fix: add skipOnUnsynced option to reconcileOrganization to prevent data loss

TheLastCicada · TheLastCicada · commit 9cf6cb75c442 · 2026-04-23T14:47:07.000-07:00
Bugbot flagged a High Severity regression on 6d41b71: reconcileOrganization now silently returns (no throw) when a store is unsynced or the subscribe call fails, but the user-facing resyncOrganization controller (POST /organizations/resync and POST /v2/organizations/resync) calls reconcileOrganization and then unconditionally: 1. Resets registryHash / registry_hash to '0' 2. Destroys ModelKeys rows (V1) / AuditV2 rows (V2) for the orgUid Before this PR, reconcileOrganization would either complete or throw; the throw would hit the controller's catch, roll back the transaction, and return 400 without destroying data. After 6d41b71, a transient datalayer hiccup (subscribe returns false, sync-status RPC fails, etc.) causes the resync endpoint to "succeed" with silent data deletion. Fix: add a { skipOnUnsynced } option to both V1 and V2 reconcileOrganization. - Default (false): throw on any subscribe-failed / store-unsynced / status-check-failed condition. Restores pre-6e76235 behavior for request-path callers. - true: silent skip with an INFO log. Preserves the sync-blocking regression fix for background task callers (validate-organization-table-and-subscriptions*.js). Background task callers updated to pass { skipOnUnsynced: true }. The two resync controllers are unchanged — they continue to call reconcileOrganization with the (now throwing) default behavior, which hits their existing catch block and rolls back the transaction. Adds six contract tests covering the new option in simulator mode (signature acceptance, no-option back-compat, no signature errors for either value). Production throw/skip behavior remains covered by live integration tests; simulator mode cannot reach the pre-check block (wrapped in !USE_SIMULATOR for V2, guarded at the top of the function for V1).
diff --git a/src/models/organizations/organizations.model.js b/src/models/organizations/organizations.model.js
@@ -789,7 +789,7 @@ class Organization extends Model {
    * @returns {Promise<void>}
    * @throws Error on failure. call in a try block
    */
-  static async reconcileOrganization(organization) {
+  static async reconcileOrganization(organization, { skipOnUnsynced = false } = {}) {
     if (USE_SIMULATOR) {
       return;
     }
@@ -830,6 +830,19 @@ class Organization extends Model {
       }
     }
 
+    // Skip-or-throw helper: for transient "not ready" conditions, background
+    // tasks want a silent skip (skipOnUnsynced=true), request-paths want a hard
+    // failure (skipOnUnsynced=false, the default) so their downstream destructive
+    // writes (e.g. POST /organizations/resync resetting registryHash and
+    // destroying all data-model rows) don't run against stale state.
+    const skipOrThrow = (message) => {
+      if (skipOnUnsynced) {
+        logger.info(`[v1]: reconcileOrganization: ${message}. Will retry on next task run.`);
+        return;
+      }
+      throw new Error(`reconcileOrganization: ${message}`);
+    };
+
     // Subscribe to org store first so it begins syncing, then check sync status
     // before entering the blocking subscription flow.  If either the org store or
     // its derived singleton store is not yet synced, return early so the periodic
@@ -840,51 +853,48 @@ class Organization extends Model {
     // errors, so guard on both.  Without the falsy-return check, the dominant
     // datalayer-unreachable failure would slip past the try/catch and the
     // subsequent "not yet synced" skip log would be misleading.
+    let subscribeErr;
     try {
       const subscribed = await datalayer.subscribeToStoreOnDataLayer(orgUid);
       if (!subscribed) {
-        logger.warn(
-          `[v1]: reconcileOrganization: could not subscribe to org store ${orgUid}. Skipping reconcile, will retry on next task run.`,
-        );
-        return;
+        subscribeErr = `could not subscribe to org store ${orgUid}`;
       }
     } catch (error) {
-      logger.warn(
-        `[v1]: reconcileOrganization: could not subscribe to org store ${orgUid}: ${error.message}. Skipping reconcile, will retry on next task run.`,
-      );
+      subscribeErr = `could not subscribe to org store ${orgUid}: ${error.message}`;
+    }
+    if (subscribeErr) {
+      skipOrThrow(subscribeErr);
       return;
     }
 
+    let orgStatusErr;
     try {
       const orgSyncStatus = await getDataLayerStoreSyncStatus(orgUid);
       if (!isDlStoreSynced(orgSyncStatus?.sync_status)) {
-        logger.info(
-          `[v1]: reconcileOrganization: org store ${orgUid} not yet synced, skipping reconcile. Will retry on next task run.`,
-        );
-        return;
+        orgStatusErr = `org store ${orgUid} not yet synced`;
       }
     } catch (error) {
-      logger.warn(
-        `[v1]: reconcileOrganization: could not check sync status for org store ${orgUid}, skipping reconcile: ${error.message}`,
-      );
+      orgStatusErr = `could not check sync status for org store ${orgUid}: ${error.message}`;
+    }
+    if (orgStatusErr) {
+      skipOrThrow(orgStatusErr);
       return;
     }
 
