marcodejongh
diff --git a/‎docs/websocket-implementation.md‎
Lines changed: 45 additions & 45 deletions b/‎docs/websocket-implementation.md‎
Lines changed: 45 additions & 45 deletions
diff --git a/‎packages/backend/src/__tests__/distributed-state.test.ts‎
Lines changed: 246 additions & 0 deletions b/‎packages/backend/src/__tests__/distributed-state.test.ts‎
Lines changed: 246 additions & 0 deletions
diff --git a/‎packages/backend/src/db/schema.ts‎
Lines changed: 3 additions & 0 deletions b/‎packages/backend/src/db/schema.ts‎
Lines changed: 3 additions & 0 deletions
@@ -863,6 +863,19 @@ When Redis is unavailable, RoomManager falls back to **Postgres-only mode**:
 | **Warm** | Redis only | 4 hours | Recently inactive (users left) |
 | **Cold** | PostgreSQL | Indefinite | Historical sessions, dormant restoration |
 
+### Participant Tracking (Postgres)
+
+Session participation is tracked in two layers:
+
+| Layer | Table / Key | Granularity | Lifetime |
+|-------|-------------|-------------|----------|
+| **Real-time** (Redis) | `boardsesh:session:{id}:members` | Per connection ID | Ephemeral (4h TTL) |
+| **Historical** (Postgres) | `board_session_participants` | Per authenticated user | Permanent |
+
+**`board_session_participants`** records one row per (session_id, user_id) with a `joined_at` timestamp. It is upserted (`ON CONFLICT DO NOTHING`) when an authenticated user joins a session. Rows are never deleted on disconnect — they serve as a permanent historical record of who participated.
+
+> **Note:** The legacy `board_session_clients` table (one row per WebSocket connection) is no longer written to. Leader state is managed exclusively in Redis via the `DistributedStateManager`.
+
 ### Key Redis Data Structures
 
 **Session State (RedisSessionStore):**
@@ -877,11 +890,11 @@ boardsesh:lock:session:restore:{id} # String - distributed lock (10s TTL)
 
 **Distributed State (DistributedStateManager):**
 ```
-boardsesh:conn:{connectionId}       # Hash - connection data (instanceId, sessionId, username, etc.)
-boardsesh:session:{id}:members      # Set - connection IDs in session (cross-instance)
-boardsesh:session:{id}:leader       # String - leader connection ID
-boardsesh:instance:{id}:conns       # Set - connections owned by instance
-boardsesh:instance:{id}:heartbeat   # String - instance heartbeat timestamp (60s TTL)
+boardsesh:conn:{connectionId}       # Hash - connection data (1h TTL, refreshed on activity)
+boardsesh:session:{id}:members      # Set - connection IDs in session (4h TTL)
+boardsesh:session:{id}:leader       # String - leader connection ID (4h TTL)
+boardsesh:instance:{id}:conns       # Set - connections owned by instance (2h TTL, refreshed on heartbeat)
+boardsesh:instance:{id}:heartbeat   # String - instance heartbeat timestamp (60s TTL, refreshed every 30s)
 ```
 
 **Pub/Sub Channels:**
@@ -931,63 +944,50 @@ sequenceDiagram
     P->>P: Exit
 ```
 
-### Dead Instance Detection and TTL Cleanup
+### Dead Instance Detection and Active Cleanup
 
-When an instance crashes or terminates without graceful shutdown, the system relies on TTL-based cleanup:
+When an instance crashes or terminates without graceful shutdown, the system uses a combination of active cleanup and TTL-based self-healing:
 
-**1. Instance Heartbeat Expiry (60s TTL)**
+**1. Instance Heartbeat (60s TTL, refreshed every 30s)**
 
-Each instance updates its heartbeat every 30 seconds:
 ```
 boardsesh:instance:{id}:heartbeat = timestamp (60s TTL)
 ```
 
-When an instance dies unexpectedly:
-- The heartbeat key expires after 60 seconds
-- Redis automatically removes the heartbeat key
-
-**2. Connection Data Expiry (1 hour TTL)**
-
-Connection data has its own TTL:
-```
-boardsesh:conn:{connectionId} = {...} (1 hour TTL)
-```
-
-Connections from dead instances:
-- Continue to exist until their 1-hour TTL expires
-- Are refreshed on client activity (extends TTL)
-- Eventually expire if no activity
+When an instance dies unexpectedly, its heartbeat key expires after 60 seconds.
