fcf40a12fc
* fix(migrate): v0_13_0 shells out to `gbrain` shim, not `process.execPath` On bun-installed trees, process.execPath is the bun runtime itself. `bun extract links ...` got reinterpreted as `bun run extract` and crashed the upgrade mid-Phase B. The canonical shim on PATH already wraps the right runtime+entrypoint; trust it. Regression-guarded by test/migrations-v0_13_0.test.ts which greps the source for `process.execPath` and `bun` invocations. This was Bug 1 of tonight's v0.13 → v0.14 upgrade-night postmortem. * fix(autopilot): resolveGbrainCliPath prefers shim, never returns .ts argv[1] check used to short-circuit on /cli.ts, so bun-source installs got a .ts path back. spawn() then failed EACCES because TypeScript source isn't executable, and autopilot silently lost its worker. Reordered probes: which gbrain (shim) first, then compiled execPath, then argv[1] only if it ends in /gbrain. Deleted the .ts branch entirely — no valid case exists. Rewrote the existing test that enshrined the buggy .ts return. Critical regression guard: resolver MUST NEVER return a .ts path across any combination of argv[1] + execPath + shim availability. This was Bug 4 of tonight's v0.13 → v0.14 upgrade-night postmortem. * chore: bump version and changelog (v0.15.3) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(db): resolvePrepare() helper for PgBouncer transaction-mode pools Adds port-6543 auto-detect with a 4-level precedence chain: GBRAIN_PREPARE env var → ?prepare= URL param → port auto-detect → default. Wires into the module-singleton connect() so the main CLI path no longer hits "prepared statement does not exist" against Supabase transaction pooler. Returns boolean | undefined; undefined means omit the option and let postgres.js default (true) stand. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(postgres-engine): honor resolvePrepare in worker-instance pool Without this, \`gbrain jobs work\` against a Supabase pooler URL hits "prepared statement does not exist" under load even after the module singleton was fixed in db.ts. Community PR #270 (@notjbg) caught this second path that #284 had missed. Reuses the shared helper, no regex duplication. Co-Authored-By: Jonah Berg <jonah.berg.g@gmail.com> Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(doctor): pgbouncer_prepare check URL-only check (no DB roundtrip) that reads the configured URL via loadConfig() and flags the footgun: port 6543 with prepared statements still enabled. Warns with the exact env override (GBRAIN_PREPARE=false) and URL-query alternative (?prepare=false). Works for both the module singleton and worker-instance engines. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test: resolvePrepare precedence matrix + postgres-engine wiring guard - test/resolve-prepare.test.ts: 11 cases covering env override, URL query param, port auto-detect, malformed URLs, postgres:// scheme, URL-encoded credentials. Uses bun:test — #284's original vitest file would never have run in this project. - test/postgres-engine.test.ts: new source-level grep case asserting the worker-pool connect() branch calls db.resolvePrepare(url) and includes a typeof prepare === 'boolean' check. Mirrors the existing SET LOCAL regression guard. If anyone rips out the wiring, the build fails before shipping starts dropping rows. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * chore: bump version and changelog (v0.15.4) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Co-authored-by: Jonah Berg <jonah.berg.g@gmail.com>
128 lines
5.5 KiB
TypeScript
128 lines
5.5 KiB
TypeScript
/**
|
|
* postgres-engine.ts source-level guardrails.
|
|
*
|
|
* Live Postgres coverage for search paths lives in test/e2e/search-quality.test.ts.
|
|
* This file stays fast and DB-free: it inspects the source of
|
|
* src/core/postgres-engine.ts to lock in decisions that protect the
|
|
* shared connection pool from per-request GUC leaks.
|
|
*
|
|
* Regression: R6-F006 / R4-F002.
|
|
* searchKeyword and searchVector used to call bare
|
|
* await sql`SET statement_timeout = '8s'`
|
|
* ...query...
|
|
* finally { await sql`SET statement_timeout = '0'` }
|
|
* against the shared pool. Each tagged template picks an arbitrary
|
|
* connection, so the SET, the query, and the reset could all land on
|
|
* DIFFERENT connections. Worst case: the 8s GUC sticks on some pooled
|
|
* connection and clips the next caller's long-running query; or the
|
|
* reset to 0 lands on a connection that other code expected to be
|
|
* protected. The fix wraps each query in sql.begin() and uses
|
|
* SET LOCAL so the GUC is transaction-scoped and auto-resets on
|
|
* COMMIT/ROLLBACK, regardless of error path.
|
|
*/
|
|
|
|
import { describe, test, expect } from 'bun:test';
|
|
import { readFileSync } from 'fs';
|
|
import { join } from 'path';
|
|
|
|
const SRC = readFileSync(
|
|
join(import.meta.dir, '..', 'src', 'core', 'postgres-engine.ts'),
|
|
'utf-8',
|
|
);
|
|
|
|
describe('postgres-engine / search path timeout isolation', () => {
|
|
test('no bare `SET statement_timeout` statement survives', () => {
|
|
// Strip comments so the commentary mentioning the anti-pattern does
|
|
// not trigger a false positive. Block-comment + line-comment strip.
