Merge pull request #5 from nnemirovsky/feat/db-watcher

nnemirovsky · web-flow · commit 82fd12a1e488 · 2026-04-07T21:40:10.000+08:00
feat(core): auto-reload policy on database changes via SQLite data_version
diff --git a/cmd/sluice/main.go b/cmd/sluice/main.go
@@ -552,71 +552,71 @@ func main() {
 	sigCh := make(chan os.Signal, 1)
 	signal.Notify(sigCh, syscall.SIGINT, syscall.SIGTERM)
 
-	sighupCh := make(chan os.Signal, 1)
-	signal.Notify(sighupCh, syscall.SIGHUP)
+	// reloadAll reloads policy, bindings, and OAuth index from the database.
+	// Called by both SIGHUP handler and the SQLite data_version watcher.
+	reloadAll := func() {
+		srv.ReloadMu().Lock()
+		defer srv.ReloadMu().Unlock()
+
+		newEng, loadErr := policy.LoadFromStore(db)
+		if loadErr != nil {
+			log.Printf("reload policy failed: %v", loadErr)
+			return
+		}
 
-	go func() {
-		for range sighupCh {
-			srv.ReloadMu().Lock()
-
-			newEng, loadErr := policy.LoadFromStore(db)
-			if loadErr != nil {
-				log.Printf("reload policy failed: %v", loadErr)
-				drainSignals(sighupCh)
-				srv.ReloadMu().Unlock()
-				continue
-			}
+		if valErr := newEng.Validate(); valErr != nil {
+			log.Printf("reload policy validation failed: %v", valErr)
+			return
+		}
 
-			// Validate the new engine before swapping to catch
-			// corrupted or incomplete compilation results.
-			if valErr := newEng.Validate(); valErr != nil {
-				log.Printf("reload policy validation failed: %v", valErr)
-				drainSignals(sighupCh)
-				srv.ReloadMu().Unlock()
-				continue
+		log.Printf("reloaded policy: %d allow, %d deny, %d ask rules (default: %s)",
+			len(newEng.AllowRules), len(newEng.DenyRules), len(newEng.AskRules), newEng.Default)
+		srv.StoreEngine(newEng)
+		srv.UpdateInspectRules(newEng)
+
+		newBindings, bindErr := readBindings(db)
+		if bindErr != nil {
+			log.Printf("reload bindings failed: %v", bindErr)
+		} else if len(newBindings) > 0 {
+			newResolver, resolveErr := vault.NewBindingResolver(newBindings)
+			if resolveErr != nil {
+				log.Printf("rebuild binding resolver failed: %v", resolveErr)
+			} else {
+				srv.StoreResolver(newResolver)
+				log.Printf("reloaded bindings: %d", len(newBindings))
 			}
+		} else if len(newBindings) == 0 {
+			srv.StoreResolver(nil)
+		}
 
-			log.Printf("reloaded policy: %d allow, %d deny, %d ask rules (default: %s)",
-				len(newEng.AllowRules), len(newEng.DenyRules), len(newEng.AskRules), newEng.Default)
-			srv.StoreEngine(newEng)
-			srv.UpdateInspectRules(newEng)
-
-			// Rebuild binding resolver so credential injection picks up
-			// bindings added via CLI or Telegram since last reload.
-			newBindings, bindErr := readBindings(db)
-			if bindErr != nil {
-				log.Printf("reload bindings failed: %v", bindErr)
-			} else if len(newBindings) > 0 {
-				newResolver, resolveErr := vault.NewBindingResolver(newBindings)
-				if resolveErr != nil {
-					log.Printf("rebuild binding resolver failed: %v", resolveErr)
-				} else {
-					srv.StoreResolver(newResolver)
-					log.Printf("reloaded bindings: %d", len(newBindings))
-				}
-			} else if len(newBindings) == 0 {
-				srv.StoreResolver(nil)
-			}
+		if metas, metaErr := db.ListCredentialMeta(); metaErr == nil {
+			srv.UpdateOAuthIndex(metas)
+		} else {
+			log.Printf("reload oauth index failed: %v", metaErr)
+		}
 
