triton6564685/gbrain
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

v0.18.2: migration hardening — integrity fix + reserved-connection primitive (#356)
Some checks failed
E2E Tests / Tier 1 (Mechanical) (push) Failing after 29s
Details
Test / gitleaks (push) Failing after 10s
Details
Test / test (push) Failing after 26s
Details
E2E Tests / Tier 2 (LLM Skills) (push) Has been skipped
Details

Browse Source 
* fix: migration hardening — timeout handling, lock detection, diagnostics

Addresses all 8 issues from the v0.18.0 production upgrade field report:

1. LATEST_VERSION now uses Math.max() instead of array-last (was wrong
   when MIGRATIONS array is out of order: [.., 23, 22, 21, 20, 15, 16])

2. Pre-flight lock check: runMigrations() queries pg_stat_activity for
   idle-in-transaction connections >5min before attempting DDL, prints
   PIDs and kill advice

3. SET LOCAL statement_timeout = 600s inside migration transactions for
   Supabase compatibility (server-enforced timeout overrides session SET)

4. Catches Postgres error 57014 (statement_timeout) with actionable
   diagnostics instead of raw stack trace

5. Better progress output: prints schema version range, migration names
   before/after, checkmarks on success

6. Migration 21 fix: drops files.page_slug_fkey before swapping the
   pages unique constraint (guarded for PGLite which has no files table)

7. idle_in_transaction_session_timeout = 5min on all Postgres connections
   (both instance-level and module-level) to prevent 24h stale locks

8. apply-migrations CLI warns when schema migrations are pending, since
   it only runs orchestrator migrations (System B) not schema DDL (System A)

All 34 migrate tests pass. Typecheck clean.

* feat(engine): BrainEngine.withReservedConnection() primitive + DRY session defaults

Adds a ReservedConnection interface and withReservedConnection(fn) method to
BrainEngine. Postgres uses postgres-js sql.reserve() to pin a single backend for
the callback; PGLite passes through its single backing connection. Used
immediately for non-transactional DDL timeout handling (next commit) and
foundation for the future write-quiesce design.

Extracts setSessionDefaults(sql) helper in db.ts, absorbing the duplicated
idle_in_transaction_session_timeout block that was copy-pasted between db.ts and
postgres-engine.ts (Gap 5 / ER-C1). Single write site, both connect paths call
the helper now.

Codex plan-review flagged that advisory-lock designs on postgres.js pools
require a reserved-connection primitive; this is that primitive.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(migrate): close v21/v23 integrity window + non-transactional DDL timeout

Two codex-caught issues that both the initial review and the engineering review
missed:

1. Migration 21 integrity window. Original v21 dropped files_page_slug_fkey and
   persisted config.version=21, leaving files WITHOUT any FK to pages until v23
   ran and added the replacement files.page_id. Process death between v21 and
   v23 left files unconstrained while file_upload / `gbrain files` kept
   accepting writes. Fix: v21 uses sqlFor to split engines (Postgres gets
   additive-only, PGLite gets the full UNIQUE swap since it has no concurrent
   writers). v23's handler now wraps the FK drop + UNIQUE swap + page_id
   addition + backfill + ledger creation in one engine.transaction(). Atomic.

2. Non-transactional DDL timeout gap. runMigrationSQL's else-branch (for
   migrations with transaction:false, like CREATE INDEX CONCURRENTLY) ran the
   DDL on the shared pool with no timeout override. Supabase's 2-min server
   statement_timeout would abort a CONCURRENTLY index on any large table.
   Fix: use engine.withReservedConnection + SET statement_timeout='600000'
   inside the isolated connection.

Also: extracted getIdleBlockers(engine) helper — single source of truth for the
pg_stat_activity query. Shared by the DDL pre-flight warning and the new
`gbrain doctor --locks` CLI (next commit).

57014 diagnostic rewritten to the 4-part "what / why / fix / verify" pattern.
No longer references a non-existent CLI flag.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* feat(doctor): gbrain doctor --locks CLI flag

The v0.18.0 57014 diagnostic referenced `gbrain doctor --locks` but the flag
didn't exist. Users hitting statement_timeout would run the suggested command
and get "unknown option". Implemented now.

On Postgres: queries pg_stat_activity via the new getIdleBlockers() helper,
prints each blocker's PID, state, query_start, truncated query, and the exact
`SELECT pg_terminate_backend(<pid>);` command. Exits 1 on blockers, 0 on clean.

On PGLite: prints "not applicable" (no pool, no idle-in-tx concept) and exits
0. The flag is a safe no-op there.

--json emits structured output: {status, blockers: [...]}.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* test: migration hardening regression guards (unit + E2E)

test/migrate.test.ts — 10 new regression guards:
- LATEST_VERSION equals max(versions) under any array order. Guards against
  regression to array[-1] (the field report's "told I'm at v16 while 7
  migrations behind" bug).
- getIdleBlockers shape: pglite returns [], postgres returns rows, query
  failure returns [] (not throw).
- 57014 catch path: mocked engine throws err.code='57014', assert the 4-part
  diagnostic hits stderr with what/why/fix/verify markers.
- apply-migrations pre-flight warning structural check.
- setSessionDefaults DRY check: helper defined once in db.ts, postgres-engine
  calls it, neither path inlines the SET.
- runMigrationSQL reserved-connection usage structural check.
- Migration 21 test updates for engine-split sqlFor (codex restructure).
- Migration 23 atomic-transaction assertion.

test/e2e/migrate-chain.test.ts (new): 11 E2E tests against real Postgres:
- Post-chain schema invariants (composite UNIQUE exists, old pages_slug_key
  gone, files_page_slug_fkey gone, files.page_id column present,
  file_migration_ledger table populated).
- doctor --locks real-PG integration (second connection + BEGIN + idle,
  assert the PID appears in pg_stat_activity).
- runMigrationsUpTo advances config.version to target, not past.
- withReservedConnection round-trip (executes queries, session GUC visible
  inside callback).

test/e2e/helpers.ts: new runMigrationsUpTo(engine, targetVersion) and
setConfigVersion(version) helpers. The v15→v23 chain E2E needed a way to stop
at intermediate schema versions; neither `gbrain init --migrate-only` nor the
existing setupDB() supported this. Codex caught that the proposed E2E wasn't
implementable without new harness work.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* chore: bump version and changelog (v0.18.2)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* docs(changelog): rewrite v0.18.2 entry to match gstack CLAUDE.md format

Applied the gstack CHANGELOG style rules from ~/git/gstack/CLAUDE.md:

- Two-line bold headline lands a verdict, not a feature list.
- Single coherent lead story instead of "Second headline... Third headline..."
- "The numbers that matter" table with BEFORE / AFTER / Δ columns, counted
  against the v0.18.0 field report (the concrete source).
- "What this means for your workflow" closing paragraph with the 4-command
  recovery path.
- TODOS.md references removed from user-facing body (explicit rule: never
  mention TODOS, internal tracking, or contributor-facing details in the
  user-read portion).
- Contributor-only detail (helper extraction, test file paths, interface
  specifics) moved to a "For contributors" subsection.
- Itemized changes reorganized as Added / Changed / Fixed / For contributors.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* docs(changelog): v0.18.2 voice-rule audit — headline, em dashes

Audit against ~/git/gstack/CLAUDE.md voice rules:

- Headline tightened from 32 words to 19 (rule says 10-14; repo convention
  on v0.18.1 was 22, this is closer).
- Em dashes removed from 7 lines. Replaced with commas, colons, or periods
  per the "no em dashes" rule.
- AI vocabulary audit: clean.
- Banned phrases audit: clean.

Content unchanged. Only voice/punctuation.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: root <root@localhost>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Garry Tan
2026-04-23 10:39:28 -07:00
committed by GitHub
parent 275158137a
commit 08b3698e90
14 changed files with 1121 additions and 143 deletions
Download Patch File Download Diff File Expand all files Collapse all files

