proxysql

Commit Graph

Author	SHA1	Message	Date
Rene Cannao	f0a8655be3	refactor(mysqlx): replace MysqlxCredentials with MysqlxResolvedIdentity The session's identity-lookup callback now returns the full MysqlxResolvedIdentity struct from the config store rather than a stripped-down MysqlxCredentials. Password-hash derivation moves into the session via a private derive_stored_hash helper (handles both "*HEX40" and cleartext forms). No behavior change; the existing credential-lookup guard semantics are preserved so sessions without a lookup still follow the open-proxy path exercised by the robustness tests. mysqlx_robustness_unit-t passes unchanged (36/36).	1 month ago
Rene Cannao	ca6ddb860c	feat(mysqlx): add route_exists() predicate to MysqlxConfigStore Needed to distinguish unknown-route from route-with-no-backend when resolving a session's backend target. route_hostgroup() returns 0 in both cases and can't be used for disambiguation.	1 month ago
Rene Cannao	4b353ba0b1	test(mysqlx): add MysqlxConfigStore::install_for_test helper Adds a test-only seam on MysqlxConfigStore so unit tests can populate the store's private routes_ and hostgroup_endpoints_ maps directly, without building a runtime SQLite3DB fixture. This unblocks the upcoming route-identity unit tests that need to exercise route lookups in isolation. Also wires plugins/mysqlx/src/mysqlx_config_store.cpp into the mysqlx_robustness_unit-t link line. The file is already listed in the plugin's own Makefile but was missing from the unit-test target, so since MysqlxConfigStore::resolve_identity became a runtime dependency of Mysqlx_Thread the link had been broken.	1 month ago
Rene Cannao	923cbfeadc	fix(mysqlx): resolve critical authentication, TLS, and data integrity bugs - Wire credential_lookup to sessions via config store so frontend auth verification actually runs (was silently bypassed for all users) - Use backend_password (cleartext) instead of password_hash (double-SHA1) for backend MYSQL41 scramble computation - Replace cumulative BIO counter comparison with BIO_ctrl_pending() to fix permanent POLLOUT busy-loop with TLS connections - Add poll(POLLOUT) before getsockopt(SO_ERROR) in check_connect() to correctly detect non-blocking connect completion on Linux - Wrap DELETE+INSERT with BEGIN/COMMIT in sync_disk_to_memory and copy_to_runtime to prevent data loss on crash	1 month ago
Rene Cannao	04f09d6535	fix(mysqlx): address SonarCloud quality gate failures - Replace void* thread_ptr_ with typed Mysqlx_Thread* for type safety - Use RAII (unique_ptr) for SQLite3 result and error cleanup in plugin - Extract handle_auth_mysql41/handle_auth_plain from handler_auth_start to reduce cognitive complexity (37 -> ~10 per method) - Extract step_auth sub-states into individual methods to reduce cognitive complexity in mysqlx_connection.cpp (55 -> ~8 per method) - Add forward_frame_to_client helper to eliminate repeated frame forwarding code - Replace hardcoded password strings in credential verify test with named test constants - Add NOSONAR annotations for const_cast (required by SQLite3DB API) and SSL_VERIFY_NONE (test-only self-signed certs) - Fix Makefile whitespace issue with mysqlx unit test entries	2 months ago
Rene Cannao	04c0303ee9	fix(mysqlx): address critical code review feedback from PR #5593 - PluginManager: don't mark plugin stopped when stop() fails - PluginManager: add mutex to proxysql_get_plugin_manager() access - PluginManager: reject duplicate plugin paths in load() - mysqlx_thread: add listener_mutex_ for listener_fds_ synchronization - mysqlx_config_store: return tls_mode by value, not by reference - Makefile: propagate PROXYSQLGENAI/31/FFTO/TSDB flags to mysqlx builds	2 months ago
Rene Cannao	30dc111b1d	feat(mysqlx): add TLS passthrough mode for raw TLS forwarding Adds MysqlxTlsMode enum and passthrough mode support: - TLS_OFF: No TLS (default, existing behavior) - TLS_TERMINATE: ProxySQL terminates TLS, decrypts, re-encrypts to backend (existing behavior when TLS is negotiated) - TLS_PASSTHROUGH: Raw encrypted bytes forwarded between client and backend without TLS termination Passthrough behavior: - handler_tls_accept_init(): skips SSL init and handshake entirely, returns to CONNECTING_CLIENT state immediately - handler_connecting_server(): skips backend TLS setup when in passthrough mode (backend_tls_required_ is not set) - X Protocol frames are still parsed at the framing layer since the proxy needs to route and multiplex connections Use cases for passthrough mode: - TLS terminated at an external load balancer - ProxySQL should not have access to TLS certificates - Compliance requirements that forbid TLS inspection set_tls_mode() / get_tls_mode() accessors on MysqlxSession allow runtime configuration of the TLS mode per session.	2 months ago
