fix: guard against missing Categories key in extract_capec_names

copi.owasp.org/Dockerfile

@@ -13,10 +13,13 @@
 #   - Ex: hexpm/elixir:1.14.2-erlang-25.1.1-debian-bullseye-20220801-slim
 #
 FROM --platform=linux/amd64 hexpm/elixir:1.19-erlang-28.3-debian-bullseye-20251208@sha256:9d1e59c326674de89a2eac9cd7f118ae2917e1c6cde02e8fa4cd785198ca9be0 as builder
-# install build dependencies
-RUN (apt-get update -y && apt-get install -y build-essential git nodejs npm) || \
-    (sleep 10 && apt-get update -y && apt-get install -y build-essential git nodejs npm) \
-    && apt-get clean && rm -f /var/lib/apt/lists/*_*
+# install build dependencies (retry up to 3 times with backoff)
+RUN apt-get update -y && apt-get install -y --no-install-recommends build-essential git nodejs npm \
+    && apt-get clean && rm -rf /var/lib/apt/lists/* \
+    || (sleep 15 && apt-get update -y && apt-get install -y --no-install-recommends build-essential git nodejs npm \
+    && apt-get clean && rm -rf /var/lib/apt/lists/*) \
+    || (sleep 30 && apt-get update -y && apt-get install -y --no-install-recommends build-essential git nodejs npm \
+    && apt-get clean && rm -rf /var/lib/apt/lists/*)
 
 # prepare build dir
 WORKDIR /app
@@ -64,9 +67,12 @@ RUN mix release
 # the compiled release and other runtime necessities
 FROM --platform=linux/amd64 hexpm/elixir:1.19-erlang-28.3-debian-bullseye-20251208@sha256:9d1e59c326674de89a2eac9cd7f118ae2917e1c6cde02e8fa4cd785198ca9be0
 
-RUN (apt-get update -y && apt-get install -y libstdc++6 openssl libncurses5 locales) || \
-    (sleep 10 && apt-get update -y && apt-get install -y libstdc++6 openssl libncurses5 locales) \
-    && apt-get clean && rm -f /var/lib/apt/lists/*_*
+RUN apt-get update -y && apt-get install -y --no-install-recommends libstdc++6 openssl libncurses5 locales \
+    && apt-get clean && rm -rf /var/lib/apt/lists/* \
+    || (sleep 15 && apt-get update -y && apt-get install -y --no-install-recommends libstdc++6 openssl libncurses5 locales \
+    && apt-get clean && rm -rf /var/lib/apt/lists/*) \
+    || (sleep 30 && apt-get update -y && apt-get install -y --no-install-recommends libstdc++6 openssl libncurses5 locales \
+    && apt-get clean && rm -rf /var/lib/apt/lists/*)
 
 # Set the locale
 RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && locale-gen

copi.owasp.org/lib/copi_web/live/game_live/create_game_form.ex

@@ -95,19 +95,6 @@ defmodule CopiWeb.GameLive.CreateGameForm do
     assign(socket, :form, to_form(changeset))
   end
 
-  defp save_game(socket, :edit, game_params) do
-    case Cornucopia.update_game(socket.assigns.game, game_params) do
-      {:ok, _game} ->
-        {:noreply,
-         socket
-         |> put_flash(:info, "Game updated successfully")
-         |> push_navigate(to: socket.assigns.return_to)}
-
-      {:error, %Ecto.Changeset{} = changeset} ->
-        {:noreply, assign_form(socket, changeset)}
-    end
-  end
-
   defp save_game(socket, :new, game_params) do
     ip = socket.assigns[:client_ip] || {127, 0, 0, 1}
 

copi.owasp.org/lib/copi_web/live/game_live/show.ex

@@ -28,7 +28,13 @@ defmodule CopiWeb.GameLive.Show do
         game.rounds_played + 1
       end
 
