fix(rivetkit-sqlite): preserve text with embedded nul bytes

[NathanFlurry]

Description

Please include a summary of the changes and the related issue. Please also include relevant motivation and context.

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes.

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes

[NathanFlurry]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• fix(rivetkit-core): gate startup until runtime is ready #4736 : 2 dependent PRs (#4737 , #4739 )
• fix(rivetkit-sqlite): preserve text with embedded nul bytes #4735 👈 (View in Graphite)
• chore(rivetkit): add child spans for logging #4734
• fix(rivetkit-core): orphan engine process and detect crashes #4733
• fix(rivetkit-core): return None for empty inspector state to avoid frontend CBOR decode error #4732
• fix(rivetkit-core): don't install tokio::signal::ctrl_c() handler inside serve_with_config #4731
• refactor(rivetkit-core): use subtle::ConstantTimeEq for inspector token verify #4730
• fix(rivetkit): drop is_read_only_sql classifier, surface RETURNING rows #4728
• docs: require close-code rejection for websocket auth/policy failures #4727
• fix(rivetkit): inspector reports actual config state + real queue messages #4726
• fix(rivetkit-napi): plumb ctx through serializeState TSF and stop panicking on runtime_state Ref drop #4725
• chore(rivetkit): remove legacy metrics & prometheus auth #4724
• chore(rivetkit): remove legacy metrics #4723
• chore(rivetkit): impl inspector token #4722
• chore: disable auth on serverless #4721
• chore: fix cors for envoys #4720
• chore: fix serverless in rivetkit-core #4719
• chore(rivetkit): impl follow up review #4711
• chore: rivetkit core/napi/typescript follow up review #4702
• chore: fix remaining issues with rivetkit-core #4701
• chore: sqlite v1 to v2 data migration #4692 : 1 other dependent PR (#4640 )
• chore: move rivetkit to task model #4680
• chore: rivetkit to rust #4679
• feat(rivetkit): sqlite vfs v2 #4673
• chore: rename sandbox -> kitchen sink #4671 : 1 other dependent PR (#4672 )
• chore: configure TLS trust roots for rustls clients #4667
• fix(rivetkit): update config to match envoys & remove manager references #4663
• chore(publish): pin docker base image refs #4652
• chore(engine): publish engine bases in ci #4649 : 2 other dependent PRs (#4650 , #4666 )
• chore: lockfile lefthook #4647
• fix(rivetkit): surface native sqlite kv errors to callers #4645
• fix(rivetkit): prevent sleep races during disconnect and db work #4644
• fix(rivetkit): isolate engine envoys and propagate startup failures #4643
• test(rivetkit): remove wasm sqlite-only fixtures and coverage #4642
• chore(sqlite-vfs): remove wasm sqlite packages and workspace wiring #4641
• chore(rivetkit): remove wasm sqlite runtime #4614
• fix(sqlite-native): restore native startup kv preload #4639
• fix(sqlite-native): delete metadata before chunk range #4638
• fix(sqlite-native): keep truncate cache coherent #4637
• fix(sqlite-vfs): use delete range for truncate cleanup #4636
• fix(sqlite-native): restore kv error hook #4635
• perf(sqlite-native): avoid cloning cached read chunks #4634
• perf(sqlite-native): gate kv operation labels #4633
• perf(sqlite-native): reuse read cache for partial writes #4632
• perf(sqlite-native): remove delete file existence probe #4631
• fix(sqlite-native): gate native read cache behind env var #4630
• fix(pegboard): isolate runner config dc lookup failures #4625 : 1 other dependent PR (#4626 )
• docs(pegboard): note runner config upsert split write risk #4624
• fix(pegboard): unpack global runner config keys correctly #4623
• fix(pegboard-gateway): enforce tunnel message state #4622
• fix(pegboard-runner): clear terminal tunnel routes #4621
• fix(pegboard): skip protocol version keys in runner pool backfill #4620
• fix(pegboard): create missing normal runner configs #4619
• fix(epoxy): reuse cached optimistic value #4618
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[claude]

PR Review: fix(rivetkit-sqlite): preserve text with embedded nul bytes

This is a targeted and correct bug fix. The core change — replacing CString::new() with an explicit-length sqlite3_bind_text call — is the right approach for handling text with embedded NUL bytes in SQLite bindings.

Correctness

The fix is technically sound:

• Bind side: sqlite3_bind_text with an explicit byte length correctly passes the full buffer including embedded NULs. The old CString::new() would return Err for any string containing NUL bytes, silently dropping the bind.
• Read side: Using sqlite3_column_bytes + slice::from_raw_parts matches the existing blob read path and correctly recovers the full byte range.

Issues

Potential truncation on large strings

value.len() as i32 will silently truncate if the string exceeds i32::MAX (~2 GB). This is consistent with the existing blob binding code so it is not a regression, but worth a checked cast:

let len = i32::try_from(value.len()).expect("text value exceeds i32::MAX");

Missing newline at end of file

The diff shows no newline at end of file on message.incoming_too_long.json after the change — the missing newline still is not added.

Duplicated MemoryDb helper

The new test file tests/query_text_nul.rs duplicates the MemoryDb helper struct that already exists in the inline #[cfg(test)] mod tests block inside query.rs. Per CLAUDE.md, Rust tests should live under tests/, not inline in src/. The existing inline tests in query.rs should be moved to tests/ alongside this new test, and MemoryDb extracted into a shared helper to avoid duplication.

Misleading test assertion

Both the Rust and TypeScript tests assert sqlite_length === 1 because the SQLite length() function stops at the first NUL for TEXT columns. While technically correct, it may confuse readers into thinking only 1 byte was stored. A brief comment would help clarify this is expected SQLite behavior, while hex() proves all bytes are actually stored.

Unrelated change

The punctuation fix in message.incoming_too_long.json is unrelated to the NUL byte fix. Not a blocker, but worth separating into its own commit.

Minor Notes

• from_utf8_lossy silently replaces invalid UTF-8 with the replacement character. This matches the pre-fix behavior (CStr::to_string_lossy) so it is not a regression, but malformed UTF-8 in a TEXT column gets silently corrupted. Acceptable for SQLite TEXT (which is defined to be UTF-8), just worth acknowledging.
• The SQL preparation paths still use CString::new(sql) — this is appropriate since SQL itself should not contain NUL bytes. The fix is correctly scoped to bound parameters and result columns.

Summary

The core fix is correct and well-tested. Main asks before merging: (1) address the i32 truncation with a checked cast, (2) add a comment to the sqlite_length == 1 assertions explaining the expected SQLite behavior, (3) move existing inline query.rs tests to tests/ per CLAUDE.md conventions and share the MemoryDb helper.