Validation: shared NaN-guarded Zod coercion helpers in schemas/common.ts replace the raw number|string transform idiom across every schema (the root-cause NaN bug class); emailOrEmpty + lenient isoDateString/timeString. Security: roles privilege-escalation closed; refresh-token family revocation on reuse; TOTP uses config params; read endpoints permission-guarded; received-invoices gross VAT on all paths; orders-pdf custom-items authz. Concurrency: $queryRaw SELECT...FOR UPDATE locks in ascending-id order (warehouse confirm/cancel, attendance lockUserRow); uniqueness checks moved into create transactions (TOCTOU -> 409); deterministic id tiebreak on second-precision timestamp ordering (plan resolveCell/resolveGrid, warehouse FIFO). Frontend: Rules-of-Hooks fixed across ~14 pages + PlanCellModal; UTC-date persisted fields; dashboard invalidation gaps; stale-closure confirm bugs. Tooling/tests: ESLint flat config (react-hooks/rules-of-hooks = error) + Prettier; tsconfig.test.json so tsc -b type-checks the tests; removed 3 dead deps; npm audit fix (8 -> 3). Suite 195 -> 247 (happy-path auth, FIFO oldest-first, flakiness fixes), isolated on app_test via .env.test with a hard-throw setup guard. Gates: tsc 0 | build 0 | vitest 247/247 | eslint 0 errors. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
45 lines
1.6 KiB
TypeScript
45 lines
1.6 KiB
TypeScript
import dotenv from "dotenv";
|
|
|
|
const ENV_TEST_PATH = ".env.test";
|
|
|
|
// vitest.config.ts already loads .env.test with override:true; we reload here so
|
|
// the setup file is self-contained when run directly.
|
|
dotenv.config({ path: ENV_TEST_PATH });
|
|
|
|
/**
|
|
* Safety guard: the suite hits a REAL MySQL database (no Prisma mocks) and
|
|
* MUTATES it, so it must never run against a dev/production DB. We require the
|
|
* configured database name to contain "test" (the committed `.env.test` points
|
|
* at the throwaway `app_test`); anything else is a HARD FAILURE before any test
|
|
* runs, so a stray DATABASE_URL can't silently corrupt dev/prod data.
|
|
*/
|
|
function extractDbName(url: string | undefined): string | null {
|
|
if (!url) return null;
|
|
try {
|
|
// mysql://user:pass@host:3306/dbname?params → "dbname"
|
|
const afterAuthority = url.replace(/^[a-z]+:\/\/[^/]+\//i, "");
|
|
const dbName = afterAuthority.split("?")[0].split("/")[0];
|
|
return dbName || null;
|
|
} catch {
|
|
return null;
|
|
}
|
|
}
|
|
|
|
const dbUrl = process.env.DATABASE_URL;
|
|
const dbName = extractDbName(dbUrl);
|
|
|
|
if (!dbUrl) {
|
|
throw new Error(
|
|
"[test-setup] DATABASE_URL is not set. The suite mutates a real database — " +
|
|
`point ${ENV_TEST_PATH} at a dedicated TEST database (e.g. app_test).`,
|
|
);
|
|
}
|
|
|
|
if (dbName == null || !/test/i.test(dbName)) {
|
|
throw new Error(
|
|
`[test-setup] Refusing to run: DATABASE_URL targets database "${dbName ?? "unknown"}", ` +
|
|
`whose name does not contain "test". The suite mutates the database — point ` +
|
|
`${ENV_TEST_PATH} at a throwaway TEST database (e.g. app_test), never dev/production.`,
|
|
);
|
|
}
|