feat: big refactor for actual persistence - psql, sqlite; outbox refactor; snapshot cleanup; microsvc context

[patrickleet]

Summary

• add stream-aware async repository/read-model/snapshot/outbox traits and async commit batch types
• add validated StreamIdentity plus async aggregate repository wrappers
• implement async in-memory reference behavior and focused async tests
• document the async persistence boundary for future Postgres/sqlx adapters

Verification

• cargo fmt --check
• git diff --check
• cargo test --test async_repository --all-features
• cargo test --all-features
• cargo clippy --lib --all-features -- -D warnings
• cargo clippy --test async_repository --all-features -- -D warnings

Note: cargo clippy --all-targets --all-features -- -D warnings still reports pre-existing warnings in unrelated integration tests under tests/todos, tests/sagas, and tests/bomberman.

Summary by CodeRabbit

• New Features

  • Async repository surface and async aggregate helpers; Postgres and SQLite backends; in-memory async references.
  • Stable aggregate-type naming so streams and snapshots are keyed by (aggregate type, id).
  • Ownership-based outbox API (pass messages by value) for clearer commit semantics.

• Documentation

  • Async repository boundary docs, roadmap update, adapter guidance, and updated examples/README.

• Database

  • SQL migrations and compose setup for local Postgres testing.

• Tests

  • New async integration and conformance tests covering streams, transactional batches, snapshots, read-models, and outbox workflows.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds StreamIdentity and async repository trait surface, extends macros to accept durable aggregate_type strings, implements async wrappers and full async backends (HashMap, SQLite, Postgres), refactors outbox ownership/workers, updates crate exports, adds docs/migrations, and broad Tokio integration and conformance tests.

Changes

Async Repository Boundary and Backends

Layer / File(s)

Summary

Full change checkpoint *

All coordinated edits: async traits and batch primitives (src/repository/async_repository.rs), StreamIdentity and new RepositoryError variants (src/repository/identity.rs, src/repository/error.rs), aggregate macro and Aggregate::aggregate_type support (sourced_rust_macros/src/lib.rs, src/aggregate/aggregate.rs), AsyncAggregate wrapper (src/aggregate/async_aggregate.rs, src/aggregate/mod.rs), in-memory async impls (src/hashmap_repo/repository.rs, src/read_model/in_memory.rs, src/snapshot/in_memory.rs, src/outbox_worker/repository_ext.rs), commit/outbox ownership and builder plumbing (src/commit_builder/mod.rs, src/outbox/commit.rs, src/outbox/message.rs, src/snapshot/repository.rs), shared SQLx validators/converters (src/sqlx_repo/mod.rs), SQLite and Postgres adapters (src/sqlite_repo/mod.rs, src/postgres_repo/mod.rs), batch type updates (src/repository/batch.rs), crate exports and feature wiring (src/repository/mod.rs, src/lib.rs, Cargo.toml), docs/matrix/roadmap (docs/async-repositories.md, docs/research-and-roadmap.md), migrations/compose (migrations/*, compose.yaml), extensive async tests and conformance harnesses (tests/*).

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant AsyncRepo as AsyncRepository
  participant SQLDB as SQLxDB
  Client->>AsyncRepo: get_stream(StreamIdentity)
  AsyncRepo->>SQLDB: query aggregate_events by (aggregate_type, aggregate_id)
  SQLDB-->>AsyncRepo: rows -> EventRecord[]
  AsyncRepo->>Client: hydrated Entity/Aggregate
  Client->>AsyncRepo: commit_batch_async(AsyncCommitBatch)
  AsyncRepo->>SQLDB: begin transaction
  AsyncRepo->>SQLDB: validate prepared appends, reject duplicates
  AsyncRepo->>SQLDB: insert events, insert outbox rows, upsert snapshots
  SQLDB-->>AsyncRepo: commit / unique-violation
  AsyncRepo->>Client: Result (ok | ConcurrentWrite | ModelError)

Loading

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~120 minutes

Possibly related PRs

• patrickleet/sourced_rust#38: Overlaps on SQLite adapter, migrations, and integration tests.
• patrickleet/sourced_rust#28: Related outbox worker completion/release/fail API changes and hardening.
• patrickleet/sourced_rust#29: Related Postgres repository schema and StreamIdentity / RepositoryError design.

Poem

"A rabbit wrote a little patch,
Streams now carry type and id attached.
Async hops through DB and test,
Macros named, migrations dressed.
🥕 CodeRabbit cheers — commits all blessed!"

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/async

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

src/aggregate/async_aggregate.rs (1)

63-74: 💤 Low value

Consider documenting the ordering/correspondence semantics of get_all.

The method collects identities from ids, calls get_streams, and hydrates whatever entities are returned. If some IDs don't exist, the result may have fewer items than ids, and the order may not correspond to the input order. This could be surprising to callers who expect a 1:1 positional match.