Rene Cannao	afffad0356	feat(mysqlx): implement backend TLS via CapabilitiesSet negotiation Adds TLS support for backend X Protocol connections. When the client session is encrypted, the backend connection also negotiates TLS with the MySQL X Protocol server. Backend auth state machine changes: - New BACKEND_AUTH_TLS_HANDSHAKE state between CapSet and AuthStart - CapabilitiesSet now includes tls=true when backend_tls_required_ and an SSL_CTX is available - After CapSet Ok, if TLS required: init_ssl_connect() → handshake → send_authenticate_start() → continue normal auth - send_authenticate_start() extracted as a helper method to avoid goto-based flow control MysqlxConnection new members: - backend_tls_required_ flag (set by session when client is on TLS) - backend_ssl_ctx_ pointer (shared global SSL_CTX) - set_backend_tls_required() / is_backend_tls_required() accessors - set_ssl_ctx() to provide the SSL context TLS handshake in step_auth(): - BACKEND_AUTH_TLS_HANDSHAKE state calls backend_ds_.read_from_net() to feed encrypted bytes into the BIO pair - do_ssl_handshake() performs SSL_connect via memory BIOs - flush_ssl_write_buf() sends pending encrypted output - On failure: ssl_handshake_failed() check, returns BACKEND_AUTH_ERROR Session wiring in handler_connecting_server(): - When client_ds_.is_encrypted(), sets backend_tls_required_=true and provides SSL_CTX from Mysqlx_Thread - Backend auth failure detection distinguishes TLS failures (error 3152) from authentication failures (error 1045)	2 months ago
Rene Cannao	da75e13841	feat(mysqlx): per-message response state machines for terminal frame detection Replace the single is_terminal_server_frame() catch-all with per-message-type response tracking. Each client message type now has its own terminal frame set, matching MySQL Router's approach. New MysqlxResponseState enum: - RESP_IDLE: no pending response - RESP_WAITING_STMT_EXECUTE: SQL_STMT_EXECUTE_OK, ERROR, FETCH_DONE - RESP_WAITING_CRUD: OK, ERROR, FETCH_DONE, FETCH_SUSPENDED - RESP_WAITING_PREPARE: OK, ERROR - RESP_WAITING_CURSOR: FETCH_DONE, FETCH_SUSPENDED, ERROR - RESP_WAITING_EXPECT: OK, ERROR - RESP_WAITING_SESS_RESET: OK, ERROR Changes: - dispatch_client_message() sets response_state_ before forward_to_backend() based on message type - handler_waiting_server_msg() uses is_terminal_for_state() instead of is_terminal_server_frame() for terminal detection - is_terminal_for_state() checks the response state to determine which frames are terminal - response_state_ resets to RESP_IDLE when terminal frame received - Generic fallback preserved via is_terminal_server_frame_generic() for unknown response states This is more robust than the single catch-all list and correctly handles cases where OK is terminal for Prepare but not for StmtExecute (which needs SQL_STMT_EXECUTE_OK).	2 months ago
Rene Cannao	d50e48a971	feat(mysqlx): add descriptive TLS error messages with failure detection Adds SSL handshake failure detection and descriptive error messages for both client-side and backend TLS failures. Changes to MysqlxDataStream: - Added ssl_failed_ flag to distinguish WANT_IO (in progress) from actual SSL failure - ssl_handshake_failed() accessor for session to check failure state - ssl_failed_ is set to true in do_ssl_handshake() when get_ssl_status() returns MYSQLX_SSL_FAIL - ssl_failed_ is initialized to false in constructor, init_ssl(), and init_ssl_connect() Changes to MysqlxSession handler_tls_accept_init(): - After do_ssl_handshake() returns false, checks ssl_handshake_failed() - On failure: sends error 3151 ("TLS handshake failed") to client with OpenSSL error details retrieved via ERR_get_error()/ ERR_error_string_n(), then closes session - On WANT_IO: continues waiting (existing behavior) - Error 3150: TLS not configured on server (unchanged) - Error 3151: TLS handshake failed (new) - Error 3152: Reserved for backend TLS failures (Task 3)	2 months ago
