fix(server): serialize alembic migrations

abhinav-galileo · abhinav-galileo · commit da5a1325a846 · 2026-05-15T14:22:19.000+05:30
diff --git a/server/src/agent_control_server/migrate.py b/server/src/agent_control_server/migrate.py
@@ -9,18 +9,36 @@
 
 import argparse
 import logging
+import os
 import shutil
 import sys
 import tempfile
+import time
 from collections.abc import Iterator
 from contextlib import contextmanager
 from pathlib import Path
 from typing import cast
 
-from alembic import command
 from alembic.config import Config
+from sqlalchemy import create_engine, text
+from sqlalchemy.engine import Connection
+from sqlalchemy.engine.url import make_url
+from sqlalchemy.pool import NullPool
 
 import agent_control_server
+from agent_control_server.config import db_config
+from alembic import command
+
+LOGGER = logging.getLogger(__name__)
+_MIGRATION_LOCK_CLASS_ID = 0x4143544C  # "ACTL"
+_MIGRATION_LOCK_OBJECT_ID = 0x4D494752  # "MIGR"
+_MIGRATION_LOCK_POLL_SECONDS = 2.0
+_DEFAULT_MIGRATION_LOCK_TIMEOUT_SECONDS = 600.0
+_MIGRATION_LOCK_TIMEOUT_ENV = "AGENT_CONTROL_MIGRATION_LOCK_TIMEOUT_SECONDS"
+_MIGRATION_LOCK_PARAMS = {
+    "class_id": _MIGRATION_LOCK_CLASS_ID,
+    "object_id": _MIGRATION_LOCK_OBJECT_ID,
+}
 
 
 def _bundled_config() -> Config:
@@ -58,6 +76,88 @@ def _runtime_bundled_config() -> Iterator[Config]:
         yield cfg
 
 
+def _migration_url(cfg: Config) -> str:
+    configured_url = cfg.get_main_option("sqlalchemy.url")
+    if configured_url:
+        return configured_url
+    return db_config.get_url()
+
+
+def _migration_lock_timeout_seconds() -> float:
+    raw_timeout = os.getenv(_MIGRATION_LOCK_TIMEOUT_ENV)
+    if raw_timeout is None:
+        return _DEFAULT_MIGRATION_LOCK_TIMEOUT_SECONDS
+
+    try:
+        timeout = float(raw_timeout)
+    except ValueError as exc:
+        raise RuntimeError(f"{_MIGRATION_LOCK_TIMEOUT_ENV} must be a number.") from exc
+
+    if timeout <= 0:
+        raise RuntimeError(f"{_MIGRATION_LOCK_TIMEOUT_ENV} must be greater than zero.")
+    return timeout
+
+
+def _acquire_migration_lock(connection: Connection, timeout_seconds: float) -> None:
+    deadline = time.monotonic() + timeout_seconds
+    logged_wait = False
+
+    while True:
+        acquired = bool(
+            connection.execute(
+                text("SELECT pg_try_advisory_lock(:class_id, :object_id)"),
+                _MIGRATION_LOCK_PARAMS,
+            ).scalar_one()
+        )
+        if acquired:
+            LOGGER.info("Acquired Agent Control migration advisory lock.")
+            return
+
+        remaining = deadline - time.monotonic()
+        if remaining <= 0:
+            raise TimeoutError(
+                f"Timed out after {timeout_seconds:g}s waiting for Agent Control "
+                "migration advisory lock."
+            )
+
+        if not logged_wait:
+            LOGGER.info("Waiting for another Agent Control migration to finish.")
+            logged_wait = True
+        time.sleep(min(_MIGRATION_LOCK_POLL_SECONDS, remaining))
+
+
+@contextmanager
+def _serialized_migration(cfg: Config, *, enabled: bool) -> Iterator[None]:
+    if not enabled:
+        yield
+        return
+
+    url = _migration_url(cfg)
+    if make_url(url).get_backend_name() != "postgresql":
+        yield
+        return
+
+    engine = create_engine(url, future=True, poolclass=NullPool)
+    try:
+        with engine.connect() as connection:
+            _acquire_migration_lock(connection, _migration_lock_timeout_seconds())
+            try:
+                yield
+            finally:
+                released = bool(
+                    connection.execute(
+                        text("SELECT pg_advisory_unlock(:class_id, :object_id)"),
+                        _MIGRATION_LOCK_PARAMS,
+                    ).scalar_one()
+                )
+                if released:
+                    LOGGER.info("Released Agent Control migration advisory lock.")
+                else:
+                    LOGGER.warning("Agent Control migration advisory lock was not held at release.")
+    finally:
+        engine.dispose()
+
+
 def _build_parser() -> argparse.ArgumentParser:
     parser = argparse.ArgumentParser(
         prog="agent-control-migrate",
@@ -104,18 +204,20 @@ def main(argv: list[str] | None = None) -> int:
 
