mire 0.2.2

A small, generic PostgreSQL event-sourcing library: append-only event streams, aggregates with optimistic concurrency, and subscription-based projections (requires tokio + sqlx)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348

use std::collections::{BTreeMap, HashMap};

use sqlx::{PgPool, Row};

use crate::{EventStore, EventStoreError, RecordedEvent};

/// A `(transaction_id, global_position)` cursor into the event log, ordered
/// lexicographically — the same order the poll queries use.
type Cursor = (u64, i64);

/// The cursor position immediately before `c`: a checkpoint persisted here
/// re-fetches the event at `c` on restart. Positions start at 1, so `p - 1`
/// never underflows into a different transaction's range.
fn just_before(c: Cursor) -> Cursor {
    (c.0, c.1 - 1)
}

fn cursor_of(e: &RecordedEvent) -> Cursor {
    (e.transaction_id, e.global_position)
}

/// A resumable cursor over the event log with a **per-stream ordering
/// guarantee** (review CORE-2/SUB-1; see `tasks/subscriber-ordering.md`).
///
/// Raw log order is `(transaction_id, global_position)` — xid-assignment
/// order, *not* per-stream version order. A multi-statement transaction
/// (`TransactionScope`, the saga runner) that writes before appending gets
/// its xid early, so a stream's v2 can sort — and become deliverable —
/// before v1. `poll`/`poll_category` therefore reorder:
///
/// - Each fetched batch is re-sorted by `global_position` (per-stream
///   position is version-monotonic, so this is per-stream version order).
/// - An event whose predecessor (`stream_version - 1`) has not been
///   delivered yet is **held** in memory instead of delivered; other
///   streams keep flowing. It is released the moment the predecessor
///   arrives. (The predecessor is always already committed — appends to a
///   stream serialize on the `es_streams` row lock — so the wait terminates
///   with whatever transaction is pinning the xmin horizon.)
/// - The **poll cursor** keeps advancing past held events (no livelock),
///   but the **checkpointable cursor** ([`checkpoint_cursor_after`]) lags
///   just before the earliest unhandled event, so a crash replays the held
///   window: at-least-once, never lost, never reordered.
///
/// The contract delivered to handlers: **each stream's events arrive in
/// strictly increasing `stream_version` order; redelivery after a restart
/// is a prefix-replay, never a reordering.** Handlers still need
/// idempotency (at-least-once stands); they no longer need
/// order-insensitivity.
///
/// As an always-on backstop, a delivery that would regress a stream
/// (version ≤ something already delivered this session) fails loudly with
/// [`EventStoreError::OrderingViolation`] rather than corrupting a read
/// model.
///
/// **Internal / unblessed (review CORE-4/SUB-2).** This is the low-level
/// poll primitive that [`ProjectionRunner`](crate::ProjectionRunner) is
/// built on; it is `#[doc(hidden)]` and is **not** part of the supported
/// public API. Production code should use `ProjectionRunner`, which
/// coordinates replicas via fenced leases. A bare `Subscription` has no
/// lease, so its [`checkpoint`](Self::checkpoint)/[`reset`](Self::reset)
/// are guarded to only touch *non-lease-managed* subscriptions
/// (`fence_token = 0`) — they can no longer silently clobber a
/// `ProjectionRunner`'s cursor on the same id.
pub struct Subscription {
    id: String,
    store: EventStore,
    db: PgPool,
    /// Poll cursor: where the next fetch starts. Advances over *fetched*
    /// events, including ones that were held rather than delivered.
    poll_cursor: Cursor,
    batch_size: i64,
    /// The persisted checkpoint at session start. Events at or before this
    /// cursor are treated as handled by previous sessions — the baseline
    /// for the one-time per-stream `last_delivered` initialisation.
    session_start: Cursor,
    /// Highest `stream_version` delivered this session, per stream. Lazily
    /// initialised per stream from the log at-or-before `session_start`.
    /// Doubles as the ordering backstop.
    last_delivered: HashMap<String, i64>,
    /// Fetched events waiting for their predecessor, keyed by cursor so the
    /// earliest hold bounds the checkpointable cursor.
    held: BTreeMap<Cursor, RecordedEvent>,
    /// Cursors of the most recent delivered batch, in delivery order —
    /// suffix-minimised by [`checkpoint_cursor_after`] so a partially
    /// handled batch checkpoints safely.
    last_batch_cursors: Vec<Cursor>,
}

impl Subscription {
    pub async fn create(
        store: EventStore,
        db: PgPool,
        id: impl Into<String>,
        batch_size: i64,
    ) -> Result<Self, EventStoreError> {
        let id = id.into();