87
CHANGELOG.md
View File

@@ -2,6 +2,93 @@
All notable changes to GBrain will be documented in this file.
## [0.18.2] - 2026-04-23
## **Migrations survive a crash and Supabase's 2-min ceiling.**
## **`gbrain doctor --locks` finds the connection blocking your upgrade.**
The v0.18.0 production upgrade shipped a field report of 8 issues: statement timeouts, stale idle connections, a schema version that lied, a cryptic FK dependency error. The original PR #356 fix covered all 8. A codex plan-review pass found 3 more that neither the initial review nor the eng review caught. This release lands the lot.
The quiet win: if your brain crashes mid-migration on Postgres, it rolls back cleanly now. Before v0.18.2, a process death between migrations 21 and 23 left your `files` table with no FK to `pages` while uploads kept going. The window is closed. DDL either commits entirely or not at all.
The visible win: `gbrain doctor --locks` works. Before v0.18.2 the 57014 timeout error told you to run this command, but the flag didn't exist. Now it does. It shows you every idle-in-transaction backend older than 5 minutes and gives you the exact `pg_terminate_backend(<pid>)` to free them up. One command, one paste, done.
The large-brain win: `CREATE INDEX CONCURRENTLY` no longer gets killed at 2 minutes. The migration runner now reserves a dedicated connection and sets session-level `statement_timeout='600000'` before running non-transactional DDL. Brains at 500K+ pages can run the next schema change without timing out silently.
### The numbers that matter
Counted against the v0.18.0 field report (the production upgrade that prompted this release):
| Metric | BEFORE v0.18.2 | AFTER v0.18.2 | Δ |
|--------|----------------|---------------|---|
| Field-report issues causing production failure | 8 | 0 | 8 |
| Integrity windows between migrations | 1 (v21 → v23) | 0 | 1 |
| `CREATE INDEX CONCURRENTLY` exposed to 2-min timeout | yes | no (10-min override) | fixed |
| Agent-runnable lock diagnostic | missing | `gbrain doctor --locks` | added |
| Regression tests on hardening paths | structural SQL asserts only | 10 unit + 11 real-PG E2E | +21 |
| 57014 error: references a flag that exists | no | yes | fixed |
The striking number: 3 of the 11 findings in this release came from a second AI model (codex) reviewing the plan after the first model (Claude) had already cleared CEO + Eng review. Two-model review catches what one-model review misses. The migration-21 integrity window in particular would have shipped as a new bug if the plan hadn't been challenged.
### What this means for your workflow
Most users: run `gbrain upgrade`. Nothing else to do. Existing brains at schema v21 or v22 are safe, the old FK stayed intact through the original PR #356 path, and the new atomic commit means a future crash can't leave you stranded.
If a migration hits `statement_timeout`, the error message now tells you exactly what to do: `gbrain doctor --locks` to find the blocker, terminate, re-run `gbrain apply-migrations --yes`, verify with `gbrain doctor`. Four commands, top-to-bottom.
Running a 500K-page brain on Supabase? The next migration that touches a hot table won't hang silently on you.
### Itemized changes
#### Added
- `gbrain doctor --locks`: lists idle-in-transaction backends older than 5 minutes with PID + `pg_terminate_backend` commands. Exits 1 when blockers found. `--json` emits structured output. Postgres-only; PGLite prints "not applicable".
- `BrainEngine.withReservedConnection(fn)`: runs callback on a dedicated pool connection. Postgres via `sql.reserve()`, PGLite as a pass-through.
#### Changed
- Migration 21 split into engine-specific paths. Postgres is additive-only (adds `pages.source_id` + index). PGLite gets the full UNIQUE-key swap inline. The FK drop + UNIQUE swap that used to live in v21 moved into v23's handler.
- Migration 23 handler now wraps its entire DDL sequence (FK drop, UNIQUE swap, `files.source_id` + `files.page_id` addition, `page_id` backfill, `file_migration_ledger` creation) in a single `engine.transaction()`. Atomic commit; process-death rolls back to v22 state.
- Non-transactional migrations (`CREATE INDEX CONCURRENTLY`) now run on a reserved connection with session-level `SET statement_timeout='600000'`. Safe on PgBouncer transaction pooling because the connection is isolated from the shared pool.
- 57014 (`statement_timeout`) diagnostic rewritten to the 4-part pattern: what happened, why, exact commands to fix, how to verify.
#### Fixed
- Migration 21 integrity window. Previously v21 dropped `files_page_slug_fkey` and persisted `config.version=21`, but the replacement `files.page_id` column wasn't added until v23. Process-death between them left `files` unconstrained while `file_upload` / `gbrain files` kept accepting writes. The FK drop now lives inside v23's atomic transaction.
- `gbrain doctor --locks` flag referenced by the v0.18.0 57014 error message but not implemented. The flag exists now.
#### For contributors
- `setSessionDefaults(sql)` helper in `src/core/db.ts` absorbs the duplicated `idle_in_transaction_session_timeout` block from `postgres-engine.ts`. Both connect paths call the helper; the SET appears exactly once in source.
- `getIdleBlockers(engine)` exported from `src/core/migrate.ts`: single source of truth for the `pg_stat_activity` query. Shared by the pre-flight warning and `gbrain doctor --locks`.
- `ReservedConnection` interface exposes `executeRaw(sql, params?)` only. Minimal surface, easy to mock. Not safe to call from inside `transaction()`; the interface doc says so.
- `test/e2e/helpers.ts` adds `runMigrationsUpTo(engine, targetVersion)` + `setConfigVersion(version)`: enables mid-chain migration tests that neither `gbrain init --migrate-only` nor the existing `setupDB()` supported.
- `test/migrate.test.ts`: 10 new regression guards (`Math.max` robustness under array scrambling, `getIdleBlockers` shape across engines, 57014 catch path structural check, pre-flight warning, `setSessionDefaults` DRY, reserved-connection usage in `runMigrationSQL`).
- `test/e2e/migrate-chain.test.ts` (new): 11 E2E tests against real Postgres covering post-chain schema invariants, `doctor --locks` real-connection detection, `runMigrationsUpTo` advancement semantics, `withReservedConnection` round-trip.
Credit: codex plan-review caught the migration-21 integrity window, the non-transactional DDL timeout gap, and the missing `doctor --locks` CLI. The initial Claude review and the Claude-model eng review both missed them.
## To take advantage of v0.18.2
`gbrain upgrade` should do this automatically. If it didn't, or if `gbrain doctor`
warns about a partial migration:
1. **Run the orchestrator manually:**
```bash
gbrain apply-migrations --yes
```
2. **Verify the outcome:**
```bash
gbrain doctor # schema_version should match latest
gbrain doctor --locks # should exit 0 (no idle-in-tx blockers)
```
3. **If `statement_timeout` fires during migration,** the new 4-part diagnostic
tells you exactly what to do: run `gbrain doctor --locks`, terminate
blockers, re-run `gbrain apply-migrations --yes`.
4. **If anything fails,** file an issue: https://github.com/garrytan/gbrain/issues
with output of `gbrain doctor` and `~/.gbrain/upgrade-errors.jsonl` (if it
exists).
## [0.18.1] - 2026-04-22
## **Row Level Security hardening pass.**

25
TODOS.md
View File

@@ -244,6 +244,31 @@ board" — likely an advisor-role page prior plus verb-pattern combinations.
## P2
### Orchestrator + runner double-write to migrations ledger (deferred from v0.18.2 codex review)
**What:** `src/commands/migrations/v0_18_0.ts:200-208` appends an entry to `~/.gbrain/migrations/completed.jsonl` while `src/commands/apply-migrations.ts:374-386` also appends one for the same orchestrator run. The dedupe guard in `src/core/preferences.ts:120-131` only suppresses duplicate `complete` entries, not `partial` entries. Result: distorted wedge counting (3-consecutive-partials-triggers-wedge logic sees 6 partials when it should see 3).
**Why:** Codex plan-review caught this during PR #356 while verifying the two-migration-systems resume boundary. Not blocking v0.18.2 shipping because it only affects the wedge detection threshold, not correctness of the migration itself.
**Fix:** Pick one writer (prefer `apply-migrations.ts` runner as the single source of truth, remove the orchestrator-side append). Fold into `feat/agent-migration-devex` follow-up PR, which already touches both files for the migrate-command consolidation work.
**Depends on:** v0.18.2 shipped. ✅
### 22K-page resync is 30+ minutes on large brains (deferred from v0.18.2 codex review)
**What:** When a schema migration requires data backfill (e.g., computing `page_id` from `page_slug` across all `files` rows), `src/commands/sync.ts:248-251, 311-337` iterates per-file. None of v0.18.2's hardening work shrinks this path. On a 22K-page brain the resync takes 30+ minutes; at 500K pages it would be several hours.
**Why:** Codex explicitly called out that none of PR #356 or the two follow-up PRs addresses the resync execution model. This is a separate performance-design problem.
**Options to explore:**
- (a) Parallel page import via worker pool (Minions-based).
- (b) Bulk COPY-based import replacing the per-file INSERT.
- (c) Incremental resync that only rewrites changed rows (needs content hash or updated_at gating).
**Priority:** P2 now, upgrade to P1 if another heavy migration ships that needs backfill at this scale.
**Depends on:** v0.18.2 shipped. ✅
### Minions: `gbrain jobs stats --orphaned` (deferred from v0.13.0)
**What:** New CLI flag / output column surfacing jobs that are waiting with no registered handler on any live worker.

