fix(wire): tighten encoder/decoder against protocol drift and corruption

- ISSUE-59: FilesResponse.encode_body validates per-file content is
  8-byte aligned. Upstream C (gateway.c::dumpFile) asserts
  ``len % 8 == 0`` because SQLite pages are always word-aligned and
  per-file entries are written back-to-back without padding. Python-
  produced mock frames with non-aligned content would decode under
  our permissive decoder but fail under a real C peer. Raise
  EncodeError at construction rather than silently producing
  malformed bytes.
- ISSUE-60: encode_value for BOOLEAN rejects arbitrary ints. Previous
  ``1 if value else 0`` coercion silently mapped ``5`` or ``-1`` to
  True, making the round-trip lossy (encode(5, BOOLEAN) → wire 1 →
  decode → True). Now only ``bool`` or exact 0/1 ints are accepted.
- ISSUE-61: RowsResponse.__post_init__ defensively deep-copies
  row_types and rows (outer + inner lists). Prior fix copied only
  column_names and column_types. User-supplied row_types / rows
  remained aliased: mutating the caller's list would silently mutate
  the message's internals.
- ISSUE-63: decode_row_header validates the full 8-byte marker, not
  just the first byte. Upstream C uses the full uint64 sentinel
  (0xff..ff for DONE, 0xee..ee for PART); Go's permissive "first byte
  wins" is tolerant but lets torn/corrupt frames silently truncate
  results. We reject non-uniform markers.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: antoineleclair

src/dqlitewire/messages/responses.py

@@ -246,8 +246,8 @@ class RowsResponse(Message):
     has_more: bool = False
 
     def __post_init__(self) -> None:
-        # Defensive copies (issue 042). Two sources of aliasing
-        # motivate this:
+        # Defensive copies (issue 042, ISSUE-61). Two sources of
+        # aliasing motivate this:
         #
         # 1. ``decode_body`` stores ``column_types = types`` where
         #    ``types`` is also stored as ``all_row_types[0]``, so
@@ -257,11 +257,14 @@ def __post_init__(self) -> None:
         # 2. User code constructing ``RowsResponse`` directly with a
         #    list they intend to keep mutating elsewhere.
         #
-        # Copying here catches both sites uniformly and survives
-        # future construction sites. The cost is two list allocations
-        # per response — negligible compared to the row payload.
+        # Copy all list-valued fields uniformly. ``row_types`` is a
+        # list-of-lists so it needs both outer and inner copies; the
+        # same for ``rows``. Cost is O(n) on the row dimension —
+        # dominated by the row payload itself, so negligible.
         self.column_names = list(self.column_names)
         self.column_types = list(self.column_types)
+        self.row_types = [list(t) for t in self.row_types]
+        self.rows = [list(r) for r in self.rows]
 
     def _get_row_types(self, row_idx: int, row: list[Any]) -> list[ValueType]:
         """Get types for a row: from row_types, column_types, or inferred.
@@ -467,12 +470,21 @@ class FilesResponse(Message):
     def encode_body(self) -> bytes:
         result = encode_uint64(len(self.files))
         for name, content in self.files.items():
+            # The upstream C server (gateway.c::dumpFile) asserts
+            # ``len % 8 == 0`` for every file's content, because per-file
+            # entries are written back-to-back with no explicit padding
+            # and SQLite pages are always 8-byte aligned multiples of
+            # 512. Validate here so a Python-encoded mock-server frame
+            # cannot diverge from what a real C peer produces (ISSUE-59).
+            if len(content) % 8 != 0:
+                raise EncodeError(
+                    f"FilesResponse content for {name!r} must be 8-byte aligned "
+                    f"(got {len(content)} bytes); dqlite file entries carry no "
+                    "per-file padding"
+                )
             result += encode_text(name)
             result += encode_uint64(len(content))
             result += content
-            # No padding after content — matches Go's byte-by-byte read.
-            # The C server only produces word-aligned content (SQLite pages
-            # are multiples of 512), so padding is never needed in practice.
         return result
 
     @classmethod

src/dqlitewire/tuples.py

@@ -17,6 +17,12 @@
 # Valid ValueType codes as integers, for fast membership testing in hot paths.
 _VALID_TYPE_CODES = frozenset(int(v) for v in ValueType)
 
