fix: address bugbot review for mirror handler callback + enable check

TheLastCicada · TheLastCicada · commit dfab7961faf1 · 2026-04-20T09:23:08.000-07:00
Three unresolved bugbot findings on PR #1585: 1. Skip mirror callback when MySQL setup has not completed yet (V1+V2). In safeMirrorDbHandler[V2], after the post-reconnect await, the callback previously ran unconditionally. If MySQL setup was still failing (mirrorSetupSucceeded=false), the write hit tables that did not exist and the error was swallowed by the outer catch. Add a guard that returns early when MySQL is configured but setup has not succeeded. The next authenticate() success re-enters the reconnect path and retries setup. 2. Prevent mirrorDBEnabledV2 from desyncing from sequelizeV2Mirror. sequelizeV2Mirror is built once at module load from the memoized config. mirrorDBEnabledV2() previously re-read the live config on every call, which could flip the enablement true while writes still go to the originally-selected SQLite fallback. Snapshot the enablement at module load (v2MirrorTargetsMysql) so the check stays consistent with the Sequelize instance. 3. Apply the same snapshot pattern to V1 for symmetry (v1MirrorConfiguredAtLoad + mirrorDBEnabled). Add test-only overrides (__setMysqlConfiguredForReconnect*, __resetMirrorAuthState*) and regression tests for the new skip-callback guard in both the V1 and V2 reconnect specs. The auth-state reset is required to prevent the new test from leaving mirrorAuthState in 'disconnected' and leaking into downstream integration specs.
diff --git a/src/database/index.js b/src/database/index.js
@@ -45,6 +45,24 @@ const mirrorConfig =
   (process.env.NODE_ENV || 'local') === 'local' ? 'mirror' : 'mirrorTest';
 export const sequelizeMirror = new Sequelize(config[mirrorConfig]);
 
+// Snapshot of whether V1 MIRROR_DB was fully configured at module-load time.
+// Captured alongside sequelizeMirror construction so mirrorDBEnabled() stays
+// consistent with the backend sequelizeMirror was actually built against.
+// Reading the live config on every call would let tests that clear the
+// getConfig() memoize cache (or any future runtime-reload path) drift the
+// enablement check away from the already-constructed Sequelize instance.
+// Symmetric with v2MirrorTargetsMysql in src/database/v2/index.js.
+const v1MirrorConfiguredAtLoad = (() => {
+  const CONFIG = getConfig();
+  return !!(
+    CONFIG?.MIRROR_DB?.DB_HOST &&
+    CONFIG.MIRROR_DB.DB_HOST !== '' &&
+    CONFIG.MIRROR_DB.DB_NAME &&
+    CONFIG.MIRROR_DB.DB_USERNAME &&
+    CONFIG.MIRROR_DB.DB_PASSWORD
+  );
+})();
+
 const logDebounce = _.debounce(() => {
   console.log('Mirror DB not connected');
   logger.info('Mirror DB not connected');
@@ -56,6 +74,11 @@ const logDebounce = _.debounce(() => {
 // real config value".
 let mirrorEnabledTestOverride = null;
 
