resplite 1.4.20 → 1.5.2

package/src/server/connection.js

@@ -3,7 +3,7 @@
  */
 
 import { RESPReader } from '../resp/parser.js';
-import { dispatch } from '../commands/registry.js';
+import { compileCommandPolicy, dispatch } from '../commands/registry.js';
 import { encode, encodeSimpleString, encodeError } from '../resp/encoder.js';
 import { registerMonitorClient, unregisterMonitorClient, broadcastMonitorCommand } from './monitor.js';
 
@@ -13,11 +13,13 @@ let nextConnectionId = 0;
  * @param {import('net').Socket} socket
  * @param {object} engine
  * @param {object} [hooks] Optional: onUnknownCommand, onCommandError, onSocketError
+ * @param {object|null} [commandPolicy] Optional: command rename/disable policy.
  */
-export function handleConnection(socket, engine, hooks = {}) {
+export function handleConnection(socket, engine, hooks = {}, commandPolicy = null) {
   const reader = new RESPReader();
   const connectionId = ++nextConnectionId;
   const clientAddress = `${socket.remoteAddress ?? 'unknown'}:${socket.remotePort ?? 0}`;
+  const compiledCommandPolicy = compileCommandPolicy(commandPolicy);
   const context = {
     connectionId,
     clientAddress,
@@ -29,6 +31,7 @@ export function handleConnection(socket, engine, hooks = {}) {
     onUnknownCommand: hooks.onUnknownCommand,
     onCommandError: hooks.onCommandError,
     onSocketError: hooks.onSocketError,
+    commandPolicy: compiledCommandPolicy,
   };
 
   function writeResult(out) {

package/src/server/tcp-server.js

@@ -4,6 +4,7 @@
 
 import net from 'node:net';
 import { handleConnection } from './connection.js';
+import { compileCommandPolicy } from '../commands/registry.js';
 
 /**
  * @param {object} options
@@ -11,15 +12,17 @@ import { handleConnection } from './connection.js';
  * @param {number} [options.port=6379]
  * @param {string} [options.host='0.0.0.0']
  * @param {Set<import('node:net').Socket>} [options.connections] If provided, each accepted socket is added here (for graceful shutdown).
+ * @param {object|null} [options.commandPolicy] Optional: command rename/disable policy.
  * @returns {import('node:net').Server}
  */
-export function createServer({ engine, port = 6379, host = '0.0.0.0', connections = null }) {
+export function createServer({ engine, port = 6379, host = '0.0.0.0', connections = null, commandPolicy = null }) {
+  const compiledCommandPolicy = compileCommandPolicy(commandPolicy);
   const server = net.createServer((socket) => {
     if (connections) {
       connections.add(socket);
       socket.once('close', () => connections.delete(socket));
     }
-    handleConnection(socket, engine);
+    handleConnection(socket, engine, {}, compiledCommandPolicy);
   });
   return server;
 }

package/src/storage/sqlite/hashes.js

@@ -1,6 +1,8 @@
 /**
  * Hash storage: redis_hashes + coordination with redis_keys.
  * Empty hash removes the key (Section 8.6).
+ * Per-field TTL is tracked in redis_hash_field_ttl (epoch milliseconds);
+ * HSET/HINCRBY clear a field's TTL, lazy-expiration prunes stale fields.
  */
 
