make use of esc string opt

provide EscapedStr type for faster string encoding
make unicode handling cold
2026-06-01 20:40:37 +00:00 · 2025-07-18 09:59:38 +01:00 · 2025-07-18 09:59:38 +01:00 · 2025-07-18 09:59:38 +01:00 · 2025-07-18 09:59:35 +01:00 · 2025-07-18 09:56:56 +01:00
671 changed files with 41463 additions and 13642 deletions
--- a/.config/hakari.toml
+++ b/.config/hakari.toml
@@ -33,6 +33,7 @@ workspace-members = [
    "compute_api",
    "consumption_metrics",
    "desim",
    "json",
    "metrics",
    "pageserver_api",
    "postgres_backend",
--- a/.dockerignore
+++ b/.dockerignore
@@ -4,6 +4,7 @@
 !Cargo.lock
 !Cargo.toml
 !Makefile
 !postgres.mk
 !rust-toolchain.toml
 !scripts/ninstall.sh
 !docker-compose/run-tests.sh
@@ -26,4 +27,4 @@
 !storage_controller/
 !vendor/postgres-*/
 !workspace_hack/
-!build_tools/patches
+!build-tools/patches
--- a/.github/actionlint.yml
+++ b/.github/actionlint.yml
@@ -7,6 +7,7 @@ self-hosted-runner:
    - small-metal
    - small-arm64
    - unit-perf
    - unit-perf-aws-arm
    - us-east-2
 config-variables:
  - AWS_ECR_REGION
@@ -30,6 +31,7 @@ config-variables:
  - NEON_PROD_AWS_ACCOUNT_ID
  - PGREGRESS_PG16_PROJECT_ID
  - PGREGRESS_PG17_PROJECT_ID
  - PREWARM_PGBENCH_SIZE
  - REMOTE_STORAGE_AZURE_CONTAINER
  - REMOTE_STORAGE_AZURE_REGION
  - SLACK_CICD_CHANNEL_ID
--- a/.github/actions/run-python-test-set/action.yml
+++ b/.github/actions/run-python-test-set/action.yml
@@ -176,7 +176,13 @@ runs:
        fi
        if [[ $BUILD_TYPE == "debug" && $RUNNER_ARCH == 'X64' ]]; then
-          cov_prefix=(scripts/coverage "--profraw-prefix=$GITHUB_JOB" --dir=/tmp/coverage run)
+          # We don't use code coverage for regression tests (the step is disabled),
          # so there's no need to collect it.
          # Ref https://github.com/neondatabase/neon/issues/4540
          # cov_prefix=(scripts/coverage "--profraw-prefix=$GITHUB_JOB" --dir=/tmp/coverage run)
          cov_prefix=()
          # Explicitly set LLVM_PROFILE_FILE to /dev/null to avoid writing *.profraw files
          export LLVM_PROFILE_FILE=/dev/null
        else
          cov_prefix=()
        fi
--- a/.github/workflows/_build-and-test-locally.yml
+++ b/.github/workflows/_build-and-test-locally.yml
@@ -38,6 +38,11 @@ on:
        required: false
        default: 1
        type: number
      rerun-failed:
        description: 'rerun failed tests to ignore flaky tests'
        required: false
        default: true
        type: boolean
 defaults:
  run:
@@ -99,11 +104,10 @@ jobs:
      # Set some environment variables used by all the steps.
      #
-      # CARGO_FLAGS is extra options to pass to "cargo build", "cargo test" etc.
+      # CARGO_FLAGS is extra options to pass to all "cargo" subcommands.
      #   It also includes --features, if any
      #
-      # CARGO_FEATURES is passed to "cargo metadata". It is separate from CARGO_FLAGS,
+      # CARGO_PROFILE is passed to "cargo build", "cargo test" etc, but not to
-      #   because "cargo metadata" doesn't accept --release or --debug options
+      #   "cargo metadata", because it doesn't accept --release or --debug options.
      #
      # We run tests with addtional features, that are turned off by default (e.g. in release builds), see
      # corresponding Cargo.toml files for their descriptions.
@@ -112,16 +116,16 @@ jobs:
          ARCH: ${{ inputs.arch }}
          SANITIZERS: ${{ inputs.sanitizers }}
        run: |
-          CARGO_FEATURES="--features testing"
+          CARGO_FLAGS="--locked --features testing"
          if [[ $BUILD_TYPE == "debug" && $ARCH == 'x64' ]]; then
            cov_prefix="scripts/coverage --profraw-prefix=$GITHUB_JOB --dir=/tmp/coverage run"
-            CARGO_FLAGS="--locked"
+            CARGO_PROFILE=""
          elif [[ $BUILD_TYPE == "debug" ]]; then
            cov_prefix=""
-            CARGO_FLAGS="--locked"
+            CARGO_PROFILE=""
          elif [[ $BUILD_TYPE == "release" ]]; then
            cov_prefix=""
-            CARGO_FLAGS="--locked --release"
+            CARGO_PROFILE="--release"
          fi
          if [[ $SANITIZERS == 'enabled' ]]; then
            make_vars="WITH_SANITIZERS=yes"
@@ -131,8 +135,8 @@ jobs:
          {
            echo "cov_prefix=${cov_prefix}"
            echo "make_vars=${make_vars}"
            echo "CARGO_FEATURES=${CARGO_FEATURES}"
            echo "CARGO_FLAGS=${CARGO_FLAGS}"
            echo "CARGO_PROFILE=${CARGO_PROFILE}"
            echo "CARGO_HOME=${GITHUB_WORKSPACE}/.cargo"
          } >> $GITHUB_ENV
@@ -146,7 +150,7 @@ jobs:
          secretKey: ${{ secrets.HETZNER_CACHE_SECRET_KEY }}
          use-fallback: false
          path: pg_install/v14
-          key: v1-${{ runner.os }}-${{ runner.arch }}-${{ inputs.build-type }}-pg-${{ steps.pg_v14_rev.outputs.pg_rev }}-bookworm-${{ hashFiles('Makefile', 'build-tools.Dockerfile') }}
+          key: v1-${{ runner.os }}-${{ runner.arch }}-${{ inputs.build-type }}-pg-${{ steps.pg_v14_rev.outputs.pg_rev }}-bookworm-${{ hashFiles('Makefile', 'build-tools/Dockerfile') }}
      - name: Cache postgres v15 build
        id: cache_pg_15
@@ -158,7 +162,7 @@ jobs:
          secretKey: ${{ secrets.HETZNER_CACHE_SECRET_KEY }}
          use-fallback: false
          path: pg_install/v15
-          key: v1-${{ runner.os }}-${{ runner.arch }}-${{ inputs.build-type }}-pg-${{ steps.pg_v15_rev.outputs.pg_rev }}-bookworm-${{ hashFiles('Makefile', 'build-tools.Dockerfile') }}
+          key: v1-${{ runner.os }}-${{ runner.arch }}-${{ inputs.build-type }}-pg-${{ steps.pg_v15_rev.outputs.pg_rev }}-bookworm-${{ hashFiles('Makefile', 'build-tools/Dockerfile') }}
      - name: Cache postgres v16 build
        id: cache_pg_16
@@ -170,7 +174,7 @@ jobs:
          secretKey: ${{ secrets.HETZNER_CACHE_SECRET_KEY }}
          use-fallback: false
          path: pg_install/v16
-          key: v1-${{ runner.os }}-${{ runner.arch }}-${{ inputs.build-type }}-pg-${{ steps.pg_v16_rev.outputs.pg_rev }}-bookworm-${{ hashFiles('Makefile', 'build-tools.Dockerfile') }}
+          key: v1-${{ runner.os }}-${{ runner.arch }}-${{ inputs.build-type }}-pg-${{ steps.pg_v16_rev.outputs.pg_rev }}-bookworm-${{ hashFiles('Makefile', 'build-tools/Dockerfile') }}
      - name: Cache postgres v17 build
        id: cache_pg_17
@@ -182,36 +186,20 @@ jobs:
          secretKey: ${{ secrets.HETZNER_CACHE_SECRET_KEY }}
          use-fallback: false
          path: pg_install/v17
-          key: v1-${{ runner.os }}-${{ runner.arch }}-${{ inputs.build-type }}-pg-${{ steps.pg_v17_rev.outputs.pg_rev }}-bookworm-${{ hashFiles('Makefile', 'build-tools.Dockerfile') }}
+          key: v1-${{ runner.os }}-${{ runner.arch }}-${{ inputs.build-type }}-pg-${{ steps.pg_v17_rev.outputs.pg_rev }}-bookworm-${{ hashFiles('Makefile', 'build-tools/Dockerfile') }}
-      - name: Build postgres v14
+      - name: Build all
-        if: steps.cache_pg_14.outputs.cache-hit != 'true'
+        # Note: the Makefile picks up BUILD_TYPE and CARGO_PROFILE from the env variables
-        run: mold -run make ${make_vars} postgres-v14 -j$(nproc)
+        run: mold -run make ${make_vars} all -j$(nproc) CARGO_BUILD_FLAGS="$CARGO_FLAGS"
      - name: Build postgres v15
        if: steps.cache_pg_15.outputs.cache-hit != 'true'
        run: mold -run make ${make_vars} postgres-v15 -j$(nproc)
      - name: Build postgres v16
        if: steps.cache_pg_16.outputs.cache-hit != 'true'
        run: mold -run make ${make_vars} postgres-v16 -j$(nproc)
      - name: Build postgres v17
        if: steps.cache_pg_17.outputs.cache-hit != 'true'
        run: mold -run make ${make_vars} postgres-v17 -j$(nproc)
      - name: Build neon extensions
        run: mold -run make ${make_vars} neon-pg-ext -j$(nproc)
      - name: Build walproposer-lib
        run: mold -run make ${make_vars} walproposer-lib -j$(nproc)
-      - name: Run cargo build
+      - name: Build unit tests
-        env:
+        if: inputs.sanitizers != 'enabled'
          WITH_TESTS: ${{ inputs.sanitizers != 'enabled' && '--tests' || '' }}
        run: |
          export ASAN_OPTIONS=detect_leaks=0
-          ${cov_prefix} mold -run cargo build $CARGO_FLAGS $CARGO_FEATURES --bins ${WITH_TESTS}
+          ${cov_prefix} mold -run cargo build $CARGO_FLAGS $CARGO_PROFILE --tests
      # Do install *before* running rust tests because they might recompile the
      # binaries with different features/flags.
@@ -223,7 +211,7 @@ jobs:
          # Install target binaries
          mkdir -p /tmp/neon/bin/
          binaries=$(
-            ${cov_prefix} cargo metadata $CARGO_FEATURES --format-version=1 --no-deps |
+            ${cov_prefix} cargo metadata $CARGO_FLAGS --format-version=1 --no-deps |
            jq -r '.packages[].targets[] | select(.kind | index("bin")) | .name'
          )
          for bin in $binaries; do
@@ -240,7 +228,7 @@ jobs:
            mkdir -p /tmp/neon/test_bin/
            test_exe_paths=$(
-              ${cov_prefix} cargo test $CARGO_FLAGS $CARGO_FEATURES --message-format=json --no-run |
+              ${cov_prefix} cargo test $CARGO_FLAGS $CARGO_PROFILE --message-format=json --no-run |
              jq -r '.executable | select(. != null)'
            )
            for bin in $test_exe_paths; do
@@ -274,10 +262,10 @@ jobs:
          export LD_LIBRARY_PATH
          #nextest does not yet support running doctests
-          ${cov_prefix} cargo test --doc $CARGO_FLAGS $CARGO_FEATURES
+          ${cov_prefix} cargo test --doc $CARGO_FLAGS $CARGO_PROFILE
          # run all non-pageserver tests
-          ${cov_prefix} cargo nextest run $CARGO_FLAGS $CARGO_FEATURES -E '!package(pageserver)'
+          ${cov_prefix} cargo nextest run $CARGO_FLAGS $CARGO_PROFILE -E '!package(pageserver)'
          # run pageserver tests
          # (When developing new pageserver features gated by config fields, we commonly make the rust
@@ -286,13 +274,13 @@ jobs:
          # pageserver tests from non-pageserver tests cuts down the time it takes for this CI step.)
          NEON_PAGESERVER_UNIT_TEST_VIRTUAL_FILE_IOENGINE=tokio-epoll-uring  \
          ${cov_prefix} \
-          cargo nextest run $CARGO_FLAGS $CARGO_FEATURES  -E 'package(pageserver)'
+          cargo nextest run $CARGO_FLAGS $CARGO_PROFILE  -E 'package(pageserver)'
          # Run separate tests for real S3
          export ENABLE_REAL_S3_REMOTE_STORAGE=nonempty
          export REMOTE_STORAGE_S3_BUCKET=neon-github-ci-tests
          export REMOTE_STORAGE_S3_REGION=eu-central-1
-          ${cov_prefix} cargo nextest run $CARGO_FLAGS $CARGO_FEATURES -E 'package(remote_storage)' -E 'test(test_real_s3)'
+          ${cov_prefix} cargo nextest run $CARGO_FLAGS $CARGO_PROFILE -E 'package(remote_storage)' -E 'test(test_real_s3)'
          # Run separate tests for real Azure Blob Storage
          # XXX: replace region with `eu-central-1`-like region
@@ -301,17 +289,17 @@ jobs:
          export AZURE_STORAGE_ACCESS_KEY="${{ secrets.AZURE_STORAGE_ACCESS_KEY_DEV }}"
          export REMOTE_STORAGE_AZURE_CONTAINER="${{ vars.REMOTE_STORAGE_AZURE_CONTAINER }}"
          export REMOTE_STORAGE_AZURE_REGION="${{ vars.REMOTE_STORAGE_AZURE_REGION }}"
-          ${cov_prefix} cargo nextest run $CARGO_FLAGS $CARGO_FEATURES -E 'package(remote_storage)' -E 'test(test_real_azure)'
+          ${cov_prefix} cargo nextest run $CARGO_FLAGS $CARGO_PROFILE -E 'package(remote_storage)' -E 'test(test_real_azure)'
      - name: Install postgres binaries
        run: |
          # Use tar to copy files matching the pattern, preserving the paths in the destionation
          tar c \
            pg_install/v* \
-            pg_install/build/*/src/test/regress/*.so \
+            build/*/src/test/regress/*.so \
-            pg_install/build/*/src/test/regress/pg_regress \
+            build/*/src/test/regress/pg_regress \
-            pg_install/build/*/src/test/isolation/isolationtester \
+            build/*/src/test/isolation/isolationtester \
-            pg_install/build/*/src/test/isolation/pg_isolation_regress \
+            build/*/src/test/isolation/pg_isolation_regress \
            | tar  x -C /tmp/neon
      - name: Upload Neon artifact
@@ -379,7 +367,7 @@ jobs:
      - name: Pytest regression tests
        continue-on-error: ${{ matrix.lfc_state == 'with-lfc' && inputs.build-type == 'debug' }}
        uses: ./.github/actions/run-python-test-set
-        timeout-minutes: ${{ inputs.sanitizers != 'enabled' && 75 || 180 }}
+        timeout-minutes: ${{ (inputs.build-type == 'release' && inputs.sanitizers != 'enabled') && 75 || 180 }}
        with:
          build_type: ${{ inputs.build-type }}
          test_selection: regress
@@ -387,14 +375,14 @@ jobs:
          run_with_real_s3: true
          real_s3_bucket: neon-github-ci-tests
          real_s3_region: eu-central-1
-          rerun_failed: ${{ inputs.test-run-count == 1 }}
+          rerun_failed: ${{ inputs.rerun-failed }}
          pg_version: ${{ matrix.pg_version }}
          sanitizers: ${{ inputs.sanitizers }}
          aws-oidc-role-arn: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
          # `--session-timeout` is equal to (timeout-minutes - 10 minutes) * 60 seconds.
          # Attempt to stop tests gracefully to generate test reports
          # until they are forcibly stopped by the stricter `timeout-minutes` limit.
-          extra_params: --session-timeout=${{ inputs.sanitizers != 'enabled' && 3000 || 10200 }} --count=${{ inputs.test-run-count }}
+          extra_params: --session-timeout=${{ (inputs.build-type == 'release' && inputs.sanitizers != 'enabled') && 3000 || 10200 }} --count=${{ inputs.test-run-count }}
                        ${{ inputs.test-selection != '' && format('-k "{0}"', inputs.test-selection) || '' }}
        env:
          TEST_RESULT_CONNSTR: ${{ secrets.REGRESS_TEST_RESULT_CONNSTR_NEW }}
--- a/.github/workflows/benchmarking.yml
+++ b/.github/workflows/benchmarking.yml
@@ -219,6 +219,7 @@ jobs:
          --ignore test_runner/performance/test_cumulative_statistics_persistence.py
          --ignore test_runner/performance/test_perf_many_relations.py
          --ignore test_runner/performance/test_perf_oltp_large_tenant.py
          --ignore test_runner/performance/test_lfc_prewarm.py
      env:
        BENCHMARK_CONNSTR: ${{ steps.create-neon-project.outputs.dsn }}
        VIP_VAP_ACCESS_TOKEN: "${{ secrets.VIP_VAP_ACCESS_TOKEN }}"
@@ -410,6 +411,77 @@ jobs:
      env:
        SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
  prewarm-test:
    if: ${{ github.event.inputs.run_only_pgvector_tests == 'false' || github.event.inputs.run_only_pgvector_tests == null }}
    permissions:
      contents: write
      statuses: write
      id-token: write # aws-actions/configure-aws-credentials
    env:
      PGBENCH_SIZE: ${{ vars.PREWARM_PGBENCH_SIZE }}
      POSTGRES_DISTRIB_DIR: /tmp/neon/pg_install
      DEFAULT_PG_VERSION: 17
      TEST_OUTPUT: /tmp/test_output
      BUILD_TYPE: remote
      SAVE_PERF_REPORT: ${{ github.event.inputs.save_perf_report || ( github.ref_name == 'main' ) }}
      PLATFORM: "neon-staging"
    runs-on: [ self-hosted, us-east-2, x64 ]
    container:
      image: ghcr.io/neondatabase/build-tools:pinned-bookworm
      credentials:
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}
      options: --init
    steps:
    - name: Harden the runner (Audit all outbound calls)
      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
      with:
        egress-policy: audit
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Configure AWS credentials
      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
      with:
        aws-region: eu-central-1
        role-to-assume: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
        role-duration-seconds: 18000 # 5 hours
    - name: Download Neon artifact
      uses: ./.github/actions/download
      with:
        name: neon-${{ runner.os }}-${{ runner.arch }}-release-artifact
        path: /tmp/neon/
        prefix: latest
        aws-oidc-role-arn: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
    - name: Run prewarm benchmark
      uses: ./.github/actions/run-python-test-set
      with:
        build_type: ${{ env.BUILD_TYPE }}
        test_selection: performance/test_lfc_prewarm.py
        run_in_parallel: false
        save_perf_report: ${{ env.SAVE_PERF_REPORT }}
        extra_params: -m remote_cluster --timeout 5400
        pg_version: ${{ env.DEFAULT_PG_VERSION }}
        aws-oidc-role-arn: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
      env:
        VIP_VAP_ACCESS_TOKEN: "${{ secrets.VIP_VAP_ACCESS_TOKEN }}"
        PERF_TEST_RESULT_CONNSTR: "${{ secrets.PERF_TEST_RESULT_CONNSTR }}"
        NEON_API_KEY: ${{ secrets.NEON_STAGING_API_KEY }}
    - name: Create Allure report
      id: create-allure-report
      if: ${{ !cancelled() }}
      uses: ./.github/actions/allure-report-generate
      with:
        store-test-results-into-db: true
        aws-oidc-role-arn: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
      env:
        REGRESS_TEST_RESULT_CONNSTR_NEW: ${{ secrets.REGRESS_TEST_RESULT_CONNSTR_NEW }}
  generate-matrices:
    if: ${{ github.event.inputs.run_only_pgvector_tests == 'false' || github.event.inputs.run_only_pgvector_tests == null }}
    # Create matrices for the benchmarking jobs, so we run benchmarks on rds only once a week (on Saturday)
--- a/.github/workflows/build-build-tools-image.yml
+++ b/.github/workflows/build-build-tools-image.yml
@@ -72,7 +72,7 @@ jobs:
          ARCHS: ${{ inputs.archs || '["x64","arm64"]' }}
          DEBIANS: ${{ inputs.debians || '["bullseye","bookworm"]' }}
          IMAGE_TAG: |
-            ${{ hashFiles('build-tools.Dockerfile',
+            ${{ hashFiles('build-tools/Dockerfile',
                          '.github/workflows/build-build-tools-image.yml') }}
        run: |
          echo "archs=${ARCHS}"           | tee -a ${GITHUB_OUTPUT}
@@ -144,7 +144,7 @@ jobs:
      - uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
        with:
-          file: build-tools.Dockerfile
+          file: build-tools/Dockerfile
          context: .
          provenance: false
          push: true
--- a/.github/workflows/build-macos.yml
+++ b/.github/workflows/build-macos.yml
@@ -32,161 +32,14 @@ permissions:
  contents: read
 jobs:
-  build-pgxn:
+  make-all:
    if: |
      inputs.pg_versions != '[]' || inputs.rebuild_everything ||
      contains(github.event.pull_request.labels.*.name, 'run-extra-build-macos')  ||
      contains(github.event.pull_request.labels.*.name, 'run-extra-build-*') ||
      github.ref_name == 'main'
    timeout-minutes: 30
    runs-on: macos-15
    strategy:
      matrix:
        postgres-version: ${{ inputs.rebuild_everything && fromJSON('["v14", "v15", "v16", "v17"]') || fromJSON(inputs.pg_versions) }}
    env:
      # Use release build only, to have less debug info around
      # Hence keeping target/ (and general cache size) smaller
      BUILD_TYPE: release
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
        with:
          egress-policy: audit
      - name: Checkout main repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Set pg ${{ matrix.postgres-version }} for caching
        id: pg_rev
        run: echo pg_rev=$(git rev-parse HEAD:vendor/postgres-${{ matrix.postgres-version }}) | tee -a "${GITHUB_OUTPUT}"
      - name: Cache postgres ${{ matrix.postgres-version }} build
        id: cache_pg
        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
        with:
          path: pg_install/${{ matrix.postgres-version }}
          key: v1-${{ runner.os }}-${{ runner.arch }}-${{ env.BUILD_TYPE }}-pg-${{ matrix.postgres-version }}-${{ steps.pg_rev.outputs.pg_rev }}-${{ hashFiles('Makefile') }}
      - name: Checkout submodule vendor/postgres-${{ matrix.postgres-version }}
        if: steps.cache_pg.outputs.cache-hit != 'true'
        run: |
          git submodule init vendor/postgres-${{ matrix.postgres-version }}
          git submodule update --depth 1 --recursive
      - name: Install build dependencies
        if: steps.cache_pg.outputs.cache-hit != 'true'
        run: |
          brew install flex bison openssl protobuf icu4c
      - name: Set extra env for macOS
        if: steps.cache_pg.outputs.cache-hit != 'true'
        run: |
          echo 'LDFLAGS=-L/usr/local/opt/openssl@3/lib' >> $GITHUB_ENV
          echo 'CPPFLAGS=-I/usr/local/opt/openssl@3/include' >> $GITHUB_ENV
      - name: Build Postgres ${{ matrix.postgres-version }}
        if: steps.cache_pg.outputs.cache-hit != 'true'
        run: |
          make postgres-${{ matrix.postgres-version }} -j$(sysctl -n hw.ncpu)
      - name: Build Neon Pg Ext ${{ matrix.postgres-version }}
        if: steps.cache_pg.outputs.cache-hit != 'true'
        run: |
          make "neon-pg-ext-${{ matrix.postgres-version }}" -j$(sysctl -n hw.ncpu)
      - name: Get postgres headers ${{ matrix.postgres-version }}
        if: steps.cache_pg.outputs.cache-hit != 'true'
        run: |
          make postgres-headers-${{ matrix.postgres-version }} -j$(sysctl -n hw.ncpu)
      - name: Upload "pg_install/${{ matrix.postgres-version }}" artifact
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: pg_install--${{ matrix.postgres-version }}
          path: pg_install/${{ matrix.postgres-version }}
          # The artifact is supposed to be used by the next job in the same workflow,
          # so there’s no need to store it for too long.
          retention-days: 1
  build-walproposer-lib:
    if: |
      inputs.pg_versions != '[]' || inputs.rebuild_everything ||
      contains(github.event.pull_request.labels.*.name, 'run-extra-build-macos')  ||
      contains(github.event.pull_request.labels.*.name, 'run-extra-build-*') ||
      github.ref_name == 'main'
    timeout-minutes: 30
    runs-on: macos-15
    needs: [build-pgxn]
    env:
      # Use release build only, to have less debug info around
      # Hence keeping target/ (and general cache size) smaller
      BUILD_TYPE: release
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
        with:
          egress-policy: audit
      - name: Checkout main repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Set pg v17 for caching
        id: pg_rev
        run: echo pg_rev=$(git rev-parse HEAD:vendor/postgres-v17) | tee -a "${GITHUB_OUTPUT}"
      - name: Download "pg_install/v17" artifact
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: pg_install--v17
          path: pg_install/v17
      - name: Cache walproposer-lib
        id: cache_walproposer_lib
        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
        with:
          path: pg_install/build/walproposer-lib
          key: v1-${{ runner.os }}-${{ runner.arch }}-${{ env.BUILD_TYPE }}-walproposer_lib-v17-${{ steps.pg_rev.outputs.pg_rev }}-${{ hashFiles('Makefile') }}
      - name: Checkout submodule vendor/postgres-v17
        if: steps.cache_walproposer_lib.outputs.cache-hit != 'true'
        run: |
          git submodule init vendor/postgres-v17
          git submodule update --depth 1 --recursive
      - name: Install build dependencies
        if: steps.cache_walproposer_lib.outputs.cache-hit != 'true'
        run: |
          brew install flex bison openssl protobuf icu4c
      - name: Set extra env for macOS
        if: steps.cache_walproposer_lib.outputs.cache-hit != 'true'
        run: |
          echo 'LDFLAGS=-L/usr/local/opt/openssl@3/lib' >> $GITHUB_ENV
          echo 'CPPFLAGS=-I/usr/local/opt/openssl@3/include' >> $GITHUB_ENV
      - name: Build walproposer-lib (only for v17)
        if: steps.cache_walproposer_lib.outputs.cache-hit != 'true'
        run:
          make walproposer-lib -j$(sysctl -n hw.ncpu)
      - name: Upload "pg_install/build/walproposer-lib" artifact
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: pg_install--build--walproposer-lib
          path: pg_install/build/walproposer-lib
          # The artifact is supposed to be used by the next job in the same workflow,
          # so there’s no need to store it for too long.
          retention-days: 1
  cargo-build:
    if: |
      inputs.pg_versions != '[]' || inputs.rebuild_rust_code || inputs.rebuild_everything ||
      contains(github.event.pull_request.labels.*.name, 'run-extra-build-macos') ||
      contains(github.event.pull_request.labels.*.name, 'run-extra-build-*') ||
      github.ref_name == 'main'
-    timeout-minutes: 30
+    timeout-minutes: 60
    runs-on: macos-15
    needs: [build-pgxn, build-walproposer-lib]
    env:
      # Use release build only, to have less debug info around
      # Hence keeping target/ (and general cache size) smaller
@@ -202,41 +55,53 @@ jobs:
        with:
          submodules: true
-      - name: Download "pg_install/v14" artifact
+      - name: Install build dependencies
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: pg_install--v14
          path: pg_install/v14
      - name: Download "pg_install/v15" artifact
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: pg_install--v15
          path: pg_install/v15
      - name: Download "pg_install/v16" artifact
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: pg_install--v16
          path: pg_install/v16
      - name: Download "pg_install/v17" artifact
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: pg_install--v17
          path: pg_install/v17
      - name: Download "pg_install/build/walproposer-lib" artifact
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: pg_install--build--walproposer-lib
          path: pg_install/build/walproposer-lib
      # `actions/download-artifact` doesn't preserve permissions:
      # https://github.com/actions/download-artifact?tab=readme-ov-file#permission-loss
      - name: Make pg_install/v*/bin/* executable
        run: |
-          chmod +x pg_install/v*/bin/*
+          brew install flex bison openssl protobuf icu4c
      - name: Set extra env for macOS
        run: |
          echo 'LDFLAGS=-L/usr/local/opt/openssl@3/lib' >> $GITHUB_ENV
          echo 'CPPFLAGS=-I/usr/local/opt/openssl@3/include' >> $GITHUB_ENV
      - name: Restore "pg_install/" cache
        id: cache_pg
        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
        with:
          path: pg_install
          key: v1-${{ runner.os }}-${{ runner.arch }}-${{ env.BUILD_TYPE }}-pg-install-v14-${{ hashFiles('Makefile', 'postgres.mk', 'vendor/revisions.json') }}
      - name: Checkout vendor/postgres submodules
        if: steps.cache_pg.outputs.cache-hit != 'true'
        run: |
          git submodule init
          git submodule update --depth 1 --recursive
      - name: Build Postgres
        if: steps.cache_pg.outputs.cache-hit != 'true'
        run: |
          make postgres -j$(sysctl -n hw.ncpu)
      # This isn't strictly necessary, but it makes the cached and non-cached builds more similar,
      # When pg_install is restored from cache, there is no 'build/' directory. By removing it
      # in a non-cached build too, we enforce that the rest of the steps don't depend on it,
      # so that we notice any build caching bugs earlier.
      - name: Remove build artifacts
        if: steps.cache_pg.outputs.cache-hit != 'true'
        run: |
          rm -rf build
      # Explicitly update the rust toolchain before running 'make'. The parallel make build can
      # invoke 'cargo build' more than once in parallel, for different crates.  That's OK, 'cargo'
      # does its own locking to prevent concurrent builds from stepping on each other's
      # toes. However, it will first try to update the toolchain, and that step is not locked the
      # same way. To avoid two toolchain updates running in parallel and stepping on each other's
      # toes, ensure that the toolchain is up-to-date beforehand.
      - name: Update rust toolchain
        run: |
          rustup --version &&
          rustup update &&
          rustup show
      - name: Cache cargo deps
        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
@@ -248,17 +113,12 @@ jobs:
            target
          key: v1-${{ runner.os }}-${{ runner.arch }}-cargo-${{ hashFiles('./Cargo.lock') }}-${{ hashFiles('./rust-toolchain.toml') }}-rust
-      - name: Install build dependencies
+      # Build the neon-specific postgres extensions, and all the Rust bits.
-        run: |
+      #
-          brew install flex bison openssl protobuf icu4c
+      # Pass PG_INSTALL_CACHED=1 because PostgreSQL was already built and cached
-
+      # separately.
-      - name: Set extra env for macOS
+      - name: Build all
-        run: |
+        run: PG_INSTALL_CACHED=1 BUILD_TYPE=release make -j$(sysctl -n hw.ncpu) all
          echo 'LDFLAGS=-L/usr/local/opt/openssl@3/lib' >> $GITHUB_ENV
          echo 'CPPFLAGS=-I/usr/local/opt/openssl@3/include' >> $GITHUB_ENV
      - name: Run cargo build
        run: cargo build --all --release -j$(sysctl -n hw.ncpu)
      - name: Check that no warnings are produced
        run: ./run_clippy.sh
--- a/.github/workflows/build_and_run_selected_test.yml
+++ b/.github/workflows/build_and_run_selected_test.yml
@@ -58,6 +58,7 @@ jobs:
      test-cfg: ${{ inputs.pg-versions }}
      test-selection: ${{ inputs.test-selection }}
      test-run-count: ${{ fromJson(inputs.run-count) }}
      rerun-failed: false
    secrets: inherit
  create-test-report:
--- a/.github/workflows/build_and_test.yml
+++ b/.github/workflows/build_and_test.yml
@@ -69,7 +69,7 @@ jobs:
          submodules: true
      - name: Check for file changes
-        uses: step-security/paths-filter@v3
+        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36  # v3.0.2
        id: files-changed
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
@@ -87,6 +87,29 @@ jobs:
    uses: ./.github/workflows/build-build-tools-image.yml
    secrets: inherit
  lint-yamls:
    needs: [ meta, check-permissions, build-build-tools-image ]
    # We do need to run this in `.*-rc-pr` because of hotfixes.
    if: ${{ contains(fromJSON('["pr", "push-main", "storage-rc-pr", "proxy-rc-pr", "compute-rc-pr"]'), needs.meta.outputs.run-kind) }}
    runs-on: [ self-hosted, small ]
    container:
      image: ${{ needs.build-build-tools-image.outputs.image }}
      credentials:
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}
      options: --init
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
        with:
          egress-policy: audit
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - run: make -C compute manifest-schema-validation
      - run: make lint-openapi-spec
  check-codestyle-python:
    needs: [ meta, check-permissions, build-build-tools-image ]
    # No need to run on `main` because we this in the merge queue. We do need to run this in `.*-rc-pr` because of hotfixes.
@@ -284,14 +307,14 @@ jobs:
      statuses: write
      contents: write
      pull-requests: write
-    runs-on: [ self-hosted, unit-perf ]
+    runs-on: [ self-hosted, unit-perf-aws-arm ]
    container:
      image: ${{ needs.build-build-tools-image.outputs.image }}-bookworm
      credentials:
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}
      # for changed limits, see comments on `options:` earlier in this file
-      options: --init --shm-size=512mb --ulimit memlock=67108864:67108864
+      options: --init --shm-size=512mb --ulimit memlock=67108864:67108864 --ulimit nofile=65536:65536 --security-opt seccomp=unconfined
    strategy:
      fail-fast: false
      matrix:
@@ -648,7 +671,7 @@ jobs:
                                             ghcr.io/neondatabase/neon:${{ needs.meta.outputs.build-tag }}-bookworm-arm64
  compute-node-image-arch:
-    needs: [ check-permissions, build-build-tools-image, meta ]
+    needs: [ check-permissions, meta ]
    if: ${{ contains(fromJSON('["push-main", "pr", "compute-rc-pr"]'), needs.meta.outputs.run-kind) }}
    permissions:
      id-token: write # aws-actions/configure-aws-credentials
@@ -721,7 +744,6 @@ jobs:
            GIT_VERSION=${{ github.event.pull_request.head.sha || github.sha }}
            PG_VERSION=${{ matrix.version.pg }}
            BUILD_TAG=${{ needs.meta.outputs.release-tag || needs.meta.outputs.build-tag }}
            TAG=${{ needs.build-build-tools-image.outputs.image-tag }}-${{ matrix.version.debian }}
            DEBIAN_VERSION=${{ matrix.version.debian }}
          provenance: false
          push: true
@@ -741,7 +763,6 @@ jobs:
            GIT_VERSION=${{ github.event.pull_request.head.sha || github.sha }}
            PG_VERSION=${{ matrix.version.pg }}
            BUILD_TAG=${{ needs.meta.outputs.release-tag || needs.meta.outputs.build-tag }}
            TAG=${{ needs.build-build-tools-image.outputs.image-tag }}-${{ matrix.version.debian }}
            DEBIAN_VERSION=${{ matrix.version.debian }}
          provenance: false
          push: true
@@ -966,6 +987,7 @@ jobs:
      - name: Verify docker-compose example and test extensions
        timeout-minutes: 60
        env:
          PARALLEL_COMPUTES: 3
          TAG: >-
            ${{
              needs.meta.outputs.run-kind == 'compute-rc-pr'
--- a/.github/workflows/build_and_test_fully.yml
+++ b/.github/workflows/build_and_test_fully.yml
@@ -0,0 +1,151 @@
 name: Build and Test Fully
 on:
  schedule:
    # * is a special character in YAML so you have to quote this string
    #          ┌───────────── minute (0 - 59)
    #          │ ┌───────────── hour (0 - 23)
    #          │ │ ┌───────────── day of the month (1 - 31)
    #          │ │ │ ┌───────────── month (1 - 12 or JAN-DEC)
    #          │ │ │ │ ┌───────────── day of the week (0 - 6 or SUN-SAT)
    - cron:   '0 3 * * *' # run once a day, timezone is utc
  workflow_dispatch:
 defaults:
  run:
    shell: bash -euxo pipefail {0}
 concurrency:
  # Allow only one workflow per any non-`main` branch.
  group: ${{ github.workflow }}-${{ github.ref_name }}-${{ github.ref_name == 'main' && github.sha || 'anysha' }}
  cancel-in-progress: true
 env:
  RUST_BACKTRACE: 1
  COPT: '-Werror'
 jobs:
  tag:
    runs-on: [ self-hosted, small ]
    container: ${{ vars.NEON_DEV_AWS_ACCOUNT_ID }}.dkr.ecr.${{ vars.AWS_ECR_REGION }}.amazonaws.com/base:pinned
    outputs:
      build-tag: ${{steps.build-tag.outputs.tag}}
    steps:
      # Need `fetch-depth: 0` to count the number of commits in the branch
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
        with:
          egress-policy: audit
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
      - name: Get build tag
        run: |
          echo run:$GITHUB_RUN_ID
          echo ref:$GITHUB_REF_NAME
          echo rev:$(git rev-list --count HEAD)
          if [[ "$GITHUB_REF_NAME" == "main" ]]; then
            echo "tag=$(git rev-list --count HEAD)" >> $GITHUB_OUTPUT
          elif [[ "$GITHUB_REF_NAME" == "release" ]]; then
            echo "tag=release-$(git rev-list --count HEAD)" >> $GITHUB_OUTPUT
          elif [[ "$GITHUB_REF_NAME" == "release-proxy" ]]; then
            echo "tag=release-proxy-$(git rev-list --count HEAD)" >> $GITHUB_OUTPUT
          elif [[ "$GITHUB_REF_NAME" == "release-compute" ]]; then
            echo "tag=release-compute-$(git rev-list --count HEAD)" >> $GITHUB_OUTPUT
          else
            echo "GITHUB_REF_NAME (value '$GITHUB_REF_NAME') is not set to either 'main' or 'release', 'release-proxy', 'release-compute'"
            echo "tag=$GITHUB_RUN_ID" >> $GITHUB_OUTPUT
          fi
        shell: bash
        id: build-tag
  build-build-tools-image:
    uses: ./.github/workflows/build-build-tools-image.yml
    secrets: inherit
  build-and-test-locally:
    needs: [ tag, build-build-tools-image ]
    strategy:
      fail-fast: false
      matrix:
        arch: [ x64, arm64 ]
        build-type: [ debug, release ]
    uses: ./.github/workflows/_build-and-test-locally.yml
    with:
      arch: ${{ matrix.arch }}
      build-tools-image: ${{ needs.build-build-tools-image.outputs.image }}-bookworm
      build-tag: ${{ needs.tag.outputs.build-tag }}
      build-type: ${{ matrix.build-type }}
      rerun-failed: false
      test-cfg: '[{"pg_version":"v14", "lfc_state": "with-lfc"},
                  {"pg_version":"v15", "lfc_state": "with-lfc"},
                  {"pg_version":"v16", "lfc_state": "with-lfc"},
                  {"pg_version":"v17", "lfc_state": "with-lfc"},
                  {"pg_version":"v14", "lfc_state": "without-lfc"},
                  {"pg_version":"v15", "lfc_state": "without-lfc"},
                  {"pg_version":"v16", "lfc_state": "without-lfc"},
                  {"pg_version":"v17", "lfc_state": "withouts-lfc"}]'
    secrets: inherit
  create-test-report:
    needs: [ build-and-test-locally, build-build-tools-image ]
    if: ${{ !cancelled() }}
    permissions:
      id-token: write # aws-actions/configure-aws-credentials
      statuses: write
      contents: write
      pull-requests: write
    outputs:
      report-url: ${{ steps.create-allure-report.outputs.report-url }}
    runs-on: [ self-hosted, small ]
    container:
      image: ${{ needs.build-build-tools-image.outputs.image }}-bookworm
      credentials:
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}
      options: --init
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
        with:
          egress-policy: audit
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Create Allure report
        if: ${{ !cancelled() }}
        id: create-allure-report
        uses: ./.github/actions/allure-report-generate
        with:
          store-test-results-into-db: true
          aws-oidc-role-arn: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
        env:
          REGRESS_TEST_RESULT_CONNSTR_NEW: ${{ secrets.REGRESS_TEST_RESULT_CONNSTR_NEW }}
      - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        if: ${{ !cancelled() }}
        with:
          # Retry script for 5XX server errors: https://github.com/actions/github-script#retries
          retries: 5
          script: |
            const report = {
              reportUrl:     "${{ steps.create-allure-report.outputs.report-url }}",
              reportJsonUrl: "${{ steps.create-allure-report.outputs.report-json-url }}",
            }
            const coverage = {}
            const script = require("./scripts/comment-test-report.js")
            await script({
              github,
              context,
              fetch,
              report,
              coverage,
            })
--- a/.github/workflows/build_and_test_with_sanitizers.yml
+++ b/.github/workflows/build_and_test_with_sanitizers.yml
@@ -79,6 +79,7 @@ jobs:
      build-tools-image: ${{ needs.build-build-tools-image.outputs.image }}-bookworm
      build-tag: ${{ needs.tag.outputs.build-tag }}
      build-type: ${{ matrix.build-type }}
      rerun-failed: false
      test-cfg: '[{"pg_version":"v17"}]'
      sanitizers: enabled
    secrets: inherit
--- a/.github/workflows/large_oltp_benchmark.yml
+++ b/.github/workflows/large_oltp_benchmark.yml
@@ -33,11 +33,19 @@ jobs:
      fail-fast: false # allow other variants to continue even if one fails
      matrix:
        include:
          # test only read-only custom scripts in new branch without database maintenance
          - target: new_branch
            custom_scripts: select_any_webhook_with_skew.sql@300 select_recent_webhook.sql@397 select_prefetch_webhook.sql@3
            test_maintenance: false
          # test all custom scripts in new branch with database maintenance
          - target: new_branch
            custom_scripts: insert_webhooks.sql@200 select_any_webhook_with_skew.sql@300 select_recent_webhook.sql@397 select_prefetch_webhook.sql@3 IUD_one_transaction.sql@100
            test_maintenance: true
          # test all custom scripts in reuse branch with database maintenance
          - target: reuse_branch
            custom_scripts: insert_webhooks.sql@200 select_any_webhook_with_skew.sql@300 select_recent_webhook.sql@397 select_prefetch_webhook.sql@3 IUD_one_transaction.sql@100
-      max-parallel: 1 # we want to run each stripe size sequentially to be able to compare the results
+            test_maintenance: true
      max-parallel: 1 # we want to run each benchmark sequentially to not have noisy neighbors on shared storage (PS, SK)
    permissions:
      contents: write
      statuses: write
@@ -145,6 +153,7 @@ jobs:
        PERF_TEST_RESULT_CONNSTR: "${{ secrets.PERF_TEST_RESULT_CONNSTR }}"
    - name: Benchmark database maintenance
      if: ${{ matrix.test_maintenance }}
      uses: ./.github/actions/run-python-test-set
      with:
        build_type: ${{ env.BUILD_TYPE }}
--- a/.github/workflows/large_oltp_growth.yml
+++ b/.github/workflows/large_oltp_growth.yml
@@ -0,0 +1,175 @@
 name: large oltp growth
 # workflow to grow the reuse branch of large oltp benchmark continuously (about 16 GB per run)
 on:
  # uncomment to run on push for debugging your PR
  # push:
  #  branches: [ bodobolero/increase_large_oltp_workload ]
  schedule:
    # * is a special character in YAML so you have to quote this string
    #        ┌───────────── minute (0 - 59)
    #        │ ┌───────────── hour (0 - 23)
    #        │ │  ┌───────────── day of the month (1 - 31)
    #        │ │  │ ┌───────────── month (1 - 12 or JAN-DEC)
    #        │ │  │ │ ┌───────────── day of the week (0 - 6 or SUN-SAT)
    - cron: '0 6 * * *'   # 06:00 UTC
    - cron: '0 8 * * *'   # 08:00 UTC
    - cron: '0 10 * * *'  # 10:00 UTC
    - cron: '0 12 * * *'  # 12:00 UTC
    - cron: '0 14 * * *'  # 14:00 UTC
    - cron: '0 16 * * *'  # 16:00 UTC
  workflow_dispatch: # adds ability to run this manually
 defaults:
  run:
    shell: bash -euxo pipefail {0}
 concurrency:
  # Allow only one workflow globally because we need dedicated resources which only exist once
  group: large-oltp-growth
  cancel-in-progress: true
 permissions:
  contents: read
 jobs:
  oltp:
    strategy:
      fail-fast: false # allow other variants to continue even if one fails
      matrix:
        include:
          # for now only grow the reuse branch, not the other branches.
          - target: reuse_branch
            custom_scripts:
            - grow_action_blocks.sql
            - grow_action_kwargs.sql
            - grow_device_fingerprint_event.sql
            - grow_edges.sql
            - grow_hotel_rate_mapping.sql
            - grow_ocr_pipeline_results_version.sql
            - grow_priceline_raw_response.sql
            - grow_relabled_transactions.sql
            - grow_state_values.sql
            - grow_values.sql
            - grow_vertices.sql
            - update_accounting_coding_body_tracking_category_selection.sql
            - update_action_blocks.sql
            - update_action_kwargs.sql
            - update_denormalized_approval_workflow.sql
            - update_device_fingerprint_event.sql
            - update_edges.sql
            - update_heron_transaction_enriched_log.sql
            - update_heron_transaction_enrichment_requests.sql
            - update_hotel_rate_mapping.sql
            - update_incoming_webhooks.sql
            - update_manual_transaction.sql
            - update_ml_receipt_matching_log.sql
            - update_ocr_pipeine_results_version.sql
            - update_orc_pipeline_step_results.sql
            - update_orc_pipeline_step_results_version.sql
            - update_priceline_raw_response.sql
            - update_quickbooks_transactions.sql
            - update_raw_finicity_transaction.sql
            - update_relabeled_transactions.sql
            - update_state_values.sql
            - update_stripe_authorization_event_log.sql
            - update_transaction.sql
            - update_values.sql
            - update_vertices.sql
      max-parallel: 1 # we want to run each growth workload sequentially (for now there is just one)
    permissions:
      contents: write
      statuses: write
      id-token: write # aws-actions/configure-aws-credentials
    env:
      TEST_PG_BENCH_DURATIONS_MATRIX: "1h"
      TEST_PGBENCH_CUSTOM_SCRIPTS: ${{ join(matrix.custom_scripts, ' ') }}
      POSTGRES_DISTRIB_DIR: /tmp/neon/pg_install
      PG_VERSION: 16 # pre-determined by pre-determined project
      TEST_OUTPUT: /tmp/test_output
      BUILD_TYPE: remote
      PLATFORM: ${{ matrix.target }}
    runs-on: [ self-hosted, us-east-2, x64 ]
    container:
      image: ghcr.io/neondatabase/build-tools:pinned-bookworm
      credentials:
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}
      options: --init
    steps:
    - name: Harden the runner (Audit all outbound calls)
      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
      with:
        egress-policy: audit
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Configure AWS credentials # necessary to download artefacts
      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
      with:
        aws-region: eu-central-1
        role-to-assume: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
        role-duration-seconds: 18000 # 5 hours is currently max associated with IAM role
    - name: Download Neon artifact
      uses: ./.github/actions/download
      with:
        name: neon-${{ runner.os }}-${{ runner.arch }}-release-artifact
        path: /tmp/neon/
        prefix: latest
        aws-oidc-role-arn: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
    - name: Set up Connection String
      id: set-up-connstr
      run: |
        case "${{ matrix.target }}" in
          reuse_branch)
          CONNSTR=${{ secrets.BENCHMARK_LARGE_OLTP_REUSE_CONNSTR }}
          ;;
          *)
          echo >&2 "Unknown target=${{ matrix.target }}"
          exit 1
          ;;
        esac
        CONNSTR_WITHOUT_POOLER="${CONNSTR//-pooler/}"
        echo "connstr=${CONNSTR}" >> $GITHUB_OUTPUT
        echo "connstr_without_pooler=${CONNSTR_WITHOUT_POOLER}" >> $GITHUB_OUTPUT
    - name: pgbench with custom-scripts
      uses: ./.github/actions/run-python-test-set
      with:
        build_type: ${{ env.BUILD_TYPE }}
        test_selection: performance
        run_in_parallel: false
        save_perf_report: true
        extra_params: -m remote_cluster --timeout 7200 -k test_perf_oltp_large_tenant_growth
        pg_version: ${{ env.PG_VERSION }}
        aws-oidc-role-arn: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
      env:
        BENCHMARK_CONNSTR: ${{ steps.set-up-connstr.outputs.connstr }}
        VIP_VAP_ACCESS_TOKEN: "${{ secrets.VIP_VAP_ACCESS_TOKEN }}"
        PERF_TEST_RESULT_CONNSTR: "${{ secrets.PERF_TEST_RESULT_CONNSTR }}"
    - name: Create Allure report
      id: create-allure-report
      if: ${{ !cancelled() }}
      uses: ./.github/actions/allure-report-generate
      with:
        aws-oidc-role-arn: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
    - name: Post to a Slack channel
      if: ${{ github.event.schedule && failure() }}
      uses: slackapi/slack-github-action@fcfb566f8b0aab22203f066d80ca1d7e4b5d05b3 # v1.27.1
      with:
        channel-id: "C06KHQVQ7U3" # on-call-qa-staging-stream
        slack-message: |
          Periodic large oltp tenant growth increase: ${{ job.status }}
          <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|GitHub Run>
          <${{ steps.create-allure-report.outputs.report-url }}|Allure report>
      env:
        SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
--- a/.github/workflows/neon_extra_builds.yml
+++ b/.github/workflows/neon_extra_builds.yml
@@ -53,7 +53,7 @@ jobs:
          submodules: true
      - name: Check for Postgres changes
-        uses: step-security/paths-filter@v3
+        uses: dorny/paths-filter@1441771bbfdd59dcd748680ee64ebd8faab1a242  #v3
        id: files_changed
        with:
          token: ${{ github.token }}
--- a/.github/workflows/periodic_pagebench.yml
+++ b/.github/workflows/periodic_pagebench.yml
@@ -1,4 +1,4 @@
-name: Periodic pagebench performance test on unit-perf hetzner runner
+name: Periodic pagebench performance test on unit-perf-aws-arm runners
 on:
  schedule:
@@ -40,7 +40,7 @@ jobs:
      statuses: write
      contents: write
      pull-requests: write
-    runs-on: [ self-hosted, unit-perf ]
+    runs-on: [ self-hosted, unit-perf-aws-arm ]
    container:
      image: ghcr.io/neondatabase/build-tools:pinned-bookworm
      credentials:
--- a/.github/workflows/pre-merge-checks.yml
+++ b/.github/workflows/pre-merge-checks.yml
@@ -34,7 +34,7 @@ jobs:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: step-security/changed-files@3dbe17c78367e7d60f00d78ae6781a35be47b4a1 # v45.0.1
+      - uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
        id: python-src
        with:
          files: |
@@ -45,7 +45,7 @@ jobs:
            poetry.lock
            pyproject.toml
-      - uses: step-security/changed-files@3dbe17c78367e7d60f00d78ae6781a35be47b4a1 # v45.0.1
+      - uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
        id: rust-src
        with:
          files: |
--- a/.github/workflows/proxy-benchmark.yml
+++ b/.github/workflows/proxy-benchmark.yml
@@ -0,0 +1,84 @@
 name: Periodic proxy performance test on unit-perf-aws-arm runners
 on:
  push: # TODO: remove after testing
    branches:
      - test-proxy-bench # Runs on pushes to branches starting with test-proxy-bench
  # schedule:
    # * is a special character in YAML so you have to quote this string
    #        ┌───────────── minute (0 - 59)
    #        │ ┌───────────── hour (0 - 23)
    #        │ │ ┌───────────── day of the month (1 - 31)
    #        │ │ │ ┌───────────── month (1 - 12 or JAN-DEC)
    #        │ │ │ │ ┌───────────── day of the week (0 - 6 or SUN-SAT)
    # - cron: '0 5 * * *' # Runs at 5 UTC once a day
  workflow_dispatch: # adds an ability to run this manually
 defaults:
  run:
    shell: bash -euo pipefail {0}
 concurrency:
  group: ${{ github.workflow }}
  cancel-in-progress: false
 permissions:
  contents: read
 jobs:
  run_periodic_proxybench_test:
    permissions:
      id-token: write # aws-actions/configure-aws-credentials
      statuses: write
      contents: write
      pull-requests: write
    runs-on: [self-hosted, unit-perf-aws-arm]
    timeout-minutes: 60  # 1h timeout
    container:
      image: ghcr.io/neondatabase/build-tools:pinned-bookworm
      credentials:
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}
      options: --init
    steps:
    - name: Checkout proxy-bench Repo
      uses: actions/checkout@v4
      with:
        repository: neondatabase/proxy-bench
        path: proxy-bench
    - name: Set up the environment which depends on $RUNNER_TEMP on nvme drive
      id: set-env
      shell: bash -euxo pipefail {0}
      run: |
        PROXY_BENCH_PATH=$(realpath ./proxy-bench)
        {
          echo "PROXY_BENCH_PATH=$PROXY_BENCH_PATH"
          echo "NEON_DIR=${RUNNER_TEMP}/neon"
          echo "TEST_OUTPUT=${PROXY_BENCH_PATH}/test_output"
          echo ""
        } >> "$GITHUB_ENV"
    - name: Run proxy-bench
      run: ${PROXY_BENCH_PATH}/run.sh
    - name: Ingest Bench Results # neon repo script
      if: always()
      run: |
        mkdir -p $TEST_OUTPUT
        python $NEON_DIR/scripts/proxy_bench_results_ingest.py --out $TEST_OUTPUT
    - name: Push Metrics to Proxy perf database
      if: always()
      env:
        PERF_TEST_RESULT_CONNSTR: "${{ secrets.PROXY_TEST_RESULT_CONNSTR }}"
        REPORT_FROM: $TEST_OUTPUT
      run: $NEON_DIR/scripts/generate_and_push_perf_report.sh
    - name: Docker cleanup
      if: always()
      run: docker compose down
    - name: Notify Failure
      if: failure()
      run: echo "Proxy bench job failed" && exit 1
--- a/.gitignore
+++ b/.gitignore
@@ -1,10 +1,12 @@
 /artifact_cache
 /build
 /pg_install
 /target
 /tmp_check
 /tmp_check_cli
 __pycache__/
 test_output/
 neon_previous/
 .vscode
 .idea
 *.swp
@@ -13,6 +15,7 @@ neon.iml
 /.neon
 /integration_tests/.neon
 compaction-suite-results.*
 docker-compose/docker-compose-parallel.yml
 # Coverage
 *.profraw
@@ -26,3 +29,6 @@ compaction-suite-results.*
 # pgindent typedef lists
 *.list
 # Node
 **/node_modules/
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,16 +1,16 @@
 [submodule "vendor/postgres-v14"]
 	path = vendor/postgres-v14
-	url = https://github.com/neondatabase/postgres.git
+	url = ../postgres.git
 	branch = REL_14_STABLE_neon
 [submodule "vendor/postgres-v15"]
 	path = vendor/postgres-v15
-	url = https://github.com/neondatabase/postgres.git
+	url = ../postgres.git
 	branch = REL_15_STABLE_neon
 [submodule "vendor/postgres-v16"]
 	path = vendor/postgres-v16
-	url = https://github.com/neondatabase/postgres.git
+	url = ../postgres.git
 	branch = REL_16_STABLE_neon
 [submodule "vendor/postgres-v17"]
 	path = vendor/postgres-v17
-	url = https://github.com/neondatabase/postgres.git
+	url = ../postgres.git
 	branch = REL_17_STABLE_neon
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -753,6 +753,7 @@ dependencies = [
 "axum",
 "axum-core",
 "bytes",
 "form_urlencoded",
 "futures-util",
 "headers",
 "http 1.1.0",
@@ -761,6 +762,8 @@ dependencies = [
 "mime",
 "pin-project-lite",
 "serde",
 "serde_html_form",
 "serde_path_to_error",
 "tower 0.5.2",
 "tower-layer",
 "tower-service",
@@ -900,12 +903,6 @@ version = "0.13.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9e1b586273c5702936fe7b7d6896644d8be71e6314cfe09d3167c95f712589e8"
 [[package]]
 name = "base64"
 version = "0.20.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0ea22880d78093b0cbe17c89f64a7d457941e65759157ec6cb31a31d652b05e5"
 [[package]]
 name = "base64"
 version = "0.21.7"
@@ -1086,6 +1083,25 @@ version = "0.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "37b2a672a2cb129a2e41c10b1224bb368f9f37a2b16b612598138befd7b37eb5"
 [[package]]
 name = "cbindgen"
 version = "0.29.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "975982cdb7ad6a142be15bdf84aea7ec6a9e5d4d797c004d43185b24cfe4e684"
 dependencies = [
 "clap",
 "heck",
 "indexmap 2.9.0",
 "log",
 "proc-macro2",
 "quote",
 "serde",
 "serde_json",
 "syn 2.0.100",
 "tempfile",
 "toml",
 ]
 [[package]]
 name = "cc"
 version = "1.2.16"
@@ -1270,6 +1286,15 @@ dependencies = [
 "unicode-width",
 ]
 [[package]]
 name = "communicator"
 version = "0.1.0"
 dependencies = [
 "cbindgen",
 "neon-shmem",
 "workspace_hack",
 ]
 [[package]]
 name = "compute_api"
 version = "0.1.0"
@@ -1282,6 +1307,7 @@ dependencies = [
 "remote_storage",
 "serde",
 "serde_json",
 "url",
 "utils",
 ]
@@ -1297,7 +1323,7 @@ dependencies = [
 "aws-smithy-types",
 "axum",
 "axum-extra",
- "base64 0.13.1",
+ "base64 0.22.1",
 "bytes",
 "camino",
 "cfg-if",
@@ -1307,6 +1333,7 @@ dependencies = [
 "fail",
 "flate2",
 "futures",
 "hostname-validator",
 "http 1.1.0",
 "indexmap 2.9.0",
 "itertools 0.10.5",
@@ -1319,8 +1346,11 @@ dependencies = [
 "opentelemetry",
 "opentelemetry_sdk",
 "p256 0.13.2",
 "pageserver_page_api",
 "postgres",
 "postgres-types",
 "postgres_initdb",
 "postgres_versioninfo",
 "regex",
 "remote_storage",
 "reqwest",
@@ -1337,6 +1367,7 @@ dependencies = [
 "tokio-postgres",
 "tokio-stream",
 "tokio-util",
 "tonic 0.13.1",
 "tower 0.5.2",
 "tower-http",
 "tower-otel",
@@ -1423,7 +1454,7 @@ name = "control_plane"
 version = "0.1.0"
 dependencies = [
 "anyhow",
- "base64 0.13.1",
+ "base64 0.22.1",
 "camino",
 "clap",
 "comfy-table",
@@ -1445,6 +1476,7 @@ dependencies = [
 "regex",
 "reqwest",
 "safekeeper_api",
 "safekeeper_client",
 "scopeguard",
 "serde",
 "serde_json",
@@ -1840,6 +1872,7 @@ dependencies = [
 "diesel_derives",
 "itoa",
 "serde_json",
 "uuid",
 ]
 [[package]]
@@ -2054,6 +2087,7 @@ dependencies = [
 "axum-extra",
 "camino",
 "camino-tempfile",
 "clap",
 "futures",
 "http-body-util",
 "itertools 0.10.5",
@@ -2500,6 +2534,18 @@ dependencies = [
 "wasm-bindgen",
 ]
 [[package]]
 name = "getrandom"
 version = "0.3.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "26145e563e54f2cadc477553f1ec5ee650b00862f0a58bcd12cbdc5f0ea2d2f4"
 dependencies = [
 "cfg-if",
 "libc",
 "r-efi",
 "wasi 0.14.2+wasi-0.2.4",
 ]
 [[package]]
 name = "gettid"
 version = "0.1.3"
@@ -2768,6 +2814,12 @@ dependencies = [
 "windows",
 ]
 [[package]]
 name = "hostname-validator"
 version = "1.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f558a64ac9af88b5ba400d99b579451af0d39c6d360980045b91aac966d705e2"
 [[package]]
 name = "http"
 version = "0.2.9"
@@ -3451,6 +3503,16 @@ dependencies = [
 "wasm-bindgen",
 ]
 [[package]]
 name = "json"
 version = "0.1.0"
 dependencies = [
 "criterion",
 "futures",
 "itoa",
 "ryu",
 ]
 [[package]]
 name = "json-structural-diff"
 version = "0.2.0"
@@ -3558,9 +3620,9 @@ checksum = "4ee93343901ab17bd981295f2cf0026d4ad018c7c31ba84549a4ddbb47a45104"
 [[package]]
 name = "lock_api"
-version = "0.4.10"
+version = "0.4.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c1cc9717a20b1bb222f333e6a92fd32f7d8a18ddc5a3191a11af45dcbf4dcd16"
+checksum = "96936507f153605bddfcda068dd804796c84324ed2510809e5b2a624c81da765"
 dependencies = [
 "autocfg",
 "scopeguard",
@@ -3710,7 +3772,7 @@ dependencies = [
 "procfs",
 "prometheus",
 "rand 0.8.5",
- "rand_distr",
+ "rand_distr 0.4.3",
 "twox-hash",
 ]
@@ -3798,7 +3860,12 @@ checksum = "e5ce46fe64a9d73be07dcbe690a38ce1b293be448fd8ce1e6c1b8062c9f72c6a"
 name = "neon-shmem"
 version = "0.1.0"
 dependencies = [
 "libc",
 "lock_api",
 "nix 0.30.1",
 "rand 0.9.1",
 "rand_distr 0.5.1",
 "rustc-hash 2.1.1",
 "tempfile",
 "thiserror 1.0.69",
 "workspace_hack",
@@ -4236,6 +4303,8 @@ name = "pagebench"
 version = "0.1.0"
 dependencies = [
 "anyhow",
 "async-trait",
 "bytes",
 "camino",
 "clap",
 "futures",
@@ -4244,13 +4313,19 @@ dependencies = [
 "humantime-serde",
 "pageserver_api",
 "pageserver_client",
 "pageserver_client_grpc",
 "pageserver_page_api",
 "pprof",
 "rand 0.8.5",
 "reqwest",
 "serde",
 "serde_json",
 "tokio",
 "tokio-stream",
 "tokio-util",
 "tonic 0.13.1",
 "tracing",
 "url",
 "utils",
 "workspace_hack",
 ]
@@ -4269,6 +4344,7 @@ dependencies = [
 "pageserver_api",
 "postgres_ffi",
 "remote_storage",
 "serde",
 "serde_json",
 "svg_fmt",
 "thiserror 1.0.69",
@@ -4286,6 +4362,7 @@ dependencies = [
 "arc-swap",
 "async-compression",
 "async-stream",
 "base64 0.22.1",
 "bincode",
 "bit_field",
 "byteorder",
@@ -4305,6 +4382,7 @@ dependencies = [
 "hashlink",
 "hex",
 "hex-literal",
 "http 1.1.0",
 "http-utils",
 "humantime",
 "humantime-serde",
@@ -4329,6 +4407,7 @@ dependencies = [
 "postgres_backend",
 "postgres_connection",
 "postgres_ffi",
 "postgres_ffi_types",
 "postgres_initdb",
 "posthog_client_lite",
 "pprof",
@@ -4367,6 +4446,7 @@ dependencies = [
 "toml_edit",
 "tonic 0.13.1",
 "tonic-reflection",
 "tower 0.5.2",
 "tracing",
 "tracing-utils",
 "twox-hash",
@@ -4397,7 +4477,9 @@ dependencies = [
 "nix 0.30.1",
 "once_cell",
 "postgres_backend",
- "postgres_ffi",
+ "postgres_ffi_types",
 "postgres_versioninfo",
 "posthog_client_lite",
 "rand 0.8.5",
 "remote_storage",
 "reqwest",
@@ -4408,6 +4490,7 @@ dependencies = [
 "strum",
 "strum_macros",
 "thiserror 1.0.69",
 "tracing",
 "tracing-utils",
 "utils",
 ]
@@ -4421,6 +4504,7 @@ dependencies = [
 "futures",
 "http-utils",
 "pageserver_api",
 "postgres_versioninfo",
 "reqwest",
 "serde",
 "thiserror 1.0.69",
@@ -4432,6 +4516,26 @@ dependencies = [
 "workspace_hack",
 ]
 [[package]]
 name = "pageserver_client_grpc"
 version = "0.1.0"
 dependencies = [
 "anyhow",
 "arc-swap",
 "bytes",
 "compute_api",
 "futures",
 "pageserver_api",
 "pageserver_page_api",
 "tokio",
 "tokio-stream",
 "tokio-util",
 "tonic 0.13.1",
 "tracing",
 "utils",
 "workspace_hack",
 ]
 [[package]]
 name = "pageserver_compaction"
 version = "0.1.0"
@@ -4459,12 +4563,18 @@ dependencies = [
 name = "pageserver_page_api"
 version = "0.1.0"
 dependencies = [
 "anyhow",
 "bytes",
 "futures",
 "pageserver_api",
- "postgres_ffi",
+ "postgres_ffi_types",
 "prost 0.13.5",
- "smallvec",
+ "prost-types 0.13.5",
 "strum",
 "strum_macros",
 "thiserror 1.0.69",
 "tokio",
 "tokio-util",
 "tonic 0.13.1",
 "tonic-build",
 "utils",
@@ -4807,7 +4917,7 @@ dependencies = [
 name = "postgres-protocol2"
 version = "0.1.0"
 dependencies = [
- "base64 0.20.0",
+ "base64 0.22.1",
 "byteorder",
 "bytes",
 "fallible-iterator",
@@ -4884,6 +4994,8 @@ dependencies = [
 "memoffset 0.9.0",
 "once_cell",
 "postgres",
 "postgres_ffi_types",
 "postgres_versioninfo",
 "pprof",
 "regex",
 "serde",
@@ -4892,17 +5004,37 @@ dependencies = [
 "utils",
 ]
 [[package]]
 name = "postgres_ffi_types"
 version = "0.1.0"
 dependencies = [
 "thiserror 1.0.69",
 "workspace_hack",
 ]
 [[package]]
 name = "postgres_initdb"
 version = "0.1.0"
 dependencies = [
 "anyhow",
 "camino",
 "postgres_versioninfo",
 "thiserror 1.0.69",
 "tokio",
 "workspace_hack",
 ]
 [[package]]
 name = "postgres_versioninfo"
 version = "0.1.0"
 dependencies = [
 "anyhow",
 "serde",
 "serde_repr",
 "thiserror 1.0.69",
 "workspace_hack",
 ]
 [[package]]
 name = "posthog_client_lite"
 version = "0.1.0"
@@ -5115,7 +5247,7 @@ dependencies = [
 "petgraph",
 "prettyplease",
 "prost 0.13.5",
- "prost-types 0.13.3",
+ "prost-types 0.13.5",
 "regex",
 "syn 2.0.100",
 "tempfile",
@@ -5158,9 +5290,9 @@ dependencies = [
 [[package]]
 name = "prost-types"
-version = "0.13.3"
+version = "0.13.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4759aa0d3a6232fb8dbdb97b61de2c20047c68aca932c7ed76da9d788508d670"
+checksum = "52c2c1bf36ddb1a1c396b3601a3cec27c2462e45f07c386894ec3ccf5332bd16"
 dependencies = [
 "prost 0.13.5",
 ]
@@ -5177,9 +5309,10 @@ dependencies = [
 "async-trait",
 "atomic-take",
 "aws-config",
 "aws-credential-types",
 "aws-sdk-iam",
 "aws-sigv4",
- "base64 0.13.1",
+ "base64 0.22.1",
 "bstr",
 "bytes",
 "camino",
@@ -5216,6 +5349,7 @@ dependencies = [
 "itoa",
 "jose-jwa",
 "jose-jwk",
 "json",
 "lasso",
 "measured",
 "metrics",
@@ -5232,7 +5366,7 @@ dependencies = [
 "postgres_backend",
 "pq_proto",
 "rand 0.8.5",
- "rand_distr",
+ "rand_distr 0.4.3",
 "rcgen",
 "redis",
 "regex",
@@ -5243,7 +5377,7 @@ dependencies = [
 "reqwest-tracing",
 "rsa",
 "rstest",
- "rustc-hash 1.1.0",
+ "rustc-hash 2.1.1",
 "rustls 0.23.27",
 "rustls-native-certs 0.8.0",
 "rustls-pemfile 2.1.1",
@@ -5336,6 +5470,12 @@ dependencies = [
 "proc-macro2",
 ]
 [[package]]
 name = "r-efi"
 version = "5.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "69cdb34c158ceb288df11e18b4bd39de994f6657d83847bdffdbd7f346754b0f"
 [[package]]
 name = "rand"
 version = "0.7.3"
@@ -5360,6 +5500,16 @@ dependencies = [
 "rand_core 0.6.4",
 ]
 [[package]]
 name = "rand"
 version = "0.9.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9fbfd9d094a40bf3ae768db9361049ace4c0e04a4fd6b359518bd7b73a73dd97"
 dependencies = [
 "rand_chacha 0.9.0",
 "rand_core 0.9.3",
 ]
 [[package]]
 name = "rand_chacha"
 version = "0.2.2"
@@ -5380,6 +5530,16 @@ dependencies = [
 "rand_core 0.6.4",
 ]
 [[package]]
 name = "rand_chacha"
 version = "0.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d3022b5f1df60f26e1ffddd6c66e8aa15de382ae63b3a0c1bfc0e4d3e3f325cb"
 dependencies = [
 "ppv-lite86",
 "rand_core 0.9.3",
 ]
 [[package]]
 name = "rand_core"
 version = "0.5.1"
@@ -5398,6 +5558,15 @@ dependencies = [
 "getrandom 0.2.11",
 ]
 [[package]]
 name = "rand_core"
 version = "0.9.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "99d9a13982dcf210057a8a78572b2217b667c3beacbf3a0d8b454f6f82837d38"
 dependencies = [
 "getrandom 0.3.3",
 ]
 [[package]]
 name = "rand_distr"
 version = "0.4.3"
@@ -5408,6 +5577,16 @@ dependencies = [
 "rand 0.8.5",
 ]
 [[package]]
 name = "rand_distr"
 version = "0.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6a8615d50dcf34fa31f7ab52692afec947c4dd0ab803cc87cb3b0b4570ff7463"
 dependencies = [
 "num-traits",
 "rand 0.9.1",
 ]
 [[package]]
 name = "rand_hc"
 version = "0.2.0"
@@ -5596,6 +5775,8 @@ dependencies = [
 "azure_identity",
 "azure_storage",
 "azure_storage_blobs",
 "base64 0.22.1",
 "byteorder",
 "bytes",
 "camino",
 "camino-tempfile",
@@ -6087,6 +6268,7 @@ dependencies = [
 "itertools 0.10.5",
 "jsonwebtoken",
 "metrics",
 "nix 0.30.1",
 "once_cell",
 "pageserver_api",
 "parking_lot 0.12.1",
@@ -6094,6 +6276,8 @@ dependencies = [
 "postgres-protocol",
 "postgres_backend",
 "postgres_ffi",
 "postgres_ffi_types",
 "postgres_versioninfo",
 "pprof",
 "pq_proto",
 "rand 0.8.5",
@@ -6137,7 +6321,8 @@ dependencies = [
 "anyhow",
 "const_format",
 "pageserver_api",
- "postgres_ffi",
+ "postgres_ffi_types",
 "postgres_versioninfo",
 "pq_proto",
 "serde",
 "serde_json",
@@ -6414,6 +6599,19 @@ dependencies = [
 "syn 2.0.100",
 ]
 [[package]]
 name = "serde_html_form"
 version = "0.2.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9d2de91cf02bbc07cde38891769ccd5d4f073d22a40683aa4bc7a95781aaa2c4"
 dependencies = [
 "form_urlencoded",
 "indexmap 2.9.0",
 "itoa",
 "ryu",
 "serde",
 ]
 [[package]]
 name = "serde_json"
 version = "1.0.125"
@@ -6447,6 +6645,17 @@ dependencies = [
 "thiserror 1.0.69",
 ]
 [[package]]
 name = "serde_repr"
 version = "0.1.20"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "175ee3e80ae9982737ca543e96133087cbd9a485eecc3bc4de9c1a37b47ea59c"
 dependencies = [
 "proc-macro2",
 "quote",
 "syn 2.0.100",
 ]
 [[package]]
 name = "serde_spanned"
 version = "0.6.6"
@@ -6470,15 +6679,17 @@ dependencies = [
 [[package]]
 name = "serde_with"
-version = "2.3.3"
+version = "3.12.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "07ff71d2c147a7b57362cead5e22f772cd52f6ab31cfcd9edcd7f6aeb2a0afbe"
+checksum = "d6b6f7f2fcb69f747921f79f3926bd1e203fce4fef62c268dd3abfb6d86029aa"
 dependencies = [
- "base64 0.13.1",
+ "base64 0.22.1",
 "chrono",
 "hex",
 "indexmap 1.9.3",
 "indexmap 2.9.0",
 "serde",
 "serde_derive",
 "serde_json",
 "serde_with_macros",
 "time",
@@ -6486,9 +6697,9 @@ dependencies = [
 [[package]]
 name = "serde_with_macros"
-version = "2.3.3"
+version = "3.12.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "881b6f881b17d13214e5d494c939ebab463d01264ce1811e9d4ac3a882e7695f"
+checksum = "8d00caa5193a3c8362ac2b73be6b9e768aa5a4b2f721d8f4b339600c3cb51f8e"
 dependencies = [
 "darling",
 "proc-macro2",
@@ -6739,6 +6950,7 @@ dependencies = [
 "chrono",
 "clap",
 "clashmap",
 "compute_api",
 "control_plane",
 "cron",
 "diesel",
@@ -6750,6 +6962,7 @@ dependencies = [
 "hex",
 "http-utils",
 "humantime",
 "humantime-serde",
 "hyper 0.14.30",
 "itertools 0.10.5",
 "json-structural-diff",
@@ -6760,6 +6973,7 @@ dependencies = [
 "pageserver_api",
 "pageserver_client",
 "postgres_connection",
 "posthog_client_lite",
 "rand 0.8.5",
 "regex",
 "reqwest",
@@ -6783,6 +6997,7 @@ dependencies = [
 "tokio-util",
 "tracing",
 "utils",
 "uuid",
 "workspace_hack",
 ]
@@ -6846,6 +7061,7 @@ dependencies = [
 "pageserver_api",
 "pageserver_client",
 "reqwest",
 "safekeeper_api",
 "serde_json",
 "storage_controller_client",
 "tokio",
@@ -7415,6 +7631,7 @@ dependencies = [
 "futures-core",
 "pin-project-lite",
 "tokio",
 "tokio-util",
 ]
 [[package]]
@@ -7538,6 +7755,7 @@ dependencies = [
 "axum",
 "base64 0.22.1",
 "bytes",
 "flate2",
 "h2 0.4.4",
 "http 1.1.0",
 "http-body 1.0.0",
@@ -7557,6 +7775,7 @@ dependencies = [
 "tower-layer",
 "tower-service",
 "tracing",
 "zstd",
 ]
 [[package]]
@@ -7568,7 +7787,7 @@ dependencies = [
 "prettyplease",
 "proc-macro2",
 "prost-build 0.13.3",
- "prost-types 0.13.3",
+ "prost-types 0.13.5",
 "quote",
 "syn 2.0.100",
 ]
@@ -7580,7 +7799,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f9687bd5bfeafebdded2356950f278bba8226f0b32109537c4253406e09aafe1"
 dependencies = [
 "prost 0.13.5",
- "prost-types 0.13.3",
+ "prost-types 0.13.5",
 "tokio",
 "tokio-stream",
 "tonic 0.13.1",
@@ -8052,6 +8271,7 @@ dependencies = [
 "tracing-error",
 "tracing-subscriber",
 "tracing-utils",
 "uuid",
 "walkdir",
 ]
@@ -8136,6 +8356,7 @@ dependencies = [
 "futures",
 "pageserver_api",
 "postgres_ffi",
 "postgres_ffi_types",
 "pprof",
 "prost 0.13.5",
 "remote_storage",
@@ -8193,6 +8414,15 @@ version = "0.11.0+wasi-snapshot-preview1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423"
 [[package]]
 name = "wasi"
 version = "0.14.2+wasi-0.2.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9683f9a5a998d873c0d21fcbe3c083009670149a8fab228644b8bd36b2c48cb3"
 dependencies = [
 "wit-bindgen-rt",
 ]
 [[package]]
 name = "wasite"
 version = "0.1.0"
@@ -8550,6 +8780,15 @@ dependencies = [
 "windows-sys 0.48.0",
 ]
 [[package]]
 name = "wit-bindgen-rt"
 version = "0.39.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6f42320e61fe2cfd34354ecb597f86f413484a798ba44a8ca1165c58d42da6c1"
 dependencies = [
 "bitflags 2.8.0",
 ]
 [[package]]
 name = "workspace_hack"
 version = "0.1.0"
@@ -8559,7 +8798,6 @@ dependencies = [
 "anyhow",
 "axum",
 "axum-core",
 "base64 0.13.1",
 "base64 0.21.7",
 "base64ct",
 "bytes",
@@ -8581,8 +8819,10 @@ dependencies = [
 "fail",
 "form_urlencoded",
 "futures-channel",
 "futures-core",
 "futures-executor",
 "futures-io",
 "futures-sink",
 "futures-util",
 "generic-array",
 "getrandom 0.2.11",
@@ -8651,7 +8891,6 @@ dependencies = [
 "tracing-log",
 "tracing-subscriber",
 "url",
 "uuid",
 "zeroize",
 "zstd",
 "zstd-safe",
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -8,6 +8,7 @@ members = [
    "pageserver/compaction",
    "pageserver/ctl",
    "pageserver/client",
    "pageserver/client_grpc",
    "pageserver/pagebench",
    "pageserver/page_api",
    "proxy",
@@ -22,6 +23,8 @@ members = [
    "libs/http-utils",
    "libs/pageserver_api",
    "libs/postgres_ffi",
    "libs/postgres_ffi_types",
    "libs/postgres_versioninfo",
    "libs/safekeeper_api",
    "libs/desim",
    "libs/neon-shmem",
@@ -40,10 +43,12 @@ members = [
    "libs/walproposer",
    "libs/wal_decoder",
    "libs/postgres_initdb",
    "libs/proxy/json",
    "libs/proxy/postgres-protocol2",
    "libs/proxy/postgres-types2",
    "libs/proxy/tokio-postgres2",
    "endpoint_storage",
    "pgxn/neon/communicator",
 ]
 [workspace.package]
@@ -71,8 +76,8 @@ aws-credential-types = "1.2.0"
 aws-sigv4 = { version = "1.2", features = ["sign-http"] }
 aws-types = "1.3"
 axum = { version = "0.8.1", features = ["ws"] }
-axum-extra = { version = "0.10.0", features = ["typed-header"] }
+axum-extra = { version = "0.10.0", features = ["typed-header", "query"] }
-base64 = "0.13.0"
+base64 = "0.22"
 bincode = "1.3"
 bindgen = "0.71"
 bit_field = "0.10.2"
@@ -125,6 +130,7 @@ jemalloc_pprof = { version = "0.7", features = ["symbolize", "flamegraph"] }
 jsonwebtoken = "9"
 lasso = "0.7"
 libc = "0.2"
 lock_api = "0.4.13"
 md5 = "0.7.0"
 measured = { version = "0.0.22", features=["lasso"] }
 measured-process = { version = "0.0.22" }
@@ -150,6 +156,7 @@ pprof = { version = "0.14", features = ["criterion", "flamegraph", "frame-pointe
 procfs = "0.16"
 prometheus = {version = "0.13", default-features=false, features = ["process"]} # removes protobuf dependency
 prost = "0.13.5"
 prost-types = "0.13.5"
 rand = "0.8"
 redis = { version = "0.29.2", features = ["tokio-rustls-comp", "keep-alive"] }
 regex = "1.10.2"
@@ -159,7 +166,7 @@ reqwest-middleware = "0.4"
 reqwest-retry = "0.7"
 routerify = "3"
 rpds = "0.13"
-rustc-hash = "1.1.0"
+rustc-hash = "2.1.1"
 rustls = { version = "0.23.16", default-features = false }
 rustls-pemfile = "2"
 rustls-pki-types = "1.11"
@@ -171,8 +178,9 @@ sentry = { version = "0.37", default-features = false, features = ["backtrace",
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1"
 serde_path_to_error = "0.1"
-serde_with = { version = "2.0", features = [ "base64" ] }
+serde_with = { version = "3", features = [ "base64" ] }
 serde_assert = "0.5.0"
 serde_repr = "0.1.20"
 sha2 = "0.10.2"
 signal-hook = "0.3"
 smallvec = "1.11"
@@ -194,12 +202,12 @@ tokio-epoll-uring = { git = "https://github.com/neondatabase/tokio-epoll-uring.g
 tokio-io-timeout = "1.2.0"
 tokio-postgres-rustls = "0.12.0"
 tokio-rustls = { version = "0.26.0", default-features = false, features = ["tls12", "ring"]}
-tokio-stream = "0.1"
+tokio-stream = { version = "0.1", features = ["sync"] }
 tokio-tar = "0.3"
-tokio-util = { version = "0.7.10", features = ["io", "rt"] }
+tokio-util = { version = "0.7.10", features = ["io", "io-util", "rt"] }
 toml = "0.8"
 toml_edit = "0.22"
-tonic = { version = "0.13.1", default-features = false, features = ["channel", "codegen", "prost", "router", "server", "tls-ring", "tls-native-roots"] }
+tonic = { version = "0.13.1", default-features = false, features = ["channel", "codegen", "gzip", "prost", "router", "server", "tls-ring", "tls-native-roots", "zstd"] }
 tonic-reflection = { version = "0.13.1", features = ["server"] }
 tower = { version = "0.5.2", default-features = false }
 tower-http = { version = "0.6.2", features = ["auth", "request-id", "trace"] }
@@ -251,14 +259,18 @@ desim = { version = "0.1", path = "./libs/desim" }
 endpoint_storage = { version = "0.0.1", path = "./endpoint_storage/" }
 http-utils = { version = "0.1", path = "./libs/http-utils/" }
 metrics = { version = "0.1", path = "./libs/metrics/" }
 neon-shmem = { version = "0.1", path = "./libs/neon-shmem/" }
 pageserver = { path = "./pageserver" }
 pageserver_api = { version = "0.1", path = "./libs/pageserver_api/" }
 pageserver_client = { path = "./pageserver/client" }
 pageserver_client_grpc = { path = "./pageserver/client_grpc" }
 pageserver_compaction = { version = "0.1", path = "./pageserver/compaction/" }
 pageserver_page_api = { path = "./pageserver/page_api" }
 postgres_backend = { version = "0.1", path = "./libs/postgres_backend/" }
 postgres_connection = { version = "0.1", path = "./libs/postgres_connection/" }
 postgres_ffi = { version = "0.1", path = "./libs/postgres_ffi/" }
 postgres_ffi_types = { version = "0.1", path = "./libs/postgres_ffi_types/" }
 postgres_versioninfo = { version = "0.1", path = "./libs/postgres_versioninfo/" }
 postgres_initdb = { path = "./libs/postgres_initdb" }
 posthog_client_lite = { version = "0.1", path = "./libs/posthog_client_lite" }
 pq_proto = { version = "0.1", path = "./libs/pq_proto/" }
@@ -278,6 +290,7 @@ walproposer = { version = "0.1", path = "./libs/walproposer/" }
 workspace_hack = { version = "0.1", path = "./workspace_hack/" }
 ## Build dependencies
 cbindgen = "0.29.0"
 criterion = "0.5.1"
 rcgen = "0.13"
 rstest = "0.18"
--- a/76
+++ b/76
@@ -5,8 +5,6 @@
 ARG REPOSITORY=ghcr.io/neondatabase
 ARG IMAGE=build-tools
 ARG TAG=pinned
 ARG DEFAULT_PG_VERSION=17
 ARG STABLE_PG_VERSION=16
 ARG DEBIAN_VERSION=bookworm
 ARG DEBIAN_FLAVOR=${DEBIAN_VERSION}-slim
@@ -32,7 +30,18 @@ ARG BASE_IMAGE_SHA=debian:${DEBIAN_FLAVOR}
 ARG BASE_IMAGE_SHA=${BASE_IMAGE_SHA/debian:bookworm-slim/debian@$BOOKWORM_SLIM_SHA}
 ARG BASE_IMAGE_SHA=${BASE_IMAGE_SHA/debian:bullseye-slim/debian@$BULLSEYE_SLIM_SHA}
-# Build Postgres
+# Naive way:
 #
 # 1. COPY . .
 # 1. make neon-pg-ext
 # 2. cargo build <storage binaries>
 #
 # But to enable docker to cache intermediate layers, we perform a few preparatory steps:
 #
 # - Build all postgres versions, depending on just the contents of vendor/
 # - Use cargo chef to build all rust dependencies
 # 1. Build all postgres versions
 FROM $REPOSITORY/$IMAGE:$TAG AS pg-build
 WORKDIR /home/nonroot
@@ -40,17 +49,15 @@ COPY --chown=nonroot vendor/postgres-v14 vendor/postgres-v14
 COPY --chown=nonroot vendor/postgres-v15 vendor/postgres-v15
 COPY --chown=nonroot vendor/postgres-v16 vendor/postgres-v16
 COPY --chown=nonroot vendor/postgres-v17 vendor/postgres-v17
 COPY --chown=nonroot pgxn pgxn
 COPY --chown=nonroot Makefile Makefile
 COPY --chown=nonroot postgres.mk postgres.mk
 COPY --chown=nonroot scripts/ninstall.sh scripts/ninstall.sh
 ENV BUILD_TYPE=release
 RUN set -e \
-    && mold -run make -j $(nproc) -s neon-pg-ext \
+    && mold -run make -j $(nproc) -s postgres
    && rm -rf pg_install/build \
    && tar -C pg_install -czf /home/nonroot/postgres_install.tar.gz .
