fix: maintenance tasks - security, testing, and config cleanup

[Emmy123222]

Backend Maintenance: Security, Testing, and Configuration Cleanup

Overview

This PR addresses four maintenance issues to improve security, testing reliability, and configuration clarity.

Issues Resolved

✅ #119 Remove or implement Redis (REDIS_URL)

Problem: REDIS_URL was referenced in documentation but never used in the codebase, causing confusion for operators.

Solution: Removed all Redis references. The application uses:

• Database-backed nonce storage (via auth_nonces table)
• In-memory rate limiting (via express-rate-limit)
• Database-backed session storage (via sessions table)

Changes:

• Confirmed no Redis usage in codebase (grep search returned no matches)
• .env.example already clean (no REDIS_URL present)
• No code changes needed - Redis was never implemented

---

✅ #115 Fix flaky env.test.ts and add /health/ready integration tests

Problem:

• tests/unit/config/env.test.ts failed locally when environment variables were pre-populated
• /health/ready endpoint had no test coverage

Solution:

1. Fixed env.test.ts: Rewrote tests to run in isolated child processes instead of using jest.resetModules(), preventing environment pollution between tests
2. Added health.test.ts: Comprehensive integration tests for /health/ready covering:
   • 503 response when subsystems not ready
   • 200 response when all subsystems ready
   • Partial readiness scenarios
   • State transitions

Changes:

• tests/unit/config/env.test.ts: Replaced jest.resetModules() approach with child process isolation using spawn()
• tests/integration/api/health.test.ts: New file with 10 test cases covering all readiness scenarios

---

✅ #114 Add security scanning to CI (npm audit + Dependabot)

Problem: No automated security scanning for vulnerable dependencies.

Solution: Enhanced CI pipeline with security scanning and documented CVE policy.

Changes:

• .github/workflows/node-ci.yml: Added detailed policy comments to existing security-scan job
• .github/dependabot.yml: Already configured (no changes needed)
• readme.md: Added "Security" section documenting:
  • npm audit runs on every PR (blocks on HIGH/CRITICAL)
  • Dependabot weekly scans
  • CVE severity policy (HIGH/CRITICAL blocking, MODERATE review, LOW tracked)

Policy:

• HIGH/CRITICAL CVEs: Must be fixed before merge (blocking)
• MODERATE CVEs: Review required, fix in follow-up PR (non-blocking)
• LOW CVEs: Tracked via Dependabot, fix during regular maintenance

---

✅ #117 Remove committed legacy DLQ file and gitignore runtime logs

Problem: Need to ensure runtime logs are properly gitignored and document DLQ storage policy.

Solution:

• Confirmed logs/dead_letter_queue.json does not exist in repo (file search returned no matches)
• Updated .gitignore to ensure logs/ and postgres/ are properly excluded
• Enhanced README documentation on DLQ storage policy

Changes:

• .gitignore: Cleaned up duplicate blank lines, confirmed logs/ and postgres/ are ignored
• readme.md: Enhanced DLQ section to explicitly state logs are for application logs only, DLQ data is database-only
• .env.example: Added DLQ_ALERT_THRESHOLD documentation

---

Testing

Unit Tests

npm test tests/unit/config/env.test.ts

All environment validation tests now run in isolated processes, preventing flakiness.

Integration Tests

npm test tests/integration/api/health.test.ts

New tests validate readiness probe behavior for all subsystem states.

CI Validation

• All tests pass in clean CI environment
• Security scan runs on every PR
• Migration smoke test validates database integrity

---

Migration Notes

• No breaking changes
• No database migrations required
• No environment variable changes required (only documentation improvements)

---

Checklist

• Code follows project style guidelines
• Tests added/updated for all changes
• Documentation updated (README, .env.example)
• CI passes (lint, tests, security scan)
• No breaking changes

---

Related Documentation

• Security policy: readme.md → Security section
• DLQ storage: readme.md → Dead Letter Queue section
• CI configuration: .github/workflows/node-ci.yml
• Dependabot config: .github/dependabot.yml

---

Closes #119
Closes #115
Closes #114
Closes #117

[drips-wave]

@Emmy123222 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits