chadstart 1.0.0

package/test/hot-reload.test.js

@@ -0,0 +1,153 @@
+'use strict';
+
+const assert = require('assert');
+const path = require('path');
+const fs = require('fs');
+const os = require('os');
+const http = require('http');
+const { buildApp } = require('../server/express-server');
+const { signToken } = require('../core/auth');
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+function tmpYaml(name, obj) {
+  const YAML = require('yaml');
+  const file = path.join(os.tmpdir(), `cs-hr-${name}-${Date.now()}.yaml`);
+  fs.writeFileSync(file, YAML.stringify(obj), 'utf8');
+  return file;
+}
+
+async function jsonFetch(url, opts = {}) {
+  const res = await fetch(url, opts);
+  const body = await res.json();
+  return { status: res.status, body };
+}
+
+// ---------------------------------------------------------------------------
+
+describe('hot-reload', () => {
+  let yamlFile, server, port, reloadFn;
+
+  const baseConfig = {
+    name: 'HotReloadTest',
+    entities: {
+      Admin: { authenticable: true, properties: ['name'] },
+      Post:  { properties: ['title'] },
+    },
+  };
+
+  before(async () => {
+    yamlFile = tmpYaml('base', baseConfig);
+
+    let currentApp = null;
+    const dispatcher = (req, res) => currentApp(req, res);
+    server = http.createServer(dispatcher);
+
+    async function reload() {
+      const result = await buildApp(yamlFile, reload);
+      currentApp = result.app;
+      return result;
+    }
+    reloadFn = reload;
+
+    await reload();
+    await new Promise((resolve) => server.listen(0, '127.0.0.1', resolve));
+    port = server.address().port;
+  });
+
+  after(async () => {
+    await new Promise((resolve) => server.close(resolve));
+    if (fs.existsSync(yamlFile)) fs.unlinkSync(yamlFile);
+  });
+
+  it('server starts and /health reflects the initial config', async () => {
+    const { status, body } = await jsonFetch(`http://127.0.0.1:${port}/health`);
+    assert.strictEqual(status, 200);
+    assert.strictEqual(body.name, 'HotReloadTest');
+  });
+
+  it('/admin/schema lists initial entities', async () => {
+    const { status, body } = await jsonFetch(`http://127.0.0.1:${port}/admin/schema`);
+    assert.strictEqual(status, 200);
+    const names = body.entities.map((e) => e.name);
+    assert.ok(names.includes('Admin'));
+    assert.ok(names.includes('Post'));
+  });
+
+  it('hot reload swaps app — new entity appears after reload', async () => {
+    // Write updated config with an extra entity
+    const YAML = require('yaml');
+    const updated = {
+      ...baseConfig,
+      name: 'HotReloadTest',
+      entities: {
+        ...baseConfig.entities,
+        Comment: { properties: ['text'] },
+      },
+    };
+    fs.writeFileSync(yamlFile, YAML.stringify(updated), 'utf8');
+
+    // Trigger reload
+    await reloadFn();
+
+    // Schema must now include Comment
+    const { status, body } = await jsonFetch(`http://127.0.0.1:${port}/admin/schema`);
+    assert.strictEqual(status, 200);
+    const names = body.entities.map((e) => e.name);
+    assert.ok(names.includes('Comment'), 'Comment entity should appear after reload');
+  });
+
+  it('PUT /admin/config returns reloading:true when reloadFn is provided', async () => {
+    const token = signToken({ id: 'test', entity: 'Admin' });
+    const newConfig = { ...baseConfig, name: 'Reloaded' };
+
+    const { status, body } = await jsonFetch(`http://127.0.0.1:${port}/admin/config`, {
+      method: 'PUT',
+      headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${token}` },
+      body: JSON.stringify(newConfig),
+    });
+
+    assert.strictEqual(status, 200);
+    assert.strictEqual(body.success, true);
+    assert.strictEqual(body.reloading, true);
+  });
+
+  it('server is still responsive during and after reload', async () => {
+    // Reload a few times and confirm the server stays up
+    for (let i = 0; i < 3; i++) {
+      const YAML = require('yaml');
+      const cfg = { ...baseConfig, name: `Reload-${i}` };
+      fs.writeFileSync(yamlFile, YAML.stringify(cfg), 'utf8');
+      await reloadFn();
+    }
+    const { status } = await jsonFetch(`http://127.0.0.1:${port}/health`);
+    assert.strictEqual(status, 200);
+  });
+
+  it('buildApp without reloadFn — PUT /admin/config returns no reloading flag', async () => {
+    const yamlFile2 = tmpYaml('noreload', baseConfig);
+    try {
+      const { app } = await buildApp(yamlFile2, null);
+      const testServer = http.createServer(app);
+      await new Promise((resolve) => testServer.listen(0, '127.0.0.1', resolve));
+      const p = testServer.address().port;
+
+      const token = signToken({ id: 'test', entity: 'Admin' });
+      const { status, body } = await jsonFetch(`http://127.0.0.1:${p}/admin/config`, {
+        method: 'PUT',
+        headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${token}` },
+        body: JSON.stringify(baseConfig),
+      });
+
+      assert.strictEqual(status, 200);
+      assert.strictEqual(body.success, true);
+      assert.strictEqual(body.reloading, undefined, 'reloading flag should not be set when no reloadFn');
+
+      await new Promise((resolve) => testServer.close(resolve));
+    } finally {
+      if (fs.existsSync(yamlFile2)) fs.unlinkSync(yamlFile2);
+    }
+  });
+});

package/test/i18n.test.js

@@ -0,0 +1,173 @@
+'use strict';
+
+const assert = require('assert');
+const path   = require('path');
+const fs     = require('fs');
+
+// ── Unit tests for i18n helpers in express-server.js ──────────────────────────
+// We test loadLocale() and parseLang() by requiring the server module and
+// exercising the locale files directly, without starting a full HTTP server.
+
+const LOCALES_DIR = path.join(__dirname, '..', 'locales');
+const EN_LOCALE   = path.join(LOCALES_DIR, 'en', 'admin.json');
+
+describe('i18n – locale files', () => {
+  it('English locale file exists', () => {
+    assert.ok(fs.existsSync(EN_LOCALE), `Expected ${EN_LOCALE} to exist`);
+  });
+
+  it('English locale is valid JSON', () => {
+    const raw = fs.readFileSync(EN_LOCALE, 'utf8');
+    let parsed;
+    assert.doesNotThrow(() => { parsed = JSON.parse(raw); });
+    assert.strictEqual(typeof parsed, 'object');
+  });
+
+  it('English locale has all required top-level sections', () => {
+    const locale = JSON.parse(fs.readFileSync(EN_LOCALE, 'utf8'));
+    const required = ['page', 'login', 'sidebar', 'header', 'modal', 'table', 'toast', 'config'];
+    for (const key of required) {
+      assert.ok(key in locale, `Missing top-level key: ${key}`);
+    }
+  });
+
+  it('login section has required keys', () => {
+    const { login } = JSON.parse(fs.readFileSync(EN_LOCALE, 'utf8'));
+    const required = [
+      'title', 'collection_label', 'collection_placeholder',
+      'change_collection', 'hide_collection',
+      'email_label', 'password_label', 'sign_in', 'signing_in', 'errors',
+    ];
+    for (const key of required) {
+      assert.ok(key in login, `login.${key} is missing`);
+    }
+  });
+
+  it('login.errors section has required keys', () => {
+    const { login } = JSON.parse(fs.readFileSync(EN_LOCALE, 'utf8'));
+    const required = [
+      'no_admin_collections', 'all_fields_required',
+      'collection_not_found', 'login_failed', 'network_error',
+    ];
+    for (const key of required) {
+      assert.ok(key in login.errors, `login.errors.${key} is missing`);
+    }
+  });
+
+  it('table section has required keys', () => {