-# Prepare cargo-chef recipe
+# 2. Prepare cargo-chef recipe
 FROM $REPOSITORY/$IMAGE:$TAG AS plan
 WORKDIR /home/nonroot
@@ -58,26 +65,22 @@ COPY --chown=nonroot . .
 RUN cargo chef prepare --recipe-path recipe.json
-# Build neon binaries
+# Main build image
 FROM $REPOSITORY/$IMAGE:$TAG AS build
 WORKDIR /home/nonroot
 ARG GIT_VERSION=local
 ARG BUILD_TAG
 ARG STABLE_PG_VERSION
 COPY --from=pg-build /home/nonroot/pg_install/v14/include/postgresql/server pg_install/v14/include/postgresql/server
 COPY --from=pg-build /home/nonroot/pg_install/v15/include/postgresql/server pg_install/v15/include/postgresql/server
 COPY --from=pg-build /home/nonroot/pg_install/v16/include/postgresql/server pg_install/v16/include/postgresql/server
 COPY --from=pg-build /home/nonroot/pg_install/v17/include/postgresql/server pg_install/v17/include/postgresql/server
 COPY --from=pg-build /home/nonroot/pg_install/v16/lib                       pg_install/v16/lib
 COPY --from=pg-build /home/nonroot/pg_install/v17/lib                       pg_install/v17/lib
 COPY --from=plan     /home/nonroot/recipe.json                              recipe.json
 ARG ADDITIONAL_RUSTFLAGS=""
 # 3. Build cargo dependencies. Note that this step doesn't depend on anything else than
 # `recipe.json`, so the layer can be reused as long as none of the dependencies change.
 COPY --from=plan     /home/nonroot/recipe.json                              recipe.json
 RUN set -e \
    && RUSTFLAGS="-Clinker=clang -Clink-arg=-fuse-ld=mold -Clink-arg=-Wl,--no-rosegment -Cforce-frame-pointers=yes ${ADDITIONAL_RUSTFLAGS}" cargo chef cook --locked --release --recipe-path recipe.json
 # Perform the main build. We reuse the Postgres build artifacts from the intermediate 'pg-build'
 # layer, and the cargo dependencies built in the previous step.
 COPY --chown=nonroot --from=pg-build /home/nonroot/pg_install/ pg_install
 COPY --chown=nonroot . .
 RUN set -e \
@@ -92,12 +95,11 @@ RUN set -e \
      --bin endpoint_storage \
      --bin neon_local \
      --bin storage_scrubber \
-      --locked --release
+      --locked --release \
    && mold -run make -j $(nproc) -s neon-pg-ext
-# Build final image
+# Assemble the final image
 #
 FROM $BASE_IMAGE_SHA
 ARG DEFAULT_PG_VERSION
 WORKDIR /data
 RUN set -e \
@@ -107,9 +109,20 @@ RUN set -e \
        libreadline-dev \
        libseccomp-dev \
        ca-certificates \
 	# System postgres for use with client libraries (e.g. in storage controller)
        postgresql-15 \
        openssl \
        unzip \
        curl \
    && ARCH=$(uname -m) \
    && if [ "$ARCH" = "x86_64" ]; then \
        curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"; \
    elif [ "$ARCH" = "aarch64" ]; then \
        curl "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip" -o "awscliv2.zip"; \
    else \
        echo "Unsupported architecture: $ARCH" && exit 1; \
    fi \
    && unzip awscliv2.zip \
    && ./aws/install \
    && rm -rf aws awscliv2.zip \
    && rm -f /etc/apt/apt.conf.d/80-retries \
    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* \
    && useradd -d /data neon \
@@ -125,12 +138,15 @@ COPY --from=build --chown=neon:neon /home/nonroot/target/release/proxy
 COPY --from=build --chown=neon:neon /home/nonroot/target/release/endpoint_storage    /usr/local/bin
 COPY --from=build --chown=neon:neon /home/nonroot/target/release/neon_local          /usr/local/bin
 COPY --from=build --chown=neon:neon /home/nonroot/target/release/storage_scrubber    /usr/local/bin
 COPY --from=build /home/nonroot/pg_install/v14 /usr/local/v14/
 COPY --from=build /home/nonroot/pg_install/v15 /usr/local/v15/
 COPY --from=build /home/nonroot/pg_install/v16 /usr/local/v16/
 COPY --from=build /home/nonroot/pg_install/v17 /usr/local/v17/
-COPY --from=pg-build /home/nonroot/pg_install/v14 /usr/local/v14/
+# Deprecated: Old deployment scripts use this tarball which contains all the Postgres binaries.
-COPY --from=pg-build /home/nonroot/pg_install/v15 /usr/local/v15/
+# That's obsolete, since all the same files are also present under /usr/local/v*. But to keep the
-COPY --from=pg-build /home/nonroot/pg_install/v16 /usr/local/v16/
+# old scripts working for now, create the tarball.
-COPY --from=pg-build /home/nonroot/pg_install/v17 /usr/local/v17/
+RUN tar -C /usr/local -cvzf /data/postgres_install.tar.gz v14 v15 v16 v17
 COPY --from=pg-build /home/nonroot/postgres_install.tar.gz /data/
 # By default, pageserver uses `.neon/` working directory in WORKDIR, so create one and fill it with the dummy config.
 # Now, when `docker run ... pageserver` is run, it can start without errors, yet will have some default dummy values.
--- a/273
+++ b/273
@@ -1,7 +1,20 @@
 ROOT_PROJECT_DIR := $(dir $(abspath $(lastword $(MAKEFILE_LIST))))
-# Where to install Postgres, default is ./pg_install, maybe useful for package managers
+# Where to install Postgres, default is ./pg_install, maybe useful for package
-POSTGRES_INSTALL_DIR ?= $(ROOT_PROJECT_DIR)/pg_install/
+# managers.
 POSTGRES_INSTALL_DIR ?= $(ROOT_PROJECT_DIR)/pg_install
 # Supported PostgreSQL versions
 POSTGRES_VERSIONS = v17 v16 v15 v14
 # CARGO_BUILD_FLAGS: Extra flags to pass to `cargo build`. `--locked`
 # and `--features testing` are popular examples.
 #
 # CARGO_PROFILE: Set to override the cargo profile to use. By default,
 # it is derived from BUILD_TYPE.
 # All intermediate build artifacts are stored here.
 BUILD_DIR := $(ROOT_PROJECT_DIR)/build
 ICU_PREFIX_DIR := /usr/local/icu
@@ -16,12 +29,19 @@ ifeq ($(BUILD_TYPE),release)
 	PG_CONFIGURE_OPTS = --enable-debug --with-openssl
 	PG_CFLAGS += -O2 -g3 $(CFLAGS)
 	PG_LDFLAGS = $(LDFLAGS)
-	# Unfortunately, `--profile=...` is a nightly feature
+	CARGO_PROFILE ?= --profile=release
-	CARGO_BUILD_FLAGS += --release
+	# NEON_CARGO_ARTIFACT_TARGET_DIR is the directory where `cargo build` places
 	# the final build artifacts. There is unfortunately no easy way of changing
 	# it to a fully predictable path, nor to extract the path with a simple
 	# command. See https://github.com/rust-lang/cargo/issues/9661 and
 	# https://github.com/rust-lang/cargo/issues/6790.
 	NEON_CARGO_ARTIFACT_TARGET_DIR = $(ROOT_PROJECT_DIR)/target/release
 else ifeq ($(BUILD_TYPE),debug)
 	PG_CONFIGURE_OPTS = --enable-debug --with-openssl --enable-cassert --enable-depend
 	PG_CFLAGS += -O0 -g3 $(CFLAGS)
 	PG_LDFLAGS = $(LDFLAGS)
 	CARGO_PROFILE ?= --profile=dev
 	NEON_CARGO_ARTIFACT_TARGET_DIR = $(ROOT_PROJECT_DIR)/target/debug
 else
 	$(error Bad build type '$(BUILD_TYPE)', see Makefile for options)
 endif
@@ -85,141 +105,32 @@ CACHEDIR_TAG_CONTENTS := "Signature: 8a477f597d28d172789f06886806bc55"
 # Top level Makefile to build Neon and PostgreSQL
 #
 .PHONY: all
-all: neon postgres neon-pg-ext
+all: neon postgres-install neon-pg-ext
 ### Neon Rust bits
 #
-# The 'postgres_ffi' depends on the Postgres headers.
+# The 'postgres_ffi' crate depends on the Postgres headers.
 .PHONY: neon
-neon: postgres-headers walproposer-lib cargo-target-dir
+neon: postgres-headers-install walproposer-lib cargo-target-dir
 	+@echo "Compiling Neon"
-	$(CARGO_CMD_PREFIX) cargo build $(CARGO_BUILD_FLAGS)
+	$(CARGO_CMD_PREFIX) cargo build $(CARGO_BUILD_FLAGS) $(CARGO_PROFILE)
 .PHONY: cargo-target-dir
 cargo-target-dir:
 	# https://github.com/rust-lang/cargo/issues/14281
 	mkdir -p target
 	test -e target/CACHEDIR.TAG || echo "$(CACHEDIR_TAG_CONTENTS)" > target/CACHEDIR.TAG
 ### PostgreSQL parts
 # Some rules are duplicated for Postgres v14 and 15. We may want to refactor
 # to avoid the duplication in the future, but it's tolerable for now.
 #
 $(POSTGRES_INSTALL_DIR)/build/%/config.status:
 	mkdir -p $(POSTGRES_INSTALL_DIR)
 	test -e $(POSTGRES_INSTALL_DIR)/CACHEDIR.TAG || echo "$(CACHEDIR_TAG_CONTENTS)" > $(POSTGRES_INSTALL_DIR)/CACHEDIR.TAG
 	+@echo "Configuring Postgres $* build"
 	@test -s $(ROOT_PROJECT_DIR)/vendor/postgres-$*/configure || { \
 		echo "\nPostgres submodule not found in $(ROOT_PROJECT_DIR)/vendor/postgres-$*/, execute "; \
 		echo "'git submodule update --init --recursive --depth 2 --progress .' in project root.\n"; \
 		exit 1; }
 	mkdir -p $(POSTGRES_INSTALL_DIR)/build/$*
 	VERSION=$*; \
 	EXTRA_VERSION=$$(cd $(ROOT_PROJECT_DIR)/vendor/postgres-$$VERSION && git rev-parse HEAD); \
 	(cd $(POSTGRES_INSTALL_DIR)/build/$$VERSION && \
 	env PATH="$(EXTRA_PATH_OVERRIDES):$$PATH" $(ROOT_PROJECT_DIR)/vendor/postgres-$$VERSION/configure \
 		CFLAGS='$(PG_CFLAGS)' LDFLAGS='$(PG_LDFLAGS)' \
 		$(PG_CONFIGURE_OPTS) --with-extra-version=" ($$EXTRA_VERSION)" \
 		--prefix=$(abspath $(POSTGRES_INSTALL_DIR))/$$VERSION > configure.log)
 # nicer alias to run 'configure'
 # Note: I've been unable to use templates for this part of our configuration.
 # I'm not sure why it wouldn't work, but this is the only place (apart from
 # the "build-all-versions" entry points) where direct mention of PostgreSQL
 # versions is used.
 .PHONY: postgres-configure-v17
 postgres-configure-v17: $(POSTGRES_INSTALL_DIR)/build/v17/config.status
 .PHONY: postgres-configure-v16
 postgres-configure-v16: $(POSTGRES_INSTALL_DIR)/build/v16/config.status
 .PHONY: postgres-configure-v15
 postgres-configure-v15: $(POSTGRES_INSTALL_DIR)/build/v15/config.status
 .PHONY: postgres-configure-v14
 postgres-configure-v14: $(POSTGRES_INSTALL_DIR)/build/v14/config.status
 # Install the PostgreSQL header files into $(POSTGRES_INSTALL_DIR)/<version>/include
 .PHONY: postgres-headers-%
 postgres-headers-%: postgres-configure-%
 	+@echo "Installing PostgreSQL $* headers"
 	$(MAKE) -C $(POSTGRES_INSTALL_DIR)/build/$*/src/include MAKELEVEL=0 install
 # Compile and install PostgreSQL
 .PHONY: postgres-%
 postgres-%: postgres-configure-% \
 		  postgres-headers-% # to prevent `make install` conflicts with neon's `postgres-headers`
 	+@echo "Compiling PostgreSQL $*"
 	$(MAKE) -C $(POSTGRES_INSTALL_DIR)/build/$* MAKELEVEL=0 install
 	+@echo "Compiling libpq $*"
 	$(MAKE) -C $(POSTGRES_INSTALL_DIR)/build/$*/src/interfaces/libpq install
 	+@echo "Compiling pg_prewarm $*"
 	$(MAKE) -C $(POSTGRES_INSTALL_DIR)/build/$*/contrib/pg_prewarm install
 	+@echo "Compiling pg_buffercache $*"
 	$(MAKE) -C $(POSTGRES_INSTALL_DIR)/build/$*/contrib/pg_buffercache install
 	+@echo "Compiling pg_visibility $*"
 	$(MAKE) -C $(POSTGRES_INSTALL_DIR)/build/$*/contrib/pg_visibility install
 	+@echo "Compiling pageinspect $*"
 	$(MAKE) -C $(POSTGRES_INSTALL_DIR)/build/$*/contrib/pageinspect install
 	+@echo "Compiling pg_trgm $*"
 	$(MAKE) -C $(POSTGRES_INSTALL_DIR)/build/$*/contrib/pg_trgm install
 	+@echo "Compiling amcheck $*"
 	$(MAKE) -C $(POSTGRES_INSTALL_DIR)/build/$*/contrib/amcheck install
 	+@echo "Compiling test_decoding $*"
 	$(MAKE) -C $(POSTGRES_INSTALL_DIR)/build/$*/contrib/test_decoding install
 .PHONY: postgres-clean-%
 postgres-clean-%:
 	$(MAKE) -C $(POSTGRES_INSTALL_DIR)/build/$* MAKELEVEL=0 clean
 	$(MAKE) -C $(POSTGRES_INSTALL_DIR)/build/$*/contrib/pg_buffercache clean
 	$(MAKE) -C $(POSTGRES_INSTALL_DIR)/build/$*/contrib/pageinspect clean
 	$(MAKE) -C $(POSTGRES_INSTALL_DIR)/build/$*/src/interfaces/libpq clean
 .PHONY: postgres-check-%
 postgres-check-%: postgres-%
 	$(MAKE) -C $(POSTGRES_INSTALL_DIR)/build/$* MAKELEVEL=0 check
 .PHONY: neon-pg-ext-%
-neon-pg-ext-%: postgres-%
+neon-pg-ext-%: postgres-install-% cargo-target-dir
-	+@echo "Compiling neon $*"
+	+@echo "Compiling neon-specific Postgres extensions for $*"
-	mkdir -p $(POSTGRES_INSTALL_DIR)/build/neon-$*
+	mkdir -p $(BUILD_DIR)/pgxn-$*
-	$(MAKE) PG_CONFIG=$(POSTGRES_INSTALL_DIR)/$*/bin/pg_config COPT='$(COPT)' \
+	$(MAKE) PG_CONFIG="$(POSTGRES_INSTALL_DIR)/$*/bin/pg_config" COPT='$(COPT)' \
-		-C $(POSTGRES_INSTALL_DIR)/build/neon-$* \
+		NEON_CARGO_ARTIFACT_TARGET_DIR="$(NEON_CARGO_ARTIFACT_TARGET_DIR)" \
-		-f $(ROOT_PROJECT_DIR)/pgxn/neon/Makefile install
+		CARGO_BUILD_FLAGS="$(CARGO_BUILD_FLAGS)" \
-	+@echo "Compiling neon_walredo $*"
+		CARGO_PROFILE="$(CARGO_PROFILE)" \
-	mkdir -p $(POSTGRES_INSTALL_DIR)/build/neon-walredo-$*
+		-C $(BUILD_DIR)/pgxn-$*\
-	$(MAKE) PG_CONFIG=$(POSTGRES_INSTALL_DIR)/$*/bin/pg_config COPT='$(COPT)' \
+		-f $(ROOT_PROJECT_DIR)/pgxn/Makefile  install
 		-C $(POSTGRES_INSTALL_DIR)/build/neon-walredo-$* \
 		-f $(ROOT_PROJECT_DIR)/pgxn/neon_walredo/Makefile install
 	+@echo "Compiling neon_rmgr $*"
 	mkdir -p $(POSTGRES_INSTALL_DIR)/build/neon-rmgr-$*
 	$(MAKE) PG_CONFIG=$(POSTGRES_INSTALL_DIR)/$*/bin/pg_config COPT='$(COPT)' \
 		-C $(POSTGRES_INSTALL_DIR)/build/neon-rmgr-$* \
 		-f $(ROOT_PROJECT_DIR)/pgxn/neon_rmgr/Makefile install
 	+@echo "Compiling neon_test_utils $*"
 	mkdir -p $(POSTGRES_INSTALL_DIR)/build/neon-test-utils-$*
 	$(MAKE) PG_CONFIG=$(POSTGRES_INSTALL_DIR)/$*/bin/pg_config COPT='$(COPT)' \
 		-C $(POSTGRES_INSTALL_DIR)/build/neon-test-utils-$* \
 		-f $(ROOT_PROJECT_DIR)/pgxn/neon_test_utils/Makefile install
 	+@echo "Compiling neon_utils $*"
 	mkdir -p $(POSTGRES_INSTALL_DIR)/build/neon-utils-$*
 	$(MAKE) PG_CONFIG=$(POSTGRES_INSTALL_DIR)/$*/bin/pg_config COPT='$(COPT)' \
 		-C $(POSTGRES_INSTALL_DIR)/build/neon-utils-$* \
 		-f $(ROOT_PROJECT_DIR)/pgxn/neon_utils/Makefile install
 .PHONY: neon-pg-clean-ext-%
 neon-pg-clean-ext-%:
 	$(MAKE) PG_CONFIG=$(POSTGRES_INSTALL_DIR)/$*/bin/pg_config \
 	-C $(POSTGRES_INSTALL_DIR)/build/neon-$* \
 	-f $(ROOT_PROJECT_DIR)/pgxn/neon/Makefile clean
 	$(MAKE) PG_CONFIG=$(POSTGRES_INSTALL_DIR)/$*/bin/pg_config \
 	-C $(POSTGRES_INSTALL_DIR)/build/neon-walredo-$* \
 	-f $(ROOT_PROJECT_DIR)/pgxn/neon_walredo/Makefile clean
 	$(MAKE) PG_CONFIG=$(POSTGRES_INSTALL_DIR)/$*/bin/pg_config \
 	-C $(POSTGRES_INSTALL_DIR)/build/neon-test-utils-$* \
 	-f $(ROOT_PROJECT_DIR)/pgxn/neon_test_utils/Makefile clean
 	$(MAKE) PG_CONFIG=$(POSTGRES_INSTALL_DIR)/$*/bin/pg_config \
 	-C $(POSTGRES_INSTALL_DIR)/build/neon-utils-$* \
 	-f $(ROOT_PROJECT_DIR)/pgxn/neon_utils/Makefile clean
 # Build walproposer as a static library. walproposer source code is located
 # in the pgxn/neon directory.
@@ -233,15 +144,15 @@ neon-pg-clean-ext-%:
 .PHONY: walproposer-lib
 walproposer-lib: neon-pg-ext-v17
 	+@echo "Compiling walproposer-lib"
-	mkdir -p $(POSTGRES_INSTALL_DIR)/build/walproposer-lib
+	mkdir -p $(BUILD_DIR)/walproposer-lib
 	$(MAKE) PG_CONFIG=$(POSTGRES_INSTALL_DIR)/v17/bin/pg_config COPT='$(COPT)' \
-		-C $(POSTGRES_INSTALL_DIR)/build/walproposer-lib \
+		-C $(BUILD_DIR)/walproposer-lib \
 		-f $(ROOT_PROJECT_DIR)/pgxn/neon/Makefile walproposer-lib
-	cp $(POSTGRES_INSTALL_DIR)/v17/lib/libpgport.a $(POSTGRES_INSTALL_DIR)/build/walproposer-lib
+	cp $(POSTGRES_INSTALL_DIR)/v17/lib/libpgport.a $(BUILD_DIR)/walproposer-lib
-	cp $(POSTGRES_INSTALL_DIR)/v17/lib/libpgcommon.a $(POSTGRES_INSTALL_DIR)/build/walproposer-lib
+	cp $(POSTGRES_INSTALL_DIR)/v17/lib/libpgcommon.a $(BUILD_DIR)/walproposer-lib
-	$(AR) d $(POSTGRES_INSTALL_DIR)/build/walproposer-lib/libpgport.a \
+	$(AR) d $(BUILD_DIR)/walproposer-lib/libpgport.a \
 		pg_strong_random.o
-	$(AR) d $(POSTGRES_INSTALL_DIR)/build/walproposer-lib/libpgcommon.a \
+	$(AR) d $(BUILD_DIR)/walproposer-lib/libpgcommon.a \
 		checksum_helper.o \
 		cryptohash_openssl.o \
 		hmac_openssl.o \
@@ -249,69 +160,18 @@ walproposer-lib: neon-pg-ext-v17
 		parse_manifest.o \
 		scram-common.o
 ifeq ($(UNAME_S),Linux)
-	$(AR) d $(POSTGRES_INSTALL_DIR)/build/walproposer-lib/libpgcommon.a \
+	$(AR) d $(BUILD_DIR)/walproposer-lib/libpgcommon.a \
 		pg_crc32c.o
 endif
-.PHONY: walproposer-lib-clean
+# Shorthand to call neon-pg-ext-% target for all Postgres versions
 walproposer-lib-clean:
 	$(MAKE) PG_CONFIG=$(POSTGRES_INSTALL_DIR)/v17/bin/pg_config \
 		-C $(POSTGRES_INSTALL_DIR)/build/walproposer-lib \
 		-f $(ROOT_PROJECT_DIR)/pgxn/neon/Makefile clean
 .PHONY: neon-pg-ext
-neon-pg-ext: \
+neon-pg-ext: $(foreach pg_version,$(POSTGRES_VERSIONS),neon-pg-ext-$(pg_version))
 	neon-pg-ext-v14 \
 	neon-pg-ext-v15 \
 	neon-pg-ext-v16 \
 	neon-pg-ext-v17
 .PHONY: neon-pg-clean-ext
 neon-pg-clean-ext: \
 	neon-pg-clean-ext-v14 \
 	neon-pg-clean-ext-v15 \
 	neon-pg-clean-ext-v16 \
 	neon-pg-clean-ext-v17
 # shorthand to build all Postgres versions
 .PHONY: postgres
 postgres: \
 	postgres-v14 \
 	postgres-v15 \
 	postgres-v16 \
 	postgres-v17
 .PHONY: postgres-headers
 postgres-headers: \
 	postgres-headers-v14 \
 	postgres-headers-v15 \
 	postgres-headers-v16 \
 	postgres-headers-v17
 .PHONY: postgres-clean
 postgres-clean: \
 	postgres-clean-v14 \
 	postgres-clean-v15 \
 	postgres-clean-v16 \
 	postgres-clean-v17
 .PHONY: postgres-check
 postgres-check: \
 	postgres-check-v14 \
 	postgres-check-v15 \
 	postgres-check-v16 \
 	postgres-check-v17
 # This doesn't remove the effects of 'configure'.
 .PHONY: clean
 clean: postgres-clean neon-pg-clean-ext
 	$(MAKE) -C compute clean
 	$(CARGO_CMD_PREFIX) cargo clean
 # This removes everything
 .PHONY: distclean
 distclean:
-	$(RM) -r $(POSTGRES_INSTALL_DIR)
+	$(RM) -r $(POSTGRES_INSTALL_DIR) $(BUILD_DIR)
 	$(CARGO_CMD_PREFIX) cargo clean
 .PHONY: fmt
@@ -320,7 +180,7 @@ fmt:
 postgres-%-pg-bsd-indent: postgres-%
 	+@echo "Compiling pg_bsd_indent"
-	$(MAKE) -C $(POSTGRES_INSTALL_DIR)/build/$*/src/tools/pg_bsd_indent/
+	$(MAKE) -C $(BUILD_DIR)/$*/src/tools/pg_bsd_indent/
 # Create typedef list for the core. Note that generally it should be combined with
 # buildfarm one to cover platform specific stuff.
@@ -339,7 +199,7 @@ postgres-%-pgindent: postgres-%-pg-bsd-indent postgres-%-typedefs.list
 	cat $(ROOT_PROJECT_DIR)/vendor/postgres-$*/src/tools/pgindent/typedefs.list |\
 		cat - postgres-$*-typedefs.list | sort | uniq > postgres-$*-typedefs-full.list
 	+@echo note: you might want to run it on selected files/dirs instead.
-	INDENT=$(POSTGRES_INSTALL_DIR)/build/$*/src/tools/pg_bsd_indent/pg_bsd_indent \
+	INDENT=$(BUILD_DIR)/$*/src/tools/pg_bsd_indent/pg_bsd_indent \
 		$(ROOT_PROJECT_DIR)/vendor/postgres-$*/src/tools/pgindent/pgindent --typedefs postgres-$*-typedefs-full.list \
 		$(ROOT_PROJECT_DIR)/vendor/postgres-$*/src/ \
 		--excludes $(ROOT_PROJECT_DIR)/vendor/postgres-$*/src/tools/pgindent/exclude_file_patterns
@@ -350,12 +210,41 @@ postgres-%-pgindent: postgres-%-pg-bsd-indent postgres-%-typedefs.list
 neon-pgindent: postgres-v17-pg-bsd-indent neon-pg-ext-v17
 	$(MAKE) PG_CONFIG=$(POSTGRES_INSTALL_DIR)/v17/bin/pg_config COPT='$(COPT)' \
 		FIND_TYPEDEF=$(ROOT_PROJECT_DIR)/vendor/postgres-v17/src/tools/find_typedef \
-		INDENT=$(POSTGRES_INSTALL_DIR)/build/v17/src/tools/pg_bsd_indent/pg_bsd_indent \
+		INDENT=$(BUILD_DIR)/v17/src/tools/pg_bsd_indent/pg_bsd_indent \
 		PGINDENT_SCRIPT=$(ROOT_PROJECT_DIR)/vendor/postgres-v17/src/tools/pgindent/pgindent \
-		-C $(POSTGRES_INSTALL_DIR)/build/neon-v17 \
+		-C $(BUILD_DIR)/pgxn-v17/neon \
 		-f $(ROOT_PROJECT_DIR)/pgxn/neon/Makefile pgindent
 .PHONY: setup-pre-commit-hook
 setup-pre-commit-hook:
 	ln -s -f $(ROOT_PROJECT_DIR)/pre-commit.py .git/hooks/pre-commit
 build-tools/node_modules: build-tools/package.json
 	cd build-tools && $(if $(CI),npm ci,npm install)
 	touch build-tools/node_modules
 .PHONY: lint-openapi-spec
 lint-openapi-spec: build-tools/node_modules
 	# operation-2xx-response: pageserver timeline delete returns 404 on success
 	find . -iname "openapi_spec.y*ml" -exec\
 		npx --prefix=build-tools/ redocly\
 			--skip-rule=operation-operationId --skip-rule=operation-summary --extends=minimal\
 			--skip-rule=no-server-example.com --skip-rule=operation-2xx-response\
 			lint {} \+
 # Targets for building PostgreSQL are defined in postgres.mk.
 #
 # But if the caller has indicated that PostgreSQL is already
 # installed, by setting the PG_INSTALL_CACHED variable, skip it.
 ifdef PG_INSTALL_CACHED
 postgres-install: skip-install
 $(foreach pg_version,$(POSTGRES_VERSIONS),postgres-install-$(pg_version)): skip-install
 postgres-headers-install:
 	+@echo "Skipping installation of PostgreSQL headers because PG_INSTALL_CACHED is set"
 skip-install:
 	+@echo "Skipping PostgreSQL installation because PG_INSTALL_CACHED is set"
 else
 include postgres.mk
 endif
--- a/build-tools/Dockerfile
+++ b/build-tools/Dockerfile
@@ -35,7 +35,7 @@ RUN echo 'Acquire::Retries "5";' > /etc/apt/apt.conf.d/80-retries && \
    echo -e "retry_connrefused=on\ntimeout=15\ntries=5\nretry-on-host-error=on\n" > /root/.wgetrc && \
    echo -e "--retry-connrefused\n--connect-timeout 15\n--retry 5\n--max-time 300\n" > /root/.curlrc
-COPY build_tools/patches/pgcopydbv017.patch /pgcopydbv017.patch
+COPY build-tools/patches/pgcopydbv017.patch /pgcopydbv017.patch
 RUN if [ "${DEBIAN_VERSION}" = "bookworm" ]; then \
        set -e && \
@@ -165,6 +165,7 @@ RUN curl -fsSL \
    && rm sql_exporter.tar.gz
 # protobuf-compiler (protoc)
 # Keep the version the same as in compute/compute-node.Dockerfile
 ENV PROTOC_VERSION=25.1
 RUN curl -fsSL "https://github.com/protocolbuffers/protobuf/releases/download/v${PROTOC_VERSION}/protoc-${PROTOC_VERSION}-linux-$(uname -m | sed 's/aarch64/aarch_64/g').zip" -o "protoc.zip" \
    && unzip -q protoc.zip -d protoc \
@@ -179,7 +180,7 @@ RUN curl -sL "https://github.com/peak/s5cmd/releases/download/v${S5CMD_VERSION}/
    && mv s5cmd /usr/local/bin/s5cmd
 # LLVM
-ENV LLVM_VERSION=19
+ENV LLVM_VERSION=20
 RUN curl -fsSL 'https://apt.llvm.org/llvm-snapshot.gpg.key' | apt-key add - \
    && echo "deb http://apt.llvm.org/${DEBIAN_VERSION}/ llvm-toolchain-${DEBIAN_VERSION}-${LLVM_VERSION} main" > /etc/apt/sources.list.d/llvm.stable.list \
    && apt update \
@@ -187,6 +188,12 @@ RUN curl -fsSL 'https://apt.llvm.org/llvm-snapshot.gpg.key' | apt-key add - \
    && bash -c 'for f in /usr/bin/clang*-${LLVM_VERSION} /usr/bin/llvm*-${LLVM_VERSION}; do ln -s "${f}" "${f%-${LLVM_VERSION}}"; done' \
    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 # Install node
 ENV NODE_VERSION=24
 RUN curl -fsSL https://deb.nodesource.com/setup_${NODE_VERSION}.x | bash - \
    && apt install -y nodejs \
    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 # Install docker
 RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg \
    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian ${DEBIAN_VERSION} stable" > /etc/apt/sources.list.d/docker.list \
@@ -292,7 +299,7 @@ WORKDIR /home/nonroot
 # Rust
 # Please keep the version of llvm (installed above) in sync with rust llvm (`rustc --version --verbose | grep LLVM`)
-ENV RUSTC_VERSION=1.87.0
+ENV RUSTC_VERSION=1.88.0
 ENV RUSTUP_HOME="/home/nonroot/.rustup"
 ENV PATH="/home/nonroot/.cargo/bin:${PATH}"
 ARG RUSTFILT_VERSION=0.2.1
@@ -310,14 +317,14 @@ RUN curl -sSO https://static.rust-lang.org/rustup/dist/$(uname -m)-unknown-linux
    . "$HOME/.cargo/env" && \
    cargo --version && rustup --version && \
    rustup component add llvm-tools rustfmt clippy && \
-    cargo install rustfilt            --version ${RUSTFILT_VERSION} --locked && \
+    cargo install rustfilt      --locked --version ${RUSTFILT_VERSION} && \
-    cargo install cargo-hakari        --version ${CARGO_HAKARI_VERSION} --locked && \
+    cargo install cargo-hakari  --locked --version ${CARGO_HAKARI_VERSION} && \
-    cargo install cargo-deny          --version ${CARGO_DENY_VERSION} --locked && \
+    cargo install cargo-deny    --locked --version ${CARGO_DENY_VERSION} && \
-    cargo install cargo-hack          --version ${CARGO_HACK_VERSION} --locked && \
+    cargo install cargo-hack    --locked --version ${CARGO_HACK_VERSION} && \
-    cargo install cargo-nextest       --version ${CARGO_NEXTEST_VERSION} --locked && \
+    cargo install cargo-nextest --locked --version ${CARGO_NEXTEST_VERSION} && \
-    cargo install cargo-chef          --version ${CARGO_CHEF_VERSION} --locked && \
+    cargo install cargo-chef    --locked --version ${CARGO_CHEF_VERSION} && \
-    cargo install diesel_cli          --version ${CARGO_DIESEL_CLI_VERSION} --locked \
+    cargo install diesel_cli    --locked --version ${CARGO_DIESEL_CLI_VERSION} \
-                                      --features postgres-bundled --no-default-features && \
+                                --features postgres-bundled --no-default-features && \
    rm -rf /home/nonroot/.cargo/registry && \
    rm -rf /home/nonroot/.cargo/git
--- a/build-tools/package-lock.json
+++ b/build-tools/package-lock.json
--- a/build-tools/package.json
+++ b/build-tools/package.json
@@ -0,0 +1,8 @@
 {
  "name": "build-tools",
  "private": true,
  "devDependencies": {
    "@redocly/cli": "1.34.4",
    "@sourcemeta/jsonschema": "10.0.0"
  }
 }
--- a/build-tools/patches/pgcopydbv017.patch
+++ b/build-tools/patches/pgcopydbv017.patch
--- a/clippy.toml
+++ b/clippy.toml
@@ -1,9 +1,12 @@
 disallowed-methods = [
    "tokio::task::block_in_place",
    # Allow this for now, to deny it later once we stop using Handle::block_on completely
    # "tokio::runtime::Handle::block_on",
-    # use tokio_epoll_uring_ext instead
+
-    "tokio_epoll_uring::thread_local_system",
+    # tokio-epoll-uring:
    # - allow-invalid because the method doesn't exist on macOS
    { path = "tokio_epoll_uring::thread_local_system", replacement = "tokio_epoll_uring_ext module inside pageserver crate", allow-invalid = true }
 ]
 disallowed-macros = [
--- a/compute/.gitignore
+++ b/compute/.gitignore
@@ -3,3 +3,6 @@ etc/neon_collector.yml
 etc/neon_collector_autoscaling.yml
 etc/sql_exporter.yml
 etc/sql_exporter_autoscaling.yml
 # Node.js dependencies
 node_modules/
--- a/compute/Makefile
+++ b/compute/Makefile
@@ -22,7 +22,7 @@ sql_exporter.yml: $(jsonnet_files)
 		--output-file etc/$@ \
 		--tla-str collector_name=neon_collector \
 		--tla-str collector_file=neon_collector.yml \
-		--tla-str 'connection_string=postgresql://cloud_admin@127.0.0.1:5432/postgres?sslmode=disable&application_name=sql_exporter' \
+		--tla-str 'connection_string=postgresql://cloud_admin@127.0.0.1:5432/postgres?sslmode=disable&application_name=sql_exporter&pgaudit.log=none' \
 		etc/sql_exporter.jsonnet
 sql_exporter_autoscaling.yml: $(jsonnet_files)
@@ -30,7 +30,7 @@ sql_exporter_autoscaling.yml: $(jsonnet_files)
 		--output-file etc/$@ \
 		--tla-str collector_name=neon_collector_autoscaling \
 		--tla-str collector_file=neon_collector_autoscaling.yml \
-		--tla-str 'connection_string=postgresql://cloud_admin@127.0.0.1:5432/postgres?sslmode=disable&application_name=sql_exporter_autoscaling' \
+		--tla-str 'connection_string=postgresql://cloud_admin@127.0.0.1:5432/postgres?sslmode=disable&application_name=sql_exporter_autoscaling&pgaudit.log=none' \
 		etc/sql_exporter.jsonnet
 .PHONY: clean
@@ -48,3 +48,11 @@ jsonnetfmt-test:
 .PHONY: jsonnetfmt-format
 jsonnetfmt-format:
 	jsonnetfmt --in-place $(jsonnet_files)
 .PHONY: manifest-schema-validation
 manifest-schema-validation: ../build-tools/node_modules
 	npx --prefix=../build-tools/ jsonschema validate -d https://json-schema.org/draft/2020-12/schema manifest.schema.json manifest.yaml
 ../build-tools/node_modules: ../build-tools/package.json
 	cd ../build-tools && $(if $(CI),npm ci,npm install)
 	touch ../build-tools/node_modules
--- a/compute/compute-node.Dockerfile
+++ b/compute/compute-node.Dockerfile
@@ -9,7 +9,7 @@
 #
 # build-tools:   This contains Rust compiler toolchain and other tools needed at compile
 #                time. This is also used for the storage builds. This image is defined in
-#                build-tools.Dockerfile.
