chadstart 1.0.0 → 1.0.1

package/test/integration/db-integration.test.js

@@ -0,0 +1,368 @@
+'use strict';
+
+/**
+ * Engine-agnostic HTTP-level integration tests.
+ *
+ * Runs against a live database specified by DB_ENGINE (postgres | mysql).
+ * Execute via:  npm run test:integration
+ *
+ * Required env vars when DB_ENGINE != sqlite:
+ *   DB_HOST, DB_PORT, DB_USERNAME, DB_PASSWORD, DB_DATABASE
+ */
+
+const assert = require('assert');
+const http   = require('http');
+const path   = require('path');
+const os     = require('os');
+const fs     = require('fs');
+
+const { buildApp } = require('../../server/express-server');
+const dbModule = require('../../core/db');
+
+const YAML_PATH  = path.resolve(__dirname, '../../chadstart.yaml');
+const DB_ENGINE  = (process.env.DB_ENGINE || 'sqlite').toLowerCase();
+
+// ── HTTP helper ──────────────────────────────────────────────────────────────
+
+function req(options) {
+  return new Promise((resolve, reject) => {
+    const { method = 'GET', path: p, body, headers = {}, port } = options;
+    const data = body ? JSON.stringify(body) : undefined;
+    const opts = {
+      hostname: 'localhost',
+      port,
+      path: p,
+      method,
+      headers: {
+        'Content-Type': 'application/json',
+        ...headers,
+        ...(data ? { 'Content-Length': Buffer.byteLength(data) } : {}),
+      },
+    };
+    const r = http.request(opts, (res) => {
+      let buf = '';
+      res.on('data', (c) => { buf += c; });
+      res.on('end', () => {
+        let json;
+        try { json = JSON.parse(buf); } catch { json = buf; }
+        resolve({ status: res.statusCode, body: json });
+      });
+    });
+    r.on('error', reject);
+    if (data) r.write(data);
+    r.end();
+  });
+}
+
+// ── Test suite ───────────────────────────────────────────────────────────────
+
+describe(`DB integration – ${DB_ENGINE}`, function () {
+  this.timeout(30000);
+
+  let server, port, adminToken, adminId;
+  let _sqliteTmpPath; // used only in SQLite mode
+
+  before(async function () {
+    // In SQLite mode (local dev smoke-test), write to a temp file
+    if (DB_ENGINE === 'sqlite') {
+      _sqliteTmpPath = path.join(os.tmpdir(), `integ-test-${Date.now()}.db`);
+      process.env.DB_PATH = _sqliteTmpPath;
+    }
+
+    const { app } = await buildApp(YAML_PATH, null);
+    server = http.createServer(app);
+    await new Promise((resolve) => server.listen(0, resolve));
+    port = server.address().port;
+
+    // Unique e-mail per run so re-runs on the same DB don't collide
+    const email = `integ-admin-${Date.now()}@test.com`;
+    const su = await req({
+      port, method: 'POST', path: '/api/auth/admin/signup',
+      body: { email, password: 'secret123', name: 'Integration Admin' },
+    });
+    assert.strictEqual(su.status, 201, `Admin signup failed: ${JSON.stringify(su.body)}`);
+    adminToken = su.body.token;
+    adminId    = su.body.user.id;
+  });
+
+  after(async function () {
+    if (server) await new Promise((resolve) => server.close(resolve));
+    await dbModule.closeDb();
+    if (_sqliteTmpPath) {
+      try { fs.unlinkSync(_sqliteTmpPath); } catch { /* ignore */ }
+    }
+  });
+
+  // ── Health ─────────────────────────────────────────────────────────────────
+
+  describe('GET /health', () => {
+    it('returns ok', async () => {
+      const r = await req({ port, path: '/health' });
+      assert.strictEqual(r.status, 200);
+      assert.strictEqual(r.body.status, 'ok');
+    });
+  });
+
+  // ── Auth ───────────────────────────────────────────────────────────────────
+
+  describe('Auth – Admin collection', () => {
+    it('signup returns 201 with token and user', async () => {
+      const email = `integ-signup-${Date.now()}@test.com`;
+      const r = await req({
+        port, method: 'POST', path: '/api/auth/admin/signup',
+        body: { email, password: 'pass123', name: 'Signup User' },
+      });
+      assert.strictEqual(r.status, 201);
+      assert.ok(r.body.token, 'should return a token');
+      assert.ok(r.body.user.id, 'should return a user id');
+      assert.strictEqual(r.body.user.email, email);
+      assert.ok(!r.body.user.password, 'password must not be exposed');
+    });
+
+    it('signup returns 409 for duplicate email', async () => {
+      const email = `integ-dup-${Date.now()}@test.com`;
+      await req({ port, method: 'POST', path: '/api/auth/admin/signup', body: { email, password: 'x' } });
+      const r = await req({ port, method: 'POST', path: '/api/auth/admin/signup', body: { email, password: 'y' } });
+      assert.strictEqual(r.status, 409);
+    });
+
+    it('login returns 200 with token for valid credentials', async () => {
+      const email = `integ-login-${Date.now()}@test.com`;
+      await req({ port, method: 'POST', path: '/api/auth/admin/signup', body: { email, password: 'myPass' } });
+      const r = await req({ port, method: 'POST', path: '/api/auth/admin/login', body: { email, password: 'myPass' } });
+      assert.strictEqual(r.status, 200);
+      assert.ok(r.body.token);
+    });
+
+    it('login returns 401 for wrong password', async () => {
+      const email = `integ-badpw-${Date.now()}@test.com`;
+      await req({ port, method: 'POST', path: '/api/auth/admin/signup', body: { email, password: 'correct' } });
+      const r = await req({ port, method: 'POST', path: '/api/auth/admin/login', body: { email, password: 'wrong' } });
+      assert.strictEqual(r.status, 401);
+    });
+
+    it('GET /me returns current user', async () => {
+      const r = await req({
+        port, path: '/api/auth/admin/me',
+        headers: { Authorization: `Bearer ${adminToken}` },
+      });
+      assert.strictEqual(r.status, 200);
+      assert.strictEqual(r.body.id, adminId);
+    });
+
+    it('GET /me returns 401 without token', async () => {
+      const r = await req({ port, path: '/api/auth/admin/me' });
+      assert.strictEqual(r.status, 401);
+    });
+  });
+
+  // ── CRUD – Post collection ─────────────────────────────────────────────────
+
+  describe('CRUD – Post collection', () => {
+    let postId;
+
+    it('POST creates a record (admin-restricted)', async () => {
+      const r = await req({
+        port, method: 'POST', path: '/api/collections/post',
+        body: { title: 'Integration Test Post', content: 'Some content', published: true },
+        headers: { Authorization: `Bearer ${adminToken}` },
+      });
+      assert.strictEqual(r.status, 201, JSON.stringify(r.body));
+      assert.ok(r.body.id);
+      assert.strictEqual(r.body.title, 'Integration Test Post');
+      assert.ok(r.body.createdAt);
+      assert.ok(r.body.updatedAt);
+      postId = r.body.id;
+    });
+
+    it('POST returns 401 without token', async () => {
+      const r = await req({
+        port, method: 'POST', path: '/api/collections/post',
+        body: { title: 'No Auth Post', content: 'x' },
+      });
+      assert.strictEqual(r.status, 401);
+    });
+
+    it('GET list returns paginated data (public)', async () => {
+      const r = await req({ port, path: '/api/collections/post' });
+      assert.strictEqual(r.status, 200);
+      assert.ok(Array.isArray(r.body.data));
+      assert.ok(typeof r.body.total === 'number');
+      assert.ok(typeof r.body.currentPage === 'number');
+      assert.ok(r.body.total >= 1, 'should have at least the post we created');
+    });
+
+    it('GET list respects pagination params', async () => {
+      const r = await req({ port, path: '/api/collections/post?page=1&perPage=1' });
+      assert.strictEqual(r.status, 200);
+      assert.strictEqual(r.body.perPage, 1);
+      assert.ok(r.body.data.length <= 1);
+    });
+
+    it('GET by id returns the record (public)', async () => {
+      const r = await req({ port, path: `/api/collections/post/${postId}` });
+      assert.strictEqual(r.status, 200);
+      assert.strictEqual(r.body.id, postId);
+      assert.strictEqual(r.body.title, 'Integration Test Post');
+    });
+
+    it('GET by id returns 404 for unknown id', async () => {
+      const r = await req({ port, path: '/api/collections/post/nonexistent-id' });
+      assert.strictEqual(r.status, 404);
+    });
+
+    it('PATCH updates a field (admin-restricted)', async () => {
+      const r = await req({
+        port, method: 'PATCH', path: `/api/collections/post/${postId}`,
+        body: { title: 'Updated Title' },
+        headers: { Authorization: `Bearer ${adminToken}` },
+      });
+      assert.strictEqual(r.status, 200, JSON.stringify(r.body));
+      assert.strictEqual(r.body.title, 'Updated Title');
+      assert.strictEqual(r.body.content, 'Some content', 'other fields should not change');
+    });
+
+    it('PATCH returns 401 without token', async () => {
+      const r = await req({
+        port, method: 'PATCH', path: `/api/collections/post/${postId}`,
+        body: { title: 'Unauthorized' },
+      });
+      assert.strictEqual(r.status, 401);
+    });
+
+    it('DELETE removes the record (admin-restricted)', async () => {
+      const r = await req({
+        port, method: 'DELETE', path: `/api/collections/post/${postId}`,
+        headers: { Authorization: `Bearer ${adminToken}` },
+      });
+      assert.strictEqual(r.status, 200);
+      assert.strictEqual(r.body.id, postId);
+    });
+
+    it('GET by id returns 404 after deletion', async () => {
+      const r = await req({ port, path: `/api/collections/post/${postId}` });
+      assert.strictEqual(r.status, 404);
+    });
+  });
+
+  // ── Relations – Comment belongsTo Post ────────────────────────────────────
+
+  describe('Relations – Comment belongsTo Post', () => {
+    let parentPostId, commentId;
+
+    before(async () => {
+      // Create a parent post
+      const r = await req({
+        port, method: 'POST', path: '/api/collections/post',
+        body: { title: 'Parent Post', content: 'For comments', published: true },
+        headers: { Authorization: `Bearer ${adminToken}` },
+      });
+      parentPostId = r.body.id;
+    });
+
+    it('POST comment with post FK', async () => {
+      const r = await req({
+        port, method: 'POST', path: '/api/collections/comment',
+        body: { text: 'Great post!', post_id: parentPostId },
+        headers: { Authorization: `Bearer ${adminToken}` },
+      });
+      assert.strictEqual(r.status, 201, JSON.stringify(r.body));
+      assert.ok(r.body.id);
+      assert.strictEqual(r.body.post_id, parentPostId);
+      commentId = r.body.id;
+    });
+
+    it('GET comment with ?relations=Post resolves parent', async () => {
+      const r = await req({ port, path: `/api/collections/comment/${commentId}?relations=Post` });
+      assert.strictEqual(r.status, 200);
+      assert.ok(r.body.Post, 'Post relation should be loaded');
+      assert.strictEqual(r.body.Post.id, parentPostId);
+    });
+
+    it('GET post list with ?relations=comment resolves children', async () => {
+      const r = await req({ port, path: `/api/collections/post/${parentPostId}?relations=comment` });
+      assert.strictEqual(r.status, 200);
+      assert.ok(Array.isArray(r.body.comment), 'comment relation should be an array');
+      assert.ok(r.body.comment.length >= 1);
+    });
+  });
+
+  // ── API Keys ───────────────────────────────────────────────────────────────
+
+  describe('API Keys', () => {
+    let apiKey, apiKeyId;
+
+    it('creates an API key', async () => {
+      const r = await req({
+        port, method: 'POST', path: '/api/auth/admin/api-keys',
+        body: { name: 'IntegKey', permissions: ['read'], entities: [] },
+        headers: { Authorization: `Bearer ${adminToken}` },
+      });
+      assert.strictEqual(r.status, 201);
+      assert.ok(r.body.key.startsWith('cs_'));
+      assert.strictEqual(r.body.record.name, 'IntegKey');
+      assert.ok(!r.body.record.keyHash, 'keyHash must not be exposed');
+      apiKey   = r.body.key;
+      apiKeyId = r.body.record.id;
+    });
+
+    it('API key authenticates a public route', async () => {
+      const r = await req({
+        port, path: '/api/collections/post',
+        headers: { Authorization: `Bearer ${apiKey}` },
+      });
+      assert.strictEqual(r.status, 200);
+    });
+
+    it('API key is rejected for a write operation when permission is read-only', async () => {
+      const r = await req({
+        port, method: 'POST', path: '/api/collections/post',
+        body: { title: 'Should fail', content: 'x' },
+        headers: { Authorization: `Bearer ${apiKey}` },
+      });
+      // read-only key: create is not allowed
+      assert.strictEqual(r.status, 403);
+    });
+
+    it('lists own API keys', async () => {
+      const r = await req({
+        port, path: '/api/auth/admin/api-keys',
+        headers: { Authorization: `Bearer ${adminToken}` },
+      });
+      assert.strictEqual(r.status, 200);
+      assert.ok(Array.isArray(r.body));
+      assert.ok(r.body.some((k) => k.id === apiKeyId));
+      assert.ok(r.body.every((k) => !k.keyHash), 'keyHash must never be exposed');
+    });
+
+    it('deletes the API key', async () => {
+      const r = await req({
+        port, method: 'DELETE', path: `/api/auth/admin/api-keys/${apiKeyId}`,
+        headers: { Authorization: `Bearer ${adminToken}` },
+      });
+      assert.strictEqual(r.status, 200);
+      assert.ok(r.body.success);
+    });
+
+    it('deleted API key is rejected on restricted route', async () => {
+      // Use /api/auth/admin/me which requires valid auth
+      const r = await req({
+        port, path: '/api/auth/admin/me',
+        headers: { Authorization: `Bearer ${apiKey}` },
+      });
+      assert.strictEqual(r.status, 401);
+    });
+  });
+
+  // ── Admin schema ───────────────────────────────────────────────────────────
+
+  describe('GET /admin/schema', () => {
+    it('returns entities and userCollections', async () => {
+      const r = await req({ port, path: '/admin/schema' });
+      assert.strictEqual(r.status, 200);
+      assert.ok(Array.isArray(r.body.entities));
+      assert.ok(Array.isArray(r.body.userCollections));
+      assert.ok(r.body.userCollections.every((e) => e.authenticable));
+    });
+  });
+});

package/test/middleware.test.js

@@ -25,7 +25,7 @@ describe('runMiddlewares – SDK injection', () => {
 
   before(async () => {
     tmp = path.join(os.tmpdir(), `chadstart-mw-${Date.now()}.db`);
-    dbModule.initDb(mwCore, tmp);
+    await dbModule.initDb(mwCore, tmp);
 
     functionsDir = path.join(os.tmpdir(), `chadstart-functions-${Date.now()}`);
     fs.mkdirSync(functionsDir, { recursive: true });

package/test/sdk.test.js

@@ -18,10 +18,10 @@ describe('createBackendSdk', () => {
     },
   });
 
-  before(() => {
+  before(async () => {
     tmp = path.join(os.tmpdir(), `chadstart-sdk-${Date.now()}.db`);
-    dbModule.initDb(sdkCore, tmp);
-    dbModule.create('config', { value: 'initial' });
+    await dbModule.initDb(sdkCore, tmp);
+    await dbModule.create('config', { value: 'initial' });
     sdk = createBackendSdk(sdkCore);
   });
 
@@ -37,30 +37,30 @@ describe('createBackendSdk', () => {
     assert.strictEqual(typeof iface.delete, 'function');
   });
 
-  it('from().create and findOneById work', () => {
-    const book = sdk.from('book').create({ title: 'Dune', author: 'Herbert' });
+  it('from().create and findOneById work', async () => {
+    const book = await sdk.from('book').create({ title: 'Dune', author: 'Herbert' });
     assert.strictEqual(book.title, 'Dune');
-    const found = sdk.from('book').findOneById(book.id);
+    const found = await sdk.from('book').findOneById(book.id);
     assert.strictEqual(found.author, 'Herbert');
   });
 
-  it('from().find returns paginated result', () => {
-    const result = sdk.from('book').find();
+  it('from().find returns paginated result', async () => {
+    const result = await sdk.from('book').find();
     assert.ok(Array.isArray(result.data));
     assert.ok(typeof result.total === 'number');
   });
 
-  it('from().patch updates a field', () => {
-    const book = sdk.from('book').create({ title: 'Old Title', author: 'Author' });
-    const updated = sdk.from('book').patch(book.id, { title: 'New Title' });
+  it('from().patch updates a field', async () => {
+    const book = await sdk.from('book').create({ title: 'Old Title', author: 'Author' });
+    const updated = await sdk.from('book').patch(book.id, { title: 'New Title' });
     assert.strictEqual(updated.title, 'New Title');
     assert.strictEqual(updated.author, 'Author');
   });
 
-  it('from().delete removes a record', () => {
-    const book = sdk.from('book').create({ title: 'To Delete', author: 'X' });
-    sdk.from('book').delete(book.id);
-    assert.strictEqual(sdk.from('book').findOneById(book.id), null);
+  it('from().delete removes a record', async () => {
+    const book = await sdk.from('book').create({ title: 'To Delete', author: 'X' });
+    await sdk.from('book').delete(book.id);
+    assert.strictEqual(await sdk.from('book').findOneById(book.id), null);
   });
 
   it('from() throws for unknown slug', () => {
@@ -74,13 +74,13 @@ describe('createBackendSdk', () => {
     assert.strictEqual(typeof iface.patch, 'function');
   });
 
-  it('single().get retrieves the record', () => {
-    const record = sdk.single('config').get();
+  it('single().get retrieves the record', async () => {
+    const record = await sdk.single('config').get();
     assert.strictEqual(record.value, 'initial');
   });
 
-  it('single().patch updates a field', () => {
-    const updated = sdk.single('config').patch({ value: 'changed' });
+  it('single().patch updates a field', async () => {
+    const updated = await sdk.single('config').patch({ value: 'changed' });
     assert.strictEqual(updated.value, 'changed');
   });
 

package/test/seeder.test.js

@@ -35,7 +35,7 @@ describe('seeder', () => {
 
   before(async () => {
     seedDbPath = path.join(os.tmpdir(), `chadstart-seed-${Date.now()}.db`);
-    dbModule.initDb(seedCore, seedDbPath);
+    await dbModule.initDb(seedCore, seedDbPath);
     firstSeedResult = await seedAll(seedCore);
   });
 
@@ -46,23 +46,23 @@ describe('seeder', () => {
     assert.strictEqual(firstSeedResult.summary.Article, 5);
   });
 
-  it('seedAll inserts rows into the database', () => {
-    const authors = dbModule.findAll('author', {}, { perPage: 100 });
+  it('seedAll inserts rows into the database', async () => {
+    const authors = await dbModule.findAll('author', {}, { perPage: 100 });
     assert.ok(authors.total >= 3);
-    const articles = dbModule.findAll('article', {}, { perPage: 100 });
+    const articles = await dbModule.findAll('article', {}, { perPage: 100 });
     assert.ok(articles.total >= 5);
   });
 
-  it('seedAll creates authenticable records with email field', () => {
-    const authors = dbModule.findAll('author', {}, { perPage: 100 });
+  it('seedAll creates authenticable records with email field', async () => {
+    const authors = await dbModule.findAll('author', {}, { perPage: 100 });
     for (const a of authors.data) {
       assert.ok(typeof a.email === 'string' && a.email.includes('@'));
       assert.ok(typeof a.password === 'string' && a.password.length > 0);
     }
   });
 
-  it('seedAll links belongsTo FK to a seeded parent', () => {
-    const articles = dbModule.findAll('article', {}, { perPage: 100 });
+  it('seedAll links belongsTo FK to a seeded parent', async () => {
+    const articles = await dbModule.findAll('article', {}, { perPage: 100 });
     for (const art of articles.data) {
       assert.ok(art.author_id !== null && art.author_id !== undefined);
     }
@@ -74,12 +74,12 @@ describe('seeder', () => {
       entities: { Tag: { properties: ['label'] } },
     });
     const defaultDbPath = path.join(os.tmpdir(), `chadstart-seed-default-${Date.now()}.db`);
-    dbModule.initDb(defaultCore, defaultDbPath);
+    await dbModule.initDb(defaultCore, defaultDbPath);
     const result = await seedAll(defaultCore);
     assert.strictEqual(result.summary.Tag, 50);
     fs.unlinkSync(defaultDbPath);
     // Restore the original seedCore DB for subsequent tests in this describe block
-    dbModule.initDb(seedCore, seedDbPath);
+    await dbModule.initDb(seedCore, seedDbPath);
   });
 
   it('seedAll creates admin@chadstart.com in authenticable entities', () => {
@@ -88,9 +88,9 @@ describe('seeder', () => {
     assert.strictEqual(firstSeedResult.adminPassword, ADMIN_PASSWORD);
   });
 
-  it('seedAll creates admin user with correct email in the database', () => {
-    dbModule.initDb(seedCore, seedDbPath);
-    const admins = dbModule.findAllSimple('author', { email: ADMIN_EMAIL });
+  it('seedAll creates admin user with correct email in the database', async () => {
+    await dbModule.initDb(seedCore, seedDbPath);
+    const admins = await dbModule.findAllSimple('author', { email: ADMIN_EMAIL });
     assert.strictEqual(admins.length, 1);
     assert.strictEqual(admins[0].email, ADMIN_EMAIL);
   });
@@ -107,10 +107,10 @@ describe('seeder', () => {
       },
     });
     const freshDbPath = path.join(os.tmpdir(), `chadstart-seed-admin-${Date.now()}.db`);
-    dbModule.initDb(freshCore, freshDbPath);
+    await dbModule.initDb(freshCore, freshDbPath);
     const result = await seedAll(freshCore);
     assert.ok(result.adminEntities.includes('User'));
-    const admins = dbModule.findAllSimple('user', { email: ADMIN_EMAIL });
+    const admins = await dbModule.findAllSimple('user', { email: ADMIN_EMAIL });
     assert.strictEqual(admins.length, 1);
     assert.strictEqual(admins[0].email, ADMIN_EMAIL);
     fs.unlinkSync(freshDbPath);
@@ -129,9 +129,9 @@ describe('seeder', () => {
       },
     });
     const dupDbPath = path.join(os.tmpdir(), `chadstart-seed-dup-${Date.now()}.db`);
-    dbModule.initDb(dupCore, dupDbPath);
+    await dbModule.initDb(dupCore, dupDbPath);
     // Manually create the admin user before seeding
-    dbModule.create('member', {
+    await dbModule.create('member', {
       email: ADMIN_EMAIL,
       password: bcrypt.hashSync(ADMIN_PASSWORD, 10),
       name: 'pre-existing admin',
@@ -139,7 +139,7 @@ describe('seeder', () => {
     // seedAll should not create a duplicate
     const result = await seedAll(dupCore);
     assert.strictEqual(result.adminEntities.length, 0);
-    const admins = dbModule.findAllSimple('member', { email: ADMIN_EMAIL });
+    const admins = await dbModule.findAllSimple('member', { email: ADMIN_EMAIL });
     assert.strictEqual(admins.length, 1);
     fs.unlinkSync(dupDbPath);
   });
@@ -177,9 +177,9 @@ describe('seeder – property types', () => {
     },
   });
 
-  before(() => {
+  before(async () => {
     tmp = path.join(os.tmpdir(), `chadstart-seedtypes-${Date.now()}.db`);
-    dbModule.initDb(core, tmp);
+    await dbModule.initDb(core, tmp);
   });
 
   after(() => { fs.unlinkSync(tmp); });
@@ -187,7 +187,7 @@ describe('seeder – property types', () => {
   it('seedAll generates values for every property type', async () => {
     const result = await seedAll(core);
     assert.strictEqual(result.summary.Sample, 3);
-    const rows = dbModule.findAll('sample', {}, { perPage: 100 });
+    const rows = await dbModule.findAll('sample', {}, { perPage: 100 });
     assert.strictEqual(rows.total, 3);
     const r = rows.data[0];
     assert.ok(typeof r.myText === 'string' && r.myText.length > 0);
@@ -217,7 +217,7 @@ describe('seeder – property types', () => {
       entities: { Config: { single: true, properties: ['key', 'value'] } },
     });
     const singleTmp = path.join(os.tmpdir(), `chadstart-seedsingle-${Date.now()}.db`);
-    dbModule.initDb(singleCore, singleTmp);
+    await dbModule.initDb(singleCore, singleTmp);
     const result = await seedAll(singleCore);
     assert.strictEqual(result.summary.Config, 1);
     fs.unlinkSync(singleTmp);
@@ -242,9 +242,9 @@ describe('seeder – authenticable entities with explicit email/password propert
     },
   });
 
-  before(() => {
+  before(async () => {
     tmp = path.join(os.tmpdir(), `chadstart-authprop-${Date.now()}.db`);
-    dbModule.initDb(core, tmp);
+    await dbModule.initDb(core, tmp);
   });
 
   after(() => { fs.unlinkSync(tmp); });
@@ -263,7 +263,7 @@ describe('seeder – authenticable entities with explicit email/password propert
   it('seedAll succeeds and creates records with valid email addresses', async () => {
     const result = await seedAll(core);
     assert.strictEqual(result.summary.Customer, 3);
-    const rows = dbModule.findAll('customer', {}, { perPage: 100 });
+    const rows = await dbModule.findAll('customer', {}, { perPage: 100 });
     assert.ok(rows.total >= 3);
     for (const r of rows.data) {
       assert.ok(typeof r.email === 'string' && r.email.includes('@'), `email should contain @, got: ${r.email}`);
@@ -272,7 +272,7 @@ describe('seeder – authenticable entities with explicit email/password propert
   });
 
   it('seedAll creates admin user with correct email when entity has explicit email property', async () => {
-    const admins = dbModule.findAllSimple('customer', { email: ADMIN_EMAIL });
+    const admins = await dbModule.findAllSimple('customer', { email: ADMIN_EMAIL });
     assert.strictEqual(admins.length, 1);
     assert.strictEqual(admins[0].email, ADMIN_EMAIL);
   });