+    const { table } = JSON.parse(fs.readFileSync(EN_LOCALE, 'utf8'));
+    const required = ['no_records', 'actions', 'edit', 'delete', 'delete_confirm'];
+    for (const key of required) {
+      assert.ok(key in table, `table.${key} is missing`);
+    }
+  });
+
+  it('config section has all tab description keys', () => {
+    const { config } = JSON.parse(fs.readFileSync(EN_LOCALE, 'utf8'));
+    const tabs = ['general', 'entities', 'functions', 'files', 'settings', 'all'];
+    for (const tab of tabs) {
+      assert.ok(tab in config.tabs,         `config.tabs.${tab} is missing`);
+      assert.ok(tab in config.descriptions, `config.descriptions.${tab} is missing`);
+    }
+  });
+
+  it('all string values in the locale are non-empty strings', () => {
+    const locale = JSON.parse(fs.readFileSync(EN_LOCALE, 'utf8'));
+    function check(obj, path) {
+      for (const [k, v] of Object.entries(obj)) {
+        const cur = `${path}.${k}`;
+        if (typeof v === 'string') {
+          assert.ok(v.length > 0, `Empty string at ${cur}`);
+        } else if (typeof v === 'object' && v !== null) {
+          check(v, cur);
+        }
+      }
+    }
+    check(locale, 'locale');
+  });
+});
+
+// ── Integration tests for GET /admin/i18n/:lang route ─────────────────────────
+// These tests build the Express app with a minimal config and hit the route.
+
+const http     = require('http');
+const os       = require('os');
+const { buildApp } = require('../server/express-server');
+
+/** Fire a GET request and collect the full response body. */
+function get(port, path) {
+  return new Promise((resolve, reject) => {
+    const req = http.request({ hostname: '127.0.0.1', port, path, method: 'GET' }, (res) => {
+      let body = '';
+      res.on('data', chunk => { body += chunk; });
+      res.on('end', () => resolve({ status: res.statusCode, headers: res.headers, body }));
+    });
+    req.on('error', reject);
+    req.end();
+  });
+}
+
+describe('i18n – GET /admin/i18n/:lang route', () => {
+  let server, port;
+
+  before(async () => {
+    // Write a minimal config YAML to a temp file so buildApp has something to load
+    const tmp   = path.join(os.tmpdir(), `cs-i18n-test-${Date.now()}.yaml`);
+    const yaml  = `name: i18nTest\nport: 0\nentities:\n  Post:\n    properties:\n      - title\n`;
+    fs.writeFileSync(tmp, yaml);
+
+    const { app } = await buildApp(tmp, null);
+    server = http.createServer(app);
+    await new Promise(r => server.listen(0, '127.0.0.1', r));
+    port = server.address().port;
+  });
+
+  after(done => server.close(done));
+
+  it('returns 200 and JSON for the English locale', async () => {
+    const { status, headers, body } = await get(port, '/admin/i18n/en');
+    assert.strictEqual(status, 200);
+    assert.ok(headers['content-type'].includes('application/json'), 'Expected JSON content-type');
+    const locale = JSON.parse(body);
+    assert.strictEqual(typeof locale, 'object');
+    assert.ok('login' in locale);
+    assert.ok('table' in locale);
+  });
+
+  it('falls back to English for an unknown language', async () => {
+    const { status, body } = await get(port, '/admin/i18n/xx');
+    assert.strictEqual(status, 200);
+    const locale = JSON.parse(body);
+    assert.ok('login' in locale, 'Fallback locale should contain login section');
+  });
+
+  it('returns 404 when no locale is found and English is missing', async () => {
+    // We can verify this indirectly: requesting a non-existent but valid-format lang
+    // should still return 200 (falls back to English).  Only when English is also
+    // absent would it return 404, which we cannot easily replicate without mocking fs.
+    // Instead, confirm that an unreachable language gracefully returns the EN fallback.
+    const { status } = await get(port, '/admin/i18n/zz');
+    assert.strictEqual(status, 200);
+  });
+
+  it('rejects invalid lang params (path traversal characters) and falls back to English', async () => {
+    // Dots and slashes are not valid in lang codes; loadLocale() rejects them via
+    // the /^[a-z]{2,3}$/ regex and falls back to English. Test a percent-encoded dot
+    // sequence that the route param might receive.
+    const { status, body } = await get(port, '/admin/i18n/..%2Fetc');
+    // Express will decode %2F to / which splits the route — expect 404 from Express router
+    // OR the route matches and loadLocale safely falls back to English (200).
+    assert.ok(status === 200 || status === 404, `Unexpected status ${status}`);
+    if (status === 200) {
+      const locale = JSON.parse(body);
+      assert.ok('login' in locale, 'Fallback locale must be the English locale');
+    }
+  });
+
+  it('strips invalid characters from lang codes before file lookup', async () => {
+    // A lang param like "en!!" would be sanitised to "en" by parseLang/loadLocale.
+    // Express will reject chars like "!" at the router level, so just verify "en" works.
+    const { status } = await get(port, '/admin/i18n/en');
+    assert.strictEqual(status, 200);
+  });
+});

package/test/middleware.test.js

@@ -0,0 +1,76 @@
+'use strict';
+
+const assert = require('assert');
+const path = require('path');
+const fs = require('fs');
+const os = require('os');
+const http = require('http');
+const express = require('express');
+const { buildCore } = require('../core/entity-engine');
+const dbModule = require('../core/db');
+const { registerApiRoutes } = require('../core/api-generator');
+const { signToken } = require('../core/auth');
+
+describe('runMiddlewares – SDK injection', () => {
+  let testServer, port, functionsDir, tmp;
+  const mwCore = buildCore({
+    name: 'MwTest',
+    entities: {
+      Item: {
+        properties: ['name'],
+        middlewares: { beforeCreate: [{ function: 'testMwFunction' }] },
+      },
+    },
+  });
+
+  before(async () => {
+    tmp = path.join(os.tmpdir(), `chadstart-mw-${Date.now()}.db`);
+    dbModule.initDb(mwCore, tmp);
+
+    functionsDir = path.join(os.tmpdir(), `chadstart-functions-${Date.now()}`);
+    fs.mkdirSync(functionsDir, { recursive: true });
+    const functionPath = path.join(functionsDir, 'testMwFunction.js');
+    fs.writeFileSync(functionPath, `
+      module.exports = async (req, res, chadstart) => {
+        req.app._lastSdkArg = chadstart;
+      };
+    `);
+
+    process.env.CHADSTART_FUNCTIONS_FOLDER = functionsDir;
+    delete require.cache[require.resolve(functionPath)];
+
+    const testApp = express();
+    testApp.use(express.json());
+    registerApiRoutes(testApp, mwCore, () => {});
+    testApp.get('/_inspect', (req, res) => res.json({ hasSdk: req.app._lastSdkArg != null }));
+
+    testServer = http.createServer(testApp);
+    await new Promise((resolve) => testServer.listen(0, resolve));
+    port = testServer.address().port;
+  });
+
+  after(async () => {
+    await new Promise((resolve) => testServer.close(resolve));
+    delete process.env.CHADSTART_FUNCTIONS_FOLDER;
+    fs.rmSync(functionsDir, { recursive: true, force: true });
+    fs.unlinkSync(tmp);
+  });
+
+  it('middleware function receives (req, res, chadstart) – sdk is passed', async () => {
+    const res = await fetch(`http://127.0.0.1:${port}/api/collections/item`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${signToken({ id: 'a1', entity: 'Admin' })}` },
+      body: JSON.stringify({ name: 'Widget' }),
+    });
+    assert.strictEqual(res.status, 201);
+    const data = await res.json();