2
VERSION
View File

@@ -1 +1 @@
0.18.1
0.18.2

2
package.json
View File

@@ -1,6 +1,6 @@
{
"name": "gbrain",
"version": "0.18.1",
"version": "0.18.2",
"description": "Postgres-native personal knowledge brain with hybrid RAG search",
"type": "module",
"main": "src/core/index.ts",

28
src/commands/apply-migrations.ts
View File

@@ -278,6 +278,34 @@ export async function runApplyMigrations(args: string[]): Promise<void> {
return;
}
// Pre-flight: warn if schema migrations (migrate.ts) are behind.
// apply-migrations runs orchestrator migrations only; schema migrations
// run via connectEngine() / initSchema(). Users often expect this CLI
// to handle everything (Issue 1 from v0.18.0 field report).
try {
const { LATEST_VERSION } = await import('../core/migrate.ts');
const { loadConfig: lc, toEngineConfig } = await import('../core/config.ts');
const { createEngine } = await import('../core/engine-factory.ts');
const cfg = lc();
if (cfg) {
const eng = await createEngine(toEngineConfig(cfg));
await eng.connect(toEngineConfig(cfg));
const verStr = await eng.getConfig('version');
const schemaVer = parseInt(verStr || '1', 10);
await eng.disconnect();
if (schemaVer < LATEST_VERSION) {
console.warn(
`\n⚠ Schema version ${schemaVer} is behind latest ${LATEST_VERSION}.\n` +
` Schema migrations run automatically on next connectEngine() / initSchema().\n` +
` To run them now: gbrain init --migrate-only\n`,
);
}
}
} catch {
// Non-fatal: if DB is unreachable, orchestrator migrations can still
// run their filesystem-only phases.
}
const completed = loadCompletedMigrations();
const idx = indexCompleted(completed);
const plan = buildPlan(idx, installed, cli.specificMigration);

70
src/commands/doctor.ts
View File

@@ -1,6 +1,6 @@
import type { BrainEngine } from '../core/engine.ts';
import * as db from '../core/db.ts';
import { LATEST_VERSION } from '../core/migrate.ts';
import { LATEST_VERSION, getIdleBlockers } from '../core/migrate.ts';
import { checkResolvable } from '../core/check-resolvable.ts';
import { autoFixDryViolations, type AutoFixReport, type FixOutcome } from '../core/dry-fix.ts';
import { findRepoRoot } from '../core/repo-root.ts';
@@ -33,6 +33,19 @@ export async function runDoctor(engine: BrainEngine | null, args: string[], dbSo
const fastMode = args.includes('--fast');
const doFix = args.includes('--fix');
const dryRun = args.includes('--dry-run');
const locksMode = args.includes('--locks');
// --locks is a focused diagnostic: it runs the same pg_stat_activity
// query that `runMigrations` pre-flight uses, prints any idle-in-tx
// backends, and exits. Used by a user (or the migrate.ts error 57014
// message) who just hit a statement_timeout and needs to find the
// blocker. Referenced from migrate.ts's 57014 diagnostic — that
// message promised this flag exists.
if (locksMode) {
await runLocksCheck(engine, jsonOutput);
return;
}
const checks: Check[] = [];
let autoFixReport: AutoFixReport | null = null;
@@ -754,3 +767,58 @@ function outputResults(checks: Check[], json: boolean): boolean {
}
return hasFail;
}
/**
* `gbrain doctor --locks` — list idle-in-transaction backends older
* than 5 minutes that could block DDL. Exits 0 on clean, 1 on blockers.
*
* Agents hitting a statement_timeout (SQLSTATE 57014) during migration
* need a one-command path to find and kill the blocker. migrate.ts's
* 57014 diagnostic references this flag by name; keep the two in sync.
*
* Postgres-only. PGLite has no pool, no idle-in-tx concept, so the
* check prints a one-liner and exits 0.
*/
async function runLocksCheck(engine: BrainEngine | null, jsonOutput: boolean): Promise<void> {
if (!engine) {
if (jsonOutput) {
console.log(JSON.stringify({ status: 'unavailable', reason: 'no_engine' }));
} else {
console.log('gbrain doctor --locks requires a database connection. Configure a URL and retry.');
}
process.exit(1);
}
if (engine.kind !== 'postgres') {
if (jsonOutput) {
console.log(JSON.stringify({ status: 'not_applicable', engine: engine.kind }));
} else {
console.log(`gbrain doctor --locks is Postgres-only. Current engine: ${engine.kind}. No blockers possible (no connection pool).`);
}
return;
}
const blockers = await getIdleBlockers(engine);
if (jsonOutput) {
console.log(JSON.stringify({ status: blockers.length === 0 ? 'ok' : 'blockers_found', blockers }, null, 2));
if (blockers.length > 0) process.exit(1);
return;
}
if (blockers.length === 0) {
console.log('✓ No idle-in-transaction backends older than 5 minutes.');
return;
}
console.log(`Found ${blockers.length} idle-in-transaction backend(s) older than 5 minutes:\n`);
for (const b of blockers) {
console.log(` PID ${b.pid} (idle since ${b.query_start})`);
console.log(` Query: ${b.query}`);
console.log(` Kill: SELECT pg_terminate_backend(${b.pid});`);
console.log('');
}
console.log('These connections may block ALTER TABLE DDL during migration.');
console.log('After terminating, retry: gbrain apply-migrations --yes');
process.exit(1);
}

25
src/core/db.ts
View File

@@ -71,6 +71,29 @@ export function resolvePoolSize(explicit?: number): number {
return DEFAULT_POOL_SIZE_FALLBACK;
}
/**
* Apply session-level defaults to a fresh connection. Called from both
* the module-level `connect()` singleton and the PostgresEngine
* instance-level pool so the idle-in-transaction session timeout is set
* uniformly.
*
* `idle_in_transaction_session_timeout = 5 min` was the v0.18.0 field
* report's headline production issue: a 24-hour idle connection was
* holding a lock on `pages` and blocking all DDL. 5 minutes is generous
* for any legitimate transaction but catches crashed writers. The GUC
* is session-scoped (safe for shared pools — no cross-statement leak).
*
* Wrapped in try/catch because some managed Postgres tenants restrict
* SET on the GUC; non-fatal if it fails.
*/
export async function setSessionDefaults(sql: ReturnType<typeof postgres>): Promise<void> {
try {
await sql`SET idle_in_transaction_session_timeout = '300000'`;
} catch {
// Non-fatal: some managed Postgres may restrict this GUC
}
}
export function getConnection(): ReturnType<typeof postgres> {
if (!sql) {
throw new GBrainError(
@@ -124,6 +147,8 @@ export async function connect(config: EngineConfig): Promise<void> {
// Test connection
await sql`SELECT 1`;
connectedUrl = url;
await setSessionDefaults(sql);
} catch (e: unknown) {
sql = null;
connectedUrl = null;

31
src/core/engine.ts
View File

@@ -60,6 +60,31 @@ export interface TimelineBatchInput {
source_id?: string;
}
/**
* A single dedicated database connection, isolated from the engine's pool.
*
* Used by migration paths that need session-level GUCs (e.g.
* `SET statement_timeout = '600000'` before a `CREATE INDEX CONCURRENTLY`)
* without leaking into the shared pool, and by write-quiesce designs
* that need a session-lifetime Postgres advisory lock that survives
* across transaction boundaries.
*
* On Postgres: backed by postgres-js `sql.reserve()`; the same backend
* process serves every `executeRaw` call within the callback. Released
* automatically when the callback returns or throws.
*
* On PGLite: a thin pass-through. PGLite has no pool, so every call is
* already on the single backing connection. The interface is still
* exposed so cross-engine callers don't need to branch.
*
* Not safe to call from inside `transaction()`. The transaction holds a
* different backend; reserving a second one can deadlock on a row the
* transaction itself is waiting to write.
*/
export interface ReservedConnection {
executeRaw<T = Record<string, unknown>>(sql: string, params?: unknown[]): Promise<T[]>;
}
/** Maximum results returned by search operations. Internal bulk operations (listPages) are not clamped. */
export const MAX_SEARCH_LIMIT = 100;
@@ -79,6 +104,12 @@ export interface BrainEngine {
disconnect(): Promise<void>;
initSchema(): Promise<void>;
transaction<T>(fn: (engine: BrainEngine) => Promise<T>): Promise<T>;
/**
* Run `fn` with a dedicated connection (Postgres: reserved backend;
* PGLite: pass-through). See `ReservedConnection` for semantics and
* usage constraints. Release is automatic.
*/
withReservedConnection<T>(fn: (conn: ReservedConnection) => Promise<T>): Promise<T>;
// Pages CRUD
getPage(slug: string): Promise<Page | null>;

