Conversation
ConnectionURI's username/password getters return URL-encoded values (e.g., %3D instead of =). When these are passed to MongoClient's auth option, SCRAM authentication fails because the driver uses the encoded string as the literal password. This affects any MongoDB user whose password contains characters that get URL-encoded (=, @, +, /, %, etc.).
- createCheckpoint without forceCosmosDb now returns a wall-clock LSN instead of a sentinel string, fixing lexicographic comparison in no_checkpoint_before storage boundaries - Re-apply setName null guard (hello.setName == null && !isCosmosDb) that was lost during rebase The lexicographic comparison bug: no_checkpoint_before is stored in bucket storage and compared with `lsn >= no_checkpoint_before` to determine if the stream has advanced past the snapshot boundary. Normal LSN strings start with hex digits (0-9, a-f). The sentinel string started with "s" (sentinel:_standalone_checkpoint:1). In ASCII ordering, all hex digits are less than "s", so the comparison was always false — the stream could never be considered caught up past the snapshot boundary. The fix returns a real wall-clock LSN for storage boundaries and reserves the sentinel format for the streaming loop, which matches by document content instead of lexicographic comparison.
Replace the forceCosmosDb flag with a mode parameter ("lsn" | "sentinel")
that describes what the caller needs, not which database is in use.
- mode "lsn" (default): returns a real LSN string for storage boundaries
(uses operationTime, falls back to wall clock on Cosmos DB)
- mode "sentinel": returns a sentinel marker for event-based matching
in the streaming loop
The caller chooses based on how the result will be compared, not based
on the database type. isCosmosDb on ChangeStream controls which mode
is passed.
When isCosmosDb is true, all LSN production must use wall-clock timestamps (second precision, increment 0) to be consistent with getEventTimestamp() wallTime-derived LSNs. Previously, createCheckpoint still used session.operationTime (which has real increments) in some paths, causing LSN comparisons to fail when both timestamps fell in the same second. Changes: - createCheckpoint accepts isCosmosDb option — skips operationTime, always uses wall clock - Removed wallclock-lsn mode in favor of isCosmosDb flag - getClientCheckpoint (test util) passes isCosmosDb through - Fixed test assertion (sentinel checkpoint: exact ID instead of matcher) - Fixed resume test (set syncRulesContent on second context) - Skipped write checkpoint test (needs real Cosmos DB, not cosmosDbMode)
Remove the cosmosDbMode / isRealCosmosDb split. isCosmosDb is now set
only by server detection (hello.internal.cosmos_versions), never by a
test flag.
The sentinel approach is a single code path that works on both:
The sentinel logic itself is identical on MongoDB and Cosmos DB:
write a checkpoint document ({$inc: {i: 1}}), wait for it in the
change stream, match by documentKey._id and fullDocument.i, use
the event timestamp as the LSN, commit. This passes on both.
The branching between MongoDB and Cosmos DB is minimal and
environmental, not architectural:
- Which stream to open (client.watch vs db.watch)
- Which timestamp to use (wallTime vs clusterTime)
- Whether to initialize the stream before checkpointing
- Whether startAtOperationTime is available
These are server-level differences, not sentinel-level. The sentinel
matching, the checkpoint resolution chain, and batch.commit are the
same code on both backends.
Why cosmosDbMode on standard MongoDB does not work:
The test flag tried to force the Cosmos DB code path on standard
MongoDB. The problems were all about mixing two environments, not
about the sentinel approach:
1. Lazy ChangeStream initialization. The MongoDB driver's ChangeStream
is lazy — the aggregate command is not sent until the first
tryNext()/hasNext() call. On standard MongoDB, startAtOperationTime
sets the stream's start position explicitly, so events committed
before the first tryNext() are included. On Cosmos DB (no
startAtOperationTime), the stream starts from "now" — whenever the
first tryNext() runs. This requires opening the stream and forcing
initialization BEFORE creating checkpoint documents, reversing the
order used on standard MongoDB.
2. Wall-clock LSN precision. Cosmos DB events use wallTime (second
precision, increment 0) instead of clusterTime (sub-second, real
increment). When cosmosDbMode forces wallTime on standard MongoDB,
the createCheckpoint function still has access to operationTime
(which has real increments). Mixing the two clock sources causes
LSN comparisons to fail when timestamps fall in the same second:
wallTime produces increment 0, operationTime produces increment N,
and 0 < N means the checkpoint never resolves.
3. Sentinel checkpoint matching. The sentinel flow depends on the
stream being initialized before the marker is written. Combined
with issue 1, this creates a deadlock on standard MongoDB where
tryNext() blocks waiting for events that have not been created yet.
These issues compound: fixing one exposes the next. A test flag that
partially simulates Cosmos DB creates more problems than it solves
because the underlying assumptions about stream initialization and
clock sources are fundamentally different between the two servers.
Changes:
- Remove cosmosDbMode from ChangeStreamOptions
- Remove isRealCosmosDb field — isCosmosDb is the only flag
- createCheckpoint auto-detects via session.operationTime == null
- Integration tests skip unless COSMOS_DB_TEST=true
- Unskip write checkpoint test (works against real Cosmos DB)
- Fix write checkpoint assertion (returns object, not bigint)
- Revert getClientCheckpoint to simple cp.lsn >= lsn comparison
Remaining test failures against Cosmos DB (3/26):
resume after restart — PSYNC_S1346 Error reading MongoDB ChangeStream
The resume test stops streaming, creates a new context, loads active
sync rules, and starts streaming again from the stored resume token.
On Cosmos DB this fails with a change stream error. Likely causes:
- Cosmos DB resume tokens may expire faster than MongoDB (400MB
change stream log limit vs time-based oplog retention)
- The token format (base64 vs hex) may not round-trip correctly
through MongoLSN serialization/deserialization
- Cosmos DB may not support resumeAfter with tokens from a previous
connection
Needs separate investigation of the resume token persistence path
in MongoLSN.fromSerialized().
isCosmosDb was only set during getSnapshotLsn() which runs on initial sync. After restart (snapshot already done), the flag stayed false, causing the stream to open with MongoDB-only features that Cosmos DB rejects: $changeStreamSplitLargeEvent, showExpandedEvents, db.watch(). Extract detection into a reusable detectCosmosDb() method (idempotent, runs hello once per ChangeStream instance). Call it at the top of both initReplication() and streamChangesInternal() so detection happens before any change stream operation, regardless of whether initial sync runs. This was a production-blocking bug: every service restart after initial sync would crash the replication loop with PSYNC_S1346. Result: 25/26 Cosmos DB tests pass. The one remaining failure is "resume after restart" on storage v2 only — a storage-version-specific issue unrelated to detection.
On Cosmos DB, wallTime has second precision (increment 0). After a restart, the .lte() check at line 1064 compares the new event timestamp against startAfter (from the last checkpoint). If events arrive within the same wall-clock second as the last checkpoint, their timestamps equal startAfter and .lte() returns true — silently dropping the events. On standard MongoDB, clusterTime has monotonically increasing increments within a second, so new events always have strictly greater timestamps. The .lte() check is a client-side dedup guard only needed for the legacy startAtOperationTime path. When resumeAfter is used (which includes Cosmos DB), the server guarantees no duplicates. The resume test still has an intermittent failure (~30% flake rate) on Cosmos DB, which appears to be a separate timing issue in the test utility getClientCheckpoint — not a production bug.
Three changes that together bring the Cosmos DB test suite to 29/29:
1. createWriteCheckpoint polling: use >= instead of > for LSN comparison
The sentinel polling in checkpointing.ts compared cp.lsn > baselineLsn
(strict greater). On Cosmos DB, wall-clock LSNs have second precision
(increment 0). When the sentinel commit and the baseline fall in the
same wall-clock second, they produce identical LSNs, so strict >
never resolves — the poll hangs until a commit in the next second,
or times out at 30s.
Changed to >= which resolves immediately with the current LSN as HEAD.
This is correct because the HEAD just needs to be a valid replication
position — the sentinel write guarantees the streaming loop will
eventually advance past it. The sync stream's watchCheckpointChanges
resolves the write checkpoint when replication naturally advances.