+#                build-tools/Dockerfile.
 #
 # build-deps:    Contains C compiler, other build tools, and compile-time dependencies
 #                needed to compile PostgreSQL and most extensions. (Some extensions need
@@ -77,9 +77,6 @@
 # build_and_test.yml github workflow for how that's done.
 ARG PG_VERSION
 ARG REPOSITORY=ghcr.io/neondatabase
 ARG IMAGE=build-tools
 ARG TAG=pinned
 ARG BUILD_TAG
 ARG DEBIAN_VERSION=bookworm
 ARG DEBIAN_FLAVOR=${DEBIAN_VERSION}-slim
@@ -118,6 +115,9 @@ ARG EXTENSIONS=all
 FROM $BASE_IMAGE_SHA AS build-deps
 ARG DEBIAN_VERSION
 # Keep in sync with build-tools/Dockerfile
 ENV PROTOC_VERSION=25.1
 # Use strict mode for bash to catch errors early
 SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
@@ -149,8 +149,17 @@ RUN case $DEBIAN_VERSION in \
    ninja-build git autoconf automake libtool build-essential bison flex libreadline-dev \
    zlib1g-dev libxml2-dev libcurl4-openssl-dev libossp-uuid-dev wget ca-certificates pkg-config libssl-dev \
    libicu-dev libxslt1-dev liblz4-dev libzstd-dev zstd curl unzip g++ \
    libclang-dev \
    jsonnet \
    $VERSION_INSTALLS \
-    && apt clean && rm -rf /var/lib/apt/lists/*
+    && apt clean && rm -rf /var/lib/apt/lists/* \
    && useradd -ms /bin/bash nonroot -b /home \
    # Install protoc from binary release, since Debian's versions are too old.
    && curl -fsSL "https://github.com/protocolbuffers/protobuf/releases/download/v${PROTOC_VERSION}/protoc-${PROTOC_VERSION}-linux-$(uname -m | sed 's/aarch64/aarch_64/g').zip" -o "protoc.zip" \
    && unzip -q protoc.zip -d protoc \
    && mv protoc/bin/protoc /usr/local/bin/protoc \
    && mv protoc/include/google /usr/local/include/google \
    && rm -rf protoc.zip protoc
 #########################################################################################
 #
@@ -161,7 +170,29 @@ RUN case $DEBIAN_VERSION in \
 FROM build-deps AS pg-build
 ARG PG_VERSION
 COPY vendor/postgres-${PG_VERSION:?} postgres
 COPY compute/patches/postgres_fdw.patch .
 COPY compute/patches/pg_stat_statements_pg14-16.patch .
 COPY compute/patches/pg_stat_statements_pg17.patch .
 RUN cd postgres && \
    # Apply patches to some contrib extensions
    # For example, we need to grant EXECUTE on pg_stat_statements_reset() to {privileged_role_name}.
    # In vanilla Postgres this function is limited to Postgres role superuser.
    # In Neon we have {privileged_role_name} role that is not a superuser but replaces superuser in some cases.
    # We could add the additional grant statements to the Postgres repository but it would be hard to maintain,
    # whenever we need to pick up a new Postgres version and we want to limit the changes in our Postgres fork,
    # so we do it here.
    case "${PG_VERSION}" in \
    "v14" | "v15" | "v16") \
    patch -p1 < /pg_stat_statements_pg14-16.patch; \
    ;; \
    "v17") \
    patch -p1 < /pg_stat_statements_pg17.patch; \
    ;; \
    *) \
    # To do not forget to migrate patches to the next major version
    echo "No contrib patches for this PostgreSQL version" && exit 1;; \
    esac && \
    patch -p1 < /postgres_fdw.patch && \
    export CONFIGURE_CMD="./configure CFLAGS='-O2 -g3 -fsigned-char' --enable-debug --with-openssl --with-uuid=ossp \
    --with-icu --with-libxml --with-libxslt --with-lz4" && \
    if [ "${PG_VERSION:?}" != "v14" ]; then \
@@ -171,15 +202,10 @@ RUN cd postgres && \
    eval $CONFIGURE_CMD && \
    make MAKELEVEL=0 -j $(getconf _NPROCESSORS_ONLN) -s install && \
    make MAKELEVEL=0 -j $(getconf _NPROCESSORS_ONLN) -s -C contrib/ install && \
    # Install headers
    make MAKELEVEL=0 -j $(getconf _NPROCESSORS_ONLN) -s -C src/include install && \
    make MAKELEVEL=0 -j $(getconf _NPROCESSORS_ONLN) -s -C src/interfaces/libpq install && \
    # Enable some of contrib extensions
    echo 'trusted = true' >> /usr/local/pgsql/share/extension/autoinc.control && \
    echo 'trusted = true' >> /usr/local/pgsql/share/extension/dblink.control && \
    echo 'trusted = true' >> /usr/local/pgsql/share/extension/postgres_fdw.control && \
    file=/usr/local/pgsql/share/extension/postgres_fdw--1.0.sql && [ -e $file ] && \
    echo 'GRANT USAGE ON FOREIGN DATA WRAPPER postgres_fdw TO neon_superuser;' >> $file && \
    echo 'trusted = true' >> /usr/local/pgsql/share/extension/bloom.control && \
    echo 'trusted = true' >> /usr/local/pgsql/share/extension/earthdistance.control && \
    echo 'trusted = true' >> /usr/local/pgsql/share/extension/insert_username.control && \
@@ -189,34 +215,7 @@ RUN cd postgres && \
    echo 'trusted = true' >> /usr/local/pgsql/share/extension/pgrowlocks.control && \
    echo 'trusted = true' >> /usr/local/pgsql/share/extension/pgstattuple.control && \
    echo 'trusted = true' >> /usr/local/pgsql/share/extension/refint.control && \
-    echo 'trusted = true' >> /usr/local/pgsql/share/extension/xml2.control && \
+    echo 'trusted = true' >> /usr/local/pgsql/share/extension/xml2.control
    # We need to grant EXECUTE on pg_stat_statements_reset() to neon_superuser.
    # In vanilla postgres this function is limited to Postgres role superuser.
    # In neon we have neon_superuser role that is not a superuser but replaces superuser in some cases.
    # We could add the additional grant statements to the postgres repository but it would be hard to maintain,
    # whenever we need to pick up a new postgres version and we want to limit the changes in our postgres fork,
    # so we do it here.
    for file in /usr/local/pgsql/share/extension/pg_stat_statements--*.sql; do \
        filename=$(basename "$file"); \
        # Note that there are no downgrade scripts for pg_stat_statements, so we \
        # don't have to modify any downgrade paths or (much) older versions: we only \
        # have to make sure every creation of the pg_stat_statements_reset function \
        # also adds execute permissions to the neon_superuser.
        case $filename in \
          pg_stat_statements--1.4.sql) \
            # pg_stat_statements_reset is first created with 1.4
            echo 'GRANT EXECUTE ON FUNCTION pg_stat_statements_reset() TO neon_superuser;' >> $file; \
            ;; \
          pg_stat_statements--1.6--1.7.sql) \
            # Then with the 1.6-1.7 migration it is re-created with a new signature, thus add the permissions back
            echo 'GRANT EXECUTE ON FUNCTION pg_stat_statements_reset(Oid, Oid, bigint) TO neon_superuser;' >> $file; \
            ;; \
          pg_stat_statements--1.10--1.11.sql) \
            # Then with the 1.10-1.11 migration it is re-created with a new signature again, thus add the permissions back
            echo 'GRANT EXECUTE ON FUNCTION pg_stat_statements_reset(Oid, Oid, bigint, boolean) TO neon_superuser;' >> $file; \
            ;; \
        esac; \
    done;
 # Set PATH for all the subsequent build steps
 ENV PATH="/usr/local/pgsql/bin:$PATH"
@@ -297,6 +296,7 @@ RUN ./autogen.sh && \
    ./configure --with-sfcgal=/usr/local/bin/sfcgal-config && \
    make -j $(getconf _NPROCESSORS_ONLN) && \
    make -j $(getconf _NPROCESSORS_ONLN) install && \
    make staged-install && \
    cd extensions/postgis && \
    make clean && \
    make -j $(getconf _NPROCESSORS_ONLN) install && \
@@ -602,7 +602,7 @@ RUN case "${PG_VERSION:?}" in \
        ;; \
    esac && \
 	wget https://github.com/knizhnik/online_advisor/archive/refs/tags/1.0.tar.gz -O online_advisor.tar.gz && \
-    echo "059b7d9e5a90013a58bdd22e9505b88406ce05790675eb2d8434e5b215652d54 online_advisor.tar.gz" | sha256sum --check && \
+    echo "37dcadf8f7cc8d6cc1f8831276ee245b44f1b0274f09e511e47a67738ba9ed0f online_advisor.tar.gz" | sha256sum --check && \
    mkdir online_advisor-src && cd online_advisor-src && tar xzf ../online_advisor.tar.gz --strip-components=1 -C .
 FROM pg-build AS online_advisor-build
@@ -1056,17 +1056,10 @@ RUN make -j $(getconf _NPROCESSORS_ONLN) && \
 #########################################################################################
 #
-# Layer "pg build with nonroot user and cargo installed"
+# Layer "build-deps with Rust toolchain installed"
 # This layer is base and common for layers with `pgrx`
 #
 #########################################################################################
-FROM pg-build AS pg-build-nonroot-with-cargo
+FROM build-deps AS build-deps-with-cargo
 ARG PG_VERSION
 RUN apt update && \
    apt install --no-install-recommends --no-install-suggests -y curl libclang-dev && \
    apt clean && rm -rf /var/lib/apt/lists/* && \
    useradd -ms /bin/bash nonroot -b /home
 ENV HOME=/home/nonroot
 ENV PATH="/home/nonroot/.cargo/bin:$PATH"
@@ -1081,13 +1074,29 @@ RUN curl -sSO https://static.rust-lang.org/rustup/dist/$(uname -m)-unknown-linux
    ./rustup-init -y --no-modify-path --profile minimal --default-toolchain stable && \
    rm rustup-init
 #########################################################################################
 #
 # Layer "pg-build with Rust toolchain installed"
 # This layer is base and common for layers with `pgrx`
 #
 #########################################################################################
 FROM pg-build AS pg-build-with-cargo
 ARG PG_VERSION
 ENV HOME=/home/nonroot
 ENV PATH="/home/nonroot/.cargo/bin:$PATH"
 USER nonroot
 WORKDIR /home/nonroot
 COPY --from=build-deps-with-cargo /home/nonroot /home/nonroot
 #########################################################################################
 #
 # Layer "rust extensions"
 # This layer is used to build `pgrx` deps
 #
 #########################################################################################
-FROM pg-build-nonroot-with-cargo AS rust-extensions-build
+FROM pg-build-with-cargo AS rust-extensions-build
 ARG PG_VERSION
 RUN case "${PG_VERSION:?}" in \
@@ -1109,7 +1118,7 @@ USER root
 # and eventually get merged with `rust-extensions-build`
 #
 #########################################################################################
-FROM pg-build-nonroot-with-cargo AS rust-extensions-build-pgrx12
+FROM pg-build-with-cargo AS rust-extensions-build-pgrx12
 ARG PG_VERSION
 RUN cargo install --locked --version 0.12.9 cargo-pgrx && \
@@ -1126,7 +1135,7 @@ USER root
 # and eventually get merged with `rust-extensions-build`
 #
 #########################################################################################
-FROM pg-build-nonroot-with-cargo AS rust-extensions-build-pgrx14
+FROM pg-build-with-cargo AS rust-extensions-build-pgrx14
 ARG PG_VERSION
 RUN cargo install --locked --version 0.14.1 cargo-pgrx && \
@@ -1143,10 +1152,12 @@ USER root
 FROM build-deps AS pgrag-src
 ARG PG_VERSION
 WORKDIR /ext-src
 COPY compute/patches/onnxruntime.patch .
 RUN wget https://github.com/microsoft/onnxruntime/archive/refs/tags/v1.18.1.tar.gz -O onnxruntime.tar.gz && \
    mkdir onnxruntime-src && cd onnxruntime-src && tar xzf ../onnxruntime.tar.gz --strip-components=1 -C . && \
    patch -p1 < /ext-src/onnxruntime.patch && \
    echo "#nothing to test here" > neon-test.sh
 RUN wget https://github.com/neondatabase-labs/pgrag/archive/refs/tags/v0.1.2.tar.gz -O pgrag.tar.gz &&  \
@@ -1161,7 +1172,7 @@ COPY --from=pgrag-src /ext-src/ /ext-src/
 # Install it using virtual environment, because Python 3.11 (the default version on Debian 12 (Bookworm)) complains otherwise
 WORKDIR /ext-src/onnxruntime-src
 RUN apt update && apt install --no-install-recommends --no-install-suggests -y \
-    python3 python3-pip python3-venv protobuf-compiler && \
+    python3 python3-pip python3-venv && \
    apt clean && rm -rf /var/lib/apt/lists/* && \
    python3 -m venv venv && \
    . venv/bin/activate && \
@@ -1180,14 +1191,14 @@ RUN cd exts/rag && \
 RUN cd exts/rag_bge_small_en_v15 && \
    sed -i 's/pgrx = "0.14.1"/pgrx = { version = "0.14.1", features = [ "unsafe-postgres" ] }/g' Cargo.toml && \
    ORT_LIB_LOCATION=/ext-src/onnxruntime-src/build/Linux \
-        REMOTE_ONNX_URL=http://pg-ext-s3-gateway/pgrag-data/bge_small_en_v15.onnx \
+        REMOTE_ONNX_URL=http://pg-ext-s3-gateway.pg-ext-s3-gateway.svc.cluster.local/pgrag-data/bge_small_en_v15.onnx \
        cargo pgrx install --release --features remote_onnx && \
    echo "trusted = true" >> /usr/local/pgsql/share/extension/rag_bge_small_en_v15.control
 RUN cd exts/rag_jina_reranker_v1_tiny_en && \
    sed -i 's/pgrx = "0.14.1"/pgrx = { version = "0.14.1", features = [ "unsafe-postgres" ] }/g' Cargo.toml && \
    ORT_LIB_LOCATION=/ext-src/onnxruntime-src/build/Linux \
-        REMOTE_ONNX_URL=http://pg-ext-s3-gateway/pgrag-data/jina_reranker_v1_tiny_en.onnx \
+        REMOTE_ONNX_URL=http://pg-ext-s3-gateway.pg-ext-s3-gateway.svc.cluster.local/pgrag-data/jina_reranker_v1_tiny_en.onnx \
        cargo pgrx install --release --features remote_onnx && \
    echo "trusted = true" >> /usr/local/pgsql/share/extension/rag_jina_reranker_v1_tiny_en.control
@@ -1506,7 +1517,7 @@ WORKDIR /ext-src
 COPY compute/patches/pg_duckdb_v031.patch .
 COPY compute/patches/duckdb_v120.patch .
 # pg_duckdb build requires source dir to be a git repo to get submodules
-# allow neon_superuser to execute some functions that in pg_duckdb are available to superuser only:
+# allow {privileged_role_name} to execute some functions that in pg_duckdb are available to superuser only:
 # - extension management function duckdb.install_extension()
 # - access to duckdb.extensions table and its sequence
 RUN git clone --depth 1 --branch v0.3.1 https://github.com/duckdb/pg_duckdb.git pg_duckdb-src && \
@@ -1554,29 +1565,31 @@ RUN make -j $(getconf _NPROCESSORS_ONLN) && \
 FROM build-deps AS pgaudit-src
 ARG PG_VERSION
 WORKDIR /ext-src
 COPY "compute/patches/pgaudit-parallel_workers-${PG_VERSION}.patch" .
 RUN case "${PG_VERSION}" in \
    "v14") \
-    export PGAUDIT_VERSION=1.6.2 \
+    export PGAUDIT_VERSION=1.6.3 \
-    export PGAUDIT_CHECKSUM=1f350d70a0cbf488c0f2b485e3a5c9b11f78ad9e3cbb95ef6904afa1eb3187eb \
+    export PGAUDIT_CHECKSUM=37a8f5a7cc8d9188e536d15cf0fdc457fcdab2547caedb54442c37f124110919 \
    ;; \
    "v15") \
-    export PGAUDIT_VERSION=1.7.0 \
+    export PGAUDIT_VERSION=1.7.1 \
-    export PGAUDIT_CHECKSUM=8f4a73e451c88c567e516e6cba7dc1e23bc91686bb6f1f77f8f3126d428a8bd8 \
+    export PGAUDIT_CHECKSUM=e9c8e6e092d82b2f901d72555ce0fe7780552f35f8985573796cd7e64b09d4ec \
    ;; \
    "v16") \
-    export PGAUDIT_VERSION=16.0 \
+    export PGAUDIT_VERSION=16.1 \
-    export PGAUDIT_CHECKSUM=d53ef985f2d0b15ba25c512c4ce967dce07b94fd4422c95bd04c4c1a055fe738 \
+    export PGAUDIT_CHECKSUM=3bae908ab70ba0c6f51224009dbcfff1a97bd6104c6273297a64292e1b921fee \
    ;; \
    "v17") \
-    export PGAUDIT_VERSION=17.0 \
+    export PGAUDIT_VERSION=17.1 \
-    export PGAUDIT_CHECKSUM=7d0d08d030275d525f36cd48b38c6455f1023da863385badff0cec44965bfd8c \
+    export PGAUDIT_CHECKSUM=9c5f37504d393486cc75d2ced83f75f5899be64fa85f689d6babb833b4361e6c \
    ;; \
    *) \
    echo "pgaudit is not supported on this PostgreSQL version" && exit 1;; \
    esac && \
    wget https://github.com/pgaudit/pgaudit/archive/refs/tags/${PGAUDIT_VERSION}.tar.gz -O pgaudit.tar.gz && \
    echo "${PGAUDIT_CHECKSUM} pgaudit.tar.gz" | sha256sum --check && \
-    mkdir pgaudit-src && cd pgaudit-src && tar xzf ../pgaudit.tar.gz --strip-components=1 -C .
+    mkdir pgaudit-src && cd pgaudit-src && tar xzf ../pgaudit.tar.gz --strip-components=1 -C . && \
    patch -p1 < "/ext-src/pgaudit-parallel_workers-${PG_VERSION}.patch"
 FROM pg-build AS pgaudit-build
 COPY --from=pgaudit-src /ext-src/ /ext-src/
@@ -1616,22 +1629,14 @@ RUN make install USE_PGXS=1 -j $(getconf _NPROCESSORS_ONLN)
 # compile neon extensions
 #
 #########################################################################################
-FROM pg-build AS neon-ext-build
+FROM pg-build-with-cargo AS neon-ext-build
 ARG PG_VERSION
-COPY pgxn/ pgxn/
+USER root
-RUN make -j $(getconf _NPROCESSORS_ONLN) \
+COPY . .
-        -C pgxn/neon \
+
-        -s install && \
+RUN make -j $(getconf _NPROCESSORS_ONLN) -C pgxn -s install-compute \
-    make -j $(getconf _NPROCESSORS_ONLN) \
+      BUILD_TYPE=release CARGO_BUILD_FLAGS="--locked --release" NEON_CARGO_ARTIFACT_TARGET_DIR="$(pwd)/target/release"
        -C pgxn/neon_utils \
        -s install && \
    make -j $(getconf _NPROCESSORS_ONLN) \
        -C pgxn/neon_test_utils \
        -s install && \
    make -j $(getconf _NPROCESSORS_ONLN) \
        -C pgxn/neon_rmgr \
        -s install
 #########################################################################################
 #
@@ -1721,7 +1726,7 @@ FROM extensions-${EXTENSIONS} AS neon-pg-ext-build
 # Compile the Neon-specific `compute_ctl`, `fast_import`, and `local_proxy` binaries
 #
 #########################################################################################
-FROM $REPOSITORY/$IMAGE:$TAG AS compute-tools
+FROM build-deps-with-cargo AS compute-tools
 ARG BUILD_TAG
 ENV BUILD_TAG=$BUILD_TAG
@@ -1731,7 +1736,7 @@ COPY --chown=nonroot . .
 RUN --mount=type=cache,uid=1000,target=/home/nonroot/.cargo/registry \
    --mount=type=cache,uid=1000,target=/home/nonroot/.cargo/git \
    --mount=type=cache,uid=1000,target=/home/nonroot/target \
-    mold -run cargo build --locked --profile release-line-debug-size-lto --bin compute_ctl --bin fast_import --bin local_proxy && \
+    cargo build --locked --profile release-line-debug-size-lto --bin compute_ctl --bin fast_import --bin local_proxy && \
    mkdir target-bin && \
    cp target/release-line-debug-size-lto/compute_ctl \
       target/release-line-debug-size-lto/fast_import \
@@ -1778,7 +1783,7 @@ RUN set -e \
 #########################################################################################
 FROM build-deps AS exporters
 ARG TARGETARCH
-# Keep sql_exporter version same as in build-tools.Dockerfile and
+# Keep sql_exporter version same as in build-tools/Dockerfile and
 # test_runner/regress/test_compute_metrics.py
 # See comment on the top of the file regading `echo`, `-e` and `\n`
 RUN if [ "$TARGETARCH" = "amd64" ]; then\
@@ -1825,10 +1830,11 @@ RUN rm /usr/local/pgsql/lib/lib*.a
 # Preprocess the sql_exporter configuration files
 #
 #########################################################################################
-FROM $REPOSITORY/$IMAGE:$TAG AS sql_exporter_preprocessor
+FROM build-deps AS sql_exporter_preprocessor
 ARG PG_VERSION
 USER nonroot
 WORKDIR /home/nonroot
 COPY --chown=nonroot compute compute
@@ -1842,10 +1848,25 @@ RUN make PG_VERSION="${PG_VERSION:?}" -C compute
 FROM pg-build AS extension-tests
 ARG PG_VERSION
 # This is required for the PostGIS test
 RUN apt-get update && case $DEBIAN_VERSION in \
      bullseye) \
        apt-get install -y libproj19 libgdal28 time; \
      ;; \
      bookworm) \
        apt-get install -y libgdal32 libproj25 time; \
      ;; \
      *) \
        echo "Unknown Debian version ${DEBIAN_VERSION}" && exit 1 \
      ;; \
    esac
 COPY docker-compose/ext-src/ /ext-src/
 COPY --from=pg-build /postgres /postgres
-#COPY --from=postgis-src /ext-src/ /ext-src/
+COPY --from=postgis-build /usr/local/pgsql/ /usr/local/pgsql/
 COPY --from=postgis-build /ext-src/postgis-src /ext-src/postgis-src
 COPY --from=postgis-build /sfcgal/* /usr
 COPY --from=plv8-src /ext-src/ /ext-src/
 COPY --from=h3-pg-src /ext-src/h3-pg-src /ext-src/h3-pg-src
 COPY --from=postgresql-unit-src /ext-src/ /ext-src/
@@ -1886,10 +1907,11 @@ COPY compute/patches/pg_repack.patch /ext-src
 RUN cd /ext-src/pg_repack-src && patch -p1 </ext-src/pg_repack.patch && rm -f /ext-src/pg_repack.patch
 COPY --chmod=755 docker-compose/run-tests.sh /run-tests.sh
-RUN apt-get update && apt-get install -y libtap-parser-sourcehandler-pgtap-perl jq \
+RUN echo /usr/local/pgsql/lib > /etc/ld.so.conf.d/00-neon.conf && /sbin/ldconfig
 RUN apt-get update && apt-get install -y libtap-parser-sourcehandler-pgtap-perl jq parallel \
   && apt clean && rm -rf /ext-src/*.tar.gz /ext-src/*.patch /var/lib/apt/lists/*
 ENV PATH=/usr/local/pgsql/bin:$PATH
-ENV PGHOST=compute
+ENV PGHOST=compute1
 ENV PGPORT=55433
 ENV PGUSER=cloud_admin
 ENV PGDATABASE=postgres
@@ -1959,7 +1981,7 @@ RUN apt update && \
        locales \
        lsof \
        procps \
-        rsyslog \
+        rsyslog-gnutls \
        screen \
        tcpdump \
        $VERSION_INSTALLS && \
--- a/compute/etc/neon_collector.jsonnet
+++ b/compute/etc/neon_collector.jsonnet
@@ -8,6 +8,8 @@
    import 'sql_exporter/compute_logical_snapshot_files.libsonnet',
    import 'sql_exporter/compute_logical_snapshots_bytes.libsonnet',
    import 'sql_exporter/compute_max_connections.libsonnet',
    import 'sql_exporter/compute_pg_oldest_frozen_xid_age.libsonnet',
    import 'sql_exporter/compute_pg_oldest_mxid_age.libsonnet',
    import 'sql_exporter/compute_receive_lsn.libsonnet',
    import 'sql_exporter/compute_subscriptions_count.libsonnet',
    import 'sql_exporter/connection_counts.libsonnet',
--- a/compute/etc/pgbouncer.ini
+++ b/compute/etc/pgbouncer.ini
@@ -21,6 +21,8 @@ unix_socket_dir=/tmp/
 unix_socket_mode=0777
 ; required for pgbouncer_exporter
 ignore_startup_parameters=extra_float_digits
 ; pidfile for graceful termination
 pidfile=/tmp/pgbouncer.pid
 ;; Disable connection logging. It produces a lot of logs that no one looks at,
 ;; and we can get similar log entries from the proxy too. We had incidents in
--- a/compute/etc/sql_exporter/compute_pg_oldest_frozen_xid_age.libsonnet
+++ b/compute/etc/sql_exporter/compute_pg_oldest_frozen_xid_age.libsonnet
@@ -0,0 +1,13 @@
 {
  metric_name: 'compute_pg_oldest_frozen_xid_age',
  type: 'gauge',
  help: 'Age of oldest XIDs that have not been frozen by VACUUM. An indicator of how long it has been since VACUUM last ran.',
  key_labels: [
    'database_name',
  ],
  value_label: 'metric',
  values: [
    'frozen_xid_age',
  ],
  query: importstr 'sql_exporter/compute_pg_oldest_frozen_xid_age.sql',
 }
--- a/compute/etc/sql_exporter/compute_pg_oldest_frozen_xid_age.sql
+++ b/compute/etc/sql_exporter/compute_pg_oldest_frozen_xid_age.sql
@@ -0,0 +1,4 @@
 SELECT datname database_name,
  age(datfrozenxid) frozen_xid_age
 FROM pg_database
 ORDER BY frozen_xid_age DESC LIMIT 10;
--- a/compute/etc/sql_exporter/compute_pg_oldest_mxid_age.libsonnet
+++ b/compute/etc/sql_exporter/compute_pg_oldest_mxid_age.libsonnet
@@ -0,0 +1,13 @@
 {
  metric_name: 'compute_pg_oldest_mxid_age',
  type: 'gauge',
  help: 'Age of oldest MXIDs that have not been replaced by VACUUM. An indicator of how long it has been since VACUUM last ran.',
  key_labels: [
    'database_name',
  ],
  value_label: 'metric',
  values: [
    'min_mxid_age',
  ],
  query: importstr 'sql_exporter/compute_pg_oldest_mxid_age.sql',
 }
--- a/compute/etc/sql_exporter/compute_pg_oldest_mxid_age.sql
+++ b/compute/etc/sql_exporter/compute_pg_oldest_mxid_age.sql
@@ -0,0 +1,4 @@
 SELECT datname database_name,
  mxid_age(datminmxid) min_mxid_age
 FROM pg_database
 ORDER BY min_mxid_age DESC LIMIT 10;
--- a/compute/manifest.schema.json
+++ b/compute/manifest.schema.json
@@ -0,0 +1,209 @@
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "title": "Neon Compute Manifest Schema",
  "description": "Schema for Neon compute node configuration manifest",
  "type": "object",
  "properties": {
    "pg_settings": {
      "type": "object",
      "properties": {
        "common": {
          "type": "object",
          "properties": {
            "client_connection_check_interval": {
              "type": "string",
              "description": "Check for client disconnection interval in milliseconds"
            },
            "effective_io_concurrency": {
              "type": "string",
              "description": "Effective IO concurrency setting"
            },
            "fsync": {
              "type": "string",
              "enum": ["on", "off"],
              "description": "Whether to force fsync to disk"
            },
            "hot_standby": {
              "type": "string",
              "enum": ["on", "off"],
              "description": "Whether hot standby is enabled"
            },
            "idle_in_transaction_session_timeout": {
              "type": "string",
              "description": "Timeout for idle transactions in milliseconds"
            },
            "listen_addresses": {
              "type": "string",
              "description": "Addresses to listen on"
            },
            "log_connections": {
              "type": "string",
              "enum": ["on", "off"],
              "description": "Whether to log connections"
            },
            "log_disconnections": {
              "type": "string",
              "enum": ["on", "off"],
              "description": "Whether to log disconnections"
            },
            "log_temp_files": {
              "type": "string",
              "description": "Size threshold for logging temporary files in KB"
            },
            "log_error_verbosity": {
              "type": "string",
              "enum": ["terse", "verbose", "default"],
              "description": "Error logging verbosity level"
            },
            "log_min_error_statement": {
              "type": "string",
              "description": "Minimum error level for statement logging"
            },
            "maintenance_io_concurrency": {
              "type": "string",
              "description": "Maintenance IO concurrency setting"
            },
            "max_connections": {
              "type": "string",
              "description": "Maximum number of connections"
            },
            "max_replication_flush_lag": {
              "type": "string",
              "description": "Maximum replication flush lag"
            },
            "max_replication_slots": {
              "type": "string",
              "description": "Maximum number of replication slots"
            },
            "max_replication_write_lag": {
              "type": "string",
              "description": "Maximum replication write lag"
            },
            "max_wal_senders": {
              "type": "string",
              "description": "Maximum number of WAL senders"
            },
            "max_wal_size": {
              "type": "string",
              "description": "Maximum WAL size"
            },
            "neon.unstable_extensions": {
              "type": "string",
              "description": "List of unstable extensions"
            },
            "neon.protocol_version": {
              "type": "string",
              "description": "Neon protocol version"
            },
            "password_encryption": {
              "type": "string",
              "description": "Password encryption method"
            },
            "restart_after_crash": {
              "type": "string",
              "enum": ["on", "off"],
              "description": "Whether to restart after crash"
            },
            "superuser_reserved_connections": {
              "type": "string",
              "description": "Number of reserved connections for superuser"
            },
            "synchronous_standby_names": {
              "type": "string",
              "description": "Names of synchronous standby servers"
            },
            "wal_keep_size": {
              "type": "string",
              "description": "WAL keep size"
            },
            "wal_level": {
              "type": "string",
              "description": "WAL level"
            },
            "wal_log_hints": {
              "type": "string",
              "enum": ["on", "off"],
              "description": "Whether to log hints in WAL"
            },
            "wal_sender_timeout": {
              "type": "string",
              "description": "WAL sender timeout in milliseconds"
            }
          },
          "required": [
            "client_connection_check_interval",
            "effective_io_concurrency",
            "fsync",
            "hot_standby",
            "idle_in_transaction_session_timeout",
            "listen_addresses",
            "log_connections",
            "log_disconnections",
            "log_temp_files",
            "log_error_verbosity",
            "log_min_error_statement",
            "maintenance_io_concurrency",
            "max_connections",
            "max_replication_flush_lag",
            "max_replication_slots",
            "max_replication_write_lag",
            "max_wal_senders",
            "max_wal_size",
            "neon.unstable_extensions",
            "neon.protocol_version",
            "password_encryption",
            "restart_after_crash",
            "superuser_reserved_connections",
            "synchronous_standby_names",
            "wal_keep_size",
            "wal_level",
            "wal_log_hints",
            "wal_sender_timeout"
          ]
        },
        "replica": {
          "type": "object",
          "properties": {
            "hot_standby": {
              "type": "string",
              "enum": ["on", "off"],
              "description": "Whether hot standby is enabled for replicas"
            }
          },
          "required": ["hot_standby"]
        },
        "per_version": {
          "type": "object",
          "patternProperties": {
            "^1[4-7]$": {
              "type": "object",
              "properties": {
                "common": {
                  "type": "object",
                  "properties": {
                    "io_combine_limit": {
                      "type": "string",
                      "description": "IO combine limit"
                    }
                  }
                },
                "replica": {
                  "type": "object",
                  "properties": {
                    "recovery_prefetch": {
                      "type": "string",
                      "enum": ["on", "off"],
                      "description": "Whether to enable recovery prefetch for PostgreSQL replicas"
                    }
                  }
                }
              }
            }
          }
        }
      },
      "required": ["common", "replica", "per_version"]
    }
  },
  "required": ["pg_settings"]
 } 
--- a/compute/manifest.yaml
+++ b/compute/manifest.yaml
@@ -0,0 +1,121 @@
 pg_settings:
  # Common settings for primaries and replicas of all versions.
  common:
    # Check for client disconnection every 1 minute. By default, Postgres will detect the
    # loss of the connection only at the next interaction with the socket, when it waits
    # for, receives or sends data, so it will likely waste resources till the end of the
    # query execution. There should be no drawbacks in setting this for everyone, so enable
    # it by default. If anyone will complain, we can allow editing it.
    # https://www.postgresql.org/docs/16/runtime-config-connection.html#GUC-CLIENT-CONNECTION-CHECK-INTERVAL
    client_connection_check_interval: "60000" # 1 minute
    # ---- IO ---- 
    effective_io_concurrency: "20"
    maintenance_io_concurrency: "100"
    fsync: "off"
    hot_standby: "off"
    # We allow users to change this if needed, but by default we
    # just don't want to see long-lasting idle transactions, as they
    # prevent activity monitor from suspending projects.
    idle_in_transaction_session_timeout: "300000" # 5 minutes
    listen_addresses: "*"
    # --- LOGGING ---- helps investigations
    log_connections: "on"
    log_disconnections: "on"
    # 1GB, unit is KB
    log_temp_files: "1048576"
    # Disable dumping customer data to logs, both to increase data privacy
    # and to reduce the amount the logs.
    log_error_verbosity: "terse"
    log_min_error_statement: "panic"
    max_connections: "100"
    # --- WAL ---
    # - flush lag is the max amount of WAL that has been generated but not yet stored
    # to disk in the page server. A smaller value means less delay after a pageserver
    # restart, but if you set it too small you might again need to slow down writes if the
    # pageserver cannot flush incoming WAL to disk fast enough. This must be larger
    # than the pageserver's checkpoint interval, currently 1 GB! Otherwise you get a
    # a deadlock where the compute node refuses to generate more WAL before the
    # old WAL has been uploaded to S3, but the pageserver is waiting for more WAL
    # to be generated before it is uploaded to S3.
    max_replication_flush_lag: "10GB"
    max_replication_slots: "10"
    # Backpressure configuration:
    # - write lag is the max amount of WAL that has been generated by Postgres but not yet
    # processed by the page server. Making this smaller reduces the worst case latency
    # of a GetPage request, if you request a page that was recently modified. On the other
    # hand, if this is too small, the compute node might need to wait on a write if there is a
    # hiccup in the network or page server so that the page server has temporarily fallen
    # behind.
    #
    # Previously it was set to 500 MB, but it caused compute being unresponsive under load
    # https://github.com/neondatabase/neon/issues/2028
    max_replication_write_lag: "500MB"
    max_wal_senders: "10"
    # A Postgres checkpoint is cheap in storage, as doesn't involve any significant amount
    # of real I/O. Only the SLRU buffers and some other small files are flushed to disk.
    # However, as long as we have full_page_writes=on, page updates after a checkpoint
    # include full-page images which bloats the WAL. So may want to bump max_wal_size to
    # reduce the WAL bloating, but at the same it will increase pg_wal directory size on
    # compute and can lead to out of disk error on k8s nodes.
    max_wal_size: "1024"
    wal_keep_size: "0"
    wal_level: "replica"
    # Reduce amount of WAL generated by default.
    wal_log_hints: "off"
    # - without wal_sender_timeout set we don't get feedback messages,
    # required for backpressure.
    wal_sender_timeout: "10000"
    # We have some experimental extensions, which we don't want users to install unconsciously.
    # To install them, users would need to set the `neon.allow_unstable_extensions` setting.
    # There are two of them currently:
    # - `pgrag` - https://github.com/neondatabase-labs/pgrag - extension is actually called just `rag`,
    #                                                          and two dependencies:
    #                                                          - `rag_bge_small_en_v15`
    #                                                          - `rag_jina_reranker_v1_tiny_en`
    # - `pg_mooncake` - https://github.com/Mooncake-Labs/pg_mooncake/  
    neon.unstable_extensions: "rag,rag_bge_small_en_v15,rag_jina_reranker_v1_tiny_en,pg_mooncake,anon"
    neon.protocol_version: "3"
    password_encryption: "scram-sha-256"
    # This is important to prevent Postgres from trying to perform
    # a local WAL redo after backend crash. It should exit and let
    # the systemd or k8s to do a fresh startup with compute_ctl.
    restart_after_crash: "off"
    # By default 3. We have the following persistent connections in the VM:
    # * compute_activity_monitor (from compute_ctl)
    # * postgres-exporter (metrics collector; it has 2 connections)
    # * sql_exporter (metrics collector; we have 2 instances [1 for us & users; 1 for autoscaling])
    # * vm-monitor (to query & change file cache size)
    # i.e. total of 6. Let's reserve 7, so there's still at least one left over.
    superuser_reserved_connections: "7"
    synchronous_standby_names: "walproposer"
  replica:
    hot_standby: "on"
  per_version:
    17:
      common:
        # PostgreSQL 17 has a new IO system called "read stream", which can combine IOs up to some
        # size. It still has some issues with readahead, though, so we default to disabled/
        # "no combining of IOs" to make sure we get the maximum prefetch depth.
        # See also: https://github.com/neondatabase/neon/pull/9860
        io_combine_limit: "1"
      replica:
        # prefetching of blocks referenced in WAL doesn't make sense for us
        # Neon hot standby ignores pages that are not in the shared_buffers
        recovery_prefetch: "off"
    16:
      common: {}
      replica:
        # prefetching of blocks referenced in WAL doesn't make sense for us
        # Neon hot standby ignores pages that are not in the shared_buffers
        recovery_prefetch: "off"
    15:
      common: {}
      replica:
        # prefetching of blocks referenced in WAL doesn't make sense for us
        # Neon hot standby ignores pages that are not in the shared_buffers
        recovery_prefetch: "off"
    14:
      common: {}
      replica: {}
--- a/compute/package-lock.json
+++ b/compute/package-lock.json
@@ -0,0 +1,37 @@
 {
  "name": "neon-compute",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "neon-compute",
      "dependencies": {
        "@sourcemeta/jsonschema": "9.3.4"
      }
    },
    "node_modules/@sourcemeta/jsonschema": {
      "version": "9.3.4",
      "resolved": "https://registry.npmjs.org/@sourcemeta/jsonschema/-/jsonschema-9.3.4.tgz",
      "integrity": "sha512-hkujfkZAIGXUs4U//We9faZW8LZ4/H9LqagRYsFSulH/VLcKPNhZyCTGg7AhORuzm27zqENvKpnX4g2FzudYFw==",
      "cpu": [
        "x64",
        "arm64"
      ],
      "license": "AGPL-3.0",
      "os": [
        "darwin",
        "linux",
        "win32"
      ],
      "bin": {
        "jsonschema": "cli.js"
      },
      "engines": {
        "node": ">=16"
      },
      "funding": {
        "url": "https://github.com/sponsors/sourcemeta"
      }
    }
  }
 }
--- a/compute/patches/anon_v2.patch
+++ b/compute/patches/anon_v2.patch
@@ -1,16 +1,27 @@
 diff --git a/sql/anon.sql b/sql/anon.sql
-index 0cdc769..f6cc950 100644
+index 0cdc769..5eab1d6 100644
 --- a/sql/anon.sql
 +++ b/sql/anon.sql
-@@ -1141,3 +1141,8 @@ $$
+@@ -1141,3 +1141,19 @@ $$
 -- TODO : https://en.wikipedia.org/wiki/L-diversity
 -- TODO : https://en.wikipedia.org/wiki/T-closeness
 +
 +-- NEON Patches
 +
-+GRANT ALL ON SCHEMA anon to neon_superuser;
+DO $$
-+GRANT ALL ON ALL TABLES IN SCHEMA anon TO neon_superuser;
+DECLARE
 +  privileged_role_name text;
 +BEGIN
 +  privileged_role_name := current_setting('neon.privileged_role_name');
 +
 +  EXECUTE format('GRANT ALL ON SCHEMA anon to %I', privileged_role_name);
 +  EXECUTE format('GRANT ALL ON ALL TABLES IN SCHEMA anon TO %I', privileged_role_name);
 +
 +  IF current_setting('server_version_num')::int >= 150000 THEN
 +    EXECUTE format('GRANT SET ON PARAMETER anon.transparent_dynamic_masking TO %I', privileged_role_name);
 +  END IF;
 +END $$;
 diff --git a/sql/init.sql b/sql/init.sql
 index 7da6553..9b6164b 100644
 --- a/sql/init.sql
--- a/compute/patches/onnxruntime.patch
+++ b/compute/patches/onnxruntime.patch
@@ -0,0 +1,15 @@
 diff --git a/cmake/deps.txt b/cmake/deps.txt
 index d213b09034..229de2ebf0 100644
 --- a/cmake/deps.txt
 +++ b/cmake/deps.txt
@@ -22,7 +22,9 @@ dlpack;https://github.com/dmlc/dlpack/archive/refs/tags/v0.6.zip;4d565dd2e5b3132
 # it contains changes on top of 3.4.0 which are required to fix build issues.
 # Until the 3.4.1 release this is the best option we have.
 # Issue link: https://gitlab.com/libeigen/eigen/-/issues/2744
 -eigen;https://gitlab.com/libeigen/eigen/-/archive/e7248b26a1ed53fa030c5c459f7ea095dfd276ac/eigen-e7248b26a1ed53fa030c5c459f7ea095dfd276ac.zip;be8be39fdbc6e60e94fa7870b280707069b5b81a
 +# Moved to github mirror to avoid gitlab issues.Add commentMore actions
 +# Issue link: https://github.com/bazelbuild/bazel-central-registry/issues/4355
 +eigen;https://github.com/eigen-mirror/eigen/archive/e7248b26a1ed53fa030c5c459f7ea095dfd276ac/eigen-e7248b26a1ed53fa030c5c459f7ea095dfd276ac.zip;61418a349000ba7744a3ad03cf5071f22ebf860a
 flatbuffers;https://github.com/google/flatbuffers/archive/refs/tags/v23.5.26.zip;59422c3b5e573dd192fead2834d25951f1c1670c
 fp16;https://github.com/Maratyszcza/FP16/archive/0a92994d729ff76a58f692d3028ca1b64b145d91.zip;b985f6985a05a1c03ff1bb71190f66d8f98a1494
 fxdiv;https://github.com/Maratyszcza/FXdiv/archive/63058eff77e11aa15bf531df5dd34395ec3017c8.zip;a5658f4036402dbca7cebee32be57fb8149811e1
--- a/compute/patches/pg_duckdb_v031.patch
+++ b/compute/patches/pg_duckdb_v031.patch
@@ -21,13 +21,21 @@ index 3235cc8..6b892bc 100644
 include Makefile.global
 diff --git a/sql/pg_duckdb--0.2.0--0.3.0.sql b/sql/pg_duckdb--0.2.0--0.3.0.sql
-index d777d76..af60106 100644
+index d777d76..3b54396 100644
 --- a/sql/pg_duckdb--0.2.0--0.3.0.sql
 +++ b/sql/pg_duckdb--0.2.0--0.3.0.sql
-@@ -1056,3 +1056,6 @@ GRANT ALL ON FUNCTION duckdb.cache(TEXT, TEXT) TO PUBLIC;
+@@ -1056,3 +1056,14 @@ GRANT ALL ON FUNCTION duckdb.cache(TEXT, TEXT) TO PUBLIC;
 GRANT ALL ON FUNCTION duckdb.cache_info() TO PUBLIC;
 GRANT ALL ON FUNCTION duckdb.cache_delete(TEXT) TO PUBLIC;
 GRANT ALL ON PROCEDURE duckdb.recycle_ddb() TO PUBLIC;
-+GRANT ALL ON FUNCTION duckdb.install_extension(TEXT) TO neon_superuser;
+
-+GRANT ALL ON TABLE duckdb.extensions TO neon_superuser;
+DO $$
-+GRANT ALL ON SEQUENCE duckdb.extensions_table_seq TO neon_superuser;
+DECLARE
 +  privileged_role_name text;
 +BEGIN
 +  privileged_role_name := current_setting('neon.privileged_role_name');
 +
 +  EXECUTE format('GRANT ALL ON FUNCTION duckdb.install_extension(TEXT) TO %I', privileged_role_name);
 +  EXECUTE format('GRANT ALL ON TABLE duckdb.extensions TO %I', privileged_role_name);
 +  EXECUTE format('GRANT ALL ON SEQUENCE duckdb.extensions_table_seq TO %I', privileged_role_name);
 +END $$;
--- a/compute/patches/pg_stat_statements_pg14-16.patch
+++ b/compute/patches/pg_stat_statements_pg14-16.patch
@@ -0,0 +1,34 @@
 diff --git a/contrib/pg_stat_statements/pg_stat_statements--1.4.sql b/contrib/pg_stat_statements/pg_stat_statements--1.4.sql
 index 58cdf600fce..8be57a996f6 100644
 --- a/contrib/pg_stat_statements/pg_stat_statements--1.4.sql
 +++ b/contrib/pg_stat_statements/pg_stat_statements--1.4.sql
@@ -46,3 +46,12 @@ GRANT SELECT ON pg_stat_statements TO PUBLIC;
 -- Don't want this to be available to non-superusers.
 REVOKE ALL ON FUNCTION pg_stat_statements_reset() FROM PUBLIC;
 +
 +DO $$
 +DECLARE
 +  privileged_role_name text;
 +BEGIN
 +  privileged_role_name := current_setting('neon.privileged_role_name');
 +
 +  EXECUTE format('GRANT EXECUTE ON FUNCTION pg_stat_statements_reset() TO %I', privileged_role_name);
 +END $$;
 diff --git a/contrib/pg_stat_statements/pg_stat_statements--1.6--1.7.sql b/contrib/pg_stat_statements/pg_stat_statements--1.6--1.7.sql
 index 6fc3fed4c93..256345a8f79 100644
 --- a/contrib/pg_stat_statements/pg_stat_statements--1.6--1.7.sql
 +++ b/contrib/pg_stat_statements/pg_stat_statements--1.6--1.7.sql
@@ -20,3 +20,12 @@ LANGUAGE C STRICT PARALLEL SAFE;
 -- Don't want this to be available to non-superusers.
 REVOKE ALL ON FUNCTION pg_stat_statements_reset(Oid, Oid, bigint) FROM PUBLIC;
 +
 +DO $$
 +DECLARE
 +  privileged_role_name text;
 +BEGIN
 +  privileged_role_name := current_setting('neon.privileged_role_name');
 +
 +  EXECUTE format('GRANT EXECUTE ON FUNCTION pg_stat_statements_reset(Oid, Oid, bigint) TO %I', privileged_role_name);
 +END $$;
--- a/compute/patches/pg_stat_statements_pg17.patch
+++ b/compute/patches/pg_stat_statements_pg17.patch
@@ -0,0 +1,52 @@
 diff --git a/contrib/pg_stat_statements/pg_stat_statements--1.10--1.11.sql b/contrib/pg_stat_statements/pg_stat_statements--1.10--1.11.sql
 index 0bb2c397711..32764db1d8b 100644
 --- a/contrib/pg_stat_statements/pg_stat_statements--1.10--1.11.sql
 +++ b/contrib/pg_stat_statements/pg_stat_statements--1.10--1.11.sql
@@ -80,3 +80,12 @@ LANGUAGE C STRICT PARALLEL SAFE;
 -- Don't want this to be available to non-superusers.
 REVOKE ALL ON FUNCTION pg_stat_statements_reset(Oid, Oid, bigint, boolean) FROM PUBLIC;
 +
 +DO $$
 +DECLARE
 +  privileged_role_name text;
 +BEGIN
 +  privileged_role_name := current_setting('neon.privileged_role_name');
 +
 +  EXECUTE format('GRANT EXECUTE ON FUNCTION pg_stat_statements_reset(Oid, Oid, bigint, boolean) TO %I', privileged_role_name);
 +END $$;
 \ No newline at end of file
 diff --git a/contrib/pg_stat_statements/pg_stat_statements--1.4.sql b/contrib/pg_stat_statements/pg_stat_statements--1.4.sql
 index 58cdf600fce..8be57a996f6 100644
 --- a/contrib/pg_stat_statements/pg_stat_statements--1.4.sql
 +++ b/contrib/pg_stat_statements/pg_stat_statements--1.4.sql
@@ -46,3 +46,12 @@ GRANT SELECT ON pg_stat_statements TO PUBLIC;
 -- Don't want this to be available to non-superusers.
 REVOKE ALL ON FUNCTION pg_stat_statements_reset() FROM PUBLIC;
 +
 +DO $$
 +DECLARE
 +  privileged_role_name text;
 +BEGIN
 +  privileged_role_name := current_setting('neon.privileged_role_name');
 +
 +  EXECUTE format('GRANT EXECUTE ON FUNCTION pg_stat_statements_reset() TO %I', privileged_role_name);
 +END $$;
 diff --git a/contrib/pg_stat_statements/pg_stat_statements--1.6--1.7.sql b/contrib/pg_stat_statements/pg_stat_statements--1.6--1.7.sql
 index 6fc3fed4c93..256345a8f79 100644
 --- a/contrib/pg_stat_statements/pg_stat_statements--1.6--1.7.sql
 +++ b/contrib/pg_stat_statements/pg_stat_statements--1.6--1.7.sql
@@ -20,3 +20,12 @@ LANGUAGE C STRICT PARALLEL SAFE;
 -- Don't want this to be available to non-superusers.
 REVOKE ALL ON FUNCTION pg_stat_statements_reset(Oid, Oid, bigint) FROM PUBLIC;
 +
 +DO $$
 +DECLARE
 +  privileged_role_name text;
 +BEGIN
 +  privileged_role_name := current_setting('neon.privileged_role_name');
 +
 +  EXECUTE format('GRANT EXECUTE ON FUNCTION pg_stat_statements_reset(Oid, Oid, bigint) TO %I', privileged_role_name);
 +END $$;
--- a/compute/patches/pgaudit-parallel_workers-v14.patch
+++ b/compute/patches/pgaudit-parallel_workers-v14.patch
@@ -0,0 +1,143 @@
 commit 7220bb3a3f23fa27207d77562dcc286f9a123313
 Author: Tristan Partin <tristan.partin@databricks.com>
 Date:   2025-06-23 02:09:31 +0000
    Disable logging in parallel workers
    When a query uses parallel workers, pgaudit will log the same query for
    every parallel worker. This is undesireable since it can result in log
    amplification for queries that use parallel workers.
    Signed-off-by: Tristan Partin <tristan.partin@databricks.com>
 diff --git a/expected/pgaudit.out b/expected/pgaudit.out
 index baa8011..a601375 100644
 --- a/expected/pgaudit.out
 +++ b/expected/pgaudit.out
@@ -2563,6 +2563,37 @@ COMMIT;
 NOTICE:  AUDIT: SESSION,12,4,MISC,COMMIT,,,COMMIT;,<not logged>
 DROP TABLE part_test;
 NOTICE:  AUDIT: SESSION,13,1,DDL,DROP TABLE,,,DROP TABLE part_test;,<not logged>
 +--
 +-- Test logging in parallel workers
 +SET pgaudit.log = 'read';
 +SET pgaudit.log_client = on;
 +SET pgaudit.log_level = 'notice';
 +-- Force parallel execution for testing
 +SET max_parallel_workers_per_gather = 2;
 +SET parallel_tuple_cost = 0;
 +SET parallel_setup_cost = 0;
 +SET min_parallel_table_scan_size = 0;
 +SET min_parallel_index_scan_size = 0;
 +-- Create table with enough data to trigger parallel execution
 +CREATE TABLE parallel_test (id int, data text);
 +INSERT INTO parallel_test SELECT generate_series(1, 1000), 'test data';
 +SELECT count(*) FROM parallel_test;
 +NOTICE:  AUDIT: SESSION,14,1,READ,SELECT,,,SELECT count(*) FROM parallel_test;,<not logged>
 + count 
 +-------
 +  1000
 +(1 row)
 +
 +-- Cleanup parallel test
 +DROP TABLE parallel_test;
 +RESET max_parallel_workers_per_gather;
 +RESET parallel_tuple_cost;
 +RESET parallel_setup_cost;
 +RESET min_parallel_table_scan_size;
 +RESET min_parallel_index_scan_size;
 +RESET pgaudit.log;
 +RESET pgaudit.log_client;
 +RESET pgaudit.log_level;
 -- Cleanup
 -- Set client_min_messages up to warning to avoid noise
 SET client_min_messages = 'warning';
 diff --git a/pgaudit.c b/pgaudit.c
 index 5e6fd38..ac9ded2 100644
 --- a/pgaudit.c
 +++ b/pgaudit.c
@@ -11,6 +11,7 @@
 #include "postgres.h"
 #include "access/htup_details.h"
 +#include "access/parallel.h"
 #include "access/sysattr.h"
 #include "access/xact.h"
 #include "access/relation.h"
@@ -1303,7 +1304,7 @@ pgaudit_ExecutorStart_hook(QueryDesc *queryDesc, int eflags)
 {
     AuditEventStackItem *stackItem = NULL;
 -    if (!internalStatement)
 +    if (!internalStatement && !IsParallelWorker())
     {
         /* Push the audit even onto the stack */
         stackItem = stack_push();
@@ -1384,7 +1385,7 @@ pgaudit_ExecutorCheckPerms_hook(List *rangeTabls, bool abort)
     /* Log DML if the audit role is valid or session logging is enabled */
     if ((auditOid != InvalidOid || auditLogBitmap != 0) &&
 -        !IsAbortedTransactionBlockState())
 +        !IsAbortedTransactionBlockState() && !IsParallelWorker())
     {
         /* If auditLogRows is on, wait for rows processed to be set */
         if (auditLogRows && auditEventStack != NULL)
@@ -1438,7 +1439,7 @@ pgaudit_ExecutorRun_hook(QueryDesc *queryDesc, ScanDirection direction, uint64 c
     else
         standard_ExecutorRun(queryDesc, direction, count, execute_once);
 -    if (auditLogRows && !internalStatement)
 +    if (auditLogRows && !internalStatement && !IsParallelWorker())
     {
         /* Find an item from the stack by the query memory context */
         stackItem = stack_find_context(queryDesc->estate->es_query_cxt);
@@ -1458,7 +1459,7 @@ pgaudit_ExecutorEnd_hook(QueryDesc *queryDesc)
     AuditEventStackItem *stackItem = NULL;
     AuditEventStackItem *auditEventStackFull = NULL;
 -    if (auditLogRows && !internalStatement)
 +    if (auditLogRows && !internalStatement && !IsParallelWorker())
     {
         /* Find an item from the stack by the query memory context */
         stackItem = stack_find_context(queryDesc->estate->es_query_cxt);
 diff --git a/sql/pgaudit.sql b/sql/pgaudit.sql
 index cc1374a..1870a60 100644
 --- a/sql/pgaudit.sql
 +++ b/sql/pgaudit.sql
@@ -1612,6 +1612,36 @@ COMMIT;
 DROP TABLE part_test;
 +--
 +-- Test logging in parallel workers
 +SET pgaudit.log = 'read';
 +SET pgaudit.log_client = on;
 +SET pgaudit.log_level = 'notice';
 +
 +-- Force parallel execution for testing
 +SET max_parallel_workers_per_gather = 2;
 +SET parallel_tuple_cost = 0;
 +SET parallel_setup_cost = 0;
 +SET min_parallel_table_scan_size = 0;
 +SET min_parallel_index_scan_size = 0;
 +
 +-- Create table with enough data to trigger parallel execution
 +CREATE TABLE parallel_test (id int, data text);
 +INSERT INTO parallel_test SELECT generate_series(1, 1000), 'test data';
 +
 +SELECT count(*) FROM parallel_test;
 +
 +-- Cleanup parallel test
 +DROP TABLE parallel_test;
 +RESET max_parallel_workers_per_gather;
 +RESET parallel_tuple_cost;
 +RESET parallel_setup_cost;
 +RESET min_parallel_table_scan_size;
 +RESET min_parallel_index_scan_size;
 +RESET pgaudit.log;
 +RESET pgaudit.log_client;
 +RESET pgaudit.log_level;
 +
 -- Cleanup
 -- Set client_min_messages up to warning to avoid noise
 SET client_min_messages = 'warning';
--- a/compute/patches/pgaudit-parallel_workers-v15.patch
+++ b/compute/patches/pgaudit-parallel_workers-v15.patch
@@ -0,0 +1,143 @@
 commit 29dc2847f6255541992f18faf8a815dfab79631a
 Author: Tristan Partin <tristan.partin@databricks.com>
 Date:   2025-06-23 02:09:31 +0000
    Disable logging in parallel workers
    When a query uses parallel workers, pgaudit will log the same query for
    every parallel worker. This is undesireable since it can result in log
    amplification for queries that use parallel workers.
    Signed-off-by: Tristan Partin <tristan.partin@databricks.com>
 diff --git a/expected/pgaudit.out b/expected/pgaudit.out
 index b22560b..73f0327 100644
 --- a/expected/pgaudit.out
 +++ b/expected/pgaudit.out
@@ -2563,6 +2563,37 @@ COMMIT;
 NOTICE:  AUDIT: SESSION,12,4,MISC,COMMIT,,,COMMIT;,<not logged>
 DROP TABLE part_test;
 NOTICE:  AUDIT: SESSION,13,1,DDL,DROP TABLE,,,DROP TABLE part_test;,<not logged>
 +--
 +-- Test logging in parallel workers
 +SET pgaudit.log = 'read';
 +SET pgaudit.log_client = on;
 +SET pgaudit.log_level = 'notice';
 +-- Force parallel execution for testing
 +SET max_parallel_workers_per_gather = 2;
 +SET parallel_tuple_cost = 0;
 +SET parallel_setup_cost = 0;
 +SET min_parallel_table_scan_size = 0;
 +SET min_parallel_index_scan_size = 0;
 +-- Create table with enough data to trigger parallel execution
 +CREATE TABLE parallel_test (id int, data text);
 +INSERT INTO parallel_test SELECT generate_series(1, 1000), 'test data';
 +SELECT count(*) FROM parallel_test;
 +NOTICE:  AUDIT: SESSION,14,1,READ,SELECT,,,SELECT count(*) FROM parallel_test;,<not logged>
 + count 
 +-------
 +  1000
 +(1 row)
 +
 +-- Cleanup parallel test
 +DROP TABLE parallel_test;
 +RESET max_parallel_workers_per_gather;
 +RESET parallel_tuple_cost;
 +RESET parallel_setup_cost;
 +RESET min_parallel_table_scan_size;
 +RESET min_parallel_index_scan_size;
 +RESET pgaudit.log;
 +RESET pgaudit.log_client;
 +RESET pgaudit.log_level;
 -- Cleanup
 -- Set client_min_messages up to warning to avoid noise
 SET client_min_messages = 'warning';
 diff --git a/pgaudit.c b/pgaudit.c
 index 5e6fd38..ac9ded2 100644
 --- a/pgaudit.c
 +++ b/pgaudit.c
@@ -11,6 +11,7 @@
 #include "postgres.h"
 #include "access/htup_details.h"
 +#include "access/parallel.h"
 #include "access/sysattr.h"
 #include "access/xact.h"
 #include "access/relation.h"
@@ -1303,7 +1304,7 @@ pgaudit_ExecutorStart_hook(QueryDesc *queryDesc, int eflags)
 {
     AuditEventStackItem *stackItem = NULL;
 -    if (!internalStatement)
 +    if (!internalStatement && !IsParallelWorker())
     {
         /* Push the audit even onto the stack */
         stackItem = stack_push();
@@ -1384,7 +1385,7 @@ pgaudit_ExecutorCheckPerms_hook(List *rangeTabls, bool abort)
     /* Log DML if the audit role is valid or session logging is enabled */
     if ((auditOid != InvalidOid || auditLogBitmap != 0) &&
 -        !IsAbortedTransactionBlockState())
 +        !IsAbortedTransactionBlockState() && !IsParallelWorker())
     {
         /* If auditLogRows is on, wait for rows processed to be set */
         if (auditLogRows && auditEventStack != NULL)
@@ -1438,7 +1439,7 @@ pgaudit_ExecutorRun_hook(QueryDesc *queryDesc, ScanDirection direction, uint64 c
     else
         standard_ExecutorRun(queryDesc, direction, count, execute_once);
 -    if (auditLogRows && !internalStatement)
 +    if (auditLogRows && !internalStatement && !IsParallelWorker())
     {
         /* Find an item from the stack by the query memory context */
         stackItem = stack_find_context(queryDesc->estate->es_query_cxt);
@@ -1458,7 +1459,7 @@ pgaudit_ExecutorEnd_hook(QueryDesc *queryDesc)
     AuditEventStackItem *stackItem = NULL;
     AuditEventStackItem *auditEventStackFull = NULL;
 -    if (auditLogRows && !internalStatement)
 +    if (auditLogRows && !internalStatement && !IsParallelWorker())
     {
         /* Find an item from the stack by the query memory context */
         stackItem = stack_find_context(queryDesc->estate->es_query_cxt);
 diff --git a/sql/pgaudit.sql b/sql/pgaudit.sql
 index 8052426..7f0667b 100644
 --- a/sql/pgaudit.sql
 +++ b/sql/pgaudit.sql
@@ -1612,6 +1612,36 @@ COMMIT;
 DROP TABLE part_test;
 +--
 +-- Test logging in parallel workers
 +SET pgaudit.log = 'read';
 +SET pgaudit.log_client = on;
 +SET pgaudit.log_level = 'notice';
 +
 +-- Force parallel execution for testing
 +SET max_parallel_workers_per_gather = 2;
 +SET parallel_tuple_cost = 0;
 +SET parallel_setup_cost = 0;
 +SET min_parallel_table_scan_size = 0;
 +SET min_parallel_index_scan_size = 0;
 +
 +-- Create table with enough data to trigger parallel execution
 +CREATE TABLE parallel_test (id int, data text);
 +INSERT INTO parallel_test SELECT generate_series(1, 1000), 'test data';
 +
 +SELECT count(*) FROM parallel_test;
 +
 +-- Cleanup parallel test
 +DROP TABLE parallel_test;
 +RESET max_parallel_workers_per_gather;
 +RESET parallel_tuple_cost;
 +RESET parallel_setup_cost;
 +RESET min_parallel_table_scan_size;
 +RESET min_parallel_index_scan_size;
 +RESET pgaudit.log;
 +RESET pgaudit.log_client;
 +RESET pgaudit.log_level;
 +
 -- Cleanup
 -- Set client_min_messages up to warning to avoid noise
 SET client_min_messages = 'warning';
--- a/compute/patches/pgaudit-parallel_workers-v16.patch
+++ b/compute/patches/pgaudit-parallel_workers-v16.patch
@@ -0,0 +1,143 @@
 commit cc708dde7ef2af2a8120d757102d2e34c0463a0f
 Author: Tristan Partin <tristan.partin@databricks.com>
 Date:   2025-06-23 02:09:31 +0000
    Disable logging in parallel workers
    When a query uses parallel workers, pgaudit will log the same query for
    every parallel worker. This is undesireable since it can result in log
    amplification for queries that use parallel workers.
    Signed-off-by: Tristan Partin <tristan.partin@databricks.com>
 diff --git a/expected/pgaudit.out b/expected/pgaudit.out
 index 8772054..9b66ac6 100644
 --- a/expected/pgaudit.out
 +++ b/expected/pgaudit.out
@@ -2556,6 +2556,37 @@ DROP SERVER fdw_server;
 NOTICE:  AUDIT: SESSION,11,1,DDL,DROP SERVER,,,DROP SERVER fdw_server;,<not logged>
 DROP EXTENSION postgres_fdw;
 NOTICE:  AUDIT: SESSION,12,1,DDL,DROP EXTENSION,,,DROP EXTENSION postgres_fdw;,<not logged>
 +--
 +-- Test logging in parallel workers
 +SET pgaudit.log = 'read';
 +SET pgaudit.log_client = on;
 +SET pgaudit.log_level = 'notice';
 +-- Force parallel execution for testing
 +SET max_parallel_workers_per_gather = 2;
 +SET parallel_tuple_cost = 0;
 +SET parallel_setup_cost = 0;
 +SET min_parallel_table_scan_size = 0;
 +SET min_parallel_index_scan_size = 0;
 +-- Create table with enough data to trigger parallel execution
 +CREATE TABLE parallel_test (id int, data text);
 +INSERT INTO parallel_test SELECT generate_series(1, 1000), 'test data';
 +SELECT count(*) FROM parallel_test;
 +NOTICE:  AUDIT: SESSION,13,1,READ,SELECT,,,SELECT count(*) FROM parallel_test;,<not logged>
 + count 
 +-------
 +  1000
 +(1 row)
 +
 +-- Cleanup parallel test
 +DROP TABLE parallel_test;
 +RESET max_parallel_workers_per_gather;
 +RESET parallel_tuple_cost;
 +RESET parallel_setup_cost;
 +RESET min_parallel_table_scan_size;
 +RESET min_parallel_index_scan_size;
 +RESET pgaudit.log;
 +RESET pgaudit.log_client;
 +RESET pgaudit.log_level;
 -- Cleanup
 -- Set client_min_messages up to warning to avoid noise
 SET client_min_messages = 'warning';
 diff --git a/pgaudit.c b/pgaudit.c
 index 004d1f9..f061164 100644
 --- a/pgaudit.c
 +++ b/pgaudit.c
@@ -11,6 +11,7 @@
 #include "postgres.h"
 #include "access/htup_details.h"
 +#include "access/parallel.h"
 #include "access/sysattr.h"
 #include "access/xact.h"
 #include "access/relation.h"
@@ -1339,7 +1340,7 @@ pgaudit_ExecutorStart_hook(QueryDesc *queryDesc, int eflags)
 {
     AuditEventStackItem *stackItem = NULL;
 -    if (!internalStatement)
 +    if (!internalStatement && !IsParallelWorker())
     {
         /* Push the audit even onto the stack */
         stackItem = stack_push();
@@ -1420,7 +1421,7 @@ pgaudit_ExecutorCheckPerms_hook(List *rangeTabls, List *permInfos, bool abort)
     /* Log DML if the audit role is valid or session logging is enabled */
     if ((auditOid != InvalidOid || auditLogBitmap != 0) &&
 -        !IsAbortedTransactionBlockState())
 +        !IsAbortedTransactionBlockState() && !IsParallelWorker())
     {
         /* If auditLogRows is on, wait for rows processed to be set */
         if (auditLogRows && auditEventStack != NULL)
@@ -1475,7 +1476,7 @@ pgaudit_ExecutorRun_hook(QueryDesc *queryDesc, ScanDirection direction, uint64 c
     else
         standard_ExecutorRun(queryDesc, direction, count, execute_once);
 -    if (auditLogRows && !internalStatement)
 +    if (auditLogRows && !internalStatement && !IsParallelWorker())
     {
         /* Find an item from the stack by the query memory context */
         stackItem = stack_find_context(queryDesc->estate->es_query_cxt);
@@ -1495,7 +1496,7 @@ pgaudit_ExecutorEnd_hook(QueryDesc *queryDesc)
     AuditEventStackItem *stackItem = NULL;
     AuditEventStackItem *auditEventStackFull = NULL;
 -    if (auditLogRows && !internalStatement)
 +    if (auditLogRows && !internalStatement && !IsParallelWorker())
     {
         /* Find an item from the stack by the query memory context */
         stackItem = stack_find_context(queryDesc->estate->es_query_cxt);
 diff --git a/sql/pgaudit.sql b/sql/pgaudit.sql
 index 6aae88b..de6d7fd 100644
 --- a/sql/pgaudit.sql
 +++ b/sql/pgaudit.sql
@@ -1631,6 +1631,36 @@ DROP USER MAPPING FOR regress_user1 SERVER fdw_server;
 DROP SERVER fdw_server;
 DROP EXTENSION postgres_fdw;
 +--
 +-- Test logging in parallel workers
 +SET pgaudit.log = 'read';
 +SET pgaudit.log_client = on;
 +SET pgaudit.log_level = 'notice';
 +
 +-- Force parallel execution for testing
 +SET max_parallel_workers_per_gather = 2;
 +SET parallel_tuple_cost = 0;
 +SET parallel_setup_cost = 0;
 +SET min_parallel_table_scan_size = 0;
 +SET min_parallel_index_scan_size = 0;
 +
 +-- Create table with enough data to trigger parallel execution
 +CREATE TABLE parallel_test (id int, data text);
 +INSERT INTO parallel_test SELECT generate_series(1, 1000), 'test data';
 +
 +SELECT count(*) FROM parallel_test;
 +
 +-- Cleanup parallel test
 +DROP TABLE parallel_test;
 +RESET max_parallel_workers_per_gather;
 +RESET parallel_tuple_cost;
 +RESET parallel_setup_cost;
 +RESET min_parallel_table_scan_size;
 +RESET min_parallel_index_scan_size;
 +RESET pgaudit.log;
 +RESET pgaudit.log_client;
 +RESET pgaudit.log_level;
 +
 -- Cleanup
 -- Set client_min_messages up to warning to avoid noise
 SET client_min_messages = 'warning';
--- a/compute/patches/pgaudit-parallel_workers-v17.patch
+++ b/compute/patches/pgaudit-parallel_workers-v17.patch
@@ -0,0 +1,143 @@
 commit 8d02e4c6c5e1e8676251b0717a46054267091cb4
 Author: Tristan Partin <tristan.partin@databricks.com>
 Date:   2025-06-23 02:09:31 +0000
    Disable logging in parallel workers
    When a query uses parallel workers, pgaudit will log the same query for
    every parallel worker. This is undesireable since it can result in log
    amplification for queries that use parallel workers.
    Signed-off-by: Tristan Partin <tristan.partin@databricks.com>
 diff --git a/expected/pgaudit.out b/expected/pgaudit.out
 index d696287..4b1059a 100644
 --- a/expected/pgaudit.out
 +++ b/expected/pgaudit.out
@@ -2568,6 +2568,37 @@ DROP SERVER fdw_server;
 NOTICE:  AUDIT: SESSION,11,1,DDL,DROP SERVER,,,DROP SERVER fdw_server,<not logged>
 DROP EXTENSION postgres_fdw;
 NOTICE:  AUDIT: SESSION,12,1,DDL,DROP EXTENSION,,,DROP EXTENSION postgres_fdw,<not logged>
 +--
 +-- Test logging in parallel workers
 +SET pgaudit.log = 'read';
 +SET pgaudit.log_client = on;
 +SET pgaudit.log_level = 'notice';
 +-- Force parallel execution for testing
 +SET max_parallel_workers_per_gather = 2;
 +SET parallel_tuple_cost = 0;
 +SET parallel_setup_cost = 0;
 +SET min_parallel_table_scan_size = 0;
 +SET min_parallel_index_scan_size = 0;
 +-- Create table with enough data to trigger parallel execution
 +CREATE TABLE parallel_test (id int, data text);
 +INSERT INTO parallel_test SELECT generate_series(1, 1000), 'test data';
 +SELECT count(*) FROM parallel_test;
 +NOTICE:  AUDIT: SESSION,13,1,READ,SELECT,,,SELECT count(*) FROM parallel_test,<not logged>
 + count 
 +-------
 +  1000
 +(1 row)
 +
 +-- Cleanup parallel test
 +DROP TABLE parallel_test;
 +RESET max_parallel_workers_per_gather;
 +RESET parallel_tuple_cost;
 +RESET parallel_setup_cost;
 +RESET min_parallel_table_scan_size;
 +RESET min_parallel_index_scan_size;
 +RESET pgaudit.log;
 +RESET pgaudit.log_client;
 +RESET pgaudit.log_level;
 -- Cleanup
 -- Set client_min_messages up to warning to avoid noise
 SET client_min_messages = 'warning';
 diff --git a/pgaudit.c b/pgaudit.c
 index 1764af1..0e48875 100644
 --- a/pgaudit.c
 +++ b/pgaudit.c
@@ -11,6 +11,7 @@
 #include "postgres.h"
 #include "access/htup_details.h"
 +#include "access/parallel.h"
 #include "access/sysattr.h"
 #include "access/xact.h"
 #include "access/relation.h"
@@ -1406,7 +1407,7 @@ pgaudit_ExecutorStart_hook(QueryDesc *queryDesc, int eflags)
 {
     AuditEventStackItem *stackItem = NULL;
 -    if (!internalStatement)
 +    if (!internalStatement && !IsParallelWorker())
     {
         /* Push the audit event onto the stack */
         stackItem = stack_push();
@@ -1489,7 +1490,7 @@ pgaudit_ExecutorCheckPerms_hook(List *rangeTabls, List *permInfos, bool abort)
     /* Log DML if the audit role is valid or session logging is enabled */
     if ((auditOid != InvalidOid || auditLogBitmap != 0) &&
 -        !IsAbortedTransactionBlockState())
 +        !IsAbortedTransactionBlockState() && !IsParallelWorker())
     {
         /* If auditLogRows is on, wait for rows processed to be set */
         if (auditLogRows && auditEventStack != NULL)
@@ -1544,7 +1545,7 @@ pgaudit_ExecutorRun_hook(QueryDesc *queryDesc, ScanDirection direction, uint64 c
     else
         standard_ExecutorRun(queryDesc, direction, count, execute_once);
 -    if (auditLogRows && !internalStatement)
 +    if (auditLogRows && !internalStatement && !IsParallelWorker())
     {
         /* Find an item from the stack by the query memory context */
         stackItem = stack_find_context(queryDesc->estate->es_query_cxt);
@@ -1564,7 +1565,7 @@ pgaudit_ExecutorEnd_hook(QueryDesc *queryDesc)
     AuditEventStackItem *stackItem = NULL;
     AuditEventStackItem *auditEventStackFull = NULL;
 -    if (auditLogRows && !internalStatement)
 +    if (auditLogRows && !internalStatement && !IsParallelWorker())
     {
         /* Find an item from the stack by the query memory context */
         stackItem = stack_find_context(queryDesc->estate->es_query_cxt);
 diff --git a/sql/pgaudit.sql b/sql/pgaudit.sql
 index e161f01..c873098 100644
 --- a/sql/pgaudit.sql
 +++ b/sql/pgaudit.sql
@@ -1637,6 +1637,36 @@ DROP USER MAPPING FOR regress_user1 SERVER fdw_server;
 DROP SERVER fdw_server;
 DROP EXTENSION postgres_fdw;
 +--
 +-- Test logging in parallel workers
 +SET pgaudit.log = 'read';
 +SET pgaudit.log_client = on;
 +SET pgaudit.log_level = 'notice';
 +
 +-- Force parallel execution for testing
 +SET max_parallel_workers_per_gather = 2;
 +SET parallel_tuple_cost = 0;
 +SET parallel_setup_cost = 0;
 +SET min_parallel_table_scan_size = 0;
 +SET min_parallel_index_scan_size = 0;
 +
 +-- Create table with enough data to trigger parallel execution
 +CREATE TABLE parallel_test (id int, data text);
 +INSERT INTO parallel_test SELECT generate_series(1, 1000), 'test data';
 +
 +SELECT count(*) FROM parallel_test;
 +
 +-- Cleanup parallel test
 +DROP TABLE parallel_test;
 +RESET max_parallel_workers_per_gather;
 +RESET parallel_tuple_cost;
 +RESET parallel_setup_cost;
 +RESET min_parallel_table_scan_size;
 +RESET min_parallel_index_scan_size;
 +RESET pgaudit.log;
 +RESET pgaudit.log_client;
 +RESET pgaudit.log_level;
 +
 -- Cleanup
 -- Set client_min_messages up to warning to avoid noise
 SET client_min_messages = 'warning';
--- a/compute/patches/postgres_fdw.patch
+++ b/compute/patches/postgres_fdw.patch
@@ -0,0 +1,17 @@
 diff --git a/contrib/postgres_fdw/postgres_fdw--1.0.sql b/contrib/postgres_fdw/postgres_fdw--1.0.sql
 index a0f0fc1bf45..ee077f2eea6 100644
 --- a/contrib/postgres_fdw/postgres_fdw--1.0.sql
 +++ b/contrib/postgres_fdw/postgres_fdw--1.0.sql
@@ -16,3 +16,12 @@ LANGUAGE C STRICT;
 CREATE FOREIGN DATA WRAPPER postgres_fdw
   HANDLER postgres_fdw_handler
   VALIDATOR postgres_fdw_validator;
 +
 +DO $$
 +DECLARE
 +  privileged_role_name text;
 +BEGIN
 +  privileged_role_name := current_setting('neon.privileged_role_name');
 +
 +  EXECUTE format('GRANT USAGE ON FOREIGN DATA WRAPPER postgres_fdw TO %I', privileged_role_name);
 +END $$;
--- a/compute/vm-image-spec-bookworm.yaml
+++ b/compute/vm-image-spec-bookworm.yaml
@@ -26,7 +26,7 @@ commands:
  - name: postgres-exporter
    user: nobody
    sysvInitAction: respawn
-    shell: 'DATA_SOURCE_NAME="user=cloud_admin sslmode=disable dbname=postgres application_name=postgres-exporter" /bin/postgres_exporter --config.file=/etc/postgres_exporter.yml'
+    shell: 'DATA_SOURCE_NAME="user=cloud_admin sslmode=disable dbname=postgres application_name=postgres-exporter pgaudit.log=none" /bin/postgres_exporter --config.file=/etc/postgres_exporter.yml'
  - name: pgbouncer-exporter
    user: postgres
    sysvInitAction: respawn
@@ -59,7 +59,7 @@ files:
      # the rules use ALL as the hostname. Avoid the pointless lookups and the "unable to
      # resolve host" log messages that they generate.
      Defaults !fqdn
-      
+
      # Allow postgres user (which is what compute_ctl runs as) to run /neonvm/bin/resize-swap
      # and /neonvm/bin/set-disk-quota as root without requiring entering a password (NOPASSWD),
      # regardless of hostname (ALL)
--- a/compute/vm-image-spec-bullseye.yaml
+++ b/compute/vm-image-spec-bullseye.yaml
@@ -26,7 +26,7 @@ commands:
  - name: postgres-exporter
    user: nobody
    sysvInitAction: respawn
-    shell: 'DATA_SOURCE_NAME="user=cloud_admin sslmode=disable dbname=postgres application_name=postgres-exporter" /bin/postgres_exporter --config.file=/etc/postgres_exporter.yml'
+    shell: 'DATA_SOURCE_NAME="user=cloud_admin sslmode=disable dbname=postgres application_name=postgres-exporter pgaudit.log=none" /bin/postgres_exporter --config.file=/etc/postgres_exporter.yml'
  - name: pgbouncer-exporter
    user: postgres
    sysvInitAction: respawn
@@ -59,7 +59,7 @@ files:
      # the rules use ALL as the hostname. Avoid the pointless lookups and the "unable to
      # resolve host" log messages that they generate.
      Defaults !fqdn
-      
+
      # Allow postgres user (which is what compute_ctl runs as) to run /neonvm/bin/resize-swap
      # and /neonvm/bin/set-disk-quota as root without requiring entering a password (NOPASSWD),
      # regardless of hostname (ALL)
--- a/compute_tools/Cargo.toml
+++ b/compute_tools/Cargo.toml
@@ -27,6 +27,7 @@ fail.workspace = true
 flate2.workspace = true
 futures.workspace = true
 http.workspace = true
 hostname-validator = "1.1"
 indexmap.workspace = true
 itertools.workspace = true
 jsonwebtoken.workspace = true
@@ -38,6 +39,7 @@ once_cell.workspace = true
 opentelemetry.workspace = true
 opentelemetry_sdk.workspace = true
 p256 = { version = "0.13", features = ["pem"] }
 pageserver_page_api.workspace = true
 postgres.workspace = true
 regex.workspace = true
 reqwest = { workspace = true, features = ["json"] }
@@ -53,6 +55,7 @@ tokio = { workspace = true, features = ["rt", "rt-multi-thread"] }
 tokio-postgres.workspace = true
 tokio-util.workspace = true
 tokio-stream.workspace = true
 tonic.workspace = true
 tower-otel.workspace = true
 tracing.workspace = true
 tracing-opentelemetry.workspace = true
@@ -63,7 +66,8 @@ url.workspace = true
 uuid.workspace = true
 walkdir.workspace = true
 x509-cert.workspace = true
-
+postgres-types.workspace = true
 postgres_versioninfo.workspace = true
 postgres_initdb.workspace = true
 compute_api.workspace = true
 utils.workspace = true
--- a/compute_tools/README.md
+++ b/compute_tools/README.md
@@ -46,11 +46,14 @@ stateDiagram-v2
  Configuration --> Failed : Failed to configure the compute
  Configuration --> Running : Compute has been configured
  Empty --> Init : Compute spec is immediately available
-  Empty --> TerminationPending : Requested termination
+  Empty --> TerminationPendingFast : Requested termination
  Empty --> TerminationPendingImmediate : Requested termination
  Init --> Failed : Failed to start Postgres
  Init --> Running : Started Postgres
-  Running --> TerminationPending : Requested termination
+  Running --> TerminationPendingFast : Requested termination
-  TerminationPending --> Terminated : Terminated compute
+  Running --> TerminationPendingImmediate : Requested termination
  TerminationPendingFast --> Terminated compute with 30s delay for cplane to inspect status
  TerminationPendingImmediate --> Terminated : Terminated compute immediately
  Failed --> [*] : Compute exited
  Terminated --> [*] : Compute exited
 ```
--- a/compute_tools/src/bin/compute_ctl.rs
+++ b/compute_tools/src/bin/compute_ctl.rs
@@ -36,11 +36,13 @@
 use std::ffi::OsString;
 use std::fs::File;
 use std::process::exit;
 use std::sync::Arc;
 use std::sync::atomic::AtomicU64;
 use std::sync::mpsc;
 use std::thread;
 use std::time::Duration;
-use anyhow::{Context, Result};
+use anyhow::{Context, Result, bail};
 use clap::Parser;
 use compute_api::responses::ComputeConfig;
 use compute_tools::compute::{
@@ -57,14 +59,14 @@ use tracing::{error, info};
 use url::Url;
 use utils::failpoint_support;
-#[derive(Parser)]
+#[derive(Debug, Parser)]
 #[command(rename_all = "kebab-case")]
 struct Cli {
    #[arg(short = 'b', long, default_value = "postgres", env = "POSTGRES_PATH")]
    pub pgbin: String,
    /// The base URL for the remote extension storage proxy gateway.
