techempower-org
diff --git a/‎FORK_CHANGELOG.md‎
Lines changed: 31 additions & 0 deletions b/‎FORK_CHANGELOG.md‎
Lines changed: 31 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 78 additions & 77 deletions b/‎README.md‎
Lines changed: 78 additions & 77 deletions
diff --git a/‎docs/fork-changes.yaml‎
Lines changed: 35 additions & 0 deletions b/‎docs/fork-changes.yaml‎
Lines changed: 35 additions & 0 deletions
diff --git a/‎mempalace/mcp_server.py‎
Lines changed: 45 additions & 2 deletions b/‎mempalace/mcp_server.py‎
Lines changed: 45 additions & 2 deletions
diff --git a/‎tests/test_mcp_server.py‎
Lines changed: 70 additions & 0 deletions b/‎tests/test_mcp_server.py‎
Lines changed: 70 additions & 0 deletions
@@ -162,6 +162,37 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
   *Files:* `mempalace/knowledge_graph_age.py`, `mempalace/kg_triple_worker.py`, `mempalace/mcp_server.py`, `tests/test_knowledge_graph_age.py`, `tests/test_kg_triple_worker.py`, `tests/test_mcp_server.py`
 
 
+### Fixed
+
+
+- **mempalace_kg_stats returns structured backend-unavailable envelope on transient psycopg failures (#299)** ([`HEAD`](https://github.com/techempower-org/mempalace/commit/HEAD))
+  Observed in production 2026-05-28 09:59 PDT (familiar): postgres
+  OOM-killed under writethrough load. The `mempalace_kg_stats` MCP
+  tool propagated the raw `psycopg.OperationalError` to the
+  envelope as `Tool error in mempalace_kg_stats` — an opaque
+  -32000 internal error to the caller, with no signal that
+  "retry in a moment" is the right response.
+
+  Wraps `tool_kg_stats` with a try/except that catches the two
+  psycopg families that fire on dropped connections
+  (`OperationalError`, `InterfaceError`) and returns
+  `{"error": "backend_unavailable", "detail": "...", "retryable": true}`.
+  Other exceptions (cypher syntax, value validation, schema
+  mismatch) still propagate — those are bugs, not transient
+  backend state, and "retryable" would mask them.
+
+  Transient-error classifier broken out as
+  `_is_transient_postgres_error()` so other MCP tools can adopt
+  the shape without re-implementing the family check. Broader
+  `_call_kg` refactor left as a follow-up — the smallest-blast-
+  radius fix is the right shape while
+  techempower-org/familiar.realm.watch#50 (raise postgres
+  MemoryMax cap) is being addressed.
+
+  *Tests:* 3 — tests/test_mcp_server.py (psycopg.OperationalError surfaces structured envelope, psycopg.InterfaceError same, non-transient ValueError propagates)
+  *Files:* `mempalace/mcp_server.py`, `tests/test_mcp_server.py`
+
+
 ## [2026-05-27]
 
 
 
@@ -24,6 +24,41 @@
 
 entries:
 
+  - id: mcp-kg-stats-structured-error-envelope
+    date: 2026-05-28
+    bucket: Fixed
+    commit: HEAD
+    area: MCP
+    summary: "mempalace_kg_stats returns structured backend-unavailable envelope on transient psycopg failures (#299)"
+    tests: "3 — tests/test_mcp_server.py (psycopg.OperationalError surfaces structured envelope, psycopg.InterfaceError same, non-transient ValueError propagates)"
+    files:
+      - mempalace/mcp_server.py
+      - tests/test_mcp_server.py
+    body: |
+      Observed in production 2026-05-28 09:59 PDT (familiar): postgres
+      OOM-killed under writethrough load. The `mempalace_kg_stats` MCP
+      tool propagated the raw `psycopg.OperationalError` to the
+      envelope as `Tool error in mempalace_kg_stats` — an opaque
+      -32000 internal error to the caller, with no signal that
+      "retry in a moment" is the right response.
+
+      Wraps `tool_kg_stats` with a try/except that catches the two
+      psycopg families that fire on dropped connections
+      (`OperationalError`, `InterfaceError`) and returns
+      `{"error": "backend_unavailable", "detail": "...", "retryable": true}`.
+      Other exceptions (cypher syntax, value validation, schema
+      mismatch) still propagate — those are bugs, not transient
+      backend state, and "retryable" would mask them.
+
+      Transient-error classifier broken out as
+      `_is_transient_postgres_error()` so other MCP tools can adopt
+      the shape without re-implementing the family check. Broader
+      `_call_kg` refactor left as a follow-up — the smallest-blast-
+      radius fix is the right shape while
+      techempower-org/familiar.realm.watch#50 (raise postgres
+      MemoryMax cap) is being addressed.
+
+
   - id: cli-why-and-tunnels-fast-path
     date: 2026-05-28
     bucket: Added
 