+// Test-only override for isMysqlMirrorConfiguredForReconnect(). Tests set
+// this to simulate "MySQL is configured" (or not) independently of the
+// actual config.yaml. null means "use the real config value".
+let mysqlConfiguredForReconnectOverride = null;
+
 // Track the last observed auth outcome so we can detect a transition from
 // "disconnected" back to "connected" and trigger a catch-up backfill. This
 // recovers writes (INSERT/UPDATE) and deletes that were dropped during an
@@ -82,7 +105,6 @@ export const mirrorDBEnabled = () => {
   if (mirrorEnabledTestOverride !== null) {
     return mirrorEnabledTestOverride;
   }
-  const CONFIG = getConfig();
   // In production-like mode ('local' env), require full MySQL config.
   // In SQLite-fallback test mode ('mirrorTest' env), leave the mirror
   // enabled unconditionally so integration tests that rely on the
@@ -97,13 +119,11 @@ export const mirrorDBEnabled = () => {
   // is gated separately in prepareDb() via
   // isMysqlMirrorConfiguredForReconnect(), not via mirrorDBEnabled(),
   // so the backfill only fires when MySQL is actually configured.
-  if (
-    mirrorConfig === 'mirror' &&
-    (!CONFIG?.MIRROR_DB?.DB_HOST ||
-      !CONFIG?.MIRROR_DB?.DB_NAME ||
-      !CONFIG?.MIRROR_DB?.DB_USERNAME ||
-      !CONFIG?.MIRROR_DB?.DB_PASSWORD)
-  ) {
+  //
+  // Uses v1MirrorConfiguredAtLoad (module-load snapshot) so this check
+  // stays consistent with the backend sequelizeMirror was built against.
+  // Symmetric with mirrorDBEnabledV2.
+  if (mirrorConfig === 'mirror' && !v1MirrorConfiguredAtLoad) {
     return false;
   }
   return true;
@@ -122,6 +142,23 @@ export const __setMirrorSetupSucceededForTests = (value) => {
   mirrorSetupSucceeded = value;
 };
 
+// Test-only. DO NOT call from production code. Forces
+// isMysqlMirrorConfiguredForReconnect() to return a specific boolean so
+// tests can exercise the reconnect setup / skip-callback guards without a
+// live MySQL instance or a real MIRROR_DB config. null restores live behaviour.
+export const __setMysqlConfiguredForReconnectForTests = (value) => {
+  mysqlConfiguredForReconnectOverride = value;
+};
+
+// Test-only. DO NOT call from production code. Resets the internal
+// auth-state machine back to 'unknown' so tests that intentionally leave
+// the state in 'disconnected' can reset it in an afterEach hook and avoid
+// leaking reconnect behaviour into downstream specs running in the same
+// mocha session.
+export const __resetMirrorAuthStateForTests = () => {
+  mirrorAuthState = 'unknown';
+};
+
 /**
  * Ensure the V1 MySQL mirror database exists and has up-to-date migrations.
  * Idempotent: safe to call from startup and again on every reconnect.
@@ -185,6 +222,9 @@ export const prepareMysqlMirror = async () => {
 // Used to gate reconnect-setup retries - only MySQL configs need the setup
 // retry path; SQLite test fallbacks never need it.
 const isMysqlMirrorConfiguredForReconnect = () => {
+  if (mysqlConfiguredForReconnectOverride !== null) {
+    return mysqlConfiguredForReconnectOverride;
+  }
   const CONFIG = getConfig();
   return !!(
     CONFIG?.MIRROR_DB?.DB_HOST &&
@@ -271,6 +311,20 @@ export const safeMirrorDbHandler = (callback) => {
             await reconnectBackfillPromise;
           }
 
+          // If MySQL is configured but the one-time setup (CREATE DATABASE
+          // + migrations) has not yet completed, the mirror tables don't
+          // exist. Running the callback would produce a confusing
+          // "table doesn't exist" error that gets swallowed by the catch
+          // below. Skip quietly - the next authenticate success will
+          // re-enter startReconnectBackfill and retry setup. Symmetric
+          // with safeMirrorDbHandlerV2.
+          if (
+            isMysqlMirrorConfiguredForReconnect() &&
+            !mirrorSetupSucceeded
+          ) {
+            return;
+          }
+
           try {
             await callback();
           } catch (e) {
diff --git a/src/database/v2/index.js b/src/database/v2/index.js
@@ -55,12 +55,20 @@ const mirrorConfig = mysqlMirrorConfigured ? 'v2Mirror' : 'v2MirrorTest';
 
 loggerV2.info(`[v2]: Mirror DB config selected: ${mirrorConfig} (MySQL configured: ${!!mysqlMirrorConfigured})`);
 