-    #[arg(short = 'r', long)]
+    #[arg(short = 'r', long, value_parser = Self::parse_remote_ext_base_url)]
    pub remote_ext_base_url: Option<Url>,
    /// The port to bind the external listening HTTP server to. Clients running
@@ -85,6 +87,14 @@ struct Cli {
    #[arg(short = 'C', long, value_name = "DATABASE_URL")]
    pub connstr: String,
    #[arg(
        long,
        default_value = "neon_superuser",
        value_name = "PRIVILEGED_ROLE_NAME",
        value_parser = Self::parse_privileged_role_name
    )]
    pub privileged_role_name: String,
    #[cfg(target_os = "linux")]
    #[arg(long, default_value = "neon-postgres")]
    pub cgroup: String,
@@ -124,6 +134,44 @@ struct Cli {
    /// Interval in seconds for collecting installed extensions statistics
    #[arg(long, default_value = "3600")]
    pub installed_extensions_collection_interval: u64,
    /// Run in development mode, skipping VM-specific operations like process termination
    #[arg(long, action = clap::ArgAction::SetTrue)]
    pub dev: bool,
 }
 impl Cli {
    /// Parse a URL from an argument. By default, this isn't necessary, but we
    /// want to do some sanity checking.
    fn parse_remote_ext_base_url(value: &str) -> Result<Url> {
        // Remove extra trailing slashes, and add one. We use Url::join() later
        // when downloading remote extensions. If the base URL is something like
        // http://example.com/pg-ext-s3-gateway, and join() is called with
        // something like "xyz", the resulting URL is http://example.com/xyz.
        let value = value.trim_end_matches('/').to_owned() + "/";
        let url = Url::parse(&value)?;
        if url.query_pairs().count() != 0 {
            bail!("parameters detected in remote extensions base URL")
        }
        Ok(url)
    }
    /// For simplicity, we do not escape `privileged_role_name` anywhere in the code.
    /// Since it's a system role, which we fully control, that's fine. Still, let's
    /// validate it to avoid any surprises.
    fn parse_privileged_role_name(value: &str) -> Result<String> {
        use regex::Regex;
        let pattern = Regex::new(r"^[a-z_]+$").unwrap();
        if !pattern.is_match(value) {
            bail!("--privileged-role-name can only contain lowercase letters and underscores")
        }
        Ok(value.to_string())
    }
 }
 fn main() -> Result<()> {
@@ -140,7 +188,7 @@ fn main() -> Result<()> {
        .build()?;
    let _rt_guard = runtime.enter();
-    runtime.block_on(init())?;
+    runtime.block_on(init(cli.dev))?;
    // enable core dumping for all child processes
    setrlimit(Resource::CORE, rlimit::INFINITY, rlimit::INFINITY)?;
@@ -153,6 +201,7 @@ fn main() -> Result<()> {
        ComputeNodeParams {
            compute_id: cli.compute_id,
            connstr,
            privileged_role_name: cli.privileged_role_name.clone(),
            pgdata: cli.pgdata.clone(),
            pgbin: cli.pgbin.clone(),
            pgversion: get_pg_version_string(&cli.pgbin),
@@ -167,7 +216,9 @@ fn main() -> Result<()> {
            cgroup: cli.cgroup,
            #[cfg(target_os = "linux")]
            vm_monitor_addr: cli.vm_monitor_addr,
-            installed_extensions_collection_interval: cli.installed_extensions_collection_interval,
+            installed_extensions_collection_interval: Arc::new(AtomicU64::new(
                cli.installed_extensions_collection_interval,
            )),
        },
        config,
    )?;
@@ -179,13 +230,13 @@ fn main() -> Result<()> {
    deinit_and_exit(exit_code);
 }
-async fn init() -> Result<()> {
+async fn init(dev_mode: bool) -> Result<()> {
    init_tracing_and_logging(DEFAULT_LOG_LEVEL).await?;
    let mut signals = Signals::new([SIGINT, SIGTERM, SIGQUIT])?;
    thread::spawn(move || {
        for sig in signals.forever() {
-            handle_exit_signal(sig);
+            handle_exit_signal(sig, dev_mode);
        }
    });
@@ -244,15 +295,16 @@ fn deinit_and_exit(exit_code: Option<i32>) -> ! {
 /// When compute_ctl is killed, send also termination signal to sync-safekeepers
 /// to prevent leakage. TODO: it is better to convert compute_ctl to async and
 /// wait for termination which would be easy then.
-fn handle_exit_signal(sig: i32) {
+fn handle_exit_signal(sig: i32, dev_mode: bool) {
    info!("received {sig} termination signal");
-    forward_termination_signal();
+    forward_termination_signal(dev_mode);
    exit(1);
 }
 #[cfg(test)]
 mod test {
-    use clap::CommandFactory;
+    use clap::{CommandFactory, Parser};
    use url::Url;
    use super::Cli;
@@ -260,4 +312,88 @@ mod test {
    fn verify_cli() {
        Cli::command().debug_assert()
    }
    #[test]
    fn verify_remote_ext_base_url() {
        let cli = Cli::parse_from([
            "compute_ctl",
            "--pgdata=test",
            "--connstr=test",
            "--compute-id=test",
            "--remote-ext-base-url",
            "https://example.com/subpath",
        ]);
        assert_eq!(
            cli.remote_ext_base_url.unwrap(),
            Url::parse("https://example.com/subpath/").unwrap()
        );
        let cli = Cli::parse_from([
            "compute_ctl",
            "--pgdata=test",
            "--connstr=test",
            "--compute-id=test",
            "--remote-ext-base-url",
            "https://example.com//",
        ]);
        assert_eq!(
            cli.remote_ext_base_url.unwrap(),
            Url::parse("https://example.com").unwrap()
        );
        Cli::try_parse_from([
            "compute_ctl",
            "--pgdata=test",
            "--connstr=test",
            "--compute-id=test",
            "--remote-ext-base-url",
            "https://example.com?hello=world",
        ])
        .expect_err("URL parameters are not allowed");
    }
    #[test]
    fn verify_privileged_role_name() {
        // Valid name
        let cli = Cli::parse_from([
            "compute_ctl",
            "--pgdata=test",
            "--connstr=test",
            "--compute-id=test",
            "--privileged-role-name",
            "my_superuser",
        ]);
        assert_eq!(cli.privileged_role_name, "my_superuser");
        // Invalid names
        Cli::try_parse_from([
            "compute_ctl",
            "--pgdata=test",
            "--connstr=test",
            "--compute-id=test",
            "--privileged-role-name",
            "NeonSuperuser",
        ])
        .expect_err("uppercase letters are not allowed");
        Cli::try_parse_from([
            "compute_ctl",
            "--pgdata=test",
            "--connstr=test",
            "--compute-id=test",
            "--privileged-role-name",
            "$'neon_superuser",
        ])
        .expect_err("special characters are not allowed");
        Cli::try_parse_from([
            "compute_ctl",
            "--pgdata=test",
            "--connstr=test",
            "--compute-id=test",
            "--privileged-role-name",
            "",
        ])
        .expect_err("empty name is not allowed");
    }
 }
--- a/compute_tools/src/bin/fast_import.rs
+++ b/compute_tools/src/bin/fast_import.rs
@@ -29,7 +29,7 @@ use anyhow::{Context, bail};
 use aws_config::BehaviorVersion;
 use camino::{Utf8Path, Utf8PathBuf};
 use clap::{Parser, Subcommand};
-use compute_tools::extension_server::{PostgresMajorVersion, get_pg_version};
+use compute_tools::extension_server::get_pg_version;
 use nix::unistd::Pid;
 use std::ops::Not;
 use tracing::{Instrument, error, info, info_span, warn};
@@ -179,12 +179,8 @@ impl PostgresProcess {
            .await
            .context("create pgdata directory")?;
-        let pg_version = match get_pg_version(self.pgbin.as_ref()) {
+        let pg_version = get_pg_version(self.pgbin.as_ref());
-            PostgresMajorVersion::V14 => 14,
+
            PostgresMajorVersion::V15 => 15,
            PostgresMajorVersion::V16 => 16,
            PostgresMajorVersion::V17 => 17,
        };
        postgres_initdb::do_run_initdb(postgres_initdb::RunInitdbArgs {
            superuser: initdb_user,
            locale: DEFAULT_LOCALE, // XXX: this shouldn't be hard-coded,
@@ -486,10 +482,8 @@ async fn cmd_pgdata(
    };
    let superuser = "cloud_admin";
-    let destination_connstring = format!(
+    let destination_connstring =
-        "host=localhost port={} user={} dbname=neondb",
+        format!("host=localhost port={pg_port} user={superuser} dbname=neondb");
        pg_port, superuser
    );
    let pgdata_dir = workdir.join("pgdata");
    let mut proc = PostgresProcess::new(pgdata_dir.clone(), pg_bin_dir.clone(), pg_lib_dir.clone());
--- a/compute_tools/src/bin/fast_import/s3_uri.rs
+++ b/compute_tools/src/bin/fast_import/s3_uri.rs
@@ -69,7 +69,7 @@ impl clap::builder::TypedValueParser for S3Uri {
        S3Uri::from_str(value_str).map_err(|e| {
            clap::Error::raw(
                clap::error::ErrorKind::InvalidValue,
-                format!("Failed to parse S3 URI: {}", e),
+                format!("Failed to parse S3 URI: {e}"),
            )
        })
    }
--- a/compute_tools/src/catalog.rs
+++ b/compute_tools/src/catalog.rs
@@ -22,7 +22,7 @@ pub async fn get_dbs_and_roles(compute: &Arc<ComputeNode>) -> anyhow::Result<Cat
    spawn(async move {
        if let Err(e) = connection.await {
-            eprintln!("connection error: {}", e);
+            eprintln!("connection error: {e}");
        }
    });
@@ -119,7 +119,7 @@ pub async fn get_database_schema(
        _ => {
            let mut lines = stderr_reader.lines();
            if let Some(line) = lines.next_line().await? {
-                if line.contains(&format!("FATAL:  database \"{}\" does not exist", dbname)) {
+                if line.contains(&format!("FATAL:  database \"{dbname}\" does not exist")) {
                    return Err(SchemaDumpError::DatabaseDoesNotExist);
                }
                warn!("pg_dump stderr: {}", line)
--- a/compute_tools/src/compute.rs
+++ b/compute_tools/src/compute.rs
@@ -3,10 +3,10 @@ use chrono::{DateTime, Utc};
 use compute_api::privilege::Privilege;
 use compute_api::responses::{
    ComputeConfig, ComputeCtlConfig, ComputeMetrics, ComputeStatus, LfcOffloadState,
-    LfcPrewarmState,
+    LfcPrewarmState, PromoteState, TlsConfig,
 };
 use compute_api::spec::{
-    ComputeAudit, ComputeFeature, ComputeMode, ComputeSpec, ExtVersion, PgIdent,
+    ComputeAudit, ComputeFeature, ComputeMode, ComputeSpec, ExtVersion, PageserverProtocol, PgIdent,
 };
 use futures::StreamExt;
 use futures::future::join_all;
@@ -15,26 +15,28 @@ use itertools::Itertools;
 use nix::sys::signal::{Signal, kill};
 use nix::unistd::Pid;
 use once_cell::sync::Lazy;
 use pageserver_page_api::{self as page_api, BaseBackupCompression};
 use postgres;
 use postgres::NoTls;
 use postgres::error::SqlState;
 use remote_storage::{DownloadError, RemotePath};
 use std::collections::{HashMap, HashSet};
 use std::net::SocketAddr;
 use std::os::unix::fs::{PermissionsExt, symlink};
 use std::path::Path;
 use std::process::{Command, Stdio};
 use std::str::FromStr;
-use std::sync::atomic::{AtomicU32, Ordering};
+use std::sync::atomic::{AtomicU32, AtomicU64, Ordering};
 use std::sync::{Arc, Condvar, Mutex, RwLock};
 use std::time::{Duration, Instant};
 use std::{env, fs};
-use tokio::spawn;
+use tokio::{spawn, sync::watch, task::JoinHandle, time};
 use tracing::{Instrument, debug, error, info, instrument, warn};
 use url::Url;
 use utils::id::{TenantId, TimelineId};
 use utils::lsn::Lsn;
 use utils::measured_stream::MeasuredReader;
 use utils::pid_file;
 use utils::shard::{ShardCount, ShardIndex, ShardNumber};
 use crate::configurator::launch_configurator;
 use crate::disk_quota::set_disk_quota;
@@ -44,6 +46,7 @@ use crate::lsn_lease::launch_lsn_lease_bg_task_for_static;
 use crate::metrics::COMPUTE_CTL_UP;
 use crate::monitor::launch_monitor;
 use crate::pg_helpers::*;
 use crate::pgbouncer::*;
 use crate::rsyslog::{
    PostgresLogsRsyslogConfig, configure_audit_rsyslog, configure_postgres_logs_export,
    launch_pgaudit_gc,
@@ -67,15 +70,24 @@ pub static BUILD_TAG: Lazy<String> = Lazy::new(|| {
        .unwrap_or(BUILD_TAG_DEFAULT)
        .to_string()
 });
 const DEFAULT_INSTALLED_EXTENSIONS_COLLECTION_INTERVAL: u64 = 3600;
 /// Static configuration params that don't change after startup. These mostly
 /// come from the CLI args, or are derived from them.
 #[derive(Clone, Debug)]
 pub struct ComputeNodeParams {
    /// The ID of the compute
    pub compute_id: String,
-    // Url type maintains proper escaping
+
    /// Url type maintains proper escaping
    pub connstr: url::Url,
    /// The name of the 'weak' superuser role, which we give to the users.
    /// It follows the allow list approach, i.e., we take a standard role
    /// and grant it extra permissions with explicit GRANTs here and there,
    /// and core patches.
    pub privileged_role_name: String,
    pub resize_swap_on_bind: bool,
    pub set_disk_quota_for_fs: Option<String>,
@@ -100,9 +112,11 @@ pub struct ComputeNodeParams {
    pub remote_ext_base_url: Option<Url>,
    /// Interval for installed extensions collection
-    pub installed_extensions_collection_interval: u64,
+    pub installed_extensions_collection_interval: Arc<AtomicU64>,
 }
 type TaskHandle = Mutex<Option<JoinHandle<()>>>;
 /// Compute node info shared across several `compute_ctl` threads.
 pub struct ComputeNode {
    pub params: ComputeNodeParams,
@@ -123,6 +137,10 @@ pub struct ComputeNode {
    // key: ext_archive_name, value: started download time, download_completed?
    pub ext_download_progress: RwLock<HashMap<String, (DateTime<Utc>, bool)>>,
    pub compute_ctl_config: ComputeCtlConfig,
    /// Handle to the extension stats collection task
    extension_stats_task: TaskHandle,
    lfc_offload_task: TaskHandle,
 }
 // store some metrics about download size that might impact startup time
@@ -161,6 +179,11 @@ pub struct ComputeState {
    pub lfc_prewarm_state: LfcPrewarmState,
    pub lfc_offload_state: LfcOffloadState,
    /// WAL flush LSN that is set after terminating Postgres and syncing safekeepers if
    /// mode == ComputeMode::Primary. None otherwise
    pub terminate_flush_lsn: Option<Lsn>,
    pub promote_state: Option<watch::Receiver<PromoteState>>,
    pub metrics: ComputeMetrics,
 }
@@ -176,6 +199,8 @@ impl ComputeState {
            metrics: ComputeMetrics::default(),
            lfc_prewarm_state: LfcPrewarmState::default(),
            lfc_offload_state: LfcOffloadState::default(),
            terminate_flush_lsn: None,
            promote_state: None,
        }
    }
@@ -211,10 +236,50 @@ pub struct ParsedSpec {
    pub pageserver_connstr: String,
    pub safekeeper_connstrings: Vec<String>,
    pub storage_auth_token: Option<String>,
-    pub endpoint_storage_addr: Option<SocketAddr>,
+    /// k8s dns name and port
    pub endpoint_storage_addr: Option<String>,
    pub endpoint_storage_token: Option<String>,
 }
 impl ParsedSpec {
    pub fn validate(&self) -> Result<(), String> {
        // Only Primary nodes are using safekeeper_connstrings, and at the moment
        // this method only validates that part of the specs.
        if self.spec.mode != ComputeMode::Primary {
            return Ok(());
        }
        // While it seems like a good idea to check for an odd number of entries in
        // the safekeepers connection string, changes to the list of safekeepers might
        // incur appending a new server to a list of 3, in which case a list of 4
        // entries is okay in production.
        //
        // Still we want unique entries, and at least one entry in the vector
        if self.safekeeper_connstrings.is_empty() {
            return Err(String::from("safekeeper_connstrings is empty"));
        }
        // check for uniqueness of the connection strings in the set
        let mut connstrings = self.safekeeper_connstrings.clone();
        connstrings.sort();
        let mut previous = &connstrings[0];
        for current in connstrings.iter().skip(1) {
            // duplicate entry?
            if current == previous {
                return Err(format!(
                    "duplicate entry in safekeeper_connstrings: {current}!",
                ));
            }
            previous = current;
        }
        Ok(())
    }
 }
 impl TryFrom<ComputeSpec> for ParsedSpec {
    type Error = String;
    fn try_from(spec: ComputeSpec) -> Result<Self, String> {
@@ -244,6 +309,7 @@ impl TryFrom<ComputeSpec> for ParsedSpec {
        } else {
            spec.safekeeper_connstrings.clone()
        };
        let storage_auth_token = spec.storage_auth_token.clone();
        let tenant_id: TenantId = if let Some(tenant_id) = spec.tenant_id {
            tenant_id
@@ -266,19 +332,16 @@ impl TryFrom<ComputeSpec> for ParsedSpec {
                .or(Err("invalid timeline id"))?
        };
-        let endpoint_storage_addr: Option<SocketAddr> = spec
+        let endpoint_storage_addr: Option<String> = spec
            .endpoint_storage_addr
            .clone()
-            .or_else(|| spec.cluster.settings.find("neon.endpoint_storage_addr"))
+            .or_else(|| spec.cluster.settings.find("neon.endpoint_storage_addr"));
            .unwrap_or_default()
            .parse()
            .ok();
        let endpoint_storage_token = spec
            .endpoint_storage_token
            .clone()
            .or_else(|| spec.cluster.settings.find("neon.endpoint_storage_token"));
-        Ok(ParsedSpec {
+        let res = ParsedSpec {
            spec,
            pageserver_connstr,
            safekeeper_connstrings,
@@ -287,7 +350,11 @@ impl TryFrom<ComputeSpec> for ParsedSpec {
            timeline_id,
            endpoint_storage_addr,
            endpoint_storage_token,
-        })
+        };
        // Now check validity of the parsed specification
        res.validate()?;
        Ok(res)
    }
 }
@@ -314,7 +381,7 @@ fn maybe_cgexec(cmd: &str) -> Command {
 struct PostgresHandle {
    postgres: std::process::Child,
-    log_collector: tokio::task::JoinHandle<Result<()>>,
+    log_collector: JoinHandle<Result<()>>,
 }
 impl PostgresHandle {
@@ -328,7 +395,7 @@ struct StartVmMonitorResult {
    #[cfg(target_os = "linux")]
    token: tokio_util::sync::CancellationToken,
    #[cfg(target_os = "linux")]
-    vm_monitor: Option<tokio::task::JoinHandle<Result<()>>>,
+    vm_monitor: Option<JoinHandle<Result<()>>>,
 }
 impl ComputeNode {
@@ -354,14 +421,11 @@ impl ComputeNode {
        // that can affect `compute_ctl` and prevent it from properly configuring the database schema.
        // Unset them via connection string options before connecting to the database.
        // N.B. keep it in sync with `ZENITH_OPTIONS` in `get_maintenance_client()`.
-        //
+        const EXTRA_OPTIONS: &str = "-c role=cloud_admin -c default_transaction_read_only=off -c search_path=public -c statement_timeout=0 -c pgaudit.log=none";
        // TODO(ololobus): we currently pass `-c default_transaction_read_only=off` from control plane
        // as well. After rolling out this code, we can remove this parameter from control plane.
        // In the meantime, double-passing is fine, the last value is applied.
        // See: <https://github.com/neondatabase/cloud/blob/133dd8c4dbbba40edfbad475bf6a45073ca63faf/goapp/controlplane/internal/pkg/compute/provisioner/provisioner_common.go#L70>
        const EXTRA_OPTIONS: &str = "-c role=cloud_admin -c default_transaction_read_only=off -c search_path=public -c statement_timeout=0";
        let options = match conn_conf.get_options() {
-            Some(options) => format!("{} {}", options, EXTRA_OPTIONS),
+            // Allow the control plane to override any options set by the
            // compute
            Some(options) => format!("{EXTRA_OPTIONS} {options}"),
            None => EXTRA_OPTIONS.to_string(),
        };
        conn_conf.options(&options);
@@ -381,6 +445,8 @@ impl ComputeNode {
            state_changed: Condvar::new(),
            ext_download_progress: RwLock::new(HashMap::new()),
            compute_ctl_config: config.compute_ctl_config,
            extension_stats_task: Mutex::new(None),
            lfc_offload_task: Mutex::new(None),
        })
    }
@@ -396,7 +462,7 @@ impl ComputeNode {
        // because QEMU will already have its memory allocated from the host, and
        // the necessary binaries will already be cached.
        if cli_spec.is_none() {
-            this.prewarm_postgres()?;
+            this.prewarm_postgres_vm_memory()?;
        }
        // Set the up metric with Empty status before starting the HTTP server.
@@ -468,6 +534,9 @@ impl ComputeNode {
            None
        };
        this.terminate_extension_stats_task();
        this.terminate_lfc_offload_task();
        // Terminate the vm_monitor so it releases the file watcher on
        // /sys/fs/cgroup/neon-postgres.
        // Note: the vm-monitor only runs on linux because it requires cgroups.
@@ -489,12 +558,21 @@ impl ComputeNode {
        // Reap the postgres process
        delay_exit |= this.cleanup_after_postgres_exit()?;
        // /terminate returns LSN. If we don't sleep at all, connection will break and we
        // won't get result. If we sleep too much, tests will take significantly longer
        // and Github Action run will error out
        let sleep_duration = if delay_exit {
            Duration::from_secs(30)
        } else {
            Duration::from_millis(300)
        };
        // If launch failed, keep serving HTTP requests for a while, so the cloud
        // control plane can get the actual error.
        if delay_exit {
            info!("giving control plane 30s to collect the error before shutdown");
            std::thread::sleep(Duration::from_secs(30));
        }
        std::thread::sleep(sleep_duration);
        Ok(exit_code)
    }
@@ -603,6 +681,8 @@ impl ComputeNode {
            });
        }
        let tls_config = self.tls_config(&pspec.spec);
        // If there are any remote extensions in shared_preload_libraries, start downloading them
        if pspec.spec.remote_extensions.is_some() {
            let (this, spec) = (self.clone(), pspec.spec.clone());
@@ -659,7 +739,7 @@ impl ComputeNode {
            info!("tuning pgbouncer");
            let pgbouncer_settings = pgbouncer_settings.clone();
-            let tls_config = self.compute_ctl_config.tls.clone();
+            let tls_config = tls_config.clone();
            // Spawn a background task to do the tuning,
            // so that we don't block the main thread that starts Postgres.
@@ -678,7 +758,10 @@ impl ComputeNode {
            // Spawn a background task to do the configuration,
            // so that we don't block the main thread that starts Postgres.
-            let local_proxy = local_proxy.clone();
+
            let mut local_proxy = local_proxy.clone();
            local_proxy.tls = tls_config.clone();
            let _handle = tokio::spawn(async move {
                if let Err(err) = local_proxy::configure(&local_proxy) {
                    error!("error while configuring local_proxy: {err:?}");
@@ -690,10 +773,15 @@ impl ComputeNode {
        // Configure and start rsyslog for compliance audit logging
        match pspec.spec.audit_log_level {
            ComputeAudit::Hipaa | ComputeAudit::Extended | ComputeAudit::Full => {
-                let remote_endpoint =
+                let remote_tls_endpoint =
                    std::env::var("AUDIT_LOGGING_TLS_ENDPOINT").unwrap_or("".to_string());
                let remote_plain_endpoint =
                    std::env::var("AUDIT_LOGGING_ENDPOINT").unwrap_or("".to_string());
-                if remote_endpoint.is_empty() {
+
-                    anyhow::bail!("AUDIT_LOGGING_ENDPOINT is empty");
+                if remote_plain_endpoint.is_empty() && remote_tls_endpoint.is_empty() {
                    anyhow::bail!(
                        "AUDIT_LOGGING_ENDPOINT and AUDIT_LOGGING_TLS_ENDPOINT are both empty"
                    );
                }
                let log_directory_path = Path::new(&self.params.pgdata).join("log");
@@ -709,7 +797,8 @@ impl ComputeNode {
                    log_directory_path.clone(),
                    endpoint_id,
                    project_id,
-                    &remote_endpoint,
+                    &remote_plain_endpoint,
                    &remote_tls_endpoint,
                )?;
                // Launch a background task to clean up the audit logs
@@ -776,12 +865,15 @@ impl ComputeNode {
        // Log metrics so that we can search for slow operations in logs
        info!(?metrics, postmaster_pid = %postmaster_pid, "compute start finished");
        // Spawn the extension stats background task
        self.spawn_extension_stats_task();
-        if pspec.spec.prewarm_lfc_on_startup {
+        if pspec.spec.autoprewarm {
-            self.prewarm_lfc();
+            info!("autoprewarming on startup as requested");
            self.prewarm_lfc(None);
        }
        if let Some(seconds) = pspec.spec.offload_lfc_interval_seconds {
            self.spawn_lfc_offload_task(Duration::from_secs(seconds.into()));
        };
        Ok(())
    }
@@ -861,20 +953,31 @@ impl ComputeNode {
        // Maybe sync safekeepers again, to speed up next startup
        let compute_state = self.state.lock().unwrap().clone();
        let pspec = compute_state.pspec.as_ref().expect("spec must be set");
-        if matches!(pspec.spec.mode, compute_api::spec::ComputeMode::Primary) {
+        let lsn = if matches!(pspec.spec.mode, compute_api::spec::ComputeMode::Primary) {
            info!("syncing safekeepers on shutdown");
            let storage_auth_token = pspec.storage_auth_token.clone();
            let lsn = self.sync_safekeepers(storage_auth_token)?;
-            info!("synced safekeepers at lsn {lsn}");
+            info!(%lsn, "synced safekeepers");
-        }
+            Some(lsn)
        } else {
            info!("not primary, not syncing safekeepers");
            None
        };
        let mut delay_exit = false;
        let mut state = self.state.lock().unwrap();
-        if state.status == ComputeStatus::TerminationPending {
+        state.terminate_flush_lsn = lsn;
        let delay_exit = state.status == ComputeStatus::TerminationPendingFast;
        if state.status == ComputeStatus::TerminationPendingFast
            || state.status == ComputeStatus::TerminationPendingImmediate
        {
            info!(
                "Changing compute status from {} to {}",
                state.status,
                ComputeStatus::Terminated
            );
            state.status = ComputeStatus::Terminated;
            self.state_changed.notify_all();
            // we were asked to terminate gracefully, don't exit to avoid restart
            delay_exit = true
        }
        drop(state);
@@ -931,13 +1034,103 @@ impl ComputeNode {
        Ok(())
    }
-    // Get basebackup from the libpq connection to pageserver using `connstr` and
+    /// Fetches a basebackup from the Pageserver using the compute state's Pageserver connstring and
-    // unarchive it to `pgdata` directory overriding all its previous content.
+    /// unarchives it to `pgdata` directory, replacing any existing contents.
    #[instrument(skip_all, fields(%lsn))]
    fn try_get_basebackup(&self, compute_state: &ComputeState, lsn: Lsn) -> Result<()> {
        let spec = compute_state.pspec.as_ref().expect("spec must be set");
        let start_time = Instant::now();
        let shard0_connstr = spec.pageserver_connstr.split(',').next().unwrap();
        let started = Instant::now();
        let (connected, size) = match PageserverProtocol::from_connstring(shard0_connstr)? {
            PageserverProtocol::Libpq => self.try_get_basebackup_libpq(spec, lsn)?,
            PageserverProtocol::Grpc => self.try_get_basebackup_grpc(spec, lsn)?,
        };
        self.fix_zenith_signal_neon_signal()?;
        let mut state = self.state.lock().unwrap();
        state.metrics.pageserver_connect_micros =
            connected.duration_since(started).as_micros() as u64;
        state.metrics.basebackup_bytes = size as u64;
        state.metrics.basebackup_ms = started.elapsed().as_millis() as u64;
        Ok(())
    }
    /// Move the Zenith signal file to Neon signal file location.
    /// This makes Compute compatible with older PageServers that don't yet
    /// know about the Zenith->Neon rename.
    fn fix_zenith_signal_neon_signal(&self) -> Result<()> {
        let datadir = Path::new(&self.params.pgdata);
        let neonsig = datadir.join("neon.signal");
        if neonsig.is_file() {
            return Ok(());
        }
        let zenithsig = datadir.join("zenith.signal");
        if zenithsig.is_file() {
            fs::copy(zenithsig, neonsig)?;
        }
        Ok(())
    }
    /// Fetches a basebackup via gRPC. The connstring must use grpc://. Returns the timestamp when
    /// the connection was established, and the (compressed) size of the basebackup.
    fn try_get_basebackup_grpc(&self, spec: &ParsedSpec, lsn: Lsn) -> Result<(Instant, usize)> {
        let shard0_connstr = spec
            .pageserver_connstr
            .split(',')
            .next()
            .unwrap()
            .to_string();
        let shard_index = match spec.pageserver_connstr.split(',').count() as u8 {
            0 | 1 => ShardIndex::unsharded(),
            count => ShardIndex::new(ShardNumber(0), ShardCount(count)),
        };
        let (reader, connected) = tokio::runtime::Handle::current().block_on(async move {
            let mut client = page_api::Client::connect(
                shard0_connstr,
                spec.tenant_id,
                spec.timeline_id,
                shard_index,
                spec.storage_auth_token.clone(),
                None, // NB: base backups use payload compression
            )
            .await?;
            let connected = Instant::now();
            let reader = client
                .get_base_backup(page_api::GetBaseBackupRequest {
                    lsn: (lsn != Lsn(0)).then_some(lsn),
                    compression: BaseBackupCompression::Gzip,
                    replica: spec.spec.mode != ComputeMode::Primary,
                    full: false,
                })
                .await?;
            anyhow::Ok((reader, connected))
        })?;
        let mut reader = MeasuredReader::new(tokio_util::io::SyncIoBridge::new(reader));
        // Set `ignore_zeros` so that unpack() reads the entire stream and doesn't just stop at the
        // end-of-archive marker. If the server errors, the tar::Builder drop handler will write an
        // end-of-archive marker before the error is emitted, and we would not see the error.
        let mut ar = tar::Archive::new(flate2::read::GzDecoder::new(&mut reader));
        ar.set_ignore_zeros(true);
        ar.unpack(&self.params.pgdata)?;
        Ok((connected, reader.get_byte_count()))
    }
    /// Fetches a basebackup via libpq. The connstring must use postgresql://. Returns the timestamp
    /// when the connection was established, and the (compressed) size of the basebackup.
    fn try_get_basebackup_libpq(&self, spec: &ParsedSpec, lsn: Lsn) -> Result<(Instant, usize)> {
        let shard0_connstr = spec.pageserver_connstr.split(',').next().unwrap();
        let mut config = postgres::Config::from_str(shard0_connstr)?;
@@ -951,16 +1144,14 @@ impl ComputeNode {
        }
        config.application_name("compute_ctl");
-        if let Some(spec) = &compute_state.pspec {
+        config.options(&format!(
-            config.options(&format!(
+            "-c neon.compute_mode={}",
-                "-c neon.compute_mode={}",
+            spec.spec.mode.to_type_str()
-                spec.spec.mode.to_type_str()
+        ));
            ));
        }
        // Connect to pageserver
        let mut client = config.connect(NoTls)?;
-        let pageserver_connect_micros = start_time.elapsed().as_micros() as u64;
+        let connected = Instant::now();
        let basebackup_cmd = match lsn {
            Lsn(0) => {
@@ -997,16 +1188,13 @@ impl ComputeNode {
        // Set `ignore_zeros` so that unpack() reads all the Copy data and
        // doesn't stop at the end-of-archive marker. Otherwise, if the server
        // sends an Error after finishing the tarball, we will not notice it.
        // The tar::Builder drop handler will write an end-of-archive marker
        // before emitting the error, and we would not see it otherwise.
        let mut ar = tar::Archive::new(flate2::read::GzDecoder::new(&mut bufreader));
        ar.set_ignore_zeros(true);
        ar.unpack(&self.params.pgdata)?;
-        // Report metrics
+        Ok((connected, measured_reader.get_byte_count()))
        let mut state = self.state.lock().unwrap();
        state.metrics.pageserver_connect_micros = pageserver_connect_micros;
        state.metrics.basebackup_bytes = measured_reader.get_byte_count() as u64;
        state.metrics.basebackup_ms = start_time.elapsed().as_millis() as u64;
        Ok(())
    }
    // Gets the basebackup in a retry loop
@@ -1059,7 +1247,7 @@ impl ComputeNode {
        let sk_configs = sk_connstrs.into_iter().map(|connstr| {
            // Format connstr
            let id = connstr.clone();
-            let connstr = format!("postgresql://no_user@{}", connstr);
+            let connstr = format!("postgresql://no_user@{connstr}");
            let options = format!(
                "-c timeline_id={} tenant_id={}",
                pspec.timeline_id, pspec.tenant_id
@@ -1106,9 +1294,7 @@ impl ComputeNode {
        // In case of error, log and fail the check, but don't crash.
        // We're playing it safe because these errors could be transient
-        // and we don't yet retry. Also being careful here allows us to
+        // and we don't yet retry.
        // be backwards compatible with safekeepers that don't have the
        // TIMELINE_STATUS API yet.
        if responses.len() < quorum {
            error!(
                "failed sync safekeepers check {:?} {:?} {:?}",
@@ -1205,13 +1391,16 @@ impl ComputeNode {
        let spec = &pspec.spec;
        let pgdata_path = Path::new(&self.params.pgdata);
        let tls_config = self.tls_config(&pspec.spec);
        // Remove/create an empty pgdata directory and put configuration there.
        self.create_pgdata()?;
        config::write_postgres_conf(
            pgdata_path,
            &self.params,
            &pspec.spec,
            self.params.internal_http_port,
-            &self.compute_ctl_config.tls,
+            tls_config,
        )?;
        // Syncing safekeepers is only safe with primary nodes: if a primary
@@ -1307,8 +1496,8 @@ impl ComputeNode {
    }
    /// Start and stop a postgres process to warm up the VM for startup.