+    assert.strictEqual(data.name, 'Widget');
+
+    const inspect = await fetch(`http://127.0.0.1:${port}/_inspect`).then((r) => r.json());
+    assert.strictEqual(inspect.hasSdk, true, 'chadstart SDK should be passed to middleware functions');
+  });
+
+  it('CHADSTART_FUNCTIONS_FOLDER env var is used by middleware runner', () => {
+    assert.strictEqual(process.env.CHADSTART_FUNCTIONS_FOLDER, functionsDir);
+  });
+});

package/test/openapi.test.js

@@ -0,0 +1,67 @@
+'use strict';
+
+const assert = require('assert');
+const { buildCore } = require('../core/entity-engine');
+const { generateOpenApiSpec } = require('../core/openapi');
+
+describe('openapi', () => {
+  it('generates valid spec', () => {
+    const spec = generateOpenApiSpec(buildCore({ name: 'Blog', entities: { Post: { properties: ['title'] } } }));
+    assert.strictEqual(spec.openapi, '3.0.0');
+    assert.ok(spec.paths['/api/collections/post']);
+    assert.ok(spec.paths['/api/collections/post/{id}']);
+  });
+
+  it('includes file bucket paths', () => {
+    const spec = generateOpenApiSpec(buildCore({ name: 'App', files: { uploads: { path: '/tmp/uploads' } } }));
+    assert.ok(spec.paths['/files/uploads']);
+  });
+
+  it('includes auth paths for authenticable entities', () => {
+    const spec = generateOpenApiSpec(buildCore({ name: 'App', entities: { Admin: { authenticable: true, properties: ['name'] } } }));
+    assert.ok(spec.paths['/api/auth/admin/signup']);
+    assert.ok(spec.paths['/api/auth/admin/login']);
+    assert.ok(spec.paths['/api/auth/admin/me']);
+  });
+
+  it('security on restricted entity', () => {
+    const spec = generateOpenApiSpec(buildCore({ name: 'App', entities: { Post: { properties: ['t'], policies: { read: [{ access: 'public' }], create: [{ access: 'restricted' }] } } } }));
+    assert.ok(!spec.paths['/api/collections/post'].get.security);
+    assert.ok(spec.paths['/api/collections/post'].post.security);
+  });
+
+  it('single entity uses /api/singles/ path', () => {
+    const spec = generateOpenApiSpec(buildCore({ name: 'App', entities: { Home: { single: true, properties: ['title'] } } }));
+    assert.ok(spec.paths['/api/singles/home']);
+    assert.ok(spec.paths['/api/singles/home'].put, 'PUT should exist for singles');
+  });
+
+  it('collection spec includes PUT endpoint', () => {
+    const spec = generateOpenApiSpec(buildCore({ name: 'App', entities: { Post: { properties: ['t'] } } }));
+    assert.ok(spec.paths['/api/collections/post/{id}'].put, 'PUT should exist for collections');
+  });
+
+  it('openapi includes pagination params', () => {
+    const spec = generateOpenApiSpec(buildCore({ name: 'App', entities: { Post: { properties: ['t'] } } }));
+    const params = spec.paths['/api/collections/post'].get.parameters;
+    assert.ok(params.some((p) => p.name === 'page'));
+    assert.ok(params.some((p) => p.name === 'perPage'));
+    assert.ok(params.some((p) => p.name === 'orderBy'));
+    assert.ok(params.some((p) => p.name === 'relations'));
+  });
+
+  it('openapi hides hidden properties', () => {
+    const spec = generateOpenApiSpec(buildCore({ name: 'App', entities: { Post: { properties: ['title', { name: 'secret', type: 'string', hidden: true }] } } }));
+    const schema = spec.components.schemas.Post;
+    assert.ok(schema.properties.title);
+    assert.ok(!schema.properties.secret, 'hidden prop should not be in schema');
+  });
+
+  it('openapi entity schema has UUID id and timestamps', () => {
+    const spec = generateOpenApiSpec(buildCore({ name: 'App', entities: { Post: { properties: ['t'] } } }));
+    const schema = spec.components.schemas.Post;
+    assert.strictEqual(schema.properties.id.format, 'uuid');
+    assert.ok(schema.properties.createdAt);
