Skip to main content

mongreldb_server/
lib.rs

1//! mongreldb-server — a long-lived process holding a multi-table `Database`
2//! open, serving SQL + table-qualified native APIs over HTTP.
3//!
4//! Endpoints:
5//!   GET    /health                    → 200 OK
6//!   GET    /tables                    → ["t1", "t2", ...]
7//!   POST   /tables                    → create table
8//!   DELETE /tables/{name}              → drop table
9//!   POST   /tables/{name}/put          → upsert one row
10//!   POST   /tables/{name}/count        → { "count": N }
11//!   POST   /tables/{name}/commit       → { "epoch": N, "epoch_text": "N" }
12//!   POST   /sql                       → Arrow IPC bytes
13//!   POST   /txn                       → exact atomic commit receipt
14//!
15//! Usage: `mongreldb-server <db_dir> [port]`
16
17use std::sync::atomic::{AtomicBool, Ordering};
18use std::sync::{Arc, Mutex};
19use std::time::Duration;
20
21use axum::extract::{Path, State};
22use axum::http::header;
23use axum::http::StatusCode;
24use axum::response::{IntoResponse, Response};
25use axum::routing::{get, post};
26use axum::Json;
27use mongreldb_core::schema::{Schema, TypeId};
28use mongreldb_core::{CancellationReason, Database, Value};
29use mongreldb_query::{
30    CancelOutcome, CompactFinishedQuery, ExternalTableModule, ManagedQueryBatches, MongrelSession,
31    QueryId, RegisteredQueryGuard, RegisteredSqlQuery, SqlQueryOptions, SqlQueryPhase,
32    SqlQueryRegistry, SqlStreamCompletion,
33};
34use serde::{Deserialize, Serialize};
35use serde_json::json;
36use sha2::Digest;
37use zeroize::Zeroizing;
38
39mod audit;
40pub mod cluster_admin;
41mod kit;
42mod metrics;
43mod pre_cancel;
44mod prepared;
45mod procedure;
46mod sessions;
47mod sql_idempotency;
48mod sql_pages;
49mod trigger;
50
51pub use sessions::{spawn_session_reaper, SessionStore};
52
53fn client_closed_request_status() -> StatusCode {
54    StatusCode::from_u16(499).unwrap_or(StatusCode::BAD_REQUEST)
55}
56
57fn cancellation_checkpoint_error(query: &RegisteredSqlQuery) -> mongreldb_query::MongrelQueryError {
58    query.checkpoint().err().unwrap_or_else(|| {
59        mongreldb_query::MongrelQueryError::InvalidQueryState(
60            "cancellation notification observed without a terminal checkpoint".into(),
61        )
62    })
63}
64
65/// Map an engine error to the appropriate HTTP status code for defense-in-depth.
66/// Auth errors get 401/403; conflicts (including the retryable transaction
67/// conflicts `Deadlock`/`SerializationFailure`) get 409; deadline, budget,
68/// cancellation, and cursor errors get their own codes; everything else stays
69/// 500. This ensures that even after the HTTP auth middleware lets a request
70/// through, the storage layer's permission checks surface as the right status
71/// (not a generic 500).
72fn status_for_error(e: &mongreldb_core::MongrelError) -> StatusCode {
73    use mongreldb_core::MongrelError;
74    match e {
75        MongrelError::AuthRequired | MongrelError::InvalidCredentials { .. } => {
76            StatusCode::UNAUTHORIZED
77        }
78        MongrelError::AuthNotRequired => StatusCode::BAD_REQUEST,
79        MongrelError::PermissionDenied { .. } => StatusCode::FORBIDDEN,
80        MongrelError::InvalidArgument(_) => StatusCode::CONFLICT,
81        MongrelError::Conflict(_) => StatusCode::CONFLICT,
82        // Retryable transaction conflicts (spec 11.7): same 409 family as
83        // `Conflict`; the taxonomy category stays precise via `category()`.
84        MongrelError::Deadlock { .. } | MongrelError::SerializationFailure { .. } => {
85            StatusCode::CONFLICT
86        }
87        MongrelError::ReadOnlyReplica => StatusCode::CONFLICT,
88        MongrelError::NotFound(_) => StatusCode::NOT_FOUND,
89        MongrelError::DeadlineExceeded => StatusCode::GATEWAY_TIMEOUT,
90        MongrelError::WorkBudgetExceeded => StatusCode::TOO_MANY_REQUESTS,
91        MongrelError::Cancelled => client_closed_request_status(),
92        MongrelError::CursorStale(_) => StatusCode::CONFLICT,
93        MongrelError::CursorExpired => StatusCode::GONE,
94        _ => StatusCode::INTERNAL_SERVER_ERROR,
95    }
96}
97
98/// Map a query-layer error (which wraps engine errors via `Core(...)`) to the
99/// appropriate HTTP status code.
100fn status_for_query_error(e: &mongreldb_query::MongrelQueryError) -> StatusCode {
101    use mongreldb_query::MongrelQueryError;
102    match e {
103        MongrelQueryError::Core(core) => status_for_error(core),
104        MongrelQueryError::DeadlineExceeded { .. } => StatusCode::GATEWAY_TIMEOUT,
105        MongrelQueryError::QueryCancelled { .. } => client_closed_request_status(),
106        MongrelQueryError::QueryIdConflict { .. } => StatusCode::CONFLICT,
107        MongrelQueryError::QueryRegistryFull => StatusCode::SERVICE_UNAVAILABLE,
108        MongrelQueryError::ResultLimitExceeded { .. } => StatusCode::PAYLOAD_TOO_LARGE,
109        MongrelQueryError::TransactionAborted => StatusCode::CONFLICT,
110        MongrelQueryError::NoSqlTransaction | MongrelQueryError::SavepointNotFound { .. } => {
111            StatusCode::CONFLICT
112        }
113        MongrelQueryError::CommitOutcome { .. } => StatusCode::CONFLICT,
114        MongrelQueryError::OutcomeUnknown { .. } => StatusCode::CONFLICT,
115        _ => StatusCode::INTERNAL_SERVER_ERROR,
116    }
117}
118
119#[cfg(test)]
120mod error_status_tests {
121    use super::*;
122
123    /// Handler-level mapping (spec 9.7): the retryable transaction-conflict
124    /// family surfaces as 409 Conflict with the precise taxonomy category —
125    /// `Deadlock` keeps category code 9, `SerializationFailure` code 8 — the
126    /// same status `Conflict` already had, never a generic 500.
127    #[tokio::test]
128    async fn deadlock_and_serialization_failure_are_409_with_precise_taxonomy() {
129        use mongreldb_core::MongrelError;
130        use mongreldb_query::MongrelQueryError;
131
132        let cases = [
133            (
134                MongrelError::Deadlock {
135                    victim: 7,
136                    cycle: "7 → 3 → 7".into(),
137                },
138                "deadlock",
139                9,
140            ),
141            (
142                MongrelError::SerializationFailure {
143                    message: "ssi certification failed".into(),
144                },
145                "serialization failure",
146                8,
147            ),
148        ];
149        for (core, category, category_code) in cases {
150            assert_eq!(status_for_error(&core), StatusCode::CONFLICT, "{core}");
151            let error = MongrelQueryError::Core(core);
152            assert_eq!(
153                status_for_query_error(&error),
154                StatusCode::CONFLICT,
155                "{error}"
156            );
157            let response = query_error_response(&error, None);
158            assert_eq!(response.status(), StatusCode::CONFLICT, "{error}");
159            let bytes = axum::body::to_bytes(response.into_body(), usize::MAX)
160                .await
161                .unwrap();
162            let body: serde_json::Value = serde_json::from_slice(&bytes).unwrap();
163            assert_eq!(body.pointer("/error/category").unwrap(), category, "{body}");
164            assert_eq!(
165                body.pointer("/error/category_code").unwrap(),
166                category_code,
167                "{body}"
168            );
169        }
170    }
171}
172
173/// Extractor that pulls the authenticated [`mongreldb_core::Principal`] (if the
174/// auth middleware injected one) from request extensions without erroring when
175/// absent (e.g. token-authenticated requests carry no `Principal`).
176struct OptionalPrincipal(Option<mongreldb_core::Principal>);
177
178impl<S> axum::extract::FromRequestParts<S> for OptionalPrincipal
179where
180    S: Send + Sync,
181{
182    type Rejection = std::convert::Infallible;
183
184    async fn from_request_parts(
185        parts: &mut axum::http::request::Parts,
186        _state: &S,
187    ) -> Result<Self, Self::Rejection> {
188        Ok(OptionalPrincipal(
189            parts.extensions.get::<mongreldb_core::Principal>().cloned(),
190        ))
191    }
192}
193
194struct AppState {
195    db: Arc<Database>,
196    idem: kit::IdempotencyStore,
197    external_modules: Vec<Arc<dyn ExternalTableModule>>,
198    auth_token: Option<String>,
199    /// When true, authenticate via catalog users (HTTP Basic auth).
200    user_auth: bool,
201    /// Daemon-wide Prometheus-style counters, shared by all handlers.
202    metrics: Arc<metrics::Metrics>,
203    /// Bounded security audit log (auth + DDL/privilege events).
204    audit: Arc<audit::AuditLog>,
205    /// Token-keyed pool of live sessions for cross-request interactive
206    /// transactions (`X-Session-ID` on `/sql`).
207    sessions: Arc<sessions::SessionStore>,
208    /// Bounds CPU-heavy AI work submitted to Tokio's blocking pool.
209    ai_semaphore: Arc<tokio::sync::Semaphore>,
210    /// Process-wide SQL registry. Cancellation never takes a session lock.
211    query_registry: Arc<SqlQueryRegistry>,
212    /// Serializes registration with cancel-before-registration bookkeeping.
213    query_lifecycle: Mutex<()>,
214    /// Short-lived, owner/session-bound cancellations received before SQL.
215    pre_cancellations: pre_cancel::PreCancelStore,
216    /// Owner- and request-bound durable SQL write receipts.
217    sql_idempotency: Arc<sql_idempotency::SqlIdempotencyStore>,
218    /// Bounded projected results retained for stable SQL continuation cursors.
219    sql_pages: sql_pages::SqlPageStore,
220    /// Admission control for ordinary SQL, separate from AI workers.
221    sql_semaphore: Arc<tokio::sync::Semaphore>,
222    /// Admission control for retained-page work. Never competes with SQL.
223    sql_page_semaphore: Arc<tokio::sync::Semaphore>,
224    sql_page_default_timeout: std::time::Duration,
225    sql_page_max_timeout: std::time::Duration,
226    /// Maximum HTTP request body bytes (S1D-007); enforced by an explicit
227    /// content-length check (structured 413) plus axum's body limit as the
228    /// hard cap for chunked bodies.
229    max_request_bytes: usize,
230    accepting_sql: Arc<AtomicBool>,
231    /// Lazily generated process-local HMAC key. Restart invalidates cursors.
232    cursor_mac_key: CursorMacKey,
233    /// The reloadable mutable subset of server configuration (§10.7).
234    reloadable: Arc<ReloadableConfig>,
235    /// Graceful-drain coordination and last-outcome record (§10.7).
236    drain: Arc<DrainControl>,
237    /// Stage 4 hierarchical scheduler (admission fairness / tenant quotas).
238    scheduler: std::sync::Mutex<mongreldb_core::HierarchicalScheduler>,
239    /// Stage 4 node memory governor (cross-tablet pressure actions).
240    node_governor: std::sync::Mutex<mongreldb_core::NodeMemoryGovernor>,
241    /// Stage 4 AI index generation registry (readiness/routing metadata).
242    ai_generations: std::sync::Mutex<mongreldb_core::AiIndexGenerationRegistry>,
243    /// Stage 4 multi-region placement policy (default single-leader).
244    multi_region: std::sync::Mutex<mongreldb_cluster::multi_region::MultiRegionPolicy>,
245    /// Stage 5 online ops job store (backup, restore, movement, …).
246    ops_jobs: std::sync::Mutex<mongreldb_core::OpsJobStore>,
247    /// Workload resource groups for admission (mirrors the core defaults;
248    /// operators reconfigure via admin SQL / API).
249    resource_groups: mongreldb_core::ResourceGroupRegistry,
250    /// Optional embedding providers registered with the server process.
251    /// Empty by default — application-supplied vectors and sparse retrieval
252    /// need no vendor.
253    embedding_providers: mongreldb_core::EmbeddingProviderRegistry,
254}
255
256/// A `Duration` config value (millisecond granularity) that
257/// `POST /admin/reload` / SIGHUP may update live (§10.7 configuration
258/// reload). Reads are lock-free.
259struct ReloadableDuration(std::sync::atomic::AtomicU64);
260
261impl ReloadableDuration {
262    fn new(value: std::time::Duration) -> Self {
263        Self(std::sync::atomic::AtomicU64::new(
264            value.as_millis().min(u128::from(u64::MAX)) as u64,
265        ))
266    }
267
268    fn get(&self) -> std::time::Duration {
269        std::time::Duration::from_millis(self.0.load(Ordering::Relaxed))
270    }
271
272    fn set(&self, value: std::time::Duration) {
273        self.0.store(
274            value.as_millis().min(u128::from(u64::MAX)) as u64,
275            Ordering::Relaxed,
276        );
277    }
278
279    fn as_millis(&self) -> u64 {
280        self.0.load(Ordering::Relaxed)
281    }
282}
283
284/// A `usize` config value that `POST /admin/reload` / SIGHUP may update live.
285struct ReloadableUsize(std::sync::atomic::AtomicU64);
286
287impl ReloadableUsize {
288    fn new(value: usize) -> Self {
289        Self(std::sync::atomic::AtomicU64::new(
290            u64::try_from(value).unwrap_or(u64::MAX),
291        ))
292    }
293
294    fn get(&self) -> usize {
295        usize::try_from(self.0.load(Ordering::Relaxed)).unwrap_or(usize::MAX)
296    }
297
298    fn set(&self, value: usize) {
299        self.0
300            .store(u64::try_from(value).unwrap_or(u64::MAX), Ordering::Relaxed);
301    }
302}
303
304/// The mutable subset of server configuration (§10.7 configuration reload,
305/// §16.1 static node configuration). These values are re-read from the
306/// environment — with optional `POST /admin/reload` body overrides — and
307/// applied live. Everything NOT listed here is static node configuration and
308/// takes effect only at restart: listen address/port, data directory,
309/// authentication token/mode, connection and session capacity, session idle
310/// timeout, SQL/AI/retained-page admission semaphore capacities, the
311/// request-bytes bound, SQL idempotency TTL and capacity (the receipt binding
312/// includes the expiry policy, so changing it live would split key domains),
313/// pre-cancellation bounds, and retained-page bounds.
314struct ReloadableConfig {
315    /// `MONGRELBL_SLOW_QUERY_MS` — slow-query log/metrics threshold.
316    slow_query_threshold: ReloadableDuration,
317    /// `MONGRELDB_SQL_DEFAULT_TIMEOUT_MS` — default per-query timeout
318    /// (clamped to the maximum).
319    sql_default_timeout: ReloadableDuration,
320    /// `MONGRELDB_SQL_MAX_TIMEOUT_MS` — maximum per-query timeout.
321    sql_max_timeout: ReloadableDuration,
322    /// `MONGRELDB_SQL_CANCEL_GRACE_MS` — cancellation grace on session close
323    /// and admin drain.
324    sql_cancel_grace: ReloadableDuration,
325    /// `MONGRELDB_SQL_MAX_OUTPUT_ROWS` — per-request output row ceiling.
326    sql_max_output_rows: ReloadableUsize,
327    /// `MONGRELDB_SQL_MAX_OUTPUT_BYTES` — per-request output byte ceiling.
328    sql_max_output_bytes: ReloadableUsize,
329}
330
331/// One full set of mutable-config values to apply. Built from the
332/// environment, then any request-body overrides win field-by-field.
333#[derive(Clone, Debug)]
334struct MutableConfigValues {
335    slow_query_threshold: std::time::Duration,
336    sql_default_timeout: std::time::Duration,
337    sql_max_timeout: std::time::Duration,
338    sql_cancel_grace: std::time::Duration,
339    sql_max_output_rows: usize,
340    sql_max_output_bytes: usize,
341    history_retention_epochs: u64,
342}
343
344/// Optional `POST /admin/reload` body: every field defaults to "re-read from
345/// the environment"; a present field overrides the environment value. Values
346/// must be positive (they are limits/timeouts).
347#[derive(Clone, Debug, Default, Deserialize)]
348struct MutableConfigOverrides {
349    #[serde(default)]
350    slow_query_ms: Option<u64>,
351    #[serde(default)]
352    sql_default_timeout_ms: Option<u64>,
353    #[serde(default)]
354    sql_max_timeout_ms: Option<u64>,
355    #[serde(default)]
356    sql_cancel_grace_ms: Option<u64>,
357    #[serde(default)]
358    sql_max_output_rows: Option<u64>,
359    #[serde(default)]
360    sql_max_output_bytes: Option<u64>,
361    #[serde(default)]
362    history_retention_epochs: Option<u64>,
363}
364
365/// The values one reload pass applied (the `POST /admin/reload` response body
366/// and the SIGHUP log line). Field names are the audit detail — never values
367/// from a request body beyond these plain numbers.
368#[derive(Clone, Debug, Serialize)]
369pub struct ReloadReport {
370    pub slow_query_ms: u64,
371    pub sql_default_timeout_ms: u64,
372    pub sql_max_timeout_ms: u64,
373    pub sql_cancel_grace_ms: u64,
374    pub sql_max_output_rows: u64,
375    pub sql_max_output_bytes: u64,
376    pub history_retention_epochs: u64,
377}
378
379/// Read the environment-driven mutable configuration (same readers startup
380/// uses, so a reload never changes defaults resolution).
381fn mutable_config_from_env() -> MutableConfigValues {
382    let sql_max_timeout = default_sql_max_timeout();
383    MutableConfigValues {
384        slow_query_threshold: metrics::slow_query_threshold(),
385        sql_default_timeout: default_sql_default_timeout().min(sql_max_timeout),
386        sql_max_timeout,
387        sql_cancel_grace: default_sql_cancel_grace(),
388        sql_max_output_rows: default_sql_max_output_rows(),
389        sql_max_output_bytes: default_sql_max_output_bytes(),
390        history_retention_epochs: default_history_retention_epochs(),
391    }
392}
393
394impl MutableConfigValues {
395    /// Apply validated request-body overrides. Zero values are rejected: they
396    /// are never valid for these limits (the environment readers filter them
397    /// the same way).
398    fn apply_overrides(&mut self, overrides: &MutableConfigOverrides) -> Result<(), &'static str> {
399        fn positive(value: Option<u64>) -> Result<Option<u64>, &'static str> {
400            match value {
401                Some(0) => Err("reload override values must be positive"),
402                other => Ok(other),
403            }
404        }
405        if let Some(value) = positive(overrides.slow_query_ms)? {
406            self.slow_query_threshold = std::time::Duration::from_millis(value);
407        }
408        if let Some(value) = positive(overrides.sql_max_timeout_ms)? {
409            self.sql_max_timeout = std::time::Duration::from_millis(value);
410        }
411        if let Some(value) = positive(overrides.sql_default_timeout_ms)? {
412            self.sql_default_timeout = std::time::Duration::from_millis(value);
413        }
414        if let Some(value) = positive(overrides.sql_cancel_grace_ms)? {
415            self.sql_cancel_grace = std::time::Duration::from_millis(value);
416        }
417        if let Some(value) = positive(overrides.sql_max_output_rows)? {
418            self.sql_max_output_rows = usize::try_from(value).unwrap_or(usize::MAX);
419        }
420        if let Some(value) = positive(overrides.sql_max_output_bytes)? {
421            self.sql_max_output_bytes = usize::try_from(value).unwrap_or(usize::MAX);
422        }
423        if let Some(value) = positive(overrides.history_retention_epochs)? {
424            self.history_retention_epochs = value;
425        }
426        Ok(())
427    }
428}
429
430/// Apply one mutable-config set live (§10.7): store the runtime tunables and
431/// re-apply history retention to the core (its setter is idempotent). The
432/// default timeout is clamped to the maximum exactly like startup does.
433fn apply_mutable_config(
434    reloadable: &ReloadableConfig,
435    db: &mongreldb_core::Database,
436    values: &MutableConfigValues,
437) -> mongreldb_core::Result<ReloadReport> {
438    reloadable.sql_max_timeout.set(values.sql_max_timeout);
439    reloadable
440        .sql_default_timeout
441        .set(values.sql_default_timeout.min(values.sql_max_timeout));
442    reloadable.sql_cancel_grace.set(values.sql_cancel_grace);
443    reloadable
444        .sql_max_output_rows
445        .set(values.sql_max_output_rows);
446    reloadable
447        .sql_max_output_bytes
448        .set(values.sql_max_output_bytes);
449    reloadable
450        .slow_query_threshold
451        .set(values.slow_query_threshold);
452    db.set_history_retention_epochs(values.history_retention_epochs)?;
453    Ok(ReloadReport {
454        slow_query_ms: reloadable.slow_query_threshold.as_millis(),
455        sql_default_timeout_ms: reloadable.sql_default_timeout.as_millis(),
456        sql_max_timeout_ms: reloadable.sql_max_timeout.as_millis(),
457        sql_cancel_grace_ms: reloadable.sql_cancel_grace.as_millis(),
458        sql_max_output_rows: reloadable.sql_max_output_rows.get() as u64,
459        sql_max_output_bytes: reloadable.sql_max_output_bytes.get() as u64,
460        history_retention_epochs: values.history_retention_epochs,
461    })
462}
463
464/// Graceful-drain coordination (§10.7 graceful drain): one drain in flight at
465/// a time, plus the last outcome record served by `GET /admin/drain`.
466#[derive(Default)]
467struct DrainControl {
468    /// Serializes drain initiation; held across the (bounded) drain.
469    lock: tokio::sync::Mutex<()>,
470    record: std::sync::Mutex<DrainRecord>,
471}
472
473#[derive(Clone, Default, Serialize)]
474struct DrainRecord {
475    /// A drain was initiated at least once.
476    initiated: bool,
477    /// The last initiation ran the core to `Closed` within its deadline.
478    completed: bool,
479    /// The deadline the last initiation ran with.
480    deadline_ms: u64,
481    /// Lifecycle state at the end of the last initiation.
482    lifecycle: String,
483    /// Human-readable outcome detail (no request data).
484    detail: String,
485}
486
487#[derive(Default)]
488struct CursorMacKey {
489    key: Mutex<Option<[u8; 32]>>,
490}
491
492impl CursorMacKey {
493    fn get(&self) -> mongreldb_core::Result<[u8; 32]> {
494        let mut key = match self.key.lock() {
495            Ok(key) => key,
496            Err(poisoned) => poisoned.into_inner(),
497        };
498        if let Some(key) = *key {
499            return Ok(key);
500        }
501        let mut generated = [0u8; 32];
502        mongreldb_core::encryption::fill_random(&mut generated)?;
503        *key = Some(generated);
504        Ok(generated)
505    }
506}
507
508/// Handle retained by the daemon to coordinate graceful SQL shutdown without
509/// coupling signal handling to Axum's router internals.
510#[derive(Clone)]
511pub struct ServerControl {
512    query_registry: Arc<SqlQueryRegistry>,
513    sessions: Arc<sessions::SessionStore>,
514    accepting_sql: Arc<AtomicBool>,
515    cancel_grace: std::time::Duration,
516    metrics: Arc<metrics::Metrics>,
517    reloadable: Arc<ReloadableConfig>,
518    db: Arc<Database>,
519    audit: Arc<audit::AuditLog>,
520}
521
522impl ServerControl {
523    pub async fn shutdown(&self) -> usize {
524        self.accepting_sql.store(false, Ordering::Release);
525        self.query_registry
526            .cancel_all(CancellationReason::ServerShutdown);
527        let deadline = tokio::time::Instant::now() + self.cancel_grace;
528        while self.query_registry.active_count() > 0 && tokio::time::Instant::now() < deadline {
529            tokio::time::sleep(std::time::Duration::from_millis(5)).await;
530        }
531        self.sessions.close_all();
532        let stuck_queries = self.query_registry.active_statuses();
533        for status in &stuck_queries {
534            eprintln!(
535                "[sql-cancel-stuck] query_id={} phase={}",
536                status.query_id,
537                query_phase_name(status.phase)
538            );
539        }
540        let stuck = stuck_queries.len();
541        self.metrics.add_sql_stuck_after_cancel(stuck);
542        stuck
543    }
544
545    /// Re-read the environment-driven mutable subset of server configuration
546    /// and apply it live (§10.7 configuration reload). Invoked on SIGHUP;
547    /// `POST /admin/reload` runs the same apply path (and also accepts
548    /// request-body overrides). Static node configuration (§16.1) is
549    /// untouched and stays restart-only.
550    pub fn reload_config(&self) -> Result<ReloadReport, String> {
551        let values = mutable_config_from_env();
552        let report = apply_mutable_config(&self.reloadable, &self.db, &values)
553            .map_err(|error| error.to_string())?;
554        self.audit.record(
555            "system",
556            "admin.reload.ok",
557            "configuration reload applied (source: SIGHUP)",
558        );
559        Ok(report)
560    }
561}
562
563pub fn build_app(db: Arc<Database>) -> axum::Router {
564    build_app_with_config(
565        db,
566        std::iter::empty::<Arc<dyn ExternalTableModule>>(),
567        None,
568        None,
569    )
570}
571
572pub fn build_app_with_external_modules(
573    db: Arc<Database>,
574    external_modules: impl IntoIterator<Item = Arc<dyn ExternalTableModule>>,
575) -> axum::Router {
576    build_app_with_config(db, external_modules, None, None)
577}
578
579/// Build the daemon router with optional auth token and max-connections limit.
580pub fn build_app_with_config(
581    db: Arc<Database>,
582    external_modules: impl IntoIterator<Item = Arc<dyn ExternalTableModule>>,
583    auth_token: Option<String>,
584    max_connections: Option<usize>,
585) -> axum::Router {
586    build_app_full(db, external_modules, auth_token, max_connections, false)
587}
588
589/// Build the daemon router with full auth configuration including user-based auth.
590/// Sessions are enabled with a default capacity (256) and idle timeout (300 s).
591pub fn build_app_full(
592    db: Arc<Database>,
593    external_modules: impl IntoIterator<Item = Arc<dyn ExternalTableModule>>,
594    auth_token: Option<String>,
595    max_connections: Option<usize>,
596    user_auth: bool,
597) -> axum::Router {
598    let sessions = Arc::new(sessions::SessionStore::new(
599        default_max_sessions(),
600        default_session_idle_timeout(),
601    ));
602    build_app_with_sessions(
603        db,
604        external_modules,
605        auth_token,
606        max_connections,
607        user_auth,
608        sessions,
609    )
610}
611
612/// Build the daemon router with an explicit, externally-owned session store.
613/// The caller (typically `main`) keeps the `Arc<SessionStore>` so it can spawn
614/// the idle reaper against the same map the handlers use.
615pub fn build_app_with_sessions(
616    db: Arc<Database>,
617    external_modules: impl IntoIterator<Item = Arc<dyn ExternalTableModule>>,
618    auth_token: Option<String>,
619    max_connections: Option<usize>,
620    user_auth: bool,
621    sessions: Arc<sessions::SessionStore>,
622) -> axum::Router {
623    build_app_with_sessions_and_control(
624        db,
625        external_modules,
626        auth_token,
627        max_connections,
628        user_auth,
629        sessions,
630    )
631    .0
632}
633
634/// Build the daemon router and return a handle for graceful query shutdown.
635pub fn build_app_with_sessions_and_control(
636    db: Arc<Database>,
637    external_modules: impl IntoIterator<Item = Arc<dyn ExternalTableModule>>,
638    auth_token: Option<String>,
639    max_connections: Option<usize>,
640    user_auth: bool,
641    sessions: Arc<sessions::SessionStore>,
642) -> (axum::Router, ServerControl) {
643    db.set_replication_wal_retention_segments(default_replication_wal_segments());
644    if let Err(error) = db.set_history_retention_epochs(default_history_retention_epochs()) {
645        eprintln!("[history] failed to configure retention: {error}");
646    }
647    let max_active_queries = default_sql_max_active_queries();
648    let query_registry = Arc::new(SqlQueryRegistry::new_with_limits(
649        max_active_queries,
650        default_sql_finished_detail_max_entries(),
651        default_sql_finished_detail_max_bytes(),
652        default_sql_finished_compact_max_entries(),
653        default_sql_finished_compact_max_bytes(),
654        default_sql_finished_query_ttl(),
655    ));
656    let accepting_sql = Arc::new(AtomicBool::new(true));
657    let sql_cancel_grace = default_sql_cancel_grace();
658    let sql_max_timeout = default_sql_max_timeout();
659    let sql_default_timeout = default_sql_default_timeout().min(sql_max_timeout);
660    let metrics = Arc::new(metrics::Metrics::default());
661    let audit = Arc::new(audit::AuditLog::new(8192));
662    let reloadable = Arc::new(ReloadableConfig {
663        slow_query_threshold: ReloadableDuration::new(metrics::slow_query_threshold()),
664        sql_default_timeout: ReloadableDuration::new(sql_default_timeout),
665        sql_max_timeout: ReloadableDuration::new(sql_max_timeout),
666        sql_cancel_grace: ReloadableDuration::new(sql_cancel_grace),
667        sql_max_output_rows: ReloadableUsize::new(default_sql_max_output_rows()),
668        sql_max_output_bytes: ReloadableUsize::new(default_sql_max_output_bytes()),
669    });
670    let (idempotency_root, idempotency_integrity) =
671        match sql_idempotency::IdempotencyIntegrity::for_database(&db) {
672            Ok((root, integrity)) => (root, Some(integrity)),
673            Err(error) => {
674                eprintln!("[idempotency] durable integrity key unavailable: {error}");
675                (db.durable_root(), None)
676            }
677        };
678    let sql_idempotency = Arc::new(sql_idempotency::SqlIdempotencyStore::new_with_integrity(
679        Arc::clone(&idempotency_root),
680        idempotency_integrity.clone(),
681        default_sql_idempotency_ttl(),
682        default_sql_idempotency_max_entries(),
683    ));
684    let server_control = ServerControl {
685        query_registry: Arc::clone(&query_registry),
686        sessions: Arc::clone(&sessions),
687        accepting_sql: Arc::clone(&accepting_sql),
688        cancel_grace: sql_cancel_grace,
689        metrics: Arc::clone(&metrics),
690        reloadable: Arc::clone(&reloadable),
691        db: Arc::clone(&db),
692        audit: Arc::clone(&audit),
693    };
694    let state = Arc::new(AppState {
695        idem: kit::IdempotencyStore::new_with_integrity(
696            idempotency_root,
697            idempotency_integrity,
698            default_sql_idempotency_ttl(),
699            default_sql_idempotency_max_entries(),
700        ),
701        db,
702        external_modules: external_modules.into_iter().collect(),
703        auth_token,
704        user_auth,
705        metrics,
706        audit,
707        sessions,
708        ai_semaphore: Arc::new(tokio::sync::Semaphore::new(default_ai_max_concurrent())),
709        query_registry,
710        query_lifecycle: Mutex::new(()),
711        pre_cancellations: pre_cancel::PreCancelStore::new(
712            default_sql_pre_cancel_ttl(),
713            default_sql_pre_cancel_max_entries(),
714            default_sql_pre_cancel_max_bytes(),
715            default_sql_pre_cancel_max_entries_per_owner(),
716            default_sql_pre_cancel_rate_window(),
717            default_sql_pre_cancel_rate_per_owner(),
718        ),
719        sql_idempotency,
720        sql_pages: sql_pages::SqlPageStore::new(
721            default_sql_page_ttl(),
722            default_sql_page_max_entries(),
723            default_sql_page_max_bytes(),
724            default_sql_page_max_entries_per_owner(),
725        ),
726        sql_semaphore: Arc::new(tokio::sync::Semaphore::new(default_sql_max_concurrent())),
727        sql_page_semaphore: Arc::new(tokio::sync::Semaphore::new(
728            default_sql_page_max_concurrent(),
729        )),
730        sql_page_default_timeout: default_sql_page_default_timeout()
731            .min(default_sql_page_max_timeout()),
732        sql_page_max_timeout: default_sql_page_max_timeout(),
733        max_request_bytes: default_max_request_bytes(),
734        accepting_sql,
735        cursor_mac_key: CursorMacKey::default(),
736        reloadable,
737        drain: Arc::new(DrainControl::default()),
738        scheduler: std::sync::Mutex::new(mongreldb_core::HierarchicalScheduler::new()),
739        node_governor: std::sync::Mutex::new(mongreldb_core::NodeMemoryGovernor::new(
740            mongreldb_core::MemoryGovernor::new(mongreldb_core::GovernorConfig::new(
741                12 * 1024 * 1024 * 1024,
742            ))
743            .expect("default node memory governor config"),
744        )),
745        ai_generations: std::sync::Mutex::new(mongreldb_core::AiIndexGenerationRegistry::new()),
746        multi_region: std::sync::Mutex::new(
747            mongreldb_cluster::multi_region::MultiRegionPolicy::default(),
748        ),
749        ops_jobs: std::sync::Mutex::new(mongreldb_core::OpsJobStore::new()),
750        resource_groups: mongreldb_core::ResourceGroupRegistry::with_defaults(),
751        embedding_providers: mongreldb_core::EmbeddingProviderRegistry::new(),
752    });
753    let router = axum::Router::new()
754        .route("/health", get(health))
755        .route("/build-info", get(build_info))
756        .route("/capabilities", get(capabilities))
757        .route(
758            "/history/retention",
759            get(history_retention).put(set_history_retention),
760        )
761        .route("/metrics", get(metrics_handler))
762        .route("/audit", get(audit_handler))
763        .route("/admin/drain", get(drain_status).post(admin_drain))
764        .route("/admin/reload", post(admin_reload))
765        // Cluster bootstrap + membership workflows (spec §11.1, S2A-002).
766        .route("/admin/cluster/status", get(cluster_admin::status))
767        .route("/admin/cluster/node/drain", post(cluster_admin::drain))
768        .route("/admin/cluster/node/remove", post(cluster_admin::remove))
769        .route("/tables", get(list_tables).post(create_table))
770        .route("/tables/{name}", axum::routing::delete(drop_table))
771        .route("/tables/{name}/put", post(put_row))
772        .route("/tables/{name}/count", get(count))
773        .route("/tables/{name}/commit", post(commit))
774        .route("/sql", post(sql))
775        .route("/sql/continue", post(continue_sql_page))
776        .route("/queries/{query_id}", get(query_status))
777        .route("/queries/{query_id}/cancel", post(cancel_query))
778        .route("/txn", post(txn))
779        .route("/sessions", post(create_session))
780        .route("/sessions/{id}", axum::routing::delete(close_session))
781        .route("/sessions/{id}/prepare", post(prepare_statement))
782        .route("/sessions/{id}/execute", post(execute_statement))
783        .route(
784            "/sessions/{id}/statements/{name}",
785            axum::routing::delete(deallocate_statement),
786        )
787        .route("/procedures", get(procedure::list).post(procedure::create))
788        .route(
789            "/procedures/{name}",
790            get(procedure::describe)
791                .put(procedure::replace)
792                .delete(procedure::drop_procedure),
793        )
794        .route("/procedures/{name}/call", post(procedure::call))
795        .route("/triggers", get(trigger::list).post(trigger::create))
796        .route(
797            "/triggers/{name}",
798            get(trigger::describe)
799                .put(trigger::replace)
800                .delete(trigger::drop_trigger),
801        )
802        // Typed Kit-aware surface (authoritative validation + constraints).
803        .route("/kit/schema", get(kit::schema_all))
804        .route("/kit/schema/{table}", get(kit::schema_one))
805        .route("/kit/txn", post(kit::kit_txn))
806        .route("/kit/query", post(kit::kit_query))
807        .route("/kit/retrieve", post(kit::kit_retrieve))
808        .route("/kit/ann_rerank", post(kit::kit_ann_rerank))
809        .route("/kit/ai/metrics", get(kit::kit_ai_metrics))
810        .route("/kit/set_similarity", post(kit::kit_set_similarity))
811        .route("/kit/search", post(kit::kit_search))
812        .route("/kit/create_table", post(kit::kit_create_table))
813        .route("/kit/procedures/{name}/call", post(procedure::kit_call))
814        .route("/compact", post(compact_all))
815        .route("/tables/{name}/compact", post(compact_table))
816        .route("/wal/stream", get(wal_stream))
817        .route("/replication/snapshot", get(replication_snapshot))
818        .route("/events", get(events_stream))
819        .with_state(state.clone());
820
821    // A credential-enforced database must never expose the authenticated
822    // daemon handle when the caller forgot to configure an HTTP auth mode.
823    // With neither mode enabled the middleware rejects every route.
824    let router = if state.auth_token.is_some() || state.user_auth || state.db.require_auth_enabled()
825    {
826        router.layer(axum::middleware::from_fn_with_state(
827            state.clone(),
828            auth_middleware,
829        ))
830    } else {
831        router
832    };
833
834    // S1D-007 request-bytes bound: reject over-limit bodies with a
835    // structured 413 (content-length fast path) and cap extraction buffers
836    // at the same limit for chunked bodies (`DefaultBodyLimit`).
837    let router = router
838        .layer(axum::middleware::from_fn_with_state(
839            state.clone(),
840            request_body_limit_middleware,
841        ))
842        .layer(axum::extract::DefaultBodyLimit::max(
843            state.max_request_bytes,
844        ));
845
846    // Apply connection limit if configured.
847    let router = if let Some(max) = max_connections {
848        router.layer(tower::limit::ConcurrencyLimitLayer::new(max))
849    } else {
850        router
851    };
852    (router, server_control)
853}
854
855/// Auth middleware supporting three modes:
856/// 1. **Token** (`--auth-token <token>`): checks `Authorization: Bearer <token>`.
857/// 2. **User auth** (`--auth-users`): checks `Authorization: Basic <base64(user:pass)>`
858///    against catalog users (Argon2id-verified). Injects a `Principal` into
859///    request extensions.
860/// 3. **Both**: token OR valid user credentials accepted.
861async fn auth_middleware(
862    axum::extract::State(state): axum::extract::State<Arc<AppState>>,
863    mut req: axum::extract::Request,
864    next: axum::middleware::Next,
865) -> Result<axum::response::Response, axum::http::StatusCode> {
866    let header = req
867        .headers()
868        .get("authorization")
869        .and_then(|v| v.to_str().ok())
870        .unwrap_or("");
871
872    // Track the attempted identity + failure reason so EVERY 401 path emits
873    // exactly one `login.fail` audit event (missing, malformed, wrong token,
874    // wrong password are all logged — no unauthenticated probe goes unrecorded).
875    let mut attempted = String::new();
876    let mut fail_reason = "no credentials provided".to_string();
877
878    // Mode 1: Token auth (Bearer).
879    if let Some(token) = &state.auth_token {
880        if let Some(provided) = header.strip_prefix("Bearer ") {
881            attempted = "token".to_string();
882            if provided == token {
883                state
884                    .audit
885                    .record("token", "login.ok", "bearer token accepted");
886                return Ok(next.run(req).await);
887            }
888            fail_reason = "invalid bearer token".to_string();
889        }
890    }
891
892    // Mode 2: User auth (Basic).
893    if state.user_auth {
894        if let Some(encoded) = header.strip_prefix("Basic ") {
895            if let Ok(decoded) = base64_decode(encoded) {
896                let decoded = Zeroizing::new(decoded);
897                if let Ok(creds) = std::str::from_utf8(&decoded) {
898                    if let Some((username, password)) = creds.split_once(':') {
899                        attempted = username.to_string();
900                        if let Ok(Some(principal)) =
901                            state.db.authenticate_principal(username, password)
902                        {
903                            let username = principal.username.clone();
904                            drop(decoded);
905                            state
906                                .audit
907                                .record(&username, "login.ok", "basic credentials accepted");
908                            req.extensions_mut().insert(principal);
909                            return Ok(next.run(req).await);
910                        }
911                        fail_reason = "invalid basic credentials".to_string();
912                    } else {
913                        fail_reason = "malformed basic credentials (no ':')".to_string();
914                    }
915                } else {
916                    fail_reason = "malformed basic credentials (non-utf8)".to_string();
917                }
918            } else {
919                fail_reason = "malformed basic credentials (bad base64)".to_string();
920            }
921        }
922    }
923
924    let who = if attempted.is_empty() {
925        "anonymous"
926    } else {
927        attempted.as_str()
928    };
929    state.audit.record(who, "login.fail", fail_reason);
930    Err(axum::http::StatusCode::UNAUTHORIZED)
931}
932
933/// Minimal Base64 decoder (no extra dep).
934fn base64_decode(input: &str) -> Result<Vec<u8>, ()> {
935    const TABLE: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
936    let input: Vec<u8> = input
937        .bytes()
938        .filter(|&b| b != b'\n' && b != b'\r' && b != b' ')
939        .collect();
940    let mut out = Vec::with_capacity(input.len() * 3 / 4);
941    let mut buf = 0u32;
942    let mut bits = 0u32;
943    for &b in &input {
944        if b == b'=' {
945            break;
946        }
947        let val = TABLE.iter().position(|&t| t == b).ok_or(())? as u32;
948        buf = (buf << 6) | val;
949        bits += 6;
950        if bits >= 8 {
951            bits -= 8;
952            out.push((buf >> bits) as u8);
953        }
954    }
955    Ok(out)
956}
957
958/// Structured error envelope carrying the stable error taxonomy (spec
959/// section 9.7): `category` + `category_code` are the programmatic contract,
960/// `code` and `message` are diagnostic. Used by bounds rejections and the
961/// S1D-005 prepared-statement surface; the `/sql` query-error envelope adds
962/// the same fields additively (see `query_error_response_with_status`).
963fn structured_category_error_response(
964    http_status: StatusCode,
965    code: &'static str,
966    message: impl Into<String>,
967    category: mongreldb_types::errors::ErrorCategory,
968) -> Response {
969    (
970        http_status,
971        Json(json!({
972            "error": {
973                "code": code,
974                "message": message.into(),
975                "category": category.to_string(),
976                "category_code": category.code(),
977                "retryable": category.is_retryable(),
978            }
979        })),
980    )
981        .into_response()
982}
983
984/// S1D-007 request-bytes bound: reject requests whose declared
985/// `content-length` exceeds the configured maximum with a structured 413
986/// before any body bytes are read. Bodies without a `content-length`
987/// (chunked) are still hard-capped by `DefaultBodyLimit` at extraction.
988async fn request_body_limit_middleware(
989    axum::extract::State(state): axum::extract::State<Arc<AppState>>,
990    req: axum::extract::Request,
991    next: axum::middleware::Next,
992) -> axum::response::Response {
993    let declared = req
994        .headers()
995        .get(axum::http::header::CONTENT_LENGTH)
996        .and_then(|value| value.to_str().ok())
997        .and_then(|value| value.parse::<u64>().ok());
998    if let Some(declared) = declared {
999        if declared > state.max_request_bytes as u64 {
1000            return structured_category_error_response(
1001                StatusCode::PAYLOAD_TOO_LARGE,
1002                "REQUEST_BODY_TOO_LARGE",
1003                format!(
1004                    "request body of {declared} bytes exceeds the server limit of {} bytes",
1005                    state.max_request_bytes
1006                ),
1007                mongreldb_types::errors::ErrorCategory::ResourceExhausted,
1008            );
1009        }
1010    }
1011    next.run(req).await
1012}
1013
1014/// `GET /wal/stream?since=<epoch>` — return complete committed WAL
1015/// transactions after the follower epoch. A 409 response means retained WAL
1016/// cannot close the gap and the follower must fetch `/replication/snapshot`.
1017/// Records are newline-delimited JSON.
1018/// newline-delimited JSON for replication followers. Each line is a JSON
1019/// object `{ "seq": N, "txn_id": N, "op": {...} }`.
