fix(pds): prevent relay desync after failed write

[ascorbic]

Summary

• After a write that failed mid-flight (most often an image post), the relay would silently stop tracking the PDS until a manual requestCrawl re-established it.
• Root cause: applyWrites updated this.repo in memory before sequencing the firehose event. If anything threw between the in-memory assignment and a successful sequenceCommit, Cloudflare rolled back the SQLite writes but JS state stayed advanced. The next successful write then emitted a firehose commit whose since rev the relay had never seen, so it marked the repo desynced.
• Fix: in all four write paths (rpcCreateRecord, rpcDeleteRecord, rpcPutRecord, rpcApplyWrites), only assign this.repo = updatedRepo after sequenceCommit and broadcastCommit succeed. Wrap the post-applyWrites block in try/catch that calls a new invalidateRepoCache() helper on failure (defense in depth — forces a reload from storage on the next access).

Test plan

• pnpm --filter @getcirrus/pds test:unit — 273 tests pass
• In production, monitor: induce a failed image post (or a transient sequencer error) and confirm the relay continues to track without manual requestCrawl

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Updated (UTC)
✅ Deployment successful! View logs	atproto-pds	159948e	May 10 2026, 02:51 PM

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/create-pds@162

npm i https://pkg.pr.new/@getcirrus/oauth-provider@162

npm i https://pkg.pr.new/@getcirrus/pds@162

commit: 159948e