        sqlx::query(
            "INSERT INTO es_subscriptions (subscription_id, last_position)
             VALUES ($1, 0)
             ON CONFLICT (subscription_id) DO NOTHING",
        )
        .bind(&id)
        .execute(&db)
        .await?;

        let row = sqlx::query(
            "SELECT last_position, last_transaction_id::text AS last_transaction_id
             FROM es_subscriptions WHERE subscription_id = $1",
        )
        .bind(&id)
        .fetch_one(&db)
        .await?;

        let last_position: i64 = row.get("last_position");
        let last_transaction_id: String = row.get("last_transaction_id");
        let cursor: Cursor = (last_transaction_id.parse().unwrap_or(0), last_position);

        Ok(Self {
            id,
            store,
            db,
            poll_cursor: cursor,
            batch_size,
            session_start: cursor,
            last_delivered: HashMap::new(),
            held: BTreeMap::new(),
            last_batch_cursors: Vec::new(),
        })
    }

    /// Fetch the next batch and return the *deliverable* events, per-stream
    /// ordered (see the type docs). May return an empty batch while events
    /// are held awaiting their predecessor — keep polling.
    pub async fn poll(&mut self) -> Result<Vec<RecordedEvent>, EventStoreError> {
        let raw = self
            .store
            .read_all_after(self.poll_cursor.0, self.poll_cursor.1, self.batch_size)
            .await?;
        self.gate(raw).await
    }

    /// Like [`poll`](Self::poll), restricted to one stream category.
    pub async fn poll_category(
        &mut self,
        category: &str,
    ) -> Result<Vec<RecordedEvent>, EventStoreError> {
        let raw = self
            .store
            .read_category_after(
                category,
                self.poll_cursor.0,
                self.poll_cursor.1,
                self.batch_size,
            )
            .await?;
        self.gate(raw).await
    }

    /// The ordering gate: advance the poll cursor over the raw batch, then
    /// deliver in `global_position` order, holding back any event whose
    /// predecessor hasn't been delivered and draining holds the moment they
    /// unblock.
    async fn gate(
        &mut self,
        raw: Vec<RecordedEvent>,
    ) -> Result<Vec<RecordedEvent>, EventStoreError> {
        // The raw batch arrives in (txid, pos) order; its last element is the
        // furthest poll cursor. Advance even past events we end up holding —
        // held events live in memory, not in re-fetches.
        if let Some(last) = raw.last() {
            self.poll_cursor = cursor_of(last);
        }

        let mut batch = raw;
        batch.sort_by_key(|e| e.global_position);

        // Initialise `last_delivered` for every stream this batch is the
        // first sighting of — ONE bulk query per poll, not one per stream
        // (a cold catch-up sees thousands of new streams; per-stream
        // round-trips dominate and can starve the poll loop).
        self.init_unknown_streams(&batch).await?;

        let mut out: Vec<RecordedEvent> = Vec::with_capacity(batch.len());
        for event in batch {
            let last = *self
                .last_delivered
                .get(&event.stream_id)
                .expect("init_unknown_streams populated every batch stream");
            if event.stream_version == last + 1 {
                self.deliver(event, &mut out);
            } else if event.stream_version > last + 1 {
                self.held.insert(cursor_of(&event), event);
            } else {
                // Backstop (D-ORD-3, always on): within one session this can
                // only mean checkpoint/log inconsistency or an ordering bug.
                // Refuse rather than regress a read model.
                return Err(EventStoreError::OrderingViolation {
                    subscription_id: self.id.clone(),
                    stream_id: event.stream_id.clone(),
                    version: event.stream_version,
                    last_delivered: last,
                });
            }
        }

        self.last_batch_cursors = out.iter().map(cursor_of).collect();
        Ok(out)
    }

    /// Deliver `event`, then drain any held successors it unblocks.
    fn deliver(&mut self, event: RecordedEvent, out: &mut Vec<RecordedEvent>) {
        let stream = event.stream_id.clone();
        let mut version = event.stream_version;
        out.push(event);
        loop {
            let next = self
                .held
                .iter()
                .find(|(_, e)| e.stream_id == stream && e.stream_version == version + 1)
                .map(|(k, _)| *k);
            let Some(key) = next else {
                break;
            };
            let e = self.held.remove(&key).expect("key just found");
            version = e.stream_version;
            out.push(e);
        }
        self.last_delivered.insert(stream, version);
    }

    /// Initialise `last_delivered` for batch streams seen for the first
    /// time this session: the highest version at or before the
    /// session-start checkpoint counts as delivered by previous sessions.
    /// One bulk query per poll; streams with no pre-checkpoint events
    /// initialise to 0.
    async fn init_unknown_streams(
        &mut self,
        batch: &[RecordedEvent],
    ) -> Result<(), EventStoreError> {
        let mut unknown: Vec<&str> = batch
            .iter()
            .map(|e| e.stream_id.as_str())
            .filter(|s| !self.last_delivered.contains_key(*s))
            .collect();
        unknown.sort_unstable();
        unknown.dedup();
        if unknown.is_empty() {
            return Ok(());
        }

        let rows: Vec<(String, i64)> = sqlx::query_as(
            "SELECT stream_id, max(stream_version)
             FROM es_events
             WHERE stream_id = ANY($1)
               AND ((transaction_id = $2::text::xid8 AND global_position <= $3)
                    OR transaction_id < $2::text::xid8)
             GROUP BY stream_id",
        )
        .bind(unknown.iter().map(|s| s.to_string()).collect::<Vec<_>>())
        .bind(self.session_start.0.to_string())
        .bind(self.session_start.1)
        .fetch_all(&self.db)
        .await?;

        for s in &unknown {
            self.last_delivered.insert((*s).to_string(), 0);
        }
        for (stream_id, max_version) in rows {
            self.last_delivered.insert(stream_id, max_version);
        }
        Ok(())
    }

    /// The safe persisted-checkpoint cursor once the first `handled` events
    /// of the most recent batch have been processed. Never passes an
    /// unhandled event: the rest of the batch, every held event, and
    /// everything beyond the poll cursor all stay re-fetchable. `handled =
    /// batch.len()` is the end-of-batch checkpoint.
    pub fn checkpoint_cursor_after(&self, handled: usize) -> Cursor {
        let mut safe = self.poll_cursor;
        if let Some((first_held, _)) = self.held.iter().next() {
            safe = safe.min(just_before(*first_held));
        }
        if let Some(min_rest) = self.last_batch_cursors.get(handled..).and_then(|rest| {
            // Delivery order is position order, not cursor order — take the
            // true minimum over the unhandled suffix.
            rest.iter().min().copied()
        }) {
            safe = safe.min(just_before(min_rest));
        }
        safe
    }

    /// Persist the cursor, treating the most recent batch as fully handled.
    /// **Fenced:** only applies to a non-lease-managed subscription
    /// (`fence_token = 0`). If a `ProjectionRunner` owns this subscription
    /// id (its lease bumped `fence_token` above 0), this is a no-op rather
    /// than a cursor-clobbering write (review CORE-4/SUB-2).
    pub async fn checkpoint(&self) -> Result<(), EventStoreError> {
        let (txid, pos) = self.checkpoint_cursor_after(self.last_batch_cursors.len());
        sqlx::query(
            "UPDATE es_subscriptions
             SET last_position = $1, last_transaction_id = $2::text::xid8, updated_at = now()
             WHERE subscription_id = $3 AND fence_token = 0",
        )
        .bind(pos)
        .bind(txid.to_string())
        .bind(&self.id)
        .execute(&self.db)
        .await?;
        Ok(())
    }

    /// Rewind the cursor to the start. Clears the ordering state too —
    /// replaying from an older cursor legitimately re-presents delivered
    /// events, which must not trip the backstop. **Fenced** like
    /// [`checkpoint`](Self::checkpoint): a no-op on a lease-managed
    /// subscription, so it can't rewind a `ProjectionRunner`'s cursor.
    pub async fn reset(&mut self) -> Result<(), EventStoreError> {
        self.poll_cursor = (0, 0);
        self.session_start = (0, 0);
        self.last_delivered.clear();
        self.held.clear();
        self.last_batch_cursors.clear();
        sqlx::query(
            "UPDATE es_subscriptions
             SET last_position = 0, last_transaction_id = '0'::xid8, updated_at = now()
             WHERE subscription_id = $1 AND fence_token = 0",
        )
        .bind(&self.id)
        .execute(&self.db)
        .await?;
        Ok(())
    }

    pub fn position(&self) -> i64 {
        self.poll_cursor.1
    }

    /// Number of events currently held awaiting a predecessor. Exposed for
    /// observability: a hold that survives many polls means some transaction
    /// is sitting on the xmin horizon (or, pathologically, an event was
    /// deleted from the log).
    pub fn held_count(&self) -> usize {
        self.held.len()
    }
}