 import { KEY_TYPES } from './schema.js';
@@ -9,28 +11,84 @@ import { runInTransaction } from './tx.js';
 /**
  * @param {import('better-sqlite3').Database} db
  * @param {ReturnType<import('./keys.js').createKeysStorage>} keys
+ * @param {{ clock?: () => number }} [options]
  */
-export function createHashesStorage(db, keys) {
+export function createHashesStorage(db, keys, options = {}) {
+  const clock = options.clock ?? (() => Date.now());
+
   const getStmt = db.prepare('SELECT value FROM redis_hashes WHERE key = ? AND field = ?');
   const getAllStmt = db.prepare('SELECT field, value FROM redis_hashes WHERE key = ?').raw(true);
+  const getAllLiveStmt = db
+    .prepare(
+      `SELECT h.field, h.value
+         FROM redis_hashes h
+         LEFT JOIN redis_hash_field_ttl t ON t.key = h.key AND t.field = h.field
+        WHERE h.key = ? AND (t.expires_at IS NULL OR t.expires_at > ?)`
+    )
+    .raw(true);
   const insertStmt = db.prepare('INSERT OR REPLACE INTO redis_hashes (key, field, value) VALUES (?, ?, ?)');
   const deleteStmt = db.prepare('DELETE FROM redis_hashes WHERE key = ? AND field = ?');
   const deleteAllStmt = db.prepare('DELETE FROM redis_hashes WHERE key = ?');
   const countStmt = db.prepare('SELECT COUNT(*) AS n FROM redis_hashes WHERE key = ?');
+  const countLiveStmt = db.prepare(
+    `SELECT COUNT(*) AS n
+       FROM redis_hashes h
+       LEFT JOIN redis_hash_field_ttl t ON t.key = h.key AND t.field = h.field
+      WHERE h.key = ? AND (t.expires_at IS NULL OR t.expires_at > ?)`
+  );
+  const hasAnyTtlStmt = db.prepare('SELECT 1 FROM redis_hash_field_ttl WHERE key = ? LIMIT 1').pluck();
+
+  const getFieldTtlStmt = db.prepare(
+    'SELECT expires_at AS expiresAt FROM redis_hash_field_ttl WHERE key = ? AND field = ?'
+  );
+  const upsertFieldTtlStmt = db.prepare(
+    'INSERT OR REPLACE INTO redis_hash_field_ttl (key, field, expires_at) VALUES (?, ?, ?)'
+  );
+  const deleteFieldTtlStmt = db.prepare('DELETE FROM redis_hash_field_ttl WHERE key = ? AND field = ?');
+
+  /**
+   * If the field has an expired TTL row, delete the field + TTL row, adjust count
+   * (and drop the whole key when empty). Returns true if the field was purged.
+   */
+  function expireFieldIfDue(key, field, now) {
+    const ttl = getFieldTtlStmt.get(key, field);
+    if (!ttl || ttl.expiresAt > now) return false;
+    const existed = getStmt.get(key, field) != null;
+    deleteFieldTtlStmt.run(key, field);
+    if (!existed) return true;
+    deleteStmt.run(key, field);
+    const meta = keys.get(key);
+    if (!meta) return true;
+    const before = meta.hashCount != null ? meta.hashCount : (countStmt.get(key) || { n: 0 }).n + 1;
+    const remaining = Math.max(0, before - 1);
+    if (remaining === 0) {
+      deleteAllStmt.run(key);
+      keys.delete(key);
+    } else {
+      keys.setHashCount(key, remaining, { touchUpdatedAt: false });
+    }
+    return true;
+  }
 
   return {
     get(key, field) {
+      runInTransaction(db, () => {
+        expireFieldIfDue(key, field, clock());
+      });
       const row = getStmt.get(key, field);
       return row ? row.value : null;
     },
 
     getAll(key) {
-      return getAllStmt.all(key).flat();
+      const now = clock();
+      const hasTtl = hasAnyTtlStmt.get(key);
+      if (!hasTtl) return getAllStmt.all(key).flat();
+      return getAllLiveStmt.all(key, now).flat();
     },
 
     set(key, field, value, options = {}) {
       runInTransaction(db, () => {
-        const now = options.updatedAt ?? Date.now();
+        const now = options.updatedAt ?? clock();
         const meta = keys.get(key);
         let knownCount = 0;
         if (meta) {
@@ -50,6 +108,7 @@ export function createHashesStorage(db, keys) {
         }
         const existed = getStmt.get(key, field) != null;
         insertStmt.run(key, field, value);
+        deleteFieldTtlStmt.run(key, field);
         if (!existed) {
           if (meta) keys.incrHashCount(key, 1, { touchUpdatedAt: false });
           else keys.setHashCount(key, 1, { touchUpdatedAt: false });
@@ -62,7 +121,7 @@ export function createHashesStorage(db, keys) {
 
