fix: fail fast on transient DB errors in custom domain verification

https://linear.app/speakeasy/issue/AGE-1630/bug-do-not-create-domains-on-transient-lookup-errors

Previously, any error from `GetCustomDomainByDomain` triggered domain
creation. Now only `pgx.ErrNoRows` does — other errors (e.g. connection
failures) return immediately instead of creating spurious domain records.

Also extracts DNS lookups into a `dns.Resolver` interface to enable
unit testing, and adds 13 tests covering domain creation, error handling,
DNS verification, and the transient error fix.

Author: bflad

.changeset/fix-transient-domain-lookup.md

@@ -0,0 +1,5 @@
+---
+"server": patch
+---
+
+Fix custom domain verification to fail fast on transient database errors instead of incorrectly creating a new domain record

server/internal/background/activities/verify_custom_domain.go

@@ -5,17 +5,18 @@ import (
 	"errors"
 	"fmt"
 	"log/slog"
-	"net"
 	"regexp"
 	"slices"
 	"strings"
 
+	"github.com/jackc/pgx/v5"
 	"github.com/jackc/pgx/v5/pgxpool"
 
 	"github.com/speakeasy-api/gram/server/internal/attr"
 	"github.com/speakeasy-api/gram/server/internal/audit"
 	"github.com/speakeasy-api/gram/server/internal/conv"
 	customdomainsRepo "github.com/speakeasy-api/gram/server/internal/customdomains/repo"
+	"github.com/speakeasy-api/gram/server/internal/dns"
 	"github.com/speakeasy-api/gram/server/internal/o11y"
 	"github.com/speakeasy-api/gram/server/internal/oops"
 	"github.com/speakeasy-api/gram/server/internal/urn"
@@ -25,16 +26,23 @@ type VerifyCustomDomain struct {
 	db                  *pgxpool.Pool
 	logger              *slog.Logger
 	expectedTargetCNAME string
+	resolver            dns.Resolver
 }
 
 func NewVerifyCustomDomain(logger *slog.Logger, db *pgxpool.Pool, expectedTargetCNAME string) *VerifyCustomDomain {
 	return &VerifyCustomDomain{
 		db:                  db,
 		logger:              logger,
 		expectedTargetCNAME: expectedTargetCNAME,
+		resolver:            dns.NetResolver{},
 	}
 }
 
+// SetResolver replaces the DNS resolver. Intended for testing.
+func (d *VerifyCustomDomain) SetResolver(r dns.Resolver) {
+	d.resolver = r
+}
+
 type VerifyCustomDomainArgs struct {
 	OrgID         string
 	Domain        string
@@ -66,7 +74,10 @@ func (d *VerifyCustomDomain) Do(ctx context.Context, args VerifyCustomDomainArgs
 	cdr := customdomainsRepo.New(dbtx)
 
 	domain, err := cdr.GetCustomDomainByDomain(ctx, args.Domain)
-	if err != nil {
+	switch {
+	case err == nil:
+		// Domain already exists, continue
+	case errors.Is(err, pgx.ErrNoRows):
 		// Create a new unverified domain entry
 		domain, err = cdr.CreateCustomDomain(ctx, customdomainsRepo.CreateCustomDomainParams{
 			OrganizationID: args.OrgID,
@@ -88,6 +99,8 @@ func (d *VerifyCustomDomain) Do(ctx context.Context, args VerifyCustomDomainArgs
 		}); err != nil {
 			return oops.E(oops.CodeUnexpected, err, "failed to create custom domain creation audit log").Log(ctx, d.logger)
 		}
+	default:
+		return oops.E(oops.CodeUnexpected, err, "failed to get custom domain").Log(ctx, d.logger)
 	}
 
 	if err := dbtx.Commit(ctx); err != nil {
@@ -98,11 +111,11 @@ func (d *VerifyCustomDomain) Do(ctx context.Context, args VerifyCustomDomainArgs
 		return oops.E(oops.CodeUnauthorized, errors.New("custom domain does not belong to organization"), "custom domain does not belong to organization").Log(ctx, d.logger)
 	}
 
-	cname, err := net.LookupCNAME(domain.Domain)
+	cname, err := d.resolver.LookupCNAME(domain.Domain)
 	if err != nil {
 		d.logger.InfoContext(ctx, "CNAME lookup failed for domain", attr.SlogURLDomain(domain.Domain), attr.SlogError(err))
 		// Provide more info if an A record exists
-		ips, aErr := net.LookupHost(domain.Domain)
+		ips, aErr := d.resolver.LookupHost(domain.Domain)
 		if aErr == nil && len(ips) > 0 {
 			d.logger.InfoContext(ctx, fmt.Sprintf("CNAME not found. Found A record(s): %s", strings.Join(ips, ", ")))
 		} else {
@@ -117,7 +130,7 @@ func (d *VerifyCustomDomain) Do(ctx context.Context, args VerifyCustomDomainArgs
 	}
 
 	txtName := "_gram." + domain.Domain
-	txts, err := net.LookupTXT(txtName)
+	txts, err := d.resolver.LookupTXT(txtName)
 	if err != nil {
 		return oops.E(oops.CodeUnexpected, err, "failed to find TXT record for %s", txtName).Log(ctx, d.logger)
 	}