     // Check the singleton (data model version) store before the blocking fetch inside
     // subscribeToOrganization so that an unsynced singleton doesn't stall the background task.
     if (dataModelVersionStoreId) {
+      let singletonStatusErr;
       try {
         const singletonSyncStatus = await getDataLayerStoreSyncStatus(dataModelVersionStoreId);
         if (!isDlStoreSynced(singletonSyncStatus?.sync_status)) {
-          logger.info(
-            `[v1]: reconcileOrganization: singleton store ${dataModelVersionStoreId} for org ${orgUid} not yet synced, skipping reconcile. Will retry on next task run.`,
-          );
-          return;
+          singletonStatusErr = `singleton store ${dataModelVersionStoreId} for org ${orgUid} not yet synced`;
         }
       } catch (error) {
-        logger.warn(
-          `[v1]: reconcileOrganization: could not check sync status for singleton store ${dataModelVersionStoreId}, skipping reconcile: ${error.message}`,
-        );
+        singletonStatusErr = `could not check sync status for singleton store ${dataModelVersionStoreId}: ${error.message}`;
+      }
+      if (singletonStatusErr) {
+        skipOrThrow(singletonStatusErr);
         return;
       }
     }
@@ -1014,16 +1024,20 @@ class Organization extends Model {
    * @returns {Promise<void>}
    */
   static async importOrganization(orgUid, isHome = false) {
-    // Subscribe to the org store first, then check sync status.
-    // This ensures new org stores get subscribed on the first pass so they can
-    // begin syncing, and subsequent runs will find them synced and proceed.
+    // Subscribe-first, then check sync status. This ensures new org stores
+    // get subscribed on the first pass so they can begin syncing, and
+    // subsequent runs will find them synced and proceed.
     if (!USE_SIMULATOR) {
-      try {
-        await datalayer.subscribeToStoreOnDataLayer(orgUid);
-      } catch (error) {
-        logger.warn(
-          `[v1]: Could not subscribe to store for ${orgUid}, skipping import: ${error.message}`,
-        );
+      if (
+        !(await subscribeOrSkip({
+          datalayer,
+          storeId: orgUid,
+          logger,
+          prefix: '[v1]: importOrganization',
+          label: 'org',
+          action: 'import',
+        }))
+      ) {
         return;
       }
 
diff --git a/src/models/v2/organizations-v2.model.js b/src/models/v2/organizations-v2.model.js
@@ -1835,11 +1835,24 @@ class OrganizationsV2 extends Model {
   }
 
   /**
-   * Reconcile organization - validate and update database with datalayer data
+   * Reconcile organization - validate and update database with datalayer data.
+   *
    * @param {Object} organization - Organization record
+   * @param {Object} [options]
+   * @param {boolean} [options.skipOnUnsynced=false] - When true, silently
+   *   return early if the org or singleton store is unsynced or if a subscribe
+   *   call fails.  Background task callers (validate-organization-table*) must
+   *   pass `true` so a transient datalayer hiccup doesn't block task cadence.
+   *   Request-path callers (e.g. POST /organizations/resync) MUST leave this
+   *   `false`: their downstream code (e.g. resetting registry_hash,
+   *   destroying audit records) depends on reconcile either completing or
+   *   throwing, never silently skipping — otherwise a datalayer hiccup causes
+   *   data deletion without reconciliation.
    * @returns {Promise<void>}
+   * @throws When `skipOnUnsynced` is false and any of: the org store subscribe
+   *   fails, the org or singleton store is unsynced, or a sync-status RPC fails.
    */
-  static async reconcileOrganization(organization) {
+  static async reconcileOrganization(organization, { skipOnUnsynced = false } = {}) {
     const { org_uid, is_home, data_model_version_store_id } = organization;
 
     loggerV2.info(`[v2]: Reconciling organization ${org_uid}`);
@@ -1855,6 +1868,17 @@ class OrganizationsV2 extends Model {
       }
     }
 