-			// Rebuild OAuth token URL index so response interception picks
-			// up credentials added via CLI or Telegram since last reload.
-			if metas, metaErr := db.ListCredentialMeta(); metaErr == nil {
-				srv.UpdateOAuthIndex(metas)
-			} else {
-				log.Printf("reload oauth index failed: %v", metaErr)
-			}
+		if broker == nil && (len(newEng.AskRules) > 0 || newEng.Default == policy.Ask) {
+			log.Printf("WARNING: policy has ask rules but no approval broker is running; ask verdicts will auto-deny")
+		}
 
-			// Warn if the reloaded policy has ask rules but no approval
-			// broker is running.
-			if broker == nil && (len(newEng.AskRules) > 0 || newEng.Default == policy.Ask) {
-				log.Printf("WARNING: policy has ask rules but no approval broker is running; ask verdicts will auto-deny")
-			}
+	}
+
+	sighupCh := make(chan os.Signal, 1)
+	signal.Notify(sighupCh, syscall.SIGHUP)
 
+	go func() {
+		for range sighupCh {
+			reloadAll()
 			drainSignals(sighupCh)
-			srv.ReloadMu().Unlock()
 		}
 	}()
 
+	// Watch for database changes from external connections (CLI commands).
+	// Triggers the same reload as SIGHUP without requiring manual signals.
+	dbWatcher := store.NewWatcher(db.DB(), reloadAll)
+	dbWatcher.Start()
+	defer dbWatcher.Stop()
+
 	errCh := make(chan error, 1)
 	go func() {
 		errCh <- srv.ListenAndServe()
diff --git a/internal/store/store.go b/internal/store/store.go
@@ -20,6 +20,11 @@ type Store struct {
 	db *sql.DB
 }
 
+// DB returns the underlying *sql.DB for use by the data_version watcher.
+func (s *Store) DB() *sql.DB {
+	return s.db
+}
+
 // New opens or creates a SQLite database at the given path and runs
 // schema migrations. Use ":memory:" for an in-memory database (tests).
 func New(path string) (*Store, error) {
diff --git a/internal/store/watcher.go b/internal/store/watcher.go
@@ -0,0 +1,79 @@
+package store
+
+import (
+	"context"
+	"database/sql"
+	"log"
+	"time"
+)
+
+// Watcher polls SQLite's PRAGMA data_version to detect changes from external
+// connections (e.g. CLI commands). When a change is detected, the onChange
+// callback is invoked. This enables hot-reload without signals or IPC.
+type Watcher struct {
+	db       *sql.DB
+	interval time.Duration
+	onChange func()
+	cancel   context.CancelFunc
+}
+
+const defaultWatchInterval = 2 * time.Second
+
+// NewWatcher creates a watcher that polls the database for changes.
+// The onChange callback is called when the data_version changes, indicating
+// another connection (CLI, API, Telegram) modified the database.
+func NewWatcher(db *sql.DB, onChange func(), interval ...time.Duration) *Watcher {
+	iv := defaultWatchInterval
+	if len(interval) > 0 && interval[0] > 0 {
+		iv = interval[0]
+	}
+	return &Watcher{
+		db:       db,
+		interval: iv,
+		onChange: onChange,
+	}
+}
+
+// Start begins polling in a goroutine. Call Stop to terminate.
+func (w *Watcher) Start() {
+	ctx, cancel := context.WithCancel(context.Background())
+	w.cancel = cancel
+	go w.poll(ctx)
+}
+
+// Stop terminates the polling goroutine.
+func (w *Watcher) Stop() {
+	if w.cancel != nil {
+		w.cancel()
+	}
+}
+
+func (w *Watcher) poll(ctx context.Context) {
+	var lastVersion int64
+	// Read initial version.
+	if err := w.db.QueryRow("PRAGMA data_version").Scan(&lastVersion); err != nil {
+		log.Printf("db watcher: initial data_version read failed: %v", err)
+		return
+	}
+
+	ticker := time.NewTicker(w.interval)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case <-ticker.C:
+			var version int64
+			if err := w.db.QueryRow("PRAGMA data_version").Scan(&version); err != nil {
+				log.Printf("db watcher: data_version read failed: %v", err)
+				continue
+			}
+			if version != lastVersion {
+				lastVersion = version
+				log.Printf("db watcher: change detected (version %d), triggering reload", version)
+				w.onChange()
+			}
+		}
+	}
+}
