feat(postgres-wire-features): add Postgres v3 wire-protocol sample (#229)

* feat(postgres-wire-features): add Postgres v3 wire-protocol sample

A stdlib-only Go HTTP service that drives a PostgreSQL connection directly
over the v3 frontend/backend protocol (no driver), exposing ten scenarios
under GET /run/all:

- setup (DDL)
- dml (INSERT ON CONFLICT, UPDATE, DELETE, MERGE)
- catalog-cte / catalog-sub / catalog-setop (pg_catalog queries via CTE,
  subselect, UNION)
- copy (COPY FROM STDIN + COPY TO STDOUT)
- prepare (PREPARE, EXECUTE, DEALLOCATE)
- cursor (BEGIN, DECLARE CURSOR, FETCH, CLOSE, COMMIT)
- admin (ANALYZE, REINDEX, LOCK TABLE, DO, CREATE PROCEDURE, CALL)
- validation-ping (SELECT 'ok', SELECT true, SELECT NULL, SELECT 1)

Standard sample layout: Dockerfile, docker-compose.yml with api+db,
test.sh traffic script that hits /run/all and each /case/<name>, and
a README with record/test instructions.

The wire-protocol traffic is intentionally low-level so Keploy's proxy
sees every message class (CopyData, CopyDone, Parse/Bind/Execute, cursor
portals, etc.) as the server sends them, rather than what a driver would
hide behind its API.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Aditya-eddy <aditya282003@gmail.com>

* feat(postgres-wire-features): simplify test.sh to /health + /run/all only

Dropping the per-scenario /case/<name> loop from test.sh. /run/all already
exercises every scenario inside one HTTP request, which is all a record
pass needs; firing /case/* endpoints in quick succession afterwards
created many back-to-back raw-socket Postgres connections that could
push the recording proxy into an EOF regime in docker mode, producing
noisy captures whose replay diffs drowned out the real signal.

Signed-off-by: Aditya-eddy <aditya282003@gmail.com>

* feat(postgres-wire-features): share one Postgres connection across /run/all

Refactor: runXxx scenario functions now take *pgClient instead of opening
their own. /run/all dials once and walks all ten scenarios on that single
connection; /case/<name> keeps its own withClient wrapper so individual
scenario endpoints still run standalone.

Opening a fresh connection per scenario pushed Keploy's docker-mode proxy
into a back-to-back connect/close regime where the agent dropped
handshakes (visible in CI logs as 'failed to read client auth response:
EOF' on every other connection during record, and 'replayer: session
RecordedIndex missing PostgresV3Session mock' during replay). Sharing one
connection drops the connect count from ~10 per /run/all to 1, which
keeps the v3 wire surface exercised — CopyData/CopyDone frames are still
sent on the wire; validation-ping SELECTs still collide on sqlAstHash —
without tripping that unrelated instability.

Signed-off-by: Aditya-eddy <aditya282003@gmail.com>

* fix(postgres-wire-features): force trust auth so raw v3 client can handshake

Postgres 16 defaults to scram-sha-256 (auth code 10) when a password is
set. This sample's pure-stdlib client only implements codes 0/trust,
3/cleartext, and 5/md5 — SASL is out of scope for a wire-protocol repro.
Pinning POSTGRES_HOST_AUTH_METHOD=trust keeps auth on code 0, which is
what the client actually speaks.

Observed in CI: dial was failing with 'unsupported postgres
authentication code 10' before any scenario query ran, so the recorded
test body was just the auth error — masking the real Postgres wire
surface the sample is meant to exercise.

Signed-off-by: Aditya-eddy <aditya282003@gmail.com>

* feat(postgres-wire-features): add multistatement + empty-query scenarios and assertions

Extend the sample with two new scenarios that exercise specific v3
recorder edges not covered by the existing suite:

- /case/multistatement sends BEGIN; SELECT 1 AS a; SELECT 2 AS b; COMMIT
  as a SINGLE simple-Query packet. A recorder that splits the batch with
  pg_query emits four invocations; a recorder that tracks per-packet
  emits one.
- /case/empty-query sends a Query packet with empty SQL body. The server
  answers with EmptyQueryResponse ('I') and ReadyForQuery only. A
  correct recorder suppresses this as a no-op; a naive recorder emits a
  ghost invocation with empty sqlNormalized and class=UNKNOWN.

