01f8974314
- docker-compose.yml / .prod.yml / .ci.yml: project names, POSTGRES_DB/USER, pg_isready, DATABASE_URL, volume names (nexus_pgdata, nexus_prod_*) - .github/workflows/ci.yml: POSTGRES_PASSWORD, pg_isready, psql credentials, GRANT statements, POSTGRES_PASSWORD=nexus_dev for Docker Deploy job - scripts/db-target-guard.mjs: expectedDatabase default, NEXUS_EXPECTED_DB_NAME - scripts/prisma-with-env.mjs, e2e/test-server.mjs: env-var rename - packages/db/src/safe-destructive-env.ts + reset-dispo-import.ts: DB name set - packages/db/src/destructive-db-guard.ts: PROTECTED_DATABASE_NAMES → "nexus" - packages/db/src/destructive-db-guard.test.ts: all fixture DB names + comments - .env.example, tooling/deploy/deploy.env.example: DATABASE_URL, image refs - packages/api: Redis channel/key prefixes (rbac-invalidate, sse, ratelimit), logger service name, app-base-url log prefix - E2E: DB container names, localStorage/sessionStorage keys, email domains - scripts: architecture-guardrails filter, export/import-dev-seed defaults, harden-postgres defaults, start.sh pg_isready, worktree-hygiene fixture - tooling/migrate/rename-to-nexus.sh: new maintenance-window cutover script Only intentional capakraken survivor: anonymization.ts DEFAULT_ANONYMIZATION_SEED (functional cryptographic constant — changing it would invalidate stored aliases). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
#!/usr/bin/env node
/**
 * import-dev-seed.mjs
 *
 * Imports packages/db/prisma/dev-seed.sql into the local dev database.
 * Wipes the public schema, re-applies the current Prisma schema, loads the
 * seed data, then sets every user's password to "Dev123456!" via argon2id.
 *
 * Usage:
 *   node scripts/import-dev-seed.mjs
 *
 * Requirements:
 *   - The nexus-postgres-1 Docker container must be running
 *   - DATABASE_URL must point to a local nexus database
 *     (any host other than localhost, 127.0.0.1 or ::1 is refused)
 *   - dev-seed.sql must exist (run export-dev-seed.mjs first)
 */
import { execSync, spawnSync } from "node:child_process";
import { existsSync, readFileSync } from "node:fs";
import { resolve } from "node:path";
import { loadWorkspaceEnv, resolveRealWorkspaceRoot } from "./load-env.mjs";
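loadWorkspaceEnv();
const workspaceRoot = resolveRealWorkspaceRoot();

// ── Safety check ─────────────────────────────────────────────────────────────
//
// The rest of this script drops the public schema and resets every password,
// so it refuses to continue unless DATABASE_URL names a loopback host.
// NOTE(review): only the host is validated. A loopback URL that is really a
// port-forward or tunnel to a shared database still passes, and the database
// name is not compared with an expected value — confirm that this is enough.

const rawUrl = process.env["DATABASE_URL"];
if (!rawUrl) {
  console.error("❌ DATABASE_URL is not set.");
  process.exit(1);
}

let parsedUrl;
try {
  parsedUrl = new URL(rawUrl);
} catch {
  console.error("❌ DATABASE_URL is not a valid URL.");
  process.exit(1);
}

const host = parsedUrl.hostname;
// URL#hostname keeps the brackets of an IPv6 literal ("[::1]"), so comparing
// it directly against "::1" could never match. Strip the brackets and compare
// case-insensitively; `host` itself stays untouched for the log messages.
const comparableHost = host.replace(/^\[|\]$/g, "").toLowerCase();
if (!["localhost", "127.0.0.1", "::1"].includes(comparableHost)) {
  console.error(`❌ Refusing to import into non-local host: ${host}`);
  console.error(" import-dev-seed is only for local development databases.");
  process.exit(1);
}

// Connection details reused by the psql calls below. Only the user name is
// percent-decoded; the database name is taken from the path as written.
const DB_USER = decodeURIComponent(parsedUrl.username) || "nexus";
const DB_NAME = parsedUrl.pathname.replace(/^\/+/, "") || "nexus";
const DB_PORT = parsedUrl.port || "5432";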
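// ── Docker container check ────────────────────────────────────────────────────

// Fixed container name that `docker inspect` checks here; the psql steps later
// in the script use the same constant.
const CONTAINER = "nexus-postgres-1";
const containerCheck = spawnSync("docker", ["inspect", "--format={{.State.Running}}", CONTAINER], {
  encoding: "utf8",
});
if (containerCheck.error) {
  // spawnSync reports a failure to start the docker binary through `error`
  // and leaves stdout null; without this branch the .trim() below would throw
  // a TypeError instead of printing a usable message.
  console.error(`❌ Could not run docker: ${containerCheck.error.message}`);
  process.exit(1);
}
if ((containerCheck.stdout ?? "").trim() !== "true") {
  console.error(`❌ Container ${CONTAINER} is not running.`);
  console.error(" Start it with: docker compose up -d postgres");
  process.exit(1);
}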
// ── Check seed file exists ────────────────────────────────────────────────────

// Absolute path of the SQL dump that is piped into psql later on.
const seedPath = resolve(workspaceRoot, "packages/db/prisma/dev-seed.sql");
const seedIsMissing = !existsSync(seedPath);
if (seedIsMissing) {
  const missingSeedLines = [
    "❌ packages/db/prisma/dev-seed.sql not found.",
    " Generate it first with: node scripts/export-dev-seed.mjs",
  ];
  for (const line of missingSeedLines) {
    console.error(line);
  }
  process.exit(1);
}

// Announce the target before anything destructive happens.
const wipeTarget = `${DB_USER}@${host}:${DB_PORT}/${DB_NAME}`;
console.log(`🗑 Wiping public schema in ${wipeTarget} …`);
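// ── Drop and recreate the public schema ──────────────────────────────────────

/**
 * Runs one SQL command string with psql inside the Postgres container and
 * returns what psql printed on stdout.
 *
 * The command is sent to CONTAINER through `docker exec`; of the values parsed
 * from DATABASE_URL only the user and database name are used here, not the
 * host or port. Arguments are passed as an argv array (no shell), but `sql`
 * reaches the server verbatim, so callers must pass trusted SQL only.
 *
 * Exits the process with status 1 when docker cannot be started or psql
 * finishes with a non-zero status.
 *
 * @param {string} sql - SQL text handed to `psql -c`.
 * @returns {string} Captured stdout of psql.
 */
function psql(sql) {
  const result = spawnSync(
    "docker",
    ["exec", "-i", CONTAINER, "psql", "-U", DB_USER, "-d", DB_NAME, "-c", sql],
    { encoding: "utf8" },
  );
  if (result.status !== 0) {
    console.error("❌ psql command failed:");
    // When the process could not be spawned, status and stderr are both null
    // and the reason is in `error`; print that instead of a bare "null".
    console.error(result.error?.message ?? result.stderr);
    process.exit(1);
  }
  return result.stdout;
}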
// Irreversible: CASCADE removes every object in the public schema of DB_NAME
// inside the container before an empty schema is created again.
psql("DROP SCHEMA public CASCADE; CREATE SCHEMA public;");

// ── Push current Prisma schema ────────────────────────────────────────────────

console.log("🔧 Applying current Prisma schema (db push) …");

// The child gets a copy of this process's environment and writes straight to
// this terminal. NOTE(review): presumably `pnpm db:push` picks up DATABASE_URL
// from that environment — confirm against the package script.
const dbPushOptions = {
  cwd: workspaceRoot,
  stdio: "inherit",
  env: { ...process.env },
};

try {
  execSync("pnpm db:push", dbPushOptions);
} catch {
  // execSync throws on a non-zero exit; the tool's own output is already visible.
  console.error("❌ pnpm db:push failed. See output above.");
  process.exit(1);
}
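// ── Import the seed SQL ───────────────────────────────────────────────────────

console.log("📥 Importing dev-seed.sql …");

// dev-seed.sql is executed verbatim as DB_USER, so it must come from a trusted
// source (the export script named in the file header).
const importResult = spawnSync(
  "docker",
  [
    "exec",
    "-i",
    CONTAINER,
    "psql",
    // Without ON_ERROR_STOP psql keeps going after a failing statement when it
    // reads a script from stdin and still exits 0, so the status check below
    // could not notice a partially loaded seed. With it, the first SQL error
    // aborts the import with a non-zero status.
    "-v", "ON_ERROR_STOP=1",
    "-U", DB_USER,
    "-d", DB_NAME,
  ],
  {
    encoding: "utf8",
    input: readFileSync(seedPath, "utf8"),
    // Upper bound for the stdout/stderr captured from psql.
    maxBuffer: 256 * 1024 * 1024,
  },
);

if (importResult.status !== 0) {
  console.error("❌ psql import failed:");
  // `error` is set (and stderr is null) when docker itself could not be run.
  console.error(importResult.error?.message ?? importResult.stderr);
  process.exit(1);
}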
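// ── Hash dev password and update all users ────────────────────────────────────

console.log("🔐 Setting dev passwords (Dev123456!) …");

// The password is a fixed, printed value: every account in the database ends
// up with the same known credential, which is why the host check at the top of
// the script restricts this to loopback databases.
const { hash } = await import("@node-rs/argon2");
// NOTE(review): presumably these cost parameters mirror the ones the
// application uses when it verifies logins — confirm against the auth code.
const devHash = await hash("Dev123456!", {
  memoryCost: 19456,
  timeCost: 2,
  outputLen: 32,
  parallelism: 1,
});

// The hash is spliced into the SQL text below. An encoded argon2 hash is not
// expected to contain quotes or backslashes, but that is a property of the
// library output, so verify it instead of relying on it.
if (/['\\]/.test(devHash)) {
  console.error("❌ Password update failed:");
  console.error("argon2 hash contains characters that are not safe inside a SQL literal.");
  process.exit(1);
}

// No WHERE clause: the statement overwrites the hash of every row in users.
const updateResult = spawnSync(
  "docker",
  [
    "exec",
    "-i",
    CONTAINER,
    "psql",
    "-U", DB_USER,
    "-d", DB_NAME,
    "-c", `UPDATE users SET "passwordHash" = '${devHash}';`,
  ],
  { encoding: "utf8" },
);

if (updateResult.status !== 0) {
  console.error("❌ Password update failed:");
  // `error` is set (and stderr is null) when docker itself could not be run.
  console.error(updateResult.error?.message ?? updateResult.stderr);
  process.exit(1);
}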
// ── Summary ───────────────────────────────────────────────────────────────────

// psql prints a header, a separator and a row-count footer around the value;
// pick the first line that consists of digits only, or "?" if there is none.
const countOutputLines = psql(`SELECT COUNT(*) FROM users;`).trim().split("\n");
const countLine = countOutputLines.find((line) => /^\s*\d+\s*$/.test(line));
const userCount = countLine === undefined ? "?" : countLine.trim();

console.log();
const summaryLines = [
  "✅ Dev seed imported successfully.",
  ` Users: ${userCount}`,
  " Password for all accounts: Dev123456!",
  " Sign in at: http://localhost:3100/auth/signin",
];
for (const summaryLine of summaryLines) {
  console.log(summaryLine);
}
console.log();
// NOTE(review): nothing in this script changes TOTP settings; the message
// presumably describes the state stored in the seed data — confirm.
console.log("Note: TOTP is disabled for all users. Re-enable via Settings if needed.");