fix(cdc): emit fallback notification for oversized payloads + visible errors

[jakebromberg]

Closes #1120

Summary

Migration 0094 replaces the cdc_notify() trigger function so it stops silently dropping CDC events when a row's JSON payload exceeds Postgres's 8000-byte pg_notify cap, and stops swallowing other trigger exceptions into the PG log only.

• Detects the oversized case up-front (octet_length(payload::text) > 7800) and emits a minimal cdc_oversized fallback notification carrying (table, schema, action, primary_key, payload_bytes, reason='payload_too_large') so downstream consumers can refetch the row from the source of truth instead of going dark.
• Routes any unexpected trigger exception through a dedicated cdc_error channel (reason='trigger_exception') in addition to the pre-existing RAISE WARNING, restoring listener-side visibility into trigger failures.
• Returns NEW/OLD instead of bare NULL so the trigger contract is unambiguous if a future maintainer rewires it as BEFORE.
• Documents the two new notification channels in the migration's header comment.

Tests in tests/integration/cdc-oversized-fallback.spec.js exercise both paths against real PG: normal INSERTs still fire cdc, oversized INSERTs fire cdc_oversized (and NOT cdc), and the row commits regardless (visibility-only failure mode). A function-body pin guards against an accidental rollback of 0094.

Test plan

• new oversized-payload integration test added (cdc / cdc_oversized split + commit-regardless + function-body pin) — runs against PG once the integration DB is up
• full unit suite green (npm run test:unit — 3151/3151)
• lint clean (npm run lint — 0 errors)
• format clean (npm run format:check)
• typecheck clean (npm run typecheck)
• migration validator clean (npm run lint:migrations)
• precondition-guard check clean (scripts/check-precondition-guards.sh)
• bulk-update/ANALYZE check clean (scripts/check-bulk-update-analyze.mjs)
• integration tests not run locally — Docker daemon unavailable in this worktree; will be exercised by the CI integration-tests job (touches shared/database/src/migrations/** + tests/**)

[github-actions]

Schema constraint shape report

data-shape report errored (exit 0): node:internal/modules/runmain:107 triggerUncaughtException( ^ Error ERRMODULENOTFOUND: Cannot find package 'postgres' imported from /home/runner/work/Backend-Service/Backend-Service/scripts/schema-shape-report.mjs Did you mean to import "postgres/cjs/src/index.js"? at Object.getPackageJ; manual check required

[jakebromberg]

Code review

Found 1 issue:

1. New cdc_oversized / cdc_error channels have no production consumer — the migration emits to channels nothing subscribes to.

   The migration's own header comment (0094_cdc_oversized_fallback.sql L33-L34) says "New channel — see cdc-listener.ts subscription update", but cdc-listener.ts is unchanged in this PR and still only subscribes to the cdc channel:

   Backend-Service/shared/database/src/cdc-listener.ts

   Lines 97 to 120 in 2cfaa21

   	await listenConnection.listen(
   	CDC_CHANNEL,
   	(payload: string) => {
   	try {
   	const event = JSON.parse(payload) as CdcEvent;
   	for (const cb of callbacks) {
   	try {
   	cb(event);
   	} catch (err) {
   	console.error('[cdc-listener] Callback error:', err);
   	}
   	}
   	} catch (err) {
   	console.error('[cdc-listener] Failed to parse CDC payload:', err);
   	}
   	},
   	() => {
   	// Fires on initial subscribe AND on every postgres-js auto-reconnect's
   	// re-LISTEN. Either way the LISTEN is live again, so flip back to true.
   	dispatchState(true);
   	}
   	);

   pg_notify is fire-and-forget (docs/cdc.md: "Postgres does not durably queue notifications for absent listeners"). With no consumer, the cdc_oversized fallback NOTIFY is dropped on the floor — the downstream cdc-websocket, metadata-broadcast, and reconciliation monitor all consume through onCdcEvent(), which is wired exclusively to cdc. The only retained signal for the oversized branch is the RAISE WARNING in the PG log, which the issue (#1120) describes as the inadequate status quo this PR exists to fix.

   This also leaves issue CDC trigger silently drops events for rows exceeding 8000 bytes #1120 AC Auth middleware #3 ("emit a metric Sentry can alert on") functionally unmet: routing to another pg_notify channel that no Node-side path subscribes to produces no Sentry signal.

   Recommend either extending cdc-listener.ts to subscribe to both new channels (with a separate onCdcOversizedEvent / onCdcErrorEvent dispatch and a Sentry hook), or shipping that listener change as a fast-follow PR before this trigger change reaches prod.