chore: sql fuzz

[NathanFlurry]

Description

Please include a summary of the changes and the related issue. Please also include relevant motivation and context.

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes.

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes

[NathanFlurry]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• chore: sql fuzz #4739 : 2 dependent PRs (#4740 , #4741 ) 👈 (View in Graphite)
• fix(rivetkit-core): gate startup until runtime is ready #4736 : 1 other dependent PR (#4737 )
• fix(rivetkit-sqlite): preserve text with embedded nul bytes #4735
• chore(rivetkit): add child spans for logging #4734
• fix(rivetkit-core): orphan engine process and detect crashes #4733
• fix(rivetkit-core): return None for empty inspector state to avoid frontend CBOR decode error #4732
• fix(rivetkit-core): don't install tokio::signal::ctrl_c() handler inside serve_with_config #4731
• refactor(rivetkit-core): use subtle::ConstantTimeEq for inspector token verify #4730
• fix(rivetkit): drop is_read_only_sql classifier, surface RETURNING rows #4728
• docs: require close-code rejection for websocket auth/policy failures #4727
• fix(rivetkit): inspector reports actual config state + real queue messages #4726
• fix(rivetkit-napi): plumb ctx through serializeState TSF and stop panicking on runtime_state Ref drop #4725
• chore(rivetkit): remove legacy metrics & prometheus auth #4724
• chore(rivetkit): remove legacy metrics #4723
• chore(rivetkit): impl inspector token #4722
• chore: disable auth on serverless #4721
• chore: fix cors for envoys #4720
• chore: fix serverless in rivetkit-core #4719
• chore(rivetkit): impl follow up review #4711
• chore: rivetkit core/napi/typescript follow up review #4702
• chore: fix remaining issues with rivetkit-core #4701
• chore: sqlite v1 to v2 data migration #4692 : 1 other dependent PR (#4640 )
• chore: move rivetkit to task model #4680
• chore: rivetkit to rust #4679
• feat(rivetkit): sqlite vfs v2 #4673
• chore: rename sandbox -> kitchen sink #4671 : 1 other dependent PR (#4672 )
• chore: configure TLS trust roots for rustls clients #4667
• fix(rivetkit): update config to match envoys & remove manager references #4663
• chore(publish): pin docker base image refs #4652
• chore(engine): publish engine bases in ci #4649 : 2 other dependent PRs (#4650 , #4666 )
• chore: lockfile lefthook #4647
• fix(rivetkit): surface native sqlite kv errors to callers #4645
• fix(rivetkit): prevent sleep races during disconnect and db work #4644
• fix(rivetkit): isolate engine envoys and propagate startup failures #4643
• test(rivetkit): remove wasm sqlite-only fixtures and coverage #4642
• chore(sqlite-vfs): remove wasm sqlite packages and workspace wiring #4641
• chore(rivetkit): remove wasm sqlite runtime #4614
• fix(sqlite-native): restore native startup kv preload #4639
• fix(sqlite-native): delete metadata before chunk range #4638
• fix(sqlite-native): keep truncate cache coherent #4637
• fix(sqlite-vfs): use delete range for truncate cleanup #4636
• fix(sqlite-native): restore kv error hook #4635
• perf(sqlite-native): avoid cloning cached read chunks #4634
• perf(sqlite-native): gate kv operation labels #4633
• perf(sqlite-native): reuse read cache for partial writes #4632
• perf(sqlite-native): remove delete file existence probe #4631
• fix(sqlite-native): gate native read cache behind env var #4630
• fix(pegboard): isolate runner config dc lookup failures #4625 : 1 other dependent PR (#4626 )
• docs(pegboard): note runner config upsert split write risk #4624
• fix(pegboard): unpack global runner config keys correctly #4623
• fix(pegboard-gateway): enforce tunnel message state #4622
• fix(pegboard-runner): clear terminal tunnel routes #4621
• fix(pegboard): skip protocol version keys in runner pool backfill #4620
• fix(pegboard): create missing normal runner configs #4619
• fix(epoxy): reuse cached optimistic value #4618
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[claude]

Code Review: chore: sql fuzz (#4739)

Draft PR - feedback provided for early review.

