Improve multiGet, multiSet and multiMerge SQL operations

[fabioh8010]

Details

Slack proposal: https://expensify.slack.com/archives/C05LX9D6E07/p1770627746422309

This PR implements Solution 2 of the above proposal - Remove redundant json() wrappers

Related Issues

Expensify/App#80243

Automated Tests

N/A

Manual Tests

1. Open the app with a logged in account. Assert there are no new Onyx errors in console.
2. Go to a chat and send a message. Assert it works and there are noe new Onyx errors in console.

Author Checklist

• I linked the correct issue in the ### Related Issues section above
• I wrote clear testing steps that cover the changes made in this PR
  • I added steps for local testing in the Tests section
  • I tested this PR with a High Traffic account against the staging or production API to ensure there are no regressions (e.g. long loading states that impact usability).
• I included screenshots or videos for tests on all platforms
• I ran the tests on all platforms & verified they passed on:
  • Android / native
  • Android / Chrome
  • iOS / native
  • iOS / Safari
  • MacOS / Chrome / Safari
  • MacOS / Desktop
• I verified there are no console errors (if there's a console error not related to the PR, report it or open an issue for it to be fixed)
• I followed proper code patterns (see Reviewing the code)
  • I verified that any callback methods that were added or modified are named for what the method does and never what callback they handle (i.e. toggleReport and not onIconClick)
  • I verified that the left part of a conditional rendering a React component is a boolean and NOT a string, e.g. myBool && <MyComponent />.
  • I verified that comments were added to code that is not self explanatory
  • I verified that any new or modified comments were clear, correct English, and explained "why" the code was doing something instead of only explaining "what" the code was doing.
  • I verified proper file naming conventions were followed for any new files or renamed files. All non-platform specific files are named after what they export and are not named "index.js". All platform-specific files are named for the platform the code supports as outlined in the README.
  • I verified the JSDocs style guidelines (in STYLE.md) were followed
• If a new code pattern is added I verified it was agreed to be used by multiple Expensify engineers
• I followed the guidelines as stated in the Review Guidelines
• I tested other components that can be impacted by my changes (i.e. if the PR modifies a shared library or component like Avatar, I verified the components using Avatar are working as expected)
• I verified all code is DRY (the PR doesn't include any logic written more than once, with the exception of tests)
• I verified any variables that can be defined as constants (ie. in CONST.js or at the top of the file that uses the constant) are defined as such
• I verified that if a function's arguments changed that all usages have also been updated correctly
• If a new component is created I verified that:
  • A similar component doesn't exist in the codebase
  • All props are defined accurately and each prop has a /** comment above it */
  • The file is named correctly
  • The component has a clear name that is non-ambiguous and the purpose of the component can be inferred from the name alone
  • The only data being stored in the state is data necessary for rendering and nothing else
  • If we are not using the full Onyx data that we loaded, I've added the proper selector in order to ensure the component only re-renders when the data it is using changes
  • For Class Components, any internal methods passed to components event handlers are bound to this properly so there are no scoping issues (i.e. for onClick={this.submit} the method this.submit should be bound to this in the constructor)
  • Any internal methods bound to this are necessary to be bound (i.e. avoid this.submit = this.submit.bind(this); if this.submit is never passed to a component event handler like onClick)
  • All JSX used for rendering exists in the render method
  • The component has the minimum amount of code necessary for its purpose, and it is broken down into smaller components in order to separate concerns and functions
• If any new file was added I verified that:
  • The file has a description of what it does and/or why is needed at the top of the file if the code is not self explanatory
• If the PR modifies a generic component, I tested and verified that those changes do not break usages of that component in the rest of the App (i.e. if a shared library or component like Avatar is modified, I verified that Avatar is working as expected in all cases)
• If the main branch was merged into this PR after a review, I tested again and verified the outcome was still expected according to the Test steps.
• I have checked off every checkbox in the PR author checklist, including those that don't apply to this PR.

