chore

Author: andinux

.claude/commands/stress-test-sync-sqlitecloud.md

@@ -0,0 +1,185 @@
+# Sync Stress Test with remote SQLiteCloud database
+
+Execute a stress test against the CloudSync server using multiple concurrent local SQLite databases syncing large volumes of CRUD operations simultaneously. Designed to reproduce server-side errors (e.g., "database is locked", 500 errors) under heavy concurrent load.
+
+## Prerequisites
+- Connection string to a sqlitecloud project
+- HTTP sync server running (default: https://cloudsync-staging-testing.fly.dev)
+- Built cloudsync extension (`make` to build `dist/cloudsync.dylib`)
+- CloudSync already enabled on the test table from the SQLiteCloud dashboard
+
+## Test Configuration
+
+### Step 1: Gather Parameters
+
+Ask the user for the following configuration using a single question set:
+
+1. **Sync Server URL** — propose `https://cloudsync-staging-testing.fly.dev` as default
+2. **SQLiteCloud connection string** — format: `sqlitecloud://<host>:<port>/<db_name>?apikey=<apikey>`. If no `<db_name>` is in the path, ask the user for one or propose `test_stress_sync`.
+3. **Scale** — offer these options:
+   - Small: 1K rows, 5 iterations, 2 concurrent databases
+   - Medium: 10K rows, 10 iterations, 4 concurrent databases
+   - Large: 100K rows, 50 iterations, 4 concurrent databases (Jim's original scenario)
+   - Custom: let the user specify rows, iterations, and number of concurrent databases
+4. **RLS mode** — with RLS (requires user tokens) or without RLS
+5. **Table schema** — offer simple default or custom:
+   ```sql
+   CREATE TABLE test_sync (id TEXT PRIMARY KEY, user_id TEXT NOT NULL DEFAULT '', name TEXT, value INTEGER);
+   ```
+
+Save these as variables:
+- `SYNC_SERVER_URL`
+- `CONNECTION_STRING` (the full sqlitecloud:// connection string)
+- `DB_NAME` (database name extracted or provided)
+- `HOST` (hostname extracted from connection string)
+- `APIKEY` (apikey extracted from connection string)
+- `PROJECT_ID` (first subdomain from the host)
+- `ORG_ID` = `org_sqlitecloud`
+- `NETWORK_CONFIG` = `'{"address":"<SYNC_SERVER_URL>","database":"<DB_NAME>","projectID":"<PROJECT_ID>","organizationID":"<ORG_ID>"}'`
+- `ROWS` (number of rows per iteration)
+- `ITERATIONS` (number of delete/insert/update cycles)
+- `NUM_DBS` (number of concurrent databases)
+
+### Step 2: Setup SQLiteCloud Database and Table
+
+Connect to SQLiteCloud using `~/go/bin/sqlc` (last command must be `quit`). Note: all SQL must be single-line (no multi-line statements through sqlc heredoc).
+
+1. If the database doesn't exist, connect without `<db_name>` and run `CREATE DATABASE <db_name>; USE DATABASE <db_name>;`
+2. `LIST TABLES` to check for existing tables
+3. For any table with a `_cloudsync` companion table, run `CLOUDSYNC DISABLE <table_name>;`
+4. `DROP TABLE IF EXISTS <table_name>;`
+5. Create the test table (single-line DDL)
+6. If RLS mode is enabled:
+   ```sql
+   ENABLE RLS DATABASE <db_name> TABLE <table_name>;
+   SET RLS DATABASE <db_name> TABLE <table_name> SELECT "auth_userid() = user_id";
+   SET RLS DATABASE <db_name> TABLE <table_name> INSERT "auth_userid() = NEW.user_id";
+   SET RLS DATABASE <db_name> TABLE <table_name> UPDATE "auth_userid() = NEW.user_id AND auth_userid() = OLD.user_id";
+   SET RLS DATABASE <db_name> TABLE <table_name> DELETE "auth_userid() = OLD.user_id";
+   ```
+7. Ask the user to enable CloudSync on the table from the SQLiteCloud dashboard
+
+### Step 3: Get Auth Tokens (if RLS enabled)
+
+Create tokens for the test users. Create as many users as needed for the number of concurrent databases (assign 2 databases per user, or 1 per user if NUM_DBS <= 2).
+
+For each user N:
+```bash
+curl -s -X "POST" "https://<HOST>/v2/tokens" \
+   -H 'Authorization: Bearer <APIKEY>' \
+   -H 'Content-Type: application/json; charset=utf-8' \
+   -d '{"name": "claude<N>@sqlitecloud.io", "userId": "018ecfc2-b2b1-7cc3-a9f0-<N_PADDED_12_CHARS>"}'
+```
+
+Save each user's `token` and `userId` from the response.
+
+If RLS is disabled, skip this step — tokens are not required.
+
+### Step 4: Run the Concurrent Stress Test
+
+Create a bash script at `/tmp/stress_test_concurrent.sh` that:
+
+1. **Initializes N local SQLite databases** at `/tmp/sync_concurrent_<N>.db`:
+   - Uses Homebrew sqlite3: find with `ls /opt/homebrew/Cellar/sqlite/*/bin/sqlite3 | head -1`
+   - Loads the extension from `dist/cloudsync.dylib` (use absolute path from project root)