If this is the intended behavior (skip missing aggregates), consider adding a doc comment clarifying it. Alternatively, if callers need position correspondence, returning Vec<Option<A>> would be more explicit.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/aggregate/async_aggregate.rs` around lines 63 - 74, The get_all method
currently maps ids -> stream_identity_for::<A>(id), calls
self.repo.get_streams(&identities).await and hydrates returned entities, but the
result may omit missing IDs and lose positional correspondence with the input
ids; update the behavior and document it: either add a doc comment on
async_aggregate::get_all (and mention stream_identity_for, get_streams, hydrate)
to state that missing aggregates are skipped and order is not guaranteed, or
change the signature to return Vec<Option<A>> and implement logic to preserve
input order by mapping each id to its corresponding hydrate result (None for
missing), using stream_identity_for::<A> to build lookups and get_streams to
fetch entities. Ensure tests and call sites are updated accordingly.

sourced_rust_macros/src/lib.rs (1)

698-708: ⚡ Quick win

Validate aggregate_type literals during macro parsing.

These literals are known at compile time; rejecting empty/whitespace/reserved-delimiter values here avoids deferred runtime failures (InvalidStreamIdentity).

🧩 Proposed patch

 use syn::{
@@
 };

+fn validate_aggregate_type_literal(lit: &LitStr) -> syn::Result<()> {
+    let value = lit.value();
+    if value.trim().is_empty() {
+        return Err(syn::Error::new_spanned(
+            lit,
+            "`aggregate_type` must not be empty or whitespace",
+        ));
+    }
+    if value.contains('\u{1f}') {
+        return Err(syn::Error::new_spanned(
+            lit,
+            "`aggregate_type` must not contain the reserved stream delimiter (U+001F)",
+        ));
+    }
+    Ok(())
+}
+
 impl Parse for AggregateInput {
@@
-            input.parse::<Token![=]>()?;
-            aggregate_type = Some(input.parse::<LitStr>()?);
+            input.parse::<Token![=]>()?;
+            let lit = input.parse::<LitStr>()?;
+            validate_aggregate_type_literal(&lit)?;
+            aggregate_type = Some(lit);
         }
@@
             if kw == "events" {
@@
             } else if kw == "aggregate_type" {
                 input.parse::<Ident>()?;
                 input.parse::<Token![=]>()?;
-                aggregate_type = Some(input.parse::<LitStr>()?);
+                let lit = input.parse::<LitStr>()?;
+                validate_aggregate_type_literal(&lit)?;
+                aggregate_type = Some(lit);
             } else if kw == "enqueue" {

Also applies to: 820-836

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@sourced_rust_macros/src/lib.rs` around lines 698 - 708, When parsing the
aggregate_type literal in the macro (the block that sets aggregate_type using
input.parse::<LitStr>()), validate the parsed string value immediately: if it's
empty, only whitespace, or contains reserved delimiter characters used for
stream identity, return a syn::Error::new with the LitStr span and a clear
message (e.g. "invalid aggregate_type: empty/whitespace/reserved characters")
instead of accepting it; apply the same validation to the other equivalent
parsing block around the aggregate_type handling at the later location (the
similar input.parse::<LitStr>() usage between lines ~820-836) so malformed
literals are rejected at macro-expansion time.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/async-repositories.md`:
- Around line 3-4: Replace the placeholder name "Distributed" in the sentence
shown (the word Distributed in the docs/async-repositories.md content) with the
actual crate/project name used in this repo so the documentation reflects the
current project; update the sentence "Distributed keeps the synchronous
in-memory repository API intact..." to use the real project/crate identifier
consistently.

In `@src/repository/identity.rs`:
- Around line 25-39: The validation for stream identity components
(aggregate_type and aggregate_id) currently only checks for emptiness; update
the checks in the function that returns RepositoryError::InvalidStreamIdentity
so they also reject the storage-key delimiter character '\u{1f}' (and any other
reserved delimiters if used) by treating strings containing that codepoint as
invalid and returning RepositoryError::InvalidStreamIdentity with an appropriate
reason; apply the same guard to the other validation location referenced (lines
57-59) so both aggregate_type and aggregate_id cannot contain '\u{1f}' before
composing storage keys.

---

Nitpick comments:
In `@sourced_rust_macros/src/lib.rs`:
- Around line 698-708: When parsing the aggregate_type literal in the macro (the
block that sets aggregate_type using input.parse::<LitStr>()), validate the
parsed string value immediately: if it's empty, only whitespace, or contains
reserved delimiter characters used for stream identity, return a syn::Error::new
with the LitStr span and a clear message (e.g. "invalid aggregate_type:
empty/whitespace/reserved characters") instead of accepting it; apply the same
validation to the other equivalent parsing block around the aggregate_type
handling at the later location (the similar input.parse::<LitStr>() usage
between lines ~820-836) so malformed literals are rejected at macro-expansion
time.