+    // Skip-or-throw helper: for transient "not ready" conditions, background
+    // tasks want a silent skip, request-paths want a hard failure so their
+    // downstream destructive writes don't run.
+    const skipOrThrow = (message) => {
+      if (skipOnUnsynced) {
+        loggerV2.info(`[v2]: reconcileOrganization: ${message}. Will retry on next task run.`);
+        return;
+      }
+      throw new Error(`reconcileOrganization: ${message}`);
+    };
+
     // Subscribe to org store first so it begins syncing, then check sync status
     // before entering the blocking subscription flow.
     //
@@ -1864,49 +1888,46 @@ class OrganizationsV2 extends Model {
     // datalayer-unreachable failure would slip past the try/catch and the
     // subsequent "not yet synced" skip log would be misleading.
     if (!USE_SIMULATOR) {
+      let subscribeErr;
       try {
         const subscribed = await datalayer.subscribeToStoreOnDataLayer(org_uid);
         if (!subscribed) {
-          loggerV2.warn(
-            `[v2]: reconcileOrganization: could not subscribe to org store ${org_uid}. Skipping reconcile, will retry on next task run.`,
-          );
-          return;
+          subscribeErr = `could not subscribe to org store ${org_uid}`;
         }
       } catch (error) {
-        loggerV2.warn(
-          `[v2]: reconcileOrganization: could not subscribe to org store ${org_uid}: ${error.message}. Skipping reconcile, will retry on next task run.`,
-        );
+        subscribeErr = `could not subscribe to org store ${org_uid}: ${error.message}`;
+      }
+      if (subscribeErr) {
+        skipOrThrow(subscribeErr);
         return;
       }
 
+      let orgStatusErr;
       try {
         const orgSyncStatus = await datalayer.getDataLayerStoreSyncStatus(org_uid);
         if (!isDlStoreSynced(orgSyncStatus?.sync_status)) {
-          loggerV2.info(
-            `[v2]: reconcileOrganization: org store ${org_uid} not yet synced, skipping reconcile. Will retry on next task run.`,
-          );
-          return;
+          orgStatusErr = `org store ${org_uid} not yet synced`;
         }
       } catch (error) {
-        loggerV2.warn(
-          `[v2]: reconcileOrganization: could not check sync status for org store ${org_uid}, skipping reconcile: ${error.message}`,
-        );
+        orgStatusErr = `could not check sync status for org store ${org_uid}: ${error.message}`;
+      }
+      if (orgStatusErr) {
+        skipOrThrow(orgStatusErr);
         return;
       }
 
       if (data_model_version_store_id) {
+        let singletonStatusErr;
         try {
           const singletonSyncStatus = await datalayer.getDataLayerStoreSyncStatus(data_model_version_store_id);
           if (!isDlStoreSynced(singletonSyncStatus?.sync_status)) {
-            loggerV2.info(
-              `[v2]: reconcileOrganization: singleton store ${data_model_version_store_id} for org ${org_uid} not yet synced, skipping reconcile. Will retry on next task run.`,
-            );
-            return;
+            singletonStatusErr = `singleton store ${data_model_version_store_id} for org ${org_uid} not yet synced`;
           }
         } catch (error) {
-          loggerV2.warn(
-            `[v2]: reconcileOrganization: could not check sync status for singleton store ${data_model_version_store_id}, skipping reconcile: ${error.message}`,
-          );
+          singletonStatusErr = `could not check sync status for singleton store ${data_model_version_store_id}: ${error.message}`;
+        }
+        if (singletonStatusErr) {
+          skipOrThrow(singletonStatusErr);
           return;
         }
       }
diff --git a/src/tasks/validate-organization-table-and-subscriptions-v2.js b/src/tasks/validate-organization-table-and-subscriptions-v2.js
@@ -37,7 +37,12 @@ const task = new Task('validate-organization-table-v2', async () => {
             );
 
             try {
-              await OrganizationsV2.reconcileOrganization(organization);
+              // Background task — skip (not throw) when the org/singleton store
+              // is unsynced or a subscribe call fails, so a transient datalayer
+              // hiccup doesn't spam ERROR logs or block task cadence.
+              await OrganizationsV2.reconcileOrganization(organization, {
+                skipOnUnsynced: true,
+              });
             } catch (error) {
               loggerV2.error(
                 `failed reconcile organization records and subscriptions for organization ${organization.org_uid}. Error: ${error.message}. `,
diff --git a/src/tasks/validate-organization-table-and-subscriptions.js b/src/tasks/validate-organization-table-and-subscriptions.js
@@ -37,7 +37,12 @@ const task = new Task('validate-organization-table', async () => {
             );
 
             try {
-              await Organization.reconcileOrganization(organization);
+              // Background task — skip (not throw) when the org/singleton store
+              // is unsynced or a subscribe call fails, so a transient datalayer
+              // hiccup doesn't spam ERROR logs or block task cadence.
+              await Organization.reconcileOrganization(organization, {
+                skipOnUnsynced: true,
+              });
             } catch (error) {
               logger.error(
                 `failed reconcile organization records and subscriptions for organization ${organization.orgUid}. Error: ${error.message}. `,
diff --git a/tests/v2/integration/reconcile-unsynced-stores.spec.js b/tests/v2/integration/reconcile-unsynced-stores.spec.js