-      case Want.integer(params["round"], min: 1, max: current_round, default: current_round) do
+      round_result = if params["round"] do
+        Want.integer(params["round"], min: 1, max: current_round)
+      else
+        {:ok, current_round}
+      end
+
+      case round_result do
         {:ok, requested_round} ->
           {:noreply, socket |> assign(:game, game) |> assign(:requested_round, requested_round)}
         {:error, _reason} ->
@@ -83,20 +89,10 @@ defmodule CopiWeb.GameLive.Show do
           })
         end)
 
-        # Update game with start time and handle potential errors
-        case Copi.Cornucopia.update_game(game, %{started_at: DateTime.truncate(DateTime.utc_now(), :second)}) do
-          {:ok, updated_game} ->
-            CopiWeb.Endpoint.broadcast(topic(updated_game.id), "game:updated", updated_game)
-            {:noreply, assign(socket, :game, updated_game)}
-
-          {:error, _changeset} ->
-            # If update fails, reload game and show error
-            {:ok, reloaded_game} = Game.find(game.id)
-            {:noreply,
-             socket
-             |> put_flash(:error, "Failed to start game. Please try again.")
-             |> assign(:game, reloaded_game)}
-        end
+        # Update game with start time
+        {:ok, updated_game} = Copi.Cornucopia.update_game(game, %{started_at: DateTime.truncate(DateTime.utc_now(), :second)})
+        CopiWeb.Endpoint.broadcast(topic(updated_game.id), "game:updated", updated_game)
+        {:noreply, assign(socket, :game, updated_game)}
     end
   end
 

copi.owasp.org/lib/copi_web/live/player_live/form_component.ex

@@ -14,6 +14,7 @@ defmodule CopiWeb.PlayerLive.FormComponent do
       </.header1>
 
       <.simple_form
+        :if={@form}
         for={@form}
         id="player-form"
         phx-target={@myself}
@@ -47,6 +48,10 @@ defmodule CopiWeb.PlayerLive.FormComponent do
   end
 
   @impl true
+  def update(%{player: nil} = assigns, socket) do
+    {:ok, socket |> assign(assigns) |> assign(:form, nil)}
+  end
+
   def update(%{player: player} = assigns, socket) do
     changeset = Cornucopia.change_player(player)
 
@@ -81,7 +86,7 @@ defmodule CopiWeb.PlayerLive.FormComponent do
         {:noreply,
          socket
          |> put_flash(:info, "Player updated successfully")
-         |> push_navigate(to: socket.assigns.return_to)}
+         |> push_navigate(to: socket.assigns[:return_to] || socket.assigns[:patch])}
 
       {:error, %Ecto.Changeset{} = changeset} ->
         {:noreply, assign_form(socket, changeset)}

copi.owasp.org/lib/copi_web/live/player_live/show.ex

@@ -17,27 +17,23 @@ defmodule CopiWeb.PlayerLive.Show do
 
   @impl true
   def handle_params(%{"id" => player_id}, _, socket) do
-    with {:ok, player} <- Player.find(player_id) do
-      with {:ok, game} <- Game.find(player.game_id) do
-        CopiWeb.Endpoint.subscribe(topic(player.game_id))
-        {:noreply, socket |> assign(:game, game) |> assign(:player, player)}
-      else
-        {:error, _reason} ->
-          {:ok, redirect(socket, to: "/error")}
-      end
+    with {:ok, player} <- Player.find(player_id),
+         {:ok, game} <- Game.find(player.game_id) do
+      CopiWeb.Endpoint.subscribe(topic(player.game_id))
+      {:noreply, socket |> assign(:game, game) |> assign(:player, player)}
     else
       {:error, _reason} ->
-        {:ok, redirect(socket, to: "/error")}
+        {:noreply, redirect(socket, to: "/error")}
     end
   end
 
   @impl true
   def handle_info(%{topic: _message_topic, event: "game:updated", payload: updated_game}, socket) do
-    with {:ok, updated_player} <- Player.find(socket.assigns.player.id) do
-      {:noreply, socket |> assign(:game, updated_game) |> assign(:player, updated_player)}
-    else
+    case Player.find(socket.assigns.player.id) do
+      {:ok, updated_player} ->
+        {:noreply, socket |> assign(:game, updated_game) |> assign(:player, updated_player)}
       {:error, _reason} ->
-        {:ok, redirect(socket, to: "/error")}
+        {:noreply, socket}
     end
   end
 