Rene Cannao	dc35119813	feat(mysqlx): implement Session Reset passthrough with response tracking SESS_RESET is now properly forwarded to the backend with dedicated response tracking via the new X_SESSION_RESET_WAITING state: 1. Client sends SESS_RESET -> forward_to_backend() sends to server 2. Session transitions to X_SESSION_RESET_WAITING 3. handler_session_reset_waiting() reads backend response: - On NOTICE: forward to client immediately, keep waiting - On OK: clear prepared statement tracking, clear transaction flag, return backend to pool, resume WAITING_CLIENT_XMSG - On ERROR: forward error to client, return backend to pool, resume WAITING_CLIENT_XMSG - On backend disconnect: return to WAITING_CLIENT_XMSG This properly resets session state on both sides, clearing prepared statement and transaction flags so the backend connection can be safely reused from the pool. Previously, SESS_RESET was forwarded but the response was not tracked, potentially leaving the session in an inconsistent state.	2 months ago
Rene Cannao	437072cf28	feat(mysqlx): add backend connect timeout with configurable threshold Adds a configurable connect timeout (default 10 seconds) for backend X Protocol connections. If the TCP connection does not complete within the timeout, the connection attempt fails with error 2003. Changes to MysqlxConnection: - Added connect_timeout_ms_ (default 10000ms) and connect_start_time_ private members - start_connect() records connect_start_time_ using steady_clock - check_connect() measures elapsed time since start_connect() and returns -1 if timeout exceeded, setting state to ERROR_STATE - Added set_connect_timeout()/get_connect_timeout() accessors Changes to MysqlxSession: - handler_connecting_server() sets connect timeout to 10s before calling start_connect() on new backend connections The timeout is checked on every check_connect() invocation from the event loop, ensuring non-blocking timeout detection without additional timers.	2 months ago
Rene Cannao	e86cfe237f	feat(mysqlx): implement client-side TLS negotiation via CapabilitiesSet Wires TLS into the session state machine following ProxySQL MySQL protocol pattern. When a client sends CapabilitiesSet with tls=true capability, the session initiates SSL_accept on the client data stream. Changes to Mysqlx_Thread: - Added get_ssl_ctx() that returns GloVars.get_SSL_ctx() - Updated rebuild_poll_set() to check has_ssl_pending_write() for POLLOUT on both client and backend data streams Changes to MysqlxSession::handler_capabilities_set(): - Parses CapabilitiesSet protobuf to detect tls capability - If TLS requested and SSL_CTX available: sends Ok, transitions to X_TLS_ACCEPT_INIT state - If SSL_CTX not configured: sends error 3150 and closes session - Without TLS: existing behavior unchanged Changes to MysqlxSession::handler_tls_accept_init(): - Replaced stub with real implementation - Gets SSL_CTX from Mysqlx_Thread - Calls client_ds_.init_ssl(ctx) to create per-session SSL object - Calls do_ssl_handshake() on each handler invocation - When handshake completes, transitions to CONNECTING_CLIENT Changes to MysqlxSession::send_capabilities(): - Advertises tls capability (V_BOOL true) when SSL_CTX is configured - Existing auth capability advertisement unchanged All 10 test suites pass with no regressions.	2 months ago
Rene Cannao	0b555d3899	feat(mysqlx): add TLS infrastructure to MysqlxDataStream Adds SSL support following ProxySQL BIO-based pattern used in MySQL_Data_Stream and PgSQL_Data_Stream. New members in MysqlxDataStream: - ssl_: per-session SSL object from shared SSL_CTX - rbio_ssl_/wbio_ssl_: memory BIO pair for encrypted I/O - ssl_write_buf_/ssl_write_offset_: pending encrypted output - ssl_handshake_done_: handshake completion tracking New public methods: - init_ssl(SSL_CTX): creates SSL object with SSL_set_accept_state - init_ssl_connect(SSL_CTX): creates SSL object with SSL_set_connect_state - do_ssl_handshake(): performs TLS handshake, drains app data on completion - flush_ssl_write_buf(): sends pending encrypted bytes to network - has_ssl_pending_write(): checks