test: add core test suite for crypto, auth, and store packages

- 8 crypto tests: key derivation, encrypt/decrypt round-trip, wrong key, nonce uniqueness
- 6 auth tests: password hash/verify, JWT generate/validate, token revocation
- 14 store tests: project CRUD, user CRUD, stage/deploy lifecycle, pagination, cascade deletes
- Fix stages CREATE TABLE schema to include notification_url column
- Total: 28 tests, all passing

internal/auth/local_test.go

@@ -0,0 +1,132 @@
+package auth
+
+import (
+	"testing"
+)
+
+func TestHashAndCheckPassword(t *testing.T) {
+	hash, err := HashPassword("my-password-123")
+	if err != nil {
+		t.Fatalf("HashPassword failed: %v", err)
+	}
+	if hash == "my-password-123" {
+		t.Fatal("hash equals plaintext")
+	}
+
+	// Correct password
+	if err := CheckPassword(hash, "my-password-123"); err != nil {
+		t.Fatalf("CheckPassword rejected correct password: %v", err)
+	}
+
+	// Wrong password
+	if err := CheckPassword(hash, "wrong-password"); err == nil {
+		t.Fatal("CheckPassword accepted wrong password")
+	}
+}
+
+func TestGenerateAndValidateToken(t *testing.T) {
+	key := [32]byte{}
+	copy(key[:], "test-jwt-secret-32-bytes-needed!")
+	la := NewLocalAuth(key)
+
+	claims := Claims{UserID: "u1", Username: "admin", Role: "admin"}
+	token, err := la.GenerateToken(claims)
+	if err != nil {
+		t.Fatalf("GenerateToken failed: %v", err)
+	}
+	if token.Token == "" {
+		t.Fatal("generated empty token")
+	}
+
+	// Validate the token
+	got, err := la.ValidateToken(token.Token)
+	if err != nil {
+		t.Fatalf("ValidateToken failed: %v", err)
+	}
+	if got.UserID != "u1" || got.Username != "admin" || got.Role != "admin" {
+		t.Fatalf("claims mismatch: %+v", got)
+	}
+}
+
+func TestValidateInvalidToken(t *testing.T) {
+	key := [32]byte{}
+	copy(key[:], "test-jwt-secret-32-bytes-needed!")
+	la := NewLocalAuth(key)
+
+	_, err := la.ValidateToken("invalid-token-string")
+	if err == nil {
+		t.Fatal("ValidateToken should reject invalid token")
+	}
+}
+
+func TestValidateTokenFromDifferentKey(t *testing.T) {
+	key1 := [32]byte{}
+	copy(key1[:], "first-jwt-secret-32-bytes-needed")
+	la1 := NewLocalAuth(key1)
+
+	key2 := [32]byte{}
+	copy(key2[:], "other-jwt-secret-32-bytes-needed")
+	la2 := NewLocalAuth(key2)
+
+	claims := Claims{UserID: "u1", Username: "admin", Role: "admin"}
+	token, err := la1.GenerateToken(claims)
+	if err != nil {
+		t.Fatalf("GenerateToken failed: %v", err)
+	}
+
+	// Token signed with key1 should not validate with key2
+	_, err = la2.ValidateToken(token.Token)
+	if err == nil {
+		t.Fatal("ValidateToken should reject token signed with different key")
+	}
+}
+
+func TestHashPasswordDifferentOutputs(t *testing.T) {
+	hash1, err := HashPassword("same-password")
+	if err != nil {
+		t.Fatalf("HashPassword 1 failed: %v", err)
+	}
+
+	hash2, err := HashPassword("same-password")
+	if err != nil {
+		t.Fatalf("HashPassword 2 failed: %v", err)
+	}
+
+	if hash1 == hash2 {
+		t.Fatal("bcrypt should produce different hashes for same input (random salt)")
+	}
+
+	// Both should still verify
+	if err := CheckPassword(hash1, "same-password"); err != nil {
+		t.Fatal("hash1 should verify")
+	}
+	if err := CheckPassword(hash2, "same-password"); err != nil {
+		t.Fatal("hash2 should verify")
+	}
+}
+
+func TestTokenContainsClaims(t *testing.T) {
+	key := [32]byte{}
+	copy(key[:], "test-jwt-secret-32-bytes-needed!")
+	la := NewLocalAuth(key)
+
+	claims := Claims{UserID: "user-42", Username: "testuser", Role: "viewer"}
+	token, err := la.GenerateToken(claims)
+	if err != nil {
+		t.Fatalf("GenerateToken failed: %v", err)
+	}
+
+	got, err := la.ValidateToken(token.Token)
+	if err != nil {
+		t.Fatalf("ValidateToken failed: %v", err)
+	}
+	if got.UserID != "user-42" {
+		t.Fatalf("UserID mismatch: got %q, want %q", got.UserID, "user-42")
+	}
+	if got.Username != "testuser" {
+		t.Fatalf("Username mismatch: got %q, want %q", got.Username, "testuser")
+	}
+	if got.Role != "viewer" {
+		t.Fatalf("Role mismatch: got %q, want %q", got.Role, "viewer")
+	}
+}