+// Test-only override for isMysqlMirrorConfiguredForReconnectV2(). Tests set
+// this to simulate "MySQL is configured" (or not) independently of the actual
+// config.yaml. null means "use the real config value".
+let mysqlConfiguredForReconnectOverrideV2 = null;
+
 // Returns true if V2.MIRROR_DB is fully configured with MySQL credentials.
 // Used to gate reconnect-setup retries - only MySQL configs need the setup
 // retry path; SQLite test fallbacks never need it. Reads config on every
 // call so the check stays correct across config reloads (symmetric with
 // V1's isMysqlMirrorConfiguredForReconnect).
 const isMysqlMirrorConfiguredForReconnectV2 = () => {
+  if (mysqlConfiguredForReconnectOverrideV2 !== null) {
+    return mysqlConfiguredForReconnectOverrideV2;
+  }
   const c = getConfigV2()?.MIRROR_DB;
   return !!(
     c?.DB_HOST &&
@@ -73,6 +81,21 @@ const isMysqlMirrorConfiguredForReconnectV2 = () => {
 
 export const sequelizeV2Mirror = new Sequelize(config[mirrorConfig]);
 
+// Snapshot of "is the mirror Sequelize instance actually pointing at MySQL"
+// taken at module-load time, alongside sequelizeV2Mirror construction.
+//
+// mirrorDBEnabledV2() must stay consistent with the backend that
+// sequelizeV2Mirror writes to. sequelizeV2Mirror is built ONCE above from
+// either the MySQL config (v2Mirror) or the SQLite fallback (v2MirrorTest)
+// and is never rebuilt - runtime config changes cannot move an already-open
+// Sequelize instance to a different target. If we re-read the live config
+// on every mirrorDBEnabledV2() call (the previous behaviour), a runtime
+// config change could flip enablement true while writes still go to the
+// originally-selected SQLite fallback, silently desyncing the mirror.
+// See PR #1585 bugbot finding "Mirror enable check desynchronizes mirror
+// target".
+const v2MirrorTargetsMysql = !!mysqlMirrorConfigured;
+
 // Test-only override. Tests set this to force mirror-enabled behaviour
 // against the SQLite fallback sequelizeV2Mirror so backfill / reconnect
 // code paths can be exercised without a live MySQL instance. null means
@@ -107,10 +130,15 @@ export const mirrorDBEnabledV2 = () => {
   if (mirrorEnabledTestOverrideV2 !== null) {
     return mirrorEnabledTestOverrideV2;
   }
-  // Read config dynamically so any runtime reload is reflected here
-  // (symmetric with V1's mirrorDBEnabled and with the setupNeverRan gate
-  // in safeMirrorDbHandlerV2 below).
-  return isMysqlMirrorConfiguredForReconnectV2();
+  // Use the module-load snapshot so this check stays consistent with the
+  // backend that sequelizeV2Mirror was actually constructed against.
+  // Reading the live config here would allow the check to drift away from
+  // the Sequelize instance after a runtime config change, causing writes
+  // intended for MySQL to silently land in the SQLite fallback (or vice
+  // versa). The setupNeverRan gate in safeMirrorDbHandlerV2 below still
+  // reads live config for its own purpose (deciding whether to retry the
+  // reconnect setup path).
+  return v2MirrorTargetsMysql;
 };
 
 // Test-only. DO NOT call from production code. Passing `null` restores the
@@ -128,6 +156,23 @@ export const __setMirrorSetupSucceededForTestsV2 = (value) => {
   v2MirrorSetupSucceeded = value;
 };
 