 
-**3. Session Member Sets (4 hour TTL)**
+**2. Active Dead Instance Cleanup**
 
-Session member sets track all connection IDs:
-```
-boardsesh:session:{id}:members = Set of connectionIds (4 hour TTL)
-```
+The `DistributedStateManager` actively discovers and cleans up dead instances:
 
-**Limitation: No Active Cleanup for Dead Instances**
+- **On startup**: `cleanupDeadInstanceConnections()` runs asynchronously after the first heartbeat
+- **Periodically**: Piggybacks on the 30s heartbeat cycle, running every 4th heartbeat (~2 minutes)
 
-Currently, there is no background job that actively scans for dead instances and cleans up their orphaned connections. This means:
+The cleanup process:
+1. SCANs for `boardsesh:instance:*:conns` keys
+2. Checks if the corresponding heartbeat key exists (skip current instance)
+3. For each dead instance: fetches its connection IDs, groups by session
+4. Deletes all orphaned connection hashes and instance tracking keys
+5. Runs `PRUNE_STALE_SESSION_MEMBERS_SCRIPT` (Lua) per affected session to atomically remove stale members and re-elect leader if needed
 
-- Session member sets may temporarily contain connection IDs from dead instances
-- `getSessionMembers()` may return connections that no longer exist (gracefully handled by filtering out missing connection data)
-- Leader election may initially select a connection from a dead instance (but will re-elect on next leader action)
-- Connection data remains until TTL expires naturally
+**3. Stale-Filtering at Read Time**
 
-**Implications for Clients**
+Even between cleanup cycles, stale entries never inflate participant counts:
 
-- Clients should handle the case where a session "member" is no longer reachable
-- Leader changes may occur when the elected leader from a dead instance is detected as unresponsive
-- User lists may temporarily show stale entries that get filtered out on refresh
+- `getSessionMemberCount()` pipelines `EXISTS` checks against each member's connection hash — only live connections are counted
+- `getSessionMembers()` filters out members whose connection data is missing
+- `hasSessionMembers()` delegates to the filtered count
 
-**Future Improvement**
+**4. TTL Self-Healing (defense in depth)**
 
-A background cleanup job could periodically:
-1. Scan for instances with expired heartbeats
-2. Remove their orphaned connections from session member sets
-3. Trigger leader re-election if the current leader's instance is dead
+| Key | TTL | Refreshed |
+|-----|-----|-----------|
+| `boardsesh:conn:{id}` | 1 hour | On client activity |
+| `boardsesh:instance:{id}:conns` | 2 hours | On every heartbeat (30s) |
+| `boardsesh:instance:{id}:heartbeat` | 60 seconds | Every 30s |
+| `boardsesh:session:{id}:members` | 4 hours | On join/leave/refresh |
 
-This would reduce the window of stale data but is not currently implemented.
+Even if active cleanup fails, orphaned data expires naturally via these TTLs.
 
 ---
 
 
@@ -1090,3 +1090,249 @@ describe.skipIf(!redisAvailable)('DistributedStateManager - cleanup error handli
     expect(Object.keys(conn).length).toBe(0);
   });
 });
+
+describe.skipIf(!redisAvailable)('DistributedStateManager - Dead Instance Cleanup', () => {
+  let redis: Redis;
+  let liveManager: DistributedStateManager;
+
+  beforeAll(async () => {
+    redis = new Redis(REDIS_URL);
+    await new Promise<void>((resolve) => redis.once('ready', resolve));
+  });
+
+  afterAll(async () => {
+    forceResetDistributedState();
+    await redis.quit();
+  });
+
+  beforeEach(async () => {
+    forceResetDistributedState();
+    try {
+      const keys = await redis.keys('boardsesh:*');
+      if (keys.length > 0) {
+        await redis.del(...keys);
+      }
+    } catch (err) {
+      console.warn('Failed to clean up test keys:', err);
+    }
+    liveManager = new DistributedStateManager(redis, 'live-instance');
+  });
+
+  afterEach(async () => {
+    await liveManager.stop();
+    forceResetDistributedState();
+  });
+
+  describe('discoverDeadInstances', () => {
+    it('should return empty when no other instances exist', async () => {
+      liveManager.start();
+      // Give heartbeat time to run
+      await new Promise((r) => setTimeout(r, 100));
+
+      const dead = await liveManager.discoverDeadInstances();
+      expect(dead).toEqual([]);
+    });
+
+    it('should skip the current instance', async () => {
+      liveManager.start();
+      await new Promise((r) => setTimeout(r, 100));
+
+      // Even if we manually clear our own heartbeat, discoverDeadInstances
+      // skips the current instance ID.