@@ -109,12 +105,8 @@ defmodule CopiWeb.PlayerLive.Show do
       end
     else
       # Add their vote
-      case Copi.Repo.insert(%Copi.Cornucopia.ContinueVote{player_id: player.id, game_id: game.id}) do
-        {:ok, _vote} ->
-          Logger.debug("Continue vote added successfully for player_id: #{player.id}, game_id: #{game.id}")
-        {:error, changeset} ->
-          Logger.warning("Continue voting failed for player_id: #{player.id}, game_id: #{game.id}, errors: #{inspect(changeset.errors)}")
-      end
+      Logger.debug("Adding continue vote for player_id: #{player.id}, game_id: #{game.id}")
+      Copi.Repo.insert(%Copi.Cornucopia.ContinueVote{player_id: player.id, game_id: game.id})
     end
 
     {:ok, updated_game} = Game.find(game.id)

copi.owasp.org/lib/copi_web/router.ex

@@ -22,10 +22,14 @@ defmodule CopiWeb.Router do
 
     live "/games", GameLive.Index, :index
     live "/games/new", GameLive.Index, :new
-    live "/games/:game_id", GameLive.Show, :show
+
+    live_session :game_show, on_mount: [{CopiWeb.GameLive.Show, :default}] do
+      live "/games/:game_id", GameLive.Show, :show
+    end
 
     live "/games/:game_id/players", PlayerLive.Index, :index
     live "/games/:game_id/players/new", PlayerLive.Index, :new
+    live "/games/:game_id/players/:id/edit", PlayerLive.Index, :edit
 
     live "/games/:game_id/players/:id", PlayerLive.Show, :show
 

copi.owasp.org/test/copi/cornucopia_logic_test.exs

@@ -197,6 +197,22 @@ defmodule Copi.CornucopiaLogicTest do
     assert d3.id in all_card_ids
   end
 
+  test "lead-suit wins when no jokers or trumps present", %{game: game, p1: p1, p2: p2} do
+    {:ok, c1} = create_card("Authentication", "K")
+    {:ok, c2} = create_card("Authentication", "5")
+
+    d1 = play_card(p1, c1, 1)  # leads with Authentication K
+    d2 = play_card(p2, c2, 1)  # follows with Authentication 5
+
+    Repo.insert!(%Copi.Cornucopia.Vote{dealt_card_id: d1.id, player_id: p1.id})
+    Repo.insert!(%Copi.Cornucopia.Vote{dealt_card_id: d2.id, player_id: p2.id})
+
+    game = Cornucopia.get_game!(game.id) |> Repo.preload(players: [dealt_cards: [:card, :votes]])
+    winner = Cornucopia.highest_scoring_card_in_round(game, 1)
+    # "K" is higher than "5" in card_order; both Authentication (lead suit, no jokers/trumps)
+    assert winner.id == d1.id
+  end
+
   test "jokers trump all other cards", %{game: game, p1: p1, p2: p2} do
     {:ok, joker} = create_card("Joker", "JokerA")
     {:ok, trump} = create_card("Cornucopia", "A")

copi.owasp.org/test/copi_web/controllers/api_controller_test.exs

@@ -54,6 +54,27 @@ defmodule CopiWeb.ApiControllerTest do
     assert json_response(conn, 404)["error"] == "Could not find game"
   end
 