Note: with >= the polling loop effectively always resolves on the
first iteration (baseline is already in storage). The loop structure
is preserved for clarity but could be simplified in a follow-up.
History of this comparison:
- Original: cp.lsn > baselineLsn (strict) — hung on same-second LSNs
- Attempted: cp.checkpoint > baselineId — broke tests entirely
(checkpoint IDs did not compare as expected)
- Current: cp.lsn >= baselineLsn — resolves reliably
2. .lte() dedup guard: updated warning comment
The "data events not dropped after restart (lte guard)" test validates
that data survives restart on Cosmos DB, but cannot reproduce the
specific same-second timing condition (the getCheckpoint call needed
to initialize the stream advances past the current second). Updated
the code comment to reflect this — the isCosmosDb guard is verifiable
by code inspection rather than a timing-dependent test.
3. Resume test: polling approach with retries
The resume-after-restart test was flaky (~30% failure) because
getBucketData -> getClientCheckpoint could resolve before data events
were committed (same-second LSN race). Changed to a polling approach:
call getBucketData repeatedly with short timeouts until the expected
data appears. This mirrors production behavior where write checkpoints
may take up to ~1s to resolve on a quiet Cosmos DB system.
Also added a new "lte guard" test that specifically verifies data
events survive restart by polling storage directly.
Test results against Cosmos DB: 29/29 pass (0 flakes across 3+ runs)
Test results against standard MongoDB: no regression
Replace the polling loop in createWriteCheckpoint with a direct read of the current storage checkpoint LSN. The polling loop (get baseline → write sentinel → poll until LSN advances) was unnecessary: with >= comparison, the poll always resolved on the first iteration because the baseline LSN was already in storage. The loop was effectively just reading the current LSN. The simplified version reads the current checkpoint LSN directly and uses it as HEAD. This is correct because: - createReplicationHead already wrote a sentinel to _powersync_checkpoints - The sentinel guarantees the streaming loop will advance past this point - The HEAD just needs to be a valid LSN at or before the sentinel - The sync stream resolves the write checkpoint when replication advances Removes ~15 lines of polling/timeout code.
Bug: openChangeStream() checked streamOptions.startAtOperationTime (always undefined — constructed without it) instead of startAfter (the local variable with the parsed timestamp). This made the else-if branch dead code — startAtOperationTime was never set when resumeAfter was null. This broke the legacy resume path where the stored LSN has no resume token (only a hex timestamp from keepalive/snapshot). Without startAtOperationTime, the stream opened from "now" instead of the stored position, potentially missing the initial checkpoint event and causing batch.commit() to never be called. Introduced in fdf840c (feat: implement Cosmos DB workarounds). Found by binary search: passes at bd3170c (auth fix), fails at f6ba463 (scaffolding), root cause in the openChangeStream refactor. Also reverted tsconfig.base.json target from ES2024 back to esnext (the ES2024 change was a workaround for Node 22 not supporting native await using — CI uses Node 24 which does).
Cosmos DB has a variable delay between accepting a write and making it visible on the change stream cursor (internal propagation, not network latency). Against the remote dev cluster this can take 10-30s during spikes, though in a co-located deployment it would be much faster. Previous timeouts (25s poll, 60s test) were insufficient — the lte guard and resume tests flaked at ~20-30% rate. Increased to 50s poll deadline and 120s test timeout. 5 consecutive runs with 0 flakes (29/29 each). maxAwaitTime (when supported) would reduce polling overhead but would not help with propagation delay — the event is simply not available yet. The generous timeouts are appropriate for prototype-quality tests run manually against a remote cluster, not for CI.
