From a89cc36489b8aac636e3f35085fe41969db06024 Mon Sep 17 00:00:00 2001
From: josh <josh@thewrightserver.net>
Date: Fri, 17 Apr 2026 08:17:22 -0400
Subject: [PATCH] fix(deploy): login 500s on fresh container
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two bugs kept a fresh docker-compose deploy from ever accepting admin:admin:

1. resolveSqliteUrl in packages/db/src/client.ts stripped leading slashes
   wholesale — so file:/data/vector.db became a relative path and was
   resolved against packages/db/prisma/. Prisma CLI (migrate deploy)
   correctly wrote to /data/vector.db on the mounted volume; the app's
   runtime client connected to an empty file at packages/db/prisma/data/
   vector.db with no tables, so login threw. The helper now passes Unix
   absolute paths through verbatim, still normalizes file:/// triple-
   slash URLs, and only resolves truly relative paths against the schema
   dir.

2. The Dockerfile CMD ran migrations but not a seed, so even when the
   path bug is fixed the User table is empty — admin:admin 401s forever.
   Added packages/db/ensure-admin.mjs (pure JS, no tsx needed) that
   creates the default admin user iff User.count() === 0, and wired it
   into the API CMD between migrate deploy and node. Credentials can be
   overridden with SEED_ADMIN_{USERNAME,PASSWORD,EMAIL}.
---
 apps/api/Dockerfile          |  5 +++--
 packages/db/ensure-admin.mjs | 30 ++++++++++++++++++++++++++++++
 packages/db/src/client.ts    | 19 ++++++++++++++-----
 3 files changed, 47 insertions(+), 7 deletions(-)
 create mode 100644 packages/db/ensure-admin.mjs

diff --git a/apps/api/Dockerfile b/apps/api/Dockerfile
index 08d0b44..9904ca8 100644
--- a/apps/api/Dockerfile
+++ b/apps/api/Dockerfile
@@ -46,5 +46,6 @@ HEALTHCHECK --interval=30s --timeout=5s --start-period=20s --retries=3 \
   CMD wget -qO- http://localhost:3001/healthz || exit 1
 
 WORKDIR /app/apps/api
-# Apply pending migrations before booting. Prisma reads DATABASE_URL from env.
-CMD ["sh", "-c", "pnpm -C ../../packages/db exec prisma migrate deploy && node dist/index.js"]
+# Apply migrations → seed default admin on empty DB → start API.
+# Override the default admin credentials via SEED_ADMIN_{USERNAME,PASSWORD,EMAIL}.
+CMD ["sh", "-c", "pnpm -C ../../packages/db exec prisma migrate deploy && node ../../packages/db/ensure-admin.mjs && node dist/index.js"]
diff --git a/packages/db/ensure-admin.mjs b/packages/db/ensure-admin.mjs
new file mode 100644
index 0000000..e6c1fc8
--- /dev/null
+++ b/packages/db/ensure-admin.mjs
@@ -0,0 +1,30 @@
+// Bootstrap seed run at container start. Creates a default admin user
+// when the User table is empty so a fresh deployment has something to
+// log into. Subsequent boots see an existing user and skip silently.
+import bcrypt from 'bcryptjs';
+import { prisma } from './dist/client.js';
+
+try {
+  const count = await prisma.user.count();
+  if (count === 0) {
+    const username = process.env.SEED_ADMIN_USERNAME ?? 'admin';
+    const password = process.env.SEED_ADMIN_PASSWORD ?? 'admin';
+    const email = process.env.SEED_ADMIN_EMAIL ?? 'admin@vector.local';
+    await prisma.user.create({
+      data: {
+        username,
+        email,
+        passwordHash: await bcrypt.hash(password, 12),
+        role: 'ADMIN',
+      },
+    });
+    console.log(`[seed] Created default admin user "${username}". Change this password immediately.`);
+  } else {
+    console.log(`[seed] ${count} user(s) already exist — skipping default admin seed.`);
+  }
+} catch (err) {
+  console.error('[seed] Failed to ensure admin user:', err);
+  process.exit(1);
+} finally {
+  await prisma.$disconnect();
+}
diff --git a/packages/db/src/client.ts b/packages/db/src/client.ts
index 14c58ec..3adee2e 100644
--- a/packages/db/src/client.ts
+++ b/packages/db/src/client.ts
@@ -9,13 +9,22 @@ declare global {
 
 function resolveSqliteUrl(raw: string | undefined): string | undefined {
   if (!raw || !raw.startsWith('file:')) return raw;
-  const rest = raw.slice('file:'.length).replace(/^\/+/, '');
-  if (path.isAbsolute(rest) || /^[A-Za-z]:[\\/]/.test(rest)) {
-    return 'file:' + rest.replace(/\\/g, '/');
-  }
+  let body = raw.slice('file:'.length);
+
+  // file:///unix/path is equivalent to file:/unix/path; collapse the host part.
+  if (body.startsWith('///')) body = body.slice(2);
+
+  // Windows: "/C:/..." → "C:/..." , then any backslashes to forward slashes.
+  const win = body.match(/^\/?([A-Za-z]:[\\/].*)$/);
+  if (win?.[1]) return 'file:' + win[1].replace(/\\/g, '/');
+
+  // Unix absolute (e.g. "/data/vector.db") — pass through verbatim.
+  if (body.startsWith('/')) return 'file:' + body;
+
+  // Relative — resolve against the schema dir so dev's default (file:./dev.db) keeps working.
   const here = path.dirname(fileURLToPath(import.meta.url));
   const schemaDir = path.resolve(here, '..', 'prisma');
-  const absolute = path.resolve(schemaDir, rest);
+  const absolute = path.resolve(schemaDir, body);
   return 'file:' + absolute.replace(/\\/g, '/');
 }