext).digest('hex');
-}
-
-/**
- * Parse `?fingerprint=<12hex>&token=<bearer>` — or its prefix-less form —
- * out of an `application_name` startup parameter.
- *
- * Returns `null` for any malformed input. Caller never inspects details
- * beyond presence: the daemon emits a single `tcp_token_denied` audit
- * event regardless of which validation step failed, to deny the peer
- * any oracle that distinguishes "unknown fingerprint" from "wrong token".
- *
- * @param {string|undefined|null} applicationName
- * @returns {{fingerprint: string, token: string} | null}
- */
-export function parseTcpAuth(applicationName) {
-  if (typeof applicationName !== 'string' || applicationName.length === 0) return null;
-  if (applicationName.length > MAX_TOKEN_LEN + 64) return null;
-  const stripped = applicationName.startsWith('?') ? applicationName.slice(1) : applicationName;
-  const params = new Map();
-  for (const segment of stripped.split('&')) {
-    const eq = segment.indexOf('=');
-    if (eq <= 0) continue;
-    const key = segment.slice(0, eq);
-    const val = segment.slice(eq + 1);
-    if (key && val) params.set(key, val);
-  }
-  const fingerprint = params.get('fingerprint');
-  const token = params.get('token');
-  if (!fingerprint || !token) return null;
-  if (!FP_RE.test(fingerprint)) return null;
-  if (token.length === 0 || token.length > MAX_TOKEN_LEN) return null;
-  return { fingerprint, token };
-}
-
-/**
- * Constant-time string compare. Bearer-token verification path uses this
- * after sha256 to avoid leaking length-mismatch via timing.
- *
- * @param {string} a
- * @param {string} b
- * @returns {boolean}
- */
-export function timingSafeEqual(a, b) {
-  if (typeof a !== 'string' || typeof b !== 'string') return false;
-  if (a.length !== b.length) return false;
-  const bufA = Buffer.from(a);
-  const bufB = Buffer.from(b);
-  return crypto.timingSafeEqual(bufA, bufB);
-}