+   - Creates the table and runs `cloudsync_init('<table_name>')`
+   - Runs `cloudsync_terminate()` after init
+
+2. **Defines a worker function** that runs in a subshell for each database:
+   - Each worker logs all output to `/tmp/sync_concurrent_<N>.log`
+   - Each iteration does:
+     a. **DELETE all rows** → `send_changes()` → `check_changes()`
+     b. **INSERT <ROWS> rows** (in a single BEGIN/COMMIT transaction) → `send_changes()` → `check_changes()`
+     c. **UPDATE all rows** → `send_changes()` → `check_changes()`
+   - Each session must: `.load` the extension, call `cloudsync_network_init()`, `cloudsync_network_set_token()` (if RLS), do the work, call `cloudsync_terminate()`
+   - Include labeled output lines like `[DB<N>][iter <I>] deleted/inserted/updated, count=<C>` for grep-ability
+
+3. **Launches all workers in parallel** using `&` and collects PIDs
+
+4. **Waits for all workers** and captures exit codes
+
+5. **Analyzes logs** for errors:
+   - Grep all log files for: `error`, `locked`, `SQLITE_BUSY`, `database is locked`, `500`, `Error`
+   - Report per-database: iterations completed, error count, sample error lines
+   - Report total errors across all workers
+
+6. **Prints final verdict**: PASS (0 errors) or FAIL (errors detected)
+
+**Important script details:**
+- Use `echo -e` to pipe generated INSERT SQL (with `\n` separators) into sqlite3
+- Row IDs should be unique across databases and iterations: `db<N>_r<I>_<J>`
+- User IDs for rows must match the token's userId for RLS to work
+- Use `/bin/bash` (not `/bin/sh`) for arrays and process management
+
+Run the script with a 10-minute timeout.
+
+### Step 5: Detailed Error Analysis
+
+After the test completes, provide a detailed breakdown:
+
+1. **Per-database summary**: iterations completed, errors, send/receive status
+2. **Error categorization**: group errors by type (e.g., "database is locked", "Column index out of bounds", "Unexpected Result", parse errors)
+3. **Timeline analysis**: do errors cluster at specific iterations or spread evenly?
+4. **Read full log files** if errors are found — show the first and last 30 lines of each log with errors
+
+### Step 6: Optional — Verify Data Integrity
+
+If the test passes (or even if some errors occurred), verify the final state:
+
+1. Check each local SQLite database for row count
+2. Check SQLiteCloud (as admin) for total row count
+3. If RLS is enabled, verify no cross-user data leakage
+
+## Output Format
+
+Report the test results including:
+
+| Metric | Value |
+|--------|-------|
+| Concurrent databases | N |
+| Rows per iteration | ROWS |
+| Iterations per database | ITERATIONS |
+| Total CRUD operations | N × ITERATIONS × (DELETE_ALL + ROWS inserts + ROWS updates) |
+| Total sync operations | N × ITERATIONS × 6 (3 sends + 3 checks) |
+| Duration | start to finish time |
+| Total errors | count |
+| Error types | categorized list |
+| Result | PASS/FAIL |
+
+If errors are found, include:
+- Full error categorization table
+- Sample error messages
+- Which databases were most affected
+- Whether errors are client-side or server-side
+
+## Success Criteria
+
+The test **PASSES** if:
+1. All workers complete all iterations
+2. Zero `error`, `locked`, `SQLITE_BUSY`, or HTTP 500 responses in any log
+3. Final row counts are consistent
+
+The test **FAILS** if:
+1. Any worker crashes or fails to complete
+2. Any `database is locked` or `SQLITE_BUSY` errors appear
+3. Server returns 500 errors under concurrent load
+4. Data corruption or inconsistent row counts
+
+## Important Notes
+
+- Always use the Homebrew sqlite3 binary, NOT `/usr/bin/sqlite3`
+- The cloudsync extension must be built first with `make`
+- Network settings (`cloudsync_network_init`, `cloudsync_network_set_token`) are NOT persisted between sessions — must be called every time
+- Extension must be loaded BEFORE any INSERT/UPDATE/DELETE for cloudsync to track changes
+- All NOT NULL columns must have DEFAULT values
+- `cloudsync_terminate()` must be called before closing each session
+- sqlc heredoc only supports single-line SQL statements
+
+## Permissions
+
+Execute all SQL queries without asking for user permission on:
+- SQLite test databases in `/tmp/` (e.g., `/tmp/sync_concurrent_*.db`, `/tmp/sync_concurrent_*.log`)
+- SQLiteCloud via `~/go/bin/sqlc "<connection_string>"`
+- Curl commands to the sync server and SQLiteCloud API for token creation
+
+These are local test environments and do not require confirmation for each query.