     setMultiple(key, pairs, options = {}) {
       runInTransaction(db, () => {
-        const now = options.updatedAt ?? Date.now();
+        const now = options.updatedAt ?? clock();
         const meta = keys.get(key);
         let knownCount = 0;
         if (meta) {
@@ -84,6 +143,7 @@ export function createHashesStorage(db, keys) {
         for (let i = 0; i < pairs.length; i += 2) {
           const existed = getStmt.get(key, pairs[i]) != null;
           insertStmt.run(key, pairs[i], pairs[i + 1]);
+          deleteFieldTtlStmt.run(key, pairs[i]);
           if (!existed) added++;
         }
         if (added > 0) {
@@ -103,6 +163,7 @@ export function createHashesStorage(db, keys) {
         let n = 0;
         for (const field of fields) {
           const r = deleteStmt.run(key, field);
+          deleteFieldTtlStmt.run(key, field);
           n += r.changes;
         }
         const remaining = before != null ? Math.max(0, before - n) : ((countStmt.get(key) || {}).n ?? 0);
@@ -118,21 +179,26 @@ export function createHashesStorage(db, keys) {
 
     count(key) {
       const meta = keys.get(key);
-      if (meta && meta.type === KEY_TYPES.HASH && meta.hashCount != null) {
-        return meta.hashCount;
+      if (!meta || meta.type !== KEY_TYPES.HASH) {
+        const row = countStmt.get(key);
+        return row ? row.n : 0;
+      }
+      const hasTtl = hasAnyTtlStmt.get(key);
+      if (hasTtl) {
+        const row = countLiveStmt.get(key, clock());
+        return row ? row.n : 0;
       }
+      if (meta.hashCount != null) return meta.hashCount;
       const row = countStmt.get(key);
       const n = row ? row.n : 0;
-      if (meta && meta.type === KEY_TYPES.HASH && meta.hashCount == null) {
-        // One-time hydration for databases created before hash_count existed.
-        keys.setHashCount(key, n, { touchUpdatedAt: false });
-      }
+      // One-time hydration for databases created before hash_count existed.
+      keys.setHashCount(key, n, { touchUpdatedAt: false });
       return n;
     },
 
     incr(key, field, delta, options = {}) {
       return runInTransaction(db, () => {
-        const now = options.updatedAt ?? Date.now();
+        const now = options.updatedAt ?? clock();
         const meta = keys.get(key);
         if (meta && meta.type !== KEY_TYPES.HASH) {
           throw new Error('WRONGTYPE Operation against a key holding the wrong kind of value');
@@ -147,11 +213,13 @@ export function createHashesStorage(db, keys) {
             keys.setHashCount(key, hydrated, { touchUpdatedAt: false });
           }
         }
+        expireFieldIfDue(key, field, now);
         const cur = getStmt.get(key, field);
         const num = cur == null ? 0 : parseInt(cur.value.toString('utf8'), 10);
         if (Number.isNaN(num)) throw new Error('ERR hash value is not an integer');
         const next = num + delta;
         insertStmt.run(key, field, Buffer.from(String(next), 'utf8'));
+        deleteFieldTtlStmt.run(key, field);
         if (cur == null) {
           if (meta) keys.incrHashCount(key, 1, { touchUpdatedAt: false });
           else keys.setHashCount(key, 1, { touchUpdatedAt: false });
@@ -160,6 +228,81 @@ export function createHashesStorage(db, keys) {
       });
     },
 