1020async fn wal_stream(
1021    axum::extract::State(state): axum::extract::State<Arc<AppState>>,
1022    OptionalPrincipal(principal): OptionalPrincipal,
1023    axum::extract::Query(params): axum::extract::Query<WalStreamParams>,
1024) -> Result<Response, StatusCode> {
1025    state
1026        .db
1027        .require_for(
1028            request_principal(&state, &principal).as_ref(),
1029            &mongreldb_core::Permission::Admin,
1030        )
1031        .map_err(|error| status_for_error(&error))?;
1032    let since = params.since.unwrap_or(0);
1033    let db = Arc::clone(&state.db);
1034    let batch = tokio::task::spawn_blocking(move || db.replication_batch_since(since))
1035        .await
1036        .map_err(|_e| StatusCode::INTERNAL_SERVER_ERROR)?;
1037    let batch = batch.map_err(|e| {
1038        eprintln!("wal_stream error: {e}");
1039        StatusCode::INTERNAL_SERVER_ERROR
1040    })?;
1041    if batch.requires_snapshot {
1042        let mut response = (
1043            StatusCode::CONFLICT,
1044            "replication snapshot required: WAL retention gap or spilled run",
1045        )
1046            .into_response();
1047        response.headers_mut().insert(
1048            "x-mongreldb-replication-status",
1049            "snapshot-required"
1050                .parse()
1051                .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?,
1052        );
1053        set_replication_headers(
1054            &mut response,
1055            &batch.source_id,
1056            batch.from_epoch,
1057            batch.current_epoch,
1058            batch.earliest_epoch,
1059            batch.commit_count,
1060            &batch.records_sha256,
1061        )?;
1062        return Ok(response);
1063    }
1064    let mut body = String::new();
1065    for record in &batch.records {
1066        let json = serde_json::to_string(record).map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
1067        body.push_str(&json);
1068        body.push('\n');
1069    }
1070    let mut response = (
1071        [
1072            (header::CONTENT_TYPE, "application/x-ndjson".to_string()),
1073            (header::CACHE_CONTROL, "no-cache".to_string()),
1074        ],
1075        body,
1076    )
1077        .into_response();
1078    set_replication_headers(
1079        &mut response,
1080        &batch.source_id,
1081        batch.from_epoch,
1082        batch.current_epoch,
1083        batch.earliest_epoch,
1084        batch.commit_count,
1085        &batch.records_sha256,
1086    )?;
1087    Ok(response)
1088}
1089
1090async fn replication_snapshot(
1091    axum::extract::State(state): axum::extract::State<Arc<AppState>>,
1092    OptionalPrincipal(principal): OptionalPrincipal,
1093) -> Response {
1094    if let Err(error) = state.db.require_for(
1095        request_principal(&state, &principal).as_ref(),
1096        &mongreldb_core::Permission::Admin,
1097    ) {
1098        return (status_for_error(&error), error.to_string()).into_response();
1099    }
1100    let db = Arc::clone(&state.db);
1101    let snapshot = match tokio::task::spawn_blocking(move || db.replication_snapshot()).await {
1102        Ok(Ok(snapshot)) => snapshot,
1103        Ok(Err(error)) => {
1104            return (StatusCode::INTERNAL_SERVER_ERROR, error.to_string()).into_response()
1105        }
1106        Err(error) => {
1107            return (StatusCode::INTERNAL_SERVER_ERROR, error.to_string()).into_response()
1108        }
1109    };
1110    let epoch = snapshot.epoch();
1111    // ponytail: bootstrap buffers one image; add framed file streaming when
1112    // real snapshot sizes make this memory ceiling measurable.
1113    match snapshot.encode() {
1114        Ok(bytes) => {
1115            let mut response =
1116                ([(header::CONTENT_TYPE, "application/octet-stream")], bytes).into_response();
1117            let Ok(value) = epoch.to_string().parse() else {
1118                return (
1119                    StatusCode::INTERNAL_SERVER_ERROR,
1120                    "invalid replication epoch response header",
1121                )
1122                    .into_response();
1123            };
1124            response
1125                .headers_mut()
1126                .insert("x-mongreldb-current-epoch", value);
1127            let source_id = snapshot
1128                .source_id()
1129                .iter()
1130                .map(|byte| format!("{byte:02x}"))
1131                .collect::<String>();
1132            let Ok(source_id) = source_id.parse() else {
1133                return (
1134                    StatusCode::INTERNAL_SERVER_ERROR,
1135                    "invalid replication source response header",
1136                )
1137                    .into_response();
1138            };
1139            response
1140                .headers_mut()
1141                .insert("x-mongreldb-source-id", source_id);
1142            response
1143        }
1144        Err(error) => (StatusCode::INTERNAL_SERVER_ERROR, error.to_string()).into_response(),
1145    }
1146}
1147
1148fn set_replication_headers(
1149    response: &mut Response,
1150    source_id: &[u8; 32],
1151    from: u64,
1152    current: u64,
1153    earliest: Option<u64>,
1154    commit_count: u64,
1155    records_sha256: &[u8; 32],
1156) -> Result<(), StatusCode> {
1157    let source_id = source_id
1158        .iter()
1159        .map(|byte| format!("{byte:02x}"))
1160        .collect::<String>();
1161    response.headers_mut().insert(
1162        "x-mongreldb-source-id",
1163        source_id
1164            .parse()
1165            .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?,
1166    );
1167    response.headers_mut().insert(
1168        "x-mongreldb-from-epoch",
1169        from.to_string()
1170            .parse()
1171            .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?,
1172    );
1173    response.headers_mut().insert(
1174        "x-mongreldb-current-epoch",
1175        current
1176            .to_string()
1177            .parse()
1178            .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?,
1179    );
1180    response.headers_mut().insert(
1181        "x-mongreldb-commit-count",
1182        commit_count
1183            .to_string()
1184            .parse()
1185            .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?,
1186    );
1187    let digest = records_sha256
1188        .iter()
1189        .map(|byte| format!("{byte:02x}"))
1190        .collect::<String>();
1191    response.headers_mut().insert(
1192        "x-mongreldb-records-sha256",
1193        digest
1194            .parse()
1195            .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?,
1196    );
1197    if let Some(earliest) = earliest {
1198        response.headers_mut().insert(
1199            "x-mongreldb-earliest-epoch",
1200            earliest
1201                .to_string()
1202                .parse()
1203                .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?,
1204        );
1205    }
1206    Ok(())
1207}
1208
1209#[derive(serde::Deserialize)]
1210struct WalStreamParams {
1211    since: Option<u64>,
1212}
1213
1214/// `GET /events` — long-lived SSE for durable WAL-backed row changes plus
1215/// ephemeral SQL NOTIFY messages. `Last-Event-ID` resumes from a stable
1216/// `<commit_epoch>:<operation_index>` id. A retention gap returns 409 before
1217/// the stream starts, or a terminal `gap` SSE if the client falls behind.
1218async fn events_stream(
1219    axum::extract::State(state): axum::extract::State<Arc<AppState>>,
1220    OptionalPrincipal(principal): OptionalPrincipal,
1221    headers: axum::http::HeaderMap,
1222) -> Result<Response, StatusCode> {
1223    use axum::response::sse::{Event, KeepAlive, Sse};
1224    use futures::Stream;
1225    use std::collections::VecDeque;
1226    use std::convert::Infallible;
1227
1228    state
1229        .db
1230        .require_for(
1231            request_principal(&state, &principal).as_ref(),
1232            &mongreldb_core::Permission::Admin,
1233        )
1234        .map_err(|error| status_for_error(&error))?;
1235
1236    struct State {
1237        db: Arc<Database>,
1238        receiver: tokio::sync::broadcast::Receiver<mongreldb_core::ChangeEvent>,
1239        change_wake: tokio::sync::broadcast::Receiver<()>,
1240        interval: tokio::time::Interval,
1241        pending: VecDeque<mongreldb_core::ChangeEvent>,
1242        last_id: Option<String>,
1243        poll_now: bool,
1244        done: bool,
1245    }
1246
1247    fn event(change: mongreldb_core::ChangeEvent) -> Event {
1248        let id = change.id.clone();
1249        let kind = if change.op == "notify" {
1250            "notify"
1251        } else {
1252            "change"
1253        };
1254        let mut event = Event::default().event(kind).data(
1255            serde_json::to_string(&change)
1256                .unwrap_or_else(|error| format!(r#"{{"error":"{error}"}}"#)),
1257        );
1258        if let Some(id) = id {
1259            event = event.id(id);
1260        }
1261        event
1262    }
1263
1264    let last_id = match headers.get("last-event-id") {
1265        Some(value) => Some(
1266            value
1267                .to_str()
1268                .map_err(|_| StatusCode::BAD_REQUEST)?
1269                .to_owned(),
1270        ),
1271        None => None,
1272    };
1273    let receiver = state.db.subscribe_changes();
1274    let change_wake = state.db.subscribe_change_commits();
1275    let db = Arc::clone(&state.db);
1276    let resume = last_id.clone();
1277    let initial = tokio::task::spawn_blocking(move || db.change_events_since(resume.as_deref()))
1278        .await
1279        .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?
1280        .map_err(|error| match error {
1281            mongreldb_core::MongrelError::InvalidArgument(_) => StatusCode::BAD_REQUEST,
1282            _ => StatusCode::INTERNAL_SERVER_ERROR,
1283        })?;
1284    if initial.gap {
1285        return Ok((
1286            StatusCode::CONFLICT,
1287            Json(json!({
1288                "error": "cdc retention gap",
1289                "earliest_epoch": initial.earliest_epoch,
1290                "current_epoch": initial.current_epoch,
1291            })),
1292        )
1293            .into_response());
1294    }
1295
1296    let stream: std::pin::Pin<Box<dyn Stream<Item = Result<Event, Infallible>> + Send>> = Box::pin(
1297        futures::stream::unfold(
1298            State {
1299                db: Arc::clone(&state.db),
1300                receiver,
1301                change_wake,
1302                interval: tokio::time::interval(std::time::Duration::from_millis(250)),
1303                pending: initial.events.into(),
1304                last_id,
1305                poll_now: false,
1306                done: false,
1307            },
1308            |mut stream| async move {
1309                if stream.done {
1310                    return None;
1311                }
1312                loop {
1313                    if stream.poll_now {
1314                        stream.poll_now = false;
1315                        let db = Arc::clone(&stream.db);
1316                        let last_id = stream.last_id.clone();
1317                        match tokio::task::spawn_blocking(move || {
1318                            db.change_events_since(last_id.as_deref())
1319                        })
1320                        .await
1321                        {
1322                            Ok(Ok(batch)) if batch.gap => {
1323                                stream.done = true;
1324                                let gap = Event::default().event("gap").data(
1325                                    json!({
1326                                        "error": "cdc retention gap",
1327                                        "earliest_epoch": batch.earliest_epoch,
1328                                        "current_epoch": batch.current_epoch,
1329                                    })
1330                                    .to_string(),
1331                                );
1332                                return Some((Ok(gap), stream));
1333                            }
1334                            Ok(Ok(batch)) => stream.pending.extend(batch.events),
1335                            Ok(Err(error)) => {
1336                                stream.done = true;
1337                                return Some((
1338                                    Ok(Event::default().event("error").data(error.to_string())),
1339                                    stream,
1340                                ));
1341                            }
1342                            Err(error) => {
1343                                stream.done = true;
1344                                return Some((
1345                                    Ok(Event::default().event("error").data(error.to_string())),
1346                                    stream,
1347                                ));
1348                            }
1349                        }
1350                    }
1351                    if let Some(change) = stream.pending.pop_front() {
1352                        if let Some(id) = &change.id {
1353                            stream.last_id = Some(id.clone());
1354                        }
1355                        return Some((Ok(event(change)), stream));
1356                    }
1357                    tokio::select! {
1358                        received = stream.receiver.recv() => {
1359                            match received {
1360                                Ok(change) => return Some((Ok(event(change)), stream)),
1361                                Err(tokio::sync::broadcast::error::RecvError::Lagged(_)) => {},
1362                                Err(tokio::sync::broadcast::error::RecvError::Closed) => {
1363                                    return None;
1364                                }
1365                            }
1366                        }
1367                        received = stream.change_wake.recv() => {
1368                            match received {
1369                                Ok(()) | Err(tokio::sync::broadcast::error::RecvError::Lagged(_)) => {
1370                                    stream.poll_now = true;
1371                                }
1372                                Err(tokio::sync::broadcast::error::RecvError::Closed) => {}
1373                            }
1374                        }
1375                        _ = stream.interval.tick() => {
1376                            stream.poll_now = true;
1377                        }
1378                    }
1379                }
1380            },
1381        ),
1382    );
1383
1384    Ok(Sse::new(stream)
1385        .keep_alive(
1386            KeepAlive::new()
1387                .interval(std::time::Duration::from_secs(15))
1388                .text("keep-alive"),
1389        )
1390        .into_response())
1391}
1392
1393/// Launch the §5.9 background auto-compaction sweep (run-count cost trigger).
1394/// One OS thread, sleeping `interval` between sweeps; each tick locks each
1395/// table individually and calls `Table::maybe_compact`. Best-effort: a
1396/// compaction error is logged and never aborts the sweep.
1397pub fn spawn_auto_compactor(db: Arc<Database>) {
1398    if let Err(error) = std::thread::Builder::new()
1399        .name("mongreldb-auto-compact".into())
1400        .spawn(move || loop {
1401            std::thread::sleep(std::time::Duration::from_secs(30));
1402            for name in db.table_names() {
1403                let Ok(handle) = db.table(&name) else {
1404                    continue;
1405                };
1406                let mut t = handle.lock();
1407                let before = t.run_count();
1408                match t.maybe_compact() {
1409                    Ok(true) => {
1410                        eprintln!(
1411                            "[auto-compact] {name}: {} runs -> {}",
1412                            before,
1413                            t.run_count()
1414                        );
1415                    }
1416                    Ok(false) => {}
1417                    Err(e) => {
1418                        eprintln!("[auto-compact] {name}: compaction failed: {e}");
1419                    }
1420                }
1421            }
1422        })
1423    {
1424        eprintln!("[auto-compact] failed to start background thread: {error}");
1425    }
1426}
1427
1428async fn health() -> StatusCode {
1429    StatusCode::OK
1430}
1431
1432#[derive(Debug, Serialize)]
1433struct SqlCancellationCapabilities {
1434    version: u8,
1435    client_query_ids: bool,
1436    cancel_endpoint: bool,
1437    query_status: bool,
1438    pre_registration_cancel: bool,
1439    stream_disconnect_cancels: bool,
1440}
1441
1442#[derive(Debug, Serialize)]
1443struct SqlIdempotencyCapabilities {
1444    version: u8,
1445    durable_pre_execution_intent: bool,
1446    replay_committed_receipt: bool,
1447    indeterminate_never_reexecutes: bool,
1448}
1449
1450#[derive(Debug, Serialize)]
1451struct SqlPaginationCapabilities {
1452    version: u8,
1453    continuation_endpoint: &'static str,
1454    retained_snapshot: bool,
1455    projection_required: bool,
1456    byte_and_token_hints: bool,
1457}
1458
1459#[derive(Debug, Serialize)]
1460struct CapabilitiesResponse {
1461    sql_cancellation: SqlCancellationCapabilities,
1462    sql_idempotency: SqlIdempotencyCapabilities,
1463    sql_pagination: SqlPaginationCapabilities,
1464}
1465
1466async fn capabilities() -> Json<CapabilitiesResponse> {
1467    Json(CapabilitiesResponse {
1468        sql_cancellation: SqlCancellationCapabilities {
1469            version: 2,
1470            client_query_ids: true,
1471            cancel_endpoint: true,
1472            query_status: true,
1473            pre_registration_cancel: true,
1474            stream_disconnect_cancels: true,
1475        },
1476        sql_idempotency: SqlIdempotencyCapabilities {
1477            version: 1,
1478            durable_pre_execution_intent: true,
1479            replay_committed_receipt: true,
1480            indeterminate_never_reexecutes: true,
1481        },
1482        sql_pagination: SqlPaginationCapabilities {
1483            version: 1,
1484            continuation_endpoint: "/sql/continue",
1485            retained_snapshot: true,
1486            projection_required: true,
1487            byte_and_token_hints: true,
1488        },
1489    })
1490}
1491
1492async fn build_info() -> Json<mongreldb_query::BuildInfo> {
1493    Json(mongreldb_query::build_info())
1494}
1495
1496#[derive(Debug, Deserialize)]
1497struct HistoryRetentionRequest {
1498    #[serde(default)]
1499    history_retention_epochs: serde_json::Value,
1500}
1501
1502#[derive(Debug, Serialize)]
1503struct HistoryRetentionResponse {
1504    history_retention_epochs: u64,
1505    earliest_retained_epoch: u64,
1506}
1507
1508fn history_retention_response(db: &Database) -> HistoryRetentionResponse {
1509    HistoryRetentionResponse {
1510        history_retention_epochs: db.history_retention_epochs(),
1511        earliest_retained_epoch: db.earliest_retained_epoch().0,
1512    }
1513}
1514
1515/// `GET /history/retention` — inspect the durable MVCC history window.
1516async fn history_retention(
1517    State(state): State<Arc<AppState>>,
1518    OptionalPrincipal(principal): OptionalPrincipal,
1519) -> Response {
1520    if let Err(error) = state.db.require_for(
1521        request_principal(&state, &principal).as_ref(),
1522        &mongreldb_core::Permission::Admin,
1523    ) {
1524        return (status_for_error(&error), error.to_string()).into_response();
1525    }
1526    Json(history_retention_response(&state.db)).into_response()
1527}
1528
1529/// `PUT /history/retention` — set the durable MVCC history window.
1530async fn set_history_retention(
1531    State(state): State<Arc<AppState>>,
1532    OptionalPrincipal(principal): OptionalPrincipal,
1533    Json(request): Json<HistoryRetentionRequest>,
1534) -> Response {
1535    if let Err(error) = state.db.require_for(
1536        request_principal(&state, &principal).as_ref(),
1537        &mongreldb_core::Permission::Admin,
1538    ) {
1539        return (status_for_error(&error), error.to_string()).into_response();
1540    }
1541    let Some(epochs) = request.history_retention_epochs.as_u64() else {
1542        return (
1543            StatusCode::BAD_REQUEST,
1544            Json(json!({"error": "history_retention_epochs must be a u64"})),
1545        )
1546            .into_response();
1547    };
1548    match state.db.set_history_retention_epochs(epochs) {
1549        Ok(()) => Json(history_retention_response(&state.db)).into_response(),
1550        Err(error) => (status_for_error(&error), error.to_string()).into_response(),
1551    }
1552}
1553
1554/// `GET /audit` — recent security-audit events (auth + DDL/privilege) as a JSON
1555/// array, oldest-first. Subject to the same auth middleware as every other
1556/// route. This is a best-effort in-memory ring buffer, not a tamper-evident
1557/// log (see `audit` module docs).
1558async fn audit_handler(
1559    State(state): State<Arc<AppState>>,
1560    OptionalPrincipal(principal): OptionalPrincipal,
1561) -> Response {
1562    if let Err(error) = state.db.require_for(
1563        request_principal(&state, &principal).as_ref(),
1564        &mongreldb_core::Permission::Admin,
1565    ) {
1566        return (status_for_error(&error), error.to_string()).into_response();
1567    }
1568    let recent = state.audit.recent();
1569    Json(recent).into_response()
1570}
1571
1572/// Admin authorization shared by the `/admin/*` endpoints (same
1573/// `Permission::Admin` check the other operator routes use). Authorization
1574/// failures are audited with the principal and outcome, then mapped onto the
1575/// standard error status.
1576fn require_admin(
1577    state: &AppState,
1578    principal: &Option<mongreldb_core::Principal>,
1579    action: &str,
1580) -> Result<String, Box<Response>> {
1581    let owner = request_owner(state, principal);
1582    if let Err(error) = state.db.require_for(
1583        request_principal(state, principal).as_ref(),
1584        &mongreldb_core::Permission::Admin,
1585    ) {
1586        state
1587            .audit
1588            .record(owner, format!("{action}.fail"), "authorization failed");
1589        return Err(Box::new(
1590            (status_for_error(&error), error.to_string()).into_response(),
1591        ));
1592    }
1593    Ok(owner)
1594}
1595
1596/// Reject new writes while the server is draining or the storage core has
1597/// left `Open` (§10.7 graceful drain): every mutating HTTP surface — `/sql`
1598/// and `/sessions/*` gate on `accepting_sql` directly — checks this before
1599/// staging work, so a drain turns the whole write plane read-only before the
1600/// core closes. Returns the 503 response to emit, or `None` when writes are
1601/// admitted.
1602fn require_writes_open(state: &AppState) -> Option<Response> {
1603    if state.accepting_sql.load(Ordering::Acquire)
1604        && state.db.lifecycle_state() == mongreldb_core::LifecycleState::Open
1605    {
1606        return None;
1607    }
1608    Some(
1609        (
1610            StatusCode::SERVICE_UNAVAILABLE,
1611            "server is draining; writes are closed",
1612        )
1613            .into_response(),
1614    )
1615}
1616
1617/// Drain status JSON shared by `GET /admin/drain` and the `POST` response.
1618fn drain_status_json(state: &AppState) -> serde_json::Value {
1619    let record = state
1620        .drain
1621        .record
1622        .lock()
1623        .map(|record| record.clone())
1624        .unwrap_or_else(|poisoned| poisoned.into_inner().clone());
1625    json!({
1626        "lifecycle": state.db.lifecycle_state().to_string(),
1627        "accepting_sql": state.accepting_sql.load(Ordering::Acquire),
1628        "active_queries": state.query_registry.active_count(),
1629        "live_sessions": state.sessions.len(),
1630        "drain": record,
1631    })
1632}
1633
1634/// `GET /admin/drain` — lifecycle and graceful-drain status (§10.7):
1635/// the core lifecycle state, whether new SQL is admitted, in-flight query and
1636/// session counts, and the last drain initiation's outcome record.
1637async fn drain_status(
1638    State(state): State<Arc<AppState>>,
1639    OptionalPrincipal(principal): OptionalPrincipal,
1640) -> Response {
1641    if let Err(response) = require_admin(&state, &principal, "admin.drain_status") {
1642        return *response;
1643    }
1644    Json(drain_status_json(&state)).into_response()
1645}
1646
1647/// `POST /admin/drain` — initiate a graceful drain (§10.7): stop admitting
1648/// new SQL and sessions, cancel in-flight queries (`ServerShutdown`), close
1649/// sessions, then drive `DatabaseCore::shutdown` with the requested deadline
1650/// so in-flight commit-critical work finishes and durable state is synced
1651/// before the file lock is released. The deadline is configurable via the
1652/// optional `drain_deadline_ms` body field (default
1653/// `MONGRELDB_DRAIN_DEADLINE_MS`, else 30 s). A deadline overrun leaves the
1654/// core `Draining` (new operations stay rejected) and answers 409 — a later
1655/// call with a larger deadline resumes the shutdown. Draining is terminal:
1656/// there is no un-drain; restart the process to serve this database again.
1657async fn admin_drain(
1658    State(state): State<Arc<AppState>>,
1659    OptionalPrincipal(principal): OptionalPrincipal,
1660    body: Option<Json<DrainRequest>>,
1661) -> Response {
1662    let owner = match require_admin(&state, &principal, "admin.drain") {
1663        Ok(owner) => owner,
1664        Err(response) => return *response,
1665    };
1666    let deadline_ms = body
1667        .and_then(|Json(request)| request.drain_deadline_ms)
1668        .unwrap_or_else(default_drain_deadline_ms);
1669    if deadline_ms == 0 {
1670        return (
1671            StatusCode::BAD_REQUEST,
1672            Json(json!({"error": "drain_deadline_ms must be positive"})),
1673        )
1674            .into_response();
1675    }
1676    let _serialization = state.drain.lock.lock().await;
1677    if matches!(
1678        state.db.lifecycle_state(),
1679        mongreldb_core::LifecycleState::Closed
1680    ) {
1681        // Idempotent: a completed drain reports the current status again.
1682        return Json(drain_status_json(&state)).into_response();
1683    }
1684    state.audit.record(
1685        owner.clone(),
1686        "admin.drain",
1687        format!("initiated deadline_ms={deadline_ms}"),
1688    );
1689    let deadline = std::time::Duration::from_millis(deadline_ms);
1690    let started = std::time::Instant::now();
1691    // 1. Stop admitting new SQL/sessions (same gate the signal path uses).
1692    state.accepting_sql.store(false, Ordering::Release);
1693    // 2. Cancel non-commit-critical queries and wait out the cancel grace.
1694    state
1695        .query_registry
1696        .cancel_all(CancellationReason::ServerShutdown);
1697    let grace = state.reloadable.sql_cancel_grace.get().min(deadline);
1698    let grace_deadline = tokio::time::Instant::now() + grace;
1699    while state.query_registry.active_count() > 0 && tokio::time::Instant::now() < grace_deadline {
1700        tokio::time::sleep(std::time::Duration::from_millis(5)).await;
1701    }
1702    // 3. Close sessions (staged transactions roll back).
1703    state.sessions.close_all();
1704    // 4. Drain the storage core with the remaining deadline.
1705    let remaining = deadline.saturating_sub(started.elapsed());
1706    let core = state.db.core();
1707    let result = tokio::task::spawn_blocking(move || core.shutdown(remaining)).await;
1708    let lifecycle = state.db.lifecycle_state().to_string();
1709    let (completed, detail) = match &result {
1710        Ok(Ok(())) => (true, format!("drain completed; core {lifecycle}")),
1711        Ok(Err(error)) => (false, format!("drain incomplete: {error}")),
1712        Err(error) => (false, format!("drain task failed: {error}")),
1713    };
1714    if completed {
1715        state.audit.record(
1716            owner,
1717            "admin.drain.ok",
1718            format!("deadline_ms={deadline_ms} lifecycle={lifecycle}"),
1719        );
1720    } else {
1721        state.audit.record(
1722            owner,
1723            "admin.drain.fail",
1724            format!("deadline_ms={deadline_ms} {detail}"),
1725        );
1726    }
1727    if let Ok(mut record) = state.drain.record.lock() {
1728        record.initiated = true;
1729        record.completed = completed;
1730        record.deadline_ms = deadline_ms;
1731        record.lifecycle = lifecycle;
1732        record.detail = detail;
1733    }
1734    let status = drain_status_json(&state);
1735    if completed {
1736        Json(status).into_response()
1737    } else {
1738        // 409: the core remains Draining; a later call may resume.
1739        (StatusCode::CONFLICT, Json(status)).into_response()
1740    }
1741}
1742
1743#[derive(Deserialize)]
1744struct DrainRequest {
1745    #[serde(default)]
1746    drain_deadline_ms: Option<u64>,
1747}
1748
1749/// Default drain deadline: `MONGRELDB_DRAIN_DEADLINE_MS`, else 30 s (the same
1750/// default the embedded `Database::shutdown` uses).
1751fn default_drain_deadline_ms() -> u64 {
1752    positive_env_u64("MONGRELDB_DRAIN_DEADLINE_MS", 30_000)
1753}
1754
1755/// `POST /admin/reload` — re-read the mutable subset of server configuration
1756/// and apply it live (§10.7 configuration reload). With an empty/absent body
1757/// every value is re-read from the environment; present body fields override
1758/// the environment field-by-field. Reloadable: slow-query threshold
1759/// (`MONGRELBL_SLOW_QUERY_MS`), SQL default/max timeout
1760/// (`MONGRELDB_SQL_DEFAULT_TIMEOUT_MS` / `MONGRELDB_SQL_MAX_TIMEOUT_MS`), SQL
1761/// cancel grace (`MONGRELDB_SQL_CANCEL_GRACE_MS`), SQL output ceilings
1762/// (`MONGRELDB_SQL_MAX_OUTPUT_ROWS` / `MONGRELDB_SQL_MAX_OUTPUT_BYTES`), and
1763/// history retention (`MONGRELDB_HISTORY_RETENTION_EPOCHS`, re-applied to the
1764/// core). All other configuration is static node configuration (§16.1) and
1765/// stays restart-only. SIGHUP triggers the same apply path.
1766async fn admin_reload(
1767    State(state): State<Arc<AppState>>,
1768    OptionalPrincipal(principal): OptionalPrincipal,
1769    body: Option<Json<MutableConfigOverrides>>,
1770) -> Response {
1771    let owner = match require_admin(&state, &principal, "admin.reload") {
1772        Ok(owner) => owner,
1773        Err(response) => return *response,
1774    };
1775    let mut values = mutable_config_from_env();
1776    if let Some(Json(overrides)) = body {
1777        if let Err(message) = values.apply_overrides(&overrides) {
1778            return (StatusCode::BAD_REQUEST, Json(json!({ "error": message }))).into_response();
1779        }
1780    }
1781    match apply_mutable_config(&state.reloadable, &state.db, &values) {
1782        Ok(report) => {
1783            state.audit.record(
1784                owner,
1785                "admin.reload.ok",
1786                "slow_query_ms sql_default_timeout_ms sql_max_timeout_ms sql_cancel_grace_ms sql_max_output_rows sql_max_output_bytes history_retention_epochs",
1787            );
1788            Json(json!({ "reloaded": true, "applied": report })).into_response()
1789        }
1790        Err(error) => {
1791            state
1792                .audit
1793                .record(owner, "admin.reload.fail", error.to_string());
1794            (status_for_error(&error), error.to_string()).into_response()
1795        }
1796    }
1797}
1798
1799/// Default max live sessions when `--max-sessions` is not given.
1800fn default_max_sessions() -> usize {
1801    std::env::var("MONGRELBL_MAX_SESSIONS")
1802        .ok()
1803        .and_then(|v| v.parse().ok())
1804        .unwrap_or(256)
1805}
1806
1807/// Default idle-session timeout when `--session-idle-timeout` is not given.
1808fn default_session_idle_timeout() -> std::time::Duration {
1809    std::time::Duration::from_secs(
1810        std::env::var("MONGRELBL_SESSION_IDLE_TIMEOUT_SECS")
1811            .ok()
1812            .and_then(|v| v.parse().ok())
1813            .unwrap_or(300),
1814    )
1815}
1816
1817fn default_replication_wal_segments() -> usize {
1818    let replication = std::env::var("MONGRELDB_REPLICATION_WAL_SEGMENTS")
1819        .ok()
1820        .and_then(|value| value.parse().ok())
1821        .unwrap_or(16);
1822    let cdc = std::env::var("MONGRELDB_CDC_WAL_SEGMENTS")
1823        .ok()
1824        .and_then(|value| value.parse().ok())
1825        .unwrap_or(16);
1826    replication.max(cdc)
1827}
1828
1829fn default_history_retention_epochs() -> u64 {
1830    std::env::var("MONGRELDB_HISTORY_RETENTION_EPOCHS")
1831        .ok()
1832        .and_then(|value| value.parse().ok())
1833        .unwrap_or(1024)
1834}
1835
1836fn default_ai_max_concurrent() -> usize {
1837    std::env::var("MONGRELDB_AI_MAX_CONCURRENT")
1838        .ok()
1839        .and_then(|value| value.parse().ok())
1840        .filter(|value| *value > 0)
1841        .unwrap_or(4)
1842}
1843
1844fn positive_env_u64(name: &str, default: u64) -> u64 {
1845    std::env::var(name)
1846        .ok()
1847        .and_then(|value| value.parse().ok())
1848        .filter(|value| *value > 0)
1849        .unwrap_or(default)
1850}
1851
1852fn positive_env_usize(name: &str, default: usize) -> usize {
1853    std::env::var(name)
1854        .ok()
1855        .and_then(|value| value.parse().ok())
1856        .filter(|value| *value > 0)
1857        .unwrap_or(default)
1858}
1859
1860fn default_sql_default_timeout() -> std::time::Duration {
1861    std::time::Duration::from_millis(positive_env_u64("MONGRELDB_SQL_DEFAULT_TIMEOUT_MS", 30_000))
1862}
1863
1864fn default_sql_max_timeout() -> std::time::Duration {
1865    std::time::Duration::from_millis(positive_env_u64("MONGRELDB_SQL_MAX_TIMEOUT_MS", 300_000))
1866}
1867
1868fn default_sql_max_concurrent() -> usize {
1869    positive_env_usize(
1870        "MONGRELDB_SQL_MAX_CONCURRENT",
1871        std::thread::available_parallelism()
1872            .map(usize::from)
1873            .unwrap_or(4),
1874    )
1875}
1876
1877fn default_sql_max_active_queries() -> usize {
1878    positive_env_usize("MONGRELDB_SQL_MAX_ACTIVE_QUERIES", 1_024)
1879}
1880
1881fn default_sql_page_max_concurrent() -> usize {
1882    positive_env_usize("MONGRELDB_SQL_PAGE_MAX_CONCURRENT", 16)
1883}
1884
1885fn default_sql_page_default_timeout() -> std::time::Duration {
1886    std::time::Duration::from_millis(positive_env_u64(
1887        "MONGRELDB_SQL_PAGE_DEFAULT_TIMEOUT_MS",
1888        5_000,
1889    ))
1890}
1891
1892fn default_sql_page_max_timeout() -> std::time::Duration {
1893    std::time::Duration::from_millis(positive_env_u64(
1894        "MONGRELDB_SQL_PAGE_MAX_TIMEOUT_MS",
1895        30_000,
1896    ))
1897}
1898
1899fn default_sql_finished_query_ttl() -> std::time::Duration {
1900    std::time::Duration::from_secs(positive_env_u64(
1901        "MONGRELDB_SQL_FINISHED_QUERY_TTL_SECS",
1902        60,
1903    ))
1904}
1905
1906fn default_sql_finished_detail_max_entries() -> usize {
1907    positive_env_usize("MONGRELDB_SQL_FINISHED_DETAIL_MAX_ENTRIES", 2_048)
1908}
1909
1910fn default_sql_finished_detail_max_bytes() -> usize {
1911    positive_env_usize("MONGRELDB_SQL_FINISHED_DETAIL_MAX_BYTES", 8 * 1024 * 1024)
1912}
1913
1914fn default_sql_finished_compact_max_entries() -> usize {
1915    positive_env_usize("MONGRELDB_SQL_FINISHED_COMPACT_MAX_ENTRIES", 100_000)
1916}
1917
1918fn default_sql_finished_compact_max_bytes() -> usize {
1919    positive_env_usize("MONGRELDB_SQL_FINISHED_COMPACT_MAX_BYTES", 32 * 1024 * 1024)
1920}
1921
1922fn default_sql_pre_cancel_ttl() -> std::time::Duration {
1923    std::time::Duration::from_millis(positive_env_u64("MONGRELDB_SQL_PRE_CANCEL_TTL_MS", 15_000))
1924}
1925
1926fn default_sql_pre_cancel_max_entries() -> usize {
1927    positive_env_usize("MONGRELDB_SQL_PRE_CANCEL_MAX_ENTRIES", 2_048)
1928}
1929
1930fn default_sql_pre_cancel_max_bytes() -> usize {
1931    positive_env_usize("MONGRELDB_SQL_PRE_CANCEL_MAX_BYTES", 1024 * 1024)
1932}
1933
1934fn default_sql_pre_cancel_max_entries_per_owner() -> usize {
1935    positive_env_usize("MONGRELDB_SQL_PRE_CANCEL_MAX_PER_OWNER", 256)
1936}
1937
1938fn default_sql_pre_cancel_rate_window() -> std::time::Duration {
1939    std::time::Duration::from_millis(positive_env_u64(
1940        "MONGRELDB_SQL_PRE_CANCEL_RATE_WINDOW_MS",
1941        1_000,
1942    ))
1943}
1944
1945fn default_sql_pre_cancel_rate_per_owner() -> usize {
1946    positive_env_usize("MONGRELDB_SQL_PRE_CANCEL_RATE_PER_OWNER", 256)
1947}
1948
1949pub(crate) fn default_sql_idempotency_ttl() -> std::time::Duration {
1950    std::time::Duration::from_secs(positive_env_u64(
1951        "MONGRELDB_SQL_IDEMPOTENCY_TTL_SECS",
1952        86_400,
1953    ))
1954}
1955
1956pub(crate) fn default_sql_idempotency_max_entries() -> usize {
1957    positive_env_usize("MONGRELDB_SQL_IDEMPOTENCY_MAX_ENTRIES", 4_096)
1958}
1959
1960fn default_sql_page_ttl() -> std::time::Duration {
1961    std::time::Duration::from_secs(positive_env_u64("MONGRELDB_SQL_PAGE_TTL_SECS", 60))
1962}
1963
1964fn default_sql_page_max_entries() -> usize {
1965    positive_env_usize("MONGRELDB_SQL_PAGE_MAX_ENTRIES", 128)
1966}
1967
1968fn default_sql_page_max_bytes() -> usize {
1969    positive_env_usize("MONGRELDB_SQL_PAGE_MAX_RETAINED_BYTES", 128 * 1024 * 1024)
1970}
1971
1972fn default_sql_page_max_entries_per_owner() -> usize {
1973    positive_env_usize("MONGRELDB_SQL_PAGE_MAX_PER_OWNER", 16)
1974}
1975
1976fn default_sql_cancel_grace() -> std::time::Duration {
1977    std::time::Duration::from_millis(positive_env_u64("MONGRELDB_SQL_CANCEL_GRACE_MS", 1_000))
1978}
1979
1980fn default_sql_max_output_bytes() -> usize {
1981    positive_env_usize("MONGRELDB_SQL_MAX_OUTPUT_BYTES", 64 * 1024 * 1024)
1982}
1983
1984fn default_sql_max_output_rows() -> usize {
1985    positive_env_usize("MONGRELDB_SQL_MAX_OUTPUT_ROWS", 1_000_000)
1986}
1987
1988/// Maximum accepted HTTP request body in bytes (S1D-007 request-bytes
1989/// bound). Defaults to 2 MiB, matching axum's built-in `DefaultBodyLimit`
1990/// that previously applied implicitly.
1991fn default_max_request_bytes() -> usize {
1992    positive_env_usize("MONGRELDB_MAX_REQUEST_BYTES", 2 * 1024 * 1024)
1993}
1994
1995/// Stable request ownership. Usernames and the literal bearer token are never
1996/// ownership keys, so replacement credentials cannot inherit live resources.
1997fn request_owner(state: &AppState, principal: &Option<mongreldb_core::Principal>) -> String {
1998    if let Some(p) = principal {
1999        return format!("user:{}:{}", p.user_id, p.created_epoch);
2000    }
2001    if let Some(token) = state.auth_token.as_deref() {
2002        let mut digest = sha2::Sha256::new();
2003        digest.update(b"mongreldb-server-bearer-owner-v1\0");
2004        digest.update((token.len() as u64).to_le_bytes());
2005        digest.update(token.as_bytes());
2006        return format!("bearer:{}", sql_idempotency::hex(&digest.finalize()));
2007    }
2008    if state.user_auth || state.db.require_auth_enabled() {
2009        return "unauthenticated".into();
2010    }
2011    "anonymous".into()
2012}
2013
2014fn request_principal(
2015    state: &AppState,
2016    principal: &Option<mongreldb_core::Principal>,
2017) -> Option<mongreldb_core::Principal> {
2018    if let Some(principal) = principal {
2019        return state
2020            .db
2021            .resolve_current_principal(principal)
2022            .or_else(|| Some(principal.clone()));
2023    }
2024    state.auth_token.as_ref().and_then(|_| {
2025        if state.db.require_auth_enabled() {
2026            return state
2027                .db
2028                .principal_snapshot()
2029                .and_then(|principal| state.db.resolve_current_principal(&principal))
2030                .filter(|principal| principal.is_admin);
2031        }
2032        Some(mongreldb_core::Principal {
2033            user_id: 0,
2034            created_epoch: 0,
2035            username: "token".into(),
2036            is_admin: true,
2037            roles: Vec::new(),
2038            permissions: Vec::new(),
2039        })
2040    })
2041}
2042
2043fn current_request_principal(
2044    state: &AppState,
2045    principal: &Option<mongreldb_core::Principal>,
2046) -> Option<mongreldb_core::Principal> {
2047    if let Some(principal) = principal {
2048        return state.db.resolve_current_principal(principal);
2049    }
2050    request_principal(state, principal)
2051}
2052
2053fn request_identity_is_current(
2054    state: &AppState,
2055    principal: &Option<mongreldb_core::Principal>,
2056) -> bool {
2057    if principal.is_some() || state.auth_token.is_some() {
2058        return current_request_principal(state, principal).is_some();
2059    }
2060    !state.user_auth && !state.db.require_auth_enabled()
2061}
2062
2063/// Map the request's authentication onto the canonical
2064/// [`mongreldb_protocol::request::AuthenticatedIdentity`] carried by the
2065/// S1D-004 session record. Only catalog-authenticated users (HTTP Basic) pin
2066/// a `CatalogUser` identity; bearer-token and credentialless requests carry
2067/// no catalog identity. `ServicePrincipal` is never minted for external
2068/// requests.
2069fn protocol_identity(
2070    principal: &Option<mongreldb_core::Principal>,
2071) -> mongreldb_protocol::request::AuthenticatedIdentity {
2072    match principal {
2073        Some(principal) => mongreldb_protocol::request::AuthenticatedIdentity::CatalogUser {
2074            username: principal.username.clone(),
2075            user_id: principal.user_id,
2076            created_version: principal.created_epoch,
2077        },
2078        None => mongreldb_protocol::request::AuthenticatedIdentity::Credentialless,
2079    }
2080}
2081
2082/// `POST /sessions` — open a long-lived session for cross-request interactive
2083/// transactions. Returns `{"session_id": "..."}`; send `X-Session-ID: <token>`
2084/// on subsequent `/sql` requests to route to it. The session is owned by the
2085/// authenticated principal and auto-expires after the idle timeout.
2086async fn create_session(
2087    State(state): State<Arc<AppState>>,
2088    OptionalPrincipal(principal): OptionalPrincipal,
2089) -> Response {
2090    if !state.accepting_sql.load(Ordering::Acquire) {
2091        return (StatusCode::SERVICE_UNAVAILABLE, "server is shutting down").into_response();
2092    }
2093    if !request_identity_is_current(&state, &principal) {
2094        return StatusCode::UNAUTHORIZED.into_response();
2095    }
2096    let owner = request_owner(&state, &principal);
2097    let session = match MongrelSession::open_with_external_modules_as(
2098        Arc::clone(&state.db),
2099        state.external_modules.iter().cloned(),
2100        request_principal(&state, &principal),
2101    ) {
2102        Ok(session) => session.with_query_registry(Arc::clone(&state.query_registry)),
2103        Err(e) => return (status_for_query_error(&e), e.to_string()).into_response(),
2104    };
2105    match state
2106        .sessions
2107        .create_with_identity(session, owner.clone(), protocol_identity(&principal))
2108    {
2109        Some(token) => {
2110            state.audit.record(owner, "session.open", "session created");
2111            Json(json!({ "session_id": token })).into_response()
2112        }
2113        None => (
2114            StatusCode::SERVICE_UNAVAILABLE,
2115            "session limit reached; close an idle session or raise --max-sessions",
2116        )
2117            .into_response(),
2118    }
2119}
2120
2121/// `DELETE /sessions/{id}` — close a session, discarding any open (staged but
2122/// uncommitted) transaction. Only the owning principal may close it.
2123async fn close_session(
2124    State(state): State<Arc<AppState>>,
2125    OptionalPrincipal(principal): OptionalPrincipal,
2126    Path(id): Path<String>,
2127) -> Response {
2128    if !request_identity_is_current(&state, &principal) {
2129        return StatusCode::NOT_FOUND.into_response();
2130    }
2131    let owner = request_owner(&state, &principal);
2132    if let Some(entry) = state.sessions.take_for_close(&id, &owner) {
2133        entry
2134            .session()
2135            .query_registry()
2136            .cancel_session(&id, CancellationReason::SessionClosed);
2137        let deadline = tokio::time::Instant::now() + state.reloadable.sql_cancel_grace.get();
2138        while entry.session().query_registry().active_for_session(&id) > 0
2139            && tokio::time::Instant::now() < deadline
2140        {
2141            tokio::time::sleep(std::time::Duration::from_millis(5)).await;
2142        }
2143        state.audit.record(owner, "session.close", "session closed");
2144        StatusCode::OK.into_response()
2145    } else {
2146        (
2147            StatusCode::NOT_FOUND,
2148            "session not found or not owned by caller",
2149        )
2150            .into_response()
2151    }
2152}
2153
2154/// Choose a buffered response serialization: `"arrow"` (IPC file) or JSON.
2155/// Streaming IPC is dispatched before query collection.
2156async fn dispatch_buffered_sql_format(
2157    state: &AppState,
2158    format: Option<&str>,
2159    output: ManagedQueryBatches,
2160    query_id: QueryId,
2161    test_hook: Option<mongreldb_query::SqlTestHook>,
2162    output_limits: (usize, usize),
2163) -> Response {
2164    let format = format.unwrap_or("json").to_owned();
2165    let (max_rows, max_bytes) = output_limits;
2166    // Keep the lifecycle guard outside the worker. If the worker panics, the
2167    // join-error path must record a serialization failure, not let dropping a
2168    // moved guard misclassify it as a client disconnect.
2169    let serialization_batches = output.batches().to_vec();
2170    let serialization_query = output.query().clone();
2171    let serialized = tokio::task::spawn_blocking(move || {
2172        serialize_buffered_output(
2173            &format,
2174            &serialization_batches,
2175            &serialization_query,
2176            max_rows,
2177            max_bytes,
2178            test_hook.as_ref(),
2179        )
2180    })
2181    .await;
2182    let result = match serialized {
2183        Ok(result) => result,
2184        Err(error) => {
2185            output
2186                .query()
2187                .record_serialization_failure("SERIALIZATION_WORKER_FAILED");
2188            output.fail();
2189            state.metrics.inc_sql_errors();
2190            return terminal_server_error_response(
2191                state,
2192                query_id,
2193                StatusCode::INTERNAL_SERVER_ERROR,
2194                "SERIALIZATION_WORKER_FAILED",
2195                error.to_string(),
2196            );
2197        }
2198    };
2199    match result {
2200        Ok(serialized) => {
2201            if let Err(error) = output.try_complete() {
2202                state.metrics.inc_sql_errors();
2203                return tracked_query_error_response(state, &error, Some(query_id));
2204            }
2205            state.metrics.add_sql_output_bytes(serialized.bytes.len());
2206            let content_type = if serialized.arrow {
2207                "application/vnd.apache.arrow.file"
2208            } else {
2209                "application/json"
2210            };
2211            with_query_id(
2212                ([(header::CONTENT_TYPE, content_type)], serialized.bytes).into_response(),
2213                query_id,
2214            )
2215        }
2216        Err(BufferedSerializationError::Query(error)) => {
2217            output.fail();
2218            state.metrics.inc_sql_errors();
2219            tracked_query_error_response(state, &error, Some(query_id))
2220        }
2221        Err(BufferedSerializationError::Limit(message)) => {
2222            output.fail_result_limit();
2223            state.metrics.inc_sql_errors();
2224            terminal_server_error_response(
2225                state,
2226                query_id,
2227                StatusCode::PAYLOAD_TOO_LARGE,
2228                "RESULT_LIMIT_EXCEEDED",
2229                message,
2230            )
2231        }
2232        Err(BufferedSerializationError::Encoding(message)) => {
2233            output.fail_serialization();
2234            state.metrics.inc_sql_errors();
2235            terminal_server_error_response(
2236                state,
2237                query_id,
2238                StatusCode::INTERNAL_SERVER_ERROR,
2239                "SERIALIZATION_FAILED",
2240                message,
2241            )
2242        }
2243    }
2244}
2245
2246#[derive(Debug)]
2247enum PaginatedSerializationError {
2248    Query(mongreldb_query::MongrelQueryError),
2249    Limit(String),
2250    Projection(String),
2251    Encoding(String),
2252}
2253
2254struct SerializedPageRows {
2255    rows: Vec<serde_json::Value>,
2256    retained_bytes: usize,
2257}
2258
2259struct PaginatedJsonReader<'a> {
2260    cursor: std::io::Cursor<&'a [u8]>,
2261    query: &'a RegisteredSqlQuery,
2262    test_hook: Option<&'a mongreldb_query::SqlTestHook>,
2263}
2264
2265impl std::io::Read for PaginatedJsonReader<'_> {
2266    fn read(&mut self, buffer: &mut [u8]) -> std::io::Result<usize> {
2267        if let Some(hook) = self.test_hook {
2268            hook(mongreldb_query::SqlTestHookPoint::DuringPaginationDeserialization);
2269        }
2270        self.query
2271            .checkpoint()
2272            .map_err(|error| std::io::Error::other(error.to_string()))?;
2273        // Bound work between cancellation checks even for one very large row.
2274        let length = buffer.len().min(64 * 1024);
2275        std::io::Read::read(&mut self.cursor, &mut buffer[..length])
2276    }
2277}
2278
2279const PAGINATED_VALUE_NODE_BYTES: usize = 64;
2280const PAGINATED_OBJECT_ENTRY_BYTES: usize = 128;
2281const PAGINATED_MEMORY_LIMIT_ERROR: &str = "SQL retained output memory limit exceeded";
2282
2283struct PaginatedDecodeBudget<'a> {
2284    used: usize,
2285    limit: usize,
2286    nodes: usize,
2287    exceeded: bool,
2288    query: &'a RegisteredSqlQuery,
2289    test_hook: Option<&'a mongreldb_query::SqlTestHook>,
2290}
2291
2292impl PaginatedDecodeBudget<'_> {
2293    fn begin_value<E: serde::de::Error>(&mut self) -> Result<(), E> {
2294        self.nodes = self.nodes.saturating_add(1);
2295        if self.nodes & 255 == 0 {
2296            if let Some(hook) = self.test_hook {
2297                hook(mongreldb_query::SqlTestHookPoint::DuringPaginationDeserialization);
2298            }
2299            self.query.checkpoint().map_err(E::custom)?;
2300        }
2301        self.charge::<E>(PAGINATED_VALUE_NODE_BYTES)
2302    }
2303
2304    fn charge<E: serde::de::Error>(&mut self, bytes: usize) -> Result<(), E> {
2305        let next = self.used.saturating_add(bytes);
2306        if next > self.limit {
2307            self.exceeded = true;
2308            return Err(E::custom(PAGINATED_MEMORY_LIMIT_ERROR));
2309        }
2310        self.used = next;
2311        Ok(())
2312    }
2313}
2314
2315struct BudgetedJsonValueSeed<'a, 'query> {
2316    budget: &'a mut PaginatedDecodeBudget<'query>,
2317}
2318
2319impl<'de> serde::de::DeserializeSeed<'de> for BudgetedJsonValueSeed<'_, '_> {
2320    type Value = serde_json::Value;
2321
2322    fn deserialize<D>(self, deserializer: D) -> Result<Self::Value, D::Error>
2323    where
2324        D: serde::Deserializer<'de>,
2325    {
2326        self.budget.begin_value::<D::Error>()?;
2327        deserializer.deserialize_any(BudgetedJsonValueVisitor {
2328            budget: self.budget,
2329        })
2330    }
2331}
2332
2333struct BudgetedJsonValueVisitor<'a, 'query> {
2334    budget: &'a mut PaginatedDecodeBudget<'query>,
2335}
2336
2337impl<'de> serde::de::Visitor<'de> for BudgetedJsonValueVisitor<'_, '_> {
2338    type Value = serde_json::Value;
2339
2340    fn expecting(&self, formatter: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
2341        formatter.write_str("a JSON value")
2342    }
2343
2344    fn visit_bool<E>(self, value: bool) -> Result<Self::Value, E> {
2345        Ok(serde_json::Value::Bool(value))
2346    }
2347
2348    fn visit_i64<E>(self, value: i64) -> Result<Self::Value, E> {
2349        Ok(serde_json::Value::Number(value.into()))
2350    }
2351
2352    fn visit_u64<E>(self, value: u64) -> Result<Self::Value, E> {
2353        Ok(serde_json::Value::Number(value.into()))
2354    }
2355
2356    fn visit_f64<E>(self, value: f64) -> Result<Self::Value, E>
2357    where
2358        E: serde::de::Error,
2359    {
2360        serde_json::Number::from_f64(value)
2361            .map(serde_json::Value::Number)
2362            .ok_or_else(|| E::custom("JSON number is not finite"))
2363    }
2364
2365    fn visit_str<E>(self, value: &str) -> Result<Self::Value, E>
2366    where
2367        E: serde::de::Error,
2368    {
2369        self.budget.charge::<E>(value.len())?;
2370        Ok(serde_json::Value::String(value.to_owned()))
2371    }
2372
2373    fn visit_borrowed_str<E>(self, value: &'de str) -> Result<Self::Value, E>
2374    where
2375        E: serde::de::Error,
2376    {
2377        self.visit_str(value)
2378    }
2379
2380    fn visit_string<E>(self, value: String) -> Result<Self::Value, E>
2381    where
2382        E: serde::de::Error,
2383    {
2384        self.budget.charge::<E>(value.capacity())?;
2385        Ok(serde_json::Value::String(value))
2386    }
2387
2388    fn visit_none<E>(self) -> Result<Self::Value, E> {
2389        Ok(serde_json::Value::Null)
2390    }
2391
2392    fn visit_unit<E>(self) -> Result<Self::Value, E> {
2393        Ok(serde_json::Value::Null)
2394    }
2395
2396    fn visit_some<D>(self, deserializer: D) -> Result<Self::Value, D::Error>
2397    where
2398        D: serde::Deserializer<'de>,
2399    {
2400        deserializer.deserialize_any(self)
2401    }
2402
2403    fn visit_newtype_struct<D>(self, deserializer: D) -> Result<Self::Value, D::Error>
2404    where
2405        D: serde::Deserializer<'de>,
2406    {
2407        deserializer.deserialize_any(self)
2408    }
2409
2410    fn visit_seq<A>(self, mut sequence: A) -> Result<Self::Value, A::Error>
2411    where
2412        A: serde::de::SeqAccess<'de>,
2413    {
2414        let mut values = Vec::new();
2415        while let Some(value) = sequence.next_element_seed(BudgetedJsonValueSeed {
2416            budget: self.budget,
2417        })? {
2418            values.push(value);
2419        }
2420        Ok(serde_json::Value::Array(values))
2421    }
2422
2423    fn visit_map<A>(self, mut map: A) -> Result<Self::Value, A::Error>
2424    where
2425        A: serde::de::MapAccess<'de>,
2426    {
2427        let mut values = serde_json::Map::new();
2428        while let Some(key) = map.next_key::<String>()? {
2429            self.budget
2430                .charge::<A::Error>(PAGINATED_OBJECT_ENTRY_BYTES.saturating_add(key.capacity()))?;
2431            let value = map.next_value_seed(BudgetedJsonValueSeed {
2432                budget: self.budget,
2433            })?;
2434            values.insert(key, value);
2435        }
2436        Ok(serde_json::Value::Object(values))
2437    }
2438}
2439
2440struct BudgetedJsonRowsSeed<'a, 'query> {
2441    budget: &'a mut PaginatedDecodeBudget<'query>,
2442}
2443
2444impl<'de> serde::de::DeserializeSeed<'de> for BudgetedJsonRowsSeed<'_, '_> {
2445    type Value = Vec<serde_json::Value>;
2446
2447    fn deserialize<D>(self, deserializer: D) -> Result<Self::Value, D::Error>
2448    where
2449        D: serde::Deserializer<'de>,
2450    {
2451        deserializer.deserialize_seq(BudgetedJsonRowsVisitor {
2452            budget: self.budget,
2453        })
2454    }
2455}
2456
2457struct BudgetedJsonRowsVisitor<'a, 'query> {
2458    budget: &'a mut PaginatedDecodeBudget<'query>,
2459}
2460
2461impl<'de> serde::de::Visitor<'de> for BudgetedJsonRowsVisitor<'_, '_> {
2462    type Value = Vec<serde_json::Value>;
2463
2464    fn expecting(&self, formatter: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
2465        formatter.write_str("a JSON array of SQL rows")
2466    }
2467
2468    fn visit_seq<A>(self, mut sequence: A) -> Result<Self::Value, A::Error>
2469    where
2470        A: serde::de::SeqAccess<'de>,
2471    {
2472        let mut rows = Vec::new();
2473        while let Some(row) = sequence.next_element_seed(BudgetedJsonValueSeed {
2474            budget: self.budget,
2475        })? {
2476            rows.push(row);
2477        }
2478        Ok(rows)
2479    }
2480}
2481
2482#[allow(clippy::too_many_arguments)]
2483async fn dispatch_paginated_sql(
2484    state: &AppState,
2485    output: ManagedQueryBatches,
2486    query_id: QueryId,
2487    owner: &str,
2488    pagination: ResolvedSqlPagination,
2489    output_limits: (usize, usize),
2490    test_hook: Option<mongreldb_query::SqlTestHook>,
2491    binding: sql_pages::SqlPageBinding,
2492) -> Response {
2493    let projection = pagination.projection;
2494    let serialization_projection = projection.clone();
2495    let serialization_batches = output.batches().to_vec();
2496    let serialization_query = output.query().clone();
2497    let response_test_hook = test_hook.clone();
2498    let retained_memory_limit = output_limits.1.min(state.sql_pages.max_retained_bytes());
2499    let serialized = tokio::task::spawn_blocking(move || {
2500        serialize_paginated_rows(
2501            &serialization_batches,
2502            &serialization_query,
2503            &serialization_projection,
2504            output_limits.0,
2505            output_limits.1,
2506            retained_memory_limit,
2507            test_hook.as_ref(),
2508        )
2509    })
2510    .await;
2511    let serialized = match serialized {
2512        Ok(result) => result,
2513        Err(error) => {
2514            output
2515                .query()
2516                .record_serialization_failure("SERIALIZATION_WORKER_FAILED");
2517            output.fail();
2518            state.metrics.inc_sql_errors();
2519            return terminal_server_error_response(
2520                state,
2521                query_id,
2522                StatusCode::INTERNAL_SERVER_ERROR,
2523                "SERIALIZATION_WORKER_FAILED",
2524                error.to_string(),
2525            );
2526        }
2527    };
2528    let serialized = match serialized {
2529        Ok(serialized) => serialized,
2530        Err(PaginatedSerializationError::Query(error)) => {
2531            output.fail();
2532            state.metrics.inc_sql_errors();
2533            return tracked_query_error_response(state, &error, Some(query_id));
2534        }
2535        Err(PaginatedSerializationError::Limit(message)) => {
2536            output.fail_result_limit();
2537            state.metrics.inc_sql_errors();
2538            return terminal_server_error_response(
2539                state,
2540                query_id,
2541                StatusCode::PAYLOAD_TOO_LARGE,
2542                "RESULT_LIMIT_EXCEEDED",
2543                message,
2544            );
2545        }
2546        Err(PaginatedSerializationError::Projection(message)) => {
2547            output.fail_with_error(
2548                "INVALID_SQL_PROJECTION",
2549                mongreldb_query::QueryTerminalErrorCategory::Execution,
2550            );
2551            state.metrics.inc_sql_errors();
2552            return terminal_server_error_response(
2553                state,
2554                query_id,
2555                StatusCode::BAD_REQUEST,
2556                "INVALID_SQL_PROJECTION",
2557                message,
2558            );
2559        }
2560        Err(PaginatedSerializationError::Encoding(message)) => {
2561            output.fail_serialization();
2562            state.metrics.inc_sql_errors();
2563            return terminal_server_error_response(
2564                state,
2565                query_id,
2566                StatusCode::INTERNAL_SERVER_ERROR,
2567                "SERIALIZATION_FAILED",
2568                message,
2569            );
2570        }
2571    };
2572    let retained_bytes = serialized.retained_bytes;
2573    let current_binding = sql_pages::SqlPageBinding {
2574        security_version: state.db.security_version(),
2575        catalog_epoch: state.db.catalog_snapshot().db_epoch,
2576    };
2577    if current_binding != binding {
2578        output.fail_with_error(
2579            "SQL_CURSOR_EXPIRED",
2580            mongreldb_query::QueryTerminalErrorCategory::Execution,
2581        );
2582        return with_query_id(
2583            sql_cursor_error_response(
2584                StatusCode::CONFLICT,
2585                "SQL_CURSOR_EXPIRED",
2586                "authorization or schema changed while retaining the SQL result",
2587                query_id,
2588            ),
2589            query_id,
2590        );
2591    }
2592    let retained = match state.sql_pages.insert(
2593        owner,
2594        serialized.rows,
2595        projection,
2596        pagination.limits,
2597        retained_bytes,
2598        binding,
2599    ) {
2600        Ok(retained) => retained,
2601        Err(sql_pages::InsertError::Full | sql_pages::InsertError::OwnerLimit) => {
2602            output.fail_with_error(
2603                "SQL_PAGE_STORE_FULL",
2604                mongreldb_query::QueryTerminalErrorCategory::Execution,
2605            );
2606            state.metrics.inc_sql_errors();
2607            return terminal_server_error_response(
2608                state,
2609                query_id,
2610                StatusCode::SERVICE_UNAVAILABLE,
2611                "SQL_PAGE_STORE_FULL",
2612                "retained SQL result capacity reached",
2613            );
2614        }
2615        Err(sql_pages::InsertError::EntropyUnavailable) => {
2616            output.fail_with_error(
2617                "ENTROPY_UNAVAILABLE",
2618                mongreldb_query::QueryTerminalErrorCategory::Execution,
2619            );
2620            state.metrics.inc_sql_errors();
2621            return terminal_server_error_response(
2622                state,
2623                query_id,
2624                StatusCode::INTERNAL_SERVER_ERROR,
2625                "ENTROPY_UNAVAILABLE",
2626                "OS CSPRNG unavailable",
2627            );
2628        }
2629    };
2630    let cursor_mac_key = match state.cursor_mac_key.get() {
2631        Ok(key) => key,
2632        Err(_) => {
2633            state.sql_pages.discard(&retained);
2634            output.fail_with_error(
2635                "ENTROPY_UNAVAILABLE",
2636                mongreldb_query::QueryTerminalErrorCategory::Execution,
2637            );
2638            state.metrics.inc_sql_errors();
2639            return terminal_server_error_response(
2640                state,
2641                query_id,
2642                StatusCode::INTERNAL_SERVER_ERROR,
2643                "ENTROPY_UNAVAILABLE",
2644                "OS CSPRNG unavailable",
2645            );
2646        }
2647    };
2648    let page = match sql_pages::SqlPageStore::first_page(&retained, &cursor_mac_key) {
2649        Ok(page) => page,
2650        Err(sql_pages::PageError::RowExceedsLimits) => {
2651            state.sql_pages.discard(&retained);
2652            output.fail_result_limit();
2653            state.metrics.inc_sql_errors();
2654            return terminal_server_error_response(
2655                state,
2656                query_id,
2657                StatusCode::PAYLOAD_TOO_LARGE,
2658                "RESULT_LIMIT_EXCEEDED",
2659                "one projected row exceeds the page byte or token limit",
2660            );
2661        }
2662        Err(sql_pages::PageError::OffsetInvalid) => {
2663            state.sql_pages.discard(&retained);
2664            output.fail_with_error(
2665                "INVALID_PAGE_OFFSET",
2666                mongreldb_query::QueryTerminalErrorCategory::Serialization,
2667            );
2668            state.metrics.inc_sql_errors();
2669            return terminal_server_error_response(
2670                state,
2671                query_id,
2672                StatusCode::INTERNAL_SERVER_ERROR,
2673                "INVALID_PAGE_OFFSET",
2674                "failed to create the first SQL result page",
2675            );
2676        }
2677        Err(sql_pages::PageError::Cancelled) => unreachable!("first-page rendering has no control"),
2678    };
2679    let discard_after_response = page.next_cursor.is_none();
2680    let page_byte_count = page.byte_count;
2681    // The first-page encode counts toward the request deadline (S1D-006):
2682    // the controlled writer checkpoints the query's `ExecutionControl`.
2683    let serialization_query = output.query().clone();
2684    let encoded_page = tokio::task::spawn_blocking(move || {
2685        serialize_sql_page_controlled(page, &serialization_query)
2686    })
2687    .await;
2688    let encoded_page = match encoded_page {
2689        Ok(Ok(encoded_page)) => encoded_page,
2690        Ok(Err(ControlledPageSerializationError::Query(error))) => {
2691            state.sql_pages.discard(&retained);
2692            output.fail();
2693            state.metrics.inc_sql_errors();
2694            return tracked_query_error_response(state, &error, Some(query_id));
2695        }
2696        Ok(Err(ControlledPageSerializationError::Encoding)) => {
2697            state.sql_pages.discard(&retained);
2698            output.fail_serialization();
2699            state.metrics.inc_sql_errors();
2700            return terminal_server_error_response(
2701                state,
2702                query_id,
2703                StatusCode::INTERNAL_SERVER_ERROR,
2704                "SERIALIZATION_FAILED",
2705                "failed to serialize the first SQL result page",
2706            );
2707        }
2708        Err(_) => {
2709            state.sql_pages.discard(&retained);
2710            output.fail_serialization();
2711            state.metrics.inc_sql_errors();
2712            return terminal_server_error_response(
2713                state,
2714                query_id,
2715                StatusCode::INTERNAL_SERVER_ERROR,
2716                "SERIALIZATION_WORKER_FAILED",
2717                "SQL page response serialization worker failed",
2718            );
2719        }
2720    };
2721    if let Some(hook) = response_test_hook {
2722        hook(mongreldb_query::SqlTestHookPoint::AfterPageResponseSerialization);
2723    }
2724    if let Err(error) = output.query().checkpoint() {
2725        state.sql_pages.discard(&retained);
2726        state.metrics.inc_sql_errors();
2727        return tracked_query_error_response(state, &error, Some(query_id));
2728    }
2729    if let Err(error) = output.try_complete() {
2730        state.sql_pages.discard(&retained);
2731        state.metrics.inc_sql_errors();
2732        return tracked_query_error_response(state, &error, Some(query_id));
2733    }
2734    if discard_after_response {
2735        state.sql_pages.discard(&retained);
2736    }
2737    state.metrics.add_sql_output_bytes(page_byte_count);
2738    with_query_id(sql_page_response(encoded_page), query_id)
2739}
2740
2741fn serialize_paginated_rows(
2742    batches: &[arrow::record_batch::RecordBatch],
2743    query: &RegisteredSqlQuery,
2744    projection: &[String],
2745    max_rows: usize,
2746    max_bytes: usize,
2747    retained_memory_limit: usize,
2748    test_hook: Option<&mongreldb_query::SqlTestHook>,
2749) -> Result<SerializedPageRows, PaginatedSerializationError> {
2750    const ROW_CHECKPOINT_INTERVAL: usize = 256;
2751    if batches.is_empty() {
2752        let retained_bytes = sql_pages::accounted_bytes(2, &[], projection, || query.checkpoint())
2753            .map_err(PaginatedSerializationError::Query)?;
2754        if retained_bytes > retained_memory_limit {
2755            return Err(PaginatedSerializationError::Limit(
2756                PAGINATED_MEMORY_LIMIT_ERROR.into(),
2757            ));
2758        }
2759        return Ok(SerializedPageRows {
2760            rows: Vec::new(),
2761            retained_bytes,
2762        });
2763    }
2764    let fields = batches[0].schema();
2765    let mut indices = Vec::with_capacity(projection.len());
2766    for name in projection {
2767        let matches: Vec<_> = fields
2768            .fields()
2769            .iter()
2770            .enumerate()
2771            .filter_map(|(index, field)| (field.name() == name).then_some(index))
2772            .collect();
2773        if matches.len() != 1 {
2774            return Err(PaginatedSerializationError::Projection(format!(
2775                "projected output column {name:?} is missing or ambiguous"
2776            )));
2777        }
2778        indices.push(matches[0]);
2779    }
2780
2781    let mut writer_output = LimitedOutput::new(max_bytes);
2782    let mut rows = 0usize;
2783    let encoding = (|| {
2784        let mut writer = arrow::json::writer::ArrayWriter::new(&mut writer_output);
2785        for batch in batches {
2786            let batch = batch.project(&indices).map_err(|error| error.to_string())?;
2787            for offset in (0..batch.num_rows()).step_by(ROW_CHECKPOINT_INTERVAL) {
2788                if let Some(hook) = test_hook {
2789                    hook(mongreldb_query::SqlTestHookPoint::BeforeSerializationBatch);
2790                }
2791                query.checkpoint().map_err(|error| error.to_string())?;
2792                let length = ROW_CHECKPOINT_INTERVAL.min(batch.num_rows() - offset);
2793                rows = rows.saturating_add(length);
2794                if rows > max_rows {
2795                    return Err("SQL retained output row limit exceeded".into());
2796                }
2797                let slice = batch.slice(offset, length);
2798                writer
2799                    .write_batches(&[&slice])
2800                    .map_err(|error| error.to_string())?;
2801            }
2802        }
2803        writer.finish().map_err(|error| error.to_string())
2804    })();
2805    if let Err(error) = encoding {
2806        if let Err(query_error) = query.checkpoint() {
2807            return Err(PaginatedSerializationError::Query(query_error));
2808        }
2809        if writer_output.exceeded || rows > max_rows {
2810            return Err(PaginatedSerializationError::Limit(error));
2811        }
2812        return Err(PaginatedSerializationError::Encoding(error));
2813    }
2814    let bytes = writer_output.bytes.len();
2815    let retained_base = sql_pages::accounted_bytes(bytes, &[], projection, || query.checkpoint())
2816        .map_err(PaginatedSerializationError::Query)?;
2817    if retained_base > retained_memory_limit {
2818        return Err(PaginatedSerializationError::Limit(
2819            PAGINATED_MEMORY_LIMIT_ERROR.into(),
2820        ));
2821    }
2822    let reader = PaginatedJsonReader {
2823        cursor: std::io::Cursor::new(writer_output.bytes.as_slice()),
2824        query,
2825        test_hook,
2826    };
2827    let mut deserializer =
2828        serde_json::Deserializer::from_reader(std::io::BufReader::with_capacity(64 * 1024, reader));
2829    let mut budget = PaginatedDecodeBudget {
2830        used: retained_base,
2831        limit: retained_memory_limit,
2832        nodes: 0,
2833        exceeded: false,
2834        query,
2835        test_hook,
2836    };
2837    let rows = match serde::de::DeserializeSeed::deserialize(
2838        BudgetedJsonRowsSeed {
2839            budget: &mut budget,
2840        },
2841        &mut deserializer,
2842    ) {
2843        Ok(rows) => {
2844            if let Err(error) = deserializer.end() {
2845                return Err(PaginatedSerializationError::Encoding(error.to_string()));
2846            }
2847            rows
2848        }
2849        Err(error) => {
2850            if let Err(query_error) = query.checkpoint() {
2851                return Err(PaginatedSerializationError::Query(query_error));
2852            }
2853            if budget.exceeded {
2854                return Err(PaginatedSerializationError::Limit(
2855                    PAGINATED_MEMORY_LIMIT_ERROR.into(),
2856                ));
2857            }
2858            return Err(PaginatedSerializationError::Encoding(error.to_string()));
2859        }
2860    };
2861    if let Some(hook) = test_hook {
2862        hook(mongreldb_query::SqlTestHookPoint::AfterSerialization);
2863    }
2864    let retained_bytes =
2865        sql_pages::accounted_bytes(bytes, &rows, projection, || query.checkpoint())
2866            .map_err(PaginatedSerializationError::Query)?;
2867    if retained_bytes > retained_memory_limit {
2868        return Err(PaginatedSerializationError::Limit(
2869            PAGINATED_MEMORY_LIMIT_ERROR.into(),
2870        ));
2871    }
2872    Ok(SerializedPageRows {
2873        rows,
2874        retained_bytes,
2875    })
2876}
2877
2878enum ControlledPageSerializationError {
2879    Query(mongreldb_query::MongrelQueryError),
2880    Encoding,
2881}
2882
2883struct ControlledPageWriter<'a> {
2884    bytes: Vec<u8>,
2885    query: &'a RegisteredSqlQuery,
2886}
2887
2888impl std::io::Write for ControlledPageWriter<'_> {
2889    fn write(&mut self, buffer: &[u8]) -> std::io::Result<usize> {
2890        self.query
2891            .checkpoint()
2892            .map_err(|error| std::io::Error::other(error.to_string()))?;
2893        self.bytes.extend_from_slice(buffer);
2894        Ok(buffer.len())
2895    }
2896
2897    fn flush(&mut self) -> std::io::Result<()> {
2898        Ok(())
2899    }
2900}
2901
2902fn serialize_sql_page_controlled(
2903    page: sql_pages::SqlPage,
2904    query: &RegisteredSqlQuery,
2905) -> Result<Vec<u8>, ControlledPageSerializationError> {
2906    query
2907        .checkpoint()
2908        .map_err(ControlledPageSerializationError::Query)?;
2909    let value = json!({
2910        "status": "completed",
2911        "rows": page.rows,
2912        "next_cursor": page.next_cursor,
2913        "page": {
2914            "offset": page.offset,
2915            "row_count": page.row_count,
2916            "total_rows": page.total_rows,
2917            "byte_count": page.byte_count,
2918            "estimated_tokens": page.estimated_tokens,
2919            "limits": page.limits,
2920            "projection": page.projection,
2921            "expires_at_ms": page.expires_at_ms,
2922            "snapshot": "retained_result",
2923            "token_estimate": "ceil(projected_json_bytes/4)",
2924        }
2925    });
2926    let mut writer = ControlledPageWriter {
2927        bytes: Vec::new(),
2928        query,
2929    };
2930    if let Err(error) = serde_json::to_writer(&mut writer, &value) {
2931        return match query.checkpoint() {
2932            Err(error) => Err(ControlledPageSerializationError::Query(error)),
2933            Ok(()) => {
2934                let _ = error;
2935                Err(ControlledPageSerializationError::Encoding)
2936            }
2937        };
2938    }
2939    query
2940        .checkpoint()
2941        .map_err(ControlledPageSerializationError::Query)?;
2942    Ok(writer.bytes)
2943}
2944
2945fn sql_page_response(body: Vec<u8>) -> Response {
2946    ([(header::CONTENT_TYPE, "application/json")], body).into_response()
2947}
2948
2949/// Validate a prepared-statement name: bare identifier only
2950/// (`[A-Za-z_][A-Za-z0-9_]*`). Prevents SQL injection via the name, which is
2951/// interpolated into `PREPARE <name> AS ...` / `EXECUTE <name>(...)`.
2952fn validate_stmt_name(name: &str) -> Result<(), String> {
2953    let mut chars = name.chars();
2954    match chars.next() {
2955        Some(c) if c.is_ascii_alphabetic() || c == '_' => {}
2956        _ => return Err("statement name must start with a letter or underscore".into()),
2957    }
2958    if !chars.all(|c| c.is_ascii_alphanumeric() || c == '_') {
2959        return Err("statement name may contain only letters, digits, or underscore".into());
2960    }
2961    Ok(())
2962}
2963
2964/// Render a JSON value as a safe SQL literal for `EXECUTE` parameter binding.
2965/// Values are escaped so a client cannot inject SQL through a parameter.
2966/// Returns `Err` for non-scalar JSON (arrays/objects) so the caller rejects the
2967/// request with 400 rather than silently binding NULL.
2968fn render_sql_literal(v: &serde_json::Value) -> Result<String, String> {
2969    match v {
2970        serde_json::Value::Null => Ok("NULL".into()),
2971        serde_json::Value::Bool(b) => {
2972            if *b {
2973                Ok("TRUE".into())
2974            } else {
2975                Ok("FALSE".into())
2976            }
2977        }
2978        serde_json::Value::Number(n) => Ok(n.to_string()),
2979        // Single-quote, doubling embedded single quotes (SQL-standard escape).
2980        serde_json::Value::String(s) => {
2981            let mut out = String::with_capacity(s.len() + 2);
2982            out.push('\'');
2983            for c in s.chars() {
2984                if c == '\'' {
2985                    out.push_str("''");
2986                } else {
2987                    out.push(c);
2988                }
2989            }
2990            out.push('\'');
2991            Ok(out)
2992        }
2993        // Arrays/objects are not valid scalar params; reject explicitly.
2994        _ => Err("prepared-statement parameters must be scalar (null/bool/number/string)".into()),
2995    }
2996}
2997
2998/// S1D-005 parameter check: execution with a mismatched parameter list fails
2999/// rather than coercing silently. A binding whose types were not declared at
3000/// prepare time pins the canonical type names of its first execution;
3001/// subsequent executions must match exactly.
3002fn validate_prepared_params(
3003    entry: &sessions::SessionEntry,
3004    name: &str,
3005    binding: &mut mongreldb_protocol::prepared::PreparedStatementBinding,
3006    params: &[serde_json::Value],
3007) -> Result<(), Box<Response>> {
3008    let provided = prepared::parameter_type_names(params);
3009    if binding.parameter_types.is_empty() {
3010        if !provided.is_empty() {
3011            binding.parameter_types = provided;
3012            entry.insert_prepared_binding(name.to_owned(), binding.clone());
3013        }
3014        return Ok(());
3015    }
3016    if binding.parameter_types != provided {
3017        return Err(Box::new(structured_category_error_response(
3018            StatusCode::BAD_REQUEST,
3019            "PREPARED_PARAMETER_MISMATCH",
3020            format!(
3021                "prepared statement {name:?} expects parameters of types {:?}, got {provided:?}",
3022                binding.parameter_types
3023            ),
3024            mongreldb_types::errors::ErrorCategory::ClusterVersionMismatch,
3025        )));
3026    }
3027    Ok(())
3028}
3029
3030#[derive(Deserialize)]
3031struct PrepareRequest {
3032    name: String,
3033    sql: String,
3034    /// Optional declared canonical parameter types (S1D-005). When given,
3035    /// the binding pins them and `execute` rejects mismatched parameter
3036    /// lists instead of coercing silently.
3037    #[serde(default)]
3038    param_types: Option<Vec<String>>,
3039    #[serde(default)]
3040    query_id: Option<QueryId>,
3041    #[serde(default)]
3042    timeout_ms: Option<u64>,
3043}
3044
3045/// `POST /sessions/{id}/prepare` — parse+plan `sql` once and store it under
3046/// `name` on the session. Subsequent `EXECUTE name(...)` calls (via this
3047/// endpoint or `EXECUTE` SQL) reuse the cached plan, skipping re-planning.
3048///
3049/// S1D-005: on success the statement is bound to the current catalog state
3050/// (catalog version + per-table schema versions) in the session's canonical
3051/// record; `execute` revalidates the binding and replans on incompatible
3052/// schema change — a stale plan never executes silently.
3053async fn prepare_statement(
3054    State(state): State<Arc<AppState>>,
3055    OptionalPrincipal(principal): OptionalPrincipal,
3056    Path(id): Path<String>,
3057    headers: axum::http::HeaderMap,
3058    Json(req): Json<PrepareRequest>,
3059) -> Response {
3060    if !state.accepting_sql.load(Ordering::Acquire) {
3061        return (StatusCode::SERVICE_UNAVAILABLE, "server is shutting down").into_response();
3062    }
3063    if !request_identity_is_current(&state, &principal) {
3064        return StatusCode::NOT_FOUND.into_response();
3065    }
3066    if let Err(msg) = validate_stmt_name(&req.name) {
3067        return (StatusCode::BAD_REQUEST, msg).into_response();
3068    }
3069    if let Some(param_types) = req.param_types.as_deref() {
3070        if let Err(msg) = prepared::validate_parameter_type_names(param_types) {
3071            return (StatusCode::BAD_REQUEST, msg).into_response();
3072        }
3073    }
3074    let owner = request_owner(&state, &principal);
3075    let Some(entry) = state.sessions.get(&id, &owner) else {
3076        return (
3077            StatusCode::NOT_FOUND,
3078            "session not found or not owned by caller",
3079        )
3080            .into_response();
3081    };
3082    let (options, query_id) = match resolve_query_options(
3083        &state,
3084        &headers,
3085        req.query_id,
3086        req.timeout_ms,
3087        owner,
3088        Some(id),
3089    ) {
3090        Ok(options) => options,
3091        Err(response) => return *response,
3092    };
3093    let query = match register_controlled_query(&state, &entry.session(), options) {
3094        Ok(query) => query,
3095        Err(error) => return tracked_query_error_response(&state, &error, Some(query_id)),
3096    };
3097    let registration = RegisteredQueryGuard::new(query);
3098    if mongreldb_query::contains_boolean_ai_predicate(&req.sql) {
3099        registration.fail();
3100        return with_query_id(remote_boolean_ai_error(), query_id);
3101    }
3102    let _sql_permit = match acquire_sql_permit(&state, &entry.session(), registration.query()).await
3103    {
3104        Ok(permit) => permit,
3105        Err(error) => return tracked_query_error_response(&state, &error, Some(query_id)),
3106    };
3107    let _guard = tokio::select! {
3108        guard = entry.lock.lock() => guard,
3109        _ = registration.query().control().cancelled() => {
3110            return tracked_query_error_response(
3111                &state,
3112                &cancellation_checkpoint_error(registration.query()),
3113                Some(query_id),
3114            );
3115        }
3116    };
3117    if entry.is_closed() {
3118        return with_query_id(
3119            (StatusCode::NOT_FOUND, "session no longer available").into_response(),
3120            query_id,
3121        );
3122    }
3123    entry.touch();
3124    let sql = format!("PREPARE {} AS {}", req.name, req.sql);
3125    let query = registration.into_query();
3126    match entry.session().run_with_query(&sql, query).await {
3127        Ok(_) => {
3128            // Bind the plan to the catalog state it was planned against.
3129            let catalog_state = prepared::CatalogState::capture(&state.db);
3130            let statement_id = entry.allocate_statement_id();
3131            entry.insert_prepared_binding(
3132                req.name.clone(),
3133                prepared::build_binding(
3134                    statement_id,
3135                    req.sql.clone(),
3136                    req.param_types.clone().unwrap_or_default(),
3137                    &catalog_state,
3138                ),
3139            );
3140            with_query_id(
3141                Json(json!({ "prepared": req.name, "statement_id": statement_id.get() }))
3142                    .into_response(),
3143                query_id,
3144            )
3145        }
3146        Err(error) => tracked_query_error_response(&state, &error, Some(query_id)),
3147    }
3148}
3149
3150#[derive(Deserialize)]
3151struct ExecuteRequest {
3152    name: String,
3153    params: Vec<serde_json::Value>,
3154    #[serde(default)]
3155    format: Option<String>,
3156    #[serde(default)]
3157    query_id: Option<QueryId>,
3158    #[serde(default)]
3159    timeout_ms: Option<u64>,
3160}
3161
3162/// `POST /sessions/{id}/execute` — run a previously-prepared statement with
3163/// typed parameters, reusing its cached plan. Returns the same formats as
3164/// `/sql` (`json` default, `arrow`, `arrow-stream`).
3165async fn execute_statement(
3166    State(state): State<Arc<AppState>>,
3167    OptionalPrincipal(principal): OptionalPrincipal,
3168    Path(id): Path<String>,
3169    headers: axum::http::HeaderMap,
3170    Json(req): Json<ExecuteRequest>,
3171) -> Response {
3172    if !state.accepting_sql.load(Ordering::Acquire) {
3173        return (StatusCode::SERVICE_UNAVAILABLE, "server is shutting down").into_response();
3174    }
3175    if !request_identity_is_current(&state, &principal) {
3176        return StatusCode::NOT_FOUND.into_response();
3177    }
3178    if let Err(msg) = validate_stmt_name(&req.name) {
3179        return (StatusCode::BAD_REQUEST, msg).into_response();
3180    }
3181    let owner = request_owner(&state, &principal);
3182    let Some(entry) = state.sessions.get(&id, &owner) else {
3183        return (
3184            StatusCode::NOT_FOUND,
3185            "session not found or not owned by caller",
3186        )
3187            .into_response();
3188    };
3189    let (options, query_id) = match resolve_query_options(
3190        &state,
3191        &headers,
3192        req.query_id,
3193        req.timeout_ms,
3194        owner,
3195        Some(id),
3196    ) {
3197        Ok(options) => options,
3198        Err(response) => return *response,
3199    };
3200    let query = match register_controlled_query(&state, &entry.session(), options) {
3201        Ok(query) => query,
3202        Err(error) => return tracked_query_error_response(&state, &error, Some(query_id)),
3203    };
3204    let registration = RegisteredQueryGuard::new(query);
3205    let sql_permit = match acquire_sql_permit(&state, &entry.session(), registration.query()).await
3206    {
3207        Ok(permit) => permit,
3208        Err(error) => return tracked_query_error_response(&state, &error, Some(query_id)),
3209    };
3210    let _guard = tokio::select! {
3211        guard = entry.lock.lock() => guard,
3212        _ = registration.query().control().cancelled() => {
3213            return tracked_query_error_response(
3214                &state,
3215                &cancellation_checkpoint_error(registration.query()),
3216                Some(query_id),
3217            );
3218        }
3219    };
3220    if entry.is_closed() {
3221        return with_query_id(
3222            (StatusCode::NOT_FOUND, "session no longer available").into_response(),
3223            query_id,
3224        );
3225    }
3226    entry.touch();
3227    // S1D-005: when the statement was prepared through the registry-tracked
3228    // prepare endpoint, validate its binding before executing the cached
3229    // plan — a stale plan never executes silently.
3230    if let Some((statement_id, mut binding)) = entry.prepared_binding(&req.name) {
3231        if let Err(response) =
3232            validate_prepared_params(&entry, &req.name, &mut binding, &req.params)
3233        {
3234            registration.fail();
3235            state.metrics.inc_sql_errors();
3236            return with_query_id(*response, query_id);
3237        }
3238        let catalog_state = prepared::CatalogState::capture(&state.db);
3239        if !catalog_state.is_compatible(&binding) {
3240            // Incompatible catalog/schema change: invalidate and replan
3241            // (S1D-005) — a stale plan never executes silently. The old plan
3242            // is dropped first. Audited with the statement name only: the SQL
3243            // text (and any literals in it) never reaches the audit log.
3244            state.audit.record(
3245                request_owner(&state, &principal),
3246                "prepared.invalidate",
3247                format!(
3248                    "statement {:?} invalidated by a catalog/schema change",
3249                    req.name
3250                ),
3251            );
3252            let deallocate = format!("DEALLOCATE {}", req.name);
3253            let _ = entry.session().run(&deallocate).await;
3254            let replan_error: Option<String> = 'replan: {
3255                // A staged transaction pins the session's catalog view, so
3256                // the plan cannot be rebuilt against the new catalog here.
3257                if entry.session().staged_sql_operation_count().is_some() {
3258                    Some(
3259                        "the session has an open transaction; COMMIT or ROLLBACK, then re-prepare"
3260                            .to_owned(),
3261                    )
3262                } else {
3263                    // The pooled session's DataFusion table registrations
3264                    // snapshot the catalog at session open and advance only
3265                    // on same-session DDL, so replanning after a
3266                    // cross-session change requires a session built against
3267                    // the CURRENT catalog (fresh secured providers:
3268                    // authorization is preserved).
3269                    let fresh = match MongrelSession::open_with_external_modules_as(
3270                        Arc::clone(&state.db),
3271                        state.external_modules.iter().cloned(),
3272                        request_principal(&state, &principal),
3273                    ) {
3274                        Ok(session) => {
3275                            session.with_query_registry(Arc::clone(&state.query_registry))
3276                        }
3277                        Err(error) => break 'replan Some(error.to_string()),
3278                    };
3279                    // Preserve the session's test hook across the swap.