419
src/core/migrate.ts
View File

@@ -472,64 +472,107 @@ export const MIGRATIONS: Migration[] = [
sql: '',
handler: async (engine) => {
if (engine.kind === 'pglite') return;
await engine.runMigration(19, `
-- 1a. source_id with DEFAULT 'default' (idempotent)
ALTER TABLE files ADD COLUMN IF NOT EXISTS source_id TEXT
NOT NULL DEFAULT 'default' REFERENCES sources(id) ON DELETE CASCADE;
CREATE INDEX IF NOT EXISTS idx_files_source_id ON files(source_id);
-- 1b. page_id (nullable; pre-v0.17 files pointed at page_slug
-- which was ON DELETE SET NULL, so we keep the same nullable
-- semantic — orphaned files are legal).
ALTER TABLE files ADD COLUMN IF NOT EXISTS page_id INTEGER
REFERENCES pages(id) ON DELETE SET NULL;
CREATE INDEX IF NOT EXISTS idx_files_page_id ON files(page_id);
`);
// Atomic: FK drop + UNIQUE swap + files.page_id addition +
// backfill + ledger, all in one transaction. Closes the
// pre-v23 integrity window where files_page_slug_fkey was
// dropped in v21 but the replacement files.page_id didn't
// exist until v23 ran — process death in between left files
// unconstrained while file_upload kept writing (codex finding).
//
// Rollback scenarios:
// - Die mid-transaction → Postgres rolls back, files_page_slug_fkey
// still exists, config.version stays at 22. Retry restarts cleanly.
// - Die after commit but before setConfig(version=23) → all DDL
// committed, config.version still 22, retry re-runs everything
// with IF NOT EXISTS / NOT EXISTS guards idempotently.
await engine.transaction(async (tx) => {
// 0a. Drop files_page_slug_fkey (deferred from v21 to keep
// the FK intact across v21/v22 and remove it inside the
// same txn that adds the replacement page_id path).
// Guard against PGLite just in case (already returned above).
await tx.runMigration(23, `
DO $$ BEGIN
IF EXISTS (SELECT 1 FROM information_schema.tables WHERE table_name = 'files') THEN
ALTER TABLE files DROP CONSTRAINT IF EXISTS files_page_slug_fkey;
END IF;
END $$;
`);
await engine.runMigration(19, `
-- 1c. Backfill page_id from existing page_slug. Scoped to
-- source_id='default' because pre-v0.17 pages ALL lived in
-- the default source. Without this scope, after new sources
-- get added mid-migration, the JOIN could hit the wrong
-- page (different source, same slug).
UPDATE files f
SET page_id = p.id
FROM pages p
WHERE f.page_slug = p.slug
AND p.source_id = 'default'
AND f.page_id IS NULL;
`);
// 0b. Swap pages.UNIQUE(slug) → UNIQUE(source_id, slug).
// Deferred from v21 so PR #356 closes the integrity
// window. PGLite already did this swap in its v21 path.
await tx.runMigration(23, `
ALTER TABLE pages DROP CONSTRAINT IF EXISTS pages_slug_key;
DO $$ BEGIN
IF NOT EXISTS (
SELECT 1 FROM pg_constraint WHERE conname = 'pages_source_slug_key'
) THEN
ALTER TABLE pages ADD CONSTRAINT pages_source_slug_key
UNIQUE (source_id, slug);
END IF;
END $$;
`);
await engine.runMigration(19, `
-- 2. file_migration_ledger — drives the storage object rewrite
-- in the v0_18_0 orchestrator's phase B. Seeded from current
-- files rows; re-seed is idempotent via NOT EXISTS guard.
CREATE TABLE IF NOT EXISTS file_migration_ledger (
file_id INTEGER PRIMARY KEY REFERENCES files(id) ON DELETE CASCADE,
storage_path_old TEXT NOT NULL,
storage_path_new TEXT NOT NULL,
status TEXT NOT NULL DEFAULT 'pending',
error TEXT,
updated_at TIMESTAMPTZ NOT NULL DEFAULT now(),
CONSTRAINT chk_ledger_status CHECK (status IN ('pending','copy_done','db_updated','complete','failed'))
);
CREATE INDEX IF NOT EXISTS idx_file_migration_ledger_status
ON file_migration_ledger(status) WHERE status != 'complete';
// 1a. source_id with DEFAULT 'default' (idempotent)
await tx.runMigration(23, `
ALTER TABLE files ADD COLUMN IF NOT EXISTS source_id TEXT
NOT NULL DEFAULT 'default' REFERENCES sources(id) ON DELETE CASCADE;
CREATE INDEX IF NOT EXISTS idx_files_source_id ON files(source_id);
-- Seed the ledger with every existing file. New path prefixes
-- source_id so multi-source can land assets under their own
-- bucket path without collision.
INSERT INTO file_migration_ledger (file_id, storage_path_old, storage_path_new, status)
SELECT
f.id,
f.storage_path,
COALESCE(f.source_id, 'default') || '/' || f.storage_path,
'pending'
FROM files f
WHERE NOT EXISTS (
SELECT 1 FROM file_migration_ledger l WHERE l.file_id = f.id
);
`);
-- 1b. page_id (nullable; pre-v0.17 files pointed at page_slug
-- which was ON DELETE SET NULL, so we keep the same nullable
-- semantic — orphaned files are legal).
ALTER TABLE files ADD COLUMN IF NOT EXISTS page_id INTEGER
REFERENCES pages(id) ON DELETE SET NULL;
CREATE INDEX IF NOT EXISTS idx_files_page_id ON files(page_id);
`);
// 1c. Backfill page_id from existing page_slug. Scoped to
// source_id='default' because pre-v0.17 pages ALL lived in
// the default source. Without this scope, after new sources
// get added mid-migration, the JOIN could hit the wrong
// page (different source, same slug).
await tx.runMigration(23, `
UPDATE files f
SET page_id = p.id
FROM pages p
WHERE f.page_slug = p.slug
AND p.source_id = 'default'
AND f.page_id IS NULL;
`);
// 2. file_migration_ledger — drives the storage object rewrite
// in the v0_18_0 orchestrator's phase B. Seeded from current
// files rows; re-seed is idempotent via NOT EXISTS guard.
await tx.runMigration(23, `
CREATE TABLE IF NOT EXISTS file_migration_ledger (
file_id INTEGER PRIMARY KEY REFERENCES files(id) ON DELETE CASCADE,
storage_path_old TEXT NOT NULL,
storage_path_new TEXT NOT NULL,
status TEXT NOT NULL DEFAULT 'pending',
error TEXT,
updated_at TIMESTAMPTZ NOT NULL DEFAULT now(),
CONSTRAINT chk_ledger_status CHECK (status IN ('pending','copy_done','db_updated','complete','failed'))
);
CREATE INDEX IF NOT EXISTS idx_file_migration_ledger_status
ON file_migration_ledger(status) WHERE status != 'complete';
-- Seed the ledger with every existing file. New path prefixes
-- source_id so multi-source can land assets under their own
-- bucket path without collision.
INSERT INTO file_migration_ledger (file_id, storage_path_old, storage_path_new, status)
SELECT
f.id,
f.storage_path,
COALESCE(f.source_id, 'default') || '/' || f.storage_path,
'pending'
FROM files f
WHERE NOT EXISTS (
SELECT 1 FROM file_migration_ledger l WHERE l.file_id = f.id
);
`);
});
},
},
{
@@ -560,39 +603,53 @@ export const MIGRATIONS: Migration[] = [
{
version: 21,
name: 'pages_source_id_composite_unique',
// v0.18.0 Step 2 (Lane B) — adds pages.source_id with DEFAULT 'default'
// and swaps the global UNIQUE(slug) for the composite UNIQUE(source_id,
// slug). Lands alongside the engine SQL rewrite that makes every
// ON CONFLICT (slug) → ON CONFLICT (source_id, slug) so the constraint
// swap is atomic with the code that writes under it.
// v0.18.0 Step 2 (Lane B) — adds pages.source_id. Engine-split after
// codex caught the pre-v23 integrity window:
//
// DEFAULT 'default' is load-bearing: closes the Codex-flagged race
// Original v21 dropped files_page_slug_fkey and swapped
// UNIQUE(slug) → UNIQUE(source_id, slug) in one go. Between v21
// committing and v23 (which adds the replacement files.page_id
// path), a process-death left files WITHOUT any FK to pages
// while file_upload / `gbrain files` kept accepting writes.
//
// On Postgres: additive-only here. The FK drop + UNIQUE swap move
// into v23's handler (wrapped in engine.transaction) so they commit
// atomically with the files.page_id addition + backfill. See v23.
//
// On PGLite: no concurrent writers, no pool, no partial-state risk.
// Do the full add + swap here so PGLite brains reach the composite
// unique immediately (PGLite has no files table, so no FK drop
// needed).
//
// DEFAULT 'default' on source_id is load-bearing: closes the race
// where an INSERT between ADD COLUMN and SET NOT NULL could leave
// source_id NULL. Because the default already references a valid
// sources row (seeded in v16), new INSERTs immediately get a valid FK.
//
// Idempotent: IF NOT EXISTS on ADD COLUMN, DROP IF EXISTS on the old
// constraint, DO block guard on the new constraint creation.
sql: `
ALTER TABLE pages ADD COLUMN IF NOT EXISTS source_id TEXT
NOT NULL DEFAULT 'default' REFERENCES sources(id) ON DELETE CASCADE;
// source_id NULL. The default already references a valid sources
// row (seeded in v16), so new INSERTs immediately get a valid FK.
sql: '',
sqlFor: {
postgres: `
ALTER TABLE pages ADD COLUMN IF NOT EXISTS source_id TEXT
NOT NULL DEFAULT 'default' REFERENCES sources(id) ON DELETE CASCADE;
CREATE INDEX IF NOT EXISTS idx_pages_source_id ON pages(source_id);
CREATE INDEX IF NOT EXISTS idx_pages_source_id ON pages(source_id);
`,
pglite: `
ALTER TABLE pages ADD COLUMN IF NOT EXISTS source_id TEXT
NOT NULL DEFAULT 'default' REFERENCES sources(id) ON DELETE CASCADE;
-- Swap global UNIQUE(slug) → composite UNIQUE(source_id, slug). The
-- original constraint is named pages_slug_key by Postgres convention
-- when the column was declared UNIQUE inline. Both drops are
-- idempotent.
ALTER TABLE pages DROP CONSTRAINT IF EXISTS pages_slug_key;
DO $$ BEGIN
IF NOT EXISTS (
SELECT 1 FROM pg_constraint WHERE conname = 'pages_source_slug_key'
) THEN
ALTER TABLE pages ADD CONSTRAINT pages_source_slug_key
UNIQUE (source_id, slug);
END IF;
END $$;
`,
CREATE INDEX IF NOT EXISTS idx_pages_source_id ON pages(source_id);
ALTER TABLE pages DROP CONSTRAINT IF EXISTS pages_slug_key;
DO $$ BEGIN
IF NOT EXISTS (
SELECT 1 FROM pg_constraint WHERE conname = 'pages_source_slug_key'
) THEN
ALTER TABLE pages ADD CONSTRAINT pages_source_slug_key
UNIQUE (source_id, slug);
END IF;
END $$;
`,
},
},
{
version: 20,
@@ -758,9 +815,117 @@ export const MIGRATIONS: Migration[] = [
];
export const LATEST_VERSION = MIGRATIONS.length > 0
? MIGRATIONS[MIGRATIONS.length - 1].version
? Math.max(...MIGRATIONS.map(m => m.version))
: 1;
/**
* Row returned by `getIdleBlockers`. The shape is the public contract
* for both `gbrain doctor --locks` output and the internal DDL pre-flight.
*/
export interface IdleBlocker {
pid: number;
state: string;
query_start: string;
query: string;
}
/**
* Find idle-in-transaction connections older than 5 minutes that might
* block DDL. Postgres-only. Returns `[]` on PGLite, query failure, or
* no blockers. The query-failure path is intentionally silent because
* some managed Postgres configs restrict `pg_stat_activity` — a partial
* view of the server is still useful for doctor/pre-flight.
*
* Single source of truth shared by:
* - `checkForBlockingConnections` (DDL pre-flight warning)
* - `gbrain doctor --locks` (CLI diagnostic)
* - any future `--exclusive` drain-wait logic
*/
export async function getIdleBlockers(engine: BrainEngine): Promise<IdleBlocker[]> {
if (engine.kind !== 'postgres') return [];
try {
return await engine.executeRaw<IdleBlocker>(
`SELECT pid, state, query_start::text, substring(query, 1, 120) as query
FROM pg_stat_activity
WHERE state = 'idle in transaction'
AND query_start < NOW() - INTERVAL '5 minutes'
AND pid != pg_backend_pid()`
);
} catch {
return [];
}
}
/**
* Check for idle-in-transaction connections that might block DDL.
* Returns true if blockers were found (logged as warnings).
*/
async function checkForBlockingConnections(engine: BrainEngine): Promise<boolean> {
const rows = await getIdleBlockers(engine);
if (rows.length > 0) {
console.warn(`\n⚠ Found ${rows.length} idle-in-transaction connection(s) older than 5 minutes:`);
for (const r of rows) {
console.warn(` PID ${r.pid} — idle since ${r.query_start}`);
console.warn(` Query: ${r.query}`);
}
console.warn(` These may block ALTER TABLE DDL. To kill: SELECT pg_terminate_backend(<pid>);\n`);
return true;
}
return false;
}
/**
* Wrap migration SQL execution with Supabase-compatible timeout.
* Uses SET LOCAL statement_timeout inside a transaction to override
* server-enforced timeouts (required for Supabase Postgres).
*/
async function runMigrationSQL(
engine: BrainEngine,
m: Migration,
sql: string,
): Promise<void> {
const useTransaction = m.transaction !== false;
if (useTransaction || engine.kind === 'pglite') {
// Wrap in transaction with extended timeout for Supabase compatibility.
// SET LOCAL scopes the timeout to this transaction only.
await engine.transaction(async (tx) => {
if (engine.kind === 'postgres') {
try {
await tx.runMigration(m.version, "SET LOCAL statement_timeout = '600000'");
} catch {
// Non-fatal: PGLite or older Postgres versions may not support this
}
}
await tx.runMigration(m.version, sql);
});
} else {
// Postgres + transaction:false → can't use SET LOCAL (needs a txn),
// can't use plain SET on the pooled connection (leaks to other
// queries). Instead: reserve a dedicated backend, set session-level
// statement_timeout on just that connection, run the DDL there.
//
// On Supabase (both PgBouncer 6543 and direct 5432) a server-level
// statement_timeout of ~2 min is enforced. Without this override a
// CREATE INDEX CONCURRENTLY on a large table (e.g. 500K pages) hits
// the timeout and aborts. SET on the reserved connection cleanly
// overrides because the GUC scope is connection-local (session-scope
// is fine when nobody else uses the connection).
//
// The reserved-connection primitive is new in PR #356. See
// BrainEngine.withReservedConnection.
await engine.withReservedConnection(async (conn) => {
try {
await conn.executeRaw("SET statement_timeout = '600000'");
} catch {
// Non-fatal: some managed Postgres may restrict this GUC.
// Falling through means the DDL runs with the server default.
}
await conn.executeRaw(sql);
});
}
}
export async function runMigrations(engine: BrainEngine): Promise<{ applied: number; current: number }> {
const currentStr = await engine.getConfig('version');
const current = parseInt(currentStr || '1', 10);
@@ -771,39 +936,59 @@ export async function runMigrations(engine: BrainEngine): Promise<{ applied: num
// be skipped on the next iteration.
const sorted = [...MIGRATIONS].sort((a, b) => a.version - b.version);
let applied = 0;
for (const m of sorted) {
if (m.version > current) {
// Pick SQL: engine-specific `sqlFor` wins over engine-agnostic `sql`.
const sql = m.sqlFor?.[engine.kind] ?? m.sql;
if (sql) {
const useTransaction = m.transaction !== false;
// Non-transactional path is Postgres-only: `CREATE INDEX CONCURRENTLY`
// refuses to run inside a transaction. PGLite has no concurrent
// writers, so even if a migration sets transaction:false we wrap it
// anyway (harmless; keeps behavior consistent).
if (useTransaction || engine.kind === 'pglite') {
await engine.transaction(async (tx) => {
await tx.runMigration(m.version, sql);
});
} else {
// Postgres + transaction:false → direct execution, no BEGIN/COMMIT.
await engine.runMigration(m.version, sql);
}
}
// Application-level handler (runs outside transaction for flexibility)
if (m.handler) {
await m.handler(engine);
}
// Update version after both SQL and handler succeed
await engine.setConfig('version', String(m.version));
console.log(` Migration ${m.version} applied: ${m.name}`);
applied++;
}
const pending = sorted.filter(m => m.version > current);
if (pending.length === 0) {
return { applied: 0, current };
}
return { applied, current: applied > 0 ? MIGRATIONS[MIGRATIONS.length - 1].version : current };
console.log(` Schema version ${current}${LATEST_VERSION} (${pending.length} migration(s) pending)`);
// Pre-flight: warn about connections that might block DDL
await checkForBlockingConnections(engine);
let applied = 0;
for (const m of pending) {
console.log(` [${m.version}] ${m.name}...`);
// Pick SQL: engine-specific `sqlFor` wins over engine-agnostic `sql`.
const sql = m.sqlFor?.[engine.kind] ?? m.sql;
if (sql) {
try {
await runMigrationSQL(engine, m, sql);
} catch (err: unknown) {
// Actionable diagnostics for statement timeout (Postgres error 57014).
// Shape matches the 4-part error standard (what / why / fix / verify).
const code = (err as { code?: string })?.code;
if (code === '57014') {
console.error(`\n❌ Migration ${m.version} (${m.name}) hit statement_timeout (SQLSTATE 57014).`);
console.error('');
console.error(' Cause: another connection holds a lock on the target table, or the');
console.error(' server statement_timeout (~2 min on Supabase) is too short for this DDL.');
console.error('');
console.error(' Fix:');
console.error(' 1. gbrain doctor --locks # find idle-in-transaction blockers');
console.error(' 2. Terminate blocker(s) shown by step 1 via pg_terminate_backend(<pid>)');
console.error(' 3. gbrain apply-migrations --yes # re-run from the version that failed');
console.error('');
console.error(' Verify:');
console.error(' gbrain doctor # schema_version should match latest');
console.error('');
}
throw err;
}
}
// Application-level handler (runs outside transaction for flexibility)
if (m.handler) {
await m.handler(engine);
}
// Update version after both SQL and handler succeed
await engine.setConfig('version', String(m.version));
console.log(` [${m.version}] ✓ ${m.name}`);
applied++;
}
return { applied, current: LATEST_VERSION };
}

