turbine-orm 0.7.0 → 0.8.0

package/dist/cli/migrate.js

@@ -260,12 +260,19 @@ async function validateChecksums(client, migrationsDir) {
  * Features:
  * - Idempotent: running twice is safe (already-applied migrations are skipped)
  * - Advisory lock: prevents concurrent migration runs
- * - Checksum validation: detects modified migration files
+ * - Checksum validation: detects modified migration files (BLOCKING — use
+ *   `allowDrift: true` to bypass when intentionally rewriting history)
  * - Each migration runs in its own transaction
+ *
+ * Throws `MigrationError` if any applied migration has been modified or deleted
+ * on disk, listing the offending files. Pass `{ allowDrift: true }` to bypass
+ * this check (the CLI exposes this as `--allow-drift`).
  */
 export async function migrateUp(connectionString, migrationsDir, options) {
     const client = new pg.Client({ connectionString });
     await client.connect();
+    // Treat `force` as an alias for `allowDrift` for backwards compatibility.
+    const allowDrift = options?.allowDrift === true || options?.force === true;
     try {
         // Acquire advisory lock to prevent concurrent migrations
         const gotLock = await acquireLock(client);
@@ -274,18 +281,35 @@ export async function migrateUp(connectionString, migrationsDir, options) {
         }
         try {
             await ensureTrackingTable(client);
-            // Validate checksums of already-applied migrations (skip with --force)
-            if (!options?.force) {
+            // Validate checksums of already-applied migrations.
+            // Drift = an APPLIED migration's on-disk file has changed (or been deleted)
+            // since it was run. Either situation means the database state and the
+            // migration history no longer agree, so we BLOCK the run by default.
+            // Users can pass `allowDrift: true` (CLI: `--allow-drift`) to force past
+            // the block when they are intentionally rewriting history.
+            if (!allowDrift) {
                 const mismatches = await validateChecksums(client, migrationsDir);
                 if (mismatches.length > 0) {
                     const modified = mismatches.filter((m) => m.type === 'modified');
                     const missing = mismatches.filter((m) => m.type === 'missing');
-                    const parts = [];
-                    if (modified.length > 0)
-                        parts.push(`modified: ${modified.map((m) => m.name).join(', ')}`);
-                    if (missing.length > 0)
-                        parts.push(`deleted: ${missing.map((m) => m.name).join(', ')}`);
-                    throw new MigrationError(`[turbine] Migration integrity check failed — ${parts.join('; ')}. Applied migrations should be immutable. Use --force to skip this check.`);
+                    const lines = [
+                        '[turbine] Migration drift detected — refusing to apply pending migrations.',
+                        '',
+                        'Applied migrations should be immutable. The following files no longer match their applied state:',
+                        '',
+                    ];
+                    for (const m of modified) {
+                        lines.push(`  - ${m.name}.sql  (modified on disk)`);
+                    }
+                    for (const m of missing) {
+                        lines.push(`  - ${m.name}.sql  (deleted from disk)`);
+                    }
+                    lines.push('');
+                    lines.push('Fix one of these:');
+                    lines.push('  1. Restore the file(s) to their original content, OR');
+                    lines.push('  2. Roll back the affected migrations with `npx turbine migrate down`, OR');
+                    lines.push('  3. Pass `--allow-drift` to bypass this check (advanced — make sure you know what you are doing).');
+                    throw new MigrationError(lines.join('\n'));
                 }
             }
             const applied = await getAppliedMigrations(client);

package/dist/cli/ui.d.ts

@@ -34,7 +34,7 @@ export declare const symbols: {
     readonly warning: "⚠" | "!";
     readonly dot: "." | "∙";
     readonly line: "─" | "-";
-    readonly vertLine: "│" | "|";
+    readonly vertLine: "|" | "│";
     readonly topLeft: "╭" | "+";
     readonly topRight: "+" | "╮";
     readonly bottomLeft: "+" | "╰";

package/dist/client.d.ts

@@ -22,7 +22,8 @@
  * ```
  */
 import pg from 'pg';
-import { type PipelineResults } from './pipeline.js';
+import { type ErrorMessageMode } from './errors.js';
+import { type PipelineOptions, type PipelineResults } from './pipeline.js';
 import { type DeferredQuery, QueryInterface, type QueryInterfaceOptions } from './query.js';
 import type { SchemaMetadata } from './schema.js';
 /**
@@ -110,6 +111,37 @@ export interface TurbineConfig {
     defaultLimit?: number;
     /** Log a warning when findMany() is called without a limit (default: false) */
     warnOnUnlimited?: boolean;
+    /**
+     * Controls how `NotFoundError` (and other where-aware errors) format their
+     * messages.