Both scenarios are added to /run/all so the single-connection path
exercises them, and are also exposed as standalone /case endpoints so
their recorded testcases are isolated by connection boundary.

simpleQuery grows an 'I' (EmptyQueryResponse) case so the empty-query
path returns cleanly rather than erroring on the unhandled tag.

assertions.sh validates recorded mocks.yaml after a Keploy record run:

1. no invocation with class: UNKNOWN
2. no invocation with empty sqlNormalized (ghost event)
3. multistatement Q packet produced >=1 each of BEGIN, COMMIT,
   SELECT \$1 AS a, SELECT \$1 AS b invocations
4. at least some readable SQL is present (mocks aren't entirely base64)

Use ./assertions.sh keploy after keploy record to fail the pipeline if
the recorder regressed on any of those invariants.

Signed-off-by: slayerjain <shubhamkjain@outlook.com>

* fix(postgres-wire-features): bind Postgres to loopback and fail on HTTP errors

Address Copilot review on #229:

- docker-compose.yml: bind the container's 5433 port to 127.0.0.1 only
  instead of all interfaces. With POSTGRES_HOST_AUTH_METHOD=trust the DB
  accepts unauthenticated connections, so publishing on 0.0.0.0 left an
  open Postgres on whatever network the developer machine was attached
  to. Loopback-only keeps the sample usable for record/replay without
  that exposure.

- docker-compose.yml: remove POSTGRES_PASSWORD / PGPASSWORD. Under trust
  auth the server never requests a password; keeping those env vars
  suggested the auth path in use required one and could mask an
  accidental reliance on trust mode. Trust is intentional here (see the
  adjacent comment block) so the password vars are now dropped.

- test.sh: pass --fail-with-body to every curl invocation so an HTTP
  5xx from /health, /run/all, or the /case endpoints exits the script
  non-zero. Without this curl exits 0 on 500s and the traffic script
  silently produces a bad recording.

Signed-off-by: slayerjain <shubhamkjain@outlook.com>

* fix(postgres-wire-features): bound Postgres ops and explain unsupported auth codes

Address Copilot review on #229:

- Add a 30s per-operation deadline around startup() and simpleQuery().
  Before this, the raw net.Conn had no deadlines, so a stalled or
  half-open Postgres connection would wedge io.ReadFull inside
  readMessage and hang the HTTP handler (and leak goroutines) until the
  OS eventually gave up. setOpDeadline / clearOpDeadline arm the
  deadline on entry and clear it on exit, so the /run/all path (which
  shares one pgClient across scenarios) never inherits a stale
  deadline between operations.

- Replace the opaque "unsupported postgres authentication code %d"
  error with a message that spells out the codes this client actually
  speaks (0/trust, 3/cleartext, 5/md5) and points at
  POSTGRES_HOST_AUTH_METHOD as the quick local remediation when the
  server negotiates scram-sha-256 (code 10, the Postgres 16 default).
  The prior message sent users digging through protocol docs to
  discover what the numeric code meant.

Signed-off-by: slayerjain <shubhamkjain@outlook.com>

---------

Signed-off-by: Aditya-eddy <aditya282003@gmail.com>
Signed-off-by: slayerjain <shubhamkjain@outlook.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: slayerjain <shubhamkjain@outlook.com>

Author: 3 people

postgres-wire-features/.gitignore

@@ -0,0 +1,6 @@
+keploy/
+keploy.yml
+keploy-logs.txt
+server
+postgres-wire-features
+*.log

postgres-wire-features/Dockerfile

@@ -0,0 +1,13 @@
+FROM golang:1.24-alpine AS builder
+
+WORKDIR /app
+COPY go.mod ./
+RUN go mod download
+COPY . .
+RUN CGO_ENABLED=0 go build -o server .
+
+FROM alpine:3.19
+WORKDIR /app
+COPY --from=builder /app/server .
+EXPOSE 8080
+CMD ["./server"]