+    assert.ok(schema.properties.updatedAt);
+  });
+});

package/test/schema-validator.test.js

@@ -0,0 +1,83 @@
+'use strict';
+
+const assert = require('assert');
+const path = require('path');
+const fs = require('fs');
+
+describe('schema-validator', () => {
+  const { validateSchema } = require('../core/schema-validator');
+
+  it('accepts valid minimal config', () => assert.strictEqual(validateSchema({ name: 'Test' }), true));
+  it('rejects missing name', () => assert.throws(() => validateSchema({}), /name/i));
+  it('rejects non-string name', () => assert.throws(() => validateSchema({ name: 42 }), /must be string/i));
+  it('accepts entities map', () => assert.strictEqual(validateSchema({ name: 'App', entities: { Post: { properties: ['title'] } } }), true));
+  it('rejects entities as array', () => assert.throws(() => validateSchema({ name: 'App', entities: [] }), /must be object/i));
+  it('rejects unknown property type', () => {
+    assert.throws(() => validateSchema({ name: 'App', entities: { Post: { properties: [{ name: 'x', type: 'banana' }] } } }));
+  });
+  it('accepts authenticable entity', () => assert.strictEqual(validateSchema({ name: 'App', entities: { Admin: { authenticable: true, properties: ['name'] } } }), true));
+  it('rejects authenticable as non-boolean', () => assert.throws(() => validateSchema({ name: 'App', entities: { Admin: { authenticable: 'yes' } } })));
+  it('accepts policies', () => assert.strictEqual(validateSchema({ name: 'App', entities: { Post: { properties: ['title'], policies: { read: [{ access: 'public' }], create: [{ access: 'restricted', allow: 'Admin' }] } } } }), true));
+  it('rejects unknown policy rule', () => assert.throws(() => validateSchema({ name: 'App', entities: { Post: { policies: { unknown: [{ access: 'public' }] } } } })));
+  it('accepts validation rules', () => assert.strictEqual(validateSchema({ name: 'App', entities: { Post: { properties: ['title'], validation: { title: { required: true } } } } }), true));
+  it('accepts hooks', () => assert.strictEqual(validateSchema({ name: 'App', entities: { Post: { hooks: { beforeCreate: [{ url: 'https://example.com' }] } } } }), true));
+  it('accepts middlewares', () => assert.strictEqual(validateSchema({ name: 'App', entities: { Post: { middlewares: { afterCreate: [{ function: 'sendEmail' }] } } } }), true));
+  it('accepts belongsToMany', () => assert.strictEqual(validateSchema({ name: 'App', entities: { Player: { properties: ['name'], belongsToMany: ['Skill'] }, Skill: { properties: ['name'] } } }), true));
+  it('accepts single entity', () => assert.strictEqual(validateSchema({ name: 'App', entities: { Home: { single: true, properties: ['title'] } } }), true));
+  it('rejects function missing function field', () => assert.throws(() => validateSchema({ name: 'App', functions: { bad: { triggers: [{ type: 'http', method: 'GET', path: '/bad' }] } } })));
+  it('rejects deprecated endpoints key', () => assert.throws(() => validateSchema({ name: 'App', endpoints: { hello: { path: '/hello', method: 'GET', function: 'hello.js' } } })));
+  it('accepts new-format function with triggers', () => assert.strictEqual(validateSchema({ name: 'App', functions: { hello: { runtime: 'js', function: 'hello.js', triggers: [{ type: 'http', method: 'GET', path: '/hello' }] } } }), true));
+  it('rejects old-format function with path+method (no triggers)', () => assert.throws(() => validateSchema({ name: 'App', functions: { hello: { path: '/hello', method: 'GET', function: 'hello.js' } } })));
+  it('accepts function with cron trigger and predefined schedule', () => assert.strictEqual(validateSchema({ name: 'App', functions: { daily: { function: 'daily.js', triggers: [{ type: 'cron', schedule: '@daily' }] } } }), true));