+     *
+     *   - `'safe'`    (default): the message includes only the keys of the where
+     *     clause (e.g. `where: { id, email }`). Values are redacted to avoid
+     *     leaking PII into error logs (Sentry, Datadog, etc.).
+     *   - `'verbose'`: the message includes the full JSON-serialized where
+     *     clause (e.g. `where: {"id":1,"email":"alice@x.com"}`).
+     *
+     * The full `where` object is always available as `err.where` for
+     * programmatic access regardless of mode.
+     */
+    errorMessages?: ErrorMessageMode;
+    /**
+     * Enable prepared statements. Queries are submitted with `{ name, text, values }`
+     * to the pg driver, which caches the parse+plan on the server per connection.
+     *
+     * Default: `true` for Turbine-owned pools, `false` for external pools (serverless
+     * drivers may not support named statements).
+     *
+     * Override with `TURBINE_DISABLE_PREPARED=1` env var.
+     */
+    preparedStatements?: boolean;
+    /**
+     * Enable the SQL template cache. Repeated queries with the same shape reuse
+     * cached SQL text instead of rebuilding from scratch.
+     *
+     * Default: `true`. Set to `false` as a nuclear kill switch.
+     */
+    sqlCache?: boolean;
 }
 /** Parameters passed to middleware functions */
 export interface MiddlewareParams {
@@ -221,9 +253,21 @@ export declare class TurbineClient {
     /**
      * Execute multiple queries in a single database round-trip.
      *
-     * Pass the result of any `.build*()` method on a table accessor.
+     * Two call styles:
+     *   - `db.pipeline(q1, q2, q3)` — rest params (backward-compatible)
+     *   - `db.pipeline([q1, q2, q3], { transactional: false })` — array + options
+     *
+     * On pg.Pool-backed connections with TCP, this uses the real Postgres
+     * extended-query pipeline protocol (one TCP flush, one round-trip).
+     * On HTTP-based drivers it falls back to sequential execution.
+     */
+    pipeline<T extends readonly DeferredQuery<unknown>[]>(...args: T | [T, PipelineOptions?]): Promise<PipelineResults<T>>;
+    /**
+     * Check whether the underlying pool supports the real pipeline protocol.
+     * Returns `true` for standard pg.Pool TCP connections, `false` for HTTP
+     * drivers (Neon HTTP, Vercel Postgres, etc.) and mock pools.
      */
-    pipeline<T extends readonly DeferredQuery<unknown>[]>(...queries: T): Promise<PipelineResults<T>>;
+    pipelineSupported(): Promise<boolean>;
     /**
      * Execute a raw SQL query with parameter interpolation via tagged templates.
      *

package/dist/client.js

@@ -22,8 +22,8 @@
  * ```
  */
 import pg from 'pg';
-import { TimeoutError, wrapPgError } from './errors.js';
-import { executePipeline } from './pipeline.js';
+import { setErrorMessageMode, TimeoutError, wrapPgError } from './errors.js';
+import { executePipeline, pipelineSupported } from './pipeline.js';
 import { QueryInterface } from './query.js';
 /** Maps isolation level names to SQL */
 const ISOLATION_LEVELS = {
@@ -128,9 +128,15 @@ export class TransactionClient {
         // Return a minimal pool-compatible object that routes queries
         // through the transaction client
         return {
-            query: async (text, values) => {
+            query: async (textOrConfig, values) => {
                 try {
-                    return await client.query(text, values);
+                    if (typeof textOrConfig === 'string') {
+                        return await client.query(textOrConfig, values);
+                    }
+                    // Object form for prepared statements: { name, text, values }
+                    // pg.PoolClient.query accepts QueryConfig but the overloads make TS
+                    // unhappy with the union, so we cast through unknown.
