Merge pull request 'fix: skip db boot init in test env to prevent parallel worker lock' (#4 ) from fix/db-boot-test-isolation into dev

Reviewed-on: #4
fix: skip db boot init in test env to prevent parallel worker lock
2026-03-28 11:41:55 -04:00 · 2026-03-28 11:31:55 -04:00 · 2026-03-28 10:38:48 -04:00 · 2026-03-28 10:27:23 -04:00 · 2026-03-28 10:16:00 -04:00 · 2026-03-28 10:15:52 -04:00
13 changed files with 264 additions and 92 deletions
--- a/.claude/settings.local.json
+++ b/.claude/settings.local.json
@@ -2,7 +2,8 @@
  "permissions": {
    "allow": [
      "Bash(npm test:*)",
-      "Bash(npm install:*)"
+      "Bash(npm install:*)",
+      "Bash(find /c/Users/josh1/Documents/Code/Catalyst -type f \\\\\\(-name *.test.js -o -name *.spec.js -o -name .env* -o -name *.config.js \\\\\\))"
    ]
  }
 }
--- a/.gitea/workflows/build.yml
+++ b/.gitea/workflows/build.yml
@@ -1,84 +0,0 @@
-name: Build
-
-on:
-  push:
-    branches: [main]
-    tags:
-      - 'v*'
-
-env:
-  IMAGE: ${{ vars.REGISTRY_HOST }}/${{ gitea.repository_owner }}/catalyst
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Setup Node
-        uses: actions/setup-node@v4
-        with:
-          node-version: 'lts/*'
-          cache: npm
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Run tests
-        run: npm test
-
-  build:
-    runs-on: ubuntu-latest
-    needs: test
-    if: startsWith(gitea.ref, 'refs/tags/v')
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Docker metadata
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ${{ env.IMAGE }}
-          tags: |
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=sha,prefix=,format=short
-            type=raw,value=latest,enable={{is_default_branch}}
-
-      - name: Log in to Gitea registry
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ vars.REGISTRY_HOST }}
-          username: ${{ gitea.actor }}
-          password: ${{ secrets.TOKEN }}
-
-      - name: Build and push
-        uses: docker/build-push-action@v5
-        with:
-          context: .
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-
-  release:
-    runs-on: ubuntu-latest
-    needs: build
-    if: startsWith(gitea.ref, 'refs/tags/v')
-
-    steps:
-      - name: Create release
-        run: |
-          curl -sf -X POST \
-            -H "Authorization: token ${{ secrets.TOKEN }}" \
-            -H "Content-Type: application/json" \
-            "${{ gitea.server_url }}/api/v1/repos/${{ gitea.repository }}/releases" \
-            -d "{
-              \"tag_name\": \"${{ gitea.ref_name }}\",
-              \"name\": \"Catalyst ${{ gitea.ref_name }}\",
-              \"body\": \"### Image\n\n\`${{ env.IMAGE }}:${{ gitea.ref_name }}\`\",
-              \"draft\": false,
-              \"prerelease\": false
-            }"
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -0,0 +1,50 @@
+name: CI
+
+on:
+  push:
+    branches: [dev, main]
+  pull_request:
+    branches: [dev, main]
+
+env:
+  IMAGE: ${{ vars.REGISTRY_HOST }}/${{ gitea.repository_owner }}/catalyst
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 'lts/*'
+          cache: npm
+
+      - run: npm ci
+
+      - run: npm test
+
+  build-dev:
+    runs-on: ubuntu-latest
+    needs: test