+// Test-only. DO NOT call from production code. Forces
+// isMysqlMirrorConfiguredForReconnectV2() to return a specific boolean so
+// tests can exercise the reconnect setup / skip-callback guards without a
+// live MySQL instance or a real MIRROR_DB config. null restores live behaviour.
+export const __setMysqlConfiguredForReconnectForTestsV2 = (value) => {
+  mysqlConfiguredForReconnectOverrideV2 = value;
+};
+
+// Test-only. DO NOT call from production code. Resets the internal
+// auth-state machine back to 'unknown' so tests that intentionally leave
+// the state in 'disconnected' can reset it in an afterEach hook and avoid
+// leaking reconnect behaviour into downstream specs running in the same
+// mocha session.
+export const __resetMirrorAuthStateForTestsV2 = () => {
+  v2MirrorAuthState = 'unknown';
+};
+
 /**
  * Validate that V1 and V2 mirror database names are different when both are configured.
  * Throws an error if both V1 and V2 MIRROR_DB.DB_NAME are set to the same non-empty value.
@@ -234,6 +279,19 @@ export const safeMirrorDbHandlerV2 = (callback) => {
             await v2ReconnectBackfillPromise;
           }
 
+          // If MySQL is configured but the one-time setup (CREATE DATABASE
+          // + migrations) has not yet completed, the mirror tables don't
+          // exist. Running the callback would produce a confusing
+          // "table doesn't exist" error that gets swallowed by the catch
+          // below. Skip quietly - the next authenticate success will
+          // re-enter startV2ReconnectBackfill and retry setup.
+          if (
+            isMysqlMirrorConfiguredForReconnectV2() &&
+            !v2MirrorSetupSucceeded
+          ) {
+            return;
+          }
+
           try {
             await callback();
           } catch (e) {
diff --git a/tests/integration/mirror-reconnect.spec.js b/tests/integration/mirror-reconnect.spec.js
@@ -12,6 +12,8 @@ import {
   safeMirrorDbHandler,
   __setMirrorEnabledForTests,
   __setMirrorSetupSucceededForTests,
+  __setMysqlConfiguredForReconnectForTests,
+  __resetMirrorAuthStateForTests,
 } from '../../src/database/index.js';
 import { ProjectMirror } from '../../src/models/projects/projects.model.mirror.js';
 
@@ -52,6 +54,12 @@ describe('Mirror Reconnect and Orphan Sweep (V1)', function () {
   afterEach(async function () {
     __setMirrorEnabledForTests(null);
     __setMirrorSetupSucceededForTests(false);
+    __setMysqlConfiguredForReconnectForTests(null);
+    // Reset auth-state machine so downstream specs running in the same
+    // mocha session (project.spec.js, unit.spec.js, etc.) don't observe a
+    // leaked 'disconnected' state and enter the reconnect path on their
+    // first mirror write.
+    __resetMirrorAuthStateForTests();
     sinon.restore();
 
