fix: start HTTP server before background init to prevent bad gateway

- Wrap startup syncs in safeStartup() to prevent crash on external service failure
- Add migrate-entrypoint.sh for auto-generating migrations from schema diff
- Update Dockerfile migration stage to use entrypoint script
- Add test job to build-and-publish workflow (runs before build)
- Add tests.yaml workflow to run tests on every push
- Fix test setup to use real RSA key pair instead of plain strings
- Add test script to package.json

.github/workflows/build-and-publish.yaml

@@ -5,8 +5,28 @@ on:
     types: [created]
 
 jobs:
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v4
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+
+      - name: Generate Prisma client
+        run: DATABASE_URL="postgresql://dummy:dummy@localhost:5432/dummy" bunx prisma generate
+
+      - name: Run tests
+        run: bun test --preload ./tests/setup.ts
+
   build:
     name: Build
+    needs: [test]
     runs-on: ubuntu-latest
     permissions:
       contents: read

.github/workflows/tests.yaml

@@ -0,0 +1,25 @@
+name: Tests
+
+on:
+  push:
+    branches: ["**"]
+
+jobs:
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v4
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+
+      - name: Generate Prisma client
+        run: DATABASE_URL="postgresql://dummy:dummy@localhost:5432/dummy" bunx prisma generate
+
+      - name: Run tests
+        run: bun test --preload ./tests/setup.ts

.vscode/settings.json

@@ -0,0 +1,5 @@
+{
+  "chat.tools.terminal.autoApprove": {
+    "bun": true
+  }
+}

Dockerfile

@@ -67,4 +67,7 @@ RUN bun install --frozen-lockfile
 COPY prisma/ prisma/
 COPY prisma.config.ts ./
 
-CMD ["bunx", "prisma", "migrate", "deploy"]
+COPY prisma/migrate-entrypoint.sh ./prisma/migrate-entrypoint.sh
+RUN chmod +x prisma/migrate-entrypoint.sh
+
+CMD ["sh", "prisma/migrate-entrypoint.sh"]

package.json

@@ -19,6 +19,7 @@
   },
   "scripts": {
     "dev": "NODE_ENV=development bun --watch src/index.ts",
+    "test": "bun test --preload ./tests/setup.ts",
     "db:gen": "prisma generate",
     "db:push": "prisma migrate dev --skip-generate",
     "db:deploy": "prisma migrate deploy",

prisma/migrate-entrypoint.sh

@@ -0,0 +1,44 @@
+#!/bin/sh
+set -e
+
+# ---------------------------------------------------------------------------
+# 1. Resolve any previously failed migrations so deploy can proceed.
+#    Prisma marks failed migrations in _prisma_migrations; we roll them back
+#    so the current run can re-apply them cleanly.
+# ---------------------------------------------------------------------------
+echo "[migrate] Checking for failed migrations..."
+FAILED=$(bunx prisma migrate status 2>&1 || true)
+
+# Extract failed migration names and mark them as rolled back
+echo "$FAILED" | grep -oE '[0-9]{14}_[a-z_]+' | while read -r MIGRATION; do
+  # Only resolve if the status output says it failed
+  if echo "$FAILED" | grep -q "failed"; then
+    echo "[migrate] Resolving failed migration: $MIGRATION"
+    bunx prisma migrate resolve --rolled-back "$MIGRATION" 2>/dev/null || true
+  fi
+done
+
+# ---------------------------------------------------------------------------
+# 2. Generate diff SQL between current migrations and the Prisma schema.
+# ---------------------------------------------------------------------------
+DIFF_SQL=$(bunx prisma migrate diff \
+  --from-migrations prisma/migrations \
+  --to-schema-datamodel prisma/schema.prisma \
+  --script 2>/dev/null || true)
+
+# If there's a meaningful diff (not just empty/comments), create a migration
+if [ -n "$DIFF_SQL" ] && echo "$DIFF_SQL" | grep -qvE '^\s*$|^--'; then
+  TIMESTAMP=$(date -u +"%Y%m%d%H%M%S")
+  MIGRATION_DIR="prisma/migrations/${TIMESTAMP}_auto_generated"
+  mkdir -p "$MIGRATION_DIR"
+  echo "$DIFF_SQL" > "$MIGRATION_DIR/migration.sql"
+  echo "[migrate] Created migration: $MIGRATION_DIR"
+else
+  echo "[migrate] Schema and migrations are in sync — no migration needed."
+fi
+
+# ---------------------------------------------------------------------------
+# 3. Deploy all pending migrations.
+# ---------------------------------------------------------------------------
+echo "[migrate] Running prisma migrate deploy..."
+bunx prisma migrate deploy

src/index.ts

@@ -21,62 +21,22 @@ import cuid from "cuid";
 // Setup global event debugger in non-production environments
 if (Bun.env.NODE_ENV == "development") setupEventDebugger();
 