3280                    fresh.set_test_hook(entry.session().sql_test_hook());
3281                    let replan = format!("PREPARE {} AS {}", req.name, binding.sql);
3282                    match fresh.run(&replan).await {
3283                        Ok(_) => {
3284                            entry.replace_session(fresh);
3285                            let rebound = prepared::build_binding(
3286                                statement_id,
3287                                binding.sql.clone(),
3288                                binding.parameter_types.clone(),
3289                                &prepared::CatalogState::capture(&state.db),
3290                            );
3291                            entry.insert_prepared_binding(req.name.clone(), rebound);
3292                            None
3293                        }
3294                        Err(error) => Some(error.to_string()),
3295                    }
3296                }
3297            };
3298            match &replan_error {
3299                Some(_) => state.audit.record(
3300                    request_owner(&state, &principal),
3301                    "prepared.replan.fail",
3302                    format!(
3303                        "statement {:?} could not be replanned; re-prepare required",
3304                        req.name
3305                    ),
3306                ),
3307                None => state.audit.record(
3308                    request_owner(&state, &principal),
3309                    "prepared.replan.ok",
3310                    format!(
3311                        "statement {:?} replanned against the current catalog",
3312                        req.name
3313                    ),
3314                ),
3315            }
3316            if let Some(error) = replan_error {
3317                entry.remove_prepared_binding(&req.name);
3318                registration.fail();
3319                state.metrics.inc_sql_errors();
3320                return with_query_id(
3321                    structured_category_error_response(
3322                        StatusCode::CONFLICT,
3323                        "SCHEMA_VERSION_MISMATCH",
3324                        format!(
3325                            "prepared statement {:?} was invalidated by a catalog/schema change and could not be replanned: {error}; re-prepare the statement",
3326                            req.name
3327                        ),
3328                        mongreldb_types::errors::ErrorCategory::SchemaVersionMismatch,
3329                    ),
3330                    query_id,
3331                );
3332            }
3333        }
3334    }
3335    state.metrics.inc_sql_queries();
3336    let literals: Vec<String> = match req
3337        .params
3338        .iter()
3339        .map(render_sql_literal)
3340        .collect::<Result<_, _>>()
3341    {
3342        Ok(v) => v,
3343        Err(msg) => {
3344            state.metrics.inc_sql_errors();
3345            return (StatusCode::BAD_REQUEST, msg).into_response();
3346        }
3347    };
3348    let sql = format!("EXECUTE {}({})", req.name, literals.join(", "));
3349    let start = std::time::Instant::now();
3350    let result = if req.format.as_deref() == Some("arrow-stream") {
3351        let query = registration.into_query();
3352        match entry
3353            .session()
3354            .run_stream_with_query_for_serialization(&sql, query)
3355            .await
3356        {
3357            Ok((stream, completion)) => Ok(sql_arrow_stream_response_controlled(
3358                stream,
3359                completion,
3360                sql_permit,
3361                (
3362                    state.reloadable.sql_max_output_rows.get(),
3363                    state.reloadable.sql_max_output_bytes.get(),
3364                ),
3365                &state,
3366                query_id,
3367                entry.session().sql_test_hook(),
3368            )),
3369            Err(error) => Err(error),
3370        }
3371    } else {
3372        let query = registration.into_query();
3373        match entry
3374            .session()
3375            .run_with_query_for_serialization_with_limits(
3376                &sql,
3377                query,
3378                mongreldb_query::SqlCollectionLimits::new(
3379                    state.reloadable.sql_max_output_rows.get(),
3380                    state.reloadable.sql_max_output_bytes.get(),
3381                ),
3382            )
3383            .await
3384        {
3385            Ok(output) => Ok(dispatch_buffered_sql_format(
3386                &state,
3387                req.format.as_deref(),
3388                output,
3389                query_id,
3390                entry.session().sql_test_hook(),
3391                (
3392                    state.reloadable.sql_max_output_rows.get(),
3393                    state.reloadable.sql_max_output_bytes.get(),
3394                ),
3395            )
3396            .await),
3397            Err(error) => Err(error),
3398        }
3399    };
3400    let elapsed = start.elapsed();
3401    if elapsed >= state.reloadable.slow_query_threshold.get() {
3402        state.metrics.inc_slow_queries();
3403        eprintln!(
3404            "[slow-query] {}\u{00b5}s \u{2014} EXECUTE {}",
3405            elapsed.as_micros(),
3406            req.name
3407        );
3408    }
3409    match result {
3410        Ok(response) => with_query_id(response, query_id),
3411        Err(e) => {
3412            state.metrics.inc_sql_errors();
3413            // A reference to an unprepared/unknown statement is a client error.
3414            let msg = format!("{e}");
3415            let status = if msg.contains("does not exist") {
3416                StatusCode::NOT_FOUND
3417            } else {
3418                status_for_query_error(&e)
3419            };
3420            if status == status_for_query_error(&e) {
3421                tracked_query_error_response(&state, &e, Some(query_id))
3422            } else {
3423                with_query_id(
3424                    (status, format!("{msg} ({}µs)", elapsed.as_micros())).into_response(),
3425                    query_id,
3426                )
3427            }
3428        }
3429    }
3430}
3431
3432/// `DELETE /sessions/{id}/statements/{name}` — drop a prepared statement from
3433/// the session (SQL `DEALLOCATE`).
3434async fn deallocate_statement(
3435    State(state): State<Arc<AppState>>,
3436    OptionalPrincipal(principal): OptionalPrincipal,
3437    Path((id, name)): Path<(String, String)>,
3438    headers: axum::http::HeaderMap,
3439) -> Response {
3440    if !state.accepting_sql.load(Ordering::Acquire) {
3441        return (StatusCode::SERVICE_UNAVAILABLE, "server is shutting down").into_response();
3442    }
3443    if !request_identity_is_current(&state, &principal) {
3444        return StatusCode::NOT_FOUND.into_response();
3445    }
3446    if let Err(msg) = validate_stmt_name(&name) {
3447        return (StatusCode::BAD_REQUEST, msg).into_response();
3448    }
3449    let owner = request_owner(&state, &principal);
3450    let Some(entry) = state.sessions.get(&id, &owner) else {
3451        return (
3452            StatusCode::NOT_FOUND,
3453            "session not found or not owned by caller",
3454        )
3455            .into_response();
3456    };
3457    let (options, query_id) =
3458        match resolve_query_options(&state, &headers, None, None, owner, Some(id)) {
3459            Ok(options) => options,
3460            Err(response) => return *response,
3461        };
3462    let query = match register_controlled_query(&state, &entry.session(), options) {
3463        Ok(query) => query,
3464        Err(error) => return tracked_query_error_response(&state, &error, Some(query_id)),
3465    };
3466    let registration = RegisteredQueryGuard::new(query);
3467    let _sql_permit = match acquire_sql_permit(&state, &entry.session(), registration.query()).await
3468    {
3469        Ok(permit) => permit,
3470        Err(error) => return tracked_query_error_response(&state, &error, Some(query_id)),
3471    };
3472    let _guard = tokio::select! {
3473        guard = entry.lock.lock() => guard,
3474        _ = registration.query().control().cancelled() => {
3475            return tracked_query_error_response(
3476                &state,
3477                &cancellation_checkpoint_error(registration.query()),
3478                Some(query_id),
3479            );
3480        }
3481    };
3482    if entry.is_closed() {
3483        return with_query_id(
3484            (StatusCode::NOT_FOUND, "session no longer available").into_response(),
3485            query_id,
3486        );
3487    }
3488    entry.touch();
3489    state.metrics.inc_sql_queries();
3490    let sql = format!("DEALLOCATE {name}");
3491    let start = std::time::Instant::now();
3492    let result = entry
3493        .session()
3494        .run_with_query(&sql, registration.into_query())
3495        .await;
3496    let elapsed = start.elapsed();
3497    if elapsed >= state.reloadable.slow_query_threshold.get() {
3498        state.metrics.inc_slow_queries();
3499        eprintln!(
3500            "[slow-query] {}\u{00b5}s query_id={} operation=DEALLOCATE",
3501            elapsed.as_micros(),
3502            query_id,
3503        );
3504    }
3505    match result {
3506        Ok(_) => {
3507            entry.remove_prepared_binding(&name);
3508            with_query_id(
3509                Json(json!({ "deallocated": name })).into_response(),
3510                query_id,
3511            )
3512        }
3513        Err(error) => {
3514            state.metrics.inc_sql_errors();
3515            tracked_query_error_response(&state, &error, Some(query_id))
3516        }
3517    }
3518}
3519
3520/// `mongreldb_tables` gauge. Subject to the same auth middleware as every other
3521/// route (scrape with the configured Bearer token / Basic credentials).
3522async fn metrics_handler(
3523    State(state): State<Arc<AppState>>,
3524    OptionalPrincipal(principal): OptionalPrincipal,
3525) -> Response {
3526    if let Err(error) = state.db.require_for(
3527        request_principal(&state, &principal).as_ref(),
3528        &mongreldb_core::Permission::Admin,
3529    ) {
3530        return (status_for_error(&error), error.to_string()).into_response();
3531    }
3532    let body = state.metrics.prometheus_text(
3533        state.db.table_names().len(),
3534        state.query_registry.stats(),
3535        (
3536            state.pre_cancellations.len(),
3537            state.pre_cancellations.approximate_bytes(),
3538        ),
3539    );
3540    (
3541        [(
3542            header::CONTENT_TYPE,
3543            "text/plain; version=0.0.4; charset=utf-8".to_string(),
3544        )],
3545        body,
3546    )
3547        .into_response()
3548}
3549
3550/// `POST /compact` — compact all mounted tables.
3551async fn compact_all(
3552    State(state): State<Arc<AppState>>,
3553    OptionalPrincipal(principal): OptionalPrincipal,
3554) -> (StatusCode, Json<serde_json::Value>) {
3555    if let Err(error) = state.db.require_for(
3556        request_principal(&state, &principal).as_ref(),
3557        &mongreldb_core::Permission::Ddl,
3558    ) {
3559        return (
3560            status_for_error(&error),
3561            Json(json!({ "status": "error", "message": error.to_string() })),
3562        );
3563    }
3564    match state.db.compact() {
3565        Ok((compacted, skipped)) => (
3566            StatusCode::OK,
3567            Json(json!({
3568                "status": "ok",
3569                "compacted": compacted,
3570                "skipped": skipped,
3571            })),
3572        ),
3573        Err(e) => (
3574            StatusCode::INTERNAL_SERVER_ERROR,
3575            Json(json!({ "status": "error", "message": format!("{e}") })),
3576        ),
3577    }
3578}
3579
3580/// `POST /tables/{name}/compact` — compact a single table.
3581async fn compact_table(
3582    State(state): State<Arc<AppState>>,
3583    OptionalPrincipal(principal): OptionalPrincipal,
3584    Path(name): Path<String>,
3585) -> (StatusCode, Json<serde_json::Value>) {
3586    if let Err(error) = state.db.require_for(
3587        request_principal(&state, &principal).as_ref(),
3588        &mongreldb_core::Permission::Ddl,
3589    ) {
3590        return (
3591            status_for_error(&error),
3592            Json(json!({ "status": "error", "table": name, "message": error.to_string() })),
3593        );
3594    }
3595    match state.db.compact_table(&name) {
3596        Ok(true) => (
3597            StatusCode::OK,
3598            Json(json!({ "status": "compacted", "table": name })),
3599        ),
3600        Ok(false) => (
3601            StatusCode::OK,
3602            Json(json!({ "status": "skipped", "table": name, "reason": "fewer than 2 runs" })),
3603        ),
3604        Err(e) => (
3605            StatusCode::INTERNAL_SERVER_ERROR,
3606            Json(json!({ "status": "error", "table": name, "message": format!("{e}") })),
3607        ),
3608    }
3609}
3610
3611#[derive(Deserialize)]
3612struct CreateTableRequest {
3613    name: String,
3614    columns: Vec<ColumnDefJson>,
3615}
3616
3617#[derive(Deserialize)]
3618struct ColumnDefJson {
3619    id: u16,
3620    name: String,
3621    ty: String,
3622    primary_key: bool,
3623    #[serde(default)]
3624    nullable: bool,
3625}
3626
3627async fn create_table(
3628    State(state): State<Arc<AppState>>,
3629    OptionalPrincipal(principal): OptionalPrincipal,
3630    Json(req): Json<CreateTableRequest>,
3631) -> Response {
3632    if let Some(response) = require_writes_open(&state) {
3633        return response;
3634    }
3635    if let Err(error) = state.db.require_for(
3636        request_principal(&state, &principal).as_ref(),
3637        &mongreldb_core::Permission::Ddl,
3638    ) {
3639        return (status_for_error(&error), error.to_string()).into_response();
3640    }
3641    let mut columns = Vec::new();
3642    for c in &req.columns {
3643        let ty = match c.ty.as_str() {
3644            "int64" | "bigint" => TypeId::Int64,
3645            "float64" | "double" => TypeId::Float64,
3646            "bytes" | "varchar" | "text" => TypeId::Bytes,
3647            "bool" => TypeId::Bool,
3648            other => {
3649                return (StatusCode::BAD_REQUEST, format!("unknown type: {other}")).into_response()
3650            }
3651        };
3652        let mut flags = mongreldb_core::schema::ColumnFlags::empty();
3653        if c.primary_key {
3654            flags = flags.with(mongreldb_core::schema::ColumnFlags::PRIMARY_KEY);
3655        }
3656        if c.nullable {
3657            flags = flags.with(mongreldb_core::schema::ColumnFlags::NULLABLE);
3658        }
3659        columns.push(mongreldb_core::schema::ColumnDef {
3660            id: c.id,
3661            name: c.name.clone(),
3662            ty,
3663            flags,
3664            default_value: None,
3665            embedding_source: None,
3666        });
3667    }
3668    let schema = Schema {
3669        schema_id: 0,
3670        columns,
3671        indexes: vec![],
3672        colocation: vec![],
3673        constraints: Default::default(),
3674        clustered: false,
3675    };
3676    if let Err(msg) = validate_table_name(&req.name) {
3677        return (StatusCode::BAD_REQUEST, msg).into_response();
3678    }
3679    match state.db.create_table(&req.name, schema) {
3680        Ok(id) => Json(json!({
3681            "table_id": id,
3682            "table_id_text": id.to_string()
3683        }))
3684        .into_response(),
3685        Err(error) => crate::kit::durable_core_error_response(&error)
3686            .unwrap_or_else(|| (status_for_error(&error), error.to_string()).into_response()),
3687    }
3688}
3689
3690async fn list_tables(
3691    State(state): State<Arc<AppState>>,
3692    OptionalPrincipal(principal): OptionalPrincipal,
3693) -> Json<Vec<String>> {
3694    let principal = request_principal(&state, &principal);
3695    Json(
3696        state
3697            .db
3698            .table_names()
3699            .into_iter()
3700            .filter(|table| {
3701                state
3702                    .db
3703                    .select_column_ids_for(table, principal.as_ref())
3704                    .is_ok()
3705            })
3706            .collect(),
3707    )
3708}
3709
3710async fn drop_table(
3711    State(state): State<Arc<AppState>>,
3712    OptionalPrincipal(principal): OptionalPrincipal,
3713    Path(name): Path<String>,
3714) -> Response {
3715    if let Some(response) = require_writes_open(&state) {
3716        return response;
3717    }
3718    if let Err(error) = state.db.require_for(
3719        request_principal(&state, &principal).as_ref(),
3720        &mongreldb_core::Permission::Ddl,
3721    ) {
3722        return (status_for_error(&error), error.to_string()).into_response();
3723    }
3724    match state.db.drop_table_with_epoch(&name) {
3725        Ok(epoch) => Json(json!({
3726            "status": "committed",
3727            "epoch": epoch.0,
3728            "epoch_text": epoch.0.to_string()
3729        }))
3730        .into_response(),
3731        Err(error) => crate::kit::durable_core_error_response(&error)
3732            .unwrap_or_else(|| (status_for_error(&error), error.to_string()).into_response()),
3733    }
3734}
3735
3736#[derive(Deserialize)]
3737struct PutRequest {
3738    row: Vec<serde_json::Value>,
3739}
3740
3741pub(crate) fn json_to_value(v: &serde_json::Value, expected: &TypeId) -> Value {
3742    match (v, expected) {
3743        (serde_json::Value::Number(n), TypeId::Float64) => {
3744            n.as_f64().map(Value::Float64).unwrap_or(Value::Null)
3745        }
3746        (serde_json::Value::Number(n), TypeId::Int64) => {
3747            n.as_i64().map(Value::Int64).unwrap_or(Value::Null)
3748        }
3749        (serde_json::Value::String(s), TypeId::Bytes) => Value::Bytes(s.as_bytes().to_vec()),
3750        (serde_json::Value::String(s), TypeId::Enum { variants }) => {
3751            if variants.iter().any(|v| v == s) {
3752                Value::Bytes(s.as_bytes().to_vec())
3753            } else {
3754                Value::Null
3755            }
3756        }
3757        (serde_json::Value::Bool(b), TypeId::Bool) => Value::Bool(*b),
3758        // Embedding input: a JSON array of numbers, validated against the
3759        // declared dimension. Mismatched length or non-numeric elements → Null.
3760        (serde_json::Value::Array(arr), TypeId::Embedding { dim }) => {
3761            if arr.len() as u32 != *dim {
3762                return Value::Null;
3763            }
3764            let vec: Option<Vec<f32>> =
3765                arr.iter().map(|el| el.as_f64().map(|f| f as f32)).collect();
3766            vec.map(Value::Embedding).unwrap_or(Value::Null)
3767        }
3768        (serde_json::Value::Null, _) => Value::Null,
3769        // Lenient fallbacks for unknown/loosely-typed JSON.
3770        (serde_json::Value::Number(n), _) => {
3771            if let Some(i) = n.as_i64() {
3772                Value::Int64(i)
3773            } else if let Some(f) = n.as_f64() {
3774                Value::Float64(f)
3775            } else {
3776                Value::Null
3777            }
3778        }
3779        (serde_json::Value::String(s), _) => Value::Bytes(s.as_bytes().to_vec()),
3780        (serde_json::Value::Bool(b), _) => Value::Bool(*b),
3781        _ => Value::Null,
3782    }
3783}
3784
3785fn legacy_json_to_value(value: &serde_json::Value, expected: &TypeId) -> Result<Value, String> {
3786    if value.is_null() {
3787        return Ok(Value::Null);
3788    }
3789    match expected {
3790        TypeId::Bool => value
3791            .as_bool()
3792            .map(Value::Bool)
3793            .ok_or_else(|| "expected a boolean".into()),
3794        TypeId::Int8
3795        | TypeId::Int16
3796        | TypeId::Int32
3797        | TypeId::Int64
3798        | TypeId::UInt8
3799        | TypeId::UInt16
3800        | TypeId::UInt32
3801        | TypeId::UInt64
3802        | TypeId::TimestampNanos
3803        | TypeId::Date32
3804        | TypeId::Date64
3805        | TypeId::Time64 => value
3806            .as_i64()
3807            .map(Value::Int64)
3808            .ok_or_else(|| "expected a signed 64-bit integer".into()),
3809        TypeId::Float32 | TypeId::Float64 => value
3810            .as_f64()
3811            .filter(|value| value.is_finite())
3812            .map(Value::Float64)
3813            .ok_or_else(|| "expected a finite number".into()),
3814        TypeId::Bytes => match value.as_str() {
3815            Some(value) => Ok(Value::Bytes(value.as_bytes().to_vec())),
3816            None => decode_tagged_hex(value, "bytes").map(Value::Bytes),
3817        },
3818        TypeId::Enum { variants } => {
3819            let bytes = match value.as_str() {
3820                Some(value) => value.as_bytes().to_vec(),
3821                None => decode_tagged_hex(value, "bytes")?,
3822            };
3823            let value =
3824                std::str::from_utf8(&bytes).map_err(|_| "enum variant is not UTF-8".to_string())?;
3825            if !variants.iter().any(|variant| variant == value) {
3826                return Err("expected a declared enum variant".into());
3827            }
3828            Ok(Value::Bytes(bytes))
3829        }
3830        TypeId::Embedding { dim } => {
3831            let values = value
3832                .as_array()
3833                .ok_or_else(|| "expected an embedding array".to_string())?;
3834            if values.len() != *dim as usize {
3835                return Err(format!("expected an embedding with {dim} values"));
3836            }
3837            values
3838                .iter()
3839                .map(|value| {
3840                    value
3841                        .as_f64()
3842                        .map(|value| value as f32)
3843                        .filter(|value| value.is_finite())
3844                        .ok_or_else(|| "embedding values must be finite numbers".to_string())
3845                })
3846                .collect::<Result<Vec<_>, _>>()
3847                .map(Value::Embedding)
3848        }
3849        TypeId::Decimal128 { .. } => {
3850            let object = exact_tagged_object(value, "decimal", &["unscaled"])?;
3851            let text = object["unscaled"]
3852                .as_str()
3853                .ok_or_else(|| "decimal unscaled value must be a string".to_string())?;
3854            let value = text
3855                .parse::<i128>()
3856                .map_err(|_| "decimal unscaled value is invalid".to_string())?;
3857            if value.to_string() != text {
3858                return Err("decimal unscaled value is not canonical".into());
3859            }
3860            Ok(Value::Decimal(value))
3861        }
3862        TypeId::Interval => {
3863            let object = exact_tagged_object(value, "interval", &["months", "days", "nanos"])?;
3864            let months = canonical_i64(&object["months"], "interval months")?;
3865            let days = canonical_i64(&object["days"], "interval days")?
3866                .try_into()
3867                .map_err(|_| "interval days is outside i32 range".to_string())?;
3868            let nanos = canonical_i64(&object["nanos"], "interval nanos")?;
3869            Ok(Value::Interval {
3870                months,
3871                days,
3872                nanos,
3873            })
3874        }
3875        TypeId::Uuid => {
3876            let bytes = decode_tagged_hex(value, "uuid")?;
3877            let bytes: [u8; 16] = bytes
3878                .try_into()
3879                .map_err(|_| "UUID must contain exactly 16 bytes".to_string())?;
3880            Ok(Value::Uuid(bytes))
3881        }
3882        TypeId::Json => {
3883            let bytes = decode_tagged_hex(value, "json")?;
3884            std::str::from_utf8(&bytes).map_err(|_| "JSON value is not UTF-8".to_string())?;
3885            serde_json::from_slice::<serde_json::Value>(&bytes)
3886                .map_err(|error| format!("JSON value is invalid: {error}"))?;
3887            Ok(Value::Json(bytes))
3888        }
3889        TypeId::Array { .. } => Err("legacy put does not support array columns".into()),
3890    }
3891}
3892
3893fn exact_tagged_object<'a>(
3894    value: &'a serde_json::Value,
3895    expected_kind: &str,
3896    fields: &[&str],
3897) -> Result<&'a serde_json::Map<String, serde_json::Value>, String> {
3898    let object = value
3899        .as_object()
3900        .ok_or_else(|| format!("expected tagged {expected_kind} value"))?;
3901    if object.len() != fields.len() + 1
3902        || object
3903            .get("$mongreldb_type")
3904            .and_then(|value| value.as_str())
3905            != Some(expected_kind)
3906        || fields.iter().any(|field| !object.contains_key(*field))
3907    {
3908        return Err(format!("invalid tagged {expected_kind} value"));
3909    }
3910    Ok(object)
3911}
3912
3913fn decode_tagged_hex(value: &serde_json::Value, expected_kind: &str) -> Result<Vec<u8>, String> {
3914    let object = exact_tagged_object(value, expected_kind, &["hex"])?;
3915    let encoded = object["hex"]
3916        .as_str()
3917        .ok_or_else(|| format!("tagged {expected_kind} hex must be a string"))?;
3918    if encoded.len() % 2 != 0 {
3919        return Err(format!("tagged {expected_kind} hex has odd length"));
3920    }
3921    encoded
3922        .as_bytes()
3923        .chunks_exact(2)
3924        .map(|pair| {
3925            let high = hex_nibble(pair[0])?;
3926            let low = hex_nibble(pair[1])?;
3927            Ok((high << 4) | low)
3928        })
3929        .collect()
3930}
3931
3932fn hex_nibble(value: u8) -> Result<u8, String> {
3933    match value {
3934        b'0'..=b'9' => Ok(value - b'0'),
3935        b'a'..=b'f' => Ok(value - b'a' + 10),
3936        _ => Err("hex value must use lowercase ASCII digits".into()),
3937    }
3938}
3939
3940fn canonical_i64(value: &serde_json::Value, field: &str) -> Result<i64, String> {
3941    let text = value
3942        .as_str()
3943        .ok_or_else(|| format!("{field} must be a string"))?;
3944    let value = text
3945        .parse::<i64>()
3946        .map_err(|_| format!("{field} is invalid"))?;
3947    if value.to_string() != text {
3948        return Err(format!("{field} is not canonical"));
3949    }
3950    Ok(value)
3951}
3952
3953#[cfg(test)]
3954mod legacy_wire_tests {
3955    use super::*;
3956
3957    #[test]
3958    fn typed_values_are_exact_and_malformed_values_fail_closed() {
3959        assert_eq!(
3960            legacy_json_to_value(
3961                &json!({"$mongreldb_type": "bytes", "hex": "00ff61"}),
3962                &TypeId::Bytes,
3963            )
3964            .unwrap(),
3965            Value::Bytes(vec![0, 0xff, b'a'])
3966        );
3967        for (value, ty) in [
3968            (
3969                json!({"$mongreldb_type": "bytes", "hex": "00FF"}),
3970                TypeId::Bytes,
3971            ),
3972            (
3973                json!({"$mongreldb_type": "decimal", "unscaled": "01"}),
3974                TypeId::Decimal128 {
3975                    precision: 38,
3976                    scale: 0,
3977                },
3978            ),
3979            (
3980                json!({"$mongreldb_type": "uuid", "hex": "00"}),
3981                TypeId::Uuid,
3982            ),
3983            (
3984                json!({"$mongreldb_type": "json", "hex": "7b"}),
3985                TypeId::Json,
3986            ),
3987            (json!([1.0]), TypeId::Embedding { dim: 2 }),
3988            (json!([1e100, 1.0]), TypeId::Embedding { dim: 2 }),
3989        ] {
3990            assert!(legacy_json_to_value(&value, &ty).is_err(), "{value}");
3991        }
3992    }
3993}
3994
3995/// Parse a flat JSON array `[col_id, val, col_id, val, ...]` into typed cell
3996/// pairs, validating the schema. Returns `Err(message)` on any malformed pair.
3997fn parse_cells(
3998    row: &[serde_json::Value],
3999    schema: &mongreldb_core::schema::Schema,
4000) -> Result<Vec<(u16, Value)>, String> {
4001    if row.len() & 1 != 0 {
4002        return Err("row must be an even-length array of [col_id, value] pairs".into());
4003    }
4004    let mut out = Vec::with_capacity(row.len() / 2);
4005    let mut seen = std::collections::HashSet::new();
4006    for chunk in row.chunks(2) {
4007        let col_id = chunk[0]
4008            .as_u64()
4009            .and_then(|value| u16::try_from(value).ok())
4010            .ok_or("column id must be an unsigned 16-bit integer")?;
4011        if !seen.insert(col_id) {
4012            return Err(format!("duplicate column id {col_id}"));
4013        }
4014        let expected = schema
4015            .columns
4016            .iter()
4017            .find(|c| c.id == col_id)
4018            .map(|c| c.ty.clone())
4019            .ok_or_else(|| format!("unknown column id {col_id}"))?;
4020        let val = legacy_json_to_value(&chunk[1], &expected)?;
4021        out.push((col_id, val));
4022    }
4023    Ok(out)
4024}
4025
4026/// Basic validation for a table name: non-empty and no path separators.
4027pub(crate) fn validate_table_name(name: &str) -> Result<(), String> {
4028    if name.is_empty() {
4029        return Err("table name must not be empty".into());
4030    }
4031    if name.contains('/') || name.contains('\\') || name.contains('\0') {
4032        return Err("table name contains invalid characters".into());
4033    }
4034    Ok(())
4035}
4036
4037async fn put_row(
4038    State(state): State<Arc<AppState>>,
4039    OptionalPrincipal(principal): OptionalPrincipal,
4040    Path(name): Path<String>,
4041    Json(req): Json<PutRequest>,
4042) -> Response {
4043    if let Some(response) = require_writes_open(&state) {
4044        return response;
4045    }
4046    let handle = match state.db.table(&name) {
4047        Ok(h) => h,
4048        Err(e) => return (StatusCode::NOT_FOUND, e.to_string()).into_response(),
4049    };
4050    let schema = handle.lock().schema().clone();
4051    let row = match parse_cells(&req.row, &schema) {
4052        Ok(r) => r,
4053        Err(msg) => return (StatusCode::BAD_REQUEST, msg).into_response(),
4054    };
4055    state.metrics.inc_puts();
4056    let principal = request_principal(&state, &principal);
4057    match state.db.put_for(&name, row, principal.as_ref()) {
4058        Ok(rid) => Json(json!({ "row_id": rid.0.to_string() })).into_response(),
4059        Err(e) => (status_for_error(&e), e.to_string()).into_response(),
4060    }
4061}
4062
4063async fn count(
4064    State(state): State<Arc<AppState>>,
4065    OptionalPrincipal(principal): OptionalPrincipal,
4066    Path(name): Path<String>,
4067) -> Response {
4068    let principal = request_principal(&state, &principal);
4069    match state.db.count_for(&name, principal.as_ref()) {
4070        Ok(count) => Json(json!({ "count": count })).into_response(),
4071        Err(error) => (status_for_error(&error), error.to_string()).into_response(),
4072    }
4073}
4074
4075async fn commit(
4076    State(state): State<Arc<AppState>>,
4077    OptionalPrincipal(principal): OptionalPrincipal,
4078    Path(name): Path<String>,
4079) -> Response {
4080    if let Some(response) = require_writes_open(&state) {
4081        return response;
4082    }
4083    if let Err(error) = state.db.require_for(
4084        request_principal(&state, &principal).as_ref(),
4085        &mongreldb_core::Permission::Update {
4086            table: name.clone(),
4087        },
4088    ) {
4089        return (status_for_error(&error), error.to_string()).into_response();
4090    }
4091    let handle = match state.db.table(&name) {
4092        Ok(h) => h,
4093        Err(e) => return (StatusCode::NOT_FOUND, e.to_string()).into_response(),
4094    };
4095    let mut g = handle.lock();
4096    state.metrics.inc_commits();
4097    match g.commit() {
4098        Ok(epoch) => Json(json!({
4099            "epoch": epoch.0,
4100            "epoch_text": epoch.0.to_string()
4101        }))
4102        .into_response(),
4103        Err(error) => crate::kit::durable_core_error_response(&error)
4104            .unwrap_or_else(|| (status_for_error(&error), error.to_string()).into_response()),
4105    }
4106}
4107
4108#[derive(Deserialize)]
4109struct SqlRequest {
4110    sql: String,
4111    /// Output format: `"json"` (the default) for a JSON array of row objects,
4112    /// `"arrow"` for Arrow IPC file bytes.
4113    #[serde(default)]
4114    format: Option<String>,
4115    /// Body values take precedence over the equivalent convenience headers.
4116    #[serde(default)]
4117    query_id: Option<QueryId>,
4118    #[serde(default)]
4119    timeout_ms: Option<u64>,
4120    #[serde(default)]
4121    max_output_rows: Option<u64>,
4122    #[serde(default)]
4123    max_output_bytes: Option<u64>,
4124    #[serde(default)]
4125    idempotency_key: Option<String>,
4126    #[serde(default)]
4127    pagination: Option<SqlPaginationRequest>,
4128}
4129
4130#[derive(Clone, Debug, Deserialize, Serialize)]
4131struct SqlPaginationRequest {
4132    page_size_rows: u64,
4133    projection: Vec<String>,
4134    #[serde(default)]
4135    max_page_bytes: Option<u64>,
4136    #[serde(default)]
4137    max_page_tokens: Option<u64>,
4138}
4139
4140#[derive(Clone)]
4141struct ResolvedSqlPagination {
4142    projection: Vec<String>,
4143    limits: sql_pages::SqlPageLimits,
4144}
4145
4146struct ResolvedSqlRequest {
4147    request: SqlRequest,
4148    output_limits: (usize, usize),
4149    idempotency: Option<sql_idempotency::SqlIdempotencyExecution>,
4150    pagination: Option<ResolvedSqlPagination>,
4151}
4152
4153fn query_error_response(
4154    error: &mongreldb_query::MongrelQueryError,
4155    query_id: Option<QueryId>,
4156) -> Response {
4157    query_error_response_with_status(error, query_id, None)
4158}
4159
4160/// Map a query-layer error onto the stable error taxonomy (spec section 9.7).
4161/// The taxonomy is deliberately coarser than `MongrelQueryError`; non-obvious
4162/// choices follow the `MongrelError::category()` precedents and are
4163/// documented at the arm.
4164fn query_error_category(
4165    error: &mongreldb_query::MongrelQueryError,
4166) -> mongreldb_types::errors::ErrorCategory {
4167    use mongreldb_query::MongrelQueryError;
4168    use mongreldb_types::errors::ErrorCategory;
4169    match error {
4170        MongrelQueryError::Core(error) => error.category(),
4171        MongrelQueryError::QueryCancelled { .. } => ErrorCategory::Cancelled,
4172        MongrelQueryError::DeadlineExceeded { .. } => ErrorCategory::DeadlineExceeded,
4173        // A known-aborted commit may be retried as a fresh transaction; a
4174        // committed-with-error one must never be blindly replayed (the core
4175        // `DurableCommit` precedent).
4176        MongrelQueryError::CommitOutcome { committed, .. } => {
4177            if *committed {
4178                ErrorCategory::CommitOutcomeUnknown
4179            } else {
4180                ErrorCategory::TransactionAborted
4181            }
4182        }
4183        MongrelQueryError::OutcomeUnknown { .. } => ErrorCategory::CommitOutcomeUnknown,
4184        MongrelQueryError::TransactionAborted => ErrorCategory::TransactionAborted,
4185        // The session has no usable transaction; begin a fresh one.
4186        MongrelQueryError::NoSqlTransaction => ErrorCategory::TransactionAborted,
4187        // The caller's view of session state is stale (the core `NotFound`
4188        // precedent).
4189        MongrelQueryError::SavepointNotFound { .. } => ErrorCategory::StaleMetadata,
4190        MongrelQueryError::QueryRegistryFull | MongrelQueryError::ResultLimitExceeded { .. } => {
4191            ErrorCategory::ResourceExhausted
4192        }
4193        // The taxonomy has no invalid-request category: id reuse, invalid
4194        // query state, and SQL parse/plan failures are client/server contract
4195        // disagreements (the core `InvalidArgument` precedent).
4196        MongrelQueryError::QueryIdConflict { .. }
4197        | MongrelQueryError::InvalidQueryState(_)
4198        | MongrelQueryError::Arrow(_)
4199        | MongrelQueryError::DataFusion(_) => ErrorCategory::ClusterVersionMismatch,
4200        MongrelQueryError::Schema(_) => ErrorCategory::SchemaVersionMismatch,
4201        // Uncategorized query-layer failures: the serving replica failed to
4202        // complete the request (the core `Other` precedent).
4203        _ => ErrorCategory::ReplicaUnavailable,
4204    }
4205}
4206
4207fn query_error_response_with_status(
4208    error: &mongreldb_query::MongrelQueryError,
4209    query_id: Option<QueryId>,
4210    status: Option<&mongreldb_query::QueryStatus>,
4211) -> Response {
4212    use mongreldb_query::MongrelQueryError;
4213    let (base_code, id) = match error {
4214        MongrelQueryError::QueryCancelled { query_id, .. } => ("QUERY_CANCELLED", Some(*query_id)),
4215        MongrelQueryError::DeadlineExceeded { query_id, .. } => {
4216            ("DEADLINE_EXCEEDED", Some(*query_id))
4217        }
4218        MongrelQueryError::QueryIdConflict { query_id } => ("QUERY_ID_CONFLICT", Some(*query_id)),
4219        MongrelQueryError::QueryRegistryFull => ("QUERY_REGISTRY_FULL", query_id),
4220        MongrelQueryError::ResultLimitExceeded { query_id, .. } => {
4221            ("RESULT_LIMIT_EXCEEDED", Some(*query_id))
4222        }
4223        MongrelQueryError::TransactionAborted => ("TRANSACTION_ABORTED", query_id),
4224        MongrelQueryError::NoSqlTransaction => ("NO_SQL_TRANSACTION", query_id),
4225        MongrelQueryError::SavepointNotFound { .. } => ("SAVEPOINT_NOT_FOUND", query_id),
4226        MongrelQueryError::CommitOutcome { query_id, .. } => ("COMMIT_OUTCOME", Some(*query_id)),
4227        MongrelQueryError::OutcomeUnknown { query_id, .. } => {
4228            ("QUERY_OUTCOME_UNKNOWN", Some(*query_id))
4229        }
4230        _ => ("QUERY_FAILED", query_id),
4231    };
4232    let (
4233        error_committed,
4234        error_committed_statements,
4235        error_last_commit_epoch,
4236        error_first_commit_statement_index,
4237        error_last_commit_statement_index,
4238    ) = match error {
4239        MongrelQueryError::QueryCancelled {
4240            committed,
4241            committed_statements,
4242            last_commit_epoch,
4243            first_commit_statement_index,
4244            last_commit_statement_index,
4245            ..
4246        }
4247        | MongrelQueryError::DeadlineExceeded {
4248            committed,
4249            committed_statements,
4250            last_commit_epoch,
4251            first_commit_statement_index,
4252            last_commit_statement_index,
4253            ..
4254        }
4255        | MongrelQueryError::ResultLimitExceeded {
4256            committed,
4257            committed_statements,
4258            last_commit_epoch,
4259            first_commit_statement_index,
4260            last_commit_statement_index,
4261            ..
4262        } => (
4263            *committed,
4264            *committed_statements,
4265            *last_commit_epoch,
4266            *first_commit_statement_index,
4267            *last_commit_statement_index,
4268        ),
4269        MongrelQueryError::CommitOutcome {
4270            committed,
4271            committed_statements,
4272            last_commit_epoch,
4273            first_commit_statement_index,
4274            last_commit_statement_index,
4275            ..
4276        } => (
4277            *committed,
4278            *committed_statements,
4279            *last_commit_epoch,
4280            *first_commit_statement_index,
4281            *last_commit_statement_index,
4282        ),
4283        _ => (false, 0, None, None, None),
4284    };
4285    let committed = status.map_or_else(
4286        || error_committed,
4287        |status| status.durable_outcome.committed,
4288    );
4289    let outcome_unknown = matches!(error, MongrelQueryError::OutcomeUnknown { .. })
4290        || status.is_some_and(|status| status.outcome_unknown);
4291    let code = status
4292        .and_then(|status| {
4293            status
4294                .terminal_error
4295                .as_ref()
4296                .map(|error| error.code.as_str())
4297        })
4298        .unwrap_or(match (base_code, committed) {
4299            ("QUERY_CANCELLED", true) => "QUERY_CANCELLED_AFTER_COMMIT",
4300            ("DEADLINE_EXCEEDED", true) => "DEADLINE_AFTER_COMMIT",
4301            _ => base_code,
4302        });
4303    let response_status = if outcome_unknown {
4304        "outcome_unknown"
4305    } else {
4306        status
4307            .and_then(mongreldb_query::QueryStatus::terminal_state)
4308            .map(terminal_state_name)
4309            .unwrap_or_else(|| match (error, committed) {
4310                (MongrelQueryError::QueryCancelled { .. }, true) => "cancelled_after_commit",
4311                (MongrelQueryError::QueryCancelled { .. }, false) => "cancelled_before_commit",
4312                (MongrelQueryError::DeadlineExceeded { .. }, true) => "deadline_after_commit",
4313                (MongrelQueryError::DeadlineExceeded { .. }, false) => "deadline_before_commit",
4314                (_, true) => "committed_with_error",
4315                _ => "failed_before_commit",
4316            })
4317    };
4318    let (completed_statements, statement_index) = status.map_or_else(
4319        || match error {
4320            MongrelQueryError::QueryCancelled {
4321                completed_statements,
4322                cancelled_statement_index,
4323                ..
4324            }
4325            | MongrelQueryError::DeadlineExceeded {
4326                completed_statements,
4327                cancelled_statement_index,
4328                ..
4329            } => (*completed_statements, *cancelled_statement_index),
4330            MongrelQueryError::ResultLimitExceeded {
4331                completed_statements,
4332                statement_index,
4333                ..
4334            } => (*completed_statements, *statement_index),
4335            MongrelQueryError::CommitOutcome {
4336                completed_statements,
4337                statement_index,
4338                ..
4339            } => (*completed_statements, *statement_index),
4340            _ => (0, 0),
4341        },
4342        |status| (status.completed_statements, status.statement_index),
4343    );
4344    let committed_statements = status.map_or(error_committed_statements, |status| {
4345        status.durable_outcome.committed_statements
4346    });
4347    let last_commit_epoch = status.map_or(error_last_commit_epoch, |status| {
4348        status.durable_outcome.last_commit_epoch
4349    });
4350    let first_commit_statement_index = status
4351        .map_or(error_first_commit_statement_index, |status| {
4352            status.durable_outcome.first_commit_statement_index
4353        });
4354    let last_commit_statement_index = status.map_or(error_last_commit_statement_index, |status| {
4355        status.durable_outcome.last_commit_statement_index
4356    });
4357    let cancellation_reason = status
4358        .map(|status| status.cancellation_reason)
4359        .or(match error {
4360            MongrelQueryError::QueryCancelled { reason, .. } => Some(*reason),
4361            MongrelQueryError::DeadlineExceeded { .. } => Some(CancellationReason::Deadline),
4362            _ => None,
4363        })
4364        .map(cancellation_reason_name);
4365    let cancel_outcome = match error {
4366        MongrelQueryError::QueryCancelled { .. } | MongrelQueryError::DeadlineExceeded { .. } => {
4367            Some("accepted")
4368        }
4369        _ => status.and_then(query_cancel_outcome),
4370    };
4371    let outcome = if outcome_unknown {
4372        json!({
4373            "committed": null,
4374            "committed_statements": null,
4375            "last_commit_epoch": null,
4376            "last_commit_epoch_text": null,
4377            "first_commit_statement_index": null,
4378            "last_commit_statement_index": null,
4379            "completed_statements": null,
4380            "statement_index": null,
4381            "serialization": "unknown",
4382        })
4383    } else {
4384        status.map_or_else(
4385            || {
4386                json!({
4387                    "committed": committed,
4388                    "committed_statements": committed_statements,
4389                    "last_commit_epoch": last_commit_epoch,
4390                    "last_commit_epoch_text": epoch_text(last_commit_epoch),
4391                    "first_commit_statement_index": first_commit_statement_index,
4392                    "last_commit_statement_index": last_commit_statement_index,
4393                    "completed_statements": completed_statements,
4394                    "statement_index": statement_index,
4395                    "serialization": "unknown",
4396                })
4397            },
4398            |status| query_outcome_json(Some(status)),
4399        )
4400    };
4401    let http_status = match code {
4402        "QUERY_CANCELLED_AFTER_COMMIT" | "DEADLINE_AFTER_COMMIT" => StatusCode::CONFLICT,
4403        "QUERY_CANCELLED" => client_closed_request_status(),
4404        "DEADLINE_EXCEEDED" => StatusCode::GATEWAY_TIMEOUT,
4405        _ => status_for_query_error(error),
4406    };
4407    // The stable error taxonomy (spec 9.7) rides additively on the existing
4408    // error object: programmatic handling keys off `category` /
4409    // `category_code`, never the message.