+  it('accepts function with event trigger', () => assert.strictEqual(validateSchema({ name: 'App', functions: { onEvt: { function: 'onEvt.js', triggers: [{ type: 'event', name: 'user.created' }] } } }), true));
+  it('accepts python runtime function', () => assert.strictEqual(validateSchema({ name: 'App', functions: { fn: { runtime: 'python', function: 'fn.py', triggers: [{ type: 'http', method: 'POST', path: '/fn' }] } } }), true));
+  it('rejects unknown runtime', () => assert.throws(() => validateSchema({ name: 'App', functions: { fn: { runtime: 'deno', function: 'fn.js', triggers: [{ type: 'http', method: 'GET', path: '/fn' }] } } })));
+  it('accepts http trigger with public policy', () => assert.strictEqual(validateSchema({ name: 'App', functions: { fn: { function: 'fn.js', triggers: [{ type: 'http', method: 'GET', path: '/fn', policies: [{ access: 'public' }] }] } } }), true));
+  it('accepts http trigger with restricted policy and allow', () => assert.strictEqual(validateSchema({ name: 'App', functions: { fn: { function: 'fn.js', triggers: [{ type: 'http', method: 'GET', path: '/fn', policies: [{ access: 'restricted', allow: 'Admin' }] }] } } }), true));
+  it('accepts http trigger with admin policy', () => assert.strictEqual(validateSchema({ name: 'App', functions: { fn: { function: 'fn.js', triggers: [{ type: 'http', method: 'GET', path: '/fn', policies: [{ access: 'admin' }] }] } } }), true));
+  it('accepts http trigger with forbidden policy', () => assert.strictEqual(validateSchema({ name: 'App', functions: { fn: { function: 'fn.js', triggers: [{ type: 'http', method: 'GET', path: '/fn', policies: [{ access: 'forbidden' }] }] } } }), true));
+  it('accepts groups', () => assert.strictEqual(validateSchema({ name: 'App', groups: { T: { properties: [{ name: 'author', type: 'string' }] } } }), true));
+  it('rejects invalid file bucket', () => assert.throws(() => validateSchema({ name: 'App', files: { uploads: {} } }), /path/i));
+  it('rejects invalid plugin', () => assert.throws(() => validateSchema({ name: 'App', plugins: [{ name: 'bad' }] })));
+  it('accepts emoji access', () => assert.strictEqual(validateSchema({ name: 'App', entities: { Post: { policies: { read: [{ access: '🌐' }] } } } }), true));
+  it('rejects unknown top-level key', () => assert.throws(() => validateSchema({ name: 'App', userCollections: { Admin: {} } })));
+  it('error message names the unknown top-level property', () => {
+    try { validateSchema({ name: 'App', settings: {} }); assert.fail('should throw'); }
+    catch (e) { assert.match(e.message, /unknown property 'settings'/); }
+  });
+  it('error message names the unknown nested property', () => {
+    try { validateSchema({ name: 'App', telemetry: { enabled: true, secret: 'x' } }); assert.fail('should throw'); }
+    catch (e) { assert.match(e.message, /unknown property 'secret'/); }
+  });
+  it('error message lists allowed enum values on type violation', () => {
+    try { validateSchema({ name: 'App', entities: { U: { properties: [{ name: 'a', type: 'badtype' }] } } }); assert.fail('should throw'); }
+    catch (e) { assert.match(e.message, /string, text/); }
+  });
+  it('suppresses redundant oneOf noise from error message', () => {
+    try { validateSchema({ name: 'App', entities: { U: { properties: [{ name: 'a', type: 'badtype' }] } } }); assert.fail('should throw'); }
+    catch (e) { assert.doesNotMatch(e.message, /oneOf/); }
+  });
+  it('accepts sentry config with environment and tracesSampleRate', () => assert.strictEqual(validateSchema({ name: 'App', sentry: { environment: 'production', tracesSampleRate: 0.5 } }), true));