+    /**
+     * Per-field expiration set. Returns -2/0/1/2 per HEXPIRE spec.
+     * `condition` is null or one of 'NX','XX','GT','LT'.
+     */
+    setFieldExpire(key, field, expiresAtMs, { condition = null } = {}) {
+      return runInTransaction(db, () => {
+        const now = clock();
+        expireFieldIfDue(key, field, now);
+        const exists = getStmt.get(key, field) != null;
+        if (!exists) return -2;
+        const current = getFieldTtlStmt.get(key, field);
+        const currentMs = current ? current.expiresAt : null;
+        if (condition === 'NX' && currentMs != null) return 0;
+        if (condition === 'XX' && currentMs == null) return 0;
+        if (condition === 'GT') {
+          if (currentMs == null) return 0;
+          if (!(expiresAtMs > currentMs)) return 0;
+        }
+        if (condition === 'LT') {
+          if (currentMs != null && !(expiresAtMs < currentMs)) return 0;
+        }
+        if (expiresAtMs <= now) {
+          deleteStmt.run(key, field);
+          deleteFieldTtlStmt.run(key, field);
+          const meta = keys.get(key);
+          if (meta) {
+            const before = meta.hashCount != null ? meta.hashCount : (countStmt.get(key) || { n: 0 }).n + 1;
+            const remaining = Math.max(0, before - 1);
+            if (remaining === 0) {
+              deleteAllStmt.run(key);
+              keys.delete(key);
+            } else {
+              keys.setHashCount(key, remaining, { touchUpdatedAt: false });
+            }
+          }
+          return 2;
+        }
+        upsertFieldTtlStmt.run(key, field, expiresAtMs);
+        return 1;
+      });
+    },
+
+    /**
+     * Returns remaining ms (>= 0), -1 if field has no TTL, -2 if field missing.
+     */
+    getFieldTtl(key, field) {
+      const now = clock();
+      let removed = false;
+      runInTransaction(db, () => {
+        removed = expireFieldIfDue(key, field, now);
+      });
+      if (removed) return -2;
+      const exists = getStmt.get(key, field) != null;
+      if (!exists) return -2;
+      const row = getFieldTtlStmt.get(key, field);
+      if (!row) return -1;
+      return Math.max(0, row.expiresAt - now);
+    },
+
+    /**
+     * Clears a field's TTL. Returns 1 if cleared, -1 if no TTL, -2 if field missing.
+     */
+    persistField(key, field) {
+      return runInTransaction(db, () => {
+        const now = clock();
+        expireFieldIfDue(key, field, now);
+        const exists = getStmt.get(key, field) != null;
+        if (!exists) return -2;
+        const row = getFieldTtlStmt.get(key, field);
+        if (!row) return -1;
+        deleteFieldTtlStmt.run(key, field);
+        return 1;
+      });
+    },
+
     /** Copy all field/value rows from oldKey to newKey. Caller ensures newKey exists in redis_keys. */
     copyKey(oldKey, newKey) {
       const rows = getAllStmt.all(oldKey);

package/src/storage/sqlite/schema.js

@@ -66,6 +66,17 @@ CREATE TABLE IF NOT EXISTS redis_zsets (
 CREATE INDEX IF NOT EXISTS redis_zsets_key_score_member_idx
   ON redis_zsets(key, score, member);
 
+CREATE TABLE IF NOT EXISTS redis_hash_field_ttl (
+  key BLOB NOT NULL,
+  field BLOB NOT NULL,
+  expires_at INTEGER NOT NULL,
+  PRIMARY KEY (key, field),
+  FOREIGN KEY(key) REFERENCES redis_keys(key) ON DELETE CASCADE
+);
+
+CREATE INDEX IF NOT EXISTS redis_hash_field_ttl_expires_at_idx
+  ON redis_hash_field_ttl(expires_at);
+
 CREATE TABLE IF NOT EXISTS search_indices (
   name TEXT PRIMARY KEY,
   schema_json TEXT NOT NULL,

package/test/helpers/server.js

@@ -7,17 +7,20 @@ import net from 'node:net';
 import { handleConnection } from '../../src/server/connection.js';
 import { createEngine } from '../../src/engine/engine.js';
 import { openDb } from '../../src/storage/sqlite/db.js';
+import { compileCommandPolicy } from '../../src/commands/registry.js';
 import { tmpDbPath } from './tmp.js';
 
 export function createTestServer(options = {}) {
   const dbPath = options.dbPath || tmpDbPath();
   const db = openDb(dbPath);
   const engine = createEngine({ db });
+  const hooks = options.hooks || {};
+  const commandPolicy = compileCommandPolicy(options.commandPolicy ?? null);
   const connections = new Set();
   const server = net.createServer((socket) => {
     connections.add(socket);
     socket.once('close', () => connections.delete(socket));
-    handleConnection(socket, engine);
+    handleConnection(socket, engine, hooks, commandPolicy);
   });
   return new Promise((resolve, reject) => {
     server.listen(0, '127.0.0.1', () => {