BIO pending counts for poll integration - get_ssl()/get_rbio_ssl(): accessors for testing Modified read_from_net(): - SSL handshake phase: recv→BIO_write→do_ssl_handshake - Encrypted phase: recv→BIO_write→SSL_read loop→feed_bytes - Non-TLS path unchanged when ssl_ is null Modified write_to_net(): - SSL handshake phase: flush pending handshake data only - Encrypted phase: SSL_write→BIO_read→flush_ssl_write_buf - write_raw() also uses SSL_write when encrypted - Non-TLS path unchanged when ssl_ is null do_ssl_handshake() drains application data from the SSL object immediately after handshake completes, handling the case where the client sends data in the same TLS record as the Finished message. mysqlx_ssl_status enum maps OpenSSL errors: - MYSQLX_SSL_OK (SSL_ERROR_NONE) - MYSQLX_SSL_WANT_IO (SSL_ERROR_WANT_READ/WRITE) - MYSQLX_SSL_FAIL (all other errors) Tests: 18 assertions covering: - init_ssl with null ctx (no crash, no-op) - Non-TLS read/write unchanged - Full SSL handshake between client and server - Encrypted X Protocol frame read/write - has_ssl_pending_write before SSL init - init_ssl_connect for backend TLS	2 months ago
Rene Cannao	79783a63d7	fix(mysqlx): apply 12 critical/high fixes from four-way review + robustness test suite Addresses all 6 critical and 6 high issues identified by the four-way architecture/protocol/testing/security review. Critical fixes: - C1: Credential verification — MYSQL41 uses mysqlx_mysql41_verify_hash() against stored SHA1(SHA1(password)), PLAIN uses mysqlx_mysql41_hash() + CRYPTO_memcmp for constant-time comparison - C2: Backend X Protocol handshake — 6-state state machine in MysqlxConnection::step_auth() (CapGet→CapSet→AuthStart→AuthContinue→AuthDone) - C3: Backend FD added to poll set in rebuild_poll_set() — checks sds->get_fd() >= 0 && sds->get_status() == XDS_READY - C4: Double frame-pop fixed — removed redundant pop_frame() calls in dispatch_client_message() for handlers that already pop - C5: Backend kept until terminal frame — is_terminal_server_frame() checks 7 terminal types (OK, ERROR, SQL_STMT_EXECUTE_OK, FETCH_DONE, FETCH_SUSPENDED, DONE_MORE_RESULTSETS, DONE_MORE_OUT_PARAMS) - C6: Error severity defaults to ERROR (not FATAL) — added fatal parameter to send_error() High fixes: - H1: Parse errors detected — checks client_ds_.has_parse_error() after read_from_net() - H2: EINTR retry — do { r = recv/send(...) } while (r < 0 && errno == EINTR) - H3: Connection limit — max_sessions_ per thread (default 10000), accept loop breaks when exceeded - H4: Timeouts — 10s handshake timeout, 8h idle timeout in process_all_sessions() - H5: PLAIN auth rejected without TLS — checks client_ds_.is_encrypted() - H6: write_to_net errors propagated — checks return < 0 with errno != EAGAIN New test suites: - mysqlx_backend_auth_unit-t: 34 assertions covering full backend handshake state machine and error paths - mysqlx_credential_verify_unit-t: 24 assertions covering verify_hash, hex encode/decode, hash consistency - mysqlx_robustness_unit-t: 33 assertions covering terminal/non-terminal frame detection, multi-frame pipeline, backend disconnect, client disconnect, parse errors, auth edge cases, frame forwarding Robustness test fixes: - Replaced blocking read_x_frame with poll()-based version (200ms timeout) to prevent test hangs when no more data is available - Fixed double-close bug in test cleanup — session destructor and manual close() both closed same fds, causing next test socketpairs to be prematurely closed. Added detach_session_fds() helper to invalidate session fds before manual cleanup - Fixed drain loop ordering — close write end before draining read end to prevent blocking - Re-enabled test_backend_disconnect_during_query (previously crashed due to double-close fd corruption, not protobuf FATAL) - Fixed test_mysql41_no_credential_lookup_accepts_any to use valid 20-byte scramble format (40 hex chars) - Fixed test_forward_empty_frame to use SQL_STMT_EXECUTE message type instead of unrecognized 0x11 All 9 test suites pass (218+ assertions across backend_auth, credential_verify, data_stream, message_dispatch, session, thread, connection, concurrent, robustness).	2 months ago