Overview

This PR adds a comprehensive SQLite VFS fuzz harness for the kitchen-sink example, fixes two real bugs uncovered by fuzzing, and adds test-only fault injection to vfs.rs. The two production fixes are:

1. native-database.ts - serializes overlapping exec/run/query calls via an AsyncMutex, fixing concurrent read-write races on raw SQLite handles.
2. native.ts + actor_context.rs - makes onSleep/onDestroy unconditionally registered (removing the conditional gate) and explicitly calls clearRuntimeState() on teardown, fixing the NAPI ref-count panic on sleep/wake cycles.

Both fixes are well-motivated and address real bugs documented in the issue log.

---

Issues

Medium

AsyncMutex is a custom ad-hoc implementation (shared.ts:70)

CLAUDE.md mandates using antiox for TypeScript concurrency primitives instead of custom Promise queues. The AsyncMutex in shared.ts is a hand-rolled Promise queue. If antiox provides a mutex, this should use it. At minimum, if the custom implementation stays, add a comment explaining why antiox is not used here.

exec result type unsoundness in native-database.ts:202-210

The mutex closure for exec may return undefined if enrichNativeDatabaseError returns without throwing (TypeScript does not statically guarantee it throws). result would then be undefined and the subsequent result.rows/result.columns access would crash at runtime. This existed before the PR but the refactor was an opportunity to fix it - adding a !result guard after the mutex would make the invariant explicit.

Relative path to sql-loader in db-fuzz.ts:380

The import "../../../rivetkit-typescript/packages/sql-loader/dist/register.js" is brittle if the script or package moves. Prefer a workspace package reference (e.g. @rivetkit/sql-loader/register) so it resolves through the workspace graph.

registry.start() is not awaited in db-fuzz.ts:382

If start() returns a Promise, the fire-and-forget + sleep(warmupMs) is a best-effort wait that can silently lose startup errors. Either await it or document that the warmup window is intentional.

Low / Style

hashSeed and checksum are the same function (raw-sqlite-fuzzer.ts)

Both implement FNV-1a with identical constants and loops under different names. Unify into one helper to prevent drift.

Manual BEGIN/COMMIT in applyEdgePayloads (raw-sqlite-fuzzer.ts)

Most of the actor uses the transaction() helper, but applyEdgePayloads manually issues database.execute("BEGIN") and handles rollback inline. Use the transaction() helper for uniformity.

accountCount !== 8 hardcoded in assertValidation (db-fuzz.ts:253)

The client asserts validation.accountCount !== 8 which is directly coupled to ACCOUNT_COUNT = 8 in the actor. If that constant changes the client breaks silently. Consider including expected account count in ValidationSummary.

---

What Looks Good

• Rust vfs.rs test injection is clean - #[cfg(test)] gating on both struct fields and all helper functions, using parking_lot::Mutex correctly for sync VFS/FFI context. Helpers stay in src/ where private access is needed per project conventions.
• clear_runtime_state NAPI implementation - correctly takes the Option out of the parking_lot::Mutex, releases the lock, then calls unref(env). Safe ordering, correct mutex type for sync NAPI context.
• Unconditional onSleep/onDestroy registration - the root cause analysis is correct. The old conditional guard meant actors without DB providers had no cleanup path for the NAPI runtimeState reference, causing the ref-count panic on wake. Always registering is the right fix.
• closed guard in wrapJsNativeDatabase - the error message is actionable and points users toward c.abortSignal for cleanup.
• Test coverage breadth - the checklist in .agent/notes/raw-sqlite-vfs-fuzz.md is thorough: page boundaries, fragmentation, DDL churn, constraints, savepoints, fault injection, sleep/wake cycles. High-quality regression safety net for the VFS.
• Idempotent rerun safety - fixing the phase-only ID reuse bug (orders/constraints reusing order-${phase} IDs) prevents false invariant failures on --no-reset reruns.

[NathanFlurry]

Landed in main via stack-merge fast-forward push. Commits are in main; closing to match.