-    pub fn prewarm_postgres(&self) -> Result<()> {
+    pub fn prewarm_postgres_vm_memory(&self) -> Result<()> {
-        info!("prewarming");
+        info!("prewarming VM memory");
        // Create pgdata
        let pgdata = &format!("{}.warmup", self.params.pgdata);
@@ -1350,7 +1539,7 @@ impl ComputeNode {
        kill(pm_pid, Signal::SIGQUIT)?;
        info!("sent SIGQUIT signal");
        pg.wait()?;
-        info!("done prewarming");
+        info!("done prewarming vm memory");
        // clean up
        let _ok = fs::remove_dir_all(pgdata);
@@ -1420,7 +1609,7 @@ impl ComputeNode {
                let (mut client, connection) = conf.connect(NoTls).await?;
                tokio::spawn(async move {
                    if let Err(e) = connection.await {
-                        eprintln!("connection error: {}", e);
+                        eprintln!("connection error: {e}");
                    }
                });
@@ -1536,17 +1725,28 @@ impl ComputeNode {
                .clone(),
        );
        let mut tls_config = None::<TlsConfig>;
        if spec.features.contains(&ComputeFeature::TlsExperimental) {
            tls_config = self.compute_ctl_config.tls.clone();
        }
        self.update_installed_extensions_collection_interval(&spec);
        let max_concurrent_connections = self.max_service_connections(compute_state, &spec);
        // Merge-apply spec & changes to PostgreSQL state.
        self.apply_spec_sql(spec.clone(), conf.clone(), max_concurrent_connections)?;
        if let Some(local_proxy) = &spec.clone().local_proxy_config {
            let mut local_proxy = local_proxy.clone();
            local_proxy.tls = tls_config.clone();
            info!("configuring local_proxy");
-            local_proxy::configure(local_proxy).context("apply_config local_proxy")?;
+            local_proxy::configure(&local_proxy).context("apply_config local_proxy")?;
        }
        // Run migrations separately to not hold up cold starts
        let params = self.params.clone();
        tokio::spawn(async move {
            let mut conf = conf.as_ref().clone();
            conf.application_name("compute_ctl:migrations");
@@ -1555,10 +1755,10 @@ impl ComputeNode {
                Ok((mut client, connection)) => {
                    tokio::spawn(async move {
                        if let Err(e) = connection.await {
-                            eprintln!("connection error: {}", e);
+                            eprintln!("connection error: {e}");
                        }
                    });
-                    if let Err(e) = handle_migrations(&mut client).await {
+                    if let Err(e) = handle_migrations(params, &mut client).await {
                        error!("Failed to run migrations: {}", e);
                    }
                }
@@ -1595,11 +1795,15 @@ impl ComputeNode {
    pub fn reconfigure(&self) -> Result<()> {
        let spec = self.state.lock().unwrap().pspec.clone().unwrap().spec;
        let tls_config = self.tls_config(&spec);
        self.update_installed_extensions_collection_interval(&spec);
        if let Some(ref pgbouncer_settings) = spec.pgbouncer_settings {
            info!("tuning pgbouncer");
            let pgbouncer_settings = pgbouncer_settings.clone();
-            let tls_config = self.compute_ctl_config.tls.clone();
+            let tls_config = tls_config.clone();
            // Spawn a background task to do the tuning,
            // so that we don't block the main thread that starts Postgres.
@@ -1617,7 +1821,7 @@ impl ComputeNode {
            // Spawn a background task to do the configuration,
            // so that we don't block the main thread that starts Postgres.
            let mut local_proxy = local_proxy.clone();
-            local_proxy.tls = self.compute_ctl_config.tls.clone();
+            local_proxy.tls = tls_config.clone();
            tokio::spawn(async move {
                if let Err(err) = local_proxy::configure(&local_proxy) {
                    error!("error while configuring local_proxy: {err:?}");
@@ -1633,11 +1837,14 @@ impl ComputeNode {
        let pgdata_path = Path::new(&self.params.pgdata);
        config::write_postgres_conf(
            pgdata_path,
            &self.params,
            &spec,
            self.params.internal_http_port,
-            &self.compute_ctl_config.tls,
+            tls_config,
        )?;
        self.pg_reload_conf()?;
        if !spec.skip_pg_catalog_updates {
            let max_concurrent_connections = spec.reconfigure_concurrency;
            // Temporarily reset max_cluster_size in config
@@ -1657,10 +1864,9 @@ impl ComputeNode {
                Ok(())
            })?;
            self.pg_reload_conf()?;
        }
        self.pg_reload_conf()?;
        let unknown_op = "unknown".to_string();
        let op_id = spec.operation_uuid.as_ref().unwrap_or(&unknown_op);
        info!(
@@ -1733,7 +1939,8 @@ impl ComputeNode {
                            // exit loop
                            ComputeStatus::Failed
-                            | ComputeStatus::TerminationPending
+                            | ComputeStatus::TerminationPendingFast
                            | ComputeStatus::TerminationPendingImmediate
                            | ComputeStatus::Terminated => break 'cert_update,
                            // wait
@@ -1755,6 +1962,14 @@ impl ComputeNode {
        }
    }
    pub fn tls_config(&self, spec: &ComputeSpec) -> &Option<TlsConfig> {
        if spec.features.contains(&ComputeFeature::TlsExperimental) {
            &self.compute_ctl_config.tls
        } else {
            &None::<TlsConfig>
        }
    }
    /// Update the `last_active` in the shared state, but ensure that it's a more recent one.
    pub fn update_last_active(&self, last_active: Option<DateTime<Utc>>) {
        let mut state = self.state.lock().unwrap();
@@ -1849,7 +2064,7 @@ impl ComputeNode {
        let (client, connection) = connect_result.unwrap();
        tokio::spawn(async move {
            if let Err(e) = connection.await {
-                eprintln!("connection error: {}", e);
+                eprintln!("connection error: {e}");
            }
        });
        let result = client
@@ -2018,7 +2233,7 @@ LIMIT 100",
            db_client
                .simple_query(&query)
                .await
-                .with_context(|| format!("Failed to execute query: {}", query))?;
+                .with_context(|| format!("Failed to execute query: {query}"))?;
        }
        Ok(())
@@ -2045,7 +2260,7 @@ LIMIT 100",
        let version: Option<ExtVersion> = db_client
            .query_opt(version_query, &[&ext_name])
            .await
-            .with_context(|| format!("Failed to execute query: {}", version_query))?
+            .with_context(|| format!("Failed to execute query: {version_query}"))?
            .map(|row| row.get(0));
        // sanitize the inputs as postgres idents.
@@ -2060,14 +2275,14 @@ LIMIT 100",
            db_client
                .simple_query(&query)
                .await
-                .with_context(|| format!("Failed to execute query: {}", query))?;
+                .with_context(|| format!("Failed to execute query: {query}"))?;
        } else {
            let query =
                format!("CREATE EXTENSION IF NOT EXISTS {ext_name} WITH VERSION {quoted_version}");
            db_client
                .simple_query(&query)
                .await
-                .with_context(|| format!("Failed to execute query: {}", query))?;
+                .with_context(|| format!("Failed to execute query: {query}"))?;
        }
        Ok(ext_version)
@@ -2191,24 +2406,101 @@ LIMIT 100",
    }
    pub fn spawn_extension_stats_task(&self) {
        self.terminate_extension_stats_task();
        let conf = self.tokio_conn_conf.clone();
-        let installed_extensions_collection_interval =
+        let atomic_interval = self.params.installed_extensions_collection_interval.clone();
-            self.params.installed_extensions_collection_interval;
+        let mut installed_extensions_collection_interval =
-        tokio::spawn(async move {
+            2 * atomic_interval.load(std::sync::atomic::Ordering::SeqCst);
-            // An initial sleep is added to ensure that two collections don't happen at the same time.
+        info!(
-            // The first collection happens during compute startup.
+            "[NEON_EXT_SPAWN] Spawning background installed extensions worker with Timeout: {}",
-            tokio::time::sleep(tokio::time::Duration::from_secs(
+            installed_extensions_collection_interval
-                installed_extensions_collection_interval,
+        );
-            ))
+        let handle = tokio::spawn(async move {
            .await;
            let mut interval = tokio::time::interval(tokio::time::Duration::from_secs(
                installed_extensions_collection_interval,
            ));
            loop {
-                interval.tick().await;
+                info!(
                    "[NEON_EXT_INT_SLEEP]: Interval: {}",
                    installed_extensions_collection_interval
                );
                // Sleep at the start of the loop to ensure that two collections don't happen at the same time.
                // The first collection happens during compute startup.
                tokio::time::sleep(tokio::time::Duration::from_secs(
                    installed_extensions_collection_interval,
                ))
                .await;
                let _ = installed_extensions(conf.clone()).await;
                // Acquire a read lock on the compute spec and then update the interval if necessary
                installed_extensions_collection_interval = std::cmp::max(
                    installed_extensions_collection_interval,
                    2 * atomic_interval.load(std::sync::atomic::Ordering::SeqCst),
                );
            }
        });
        // Store the new task handle
        *self.extension_stats_task.lock().unwrap() = Some(handle);
    }
    fn terminate_extension_stats_task(&self) {
        if let Some(h) = self.extension_stats_task.lock().unwrap().take() {
            h.abort()
        }
    }
    pub fn spawn_lfc_offload_task(self: &Arc<Self>, interval: Duration) {
        self.terminate_lfc_offload_task();
        let secs = interval.as_secs();
        let this = self.clone();
        info!("spawning LFC offload worker with {secs}s interval");
        let handle = spawn(async move {
            let mut interval = time::interval(interval);
            interval.tick().await; // returns immediately
            loop {
                interval.tick().await;
                let prewarm_state = this.state.lock().unwrap().lfc_prewarm_state.clone();
                // Do not offload LFC state if we are currently prewarming or any issue occurred.
                // If we'd do that, we might override the LFC state in endpoint storage with some
                // incomplete state. Imagine a situation:
                // 1. Endpoint started with `autoprewarm: true`
                // 2. While prewarming is not completed, we upload the new incomplete state
                // 3. Compute gets interrupted and restarts
                // 4. We start again and try to prewarm with the state from 2. instead of the previous complete state
                if matches!(
                    prewarm_state,
                    LfcPrewarmState::Completed
                        | LfcPrewarmState::NotPrewarmed
                        | LfcPrewarmState::Skipped
                ) {
                    this.offload_lfc_async().await;
                }
            }
        });
        *self.lfc_offload_task.lock().unwrap() = Some(handle);
    }
    fn terminate_lfc_offload_task(&self) {
        if let Some(h) = self.lfc_offload_task.lock().unwrap().take() {
            h.abort()
        }
    }
    fn update_installed_extensions_collection_interval(&self, spec: &ComputeSpec) {
        // Update the interval for collecting installed extensions statistics
        // If the value is -1, we never suspend so set the value to default collection.
        // If the value is 0, it means default, we will just continue to use the default.
        if spec.suspend_timeout_seconds == -1 || spec.suspend_timeout_seconds == 0 {
            self.params.installed_extensions_collection_interval.store(
                DEFAULT_INSTALLED_EXTENSIONS_COLLECTION_INTERVAL,
                std::sync::atomic::Ordering::SeqCst,
            );
        } else {
            self.params.installed_extensions_collection_interval.store(
                spec.suspend_timeout_seconds as u64,
                std::sync::atomic::Ordering::SeqCst,
            );
        }
    }
 }
@@ -2221,17 +2513,73 @@ pub async fn installed_extensions(conf: tokio_postgres::Config) -> Result<()> {
                serde_json::to_string(&extensions).expect("failed to serialize extensions list")
            );
        }
-        Err(err) => error!("could not get installed extensions: {err:?}"),
+        Err(err) => error!("could not get installed extensions: {err}"),
    }
    Ok(())
 }
-pub fn forward_termination_signal() {
+pub fn forward_termination_signal(dev_mode: bool) {
    let ss_pid = SYNC_SAFEKEEPERS_PID.load(Ordering::SeqCst);
    if ss_pid != 0 {
        let ss_pid = nix::unistd::Pid::from_raw(ss_pid as i32);
        kill(ss_pid, Signal::SIGTERM).ok();
    }
    if !dev_mode {
        //  Terminate pgbouncer with SIGKILL
        match pid_file::read(PGBOUNCER_PIDFILE.into()) {
            Ok(pid_file::PidFileRead::LockedByOtherProcess(pid)) => {
                info!("sending SIGKILL to pgbouncer process pid: {}", pid);
                if let Err(e) = kill(pid, Signal::SIGKILL) {
                    error!("failed to terminate pgbouncer: {}", e);
                }
            }
            // pgbouncer does not lock the pid file, so we read and kill the process directly
            Ok(pid_file::PidFileRead::NotHeldByAnyProcess(_)) => {
                if let Ok(pid_str) = std::fs::read_to_string(PGBOUNCER_PIDFILE) {
                    if let Ok(pid) = pid_str.trim().parse::<i32>() {
                        info!(
                            "sending SIGKILL to pgbouncer process pid: {} (from unlocked pid file)",
                            pid
                        );
                        if let Err(e) = kill(Pid::from_raw(pid), Signal::SIGKILL) {
                            error!("failed to terminate pgbouncer: {}", e);
                        }
                    }
                } else {
                    info!("pgbouncer pid file exists but process not running");
                }
            }
            Ok(pid_file::PidFileRead::NotExist) => {
                info!("pgbouncer pid file not found, process may not be running");
            }
            Err(e) => {
                error!("error reading pgbouncer pid file: {}", e);
            }
        }
        // Terminate local_proxy
        match pid_file::read("/etc/local_proxy/pid".into()) {
            Ok(pid_file::PidFileRead::LockedByOtherProcess(pid)) => {
                info!("sending SIGTERM to local_proxy process pid: {}", pid);
                if let Err(e) = kill(pid, Signal::SIGTERM) {
                    error!("failed to terminate local_proxy: {}", e);
                }
            }
            Ok(pid_file::PidFileRead::NotHeldByAnyProcess(_)) => {
                info!("local_proxy PID file exists but process not running");
            }
            Ok(pid_file::PidFileRead::NotExist) => {
                info!("local_proxy PID file not found, process may not be running");
            }
            Err(e) => {
                error!("error reading local_proxy PID file: {}", e);
            }
        }
    } else {
        info!("Skipping pgbouncer and local_proxy termination because in dev mode");
    }
    let pg_pid = PG_PID.load(Ordering::SeqCst);
    if pg_pid != 0 {
        let pg_pid = nix::unistd::Pid::from_raw(pg_pid as i32);
@@ -2264,3 +2612,21 @@ impl<T: 'static> JoinSetExt<T> for tokio::task::JoinSet<T> {
        })
    }
 }
 #[cfg(test)]
 mod tests {
    use std::fs::File;
    use super::*;
    #[test]
    fn duplicate_safekeeper_connstring() {
        let file = File::open("tests/cluster_spec.json").unwrap();
        let spec: ComputeSpec = serde_json::from_reader(file).unwrap();
        match ParsedSpec::try_from(spec.clone()) {
            Ok(_p) => panic!("Failed to detect duplicate entry"),
            Err(e) => assert!(e.starts_with("duplicate entry in safekeeper_connstrings:")),
        };
    }
 }
--- a/compute_tools/src/compute_prewarm.rs
+++ b/compute_tools/src/compute_prewarm.rs
@@ -5,6 +5,7 @@ use compute_api::responses::LfcOffloadState;
 use compute_api::responses::LfcPrewarmState;
 use http::StatusCode;
 use reqwest::Client;
 use std::mem::replace;
 use std::sync::Arc;
 use tokio::{io::AsyncReadExt, spawn};
 use tracing::{error, info};
@@ -25,11 +26,16 @@ struct EndpointStoragePair {
 }
 const KEY: &str = "lfc_state";
-impl TryFrom<&crate::compute::ParsedSpec> for EndpointStoragePair {
+impl EndpointStoragePair {
-    type Error = anyhow::Error;
+    /// endpoint_id is set to None while prewarming from other endpoint, see replica promotion
-    fn try_from(pspec: &crate::compute::ParsedSpec) -> Result<Self, Self::Error> {
+    /// If not None, takes precedence over pspec.spec.endpoint_id
-        let Some(ref endpoint_id) = pspec.spec.endpoint_id else {
+    fn from_spec_and_endpoint(
-            bail!("pspec.endpoint_id missing")
+        pspec: &crate::compute::ParsedSpec,
        endpoint_id: Option<String>,
    ) -> Result<Self> {
        let endpoint_id = endpoint_id.as_ref().or(pspec.spec.endpoint_id.as_ref());
        let Some(ref endpoint_id) = endpoint_id else {
            bail!("pspec.endpoint_id missing, other endpoint_id not provided")
        };
        let Some(ref base_uri) = pspec.endpoint_storage_addr else {
            bail!("pspec.endpoint_storage_addr missing")
@@ -64,7 +70,7 @@ impl ComputeNode {
            }
        };
        let row = match client
-            .query_one("select * from get_prewarm_info()", &[])
+            .query_one("select * from neon.get_prewarm_info()", &[])
            .await
        {
            Ok(row) => row,
@@ -83,46 +89,62 @@ impl ComputeNode {
        self.state.lock().unwrap().lfc_offload_state.clone()
    }
-    /// Returns false if there is a prewarm request ongoing, true otherwise
+    /// If there is a prewarm request ongoing, return `false`, `true` otherwise.
-    pub fn prewarm_lfc(self: &Arc<Self>) -> bool {
+    pub fn prewarm_lfc(self: &Arc<Self>, from_endpoint: Option<String>) -> bool {
        crate::metrics::LFC_PREWARM_REQUESTS.inc();
        {
            let state = &mut self.state.lock().unwrap().lfc_prewarm_state;
-            if let LfcPrewarmState::Prewarming =
+            if let LfcPrewarmState::Prewarming = replace(state, LfcPrewarmState::Prewarming) {
                std::mem::replace(state, LfcPrewarmState::Prewarming)
            {
                return false;
            }
        }
        crate::metrics::LFC_PREWARMS.inc();
        let cloned = self.clone();
        spawn(async move {
-            let Err(err) = cloned.prewarm_impl().await else {
+            let state = match cloned.prewarm_impl(from_endpoint).await {
-                cloned.state.lock().unwrap().lfc_prewarm_state = LfcPrewarmState::Completed;
+                Ok(true) => LfcPrewarmState::Completed,
-                return;
+                Ok(false) => {
-            };
+                    info!(
-            error!(%err);
+                        "skipping LFC prewarm because LFC state is not found in endpoint storage"
-            cloned.state.lock().unwrap().lfc_prewarm_state = LfcPrewarmState::Failed {
+                    );
-                error: err.to_string(),
+                    LfcPrewarmState::Skipped
                }
                Err(err) => {
                    crate::metrics::LFC_PREWARM_ERRORS.inc();
                    error!(%err, "could not prewarm LFC");
                    LfcPrewarmState::Failed {
                        error: err.to_string(),
                    }
                }
            };
            cloned.state.lock().unwrap().lfc_prewarm_state = state;
        });
        true
    }
-    fn endpoint_storage_pair(&self) -> Result<EndpointStoragePair> {
+    /// from_endpoint: None for endpoint managed by this compute_ctl
    fn endpoint_storage_pair(&self, from_endpoint: Option<String>) -> Result<EndpointStoragePair> {
        let state = self.state.lock().unwrap();
-        state.pspec.as_ref().unwrap().try_into()
+        EndpointStoragePair::from_spec_and_endpoint(state.pspec.as_ref().unwrap(), from_endpoint)
    }
-    async fn prewarm_impl(&self) -> Result<()> {
+    /// Request LFC state from endpoint storage and load corresponding pages into Postgres.
-        let EndpointStoragePair { url, token } = self.endpoint_storage_pair()?;
+    /// Returns a result with `false` if the LFC state is not found in endpoint storage.
-        info!(%url, "requesting LFC state from endpoint storage");
+    async fn prewarm_impl(&self, from_endpoint: Option<String>) -> Result<bool> {
        let EndpointStoragePair { url, token } = self.endpoint_storage_pair(from_endpoint)?;
        info!(%url, "requesting LFC state from endpoint storage");
        let request = Client::new().get(&url).bearer_auth(token);
        let res = request.send().await.context("querying endpoint storage")?;
        let status = res.status();
-        if status != StatusCode::OK {
+        match status {
-            bail!("{status} querying endpoint storage")
+            StatusCode::OK => (),
            StatusCode::NOT_FOUND => {
                return Ok(false);
            }
            _ => bail!("{status} querying endpoint storage"),
        }
        let mut uncompressed = Vec::new();
@@ -135,52 +157,67 @@ impl ComputeNode {
            .await
            .context("decoding LFC state")?;
        let uncompressed_len = uncompressed.len();
-        info!(%url, "downloaded LFC state, uncompressed size {uncompressed_len}, loading into postgres");
+
        info!(%url, "downloaded LFC state, uncompressed size {uncompressed_len}, loading into Postgres");
        ComputeNode::get_maintenance_client(&self.tokio_conn_conf)
            .await
            .context("connecting to postgres")?
-            .query_one("select prewarm_local_cache($1)", &[&uncompressed])
+            .query_one("select neon.prewarm_local_cache($1)", &[&uncompressed])
            .await
            .context("loading LFC state into postgres")
-            .map(|_| ())
+            .map(|_| ())?;
        Ok(true)
    }
-    /// Returns false if there is an offload request ongoing, true otherwise
+    /// If offload request is ongoing, return false, true otherwise
    pub fn offload_lfc(self: &Arc<Self>) -> bool {
        crate::metrics::LFC_OFFLOAD_REQUESTS.inc();
        {
            let state = &mut self.state.lock().unwrap().lfc_offload_state;
-            if let LfcOffloadState::Offloading =
+            if replace(state, LfcOffloadState::Offloading) == LfcOffloadState::Offloading {
                std::mem::replace(state, LfcOffloadState::Offloading)
            {
                return false;
            }
        }
        let cloned = self.clone();
-        spawn(async move {
+        spawn(async move { cloned.offload_lfc_with_state_update().await });
            let Err(err) = cloned.offload_lfc_impl().await else {
                cloned.state.lock().unwrap().lfc_offload_state = LfcOffloadState::Completed;
                return;
            };
            error!(%err);
            cloned.state.lock().unwrap().lfc_offload_state = LfcOffloadState::Failed {
                error: err.to_string(),
            };
        });
        true
    }
    pub async fn offload_lfc_async(self: &Arc<Self>) {
        {
            let state = &mut self.state.lock().unwrap().lfc_offload_state;
            if replace(state, LfcOffloadState::Offloading) == LfcOffloadState::Offloading {
                return;
            }
        }
        self.offload_lfc_with_state_update().await
    }
    async fn offload_lfc_with_state_update(&self) {
        crate::metrics::LFC_OFFLOADS.inc();
        let Err(err) = self.offload_lfc_impl().await else {
            self.state.lock().unwrap().lfc_offload_state = LfcOffloadState::Completed;
            return;
        };
        crate::metrics::LFC_OFFLOAD_ERRORS.inc();
        error!(%err, "could not offload LFC state to endpoint storage");
        self.state.lock().unwrap().lfc_offload_state = LfcOffloadState::Failed {
            error: err.to_string(),
        };
    }
    async fn offload_lfc_impl(&self) -> Result<()> {
-        let EndpointStoragePair { url, token } = self.endpoint_storage_pair()?;
+        let EndpointStoragePair { url, token } = self.endpoint_storage_pair(None)?;
-        info!(%url, "requesting LFC state from postgres");
+        info!(%url, "requesting LFC state from Postgres");
        let mut compressed = Vec::new();
        ComputeNode::get_maintenance_client(&self.tokio_conn_conf)
            .await
            .context("connecting to postgres")?
-            .query_one("select get_local_cache_state()", &[])
+            .query_one("select neon.get_local_cache_state()", &[])
            .await
            .context("querying LFC state")?
            .try_get::<usize, &[u8]>(0)
@@ -189,13 +226,17 @@ impl ComputeNode {
            .read_to_end(&mut compressed)
            .await
            .context("compressing LFC state")?;
        let compressed_len = compressed.len();
        info!(%url, "downloaded LFC state, compressed size {compressed_len}, writing to endpoint storage");
        let request = Client::new().put(url).bearer_auth(token).body(compressed);
        match request.send().await {
            Ok(res) if res.status() == StatusCode::OK => Ok(()),
-            Ok(res) => bail!("Error writing to endpoint storage: {}", res.status()),
+            Ok(res) => bail!(
                "Request to endpoint storage failed with status: {}",
                res.status()
            ),
            Err(err) => Err(err).context("writing to endpoint storage"),
        }
    }
--- a/compute_tools/src/compute_promote.rs
+++ b/compute_tools/src/compute_promote.rs
@@ -0,0 +1,132 @@
 use crate::compute::ComputeNode;
 use anyhow::{Context, Result, bail};
 use compute_api::{
    responses::{LfcPrewarmState, PromoteState, SafekeepersLsn},
    spec::ComputeMode,
 };
 use std::{sync::Arc, time::Duration};
 use tokio::time::sleep;
 use utils::lsn::Lsn;
 impl ComputeNode {
    /// Returns only when promote fails or succeeds. If a network error occurs
    /// and http client disconnects, this does not stop promotion, and subsequent
    /// calls block until promote finishes.
    /// Called by control plane on secondary after primary endpoint is terminated
    pub async fn promote(self: &Arc<Self>, safekeepers_lsn: SafekeepersLsn) -> PromoteState {
        let cloned = self.clone();
        let start_promotion = || {
            let (tx, rx) = tokio::sync::watch::channel(PromoteState::NotPromoted);
            tokio::spawn(async move {
                tx.send(match cloned.promote_impl(safekeepers_lsn).await {
                    Ok(_) => PromoteState::Completed,
                    Err(err) => {
                        tracing::error!(%err, "promoting");
                        PromoteState::Failed {
                            error: err.to_string(),
                        }
                    }
                })
            });
            rx
        };
        let mut task;
        // self.state is unlocked after block ends so we lock it in promote_impl
        // and task.changed() is reached
        {
            task = self
                .state
                .lock()
                .unwrap()
                .promote_state
                .get_or_insert_with(start_promotion)
                .clone()
        }
        task.changed().await.expect("promote sender dropped");
        task.borrow().clone()
    }
    // Why do we have to supply safekeepers?
    // For secondary we use primary_connection_conninfo so safekeepers field is empty
    async fn promote_impl(&self, safekeepers_lsn: SafekeepersLsn) -> Result<()> {
        {
            let state = self.state.lock().unwrap();
            let mode = &state.pspec.as_ref().unwrap().spec.mode;
            if *mode != ComputeMode::Replica {
                bail!("{} is not replica", mode.to_type_str());
            }
            // we don't need to query Postgres so not self.lfc_prewarm_state()
            match &state.lfc_prewarm_state {
                LfcPrewarmState::NotPrewarmed | LfcPrewarmState::Prewarming => {
                    bail!("prewarm not requested or pending")
                }
                LfcPrewarmState::Failed { error } => {
                    tracing::warn!(%error, "replica prewarm failed")
                }
                _ => {}
            }
        }
        let client = ComputeNode::get_maintenance_client(&self.tokio_conn_conf)
            .await
            .context("connecting to postgres")?;
        let primary_lsn = safekeepers_lsn.wal_flush_lsn;
        let mut last_wal_replay_lsn: Lsn = Lsn::INVALID;
        const RETRIES: i32 = 20;
        for i in 0..=RETRIES {
            let row = client
                .query_one("SELECT pg_last_wal_replay_lsn()", &[])
                .await
                .context("getting last replay lsn")?;
            let lsn: u64 = row.get::<usize, postgres_types::PgLsn>(0).into();
            last_wal_replay_lsn = lsn.into();
            if last_wal_replay_lsn >= primary_lsn {
                break;
            }
            tracing::info!("Try {i}, replica lsn {last_wal_replay_lsn}, primary lsn {primary_lsn}");
            sleep(Duration::from_secs(1)).await;
        }
        if last_wal_replay_lsn < primary_lsn {
            bail!("didn't catch up with primary in {RETRIES} retries");
        }
        // using $1 doesn't work with ALTER SYSTEM SET
        let safekeepers_sql = format!(
            "ALTER SYSTEM SET neon.safekeepers='{}'",
            safekeepers_lsn.safekeepers
        );
        client
            .query(&safekeepers_sql, &[])
            .await
            .context("setting safekeepers")?;
        client
            .query("SELECT pg_reload_conf()", &[])
            .await
            .context("reloading postgres config")?;
        let row = client
            .query_one("SELECT * FROM pg_promote()", &[])
            .await
            .context("pg_promote")?;
        if !row.get::<usize, bool>(0) {
            bail!("pg_promote() returned false");
        }
        let client = ComputeNode::get_maintenance_client(&self.tokio_conn_conf)
            .await
            .context("connecting to postgres")?;
        let row = client
            .query_one("SHOW transaction_read_only", &[])
            .await
            .context("getting transaction_read_only")?;
        if row.get::<usize, &str>(0) == "on" {
            bail!("replica in read only mode after promotion");
        }
        let mut state = self.state.lock().unwrap();
        state.pspec.as_mut().unwrap().spec.mode = ComputeMode::Primary;
        Ok(())
    }
 }
--- a/compute_tools/src/config.rs
+++ b/compute_tools/src/config.rs
@@ -9,6 +9,7 @@ use std::path::Path;
 use compute_api::responses::TlsConfig;
 use compute_api::spec::{ComputeAudit, ComputeMode, ComputeSpec, GenericOption};
 use crate::compute::ComputeNodeParams;
 use crate::pg_helpers::{
    GenericOptionExt, GenericOptionsSearch, PgOptionsSerialize, escape_conf_value,
 };
@@ -41,6 +42,7 @@ pub fn line_in_file(path: &Path, line: &str) -> Result<bool> {
 /// Create or completely rewrite configuration file specified by `path`
 pub fn write_postgres_conf(
    pgdata_path: &Path,
    params: &ComputeNodeParams,
    spec: &ComputeSpec,
    extension_server_port: u16,
    tls_config: &Option<TlsConfig>,
@@ -51,17 +53,18 @@ pub fn write_postgres_conf(
    // Write the postgresql.conf content from the spec file as is.
    if let Some(conf) = &spec.cluster.postgresql_conf {
-        writeln!(file, "{}", conf)?;
+        writeln!(file, "{conf}")?;
    }
    // Stripe size GUC should be defined prior to connection string
    if let Some(stripe_size) = spec.shard_stripe_size {
        writeln!(file, "neon.stripe_size={stripe_size}")?;
    }
    // Add options for connecting to storage
    writeln!(file, "# Neon storage settings")?;
    if let Some(s) = &spec.pageserver_connstring {
        writeln!(file, "neon.pageserver_connstring={}", escape_conf_value(s))?;
    }
    if let Some(stripe_size) = spec.shard_stripe_size {
        writeln!(file, "neon.stripe_size={stripe_size}")?;
    }
    if !spec.safekeeper_connstrings.is_empty() {
        let mut neon_safekeepers_value = String::new();
        tracing::info!(
@@ -70,7 +73,7 @@ pub fn write_postgres_conf(
        );
        // If generation is given, prepend sk list with g#number:
        if let Some(generation) = spec.safekeepers_generation {
-            write!(neon_safekeepers_value, "g#{}:", generation)?;
+            write!(neon_safekeepers_value, "g#{generation}:")?;
        }
        neon_safekeepers_value.push_str(&spec.safekeeper_connstrings.join(","));
        writeln!(
@@ -109,8 +112,8 @@ pub fn write_postgres_conf(
        tls::update_key_path_blocking(pgdata_path, tls_config);
        // these are the default, but good to be explicit.
-        writeln!(file, "ssl_cert_file = '{}'", SERVER_CRT)?;
+        writeln!(file, "ssl_cert_file = '{SERVER_CRT}'")?;
-        writeln!(file, "ssl_key_file = '{}'", SERVER_KEY)?;
+        writeln!(file, "ssl_key_file = '{SERVER_KEY}'")?;
    }
    // Locales
@@ -161,6 +164,12 @@ pub fn write_postgres_conf(
        }
    }
    writeln!(
        file,
        "neon.privileged_role_name={}",
        escape_conf_value(params.privileged_role_name.as_str())
    )?;
    // If there are any extra options in the 'settings' field, append those
    if spec.cluster.settings.is_some() {
        writeln!(file, "# Managed by compute_ctl: begin")?;
@@ -191,8 +200,7 @@ pub fn write_postgres_conf(
                }
                writeln!(
                    file,
-                    "shared_preload_libraries='{}{}'",
+                    "shared_preload_libraries='{libs}{extra_shared_preload_libraries}'"
                    libs, extra_shared_preload_libraries
                )?;
            } else {
                // Typically, this should be unreacheable,
@@ -244,8 +252,7 @@ pub fn write_postgres_conf(
                }
                writeln!(
                    file,
-                    "shared_preload_libraries='{}{}'",
+                    "shared_preload_libraries='{libs}{extra_shared_preload_libraries}'"
                    libs, extra_shared_preload_libraries
                )?;
            } else {
                // Typically, this should be unreacheable,
@@ -263,7 +270,7 @@ pub fn write_postgres_conf(
        }
    }
-    writeln!(file, "neon.extension_server_port={}", extension_server_port)?;
+    writeln!(file, "neon.extension_server_port={extension_server_port}")?;
    if spec.drop_subscriptions_before_start {
        writeln!(file, "neon.disable_logical_replication_subscribers=true")?;
@@ -291,7 +298,7 @@ where
 {
    let path = pgdata_path.join("compute_ctl_temp_override.conf");
    let mut file = File::create(path)?;
-    write!(file, "{}", options)?;
+    write!(file, "{options}")?;
    let res = exec();
--- a/compute_tools/src/config_template/compute_audit_rsyslog_template.conf
+++ b/compute_tools/src/config_template/compute_audit_rsyslog_template.conf
@@ -10,7 +10,13 @@ input(type="imfile" File="{log_directory}/*.log"
  startmsg.regex="^[[:digit:]]{{4}}-[[:digit:]]{{2}}-[[:digit:]]{{2}} [[:digit:]]{{2}}:[[:digit:]]{{2}}:[[:digit:]]{{2}}.[[:digit:]]{{3}} GMT,")
 # the directory to store rsyslog state files
-global(workDirectory="/var/log/rsyslog")
+global(
  workDirectory="/var/log/rsyslog"
  DefaultNetstreamDriverCAFile="/etc/ssl/certs/ca-certificates.crt"
 )
 # Whether the remote syslog receiver uses tls
 set $.remote_syslog_tls = "{remote_syslog_tls}";
 # Construct json, endpoint_id and project_id as additional metadata
 set $.json_log!endpoint_id = "{endpoint_id}";
@@ -21,5 +27,29 @@ set $.json_log!msg = $msg;
 template(name="PgAuditLog" type="string"
    string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% - - - - %$.json_log%")
-# Forward to remote syslog receiver (@@<hostname>:<port>;format
+# Forward to remote syslog receiver (over TLS)
-local5.info @@{remote_endpoint};PgAuditLog
+if ( $syslogtag == 'pgaudit_log' ) then {{
  if ( $.remote_syslog_tls == 'true' ) then {{
    action(type="omfwd" target="{remote_syslog_host}" port="{remote_syslog_port}" protocol="tcp"
      template="PgAuditLog"
      queue.type="linkedList"
      queue.size="1000"
      action.ResumeRetryCount="10"
      StreamDriver="gtls"
      StreamDriverMode="1"
      StreamDriverAuthMode="x509/name"
      StreamDriverPermittedPeers="{remote_syslog_host}"
      StreamDriver.CheckExtendedKeyPurpose="on"
      StreamDriver.PermitExpiredCerts="off"
    )
    stop
  }} else {{
    action(type="omfwd" target="{remote_syslog_host}" port="{remote_syslog_port}" protocol="tcp"
      template="PgAuditLog"
      queue.type="linkedList"
      queue.size="1000"
      action.ResumeRetryCount="10"
    )
    stop
  }}
 }}
--- a/compute_tools/src/extension_server.rs
+++ b/compute_tools/src/extension_server.rs
@@ -74,9 +74,11 @@ More specifically, here is an example ext_index.json
 use std::path::Path;
 use std::str;
 use crate::metrics::{REMOTE_EXT_REQUESTS_TOTAL, UNKNOWN_HTTP_STATUS};
 use anyhow::{Context, Result, bail};
 use bytes::Bytes;
 use compute_api::spec::RemoteExtSpec;
 use postgres_versioninfo::PgMajorVersion;
 use regex::Regex;
 use remote_storage::*;
 use reqwest::StatusCode;
@@ -86,8 +88,6 @@ use tracing::log::warn;
 use url::Url;
 use zstd::stream::read::Decoder;
 use crate::metrics::{REMOTE_EXT_REQUESTS_TOTAL, UNKNOWN_HTTP_STATUS};
 fn get_pg_config(argument: &str, pgbin: &str) -> String {
    // gives the result of `pg_config [argument]`
    // where argument is a flag like `--version` or `--sharedir`
@@ -106,7 +106,7 @@ fn get_pg_config(argument: &str, pgbin: &str) -> String {
        .to_string()
 }
-pub fn get_pg_version(pgbin: &str) -> PostgresMajorVersion {
+pub fn get_pg_version(pgbin: &str) -> PgMajorVersion {
    // pg_config --version returns a (platform specific) human readable string
    // such as "PostgreSQL 15.4". We parse this to v14/v15/v16 etc.
    let human_version = get_pg_config("--version", pgbin);
@@ -114,25 +114,11 @@ pub fn get_pg_version(pgbin: &str) -> PostgresMajorVersion {
 }
 pub fn get_pg_version_string(pgbin: &str) -> String {
-    match get_pg_version(pgbin) {
+    get_pg_version(pgbin).v_str()
        PostgresMajorVersion::V14 => "v14",
        PostgresMajorVersion::V15 => "v15",
        PostgresMajorVersion::V16 => "v16",
        PostgresMajorVersion::V17 => "v17",
    }
    .to_owned()
 }
-#[derive(Copy, Clone, Debug, PartialEq, Eq)]
+fn parse_pg_version(human_version: &str) -> PgMajorVersion {
-pub enum PostgresMajorVersion {
+    use PgMajorVersion::*;
    V14,
    V15,
    V16,
    V17,
 }
 fn parse_pg_version(human_version: &str) -> PostgresMajorVersion {
    use PostgresMajorVersion::*;
    // Normal releases have version strings like "PostgreSQL 15.4". But there
    // are also pre-release versions like "PostgreSQL 17devel" or "PostgreSQL
    // 16beta2" or "PostgreSQL 17rc1". And with the --with-extra-version
@@ -143,10 +129,10 @@ fn parse_pg_version(human_version: &str) -> PostgresMajorVersion {
        .captures(human_version)
    {
        Some(captures) if captures.len() == 2 => match &captures["major"] {
-            "14" => return V14,
+            "14" => return PG14,
-            "15" => return V15,
+            "15" => return PG15,
-            "16" => return V16,
+            "16" => return PG16,
-            "17" => return V17,
+            "17" => return PG17,
            _ => {}
        },
        _ => {}
@@ -166,7 +152,7 @@ pub async fn download_extension(
    // TODO add retry logic
    let download_buffer =
-        match download_extension_tar(remote_ext_base_url.as_str(), &ext_path.to_string()).await {
+        match download_extension_tar(remote_ext_base_url, &ext_path.to_string()).await {
            Ok(buffer) => buffer,
            Err(error_message) => {
                return Err(anyhow::anyhow!(
@@ -271,10 +257,14 @@ pub fn create_control_files(remote_extensions: &RemoteExtSpec, pgbin: &str) {
 }
 // Do request to extension storage proxy, e.g.,
-// curl http://pg-ext-s3-gateway/latest/v15/extensions/anon.tar.zst
+// curl http://pg-ext-s3-gateway.pg-ext-s3-gateway.svc.cluster.local/latest/v15/extensions/anon.tar.zst
 // using HTTP GET and return the response body as bytes.
-async fn download_extension_tar(remote_ext_base_url: &str, ext_path: &str) -> Result<Bytes> {
+async fn download_extension_tar(remote_ext_base_url: &Url, ext_path: &str) -> Result<Bytes> {
-    let uri = format!("{}/{}", remote_ext_base_url, ext_path);
+    let uri = remote_ext_base_url.join(ext_path).with_context(|| {
        format!(
            "failed to create the remote extension URI for {ext_path} using {remote_ext_base_url}"
        )
    })?;
    let filename = Path::new(ext_path)
        .file_name()
        .unwrap_or_else(|| std::ffi::OsStr::new("unknown"))
@@ -284,7 +274,7 @@ async fn download_extension_tar(remote_ext_base_url: &str, ext_path: &str) -> Re
    info!("Downloading extension file '{}' from uri {}", filename, uri);
-    match do_extension_server_request(&uri).await {
+    match do_extension_server_request(uri).await {
        Ok(resp) => {
            info!("Successfully downloaded remote extension data {}", ext_path);
            REMOTE_EXT_REQUESTS_TOTAL
@@ -303,13 +293,10 @@ async fn download_extension_tar(remote_ext_base_url: &str, ext_path: &str) -> Re
 // Do a single remote extensions server request.