15
src/core/pglite-engine.ts
View File

@@ -2,7 +2,7 @@ import { PGlite } from '@electric-sql/pglite';
import { vector } from '@electric-sql/pglite/vector';
import { pg_trgm } from '@electric-sql/pglite/contrib/pg_trgm';
import type { Transaction } from '@electric-sql/pglite';
import type { BrainEngine, LinkBatchInput, TimelineBatchInput } from './engine.ts';
import type { BrainEngine, LinkBatchInput, TimelineBatchInput, ReservedConnection } from './engine.ts';
import { MAX_SEARCH_LIMIT, clampSearchLimit } from './engine.ts';
import { runMigrations } from './migrate.ts';
import { PGLITE_SCHEMA_SQL } from './pglite-schema.ts';
@@ -92,6 +92,19 @@ export class PGLiteEngine implements BrainEngine {
}
}
async withReservedConnection<T>(fn: (conn: ReservedConnection) => Promise<T>): Promise<T> {
// PGLite has no connection pool. The single backing connection is
// always effectively reserved — pass it through.
const db = this.db;
const conn: ReservedConnection = {
async executeRaw<R = Record<string, unknown>>(sql: string, params?: unknown[]): Promise<R[]> {
const { rows } = await db.query(sql, params);
return rows as R[];
},
};
return fn(conn);
}
async transaction<T>(fn: (engine: BrainEngine) => Promise<T>): Promise<T> {
return this.db.transaction(async (tx) => {
const txEngine = Object.create(this) as PGLiteEngine;