+                    return await client.query(textOrConfig);
                 }
                 catch (err) {
                     throw wrapPgError(err);
@@ -184,10 +190,19 @@ export class TurbineClient {
         }
         this.logging = config.logging ?? false;
         this.schema = schema;
+        // Respect env var kill switch
+        const envDisablePrepared = typeof process !== 'undefined' && process.env?.TURBINE_DISABLE_PREPARED === '1';
         this.queryOptions = {
             defaultLimit: config.defaultLimit,
             warnOnUnlimited: config.warnOnUnlimited,
+            preparedStatements: envDisablePrepared ? false : (config.preparedStatements ?? !config.pool),
+            sqlCache: config.sqlCache ?? true,
         };
+        // Apply NotFoundError message redaction mode (default: safe — values are
+        // stripped from messages to avoid leaking PII into error logs).
+        if (config.errorMessages) {
+            setErrorMessageMode(config.errorMessages);
+        }
         if (config.pool) {
             // External pool — use directly. Turbine doesn't manage its lifecycle.
             this.pool = config.pool;
@@ -295,13 +310,41 @@ export class TurbineClient {
     /**
      * Execute multiple queries in a single database round-trip.
      *
-     * Pass the result of any `.build*()` method on a table accessor.
+     * Two call styles:
+     *   - `db.pipeline(q1, q2, q3)` — rest params (backward-compatible)
+     *   - `db.pipeline([q1, q2, q3], { transactional: false })` — array + options
+     *
+     * On pg.Pool-backed connections with TCP, this uses the real Postgres
+     * extended-query pipeline protocol (one TCP flush, one round-trip).
+     * On HTTP-based drivers it falls back to sequential execution.
      */
-    async pipeline(...queries) {
+    async pipeline(...args) {
+        let queries;
+        let options;
+        // Detect which overload was used
+        if (args.length > 0 &&
+            Array.isArray(args[0]) &&
+            args[0].every((item) => item && typeof item === 'object' && 'sql' in item)) {
+            // Array form: pipeline([q1, q2], opts?)
+            queries = args[0];
+            options = args[1];
+        }
+        else {
+            // Rest-param form: pipeline(q1, q2, q3)
+            queries = args;
+        }
         if (this.logging) {
             console.log(`[turbine] Pipeline: ${queries.length} queries — ${queries.map((q) => q.tag).join(', ')}`);
         }
-        return executePipeline(this.pool, queries);
+        return executePipeline(this.pool, queries, options);
+    }
+    /**
+     * Check whether the underlying pool supports the real pipeline protocol.
+     * Returns `true` for standard pg.Pool TCP connections, `false` for HTTP
+     * drivers (Neon HTTP, Vercel Postgres, etc.) and mock pools.
+     */
+    async pipelineSupported() {
+        return pipelineSupported(this.pool);
     }
     // -------------------------------------------------------------------------
     // Raw SQL — tagged template literal escape hatch
@@ -392,6 +435,24 @@ export class TurbineClient {
     async $transaction(fn, options) {
         const client = await this.pool.connect();
         const timeout = options?.timeout;
+        /**
+         * Track whether the connection has already been released so the finally
+         * block doesn't double-release. When a timeout fires we destroy the
+         * connection eagerly to abort the in-flight backend query.
+         */
+        let released = false;
+        const releaseOnce = (err) => {
+            if (released)
+                return;
+            released = true;
+            try {
+                client.release(err);
+            }
+            catch {
+                // pg may throw if the client is already released — swallow.
+            }
+        };
+        let timedOut = false;
         try {
             // BEGIN with optional isolation level
             let beginSQL = 'BEGIN';
@@ -415,10 +476,22 @@ export class TurbineClient {
             }
             let result;
             if (timeout) {
-                // Race between the function and a timeout
+                // Race between the function and a timeout. If the timeout fires we
+                // need to actually abort the in-flight query — otherwise the backend
+                // keeps running until pg's own timeout, holding a pool slot the whole
+                // time. The simplest reliable cancellation is to destroy the
+                // connection: passing a truthy argument to client.release() tells the
+                // pg pool to discard the client (its socket is closed, which causes
+                // Postgres to abort the active query and roll back the transaction).
+                // The pool will spin up a fresh connection on the next checkout.
                 let timer;
                 const timeoutPromise = new Promise((_, reject) => {
                     timer = setTimeout(() => {
+                        timedOut = true;
+                        // Destroy the connection to abort the in-flight backend query.