4410    let category = query_error_category(error);
4411    let mut response = (
4412        http_status,
4413        Json(json!({
4414            "query_id": id.map(|value| value.to_string()),
4415            "status": response_status,
4416            "terminal_state": response_status,
4417            "committed": (!outcome_unknown).then_some(committed),
4418            "committed_statements": (!outcome_unknown).then_some(committed_statements),
4419            "last_commit_epoch": (!outcome_unknown).then_some(last_commit_epoch).flatten(),
4420            "last_commit_epoch_text": (!outcome_unknown).then_some(epoch_text(last_commit_epoch)).flatten(),
4421            "first_commit_statement_index": (!outcome_unknown).then_some(first_commit_statement_index).flatten(),
4422            "last_commit_statement_index": (!outcome_unknown).then_some(last_commit_statement_index).flatten(),
4423            "completed_statements": (!outcome_unknown).then_some(completed_statements),
4424            "statement_index": (!outcome_unknown).then_some(statement_index),
4425            "cancel_outcome": cancel_outcome,
4426            "cancellation_reason": cancellation_reason,
4427            "retryable": matches!(error, MongrelQueryError::QueryRegistryFull),
4428            "server_state": status.map(|status| query_phase_name(status.phase)),
4429            "outcome": outcome,
4430            "error": {
4431                "code": code,
4432                "message": error.to_string(),
4433                "category": category.to_string(),
4434                "category_code": category.code(),
4435                "query_id": id.map(|value| value.to_string()),
4436                "committed": (!outcome_unknown).then_some(committed),
4437                "retryable": matches!(error, MongrelQueryError::QueryRegistryFull),
4438            }
4439        })),
4440    )
4441        .into_response();
4442    if let Some(id) = id {
4443        add_query_id_header(&mut response, id);
4444    }
4445    response
4446}
4447
4448fn record_query_error(metrics: &metrics::Metrics, error: &mongreldb_query::MongrelQueryError) {
4449    match error {
4450        mongreldb_query::MongrelQueryError::QueryCancelled { reason, .. } => {
4451            metrics.inc_sql_cancelled(*reason)
4452        }
4453        mongreldb_query::MongrelQueryError::DeadlineExceeded { .. } => {
4454            metrics.inc_sql_deadline_exceeded();
4455            metrics.inc_sql_cancelled(CancellationReason::Deadline);
4456        }
4457        _ => {}
4458    }
4459}
4460
4461fn tracked_query_error_response(
4462    state: &AppState,
4463    error: &mongreldb_query::MongrelQueryError,
4464    query_id: Option<QueryId>,
4465) -> Response {
4466    record_query_error(&state.metrics, error);
4467    if let mongreldb_query::MongrelQueryError::QueryCancelled { query_id, .. } = error {
4468        if let Some(requested_at) = state
4469            .query_registry
4470            .status(*query_id)
4471            .and_then(|status| status.cancel_requested_at)
4472        {
4473            state
4474                .metrics
4475                .observe_sql_cancel_latency(requested_at.elapsed());
4476        }
4477    }
4478    let status = if matches!(
4479        error,
4480        mongreldb_query::MongrelQueryError::QueryIdConflict { .. }
4481            | mongreldb_query::MongrelQueryError::QueryRegistryFull
4482    ) {
4483        None
4484    } else {
4485        query_id
4486            .or(match error {
4487                mongreldb_query::MongrelQueryError::QueryCancelled { query_id, .. }
4488                | mongreldb_query::MongrelQueryError::DeadlineExceeded { query_id, .. }
4489                | mongreldb_query::MongrelQueryError::CommitOutcome { query_id, .. }
4490                | mongreldb_query::MongrelQueryError::OutcomeUnknown { query_id, .. } => {
4491                    Some(*query_id)
4492                }
4493                _ => None,
4494            })
4495            .and_then(|query_id| state.query_registry.status(query_id))
4496    };
4497    query_error_response_with_status(error, query_id, status.as_ref())
4498}
4499
4500fn add_query_id_header(response: &mut Response, query_id: QueryId) {
4501    if let Ok(value) = axum::http::HeaderValue::from_str(&query_id.to_string()) {
4502        response.headers_mut().insert("x-mongreldb-query-id", value);
4503    }
4504}
4505
4506fn with_query_id(mut response: Response, query_id: QueryId) -> Response {
4507    add_query_id_header(&mut response, query_id);
4508    response
4509}
4510
4511fn bad_query_control_request(message: impl Into<String>, query_id: Option<QueryId>) -> Response {
4512    let mut response = (
4513        StatusCode::BAD_REQUEST,
4514        Json(json!({
4515            "query_id": query_id.map(|value| value.to_string()),
4516            "status": "failed_before_commit",
4517            "terminal_state": "failed_before_commit",
4518            "committed": false,
4519            "committed_statements": 0,
4520            "last_commit_epoch": null,
4521            "last_commit_epoch_text": null,
4522            "first_commit_statement_index": null,
4523            "last_commit_statement_index": null,
4524            "completed_statements": 0,
4525            "statement_index": 0,
4526            "cancel_outcome": null,
4527            "cancellation_reason": null,
4528            "retryable": false,
4529            "server_state": "failed",
4530            "outcome": {
4531                "committed": false,
4532                "committed_statements": 0,
4533                "last_commit_epoch": null,
4534                "last_commit_epoch_text": null,
4535                "first_commit_statement_index": null,
4536                "last_commit_statement_index": null,
4537                "completed_statements": 0,
4538                "statement_index": 0,
4539                "serialization": "not_started",
4540            },
4541            "error": {
4542                "code": "INVALID_QUERY_OPTIONS",
4543                "message": message.into(),
4544                "query_id": query_id.map(|value| value.to_string()),
4545                "committed": false,
4546                "retryable": false,
4547            }
4548        })),
4549    )
4550        .into_response();
4551    if let Some(query_id) = query_id {
4552        add_query_id_header(&mut response, query_id);
4553    }
4554    response
4555}
4556
4557fn resolve_query_options(
4558    state: &AppState,
4559    headers: &axum::http::HeaderMap,
4560    body_query_id: Option<QueryId>,
4561    body_timeout_ms: Option<u64>,
4562    owner: String,
4563    session_id: Option<String>,
4564) -> std::result::Result<(SqlQueryOptions, QueryId), Box<Response>> {
4565    let query_id = match body_query_id {
4566        Some(query_id) => query_id,
4567        None => match headers.get("x-mongreldb-query-id") {
4568            Some(value) => {
4569                let value = value.to_str().map_err(|_| {
4570                    Box::new(bad_query_control_request(
4571                        "X-MongrelDB-Query-ID is not valid text",
4572                        None,
4573                    ))
4574                })?;
4575                value
4576                    .parse()
4577                    .map_err(|error: mongreldb_query::MongrelQueryError| {
4578                        Box::new(bad_query_control_request(error.to_string(), None))
4579                    })?
4580            }
4581            None => {
4582                QueryId::random().map_err(|error| Box::new(query_error_response(&error, None)))?
4583            }
4584        },
4585    };
4586    let timeout_ms = match body_timeout_ms {
4587        Some(timeout_ms) => timeout_ms,
4588        None => match headers.get("x-mongreldb-timeout-ms") {
4589            Some(value) => value
4590                .to_str()
4591                .ok()
4592                .and_then(|value| value.parse::<u64>().ok())
4593                .ok_or_else(|| {
4594                    Box::new(bad_query_control_request(
4595                        "X-MongrelDB-Timeout-Ms must be a positive integer",
4596                        Some(query_id),
4597                    ))
4598                })?,
4599            None => state.reloadable.sql_default_timeout.as_millis(),
4600        },
4601    };
4602    if timeout_ms == 0 {
4603        return Err(Box::new(bad_query_control_request(
4604            "timeout_ms must be positive",
4605            Some(query_id),
4606        )));
4607    }
4608    let timeout = std::time::Duration::from_millis(timeout_ms);
4609    if timeout > state.reloadable.sql_max_timeout.get() {
4610        return Err(Box::new(bad_query_control_request(
4611            format!(
4612                "timeout_ms exceeds server maximum of {}",
4613                state.reloadable.sql_max_timeout.as_millis()
4614            ),
4615            Some(query_id),
4616        )));
4617    }
4618    Ok((
4619        SqlQueryOptions {
4620            query_id: Some(query_id),
4621            timeout: Some(timeout),
4622            owner: Some(owner),
4623            session_id,
4624            parent_control: None,
4625        },
4626        query_id,
4627    ))
4628}
4629
4630fn resolve_sql_output_limits(
4631    state: &AppState,
4632    request: &SqlRequest,
4633    query_id: QueryId,
4634) -> std::result::Result<(usize, usize), Box<Response>> {
4635    fn resolve(
4636        requested: Option<u64>,
4637        configured: usize,
4638        name: &str,
4639        query_id: QueryId,
4640    ) -> std::result::Result<usize, Box<Response>> {
4641        if requested == Some(0) {
4642            return Err(Box::new(bad_query_control_request(
4643                format!("{name} must be positive"),
4644                Some(query_id),
4645            )));
4646        }
4647        let requested = requested
4648            .and_then(|value| usize::try_from(value).ok())
4649            .unwrap_or(usize::MAX);
4650        Ok(requested.min(configured))
4651    }
4652
4653    Ok((
4654        resolve(
4655            request.max_output_rows,
4656            state.reloadable.sql_max_output_rows.get(),
4657            "max_output_rows",
4658            query_id,
4659        )?,
4660        resolve(
4661            request.max_output_bytes,
4662            state.reloadable.sql_max_output_bytes.get(),
4663            "max_output_bytes",
4664            query_id,
4665        )?,
4666    ))
4667}
4668
4669fn resolve_sql_pagination(
4670    headers: &axum::http::HeaderMap,
4671    request: &SqlRequest,
4672    output_limits: (usize, usize),
4673    registration: RegisteredQueryGuard,
4674    query_id: QueryId,
4675) -> Result<(RegisteredQueryGuard, Option<ResolvedSqlPagination>), Box<Response>> {
4676    let Some(pagination) = request.pagination.as_ref() else {
4677        return Ok((registration, None));
4678    };
4679    if requested_sql_idempotency_key(headers, request)
4680        .ok()
4681        .flatten()
4682        .is_some()
4683    {
4684        return Err(Box::new(registered_sql_error_response(
4685            registration,
4686            query_id,
4687            StatusCode::BAD_REQUEST,
4688            "INCOMPATIBLE_SQL_CONTROLS",
4689            "idempotency_key cannot be combined with SQL pagination",
4690            false,
4691        )));
4692    }
4693    if request
4694        .format
4695        .as_deref()
4696        .is_some_and(|format| format != "json")
4697    {
4698        return Err(Box::new(registered_sql_error_response(
4699            registration,
4700            query_id,
4701            StatusCode::BAD_REQUEST,
4702            "PAGINATION_REQUIRES_JSON",
4703            "SQL pagination supports JSON responses only",
4704            false,
4705        )));
4706    }
4707    registration.query().set_sql_metadata(&request.sql);
4708    if !mongreldb_query::is_single_read_only_query(&request.sql) {
4709        return Err(Box::new(registered_sql_error_response(
4710            registration,
4711            query_id,
4712            StatusCode::BAD_REQUEST,
4713            "PAGINATION_REQUIRES_SINGLE_READ_QUERY",
4714            "SQL pagination accepts exactly one read-only query statement",
4715            false,
4716        )));
4717    }
4718    let page_size = match usize::try_from(pagination.page_size_rows) {
4719        Ok(0) | Err(_) => {
4720            return Err(Box::new(registered_sql_error_response(
4721                registration,
4722                query_id,
4723                StatusCode::BAD_REQUEST,
4724                "INVALID_PAGINATION_OPTIONS",
4725                "pagination.page_size_rows must be positive",
4726                false,
4727            )))
4728        }
4729        Ok(value) => value.min(output_limits.0),
4730    };
4731    if pagination.projection.is_empty() || pagination.projection.len() > 128 {
4732        return Err(Box::new(registered_sql_error_response(
4733            registration,
4734            query_id,
4735            StatusCode::BAD_REQUEST,
4736            "INVALID_SQL_PROJECTION",
4737            "pagination.projection must contain between 1 and 128 output column names",
4738            false,
4739        )));
4740    }
4741    let mut seen = std::collections::HashSet::new();
4742    let metadata_bytes = pagination
4743        .projection
4744        .iter()
4745        .map(String::len)
4746        .fold(0usize, usize::saturating_add);
4747    if metadata_bytes > 16 * 1024
4748        || pagination.projection.iter().any(|column| {
4749            column.is_empty()
4750                || column == "*"
4751                || column.len() > 256
4752                || !seen.insert(column.as_str())
4753        })
4754    {
4755        return Err(Box::new(registered_sql_error_response(
4756            registration,
4757            query_id,
4758            StatusCode::BAD_REQUEST,
4759            "INVALID_SQL_PROJECTION",
4760            "pagination.projection requires unique explicit output names of at most 256 bytes",
4761            false,
4762        )));
4763    }
4764    let max_page_bytes = match pagination.max_page_bytes {
4765        Some(0) => {
4766            return Err(Box::new(registered_sql_error_response(
4767                registration,
4768                query_id,
4769                StatusCode::BAD_REQUEST,
4770                "INVALID_PAGINATION_OPTIONS",
4771                "pagination.max_page_bytes must be positive",
4772                false,
4773            )))
4774        }
4775        Some(value) => usize::try_from(value)
4776            .unwrap_or(usize::MAX)
4777            .min(output_limits.1),
4778        None => output_limits.1.min(1024 * 1024),
4779    };
4780    let token_cap = (output_limits.1.saturating_add(3) / 4).max(1);
4781    let max_page_tokens = match pagination.max_page_tokens {
4782        Some(0) => {
4783            return Err(Box::new(registered_sql_error_response(
4784                registration,
4785                query_id,
4786                StatusCode::BAD_REQUEST,
4787                "INVALID_PAGINATION_OPTIONS",
4788                "pagination.max_page_tokens must be positive",
4789                false,
4790            )))
4791        }
4792        Some(value) => usize::try_from(value).unwrap_or(usize::MAX).min(token_cap),
4793        None => (max_page_bytes.saturating_add(3) / 4).max(1),
4794    };
4795    Ok((
4796        registration,
4797        Some(ResolvedSqlPagination {
4798            projection: pagination.projection.clone(),
4799            limits: sql_pages::SqlPageLimits {
4800                rows: page_size,
4801                bytes: max_page_bytes,
4802                tokens: max_page_tokens,
4803            },
4804        }),
4805    ))
4806}
4807
4808fn requested_sql_idempotency_key(
4809    headers: &axum::http::HeaderMap,
4810    request: &SqlRequest,
4811) -> Result<Option<String>, &'static str> {
4812    let header = match headers.get("idempotency-key") {
4813        Some(value) => Some(
4814            value
4815                .to_str()
4816                .map_err(|_| "Idempotency-Key must be valid UTF-8")?,
4817        ),
4818        None => None,
4819    };
4820    match (request.idempotency_key.as_deref(), header) {
4821        (Some(body), Some(header)) if body != header => {
4822            Err("body idempotency_key and Idempotency-Key header must match")
4823        }
4824        (Some(body), _) => Ok(Some(body.to_owned())),
4825        (None, Some(header)) => Ok(Some(header.to_owned())),
4826        (None, None) => Ok(None),
4827    }
4828}
4829
4830fn sql_idempotency_binding(
4831    request: &SqlRequest,
4832    output_limits: (usize, usize),
4833    session_id: Option<&str>,
4834    expires_after_ms: u64,
4835) -> Result<sql_idempotency::SqlIdempotencyBinding, serde_json::Error> {
4836    let request_semantics = serde_json::to_vec(&json!({
4837        "format": request.format.as_deref().unwrap_or("json"),
4838        "max_output_rows": output_limits.0,
4839        "max_output_bytes": output_limits.1,
4840        "pagination": request.pagination.as_ref(),
4841    }))?;
4842    let session_semantics = session_id.map_or_else(
4843        || b"ephemeral".to_vec(),
4844        |session_id| {
4845            let mut semantics = b"session\0".to_vec();
4846            semantics.extend_from_slice(session_id.as_bytes());
4847            semantics
4848        },
4849    );
4850    Ok(sql_idempotency::SqlIdempotencyBinding {
4851        sql_fingerprint: mongreldb_query::normalized_sql_fingerprint(&request.sql),
4852        // `/sql` currently has no separate bind-parameter array. SQL literals
4853        // are covered by the normalized SQL fingerprint above.
4854        parameter_hash: sql_idempotency::hash(b"[]"),
4855        request_semantics_hash: sql_idempotency::hash(&request_semantics),
4856        session_semantics_hash: sql_idempotency::hash(&session_semantics),
4857        expires_after_ms,
4858    })
4859}
4860
4861struct SqlIdempotencyContext<'a> {
4862    headers: &'a axum::http::HeaderMap,
4863    request: &'a SqlRequest,
4864    output_limits: (usize, usize),
4865    owner: &'a str,
4866    session_id: Option<&'a str>,
4867    session_in_transaction: bool,
4868    query_id: QueryId,
4869}
4870
4871async fn begin_sql_idempotency(
4872    state: &AppState,
4873    context: SqlIdempotencyContext<'_>,
4874    registration: RegisteredQueryGuard,
4875) -> Result<
4876    (
4877        RegisteredQueryGuard,
4878        Option<sql_idempotency::SqlIdempotencyExecution>,
4879    ),
4880    Response,
4881> {
4882    let SqlIdempotencyContext {
4883        headers,
4884        request,
4885        output_limits,
4886        owner,
4887        session_id,
4888        session_in_transaction,
4889        query_id,
4890    } = context;
4891    let key = match requested_sql_idempotency_key(headers, request) {
4892        Ok(key) => key,
4893        Err(message) => {
4894            return Err(registered_sql_error_response(
4895                registration,
4896                query_id,
4897                StatusCode::BAD_REQUEST,
4898                "INVALID_IDEMPOTENCY_KEY",
4899                message,
4900                false,
4901            ))
4902        }
4903    };
4904    let Some(key) = key else {
4905        return Ok((registration, None));
4906    };
4907    match mongreldb_query::classify_sql_idempotency(&request.sql) {
4908        mongreldb_query::SqlIdempotencyClass::ReadOnly
4909        | mongreldb_query::SqlIdempotencyClass::Unsupported => {
4910            return Err(registered_sql_error_response(
4911                registration,
4912                query_id,
4913                StatusCode::BAD_REQUEST,
4914                "IDEMPOTENCY_REQUIRES_SINGLE_WRITE",
4915                "idempotency_key accepts one non-transaction SQL write statement",
4916                false,
4917            ));
4918        }
4919        mongreldb_query::SqlIdempotencyClass::SingleWrite => {}
4920    }
4921    if let Err(message) = sql_idempotency::SqlIdempotencyStore::validate_key(&key) {
4922        return Err(registered_sql_error_response(
4923            registration,
4924            query_id,
4925            StatusCode::BAD_REQUEST,
4926            "INVALID_IDEMPOTENCY_KEY",
4927            message,
4928            false,
4929        ));
4930    }
4931    if request
4932        .format
4933        .as_deref()
4934        .is_some_and(|format| format != "json")
4935    {
4936        return Err(registered_sql_error_response(
4937            registration,
4938            query_id,
4939            StatusCode::BAD_REQUEST,
4940            "IDEMPOTENCY_REQUIRES_JSON",
4941            "SQL idempotency supports buffered JSON responses only",
4942            false,
4943        ));
4944    }
4945    if session_in_transaction {
4946        return Err(registered_sql_error_response(
4947            registration,
4948            query_id,
4949            StatusCode::CONFLICT,
4950            "IDEMPOTENCY_UNSUPPORTED_IN_TRANSACTION",
4951            "SQL idempotency cannot be used inside an open session transaction",
4952            false,
4953        ));
4954    }
4955    registration.query().set_sql_metadata(&request.sql);
4956    let binding = match sql_idempotency_binding(
4957        request,
4958        output_limits,
4959        session_id,
4960        state.sql_idempotency.expires_after_ms(),
4961    ) {
4962        Ok(binding) => binding,
4963        Err(_) => {
4964            return Err(registered_sql_error_response(
4965                registration,
4966                query_id,
4967                StatusCode::INTERNAL_SERVER_ERROR,
4968                "SERIALIZATION_FAILED",
4969                "failed to serialize SQL idempotency request semantics",
4970                false,
4971            ))
4972        }
4973    };
4974    let begin = tokio::select! {
4975        begin = state.sql_idempotency.begin(owner, &key, binding) => begin,
4976        _ = registration.query().control().cancelled() => {
4977            return Err(tracked_query_error_response(
4978                state,
4979                &cancellation_checkpoint_error(registration.query()),
4980                Some(query_id),
4981            ));
4982        }
4983    };
4984    match begin {
4985        sql_idempotency::BeginResult::Execute(execution) => Ok((registration, Some(execution))),
4986        sql_idempotency::BeginResult::Replay {
4987            receipt,
4988            expires_at_ms,
4989        } => match restore_idempotency_replay(registration, &receipt) {
4990            Ok(()) => Err(sql_idempotency_receipt_response(
4991                query_id,
4992                &receipt,
4993                true,
4994                expires_at_ms,
4995                true,
4996            )),
4997            Err(error) => Err(tracked_query_error_response(state, &error, Some(query_id))),
4998        },
4999        sql_idempotency::BeginResult::Mismatch => Err(registered_sql_error_response(
5000            registration,
5001            query_id,
5002            StatusCode::CONFLICT,
5003            "IDEMPOTENCY_KEY_REUSE_MISMATCH",
5004            "idempotency key was already used with different SQL or request semantics",
5005            false,
5006        )),
5007        sql_idempotency::BeginResult::Indeterminate { created_at_ms } => Err(
5008            sql_idempotency_indeterminate_response(registration, query_id, created_at_ms),
5009        ),
5010        sql_idempotency::BeginResult::Full => Err(registered_sql_error_response(
5011            registration,
5012            query_id,
5013            StatusCode::SERVICE_UNAVAILABLE,
5014            "IDEMPOTENCY_STORE_FULL",
5015            "SQL idempotency receipt store is full",
5016            true,
5017        )),
5018        sql_idempotency::BeginResult::Unavailable => Err(registered_sql_error_response(
5019            registration,
5020            query_id,
5021            StatusCode::SERVICE_UNAVAILABLE,
5022            "IDEMPOTENCY_STORE_UNAVAILABLE",
5023            "could not durably reserve the SQL idempotency key",
5024            true,
5025        )),
5026    }
5027}
5028
5029fn restore_idempotency_replay(
5030    registration: RegisteredQueryGuard,
5031    receipt: &sql_idempotency::SqlDurableReceipt,
5032) -> mongreldb_query::Result<()> {
5033    use mongreldb_query::{
5034        DurableOutcome, QueryTerminalError, QueryTerminalErrorCategory, QueryTerminalState,
5035        SerializationOutcome,
5036    };
5037
5038    let invalid_receipt = |field: &str| {
5039        mongreldb_query::MongrelQueryError::InvalidQueryState(format!(
5040            "durable SQL idempotency receipt has invalid {field}"
5041        ))
5042    };
5043    let terminal_state = match receipt.status.as_str() {
5044        "completed" => QueryTerminalState::Completed,
5045        "failed_before_commit" => QueryTerminalState::FailedBeforeCommit,
5046        "cancelled_before_commit" => QueryTerminalState::CancelledBeforeCommit,
5047        "deadline_before_commit" => QueryTerminalState::DeadlineBeforeCommit,
5048        "committed" => QueryTerminalState::Committed,
5049        "committed_with_error" => QueryTerminalState::CommittedWithError,
5050        "partially_committed" => QueryTerminalState::PartiallyCommitted,
5051        "cancelled_after_commit" => QueryTerminalState::CancelledAfterCommit,
5052        "deadline_after_commit" => QueryTerminalState::DeadlineAfterCommit,
5053        _ => return Err(invalid_receipt("terminal state")),
5054    };
5055    let serialization = match receipt.outcome.serialization.as_str() {
5056        "not_started" => SerializationOutcome::NotStarted,
5057        "in_progress" => SerializationOutcome::InProgress,
5058        "succeeded" => SerializationOutcome::Succeeded,
5059        "failed" => SerializationOutcome::Failed,
5060        _ => return Err(invalid_receipt("serialization state")),
5061    };
5062    let terminal_error = match receipt.terminal_error.as_ref() {
5063        Some(error) => Some(QueryTerminalError {
5064            code: error.code.clone(),
5065            category: match error.category.as_str() {
5066                "cancellation" => QueryTerminalErrorCategory::Cancellation,
5067                "deadline" => QueryTerminalErrorCategory::Deadline,
5068                "result_limit" => QueryTerminalErrorCategory::ResultLimit,
5069                "serialization" => QueryTerminalErrorCategory::Serialization,
5070                "execution" => QueryTerminalErrorCategory::Execution,
5071                _ => return Err(invalid_receipt("terminal error category")),
5072            },
5073        }),
5074        None => None,
5075    };
5076    let cancellation_reason = CancellationReason::from_protocol_str(&receipt.cancellation_reason)
5077        .ok_or_else(|| invalid_receipt("cancellation reason"))?;
5078    let phase = match receipt.server_state.as_str() {
5079        "completed" => SqlQueryPhase::Completed,
5080        "cancelled" => SqlQueryPhase::Cancelled,
5081        "failed" => SqlQueryPhase::Failed,
5082        _ => return Err(invalid_receipt("server state")),
5083    };
5084    let query = registration.into_query();
5085    query.restore_replayed_outcome(
5086        DurableOutcome {
5087            committed: receipt.outcome.committed,
5088            committed_statements: receipt.outcome.committed_statements,
5089            last_commit_epoch: receipt.outcome.last_commit_epoch,
5090            first_commit_statement_index: receipt.outcome.first_commit_statement_index,
5091            last_commit_statement_index: receipt.outcome.last_commit_statement_index,
5092            // The replayed outcome carries the same literal commit lineage as
5093            // the original write: the core ledger receipt rides the durable
5094            // HTTP receipt (S1B-005).
5095            commit_ts: receipt
5096                .commit_receipt
5097                .as_ref()
5098                .map(sql_idempotency::SqlCommitReceipt::commit_ts),
5099        },
5100        receipt.outcome.completed_statements,
5101        receipt.outcome.statement_index,
5102        serialization,
5103        terminal_error,
5104        terminal_state,
5105        cancellation_reason,
5106        phase,
5107    );
5108    query.try_complete()
5109}
5110
5111fn sql_idempotency_indeterminate_response(
5112    registration: RegisteredQueryGuard,
5113    query_id: QueryId,
5114    created_at_ms: Option<u64>,
5115) -> Response {
5116    registration.query().mark_outcome_unknown();
5117    registration.fail();
5118    with_query_id(
5119        (
5120            StatusCode::CONFLICT,
5121            Json(json!({
5122                "query_id": query_id.to_string(),
5123                "status": "outcome_unknown",
5124                "terminal_state": "outcome_unknown",
5125                "committed": null,
5126                "committed_statements": null,
5127                "last_commit_epoch": null,
5128                "last_commit_epoch_text": null,
5129                "first_commit_statement_index": null,
5130                "last_commit_statement_index": null,
5131                "completed_statements": null,
5132                "statement_index": null,
5133                "cancel_outcome": null,
5134                "cancellation_reason": null,
5135                "retryable": false,
5136                "server_state": "failed",
5137                "idempotency_replayed": true,
5138                "idempotency_intent_created_at_ms": created_at_ms,
5139                "outcome": {
5140                    "committed": null,
5141                    "committed_statements": null,
5142                    "last_commit_epoch": null,
5143                    "last_commit_epoch_text": null,
5144                    "first_commit_statement_index": null,
5145                    "last_commit_statement_index": null,
5146                    "completed_statements": null,
5147                    "statement_index": null,
5148                    "serialization": "unknown",
5149                },
5150                "error": {
5151                    "code": "QUERY_OUTCOME_UNKNOWN",
5152                    "message": "a durable write intent exists without a durable receipt; the SQL was not re-executed",
5153                    "query_id": query_id.to_string(),
5154                    "committed": null,
5155                    "retryable": false,
5156                }
5157            })),
5158        )
5159            .into_response(),
5160        query_id,
5161    )
5162}
5163
5164fn registered_sql_error_response(
5165    registration: RegisteredQueryGuard,
5166    query_id: QueryId,
5167    status: StatusCode,
5168    code: &'static str,
5169    message: impl Into<String>,
5170    retryable: bool,
5171) -> Response {
5172    let message = message.into();
5173    registration
5174        .query()
5175        .record_terminal_error(code, mongreldb_query::QueryTerminalErrorCategory::Execution);
5176    registration.fail();
5177    with_query_id(
5178        (
5179            status,
5180            Json(json!({
5181                "query_id": query_id.to_string(),
5182                "status": "failed_before_commit",
5183                "terminal_state": "failed_before_commit",
5184                "committed": false,
5185                "committed_statements": 0,
5186                "last_commit_epoch": null,
5187                "last_commit_epoch_text": null,
5188                "first_commit_statement_index": null,
5189                "last_commit_statement_index": null,
5190                "completed_statements": 0,
5191                "statement_index": 0,
5192                "cancel_outcome": null,
5193                "cancellation_reason": null,
5194                "retryable": retryable,
5195                "server_state": "failed",
5196                "outcome": {
5197                    "committed": false,
5198                    "committed_statements": 0,
5199                    "last_commit_epoch": null,
5200                    "last_commit_epoch_text": null,
5201                    "first_commit_statement_index": null,
5202                    "last_commit_statement_index": null,
5203                    "completed_statements": 0,
5204                    "statement_index": 0,
5205                    "serialization": "not_started",
5206                },
5207                "error": {
5208                    "code": code,
5209                    "message": message,
5210                    "query_id": query_id.to_string(),
5211                    "committed": false,
5212                    "retryable": retryable,
5213                }
5214            })),
5215        )
5216            .into_response(),
5217        query_id,
5218    )
5219}
5220
5221fn register_controlled_query(
5222    state: &AppState,
5223    session: &MongrelSession,
5224    options: SqlQueryOptions,
5225) -> std::result::Result<RegisteredSqlQuery, mongreldb_query::MongrelQueryError> {
5226    let query_id = options.query_id.ok_or_else(|| {
5227        mongreldb_query::MongrelQueryError::InvalidQueryState(
5228            "server query registration requires a query id".into(),
5229        )
5230    })?;
5231    let owner = options.owner.clone().unwrap_or_default();
5232    let session_id = options.session_id.clone();
5233    let _lifecycle = state
5234        .query_lifecycle
5235        .lock()
5236        .unwrap_or_else(|error| error.into_inner());
5237    let pre_cancel_reason = match state.pre_cancellations.lookup_for_registration(
5238        query_id,
5239        &owner,
5240        session_id.as_deref(),
5241    ) {
5242        pre_cancel::RegistrationLookup::NoReservation => None,
5243        pre_cancel::RegistrationLookup::Matching(reason) => Some(reason),
5244        pre_cancel::RegistrationLookup::ReservedByAnotherIdentity => {
5245            return Err(mongreldb_query::MongrelQueryError::QueryIdConflict { query_id });
5246        }
5247    };
5248    let query = session.register_query(options)?;
5249    let Some(reason) = pre_cancel_reason else {
5250        return Ok(query);
5251    };
5252    state
5253        .pre_cancellations
5254        .take(query_id, &owner, session_id.as_deref());
5255    query.request_cancel(reason);
5256    let error = query.checkpoint().err().unwrap_or_else(|| {
5257        mongreldb_query::MongrelQueryError::InvalidQueryState(format!(
5258            "pre-cancelled query {query_id} remained runnable"
5259        ))
5260    });
5261    query.fail();
5262    Err(error)
5263}
5264
5265async fn acquire_sql_permit(
5266    state: &AppState,
5267    session: &MongrelSession,
5268    query: &RegisteredSqlQuery,
5269) -> std::result::Result<tokio::sync::OwnedSemaphorePermit, mongreldb_query::MongrelQueryError> {
5270    session.fire_test_hook(mongreldb_query::SqlTestHookPoint::WaitingForSqlPermit);
5271    tokio::select! {
5272        permit = Arc::clone(&state.sql_semaphore).acquire_owned() => permit.map_err(|_| {
5273            mongreldb_query::MongrelQueryError::InvalidQueryState(
5274                "SQL admission semaphore closed".into(),
5275            )
5276        }),
5277        _ = query.control().cancelled() => Err(cancellation_checkpoint_error(query)),
5278    }
5279}
5280
5281fn caller_may_manage_query(
5282    state: &AppState,
5283    principal: &Option<mongreldb_core::Principal>,
5284    owner: Option<&str>,
5285) -> bool {
5286    let current = current_request_principal(state, principal);
5287    if (principal.is_some()
5288        || state.auth_token.is_some()
5289        || state.user_auth
5290        || state.db.require_auth_enabled())
5291        && current.is_none()
5292    {
5293        return false;
5294    }
5295    current.is_some_and(|principal| principal.is_admin)
5296        || owner == Some(request_owner(state, principal).as_str())
5297}
5298
5299fn query_phase_name(phase: SqlQueryPhase) -> &'static str {
5300    match phase {
5301        SqlQueryPhase::Queued => "queued",
5302        SqlQueryPhase::Planning => "planning",
5303        SqlQueryPhase::Executing => "executing",
5304        SqlQueryPhase::Streaming => "streaming",
5305        SqlQueryPhase::Serializing => "serializing",
5306        SqlQueryPhase::CommitCritical => "commit_critical",
5307        SqlQueryPhase::Cancelling => "cancelling",
5308        SqlQueryPhase::Completed => "completed",
5309        SqlQueryPhase::Failed => "failed",
5310        SqlQueryPhase::Cancelled => "cancelled",
5311    }
5312}
5313
5314fn commit_fence_outcome_name(outcome: mongreldb_query::CommitFenceOutcome) -> &'static str {
5315    match outcome {
5316        mongreldb_query::CommitFenceOutcome::NotReached => "not_reached",
5317        mongreldb_query::CommitFenceOutcome::CancelWon => "cancel_won",
5318        mongreldb_query::CommitFenceOutcome::CommitWon => "commit_won",
5319    }
5320}
5321
5322fn terminal_state_name(state: mongreldb_query::QueryTerminalState) -> &'static str {
5323    use mongreldb_query::QueryTerminalState;
5324    match state {
5325        QueryTerminalState::OutcomeUnknown => "outcome_unknown",
5326        QueryTerminalState::Completed => "completed",
5327        QueryTerminalState::FailedBeforeCommit => "failed_before_commit",
5328        QueryTerminalState::CancelledBeforeCommit => "cancelled_before_commit",
5329        QueryTerminalState::DeadlineBeforeCommit => "deadline_before_commit",
5330        QueryTerminalState::Committed => "committed",
5331        QueryTerminalState::CommittedWithError => "committed_with_error",
5332        QueryTerminalState::PartiallyCommitted => "partially_committed",
5333        QueryTerminalState::CancelledAfterCommit => "cancelled_after_commit",
5334        QueryTerminalState::DeadlineAfterCommit => "deadline_after_commit",
5335    }
5336}
5337
5338fn serialization_outcome_name(outcome: mongreldb_query::SerializationOutcome) -> &'static str {
5339    use mongreldb_query::SerializationOutcome;
5340    match outcome {
5341        SerializationOutcome::NotStarted => "not_started",
5342        SerializationOutcome::InProgress => "in_progress",
5343        SerializationOutcome::Succeeded => "succeeded",
5344        SerializationOutcome::Failed => "failed",
5345    }
5346}
5347
5348fn terminal_error_category_name(
5349    category: mongreldb_query::QueryTerminalErrorCategory,
5350) -> &'static str {
5351    use mongreldb_query::QueryTerminalErrorCategory;
5352    match category {
5353        QueryTerminalErrorCategory::Cancellation => "cancellation",
5354        QueryTerminalErrorCategory::Deadline => "deadline",
5355        QueryTerminalErrorCategory::ResultLimit => "result_limit",
5356        QueryTerminalErrorCategory::Serialization => "serialization",
5357        QueryTerminalErrorCategory::Execution => "execution",
5358    }
5359}
5360
5361fn terminal_error_retryable(error: Option<&mongreldb_query::QueryTerminalError>) -> bool {
5362    error.is_some_and(|error| {
5363        matches!(
5364            error.code.as_str(),
5365            "IDEMPOTENCY_STORE_FULL" | "IDEMPOTENCY_STORE_UNAVAILABLE"
5366        )
5367    })
5368}
5369
5370fn epoch_text(epoch: Option<u64>) -> Option<String> {
5371    epoch.map(|epoch| epoch.to_string())
5372}
5373
5374fn cancellation_reason_name(reason: CancellationReason) -> &'static str {
5375    reason.as_str()
5376}
5377
5378fn query_cancel_outcome(status: &mongreldb_query::QueryStatus) -> Option<&'static str> {
5379    match status.phase {
5380        SqlQueryPhase::CommitCritical => Some("too_late"),
5381        SqlQueryPhase::Completed | SqlQueryPhase::Failed | SqlQueryPhase::Cancelled => {
5382            Some("already_finished")
5383        }
5384        SqlQueryPhase::Cancelling => Some("accepted"),
5385        _ => None,
5386    }
5387}
5388
5389fn query_outcome_json(status: Option<&mongreldb_query::QueryStatus>) -> serde_json::Value {
5390    let Some(status) = status else {
5391        return json!({
5392            "committed": false,
5393            "committed_statements": 0,
5394            "last_commit_epoch": null,
5395            "last_commit_epoch_text": null,
5396            "first_commit_statement_index": null,
5397            "last_commit_statement_index": null,
5398            "completed_statements": 0,
5399            "statement_index": 0,
5400            "serialization": "not_started",
5401        });
5402    };
5403    if status.outcome_unknown {
5404        return json!({
5405            "committed": null,
5406            "committed_statements": null,
5407            "last_commit_epoch": null,
5408            "last_commit_epoch_text": null,
5409            "first_commit_statement_index": null,
5410            "last_commit_statement_index": null,
5411            "completed_statements": null,
5412            "statement_index": null,
5413            "serialization": "unknown",
5414        });
5415    }
5416    json!({
5417        "committed": status.durable_outcome.committed,
5418        "committed_statements": (!status.outcome_unknown).then_some(status.durable_outcome.committed_statements),
5419        "last_commit_epoch": (!status.outcome_unknown).then_some(status.durable_outcome.last_commit_epoch).flatten(),
5420        "last_commit_epoch_text": (!status.outcome_unknown).then_some(epoch_text(status.durable_outcome.last_commit_epoch)).flatten(),
5421        "first_commit_statement_index": (!status.outcome_unknown).then_some(status.durable_outcome.first_commit_statement_index).flatten(),
5422        "last_commit_statement_index": (!status.outcome_unknown).then_some(status.durable_outcome.last_commit_statement_index).flatten(),
5423        "completed_statements": (!status.outcome_unknown).then_some(status.completed_statements),
5424        "statement_index": (!status.outcome_unknown).then_some(status.statement_index),
5425        "serialization": serialization_outcome_name(status.serialization_outcome),
5426    })
5427}
5428
5429fn sql_terminal_idempotency_receipt(
5430    status: &mongreldb_query::QueryStatus,
5431) -> Option<sql_idempotency::SqlDurableReceipt> {
5432    if status.outcome_unknown {
5433        return None;
5434    }
5435    let terminal_state = status.terminal_state()?;
5436    if !status.durable_outcome.committed
5437        && terminal_state != mongreldb_query::QueryTerminalState::Completed
5438    {
5439        return None;
5440    }
5441    Some(sql_idempotency::SqlDurableReceipt {
5442        original_query_id: status.query_id.to_string(),
5443        status: status
5444            .terminal_state()
5445            .map(terminal_state_name)
5446            .unwrap_or("committed")
5447            .to_owned(),
5448        server_state: query_phase_name(status.phase).to_owned(),
5449        cancellation_reason: cancellation_reason_name(status.cancellation_reason).to_owned(),
5450        outcome: sql_idempotency::SqlReceiptOutcome {
5451            committed: status.durable_outcome.committed,
5452            committed_statements: status.durable_outcome.committed_statements,
5453            last_commit_epoch: status.durable_outcome.last_commit_epoch,
5454            last_commit_epoch_text: epoch_text(status.durable_outcome.last_commit_epoch),
5455            first_commit_statement_index: status.durable_outcome.first_commit_statement_index,
5456            last_commit_statement_index: status.durable_outcome.last_commit_statement_index,
5457            completed_statements: status.completed_statements,
5458            statement_index: status.statement_index,
5459            serialization: serialization_outcome_name(status.serialization_outcome).to_owned(),
5460        },
5461        terminal_error: status.terminal_error.as_ref().map(|error| {
5462            sql_idempotency::SqlReceiptTerminalError {
5463                code: error.code.clone(),
5464                category: terminal_error_category_name(error.category).to_owned(),
5465            }
5466        }),
5467        commit_receipt: None,
5468    })
5469}
5470
5471fn sql_idempotency_receipt_response(
5472    query_id: QueryId,
5473    receipt: &sql_idempotency::SqlDurableReceipt,
5474    replayed: bool,
5475    expires_at_ms: u64,
5476    persisted: bool,
5477) -> Response {
5478    let mut body = json!({
5479        "query_id": query_id.to_string(),
5480        "original_query_id": receipt.original_query_id,
5481        "status": receipt.status,
5482        "terminal_state": receipt.status,
5483        "server_state": receipt.server_state,
5484        "cancel_outcome": "already_finished",
5485        "cancellation_reason": receipt.cancellation_reason,
5486        "committed": receipt.outcome.committed,
5487        "committed_statements": receipt.outcome.committed_statements,
5488        "last_commit_epoch": receipt.outcome.last_commit_epoch,
5489        "last_commit_epoch_text": receipt.outcome.last_commit_epoch_text.as_deref(),
5490        "first_commit_statement_index": receipt.outcome.first_commit_statement_index,
5491        "last_commit_statement_index": receipt.outcome.last_commit_statement_index,
5492        "completed_statements": receipt.outcome.completed_statements,
5493        "statement_index": receipt.outcome.statement_index,
5494        "retryable": false,
5495        "idempotency_replayed": replayed,
5496        "idempotency_persisted": persisted,
5497        "idempotency_expires_at_ms": expires_at_ms,
5498        "outcome": receipt.outcome,
5499        "terminal_error": receipt.terminal_error,
5500    });
5501    // S1B-005 additive: the core commit log's receipt for the committed
5502    // write, when the durable `TXN_IDEMPOTENCY` ledger recorded one. Absent
5503    // (not null) for receipts predating the unification and for no-op writes
5504    // that never committed.
5505    if let Some(commit_receipt) = &receipt.commit_receipt {
5506        body["commit_receipt"] = json!(commit_receipt);
5507    }
5508    let mut response = Json(body).into_response();
5509    response.headers_mut().insert(
5510        "idempotency-replayed",
5511        axum::http::HeaderValue::from_static(if replayed { "true" } else { "false" }),
5512    );
5513    response.headers_mut().insert(
5514        "idempotency-persisted",
5515        axum::http::HeaderValue::from_static(if persisted { "true" } else { "false" }),
5516    );
5517    if let Ok(value) = axum::http::HeaderValue::from_str(&receipt.original_query_id) {
5518        response
5519            .headers_mut()
5520            .insert("x-mongreldb-original-query-id", value);
5521    }
5522    with_query_id(response, query_id)
5523}
5524
5525fn terminal_server_error_response(
5526    state: &AppState,
5527    query_id: QueryId,
5528    http_status: StatusCode,
5529    base_code: &'static str,
5530    message: impl Into<String>,
5531) -> Response {
5532    let status = state.query_registry.status(query_id);
5533    let committed = status
5534        .as_ref()
5535        .is_some_and(|status| status.durable_outcome.committed);
5536    let code = if committed && base_code.starts_with("SERIALIZATION_") {
5537        "SERIALIZATION_FAILED_AFTER_COMMIT"
5538    } else {
5539        base_code
5540    };
5541    // Stable taxonomy category for this terminal code (spec 9.7); mappings
5542    // follow the `MongrelError::category()` precedents.
5543    let category = {
5544        use mongreldb_types::errors::ErrorCategory;
5545        match code {
5546            "RESULT_LIMIT_EXCEEDED" | "SQL_PAGE_STORE_FULL" | "ENTROPY_UNAVAILABLE" => {
5547                ErrorCategory::ResourceExhausted
5548            }
5549            // Client/supplied-shape disagreements and codec failures are
5550            // contract disagreements (the core `InvalidArgument` /
5551            // `Serialization` precedents).