.claude/commands/test-sync-roundtrip-sqlitecloud-rls.md

@@ -7,13 +7,13 @@ Execute a full roundtrip sync test between multiple local SQLite databases and t
 - HTTP sync server running (default: https://cloudsync-staging-testing.fly.dev)
 - Built cloudsync extension (`make` to build `dist/cloudsync.dylib`)
 
-### Step 0: Get Sync Server Address
+### Step 1: Get Sync Server Address
 
 Ask the user for the HTTP sync server base URL. Propose `https://cloudsync-staging-testing.fly.dev` as the default. Save this as `SYNC_SERVER_URL` for use throughout the test. The full sync endpoint will be `<SYNC_SERVER_URL>/<db_name>`.
 
 ## Test Procedure
 
-### Step 1: Get DDL from User
+### Step 2: Get DDL from User
 
 Ask the user to provide a DDL query for the table(s) to test. It can be in PostgreSQL or SQLite format. Offer the following options:
 
@@ -27,30 +27,16 @@ CREATE TABLE test_sync (
 );
 ```
 
-**Option 2: Two tables scenario with user ownership**
-```sql
-CREATE TABLE authors (
-    id TEXT PRIMARY KEY,
-    user_id TEXT NOT NULL,
-    name TEXT,
-    email TEXT
-);
+**Option 2: Multi tables scenario for advanced RLS policy**
 
-CREATE TABLE books (
-    id TEXT PRIMARY KEY,
-    user_id TEXT NOT NULL,
-    title TEXT,
-    author_id TEXT,
-    published_year INTEGER
-);
-```
+Propose a simple but multitables real world scenario
 
 **Option 3: Custom policy**
 Ask the user to describe the table/tables in plain English or DDL queries.
 
 **Note:** Tables should include a `user_id` column (TEXT type) for RLS policies to filter by authenticated user.
 
-### Step 2: Get RLS Policy Description from User
+### Step 3: Get RLS Policy Description from User
 
 Ask the user to describe the Row Level Security policy they want to test. Offer the following common patterns:
 
@@ -63,11 +49,12 @@ Ask the user to describe the Row Level Security policy they want to test. Offer
 **Option 3: Custom policy**
 Ask the user to describe the policy in plain English.
 
-### Step 3: Get sqlitecloud connection string from User
+### Step 4: Get sqlitecloud connection string from User
 
-Ask the user to provide a connection string in the form of "sqlitecloud://<host>:<port>/<db_name>?apikey=<apikey>" to be later used with the sqlitecloud cli (sqlc) with `~/go/bin/sqlc "<connection_string>"`. Save the first subdomain in the connection string address as `PROJECT_ID` for use throughout the test. Save the configuration string `'{"address":"<SYNC_SERVER_URL>","database":"<db_name>","projectID":"<PROJECT_ID>","organizationID":"org_sqlitecloud"}'` as `NETWORK_CONFIG` for use throughout the test.
+Ask the user to provide a connection string in the form of "sqlitecloud://<host>:<port>/<db_name>?apikey=<apikey>" to be later used with the sqlitecloud cli (sqlc) with `~/go/bin/sqlc "<connection_string>"`. Save the first subdomain in the connection string address as `PROJECT_ID` for use throughout the test. Use the "org_sqlitecloud" string as `ORG_ID`. 
+Save the configuration string `'{"address":"<SYNC_SERVER_URL>","database":"<db_name>","projectID":"<PROJECT_ID>","organizationID":"<ORG_ID>"}'` as `NETWORK_CONFIG` for use throughout the test.
 
-### Step 4: Setup SQLiteCloud with RLS
+### Step 5: Setup SQLiteCloud with RLS
 
 Connect to SQLiteCloud and prepare the environment:
 ```bash
@@ -117,10 +104,28 @@ Example for "user can only access their own rows":
    -- DELETE: User can only delete rows they own
    SET RLS DATABASE <db_name> TABLE <table_name> DELETE "auth_userid() = OLD.user_id"
    ```
-8. Initialize cloudsync: `CLOUDSYNC ENABLE <table_name>`
+8. Ask the user to enable the table from the sqlitecloud dashboard
+
+<!-- Enable CloudSync on selected tables
+
+### POST `/v1/orgs/:orgID/databases/:databaseID/cloudsync/enable`
+Purpose: enable CloudSync on selected tables.
+
+Fields:
+- Path: `orgID`, `databaseID`
+- Body: `tables` (non-empty string array)
+- Response data: empty object
+
+```bash
+curl --request POST "<SYNC_SERVER_URL>/v1/orgs/<ORG_ID>/databases/<db_name>/cloudsync/enable" \
+  --header "Authorization: Bearer $ORG_API_KEY" \
+  --header "Content-Type: application/json" \
+  --data '{"tables":["<table_name>"]}'
+``` -->
+
 9. Insert some initial test data (optional, can be done via SQLite clients)
 