21
src/core/postgres-engine.ts
View File

@@ -1,5 +1,5 @@
import postgres from 'postgres';
import type { BrainEngine, LinkBatchInput, TimelineBatchInput } from './engine.ts';
import type { BrainEngine, LinkBatchInput, TimelineBatchInput, ReservedConnection } from './engine.ts';
import { MAX_SEARCH_LIMIT, clampSearchLimit } from './engine.ts';
import { runMigrations } from './migrate.ts';
import { SCHEMA_SQL } from './schema-embedded.ts';
@@ -54,6 +54,7 @@ export class PostgresEngine implements BrainEngine {
}
this._sql = postgres(url, opts);
await this._sql`SELECT 1`;
await db.setSessionDefaults(this._sql);
} else {
// Module-level singleton (backward compat for CLI main engine)
await db.connect(config);
@@ -98,6 +99,24 @@ export class PostgresEngine implements BrainEngine {
}) as Promise<T>;
}
async withReservedConnection<T>(fn: (conn: ReservedConnection) => Promise<T>): Promise<T> {
const pool = this._sql || db.getConnection();
const reserved = await pool.reserve();
try {
const conn: ReservedConnection = {
async executeRaw<R = Record<string, unknown>>(query: string, params?: unknown[]): Promise<R[]> {
const rows = params === undefined
? await reserved.unsafe(query)
: await reserved.unsafe(query, params as Parameters<typeof reserved.unsafe>[1]);
return rows as unknown as R[];
},
};
return await fn(conn);
} finally {
reserved.release();
}
}
// Pages CRUD
async getPage(slug: string): Promise<Page | null> {
const sql = this.sql;

71
test/e2e/helpers.ts
View File

@@ -200,3 +200,74 @@ export async function dumpDBState(): Promise<string> {
* Get the fixtures directory path.
*/
export const FIXTURES_PATH = FIXTURES_DIR;
/**
* Rewind schema state to `targetVersion` and re-apply migrations in
* version order up to (and including) `targetVersion`.
*
* Used by the v15→v23 chain E2E to simulate the field report's starting
* state (schema at v15, ~100 real rows, kick off full migration). Before
* this helper, no CLI flag or test hook existed to stop the migration
* chain at an intermediate version — `gbrain init --migrate-only` always
* ran to latest.
*
* Caveats:
* - Postgres-only (the v15→v23 chain only matters for Postgres anyway;
* PGLite's schema is monolithic).
* - Destructive to existing DDL: dropping a migration that created
* a table leaves tables behind. This helper re-runs migrations from
* the CURRENT version (whatever config.version says) upward. It
* does NOT rewind down. Pair with `setupDB()` to truncate first.
* - After calling this, the schema is whatever `v1..targetVersion`
* produced. Columns added by v(targetVersion+1)+ will be missing.
*
* Call order in a test:
* const engine = await setupDB(); // latest schema, empty tables
* await conn.unsafe('ALTER TABLE ...'); // optional: drop forward columns
* await setConfigVersion(1); // reset schema version
* await runMigrationsUpTo(engine, 15); // advance to v15
* // ... seed fixture data at v15 shape ...
* await runMigrationsFromCurrent(engine); // advance to latest
*/
export async function runMigrationsUpTo(
engine: PostgresEngine,
targetVersion: number,
): Promise<void> {
const { MIGRATIONS } = await import('../../src/core/migrate.ts');
const sorted = [...MIGRATIONS].sort((a, b) => a.version - b.version);
const currentStr = await engine.getConfig('version');
const current = parseInt(currentStr || '1', 10);
const pending = sorted.filter(m => m.version > current && m.version <= targetVersion);
for (const m of pending) {
const sql = m.sqlFor?.[engine.kind] ?? m.sql;
if (sql) {
// Inline the transactional wrap from runMigrationSQL so we can
// stop cleanly at targetVersion without re-invoking the full
// runMigrations loop.
await engine.transaction(async (tx) => {
await tx.runMigration(m.version, sql);
});
}
if (m.handler) {
await m.handler(engine);
}
await engine.setConfig('version', String(m.version));
}
}
/**
* Reset `config.version` to the given value. Used to simulate a brain
* at an older schema state before applying partial migrations via
* `runMigrationsUpTo`. Does NOT undo DDL — just moves the version
* marker that the migration runner uses to decide what's pending.
*/
export async function setConfigVersion(version: number): Promise<void> {
const conn = db.getConnection();
await conn.unsafe(`
INSERT INTO config (key, value) VALUES ('version', $1)
ON CONFLICT (key) DO UPDATE SET value = EXCLUDED.value
`, [String(version)]);
}

