fix: classify leader-change errors during connect()

antoineleclair · claude · antoineleclair · commit bf8ddf364034 · 2026-04-17T12:24:42.000-04:00
connect() called handshake()/open_database() directly, bypassing
_run_protocol's leader-error classification. A NOT_LEADER (10250) or
LEADERSHIP_LOST (10506) response on OPEN surfaced as a generic
OperationalError — indistinguishable from a SQL error — and the caller
lost the signal to re-resolve the leader.

Re-raise leader-coded OperationalError as DqliteConnectionError with
the original chained as __cause__, so retry layers and cluster failover
treat it as a transport issue.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/dqliteclient/connection.py b/src/dqliteclient/connection.py
@@ -136,6 +136,17 @@ async def connect(self) -> None:
             try:
                 await self._protocol.handshake()
                 self._db_id = await self._protocol.open_database(self._database)
+            except OperationalError as e:
+                self._protocol.close()
+                self._protocol = None
+                if e.code in _LEADER_ERROR_CODES:
+                    # Leader-change errors during OPEN are transport-level
+                    # problems — the caller needs to reconnect elsewhere, not
+                    # treat this as a SQL error.
+                    raise DqliteConnectionError(
+                        f"Node {self._address} is no longer leader: {e.message}"
+                    ) from e
+                raise
             except BaseException:
                 self._protocol.close()
                 self._protocol = None
diff --git a/tests/test_connection.py b/tests/test_connection.py
@@ -727,6 +727,37 @@ async def use_conn() -> None:
         assert isinstance(error_from_thread, InterfaceError)
         assert "event loop" in str(error_from_thread).lower()
 
+    async def test_connect_open_not_leader_surfaces_as_connection_error(self) -> None:
+        """If OPEN returns a leader-change code during connect(), callers must
+        see it as a transport-level DqliteConnectionError, not as a generic
+        OperationalError indistinguishable from a SQL error. Retry layers
+        and cluster failover hinge on this classification.
+        """
+        from dqlitewire.messages import FailureResponse, WelcomeResponse
+
+        conn = DqliteConnection("localhost:9001")
+
+        mock_reader = AsyncMock()
+        mock_writer = MagicMock()
+        mock_writer.drain = AsyncMock()
+        mock_writer.close = MagicMock()
+        mock_writer.wait_closed = AsyncMock()
+
+        # Handshake succeeds, OPEN returns SQLITE_IOERR_NOT_LEADER (10250).
+        mock_reader.read.side_effect = [
+            WelcomeResponse(heartbeat_timeout=15000).encode(),
+            FailureResponse(code=10250, message="not leader").encode(),
+        ]
+
+        with (
+            patch("asyncio.open_connection", return_value=(mock_reader, mock_writer)),
+            pytest.raises(DqliteConnectionError, match="leader"),
+        ):
+            await conn.connect()
+
+        # Socket must also be cleaned up.
+        assert not conn.is_connected
+
     async def test_cross_event_loop_raises_interface_error(self) -> None:
         """Using a connection from a different event loop must raise InterfaceError."""
         import asyncio