postgres-wire-features/README.md

@@ -0,0 +1,114 @@
+# postgres-wire-features
+
+A small Go HTTP service that exercises a broad set of PostgreSQL wire-protocol features in one place — designed as a Keploy sample for recording and replaying Postgres interactions that go beyond plain `SELECT` / `INSERT`.
+
+The service speaks the Postgres v3 frontend/backend protocol directly over a TCP socket (pure stdlib — no driver). That makes the recorded traffic a faithful representation of what Keploy sees on the wire, which matters for features like `COPY` whose payload is a stream of `CopyData` / `CopyDone` messages that driver libraries often abstract away.
+
+## What it covers
+
+A single call to `GET /run/all` walks through twelve scenarios in order:
+
+| Scenario | Statements |
+| --- | --- |
+| `setup` | `DROP TABLE`, `CREATE TABLE`, `INSERT`, `CREATE TABLE IF NOT EXISTS` |
+| `dml` | `INSERT … ON CONFLICT DO UPDATE`, `UPDATE`, `DELETE`, `MERGE` |
+| `catalog-cte` | `WITH … SELECT FROM pg_catalog.pg_class` |
+| `catalog-sub` | `SELECT … FROM (SELECT …) AS s` |
+| `catalog-setop` | `SELECT … UNION SELECT …` |
+| `copy` | `TRUNCATE`, `COPY … FROM STDIN`, `COPY … TO STDOUT` |
+| `prepare` | `PREPARE`, `EXECUTE`, `DEALLOCATE` |
+| `cursor` | `BEGIN`, `DECLARE CURSOR`, `FETCH`×2, `CLOSE`, `COMMIT` |
+| `admin` | `ANALYZE`, `REINDEX`, `LOCK TABLE`, `DO $$ … $$`, `CREATE PROCEDURE`, `CALL` |
+| `validation-ping` | `SELECT 'ok'`, `SELECT true`, `SELECT NULL`, `SELECT 1` |
+| `multistatement` | `BEGIN; SELECT 1 AS a; SELECT 2 AS b; COMMIT` sent as a **single** simple-Query packet (exercises multi-statement split) |
+| `empty-query` | simple-Query packet with empty SQL body (exercises `EmptyQueryResponse` / ghost-event suppression) |
+
+Each scenario is also reachable individually at `GET /case/<name>`. The response is JSON: per-statement `commands` (the Postgres command tag, e.g. `COPY 2`, `SELECT 1`), `rows`, and for `COPY TO STDOUT` a `copyData` array of the raw tab-separated rows.
+
+## Endpoints
+
+- `GET /health` → `200 ok`
+- `GET /run/all` → run every scenario in order, return the combined result
+- `GET /case/<name>` → run one scenario (see table above)
+
+## Prerequisites
+
+- Go `1.24+`
+- Docker and Docker Compose
+- Keploy CLI
+
+Install Keploy:
+
+```bash
+curl --silent -O -L https://keploy.io/install.sh
+source install.sh
+```
+
+## Setup
+
+```bash
+git clone https://github.com/keploy/samples-go.git
+cd samples-go/postgres-wire-features
+go mod download
+```
+
+## Run with Docker
+
+```bash
+docker compose up --build
+```
+
+The API will be available at `http://localhost:8080`.
+
+## Record Testcases with Keploy
+
+```bash
+keploy record -c "docker compose up" --container-name api --delay 10
+```
+
+In another terminal:
+
+```bash
+./test.sh
+```
+
+Keploy writes the recorded HTTP tests and Postgres mocks under `keploy/`.
+
+## Validate recorded mocks
+
+Run the assertions script after recording to verify v3 protocol invariants:
+
+```bash
+./assertions.sh keploy
+```
+
+It fails the pipeline if it sees any of:
+- an invocation with `class: UNKNOWN`
+- an invocation with an empty `sqlNormalized` (ghost event)
+- the `multistatement` batch collapsed into fewer than four invocations
+- all fields encoded as `!!binary` with no readable SQL in the mocks
+
+## Replay Recorded Tests
+
+```bash
+keploy test -c "docker compose up" --container-name api --delay 20
+```
+
+## Run Natively
+
+Start Postgres yourself (e.g. `docker run -p 5432:5432 -e POSTGRES_PASSWORD=postgres postgres:16-alpine`) and then:
+
+```bash
+PGHOST=127.0.0.1 PGPORT=5432 PGUSER=postgres PGPASSWORD=postgres PGDATABASE=postgres go run .
+```
+
+## Environment variables
+
+| Variable | Default | Purpose |
+| --- | --- | --- |
+| `ADDR` | `:8080` | Listen address for the HTTP server |
+| `PGHOST` | `127.0.0.1` | Postgres host |
+| `PGPORT` | `5432` | Postgres port |
+| `PGUSER` | `postgres` | Postgres user |
+| `PGPASSWORD` | _(empty)_ | Postgres password |
+| `PGDATABASE` | `postgres` | Postgres database |