+    if: github.event_name == 'push' && github.ref == 'refs/heads/dev'
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Log in to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ vars.REGISTRY_HOST }}
+          username: ${{ gitea.actor }}
+          password: ${{ secrets.TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: |
+            ${{ env.IMAGE }}:dev
+            ${{ env.IMAGE }}:dev-${{ gitea.sha }}
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -0,0 +1,95 @@
+name: Release
+
+on:
+  push:
+    branches: [main]
+
+env:
+  IMAGE: ${{ vars.REGISTRY_HOST }}/${{ gitea.repository_owner }}/catalyst
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 'lts/*'
+          cache: npm
+
+      - run: npm ci
+      - run: npm test
+
+      - name: Read version
+        run: |
+          VERSION=$(node -p "require('./package.json').version")
+          echo "VERSION=${VERSION}" >> $GITEA_ENV
+
+      - name: Assert tag does not exist
+        run: |
+          if git ls-remote --tags origin "refs/tags/v${{ env.VERSION }}" | grep -q .; then
+            echo "ERROR: tag v${{ env.VERSION }} already exists — bump version in package.json before merging to main."
+            exit 1
+          fi
+
+      - name: Create and push tag
+        run: |
+          git config user.name "gitea-actions"
+          git config user.email "actions@gitea"
+          git tag "v${{ env.VERSION }}"
+          git push origin "v${{ env.VERSION }}"
+
+      - name: Generate release notes
+        run: |
+          LAST_TAG=$(git describe --tags --abbrev=0 HEAD^ 2>/dev/null || echo "")
+          if [ -n "$LAST_TAG" ]; then
+            NOTES=$(git log "${LAST_TAG}..HEAD" --pretty=format:"- %s" --no-merges)
+          else
+            NOTES=$(git log --pretty=format:"- %s" --no-merges)
+          fi
+          NOTES_JSON=$(printf '%s' "$NOTES" | python3 -c "import sys,json; print(json.dumps(sys.stdin.read()))")
+          echo "NOTES=${NOTES_JSON}" >> $GITEA_ENV
+
+      - name: Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.IMAGE }}
+          tags: |
+            type=semver,pattern={{version}},value=v${{ env.VERSION }}
+            type=semver,pattern={{major}}.{{minor}},value=v${{ env.VERSION }}
+            type=sha,prefix=,format=short
+            type=raw,value=latest
+
+      - name: Log in to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ vars.REGISTRY_HOST }}
+          username: ${{ gitea.actor }}
+          password: ${{ secrets.TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+
+      - name: Create Gitea release
+        run: |
+          curl -sf -X POST \
+            -H "Authorization: token ${{ secrets.TOKEN }}" \
+            -H "Content-Type: application/json" \
+            "${{ gitea.server_url }}/api/v1/repos/${{ gitea.repository }}/releases" \
+            -d "{
+              \"tag_name\": \"v${{ env.VERSION }}\",
+              \"name\": \"Catalyst v${{ env.VERSION }}\",
+              \"body\": \"### Changes\n\n${{ env.NOTES }}\n\n### Image\n\n\`${{ env.IMAGE }}:${{ env.VERSION }}\`\",
+              \"draft\": false,
+              \"prerelease\": false
+            }"
--- a/5
+++ b/5
@@ -1,4 +1,6 @@
 FROM node:lts-alpine
+RUN addgroup -S app && adduser -S app -G app
+
 WORKDIR /app