+# Full 8-byte sentinels matching DQLITE_RESPONSE_ROWS_DONE/PART. Used to
+# reject torn/corrupt row markers instead of accepting any 8 bytes that
+# happen to start with 0xff/0xee (ISSUE-63).
+_ROW_DONE_MARKER = bytes([ROW_DONE_BYTE]) * 8
+_ROW_PART_MARKER = bytes([ROW_PART_BYTE]) * 8
+
 # Defense-in-depth cap on parameter count, matching the pattern used by
 # _MAX_COLUMN_COUNT, _MAX_FILE_COUNT, and _MAX_NODE_COUNT in responses.py.
 # SQLite's default limit is 999 (compile-time max 32766).
@@ -221,16 +227,22 @@ def decode_row_header(
     before validating header size, matching the Go reference implementation.
     Returns (types_or_marker, bytes_consumed).
     """
-    # Check for markers first — markers are always exactly one 8-byte word,
-    # regardless of column count. Must check before header size validation
-    # because for large column counts the header would be >8 bytes.
-    # Go checks the first byte (0xFF -> DONE, 0xEE -> PART); we match that
-    # behavior so non-uniform markers are also detected.
+    # Check for markers first — markers are always exactly one 8-byte word
+    # of a repeated sentinel byte, regardless of column count. Must check
+    # before header size validation because for large column counts the
+    # header would be >8 bytes.
+    #
+    # Upstream C uses the full uint64 sentinel (DQLITE_RESPONSE_ROWS_DONE
+    # = 0xff..ff, _PART = 0xee..ee). Go's reference client checks only the
+    # first byte; we validate all 8 bytes so torn/corrupt markers like
+    # ``0xff 0x00..`` are rejected as malformed rather than silently
+    # truncating the result stream (ISSUE-63). This is strictly tighter
+    # than the Go behavior.
     if len(data) >= 8:
-        first_byte = data[0]
-        if first_byte == ROW_DONE_BYTE:
+        marker = bytes(data[:8]) if isinstance(data, memoryview) else data[:8]
+        if marker == _ROW_DONE_MARKER:
             return RowMarker.DONE, 8
-        if first_byte == ROW_PART_BYTE:
+        if marker == _ROW_PART_MARKER:
             return RowMarker.PART, 8
 
     # Calculate bytes needed: 2 types per byte, rounded up

src/dqlitewire/types.py

@@ -242,9 +242,19 @@ def encode_value(value: Any, value_type: ValueType | None = None) -> tuple[bytes
             )
 
     if value_type == ValueType.BOOLEAN:
-        if not isinstance(value, (bool, int)):
-            raise EncodeError(f"Expected bool or int for BOOLEAN, got {type(value).__name__}")
-        return encode_uint64(1 if value else 0), value_type
+        # Accept bool directly; allow the exact ints 0 and 1 as a
+        # pragmatic escape for callers working with raw column values.
+        # Reject arbitrary ints — the previous ``1 if value else 0``
+        # coercion silently mapped values like ``5`` or ``-1`` to True,
+        # which round-trips as the bool True and loses the caller's
+        # original value (ISSUE-60).
+        if isinstance(value, bool):
+            return encode_uint64(1 if value else 0), value_type
+        if isinstance(value, int) and value in (0, 1):
+            return encode_uint64(value), value_type
+        raise EncodeError(
+            f"BOOLEAN requires bool (or exactly 0/1), got {type(value).__name__}={value!r}"
+        )
     elif value_type in (ValueType.INTEGER, ValueType.UNIXTIME):
         # Note: UNIXTIME is a server-to-client-only type (the C server's
         # tuple_decoder has no inbound case for DQLITE_UNIXTIME). Explicit

tests/test_messages_responses.py

@@ -184,6 +184,35 @@ class TestRowsResponseAliasing:
     The fix copies both lists on construction via ``__post_init__``.
     """
 
+    def test_constructor_copies_row_types_and_rows(self) -> None:
+        """Caller-supplied lists must be independent from the message
+        after construction (ISSUE-61). Applies uniformly to column_names,
+        column_types, row_types (outer + inner), and rows (outer + inner).
+        """
+        supplied_row_types = [[ValueType.INTEGER, ValueType.TEXT]]
+        supplied_rows = [[1, "alice"]]
+        msg = RowsResponse(
+            column_names=["id", "name"],
+            column_types=[ValueType.INTEGER, ValueType.TEXT],
+            row_types=supplied_row_types,
+            rows=supplied_rows,
+            has_more=False,
+        )
+
+        # Outer-list copies: mutating the supplied list does not affect
+        # the message.
+        supplied_row_types.append([ValueType.NULL])
+        supplied_rows.append([99, "mallory"])
+        assert len(msg.row_types) == 1
+        assert len(msg.rows) == 1
+
+        # Inner-list copies: mutating the supplied inner list does not
+        # affect the message's inner copies.
+        supplied_row_types[0][0] = ValueType.NULL
+        supplied_rows[0][0] = 999
+        assert msg.row_types[0][0] == ValueType.INTEGER
+        assert msg.rows[0][0] == 1
+
     def test_column_types_is_not_aliased_to_row_types_first(self) -> None:
         """After decoding, ``column_types`` must be a distinct list
         object from ``row_types[0]`` so mutation of one does not
@@ -897,7 +926,7 @@ def test_wire_format_starts_with_count(self) -> None:
         """Body must start with uint64 file count per Go wire protocol."""
         from dqlitewire.types import decode_uint64
 
