Test environment hardening: APP_KEY override and Postgres test runs #22

Closed
opened 2026-04-26 03:53:54 +02:00 by myrmidex · 0 comments
Owner

Context

Two related test-environment gaps surfaced during ticket #4 review:

1. APP_KEY not overridden in phpunit.xml

Tests use the local .env APP_KEY. If a real production key is ever committed to .env (mistake or otherwise), encryption-bound tests could leak across environments. Defensible practice: pin a known testing-only APP_KEY in phpunit.xml <server> block.

2. Test/prod DB engine split

phpunit.xml forces DB_CONNECTION=sqlite :memory:, but production runs PostgreSQL 17. This means:

  • timestampTz() columns compile to plain datetime on SQLite — TZ behavior never tested.
  • FK deferred-check semantics differ.
  • PG-specific features (CHECK constraints, tsvector, JSON ops) are untestable.
  • Future ticket #11 (search via tsvector) cannot be tested at all under the current setup.

Goals

  1. Add APP_KEY to phpunit.xml <server> overrides with a known value.
  2. Switch tests to PostgreSQL (or add a CI-only PG run alongside the SQLite default).

Acceptance criteria

  • <server name="APP_KEY" value="base64:..."/> (test-only key) in phpunit.xml.
  • CI runs the suite against PostgreSQL 17 (the existing CI workflow already provisions a PG service container — flip the test runner to use it).
  • Existing tests still pass (SQLite-incompatible patterns may need adjustment).
  • Document in PLATFORM.md.

Risks

  • Some tests may have implicit SQLite assumptions (e.g. autoincrement gap behavior, transaction isolation defaults). Expect to fix a few.
  • Slower test runs once PG is involved. Tradeoff is correctness over speed.
myrmidex added this to the v0.2 milestone 2026-04-26 03:53:54 +02:00
myrmidex self-assigned this 2026-04-26 03:53:54 +02:00
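
A CI guard for the first acceptance criterion, as an added example that is not part of the original issue or the project's own code: it checks that phpunit.xml pins an APP_KEY in a <server> element, that the value decodes to 32 bytes (an assumption: Laravel's default AES-256-CBC cipher), and that it differs from the key in .env. The function names, the sample XML and the sample key are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed testing-only key: 32 fixed bytes, never a real secret.
TEST_KEY = "base64:" + base64.b64encode(b"T" * 32).decode()

# Constructed phpunit.xml fragments (not the project's real file).
SAMPLE_PINNED = f"""<phpunit><php>
  <server name="APP_ENV" value="testing"/>
  <server name="APP_KEY" value="{TEST_KEY}"/>
</php></phpunit>"""
SAMPLE_MISSING = """<phpunit><php>
  <server name="APP_ENV" value="testing"/>
</php></phpunit>"""

def decode_app_key(value):
    """Return raw key bytes from a 'base64:...' APP_KEY, or None if malformed."""
    if not value or not value.startswith("base64:"):
        return None
    try:
        return base64.b64decode(value[len("base64:"):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def env_app_key(env_text):
    """Extract APP_KEY from .env text (last assignment wins, quotes stripped)."""
    key = None
    for line in env_text.splitlines():
        line = line.strip()
        if line.startswith("APP_KEY="):
            key = line.split("=", 1)[1].strip().strip("\"'")
    return key

def check_phpunit_app_key(phpunit_xml, env_text=""):
    """Return a list of problems; an empty list means the override is in place."""
    root = ET.fromstring(phpunit_xml)
    pinned = [el.get("value") for el in root.iter("server")
              if el.get("name") == "APP_KEY"]
    if not pinned:
        return ['no <server name="APP_KEY"> override: tests fall back to .env']
    problems = []
    raw = decode_app_key(pinned[0])
    if raw is None or len(raw) != 32:  # assumes AES-256-CBC key length
        problems.append("pinned APP_KEY is not base64 of 32 bytes")
    if pinned[0] and env_app_key(env_text) == pinned[0]:
        problems.append("pinned APP_KEY equals the .env key")
    return problems

if __name__ == "__main__":
    print(check_phpunit_app_key(SAMPLE_MISSING))
```

In CI the two arguments would be the contents of phpunit.xml and .env, with the job failing when the returned list is non-empty.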
Reference: lvl0/trove#22