In `@src/aggregate/async_aggregate.rs`:
- Around line 63-74: The get_all method currently maps ids ->
stream_identity_for::<A>(id), calls self.repo.get_streams(&identities).await and
hydrates returned entities, but the result may omit missing IDs and lose
positional correspondence with the input ids; update the behavior and document
it: either add a doc comment on async_aggregate::get_all (and mention
stream_identity_for, get_streams, hydrate) to state that missing aggregates are
skipped and order is not guaranteed, or change the signature to return
Vec<Option<A>> and implement logic to preserve input order by mapping each id to
its corresponding hydrate result (None for missing), using
stream_identity_for::<A> to build lookups and get_streams to fetch entities.
Ensure tests and call sites are updated accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 6489368a-8e2f-4433-9743-b19e88b78a62

📥 Commits

Reviewing files that changed from the base of the PR and between cedd56d and 05618e4.

📒 Files selected for processing (17)

• docs/async-repositories.md
• docs/research-and-roadmap.md
• sourced_rust_macros/src/lib.rs
• src/aggregate/aggregate.rs
• src/aggregate/async_aggregate.rs
• src/aggregate/mod.rs
• src/hashmap_repo/repository.rs
• src/lib.rs
• src/outbox_worker/repository_ext.rs
• src/read_model/in_memory.rs
• src/read_model/session.rs
• src/repository/async_repository.rs
• src/repository/error.rs
• src/repository/identity.rs
• src/repository/mod.rs
• src/snapshot/in_memory.rs
• tests/async_repository/main.rs

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/postgres_repo/mod.rs`:
- Around line 400-404: The code swallows failures from stream_version_pool by
using unwrap_or_default(), turning DB lookup errors into actual=0 and
misreporting outages as concurrency conflicts; change the call to
stream_version_pool(pool, identity).await to handle its Result explicitly: if it
returns Ok(actual) proceed to return Err(RepositoryError::ConcurrentWrite {
actual, /* expected... */ }), but if it returns Err(e) propagate or map that
error (e.g., return Err(mapped RepositoryError::Storage or forward the original
error) instead of defaulting); update the branch that currently uses
is_postgres_unique_violation, stream_version_pool, and
RepositoryError::ConcurrentWrite to remove unwrap_or_default and return the
stream lookup failure when it occurs.

In `@src/sqlite_repo/mod.rs`:
- Around line 315-325: The update is vulnerable to a TOCTOU race because you
check expected_version before calling update_document_in_tx, which performs an
UPDATE only by (collection, id); change update_document_in_tx to accept the
expected_version (or make a new helper) and include "AND version = ?" in the SQL
UPDATE predicate, then have it return the number of rows affected; in the caller
(where next_document_version, update_document_in_tx, commit_read_model_tx are
used) check rows_affected == 0 and map that to
ReadModelError::ConcurrencyConflict (using M::COLLECTION, model.id(), expected
and actual as before) instead of relying on the separate pre-check so the
read-model update becomes atomic.
- Around line 947-958: The function system_time_from_storage currently
constructs a Duration with parsed nanos which can panic if nanos >=
1_000_000_000; add a guard after parsing that checks nanos < 1_000_000_000 (and
return UNIX_EPOCH or otherwise handle the invalid value) before calling
Duration::new(secs, nanos) so invalid stored values don't cause a panic.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: a35b7fb4-d32e-4866-bc5c-6f68e2b00476

📥 Commits

Reviewing files that changed from the base of the PR and between 05618e4 and cef92e8.

📒 Files selected for processing (11)

• Cargo.toml
• compose.yaml
• docs/async-repositories.md
• migrations/postgres/0001_initial.sql
• migrations/sqlite/0001_initial.sql
• src/lib.rs
• src/postgres_repo/mod.rs
• src/sqlite_repo/mod.rs
• src/sqlx_repo/mod.rs
• tests/postgres_repository/main.rs
• tests/sqlite_repository/main.rs

✅ Files skipped from review due to trivial changes (3)

• migrations/sqlite/0001_initial.sql
• migrations/postgres/0001_initial.sql
• docs/async-repositories.md

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

tests/persistent_repository_conformance/scenario.rs (1)

104-106: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Make get_all assertion order-insensitive to avoid backend-specific flakiness.

These assertions assume deterministic ordering from get_all, which is often not guaranteed across SQL backends.

Suggested fix

-    assert_eq!(loaded[0].entity.id(), first_id);
-    assert_eq!(loaded[1].entity.id(), second_id);
+    let mut actual_ids = loaded
+        .iter()
+        .map(|seat| seat.entity.id().to_string())
+        .collect::<Vec<_>>();
+    actual_ids.sort();
+    let mut expected_ids = vec![first_id, second_id];
+    expected_ids.sort();
+    assert_eq!(actual_ids, expected_ids);

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/persistent_repository_conformance/scenario.rs` around lines 104 - 106,
Test assumes deterministic ordering from get_all; make the assertion
order-insensitive by comparing the returned entities by identity rather than by
index. In the scenario test where loaded, first_id and second_id are used,
replace the index-based asserts with an unordered comparison: map loaded to a
collection of ids (from loaded[*].entity.id()), convert to a HashSet (or sort
both vectors) and assert that this set equals the set containing first_id and
second_id; update the assertions that reference loaded[0]/loaded[1] accordingly.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@tests/persistent_repository_conformance/checkout_saga.rs`:
- Around line 26-39: Tighten the event guard on record_seat_reserved so the saga
won’t accept a seat payload that conflicts with an already-associated seat: in
the #[event(... when = ...)] expression add checks that either the saga has no
reserved seat/category yet or the incoming seat_id and seat_category match the
saga’s existing values (e.g. require (self.reserved_seat_id.is_empty() ||
self.reserved_seat_id == seat_id) && (self.seat_category.is_empty() ||
self.seat_category == seat_category) in addition to the existing checkout/status
checks for the record_seat_reserved handler).

In `@tests/persistent_repository_conformance/seat.rs`:
- Around line 23-30: The reserve transition's guard must also verify the
provided seat identifiers match the aggregate so events cannot drift; update the
#[event(... when = ...)] guard on the reserve function to require matching
identifiers (e.g., add self.seat_id == seat_id && self.seat_category ==
seat_category) in addition to the existing status and checkout_id checks,
ensuring the event only fires when the incoming seat_id/seat_category align with
the aggregate's self.seat_id/self.seat_category.

---

Outside diff comments:
In `@tests/persistent_repository_conformance/scenario.rs`:
- Around line 104-106: Test assumes deterministic ordering from get_all; make
the assertion order-insensitive by comparing the returned entities by identity
rather than by index. In the scenario test where loaded, first_id and second_id
are used, replace the index-based asserts with an unordered comparison: map
loaded to a collection of ids (from loaded[*].entity.id()), convert to a HashSet
(or sort both vectors) and assert that this set equals the set containing
first_id and second_id; update the assertions that reference loaded[0]/loaded[1]
accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 7b3da5e8-7919-4e85-a50d-5f8508052504

📥 Commits

Reviewing files that changed from the base of the PR and between a0cda35 and ae249d4.

📒 Files selected for processing (4)

• tests/persistent_repository_conformance/checkout.rs
• tests/persistent_repository_conformance/checkout_saga.rs
• tests/persistent_repository_conformance/scenario.rs
• tests/persistent_repository_conformance/seat.rs

💤 Files with no reviewable changes (1)

• tests/persistent_repository_conformance/checkout.rs

[patrickleet]

Outbox delivery-table update pushed in e9bcd6a.

Summary:

• OutboxMessage is now a durable envelope plus delivery state, not an aggregate stream.
• Commit batches insert outbox rows atomically with aggregate appends for HashMap, SQLite, and Postgres.
• Worker claim/complete/release/failure paths use table-backed state and validate active worker claims.
• Removed mutable-message compatibility and outbox: ID normalization; message IDs are caller-provided durable IDs.
• Added shared conformance coverage for atomic commit rollback and worker lifecycle.

Verification:

• cargo fmt --check
• git diff --check
• cargo test --all-features
• cargo clippy --lib --all-features -- -D warnings
• cargo clippy --all-features --test async_repository --test hashmap_repository_conformance --test sqlite_repository_conformance --test postgres_repository_conformance --test sqlite_repository --test postgres_repository --test todos -- -D warnings

[coderabbitai]

Actionable comments posted: 6

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

src/commit_builder/mod.rs (1)

232-243: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Propagate outbox source in staged commits for parity with non-staged commits.

CommitBuilder::commit sets outbox source (Line 108), but StagedCommitBuilder::commit forwards messages unchanged. In staged flows (aggregate(...).outbox(...).commit()), outbox rows can lose aggregate-source linkage.

Suggested direction

 pub fn commit(mut self) -> Result<(), RepositoryError>
 where
     R: TransactionalCommit,
 {
     self.check_staged()?;
+
+    // Ensure staged flow applies the same source-link behavior as CommitBuilder::commit.
+    // Example approach:
+    // - when exactly one staged aggregate exists, set outbox source from it
+    // - or require caller-provided source and validate before commit
+    // (implementation depends on available OutboxMessage source setter APIs)

     let mut entity_refs: Vec<&mut Entity> = self.entities.iter_mut().collect();
     entity_refs.extend(self.staged_entities);
     self.repo.commit_batch(CommitBatch {
         entities: entity_refs,
         outbox_messages: self.outbox_messages,
         read_model_plans: self.read_model_plans,
         snapshots: Vec::new(),
     })
 }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/commit_builder/mod.rs` around lines 232 - 243,
StagedCommitBuilder::commit is forwarding outbox_messages unchanged which loses
the aggregate/source linkage that CommitBuilder::commit sets; before calling
self.repo.commit_batch(CommitBatch { ... }) map/transform self.outbox_messages
the same way as in CommitBuilder::commit to populate the outbox message source
(use the same field/logic used there, e.g. set message.source = self.source or
derive from the staged entity/aggregate id), then pass the transformed
outbox_messages into CommitBatch so staged commits preserve the outbox source.

tests/bomberman/commands.rs (1)

221-230: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Kill-event attribution can be wrong when multiple detonations happen in one tick.

Lines 222–230 use the most recent detonation for every killed player, so killed_by_bomb/bomb_owner can be incorrect for kills caused by earlier detonations in the same tick.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/bomberman/commands.rs` around lines 221 - 230, The current code always
uses saga.detonations.last() (variable det) for every killed player which can
misattribute kills when multiple detonations occur in the same tick; instead
locate the specific detonation that actually caused this killed_id by searching
saga.detonations (e.g., saga.detonations.iter().find(...)) for a detonation that
lists or affects that player (match on a field like affected_players,
killed_players, bomb_id, or timestamp relative to the kill event) and use that
det to populate "killed_by_bomb" and "bomb_owner" in the OutboxMessage::create
payload, falling back to "unknown" only if no matching detonation is found.

🧹 Nitpick comments (2)

tests/todos/main.rs (1)

73-74: ⚡ Quick win

Don’t discard commit results in test setup paths.

At Line 73 and Line 94, ignoring commit results can hide the actual failure point and make test failures noisier downstream.

Tighten test failure signals

-    let _ = repo.outbox(init_message).commit(&mut todo);
+    repo.outbox(init_message).commit(&mut todo).unwrap();
@@
-        let _ = repo.outbox(complete_message).commit(&mut retrieved_todo);
+        repo.outbox(complete_message)
+            .commit(&mut retrieved_todo)
+            .unwrap();

Also applies to: 94-95

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/todos/main.rs` around lines 73 - 74, Replace the ignored commit results
for test setup (the calls to repo.outbox(init_message).commit(&mut todo) and the
similar call around line 94) with explicit error handling so failures surface
immediately; for example, call .expect("commit failed in test setup") or
propagate the Result instead of using let _ = ..., ensuring the commit() return
value is checked and the test aborts with a clear message if the commit fails.

migrations/postgres/0001_initial.sql (1)

39-68: ⚡ Quick win

Add status-dependent CHECK constraints to prevent impossible outbox states.

Current constraints validate individual columns, but they don’t guard cross-field state consistency (e.g., status='pending' with claimed_by set). Enforcing these invariants at DB level will protect worker lifecycle correctness.

Schema hardening example

 CREATE TABLE IF NOT EXISTS outbox_messages (
@@
   CHECK (status IN ('pending', 'in_flight', 'published', 'failed')),
-  CHECK (attempts >= 0)
+  CHECK (attempts >= 0),
+  CHECK (
+    (status <> 'in_flight')
+    OR (claimed_by IS NOT NULL AND claimed_until IS NOT NULL)
+  ),
+  CHECK (
+    (status = 'in_flight')
+    OR (claimed_by IS NULL AND claimed_until IS NULL)
+  ),
+  CHECK (
+    (status = 'published') = (published_at IS NOT NULL)
+  ),
+  CHECK (
+    (status = 'failed') = (failed_at IS NOT NULL)
+  )
 );

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@migrations/postgres/0001_initial.sql` around lines 39 - 68, Add table-level
CHECK constraints to outbox_messages to enforce cross-column invariants for
status-driven states: add a CHECK using a CASE/WHEN expression that for
status='pending' requires claimed_by IS NULL AND claimed_until IS NULL AND
published_at IS NULL AND failed_at IS NULL AND attempts = 0; for
status='in_flight' requires claimed_by IS NOT NULL AND claimed_until IS NOT NULL
AND published_at IS NULL AND failed_at IS NULL; for status='published' requires
published_at IS NOT NULL AND failed_at IS NULL; and for status='failed' requires
failed_at IS NOT NULL. Modify the CREATE TABLE outbox_messages definition to
include these CHECK(...) constraints referencing status, claimed_by,
claimed_until, published_at, failed_at, and attempts so impossible combinations
are rejected by the DB.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
@.agents/skills/supabase-postgres-best-practices/references/security-rls-basics.md:
- Around line 8-10: Update the wording to use consistent hyphenation: change the
heading "Enable Row Level Security for Multi-Tenant Data" to "Enable Row-Level
Security for Multi-Tenant Data" and replace occurrences of the phrase "Row Level
Security" in the body with "Row-Level Security" (search for the exact string
"Row Level Security" and update each instance) so the document consistently uses
the hyphenated form.

In @.agents/skills/supabase-postgres-best-practices/SKILL.md:
- Around line 44-48: Add a language tag to the fenced code block in
.agents/skills/supabase-postgres-best-practices/SKILL.md (the triple-backtick
block listing the three reference files) to satisfy markdownlint MD040; update
the opening fence from ``` to ```text so the block is explicitly marked as plain
text.