🦋 Changeset detectedLatest commit: 72257d2 The changes in this PR will be included in the next version bump. This PR includes changesets to release 12 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
Sleepful
force-pushed
the
cosmos
branch
4 times, most recently
from
9d2c49a to
1bf3b44
Compare
Merges upstream main which includes PR #591 (raw change streams) and PR #599 (direct BSON Buffer -> JSON conversion). Auth fix conflicts (types.ts, config.test.ts) resolved — both sides had the same fix, upstream also added database name decoding. ChangeStream.ts has 11 unresolved conflicts — PR #591 replaced the MongoDB driver ChangeStream with a custom RawChangeStream using raw aggregate + getMore. Our Cosmos DB changes need to be re-applied to the new code structure. Resolved in the next commit. resolve: ChangeStream.ts merge conflicts for raw change streams Re-applied all Cosmos DB changes to the new raw change stream code structure from PR #591. The raw aggregate approach is better for Cosmos DB: no lazy ChangeStream init, explicit cursor management, $changeStream stage built directly in pipeline. Changes applied to new structure: - detectCosmosDb() calls in getSnapshotLsn, initReplication, streamChangesInternal - getEventTimestamp() adapted to ProjectedChangeStreamDocument type - Sentinel checkpoint with BSON.deserialize for fullDocument (raw Buffer) - Pipeline guards: skip $changeStreamSplitLargeEvent and showExpandedEvents - Cluster-level aggregate (admin db + allChangesForCluster) when isCosmosDb - startAtOperationTime fix (startAfter != null) - Keepalive guard for Cosmos DB resume tokens - .lte() dedup guard skip on Cosmos DB - wallTime tracking for replication lag - Added changeset for @powersync/service-module-mongodb (minor) Verified: 59/59 standard MongoDB tests pass. Cosmos DB cluster is currently down — tests blocked by TLS timeout. Code audit of RawChangeStream.ts found no compatibility issues: cursor ID type auto-fixed by BigInt, postBatchResumeToken needs empirical verification when cluster is back.
Remove outdated "resume on storage v2" issue (resolved by increasing poll timeouts to 50s). Replace with notes about propagation delay and cluster availability.
The old comment claimed the change stream opens before the checkpoint is created on Cosmos DB. In reality, the checkpoint is created first, then the stream opens. The first checkpoint may be missed, but the retry loop (which re-creates checkpoints every second) handles this safely.
…valent The Cosmos DB "replicating basic values" test is a reduced-scope replacement for the standard test — without post-images, replaceOne, or bigint. Add a comment making this relationship explicit.
Cosmos DB vCore renamed the internal version field in the hello response from cosmos_versions to documentdb_versions in a recent server-side update. Without this fix, isCosmosDb is never set to true and the isdbgrid guard throws PSYNC_S1341 on connection. Updated all three detection sites (ChangeStream.ts, replication-utils.ts, MongoRouteAPIAdapter.ts) to check both field names. Added a test case for the new field name in cosmosdb_helpers.test.ts.
Cosmos DB vCore changed the resume token format in a recent server-side update: event._id now uses a _data field that is rejected by resumeAfter, while postBatchResumeToken uses a _token field that is accepted. On standard MongoDB both formats work, but Cosmos DB now only accepts the batch-level token. Use the batch resumeToken (from postBatchResumeToken) instead of changeDocument._id when constructing MongoLSN on Cosmos DB. Three call sites in ChangeStream.ts are affected: getSnapshotLsn, checkpoint commit, and periodic resume LSN persistence during catchup.