5552            "INVALID_SQL_PROJECTION" | "INVALID_PAGE_OFFSET" => {
5553                ErrorCategory::ClusterVersionMismatch
5554            }
5555            _ if code.starts_with("SERIALIZATION_") => ErrorCategory::ClusterVersionMismatch,
5556            _ => ErrorCategory::ReplicaUnavailable,
5557        }
5558    };
5559    let response_status = status
5560        .as_ref()
5561        .and_then(mongreldb_query::QueryStatus::terminal_state)
5562        .map(terminal_state_name)
5563        .unwrap_or(if committed {
5564            "committed_with_error"
5565        } else {
5566            "failed_before_commit"
5567        });
5568    let outcome = query_outcome_json(status.as_ref());
5569    with_query_id(
5570        (
5571            http_status,
5572            Json(json!({
5573                "query_id": query_id.to_string(),
5574                "status": response_status,
5575                "terminal_state": response_status,
5576                "committed": committed,
5577                "committed_statements": status.as_ref().map_or(0, |status| status.durable_outcome.committed_statements),
5578                "last_commit_epoch": status.as_ref().and_then(|status| status.durable_outcome.last_commit_epoch),
5579                "last_commit_epoch_text": epoch_text(status.as_ref().and_then(|status| status.durable_outcome.last_commit_epoch)),
5580                "first_commit_statement_index": status.as_ref().and_then(|status| status.durable_outcome.first_commit_statement_index),
5581                "last_commit_statement_index": status.as_ref().and_then(|status| status.durable_outcome.last_commit_statement_index),
5582                "completed_statements": status.as_ref().map_or(0, |status| status.completed_statements),
5583                "statement_index": status.as_ref().map_or(0, |status| status.statement_index),
5584                "cancel_outcome": null,
5585                "cancellation_reason": status.as_ref().map(|status| cancellation_reason_name(status.cancellation_reason)),
5586                "retryable": false,
5587                "server_state": status.as_ref().map(|status| query_phase_name(status.phase)),
5588                "outcome": outcome,
5589                "error": {
5590                    "code": code,
5591                    "message": message.into(),
5592                    "category": category.to_string(),
5593                    "category_code": category.code(),
5594                    "query_id": query_id.to_string(),
5595                    "committed": committed,
5596                    "retryable": false,
5597                }
5598            })),
5599        )
5600            .into_response(),
5601        query_id,
5602    )
5603}
5604
5605fn query_not_found_response(query_id: Option<QueryId>) -> Response {
5606    let mut response = (
5607        StatusCode::NOT_FOUND,
5608        Json(json!({
5609            "query_id": query_id.map(|value| value.to_string()),
5610            "status": "unknown",
5611            "terminal_state": null,
5612            "committed": null,
5613            "committed_statements": null,
5614            "last_commit_epoch": null,
5615            "last_commit_epoch_text": null,
5616            "first_commit_statement_index": null,
5617            "last_commit_statement_index": null,
5618            "completed_statements": null,
5619            "statement_index": null,
5620            "cancel_outcome": "not_found",
5621            "cancellation_reason": null,
5622            "retryable": false,
5623            "server_state": "not_found",
5624            "outcome": {
5625                "committed": null,
5626                "committed_statements": null,
5627                "last_commit_epoch": null,
5628                "last_commit_epoch_text": null,
5629                "first_commit_statement_index": null,
5630                "last_commit_statement_index": null,
5631                "completed_statements": null,
5632                "statement_index": null,
5633                "serialization": "unknown",
5634            },
5635            "error": {
5636                "code": "QUERY_NOT_FOUND",
5637                "message": "query not found",
5638                "query_id": query_id.map(|value| value.to_string()),
5639                "committed": null,
5640                "retryable": false,
5641            }
5642        })),
5643    )
5644        .into_response();
5645    if let Some(query_id) = query_id {
5646        add_query_id_header(&mut response, query_id);
5647    }
5648    response
5649}
5650
5651fn query_session_header(
5652    headers: &axum::http::HeaderMap,
5653    query_id: Option<QueryId>,
5654) -> std::result::Result<Option<String>, Box<Response>> {
5655    match headers.get("x-session-id") {
5656        Some(value) => match value.to_str() {
5657            Ok(value) if value.len() <= 256 => Ok(Some(value.to_owned())),
5658            _ => Err(Box::new(bad_query_control_request(
5659                "X-Session-ID must be valid text no longer than 256 bytes",
5660                query_id,
5661            ))),
5662        },
5663        None => Ok(None),
5664    }
5665}
5666
5667fn pre_cancelled_query_response(
5668    query_id: QueryId,
5669    reason: CancellationReason,
5670    status: StatusCode,
5671) -> Response {
5672    with_query_id(
5673        (
5674            status,
5675            Json(json!({
5676                "query_id": query_id.to_string(),
5677                "status": "cancelled_before_start",
5678                "terminal_state": "cancelled_before_start",
5679                "state": "pre_cancelled",
5680                "server_state": "pre_cancelled",
5681                "cancel_outcome": "pre_cancelled",
5682                "committed": false,
5683                "committed_statements": 0,
5684                "last_commit_epoch": null,
5685                "last_commit_epoch_text": null,
5686                "first_commit_statement_index": null,
5687                "last_commit_statement_index": null,
5688                "completed_statements": 0,
5689                "statement_index": 0,
5690                "cancellation_reason": cancellation_reason_name(reason),
5691                "outcome": {
5692                    "committed": false,
5693                    "committed_statements": 0,
5694                    "last_commit_epoch": null,
5695                    "last_commit_epoch_text": null,
5696                    "first_commit_statement_index": null,
5697                    "last_commit_statement_index": null,
5698                    "completed_statements": 0,
5699                    "statement_index": 0,
5700                    "serialization": "not_started",
5701                },
5702                "terminal_error": {
5703                    "code": "QUERY_CANCELLED",
5704                    "category": "cancellation",
5705                },
5706                "retryable": false,
5707            })),
5708        )
5709            .into_response(),
5710        query_id,
5711    )
5712}
5713
5714fn compact_finished_query_response(status: &CompactFinishedQuery) -> Response {
5715    let query_id = status.query_id;
5716    let durable = &status.durable_outcome;
5717    let outcome_unknown =
5718        status.terminal_state == mongreldb_query::QueryTerminalState::OutcomeUnknown;
5719    let terminal_error = status.terminal_error.as_ref().map(|error| {
5720        json!({
5721            "code": error.code,
5722            "category": terminal_error_category_name(error.category),
5723        })
5724    });
5725    with_query_id(
5726        Json(json!({
5727            "detail": "compact",
5728            "query_id": query_id.to_string(),
5729            "status": terminal_state_name(status.terminal_state),
5730            "terminal_state": terminal_state_name(status.terminal_state),
5731            "state": query_phase_name(status.phase),
5732            "server_state": query_phase_name(status.phase),
5733            "cancel_outcome": "already_finished",
5734            "code": "QUERY_ALREADY_FINISHED",
5735            "committed": (!outcome_unknown).then_some(durable.committed),
5736            "committed_statements": (!outcome_unknown).then_some(durable.committed_statements),
5737            "last_commit_epoch": (!outcome_unknown).then_some(durable.last_commit_epoch).flatten(),
5738            "last_commit_epoch_text": (!outcome_unknown).then_some(epoch_text(durable.last_commit_epoch)).flatten(),
5739            "first_commit_statement_index": (!outcome_unknown).then_some(durable.first_commit_statement_index).flatten(),
5740            "last_commit_statement_index": (!outcome_unknown).then_some(durable.last_commit_statement_index).flatten(),
5741            "completed_statements": (!outcome_unknown).then_some(status.completed_statements),
5742            "statement_index": (!outcome_unknown).then_some(status.statement_index),
5743            "cancellation_reason": cancellation_reason_name(status.cancellation_reason),
5744            "outcome": {
5745                "committed": (!outcome_unknown).then_some(durable.committed),
5746                "committed_statements": (!outcome_unknown).then_some(durable.committed_statements),
5747                "last_commit_epoch": (!outcome_unknown).then_some(durable.last_commit_epoch).flatten(),
5748                "last_commit_epoch_text": (!outcome_unknown).then_some(epoch_text(durable.last_commit_epoch)).flatten(),
5749                "first_commit_statement_index": (!outcome_unknown).then_some(durable.first_commit_statement_index).flatten(),
5750                "last_commit_statement_index": (!outcome_unknown).then_some(durable.last_commit_statement_index).flatten(),
5751                "completed_statements": (!outcome_unknown).then_some(status.completed_statements),
5752                "statement_index": (!outcome_unknown).then_some(status.statement_index),
5753                "serialization": serialization_outcome_name(status.serialization_outcome),
5754            },
5755            "terminal_error": terminal_error,
5756            "retryable": terminal_error_retryable(status.terminal_error.as_ref()),
5757        }))
5758        .into_response(),
5759        query_id,
5760    )
5761}
5762
5763async fn query_status(
5764    State(state): State<Arc<AppState>>,
5765    OptionalPrincipal(principal): OptionalPrincipal,
5766    Path(query_id): Path<String>,
5767    headers: axum::http::HeaderMap,
5768) -> Response {
5769    let Ok(query_id) = query_id.parse::<QueryId>() else {
5770        return query_not_found_response(None);
5771    };
5772    if !request_identity_is_current(&state, &principal) {
5773        return query_not_found_response(Some(query_id));
5774    }
5775    let requested_session = match query_session_header(&headers, Some(query_id)) {
5776        Ok(session_id) => session_id,
5777        Err(response) => return *response,
5778    };
5779    let owner = request_owner(&state, &principal);
5780    let is_admin =
5781        current_request_principal(&state, &principal).is_some_and(|principal| principal.is_admin);
5782    let _lifecycle = state
5783        .query_lifecycle
5784        .lock()
5785        .unwrap_or_else(|error| error.into_inner());
5786    let Some(status) = state.query_registry.status(query_id) else {
5787        if let Some(finished) = state.query_registry.compact_finished_status(query_id) {
5788            if !caller_may_manage_query(&state, &principal, finished.owner.as_deref())
5789                || requested_session
5790                    .as_deref()
5791                    .is_some_and(|session| finished.session_id.as_deref() != Some(session))
5792            {
5793                return query_not_found_response(Some(query_id));
5794            }
5795            return compact_finished_query_response(&finished);
5796        }
5797        let reason = state
5798            .pre_cancellations
5799            .reason(query_id, &owner, requested_session.as_deref())
5800            .or_else(|| {
5801                is_admin.then(|| match requested_session.as_deref() {
5802                    Some(session_id) => state
5803                        .pre_cancellations
5804                        .reason_for_query_in_session(query_id, session_id),
5805                    None => state.pre_cancellations.reason_for_query(query_id),
5806                })?
5807            });
5808        if let Some(reason) = reason {
5809            return pre_cancelled_query_response(query_id, reason, StatusCode::OK);
5810        }
5811        return query_not_found_response(Some(query_id));
5812    };
5813    if !caller_may_manage_query(&state, &principal, status.owner.as_deref())
5814        || requested_session
5815            .as_deref()
5816            .is_some_and(|session| status.session_id.as_deref() != Some(session))
5817    {
5818        return query_not_found_response(Some(query_id));
5819    }
5820    let terminal_status = status.terminal_state().map(terminal_state_name);
5821    let terminal_error = status.terminal_error.as_ref().map(|error| {
5822        json!({
5823            "code": error.code,
5824            "category": terminal_error_category_name(error.category),
5825        })
5826    });
5827    let retryable = terminal_error_retryable(status.terminal_error.as_ref());
5828    let cancel_outcome = query_cancel_outcome(&status);
5829    let outcome = query_outcome_json(Some(&status));
5830    let response = Json(json!({
5831        "query_id": query_id.to_string(),
5832        "status": terminal_status.unwrap_or(if status.durable_outcome.committed {
5833            "committed"
5834        } else {
5835            "running"
5836        }),
5837        "terminal_state": terminal_status,
5838        "state": query_phase_name(status.phase),
5839        "server_state": query_phase_name(status.phase),
5840        "started_ms_ago": status.started_at.elapsed().as_millis(),
5841        "deadline_ms_remaining": status.deadline.map(|deadline| {
5842            deadline.saturating_duration_since(std::time::Instant::now()).as_millis()
5843        }),
5844        "session_id": status.session_id,
5845        "operation": status.operation,
5846        "committed": (!status.outcome_unknown).then_some(status.committed),
5847        "committed_statements": (!status.outcome_unknown).then_some(status.durable_outcome.committed_statements),
5848        "last_commit_epoch": (!status.outcome_unknown).then_some(status.durable_outcome.last_commit_epoch).flatten(),
5849        "last_commit_epoch_text": (!status.outcome_unknown).then_some(epoch_text(status.durable_outcome.last_commit_epoch)).flatten(),
5850        "first_commit_statement_index": (!status.outcome_unknown).then_some(status.durable_outcome.first_commit_statement_index).flatten(),
5851        "last_commit_statement_index": (!status.outcome_unknown).then_some(status.durable_outcome.last_commit_statement_index).flatten(),
5852        "cancellation_reason": cancellation_reason_name(status.cancellation_reason),
5853        "completed_statements": (!status.outcome_unknown).then_some(status.completed_statements),
5854        "statement_index": (!status.outcome_unknown).then_some(status.statement_index),
5855        "cancel_outcome": cancel_outcome,
5856        "retryable": retryable,
5857        "outcome": outcome,
5858        "terminal_error": terminal_error,
5859        "trace": {
5860            "queue_duration_us": status.queue_duration.as_micros(),
5861            "planning_duration_us": status.planning_duration.as_micros(),
5862            "execution_duration_us": status.execution_duration.as_micros(),
5863            "serialization_duration_us": status.serialization_duration.as_micros(),
5864            "cancel_requested_phase": status.cancel_requested_phase.map(query_phase_name),
5865            "cancel_observed_phase": status.cancel_observed_phase.map(query_phase_name),
5866            "commit_fence_outcome": commit_fence_outcome_name(status.commit_fence_outcome),
5867        },
5868    }))
5869    .into_response();
5870    with_query_id(response, query_id)
5871}
5872
5873async fn cancel_query(
5874    State(state): State<Arc<AppState>>,
5875    OptionalPrincipal(principal): OptionalPrincipal,
5876    Path(query_id): Path<String>,
5877    headers: axum::http::HeaderMap,
5878) -> Response {
5879    let Ok(query_id) = query_id.parse::<QueryId>() else {
5880        return query_not_found_response(None);
5881    };
5882    if !request_identity_is_current(&state, &principal) {
5883        return query_not_found_response(Some(query_id));
5884    }
5885    let requested_session = match query_session_header(&headers, Some(query_id)) {
5886        Ok(session_id) => session_id,
5887        Err(response) => return *response,
5888    };
5889    let owner = request_owner(&state, &principal);
5890    let _lifecycle = state
5891        .query_lifecycle
5892        .lock()
5893        .unwrap_or_else(|error| error.into_inner());
5894    state.metrics.inc_sql_cancel_requests();
5895    let Some(status) = state.query_registry.status(query_id) else {
5896        if let Some(finished) = state.query_registry.compact_finished_status(query_id) {
5897            if !caller_may_manage_query(&state, &principal, finished.owner.as_deref())
5898                || requested_session
5899                    .as_deref()
5900                    .is_some_and(|session| finished.session_id.as_deref() != Some(session))
5901            {
5902                return query_not_found_response(Some(query_id));
5903            }
5904            return compact_finished_query_response(&finished);
5905        }
5906        return match state.pre_cancellations.insert(
5907            query_id,
5908            &owner,
5909            requested_session.as_deref(),
5910            CancellationReason::ClientRequest,
5911        ) {
5912            Ok(()) => {
5913                state.metrics.inc_sql_commit_cancel_winner_cancel();
5914                pre_cancelled_query_response(
5915                    query_id,
5916                    CancellationReason::ClientRequest,
5917                    StatusCode::ACCEPTED,
5918                )
5919            }
5920            Err(pre_cancel::InsertError::MetadataTooLarge) => bad_query_control_request(
5921                "query owner or session metadata exceeds 256 bytes",
5922                Some(query_id),
5923            ),
5924            Err(
5925                pre_cancel::InsertError::Full
5926                | pre_cancel::InsertError::OwnerLimit
5927                | pre_cancel::InsertError::RateLimited,
5928            ) => with_query_id(
5929                (
5930                    StatusCode::TOO_MANY_REQUESTS,
5931                    Json(json!({
5932                        "query_id": query_id.to_string(),
5933                        "status": "failed_before_commit",
5934                        "terminal_state": "failed_before_commit",
5935                        "server_state": "failed",
5936                        "cancel_outcome": null,
5937                        "cancellation_reason": null,
5938                        "committed": false,
5939                        "committed_statements": 0,
5940                        "last_commit_epoch": null,
5941                        "last_commit_epoch_text": null,
5942                        "first_commit_statement_index": null,
5943                        "last_commit_statement_index": null,
5944                        "completed_statements": 0,
5945                        "statement_index": 0,
5946                        "retryable": true,
5947                        "outcome": {
5948                            "committed": false,
5949                            "committed_statements": 0,
5950                            "last_commit_epoch": null,
5951                            "last_commit_epoch_text": null,
5952                            "first_commit_statement_index": null,
5953                            "last_commit_statement_index": null,
5954                            "completed_statements": 0,
5955                            "statement_index": 0,
5956                            "serialization": "not_started",
5957                        },
5958                        "error": {
5959                            "code": "QUERY_REGISTRY_FULL",
5960                            "message": "pre-registration cancellation limit reached",
5961                            "query_id": query_id.to_string(),
5962                            "committed": false,
5963                            "retryable": true,
5964                        }
5965                    })),
5966                )
5967                    .into_response(),
5968                query_id,
5969            ),
5970        };
5971    };
5972    if !caller_may_manage_query(&state, &principal, status.owner.as_deref())
5973        || requested_session
5974            .as_deref()
5975            .is_some_and(|session| status.session_id.as_deref() != Some(session))
5976    {
5977        return query_not_found_response(Some(query_id));
5978    }
5979    let (http_status, mut body) = match state.query_registry.cancel(query_id) {
5980        CancelOutcome::Accepted => (
5981            {
5982                state.metrics.inc_sql_commit_cancel_winner_cancel();
5983                StatusCode::ACCEPTED
5984            },
5985            json!({
5986                "query_id": query_id.to_string(),
5987                "state": "cancellation_requested",
5988                "cancel_outcome": "accepted",
5989            }),
5990        ),
5991        CancelOutcome::AlreadyCancelling => (
5992            StatusCode::OK,
5993            json!({
5994                "query_id": query_id.to_string(),
5995                "state": "cancelling",
5996                "cancel_outcome": "already_cancelling",
5997            }),
5998        ),
5999        CancelOutcome::TooLate => (
6000            {
6001                state.metrics.inc_sql_commit_cancel_winner_commit();
6002                StatusCode::CONFLICT
6003            },
6004            json!({
6005                "query_id": query_id.to_string(),
6006                "state": "commit_critical",
6007                "cancel_outcome": "too_late",
6008                "committed": status.durable_outcome.committed,
6009                "outcome": query_outcome_json(Some(&status)),
6010                "retryable": false,
6011                "error": {
6012                    "code": "CANCEL_TOO_LATE",
6013                    "message": "the query has entered its durable commit phase",
6014                    "committed": status.durable_outcome.committed,
6015                    "retryable": false,
6016                }
6017            }),
6018        ),
6019        CancelOutcome::AlreadyFinished => (
6020            StatusCode::OK,
6021            json!({
6022                "query_id": query_id.to_string(),
6023                "state": "finished",
6024                "status": status.terminal_state().map(terminal_state_name),
6025                "cancel_outcome": "already_finished",
6026                "code": "QUERY_ALREADY_FINISHED",
6027                "committed": status.durable_outcome.committed,
6028                "outcome": query_outcome_json(Some(&status)),
6029                "retryable": false,
6030            }),
6031        ),
6032        CancelOutcome::NotFound => return query_not_found_response(Some(query_id)),
6033    };
6034    let status = state.query_registry.status(query_id).unwrap_or(status);
6035    let response_status = status.terminal_state().map(terminal_state_name).unwrap_or(
6036        if status.durable_outcome.committed {
6037            "committed"
6038        } else {
6039            "running"
6040        },
6041    );
6042    if let Some(body) = body.as_object_mut() {
6043        body.insert("status".into(), json!(response_status));
6044        body.insert(
6045            "terminal_state".into(),
6046            json!(status.terminal_state().map(terminal_state_name)),
6047        );
6048        body.insert(
6049            "committed".into(),
6050            json!((!status.outcome_unknown).then_some(status.durable_outcome.committed)),
6051        );
6052        body.insert(
6053            "committed_statements".into(),
6054            json!((!status.outcome_unknown).then_some(status.durable_outcome.committed_statements)),
6055        );
6056        body.insert(
6057            "last_commit_epoch".into(),
6058            json!((!status.outcome_unknown)
6059                .then_some(status.durable_outcome.last_commit_epoch)
6060                .flatten()),
6061        );
6062        body.insert(
6063            "last_commit_epoch_text".into(),
6064            json!((!status.outcome_unknown)
6065                .then_some(epoch_text(status.durable_outcome.last_commit_epoch))
6066                .flatten()),
6067        );
6068        body.insert(
6069            "first_commit_statement_index".into(),
6070            json!((!status.outcome_unknown)
6071                .then_some(status.durable_outcome.first_commit_statement_index)
6072                .flatten()),
6073        );
6074        body.insert(
6075            "last_commit_statement_index".into(),
6076            json!((!status.outcome_unknown)
6077                .then_some(status.durable_outcome.last_commit_statement_index)
6078                .flatten()),
6079        );
6080        body.insert(
6081            "completed_statements".into(),
6082            json!((!status.outcome_unknown).then_some(status.completed_statements)),
6083        );
6084        body.insert(
6085            "statement_index".into(),
6086            json!((!status.outcome_unknown).then_some(status.statement_index)),
6087        );
6088        body.insert(
6089            "cancellation_reason".into(),
6090            json!(cancellation_reason_name(status.cancellation_reason)),
6091        );
6092        body.insert("retryable".into(), json!(false));
6093        body.insert("server_state".into(), json!(query_phase_name(status.phase)));
6094        body.insert("outcome".into(), query_outcome_json(Some(&status)));
6095    }
6096    with_query_id((http_status, Json(body)).into_response(), query_id)
6097}
6098
6099#[derive(Deserialize)]
6100#[serde(deny_unknown_fields)]
6101struct SqlContinuationRequest {
6102    cursor: String,
6103    #[serde(default)]
6104    operation_id: Option<QueryId>,
6105    #[serde(default)]
6106    timeout_ms: Option<u64>,
6107}
6108
6109fn register_page_operation(
6110    state: &AppState,
6111    options: SqlQueryOptions,
6112) -> mongreldb_query::Result<RegisteredSqlQuery> {
6113    let query_id = options.query_id.ok_or_else(|| {
6114        mongreldb_query::MongrelQueryError::InvalidQueryState(
6115            "page operation registration requires an operation id".into(),
6116        )
6117    })?;
6118    let owner = options.owner.clone().unwrap_or_default();
6119    let session_id = options.session_id.clone();
6120    let _lifecycle = state
6121        .query_lifecycle
6122        .lock()
6123        .unwrap_or_else(|error| error.into_inner());
6124    let reason = match state.pre_cancellations.lookup_for_registration(
6125        query_id,
6126        &owner,
6127        session_id.as_deref(),
6128    ) {
6129        pre_cancel::RegistrationLookup::NoReservation => None,
6130        pre_cancel::RegistrationLookup::Matching(reason) => Some(reason),
6131        pre_cancel::RegistrationLookup::ReservedByAnotherIdentity => {
6132            return Err(mongreldb_query::MongrelQueryError::QueryIdConflict { query_id });
6133        }
6134    };
6135    let query = state.query_registry.register(options)?;
6136    if let Some(reason) = reason {
6137        state
6138            .pre_cancellations
6139            .take(query_id, &owner, session_id.as_deref());
6140        query.request_cancel(reason);
6141        let error = cancellation_checkpoint_error(&query);
6142        query.fail();
6143        return Err(error);
6144    }
6145    Ok(query)
6146}
6147
6148async fn continue_sql_page(
6149    State(state): State<Arc<AppState>>,
6150    OptionalPrincipal(principal): OptionalPrincipal,
6151    headers: axum::http::HeaderMap,
6152    Json(request): Json<SqlContinuationRequest>,
6153) -> Response {
6154    let query_id = match request.operation_id {
6155        Some(query_id) => query_id,
6156        None => match QueryId::random() {
6157            Ok(query_id) => query_id,
6158            Err(error) => return query_error_response(&error, None),
6159        },
6160    };
6161    if !request_identity_is_current(&state, &principal) {
6162        return with_query_id(
6163            sql_cursor_error_response(
6164                StatusCode::NOT_FOUND,
6165                "SQL_CURSOR_NOT_FOUND",
6166                "SQL continuation result is unavailable",
6167                query_id,
6168            ),
6169            query_id,
6170        );
6171    }
6172    let owner = request_owner(&state, &principal);
6173    let session_id = match query_session_header(&headers, Some(query_id)) {
6174        Ok(session_id) => session_id,
6175        Err(response) => return *response,
6176    };
6177    let timeout_ms = request.timeout_ms.unwrap_or_else(|| {
6178        state
6179            .sql_page_default_timeout
6180            .as_millis()
6181            .min(u128::from(u64::MAX)) as u64
6182    });
6183    if timeout_ms == 0 || Duration::from_millis(timeout_ms) > state.sql_page_max_timeout {
6184        return bad_query_control_request(
6185            format!(
6186                "timeout_ms must be positive and no greater than {}",
6187                state.sql_page_max_timeout.as_millis()
6188            ),
6189            Some(query_id),
6190        );
6191    }
6192    let query = match register_page_operation(
6193        &state,
6194        SqlQueryOptions {
6195            query_id: Some(query_id),
6196            timeout: Some(Duration::from_millis(timeout_ms)),
6197            owner: Some(owner.clone()),
6198            session_id,
6199            parent_control: None,
6200        },
6201    ) {
6202        Ok(query) => query,
6203        Err(error) => return tracked_query_error_response(&state, &error, Some(query_id)),
6204    };
6205    query.set_sql_metadata("CONTINUE SQL PAGE");
6206    let _permit = match tokio::select! {
6207        permit = Arc::clone(&state.sql_page_semaphore).acquire_owned() => permit.map_err(|_| {
6208            mongreldb_query::MongrelQueryError::InvalidQueryState(
6209                "SQL page admission semaphore closed".into(),
6210            )
6211        }),
6212        _ = query.control().cancelled() => Err(cancellation_checkpoint_error(&query)),
6213    } {
6214        Ok(permit) => permit,
6215        Err(error) => {
6216            query.fail();
6217            return tracked_query_error_response(&state, &error, Some(query_id));
6218        }
6219    };
6220    if let Err(error) = query.transition(SqlQueryPhase::Queued, SqlQueryPhase::Executing) {
6221        query.fail();
6222        return tracked_query_error_response(&state, &error, Some(query_id));
6223    }
6224    let fail = |status, code, message| {
6225        query.record_terminal_error(code, mongreldb_query::QueryTerminalErrorCategory::Execution);
6226        query.fail();
6227        with_query_id(
6228            sql_cursor_error_response(status, code, message, query_id),
6229            query_id,
6230        )
6231    };
6232    if request.cursor.is_empty() || request.cursor.len() > 2_048 {
6233        return fail(
6234            StatusCode::BAD_REQUEST,
6235            "INVALID_SQL_CURSOR",
6236            "invalid SQL continuation cursor",
6237        );
6238    }
6239    if let Err(error) = query.checkpoint() {
6240        query.fail();
6241        return tracked_query_error_response(&state, &error, Some(query_id));
6242    }
6243    let cursor_mac_key = match state.cursor_mac_key.get() {
6244        Ok(key) => key,
6245        Err(_) => {
6246            return fail(
6247                StatusCode::INTERNAL_SERVER_ERROR,
6248                "ENTROPY_UNAVAILABLE",
6249                "OS CSPRNG unavailable",
6250            );
6251        }
6252    };
6253    match state.sql_pages.continue_page_with_control(
6254        &request.cursor,
6255        &owner,
6256        &cursor_mac_key,
6257        sql_pages::SqlPageBinding {
6258            security_version: state.db.security_version(),
6259            catalog_epoch: state.db.catalog_snapshot().db_epoch,
6260        },
6261        &query,
6262    ) {
6263        Ok(page) => {
6264            let page_byte_count = page.byte_count;
6265            if let Err(error) = query.begin_serialization() {
6266                query.fail();
6267                return tracked_query_error_response(&state, &error, Some(query_id));
6268            }
6269            let serialization_query = query.clone();
6270            match tokio::task::spawn_blocking(move || {
6271                serialize_sql_page_controlled(page, &serialization_query)
6272            })
6273            .await
6274            {
6275                Ok(Ok(body)) => {
6276                    if let Err(error) = query.try_complete() {
6277                        return tracked_query_error_response(&state, &error, Some(query_id));
6278                    }
6279                    state.metrics.add_sql_output_bytes(page_byte_count);
6280                    with_query_id(sql_page_response(body), query_id)
6281                }
6282                Ok(Err(ControlledPageSerializationError::Query(error))) => {
6283                    query.fail();
6284                    tracked_query_error_response(&state, &error, Some(query_id))
6285                }
6286                Ok(Err(ControlledPageSerializationError::Encoding)) => fail(
6287                    StatusCode::INTERNAL_SERVER_ERROR,
6288                    "SERIALIZATION_FAILED",
6289                    "failed to serialize SQL continuation page",
6290                ),
6291                Err(_) => fail(
6292                    StatusCode::INTERNAL_SERVER_ERROR,
6293                    "SERIALIZATION_WORKER_FAILED",
6294                    "SQL continuation serialization worker failed",
6295                ),
6296            }
6297        }
6298        Err(sql_pages::CursorError::Cancelled) => {
6299            let error = cancellation_checkpoint_error(&query);
6300            query.fail();
6301            tracked_query_error_response(&state, &error, Some(query_id))
6302        }
6303        Err(sql_pages::CursorError::Invalid) => fail(
6304            StatusCode::BAD_REQUEST,
6305            "INVALID_SQL_CURSOR",
6306            "invalid SQL continuation cursor",
6307        ),
6308        Err(sql_pages::CursorError::Expired) => fail(
6309            StatusCode::GONE,
6310            "SQL_CURSOR_EXPIRED",
6311            "SQL continuation cursor expired",
6312        ),
6313        Err(sql_pages::CursorError::NotFound) => fail(
6314            StatusCode::NOT_FOUND,
6315            "SQL_CURSOR_NOT_FOUND",
6316            "SQL continuation result is unavailable",
6317        ),
6318        Err(sql_pages::CursorError::PageLimit) => fail(
6319            StatusCode::PAYLOAD_TOO_LARGE,
6320            "RESULT_LIMIT_EXCEEDED",
6321            "one projected row exceeds the page byte or token limit",
6322        ),
6323    }
6324}
6325
6326fn sql_cursor_error_response(
6327    status: StatusCode,
6328    code: &'static str,
6329    message: &'static str,
6330    query_id: QueryId,
6331) -> Response {
6332    // Stable taxonomy category for this cursor code (spec 9.7); mappings
6333    // follow the `MongrelError::category()` precedents.
6334    let category = {
6335        use mongreldb_types::errors::ErrorCategory;
6336        match code {
6337            // Cursor staleness/expiry is stale server-side state (the core
6338            // `CursorStale` / `CursorExpired` precedent).
6339            "SQL_CURSOR_NOT_FOUND" | "SQL_CURSOR_EXPIRED" => ErrorCategory::StaleMetadata,
6340            "RESULT_LIMIT_EXCEEDED" | "ENTROPY_UNAVAILABLE" => ErrorCategory::ResourceExhausted,
6341            _ => ErrorCategory::ClusterVersionMismatch,
6342        }
6343    };
6344    (
6345        status,
6346        Json(json!({
6347            "query_id": query_id.to_string(),
6348            "status": "failed_before_commit",
6349            "terminal_state": "failed_before_commit",
6350            "server_state": "failed",
6351            "committed": false,
6352            "committed_statements": 0,
6353            "last_commit_epoch": null,
6354            "last_commit_epoch_text": null,
6355            "first_commit_statement_index": null,
6356            "last_commit_statement_index": null,
6357            "completed_statements": 0,
6358            "statement_index": 0,
6359            "cancel_outcome": "already_finished",
6360            "cancellation_reason": "none",
6361            "retryable": false,
6362            "outcome": {
6363                "committed": false,
6364                "committed_statements": 0,
6365                "last_commit_epoch": null,
6366                "last_commit_epoch_text": null,
6367                "first_commit_statement_index": null,
6368                "last_commit_statement_index": null,
6369                "completed_statements": 0,
6370                "statement_index": 0,
6371                "serialization": "not_started",
6372            },
6373            "error": {
6374                "code": code,
6375                "message": message,
6376                "category": category.to_string(),
6377                "category_code": category.code(),
6378                "query_id": query_id.to_string(),
6379                "committed": false,
6380                "retryable": false,
6381            }
6382        })),
6383    )
6384        .into_response()
6385}
6386
6387async fn sql(
6388    State(state): State<Arc<AppState>>,
6389    OptionalPrincipal(principal): OptionalPrincipal,
6390    headers: axum::http::HeaderMap,
6391    Json(req): Json<SqlRequest>,
6392) -> Response {
6393    if !state.accepting_sql.load(Ordering::Acquire) {
6394        return (StatusCode::SERVICE_UNAVAILABLE, "server is shutting down").into_response();
6395    }
6396    if !request_identity_is_current(&state, &principal) {
6397        return StatusCode::UNAUTHORIZED.into_response();
6398    }
6399    // Session routing: an `X-Session-ID` header routes the request to a pooled
6400    // long-lived session, enabling cross-request `BEGIN`/`INSERT`/`COMMIT`
6401    // transactions. Without the header, a fresh ephemeral session is used
6402    // (the historical behavior).
6403    let session_id = match query_session_header(&headers, None) {
6404        Ok(session_id) => session_id,
6405        Err(response) => return *response,
6406    };
6407
6408    let owner = request_owner(&state, &principal);
6409    if let Some(sid) = session_id {
6410        let Some(entry) = state.sessions.get(&sid, &owner) else {
6411            return (
6412                StatusCode::NOT_FOUND,
6413                "session not found or not owned by caller",
6414            )
6415                .into_response();
6416        };
6417        let (options, query_id) = match resolve_query_options(
6418            &state,
6419            &headers,
6420            req.query_id,
6421            req.timeout_ms,
6422            owner.clone(),
6423            Some(sid.clone()),
6424        ) {
6425            Ok(options) => options,
6426            Err(response) => return *response,
6427        };
6428        let query = match register_controlled_query(&state, &entry.session(), options) {
6429            Ok(query) => query,
6430            Err(error) => return tracked_query_error_response(&state, &error, Some(query_id)),
6431        };
6432        let registration = RegisteredQueryGuard::new(query);
6433        if mongreldb_query::contains_boolean_ai_predicate(&req.sql) {
6434            registration.fail();
6435            return with_query_id(remote_boolean_ai_error(), query_id);
6436        }
6437        let output_limits = match resolve_sql_output_limits(&state, &req, query_id) {
6438            Ok(limits) => limits,
6439            Err(response) => {
6440                registration.fail();
6441                return *response;
6442            }
6443        };
6444        let (registration, pagination) =
6445            match resolve_sql_pagination(&headers, &req, output_limits, registration, query_id) {
6446                Ok(resolved) => resolved,
6447                Err(response) => return *response,
6448            };
6449        let sql_permit =
6450            match acquire_sql_permit(&state, &entry.session(), registration.query()).await {
6451                Ok(permit) => permit,
6452                Err(error) => {
6453                    return tracked_query_error_response(&state, &error, Some(query_id));
6454                }
6455            };
6456        // Registration and global admission happen before this session lock.
6457        let _guard = tokio::select! {
6458            guard = entry.lock.lock() => guard,
6459            _ = registration.query().control().cancelled() => {
6460                return tracked_query_error_response(
6461                    &state,
6462                    &cancellation_checkpoint_error(registration.query()),
6463                    Some(query_id),
6464                );
6465            }
6466        };
6467        // Re-check closed: the session may have been closed/evicted between
6468        // get() and acquiring the lock.
6469        if entry.is_closed() {
6470            return (StatusCode::NOT_FOUND, "session no longer available").into_response();
6471        }
6472        if req.idempotency_key.is_some() || headers.contains_key("idempotency-key") {
6473            entry
6474                .session()
6475                .fire_test_hook(mongreldb_query::SqlTestHookPoint::BeforeServerIdempotencyCheck);
6476        }
6477        let (registration, idempotency) = match begin_sql_idempotency(
6478            &state,
6479            SqlIdempotencyContext {
6480                headers: &headers,
6481                request: &req,
6482                output_limits,
6483                owner: &owner,
6484                session_id: Some(&sid),
6485                session_in_transaction: entry.session().staged_sql_operation_count().is_some(),
6486                query_id,
6487            },
6488            registration,
6489        )
6490        .await
6491        {
6492            Ok(resolved) => resolved,
6493            Err(response) => return response,
6494        };
6495        entry.touch();
6496        let query = registration.into_query();
6497        let (response, idempotent_commit_ts) = execute_sql(
6498            &state,
6499            &principal,
6500            &entry.session(),
6501            ResolvedSqlRequest {
6502                request: req,
6503                output_limits,
6504                idempotency,
6505                pagination,
6506            },
6507            query,
6508            query_id,
6509            sql_permit,
6510        )
6511        .await;
6512        // Keep the canonical S1D-004 record (transaction state,
6513        // read-your-writes token, last activity) in step with the session.
6514        // The token carries the write's literal commit-timestamp lineage when
6515        // one is known: the core commit log's receipt recorded for an
6516        // idempotent commit (S1B-005), else the exact commit timestamp the
6517        // query layer sourced from core into the durable outcome, else the
6518        // per-open epoch→commit-ts ledger (`Database::commit_ts_for_epoch`).
6519        // Only when none of those resolve does it fall back to the node's HLC
6520        // timestamp captured after the commit became visible, which the
6521        // single HLC authority orders after the write's commit timestamp
6522        // (spec §8.2).
6523        let durable = state
6524            .query_registry
6525            .status(query_id)
6526            .map(|status| status.durable_outcome);
6527        entry.sync_record_after_request(match durable {
6528            Some(outcome) if outcome.committed => Some(
6529                idempotent_commit_ts
6530                    .or(outcome.commit_ts)
6531                    .or_else(|| {
6532                        outcome.last_commit_epoch.and_then(|epoch| {
6533                            state.db.commit_ts_for_epoch(mongreldb_core::Epoch(epoch))
6534                        })
6535                    })
6536                    .unwrap_or_else(|| ryw_commit_timestamp(&state.db)),
6537            ),
6538            _ => None,
6539        });
6540        response
6541    } else {
6542        let session = match MongrelSession::open_with_external_modules_as(
6543            Arc::clone(&state.db),
6544            state.external_modules.iter().cloned(),
6545            request_principal(&state, &principal),
6546        ) {
6547            Ok(session) => session.with_query_registry(Arc::clone(&state.query_registry)),
6548            Err(e) => return (status_for_query_error(&e), e.to_string()).into_response(),
6549        };
6550        let (options, query_id) = match resolve_query_options(
6551            &state,
6552            &headers,
6553            req.query_id,
6554            req.timeout_ms,
6555            owner.clone(),
6556            None,
6557        ) {
6558            Ok(options) => options,
6559            Err(response) => return *response,
6560        };
6561        let query = match register_controlled_query(&state, &session, options) {
6562            Ok(query) => query,
6563            Err(error) => return tracked_query_error_response(&state, &error, Some(query_id)),
6564        };
6565        let registration = RegisteredQueryGuard::new(query);
6566        if mongreldb_query::contains_boolean_ai_predicate(&req.sql) {
6567            registration.fail();
6568            return with_query_id(remote_boolean_ai_error(), query_id);
6569        }
6570        let output_limits = match resolve_sql_output_limits(&state, &req, query_id) {
6571            Ok(limits) => limits,
6572            Err(response) => {
6573                registration.fail();
6574                return *response;
6575            }
6576        };
6577        let (registration, pagination) =
6578            match resolve_sql_pagination(&headers, &req, output_limits, registration, query_id) {
6579                Ok(resolved) => resolved,
6580                Err(response) => return *response,
6581            };
6582        let (registration, idempotency) = match begin_sql_idempotency(
6583            &state,
6584            SqlIdempotencyContext {
6585                headers: &headers,
6586                request: &req,
6587                output_limits,
6588                owner: &owner,
6589                session_id: None,
6590                session_in_transaction: false,
6591                query_id,
6592            },
6593            registration,
6594        )
6595        .await
6596        {
6597            Ok(resolved) => resolved,
6598            Err(response) => return response,
6599        };
6600        let sql_permit = match acquire_sql_permit(&state, &session, registration.query()).await {
6601            Ok(permit) => permit,
6602            Err(error) => {
6603                if let Some(idempotency) = idempotency {
6604                    idempotency.abort();
6605                }
6606                return tracked_query_error_response(&state, &error, Some(query_id));
6607            }
6608        };
6609        let query = registration.into_query();
6610        execute_sql(
6611            &state,
6612            &principal,
6613            &session,
6614            ResolvedSqlRequest {
6615                request: req,
6616                output_limits,
6617                idempotency,
6618                pagination,
6619            },
6620            query,
6621            query_id,
6622            sql_permit,
6623        )
6624        .await
6625        .0
6626    }
6627}
6628
6629/// The read-your-writes fallback token for a just-committed request whose
6630/// literal commit timestamp did not resolve (no idempotency receipt, no
6631/// query-layer `commit_ts`, no per-open ledger entry): the node's HLC
6632/// timestamp captured at a fresh `begin` after the commit became visible. The
6633/// single HLC authority (spec §8.2) orders it after every commit timestamp it
6634/// has already issued — including the commit this request observed — so a
6635/// later read presenting the token sees the session's own write. Falls back
6636/// to wall-clock micros when clock allocation is rejected (skew gate).
6637fn ryw_commit_timestamp(db: &mongreldb_core::Database) -> mongreldb_types::hlc::HlcTimestamp {
6638    if let Some(ts) = db.begin().read_ts() {
6639        return ts;
6640    }
6641    mongreldb_types::hlc::HlcTimestamp {
6642        physical_micros: sessions::now_unix_micros(),
6643        logical: 0,
6644        node_tiebreaker: 0,
6645    }
6646}
6647
6648/// Run one SQL request against a given session: bump counters, audit DDL
6649/// (after execution, with redaction), log slow queries on both success and
6650/// failure, and dispatch the response format. Shared by the pooled-session and
6651/// fresh-session paths.
6652///
6653/// The second tuple element is the HLC commit timestamp of the core receipt
6654/// recorded for an idempotent committed write (S1B-005), when one exists —
6655/// the pooled-session path folds it into the session's read-your-writes token.
6656async fn execute_sql(
6657    state: &AppState,
6658    principal: &Option<mongreldb_core::Principal>,
6659    session: &MongrelSession,
6660    request: ResolvedSqlRequest,
6661    query: RegisteredSqlQuery,
6662    query_id: QueryId,
6663    sql_permit: tokio::sync::OwnedSemaphorePermit,
6664) -> (Response, Option<mongreldb_types::hlc::HlcTimestamp>) {
6665    let ResolvedSqlRequest {
6666        request: req,
6667        output_limits,
6668        idempotency,
6669        pagination,
6670    } = request;
6671    // §15 admin SQL surface: intercept before the ordinary SQL path so
6672    // SHOW CLUSTER / ALTER NODE DRAIN / … never open tablet files from the
6673    // query gateway (spec §12.10 / §15).
6674    if let Some(response) = cluster_admin::try_admin_sql(state, principal, &req.sql) {
6675        drop(sql_permit);
6676        return (response, None);
6677    }
6678    // Keep a direct handle until the durable receipt is persisted. Finished
6679    // tombstone eviction must not make a committed idempotent write ambiguous.
6680    let idempotency_query = idempotency.as_ref().map(|_| query.clone());
6681    state.metrics.inc_sql_queries();
6682    let audited = audit::is_audited_sql(&req.sql);
6683    let actor = request_owner(state, principal);
6684    let page_binding = sql_pages::SqlPageBinding {
6685        security_version: state.db.security_version(),
6686        catalog_epoch: state.db.catalog_snapshot().db_epoch,
6687    };
6688    let start = std::time::Instant::now();
6689    // NOTE: deliberately NOT using `run_sql_traced` here. Its thread-local
6690    // push/pop spans an `.await`, and on a multi-threaded tokio runtime the
6691    // task can resume on a different thread, corrupting the trace stack and
6692    // leaking scopes. Wall-clock timing is sufficient for slow-query detection
6693    // and works across awaits.
6694    let result = if let Some(pagination) = pagination {
6695        match session
6696            .run_with_query_for_serialization_with_limits(
6697                &req.sql,
6698                query,
6699                mongreldb_query::SqlCollectionLimits::new(output_limits.0, output_limits.1),
6700            )
6701            .await
6702        {
6703            Ok(output) => Ok(dispatch_paginated_sql(
6704                state,
6705                output,
6706                query_id,
6707                &actor,
6708                pagination,
6709                output_limits,
6710                session.sql_test_hook(),
6711                page_binding,
6712            )
6713            .await),
6714            Err(error) => Err(error),
6715        }
6716    } else if req.format.as_deref() == Some("arrow-stream") {
6717        match session
6718            .run_stream_with_query_for_serialization(&req.sql, query)
6719            .await
6720        {
6721            Ok((stream, completion)) => Ok(sql_arrow_stream_response_controlled(
6722                stream,
6723                completion,
6724                sql_permit,
6725                output_limits,
6726                state,
6727                query_id,
6728                session.sql_test_hook(),
6729            )),
6730            Err(error) => Err(error),
6731        }
6732    } else {
6733        match session
6734            .run_with_query_for_serialization_with_limits(
6735                &req.sql,
6736                query,
6737                mongreldb_query::SqlCollectionLimits::new(output_limits.0, output_limits.1),
6738            )
6739            .await
6740        {
6741            Ok(output) => Ok(dispatch_buffered_sql_format(
6742                state,
6743                req.format.as_deref(),
6744                output,
6745                query_id,
6746                session.sql_test_hook(),
6747                output_limits,
6748            )
6749            .await),
6750            Err(error) => Err(error),
6751        }
6752    };
6753    let elapsed = start.elapsed();
6754    // Slow-query logging covers BOTH success and failure (the slowest errors
6755    // matter most for diagnosis), checked before branching on the outcome.