In `@src/outbox_worker/repository_ext.rs`:
- Around line 263-269: The async outbox ordering currently sorts only by
created_at (messages.sort_by_key(|message| message.created_at)), which yields
unstable order when timestamps tie and diverges from the sync path; change the
sort to deterministically tie-break on id as well (e.g., sort by (created_at,
id) or use sort_by with created_at then id) so the messages Vec produced from
storage.values() has the same ordering as the sync implementation; update the
messages.sort_by_key call to a composite sort that includes message.id as the
secondary key.

In `@src/outbox/message.rs`:
- Around line 336-345: The re-initialization block that sets self.id,
self.event_type, self.payload, etc. must also clear delivery and source state to
avoid carrying stale state; update the same initializer (the block that assigns
self.id/event_type/payload) to reset self.attempts = 0, self.last_error = None,
self.worker_id = None, self.leased_until = None and clear any source-related
fields (e.g., self.source_id/self.source_type or whichever source_* fields
exist) so a reused OutboxMessage instance starts with fresh delivery/source
state.

In `@src/postgres_repo/mod.rs`:
- Around line 864-917: The outbox_message_from_row function selects
correlation_id and causation_id but never maps them into the returned
OutboxMessage; modify the constructor near the end (the Ok(OutboxMessage { ...
}) block) to extract both fields from the row using
row.try_get("correlation_id") and row.try_get("causation_id"), mapping errors
with repository_storage_error (e.g., "decode outbox correlation_id row" and
"decode outbox causation_id row"), and include the resulting values as the
correlation_id and causation_id fields on the OutboxMessage so the metadata is
preserved.

In `@src/sqlite_repo/mod.rs`:
- Around line 925-987: outbox_message_from_row is selecting correlation_id and
causation_id (via outbox_message_select_sql) but never assigns them to the
OutboxMessage; update outbox_message_from_row to read the columns (e.g.
row.try_get::<Option<String>, _>("correlation_id") and
row.try_get::<Option<String>, _>("causation_id")), map as needed
(as_deref()/map(...) or transpose()) and assign into message.correlation_id and
message.causation_id (or into the metadata map if OutboxMessage stores them
there) just before returning (after computing source_sequence and before
Ok(message)); ensure you use repository_storage_error for any try_get errors and
preserve the Option semantics and types that OutboxMessage expects.

---

Outside diff comments:
In `@src/commit_builder/mod.rs`:
- Around line 232-243: StagedCommitBuilder::commit is forwarding outbox_messages
unchanged which loses the aggregate/source linkage that CommitBuilder::commit
sets; before calling self.repo.commit_batch(CommitBatch { ... }) map/transform
self.outbox_messages the same way as in CommitBuilder::commit to populate the
outbox message source (use the same field/logic used there, e.g. set
message.source = self.source or derive from the staged entity/aggregate id),
then pass the transformed outbox_messages into CommitBatch so staged commits
preserve the outbox source.

In `@tests/bomberman/commands.rs`:
- Around line 221-230: The current code always uses saga.detonations.last()
(variable det) for every killed player which can misattribute kills when
multiple detonations occur in the same tick; instead locate the specific
detonation that actually caused this killed_id by searching saga.detonations
(e.g., saga.detonations.iter().find(...)) for a detonation that lists or affects
that player (match on a field like affected_players, killed_players, bomb_id, or
timestamp relative to the kill event) and use that det to populate
"killed_by_bomb" and "bomb_owner" in the OutboxMessage::create payload, falling
back to "unknown" only if no matching detonation is found.

---

Nitpick comments:
In `@migrations/postgres/0001_initial.sql`:
- Around line 39-68: Add table-level CHECK constraints to outbox_messages to
enforce cross-column invariants for status-driven states: add a CHECK using a
CASE/WHEN expression that for status='pending' requires claimed_by IS NULL AND
claimed_until IS NULL AND published_at IS NULL AND failed_at IS NULL AND
attempts = 0; for status='in_flight' requires claimed_by IS NOT NULL AND
claimed_until IS NOT NULL AND published_at IS NULL AND failed_at IS NULL; for
status='published' requires published_at IS NOT NULL AND failed_at IS NULL; and
for status='failed' requires failed_at IS NOT NULL. Modify the CREATE TABLE
outbox_messages definition to include these CHECK(...) constraints referencing
status, claimed_by, claimed_until, published_at, failed_at, and attempts so
impossible combinations are rejected by the DB.

In `@tests/todos/main.rs`:
- Around line 73-74: Replace the ignored commit results for test setup (the
calls to repo.outbox(init_message).commit(&mut todo) and the similar call around
line 94) with explicit error handling so failures surface immediately; for
example, call .expect("commit failed in test setup") or propagate the Result
instead of using let _ = ..., ensuring the commit() return value is checked and
the test aborts with a clear message if the commit fails.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: d65501a4-50e8-4990-87ec-373603962123

📥 Commits

Reviewing files that changed from the base of the PR and between ae249d4 and f789034.