+      await redis.del('boardsesh:instance:live-instance:heartbeat');
+
+      const dead = await liveManager.discoverDeadInstances();
+      expect(dead).toEqual([]);
+    });
+
+    it('should find instances whose heartbeat expired', async () => {
+      // Simulate a dead instance: create its conns key but no heartbeat
+      await redis.sadd('boardsesh:instance:dead-inst:conns', 'orphan-conn-1');
+
+      const dead = await liveManager.discoverDeadInstances();
+      expect(dead).toEqual(['dead-inst']);
+    });
+
+    it('should not report instances with active heartbeats', async () => {
+      // Create another instance with a valid heartbeat
+      await redis.sadd('boardsesh:instance:alive-inst:conns', 'conn-x');
+      await redis.setex('boardsesh:instance:alive-inst:heartbeat', 60, Date.now().toString());
+
+      const dead = await liveManager.discoverDeadInstances();
+      expect(dead).toEqual([]);
+    });
+  });
+
+  describe('cleanupDeadInstanceConnections', () => {
+    it('should remove orphaned connections from dead instances', async () => {
+      // Register a live connection
+      await liveManager.registerConnection('live-conn', 'LiveUser');
+      await liveManager.joinSession('live-conn', 'shared-session');
+
+      // Simulate a dead instance with orphaned connections in the same session
+      const deadInstanceId = 'dead-instance-abc';
+      // Create connection hashes for the dead connections
+      await redis.hmset('boardsesh:conn:orphan-1', {
+        connectionId: 'orphan-1',
+        instanceId: deadInstanceId,
+        sessionId: 'shared-session',
+        userId: '',
+        username: 'Ghost1',
+        avatarUrl: '',
+        isLeader: 'false',
+        connectedAt: (Date.now() - 60000).toString(),
+      });
+      await redis.hmset('boardsesh:conn:orphan-2', {
+        connectionId: 'orphan-2',
+        instanceId: deadInstanceId,
+        sessionId: 'shared-session',
+        userId: '',
+        username: 'Ghost2',
+        avatarUrl: '',
+        isLeader: 'false',
+        connectedAt: (Date.now() - 60000).toString(),
+      });
+      // Add to instance tracking (no heartbeat = dead)
+      await redis.sadd(`boardsesh:instance:${deadInstanceId}:conns`, 'orphan-1', 'orphan-2');
+      // Add to session members
+      await redis.sadd('boardsesh:session:shared-session:members', 'orphan-1', 'orphan-2');
+
+      // Verify inflated count before cleanup
+      const rawCount = await redis.scard('boardsesh:session:shared-session:members');
+      expect(rawCount).toBe(3); // 1 live + 2 ghosts
+
+      // Run cleanup
+      const result = await liveManager.cleanupDeadInstanceConnections();
+
+      expect(result.deadInstances).toEqual([deadInstanceId]);
+      expect(result.staleConnections.sort()).toEqual(['orphan-1', 'orphan-2']);
+      expect(result.sessionsAffected).toEqual(['shared-session']);
+
+      // Verify connection hashes are deleted
+      const conn1 = await redis.hgetall('boardsesh:conn:orphan-1');
+      const conn2 = await redis.hgetall('boardsesh:conn:orphan-2');
+      expect(Object.keys(conn1).length).toBe(0);
+      expect(Object.keys(conn2).length).toBe(0);
+
+      // Verify instance tracking key is deleted
+      const instanceConns = await redis.smembers(`boardsesh:instance:${deadInstanceId}:conns`);
+      expect(instanceConns.length).toBe(0);
+
+      // Verify session member count is correct (only live connection)
+      const members = await liveManager.getSessionMembers('shared-session');
+      expect(members.length).toBe(1);
+      expect(members[0].username).toBe('LiveUser');
+    });
+
+    it('should return empty summary when no dead instances exist', async () => {
+      const result = await liveManager.cleanupDeadInstanceConnections();
+      expect(result.deadInstances).toEqual([]);
+      expect(result.staleConnections).toEqual([]);
+      expect(result.sessionsAffected).toEqual([]);
+    });
+
+    it('should handle dead instance with no connections', async () => {
+      // Dead instance with empty conns set
+      await redis.sadd('boardsesh:instance:empty-dead:conns', '__placeholder__');
+      await redis.srem('boardsesh:instance:empty-dead:conns', '__placeholder__');
+      // Actually just create the key with an entry then remove it—
+      // simpler: just create it directly
+      await redis.del('boardsesh:instance:empty-dead:conns');
+      // Need the key to exist for SCAN to find it
+      await redis.sadd('boardsesh:instance:empty-dead:conns', 'temp');
+      await redis.srem('boardsesh:instance:empty-dead:conns', 'temp');
+
+      // The key may or may not exist (Redis deletes empty sets).