6756    if elapsed >= state.reloadable.slow_query_threshold.get() {
6757        state.metrics.inc_slow_queries();
6758        eprintln!(
6759            "[slow-query] {}\u{00b5}s query_id={} operation={}",
6760            elapsed.as_micros(),
6761            query_id,
6762            safe_sql_operation(&req.sql)
6763        );
6764    }
6765    // Audit DDL/privilege AFTER execution so the outcome (ok/fail) is captured.
6766    // `redacted_ddl_detail` never logs credential literals.
6767    if audited {
6768        let (action, detail) = audit::redacted_ddl_detail(&req.sql, result.is_ok());
6769        state.audit.record(actor, action, detail);
6770    }
6771    let response = match result {
6772        Ok(response) => with_query_id(response, query_id),
6773        Err(e) => {
6774            state.metrics.inc_sql_errors();
6775            tracked_query_error_response(state, &e, Some(query_id))
6776        }
6777    };
6778    let Some(idempotency) = idempotency else {
6779        return (response, None);
6780    };
6781    let status = idempotency_query.map(|query| query.status());
6782    if let Some(receipt) = status.as_ref().and_then(sql_terminal_idempotency_receipt) {
6783        let mut receipt = receipt;
6784        // S1B-005: a write that durably committed also records its key in the
6785        // core's durable TXN_IDEMPOTENCY ledger, so the key → original-receipt
6786        // binding survives restart under the commit log's authority (identical
6787        // replay → original receipt; different fingerprint → Conflict). The
6788        // ledger's receipt rides the durable HTTP receipt additively; the HTTP
6789        // store remains the wire authority if the bookkeeping fails.
6790        if receipt.outcome.committed {
6791            let db = Arc::clone(&state.db);
6792            let owner = idempotency.owner().to_owned();
6793            let key = idempotency.key().to_owned();
6794            let binding = idempotency.binding().clone();
6795            let ttl = idempotency.ttl();
6796            receipt.commit_receipt = tokio::task::spawn_blocking(move || {
6797                sql_idempotency::record_core_idempotency_commit(&db, &owner, &key, &binding, ttl)
6798            })
6799            .await
6800            .unwrap_or_else(|error| {
6801                eprintln!("[idempotency] core ledger record task failed: {error}");
6802                None
6803            });
6804        }
6805        let commit_ts = receipt
6806            .commit_receipt
6807            .as_ref()
6808            .map(sql_idempotency::SqlCommitReceipt::commit_ts);
6809        let (expires_at_ms, persisted) = idempotency.commit(receipt.clone());
6810        return (
6811            sql_idempotency_receipt_response(query_id, &receipt, false, expires_at_ms, persisted),
6812            commit_ts,
6813        );
6814    }
6815    if status.as_ref().is_some_and(can_abort_idempotency_intent) {
6816        idempotency.abort();
6817    }
6818    (response, None)
6819}
6820
6821fn can_abort_idempotency_intent(status: &mongreldb_query::QueryStatus) -> bool {
6822    !status.outcome_unknown
6823        && !status.durable_outcome.committed
6824        && matches!(
6825            status.terminal_state(),
6826            Some(
6827                mongreldb_query::QueryTerminalState::FailedBeforeCommit
6828                    | mongreldb_query::QueryTerminalState::CancelledBeforeCommit
6829                    | mongreldb_query::QueryTerminalState::DeadlineBeforeCommit
6830            )
6831        )
6832}
6833
6834fn safe_sql_operation(sql: &str) -> String {
6835    sql.split_whitespace()
6836        .next()
6837        .unwrap_or("UNKNOWN")
6838        .chars()
6839        .filter(|character| character.is_ascii_alphabetic())
6840        .take(16)
6841        .collect::<String>()
6842        .to_ascii_uppercase()
6843}
6844
6845fn remote_boolean_ai_error() -> Response {
6846    (
6847        StatusCode::BAD_REQUEST,
6848        "Boolean ANN/Sparse SQL is disabled remotely; use scored SQL functions",
6849    )
6850        .into_response()
6851}
6852
6853#[derive(Debug)]
6854struct SerializedOutput {
6855    bytes: Vec<u8>,
6856    arrow: bool,
6857}
6858
6859#[derive(Debug)]
6860enum BufferedSerializationError {
6861    Query(mongreldb_query::MongrelQueryError),
6862    Limit(String),
6863    Encoding(String),
6864}
6865
6866struct LimitedOutput {
6867    bytes: Vec<u8>,
6868    max_bytes: usize,
6869    exceeded: bool,
6870}
6871
6872impl LimitedOutput {
6873    fn new(max_bytes: usize) -> Self {
6874        Self {
6875            bytes: Vec::new(),
6876            max_bytes,
6877            exceeded: false,
6878        }
6879    }
6880}
6881
6882impl std::io::Write for LimitedOutput {
6883    fn write(&mut self, bytes: &[u8]) -> std::io::Result<usize> {
6884        if self.bytes.len().saturating_add(bytes.len()) > self.max_bytes {
6885            self.exceeded = true;
6886            return Err(std::io::Error::other("SQL output byte limit exceeded"));
6887        }
6888        self.bytes.extend_from_slice(bytes);
6889        Ok(bytes.len())
6890    }
6891
6892    fn flush(&mut self) -> std::io::Result<()> {
6893        Ok(())
6894    }
6895}
6896
6897fn serialize_buffered_output(
6898    format: &str,
6899    batches: &[arrow::record_batch::RecordBatch],
6900    query: &RegisteredSqlQuery,
6901    max_rows: usize,
6902    max_bytes: usize,
6903    test_hook: Option<&mongreldb_query::SqlTestHook>,
6904) -> std::result::Result<SerializedOutput, BufferedSerializationError> {
6905    const ROW_CHECKPOINT_INTERVAL: usize = 256;
6906    let mut rows = 0usize;
6907    let mut writer_output = LimitedOutput::new(max_bytes);
6908
6909    if format == "arrow" {
6910        if batches.is_empty() {
6911            if let Some(hook) = test_hook {
6912                hook(mongreldb_query::SqlTestHookPoint::AfterSerialization);
6913            }
6914            return Ok(SerializedOutput {
6915                bytes: Vec::new(),
6916                arrow: true,
6917            });
6918        }
6919        let schema = batches[0].schema();
6920        let encoding_result = (|| {
6921            let mut writer =
6922                arrow::ipc::writer::FileWriter::try_new(&mut writer_output, schema.as_ref())
6923                    .map_err(|error| error.to_string())?;
6924            for batch in batches {
6925                for offset in (0..batch.num_rows()).step_by(ROW_CHECKPOINT_INTERVAL) {
6926                    if let Some(hook) = test_hook {
6927                        hook(mongreldb_query::SqlTestHookPoint::BeforeSerializationBatch);
6928                    }
6929                    query.checkpoint().map_err(|error| error.to_string())?;
6930                    let length = ROW_CHECKPOINT_INTERVAL.min(batch.num_rows() - offset);
6931                    rows = rows.saturating_add(length);
6932                    if rows > max_rows {
6933                        return Err("SQL output row limit exceeded".into());
6934                    }
6935                    writer
6936                        .write(&batch.slice(offset, length))
6937                        .map_err(|error| error.to_string())?;
6938                }
6939            }
6940            writer.finish().map_err(|error| error.to_string())
6941        })();
6942        if let Err(error) = encoding_result {
6943            if let Err(query_error) = query.checkpoint() {
6944                return Err(BufferedSerializationError::Query(query_error));
6945            }
6946            if writer_output.exceeded || rows > max_rows {
6947                return Err(BufferedSerializationError::Limit(error));
6948            }
6949            return Err(BufferedSerializationError::Encoding(error));
6950        }
6951        if let Some(hook) = test_hook {
6952            hook(mongreldb_query::SqlTestHookPoint::AfterSerialization);
6953        }
6954        return Ok(SerializedOutput {
6955            bytes: writer_output.bytes,
6956            arrow: true,
6957        });
6958    }
6959
6960    let encoding_result = (|| {
6961        let mut writer = arrow::json::writer::ArrayWriter::new(&mut writer_output);
6962        for batch in batches {
6963            for offset in (0..batch.num_rows()).step_by(ROW_CHECKPOINT_INTERVAL) {
6964                if let Some(hook) = test_hook {
6965                    hook(mongreldb_query::SqlTestHookPoint::BeforeSerializationBatch);
6966                }
6967                query.checkpoint().map_err(|error| error.to_string())?;
6968                let length = ROW_CHECKPOINT_INTERVAL.min(batch.num_rows() - offset);
6969                rows = rows.saturating_add(length);
6970                if rows > max_rows {
6971                    return Err("SQL output row limit exceeded".into());
6972                }
6973                let slice = batch.slice(offset, length);
6974                writer
6975                    .write_batches(&[&slice])
6976                    .map_err(|error| error.to_string())?;
6977            }
6978        }
6979        writer.finish().map_err(|error| error.to_string())
6980    })();
6981    if let Err(error) = encoding_result {
6982        if let Err(query_error) = query.checkpoint() {
6983            return Err(BufferedSerializationError::Query(query_error));
6984        }
6985        if writer_output.exceeded || rows > max_rows {
6986            return Err(BufferedSerializationError::Limit(error));
6987        }
6988        return Err(BufferedSerializationError::Encoding(error));
6989    }
6990    if let Some(hook) = test_hook {
6991        hook(mongreldb_query::SqlTestHookPoint::AfterSerialization);
6992    }
6993    Ok(SerializedOutput {
6994        bytes: writer_output.bytes,
6995        arrow: false,
6996    })
6997}
6998
6999/// Serialize a DataFusion record-batch stream as Arrow streaming IPC. The body
7000/// holds only the active query batch and one serialized IPC message.
7001#[cfg(test)]
7002fn sql_arrow_stream_response(batches: mongreldb_query::MongrelRecordBatchStream) -> Response {
7003    use futures::{stream, StreamExt};
7004
7005    const STREAM_CT: &str = "application/vnd.apache.arrow.stream";
7006
7007    let schema = batches.schema();
7008    let mut writer = match arrow::ipc::writer::StreamWriter::try_new(Vec::new(), schema.as_ref()) {
7009        Ok(w) => w,
7010        Err(e) => {
7011            return (
7012                StatusCode::INTERNAL_SERVER_ERROR,
7013                format!("arrow stream init error: {e}"),
7014            )
7015                .into_response()
7016        }
7017    };
7018    // `try_new` synchronously writes the schema message; drain it so it becomes
7019    // the first chunk yielded to the client.
7020    let schema_chunk: Vec<u8> = std::mem::take(writer.get_mut());
7021    let batch_stream = stream::unfold(
7022        (batches, Some(writer)),
7023        |(mut batches, writer)| async move {
7024            let mut writer = writer?;
7025            match batches.next().await {
7026                Some(Ok(batch)) => match writer.write(&batch) {
7027                    Ok(()) => {
7028                        let chunk = std::mem::take(writer.get_mut());
7029                        Some((Ok(chunk), (batches, Some(writer))))
7030                    }
7031                    Err(error) => Some((Err(std::io::Error::other(error)), (batches, None))),
7032                },
7033                Some(Err(error)) => Some((Err(std::io::Error::other(error)), (batches, None))),
7034                None => match writer.finish() {
7035                    Ok(()) => {
7036                        let chunk = std::mem::take(writer.get_mut());
7037                        Some((Ok(chunk), (batches, None)))
7038                    }
7039                    Err(error) => Some((Err(std::io::Error::other(error)), (batches, None))),
7040                },
7041            }
7042        },
7043    );
7044
7045    // Schema first, then batches + EOS. Each item is already `Result<Vec<u8>,
7046    // io::Error>` so a mid-stream encode failure surfaces as a body error.
7047    let schema_item: Result<Vec<u8>, std::io::Error> = Ok(schema_chunk);
7048    let full = stream::iter([schema_item]).chain(batch_stream);
7049    let body = axum::body::Body::from_stream(full);
7050    ([(header::CONTENT_TYPE, STREAM_CT)], body).into_response()
7051}
7052
7053fn sql_arrow_stream_response_controlled(
7054    batches: mongreldb_query::MongrelRecordBatchStream,
7055    completion: SqlStreamCompletion,
7056    sql_permit: tokio::sync::OwnedSemaphorePermit,
7057    limits: (usize, usize),
7058    state: &AppState,
7059    query_id: QueryId,
7060    test_hook: Option<mongreldb_query::SqlTestHook>,
7061) -> Response {
7062    use futures::{stream, StreamExt};
7063
7064    const STREAM_CT: &str = "application/vnd.apache.arrow.stream";
7065    let (max_rows, max_bytes) = limits;
7066    let schema = batches.schema();
7067    let mut writer = match arrow::ipc::writer::StreamWriter::try_new(Vec::new(), schema.as_ref()) {
7068        Ok(writer) => writer,
7069        Err(error) => {
7070            completion.fail_serialization();
7071            drop(batches);
7072            return terminal_server_error_response(
7073                state,
7074                query_id,
7075                StatusCode::INTERNAL_SERVER_ERROR,
7076                "SERIALIZATION_FAILED",
7077                format!("arrow stream init error: {error}"),
7078            );
7079        }
7080    };
7081    let schema_chunk = std::mem::take(writer.get_mut());
7082    if schema_chunk.len() > max_bytes {
7083        completion.fail_result_limit();
7084        drop(batches);
7085        return terminal_server_error_response(
7086            state,
7087            query_id,
7088            StatusCode::PAYLOAD_TOO_LARGE,
7089            "RESULT_LIMIT_EXCEEDED",
7090            "SQL output byte limit exceeded",
7091        );
7092    }
7093    let metrics = Arc::clone(&state.metrics);
7094    metrics.add_sql_output_bytes(schema_chunk.len());
7095    let batch_stream = stream::unfold(
7096        (
7097            batches,
7098            Some(writer),
7099            completion,
7100            Some(sql_permit),
7101            0usize,
7102            schema_chunk.len(),
7103            metrics,
7104        ),
7105        move |(mut batches, writer, completion, permit, rows, bytes, metrics)| {
7106            let test_hook = test_hook.clone();
7107            async move {
7108                let mut writer = writer?;
7109                match batches.next().await {
7110                    Some(Ok(batch)) => {
7111                        let next_rows = rows.saturating_add(batch.num_rows());
7112                        if next_rows > max_rows {
7113                            completion.fail_result_limit();
7114                            return Some((
7115                                Err(std::io::Error::other("SQL output row limit exceeded")),
7116                                (batches, None, completion, permit, next_rows, bytes, metrics),
7117                            ));
7118                        }
7119                        match writer.write(&batch) {
7120                            Ok(()) => {
7121                                let chunk = std::mem::take(writer.get_mut());
7122                                let next_bytes = bytes.saturating_add(chunk.len());
7123                                if next_bytes > max_bytes {
7124                                    completion.fail_result_limit();
7125                                    return Some((
7126                                        Err(std::io::Error::other(
7127                                            "SQL output byte limit exceeded",
7128                                        )),
7129                                        (
7130                                            batches, None, completion, permit, next_rows,
7131                                            next_bytes, metrics,
7132                                        ),
7133                                    ));
7134                                }
7135                                metrics.add_sql_output_bytes(chunk.len());
7136                                Some((
7137                                    Ok(chunk),
7138                                    (
7139                                        batches,
7140                                        Some(writer),
7141                                        completion,
7142                                        permit,
7143                                        next_rows,
7144                                        next_bytes,
7145                                        metrics,
7146                                    ),
7147                                ))
7148                            }
7149                            Err(error) => {
7150                                completion.fail_serialization();
7151                                Some((
7152                                    Err(std::io::Error::other(error)),
7153                                    (batches, None, completion, permit, rows, bytes, metrics),
7154                                ))
7155                            }
7156                        }
7157                    }
7158                    Some(Err(error)) => Some((
7159                        Err(std::io::Error::other(error)),
7160                        (batches, None, completion, permit, rows, bytes, metrics),
7161                    )),
7162                    None => match writer.finish() {
7163                        Ok(()) => {
7164                            let chunk = std::mem::take(writer.get_mut());
7165                            let next_bytes = bytes.saturating_add(chunk.len());
7166                            if next_bytes > max_bytes {
7167                                completion.fail_result_limit();
7168                                return Some((
7169                                    Err(std::io::Error::other("SQL output byte limit exceeded")),
7170                                    (batches, None, completion, permit, rows, next_bytes, metrics),
7171                                ));
7172                            }
7173                            if let Some(hook) = test_hook {
7174                                hook(mongreldb_query::SqlTestHookPoint::AfterSerialization);
7175                            }
7176                            match completion.try_complete() {
7177                                Ok(()) => {
7178                                    metrics.add_sql_output_bytes(chunk.len());
7179                                    Some((
7180                                        Ok(chunk),
7181                                        (
7182                                            batches, None, completion, permit, rows, next_bytes,
7183                                            metrics,
7184                                        ),
7185                                    ))
7186                                }
7187                                Err(error) => {
7188                                    metrics.inc_sql_errors();
7189                                    Some((
7190                                        Err(std::io::Error::other(error.to_string())),
7191                                        (batches, None, completion, permit, rows, bytes, metrics),
7192                                    ))
7193                                }
7194                            }
7195                        }
7196                        Err(error) => {
7197                            completion.fail_serialization();
7198                            Some((
7199                                Err(std::io::Error::other(error)),
7200                                (batches, None, completion, permit, rows, bytes, metrics),
7201                            ))
7202                        }
7203                    },
7204                }
7205            }
7206        },
7207    );
7208    let schema_item: Result<Vec<u8>, std::io::Error> = Ok(schema_chunk);
7209    let body = axum::body::Body::from_stream(stream::iter([schema_item]).chain(batch_stream));
7210    ([(header::CONTENT_TYPE, STREAM_CT)], body).into_response()
7211}
7212
7213#[derive(Deserialize)]
7214struct TxnOp {
7215    table: String,
7216    op: String,
7217    cells: Option<Vec<serde_json::Value>>,
7218    row_id: Option<u64>,
7219}
7220
7221#[derive(Deserialize)]
7222struct TxnRequest {
7223    ops: Vec<TxnOp>,
7224}
7225
7226async fn txn(
7227    State(state): State<Arc<AppState>>,
7228    OptionalPrincipal(principal): OptionalPrincipal,
7229    Json(req): Json<TxnRequest>,
7230) -> Response {
7231    if let Some(response) = require_writes_open(&state) {
7232        return response;
7233    }
7234    // Pre-validate every op against the live schemas before entering the
7235    // transaction, so malformed input returns 400 without consuming an epoch
7236    // or poisoning a txn.
7237    let mut parsed: Vec<(String, TxnAction)> = Vec::with_capacity(req.ops.len());
7238    for op in &req.ops {
7239        match op.op.as_str() {
7240            "put" => {
7241                let cells_json = match op.cells.as_ref() {
7242                    Some(c) if !c.is_empty() => c,
7243                    _ => {
7244                        return (StatusCode::BAD_REQUEST, "put op requires non-empty cells")
7245                            .into_response()
7246                    }
7247                };
7248                let handle = match state.db.table(&op.table) {
7249                    Ok(h) => h,
7250                    Err(e) => return (StatusCode::NOT_FOUND, e.to_string()).into_response(),
7251                };
7252                let schema = handle.lock().schema().clone();
7253                let cells = match parse_cells(cells_json, &schema) {
7254                    Ok(c) => c,
7255                    Err(msg) => return (StatusCode::BAD_REQUEST, msg).into_response(),
7256                };
7257                parsed.push((op.table.clone(), TxnAction::Put(cells)));
7258            }
7259            "delete" => {
7260                let rid = match op.row_id {
7261                    Some(r) => r,
7262                    None => {
7263                        return (StatusCode::BAD_REQUEST, "delete op requires row_id")
7264                            .into_response()
7265                    }
7266                };
7267                parsed.push((op.table.clone(), TxnAction::Delete(rid)));
7268            }
7269            other => {
7270                return (StatusCode::BAD_REQUEST, format!("unknown op: {other}")).into_response()
7271            }
7272        }
7273    }
7274
7275    state.metrics.inc_txns();
7276    let mut transaction = state.db.begin_as(request_principal(&state, &principal));
7277    let result = (|| {
7278        for (table, action) in &parsed {
7279            match action {
7280                TxnAction::Put(cells) => {
7281                    transaction.put(table, cells.clone())?;
7282                }
7283                TxnAction::Delete(rid) => {
7284                    transaction.delete(table, mongreldb_core::RowId(*rid))?;
7285                }
7286            }
7287        }
7288        transaction.commit()
7289    })();
7290    match result {
7291        Ok(epoch) => Json(json!({
7292            "status": "committed",
7293            "epoch": epoch.0,
7294            "epoch_text": epoch.0.to_string()
7295        }))
7296        .into_response(),
7297        Err(error) => crate::kit::durable_core_error_response(&error)
7298            .unwrap_or_else(|| (status_for_error(&error), error.to_string()).into_response()),
7299    }
7300}
7301
7302enum TxnAction {
7303    Put(Vec<(u16, Value)>),
7304    Delete(u64),
7305}
7306
7307#[cfg(test)]
7308mod auth_tests {
7309    use super::*;
7310    use mongreldb_core::Database;
7311    use tempfile::tempdir;
7312
7313    #[test]
7314    fn slow_query_operation_does_not_include_literals() {
7315        let sql = "CREATE USER alice PASSWORD 'never-log-this'";
7316        let operation = safe_sql_operation(sql);
7317        assert_eq!(operation, "CREATE");
7318        assert!(!operation.contains("never-log-this"));
7319    }
7320
7321    #[tokio::test]
7322    async fn auth_rejects_missing_token() {
7323        let dir = tempdir().unwrap();
7324        let db = Arc::new(Database::create(dir.path()).unwrap());
7325        let app = build_app_with_config(db, std::iter::empty(), Some("secret".into()), None);
7326        let listener = tokio::net::TcpListener::bind("127.0.0.1:0").await.unwrap();
7327        let addr = listener.local_addr().unwrap();
7328        tokio::spawn(async move { axum::serve(listener, app).await.unwrap() });
7329        // Give the server a moment to start.
7330        tokio::time::sleep(std::time::Duration::from_millis(50)).await;
7331
7332        let client = reqwest::Client::new();
7333        let resp = client
7334            .get(format!("http://{addr}/health"))
7335            .send()
7336            .await
7337            .unwrap();
7338        assert_eq!(resp.status(), 401);
7339    }
7340
7341    #[tokio::test]
7342    async fn auth_accepts_valid_token() {
7343        let dir = tempdir().unwrap();
7344        let db = Arc::new(Database::create(dir.path()).unwrap());
7345        let app = build_app_with_config(db, std::iter::empty(), Some("secret".into()), None);
7346        let listener = tokio::net::TcpListener::bind("127.0.0.1:0").await.unwrap();
7347        let addr = listener.local_addr().unwrap();
7348        tokio::spawn(async move { axum::serve(listener, app).await.unwrap() });
7349        tokio::time::sleep(std::time::Duration::from_millis(50)).await;
7350
7351        let client = reqwest::Client::new();
7352        let resp = client
7353            .get(format!("http://{addr}/health"))
7354            .header("Authorization", "Bearer secret")
7355            .send()
7356            .await
7357            .unwrap();
7358        assert_eq!(resp.status(), 200);
7359    }
7360
7361    #[tokio::test]
7362    async fn no_auth_when_token_unset() {
7363        let dir = tempdir().unwrap();
7364        let db = Arc::new(Database::create(dir.path()).unwrap());
7365        let app = build_app_with_config(db, std::iter::empty(), None, None);
7366        let listener = tokio::net::TcpListener::bind("127.0.0.1:0").await.unwrap();
7367        let addr = listener.local_addr().unwrap();
7368        tokio::spawn(async move { axum::serve(listener, app).await.unwrap() });
7369        tokio::time::sleep(std::time::Duration::from_millis(50)).await;
7370
7371        let client = reqwest::Client::new();
7372        let resp = client
7373            .get(format!("http://{addr}/health"))
7374            .send()
7375            .await
7376            .unwrap();
7377        assert_eq!(resp.status(), 200);
7378    }
7379
7380    #[tokio::test]
7381    async fn capabilities_advertise_sql_cancellation_v2() {
7382        let dir = tempdir().unwrap();
7383        let db = Arc::new(Database::create(dir.path()).unwrap());
7384        let app = build_app_with_config(db, std::iter::empty(), None, None);
7385        let listener = tokio::net::TcpListener::bind("127.0.0.1:0").await.unwrap();
7386        let addr = listener.local_addr().unwrap();
7387        tokio::spawn(async move { axum::serve(listener, app).await.unwrap() });
7388
7389        let body: serde_json::Value = reqwest::Client::new()
7390            .get(format!("http://{addr}/capabilities"))
7391            .send()
7392            .await
7393            .unwrap()
7394            .json()
7395            .await
7396            .unwrap();
7397        assert_eq!(body["sql_cancellation"]["version"], 2);
7398        assert_eq!(body["sql_cancellation"]["client_query_ids"], true);
7399        assert_eq!(body["sql_cancellation"]["cancel_endpoint"], true);
7400        assert_eq!(body["sql_cancellation"]["query_status"], true);
7401        assert_eq!(body["sql_cancellation"]["pre_registration_cancel"], true);
7402        assert_eq!(body["sql_cancellation"]["stream_disconnect_cancels"], true);
7403        assert_eq!(body["sql_idempotency"]["version"], 1);
7404        assert_eq!(
7405            body["sql_idempotency"]["indeterminate_never_reexecutes"],
7406            true
7407        );
7408        assert_eq!(body["sql_pagination"]["version"], 1);
7409        assert_eq!(
7410            body["sql_pagination"]["continuation_endpoint"],
7411            "/sql/continue"
7412        );
7413    }
7414}
7415
7416#[cfg(test)]
7417mod query_response_tests {
7418    use super::*;
7419
7420    #[test]
7421    fn cancellation_reason_names_are_stable_snake_case() {
7422        assert_eq!(cancellation_reason_name(CancellationReason::None), "none");
7423        assert_eq!(
7424            cancellation_reason_name(CancellationReason::ClientRequest),
7425            "client_request"
7426        );
7427        assert_eq!(
7428            cancellation_reason_name(CancellationReason::ClientDisconnected),
7429            "client_disconnected"
7430        );
7431        assert_eq!(
7432            cancellation_reason_name(CancellationReason::SessionClosed),
7433            "session_closed"
7434        );
7435        assert_eq!(
7436            cancellation_reason_name(CancellationReason::ServerShutdown),
7437            "server_shutdown"
7438        );
7439        assert_eq!(
7440            cancellation_reason_name(CancellationReason::Deadline),
7441            "deadline"
7442        );
7443    }
7444
7445    #[test]
7446    fn unknown_outcome_never_proves_idempotency_intent_safe_to_abort() {
7447        let registry = Arc::new(SqlQueryRegistry::default());
7448        let unknown_id: QueryId = "102132435465768798a9bacbdcedfe0f".parse().unwrap();
7449        let unknown = registry
7450            .register(SqlQueryOptions {
7451                query_id: Some(unknown_id),
7452                ..SqlQueryOptions::default()
7453            })
7454            .unwrap();
7455        unknown.mark_outcome_unknown();
7456        unknown.fail();
7457        assert!(!can_abort_idempotency_intent(
7458            &registry.status(unknown_id).unwrap()
7459        ));
7460
7461        let failed_id: QueryId = "2031425364758697a8b9cadbecfd0e1f".parse().unwrap();
7462        let failed = registry
7463            .register(SqlQueryOptions {
7464                query_id: Some(failed_id),
7465                ..SqlQueryOptions::default()
7466            })
7467            .unwrap();
7468        failed.fail();
7469        assert!(can_abort_idempotency_intent(
7470            &registry.status(failed_id).unwrap()
7471        ));
7472    }
7473
7474    #[test]
7475    fn unknown_outcome_never_becomes_durable_receipt() {
7476        let registry = Arc::new(SqlQueryRegistry::default());
7477        let query = registry.register(SqlQueryOptions::default()).unwrap();
7478        query.record_commit(0, 42);
7479        query.mark_outcome_unknown();
7480        query.fail();
7481        let status = registry.status(query.id()).unwrap();
7482        assert!(status.durable_outcome.committed);
7483        assert!(status.outcome_unknown);
7484        assert!(sql_terminal_idempotency_receipt(&status).is_none());
7485    }
7486
7487    #[test]
7488    fn successful_noop_write_becomes_noncommitting_receipt() {
7489        let registry = Arc::new(SqlQueryRegistry::default());
7490        let query = registry.register(SqlQueryOptions::default()).unwrap();
7491        query
7492            .transition(SqlQueryPhase::Queued, SqlQueryPhase::Executing)
7493            .unwrap();
7494        query.try_complete().unwrap();
7495        let status = registry.status(query.id()).unwrap();
7496        assert!(!status.durable_outcome.committed);
7497        assert!(!can_abort_idempotency_intent(&status));
7498        let receipt = sql_terminal_idempotency_receipt(&status).unwrap();
7499        assert_eq!(receipt.status, "completed");
7500        assert!(!receipt.outcome.committed);
7501        assert_eq!(receipt.outcome.committed_statements, 0);
7502        assert_eq!(receipt.outcome.last_commit_epoch, None);
7503    }
7504
7505    #[test]
7506    fn conflicting_idempotency_key_sources_are_rejected() {
7507        let request = SqlRequest {
7508            sql: "INSERT INTO items VALUES (1)".into(),
7509            format: None,
7510            query_id: None,
7511            timeout_ms: None,
7512            max_output_rows: None,
7513            max_output_bytes: None,
7514            idempotency_key: Some("body-key".into()),
7515            pagination: None,
7516        };
7517        let mut headers = axum::http::HeaderMap::new();
7518        headers.insert("idempotency-key", "header-key".parse().unwrap());
7519        assert_eq!(
7520            requested_sql_idempotency_key(&headers, &request),
7521            Err("body idempotency_key and Idempotency-Key header must match")
7522        );
7523
7524        headers.insert("idempotency-key", "body-key".parse().unwrap());
7525        assert_eq!(
7526            requested_sql_idempotency_key(&headers, &request),
7527            Ok(Some("body-key".into()))
7528        );
7529    }
7530
7531    #[test]
7532    fn idempotency_binding_includes_pagination_semantics() {
7533        let mut request = SqlRequest {
7534            sql: "INSERT INTO items VALUES (1)".into(),
7535            format: None,
7536            query_id: None,
7537            timeout_ms: None,
7538            max_output_rows: None,
7539            max_output_bytes: None,
7540            idempotency_key: Some("key".into()),
7541            pagination: None,
7542        };
7543        let unpaged = sql_idempotency_binding(&request, (100, 1_024), None, 60_000).unwrap();
7544        request.pagination = Some(SqlPaginationRequest {
7545            page_size_rows: 10,
7546            projection: vec!["id".into()],
7547            max_page_bytes: Some(512),
7548            max_page_tokens: Some(128),
7549        });
7550        let paged = sql_idempotency_binding(&request, (100, 1_024), None, 60_000).unwrap();
7551        assert_ne!(unpaged.request_semantics_hash, paged.request_semantics_hash);
7552    }
7553
7554    #[test]
7555    fn paginated_decode_stops_nested_heap_amplification_at_budget() {
7556        let registry = Arc::new(SqlQueryRegistry::default());
7557        let query = registry.register(SqlQueryOptions::default()).unwrap();
7558        let json = format!("[[{}]]", vec!["null"; 10_000].join(","));
7559        let mut deserializer = serde_json::Deserializer::from_slice(json.as_bytes());
7560        let mut budget = PaginatedDecodeBudget {
7561            used: 0,
7562            limit: 4 * 1024,
7563            nodes: 0,
7564            exceeded: false,
7565            query: &query,
7566            test_hook: None,
7567        };
7568        let error = serde::de::DeserializeSeed::deserialize(
7569            BudgetedJsonRowsSeed {
7570                budget: &mut budget,
7571            },
7572            &mut deserializer,
7573        )
7574        .unwrap_err();
7575        assert!(error.to_string().contains(PAGINATED_MEMORY_LIMIT_ERROR));
7576        assert!(budget.exceeded);
7577        assert!(budget.nodes < 100, "decoded {} nodes", budget.nodes);
7578        query.fail();
7579    }
7580
7581    #[tokio::test]
7582    async fn unknown_outcome_response_never_claims_no_commit() {
7583        let registry = Arc::new(SqlQueryRegistry::default());
7584        let query = registry.register(SqlQueryOptions::default()).unwrap();
7585        let query_id = query.id();
7586        query
7587            .transition(SqlQueryPhase::Queued, SqlQueryPhase::Executing)
7588            .unwrap();
7589        let error = query.outcome_unknown_error("fenced maintenance failed");
7590        query.fail();
7591        let status = registry.status(query_id).unwrap();
7592        assert_eq!(
7593            status.terminal_state(),
7594            Some(mongreldb_query::QueryTerminalState::OutcomeUnknown)
7595        );
7596
7597        let response = query_error_response_with_status(&error, Some(query_id), Some(&status));
7598        assert_eq!(response.status(), StatusCode::CONFLICT);
7599        let bytes = axum::body::to_bytes(response.into_body(), usize::MAX)
7600            .await
7601            .unwrap();
7602        let body: serde_json::Value = serde_json::from_slice(&bytes).unwrap();
7603        assert_eq!(body["status"], "outcome_unknown");
7604        assert_eq!(body["error"]["code"], "QUERY_OUTCOME_UNKNOWN");
7605        assert!(body["committed"].is_null());
7606        assert!(body["committed_statements"].is_null());
7607        assert!(body["last_commit_epoch"].is_null());
7608        assert!(body["completed_statements"].is_null());
7609        assert!(body["statement_index"].is_null());
7610        assert!(body["outcome"]["committed"].is_null());
7611        assert!(body["error"]["committed"].is_null());
7612    }
7613
7614    #[tokio::test]
7615    async fn retryable_idempotency_error_survives_terminal_status() {
7616        let registry = Arc::new(SqlQueryRegistry::default());
7617        let query = registry.register(SqlQueryOptions::default()).unwrap();
7618        let query_id = query.id();
7619        let response = registered_sql_error_response(
7620            RegisteredQueryGuard::new(query),
7621            query_id,
7622            StatusCode::SERVICE_UNAVAILABLE,
7623            "IDEMPOTENCY_STORE_UNAVAILABLE",
7624            "could not durably reserve the SQL idempotency key",
7625            true,
7626        );
7627        let bytes = axum::body::to_bytes(response.into_body(), usize::MAX)
7628            .await
7629            .unwrap();
7630        let body: serde_json::Value = serde_json::from_slice(&bytes).unwrap();
7631        assert_eq!(body["retryable"], true);
7632        assert_eq!(body["error"]["retryable"], true);
7633
7634        let status = registry.status(query_id).unwrap();
7635        assert_eq!(
7636            status.terminal_error.as_ref().unwrap().code,
7637            "IDEMPOTENCY_STORE_UNAVAILABLE"
7638        );
7639        assert!(terminal_error_retryable(status.terminal_error.as_ref()));
7640    }
7641
7642    #[tokio::test]
7643    async fn committed_idempotency_terminal_error_is_a_receipt() {
7644        let query_id: QueryId = "00112233445566778899aabbccddeeff".parse().unwrap();
7645        let receipt = sql_idempotency::SqlDurableReceipt {
7646            original_query_id: query_id.to_string(),
7647            status: "committed_with_error".into(),
7648            server_state: "failed".into(),
7649            cancellation_reason: "client_disconnected".into(),
7650            outcome: sql_idempotency::SqlReceiptOutcome {
7651                committed: true,
7652                committed_statements: 1,
7653                last_commit_epoch: Some(42),
7654                last_commit_epoch_text: Some("42".into()),
7655                first_commit_statement_index: Some(0),
7656                last_commit_statement_index: Some(0),
7657                completed_statements: 1,
7658                statement_index: 0,
7659                serialization: "failed".into(),
7660            },
7661            terminal_error: Some(sql_idempotency::SqlReceiptTerminalError {
7662                code: "SERIALIZATION_FAILED_AFTER_COMMIT".into(),
7663                category: "serialization".into(),
7664            }),
7665            commit_receipt: None,
7666        };
7667        let response = sql_idempotency_receipt_response(query_id, &receipt, false, 99, true);
7668        assert_eq!(response.status(), StatusCode::OK);
7669        let bytes = axum::body::to_bytes(response.into_body(), usize::MAX)
7670            .await
7671            .unwrap();
7672        let body: serde_json::Value = serde_json::from_slice(&bytes).unwrap();
7673        assert_eq!(body["status"], "committed_with_error");
7674        assert_eq!(body["server_state"], "failed");
7675        assert_eq!(body["cancellation_reason"], "client_disconnected");
7676        assert_eq!(body["first_commit_statement_index"], 0);
7677        assert_eq!(body["last_commit_statement_index"], 0);
7678        assert_eq!(
7679            body["terminal_error"]["code"],
7680            "SERIALIZATION_FAILED_AFTER_COMMIT"
7681        );
7682    }
7683
7684    #[test]
7685    fn durable_replay_restores_terminal_status_parity() {
7686        let registry = Arc::new(SqlQueryRegistry::default());
7687        let query_id: QueryId = "11223344556677889900aabbccddeeff".parse().unwrap();
7688        let query = registry
7689            .register(SqlQueryOptions {
7690                query_id: Some(query_id),
7691                ..SqlQueryOptions::default()
7692            })
7693            .unwrap();
7694        let receipt = sql_idempotency::SqlDurableReceipt {
7695            original_query_id: "00112233445566778899aabbccddeeff".into(),
7696            status: "cancelled_after_commit".into(),
7697            server_state: "cancelled".into(),
7698            cancellation_reason: "client_disconnected".into(),
7699            outcome: sql_idempotency::SqlReceiptOutcome {
7700                committed: true,
7701                committed_statements: 1,
7702                last_commit_epoch: Some(42),
7703                last_commit_epoch_text: Some("42".into()),
7704                first_commit_statement_index: Some(0),
7705                last_commit_statement_index: Some(0),
7706                completed_statements: 1,
7707                statement_index: 1,
7708                serialization: "failed".into(),
7709            },
7710            terminal_error: Some(sql_idempotency::SqlReceiptTerminalError {
7711                code: "QUERY_CANCELLED_AFTER_COMMIT".into(),
7712                category: "cancellation".into(),
7713            }),
7714            commit_receipt: None,
7715        };
7716        restore_idempotency_replay(RegisteredQueryGuard::new(query), &receipt).unwrap();
7717        let status = registry.status(query_id).unwrap();
7718        assert_eq!(status.phase, SqlQueryPhase::Cancelled);
7719        assert_eq!(
7720            status.terminal_state(),
7721            Some(mongreldb_query::QueryTerminalState::CancelledAfterCommit)
7722        );
7723        assert_eq!(
7724            status.cancellation_reason,
7725            CancellationReason::ClientDisconnected
7726        );
7727        assert_eq!(status.durable_outcome.committed_statements, 1);
7728        assert_eq!(status.durable_outcome.last_commit_epoch, Some(42));
7729        assert_eq!(
7730            status.terminal_error.unwrap().code,
7731            "QUERY_CANCELLED_AFTER_COMMIT"
7732        );
7733    }
7734
7735    #[test]
7736    fn durable_replay_rejects_invalid_authenticated_state() {
7737        let registry = Arc::new(SqlQueryRegistry::default());
7738        let query = registry.register(SqlQueryOptions::default()).unwrap();
7739        let receipt = sql_idempotency::SqlDurableReceipt {
7740            original_query_id: query.id().to_string(),
7741            status: "invented_terminal_state".into(),
7742            server_state: "completed".into(),
7743            cancellation_reason: "none".into(),
7744            outcome: sql_idempotency::SqlReceiptOutcome {
7745                committed: true,
7746                committed_statements: 1,
7747                last_commit_epoch: Some(42),
7748                last_commit_epoch_text: Some("42".into()),
7749                first_commit_statement_index: Some(0),
7750                last_commit_statement_index: Some(0),
7751                completed_statements: 1,
7752                statement_index: 0,
7753                serialization: "succeeded".into(),
7754            },
7755            terminal_error: None,
7756            commit_receipt: None,
7757        };
7758        let error =
7759            restore_idempotency_replay(RegisteredQueryGuard::new(query), &receipt).unwrap_err();
7760        assert!(error.to_string().contains("invalid terminal state"));
7761    }
7762
7763    #[test]
7764    fn durable_replay_cancel_wins_before_receipt_response() {
7765        let registry = Arc::new(SqlQueryRegistry::default());
7766        let query_id: QueryId = "22334455667788990011aabbccddeeff".parse().unwrap();
7767        let query = registry
7768            .register(SqlQueryOptions {
7769                query_id: Some(query_id),
7770                ..SqlQueryOptions::default()
7771            })
7772            .unwrap();
7773        assert_eq!(
7774            query.request_cancel(CancellationReason::ClientRequest),
7775            CancelOutcome::Accepted
7776        );
7777        let receipt = sql_idempotency::SqlDurableReceipt {
7778            original_query_id: "00112233445566778899aabbccddeeff".into(),
7779            status: "completed".into(),
7780            server_state: "completed".into(),
7781            cancellation_reason: "none".into(),
7782            outcome: sql_idempotency::SqlReceiptOutcome {
7783                committed: true,
7784                committed_statements: 1,
7785                last_commit_epoch: Some(42),
7786                last_commit_epoch_text: Some("42".into()),
7787                first_commit_statement_index: Some(0),
7788                last_commit_statement_index: Some(0),
7789                completed_statements: 1,
7790                statement_index: 0,
7791                serialization: "succeeded".into(),
7792            },
7793            terminal_error: None,
7794            commit_receipt: None,
7795        };
7796        let error = restore_idempotency_replay(RegisteredQueryGuard::new(query), &receipt)
7797            .expect_err("accepted cancellation must suppress replay success");
7798        assert!(matches!(
7799            error,
7800            mongreldb_query::MongrelQueryError::QueryCancelled { .. }
7801        ));
7802        let status = registry.status(query_id).unwrap();
7803        assert_eq!(status.phase, SqlQueryPhase::Cancelled);
7804        assert!(status.durable_outcome.committed);
7805    }
7806
7807    #[test]
7808    fn direct_query_handle_preserves_receipt_after_tombstone_eviction() {
7809        let registry = Arc::new(SqlQueryRegistry::new(
7810            1,
7811            1,
7812            usize::MAX,
7813            std::time::Duration::from_secs(60),
7814        ));
7815        let first = registry.register(SqlQueryOptions::default()).unwrap();
7816        first
7817            .transition(SqlQueryPhase::Queued, SqlQueryPhase::Executing)
7818            .unwrap();
7819        first.record_commit(0, 42);
7820        first.complete_current_statement();
7821        first.try_complete().unwrap();
7822
7823        let second = registry.register(SqlQueryOptions::default()).unwrap();
7824        second
7825            .transition(SqlQueryPhase::Queued, SqlQueryPhase::Executing)
7826            .unwrap();
7827        second.try_complete().unwrap();
7828
7829        assert!(registry.status(first.id()).is_none());
7830        let receipt = sql_terminal_idempotency_receipt(&first.status()).unwrap();
7831        assert_eq!(receipt.outcome.committed_statements, 1);
7832        assert_eq!(receipt.outcome.last_commit_epoch, Some(42));
7833    }
7834
7835    #[test]
7836    fn cancellation_checkpoint_mismatch_returns_typed_error() {
7837        let registry = Arc::new(SqlQueryRegistry::default());
7838        let query = registry.register(SqlQueryOptions::default()).unwrap();
7839        assert!(matches!(
7840            cancellation_checkpoint_error(&query),
7841            mongreldb_query::MongrelQueryError::InvalidQueryState(_)
7842        ));
7843        assert_eq!(
7844            query.request_cancel(CancellationReason::ClientRequest),
7845            CancelOutcome::Accepted
7846        );
7847        assert!(matches!(
7848            cancellation_checkpoint_error(&query),
7849            mongreldb_query::MongrelQueryError::QueryCancelled { .. }
7850        ));
7851    }
7852
7853    #[tokio::test]
7854    async fn cancellation_after_commit_reports_durable_outcome() {
7855        let registry = Arc::new(SqlQueryRegistry::default());
7856        let query = registry.register(SqlQueryOptions::default()).unwrap();
7857        let query_id = query.id();
7858        query
7859            .transition(SqlQueryPhase::Queued, SqlQueryPhase::Executing)
7860            .unwrap();
7861        query.record_commit(0, 42);
7862        assert_eq!(
7863            query.request_cancel(CancellationReason::ClientRequest),
7864            CancelOutcome::Accepted
7865        );
7866        let error = query.checkpoint().unwrap_err();
7867        query.fail();
7868        let status = registry.status(query_id).unwrap();
7869
7870        let response = query_error_response_with_status(&error, Some(query_id), Some(&status));
7871        assert_eq!(response.status(), StatusCode::CONFLICT);
7872        let bytes = axum::body::to_bytes(response.into_body(), usize::MAX)
7873            .await
7874            .unwrap();
7875        let body: serde_json::Value = serde_json::from_slice(&bytes).unwrap();
7876        assert_eq!(body["status"], "cancelled_after_commit");
7877        assert_eq!(body["error"]["code"], "QUERY_CANCELLED_AFTER_COMMIT");
7878        assert_eq!(body["committed"], true);
7879        assert_eq!(body["outcome"]["committed_statements"], 1);
7880        assert_eq!(body["outcome"]["last_commit_epoch"], 42);
7881        assert_eq!(body["outcome"]["last_commit_epoch_text"], "42");
7882        assert_eq!(body["first_commit_statement_index"], 0);
7883        assert_eq!(body["last_commit_statement_index"], 0);
7884        assert_eq!(body["outcome"]["first_commit_statement_index"], 0);
7885        assert_eq!(body["outcome"]["last_commit_statement_index"], 0);
7886
7887        let response = query_error_response_with_status(&error, Some(query_id), None);
7888        assert_eq!(response.status(), StatusCode::CONFLICT);
7889        let bytes = axum::body::to_bytes(response.into_body(), usize::MAX)
7890            .await
7891            .unwrap();
7892        let body: serde_json::Value = serde_json::from_slice(&bytes).unwrap();
7893        assert_eq!(body["status"], "cancelled_after_commit");
7894        assert_eq!(body["error"]["code"], "QUERY_CANCELLED_AFTER_COMMIT");
7895        assert_eq!(body["committed"], true);
7896        assert_eq!(body["committed_statements"], 1);
7897        assert_eq!(body["last_commit_epoch"], 42);
7898        assert_eq!(body["last_commit_epoch_text"], "42");
7899        assert_eq!(body["first_commit_statement_index"], 0);
7900        assert_eq!(body["last_commit_statement_index"], 0);
7901        assert_eq!(body["outcome"]["committed"], true);
7902        assert_eq!(body["outcome"]["committed_statements"], 1);
7903        assert_eq!(body["outcome"]["last_commit_epoch"], 42);
7904        assert_eq!(body["outcome"]["last_commit_epoch_text"], "42");
7905        assert_eq!(body["outcome"]["first_commit_statement_index"], 0);
7906        assert_eq!(body["outcome"]["last_commit_statement_index"], 0);
7907    }
7908
7909    #[tokio::test]
7910    async fn commit_outcome_fallback_preserves_exact_progress() {
7911        let query_id: QueryId = "33445566778899001122aabbccddeeff".parse().unwrap();
7912        let error = mongreldb_query::MongrelQueryError::CommitOutcome {
7913            query_id,
7914            committed: true,
7915            committed_statements: 3,
7916            last_commit_epoch: Some(77),
7917            first_commit_statement_index: Some(1),
7918            last_commit_statement_index: Some(4),
7919            completed_statements: 4,
7920            statement_index: 5,
7921            message: "durable outcome retained".into(),
7922        };
7923        let response = query_error_response_with_status(&error, Some(query_id), None);
7924        assert_eq!(response.status(), StatusCode::CONFLICT);
7925        let bytes = axum::body::to_bytes(response.into_body(), usize::MAX)
7926            .await
7927            .unwrap();
7928        let body: serde_json::Value = serde_json::from_slice(&bytes).unwrap();
7929        assert_eq!(body["status"], "committed_with_error");
7930        assert_eq!(body["committed"], true);
7931        assert_eq!(body["committed_statements"], 3);
7932        assert_eq!(body["last_commit_epoch"], 77);
7933        assert_eq!(body["last_commit_epoch_text"], "77");
7934        assert_eq!(body["first_commit_statement_index"], 1);
7935        assert_eq!(body["last_commit_statement_index"], 4);
7936        assert_eq!(body["completed_statements"], 4);
7937        assert_eq!(body["statement_index"], 5);
7938        assert_eq!(body["outcome"]["committed_statements"], 3);
7939        assert_eq!(body["outcome"]["last_commit_epoch"], 77);
7940        assert_eq!(body["outcome"]["first_commit_statement_index"], 1);
7941        assert_eq!(body["outcome"]["last_commit_statement_index"], 4);
7942        assert_eq!(body["outcome"]["completed_statements"], 4);
7943        assert_eq!(body["outcome"]["statement_index"], 5);
7944    }
7945
7946    #[test]
7947    fn status_cancel_outcome_matches_cancel_endpoint_state() {
7948        let registry = Arc::new(SqlQueryRegistry::default());
7949        let commit = registry.register(SqlQueryOptions::default()).unwrap();
7950        commit
7951            .transition(SqlQueryPhase::Queued, SqlQueryPhase::Executing)
7952            .unwrap();
7953        commit.enter_commit_critical().unwrap();
7954        assert_eq!(
7955            query_cancel_outcome(&registry.status(commit.id()).unwrap()),
7956            Some("too_late")
7957        );
7958
7959        let completed = registry.register(SqlQueryOptions::default()).unwrap();
7960        completed
7961            .transition(SqlQueryPhase::Queued, SqlQueryPhase::Executing)
7962            .unwrap();
7963        completed.try_complete().unwrap();
7964        assert_eq!(
7965            query_cancel_outcome(&registry.status(completed.id()).unwrap()),
7966            Some("already_finished")
7967        );
7968    }
7969}
7970
7971#[cfg(test)]
7972mod wal_stream_tests {
7973    use super::*;
7974    use mongreldb_client::ReplicationFollower;
7975    use mongreldb_core::Database;
7976    use tempfile::tempdir;
7977
7978    #[tokio::test]
7979    async fn wal_stream_returns_records_after_commit() {
7980        let dir = tempdir().unwrap();
7981        let db = Arc::new(Database::create(dir.path()).unwrap());
7982        let table_schema = mongreldb_core::schema::Schema {
7983            schema_id: 1,
7984            columns: vec![mongreldb_core::schema::ColumnDef {
7985                id: 1,
7986                name: "id".into(),
7987                ty: TypeId::Int64,
7988                flags: mongreldb_core::schema::ColumnFlags::empty()
7989                    .with(mongreldb_core::schema::ColumnFlags::PRIMARY_KEY),
7990                default_value: None,
7991                embedding_source: None,
7992            }],
7993            indexes: vec![],
7994            colocation: vec![],
7995            constraints: Default::default(),
7996            clustered: false,
7997        };
7998        db.create_table("items", table_schema).unwrap();
7999        // Write a row to generate WAL records.