Rene Cannao	70e908b9b6	feat(mysqlx): wire event-driven v2 into plugin lifecycle The mysqlx plugin now creates a configurable thread pool (mysqlx_thread_pool_size, default 4, max 64). Each thread runs its own poll() event loop, accepts connections from listeners, manages sessions cooperatively, and maintains a per-thread connection cache. New admin variables in mysqlx_variables: - mysqlx_thread_pool_size (default 4) - mysqlx_connect_timeout (default 10000ms) - mysqlx_tls_mode (default DISABLED) - mysqlx_max_cached_connections_per_thread (default 100) Plugin version bumped to 2.0.0 to reflect the architectural rewrite.	2 months ago
Rene Cannao	eb958585a6	feat(mysqlx): add protocol-aware dispatch, TLS stubs, connection pool, and async connect Implements four tightly-coupled v2 components: Task 5 - Protocol-aware frame forwarding: - dispatch_client_message() handles all 23 X Protocol client message types - CRUD operations (Find/Insert/Update/Delete) forwarded to backend - SQL statement execution forwarded to backend - Prepared statements, cursors, views, expect blocks forwarded - Compression rejected with ER_X_CAPABILITY_COMPRESSION_INVALID_ALGORITHM - Unknown messages get ER_X_BAD_MESSAGE error - forward_to_backend() and handler_waiting_server_msg() for bidirectional frame forwarding between client and server data streams Task 6 - TLS stubs: - MysqlxDataStream gains encrypted_ flag for future TLS support - MysqlxSession gains TLS state machine states (accept/connect init/cont/done) - Stub handlers skip TLS states for now (Phase 3 will add OpenSSL) Task 7 - Connection pool integration: - MysqlxSession has back-pointer to Mysqlx_Thread for pool access - handler_connecting_server() checks thread-local cache first - Connections returned to cache after query completion - Pool matching by hostgroup, user, schema Task 8 - Async backend connect: - MysqlxConnection::start_connect() uses SOCK_NONBLOCK + EINPROGRESS - check_connect() polls SO_ERROR for completion - MysqlxSession::handler_connecting_server() manages async state - Graceful error handling with proper X Protocol error frames	2 months ago
Rene Cannao	ff0070f782	feat(mysqlx): add Mysqlx_Thread event loop with poll()	2 months ago
Rene Cannao	7f8719c8d1	feat(mysqlx): add X Protocol session state machine MysqlxSession implements the X Protocol handshake and authentication as a cooperative state machine compatible with ProxySQL's poll()-based event loop. States: CONNECTING_CLIENT → X_CAPABILITIES_GET → X_CAPABILITIES_SET → X_AUTH_START → X_AUTH_CHALLENGE_SENT → X_AUTH_OK_SENT → WAITING_CLIENT_XMSG → X_SESSION_CLOSING Uses MysqlxDataStream for non-blocking frame I/O. Handler returns immediately when no data is available, allowing poll() to multiplex thousands of sessions per thread.	2 months ago
Rene Cannao	c67705ba8b	feat(mysqlx): add pooled backend connection object MysqlxConnection tracks the state of a backend X Protocol connection for connection pooling. Tracks hostgroup, user, schema, address, and multiplexing eligibility (transactions, prepared statements disable reuse). Will be used by Mysqlx_Thread's per-thread connection cache and the global connection pool.	2 months ago
Rene Cannao	6034a3fba6	fix(mysqlx): replace raw pointer MysqlxFrame with std::vector<uint8_t> Code quality fixes from review: - Replace std::pair<uint8_t*,size_t> with std::vector<uint8_t> for MysqlxFrame, eliminating use-after-free risk and Rule of Five violations - Add read buffer compaction when consumed prefix exceeds 4KB - Return -1 from write_to_net() for invalid fd (was returning 0) - Add parse_error_ flag instead of silently closing on malformed input - Add bounds check in enqueue_frame for oversized payloads	2 months ago
Rene Cannao	401a527186	feat(mysqlx): add non-blocking X Protocol frame I/O data stream Implements MysqlxDataStream with: - Non-blocking frame parsing from raw TCP byte streams - Partial frame buffering (header-first, then body accumulation) - Frame enqueue for writes with proper X Protocol wire format - read_from_net() / write_to_net() using recv()/send() on non-blocking FDs - O_NONBLOCK set automatically on init Foundation for the event-driven v2 rewrite. All future session and thread classes will use MysqlxDataStream for I/O instead of the blocking read()/write() calls from Phase 1. Tests: frame header parsing, partial frames, multiple concatenated frames, write buffer format verification.	2 months ago