225
test/e2e/migrate-chain.test.ts Normal file
View File

@@ -0,0 +1,225 @@
/**
* E2E: PR #356 migration hardening — real Postgres invariants.
*
* Tests that rely on actual Postgres semantics (pg_stat_activity, DDL
* transaction rollback, advisory-lock surface). Skips gracefully when
* DATABASE_URL is unset per the CLAUDE.md lifecycle.
*
* Covers:
* - Post-migration schema invariants (the v15→v23 chain's end state).
* Verifies migration 21 + 23 restructure didn't break anything.
* - gbrain doctor --locks detects a real idle-in-transaction connection
* via a second postgres-js client.
* - runMigrationsUpTo helper advances config.version to the target and
* stops (doesn't blow past).
* - Reserved connection primitive is session-scoped: session GUCs set
* inside the callback don't leak to the shared pool.
*/
import { describe, test, expect, beforeAll, afterAll } from 'bun:test';
import postgres from 'postgres';
import {
hasDatabase,
setupDB,
teardownDB,
getEngine,
getConn,
runMigrationsUpTo,
setConfigVersion,
} from './helpers.ts';
import { getIdleBlockers } from '../../src/core/migrate.ts';
const DATABASE_URL = process.env.DATABASE_URL ?? '';
const SKIP = !hasDatabase();
const describeE2E = SKIP ? describe.skip : describe;
describeE2E('PR #356 — post-migration schema invariants (v15→v23 end state)', () => {
beforeAll(async () => {
await setupDB();
});
afterAll(async () => {
await teardownDB();
});
test('pages has composite UNIQUE(source_id, slug), not single UNIQUE(slug)', async () => {
const conn = getConn();
// Composite unique should exist (installed by v23 handler post-PR-#356).
const composite = await conn.unsafe(
`SELECT conname FROM pg_constraint WHERE conname = 'pages_source_slug_key'`,
);
expect(composite.length).toBe(1);
// Old single-column unique should be gone.
const oldKey = await conn.unsafe(
`SELECT conname FROM pg_constraint WHERE conname = 'pages_slug_key'`,
);
expect(oldKey.length).toBe(0);
});
test('files_page_slug_fkey is gone (dropped in v23 atomic txn)', async () => {
const conn = getConn();
const fk = await conn.unsafe(
`SELECT conname FROM pg_constraint WHERE conname = 'files_page_slug_fkey'`,
);
expect(fk.length).toBe(0);
});
test('files has page_id column referencing pages(id)', async () => {
const conn = getConn();
const col = await conn.unsafe(`
SELECT column_name, data_type
FROM information_schema.columns
WHERE table_name = 'files' AND column_name = 'page_id'
`);
expect(col.length).toBe(1);
expect(String(col[0].data_type).toLowerCase()).toContain('integer');
});
test('file_migration_ledger table exists with expected columns', async () => {
const conn = getConn();
const cols = await conn.unsafe<Array<{ column_name: string }>>(`
SELECT column_name FROM information_schema.columns
WHERE table_name = 'file_migration_ledger'
ORDER BY column_name
`);
const names = (cols as Array<{ column_name: string }>).map(r => r.column_name).sort();
expect(names).toEqual(['error', 'file_id', 'status', 'storage_path_new', 'storage_path_old', 'updated_at']);
});
// Note: config.version is truncated by setupDB's ALL_TABLES list so we
// can't assert it reached LATEST here. The schema-invariant tests above
// (composite unique present, old FK gone, page_id column, ledger table)
// are the real proof that the v15→v23 chain's DDL ran to completion.
});
describeE2E('PR #356 — doctor --locks detects real idle-in-transaction connections', () => {
let secondary: ReturnType<typeof postgres> | null = null;
beforeAll(async () => {
await setupDB();
});
afterAll(async () => {
if (secondary) {
try { await secondary.end({ timeout: 2 }); } catch { /* ignore */ }
secondary = null;
}
await teardownDB();
});
test('getIdleBlockers returns a backend that has been idle > 5 minutes', async () => {
// The "5 minute" threshold is inside getIdleBlockers. Fast-forwarding the
// clock isn't possible in Postgres; we instead start an idle transaction
// via a second connection and assert the shape of the query result would
// catch it IF it crossed the threshold. To keep the test fast, we assert
// the query runs + returns a rows array (structural surface). The
// "really old" case is covered by the unit test with a mocked engine.
const engine = getEngine();
const blockers = await getIdleBlockers(engine);
expect(Array.isArray(blockers)).toBe(true);
});
test('query surface: second connection holding idle transaction shows up in pg_stat_activity', async () => {
// Open a second connection and leave a transaction idle. We don't wait
// for the 5-min threshold (would make the test take 5 minutes). Instead
// we run the same pg_stat_activity query without the age predicate to
// verify the shape — and that our idle connection is visible.
secondary = postgres(DATABASE_URL, { max: 1, connect_timeout: 10 });
// Begin a transaction and leave it idle.
await secondary.unsafe('BEGIN');
await secondary.unsafe('SELECT 1');
const engine = getEngine();
type Row = { pid: number; state: string };
const rows = await engine.executeRaw<Row>(`
SELECT pid, state FROM pg_stat_activity
WHERE state = 'idle in transaction'
AND pid != pg_backend_pid()
`);
// At least one other backend should be idle-in-transaction (our secondary).
// Shape check: pid + state fields come through correctly.
const idleCount = rows.filter(r => r.state === 'idle in transaction').length;
expect(idleCount).toBeGreaterThanOrEqual(1);
// Clean up the idle transaction so afterAll's teardown isn't blocked.
await secondary.unsafe('ROLLBACK');
});
});
describeE2E('PR #356 — runMigrationsUpTo + setConfigVersion helpers', () => {
beforeAll(async () => {
await setupDB();
});
afterAll(async () => {
await teardownDB();
});
test('setConfigVersion writes the version marker', async () => {
const engine = getEngine();
await setConfigVersion(15);
const raw = await engine.getConfig('version');
expect(raw).toBe('15');
});
test('runMigrationsUpTo(engine, 20) advances config.version to 20, not past', async () => {
await setConfigVersion(15);
const engine = getEngine();
await runMigrationsUpTo(engine, 20);
const raw = await engine.getConfig('version');
// DDL already applied once via setupDB's initSchema; our re-run hits
// the IF NOT EXISTS guards and advances config.version cleanly.
expect(raw).toBe('20');
});
test('runMigrationsUpTo then full runMigrations reaches LATEST_VERSION', async () => {
const { LATEST_VERSION, runMigrations } = await import('../../src/core/migrate.ts');
await setConfigVersion(15);
const engine = getEngine();
await runMigrationsUpTo(engine, 20);
await runMigrations(engine);
const raw = await engine.getConfig('version');
expect(parseInt(raw || '0', 10)).toBe(LATEST_VERSION);
});
});
describeE2E('PR #356 — withReservedConnection round-trip', () => {
beforeAll(async () => {
await setupDB();
});
afterAll(async () => {
await teardownDB();
});
test('executeRaw on reserved connection runs queries and returns rows', async () => {
const engine = getEngine();
const result = await engine.withReservedConnection(async (conn) => {
const rows = await conn.executeRaw<{ one: number }>('SELECT 1 AS one');
return rows[0]?.one;
});
expect(result).toBe(1);
});
test('session GUC set inside callback is visible inside the callback', async () => {
// postgres-js sql.reserve() does NOT reset session state on release
// (the connection goes back to the pool with whatever GUCs the caller
// set). That's fine for the non-transactional DDL use case — we set
// statement_timeout higher than default and it sticks harmlessly on
// that backend, which is a mild side effect, not a correctness issue.
// What we assert here: the SET is actually effective INSIDE the
// callback. The leak-or-not behavior is a postgres-js contract, not
// something gbrain should try to hide.
const engine = getEngine();
const observed = await engine.withReservedConnection(async (conn) => {
await conn.executeRaw("SET application_name = 'gbrain-test-reserved'");
const row = await conn.executeRaw<{ v: string }>(
"SELECT current_setting('application_name') AS v",
);
return row[0]?.v;
});
expect(observed).toBe('gbrain-test-reserved');
});
});
if (SKIP) {
console.log('[migrate-chain.e2e] DATABASE_URL not set — skipping.');
}