Screenshots/Videos

Android: Native

Screen.Recording.2026-02-24.at.08.46.56-compressed.mov

Android: mWeb Chrome

N/A

iOS: Native

Screen.Recording.2026-02-24.at.08.51.28-compressed.mov

iOS: mWeb Safari

N/A

MacOS: Chrome / Safari

N/A

MacOS: Desktop

N/A

[JKobrynski]

I agree with Vicky's comments, other than that LGTM!

[fabioh8010]

@tgolen Regarding your comment:

With solution 2, we should also maybe look at to see if there is a difference in removing the json() calls verses removing the JSON.stringify() calls. Maybe one of them is faster than the other?

Here's what Claude says:

⏺ The suggestion doesn't really make practical sense, and here's why:

  JSON.stringify() can't be removed. It's not doing the same job as json(). It
  serializes a JavaScript object into a string so it can cross the JS → native
  bridge → SQLite boundary. SQLite bindings only accept primitive types
  (strings, numbers, null, blobs) — you can't pass a JS object directly to a SQL
   query parameter.

  SQLite's json() doesn't "stringify" objects. It takes an already-valid JSON
  string as input, parses it, validates it, and re-serializes it (essentially
  normalizing it). So the current flow is:

  1. JS: JSON.stringify(value) → '{"a":1}' (JS object → string, necessary for
  the bridge)
  2. SQL: json('{"a":1}') → '{"a":1}' (string → parse → re-encode, redundant)

  If you removed JSON.stringify() and kept json(), you'd be trying to bind a raw
   JS object to a SQL parameter, which would either fail or get coerced to
  "[object Object]".

  So the PR's approach is the correct one — remove the redundant json() wrapper
  since JSON.stringify() already guarantees valid JSON. The two functions
  operate at completely different layers and aren't interchangeable.

I also can confirm that this approach doesn't work without JSON.stringify – we always need to stringify our JSONS before passing to SQLite.

SQLite docs explain about json() purpose:

The json(X) function verifies that its argument X is a valid JSON string or JSONB blob and returns a minified version of that JSON string with all unnecessary whitespace removed. If X is not a well-formed JSON string or JSONB blob, then this routine throws an error.

[tgolen]

Ah, cool. I just misunderstood what json() was doing then. Sounds good!

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a9f31c1520

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Preserve JSON types in JSON_REPLACE argument

In the multiMerge replace-null path, JSON_REPLACE(valueJSON, ?, ?) now binds the replacement as a plain SQL value, and SQLite treats that third argument as text unless it comes from JSON(...). When replaceNullPatches contains non-string values (for example null, numbers, or objects), they are persisted as JSON strings (e.g., "null" or "{...}") instead of real JSON values, which corrupts the stored shape and can break subsequent reads/merges for those keys.

Useful? React with 👍 / 👎.

[fabioh8010]

The patches are being stringified with JSON.stringify() as same as other data that is inserted into SQL

/**
 * Transforms the replace null patches into SQL queries to be passed to JSON_REPLACE.
 */
function generateJSONReplaceSQLQueries(key: string, patches: FastMergeReplaceNullPatch[]): string[][] {
    const queries = patches.map(([pathArray, value]) => {
        const jsonPath = `$.${pathArray.join('.')}`;
        return [jsonPath, JSON.stringify(value), key];
    });

    return queries;
}

[fabioh8010]

But anyway I'm going to double-check

[fabioh8010]

The review is correct – for JSON_REPLACE operation SQLite handles data differently:

If the value of a path/value pair is an SQLite TEXT value, then it is normally inserted as a quoted JSON string, even if the string looks like valid JSON. However, if the value is the result of another json function (such as json() or json_array() or json_object()) or if it is the result of the -> operator, then it is interpreted as JSON and is inserted as JSON retaining all of its substructure. Values that are the result of the ->> operator are always interpreted as TEXT and are inserted as a JSON string even if they look like valid JSON.

So I reverted this change in particular and added a comment. 04ac56d

I tested myself and JSON() wrapper is needed there.