-// Ensure administrator role exists
-const existingAdmin = await prisma.role.findFirst({
-  where: { moniker: "administrator" },
-  include: { users: { include: { roles: true } } },
-});
-
-if (!existingAdmin) {
-  const id = cuid();
-  const created = await prisma.role.create({
-    data: {
-      id,
-      moniker: "administrator",
-      title: "Admin",
-      permissions: signPermissions({
-        issuer: "roles",
-        subject: id,
-        permissions: ["*"],
-      }),
-    },
-    include: { users: { include: { roles: true } } },
-  });
-  events.emit("role:created", new RoleController(created));
-}
-
-// Refresh the internal list of companies every minute
-await refreshCompanies();
-setInterval(() => {
-  return refreshCompanies();
-}, 60 * 1000);
-
-// Refresh the internal catalog every minute
-await refreshCatalog();
-setInterval(() => {
-  return refreshCatalog();
-}, 60 * 1000);
-
-// Refresh inventory on hand every 2 minutes
-await refreshInventory();
-setInterval(
-  () => {
-    return refreshInventory();
-  },
-  2 * 60 * 1000,
-);
-
-// Refresh opportunities every minute
-await refreshOpportunities();
-setInterval(() => {
-  return refreshOpportunities();
-}, 60 * 1000);
-
-await unifiSites.syncSites();
-setInterval(() => {
-  return unifiSites.syncSites();
-}, 60 * 1000);
+// Helper to run a startup sync safely — failures are logged but never crash the process.
+const safeStartup = async (label: string, fn: () => Promise<void>) => {
+  try {
+    await fn();
+  } catch (err) {
+    console.error(
+      `[startup] ${label} failed — will retry on next interval`,
+      err,
+    );
+  }
+};
 
+// ---------------------------------------------------------------------------
+// Start the HTTP server FIRST so the pod is reachable immediately.
+// All data-sync tasks run afterwards and are non-blocking.
+// ---------------------------------------------------------------------------
 Bun.serve({
   port: PORT,
   websocket: engine.handler().websocket,
@@ -90,3 +50,77 @@ Bun.serve({
     return app.fetch(req, server);
   },
 });
+
+console.log(`[startup] Server listening on port ${PORT}`);
+
+// ---------------------------------------------------------------------------
+// Background initialisation — none of this blocks the server.
+// ---------------------------------------------------------------------------
+
+// Ensure administrator role exists
+await safeStartup("ensureAdminRole", async () => {
+  const existingAdmin = await prisma.role.findFirst({
+    where: { moniker: "administrator" },
+    include: { users: { include: { roles: true } } },
+  });
+
+  if (!existingAdmin) {
+    const id = cuid();
+    const created = await prisma.role.create({
+      data: {
+        id,
+        moniker: "administrator",
+        title: "Admin",
+        permissions: signPermissions({
+          issuer: "roles",
+          subject: id,
+          permissions: ["*"],
+        }),
+      },
+      include: { users: { include: { roles: true } } },
+    });
+    events.emit("role:created", new RoleController(created));
+  }
+});
+
+// Refresh the internal list of companies every minute
+await safeStartup("refreshCompanies", refreshCompanies);
+setInterval(() => {
+  return refreshCompanies().catch((err) =>
+    console.error("[interval] refreshCompanies failed", err),
+  );
+}, 60 * 1000);
+
+// Refresh the internal catalog every minute
+await safeStartup("refreshCatalog", refreshCatalog);
+setInterval(() => {
+  return refreshCatalog().catch((err) =>
+    console.error("[interval] refreshCatalog failed", err),
+  );
+}, 60 * 1000);
+
+// Refresh inventory on hand every 2 minutes
+await safeStartup("refreshInventory", refreshInventory);
+setInterval(
+  () => {
+    return refreshInventory().catch((err) =>
+      console.error("[interval] refreshInventory failed", err),
+    );
+  },
+  2 * 60 * 1000,
+);
+
+// Refresh opportunities every minute
+await safeStartup("refreshOpportunities", refreshOpportunities);
+setInterval(() => {
+  return refreshOpportunities().catch((err) =>
+    console.error("[interval] refreshOpportunities failed", err),
+  );
+}, 60 * 1000);
+
+await safeStartup("syncSites", () => unifiSites.syncSites());
+setInterval(() => {
+  return unifiSites
+    .syncSites()
+    .catch((err) => console.error("[interval] syncSites failed", err));
+}, 60 * 1000);

tests/setup.ts

@@ -4,6 +4,18 @@
  */
 
 import { mock } from "bun:test";
+import crypto from "crypto";
+
+// ---------------------------------------------------------------------------
+// Generate a real RSA key pair for modules that call crypto.createPrivateKey()
+// at import time (e.g. readSecureValue.ts).
+// ---------------------------------------------------------------------------
+const { privateKey: _testPrivateKey, publicKey: _testPublicKey } =
+  crypto.generateKeyPairSync("rsa", {
+    modulusLength: 2048,
+    privateKeyEncoding: { type: "pkcs8", format: "pem" },
+    publicKeyEncoding: { type: "spki", format: "pem" },
+  });
 
 // ---------------------------------------------------------------------------
 // Mock the constants module — almost every source file imports from here.
@@ -17,11 +29,11 @@ mock.module("../src/constants", () => ({
   sessionDuration: 30 * 24 * 60 * 60_000,
   accessTokenDuration: "10min",
   refreshTokenDuration: "30d",
-  accessTokenPrivateKey: "mock-access-private-key",
-  refreshTokenPrivateKey: "mock-refresh-private-key",
-  permissionsPrivateKey: "mock-permissions-private-key",
-  secureValuesPrivateKey: "mock-secure-values-private-key",
-  secureValuesPublicKey: "mock-secure-values-public-key",
+  accessTokenPrivateKey: _testPrivateKey,
+  refreshTokenPrivateKey: _testPrivateKey,
+  permissionsPrivateKey: _testPrivateKey,
+  secureValuesPrivateKey: _testPrivateKey,
+  secureValuesPublicKey: _testPublicKey,
   msalClient: { acquireTokenByCode: mock(() => Promise.resolve({})) },
   connectWiseApi: {
     get: mock(() => Promise.resolve({ data: {} })),