|
|
const stripped = SRC
|
|
.replace(/\/\*[\s\S]*?\*\//g, '')
|
|
.replace(/(^|\s)\/\/[^\n]*/g, '$1');
|
|
|
|
// Match a tagged-template statement of the form
|
|
// sql`SET statement_timeout = ...`
|
|
// that is NOT preceded by LOCAL. This is the exact shape that bleeds
|
|
// onto pooled connections; SET LOCAL is safe inside a transaction.
|
|
const bare = stripped.match(
|
|
/sql`\s*SET\s+(?!LOCAL\s)statement_timeout\b[^`]*`/gi,
|
|
);
|
|
expect(bare).toBeNull();
|
|
});
|
|
|
|
test('searchKeyword wraps its query in sql.begin()', () => {
|
|
const fn = extractMethod(SRC, 'searchKeyword');
|
|
expect(fn).toMatch(/sql\.begin\s*\(\s*async\s+sql\s*=>/);
|
|
});
|
|
|
|
test('searchVector wraps its query in sql.begin()', () => {
|
|
const fn = extractMethod(SRC, 'searchVector');
|
|
expect(fn).toMatch(/sql\.begin\s*\(\s*async\s+sql\s*=>/);
|
|
});
|
|
|
|
test('both search methods use SET LOCAL for the timeout', () => {
|
|
const keyword = extractMethod(SRC, 'searchKeyword');
|
|
const vector = extractMethod(SRC, 'searchVector');
|
|
expect(keyword).toMatch(/SET\s+LOCAL\s+statement_timeout/);
|
|
expect(vector).toMatch(/SET\s+LOCAL\s+statement_timeout/);
|
|
});
|
|
|
|
test('connect() with poolSize honors resolvePrepare (PgBouncer regression guard)', () => {
|
|
// Regression: worker-instance pools were NOT honoring the prepare decision
|
|
// before v0.15.4. Module singleton connect() in db.ts was fixed by #284 but
|
|
// PostgresEngine.connect({poolSize}) (the branch used by `gbrain jobs work`)
|
|
// silently ignored it — agents running background work against Supabase
|
|
// pooler URLs still hit `prepared statement "..." does not exist` under
|
|
// load. Source-level grep is enough: runtime mocking of postgres.js's
|
|
// tagged-template interface is painful under bun ESM and the wiring is
|
|
// simple enough that if `resolvePrepare` name appears and a conditional
|
|
// `prepare` key appears in the options literal, the wire-up is live.
|
|
const stripped = stripComments(SRC);
|
|
expect(stripped).toMatch(/db\.resolvePrepare\s*\(\s*url\s*\)/);
|
|
expect(stripped).toMatch(/typeof\s+prepare\s*===\s*['"]boolean['"]/);
|
|
});
|
|
|
|
test('neither search method clears the timeout with `SET statement_timeout = 0`', () => {
|
|
// The reset-to-zero pattern was the other half of the leak: if SET
|
|
// LOCAL is in play, COMMIT handles the reset and an explicit
|
|
// `SET statement_timeout = '0'` would itself leak the GUC change
|
|
// onto the returned connection. Strip comments first so the
|
|
// commentary in the method itself (which quotes the anti-pattern
|
|
// to explain it) does not trigger a false positive.
|
|
const keyword = stripComments(extractMethod(SRC, 'searchKeyword'));
|
|
const vector = stripComments(extractMethod(SRC, 'searchVector'));
|
|
expect(keyword).not.toMatch(/SET\s+statement_timeout\s*=\s*['"]?0/);
|
|
expect(vector).not.toMatch(/SET\s+statement_timeout\s*=\s*['"]?0/);
|
|
});
|
|
});
|
|
|
|
function stripComments(s: string): string {
|
|
return s
|
|
.replace(/\/\*[\s\S]*?\*\//g, '')
|
|
.replace(/(^|\s)\/\/[^\n]*/g, '$1');
|
|
}
|
|
|
|
// extractMethod grabs the body of a class method by brace-matching from
|
|
// its opening line. Returns the method body up to the matching closing
|
|
// brace. Good enough for the small number of methods in this file.
|
|
function extractMethod(source: string, name: string): string {
|
|
// Find "async <name>(" at method-definition indentation (2 spaces).
|
|
const openRe = new RegExp(`^\\s+async\\s+${name}\\s*\\(`, 'm');
|
|
const match = openRe.exec(source);
|
|
if (!match) {
|
|
throw new Error(`method ${name} not found in postgres-engine.ts`);
|
|
}
|
|
// Scan forward balancing braces.
|
|
let i = source.indexOf('{', match.index);
|
|
if (i < 0) throw new Error(`no opening brace for ${name}`);
|
|
const start = i;
|
|
let depth = 0;
|
|
for (; i < source.length; i++) {
|
|
const c = source[i];
|
|
if (c === '{') depth++;
|
|
else if (c === '}') {
|
|
depth--;
|
|
if (depth === 0) return source.slice(start, i + 1);
|
|
}
|
|
}
|
|
throw new Error(`unbalanced braces in ${name}`);
|
|
}
|