fix(cdr): recover from missing CDR tables and enable WAL (#1000, #1019)

WorkerCallEvents/WorkerCdr crash-loop with PDOException "no such table:
cdr" (Sentry #27651, 2600+ events on 3 servers) when the CDR database
file is recreated empty after corruption or a storage remount. Adds
runtime recovery via DatabaseProviderBase::ensureCdrTables() called at
both worker startups, serialised through MutexProvider so the parallel
WorkerSafeScripts Fiber restarts cannot race on
createUpdateDbTableByAnnotations(). Wraps the known crash points
(InsertDataToDB::execute, UpdateDataInDB::execute, ActionHangupChan::execute,
CallDetailRecordsTmp::afterSave move-to-cdr_general, and
WorkerCallEvents::deleteOldRecords) in try/catch so a missing table no
longer takes the whole worker down. deleteOldRecords also
parameterises its DELETE and short-circuits via tableExists() to avoid
spamming Sentry every minute when recovery failed.

Closes #1019: PRAGMA journal_mode=WAL, busy_timeout=5000,
synchronous=NORMAL, cache_size and temp_store now apply to
CDRDatabaseProvider and RecordingStorageDatabaseProvider in addition
to MainDatabaseProvider. With WAL, REST API readers
(WorkerApiCommands x3, AGI CdrDb.php, voicemail-sender) no longer
block the WorkerCallEvents writer. WAL is gated on
isWalSafeFilesystem() which reads /proc/mounts and falls back to
rollback journal on NFS/CIFS/SSHFS/davfs/glusterfs/ceph/lustre/gpfs
(WAL shared-memory mmap is unsafe on network filesystems).

DeleteRecordAction now dispatches deletion through a new
WorkerCdr::DELETE_CDR_TUBE Beanstalk queue handled by DeleteCDR inside
WorkerCallEvents, restoring the single-writer contract on cdr.db and
preventing parallel writes between WorkerApiCommands and the call
event worker. The action keeps its input validation in the REST
context, checks BeanstalkClient::isConnected() (the constructor
swallows connect errors), uses a 60s worker timeout for cascade
deletes on slow USB storage, and forwards the request as a single
sendRequest. DeleteCDR carries the previously-private deletion
helpers, JSON-encodes the audit context to prevent log injection,
uses JSON_THROW_ON_ERROR | JSON_INVALID_UTF8_SUBSTITUTE for replies,
and refuses to unlink recording files outside
Directories::AST_MONITOR_DIR via realpath + base prefix check.

Verification on a live mikopbx container:
- DROP TABLE cdr; cdr_general → SIGUSR1 → WorkerSafeScripts restart
  rebuilds both tables via annotations and only one of the two
  parallel workers logs "CDR tables missing" (mutex confirmed).
- cdr.db PRAGMA journal_mode = wal after recovery; -wal/-shm files
  present.
- DELETE /cdr/<id> single, DELETE /cdr/mikopbx-* cascade (3 records),
  404 on missing id, 400 on invalid format, 400 on empty id all
  return correct httpCode and JSON shape.
- No PDOException, "no such table", or "Refused to delete" entries
  in syslog after the cycle.

Author: Alexey Portnov

src/Common/Models/CallDetailRecordsTmp.php

@@ -89,17 +89,23 @@ public function afterSave(): void
         // If work is completed (value of 'work_completed' is '1') and should be moved to general CDR,
         // create a new CallDetailRecords instance and copy relevant attributes.
         if ($work_completed === '1' && $moveToGeneral) {
-            $newCdr = new CallDetailRecords();
-            $vars = $this->toArray();
-            foreach ($vars as $key => $value) {
-                if ('id' === $key) {
-                    continue;
-                }
-                if (property_exists($newCdr, $key)) {
-                    $newCdr->writeAttribute($key, $value);
+            try {
+                $newCdr = new CallDetailRecords();
+                $vars = $this->toArray();
+                foreach ($vars as $key => $value) {
+                    if ('id' === $key) {
+                        continue;
+                    }
+                    if (property_exists($newCdr, $key)) {
+                        $newCdr->writeAttribute($key, $value);
+                    }
                 }
+                $newCdr->save();
+            } catch (Throwable $e) {
+                // Prevent crash loop when cdr_general table is missing (issue #1000).
+                // The temporary record remains in `cdr` and will be retried by WorkerCdr.
+                CriticalErrorsHandler::handleExceptionWithSyslog($e);
             }
-            $newCdr->save();
         }
         $this->saveCdrCache();
     }

src/Common/Providers/DatabaseProviderBase.php

@@ -22,13 +22,18 @@
 namespace MikoPBX\Common\Providers;
 
 
+use MikoPBX\Common\Models\CallDetailRecords;
+use MikoPBX\Common\Models\CallDetailRecordsTmp;
+use MikoPBX\Core\System\SystemMessages;
 use MikoPBX\Core\System\System;
+use MikoPBX\Core\System\Upgrade\UpdateDatabase;
 use MikoPBX\Core\System\Util;
 use Phalcon\Di\Di;
 use Phalcon\Di\DiInterface;
 use Phalcon\Events\Manager as EventsManager;
 use Phalcon\Logger\Adapter\Stream as FileLogger;
 use Phalcon\Logger\Logger;
+use Throwable;
 