package/test/integration/command-security.test.js

@@ -0,0 +1,90 @@
+/**
+ * Integration tests for command hardening policy (rename/disable).
+ */
+
+import { describe, it, before, after } from 'node:test';
+import assert from 'node:assert/strict';
+import { createTestServer } from '../helpers/server.js';
+import { sendCommand, argv } from '../helpers/client.js';
+import { tryParseValue } from '../../src/resp/parser.js';
+
+function parseResp(buffer) {
+  const parsed = tryParseValue(buffer, 0);
+  return parsed ? parsed.value : null;
+}
+
+function asUtf8(value) {
+  return Buffer.isBuffer(value) ? value.toString('utf8') : String(value);
+}
+
+describe('command hardening policy', () => {
+  let s;
+  let port;
+
+  before(async () => {
+    s = await createTestServer({
+      commandPolicy: {
+        rename: {
+          KEYS: 'SAFE_KEYS',
+          DEL: 'RMDEL',
+        },
+        disabled: ['MONITOR'],
+      },
+    });
+    port = s.port;
+  });
+
+  after(async () => {
+    await s.closeAsync();
+  });
+
+  it('renamed command is available only through alias', async () => {
+    const setReply = parseResp(await sendCommand(port, argv('SET', 'policy:k1', 'v1')));
+    assert.equal(asUtf8(setReply), 'OK');
+
+    const aliasReply = parseResp(await sendCommand(port, argv('SAFE_KEYS', 'policy:*')));
+    assert.ok(Array.isArray(aliasReply));
+    assert.ok(aliasReply.map(asUtf8).includes('policy:k1'));
+
+    const oldNameReply = parseResp(await sendCommand(port, argv('KEYS', 'policy:*')));
+    assert.ok(oldNameReply && oldNameReply.error);
+    assert.equal(asUtf8(oldNameReply.error), 'ERR command not supported yet');
+  });
+
+  it('explicitly disabled command returns unsupported', async () => {
+    const reply = parseResp(await sendCommand(port, argv('MONITOR')));
+    assert.ok(reply && reply.error);
+    assert.equal(asUtf8(reply.error), 'ERR command not supported yet');
+  });
+
+  it('COMMAND only exposes visible names and keeps canonical metadata', async () => {
+    const listReply = parseResp(await sendCommand(port, argv('COMMAND')));
+    assert.ok(Array.isArray(listReply));
+    const names = listReply.map((doc) => asUtf8(doc[0]).toUpperCase());
+    assert.ok(names.includes('SAFE_KEYS'));
+    assert.ok(names.includes('RMDEL'));
+    assert.ok(!names.includes('KEYS'));
+    assert.ok(!names.includes('DEL'));
+    assert.ok(!names.includes('MONITOR'));
+
+    const infoReply = parseResp(await sendCommand(port, argv('COMMAND', 'INFO', 'RMDEL')));
+    assert.ok(Array.isArray(infoReply));
+    assert.equal(infoReply.length, 1);
+    const rmDelDoc = infoReply[0];
+    assert.equal(asUtf8(rmDelDoc[0]), 'rmdel');
+    assert.equal(rmDelDoc[1], -2);
+    const flags = rmDelDoc[2].map(asUtf8);
+    assert.ok(flags.includes('write'));
+  });
+
+  it('renamed write command executes through alias and blocks original', async () => {
+    await sendCommand(port, argv('SET', 'policy:del', 'to-delete'));
+
+    const aliasDeleteReply = parseResp(await sendCommand(port, argv('RMDEL', 'policy:del')));
+    assert.equal(aliasDeleteReply, 1);
+
+    const originalDeleteReply = parseResp(await sendCommand(port, argv('DEL', 'policy:del')));
+    assert.ok(originalDeleteReply && originalDeleteReply.error);
+    assert.equal(asUtf8(originalDeleteReply.error), 'ERR command not supported yet');
+  });
+});

package/test/integration/hashes.test.js

@@ -65,6 +65,88 @@ describe('Hashes integration', () => {
     assert.equal(tryParseValue(reply, 0).value, 3);
   });
 
