v0.42.36.0 fix(sync): resumable, durable, single-flight sync — converges under pool exhaustion + repeated kills (#1794)

[garrytan]

What & why

A large gbrain sync that overran its launching session's timeout (SIGTERM) lost 100% of its progress and re-imported the whole backlog every run — never converging, burning CPU for hours while the source went quietly stale (#1794). The resumable checkpoint shipped in v0.42.17.0 had holes in exactly that failure mode, and #1794 recurred live. This PR closes all of them: sync is now resumable, durable, and single-flight.

How

Layer 1 — durability

• Checkpoint reads/writes route through the direct session pool + bounded withRetry, so they survive EMAXCONNSESSION / too_many_connections (now classified retryable). Previously the write swallowed pool-exhaustion errors and banked nothing.
• Guaranteed final flush on every exit path: cooperative timeout (async partial() flush), external SIGTERM (one-shot no-retry flush via registerCleanup, ordered before lock release), and clean completion.
• Fail-loud: after N consecutive failed flushes the run aborts with a checkpoint_unavailable partial instead of importing unbankable work. Every partial/blocked exit logs how many files were banked.
• First-file + time-based (~10s) flush cadence; race-safe pendingCheckpointPaths delta under parallel workers (swap + re-merge on failure).

Layer 2 — append-only storage (op_checkpoint_paths, migration v115)

• One row per drained path via a single writable-CTE unnest($3::text[]) write — O(delta), not the old O(N²) full-array rewrite. recordCompleted keeps replace semantics for the 9 non-sync consumers; sync uses the additive appendCompleted. loadOpCheckpoint unions legacy completed_keys + child rows (UNION ALL, JS-deduped).

Layer 3 — lock heartbeat + single-flight

• Event-loop yield (setTimeout(0), not setImmediate — Bun starves the timers phase) keeps the lock-refresh setInterval heartbeat alive mid-import.
• Refresh + its health probe route through the direct pool (a read-pool probe failure no longer stops renewal).
• Heartbeat-aware takeover: a holder that refreshed within a derived grace window is not stolen even if its TTL lapsed.
• Bare gbrain sync (no --source) now uses withRefreshingLock; a cron sync that collides with a running one is a skip, not a phase failure.

Test plan

• New/updated: op-checkpoint.test.ts (append delta, union read, cascade clear, purge), db-lock-heartbeat-takeover.test.ts (grace protection, stale/NULL steal, direct-refresh bump, yield mechanism), retry-matcher.test.ts (EMAXCONNSESSION/53300), sync-resumable-import.serial.test.ts (still green on the append rewrite).
• Verification gate (post-merge): 266 pass / 0 fail across op-checkpoint, resumable-sync, db-lock×3, migrate, schema-bootstrap, retry-matcher, build-llms. Typecheck clean. JSONB + batch-audit + progress-stdout guards green.
• Note: run the suite sharded (bun run test); a monolithic bun test OOMs PGLite's WASM runtime.

Review

Plan went through /plan-eng-review + cross-model outside voice (Codex), which caught a critical bug pre-implementation: routing only the lock refresh through the direct pool was insufficient because the read-pool health probe still gated renewal (fixed). Closes #1794.

🤖 Generated with Claude Code