-        msg = FilesResponse(files={"test.db": b"data"})
+        msg = FilesResponse(files={"test.db": b"datadata"})  # 8 bytes (ISSUE-59)
         body = msg.encode_body()
         count = decode_uint64(body[:8])
         assert count == 1
@@ -917,17 +946,18 @@ def test_wire_format_has_size_field(self) -> None:
         assert size == len(content)
 
     def test_roundtrip(self) -> None:
-        msg = FilesResponse(files={"db.sqlite": b"database content", "wal": b"wal data"})
+        # 16 and 8 bytes — word-aligned per upstream C's dumpFile assert.
+        msg = FilesResponse(files={"db.sqlite": b"databasecontent!", "wal": b"wal data"})
         encoded = msg.encode()
         decoded = FilesResponse.decode_body(encoded[HEADER_SIZE:])
-        assert decoded.files["db.sqlite"] == b"database content"
+        assert decoded.files["db.sqlite"] == b"databasecontent!"
         assert decoded.files["wal"] == b"wal data"
 
     def test_roundtrip_single_file(self) -> None:
-        msg = FilesResponse(files={"main.db": b"\x00\x01\x02\x03"})
+        msg = FilesResponse(files={"main.db": b"\x00\x01\x02\x03\x04\x05\x06\x07"})
         encoded = msg.encode()
         decoded = FilesResponse.decode_body(encoded[HEADER_SIZE:])
-        assert decoded.files["main.db"] == b"\x00\x01\x02\x03"
+        assert decoded.files["main.db"] == b"\x00\x01\x02\x03\x04\x05\x06\x07"
 
     def test_roundtrip_aligned_content(self) -> None:
         """Real dqlite content is always word-aligned (SQLite pages are multiples of 512)."""
@@ -943,23 +973,22 @@ def test_roundtrip_aligned_content(self) -> None:
         assert decoded.files["main.db"] == page
         assert decoded.files["wal.db"] == page + page
 
-    def test_roundtrip_non_aligned_content(self) -> None:
-        """Non-aligned content roundtrips correctly without padding.
+    def test_encode_rejects_non_aligned_content(self) -> None:
+        """Content whose length is not a multiple of 8 is rejected at encode.
 
-        The C server asserts content is always word-aligned. Neither Go nor
-        Python adds padding after file content. This test verifies that
-        non-aligned content still works for encode/decode symmetry.
+        ISSUE-59: the upstream C server (gateway.c::dumpFile) asserts
+        ``len % 8 == 0``. We enforce the same invariant on the encoder
+        side so mock-server frames cannot diverge from real C output.
         """
-        msg = FilesResponse(
-            files={
-                "file1.db": b"\x01\x02\x03",  # 3 bytes, needs 5 padding
-                "file2.db": b"\x04\x05\x06\x07\x08\x09\x0a",  # 7 bytes, needs 1 padding
-            }
-        )
-        encoded = msg.encode()
-        decoded = FilesResponse.decode_body(encoded[HEADER_SIZE:])
-        assert decoded.files["file1.db"] == b"\x01\x02\x03"
-        assert decoded.files["file2.db"] == b"\x04\x05\x06\x07\x08\x09\x0a"
+        from dqlitewire.exceptions import EncodeError
+
+        msg = FilesResponse(files={"file1.db": b"\x01\x02\x03"})  # 3 bytes
+        with pytest.raises(EncodeError, match="8-byte aligned"):
+            msg.encode_body()
+
+        msg = FilesResponse(files={"file2.db": b"\x04\x05\x06\x07\x08\x09\x0a"})  # 7
+        with pytest.raises(EncodeError, match="8-byte aligned"):
+            msg.encode_body()
 
     def test_roundtrip_empty_content(self) -> None:
         """116: zero-length file content must round-trip correctly."""
@@ -969,12 +998,15 @@ def test_roundtrip_empty_content(self) -> None:
         assert decoded.files == {"empty.db": b""}
 
     def test_roundtrip_mixed_empty_and_nonempty(self) -> None:
-        """116: empty and non-empty files in the same response."""
+        """116: empty and non-empty files in the same response.
+
+        All non-empty content must be 8-byte aligned (ISSUE-59).
+        """
         msg = FilesResponse(
             files={
-                "main.db": b"data",
+                "main.db": b"datadata",
                 "empty.db": b"",
-                "wal.db": b"more data",
+                "wal.db": b"moredata",
             }
         )
         encoded = msg.encode()

tests/test_tuples.py

@@ -357,18 +357,27 @@ def test_full_uint64_marker_comparison(self) -> None:
         assert decode_row_header(b"\xff" * 8, 1) == (RowMarker.DONE, 8)
         assert decode_row_header(b"\xee" * 8, 1) == (RowMarker.PART, 8)
 