     try:
         with _runtime_bundled_config() as cfg:
-            if parsed.command == "upgrade":
-                command.upgrade(cfg, parsed.revision, sql=parsed.sql)
-            elif parsed.command == "downgrade":
-                command.downgrade(cfg, parsed.revision, sql=parsed.sql)
-            elif parsed.command == "current":
-                command.current(cfg)
-            elif parsed.command == "history":
-                command.history(cfg)
-            elif parsed.command == "heads":
-                command.heads(cfg)
-            else:  # pragma: no cover - argparse guarantees this cannot happen.
-                parser.error("missing command")
+            should_lock = parsed.command in {"upgrade", "downgrade"} and not parsed.sql
+            with _serialized_migration(cfg, enabled=should_lock):
+                if parsed.command == "upgrade":
+                    command.upgrade(cfg, parsed.revision, sql=parsed.sql)
+                elif parsed.command == "downgrade":
+                    command.downgrade(cfg, parsed.revision, sql=parsed.sql)
+                elif parsed.command == "current":
+                    command.current(cfg)
+                elif parsed.command == "history":
+                    command.history(cfg)
+                elif parsed.command == "heads":
+                    command.heads(cfg)
+                else:  # pragma: no cover - argparse guarantees this cannot happen.
+                    parser.error("missing command")
     except Exception as exc:
         print(f"agent-control-migrate: {exc}", file=sys.stderr)
         return 1
diff --git a/server/tests/test_migrate.py b/server/tests/test_migrate.py
@@ -2,10 +2,53 @@
 
 from pathlib import Path
 
+from alembic.config import Config
+
 import agent_control_server
 from agent_control_server import migrate
 
 
+class _FakeResult:
+    def __init__(self, value: bool) -> None:
+        self.value = value
+
+    def scalar_one(self) -> bool:
+        return self.value
+
+
+class _FakeConnection:
+    def __init__(self, lock_results: list[bool]) -> None:
+        self.lock_results = lock_results
+        self.statements: list[str] = []
+
+    def __enter__(self) -> _FakeConnection:
+        return self
+
+    def __exit__(self, *args: object) -> None:
+        return None
+
+    def execute(self, statement: object, params: object) -> _FakeResult:
+        statement_text = str(statement)
+        self.statements.append(statement_text)
+        if "pg_try_advisory_lock" in statement_text:
+            return _FakeResult(self.lock_results.pop(0))
+        if "pg_advisory_unlock" in statement_text:
+            return _FakeResult(True)
+        raise AssertionError(f"unexpected SQL statement: {statement_text}")
+
+
+class _FakeEngine:
+    def __init__(self, connection: _FakeConnection) -> None:
+        self.connection = connection
+        self.disposed = False
+
+    def connect(self) -> _FakeConnection:
+        return self.connection
+
+    def dispose(self) -> None:
+        self.disposed = True
+
+
 def test_bundled_config_omits_injected_version_init(
     tmp_path: Path,
     monkeypatch,
@@ -31,3 +74,51 @@ def test_bundled_config_omits_injected_version_init(
         assert not (script_location / "versions" / "__init__.py").exists()
 
     assert not script_location.exists()
+
+
+def test_serialized_migration_skips_lock_for_non_postgres_url(monkeypatch) -> None:
+    cfg = Config()
+    cfg.set_main_option("sqlalchemy.url", "sqlite:///agent-control.db")
+
+    def fail_create_engine(*args: object, **kwargs: object) -> object:
+        raise AssertionError("non-postgres migrations should not create a lock connection")
+
+    monkeypatch.setattr(migrate, "create_engine", fail_create_engine)
+
+    with migrate._serialized_migration(cfg, enabled=True):
+        pass
+
+
+def test_serialized_migration_acquires_and_releases_postgres_lock(monkeypatch) -> None:
+    cfg = Config()
+    cfg.set_main_option("sqlalchemy.url", "postgresql+psycopg://user:pass@postgres/db")
+    connection = _FakeConnection([False, True])
+    engine = _FakeEngine(connection)
+    sleeps: list[float] = []
+
+    monkeypatch.setattr(migrate, "create_engine", lambda *args, **kwargs: engine)
+    monkeypatch.setattr(migrate.time, "sleep", lambda seconds: sleeps.append(seconds))
+
+    with migrate._serialized_migration(cfg, enabled=True):
+        pass
+
+    assert connection.statements == [
+        "SELECT pg_try_advisory_lock(:class_id, :object_id)",
+        "SELECT pg_try_advisory_lock(:class_id, :object_id)",
+        "SELECT pg_advisory_unlock(:class_id, :object_id)",
+    ]
+    assert sleeps == [2.0]
+    assert engine.disposed
+
+
+def test_serialized_migration_respects_disabled_lock(monkeypatch) -> None:
+    cfg = Config()
+    cfg.set_main_option("sqlalchemy.url", "postgresql+psycopg://user:pass@postgres/db")
+
+    def fail_create_engine(*args: object, **kwargs: object) -> object:
+        raise AssertionError("disabled migration lock should not create a lock connection")
+
+    monkeypatch.setattr(migrate, "create_engine", fail_create_engine)
+
+    with migrate._serialized_migration(cfg, enabled=False):
+        pass