 /**
  * Main database connection is created based in the parameters defined in the configuration file
@@ -99,21 +104,38 @@ function () use ($dbConfig, $serviceName) {
                  */
                 $connection->setNestedTransactionsWithSavepoints(false);
 
-                if (!System::isBooting() && $serviceName === MainDatabaseProvider::SERVICE_NAME) {
+                $optimizedServices = [
+                    MainDatabaseProvider::SERVICE_NAME,
+                    CDRDatabaseProvider::SERVICE_NAME,
+                    RecordingStorageDatabaseProvider::SERVICE_NAME,
+                ];
+                if (!System::isBooting() && in_array($serviceName, $optimizedServices, true)) {
                     // Optimize SQLite for better concurrency
                     // Set busy timeout to 5 seconds - wait for lock instead of immediate failure
                     $connection->execute("PRAGMA busy_timeout = 5000");
-            
-                    // Keep WAL mode for better concurrency (already set, but ensure it)
-                    $connection->execute("PRAGMA journal_mode = WAL");
-            
+
+                    // WAL: readers don't block writers and vice versa, only one writer at a time.
+                    // Required for CDR database where WorkerCallEvents (writer) runs in parallel
+                    // with WorkerApiCommands (REST API readers) and Asterisk AGI CdrDb.php.
+                    // Skip on network filesystems (NFS/SMB/SSHFS) where WAL shared-memory is
+                    // unsafe and can corrupt the database — fall back to rollback journal.
+                    if (self::isWalSafeFilesystem($dbConfig['dbfile'])) {
+                        $connection->execute("PRAGMA journal_mode = WAL");
+                    } else {
+                        SystemMessages::sysLogMsg(
+                            self::class,
+                            "WAL disabled for {$serviceName}: filesystem under {$dbConfig['dbfile']} is not WAL-safe",
+                            LOG_NOTICE
+                        );
+                    }
+
                     // Use NORMAL synchronous mode for better performance while maintaining durability
                     // FULL is very safe but slower, NORMAL is good balance
                     $connection->execute("PRAGMA synchronous = NORMAL");
-            
+
                     // // Increase cache size to 10MB for better performance
                     $connection->execute("PRAGMA cache_size = -10000");
-            
+
                     // Use memory for temp tables
                     $connection->execute("PRAGMA temp_store = MEMORY");
                 }
@@ -168,6 +190,142 @@ function ($event, $connection) use ($logger) {
         $connection->setEventsManager($eventsManager);
     }
 