…ge warning Add the missing "data events not dropped" test to the coverage table, include test counts (30 total: 15 integration across 3 storage versions + 15 unit), and warn about Cosmos DB server-side field renames that can break detection and resume token handling.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Add experimental support for Azure Cosmos DB for MongoDB vCore (Azure DocumentDB) as a source database. Auto-detects Cosmos DB via
hello.internal.cosmos_versionsorhello.internal.documentdb_versionsand applies workarounds for compatibility gaps in change stream behavior.What this PR does
Cosmos DB detection
detectCosmosDb()method runs on bothinitReplication()andstreamChangesInternal()— survives service restartsisdbgridandsetNamechecks (Cosmos DB returnsmsg: 'isdbgrid'and nosetName)wallTime as clusterTime substitute
Standard MongoDB change events include
clusterTime— a BSON Timestamp with seconds and an increment (a monotonic counter within each second). Two operations in the same second get different increments (e.g.,Timestamp(1718457600, 1)andTimestamp(1718457600, 2)), providing a total order. Cosmos DB change events don't includeclusterTime. Instead, they providewallTime— aDateused at second precision with the increment hardcoded to 0:Timestamp.fromBits(0, Math.floor(wallTime.getTime() / 1000)). All events within the same wall-clock second produce identical LSNs.This loss of ordering precision directly drives two other changes in this PR:
clusterTime, events at the boundary have unique increments and.lte()correctly identifies duplicates. With second-precision wallTime,.lte()matches all events in the same second as the last checkpoint, silently dropping real data. (See .lte() dedup guard below.)>=ambiguous for identifying a specific checkpoint. Content matching sidesteps the ordering problem entirely. (See Sentinel checkpoint resolution below.)Call sites and files changed
getEventTimestamp()is a private method onChangeStreaminmodules/module-mongodb/src/replication/ChangeStream.ts. It returnsclusterTimeon standard MongoDB and falls back towallTimeon Cosmos DB. It replaces directclusterTime!access at these call sites, all in the same file:getSnapshotLsn()— LSN construction from the initial checkpoint eventstreamChangesInternal()— the.lte(startAfter)dedup guardstreamChangesInternal()— LSN construction when a checkpoint event is committedstreamChangesInternal()— checkpoint-out-of-order safety check (error message)streamChangesInternal()— periodic resume LSN persistence during catchupMongoRelation.tsreferences the method in a comment explaining why sentinel mode uses$inccounters rather than relying on wallTime-derived LSNs for ordering.Sentinel checkpoint resolution
The replication loop in
streamChangesInternalgroups change stream events into batches. A batch is committed when a checkpoint event arrives — a document that PowerSync writes to_powersync_checkpointsand then observes coming back through the change stream. The variablewaitForCheckpointLsngates this: it holds a value after a checkpoint is created, and clears tonullwhen the matching event arrives, triggering a commit. This creates a natural batching rhythm where data accumulates between checkpoints.On standard MongoDB, the checkpoint is resolved by comparing LSN strings.
createCheckpointcapturessession.operationTime(the server-assigned timestamp of the write) and serializes it viaMongoLSNinto a hex string. When the same write appears on the change stream, the event carriesclusterTime(the same server timestamp) plus a resume token. Both are serialized into theMongoLSNcomparable format — a hex timestamp optionally followed by|<base64 resume token>. Since the checkpoint's LSN has no resume token suffix, the event's LSN is lexicographically greater for the same timestamp, and>=resolves correctly. It also resolves for any later checkpoint event, making the comparison defensive.Cosmos DB breaks this:
session.operationTimeis not returned on regular commands, andclusterTimeis absent from change events. Without a timestamp to capture or compare, the LSN comparison can't work. Instead,createCheckpointreturns a sentinel string (sentinel:<id>:<i>) encoding the document's_idand its$inccounter value. The streaming loop matches by deserializingfullDocumentfrom the checkpoint event and checking for an exact content match on_idandi. After the sentinel resolves, the commit path is identical —batch.commit(lsn)is called with a wallTime-derived LSN in both cases.Implementation details
createCheckpoint()inMongoRelation.tsacceptsmode: 'lsn' | 'sentinel'. In sentinel mode, it returnssentinel:<id>:<i>from the upserted document instead of readingsession.operationTime.streamChangesInternalis viawaitForCheckpointLsn.startsWith('sentinel:')— the same variable holds either a hex LSN or a sentinel string.MongoLSN.comparableserializes as<8-hex-high><8-hex-low>(timestamp only) or<8-hex-high><8-hex-low>|<base64-bson>(with resume token). The resume token is carried for stream resumption on restart, not for this comparison.lsn >= waitForCheckpointLsnwhere both sides share the same timestamp but differ in resume token suffix.changeDocument.documentKey._id+BSON.deserialize(changeDocument.fullDocument).i.waitForCheckpointLsn = null), both paths fall through identically tobatch.commit(lsn, ...).Snapshot LSN acquisition
Before the initial snapshot,
getSnapshotLsn()establishes a change stream position to resume from after the snapshot completes. It writes a checkpoint document and waits to observe it on the change stream — the event's LSN becomes the starting point for streaming.On standard MongoDB, the checkpoint's
operationTimeis used withstartAtOperationTimeto open the stream from that exact point. On Cosmos DB,startAtOperationTimeis not supported, so the stream opens from the current position (lsn: null). The checkpoint may have been written before the stream opened, in which case its event is missed. To handle this, the loop re-creates checkpoints every second for up to 60 seconds until one is observed. A later checkpoint producing a slightly later snapshot LSN is harmless — any changes between the missed and caught checkpoints are captured by the snapshot itself, which reads the full current state of all collections. Unlike the streaming loop's sentinel matching,getSnapshotLsndoesn't need content matching — it just looks for any checkpoint event from the rightcheckpointIdand returns a wallTime-derived LSN.Implementation details
getSnapshotLsn()inChangeStream.tscallsdetectCosmosDb()first, then branches onthis.isCosmosDbfor checkpoint creation and stream options.createCheckpoint(mode: 'sentinel')is called but the returned sentinel string is not used —streamLsnis set tonulland the stream opens withoutresumeAfterorstartAtOperationTime.LSN_CREATE_INTERVAL_SECONDS(1s) withmode: this.isCosmosDb ? 'sentinel' : 'lsn'.checkpointIdmatch only (this.checkpointStreamId.equals(checkpointId)), not by sentinel content. The return value is a realMongoLSNcomparable string, not a sentinel.LSN_TIMEOUT_SECONDS(60s) — if no checkpoint is observed, aPSYNC_S1301error is thrown.Write checkpoint HEAD capture
Write checkpoints provide read-your-own-writes consistency for sync clients. After a client writes to the source database, replication may not have delivered the change to PowerSync's storage yet. A write checkpoint ensures the sync response includes all writes up to a known replication position, so the client doesn't see stale data that's missing its own recent changes.
The flow works by capturing a replication HEAD — the current position of the change stream — then creating a checkpoint that the sync stream resolves once replication advances past that HEAD. On standard MongoDB,
createReplicationHeadissues ahellocommand on a session, readssession.clusterTime, and passes it to the callback as the HEAD. This works because any subsequent change stream event is guaranteed to be at or after that cluster time.Cosmos DB doesn't return
clusterTimeon thehellocommand. Instead,createReplicationHeadwrites a sentinel to_powersync_checkpoints(triggering a change stream event) and passesnullas the HEAD. The caller —createWriteCheckpointinservice-core— detects the null and reads the current storage checkpoint LSN directly. This is valid because the storage LSN was committed before the sentinel was written, and the sentinel guarantees the streaming loop will advance past it, so the write checkpoint will eventually resolve.Implementation details
MongoRouteAPIAdapter.createReplicationHead()callsdetectCosmosDb(), then either capturessession.clusterTime(standard) or writes a sentinel viafindOneAndUpdatewith$incand callscallback(null)(Cosmos DB).createWriteCheckpoint()incheckpointing.tschecks if HEAD is null. If so, it callssyncBucketStorage.getCheckpoint()to read the current storage LSN and uses that as the HEAD.ReplicationHeadCallbacktype was widened from(head: string) => Promise<T>to(head: string | null) => Promise<T>to support this.checkpointing.tsthrows on null HEAD (v1 doesn't support the polling fallback).Change stream configuration
On Cosmos DB:
admindb +allChangesForCluster) instead of database-level streams$changeStreamSplitLargeEvent(not supported)showExpandedEvents(not supported)fullDocument: 'updateLookup'(post-images not supported)Implementation details
All guards are in
rawChangeStreamBatches()inChangeStream.ts, which builds the$changeStreamaggregation pipeline:db.watch()). The code usesclient.db('admin')withallChangesForCluster: true, reusing the same path as multi-database replication on standard MongoDB. The$matchfilter on namespaces handles collection scoping.$changeStreamSplitLargeEvent: Pushed onto the pipeline only when!this.isCosmosDb. Without it, documents exceeding 16MB on Cosmos DB would fail — but this is an existing MongoDB limitation too, and Cosmos DB simply doesn't support the split workaround.showExpandedEvents: Set onstreamOptionsonly when!this.isCosmosDb. This enables DDL events (create, rename, drop) on standard MongoDB 6.0+.fullDocument: Forced to'updateLookup'on Cosmos DB. Standard MongoDB can use'required'(which reads fromchangeStreamPreAndPostImages), but Cosmos DB doesn't support that collection option — even settingenabled: falsethrows. TheusePostImagesconfiguration is validated at startup and throws if enabled on Cosmos DB..lte() dedup guard
When the streaming loop resumes from a stored LSN, standard MongoDB may use
startAtOperationTime— a legacy path where the server can redeliver events at the boundary timestamp. The.lte(startAfter)guard skips events at or before the resume point to prevent duplicate processing. WhenresumeAfteris used instead (which includes Cosmos DB), the server guarantees no duplicates and the guard is unnecessary.On Cosmos DB, the guard is actively harmful:
wallTimehas second precision (increment 0), so every event within the same wall-clock second as the last checkpoint would satisfy.lte()and be silently dropped — causing data loss after restart. The guard is skipped whenisCosmosDbis true.Implementation details
streamChangesInternalis wrapped inif (!this.isCosmosDb && startAfter != null && ...).try/catcharound the check handles events with neitherclusterTimenorwallTime— the event is not skipped.resumeAfterpath is the default for Cosmos DB because resume tokens are always persisted with checkpoint LSNs.Keepalive guard
MongoDB's change stream API returns a resume token with every cursor batch — including empty batches from
getMorewhen no events are available. This token is an opaque marker representing the cursor's current position in the stream. A new change stream opened withresumeAfter: <token>picks up from exactly that position.When the change stream cursor returns empty batches (no data events), the streaming loop periodically persists the latest resume token to PowerSync's internal storage. This keepalive prevents the stored resume position from going stale — on standard MongoDB, a token older than the oplog retention window becomes unusable on restart (forcing a full re-snapshot), and on any backend a stale position means re-processing events unnecessarily.
On standard MongoDB, the keepalive path calls
parseResumeTokenTimestamp()to extract the timestamp from the resume token's_datahex string, then constructs aMongoLSNwith both the timestamp and the token for persistence. Cosmos DB resume tokens are opaque base64 blobs that can't be parsed byparseResumeTokenTimestamp(), which expects a specific hex byte layout. Instead, the keepalive path constructs the timestamp fromDate.now()at second precision and pairs it with the raw resume token. The token is still persisted and usable forresumeAfteron restart — only the timestamp derivation differs.Implementation details
streamChangesInternalinChangeStream.tsis gated byif (this.isCosmosDb).MongoLSN.fromResumeToken(resumeToken)— callsparseResumeTokenTimestamp()which reads bytes 1-8 of the hex_datafield.new MongoLSN({ timestamp: Timestamp.fromBits(0, Math.floor(Date.now() / 1000)), resume_token: resumeToken })— bypasses token parsing entirely.Date.now()timestamp is structurally required byMongoLSNto construct acomparablestring, but functionally unused on Cosmos DB — the resume token is what matters for stream resumption, and the Cosmos DB code paths don't use the timestamp for ordering or dedup.keepaliveIntervalMs(default 60s) and only fires whenwaitForCheckpointLsnis null (no pending checkpoint).Testing
When run against a MongoDB backend
59/59 existing tests pass. No regressions. 1 test skips, meant to be run against Cosmos DB (×3 storage versions).
When run against a Cosmos DB backend
29/29 Cosmos DB tests pass (verified before the merge with upstream main). Tests include:
10 existing tests are skipped on Cosmos DB (unsupported features: post-images, large record split, drop/rename events, wildcard collections
test.skipIf(isCosmosDb)).Post-merge status
After merging with upstream main (PR #591 raw change streams), standard MongoDB tests pass (59/59). Cosmos DB tests pass (30/30) after fixing two upstream Cosmos DB server changes — see Cosmos DB upstream changes below.
