improvement(db): add session statement/lock timeouts; simplify KB doc tx #4593
TheodoreSpeaks wants to merge 60 commits into
…ership workflow edits via sockets, ui improvements
…ng improvements, posthog, secrets mutations
…ration, signup method feature flags, SSO improvements
…nts, secrets performance, polling refactors, drag resources in mothership
…y invalidation, HITL docs
…endar triggers, docs updates, integrations/models pages improvements
…ions, jira forms endpoints
…mat, logs performance improvements
fix(csp): add missing analytics domains, remove unsafe-eval, fix workspace CSP gap (#4179)
fix(landing): return 404 for invalid dynamic route slugs (#4182)
improvement(seo): optimize sitemaps, robots.txt, and core web vitals across sim and docs (#4170)
fix(gemini): support structured output with tools on Gemini 3 models (#4184)
feat(brightdata): add Bright Data integration with 8 tools (#4183)
fix(mothership): fix superagent credentials (#4185)
fix(logs): close sidebar when selected log disappears from filtered list; cleanup (#4186)
v0.6.46: mothership streaming fixes, brightdata integration
…m integration, atlassian triggers
v0.6.57: mothership reliability, ashby refactor, tables row count, copilot id fix, bun upgrade
…rizations, mothership positional table row insertion, CI improvements, org-external users, file viewer improvements
v0.6.62: fix new copilot chat creation and selection on refresh
…ixes, db query optimizations, contract boundaries code hygiene, CORS, toast improvements, tables infinite query, executor robustness, reranker support
…tion blocks/connectors updates
…ogs block, parallel-in-loop wall clock, gpt-image-2
v0.6.67: VFS upload fix, posthog/copilot correlation, exa date filters, logs panel width, tables UI/DB decoupling
…ering upgrades, data drains, security hardening, paginated dropdowns
…ntegrations, robots.txt update, workday hardening
v0.6.72: billing pool contention fix
…personation fixes, md rendering, doc/pdf/pptx generation improvements
…pentelemetry updates, data drains to snowflake, blob, datadog, bigquery
v0.6.75: scheduler claim-budget drain, helm chart hardening, mothership md polish
| GitGuardian id | GitGuardian status | Secret | Commit | Filename | |
|---|---|---|---|---|---|
| 29606901 | Triggered | Generic High Entropy Secret | a54dcbe | apps/sim/providers/utils.test.ts | View secret |
| 32763747 | Triggered | Generic Password | 3e9849b | helm/sim/tests/validators_test.yaml | View secret |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secrets safely. Learn here the best practices.
- Revoke and rotate these secrets.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future consider
- following these best practices for managing and storing secrets including API keys and other credentials
- install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.
🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.
PR Summary
Medium Risk
Overview
Updates workspace archival to
Simplifies knowledge-base document creation (
Reviewed by Cursor Bugbot for commit 0ad209f. Bugbot is set up for automated code reviews on this repo.

Greptile Summary
This PR adds session-level

Confidence Score: 3/5
The connection-timeout and workspace-archival changes are clean and safe; the document-creation simplification removes a real deadlock surface but the claimed FK protection does not apply to soft-deletes, leaving orphaned documents possible on concurrent KB deletion.
The document-service refactor solves a real deadlock problem, but KB deletion is exclusively soft in this codebase so the race window is real — documents can be inserted into a just-deleted KB without any error. The insert and updatedAt update are also now two separate uncommitted statements, so a mid-flight interruption leaves a minor inconsistency.
apps/sim/lib/knowledge/documents/service.ts — the TOCTOU window and non-atomic insert/update deserve a second look before merging.

Reviews (1): Last reviewed commit: "improvement(db): add session statement/l..."
| // No tx wrapper: the bulk `db.insert(...).values([...])` is a single statement | ||
| // and atomic by Postgres. The KB FK constraint fails loud if the KB is | ||
| // concurrently deleted, so an explicit FOR UPDATE lock is unnecessary and | ||
| // doubles per-call pool checkouts. | ||
| const kb = await db | ||
| .select({ id: knowledgeBase.id }) | ||
| .from(knowledgeBase) | ||
| .where(and(eq(knowledgeBase.id, knowledgeBaseId), isNull(knowledgeBase.deletedAt))) | ||
| .limit(1) |
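Review bot: The rationale comment at the top of this hunk leans on the KB foreign key, but the select directly below decides liveness with isNull(knowledgeBase.deletedAt), which is a column value the foreign key cannot see. Either hold a row lock on the KB row in the same short transaction as the insert (keeping any slow work outside it), or make the insert itself conditional on deletedAt being null and treat zero inserted rows as "knowledge base not found".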
FK guard doesn't cover soft-deletes
The comment claims "KB FK constraint fails loud on concurrent KB delete," but KB deletion in this codebase is always a soft-delete (deletedAt = now) — confirmed by knowledgeService.ts ("Soft deleted knowledge base"). Since the knowledge_base row is never hard-deleted, the FK constraint on document.knowledgeBaseId never fires when a KB is concurrently soft-deleted.
The old SELECT ... FOR UPDATE locked the KB row for the duration of the transaction, serializing any concurrent soft-delete attempt. Without that lock, a concurrent UPDATE knowledge_base SET deletedAt = now can succeed between the SELECT on line 773 and the db.insert on line 850, leaving documents silently inserted into an already-deleted KB.
| if (documentRecords.length > 0) { | ||
| await db.insert(document).values(documentRecords) | ||
| logger.info( | ||
| `[${requestId}] Bulk created ${documentRecords.length} document records in knowledge base ${knowledgeBaseId}` | ||
| ) | ||
|
|
||
| return returnData | ||
| }) | ||
| await db | ||
| .update(knowledgeBase) | ||
| .set({ updatedAt: now }) | ||
| .where(eq(knowledgeBase.id, knowledgeBaseId)) |
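Review bot: The trailing update's `.where(eq(knowledgeBase.id, knowledgeBaseId))` has no isNull(knowledgeBase.deletedAt) predicate, so it bumps updatedAt on a soft-deleted KB as readily as on a live one. Consider running this update first, inside one short transaction with the insert, with the deletedAt predicate added and a check on the affected row count: the update then holds the KB row lock, an already-deleted KB matches zero rows and aborts before any document is written, and the insert and timestamp commit together.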
Non-atomic insert + timestamp update
The db.insert(document) and the subsequent db.update(knowledgeBase).set({ updatedAt }) run as two separate statements with no enclosing transaction. If the process is interrupted after the insert succeeds but before the update runs, documents will exist in Postgres with a stale knowledge_base.updatedAt. This applies identically to the createSingleDocument path at line 1326–1331.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 0ad209f. Configure here.
| .limit(1) | ||
| // No tx wrapper: the bulk `db.insert(...).values([...])` is a single statement | ||
| // and atomic by Postgres. The KB FK constraint fails loud if the KB is | ||
| // concurrently deleted, so an explicit FOR UPDATE lock is unnecessary and |
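Review bot: "fails loud if the KB is concurrently deleted" in this comment reads as a guarantee for any kind of delete, while a foreign key only reacts when the referenced row is physically removed. Reword it to name the case it covers and state separately how a delete recorded as a column update is handled during the call, so the comment cannot be read as covering both.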
FK constraint doesn't guard against soft-deleted KB race
Medium Severity
The comments claim "The KB FK constraint fails loud if the KB is concurrently deleted," but knowledge bases are only ever soft-deleted (setting deletedAt), never physically removed. The FK on document.knowledgeBaseId references knowledgeBase.id — since the row still exists after a soft-delete, the constraint is always satisfied and never rejects an insert. Removing the old FOR UPDATE lock + transaction means a concurrent soft-delete between the isNull(deletedAt) check and the db.insert(document) now silently succeeds, creating orphaned documents inside a deleted KB. The bulk path is especially exposed because processDocumentTags performs additional async DB calls that widen the race window.
Reviewed by Cursor Bugbot for commit 0ad209f. Configure here.
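
The foreign-key point both reviews raise, replayed as an added example (not code from this PR or repository). Assumptions: SQLite stands in for Postgres, the schema and names are constructed, and the race is replayed sequentially as check, delete, insert.

```python
import sqlite3

# Constructed schema: table and column names are assumptions, not the project's DDL.
SCHEMA = """
CREATE TABLE knowledge_base (id TEXT PRIMARY KEY, deleted_at TEXT);
CREATE TABLE document (id TEXT PRIMARY KEY, knowledge_base_id TEXT NOT NULL REFERENCES knowledge_base(id));
INSERT INTO knowledge_base VALUES ('kb1', NULL);
"""
LIVE_CHECK = "SELECT 1 FROM knowledge_base WHERE id = 'kb1' AND deleted_at IS NULL"
SOFT_DELETE = "UPDATE knowledge_base SET deleted_at = 'now' WHERE id = 'kb1'"
HARD_DELETE = "DELETE FROM knowledge_base WHERE id = 'kb1'"

def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when enabled
    conn.executescript(SCHEMA)
    return conn

def unguarded_insert(conn):
    """Plain insert that relies on the FK alone to reject a deleted KB."""
    try:
        conn.execute("INSERT INTO document VALUES ('doc1', 'kb1')")
        conn.commit()
        return "inserted"
    except sqlite3.IntegrityError:
        return "fk_violation"

def guarded_insert(conn):
    """Insert whose own WHERE clause re-checks that the KB is still live."""
    conn.execute(
        "INSERT INTO document (id, knowledge_base_id) "
        "SELECT 'doc1', id FROM knowledge_base WHERE id = 'kb1' AND deleted_at IS NULL")
    conn.commit()
    n = conn.execute("SELECT COUNT(*) FROM document").fetchone()[0]
    return "inserted" if n == 1 else "kb_not_live"

def run_case(delete_sql, insert):
    """The pre-check passes, the concurrent delete lands, then the insert runs."""
    conn = fresh_db()
    check_passed = conn.execute(LIVE_CHECK).fetchone() is not None
    conn.execute(delete_sql)
    conn.commit()
    return check_passed, insert(conn)

def replay():
    return {"soft_unguarded": run_case(SOFT_DELETE, unguarded_insert),
            "hard_unguarded": run_case(HARD_DELETE, unguarded_insert),
            "soft_guarded": run_case(SOFT_DELETE, guarded_insert)}

print(replay())
```

The guarded form only re-checks liveness inside the insert statement; in Postgres, fully serializing against a concurrent soft-delete still takes a row lock on the KB row in the same transaction.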


Summary
- lock_timeout=5s / statement_timeout=30s session defaults via connection: {...} startup params in packages/db/db.ts. Converts silent pool wedges into loud server-side cancellations.
- SET LOCAL statement_timeout='5min' and lock_timeout='30s' — rare admin op stays atomic without tripping the new global default.
- db.transaction + SELECT 1 ... FOR UPDATE wrapper. A single bulk db.insert(...).values([...]) is atomic by Postgres natively; FK fails loud on concurrent KB delete. Side effect: removes a processDocumentTags-uses-db-inside-tx deadlock surface.

Type of Change

Testing
Tested manually.
bun run lint clean. bun run check:api-validation:strict passes. Vitest: workspace lifecycle 2/2, billing 29/29, knowledge 43/43, webhook trigger 17/17.

Checklist