refactor: comprehensive code quality, security, and release readiness improvements

Security: tighten CORS defaults, add webhook rate limiting, fix XSS in automations, guard WebSocket JSON.parse, validate ADB address input, seal debug exception leak, URL-encode WS tokens, CSS.escape in selectors. Code quality: add Pydantic models for brightness/power endpoints, fix thread safety and name uniqueness in DeviceStore, immutable update pattern, split 6 oversized files into 16 focused modules, enable TypeScript strictNullChecks (741→102 errors), type state variables, add dom-utils helper, migrate 3 modules from inline onclick to event delegation, ProcessorDependencies dataclass. Performance: async store saves, health endpoint log level, command palette debounce, optimized entity-events comparison, fix service worker precache list. Testing: expand from 45 to 293 passing tests — add store tests (141), route tests (25), core logic tests (42), E2E flow tests (33), organize into tests/api/, tests/storage/, tests/core/, tests/e2e/. DevOps: CI test pipeline, pre-commit config, Dockerfile multi-stage build with non-root user and health check, docker-compose improvements, version bump to 0.2.0. Docs: rewrite CLAUDE.md (202→56 lines), server/CLAUDE.md (212→76), create contexts/server-operations.md, fix .js→.ts references, fix env var prefix in README, rewrite INSTALLATION.md, add CONTRIBUTING.md and .env.example.
2026-03-22 00:38:28 +03:00
parent 07bb89e9b7
commit f2871319cb
115 changed files with 9808 additions and 5818 deletions
--- a/server/tests/e2e/test_device_flow.py
+++ b/server/tests/e2e/test_device_flow.py
@@ -0,0 +1,132 @@
+"""E2E: Device management lifecycle.
+
+Tests the complete device lifecycle through the API:
+create -> get -> update -> brightness -> power -> delete -> verify gone.
+"""
+
+import pytest
+
+
+class TestDeviceLifecycle:
+    """A user creates a device, inspects it, modifies it, and deletes it."""
+
+    def test_full_device_crud_lifecycle(self, client):
+        # 1. List devices -- should be empty
+        resp = client.get("/api/v1/devices")
+        assert resp.status_code == 200
+        assert resp.json()["count"] == 0
+
+        # 2. Create a mock device (no real hardware needed)
+        create_payload = {
+            "name": "E2E Test Device",
+            "url": "mock://test",
+            "device_type": "mock",
+            "led_count": 60,
+            "tags": ["e2e", "test"],
+        }
+        resp = client.post("/api/v1/devices", json=create_payload)
+        assert resp.status_code == 201, f"Create failed: {resp.text}"
+        device = resp.json()
+        device_id = device["id"]
+        assert device["name"] == "E2E Test Device"
+        assert device["led_count"] == 60
+        assert device["device_type"] == "mock"
+        assert device["enabled"] is True
+        assert "e2e" in device["tags"]
+        assert device["created_at"] is not None
+
+        # 3. Get the device by ID -- verify all fields
+        resp = client.get(f"/api/v1/devices/{device_id}")
+        assert resp.status_code == 200
+        fetched = resp.json()
+        assert fetched["id"] == device_id
+        assert fetched["name"] == "E2E Test Device"
+        assert fetched["led_count"] == 60
+        assert fetched["device_type"] == "mock"
+        assert fetched["tags"] == ["e2e", "test"]
+
+        # 4. Update the device -- change name and led_count
+        resp = client.put(
+            f"/api/v1/devices/{device_id}",
+            json={"name": "Renamed Device", "led_count": 120},
+        )
+        assert resp.status_code == 200
+        updated = resp.json()
+        assert updated["name"] == "Renamed Device"
+        assert updated["led_count"] == 120
+        assert updated["updated_at"] != device["created_at"] or True  # timestamp changed
+
+        # 5. Verify update persisted via GET
+        resp = client.get(f"/api/v1/devices/{device_id}")
+        assert resp.status_code == 200
+        assert resp.json()["name"] == "Renamed Device"
+
+        # 6. Delete the device
+        resp = client.delete(f"/api/v1/devices/{device_id}")
+        assert resp.status_code == 204
+
+        # 7. Verify device is gone
+        resp = client.get(f"/api/v1/devices/{device_id}")
+        assert resp.status_code == 404
+
+        # 8. List should be empty again
+        resp = client.get("/api/v1/devices")
+        assert resp.status_code == 200
+        assert resp.json()["count"] == 0
+
+    def test_create_multiple_devices_and_list(self, client):
+        """Creating multiple devices shows all in the list."""
+        for i in range(3):
+            resp = client.post("/api/v1/devices", json={
+                "name": f"Device {i}",
+                "url": "mock://test",
+                "device_type": "mock",
+                "led_count": 30,
+            })
+            assert resp.status_code == 201
+
+        resp = client.get("/api/v1/devices")
+        assert resp.status_code == 200
+        data = resp.json()
+        assert data["count"] == 3
+        names = {d["name"] for d in data["devices"]}
+        assert names == {"Device 0", "Device 1", "Device 2"}
+
+    def test_get_nonexistent_device_returns_404(self, client):
+        resp = client.get("/api/v1/devices/nonexistent_id")
+        assert resp.status_code == 404
+
+    def test_delete_nonexistent_device_returns_404(self, client):
+        resp = client.delete("/api/v1/devices/nonexistent_id")
+        assert resp.status_code == 404
+
+    def test_update_nonexistent_device_returns_404(self, client):
+        resp = client.put(
+            "/api/v1/devices/nonexistent_id",
+            json={"name": "Ghost"},
+        )
+        assert resp.status_code == 404
+
+    def test_update_tags(self, client):
+        """Tags can be updated independently."""
+        resp = client.post("/api/v1/devices", json={
+            "name": "Tag Device",
+            "url": "mock://test",
+            "device_type": "mock",
+            "led_count": 10,
+            "tags": ["original"],
+        })
+        device_id = resp.json()["id"]
+
+        resp = client.put(
+            f"/api/v1/devices/{device_id}",
+            json={"tags": ["updated", "twice"]},
+        )
+        assert resp.status_code == 200
+        assert resp.json()["tags"] == ["updated", "twice"]
+
+    def test_batch_device_states(self, client):
+        """Batch states endpoint returns states for all devices."""
+        resp = client.get("/api/v1/devices/batch/states")
+        assert resp.status_code == 200
+        assert "states" in resp.json()