Make Postgres usage easier to debug and safer when writes fail

[ff137]

What we’re changing

OpenDota talks to PostgreSQL from several places at once: the main API, the SQL explorer, and background workers that pull jobs from a queue. This PR does three small things:

1. Give each kind of connection a clear name so that when someone looks at database activity, they can tell whether traffic is coming from the normal API, the explorer, or a queue worker—not just a bunch of anonymous connections.

2. Add optional knobs for timeouts on the main database pool (off by default). If the team turns them on via environment variables, queries and idle-in-transaction sessions can be capped so a stuck job is less likely to hold a connection forever.

3. When a batch of database writes fails midway, we cancel that batch properly (rollback) in the places we touched, instead of leaving the database session in an awkward state. That reduces risk of pool weirdness after errors.

Why we think this helps

We’ve seen symptoms that look like the database running out of capacity or connections (too many clients already, slow periods that improve after restarts). That can come from many processes sharing one server, heavy endpoints, or errors mid-write. This PR doesn’t try to fix that—it improves observability (named connections), adds optional guardrails (timeouts you can enable gradually), and fixes a real footgun (failed transactions not always rolled back). Those are low-risk, reviewable steps before bigger changes (explorer limits, worker concurrency, etc.).

How it works

• Each connection type sets a PostgreSQL application_name like odota:<service>:knex, ...:explorer, or ...:queue:<queue>:<slot>.
• New env vars (POSTGRES_STATEMENT_TIMEOUT_MS, POSTGRES_LOCK_TIMEOUT_MS, POSTGRES_IDLE_IN_TRANSACTION_SESSION_TIMEOUT_MS) are empty by default; when set to a number, new connections run the matching SET ... so ops can tune without code changes.
• insertMatch, the rater loop, and Stripe subscriber sync wrap their manual transactions in try / catch, call rollback on failure, then rethrow so existing behavior and error handling stay the same—only the cleanup path is explicit.

What we’re not doing here

• No change to public API behavior, explorer SQL surface, or rate limits.
• No mandatory timeout rollout—defaults stay “off” until you set env vars.

Suggested review focus

• Are the application_name strings and env var names acceptable for your deployment?
• Any objection to enabling timeouts in staging first (e.g. statement timeout only)?

Co-authored-by: Cursor cursoragent@cursor.com

[builder-247]

I feel like having this length validation is an overkill (an LLM-ism, I presume)

[ff137]

100%, it is agent-assisted coding. Here it's one of those "solving a problem before it's a problem" things. So it's good, any name will work now, because it normalises the input. But at the same time, it's not really helpful when it wasn't a problem yet. I didn't ask it to solve it, but it's technically good, and once it's produced, we may as well keep it 🤷‍♂️

[howardchung]

I think we could accept the try/catch wrapping in a separate PR--I think the current behavior is that the thrown exception causes the process to crash which should also end the transaction, but probably good to roll it back earlier so we don't have to wait for timeout.

The other changes are a bit more involved so I'd like to hold off on those