fix(persistence): address PR #117 review feedback

Adopt 8 PR-agent (Qodo) findings; 4 declined (concurrency already guarded by
the putSyncedRecord/markRecordSynced guards + RPC optimistic concurrency;
SQL-injection / won-equality / microtask-race are false positives — see PR reply).

- markRecordSynced: guard on updatedAt too — softDeleteStory doesn't bump rev,
  so a same-rev newer local tombstone must not be marked synced by an older
  push's ack (symmetric with putSyncedRecord's guard)
- recordToEnvelope: fallback timestamps to 0 not Date.now() (a corrupt record
  should lose LWW, not win as "now")
- push/delete routes: validate rev/updatedAt as finite -> 400 (was silent 200);
  push: Content-Length pre-check before buffering the body
- pushDeletion: idbGet a single record instead of a full-store scan
- manifest: Cache-Control private,no-store + client fetch cache:no-store
- cloudSyncClient: Array.isArray narrowing on items/blobs
- RPC: `if found` instead of `v_row.id is not null` after RETURNING INTO

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Kai ki
2026-06-28 11:52:09 +08:00
parent 739af60848
commit 6ba5307c6c
7 changed files with 63 additions and 27 deletions
+8 -7
View File
@@ -25,6 +25,7 @@ import {
putSyncedRecord,
markRecordSynced,
} from "./localStore";
import { idbGet, STORIES_STORE } from "./idb";
import { coerceEpoch, type StoryRecord, type StorySyncMeta, type StorySyncEnvelope } from "./types";
// Keep in lockstep with the pull route's MAX_PULL_IDS.
@@ -88,8 +89,8 @@ function recordToEnvelope(rec: StoryRecord): StorySyncEnvelope {
sceneCount: rec.sceneCount ?? 0,
rev: rec.rev ?? 1,
session: rec.session,
updatedAt: coerceEpoch(rec.updatedAt, Date.now()),
deletedAt: rec.deletedAt == null ? null : coerceEpoch(rec.deletedAt, Date.now()),
updatedAt: coerceEpoch(rec.updatedAt, 0),
deletedAt: rec.deletedAt == null ? null : coerceEpoch(rec.deletedAt, 0),
};
}
@@ -105,7 +106,7 @@ async function pushOne(rec: StoryRecord): Promise<void> {
const res = await pushBlob(recordToEnvelope(rec));
if (!res) return; // network/auth failure → leave pending for next reconcile
if (res.won) {
await markRecordSynced(rec.id, rec.rev ?? 1);
await markRecordSynced(rec.id, rec.rev ?? 1, coerceEpoch(rec.updatedAt, 0));
} else if (res.stored) {
await putSyncedRecord(res.stored); // we lost → adopt the newer cloud state
}
@@ -177,7 +178,7 @@ async function reconcile(): Promise<void> {
for (const rec of toDelete) {
try {
const ok = await pushDelete(rec.id, rec.rev ?? 1, coerceEpoch(rec.deletedAt, Date.now()));
if (ok) await markRecordSynced(rec.id, rec.rev ?? 1);
if (ok) await markRecordSynced(rec.id, rec.rev ?? 1, coerceEpoch(rec.updatedAt, 0));
// !ok → cloud has a newer row; the next reconcile pulls it back.
} catch {
/* leave pending */
@@ -186,7 +187,7 @@ async function reconcile(): Promise<void> {
// Mark already-consistent records synced.
for (const rec of toMarkSynced) {
try {
await markRecordSynced(rec.id, rec.rev ?? 1);
await markRecordSynced(rec.id, rec.rev ?? 1, coerceEpoch(rec.updatedAt, 0));
} catch {
/* best-effort */
}
@@ -236,10 +237,10 @@ export async function pushDeletion(id: string): Promise<void> {
if (!AUTH_ENABLED || !id) return;
try {
if (!(await isAuthed())) return;
const rec = (await listAllRecordsForSync()).find((r) => r.id === id);
const rec = await idbGet<StoryRecord>(STORIES_STORE, id);
if (!rec || !rec.deletedAt) return; // not a tombstone / already gone
const ok = await pushDelete(id, rec.rev ?? 1, coerceEpoch(rec.deletedAt, Date.now()));
if (ok) await markRecordSynced(id, rec.rev ?? 1);
if (ok) await markRecordSynced(id, rec.rev ?? 1, coerceEpoch(rec.updatedAt, 0));
} catch {
/* leave pending */
}
+5 -8
View File
@@ -36,10 +36,10 @@ async function postJson<T>(url: string, body: unknown): Promise<T | null> {
export async function pullManifest(): Promise<StorySyncMeta[]> {
if (!AUTH_ENABLED) return [];
try {
const res = await fetch("/api/stories/manifest", { method: "GET" });
const res = await fetch("/api/stories/manifest", { method: "GET", cache: "no-store" });
if (!res.ok) return [];
const data = (await res.json()) as { items?: StorySyncMeta[] };
return data.items ?? [];
const data = (await res.json()) as { items?: unknown };
return Array.isArray(data.items) ? (data.items as StorySyncMeta[]) : [];
} catch {
return [];
}
@@ -48,11 +48,8 @@ export async function pullManifest(): Promise<StorySyncMeta[]> {
/** Pull full envelopes for the given ids. [] on empty ids / failure / auth off. */
export async function pullBlobs(ids: string[]): Promise<StorySyncEnvelope[]> {
if (!AUTH_ENABLED || ids.length === 0) return [];
const data = await postJson<{ blobs?: StorySyncEnvelope[] }>(
"/api/stories/pull",
{ ids },
);
return data?.blobs ?? [];
const data = await postJson<{ blobs?: unknown }>("/api/stories/pull", { ids });
return Array.isArray(data?.blobs) ? (data.blobs as StorySyncEnvelope[]) : [];
}
/** Push one envelope through the optimistic-concurrency RPC. Returns the
+6 -1
View File
@@ -251,10 +251,15 @@ export async function putSyncedRecord(
* the rev we pushed. A newer local edit (rev moved past what we pushed) is left
* pending so the next reconcile re-pushes the newer content. No-op if the
* record is gone or already synced (Req 8.1). */
export async function markRecordSynced(id: string, rev: number): Promise<void> {
export async function markRecordSynced(id: string, rev: number, updatedAt: number): Promise<void> {
const rec = await idbGet<StoryRecord>(STORIES_STORE, id);
if (!rec) return;
// Guard on BOTH rev and updatedAt. softDeleteStory bumps updatedAt WITHOUT
// bumping rev, so a same-rev-but-newer local tombstone produced while a push
// was in flight must NOT be marked synced by that older push's ack (it still
// owes a delete push). Symmetric with putSyncedRecord's concurrency guard.
if ((rec.rev ?? 1) !== rev) return;
if (coerceEpoch(rec.updatedAt, 0) !== coerceEpoch(updatedAt, 0)) return;
if (rec.syncState === "synced") return;
await idbPut(STORIES_STORE, { ...rec, syncState: "synced" });
}