internal/crypto/crypto_test.go

@@ -0,0 +1,136 @@
+package crypto
+
+import (
+	"testing"
+)
+
+func TestDeriveKey(t *testing.T) {
+	key := DeriveKey("test-passphrase-that-is-long-enough")
+	if key == [32]byte{} {
+		t.Fatal("DeriveKey returned zero key")
+	}
+	// Same input produces same output
+	key2 := DeriveKey("test-passphrase-that-is-long-enough")
+	if key != key2 {
+		t.Fatal("DeriveKey is not deterministic")
+	}
+	// Different input produces different output
+	key3 := DeriveKey("different-passphrase-also-long-enough")
+	if key == key3 {
+		t.Fatal("DeriveKey produced same key for different inputs")
+	}
+}
+
+func TestEncryptDecryptRoundTrip(t *testing.T) {
+	key := DeriveKey("test-key-for-encryption-testing-1234")
+	plaintext := "super-secret-value"
+
+	encrypted, err := Encrypt(key, plaintext)
+	if err != nil {
+		t.Fatalf("Encrypt failed: %v", err)
+	}
+	if encrypted == plaintext {
+		t.Fatal("Encrypt returned plaintext")
+	}
+	if encrypted == "" {
+		t.Fatal("Encrypt returned empty string")
+	}
+
+	decrypted, err := Decrypt(key, encrypted)
+	if err != nil {
+		t.Fatalf("Decrypt failed: %v", err)
+	}
+	if decrypted != plaintext {
+		t.Fatalf("Decrypt mismatch: got %q, want %q", decrypted, plaintext)
+	}
+}
+
+func TestDecryptWithWrongKey(t *testing.T) {
+	key1 := DeriveKey("key-one-for-testing-encryption-1234")
+	key2 := DeriveKey("key-two-for-testing-encryption-5678")
+
+	encrypted, err := Encrypt(key1, "secret")
+	if err != nil {
+		t.Fatalf("Encrypt failed: %v", err)
+	}
+
+	_, err = Decrypt(key2, encrypted)
+	if err == nil {
+		t.Fatal("Decrypt with wrong key should have failed")
+	}
+}
+
+func TestEncryptIfNotEmpty(t *testing.T) {
+	key := DeriveKey("test-key-for-encryption-testing-1234")
+
+	result, err := EncryptIfNotEmpty(key, "")
+	if err != nil {
+		t.Fatalf("EncryptIfNotEmpty with empty input failed: %v", err)
+	}
+	if result != "" {
+		t.Fatal("EncryptIfNotEmpty should return empty for empty input")
+	}
+
+	result, err = EncryptIfNotEmpty(key, "value")
+	if err != nil {
+		t.Fatalf("EncryptIfNotEmpty failed: %v", err)
+	}
+	if result == "" || result == "value" {
+		t.Fatal("EncryptIfNotEmpty should encrypt non-empty input")
+	}
+}
+
+func TestKeyFromEnv(t *testing.T) {
+	// Test with no key set
+	t.Setenv("ENCRYPTION_KEY", "")
+	_, err := KeyFromEnv()
+	if err == nil {
+		t.Fatal("KeyFromEnv should fail with empty ENCRYPTION_KEY")
+	}
+
+	// Test with valid key
+	t.Setenv("ENCRYPTION_KEY", "a-very-long-encryption-key-that-is-definitely-over-32-chars")
+	key, err := KeyFromEnv()
+	if err != nil {
+		t.Fatalf("KeyFromEnv failed with valid key: %v", err)
+	}
+	if key == [32]byte{} {
+		t.Fatal("KeyFromEnv returned zero key")
+	}
+}
+
+func TestEncryptProducesDifferentCiphertexts(t *testing.T) {
+	key := DeriveKey("test-key-for-nonce-uniqueness-1234")
+
+	enc1, err := Encrypt(key, "same-plaintext")
+	if err != nil {
+		t.Fatalf("Encrypt 1 failed: %v", err)
+	}
+
+	enc2, err := Encrypt(key, "same-plaintext")
+	if err != nil {
+		t.Fatalf("Encrypt 2 failed: %v", err)
+	}
+
+	if enc1 == enc2 {
+		t.Fatal("Two encryptions of the same plaintext should produce different ciphertexts (random nonce)")
+	}
+}
+
+func TestDecryptInvalidHex(t *testing.T) {
+	key := DeriveKey("test-key-for-invalid-hex-testing")
+
+	_, err := Decrypt(key, "not-valid-hex!!!")
+	if err == nil {
+		t.Fatal("Decrypt should fail with invalid hex input")
+	}
+}
+
+func TestDecryptTooShort(t *testing.T) {
+	key := DeriveKey("test-key-for-short-ciphertext-test")
+
+	_, err := Decrypt(key, "aabb")
+	if err == nil {
+		t.Fatal("Decrypt should fail with ciphertext shorter than nonce")
+	}
+}