Files changed
14 files changed (click to expand)
modules/module-mongodb/src/replication/ChangeStream.tsmodules/module-mongodb/src/replication/MongoRelation.tscreateCheckpointmodules/module-mongodb/src/replication/replication-utils.tsisdbgridguardmodules/module-mongodb/src/api/MongoRouteAPIAdapter.tscreateReplicationHeadpackages/service-core/src/util/checkpointing.tspackages/service-core/src/api/RouteAPI.tsReplicationHeadCallbackacceptsstring | nullpackages/service-core/src/routes/endpoints/checkpointing.tsmodules/module-postgres/test/src/util.tslsnafterReplicationHeadCallbacktype changemodules/module-mongodb/test/src/cosmosdb_mode.test.tsmodules/module-mongodb/test/src/cosmosdb_helpers.test.tsmodules/module-mongodb/test/src/change_stream.test.tsmodules/module-mongodb/test/src/change_stream_utils.tsmodules/module-mongodb/test/COSMOS_DB_TESTING.mdCross-module impact
The
ReplicationHeadCallbacktype inpackages/service-core/src/api/RouteAPI.tswas changed from(head: string) => Promise<T>to(head: string | null) => Promise<T>to support the Cosmos DB sentinel flow. This required a null guard in:packages/service-core/src/routes/endpoints/checkpointing.ts(v1 endpoint)packages/service-core/src/util/checkpointing.ts(v2 write checkpoint)modules/module-postgres/test/src/util.ts(Postgres test utility)The Postgres production code is unaffected — only the test utility needed a guard.
Behavioral gaps from unsupported features
10 existing tests are skipped on Cosmos DB (
test.skipIf(isCosmosDb)) because they exercise features Cosmos DB doesn't support. These gaps have not been verified independently against a live cluster — the risks below are inferred from the feature absence.Post-images (
changeStreamPreAndPostImages) — 7 tests skippedCosmos DB doesn't support stored post-images, so
fullDocument: 'updateLookup'is used instead. The difference:updateLookupre-queries the document at read time, while post-images store the document state at write time.Risk: Occasional missing update data. If a document is updated and then quickly deleted (or updated again) before the
updateLookupre-query executes,fullDocumentisnull. PowerSync skips the update — the client sees the previous state followed by the delete, missing the intermediate update. This would be a brief data staleness window, not permanent data loss — the data self-corrects once the delete (or next update) is processed.Large record splitting (
$changeStreamSplitLargeEvent) — 1 test skippedCosmos DB doesn't support the pipeline stage that splits change events exceeding 16MB into fragments.
Risk: Replication stall on oversized documents. If a change event exceeds 16MB, the change stream would error. Replication restarts and hits the same error — an infinite restart loop until the document is reduced in size or the change ages out. No data loss for other documents, but replication would be blocked.
DDL events (
drop,rename,showExpandedEvents) — 2 tests skippedCosmos DB may not emit
droporrenameevents on the change stream.Risk: Stale phantom data. If a collection is dropped, PowerSync would never learn about it. The dropped collection's data would persist in PowerSync's storage indefinitely, serving stale records to clients that no longer exist in the source. If a collection is renamed, PowerSync would continue tracking the old name — new writes under the new name are missed. Neither case would be self-correcting. Recovery would require restarting replication (which triggers a re-snapshot and reconciliation).
Known limitations
maxAwaitTimeMSwhich acts as a timeout on the rawgetMore.Dependencies
Cosmos DB upstream changes
The Cosmos DB vCore dev cluster received a server-side update that broke two assumptions in this PR. Both were fixed:
Detection field renamed: The
helloresponse changed frominternal.cosmos_versionstointernal.documentdb_versions. All three detection sites now check both field names for backwards compatibility.Resume token format changed: Individual change event
_idfields use a_datakey thatresumeAfternow rejects. The batch-levelpostBatchResumeTokenuses a_tokenkey that is accepted. On Cosmos DB, LSN construction now uses the batch-levelpostBatchResumeTokeninstead ofchangeDocument._id. Standard MongoDB is unaffected — both formats work there.