postgres-wire-features/assertions.sh

@@ -0,0 +1,130 @@
+#!/usr/bin/env bash
+# Post-record assertions for the v3 Postgres recorder against the
+# postgres-wire-features sample. Exits non-zero on the first violation
+# so the Woodpecker step shows a clean pass/fail.
+#
+# These assertions codify invariants that the *fixed* v3 recorder must
+# hold. A broken v3 (for example origin/main today) produces mocks that
+# violate at least one of them: empty-query ghost invocations with
+# class=UNKNOWN, or a multi-statement Q packet collapsed into one
+# invocation, or bind values emitted as base64 when the raw bytes are
+# valid UTF-8 text.
+#
+# Usage: ./assertions.sh [mocks_dir]
+#   default mocks_dir: ./keploy
+
+set -euo pipefail
+
+MOCKS_DIR="${1:-./keploy}"
+
+if [[ ! -d "$MOCKS_DIR" ]]; then
+	echo "assertions: mocks directory not found at $MOCKS_DIR" >&2
+	exit 2
+fi
+
+# Collect every mocks.yaml beneath $MOCKS_DIR. Keploy writes one
+# mocks.yaml per test-set.
+mapfile -t MOCK_FILES < <(find "$MOCKS_DIR" -type f -name 'mocks.yaml' | sort)
+if [[ ${#MOCK_FILES[@]} -eq 0 ]]; then
+	echo "assertions: no mocks.yaml found under $MOCKS_DIR" >&2
+	exit 2
+fi
+
+echo "assertions: scanning ${#MOCK_FILES[@]} mocks.yaml file(s) under $MOCKS_DIR"
+
+fail() {
+	echo "FAIL: $1" >&2
+	exit 1
+}
+
+pass() {
+	echo "PASS: $1"
+}
+
+# ------------------------------------------------------------------
+# Invariant 1: no invocation is classified as UNKNOWN.
+# Origin/main emits class=UNKNOWN for ghost events and for statements
+# its classifier does not recognize.
+# ------------------------------------------------------------------
+unknown_count=0
+for f in "${MOCK_FILES[@]}"; do
+	c=$(grep -c -E '^\s*class:\s*UNKNOWN\s*$' "$f" || true)
+	unknown_count=$((unknown_count + c))
+done
+if [[ $unknown_count -ne 0 ]]; then
+	echo "--- first few UNKNOWN hits ---"
+	grep -n -E '^\s*class:\s*UNKNOWN\s*$' "${MOCK_FILES[@]}" | head -n 10 || true
+	fail "found $unknown_count invocation(s) with class: UNKNOWN"
+fi
+pass "no class: UNKNOWN invocations"
+
+# ------------------------------------------------------------------
+# Invariant 2: no ghost invocation with an empty sqlNormalized.
+# A correct recorder suppresses EmptyQueryResponse paths instead of
+# emitting an invocation shell with sqlNormalized: "".
+# ------------------------------------------------------------------
+empty_sql_count=0
+for f in "${MOCK_FILES[@]}"; do
+	# Match both   sqlNormalized: ""    and   sqlNormalized:
+	c=$(grep -c -E '^\s*sqlNormalized:\s*("")?\s*$' "$f" || true)
+	empty_sql_count=$((empty_sql_count + c))
+done
+if [[ $empty_sql_count -ne 0 ]]; then
+	echo "--- first few empty sqlNormalized hits ---"
+	grep -n -E '^\s*sqlNormalized:\s*("")?\s*$' "${MOCK_FILES[@]}" | head -n 10 || true
+	fail "found $empty_sql_count invocation(s) with empty sqlNormalized (ghost event)"
+fi
+pass "no empty sqlNormalized invocations"
+
+# ------------------------------------------------------------------
+# Invariant 3: the multistatement Q packet produced distinct
+# invocations for each of its four statements.
+#
+# The sample sends `BEGIN; SELECT 1 AS a; SELECT 2 AS b; COMMIT`
+# as a single simple-Query packet. A recorder that splits the batch
+# with pg_query emits four invocations with distinct sqlNormalized
+# fragments; a recorder that tracks per-packet emits one.
+# ------------------------------------------------------------------
+begin_count=0
+commit_count=0
+select_a_count=0
+select_b_count=0
+for f in "${MOCK_FILES[@]}"; do
+	begin_count=$((begin_count + $(grep -c -E '^\s*sqlNormalized:\s*["'"'"']?BEGIN["'"'"']?\s*$' "$f" || true)))
+	commit_count=$((commit_count + $(grep -c -E '^\s*sqlNormalized:\s*["'"'"']?COMMIT["'"'"']?\s*$' "$f" || true)))
+	select_a_count=$((select_a_count + $(grep -c -E 'sqlNormalized:.*SELECT\s+\$1\s+AS\s+a' "$f" || true)))
+	select_b_count=$((select_b_count + $(grep -c -E 'sqlNormalized:.*SELECT\s+\$1\s+AS\s+b' "$f" || true)))
+done
+if [[ $begin_count -lt 1 || $commit_count -lt 1 || $select_a_count -lt 1 || $select_b_count -lt 1 ]]; then
+	echo "  BEGIN=$begin_count COMMIT=$commit_count SELECT_a=$select_a_count SELECT_b=$select_b_count"
+	fail "multistatement Q packet was not split into 4 invocations (expected >=1 each of BEGIN, COMMIT, SELECT ... AS a, SELECT ... AS b)"
+fi
+pass "multistatement Q packet split into distinct invocations (BEGIN=$begin_count, COMMIT=$commit_count, SELECT a=$select_a_count, SELECT b=$select_b_count)"
+
+# ------------------------------------------------------------------
+# Invariant 4: text bind values are emitted as plain YAML strings
+# (not wrapped in a !!binary tag) when the raw bytes are UTF-8 safe.
+# The prepare/execute scenario's bind contains ASCII integers, and
+# the COPY IN scenario's payload is ASCII text — both should survive
+# as readable strings.
+# ------------------------------------------------------------------
+binary_tag_count=0
+for f in "${MOCK_FILES[@]}"; do
+	c=$(grep -c -E '!!binary' "$f" || true)
+	binary_tag_count=$((binary_tag_count + c))
+done
+echo "  info: !!binary tag occurrences across mocks = $binary_tag_count"
+# We don't fail on this count (truly-binary values like lsn/xid bytes
+# legitimately round-trip as !!binary); instead assert that a known-
+# textual bind ('seed-a' from COPY IN) appears as a plain string.
+if ! grep -R -l -E "seed-a" "$MOCKS_DIR" >/dev/null 2>&1; then
+	# seed-a might only appear post-COPY; tolerate its absence, but
+	# require that at least one readable SQL fragment is present so
+	# we know the file isn't entirely base64-encoded.
+	if ! grep -R -l -E 'sqlNormalized:.*SELECT' "$MOCKS_DIR" >/dev/null 2>&1; then
+		fail "no readable sqlNormalized values found — every field may be base64 encoded"
+	fi
+fi
+pass "readable text fields are present in mocks (not exclusively base64)"
+
+echo "assertions: all invariants satisfied"