+                        // We do this BEFORE rejecting so the socket is gone by the time
+                        // the caller's catch block runs.
+                        releaseOnce(new Error('[turbine] Transaction timeout — connection destroyed'));
                         reject(new TimeoutError(timeout, 'Transaction'));
                     }, timeout);
                 });
@@ -439,14 +512,25 @@ export class TurbineClient {
             return result;
         }
         catch (err) {
-            await client.query('ROLLBACK');
+            // If the timeout fired we already destroyed the connection — issuing a
+            // ROLLBACK on a released client would throw "Client has already been
+            // released". Skip the rollback in that case (the backend rolled back
+            // when its socket was closed).
+            if (!timedOut && !released) {
+                try {
+                    await client.query('ROLLBACK');
+                }
+                catch {
+                    // Best-effort rollback — the connection may have died mid-query.
+                }
+            }
             if (this.logging) {
                 console.log('[turbine] Transaction rolled back');
             }
             throw err;
         }
         finally {
-            client.release();
+            releaseOnce();
         }
     }
     // -------------------------------------------------------------------------

package/dist/errors.d.ts

@@ -17,6 +17,9 @@ export declare const TurbineErrorCode: {
     readonly FOREIGN_KEY_VIOLATION: "TURBINE_E009";
     readonly NOT_NULL_VIOLATION: "TURBINE_E010";
     readonly CHECK_VIOLATION: "TURBINE_E011";
+    readonly DEADLOCK_DETECTED: "TURBINE_E012";
+    readonly SERIALIZATION_FAILURE: "TURBINE_E013";
+    readonly PIPELINE: "TURBINE_E014";
 };
 export type TurbineErrorCode = (typeof TurbineErrorCode)[keyof typeof TurbineErrorCode];
 /** Base error class for all Turbine errors */
@@ -26,6 +29,30 @@ export declare class TurbineError extends Error {
         cause?: unknown;
     });
 }
+/**
+ * Controls whether NotFoundError messages include the actual `where` values
+ * (`'verbose'`) or only the where-clause keys (`'safe'`, the default).
+ *
+ * Defaults to `'safe'` to avoid leaking PII into error logs (Sentry, Datadog,
+ * etc.). The full `where` object is always available as `err.where` for
+ * programmatic access — only the human-readable message is redacted.
+ *
+ * Set via `setErrorMessageMode('verbose')` or by constructing TurbineClient
+ * with `{ errorMessages: 'verbose' }`.
+ */
+export type ErrorMessageMode = 'safe' | 'verbose';
+/**
+ * Set the global NotFoundError message mode. Called from the TurbineClient
+ * constructor when `TurbineConfig.errorMessages` is provided.
+ *
+ *   - `'safe'`    (default): the message includes only the keys of the where
+ *     clause (e.g. `where: { id, email }`). Values are redacted.
+ *   - `'verbose'`: the message includes the full JSON-serialized where
+ *     clause (e.g. `where: {"id":1,"email":"alice@x.com"}`).
+ */
+export declare function setErrorMessageMode(mode: ErrorMessageMode): void;
+/** Returns the current NotFoundError message mode. Exported for tests. */
+export declare function getErrorMessageMode(): ErrorMessageMode;
 /**
  * Thrown when a record is not found (findUniqueOrThrow, findFirstOrThrow,
  * update/delete against a non-matching row, etc.)
@@ -35,8 +62,16 @@ export declare class TurbineError extends Error {
  *   - `new NotFoundError({ table, where, operation, cause, message })`
  *
  * When called with an options object and no explicit `message`, a Prisma-style
- * message is built automatically, e.g.:
+ * message is built automatically. By default, only the where-clause keys are
+ * shown to avoid leaking PII into logs:
+ *   `[turbine] findUniqueOrThrow on "users" found no record matching where: { id }`
+ *
+ * Set `setErrorMessageMode('verbose')` (or pass `errorMessages: 'verbose'` to
+ * the TurbineClient constructor) to include the full where values:
  *   `[turbine] findUniqueOrThrow on "users" found no record matching where: {"id":1}`
+ *
+ * The full `where` object, `table`, and `operation` are always available as
+ * structured properties on the error instance regardless of mode.