+    /**
+     * Ensures CDR tables (`cdr` and `cdr_general`) exist in the CDR database.
+     *
+     * Called at worker startup to recover from corruption or storage remount
+     * scenarios that cause the CDR database file to be recreated empty.
+     * Without this, WorkerCallEvents and WorkerCdr crash-loop with
+     * "no such table: cdr" (Sentry #27651, GitHub issue #1000).
+     *
+     * IMPORTANT: this method MUST only be called from a worker startup path,
+     * before any Phalcon model instance has been created in the current process.
+     * `recreateDBConnections()` re-registers DI services and invalidates any
+     * model instances that already cached a connection. Calling this from a
+     * mid-request context will silently break previously-loaded models.
+     *
+     * The static guard prevents accidental re-entry in the same process.
+     * The mutex serialises parallel `WorkerCallEvents`/`WorkerCdr` startup
+     * across processes (`WorkerSafeScriptsCore` restarts both via Fibers).
+     *
+     * All errors are caught and logged — recovery failures must not prevent
+     * the worker from starting, otherwise we trade a crash loop for a silent
+     * refusal to start.
+     */
+    public static function ensureCdrTables(): void
+    {
+        static $alreadyRun = false;
+        if ($alreadyRun) {
+            return;
+        }
+        $alreadyRun = true;
+
+        try {
+            $di = Di::getDefault();
+            if ($di === null) {
+                return;
+            }
+
+            $recovery = static function () use ($di): void {
+                /** @var \Phalcon\Db\Adapter\Pdo\Sqlite $connection */
+                $connection = $di->get(CDRDatabaseProvider::SERVICE_NAME);
+                if ($connection->tableExists('cdr') && $connection->tableExists('cdr_general')) {
+                    return;
+                }
+
+                SystemMessages::sysLogMsg(
+                    self::class,
+                    'CDR tables missing, recreating from model annotations',
+                    LOG_WARNING
+                );
+
+                $dbUpdater = new UpdateDatabase();
+                $dbUpdater->createUpdateDbTableByAnnotations(CallDetailRecordsTmp::class);
+                $dbUpdater->createUpdateDbTableByAnnotations(CallDetailRecords::class);
+
+                self::recreateDBConnections();
+            };
+
+            try {
+                /** @var \MikoPBX\Common\Providers\MutexProvider|object $mutex */
+                $mutex = $di->get(MutexProvider::SERVICE_NAME);
+                $mutex->synchronized('cdr-tables-recovery', $recovery, 30, 60);
+            } catch (Throwable $mutexError) {
+                // Mutex provider unavailable (e.g. Redis down at boot) — fall
+                // back to direct execution. SQLite's busy_timeout still
+                // serialises parallel CREATE TABLE attempts.
+                SystemMessages::sysLogMsg(
+                    self::class,
+                    'CDR recovery mutex unavailable, falling back: ' . $mutexError->getMessage(),
+                    LOG_NOTICE
+                );
+                $recovery();
+            }
+        } catch (Throwable $e) {
+            SystemMessages::sysLogMsg(
+                self::class,
+                'CDR tables recovery failed: ' . $e->getMessage(),
+                LOG_ERR
+            );
+        }
+    }
+
+    /**
+     * Determines whether the filesystem hosting the given DB file supports
+     * SQLite WAL safely. WAL relies on shared-memory mmap and atomic fsync
+     * which break on network filesystems (NFS/SMB/SSHFS) and may silently
+     * corrupt the database.
+     *
+     * Detection is best-effort: we read `/proc/mounts`, find the longest
+     * matching mount point for the given path, and reject known-unsafe
+     * filesystem types. On any error or unknown FS we default to ALLOWING
+     * WAL — that matches the previous behavior for MainDatabaseProvider
+     * and avoids surprising regressions on exotic local filesystems.
+     */
+    private static function isWalSafeFilesystem(string $dbFile): bool
+    {
+        $unsafeFsTypes = [
+            'nfs', 'nfs4', 'cifs', 'smb', 'smbfs', 'smb2', 'smb3',
+            'sshfs', 'davfs', 'glusterfs', 'ceph', 'lustre', 'gpfs',
+        ];
+
+        try {
+            $mountsContent = @file_get_contents('/proc/mounts');
+            if ($mountsContent === false || $mountsContent === '') {
+                return true;
+            }
+
+            $bestMatch = '';
+            $bestType = '';
+            foreach (explode("\n", $mountsContent) as $line) {
+                $parts = preg_split('/\s+/', trim($line));
+                if (!is_array($parts) || count($parts) < 3) {
+                    continue;
+                }
+                $mountPoint = $parts[1];
+                $fsType = $parts[2];
+                if ($mountPoint === '') {
+                    continue;
+                }
+                $needle = ($mountPoint === '/') ? '/' : $mountPoint . '/';
+                if (str_starts_with($dbFile . '/', $needle)
+                    && strlen($mountPoint) > strlen($bestMatch)
+                ) {
+                    $bestMatch = $mountPoint;
+                    $bestType = $fsType;
+                }
+            }
+
+            if ($bestType === '') {
+                return true;
+            }
+
+            return !in_array(strtolower($bestType), $unsafeFsTypes, true);
+        } catch (Throwable) {
+            return true;
+        }
+    }
+
     /**
      * Recreate DB connections after table structure changes
      */

src/Core/Workers/Libs/WorkerCallEvents/ActionHangupChan.php

@@ -20,12 +20,14 @@
 
 namespace MikoPBX\Core\Workers\Libs\WorkerCallEvents;
 
+use MikoPBX\Common\Handlers\CriticalErrorsHandler;
 use MikoPBX\Common\Models\CallDetailRecordsTmp;
 use MikoPBX\Core\Asterisk\AsteriskManager;
 use MikoPBX\Core\Asterisk\Configs\VoiceMailConf;
 use MikoPBX\Core\System\SystemMessages;
 use MikoPBX\Core\System\Util;
 use MikoPBX\Core\Workers\WorkerCallEvents;
+use Throwable;
 
 /**
  * Class ActionHangupChan
@@ -49,18 +51,23 @@ public static function execute(WorkerCallEvents $worker, array $data): void
         // Remove the agi_channel from the active channels in the worker.
         $worker->removeActiveChan($data['agi_channel']);
 
-        // Initialize arrays for channels and transfer calls.
-        $channels = [];
-        $transfer_calls = [];
+        try {
+            // Initialize arrays for channels and transfer calls.
+            $channels = [];
+            $transfer_calls = [];
 
-        // Hangup channel for end calls.
-        self::hangupChanEndCalls($worker, $data, $transfer_calls, $channels);
+            // Hangup channel for end calls.
+            self::hangupChanEndCalls($worker, $data, $transfer_calls, $channels);
 
-        // Check if it's a regular transfer.
-        CreateRowTransfer::execute($worker, 'hangup_chan', $data, $transfer_calls);
+            // Check if it's a regular transfer.
+            CreateRowTransfer::execute($worker, 'hangup_chan', $data, $transfer_calls);
 
-        // Check if it's a SIP transfer.
-        self::hangupChanCheckSipTrtansfer($worker, $data, $channels);
+            // Check if it's a SIP transfer.
+            self::hangupChanCheckSipTrtansfer($worker, $data, $channels);
+        } catch (Throwable $e) {
+            // Prevent crash loop when CDR DB is unavailable or table is missing (issue #1000).
+            CriticalErrorsHandler::handleExceptionWithSyslog($e);
+        }
 
         // Clear memory.
         if (isset($worker->checkChanHangupTransfer[$data['agi_channel']])) {