postgres-wire-features/docker-compose.yml

@@ -0,0 +1,42 @@
+services:
+  db:
+    image: postgres:16-alpine
+    environment:
+      POSTGRES_USER: postgres
+      POSTGRES_DB: postgres
+      # Force trust auth (code 0). Postgres 16 defaults to scram-sha-256
+      # (code 10), which this sample's raw-v3 client does not speak — we
+      # only implement code 0 / 3 / 5. This keeps auth on a path the
+      # sample can actually complete so the downstream Postgres wire
+      # surface (CopyData, cursors, PREPARE/EXECUTE, etc.) is what the
+      # record/replay cycle is actually exercising. With trust auth the
+      # server never requests a password, so POSTGRES_PASSWORD/PGPASSWORD
+      # are intentionally omitted to avoid implying otherwise.
+      POSTGRES_HOST_AUTH_METHOD: trust
+    ports:
+      # Bind to loopback only so the trust-auth Postgres isn't reachable
+      # from other hosts on the developer's network.
+      - "127.0.0.1:5433:5432"
+    volumes:
+      - pgdata:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U postgres"]
+      interval: 2s
+      timeout: 5s
+      retries: 5
+
+  api:
+    build: .
+    ports:
+      - "8080:8080"
+    environment:
+      PGHOST: db
+      PGPORT: "5432"
+      PGUSER: postgres
+      PGDATABASE: postgres
+    depends_on:
+      db:
+        condition: service_healthy
+
+volumes:
+  pgdata:

postgres-wire-features/go.mod

@@ -0,0 +1,3 @@
+module postgres-wire-features
+
+go 1.24