+  test "play_card returns 404 when dealt card not found for player", %{conn: conn, game: game} do
+    {:ok, other_game} = Cornucopia.create_game(%{name: "Other Game"})
+    {:ok, other_player} = Cornucopia.create_player(%{name: "Other", game_id: other_game.id})
+    {:ok, card2} = Cornucopia.create_card(%{
+      category: "C", value: "Q", description: "d", misc: "m",
+      edition: "webapp", external_id: "99", language: "en", version: "1",
+      owasp_scp: [], owasp_devguide: [], owasp_asvs: [], owasp_appsensor: [],
+      capec: [], safecode: [], owasp_mastg: [], owasp_masvs: [],
+      biml: "biml", url: "http://example.com"
+    })
+    {:ok, other_dealt} = Repo.insert(%DealtCard{player_id: other_player.id, card_id: card2.id})
+
+    conn = put(conn, "/api/games/#{game.id}/players/#{other_player.id}/card", %{
+      "game_id" => game.id,
+      "player_id" => to_string(other_player.id),
+      "dealt_card_id" => to_string(other_dealt.id)
+    })
+
+    assert json_response(conn, 404)["error"] == "Player not found in this game"
+  end
+
   test "play_card fails if player already played in round", %{conn: conn, game: game, player: player, dealt_card: dealt_card} do
     {:ok, card2} = Cornucopia.create_card(%{
       category: "Cornucopia", value: "K", description: "desc", misc: "misc",

copi.owasp.org/test/copi_web/live/game_live_test.exs

@@ -137,6 +137,17 @@ defmodule CopiWeb.GameLiveTest do
       assert {:error, {:redirect, %{to: "/error"}}} = live(conn, "/games/01ARZ3NDEKTSV4RRFFQ69G5FAV")
     end
 
+    test "displays finished game using rounds_played for current_round", %{conn: conn, game: game} do
+      # Set finished_at so handle_params uses game.rounds_played (not +1) for current_round
+      {:ok, game} = Cornucopia.update_game(game, %{
+        started_at: DateTime.truncate(DateTime.utc_now(), :second),
+        finished_at: DateTime.truncate(DateTime.utc_now(), :second),
+        rounds_played: 1
+      })
+      {:ok, _show_live, html} = live(conn, Routes.game_show_path(conn, :show, game))
+      assert html =~ game.name
+    end
+
     test "displays past round", %{conn: conn, game: game} do
        # Create players and play a round to make it valid
        {:ok, p1} = Cornucopia.create_player(%{name: "P1", game_id: game.id})
@@ -165,6 +176,76 @@ defmodule CopiWeb.GameLiveTest do
       # Should update the assigns
       :ok
     end
-
+
+    test "start_game does nothing when game already started", %{conn: conn, game: game} do
+      # Pre-start the game with 3 players
+      {:ok, _} = Cornucopia.create_player(%{name: "P1", game_id: game.id})
+      {:ok, _} = Cornucopia.create_player(%{name: "P2", game_id: game.id})
+      {:ok, _} = Cornucopia.create_player(%{name: "P3", game_id: game.id})
+      {:ok, game} = Cornucopia.update_game(game, %{started_at: DateTime.truncate(DateTime.utc_now(), :second)})
+
+      {:ok, show_live, _html} = live(conn, Routes.game_show_path(conn, :show, game))
+
+      # Clicking start_game on an already started game should be a noop
+      html = render(show_live)
+      refute html =~ "Start Game"
+    end
+
+    test "start_game shows error flash with fewer than 3 players", %{conn: conn, game: game} do
+      # Only 2 players — below minimum
+      {:ok, _} = Cornucopia.create_player(%{name: "P1", game_id: game.id})
+      {:ok, _} = Cornucopia.create_player(%{name: "P2", game_id: game.id})
+
+      {:ok, show_live, _html} = live(conn, Routes.game_show_path(conn, :show, game))
+
+      render_click(show_live, "start_game", %{})
+      html = render(show_live)
+      assert html =~ "At least 3 players are required"
+    end
+
+    test "redirects to error on invalid round param", %{conn: conn, game: game} do
+      {:ok, _} = Cornucopia.create_player(%{name: "P1", game_id: game.id})
+      {:ok, game} = Cornucopia.update_game(game, %{started_at: DateTime.truncate(DateTime.utc_now(), :second)})
+
+      # round=999 is way beyond current_round, should redirect to /error
+      assert {:error, {:redirect, %{to: "/error"}}} = live(conn, "/games/#{game.id}?round=999")
+    end
+  end
+
+  describe "Helper functions" do
+    alias CopiWeb.GameLive.Show
+
+    test "display_game_session returns correct label for each edition" do
+      assert Show.display_game_session("webapp") =~ "Cornucopia Web Session"
+      assert Show.display_game_session("ecommerce") =~ "Cornucopia Web Session"
+      assert Show.display_game_session("mobileapp") =~ "Cornucopia Mobile Session"
+      assert Show.display_game_session("mlsec") =~ "Elevation of MLSec Session"
+      assert Show.display_game_session("cumulus") =~ "OWASP Cumulus Session"
+      assert Show.display_game_session("masvs") =~ "Cornucopia Mobile Session"
+      assert Show.display_game_session("eop") =~ "EoP Session"
+      assert Show.display_game_session("unknown") =~ "EoP Session"
+    end
+
+    test "latest_version returns correct version for each edition" do
+      assert Show.latest_version("webapp") == "2.2"
+      assert Show.latest_version("ecommerce") == "1.22"
+      assert Show.latest_version("mobileapp") == "1.1"
+      assert Show.latest_version("mlsec") == "1.0"
+      assert Show.latest_version("cumulus") == "1.1"
+      assert Show.latest_version("masvs") == "1.1"
+      assert Show.latest_version("eop") == "5.1"
+      assert Show.latest_version("other") == "1.0"
+    end
+
+    test "card_played_in_round returns correct card" do
+      cards = [
+        %{played_in_round: 1, id: 1},
+        %{played_in_round: 2, id: 2},
+        %{played_in_round: nil, id: 3}
+      ]
+      assert Show.card_played_in_round(cards, 1).id == 1
+      assert Show.card_played_in_round(cards, 2).id == 2
+      assert is_nil(Show.card_played_in_round(cards, 3))
+    end
   end
 end

