fix(turso): replace client.transaction() with UPDATE...RETURNING to prevent connection leak in queue poller

CalmProton · CalmProton · commit a3b0c3dfdf98 · 2026-04-20T22:59:23.000+03:00
@libsql/client's transaction() method sets this.#db = null after BEGIN so that concurrent execute() calls use a separate connection. After commit/rollback, the detached Database object is abandoned to GC. At the default 100ms poll interval this orphans ~10 native SQLite connections per second — more than GC can reclaim — exhausting OS file-handle or native-heap limits and crashing the host process (exit code 5) after 5-10 minutes of idle operation. Replacing the three-step SELECT + UPDATE + COMMIT with a single atomic UPDATE...RETURNING via client.execute() preserves atomicity through SQLite's implicit per-statement transaction while reusing the single cached connection (execute() calls #getDb() without nulling #db). Fixes: https://github.com/mizzle-dev/workflow-worlds/issues/TBD
diff --git a/packages/turso/src/queue.ts b/packages/turso/src/queue.ts
@@ -237,7 +237,25 @@ export function createQueue(config: QueueConfig): {
 
   /**
    * Poll for and process pending messages.
-   * Uses a write transaction to atomically claim messages and prevent race conditions.
+   *
+   * Uses a single atomic `UPDATE ... RETURNING` to claim a message instead of
+   * the previous `client.transaction('write')` pattern.
+   *
+   * Why: `@libsql/client`'s `transaction()` method intentionally sets
+   * `this.#db = null` after calling BEGIN so that concurrent `execute()` calls
+   * on the same client use a separate connection while the transaction is open.
+   * The consequence is that the `Database` object passed to `Sqlite3Transaction`
+   * is decoupled from the client and only reclaimed by GC once the transaction
+   * variable goes out of scope.  At the default 100 ms poll interval this
+   * produces ~10 orphaned native SQLite connections per second.  The connections
+   * accumulate faster than GC can reclaim them, exhausting OS file-handle or
+   * native-heap limits and causing the host process to crash (typically exit
+   * code 5) after 5–10 minutes of idle operation.
+   *
+   * `client.execute()` reuses the single cached connection via `#getDb()`
+   * without detaching it, so no connection is orphaned.  The atomicity that
+   * the write transaction previously provided is preserved by SQLite's implicit
+   * per-statement transaction around the `UPDATE ... RETURNING`.
    */
   async function pollAndProcess(): Promise<void> {
     if (!isRunning || isShuttingDown) {
@@ -247,47 +265,30 @@ export function createQueue(config: QueueConfig): {
     try {
       const now = new Date().toISOString();
 
-      // Use a write transaction to atomically select and claim a message
-      // This prevents race conditions where multiple pollers claim the same message
-      const tx = await client.transaction('write');
-      let messageId: MessageId | null = null;
-      let queueName: ValidQueueName | null = null;
-      let payload: string | null = null;
-      let attempt = 1;
-
-      try {
-        // Find a pending message that's ready to process
-        const result = await tx.execute({
-          sql: `SELECT message_id, queue_name, payload, attempt
-                FROM queue_messages
+      // Atomically claim the oldest pending message that is ready to run.
+      // The subquery SELECT + outer UPDATE execute as a single implicit
+      // transaction in SQLite, so no two pollers can claim the same message.
+      const result = await client.execute({
+        sql: `UPDATE queue_messages
+              SET status = 'processing'
+              WHERE message_id = (
+                SELECT message_id FROM queue_messages
                 WHERE status = 'pending' AND (not_before IS NULL OR not_before <= ?)
                 ORDER BY created_at ASC
-                LIMIT 1`,
-          args: [now],
-        });
-
-        if (result.rows.length > 0) {
-          const row = result.rows[0];
-          messageId = row.message_id as MessageId;
-          queueName = row.queue_name as ValidQueueName;
-          payload = row.payload as string;
-          attempt = (row.attempt as number) || 1;
-
-          // Mark as processing within the same transaction
-          await tx.execute({
-            sql: `UPDATE queue_messages SET status = 'processing' WHERE message_id = ?`,
-            args: [messageId],
-          });
-        }
+                LIMIT 1
+              )
+              RETURNING message_id, queue_name, payload, attempt`,
+        args: [now],
+      });
 
-        await tx.commit();
-      } catch (err) {
-        await tx.rollback();
-        throw err;
-      }
+      // Process outside the implicit transaction (it already committed above).
+      if (result.rows.length > 0) {
+        const row = result.rows[0];
+        const messageId = row.message_id as MessageId;
+        const queueName = row.queue_name as ValidQueueName;
+        const payload = row.payload as string;
+        const attempt = (row.attempt as number) || 1;
 
-      // Process outside the transaction to avoid holding the lock
-      if (messageId && queueName && payload) {
         await acquireConcurrency();
         processMessage(messageId, queueName, payload, attempt)
           .catch((err) => {
