Skip to content

CS-11126: drop Realm visibility / worldReadable caches#4868

Open
lukemelia wants to merge 1 commit into
mainfrom
cs-11126-drop-visibility-cache
Open

CS-11126: drop Realm visibility / worldReadable caches#4868
lukemelia wants to merge 1 commit into
mainfrom
cs-11126-drop-visibility-cache

Conversation

@lukemelia
Copy link
Copy Markdown
Contributor

@lukemelia lukemelia commented May 18, 2026

Summary

  • Drops the per-instance visibility() / #worldReadable memoization on Realm so a *: read grant or revoke applied on one replica is observed by every other replica on the next call instead of requiring a restart. This is the only audit finding from CS-11126 that touches auth correctness (vs. stale display data).
  • Refactors createRequestContext to fetch realm_permissions exactly once per request and derive both the world-readable flag and the full permissions map from the same row set, so the non-world-readable read path is not double-fetching.
  • Adds an integration test that simulates a peer-replica DB write via direct insertPermissions and asserts visibility() reflects the new state on the next call (the acceptance criterion from the ticket).

This is Option B from the ticket — fetch fresh, no NOTIFY channel — chosen because realm_permissions is a single indexed lookup and the per-request overhead is one SELECT.

Linear: CS-11126

Notes

  • Removed the boot-time await this.isWorldReadable() warmup — with no cache to prime, it was a wasted DB query.
  • Removed the cache-write inside patchRealmPermissions for the same reason.
  • visibility() body collapses from a memoized IIFE into a straight-line read.
  • Independent of the write-path lock issue; safe to land while launch remains single-replica.

Test plan

  • CI realm-server suite green (Docker not running locally — could not run integration tests in the worktree)
  • New test visibility() reflects out-of-band realm_permissions changes without restart passes in realm-endpoints/permissions-test.ts
  • Existing _permissions PATCH tests still pass

🤖 Generated with Claude Code

CS-11126: drop Realm visibility / worldReadable caches
411784e 
`Realm.visibility()` and `isWorldReadable()` were memoized per
instance, so a `*: read` grant or revoke applied via the PATCH
handler on replica A was silently ignored by every other replica
until restart — the only audit finding in the multi-replica
sweep that touches auth correctness, not just stale display data.

Going with Option B from the ticket: drop the caches entirely.
`realm_permissions` is indexed by `realm_url`, so each call is a
single SELECT. `createRequestContext` is refactored to do that
SELECT once per request and derive both the world-readable flag
and the full permissions map from the same row set, so the
non-world-readable read path is not double-fetching.

Removes the boot-time `await this.isWorldReadable()` warmup
(cache priming is now a no-op) and the cache-write inside
`patchRealmPermissions` (no cache to update). The `visibility()`
body collapses from a memoized IIFE into a straight-line read.

Adds an integration test in `permissions-test.ts` that simulates
a peer-replica DB write via direct `insertPermissions` and
asserts `visibility()` reflects the new state on the next call
without restart — the acceptance criterion from the ticket.
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 18, 2026
edited
Loading

Host Test Results

    1 files      1 suites   1h 46m 20s ⏱️
2 661 tests 2 646 ✅ 15 💤 0 ❌
2 680 runs  2 665 ✅ 15 💤 0 ❌

Results for commit 411784e.

Realm Server Test Results

    1 files      1 suites   8m 19s ⏱️
1 409 tests 1 409 ✅ 0 💤 0 ❌
1 496 runs  1 496 ✅ 0 💤 0 ❌

Results for commit 411784e.

@lukemelia lukemelia requested a review from Copilot May 18, 2026 21:57
@lukemelia lukemelia marked this pull request as ready for review May 18, 2026 21:57
Copilot AI reviewed May 18, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Removes the per-Realm memoization of visibility() and #worldReadable so that out-of-band changes to realm_permissions (e.g. a *: read grant/revoke applied on a peer replica) are observed without requiring a server restart. createRequestContext is refactored to do a single fetchRealmPermissions lookup per request and derive both the world-readable flag and the full permissions map from that one fetch.

Changes:

  • Drop #worldReadable/#worldReadablePromise/visibilityPromise caches and the boot-time warmup; collapse visibility() into a straight-line read.
  • Refactor createRequestContext to fetch realm_permissions exactly once and derive isWorldReadable from it.
  • Add an integration test that simulates a peer-replica DB write via insertPermissions and asserts visibility() reflects the new state on the next call.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
packages/runtime-common/realm.ts Remove visibility/worldReadable caches; single-fetch request context; simplify visibility().
packages/realm-server/tests/realm-endpoints/permissions-test.ts Add integration test asserting visibility reflects out-of-band permission writes.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@lukemelia lukemelia requested review from a team and habdelra May 18, 2026 22:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@habdelra habdelra Awaiting requested review from habdelra

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@lukemelia