📒 Files selected for processing (89)

• .agents/skills/supabase-postgres-best-practices/SKILL.md
• .agents/skills/supabase-postgres-best-practices/references/_contributing.md
• .agents/skills/supabase-postgres-best-practices/references/_sections.md
• .agents/skills/supabase-postgres-best-practices/references/_template.md
• .agents/skills/supabase-postgres-best-practices/references/advanced-full-text-search.md
• .agents/skills/supabase-postgres-best-practices/references/advanced-jsonb-indexing.md
• .agents/skills/supabase-postgres-best-practices/references/conn-idle-timeout.md
• .agents/skills/supabase-postgres-best-practices/references/conn-limits.md
• .agents/skills/supabase-postgres-best-practices/references/conn-pooling.md
• .agents/skills/supabase-postgres-best-practices/references/conn-prepared-statements.md
• .agents/skills/supabase-postgres-best-practices/references/data-batch-inserts.md
• .agents/skills/supabase-postgres-best-practices/references/data-n-plus-one.md
• .agents/skills/supabase-postgres-best-practices/references/data-pagination.md
• .agents/skills/supabase-postgres-best-practices/references/data-upsert.md
• .agents/skills/supabase-postgres-best-practices/references/lock-advisory.md
• .agents/skills/supabase-postgres-best-practices/references/lock-deadlock-prevention.md
• .agents/skills/supabase-postgres-best-practices/references/lock-short-transactions.md
• .agents/skills/supabase-postgres-best-practices/references/lock-skip-locked.md
• .agents/skills/supabase-postgres-best-practices/references/monitor-explain-analyze.md
• .agents/skills/supabase-postgres-best-practices/references/monitor-pg-stat-statements.md
• .agents/skills/supabase-postgres-best-practices/references/monitor-vacuum-analyze.md
• .agents/skills/supabase-postgres-best-practices/references/query-composite-indexes.md
• .agents/skills/supabase-postgres-best-practices/references/query-covering-indexes.md
• .agents/skills/supabase-postgres-best-practices/references/query-index-types.md
• .agents/skills/supabase-postgres-best-practices/references/query-missing-indexes.md
• .agents/skills/supabase-postgres-best-practices/references/query-partial-indexes.md
• .agents/skills/supabase-postgres-best-practices/references/schema-constraints.md
• .agents/skills/supabase-postgres-best-practices/references/schema-data-types.md
• .agents/skills/supabase-postgres-best-practices/references/schema-foreign-key-indexes.md
• .agents/skills/supabase-postgres-best-practices/references/schema-lowercase-identifiers.md
• .agents/skills/supabase-postgres-best-practices/references/schema-partitioning.md
• .agents/skills/supabase-postgres-best-practices/references/schema-primary-keys.md
• .agents/skills/supabase-postgres-best-practices/references/security-privileges.md
• .agents/skills/supabase-postgres-best-practices/references/security-rls-basics.md
• .agents/skills/supabase-postgres-best-practices/references/security-rls-performance.md
• .claude/skills/supabase-postgres-best-practices
• README.md
• migrations/postgres/0001_initial.sql
• migrations/sqlite/0001_initial.sql
• skills-lock.json
• src/bus/mod.rs
• src/commit_builder/mod.rs
• src/hashmap_repo/repository.rs
• src/lib.rs
• src/outbox/commit.rs
• src/outbox/message.rs
• src/outbox/mod.rs
• src/outbox_worker/mod.rs
• src/outbox_worker/repository_ext.rs
• src/outbox_worker/thread.rs
• src/outbox_worker/worker.rs
• src/postgres_repo/mod.rs
• src/repository/async_repository.rs
• src/repository/batch.rs
• src/repository/error.rs
• src/snapshot/repository.rs
• src/sqlite_repo/mod.rs
• src/sqlx_repo/mod.rs
• tests/async_repository/main.rs
• tests/bomberman/commands.rs
• tests/distributed_read_model/checkout_saga_service/handlers/record_seat_reserved.rs
• tests/distributed_read_model/checkout_saga_service/handlers/start.rs
• tests/distributed_read_model/seat_inventory_service/handlers/add.rs
• tests/distributed_read_model/seat_inventory_service/handlers/reserve_started_checkout_seat.rs
• tests/distributed_read_model_board/board_service/handlers/board_add_card.rs
• tests/distributed_read_model_board/board_service/handlers/board_move_card.rs
• tests/distributed_read_model_board/board_service/handlers/board_open.rs
• tests/distributed_read_model_board/board_service/handlers/board_remove_card.rs
• tests/distributed_read_model_board/projections_service/handlers/board.rs
• tests/hashmap_repository_conformance/main.rs
• tests/microsvc/handlers/counter_create.rs
• tests/microsvc/handlers/counter_increment.rs
• tests/persistent_repository_conformance/outbox.rs
• tests/persistent_repository_conformance/scenario.rs
• tests/postgres_repository/main.rs
• tests/postgres_repository_conformance/main.rs
• tests/sagas/distributed.rs
• tests/sagas/handlers/inventory/reserve.rs
• tests/sagas/handlers/orders/complete.rs
• tests/sagas/handlers/orders/create.rs
• tests/sagas/handlers/payments/process.rs
• tests/sagas/handlers/saga/on_inventory_reserved.rs
• tests/sagas/handlers/saga/on_order_created.rs
• tests/sagas/handlers/saga/on_payment_succeeded.rs
• tests/sagas/handlers/saga/start.rs
• tests/sourced_snapshot/main.rs
• tests/sqlite_repository/main.rs
• tests/sqlite_repository_conformance/main.rs
• tests/todos/main.rs