Rene Cannao	cd94ac2b12	fix: populate destination_hostgroup in route stats and add conn_used counter I5: Pass destination_hostgroup through record_conn_ok and record_conn_err so that MysqlxRouteStats.destination_hostgroup is populated from the actual route configuration instead of remaining 0. I6: Add record_conn_used() method to MysqlxStatsStore that increments the conn_used atomic counter for a route. This counter tracks active session usage of a route and is flushed to stats_mysqlx_routes.	2 months ago
Rene Cannao	1900db9e57	fix: correct MYSQL41 auth wire format for real MySQL 8.x The MySQL X Protocol MYSQL41 AuthenticateContinue auth_data must be formatted as schema\0username\0UPPERCASE_HEX(scramble), not raw binary. Backend: AuthenticateContinue now sends \0user\0HEX(scramble) instead of raw 20-byte binary. This matches what MySQL 8.x X Plugin expects. Frontend: handle_authenticate now parses \0user\0*HEX(scramble) from the client's AuthenticateContinue, hex-decodes the scramble, then verifies. This matches what mysqlsh and other conforming clients send. Backend: Add Notice-skipping loops before reading CONN_CAPABILITIES and SESS_AUTHENTICATE_CONTINUE from MySQL 8.x, which may send Notice frames at any point during the handshake sequence. Add mysqlx_hex_encode/mysqlx_hex_decode helpers.	2 months ago
Rene Cannao	9a3b399eb0	fix: address critical code review findings 1. SQL injection in stats flush: escape route names with sqlite_escape() 2. Timing attack in PLAIN auth: use CRYPTO_memcmp for constant-time password comparison 3. OOM via oversized frame: add MYSQLX_MAX_PAYLOAD_SIZE (16MB) check in mysqlx_read_frame before allocating payload buffer 4. Thread safety: add shared_mutex to MysqlxConfigStore, shared_lock for readers (resolve_identity, pick_endpoint), unique_lock for writer (load_from_runtime), separate rr_mutex_ for round-robin counter mutation	2 months ago
Rene Cannao	c2e90d3696	feat: add mysqlx stats tables and topology invalidation seam Add MysqlxStatsStore with atomic route counters (conn_ok, conn_err, bytes_sent, bytes_recv) and flush_to_sqlite() for stats_mysqlx_routes. Register stats_mysqlx_routes and stats_mysqlx_processlist tables in the plugin admin schema. Wire stats recording into the worker: record_conn_ok on successful backend connect, record_conn_err on failure. Add topology generation capture at session bind time as the Phase 2 seam for GR notification-driven route invalidation.	2 months ago
Rene Cannao	e087fdda4c	feat: add backend X sessions and hostgroup-based routing Add MysqlxBackendSession with TCP connect, X Protocol MYSQL41 auth to backend, and bidirectional byte-level relay via select(). Implement round_robin and round_robin_with_fallback endpoint selection strategies in MysqlxConfigStore::pick_endpoint(). Workers now connect to the backend after frontend auth and relay traffic until close. Phase 1 is one frontend = one backend, no pooling.	2 months ago
Rene Cannao	05ca510f2d	feat: implement frontend X Protocol handshake and auth Add mysqlx_protocol.h/cpp with frame encode/decode, MYSQL41 scramble auth using EVP SHA1, and protobuf message helpers for X Protocol Error/Ok/Capabilities/Auth frames. Add mysqlx_frontend_session.h/cpp implementing the full handshake state machine: CapabilitiesGet→Capabilities, CapabilitiesSet→Ok, AuthenticateStart→challenge→AuthenticateContinue→AuthenticateOk. Supports MYSQL41 and PLAIN auth methods. Enforces x_enabled flag, rejects pass_through backend auth mode. Workers now run the frontend session instead of immediately closing connections.	2 months ago
Rene Cannao	5b5bbfbcaf	feat: add mysqlx listener sockets and worker threads Plugin start now opens TCP listeners for each active route in runtime_mysqlx_routes. An accept thread dispatches incoming connections to worker threads round-robin. Phase 1 workers accept-then-close; Tasks 7-8 will add X Protocol handshake and backend relay.	2 months ago
Rene Cannao	0b11bce37e	feat: add mysqlx runtime config store and load commands	2 months ago
Rene Cannao	8e7a99d36a	fix: align mysqlx plugin schema and smoke test	2 months ago
Rene Cannao	19d48bdc13	feat: scaffold mysqlx plugin module	2 months ago

32 Commits (f0a8655be3dfd629d61d5eff70028b13ecc9c1dd)