     // Clean both databases between tests. We clear a minimal set of tables
@@ -217,5 +225,44 @@ describe('Mirror Reconnect and Orphan Sweep (V1)', function () {
       expect(mirrorAfter, 'reconnect backfill must recover missing row').to.not
         .be.null;
     });
+
+    // Placed last in this block because it intentionally leaves
+    // mirrorAuthState in the 'disconnected' state (startReconnectBackfill
+    // does so on setup failure). Running another reconnect-related test
+    // after this one would observe that stale state and behave differently.
+    it('should skip the callback when MySQL is configured but setup has not completed yet', async function () {
+      // Regression guard for the post-reconnect skip-callback branch in
+      // safeMirrorDbHandler. When the mirror is "enabled" and authenticate()
+      // succeeds but the one-time setup (CREATE DATABASE + migrations) has
+      // not yet completed, running the callback would hit tables that don't
+      // exist and produce a confusing swallowed error. The handler must
+      // skip the callback silently in that window. Symmetric with V2.
+      //
+      // Forces both prongs of the guard true:
+      //   - isMysqlMirrorConfiguredForReconnect() -> true
+      //   - mirrorSetupSucceeded                  -> false
+      __setMysqlConfiguredForReconnectForTests(true);
+      __setMirrorSetupSucceededForTests(false);
+
+      // Happy-path authenticate so the handler reaches the guard without
+      // going through the disconnected-catch branch. The handler will first
+      // call startReconnectBackfill (because setupNeverRan is true), which
+      // calls prepareMysqlMirror. prepareMysqlMirror reads config.yaml
+      // directly (not via the override above) and, with no real MIRROR_DB
+      // in the test config, returns false. That leaves mirrorSetupSucceeded
+      // still false, so the new guard trips.
+      sinon.stub(sequelizeMirror, 'authenticate').resolves();
+
+      let cbRan = false;
+      await safeMirrorDbHandler(async () => {
+        cbRan = true;
+      });
+      await new Promise((r) => setTimeout(r, 100));
+
+      expect(
+        cbRan,
+        'callback must not run while MySQL setup is still pending',
+      ).to.equal(false);
+    });
   });
 });
diff --git a/tests/v2/integration/mirror-reconnect-v2.spec.js b/tests/v2/integration/mirror-reconnect-v2.spec.js
@@ -12,6 +12,8 @@ import {
   safeMirrorDbHandlerV2,
   __setMirrorEnabledForTestsV2,
   __setMirrorSetupSucceededForTestsV2,
+  __setMysqlConfiguredForReconnectForTestsV2,
+  __resetMirrorAuthStateForTestsV2,
 } from '../../../src/database/v2/index.js';
 import { loggerV2 } from '../../../src/config/logger.js';
 import {
@@ -65,6 +67,11 @@ describe('Mirror Reconnect and Orphan Sweep (V2)', function () {
   afterEach(async function () {
     __setMirrorEnabledForTestsV2(null);
     __setMirrorSetupSucceededForTestsV2(false);
+    __setMysqlConfiguredForReconnectForTestsV2(null);
+    // Reset auth-state machine so downstream specs running in the same
+    // mocha session don't observe a leaked 'disconnected' state and enter
+    // the reconnect path on their first mirror write.
+    __resetMirrorAuthStateForTestsV2();
     sinon.restore();
 
     for (const t of ['program', 'organizations']) {
@@ -266,5 +273,44 @@ describe('Mirror Reconnect and Orphan Sweep (V2)', function () {
       loggerSpy.restore();
       backfillSpy.restore();
     });
+
+    // Placed last in this block because it intentionally leaves
+    // v2MirrorAuthState in the 'disconnected' state (startV2ReconnectBackfill
+    // does so on setup failure). Running another reconnect-related test
+    // after this one would observe that stale state and behave differently.
+    it('should skip the callback when MySQL is configured but setup has not completed yet', async function () {
+      // Regression guard for the post-reconnect skip-callback branch in
+      // safeMirrorDbHandlerV2. When the mirror is "enabled" and
+      // authenticate() succeeds but the one-time setup (CREATE DATABASE +
+      // migrations) has not yet completed, running the callback would hit
+      // tables that don't exist and produce a confusing swallowed error.
+      // The handler must skip the callback silently in that window.
+      //
+      // Forces both prongs of the guard true:
+      //   - isMysqlMirrorConfiguredForReconnectV2() -> true
+      //   - v2MirrorSetupSucceeded                  -> false
+      __setMysqlConfiguredForReconnectForTestsV2(true);
+      __setMirrorSetupSucceededForTestsV2(false);
+
+      // Happy-path authenticate so the handler reaches the guard without
+      // going through the disconnected-catch branch. The handler will first
+      // call startV2ReconnectBackfill (because setupNeverRan is true), which
+      // in turn calls prepareMysqlMirrorV2. prepareMysqlMirrorV2 reads
+      // config.yaml directly (not via the override above) and, with no real
+      // MIRROR_DB in the test config, returns false. That leaves
+      // v2MirrorSetupSucceeded still false, so the new guard trips.
+      sinon.stub(sequelizeV2Mirror, 'authenticate').resolves();
+
+      let cbRan = false;
+      await safeMirrorDbHandlerV2(async () => {
+        cbRan = true;
+      });
+      await new Promise((r) => setTimeout(r, 100));
+
+      expect(
+        cbRan,
+        'callback must not run while MySQL setup is still pending',
+      ).to.equal(false);
+    });
   });
 });