copi.owasp.org/test/copi_web/live/player_live/form_component_test.exs

@@ -85,4 +85,47 @@ defmodule CopiWeb.PlayerLive.FormComponentTest do
       assert CopiWeb.PlayerLive.FormComponent.topic("abc123") == "game:abc123"
     end
   end
+
+  describe "edit player (save_player :edit path)" do
+    test "successfully updates player name", %{conn: conn, game: game} do
+      {:ok, player} = Cornucopia.create_player(%{name: "Original Name", game_id: game.id})
+
+      {:ok, view, _html} = live(conn, "/games/#{game.id}/players/#{player.id}/edit")
+
+      result =
+        view
+        |> form("#player-form", player: %{name: "Updated Name", game_id: game.id})
+        |> render_submit()
+
+      assert {:ok, _view, html} = follow_redirect(result, conn)
+      assert html =~ "Player updated successfully" or html =~ "Updated Name"
+    end
+
+    test "shows validation error on blank name during edit", %{conn: conn, game: game} do
+      {:ok, player} = Cornucopia.create_player(%{name: "Original Name", game_id: game.id})
+
+      {:ok, view, _html} = live(conn, "/games/#{game.id}/players/#{player.id}/edit")
+
+      html =
+        view
+        |> form("#player-form", player: %{name: "", game_id: game.id})
+        |> render_change()
+
+      assert html =~ "can't be blank" or html =~ "blank"
+    end
+
+    test "save_player :edit returns error changeset on invalid submit", %{conn: conn, game: game} do
+      {:ok, player} = Cornucopia.create_player(%{name: "Original Name", game_id: game.id})
+
+      {:ok, view, _html} = live(conn, "/games/#{game.id}/players/#{player.id}/edit")
+
+      # Submit a blank name — triggers save_player(:edit) error branch
+      html =
+        view
+        |> form("#player-form", player: %{name: "", game_id: game.id})
+        |> render_submit()
+
+      assert html =~ "can't be blank" or html =~ "blank"
+    end
+  end
 end