 COPY package*.json ./
@@ -8,5 +10,8 @@ COPY . .
 RUN awk -F'"' '/"version"/{printf "const VERSION = \"%s\";\n", $4; exit}' \
    package.json > js/version.js

+RUN chown -R app:app /app
+USER app
+
 EXPOSE 3000
 CMD ["node", "server/server.js"]
--- a/index.html
+++ b/index.html
@@ -3,6 +3,7 @@
 <head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <base href="/">
  <title>Catalyst</title>
  <link rel="preconnect" href="https://fonts.googleapis.com">
  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
@@ -176,7 +177,6 @@
  <span id="toast-msg"></span>
 </div>

-<script src="https://cdnjs.cloudflare.com/ajax/libs/sql.js/1.10.2/sql-wasm.js"></script>
 <script src="js/version.js" onerror="window.VERSION=null"></script>
 <script src="js/config.js"></script>
 <script src="js/db.js"></script>
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,14 +1,15 @@
 {
  "name": "catalyst",
-  "version": "1.0.3",
+  "version": "1.1.0",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "catalyst",
-      "version": "1.0.3",
+      "version": "1.1.0",
      "dependencies": {
-        "express": "^4.18.0"
+        "express": "^4.18.0",
+        "helmet": "^8.1.0"
      },
      "devDependencies": {
        "jsdom": "^25.0.0",
@@ -1958,6 +1959,15 @@
        "node": ">= 0.4"
      }
    },
+    "node_modules/helmet": {
+      "version": "8.1.0",
+      "resolved": "https://registry.npmjs.org/helmet/-/helmet-8.1.0.tgz",
+      "integrity": "sha512-jOiHyAZsmnr8LqoPGmCjYAaiuWwjAPLgY8ZX2XrmHawt99/u1y6RgrZMTeoPfpUbV96HOalYgz1qzkRbw54Pmg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
    "node_modules/html-encoding-sniffer": {
      "version": "4.0.0",
      "resolved": "https://registry.npmjs.org/html-encoding-sniffer/-/html-encoding-sniffer-4.0.0.tgz",
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "catalyst",
-  "version": "1.1.0",
+  "version": "1.1.2",
  "type": "module",
  "scripts": {
    "start": "node server/server.js",
@@ -9,7 +9,8 @@
    "version:write": "node -e \"const {version}=JSON.parse(require('fs').readFileSync('package.json','utf8'));require('fs').writeFileSync('js/version.js','const VERSION = \\\"'+version+'\\\";\\n');\""
  },
  "dependencies": {
-    "express": "^4.18.0"
+    "express": "^4.18.0",
+    "helmet": "^8.1.0"
  },
  "devDependencies": {
    "jsdom": "^25.0.0",
--- a/server/db.js
+++ b/server/db.js
@@ -133,5 +133,18 @@ export function _resetForTest() {
 }

 // ── Boot ──────────────────────────────────────────────────────────────────────
+// Skipped in test environment — parallel Vitest workers would race to open
+// the same file, causing "database is locked". _resetForTest() in beforeEach
+// handles initialisation for every test worker using :memory: instead.

-init(process.env.DB_PATH ?? DEFAULT_PATH);
+if (process.env.NODE_ENV !== 'test') {
+  const DB_PATH = process.env.DB_PATH ?? DEFAULT_PATH;
+  try {
+    init(DB_PATH);
+  } catch (e) {
+    console.error('[catalyst] fatal: could not open database at', DB_PATH);
+    console.error('[catalyst] ensure the data directory exists and is writable by the server process.');
+    console.error(e);
+    process.exit(1);
+  }
+}
--- a/server/routes.js
+++ b/server/routes.js
@@ -22,6 +22,9 @@ function validate(body) {
    errors.push(`state must be one of: ${VALID_STATES.join(', ')}`);
  if (!VALID_STACKS.includes(body.stack))
    errors.push(`stack must be one of: ${VALID_STACKS.join(', ')}`);
+  const ip = (body.tailscale_ip ?? '').trim();
+  if (ip && !/^(\d{1,3}\.){3}\d{1,3}$/.test(ip))
+    errors.push('tailscale_ip must be a valid IPv4 address or empty');
  return errors;
 }

--- a/server/server.js
+++ b/server/server.js
@@ -1,4 +1,5 @@
 import express from 'express';
+import helmet from 'helmet';
 import { fileURLToPath } from 'url';
 import { dirname, join } from 'path';
 import { router } from './routes.js';
@@ -8,6 +9,23 @@ const PORT = process.env.PORT ?? 3000;

 export const app = express();