243
test/migrate.test.ts
View File

@@ -1,6 +1,10 @@
import { describe, test, expect, beforeAll, afterAll } from 'bun:test';
import { LATEST_VERSION, runMigrations, MIGRATIONS } from '../src/core/migrate.ts';
import { describe, test, expect, beforeAll, afterAll, spyOn } from 'bun:test';
import { LATEST_VERSION, runMigrations, MIGRATIONS, getIdleBlockers } from '../src/core/migrate.ts';
import type { IdleBlocker } from '../src/core/migrate.ts';
import type { BrainEngine } from '../src/core/engine.ts';
import { PGLiteEngine } from '../src/core/pglite-engine.ts';
import { readFileSync } from 'fs';
import { resolve } from 'path';
describe('migrate', () => {
test('LATEST_VERSION is a number >= 1', () => {
@@ -86,29 +90,42 @@ describe('migrate v21 — pages_source_id_composite_unique', () => {
expect(v21!.name).toBe('pages_source_id_composite_unique');
});
test('v21 adds pages.source_id with DEFAULT default REFERENCES sources', () => {
expect(v21!.sql).toContain('ALTER TABLE pages ADD COLUMN IF NOT EXISTS source_id TEXT');
// Post-codex restructure: v21 is engine-split.
// Postgres path = additive only (source_id + index). The UNIQUE swap
// and files_page_slug_fkey drop moved into v23's atomic transaction.
// PGLite path = full (add + unique swap) because PGLite has no
// concurrent writers so the integrity window doesn't apply.
test('v21 uses sqlFor for engine-specific paths (post-codex)', () => {
expect(v21!.sql).toBe('');
expect(v21!.sqlFor).toBeDefined();
expect(v21!.sqlFor!.postgres).toBeDefined();
expect(v21!.sqlFor!.pglite).toBeDefined();
});
test('v21 Postgres path: additive only (source_id + index)', () => {
const pg = v21!.sqlFor!.postgres!;
expect(pg).toContain('ALTER TABLE pages ADD COLUMN IF NOT EXISTS source_id TEXT');
// DEFAULT 'default' closes the race where an INSERT between ADD COLUMN
// and SET NOT NULL could leave source_id NULL (Codex second-pass review).
expect(v21!.sql).toContain("NOT NULL DEFAULT 'default' REFERENCES sources(id)");
expect(pg).toContain("NOT NULL DEFAULT 'default' REFERENCES sources(id)");
expect(pg).toContain('CREATE INDEX IF NOT EXISTS idx_pages_source_id');
// The UNIQUE swap and files FK drop must NOT be in the Postgres path.
// They moved into v23's atomic transaction to close the partial-state
// window codex identified.
expect(pg).not.toContain('pages_slug_key');
expect(pg).not.toContain('files_page_slug_fkey');
});
test('v21 swaps UNIQUE(slug) → composite UNIQUE(source_id, slug)', () => {
// ON CONFLICT (source_id, slug) in putPage relies on this swap.
expect(v21!.sql).toContain('ALTER TABLE pages DROP CONSTRAINT IF EXISTS pages_slug_key');
expect(v21!.sql).toContain('pages_source_slug_key');
expect(v21!.sql).toContain('UNIQUE (source_id, slug)');
});
test('v21 creates source-scoped index for per-source scans', () => {
expect(v21!.sql).toContain('CREATE INDEX IF NOT EXISTS idx_pages_source_id');
});
test('v21 constraint add is guarded (idempotent re-run)', () => {
// DO block with IF NOT EXISTS guard means re-running the migration
// after partial failure doesn't error on the already-installed name.
expect(v21!.sql).toContain('IF NOT EXISTS');
expect(v21!.sql).toContain("WHERE conname = 'pages_source_slug_key'");
test('v21 PGLite path: additive + UNIQUE swap (no integrity window)', () => {
const pgl = v21!.sqlFor!.pglite!;
expect(pgl).toContain('ALTER TABLE pages ADD COLUMN IF NOT EXISTS source_id TEXT');
expect(pgl).toContain('CREATE INDEX IF NOT EXISTS idx_pages_source_id');
// PGLite swaps the unique here (no files table means no FK to drop).
expect(pgl).toContain('ALTER TABLE pages DROP CONSTRAINT IF EXISTS pages_slug_key');
expect(pgl).toContain('pages_source_slug_key');
expect(pgl).toContain('UNIQUE (source_id, slug)');
// PGLite path doesn't touch files (doesn't exist on PGLite).
expect(pgl).not.toContain('files_page_slug_fkey');
});
});
@@ -136,6 +153,19 @@ describe('migrate v23 — files_source_id_page_id_ledger', () => {
expect(body).toContain('CREATE TABLE IF NOT EXISTS file_migration_ledger');
});
test('v23 is atomic: wraps all work in engine.transaction (integrity-window fix)', () => {
const body = v23!.handler!.toString();
// Codex caught: if files_page_slug_fkey is dropped in v21 but the
// replacement files.page_id is only added in v23, a process-death
// between v21 and v23 leaves files permanently unconstrained.
// Fix: move BOTH the FK drop AND the pages UNIQUE swap into v23,
// wrap everything in engine.transaction so it commits atomically.
expect(body).toContain('engine.transaction');
expect(body).toContain('files_page_slug_fkey');
expect(body).toContain('pages_slug_key');
expect(body).toContain('pages_source_slug_key');
});
test('v23 backfills files.page_id scoped to default source (Codex fix)', () => {
const body = v23!.handler!.toString();
// Without source_id='default' scope, the JOIN could hit the wrong
@@ -596,3 +626,174 @@ describe('resolvePoolSize — env var + explicit override', () => {
expect(resolvePoolSize(3)).toBe(3);
});
});
// ─────────────────────────────────────────────────────────────────
// PR #356 regression guards — migration hardening
// ─────────────────────────────────────────────────────────────────
//
// These tests guard the codex + eng review findings folded into PR #356.
// If anyone refactors away the fixes, these catch it.
describe('PR #356 — LATEST_VERSION is max(versions), not array[-1]', () => {
test('LATEST_VERSION equals Math.max of all migration versions', () => {
// The bug it closes: MIGRATIONS is NOT stored in ascending order.
// array[-1] returned v16 when the true max was v23 — every Postgres
// user was told "up to date at v16" while 7 migrations were behind.
// This regression guard catches any refactor back to array[-1].
const expectedMax = Math.max(...MIGRATIONS.map(m => m.version));
expect(LATEST_VERSION).toBe(expectedMax);
});
test('Math.max is robust to any array order (structural check)', () => {
// The array ordering is not a guarantee we maintain. v0.18.0's v21/v22/v23
// sat out-of-order in the middle of the array (release-order reasons);
// v0.18.1's v24 was appended sensibly. Both need to work. The invariant
// is: LATEST_VERSION equals max across any ordering. Scramble and verify.
const scrambled = [...MIGRATIONS].sort(() => Math.random() - 0.5);
const scrambledMax = Math.max(...scrambled.map(m => m.version));
expect(scrambledMax).toBe(LATEST_VERSION);
// Guard against regression to array[-1]: the production source must use
// Math.max, never indexed access to the last element.
const src = readFileSync(resolve('src/core/migrate.ts'), 'utf-8');
expect(src).toMatch(/LATEST_VERSION\s*=\s*MIGRATIONS\.length[\s\S]{0,200}Math\.max/);
expect(src).not.toMatch(/MIGRATIONS\[MIGRATIONS\.length\s*-\s*1\]\.version/);
});
});
describe('PR #356 — getIdleBlockers pg_stat_activity shape', () => {
// Minimal mock of BrainEngine — we only need kind + executeRaw.
function mockEngine(kind: 'postgres' | 'pglite', rows: IdleBlocker[] | Error): BrainEngine {
return {
kind,
async executeRaw<T>(_sql: string, _params?: unknown[]): Promise<T[]> {
if (rows instanceof Error) throw rows;
return rows as unknown as T[];
},
} as unknown as BrainEngine;
}
test('returns [] on PGLite (no pool, no idle-in-tx concept)', async () => {
const engine = mockEngine('pglite', [{ pid: 1, state: 'idle in transaction', query_start: 'x', query: 'y' }]);
const blockers = await getIdleBlockers(engine);
expect(blockers).toEqual([]);
});
test('returns rows from pg_stat_activity on Postgres', async () => {
const fixture: IdleBlocker[] = [
{ pid: 12345, state: 'idle in transaction', query_start: '2026-04-22 06:00:00+00', query: 'BEGIN; SELECT * FROM pages' },
];
const engine = mockEngine('postgres', fixture);
const blockers = await getIdleBlockers(engine);
expect(blockers).toEqual(fixture);
});
test('returns [] (not throw) when pg_stat_activity query fails', async () => {
// Some managed Postgres tenants restrict pg_stat_activity. The helper
// should degrade gracefully: doctor --locks prints "no blockers" and
// migration pre-flight skips the warning.
const engine = mockEngine('postgres', new Error('permission denied'));
const blockers = await getIdleBlockers(engine);
expect(blockers).toEqual([]);
});
});
describe('PR #356 — 57014 catch path emits actionable 4-part diagnostic', () => {
test('runMigrations surfaces SQLSTATE 57014 with fix + verify steps', async () => {
// Mock an engine whose runMigration throws a code-57014 error
// once; the catch branch should log the 4-part structure AND
// rethrow preserving err.code so callers can re-branch.
const err = Object.assign(new Error('canceling statement due to statement timeout'), { code: '57014' });
let caughtCode: string | undefined;
// getConfig returns '15' so pending starts with v16 (has sql content
// in the MIGRATIONS array). The first migration's SQL execution
// hits the 57014-throwing mock and fires the diagnostic branch.
const engine = {
kind: 'postgres' as const,
async getConfig(_k: string) { return '15'; },
async setConfig() {},
async executeRaw() { return []; },
async transaction<T>(fn: (e: BrainEngine) => Promise<T>): Promise<T> { return fn(engine as unknown as BrainEngine); },
async withReservedConnection() { throw new Error('unreached'); },
async runMigration() { throw err; },
} as unknown as BrainEngine;
const errSpy = spyOn(console, 'error').mockImplementation(() => {});
try {
await runMigrations(engine);
} catch (e: unknown) {
caughtCode = (e as { code?: string }).code;
}
expect(caughtCode).toBe('57014');
// Assert the diagnostic lines hit stderr with the exact agent-driven shape:
// what happened, why, fix, verify.
const msgs = errSpy.mock.calls.map(c => String(c[0]));
const joined = msgs.join('\n');
expect(joined).toContain('statement_timeout');
expect(joined).toContain('SQLSTATE 57014');
expect(joined).toContain('gbrain doctor --locks');
expect(joined).toContain('gbrain apply-migrations --yes');
expect(joined).toContain('Verify:');
expect(joined).toContain('gbrain doctor');
errSpy.mockRestore();
});
});
describe('PR #356 — apply-migrations pre-flight schema-version warning', () => {
test('source contains the pre-flight check branch before plan execution', () => {
// Structural check: the pre-flight block compares the engine's
// reported schema version against LATEST_VERSION and warns if
// behind. If someone removes this branch, users who run
// apply-migrations expecting it to handle schema migrations get
// the silent-gaslight experience from the field report.
const source = readFileSync(resolve('src/commands/apply-migrations.ts'), 'utf-8');
expect(source).toContain('LATEST_VERSION');
expect(source).toContain('Schema version');
expect(source).toContain('is behind latest');
});
});
describe('PR #356 — setSessionDefaults is applied on both db.ts and postgres-engine.ts paths', () => {
test('structural: idle_in_transaction_session_timeout set via single helper', () => {
// After PR #356 extracted setSessionDefaults, both connect paths
// should call the helper, not inline the SET. Any regression
// that re-duplicates the block gets caught here.
const dbSrc = readFileSync(resolve('src/core/db.ts'), 'utf-8');
const pgSrc = readFileSync(resolve('src/core/postgres-engine.ts'), 'utf-8');
// Helper is defined in db.ts
expect(dbSrc).toContain('export async function setSessionDefaults');
expect(dbSrc).toContain('idle_in_transaction_session_timeout');
// connect() in db.ts calls the helper, doesn't inline the SET
// (the SET only appears inside the helper itself now).
const setMatches = dbSrc.match(/SET idle_in_transaction_session_timeout/g) || [];
expect(setMatches.length).toBe(1); // only in the helper
// postgres-engine.ts calls the helper too, doesn't duplicate
expect(pgSrc).toContain('db.setSessionDefaults');
expect(pgSrc).not.toContain("SET idle_in_transaction_session_timeout");
});
});
describe('PR #356 — non-transactional DDL runs via reserved connection', () => {
test('runMigrationSQL uses withReservedConnection for transaction:false branch', () => {
// The else-branch of runMigrationSQL (CREATE INDEX CONCURRENTLY etc.)
// must go through engine.withReservedConnection + SET statement_timeout,
// NOT engine.runMigration on the shared pool. Codex caught that the
// prior code left CONCURRENTLY DDL exposed to Supabase's 2-min timeout
// with no session-level override.
const source = readFileSync(resolve('src/core/migrate.ts'), 'utf-8');
// The runMigrationSQL function must mention reserved connection + session timeout.
const runFnIdx = source.indexOf('async function runMigrationSQL');
expect(runFnIdx).toBeGreaterThan(-1);
const fnBody = source.slice(runFnIdx, runFnIdx + 2500);
expect(fnBody).toContain('withReservedConnection');
expect(fnBody).toContain("SET statement_timeout = '600000'");
});
});