@@ -2565,8 +2565,51 @@ def _timeline(kg):
 
 
 def tool_kg_stats():
-    """Knowledge graph overview: entities, triples, relationship types."""
-    return _call_kg(lambda kg: kg.stats())
+    """Knowledge graph overview: entities, triples, relationship types.
+
+    Returns a structured error envelope on transient postgres failures
+    (the connection dropped between `_call_kg` opening the handle and
+    `kg.stats()` finishing its query — typically caused by a postgres
+    OOM-kill or restart under load). The caller sees
+    ``{"error": "backend_unavailable", "retryable": True, ...}`` and can
+    surface "try again in a moment" instead of an opaque -32000
+    internal error. See techempower-org/mempalace#299.
+
+    Non-transient errors (cypher syntax, value-validation, schema
+    mismatch) still propagate — those need a real fix, not a retry.
+    """
+    try:
+        return _call_kg(lambda kg: kg.stats())
+    except Exception as e:  # noqa: BLE001
+        if _is_transient_postgres_error(e):
+            logger.warning("mempalace_kg_stats: backend transiently unavailable: %s", e)
+            return {
+                "error": "backend_unavailable",
+                "detail": str(e),
+                "retryable": True,
+            }
+        raise
+
+
+def _is_transient_postgres_error(exc: BaseException) -> bool:
+    """True when ``exc`` is a psycopg connection-dropped error.
+
+    Matches the same two error families ``kg_triple_worker._execute_with_retry``
+    catches (techempower-org/mempalace#298): ``OperationalError`` (server
+    closed the connection, OOM-restart, network blip) and
+    ``InterfaceError`` (the connection is closed, pool returned a dead
+    handle). Other psycopg errors — ``DataError``, ``ProgrammingError``
+    on the postgres side, syntax errors — are bugs, not transient
+    backend state, and should propagate.
+
+    Returns False if psycopg isn't importable (sqlite-only deployments
+    can't have postgres-transient errors).
+    """
+    try:
+        import psycopg
+    except ImportError:
+        return False
+    return isinstance(exc, (psycopg.OperationalError, psycopg.InterfaceError))
 
 
 # ==================== AGENT DIARY ====================
 
@@ -1812,6 +1812,76 @@ def test_kg_stats(self, monkeypatch, config, palace_path, seeded_kg):
         result = tool_kg_stats()
         assert result["entities"] >= 4
 
+    # --- Transient backend failures return structured envelope (#299) ---
+
+    def test_kg_stats_returns_structured_envelope_on_postgres_operational_error(
+        self, monkeypatch, config, palace_path, seeded_kg
+    ):
+        """When postgres drops a connection mid-stats (OOM-kill, network
+        blip, statement_timeout), ``tool_kg_stats`` should return a
+        structured ``{"error": "backend_unavailable", "retryable": True}``
+        envelope instead of propagating the raw ``psycopg.OperationalError``
+        as a -32000 internal error. Regression for techempower-org/mempalace#299.
+        """
+        import pytest
+
+        psycopg = pytest.importorskip("psycopg")
+
+        _patch_mcp_server(monkeypatch, config, seeded_kg)
+        from mempalace import mcp_server
+
+        def _boom(kg):
+            raise psycopg.OperationalError("server closed the connection unexpectedly")
+
+        monkeypatch.setattr(mcp_server, "_call_kg", lambda op: _boom(None))
+
+        result = mcp_server.tool_kg_stats()
+        assert result["error"] == "backend_unavailable"
+        assert result["retryable"] is True
+        assert "server closed" in result["detail"]
+
+    def test_kg_stats_returns_structured_envelope_on_postgres_interface_error(
+        self, monkeypatch, config, palace_path, seeded_kg
+    ):
+        """``psycopg.InterfaceError`` ("the connection is closed") — the
+        sibling family fired by a pool returning a dead handle — also
+        gets the structured envelope. See #299."""
+        import pytest
+
+        psycopg = pytest.importorskip("psycopg")
+
+        _patch_mcp_server(monkeypatch, config, seeded_kg)
+        from mempalace import mcp_server
+
+        def _boom(kg):
+            raise psycopg.InterfaceError("the connection is closed")
+
+        monkeypatch.setattr(mcp_server, "_call_kg", lambda op: _boom(None))
+
+        result = mcp_server.tool_kg_stats()
+        assert result["error"] == "backend_unavailable"
+        assert result["retryable"] is True
+
+    def test_kg_stats_propagates_non_transient_errors(
+        self, monkeypatch, config, palace_path, seeded_kg
+    ):
+        """A ``ValueError`` (cypher syntax, value-validation, etc.) is a
+        bug, not a transient backend state. It should propagate so the
+        MCP caller sees a real error instead of "retryable backend
+        unavailable" — that would mask the bug. See #299."""
+        import pytest
+
+        _patch_mcp_server(monkeypatch, config, seeded_kg)
+        from mempalace import mcp_server
+
+        def _boom(kg):
+            raise ValueError("cypher syntax error: unexpected token at position 42")
+
+        monkeypatch.setattr(mcp_server, "_call_kg", lambda op: _boom(None))
+
+        with pytest.raises(ValueError, match="cypher syntax error"):
+            mcp_server.tool_kg_stats()
+
     # --- Date validation at the MCP boundary (issue #1164) ---
 
     def test_kg_add_rejects_invalid_valid_from(self, monkeypatch, config, palace_path, kg):