+app.use(helmet({
+  contentSecurityPolicy: {
+    useDefaults: false, // explicit — upgrade-insecure-requests breaks HTTP deployments
+    directives: {
+      'default-src':     ["'self'"],
+      'base-uri':        ["'self'"],
+      'font-src':        ["'self'", 'https://fonts.gstatic.com'],
+      'form-action':     ["'self'"],
+      'frame-ancestors': ["'self'"],
+      'img-src':         ["'self'", 'data:'],
+      'object-src':      ["'none'"],
+      'script-src':      ["'self'"],
+      'script-src-attr': ["'unsafe-inline'"], // allow onclick handlers
+      'style-src':       ["'self'", 'https://fonts.googleapis.com'],
+    },
+  },
+}));
 app.use(express.json());

 // API
--- a/tests/api.test.js
+++ b/tests/api.test.js
@@ -237,3 +237,43 @@ describe('DELETE /api/instances/:vmid', () => {
    expect(res.status).toBe(400)
  })
 })
+
+// ── Static assets & SPA routing ───────────────────────────────────────────────
+
+describe('static assets and SPA routing', () => {
+  it('serves index.html at root', async () => {
+    const res = await request(app).get('/')
+    expect(res.status).toBe(200)
+    expect(res.headers['content-type']).toMatch(/html/)
+  })
+
+  it('serves index.html for deep SPA routes (e.g. /instance/117)', async () => {
+    const res = await request(app).get('/instance/117')
+    expect(res.status).toBe(200)
+    expect(res.headers['content-type']).toMatch(/html/)
+  })
+
+  it('serves CSS with correct content-type (not sniffed as HTML)', async () => {
+    const res = await request(app).get('/css/app.css')
+    expect(res.status).toBe(200)
+    expect(res.headers['content-type']).toMatch(/text\/css/)
+  })
+
+  it('does not set upgrade-insecure-requests in CSP (HTTP deployments must work)', async () => {
+    const res = await request(app).get('/')
+    const csp = res.headers['content-security-policy'] ?? ''
+    expect(csp).not.toContain('upgrade-insecure-requests')
+  })
+
+  it('allows inline event handlers in CSP (onclick attributes)', async () => {
+    const res = await request(app).get('/')
+    const csp = res.headers['content-security-policy'] ?? ''
+    // script-src-attr must not be 'none' — that blocks onclick handlers
+    expect(csp).not.toContain("script-src-attr 'none'")
+  })
+
+  it('index.html contains base href / for correct asset resolution on deep routes', async () => {
+    const res = await request(app).get('/')
+    expect(res.text).toContain('<base href="/">')
+  })
+})
--- a/tests/db.test.js
+++ b/tests/db.test.js
@@ -165,3 +165,23 @@ describe('deleteInstance', () => {
    expect(getInstance(2)).not.toBeNull();
  });
 });
+
+// ── Test environment boot isolation ───────────────────────────────────────────
+
+describe('test environment boot isolation', () => {
+  it('vitest runs with NODE_ENV=test', () => {
+    // Vitest sets NODE_ENV=test automatically. This is the guard condition
+    // that prevents the boot init() from opening the real database file.
+    expect(process.env.NODE_ENV).toBe('test');
+  });
+
+  it('db module loads cleanly in parallel workers without locking the real db file', () => {
+    // Regression: the module-level init(DEFAULT_PATH) used to run unconditionally,
+    // causing "database is locked" when multiple test workers imported db.js at
+    // the same time. process.exit(1) then killed the worker mid-suite.
+    // Fix: boot init is skipped when NODE_ENV=test. _resetForTest() handles setup.
+    // Reaching this line proves the module loaded without calling process.exit.
+    expect(() => _resetForTest()).not.toThrow();
+    expect(getInstances()).toEqual([]);
+  });
+});
Author	SHA1	Message	Date
Josh Wright	4ce7df4649	Merge pull request 'fix: skip db boot init in test env to prevent parallel worker lock' (#4 ) from fix/db-boot-test-isolation into dev Some checks failed CI / test (push) Successful in 9m29s Details CI / build-dev (push) Has been cancelled Details Reviewed-on: #4	2026-03-28 11:41:55 -04:00