✅ Files skipped from review due to trivial changes (34)

• .agents/skills/supabase-postgres-best-practices/references/query-missing-indexes.md
• .agents/skills/supabase-postgres-best-practices/references/data-batch-inserts.md
• .agents/skills/supabase-postgres-best-practices/references/schema-constraints.md
• .agents/skills/supabase-postgres-best-practices/references/data-pagination.md
• .agents/skills/supabase-postgres-best-practices/references/query-partial-indexes.md
• .agents/skills/supabase-postgres-best-practices/references/lock-short-transactions.md
• .agents/skills/supabase-postgres-best-practices/references/data-n-plus-one.md
• .agents/skills/supabase-postgres-best-practices/references/query-index-types.md
• .agents/skills/supabase-postgres-best-practices/references/conn-limits.md
• .agents/skills/supabase-postgres-best-practices/references/lock-skip-locked.md
• .agents/skills/supabase-postgres-best-practices/references/lock-advisory.md
• .claude/skills/supabase-postgres-best-practices
• .agents/skills/supabase-postgres-best-practices/references/_template.md
• .agents/skills/supabase-postgres-best-practices/references/data-upsert.md
• .agents/skills/supabase-postgres-best-practices/references/security-rls-performance.md
• src/bus/mod.rs
• .agents/skills/supabase-postgres-best-practices/references/conn-prepared-statements.md
• .agents/skills/supabase-postgres-best-practices/references/schema-lowercase-identifiers.md
• .agents/skills/supabase-postgres-best-practices/references/monitor-explain-analyze.md
• .agents/skills/supabase-postgres-best-practices/references/query-composite-indexes.md
• .agents/skills/supabase-postgres-best-practices/references/conn-pooling.md
• .agents/skills/supabase-postgres-best-practices/references/schema-primary-keys.md
• .agents/skills/supabase-postgres-best-practices/references/_sections.md
• .agents/skills/supabase-postgres-best-practices/references/schema-data-types.md
• src/outbox_worker/worker.rs
• .agents/skills/supabase-postgres-best-practices/references/schema-foreign-key-indexes.md
• .agents/skills/supabase-postgres-best-practices/references/conn-idle-timeout.md
• .agents/skills/supabase-postgres-best-practices/references/monitor-pg-stat-statements.md
• .agents/skills/supabase-postgres-best-practices/references/advanced-jsonb-indexing.md
• .agents/skills/supabase-postgres-best-practices/references/query-covering-indexes.md
• skills-lock.json
• .agents/skills/supabase-postgres-best-practices/references/lock-deadlock-prevention.md
• .agents/skills/supabase-postgres-best-practices/references/monitor-vacuum-analyze.md
• .agents/skills/supabase-postgres-best-practices/references/schema-partitioning.md

[patrickleet]

@coderabbitai addressed the open review comments on this branch.

Implemented the still-valid inline, outside-diff, and nitpick items across docs, stream identity validation, macro parsing, SQLite/Postgres persistence, outbox state/source/metadata handling, conformance tests, Todo setup commits, and Bomberman kill attribution.

Notes:

• The async outbox ordering item was already addressed in src/outbox_worker/store.rs with created_at plus message-id tie-breaking.
• For the Postgres outbox status CHECK constraints, I enforced claim/timestamp invariants by status but did not require pending rows to have attempts = 0, because released retry messages are intentionally pending with attempts > 0.

Validation passed:

• cargo fmt --check
• git diff --check
• cargo test --lib
• cargo test --test todos
• cargo test --test bomberman --all-features
• cargo test --test sqlite_repository --features sqlite
• cargo test --test postgres_repository --features postgres
• cargo test --test hashmap_repository_conformance --all-features
• cargo test --test async_repository --all-features
• cargo test --test sqlite_repository_conformance --features sqlite
• cargo test --test postgres_repository_conformance --features postgres
• cargo test --all-features

[coderabbitai]

@patrickleet Thanks for the thorough follow-through — the summary is clear and the design rationale for both notes makes sense:

• Async outbox ordering — created_at + message-id tie-breaking in src/outbox_worker/store.rs is the right place for that.
• Postgres pending + attempts > 0 — Correct; requiring attempts = 0 on pending would break the released-retry path. The invariant is on the transition rules, not the column values at rest.

Triggering a re-review to verify the updated state of the PR.

🐇✨

✅ Actions performed

Comments resolved. Approval is disabled; enable reviews.request_changes_workflow to allow explicit top-level @coderabbitai resolve or @coderabbitai approve commands.

---

Full review triggered.