+      // Either way, cleanup should not error.
+      const result = await liveManager.cleanupDeadInstanceConnections();
+      // May or may not find the instance depending on whether Redis kept the empty set
+      expect(result.staleConnections).toEqual([]);
+    });
+  });
+
+  describe('cleanupStaleSessionMembers', () => {
+    it('should remove members whose connection hashes expired', async () => {
+      await liveManager.registerConnection('real-conn', 'RealUser');
+      await liveManager.joinSession('real-conn', 'prune-session');
+
+      // Add a stale member directly (no connection hash)
+      await redis.sadd('boardsesh:session:prune-session:members', 'stale-conn');
+
+      // Verify stale member is in the set
+      const rawCount = await redis.scard('boardsesh:session:prune-session:members');
+      expect(rawCount).toBe(2);
+
+      const removed = await liveManager.cleanupStaleSessionMembers('prune-session');
+      expect(removed).toBe(1);
+
+      // Only real connection remains
+      const count = await liveManager.getSessionMemberCount('prune-session');
+      expect(count).toBe(1);
+    });
+
+    it('should re-elect leader when stale leader is pruned', async () => {
+      await liveManager.registerConnection('member-conn', 'Member');
+      await liveManager.joinSession('member-conn', 'leader-prune-session');
+
+      // Add a stale leader directly
+      await redis.sadd('boardsesh:session:leader-prune-session:members', 'stale-leader');
+      await redis.set('boardsesh:session:leader-prune-session:leader', 'stale-leader', 'EX', 14400);
+
+      const removed = await liveManager.cleanupStaleSessionMembers('leader-prune-session');
+      expect(removed).toBe(1);
+
+      // member-conn should now be leader
+      const leader = await liveManager.getSessionLeader('leader-prune-session');
+      expect(leader).toBe('member-conn');
+
+      const conn = await liveManager.getConnection('member-conn');
+      expect(conn!.isLeader).toBe(true);
+    });
+
+    it('should clean up empty session when all members are stale', async () => {
+      // Add only stale members
+      await redis.sadd('boardsesh:session:all-stale:members', 'gone-1', 'gone-2');
+      await redis.set('boardsesh:session:all-stale:leader', 'gone-1', 'EX', 14400);
+
+      const removed = await liveManager.cleanupStaleSessionMembers('all-stale');
+      expect(removed).toBe(2);
+
+      // Session should be cleaned up
+      const exists = await redis.exists('boardsesh:session:all-stale:members');
+      expect(exists).toBe(0);
+
+      const leader = await liveManager.getSessionLeader('all-stale');
+      expect(leader).toBeNull();
+    });
+
+    it('should return 0 when no stale members exist', async () => {
+      await liveManager.registerConnection('healthy-conn', 'Healthy');
+      await liveManager.joinSession('healthy-conn', 'healthy-session');
+
+      const removed = await liveManager.cleanupStaleSessionMembers('healthy-session');
+      expect(removed).toBe(0);
+    });
+  });
+
+  describe('getSessionMemberCount - stale filtering', () => {
+    it('should not count members whose connection hashes are missing', async () => {
+      await liveManager.registerConnection('counted-conn', 'Counted');
+      await liveManager.joinSession('counted-conn', 'count-session');
+
+      // Add stale members directly to the session set
+      await redis.sadd('boardsesh:session:count-session:members', 'ghost-1', 'ghost-2');
+
+      // Raw SCARD would return 3, but getSessionMemberCount should return 1
+      const rawCount = await redis.scard('boardsesh:session:count-session:members');
+      expect(rawCount).toBe(3);
+
+      const filteredCount = await liveManager.getSessionMemberCount('count-session');
+      expect(filteredCount).toBe(1);
+    });
+
+    it('should return 0 for empty session', async () => {
+      const count = await liveManager.getSessionMemberCount('nonexistent-session');
+      expect(count).toBe(0);
+    });
+  });
+});
@@ -4,6 +4,7 @@ export {
   boardSessionClients as sessionClients,
   boardSessionQueues as sessionQueues,
   sessionBoards,
+  boardSessionParticipants,
   type BoardSession as Session,
   type NewBoardSession as NewSession,
   type BoardSessionClient as SessionClient,
@@ -12,4 +13,6 @@ export {
   type NewBoardSessionQueue as NewSessionQueue,
   type SessionBoard,
   type NewSessionBoard,
+  type BoardSessionParticipant,
+  type NewBoardSessionParticipant,
 } from '@boardsesh/db/schema/app';