josh	6c04a30c3a	fix: skip db boot init in test env to prevent parallel worker lock All checks were successful CI / test (pull_request) Successful in 9m29s Details CI / build-dev (pull_request) Has been skipped Details Vitest runs test files in parallel workers. Each worker imports server/db.js, which triggered module-level init(DEFAULT_PATH) unconditionally. Two workers racing to open the same SQLite file caused "database is locked", followed by process.exit(1) killing the worker — surfacing as: Error: process.exit unexpectedly called with "1" Fix: guard the boot init block behind NODE_ENV !== 'test'. Vitest sets NODE_ENV=test automatically. Each worker's beforeEach(() => _resetForTest()) initialises its own :memory: database, so no file coordination is needed. process.exit(1) is also guarded by the same condition — it must never fire inside a test runner process. TDD: two regression tests added to tests/db.test.js documenting the expected boot behaviour and proving the module loads cleanly in parallel. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-28 11:31:55 -04:00
Josh Wright	1412b2e0b7	Merge pull request 'feat: build :dev Docker image on push to dev' (#1 ) from chore/dev-staging-build into dev All checks were successful CI / test (push) Successful in 9m29s Details CI / build-dev (push) Successful in 13s Details Reviewed-on: #1	2026-03-28 10:38:48 -04:00
josh	30b037ff9c	feat: build :dev Docker image on push to dev All checks were successful CI / test (pull_request) Successful in 9m30s Details CI / build-dev (pull_request) Has been skipped Details Adds a build-dev job to ci.yml that fires after tests pass on direct pushes to dev (not PRs). Pushes two tags to the registry: :dev — mutable, always the latest integrated dev state :dev-<sha> — immutable, for tracing exactly which commit is running Staging servers can pull :dev to test before a release PR is opened. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-28 10:27:23 -04:00
josh	7a5b5d7afc	chore: establish dev branch and branching workflow All checks were successful CI / test (push) Successful in 9m26s Details Merges the initial ci.yml + release.yml workflow changes onto dev. This is the first merge under the new feature-branch → dev → main model. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-28 10:16:00 -04:00
josh	3383bee968	chore: replace build.yml with ci.yml + release.yml Splits the single workflow into two with distinct responsibilities: ci.yml — runs tests on push/PR to dev and main. Powers the required status check for branch protection on both branches. release.yml — triggers on push to main (merged PR). Reads version from package.json, asserts the tag doesn't already exist, creates the git tag, generates patch notes from commits since the previous tag, builds and pushes the Docker image, and creates the Gitea release. No more manual git tag or git push --tags. build.yml deleted — all three of its jobs are covered by the new files. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-28 10:15:52 -04:00
josh	0c30e4bd29	chore: release v1.1.2 All checks were successful Build / test (push) Successful in 9m27s Details Build / build (push) Successful in 27s Details Build / release (push) Successful in 1s Details Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-28 09:52:57 -04:00
josh	01f83d25f6	fix: SPA deep-link assets and broken home screen CSS Three root causes addressed: 1. Added <base href="/"> to index.html so all relative asset paths (css/app.css, js/*.js) resolve from the root regardless of the current SPA route. Without this, /instance/117 requested /instance/css/app.css, which hit the SPA fallback and returned HTML; helmet's nosniff then refused it as a stylesheet. 2. Removed upgrade-insecure-requests from the CSP (useDefaults: false). This directive told browsers to upgrade HTTP→HTTPS for every asset request, breaking all resource loading on HTTP-only deployments. 3. Changed script-src-attr from 'none' to 'unsafe-inline' to allow the inline onclick handlers used throughout the UI. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-28 09:52:48 -04:00
josh	79adc365d8	server/server.js — added helmet with CSP configured to allow Google Fonts All checks were successful Build / test (push) Successful in 9m29s Details Build / release (push) Successful in 1s Details Build / build (push) Successful in 32s Details Dockerfile — creates a non-root app user and runs the process under it server/routes.js — tailscale_ip validated against IPv4 regex (empty string still allowed) index.html — sql.js CDN script tag already removed earlier in this session	2026-03-28 09:20:24 -04:00