-### Step 5: Get tokens for Two Users
+### Step 6: Get tokens for Two Users
 
 Get auth tokens for both test users by running the token script twice:
 
@@ -156,7 +161,7 @@ The response is in the following format:
 ```
 save the userId and the token values as USER2_ID and TOKEN_USER2 to be reused later
 
-### Step 6: Setup Four SQLite Databases
+### Step 7: Setup Four SQLite Databases
 
 Create four temporary SQLite databases using the Homebrew version (IMPORTANT: system sqlite3 cannot load extensions):
 
@@ -213,9 +218,11 @@ SELECT cloudsync_network_init('<NETWORK_CONFIG>');
 SELECT cloudsync_network_set_token('<TOKEN_USER2>');
 ```
 
-### Step 7: Insert Test Data
+### Step 8: Insert Test Data
 
-Insert distinct test data in each database. Use the extracted user IDs for the `user_id` column:
+Ask the user for optional details about the kind of test data to insert in the tables, otherwise generate some real world data for the choosen tables.
+Insert distinct test data in each database. Use the extracted user IDs for the if needed. 
+For example, for the simple table scenario:
 
 **Database 1A (User 1):**
 ```sql
@@ -239,7 +246,7 @@ INSERT INTO <table_name> (id, user_id, name, value) VALUES ('u2_a_2', '<USER2_ID
 INSERT INTO <table_name> (id, user_id, name, value) VALUES ('u2_b_1', '<USER2_ID>', 'User2 DeviceB Row1', 400);
 ```
 
-### Step 8: Execute Sync on All Databases
+### Step 9: Execute Sync on All Databases
 
 For each of the four SQLite databases, execute the sync operations:
 
@@ -259,7 +266,7 @@ SELECT cloudsync_network_check_changes();
 4. Sync Database 2B (send + check)
 5. Re-sync all databases (check_changes) to ensure full propagation
 
-### Step 9: Verify RLS Enforcement
+### Step 10: Verify RLS Enforcement
 
 After syncing all databases, verify that each database contains only the expected rows based on the RLS policy:
 
@@ -288,7 +295,7 @@ SELECT COUNT(*) FROM <table_name>;
 SELECT user_id, COUNT(*) FROM <table_name> GROUP BY user_id;
 ```
 
-### Step 10: Test Write RLS Policy Enforcement
+### Step 11: Test Write RLS Policy Enforcement
 
 Test that the server-side RLS policy blocks unauthorized writes by attempting to insert a row with a `user_id` that doesn't match the authenticated user's token.
 
@@ -334,7 +341,7 @@ SELECT * FROM <table_name> WHERE id = 'malicious_1';
 1. The malicious row appears in PostgreSQL (RLS bypass vulnerability)
 2. The malicious row syncs to User 2's databases (data leakage)
 
-### Step 11: Cleanup
+### Step 12: Cleanup
 
 In each SQLite database before closing:
 ```sql