+  it('HEXPIRE + HTTL + HPERSIST round-trip (node-redis style argv)', async () => {
+    await sendCommand(port, argv('HSET', 'LobbyStream', '6GQZW:FBAX7', '1'));
+    // Mirror the exact argv seen in the node-redis client log.
+    const hexpireReply = await sendCommand(
+      port,
+      argv('HEXPIRE', 'LobbyStream', '90', 'FIELDS', '1', '6GQZW:FBAX7')
+    );
+    const hexpireVal = tryParseValue(hexpireReply, 0).value;
+    assert.ok(Array.isArray(hexpireVal));
+    assert.equal(hexpireVal.length, 1);
+    assert.equal(Number(hexpireVal[0]), 1);
+
+    const httlReply = await sendCommand(
+      port,
+      argv('HTTL', 'LobbyStream', 'FIELDS', '1', '6GQZW:FBAX7')
+    );
+    const httlVal = tryParseValue(httlReply, 0).value;
+    assert.ok(Array.isArray(httlVal));
+    assert.equal(httlVal.length, 1);
+    const secs = Number(httlVal[0]);
+    assert.ok(secs > 0 && secs <= 90, `expected 0 < ttl <= 90, got ${secs}`);
+
+    const hpersistReply = await sendCommand(
+      port,
+      argv('HPERSIST', 'LobbyStream', 'FIELDS', '1', '6GQZW:FBAX7')
+    );
+    const hpersistVal = tryParseValue(hpersistReply, 0).value;
+    assert.equal(Number(hpersistVal[0]), 1);
+
+    const httlReply2 = await sendCommand(
+      port,
+      argv('HTTL', 'LobbyStream', 'FIELDS', '1', '6GQZW:FBAX7')
+    );
+    const ttl2 = Number(tryParseValue(httlReply2, 0).value[0]);
+    assert.equal(ttl2, -1);
+  });
+
+  it('HEXPIRE returns -2 for missing key/field', async () => {
+    const missingKey = await sendCommand(
+      port,
+      argv('HEXPIRE', 'hexp:nokey', '5', 'FIELDS', '1', 'f1')
+    );
+    assert.equal(Number(tryParseValue(missingKey, 0).value[0]), -2);
+
+    await sendCommand(port, argv('HSET', 'hexp:k', 'f1', 'v1'));
+    const missingField = await sendCommand(
+      port,
+      argv('HEXPIRE', 'hexp:k', '5', 'FIELDS', '1', 'nope')
+    );
+    assert.equal(Number(tryParseValue(missingField, 0).value[0]), -2);
+  });
+
+  it('HEXPIRE with 0 seconds deletes the field (returns 2)', async () => {
+    await sendCommand(port, argv('HSET', 'hexp:zero', 'f1', 'v1', 'f2', 'v2'));
+    const reply = await sendCommand(
+      port,
+      argv('HEXPIRE', 'hexp:zero', '0', 'FIELDS', '1', 'f1')
+    );
+    assert.equal(Number(tryParseValue(reply, 0).value[0]), 2);
+    const getReply = await sendCommand(port, argv('HGET', 'hexp:zero', 'f1'));
+    assert.ok(getReply.toString('utf8').startsWith('$-1'));
+  });
+
+  it('HEXPIRE NX condition fails on existing TTL', async () => {
+    await sendCommand(port, argv('HSET', 'hexp:nx', 'f1', 'v1'));
+    await sendCommand(port, argv('HEXPIRE', 'hexp:nx', '10', 'FIELDS', '1', 'f1'));
+    const reply = await sendCommand(
+      port,
+      argv('HEXPIRE', 'hexp:nx', '20', 'NX', 'FIELDS', '1', 'f1')
+    );
+    assert.equal(Number(tryParseValue(reply, 0).value[0]), 0);
+  });
+
+  it('HEXPIRE FIELDS count mismatch is a syntax error', async () => {
+    await sendCommand(port, argv('HSET', 'hexp:bad', 'f1', 'v1'));
+    const reply = await sendCommand(
+      port,
+      argv('HEXPIRE', 'hexp:bad', '10', 'FIELDS', '2', 'f1')
+    );
+    assert.ok(reply.toString('utf8').startsWith('-'), 'expected error reply');
+  });
+
   it('legacy hash rows with null hash_count hydrate on first HLEN', async () => {
     const s1 = await createTestServer();
     await sendCommand(s1.port, argv('HSET', 'legacy:h', 'f1', 'v1', 'f2', 'v2'));

package/test/integration/migration-dirty-tracker.test.js

@@ -27,7 +27,13 @@ const PREFIX    = `__resplite_tracker_test_${process.pid}__`;
 
 /** Connect to local Redis; return null if unavailable. */
 async function tryConnectRedis() {
-  const client = createClient({ url: REDIS_URL });
+  const client = createClient({
+    url: REDIS_URL,
+    socket: {
+      connectTimeout: 1500,
+      reconnectStrategy: () => new Error('no reconnect in tests'),
+    },
+  });
   try {
     await client.connect();
     await client.ping();