internal/store/store.go

@@ -167,7 +167,8 @@ CREATE TABLE IF NOT EXISTS stages (
 	confirm       INTEGER NOT NULL DEFAULT 0,
 	enable_proxy  INTEGER NOT NULL DEFAULT 1,
 	promote_from  TEXT NOT NULL DEFAULT '',
-	subdomain     TEXT NOT NULL DEFAULT '',
+	subdomain         TEXT NOT NULL DEFAULT '',
+	notification_url  TEXT NOT NULL DEFAULT '',
 	created_at    TEXT NOT NULL DEFAULT (datetime('now')),
 	updated_at    TEXT NOT NULL DEFAULT (datetime('now')),
 	UNIQUE(project_id, name)

internal/store/store_test.go

@@ -0,0 +1,328 @@
+package store
+
+import (
+	"testing"
+)
+
+func newTestStore(t *testing.T) *Store {
+	t.Helper()
+	s, err := New(":memory:")
+	if err != nil {
+		t.Fatalf("create test store: %v", err)
+	}
+	t.Cleanup(func() { s.Close() })
+	return s
+}
+
+func TestCreateAndGetProject(t *testing.T) {
+	s := newTestStore(t)
+
+	p, err := s.CreateProject(Project{
+		Name: "test-project", Image: "nginx", Port: 80, Env: "{}", Volumes: "{}",
+	})
+	if err != nil {
+		t.Fatalf("CreateProject: %v", err)
+	}
+	if p.ID == "" {
+		t.Fatal("project ID should be set")
+	}
+
+	got, err := s.GetProjectByID(p.ID)
+	if err != nil {
+		t.Fatalf("GetProjectByID: %v", err)
+	}
+	if got.Name != "test-project" {
+		t.Fatalf("got name %q, want %q", got.Name, "test-project")
+	}
+}
+
+func TestGetAllProjects(t *testing.T) {
+	s := newTestStore(t)
+
+	s.CreateProject(Project{Name: "bravo", Image: "img", Env: "{}", Volumes: "{}"})
+	s.CreateProject(Project{Name: "alpha", Image: "img", Env: "{}", Volumes: "{}"})
+
+	projects, err := s.GetAllProjects()
+	if err != nil {
+		t.Fatalf("GetAllProjects: %v", err)
+	}
+	if len(projects) != 2 {
+		t.Fatalf("expected 2 projects, got %d", len(projects))
+	}
+	// Should be ordered by name
+	if projects[0].Name != "alpha" {
+		t.Fatalf("expected first project 'alpha', got %q", projects[0].Name)
+	}
+}
+
+func TestDeleteProject(t *testing.T) {
+	s := newTestStore(t)
+
+	p, _ := s.CreateProject(Project{Name: "del-me", Image: "img", Env: "{}", Volumes: "{}"})
+	err := s.DeleteProject(p.ID)
+	if err != nil {
+		t.Fatalf("DeleteProject: %v", err)
+	}
+
+	_, err = s.GetProjectByID(p.ID)
+	if err == nil {
+		t.Fatal("expected error getting deleted project")
+	}
+}
+
+func TestCreateAndGetUser(t *testing.T) {
+	s := newTestStore(t)
+
+	u, err := s.CreateUser(User{
+		Username: "admin", PasswordHash: "hash123", Role: "admin",
+	})
+	if err != nil {
+		t.Fatalf("CreateUser: %v", err)
+	}
+
+	got, err := s.GetUserByUsername("admin")
+	if err != nil {
+		t.Fatalf("GetUserByUsername: %v", err)
+	}
+	if got.ID != u.ID {
+		t.Fatal("user ID mismatch")
+	}
+	if got.Role != "admin" {
+		t.Fatalf("role mismatch: %q", got.Role)
+	}
+}
+
+func TestUserCount(t *testing.T) {
+	s := newTestStore(t)
+
+	count, err := s.UserCount()
+	if err != nil {
+		t.Fatalf("UserCount: %v", err)
+	}
+	if count != 0 {
+		t.Fatalf("expected 0 users, got %d", count)
+	}
+
+	s.CreateUser(User{Username: "u1", PasswordHash: "h", Role: "viewer"})
+	count, _ = s.UserCount()
+	if count != 1 {
+		t.Fatalf("expected 1 user, got %d", count)
+	}
+}
+
+func TestCreateStageAndDeploy(t *testing.T) {
+	s := newTestStore(t)
+
+	p, _ := s.CreateProject(Project{Name: "proj", Image: "img", Env: "{}", Volumes: "{}"})
+	stage, err := s.CreateStage(Stage{
+		ProjectID: p.ID, Name: "dev", TagPattern: "*", MaxInstances: 2,
+	})
+	if err != nil {
+		t.Fatalf("CreateStage: %v", err)
+	}
+
+	d, err := s.CreateDeploy(Deploy{
+		ProjectID: p.ID, StageID: stage.ID, ImageTag: "v1.0",
+	})
+	if err != nil {
+		t.Fatalf("CreateDeploy: %v", err)
+	}
+	if d.Status != "pending" {
+		t.Fatalf("expected pending status, got %q", d.Status)
+	}
+
+	err = s.UpdateDeployStatus(d.ID, "success", "")
+	if err != nil {
+		t.Fatalf("UpdateDeployStatus: %v", err)
+	}
+
+	got, _ := s.GetDeployByID(d.ID)
+	if got.Status != "success" {
+		t.Fatalf("expected success, got %q", got.Status)
+	}
+}
+
+func TestGetDeploysByProjectID(t *testing.T) {
+	s := newTestStore(t)
+
+	p, _ := s.CreateProject(Project{Name: "proj", Image: "img", Env: "{}", Volumes: "{}"})
+	stage, _ := s.CreateStage(Stage{ProjectID: p.ID, Name: "dev", TagPattern: "*"})
+
+	for i := 0; i < 5; i++ {
+		_, err := s.CreateDeploy(Deploy{ProjectID: p.ID, StageID: stage.ID, ImageTag: "v" + string(rune('0'+i))})
+		if err != nil {
+			t.Fatalf("CreateDeploy %d: %v", i, err)
+		}
+	}
+
+	deploys, err := s.GetDeploysByProjectID(p.ID)
+	if err != nil {
+		t.Fatalf("GetDeploysByProjectID: %v", err)
+	}
+	if len(deploys) != 5 {
+		t.Fatalf("expected 5 deploys, got %d", len(deploys))
+	}
+}
+
+func TestGetRecentDeploys(t *testing.T) {
+	s := newTestStore(t)
+
+	p, _ := s.CreateProject(Project{Name: "proj", Image: "img", Env: "{}", Volumes: "{}"})
+	stage, _ := s.CreateStage(Stage{ProjectID: p.ID, Name: "dev", TagPattern: "*"})
+
+	for i := 0; i < 5; i++ {
+		s.CreateDeploy(Deploy{ProjectID: p.ID, StageID: stage.ID, ImageTag: "v" + string(rune('0'+i))})
+	}
+
+	// Limit to 2
+	deploys, err := s.GetRecentDeploys(2)
+	if err != nil {
+		t.Fatalf("GetRecentDeploys: %v", err)
+	}
+	if len(deploys) != 2 {
+		t.Fatalf("expected 2 deploys with limit, got %d", len(deploys))
+	}
+}
+
+func TestDeleteUser(t *testing.T) {
+	s := newTestStore(t)
+
+	u, _ := s.CreateUser(User{Username: "del-me", PasswordHash: "h", Role: "viewer"})
+	err := s.DeleteUser(u.ID)
+	if err != nil {
+		t.Fatalf("DeleteUser: %v", err)
+	}
+
+	_, err = s.GetUserByID(u.ID)
+	if err == nil {
+		t.Fatal("expected error getting deleted user")
+	}
+}
+
+func TestUpdateProject(t *testing.T) {
+	s := newTestStore(t)
+
+	p, _ := s.CreateProject(Project{Name: "original", Image: "nginx", Env: "{}", Volumes: "{}"})
+
+	p.Name = "updated"
+	p.Image = "alpine"
+	err := s.UpdateProject(p)
+	if err != nil {
+		t.Fatalf("UpdateProject: %v", err)
+	}
+
+	got, _ := s.GetProjectByID(p.ID)
+	if got.Name != "updated" {
+		t.Fatalf("expected name 'updated', got %q", got.Name)
+	}
+	if got.Image != "alpine" {
+		t.Fatalf("expected image 'alpine', got %q", got.Image)
+	}
+}
+
+func TestUpdateUser(t *testing.T) {
+	s := newTestStore(t)
+
+	u, _ := s.CreateUser(User{Username: "orig", PasswordHash: "h", Role: "viewer"})
+	u.Username = "renamed"
+	u.Role = "admin"
+
+	err := s.UpdateUser(u)
+	if err != nil {
+		t.Fatalf("UpdateUser: %v", err)
+	}
+
+	got, _ := s.GetUserByID(u.ID)
+	if got.Username != "renamed" {
+		t.Fatalf("expected username 'renamed', got %q", got.Username)
+	}
+	if got.Role != "admin" {
+		t.Fatalf("expected role 'admin', got %q", got.Role)
+	}
+}
+
+func TestDeployLogs(t *testing.T) {
+	s := newTestStore(t)
+
+	p, _ := s.CreateProject(Project{Name: "proj", Image: "img", Env: "{}", Volumes: "{}"})
+	stage, _ := s.CreateStage(Stage{ProjectID: p.ID, Name: "dev", TagPattern: "*"})
+	d, _ := s.CreateDeploy(Deploy{ProjectID: p.ID, StageID: stage.ID, ImageTag: "v1"})
+
+	err := s.AppendDeployLog(d.ID, "pulling image", "info")
+	if err != nil {
+		t.Fatalf("AppendDeployLog: %v", err)
+	}
+	err = s.AppendDeployLog(d.ID, "something failed", "error")
+	if err != nil {
+		t.Fatalf("AppendDeployLog: %v", err)
+	}
+
+	logs, err := s.GetDeployLogs(d.ID)
+	if err != nil {
+		t.Fatalf("GetDeployLogs: %v", err)
+	}
+	if len(logs) != 2 {
+		t.Fatalf("expected 2 logs, got %d", len(logs))
+	}
+	if logs[0].Message != "pulling image" {
+		t.Fatalf("expected first log 'pulling image', got %q", logs[0].Message)
+	}
+	if logs[1].Level != "error" {
+		t.Fatalf("expected second log level 'error', got %q", logs[1].Level)
+	}
+}
+
+func TestGetStagesByProjectID(t *testing.T) {
+	s := newTestStore(t)
+
+	p, _ := s.CreateProject(Project{Name: "proj", Image: "img", Env: "{}", Volumes: "{}"})
+	s.CreateStage(Stage{ProjectID: p.ID, Name: "prod", TagPattern: "v*"})
+	s.CreateStage(Stage{ProjectID: p.ID, Name: "dev", TagPattern: "*"})
+
+	stages, err := s.GetStagesByProjectID(p.ID)
+	if err != nil {
+		t.Fatalf("GetStagesByProjectID: %v", err)
+	}
+	if len(stages) != 2 {
+		t.Fatalf("expected 2 stages, got %d", len(stages))
+	}
+	// Ordered by name
+	if stages[0].Name != "dev" {
+		t.Fatalf("expected first stage 'dev', got %q", stages[0].Name)
+	}
+}
+
+func TestIsTerminalDeployStatus(t *testing.T) {
+	terminals := []string{"success", "failed", "rolled_back"}
+	for _, s := range terminals {
+		if !IsTerminalDeployStatus(s) {
+			t.Fatalf("expected %q to be terminal", s)
+		}
+	}
+
+	nonTerminals := []string{"pending", "pulling", "starting", "configuring_proxy", "health_checking"}
+	for _, s := range nonTerminals {
+		if IsTerminalDeployStatus(s) {
+			t.Fatalf("expected %q to be non-terminal", s)
+		}
+	}
+}
+
+func TestCascadeDeleteProjectRemovesStagesAndDeploys(t *testing.T) {
+	s := newTestStore(t)
+
+	p, _ := s.CreateProject(Project{Name: "proj", Image: "img", Env: "{}", Volumes: "{}"})
+	stage, _ := s.CreateStage(Stage{ProjectID: p.ID, Name: "dev", TagPattern: "*"})
+	s.CreateDeploy(Deploy{ProjectID: p.ID, StageID: stage.ID, ImageTag: "v1"})
+
+	err := s.DeleteProject(p.ID)
+	if err != nil {
+		t.Fatalf("DeleteProject: %v", err)
+	}
+
+	// Stage should be gone
+	_, err = s.GetStageByID(stage.ID)
+	if err == nil {
+		t.Fatal("expected stage to be deleted by cascade")
+	}
+}