8000        let handle = db.table("items").unwrap();
8001        handle.lock().put(vec![(1, Value::Int64(1))]).unwrap();
8002        handle.lock().flush().unwrap();
8003
8004        let app = build_app(db);
8005        let listener = tokio::net::TcpListener::bind("127.0.0.1:0").await.unwrap();
8006        let addr = listener.local_addr().unwrap();
8007        tokio::spawn(async move { axum::serve(listener, app).await.unwrap() });
8008        tokio::time::sleep(std::time::Duration::from_millis(50)).await;
8009
8010        let resp = reqwest::get(format!("http://{addr}/wal/stream"))
8011            .await
8012            .unwrap();
8013        assert_eq!(resp.status(), 200);
8014        let body = resp.text().await.unwrap();
8015        // Should contain at least one record (the flush commit).
8016        assert!(!body.is_empty(), "wal_stream should return records");
8017        assert!(body.contains("seq"), "response should contain seq field");
8018    }
8019
8020    #[tokio::test]
8021    async fn follower_bootstraps_and_applies_incremental_commit() {
8022        let leader_dir = tempdir().unwrap();
8023        let follower_dir = tempdir().unwrap();
8024        let follower_path = follower_dir.path().join("copy");
8025        let db = Arc::new(Database::create(leader_dir.path()).unwrap());
8026        db.create_table(
8027            "items",
8028            mongreldb_core::schema::Schema {
8029                schema_id: 1,
8030                columns: vec![mongreldb_core::schema::ColumnDef {
8031                    id: 1,
8032                    name: "id".into(),
8033                    ty: TypeId::Int64,
8034                    flags: mongreldb_core::schema::ColumnFlags::empty()
8035                        .with(mongreldb_core::schema::ColumnFlags::PRIMARY_KEY),
8036                    default_value: None,
8037                    embedding_source: None,
8038                }],
8039                indexes: vec![],
8040                colocation: vec![],
8041                constraints: Default::default(),
8042                clustered: false,
8043            },
8044        )
8045        .unwrap();
8046        let handle = db.table("items").unwrap();
8047        handle.lock().put(vec![(1, Value::Int64(1))]).unwrap();
8048        handle.lock().commit().unwrap();
8049
8050        let app = build_app_with_config(
8051            Arc::clone(&db),
8052            std::iter::empty::<Arc<dyn ExternalTableModule>>(),
8053            Some("replication-secret".into()),
8054            None,
8055        );
8056        let listener = tokio::net::TcpListener::bind("127.0.0.1:0").await.unwrap();
8057        let addr = listener.local_addr().unwrap();
8058        tokio::spawn(async move { axum::serve(listener, app).await.unwrap() });
8059        tokio::time::sleep(std::time::Duration::from_millis(50)).await;
8060
8061        let leader_url = format!("http://{addr}");
8062        let first_path = follower_path.clone();
8063        let (mut follower, initial) = tokio::task::spawn_blocking(move || {
8064            let mut follower = ReplicationFollower::new(&leader_url, first_path)
8065                .unwrap()
8066                .with_bearer_token("replication-secret");
8067            let applied = follower.sync().unwrap();
8068            (follower, applied)
8069        })
8070        .await
8071        .unwrap();
8072        assert_eq!(initial, 0);
8073
8074        handle.lock().put(vec![(1, Value::Int64(2))]).unwrap();
8075        handle.lock().commit().unwrap();
8076        let applied = tokio::task::spawn_blocking(move || {
8077            let count = follower.sync().unwrap();
8078            (follower, count)
8079        })
8080        .await
8081        .unwrap();
8082        follower = applied.0;
8083        assert!(applied.1 > 0);
8084        assert!(follower.last_epoch() > 0);
8085
8086        let replica = Database::open(&follower_path).unwrap();
8087        assert_eq!(replica.table("items").unwrap().lock().count(), 2);
8088        drop(replica);
8089
8090        db.set_spill_threshold(1);
8091        db.transaction(|txn| {
8092            txn.put("items", vec![(1, Value::Int64(3))])?;
8093            Ok(())
8094        })
8095        .unwrap();
8096        let (follower_after_bootstrap, applied) = tokio::task::spawn_blocking(move || {
8097            let count = follower.sync().unwrap();
8098            (follower, count)
8099        })
8100        .await
8101        .unwrap();
8102        assert_eq!(applied, 0, "spilled run should trigger safe rebootstrap");
8103        assert!(follower_after_bootstrap.last_epoch() > 0);
8104        let replica = Database::open(&follower_path).unwrap();
8105        assert_eq!(replica.table("items").unwrap().lock().count(), 3);
8106    }
8107}
8108
8109#[cfg(test)]
8110mod metrics_tests {
8111    use super::*;
8112    use mongreldb_core::Database;
8113    use tempfile::tempdir;
8114
8115    /// Helper: spin up a daemon over a fresh DB with one `items(id int64 pk)`
8116    /// table pre-created, returning the bound address.
8117    async fn setup() -> (tempfile::TempDir, std::net::SocketAddr) {
8118        let dir = tempdir().unwrap();
8119        let db = Arc::new(Database::create(dir.path()).unwrap());
8120        let table_schema = mongreldb_core::schema::Schema {
8121            schema_id: 1,
8122            columns: vec![mongreldb_core::schema::ColumnDef {
8123                id: 1,
8124                name: "id".into(),
8125                ty: TypeId::Int64,
8126                flags: mongreldb_core::schema::ColumnFlags::empty()
8127                    .with(mongreldb_core::schema::ColumnFlags::PRIMARY_KEY),
8128                default_value: None,
8129                embedding_source: None,
8130            }],
8131            indexes: vec![],
8132            colocation: vec![],
8133            constraints: Default::default(),
8134            clustered: false,
8135        };
8136        db.create_table("items", table_schema).unwrap();
8137        let app = build_app(db);
8138        let listener = tokio::net::TcpListener::bind("127.0.0.1:0").await.unwrap();
8139        let addr = listener.local_addr().unwrap();
8140        tokio::spawn(async move { axum::serve(listener, app).await.unwrap() });
8141        tokio::time::sleep(std::time::Duration::from_millis(50)).await;
8142        (dir, addr)
8143    }
8144
8145    #[tokio::test]
8146    async fn metrics_endpoint_returns_prometheus_text() {
8147        let (_dir, addr) = setup().await;
8148        let client = reqwest::Client::new();
8149
8150        // Exercise a few handlers to bump counters.
8151        let _ = client
8152            .post(format!("http://{addr}/tables/items/put"))
8153            .json(&json!({ "row": [1, 1] }))
8154            .send()
8155            .await
8156            .unwrap();
8157        let _ = client
8158            .post(format!("http://{addr}/sql"))
8159            .json(&json!({ "sql": "SELECT count(*) FROM items" }))
8160            .send()
8161            .await
8162            .unwrap();
8163
8164        let resp = client
8165            .get(format!("http://{addr}/metrics"))
8166            .send()
8167            .await
8168            .unwrap();
8169        assert_eq!(resp.status(), 200);
8170        let ct = resp
8171            .headers()
8172            .get("content-type")
8173            .and_then(|v| v.to_str().ok())
8174            .unwrap_or_default()
8175            .to_string();
8176        assert!(
8177            ct.contains("text/plain"),
8178            "content-type is prometheus text: {ct}"
8179        );
8180        let body = resp.text().await.unwrap();
8181        // Prometheus series + type lines are present.
8182        assert!(body.contains("# TYPE mongreldb_sql_queries_total counter"));
8183        assert!(body.contains("# TYPE mongreldb_puts_total counter"));
8184        assert!(body.contains("# TYPE mongreldb_tables gauge"));
8185        // Counters were bumped: at least one query and one put were served.
8186        assert!(
8187            body.contains("mongreldb_sql_queries_total 1"),
8188            "sql_queries counter should reflect the /sql call: {body}"
8189        );
8190        assert!(
8191            body.contains("mongreldb_puts_total 1"),
8192            "puts counter should reflect the put call: {body}"
8193        );
8194        // The tables gauge reflects the single `items` table.
8195        assert!(body.contains("mongreldb_tables 1"));
8196    }
8197
8198    #[tokio::test]
8199    async fn metrics_error_counter_increments_on_bad_sql() {
8200        let (_dir, addr) = setup().await;
8201        let client = reqwest::Client::new();
8202        // A query against a non-existent table errors at the engine layer.
8203        let _ = client
8204            .post(format!("http://{addr}/sql"))
8205            .json(&json!({ "sql": "SELECT * FROM does_not_exist" }))
8206            .send()
8207            .await
8208            .unwrap();
8209        let body = client
8210            .get(format!("http://{addr}/metrics"))
8211            .send()
8212            .await
8213            .unwrap()
8214            .text()
8215            .await
8216            .unwrap();
8217        assert!(
8218            body.contains("mongreldb_sql_errors_total 1"),
8219            "sql_errors should increment on a failed query: {body}"
8220        );
8221    }
8222
8223    #[tokio::test]
8224    async fn arrow_stream_returns_ipc_stream_bytes() {
8225        let (_dir, addr) = setup().await;
8226        let client = reqwest::Client::new();
8227        // Insert a couple of rows so there are real batches to stream, then
8228        // flush so the rows are durable/visible to a fresh SQL session.
8229        for i in 1..=3 {
8230            let resp = client
8231                .post(format!("http://{addr}/tables/items/put"))
8232                .json(&json!({ "row": [1, i] }))
8233                .send()
8234                .await
8235                .unwrap();
8236            assert_eq!(resp.status(), 200, "put should succeed");
8237        }
8238        let _ = client
8239            .post(format!("http://{addr}/tables/items/commit"))
8240            .send()
8241            .await
8242            .unwrap();
8243        // Sanity: the rows are durable and visible to the table handle.
8244        let count_body = client
8245            .get(format!("http://{addr}/tables/items/count"))
8246            .send()
8247            .await
8248            .unwrap()
8249            .text()
8250            .await
8251            .unwrap();
8252        assert!(
8253            count_body.contains("\"count\":3"),
8254            "expected 3 visible rows, got: {count_body}"
8255        );
8256        let resp = client
8257            .post(format!("http://{addr}/sql"))
8258            .json(&json!({ "sql": "SELECT count(*) FROM items", "format": "arrow-stream" }))
8259            .send()
8260            .await
8261            .unwrap();
8262        assert_eq!(resp.status(), 200, "streaming query should succeed");
8263        let ct = resp
8264            .headers()
8265            .get("content-type")
8266            .and_then(|v| v.to_str().ok())
8267            .unwrap_or_default()
8268            .to_string();
8269        assert!(
8270            ct.contains("application/vnd.apache.arrow.stream"),
8271            "content-type should be the arrow stream format: {ct}"
8272        );
8273        let bytes = resp.bytes().await.unwrap();
8274        // Arrow IPC streams begin with the magic continuation marker
8275        // 0xFFFFFFFF followed by the schema message length. The stream must be
8276        // non-empty (3 rows were written) and end with the EOS marker.
8277        assert!(
8278            !bytes.is_empty(),
8279            "arrow stream body should contain schema + batch + EOS"
8280        );
8281        assert!(
8282            bytes.starts_with(&0xFFFFFFFFu32.to_le_bytes()),
8283            "arrow stream must begin with the IPC continuation marker"
8284        );
8285        assert!(
8286            bytes.ends_with(&[0u8, 0, 0, 0]),
8287            "arrow stream should end with the EOS marker (trailing zero length)"
8288        );
8289    }
8290}
8291
8292#[cfg(test)]
8293mod streaming_tests {
8294    use super::*;
8295    use arrow::array::Int64Array;
8296    use arrow::datatypes::{DataType, Field, Schema};
8297    use arrow::record_batch::RecordBatch;
8298    use datafusion::common::DataFusionError;
8299    use datafusion::physical_plan::stream::RecordBatchStreamAdapter;
8300    use futures::StreamExt;
8301    use std::sync::Arc as StdArc;
8302
8303    fn batch_stream(batches: Vec<RecordBatch>) -> mongreldb_query::MongrelRecordBatchStream {
8304        let schema = batches
8305            .first()
8306            .map(RecordBatch::schema)
8307            .unwrap_or_else(|| StdArc::new(Schema::empty()));
8308        let batches =
8309            futures::stream::iter(batches.into_iter().map(Ok::<RecordBatch, DataFusionError>));
8310        Box::pin(RecordBatchStreamAdapter::new(schema, batches))
8311    }
8312
8313    /// Unit-level check: feed two synthetic batches through the streaming
8314    /// serializer and re-parse the resulting IPC stream end-to-end. This
8315    /// validates the per-message chunking (schema + N batches + EOS) without
8316    /// depending on the engine's scan visibility.
8317    #[tokio::test]
8318    async fn arrow_stream_serializes_multiple_batches_roundtrip() {
8319        let schema = StdArc::new(Schema::new(vec![Field::new("v", DataType::Int64, false)]));
8320        let b1 = RecordBatch::try_new(
8321            schema.clone(),
8322            vec![StdArc::new(Int64Array::from(vec![1, 2]))],
8323        )
8324        .unwrap();
8325        let b2 = RecordBatch::try_new(
8326            schema.clone(),
8327            vec![StdArc::new(Int64Array::from(vec![3, 4, 5]))],
8328        )
8329        .unwrap();
8330
8331        let resp = sql_arrow_stream_response(batch_stream(vec![b1, b2]));
8332        let bytes = axum::body::to_bytes(resp.into_body(), 1 << 20)
8333            .await
8334            .unwrap();
8335
8336        // Begins with the IPC continuation marker.
8337        assert!(bytes.starts_with(&0xFFFFFFFFu32.to_le_bytes()));
8338
8339        // Re-parse the full stream and confirm all rows survived the chunked
8340        // serialization.
8341        let slice: &[u8] = bytes.as_ref();
8342        let mut reader = arrow::ipc::reader::StreamReader::try_new(slice, None).unwrap();
8343        let mut total_rows = 0;
8344        for batch in reader.by_ref() {
8345            let batch = batch.expect("each IPC message should decode");
8346            total_rows += batch.num_rows();
8347        }
8348        assert_eq!(
8349            total_rows, 5,
8350            "all rows should round-trip through the stream"
8351        );
8352    }
8353
8354    #[tokio::test]
8355    async fn arrow_stream_emits_schema_before_first_batch() {
8356        let schema = StdArc::new(Schema::new(vec![Field::new("v", DataType::Int64, false)]));
8357        let pending = futures::stream::pending::<Result<RecordBatch, DataFusionError>>();
8358        let batches = Box::pin(RecordBatchStreamAdapter::new(schema, pending));
8359        let mut body = sql_arrow_stream_response(batches)
8360            .into_body()
8361            .into_data_stream();
8362
8363        let chunk = tokio::time::timeout(std::time::Duration::from_millis(100), body.next())
8364            .await
8365            .expect("schema chunk should not wait for a query batch")
8366            .unwrap()
8367            .unwrap();
8368        assert!(chunk.starts_with(&0xFFFFFFFFu32.to_le_bytes()));
8369    }
8370
8371    #[tokio::test]
8372    async fn arrow_stream_empty_query_is_valid_ipc() {
8373        let resp = sql_arrow_stream_response(batch_stream(Vec::new()));
8374        let bytes = axum::body::to_bytes(resp.into_body(), 1 << 20)
8375            .await
8376            .unwrap();
8377        let slice: &[u8] = bytes.as_ref();
8378        let reader = arrow::ipc::reader::StreamReader::try_new(slice, None).unwrap();
8379        assert_eq!(reader.count(), 0);
8380    }
8381
8382    #[tokio::test]
8383    async fn buffered_output_limits_are_typed() {
8384        let dir = tempfile::tempdir().unwrap();
8385        let db = StdArc::new(mongreldb_core::Database::create(dir.path()).unwrap());
8386        let session = MongrelSession::open(db).unwrap();
8387        let query = session.register_query(SqlQueryOptions::default()).unwrap();
8388        let output = session
8389            .run_with_query_for_serialization("SELECT 1", query)
8390            .await
8391            .unwrap();
8392
8393        let row_error =
8394            serialize_buffered_output("json", output.batches(), output.query(), 0, 1024, None)
8395                .unwrap_err();
8396        assert!(matches!(row_error, BufferedSerializationError::Limit(_)));
8397        let byte_error =
8398            serialize_buffered_output("json", output.batches(), output.query(), 10, 1, None)
8399                .unwrap_err();
8400        assert!(matches!(byte_error, BufferedSerializationError::Limit(_)));
8401        output.fail();
8402    }
8403}
8404
8405#[cfg(test)]
8406mod audit_tests {
8407    use super::*;
8408    use mongreldb_core::Database;
8409    use tempfile::tempdir;
8410
8411    /// Build a daemon with user-auth enabled plus one catalog user `alice`.
8412    async fn auth_setup(password: &str) -> std::net::SocketAddr {
8413        let dir = tempdir().unwrap();
8414        let db = Arc::new(Database::create(dir.path()).unwrap());
8415        db.create_user("alice", password).unwrap();
8416        db.set_user_admin("alice", true).unwrap();
8417        let app = build_app_full(
8418            db,
8419            std::iter::empty::<Arc<dyn ExternalTableModule>>(),
8420            None,
8421            None,
8422            true,
8423        );
8424        let listener = tokio::net::TcpListener::bind("127.0.0.1:0").await.unwrap();
8425        let addr = listener.local_addr().unwrap();
8426        tokio::spawn(async move { axum::serve(listener, app).await.unwrap() });
8427        tokio::time::sleep(std::time::Duration::from_millis(50)).await;
8428        addr
8429    }
8430
8431    #[tokio::test]
8432    async fn audit_records_login_success_and_failure() {
8433        let addr = auth_setup("s3cret").await;
8434        let client = reqwest::Client::new();
8435
8436        // Successful basic auth.
8437        let resp = client
8438            .get(format!("http://{addr}/health"))
8439            .header("Authorization", basic("alice", "s3cret"))
8440            .send()
8441            .await
8442            .unwrap();
8443        assert_eq!(resp.status(), 200);
8444
8445        // Failed basic auth (wrong password).
8446        let resp = client
8447            .get(format!("http://{addr}/health"))
8448            .header("Authorization", basic("alice", "wrong"))
8449            .send()
8450            .await
8451            .unwrap();
8452        assert_eq!(resp.status(), 401);
8453
8454        let body = client
8455            .get(format!("http://{addr}/audit"))
8456            .header("Authorization", basic("alice", "s3cret"))
8457            .send()
8458            .await
8459            .unwrap()
8460            .text()
8461            .await
8462            .unwrap();
8463        assert!(
8464            body.contains("\"action\":\"login.ok\""),
8465            "audit should record the successful login: {body}"
8466        );
8467        assert!(
8468            body.contains("\"action\":\"login.fail\""),
8469            "audit should record the failed login: {body}"
8470        );
8471        assert!(
8472            body.contains("\"principal\":\"alice\""),
8473            "audit should attribute events to alice: {body}"
8474        );
8475    }
8476
8477    #[tokio::test]
8478    async fn audit_records_ddl_sql() {
8479        let dir = tempdir().unwrap();
8480        let db = Arc::new(Database::create(dir.path()).unwrap());
8481        let app = build_app(db);
8482        let listener = tokio::net::TcpListener::bind("127.0.0.1:0").await.unwrap();
8483        let addr = listener.local_addr().unwrap();
8484        tokio::spawn(async move { axum::serve(listener, app).await.unwrap() });
8485        tokio::time::sleep(std::time::Duration::from_millis(50)).await;
8486
8487        let client = reqwest::Client::new();
8488        let _ = client
8489            .post(format!("http://{addr}/sql"))
8490            .json(&json!({ "sql": "CREATE TABLE t (id BIGINT PRIMARY KEY)" }))
8491            .send()
8492            .await
8493            .unwrap();
8494        // A plain SELECT is NOT audited.
8495        let _ = client
8496            .post(format!("http://{addr}/sql"))
8497            .json(&json!({ "sql": "SELECT 1" }))
8498            .send()
8499            .await
8500            .unwrap();
8501
8502        let body = client
8503            .get(format!("http://{addr}/audit"))
8504            .send()
8505            .await
8506            .unwrap()
8507            .text()
8508            .await
8509            .unwrap();
8510        assert!(
8511            body.contains("\"action\":\"ddl.ok\""),
8512            "audit should record the successful DDL statement: {body}"
8513        );
8514        assert!(
8515            body.contains("CREATE TABLE"),
8516            "audit detail should carry the DDL snippet: {body}"
8517        );
8518        // SELECT must not appear.
8519        assert!(
8520            !body.contains("SELECT 1"),
8521            "non-DDL reads should not be audited: {body}"
8522        );
8523    }
8524
8525    #[tokio::test]
8526    async fn audit_redacts_credential_passwords() {
8527        let dir = tempdir().unwrap();
8528        let db = Arc::new(Database::create(dir.path()).unwrap());
8529        let app = build_app(db);
8530        let listener = tokio::net::TcpListener::bind("127.0.0.1:0").await.unwrap();
8531        let addr = listener.local_addr().unwrap();
8532        tokio::spawn(async move { axum::serve(listener, app).await.unwrap() });
8533        tokio::time::sleep(std::time::Duration::from_millis(50)).await;
8534
8535        let client = reqwest::Client::new();
8536        // A CREATE USER carrying a plaintext password must be audited but the
8537        // password must NEVER reach /audit or stderr.
8538        let _ = client
8539            .post(format!("http://{addr}/sql"))
8540            .json(&json!({ "sql": "CREATE USER alice WITH PASSWORD 'topsecret'" }))
8541            .send()
8542            .await
8543            .unwrap();
8544
8545        let body = client
8546            .get(format!("http://{addr}/audit"))
8547            .send()
8548            .await
8549            .unwrap()
8550            .text()
8551            .await
8552            .unwrap();
8553        assert!(
8554            !body.contains("topsecret"),
8555            "password must never appear in the audit log: {body}"
8556        );
8557        assert!(
8558            body.contains("redacted credential statement"),
8559            "credential DDL should be recorded as redacted: {body}"
8560        );
8561    }
8562
8563    fn basic(user: &str, pass: &str) -> String {
8564        let raw = format!("{user}:{pass}");
8565        format!("Basic {}", base64_encode(raw.as_bytes()))
8566    }
8567
8568    fn base64_encode(input: &[u8]) -> String {
8569        const TABLE: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
8570        let mut out = String::new();
8571        let mut buf = 0u32;
8572        let mut bits = 0u32;
8573        for &b in input {
8574            buf = (buf << 8) | b as u32;
8575            bits += 8;
8576            while bits >= 6 {
8577                bits -= 6;
8578                out.push(TABLE[((buf >> bits) & 0x3F) as usize] as char);
8579            }
8580        }
8581        if bits > 0 {
8582            out.push(TABLE[((buf << (6 - bits)) & 0x3F) as usize] as char);
8583        }
8584        while !out.len().is_multiple_of(4) {
8585            out.push('=');
8586        }
8587        out
8588    }
8589}
8590
8591#[cfg(test)]
8592mod session_tests {
8593    use super::*;
8594    use mongreldb_core::Database;
8595    use tempfile::tempdir;
8596
8597    /// Spin up a daemon over a fresh DB with one `items(id int64 pk)` table.
8598    /// Returns the TempDir (must be held alive for the test's duration — dropping
8599    /// it deletes the database directory mid-test) and the bound address.
8600    async fn setup() -> (tempfile::TempDir, std::net::SocketAddr) {
8601        let dir = tempdir().unwrap();
8602        let db = Arc::new(Database::create(dir.path()).unwrap());
8603        let table_schema = mongreldb_core::schema::Schema {
8604            schema_id: 1,
8605            columns: vec![mongreldb_core::schema::ColumnDef {
8606                id: 1,
8607                name: "id".into(),
8608                ty: TypeId::Int64,
8609                flags: mongreldb_core::schema::ColumnFlags::empty()
8610                    .with(mongreldb_core::schema::ColumnFlags::PRIMARY_KEY),
8611                default_value: None,
8612                embedding_source: None,
8613            }],
8614            indexes: vec![],
8615            colocation: vec![],
8616            constraints: Default::default(),
8617            clustered: false,
8618        };
8619        db.create_table("items", table_schema).unwrap();
8620        let app = build_app(db);
8621        let listener = tokio::net::TcpListener::bind("127.0.0.1:0").await.unwrap();
8622        let addr = listener.local_addr().unwrap();
8623        tokio::spawn(async move { axum::serve(listener, app).await.unwrap() });
8624        tokio::time::sleep(std::time::Duration::from_millis(50)).await;
8625        (dir, addr)
8626    }
8627
8628    /// Open a session and return its token.
8629    async fn open_session(client: &reqwest::Client, addr: &std::net::SocketAddr) -> String {
8630        let resp = client
8631            .post(format!("http://{addr}/sessions"))
8632            .send()
8633            .await
8634            .unwrap();
8635        assert_eq!(resp.status(), 200);
8636        resp.json::<serde_json::Value>()
8637            .await
8638            .unwrap()
8639            .get("session_id")
8640            .unwrap()
8641            .as_str()
8642            .unwrap()
8643            .to_string()
8644    }
8645
8646    async fn sql_on(
8647        client: &reqwest::Client,
8648        addr: &std::net::SocketAddr,
8649        session: &str,
8650        sql: &str,
8651    ) -> reqwest::Response {
8652        client
8653            .post(format!("http://{addr}/sql"))
8654            .header("X-Session-ID", session)
8655            .json(&json!({ "sql": sql }))
8656            .send()
8657            .await
8658            .unwrap()
8659    }
8660
8661    async fn count_items(client: &reqwest::Client, addr: &std::net::SocketAddr) -> u64 {
8662        client
8663            .get(format!("http://{addr}/tables/items/count"))
8664            .send()
8665            .await
8666            .unwrap()
8667            .json::<serde_json::Value>()
8668            .await
8669            .unwrap()
8670            .get("count")
8671            .unwrap()
8672            .as_u64()
8673            .unwrap()
8674    }
8675
8676    #[tokio::test]
8677    async fn cross_request_transaction_commits() {
8678        let (_dir, addr) = setup().await;
8679        let client = reqwest::Client::new();
8680        let session = open_session(&client, &addr).await;
8681
8682        // BEGIN, INSERT, COMMIT — each its own HTTP request on the same session.
8683        let r = sql_on(&client, &addr, &session, "BEGIN").await;
8684        assert_eq!(r.status(), 200);
8685        let r = sql_on(
8686            &client,
8687            &addr,
8688            &session,
8689            "INSERT INTO items (id) VALUES (1)",
8690        )
8691        .await;
8692        assert_eq!(r.status(), 200, "INSERT should stage successfully");
8693        // Not yet committed → not visible to other connections.
8694        assert_eq!(count_items(&client, &addr).await, 0);
8695        let r = sql_on(&client, &addr, &session, "COMMIT").await;
8696        assert_eq!(r.status(), 200);
8697
8698        // After COMMIT the row is durable and visible.
8699        assert_eq!(count_items(&client, &addr).await, 1);
8700    }
8701
8702    #[tokio::test]
8703    async fn cross_request_transaction_rolls_back() {
8704        let (_dir, addr) = setup().await;
8705        let client = reqwest::Client::new();
8706        let session = open_session(&client, &addr).await;
8707
8708        sql_on(&client, &addr, &session, "BEGIN").await;
8709        sql_on(
8710            &client,
8711            &addr,
8712            &session,
8713            "INSERT INTO items (id) VALUES (5)",
8714        )
8715        .await;
8716        // ROLLBACK discards the staged insert.
8717        let r = sql_on(&client, &addr, &session, "ROLLBACK").await;
8718        assert_eq!(r.status(), 200);
8719        assert_eq!(
8720            count_items(&client, &addr).await,
8721            0,
8722            "rollback discards staged writes"
8723        );
8724    }
8725
8726    #[tokio::test]
8727    async fn unknown_session_id_is_404() {
8728        let (_dir, addr) = setup().await;
8729        let client = reqwest::Client::new();
8730        let resp = client
8731            .post(format!("http://{addr}/sql"))
8732            .header("X-Session-ID", "does-not-exist")
8733            .json(&json!({ "sql": "SELECT 1" }))
8734            .send()
8735            .await
8736            .unwrap();
8737        assert_eq!(resp.status(), 404);
8738    }
8739
8740    #[tokio::test]
8741    async fn invalid_session_headers_do_not_autocommit() {
8742        let (_dir, addr) = setup().await;
8743        let client = reqwest::Client::new();
8744
8745        let resp = client
8746            .post(format!("http://{addr}/sql"))
8747            .header(
8748                "X-Session-ID",
8749                reqwest::header::HeaderValue::from_bytes(&[0xff]).unwrap(),
8750            )
8751            .json(&json!({ "sql": "INSERT INTO items (id) VALUES (1)" }))
8752            .send()
8753            .await
8754            .unwrap();
8755        assert_eq!(resp.status(), StatusCode::BAD_REQUEST);
8756
8757        let resp = client
8758            .post(format!("http://{addr}/sql"))
8759            .header("X-Session-ID", "x".repeat(257))
8760            .json(&json!({ "sql": "INSERT INTO items (id) VALUES (2)" }))
8761            .send()
8762            .await
8763            .unwrap();
8764        assert_eq!(resp.status(), StatusCode::BAD_REQUEST);
8765        assert_eq!(count_items(&client, &addr).await, 0);
8766    }
8767
8768    #[tokio::test]
8769    async fn close_session_ends_cross_request_state() {
8770        let (_dir, addr) = setup().await;
8771        let client = reqwest::Client::new();
8772        let session = open_session(&client, &addr).await;
8773
8774        // BEGIN on the session, then close it → staged txn is discarded.
8775        sql_on(&client, &addr, &session, "BEGIN").await;
8776        let r = client
8777            .delete(format!("http://{addr}/sessions/{session}"))
8778            .send()
8779            .await
8780            .unwrap();
8781        assert_eq!(r.status(), 200);
8782
8783        // The session token is now invalid.
8784        let resp = sql_on(&client, &addr, &session, "COMMIT").await;
8785        assert_eq!(resp.status(), 404, "closed session is no longer usable");
8786    }
8787
8788    #[tokio::test]
8789    async fn no_session_header_uses_fresh_ephemeral_session() {
8790        // Without X-Session-ID, BEGIN..COMMIT must still work within a single
8791        // multi-statement /sql body (the historical behavior is preserved).
8792        let (_dir, addr) = setup().await;
8793        let client = reqwest::Client::new();
8794        let resp = client
8795            .post(format!("http://{addr}/sql"))
8796            .json(&json!({ "sql": "INSERT INTO items (id) VALUES (42)" }))
8797            .send()
8798            .await
8799            .unwrap();
8800        assert_eq!(resp.status(), 200);
8801        assert_eq!(count_items(&client, &addr).await, 1);
8802    }
8803
8804    #[tokio::test]
8805    async fn prepared_statement_prepare_execute_and_reuse() {
8806        let (_dir, addr) = setup().await;
8807        let client = reqwest::Client::new();
8808        let session = open_session(&client, &addr).await;
8809        sql_on(
8810            &client,
8811            &addr,
8812            &session,
8813            "INSERT INTO items (id) VALUES (1), (2), (3), (4)",
8814        )
8815        .await;
8816
8817        // Prepare a parameterized query once.
8818        let resp = client
8819            .post(format!("http://{addr}/sessions/{session}/prepare"))
8820            .json(&json!({"name":"gt","sql":"SELECT id FROM items WHERE id > $1"}))
8821            .send()
8822            .await
8823            .unwrap();
8824        assert_eq!(resp.status(), 200);
8825
8826        // Execute with param 2 → ids 3,4.
8827        let resp = client
8828            .post(format!("http://{addr}/sessions/{session}/execute"))
8829            .json(&json!({"name":"gt","params":[2]}))
8830            .send()
8831            .await
8832            .unwrap();
8833        assert_eq!(resp.status(), 200);
8834        let body = resp.json::<serde_json::Value>().await.unwrap();
8835        let arr = body
8836            .as_array()
8837            .expect("execute returns a JSON array of rows");
8838        assert_eq!(arr.len(), 2, "ids > 2 are {{3,4}}: {body}");
8839
8840        // Re-execute with a different param → reuses the cached plan, fewer rows.
8841        let resp = client
8842            .post(format!("http://{addr}/sessions/{session}/execute"))
8843            .json(&json!({"name":"gt","params":[3]}))
8844            .send()
8845            .await
8846            .unwrap();
8847        let body = resp.json::<serde_json::Value>().await.unwrap();
8848        assert_eq!(body.as_array().unwrap().len(), 1, "ids > 3 is {{4}}");
8849    }
8850
8851    #[tokio::test]
8852    async fn prepared_statement_deallocate_then_execute_fails() {
8853        let (_dir, addr) = setup().await;
8854        let client = reqwest::Client::new();
8855        let session = open_session(&client, &addr).await;
8856        let _ = client
8857            .post(format!("http://{addr}/sessions/{session}/prepare"))
8858            .json(&json!({"name":"p","sql":"SELECT $1"}))
8859            .send()
8860            .await
8861            .unwrap();
8862        let deallocate_query_id = "dadadadadadadadadadadadadadadada";
8863        let resp = client
8864            .delete(format!("http://{addr}/sessions/{session}/statements/p"))
8865            .header("X-MongrelDB-Query-ID", deallocate_query_id)
8866            .header("X-MongrelDB-Timeout-Ms", "10000")
8867            .send()
8868            .await
8869            .unwrap();
8870        assert_eq!(resp.status(), 200);
8871        assert_eq!(
8872            resp.headers()
8873                .get("X-MongrelDB-Query-ID")
8874                .unwrap()
8875                .to_str()
8876                .unwrap(),
8877            deallocate_query_id
8878        );
8879        let status = client
8880            .get(format!("http://{addr}/queries/{deallocate_query_id}"))
8881            .send()
8882            .await
8883            .unwrap()
8884            .json::<serde_json::Value>()
8885            .await
8886            .unwrap();
8887        assert_eq!(status["state"], "completed");
8888        assert_eq!(status["operation"], "DEALLOCATE");
8889        // Execute after deallocate must error.
8890        let resp = client
8891            .post(format!("http://{addr}/sessions/{session}/execute"))
8892            .json(&json!({"name":"p","params":[1]}))
8893            .send()
8894            .await
8895            .unwrap();
8896        assert_ne!(resp.status(), 200, "execute after DEALLOCATE must fail");
8897    }
8898
8899    #[tokio::test]
8900    async fn prepared_statement_deallocate_honors_pre_registration_cancel() {
8901        let (_dir, addr) = setup().await;
8902        let client = reqwest::Client::new();
8903        let session = open_session(&client, &addr).await;
8904        let prepared = client
8905            .post(format!("http://{addr}/sessions/{session}/prepare"))
8906            .json(&json!({"name":"p","sql":"SELECT $1"}))
8907            .send()
8908            .await
8909            .unwrap();
8910        assert_eq!(prepared.status(), StatusCode::OK);
8911
8912        let query_id = "dbdbdbdbdbdbdbdbdbdbdbdbdbdbdbdb";
8913        let cancel = client
8914            .post(format!("http://{addr}/queries/{query_id}/cancel"))
8915            .header("X-Session-ID", &session)
8916            .send()
8917            .await
8918            .unwrap();
8919        assert_eq!(cancel.status(), StatusCode::ACCEPTED);
8920        let deallocate = client
8921            .delete(format!("http://{addr}/sessions/{session}/statements/p"))
8922            .header("X-MongrelDB-Query-ID", query_id)
8923            .send()
8924            .await
8925            .unwrap();
8926        assert_eq!(deallocate.status().as_u16(), 499);
8927        assert_eq!(
8928            deallocate.json::<serde_json::Value>().await.unwrap()["error"]["code"],
8929            "QUERY_CANCELLED"
8930        );
8931
8932        let execute = client
8933            .post(format!("http://{addr}/sessions/{session}/execute"))
8934            .json(&json!({"name":"p","params":[1]}))
8935            .send()
8936            .await
8937            .unwrap();
8938        assert_eq!(execute.status(), StatusCode::OK);
8939    }
8940
8941    #[tokio::test]
8942    async fn prepared_statement_rejects_bad_name() {
8943        let (_dir, addr) = setup().await;
8944        let client = reqwest::Client::new();
8945        let session = open_session(&client, &addr).await;
8946        let resp = client
8947            .post(format!("http://{addr}/sessions/{session}/prepare"))
8948            .json(&json!({"name":"1bad","sql":"SELECT 1"}))
8949            .send()
8950            .await
8951            .unwrap();
8952        assert_eq!(
8953            resp.status(),
8954            400,
8955            "statement name starting with a digit must be rejected"
8956        );
8957    }
8958}