-    def test_first_byte_marker_detection(self) -> None:
-        """Marker detection uses first byte, matching Go's byte-by-byte check.
-
-        Go checks the first byte (0xFF -> DONE, 0xEE -> PART). A non-uniform
-        marker where only the first byte matches must still be detected.
+    def test_non_uniform_marker_rejected(self) -> None:
+        """Non-uniform markers are rejected as corrupt (ISSUE-63).
+
+        Upstream C uses the full uint64 sentinel (DQLITE_RESPONSE_ROWS_DONE
+        = 0xff..ff, _PART = 0xee..ee). Go's reference client accepts any
+        8 bytes starting with 0xff/0xee as a marker; we validate all 8
+        bytes so torn/corrupt frames are rejected rather than silently
+        truncating results.
+
+        ValueType max is 11 (0xb) — a real row-header byte can never be
+        0xff or 0xee — so the "strictly C-aligned" check and the
+        "ValueType rejection on nibble 0xf/0xe" arrive at the same
+        outcome from different angles.
         """
-        # Non-uniform marker: first byte 0xFF, rest different
-        data = b"\xff\x00\x00\x00\x00\x00\x00\x00"
-        assert decode_row_header(data, 1) == (RowMarker.DONE, 8)
+        # First byte 0xff, remaining zero → falls through to ValueType
+        # nibble decode, which rejects 0xf.
+        with pytest.raises(DecodeError, match="Invalid value type code"):
+            decode_row_header(b"\xff\x00\x00\x00\x00\x00\x00\x00", 1)
 
-        data = b"\xee\x00\x00\x00\x00\x00\x00\x00"
-        assert decode_row_header(data, 1) == (RowMarker.PART, 8)
+        with pytest.raises(DecodeError, match="Invalid value type code"):
+            decode_row_header(b"\xee\x00\x00\x00\x00\x00\x00\x00", 1)
 
     def test_marker_sentinel_bytes_match_full_constants(self) -> None:
         """ROW_DONE_BYTE/ROW_PART_BYTE must match the first byte of the full marker words.

tests/test_types.py

@@ -354,13 +354,38 @@ def test_boolean_explicit_rejects_non_bool_non_int(self) -> None:
         """encode_value with explicit BOOLEAN should reject non-bool/int types."""
         import pytest
 
-        with pytest.raises(EncodeError, match="[Bb]ool"):
+        with pytest.raises(EncodeError, match="BOOLEAN"):
             encode_value("hello", ValueType.BOOLEAN)
-        with pytest.raises(EncodeError, match="[Bb]ool"):
+        with pytest.raises(EncodeError, match="BOOLEAN"):
             encode_value([1, 2], ValueType.BOOLEAN)
-        with pytest.raises(EncodeError, match="[Bb]ool"):
+        with pytest.raises(EncodeError, match="BOOLEAN"):
             encode_value({"key": "val"}, ValueType.BOOLEAN)
 
+    def test_boolean_rejects_arbitrary_int(self) -> None:
+        """BOOLEAN requires exact bool or 0/1 — arbitrary ints are rejected.
+
+        Previously any truthy int was silently coerced to True via
+        ``1 if value else 0``. That made the round-trip lossy: encode(5,
+        BOOLEAN) → wire 1 → decode → True. Callers that mean "store the
+        integer 5" should use INTEGER; callers that mean "bool" should
+        pass bool (ISSUE-60).
+        """
+        import pytest
+
+        with pytest.raises(EncodeError, match="BOOLEAN"):
+            encode_value(5, ValueType.BOOLEAN)
+        with pytest.raises(EncodeError, match="BOOLEAN"):
+            encode_value(-1, ValueType.BOOLEAN)
+        with pytest.raises(EncodeError, match="BOOLEAN"):
+            encode_value(2, ValueType.BOOLEAN)
+
+        # 0 and 1 remain acceptable as a pragmatic escape for callers
+        # working with raw column values.
+        encoded_zero, _ = encode_value(0, ValueType.BOOLEAN)
+        encoded_one, _ = encode_value(1, ValueType.BOOLEAN)
+        assert decode_uint64(encoded_zero) == 0
+        assert decode_uint64(encoded_one) == 1
+
     def test_decode_integer(self) -> None:
         value, consumed = decode_value(encode_int64(42), ValueType.INTEGER)
         assert value == 42