 // Return result or (error message + stringified status code) in case of any failures.
-async fn do_extension_server_request(uri: &str) -> Result<Bytes, (String, String)> {
+async fn do_extension_server_request(uri: Url) -> Result<Bytes, (String, String)> {
    let resp = reqwest::get(uri).await.map_err(|e| {
        (
-            format!(
+            format!("could not perform remote extensions server request: {e:?}"),
                "could not perform remote extensions server request: {:?}",
                e
            ),
            UNKNOWN_HTTP_STATUS.to_string(),
        )
    })?;
@@ -319,7 +306,7 @@ async fn do_extension_server_request(uri: &str) -> Result<Bytes, (String, String
        StatusCode::OK => match resp.bytes().await {
            Ok(resp) => Ok(resp),
            Err(e) => Err((
-                format!("could not read remote extensions server response: {:?}", e),
+                format!("could not read remote extensions server response: {e:?}"),
                // It's fine to return and report error with status as 200 OK,
                // because we still failed to read the response.
                status.to_string(),
@@ -330,10 +317,7 @@ async fn do_extension_server_request(uri: &str) -> Result<Bytes, (String, String
            status.to_string(),
        )),
        _ => Err((
-            format!(
+            format!("unexpected remote extensions server response status code: {status}"),
                "unexpected remote extensions server response status code: {}",
                status
            ),
            status.to_string(),
        )),
    }
@@ -345,25 +329,25 @@ mod tests {
    #[test]
    fn test_parse_pg_version() {
-        use super::PostgresMajorVersion::*;
+        use postgres_versioninfo::PgMajorVersion::*;
-        assert_eq!(parse_pg_version("PostgreSQL 15.4"), V15);
+        assert_eq!(parse_pg_version("PostgreSQL 15.4"), PG15);
-        assert_eq!(parse_pg_version("PostgreSQL 15.14"), V15);
+        assert_eq!(parse_pg_version("PostgreSQL 15.14"), PG15);
        assert_eq!(
            parse_pg_version("PostgreSQL 15.4 (Ubuntu 15.4-0ubuntu0.23.04.1)"),
-            V15
+            PG15
        );
-        assert_eq!(parse_pg_version("PostgreSQL 14.15"), V14);
+        assert_eq!(parse_pg_version("PostgreSQL 14.15"), PG14);
-        assert_eq!(parse_pg_version("PostgreSQL 14.0"), V14);
+        assert_eq!(parse_pg_version("PostgreSQL 14.0"), PG14);
        assert_eq!(
            parse_pg_version("PostgreSQL 14.9 (Debian 14.9-1.pgdg120+1"),
-            V14
+            PG14
        );
-        assert_eq!(parse_pg_version("PostgreSQL 16devel"), V16);
+        assert_eq!(parse_pg_version("PostgreSQL 16devel"), PG16);
-        assert_eq!(parse_pg_version("PostgreSQL 16beta1"), V16);
+        assert_eq!(parse_pg_version("PostgreSQL 16beta1"), PG16);
-        assert_eq!(parse_pg_version("PostgreSQL 16rc2"), V16);
+        assert_eq!(parse_pg_version("PostgreSQL 16rc2"), PG16);
-        assert_eq!(parse_pg_version("PostgreSQL 16extra"), V16);
+        assert_eq!(parse_pg_version("PostgreSQL 16extra"), PG16);
    }
    #[test]
--- a/compute_tools/src/http/mod.rs
+++ b/compute_tools/src/http/mod.rs
@@ -48,11 +48,9 @@ impl JsonResponse {
    /// Create an error response related to the compute being in an invalid state
    pub(self) fn invalid_status(status: ComputeStatus) -> Response {
-        Self::create_response(
+        Self::error(
            StatusCode::PRECONDITION_FAILED,
-            &GenericAPIError {
+            format!("invalid compute status: {status}"),
                error: format!("invalid compute status: {status}"),
            },
        )
    }
 }
--- a/compute_tools/src/http/openapi_spec.yaml
+++ b/compute_tools/src/http/openapi_spec.yaml
@@ -83,6 +83,87 @@ paths:
              schema:
                $ref: "#/components/schemas/DbsAndRoles"
  /promote:
    post:
      tags:
        - Promotion
      summary: Promote secondary replica to primary
      description: ""
      operationId: promoteReplica
      requestBody:
        description: Promote requests data
        required: true
        content:
          application/json:
            schema:
                $ref: "#/components/schemas/SafekeepersLsn"
      responses:
        200:
          description: Promote succeeded or wasn't started
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/PromoteState"
        500:
          description: Promote failed
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/PromoteState"
  /lfc/prewarm:
    post:
      summary: Request LFC Prewarm
      parameters:
        - name: from_endpoint
          in: query
          schema:
            type: string
      description: ""
      operationId: lfcPrewarm
      responses:
        202:
          description: LFC prewarm started
        429:
          description: LFC prewarm ongoing
    get:
      tags:
        - Prewarm
      summary: Get LFC prewarm state
      description: ""
      operationId: getLfcPrewarmState
      responses:
        200:
          description: Prewarm state
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/LfcPrewarmState"
  /lfc/offload:
    post:
      summary: Request LFC offload
      description: ""
      operationId: lfcOffload
      responses:
        202:
          description: LFC offload started
        429:
          description: LFC offload ongoing
    get:
      tags:
        - Prewarm
      summary: Get LFC offloading state
      description: ""
      operationId: getLfcOffloadState
      responses:
        200:
          description: Offload state
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/LfcOffloadState"
  /database_schema:
    get:
      tags:
@@ -290,9 +371,28 @@ paths:
      summary: Terminate Postgres and wait for it to exit
      description: ""
      operationId: terminate
      parameters:
        - name: mode
          in: query
          description: "Terminate mode: fast (wait 30s before returning) and immediate"
          required: false
          schema:
            type: string
            enum: ["fast", "immediate"]
            default: fast
      responses:
        200:
          description: Result
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/TerminateResponse"
        201:
          description: Result if compute is already terminated
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/TerminateResponse"
        412:
          description: "wrong state"
          content:
@@ -335,15 +435,6 @@ components:
        total_startup_ms:
          type: integer
    Info:
      type: object
      description: Information about VM/Pod.
      required:
        - num_cpus
      properties:
        num_cpus:
          type: integer
    DbsAndRoles:
      type: object
      description: Databases and Roles
@@ -458,11 +549,14 @@ components:
      type: string
      enum:
        - empty
        - init
        - failed
        - running
        - configuration_pending
        - init
        - running
        - configuration
        - failed
        - termination_pending_fast
        - termination_pending_immediate
        - terminated
      example: running
    ExtensionInstallRequest:
@@ -497,25 +591,69 @@ components:
          type: string
          example: "1.0.0"
-    InstalledExtensions:
+    SafekeepersLsn:
      type: object
      required:
        - safekeepers
        - wal_flush_lsn
      properties:
-        extensions:
+        safekeepers:
-          description: Contains list of installed extensions.
+          description: Primary replica safekeepers
-          type: array
+          type: string
-          items:
+        wal_flush_lsn:
-            type: object
+          description: Primary last WAL flush LSN
-            properties:
+          type: string
-              extname:
+
-                type: string
+    LfcPrewarmState:
-              version:
+      type: object
-                type: string
+      required:
-                items:
+        - status
-                  type: string
+        - total
-              n_databases:
+        - prewarmed
-                type: integer
+        - skipped
-              owned_by_superuser:
+      properties:
-                type: integer
+        status:
          description: LFC prewarm status
          enum: [not_prewarmed, prewarming, completed, failed, skipped]
          type: string
        error:
          description: LFC prewarm error, if any
          type: string
        total:
          description: Total pages processed
          type: integer
        prewarmed:
          description: Total pages prewarmed
          type: integer
        skipped:
          description: Pages processed but not prewarmed
          type: integer
    LfcOffloadState:
      type: object
      required:
        - status
      properties:
        status:
          description: LFC offload status
          enum: [not_offloaded, offloading, completed, failed]
          type: string
        error:
          description: LFC offload error, if any
          type: string
    PromoteState:
      type: object
      required:
        - status
      properties:
        status:
          description: Promote result
          enum: [not_promoted, completed, failed]
          type: string
        error:
          description: Promote error, if any
          type: string
    SetRoleGrantsRequest:
      type: object
@@ -544,6 +682,17 @@ components:
          description: Role name.
          example: "neon"
    TerminateResponse:
      type: object
      required:
        - lsn
      properties:
        lsn:
          type: string
          nullable: true
          description: "last WAL flush LSN"
          example: "0/028F10D8"
    SetRoleGrantsResponse:
      type: object
      required:
--- a/compute_tools/src/http/routes/configure.rs
+++ b/compute_tools/src/http/routes/configure.rs
@@ -22,7 +22,7 @@ pub(in crate::http) async fn configure(
    State(compute): State<Arc<ComputeNode>>,
    request: Json<ConfigurationRequest>,
 ) -> Response {
-    let pspec = match ParsedSpec::try_from(request.spec.clone()) {
+    let pspec = match ParsedSpec::try_from(request.0.spec) {
        Ok(p) => p,
        Err(e) => return JsonResponse::error(StatusCode::BAD_REQUEST, e),
    };
@@ -65,7 +65,7 @@ pub(in crate::http) async fn configure(
            if state.status == ComputeStatus::Failed {
                let err = state.error.as_ref().map_or("unknown error", |x| x);
-                let msg = format!("compute configuration failed: {:?}", err);
+                let msg = format!("compute configuration failed: {err:?}");
                return Err(msg);
            }
        }
--- a/compute_tools/src/http/routes/lfc.rs
+++ b/compute_tools/src/http/routes/lfc.rs
@@ -2,6 +2,7 @@ use crate::compute_prewarm::LfcPrewarmStateWithProgress;
 use crate::http::JsonResponse;
 use axum::response::{IntoResponse, Response};
 use axum::{Json, http::StatusCode};
 use axum_extra::extract::OptionalQuery;
 use compute_api::responses::LfcOffloadState;
 type Compute = axum::extract::State<std::sync::Arc<crate::compute::ComputeNode>>;
@@ -16,8 +17,16 @@ pub(in crate::http) async fn offload_state(compute: Compute) -> Json<LfcOffloadS
    Json(compute.lfc_offload_state())
 }
-pub(in crate::http) async fn prewarm(compute: Compute) -> Response {
+#[derive(serde::Deserialize)]
-    if compute.prewarm_lfc() {
+pub struct PrewarmQuery {
    pub from_endpoint: String,
 }
 pub(in crate::http) async fn prewarm(
    compute: Compute,
    OptionalQuery(query): OptionalQuery<PrewarmQuery>,
 ) -> Response {
    if compute.prewarm_lfc(query.map(|q| q.from_endpoint)) {
        StatusCode::ACCEPTED.into_response()
    } else {
        JsonResponse::error(
--- a/compute_tools/src/http/routes/mod.rs
+++ b/compute_tools/src/http/routes/mod.rs
@@ -14,6 +14,7 @@ pub(in crate::http) mod insights;
 pub(in crate::http) mod lfc;
 pub(in crate::http) mod metrics;
 pub(in crate::http) mod metrics_json;
 pub(in crate::http) mod promote;
 pub(in crate::http) mod status;
 pub(in crate::http) mod terminate;
--- a/compute_tools/src/http/routes/promote.rs
+++ b/compute_tools/src/http/routes/promote.rs
@@ -0,0 +1,14 @@
 use crate::http::JsonResponse;
 use axum::Form;
 use http::StatusCode;
 pub(in crate::http) async fn promote(
    compute: axum::extract::State<std::sync::Arc<crate::compute::ComputeNode>>,
    Form(safekeepers_lsn): Form<compute_api::responses::SafekeepersLsn>,
 ) -> axum::response::Response {
    let state = compute.promote(safekeepers_lsn).await;
    if let compute_api::responses::PromoteState::Failed { error } = state {
        return JsonResponse::error(StatusCode::INTERNAL_SERVER_ERROR, error);
    }
    JsonResponse::success(StatusCode::OK, state)
 }
--- a/compute_tools/src/http/routes/terminate.rs
+++ b/compute_tools/src/http/routes/terminate.rs
@@ -1,32 +1,42 @@
-use std::sync::Arc;
+use crate::compute::{ComputeNode, forward_termination_signal};
-
+use crate::http::JsonResponse;
 use axum::extract::State;
-use axum::response::{IntoResponse, Response};
+use axum::response::Response;
-use compute_api::responses::ComputeStatus;
+use axum_extra::extract::OptionalQuery;
 use compute_api::responses::{ComputeStatus, TerminateMode, TerminateResponse};
 use http::StatusCode;
 use serde::Deserialize;
 use std::sync::Arc;
 use tokio::task;
 use tracing::info;
-use crate::compute::{ComputeNode, forward_termination_signal};
+#[derive(Deserialize, Default)]
-use crate::http::JsonResponse;
+pub struct TerminateQuery {
    mode: TerminateMode,
 }
 /// Terminate the compute.
-pub(in crate::http) async fn terminate(State(compute): State<Arc<ComputeNode>>) -> Response {
+pub(in crate::http) async fn terminate(
    State(compute): State<Arc<ComputeNode>>,
    OptionalQuery(terminate): OptionalQuery<TerminateQuery>,
 ) -> Response {
    let mode = terminate.unwrap_or_default().mode;
    {
        let mut state = compute.state.lock().unwrap();
        if state.status == ComputeStatus::Terminated {
-            return StatusCode::CREATED.into_response();
+            let response = TerminateResponse {
                lsn: state.terminate_flush_lsn,
            };
            return JsonResponse::success(StatusCode::CREATED, response);
        }
        if !matches!(state.status, ComputeStatus::Empty | ComputeStatus::Running) {
            return JsonResponse::invalid_status(state.status);
        }
-
+        state.set_status(mode.into(), &compute.state_changed);
        state.set_status(ComputeStatus::TerminationPending, &compute.state_changed);
        drop(state);
    }
-    forward_termination_signal();
+    forward_termination_signal(false);
    info!("sent signal and notified waiters");
    // Spawn a blocking thread to wait for compute to become Terminated.
@@ -34,7 +44,7 @@ pub(in crate::http) async fn terminate(State(compute): State<Arc<ComputeNode>>)
    // be able to serve other requests while some particular request
    // is waiting for compute to finish configuration.
    let c = compute.clone();
-    task::spawn_blocking(move || {
+    let lsn = task::spawn_blocking(move || {
        let mut state = c.state.lock().unwrap();
        while state.status != ComputeStatus::Terminated {
            state = c.state_changed.wait(state).unwrap();
@@ -44,11 +54,10 @@ pub(in crate::http) async fn terminate(State(compute): State<Arc<ComputeNode>>)
                state.status
            );
        }
        state.terminate_flush_lsn
    })
    .await
    .unwrap();
    info!("terminated Postgres");
-
+    JsonResponse::success(StatusCode::OK, TerminateResponse { lsn })
    StatusCode::OK.into_response()
 }
--- a/compute_tools/src/http/server.rs
+++ b/compute_tools/src/http/server.rs
@@ -23,7 +23,7 @@ use super::{
    middleware::authorize::Authorize,
    routes::{
        check_writability, configure, database_schema, dbs_and_roles, extension_server, extensions,
-        grants, insights, lfc, metrics, metrics_json, status, terminate,
+        grants, insights, lfc, metrics, metrics_json, promote, status, terminate,
    },
 };
 use crate::compute::ComputeNode;
@@ -87,6 +87,7 @@ impl From<&Server> for Router<Arc<ComputeNode>> {
                let authenticated_router = Router::<Arc<ComputeNode>>::new()
                    .route("/lfc/prewarm", get(lfc::prewarm_state).post(lfc::prewarm))
                    .route("/lfc/offload", get(lfc::offload_state).post(lfc::offload))
                    .route("/promote", post(promote::promote))
                    .route("/check_writability", post(check_writability::is_writable))
                    .route("/configure", post(configure::configure))
                    .route("/database_schema", get(database_schema::get_schema_dump))
--- a/compute_tools/src/installed_extensions.rs
+++ b/compute_tools/src/installed_extensions.rs
@@ -2,6 +2,7 @@ use std::collections::HashMap;
 use anyhow::Result;
 use compute_api::responses::{InstalledExtension, InstalledExtensions};
 use tokio_postgres::error::Error as PostgresError;
 use tokio_postgres::{Client, Config, NoTls};
 use crate::metrics::INSTALLED_EXTENSIONS;
@@ -10,7 +11,7 @@ use crate::metrics::INSTALLED_EXTENSIONS;
 /// and to make database listing query here more explicit.
 ///
 /// Limit the number of databases to 500 to avoid excessive load.
-async fn list_dbs(client: &mut Client) -> Result<Vec<String>> {
+async fn list_dbs(client: &mut Client) -> Result<Vec<String>, PostgresError> {
    // `pg_database.datconnlimit = -2` means that the database is in the
    // invalid state
    let databases = client
@@ -37,13 +38,15 @@ async fn list_dbs(client: &mut Client) -> Result<Vec<String>> {
 /// Same extension can be installed in multiple databases with different versions,
 /// so we report a separate metric (number of databases where it is installed)
 /// for each extension version.
-pub async fn get_installed_extensions(mut conf: Config) -> Result<InstalledExtensions> {
+pub async fn get_installed_extensions(
    mut conf: Config,
 ) -> Result<InstalledExtensions, PostgresError> {
    conf.application_name("compute_ctl:get_installed_extensions");
    let databases: Vec<String> = {
        let (mut client, connection) = conf.connect(NoTls).await?;
        tokio::spawn(async move {
            if let Err(e) = connection.await {
-                eprintln!("connection error: {}", e);
+                eprintln!("connection error: {e}");
            }
        });
@@ -57,7 +60,7 @@ pub async fn get_installed_extensions(mut conf: Config) -> Result<InstalledExten
        let (client, connection) = conf.connect(NoTls).await?;
        tokio::spawn(async move {
            if let Err(e) = connection.await {
-                eprintln!("connection error: {}", e);
+                eprintln!("connection error: {e}");
            }
        });
--- a/compute_tools/src/lib.rs
+++ b/compute_tools/src/lib.rs
@@ -12,6 +12,7 @@ pub mod logger;
 pub mod catalog;
 pub mod compute;
 pub mod compute_prewarm;
 pub mod compute_promote;
 pub mod disk_quota;
 pub mod extension_server;
 pub mod installed_extensions;
@@ -22,6 +23,7 @@ mod migration;
 pub mod monitor;
 pub mod params;
 pub mod pg_helpers;
 pub mod pgbouncer;
 pub mod rsyslog;
 pub mod spec;
 mod spec_apply;
--- a/compute_tools/src/lsn_lease.rs
+++ b/compute_tools/src/lsn_lease.rs
@@ -4,7 +4,9 @@ use std::thread;
 use std::time::{Duration, SystemTime};
 use anyhow::{Result, bail};
-use compute_api::spec::ComputeMode;
+use compute_api::spec::{ComputeMode, PageserverProtocol};
 use itertools::Itertools as _;
 use pageserver_page_api as page_api;
 use postgres::{NoTls, SimpleQueryMessage};
 use tracing::{info, warn};
 use utils::id::{TenantId, TimelineId};
@@ -76,25 +78,17 @@ fn acquire_lsn_lease_with_retry(
    loop {
        // Note: List of pageservers is dynamic, need to re-read configs before each attempt.
-        let configs = {
+        let (connstrings, auth) = {
            let state = compute.state.lock().unwrap();
            let spec = state.pspec.as_ref().expect("spec must be set");
-
+            (
-            let conn_strings = spec.pageserver_connstr.split(',');
+                spec.pageserver_connstr.clone(),
-
+                spec.storage_auth_token.clone(),
-            conn_strings
+            )
                .map(|connstr| {
                    let mut config = postgres::Config::from_str(connstr).expect("Invalid connstr");
                    if let Some(storage_auth_token) = &spec.storage_auth_token {
                        config.password(storage_auth_token.clone());
                    }
                    config
                })
                .collect::<Vec<_>>()
        };
-        let result = try_acquire_lsn_lease(tenant_id, timeline_id, lsn, &configs);
+        let result =
            try_acquire_lsn_lease(&connstrings, auth.as_deref(), tenant_id, timeline_id, lsn);
        match result {
            Ok(Some(res)) => {
                return Ok(res);
@@ -116,68 +110,104 @@ fn acquire_lsn_lease_with_retry(
    }
 }
-/// Tries to acquire an LSN lease through PS page_service API.
+/// Tries to acquire LSN leases on all Pageserver shards.
 fn try_acquire_lsn_lease(
    connstrings: &str,
    auth: Option<&str>,
    tenant_id: TenantId,
    timeline_id: TimelineId,
    lsn: Lsn,
    configs: &[postgres::Config],
 ) -> Result<Option<SystemTime>> {
-    fn get_valid_until(
+    let connstrings = connstrings.split(',').collect_vec();
-        config: &postgres::Config,
+    let shard_count = connstrings.len();
-        tenant_shard_id: TenantShardId,
+    let mut leases = Vec::new();
-        timeline_id: TimelineId,
+
-        lsn: Lsn,
+    for (shard_number, &connstring) in connstrings.iter().enumerate() {
-    ) -> Result<Option<SystemTime>> {
+        let tenant_shard_id = match shard_count {
-        let mut client = config.connect(NoTls)?;
+            0 | 1 => TenantShardId::unsharded(tenant_id),
-        let cmd = format!("lease lsn {} {} {} ", tenant_shard_id, timeline_id, lsn);
+            shard_count => TenantShardId {
-        let res = client.simple_query(&cmd)?;
+                tenant_id,
-        let msg = match res.first() {
+                shard_number: ShardNumber(shard_number as u8),
-            Some(msg) => msg,
+                shard_count: ShardCount::new(shard_count as u8),
-            None => bail!("empty response"),
+            },
        };
        let row = match msg {
            SimpleQueryMessage::Row(row) => row,
            _ => bail!("error parsing lsn lease response"),
        };
-        // Note: this will be None if a lease is explicitly not granted.
+        let lease = match PageserverProtocol::from_connstring(connstring)? {
-        let valid_until_str = row.get("valid_until");
+            PageserverProtocol::Libpq => {
-
+                acquire_lsn_lease_libpq(connstring, auth, tenant_shard_id, timeline_id, lsn)?
-        let valid_until = valid_until_str.map(|s| {
+            }
-            SystemTime::UNIX_EPOCH
+            PageserverProtocol::Grpc => {
-                .checked_add(Duration::from_millis(u128::from_str(s).unwrap() as u64))
+                acquire_lsn_lease_grpc(connstring, auth, tenant_shard_id, timeline_id, lsn)?
-                .expect("Time larger than max SystemTime could handle")
+            }
-        });
+        };
-        Ok(valid_until)
+        leases.push(lease);
    }
-    let shard_count = configs.len();
+    Ok(leases.into_iter().min().flatten())
 }
-    let valid_until = if shard_count > 1 {
+/// Acquires an LSN lease on a single shard, using the libpq API. The connstring must use a
-        configs
+/// postgresql:// scheme.
-            .iter()
+fn acquire_lsn_lease_libpq(
-            .enumerate()
+    connstring: &str,
-            .map(|(shard_number, config)| {
+    auth: Option<&str>,
-                let tenant_shard_id = TenantShardId {
+    tenant_shard_id: TenantShardId,
-                    tenant_id,
+    timeline_id: TimelineId,
-                    shard_count: ShardCount::new(shard_count as u8),
+    lsn: Lsn,
-                    shard_number: ShardNumber(shard_number as u8),
+) -> Result<Option<SystemTime>> {
-                };
+    let mut config = postgres::Config::from_str(connstring)?;
-                get_valid_until(config, tenant_shard_id, timeline_id, lsn)
+    if let Some(auth) = auth {
-            })
+        config.password(auth);
-            .collect::<Result<Vec<Option<SystemTime>>>>()?
+    }
-            .into_iter()
+    let mut client = config.connect(NoTls)?;
-            .min()
+    let cmd = format!("lease lsn {tenant_shard_id} {timeline_id} {lsn} ");
-            .unwrap()
+    let res = client.simple_query(&cmd)?;
-    } else {
+    let msg = match res.first() {
-        get_valid_until(
+        Some(msg) => msg,
-            &configs[0],
+        None => bail!("empty response"),
-            TenantShardId::unsharded(tenant_id),
+    };
-            timeline_id,
+    let row = match msg {
-            lsn,
+        SimpleQueryMessage::Row(row) => row,
-        )?
+        _ => bail!("error parsing lsn lease response"),
    };
    // Note: this will be None if a lease is explicitly not granted.
    let valid_until_str = row.get("valid_until");
    let valid_until = valid_until_str.map(|s| {
        SystemTime::UNIX_EPOCH
            .checked_add(Duration::from_millis(u128::from_str(s).unwrap() as u64))
            .expect("Time larger than max SystemTime could handle")
    });
    Ok(valid_until)
 }
 /// Acquires an LSN lease on a single shard, using the gRPC API. The connstring must use a
 /// grpc:// scheme.
 fn acquire_lsn_lease_grpc(
    connstring: &str,
    auth: Option<&str>,
    tenant_shard_id: TenantShardId,
    timeline_id: TimelineId,
    lsn: Lsn,
 ) -> Result<Option<SystemTime>> {
    tokio::runtime::Handle::current().block_on(async move {
        let mut client = page_api::Client::connect(
            connstring.to_string(),
            tenant_shard_id.tenant_id,
            timeline_id,
            tenant_shard_id.to_index(),
            auth.map(String::from),
            None,
        )
        .await?;
        let req = page_api::LeaseLsnRequest { lsn };
        match client.lease_lsn(req).await {
            Ok(expires) => Ok(Some(expires)),
            // Lease couldn't be acquired because the LSN has been garbage collected.
            Err(err) if err.code() == tonic::Code::FailedPrecondition => Ok(None),
            Err(err) => Err(err.into()),
        }
    })
 }
--- a/compute_tools/src/metrics.rs
+++ b/compute_tools/src/metrics.rs
@@ -97,20 +97,34 @@ pub(crate) static PG_TOTAL_DOWNTIME_MS: Lazy<GenericCounter<AtomicU64>> = Lazy::
    .expect("failed to define a metric")
 });
-/// Needed as neon.file_cache_prewarm_batch == 0 doesn't mean we never tried to prewarm.
+pub(crate) static LFC_PREWARMS: Lazy<IntCounter> = Lazy::new(|| {
 /// On the other hand, LFC_PREWARMED_PAGES is excessive as we can GET /lfc/prewarm
 pub(crate) static LFC_PREWARM_REQUESTS: Lazy<IntCounter> = Lazy::new(|| {
    register_int_counter!(
-        "compute_ctl_lfc_prewarm_requests_total",
+        "compute_ctl_lfc_prewarms_total",
-        "Total number of LFC prewarm requests made by compute_ctl",
+        "Total number of LFC prewarms requested by compute_ctl or autoprewarm option",
    )
    .expect("failed to define a metric")
 });
-pub(crate) static LFC_OFFLOAD_REQUESTS: Lazy<IntCounter> = Lazy::new(|| {
+pub(crate) static LFC_PREWARM_ERRORS: Lazy<IntCounter> = Lazy::new(|| {
    register_int_counter!(
-        "compute_ctl_lfc_offload_requests_total",
+        "compute_ctl_lfc_prewarm_errors_total",
-        "Total number of LFC offload requests made by compute_ctl",
+        "Total number of LFC prewarm errors",
    )
    .expect("failed to define a metric")
 });
 pub(crate) static LFC_OFFLOADS: Lazy<IntCounter> = Lazy::new(|| {
    register_int_counter!(
        "compute_ctl_lfc_offloads_total",
        "Total number of LFC offloads requested by compute_ctl or lfc_offload_period_seconds option",
    )
    .expect("failed to define a metric")
 });
 pub(crate) static LFC_OFFLOAD_ERRORS: Lazy<IntCounter> = Lazy::new(|| {
    register_int_counter!(
        "compute_ctl_lfc_offload_errors_total",
        "Total number of LFC offload errors",
    )
    .expect("failed to define a metric")
 });
@@ -124,7 +138,9 @@ pub fn collect() -> Vec<MetricFamily> {
    metrics.extend(AUDIT_LOG_DIR_SIZE.collect());
    metrics.extend(PG_CURR_DOWNTIME_MS.collect());
    metrics.extend(PG_TOTAL_DOWNTIME_MS.collect());
-    metrics.extend(LFC_PREWARM_REQUESTS.collect());
+    metrics.extend(LFC_PREWARMS.collect());
-    metrics.extend(LFC_OFFLOAD_REQUESTS.collect());
+    metrics.extend(LFC_PREWARM_ERRORS.collect());
    metrics.extend(LFC_OFFLOADS.collect());
    metrics.extend(LFC_OFFLOAD_ERRORS.collect());
    metrics
 }
--- a/compute_tools/src/migrations/0001-add_bypass_rls_to_privileged_role.sql
+++ b/compute_tools/src/migrations/0001-add_bypass_rls_to_privileged_role.sql
@@ -0,0 +1 @@
 ALTER ROLE {privileged_role_name} BYPASSRLS;
--- a/compute_tools/src/migrations/0001-neon_superuser_bypass_rls.sql
+++ b/compute_tools/src/migrations/0001-neon_superuser_bypass_rls.sql
@@ -1 +0,0 @@
 ALTER ROLE neon_superuser BYPASSRLS;
--- a/compute_tools/src/migrations/0002-alter_roles.sql
+++ b/compute_tools/src/migrations/0002-alter_roles.sql
@@ -1,8 +1,21 @@
 -- On December 8th, 2023, an engineering escalation (INC-110) was opened after
 -- it was found that BYPASSRLS was being applied to all roles.
 --
 -- PR that introduced the issue: https://github.com/neondatabase/neon/pull/5657
 -- Subsequent commit on main: https://github.com/neondatabase/neon/commit/ad99fa5f0393e2679e5323df653c508ffa0ac072
 --
 -- NOBYPASSRLS and INHERIT are the defaults for a Postgres role, but because it
 -- isn't easy to know if a Postgres cluster is affected by the issue, we need to
 -- keep the migration around for a long time, if not indefinitely, so any
 -- cluster can be fixed.
 --
 -- Branching is the gift that keeps on giving...
 DO $$
 DECLARE
    role_name text;
 BEGIN
-    FOR role_name IN SELECT rolname FROM pg_roles WHERE pg_has_role(rolname, 'neon_superuser', 'member')
+    FOR role_name IN SELECT rolname FROM pg_roles WHERE pg_has_role(rolname, '{privileged_role_name}', 'member')
    LOOP
        RAISE NOTICE 'EXECUTING ALTER ROLE % INHERIT', quote_ident(role_name);
        EXECUTE 'ALTER ROLE ' || quote_ident(role_name) || ' INHERIT';
@@ -10,7 +23,7 @@ BEGIN
    FOR role_name IN SELECT rolname FROM pg_roles
        WHERE
-            NOT pg_has_role(rolname, 'neon_superuser', 'member') AND NOT starts_with(rolname, 'pg_')
+            NOT pg_has_role(rolname, '{privileged_role_name}', 'member') AND NOT starts_with(rolname, 'pg_')
    LOOP
        RAISE NOTICE 'EXECUTING ALTER ROLE % NOBYPASSRLS', quote_ident(role_name);
        EXECUTE 'ALTER ROLE ' || quote_ident(role_name) || ' NOBYPASSRLS';
--- a/compute_tools/src/migrations/0003-grant_pg_create_subscription_to_privileged_role.sql
+++ b/compute_tools/src/migrations/0003-grant_pg_create_subscription_to_privileged_role.sql
@@ -1,6 +1,6 @@
 DO $$
 BEGIN
    IF (SELECT setting::numeric >= 160000 FROM pg_settings WHERE name = 'server_version_num') THEN
-        EXECUTE 'GRANT pg_create_subscription TO neon_superuser';
+        EXECUTE 'GRANT pg_create_subscription TO {privileged_role_name}';
    END IF;
 END $$;
--- a/compute_tools/src/migrations/0004-grant_pg_monitor_to_neon_superuser.sql
+++ b/compute_tools/src/migrations/0004-grant_pg_monitor_to_neon_superuser.sql
@@ -1 +0,0 @@
 GRANT pg_monitor TO neon_superuser WITH ADMIN OPTION;
--- a/compute_tools/src/migrations/0004-grant_pg_monitor_to_privileged_role.sql
+++ b/compute_tools/src/migrations/0004-grant_pg_monitor_to_privileged_role.sql
@@ -0,0 +1 @@
 GRANT pg_monitor TO {privileged_role_name} WITH ADMIN OPTION;
--- a/compute_tools/src/migrations/0005-grant_all_on_tables_to_privileged_role.sql
+++ b/compute_tools/src/migrations/0005-grant_all_on_tables_to_privileged_role.sql
@@ -1,4 +1,4 @@
 -- SKIP: Deemed insufficient for allowing relations created by extensions to be
--       interacted with by neon_superuser without permission issues.
+--       interacted with by {privileged_role_name} without permission issues.
-ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO neon_superuser;
+ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO {privileged_role_name};
--- a/compute_tools/src/migrations/0006-grant_all_on_sequences_to_privileged_role.sql
+++ b/compute_tools/src/migrations/0006-grant_all_on_sequences_to_privileged_role.sql
@@ -1,4 +1,4 @@
 -- SKIP: Deemed insufficient for allowing relations created by extensions to be
--       interacted with by neon_superuser without permission issues.
+--       interacted with by {privileged_role_name} without permission issues.
-ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO neon_superuser;
+ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO {privileged_role_name};
--- a/compute_tools/src/migrations/0007-grant_all_on_tables_with_grant_option_to_privileged_role.sql
+++ b/compute_tools/src/migrations/0007-grant_all_on_tables_with_grant_option_to_privileged_role.sql
@@ -1,3 +1,3 @@
 -- SKIP: Moved inline to the handle_grants() functions.
-ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO neon_superuser WITH GRANT OPTION;
+ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO {privileged_role_name} WITH GRANT OPTION;
--- a/compute_tools/src/migrations/0008-grant_all_on_sequences_with_grant_option_to_privileged_role.sql
+++ b/compute_tools/src/migrations/0008-grant_all_on_sequences_with_grant_option_to_privileged_role.sql
@@ -1,3 +1,3 @@
 -- SKIP: Moved inline to the handle_grants() functions.
-ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO neon_superuser WITH GRANT OPTION;
+ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO {privileged_role_name} WITH GRANT OPTION;
--- a/compute_tools/src/migrations/0010-grant_snapshot_synchronization_funcs_to_privileged_role.sql
+++ b/compute_tools/src/migrations/0010-grant_snapshot_synchronization_funcs_to_privileged_role.sql
@@ -1,7 +1,7 @@
 DO $$
 BEGIN
    IF (SELECT setting::numeric >= 160000 FROM pg_settings WHERE name = 'server_version_num') THEN
-       EXECUTE 'GRANT EXECUTE ON FUNCTION pg_export_snapshot TO neon_superuser';
+       EXECUTE 'GRANT EXECUTE ON FUNCTION pg_export_snapshot TO {privileged_role_name}';
-       EXECUTE 'GRANT EXECUTE ON FUNCTION pg_log_standby_snapshot TO neon_superuser';
+       EXECUTE 'GRANT EXECUTE ON FUNCTION pg_log_standby_snapshot TO {privileged_role_name}';
    END IF;
 END $$;
--- a/compute_tools/src/migrations/0011-grant_pg_show_replication_origin_status_to_neon_superuser.sql
+++ b/compute_tools/src/migrations/0011-grant_pg_show_replication_origin_status_to_neon_superuser.sql
@@ -1 +0,0 @@
 GRANT EXECUTE ON FUNCTION pg_show_replication_origin_status TO neon_superuser;
--- a/compute_tools/src/migrations/0011-grant_pg_show_replication_origin_status_to_privileged_role.sql
+++ b/compute_tools/src/migrations/0011-grant_pg_show_replication_origin_status_to_privileged_role.sql
@@ -0,0 +1 @@
 GRANT EXECUTE ON FUNCTION pg_show_replication_origin_status TO {privileged_role_name};
--- a/compute_tools/src/migrations/0012-grant_pg_signal_backend_to_privileged_role.sql
+++ b/compute_tools/src/migrations/0012-grant_pg_signal_backend_to_privileged_role.sql
@@ -0,0 +1 @@
 GRANT pg_signal_backend TO {privileged_role_name} WITH ADMIN OPTION;
--- a/compute_tools/src/migrations/tests/0001-add_bypass_rls_to_privileged_role.sql
+++ b/compute_tools/src/migrations/tests/0001-add_bypass_rls_to_privileged_role.sql
--- a/compute_tools/src/migrations/tests/0003-grant_pg_create_subscription_to_privileged_role.sql
+++ b/compute_tools/src/migrations/tests/0003-grant_pg_create_subscription_to_privileged_role.sql
--- a/compute_tools/src/migrations/tests/0004-grant_pg_monitor_to_privileged_role.sql
+++ b/compute_tools/src/migrations/tests/0004-grant_pg_monitor_to_privileged_role.sql
@@ -7,13 +7,17 @@ BEGIN
        INTO monitor
        FROM pg_auth_members
        WHERE roleid = 'pg_monitor'::regrole
-            AND member = 'pg_monitor'::regrole;
+            AND member = 'neon_superuser'::regrole;
-    IF NOT monitor.member THEN
+    IF monitor IS NULL THEN
        RAISE EXCEPTION 'no entry in pg_auth_members for neon_superuser and pg_monitor';
    END IF;
    IF monitor.admin IS NULL OR NOT monitor.member THEN
        RAISE EXCEPTION 'neon_superuser is not a member of pg_monitor';
    END IF;
-    IF NOT monitor.admin THEN
+    IF monitor.admin IS NULL OR NOT monitor.admin THEN
        RAISE EXCEPTION 'neon_superuser cannot grant pg_monitor';
    END IF;
 END $$;
--- a/compute_tools/src/migrations/tests/0005-grant_all_on_tables_to_privileged_role.sql
+++ b/compute_tools/src/migrations/tests/0005-grant_all_on_tables_to_privileged_role.sql
--- a/compute_tools/src/migrations/tests/0006-grant_all_on_sequences_to_privileged_role.sql
+++ b/compute_tools/src/migrations/tests/0006-grant_all_on_sequences_to_privileged_role.sql
--- a/compute_tools/src/migrations/tests/0007-grant_all_on_tables_with_grant_option_to_privileged_role.sql
+++ b/compute_tools/src/migrations/tests/0007-grant_all_on_tables_with_grant_option_to_privileged_role.sql
--- a/compute_tools/src/migrations/tests/0008-grant_all_on_sequences_with_grant_option_to_privileged_role.sql
+++ b/compute_tools/src/migrations/tests/0008-grant_all_on_sequences_with_grant_option_to_privileged_role.sql
--- a/compute_tools/src/migrations/tests/0010-grant_snapshot_synchronization_funcs_to_privileged_role.sql
+++ b/compute_tools/src/migrations/tests/0010-grant_snapshot_synchronization_funcs_to_privileged_role.sql
--- a/compute_tools/src/migrations/tests/0011-grant_pg_show_replication_origin_status_to_privileged_role.sql
+++ b/compute_tools/src/migrations/tests/0011-grant_pg_show_replication_origin_status_to_privileged_role.sql
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1 @@`
							`ALTER ROLE {privileged_role_name} BYPASSRLS;`
		`@@ -1 +0,0 @@`
			`GRANT pg_monitor TO neon_superuser WITH ADMIN OPTION;`
		`@@ -0,0 +1 @@`
							`GRANT pg_monitor TO {privileged_role_name} WITH ADMIN OPTION;`
`@@ -1,3 +1,3 @@`
	`-- SKIP: Moved inline to the handle_grants() functions.`	`-- SKIP: Moved inline to the handle_grants() functions.`

	`ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO neon_superuser WITH GRANT OPTION;`	`ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO {privileged_role_name} WITH GRANT OPTION;`
		`@@ -1 +0,0 @@`
			`GRANT EXECUTE ON FUNCTION pg_show_replication_origin_status TO neon_superuser;`
		`@@ -0,0 +1 @@`
							`GRANT pg_signal_backend TO {privileged_role_name} WITH ADMIN OPTION;`