fix: narrow _run_protocol invalidation to transport-level errors

antoineleclair · claude · antoineleclair · commit 680c9f1ca1e9 · 2026-04-17T12:53:59.000-04:00
The catch-all except BaseException invalidated the connection on any
error — including client-side encoding bugs, user TypeError/ValueError
from bad params, and other pre-write failures that leave the wire state
intact. Every such error destroyed the socket and, via the pool's
drain-on-dead-connection logic, tore down all idle connections too.

Invalidate only for the actual wire-state-damaging cases:
DqliteConnectionError, ProtocolError, OperationalError with a leader
code, and CancelledError / KeyboardInterrupt / SystemExit (where the
request/response round-trip was interrupted mid-flight). Let
programming / encoding errors propagate with the connection intact.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/dqliteclient/connection.py b/src/dqliteclient/connection.py
@@ -241,7 +241,10 @@ async def _run_protocol[T](self, fn: Callable[[DqliteProtocol, int], Awaitable[T
             if e.code in _LEADER_ERROR_CODES:
                 self._invalidate()
             raise
-        except BaseException:
+        except (asyncio.CancelledError, KeyboardInterrupt, SystemExit):
+            # Interrupted mid-operation; we don't know how much of the
+            # request/response round-trip completed, so the wire state is
+            # unsafe to reuse. Invalidate and re-raise.
             self._invalidate()
             raise
         finally:
diff --git a/tests/test_connection.py b/tests/test_connection.py
@@ -758,6 +758,26 @@ async def test_connect_open_not_leader_surfaces_as_connection_error(self) -> Non
         # Socket must also be cleaned up.
         assert not conn.is_connected
 
+    async def test_client_side_error_does_not_invalidate_connection(
+        self, connected_connection
+    ) -> None:
+        """A client-side error (e.g., encoding bug) before any wire byte is
+        written must not destroy the connection. Only transport-level and
+        leader-change errors warrant invalidation.
+        """
+        conn, _, _ = connected_connection
+        assert conn.is_connected
+
+        async def raise_client_error(_db, _sql, _params=None):
+            raise TypeError("bad parameter type")
+
+        conn._protocol.exec_sql = raise_client_error  # type: ignore[assignment]
+
+        with pytest.raises(TypeError, match="bad parameter"):
+            await conn.execute("INSERT INTO t VALUES (?)", [object()])
+
+        assert conn.is_connected, "client-side TypeError must not invalidate the connection"
+
     async def test_cross_event_loop_raises_interface_error(self) -> None:
         """Using a connection from a different event loop must raise InterfaceError."""
         import asyncio