  */
 export declare class NotFoundError extends TurbineError {
     readonly table?: string;
@@ -111,6 +146,57 @@ export declare class NotNullViolationError extends TurbineError {
         cause?: unknown;
     });
 }
+/**
+ * Thrown when Postgres detects a deadlock (pg code 40P01).
+ *
+ * This error is **retryable** — when caught, callers can safely retry the
+ * transaction (typically with backoff). Catch it explicitly:
+ *
+ * ```ts
+ * try {
+ *   await db.$transaction(async (tx) => { ... });
+ * } catch (err) {
+ *   if (err instanceof DeadlockError) {
+ *     // safe to retry
+ *   }
+ * }
+ * ```
+ */
+export declare class DeadlockError extends TurbineError {
+    /** Marks this error as safe to retry */
+    readonly isRetryable: true;
+    readonly constraint?: string;
+    constructor(opts?: {
+        message?: string;
+        constraint?: string;
+        cause?: unknown;
+    });
+}
+/**
+ * Thrown when a Serializable transaction fails due to a serialization
+ * conflict (pg code 40001 — `could not serialize access due to ...`).
+ *
+ * This error is **retryable** — by Postgres documentation, the recommended
+ * response is to re-run the entire transaction. Catch it explicitly:
+ *
+ * ```ts
+ * try {
+ *   await db.$transaction(async (tx) => { ... }, { isolationLevel: 'Serializable' });
+ * } catch (err) {
+ *   if (err instanceof SerializationFailureError) {
+ *     // safe to retry the whole transaction
+ *   }
+ * }
+ * ```
+ */
+export declare class SerializationFailureError extends TurbineError {
+    /** Marks this error as safe to retry */
+    readonly isRetryable: true;
+    constructor(opts?: {
+        message?: string;
+        cause?: unknown;
+    });
+}
 /** Thrown when a CHECK constraint is violated (pg code 23514) */
 export declare class CheckConstraintError extends TurbineError {
     readonly constraint?: string;
@@ -122,6 +208,49 @@ export declare class CheckConstraintError extends TurbineError {
         cause?: unknown;
     });
 }
+/** Result slot for a single query in a non-transactional pipeline */
+export type PipelineResultSlot = {
+    status: 'ok';
+    value: unknown;
+} | {
+    status: 'error';
+    error: Error;
+};
+/**
+ * Thrown when a non-transactional pipeline has partial failures.
+ *
+ * In non-transactional mode (`{ transactional: false }`), each query executes
+ * independently. If one or more queries fail, the pipeline rejects with a
+ * `PipelineError` that carries per-query results so callers can inspect which
+ * succeeded and which failed.
+ *
+ * ```ts
+ * try {
+ *   await db.pipeline([q1, q2, q3], { transactional: false });
+ * } catch (err) {
+ *   if (err instanceof PipelineError) {
+ *     for (const slot of err.results) {
+ *       if (slot.status === 'error') console.error(slot.error);
+ *     }
+ *   }
+ * }
+ * ```
+ */
+export declare class PipelineError extends TurbineError {
+    /** Per-query results: each slot is either `{status:'ok', value}` or `{status:'error', error}` */
+    readonly results: PipelineResultSlot[];
+    /** Zero-based index of the first query that failed */
+    readonly failedIndex?: number;
+    /** Tag of the first query that failed (from DeferredQuery.tag) */
+    readonly failedTag?: string;
+    constructor(opts: {
+        message?: string;
+        results: PipelineResultSlot[];
+        failedIndex?: number;
+        failedTag?: string;
+        cause?: unknown;
+    });
+}
 /**
  * Translate a pg driver error into a typed Turbine error.
  * If the error doesn't match a known constraint code, returns it unchanged.
@@ -131,6 +260,8 @@ export declare class CheckConstraintError extends TurbineError {
  *   23503 (foreign_key_violation) -> ForeignKeyError
  *   23502 (not_null_violation)    -> NotNullViolationError
  *   23514 (check_violation)       -> CheckConstraintError
+ *   40P01 (deadlock_detected)     -> DeadlockError       (retryable)
+ *   40001 (serialization_failure) -> SerializationFailureError (retryable)
  *
  * The original pg error is preserved as `.cause` on the wrapped error.
  */