+  it('accepts sentry config with debug flag', () => assert.strictEqual(validateSchema({ name: 'App', sentry: { debug: true } }), true));
+  it('rejects sentry tracesSampleRate greater than 1', () => assert.throws(() => validateSchema({ name: 'App', sentry: { tracesSampleRate: 2 } })));
+  it('rejects sentry tracesSampleRate less than 0', () => assert.throws(() => validateSchema({ name: 'App', sentry: { tracesSampleRate: -0.1 } })));
+  it('rejects sentry config with unknown key (dsn not allowed in yaml)', () => assert.throws(() => validateSchema({ name: 'App', sentry: { dsn: 'https://x@sentry.io/1' } })));
+});
+
+describe('json-schema', () => {
+  const { validateSchema } = require('../core/schema-validator');
+  const { loadYaml } = require('../core/yaml-loader');
+
+  it('chadstart.schema.json is valid JSON', () => {
+    const schema = JSON.parse(fs.readFileSync(path.resolve(__dirname, '..', 'chadstart.schema.json'), 'utf8'));
+    assert.strictEqual(schema.$schema, 'http://json-schema.org/draft-07/schema#');
+    assert.ok(schema.properties.entities);
+    assert.ok(schema.$defs.entity);
+    assert.ok(schema.$defs.policies);
+  });
+
+  it('schema file can validate the example config', () => {
+    const config = loadYaml(path.resolve(__dirname, '..', 'chadstart.yaml'));
+    assert.strictEqual(validateSchema(config), true);
+  });
+});

package/test/sdk.test.js

@@ -0,0 +1,90 @@
+'use strict';
+
+const assert = require('assert');
+const path = require('path');
+const fs = require('fs');
+const os = require('os');
+const { buildCore } = require('../core/entity-engine');
+const dbModule = require('../core/db');
+const { createBackendSdk } = require('../core/api-generator');
+
+describe('createBackendSdk', () => {
+  let tmp, sdk;
+  const sdkCore = buildCore({
+    name: 'SdkTest',
+    entities: {
+      Book: { properties: ['title', 'author'] },
+      Config: { single: true, properties: ['value'] },
+    },
+  });
+
+  before(() => {
+    tmp = path.join(os.tmpdir(), `chadstart-sdk-${Date.now()}.db`);
+    dbModule.initDb(sdkCore, tmp);
+    dbModule.create('config', { value: 'initial' });
+    sdk = createBackendSdk(sdkCore);
+  });
+
+  after(() => { fs.unlinkSync(tmp); });
+
+  it('from() returns CRUD interface', () => {
+    const iface = sdk.from('book');
+    assert.strictEqual(typeof iface.find, 'function');
+    assert.strictEqual(typeof iface.findOneById, 'function');
+    assert.strictEqual(typeof iface.create, 'function');
+    assert.strictEqual(typeof iface.update, 'function');
+    assert.strictEqual(typeof iface.patch, 'function');
+    assert.strictEqual(typeof iface.delete, 'function');
+  });
+
+  it('from().create and findOneById work', () => {
+    const book = sdk.from('book').create({ title: 'Dune', author: 'Herbert' });
+    assert.strictEqual(book.title, 'Dune');
+    const found = sdk.from('book').findOneById(book.id);
+    assert.strictEqual(found.author, 'Herbert');
+  });
+
+  it('from().find returns paginated result', () => {
+    const result = sdk.from('book').find();
+    assert.ok(Array.isArray(result.data));
+    assert.ok(typeof result.total === 'number');
+  });
+
+  it('from().patch updates a field', () => {
+    const book = sdk.from('book').create({ title: 'Old Title', author: 'Author' });
+    const updated = sdk.from('book').patch(book.id, { title: 'New Title' });
+    assert.strictEqual(updated.title, 'New Title');
+    assert.strictEqual(updated.author, 'Author');
+  });
+
+  it('from().delete removes a record', () => {
+    const book = sdk.from('book').create({ title: 'To Delete', author: 'X' });
+    sdk.from('book').delete(book.id);
+    assert.strictEqual(sdk.from('book').findOneById(book.id), null);
+  });
+
+  it('from() throws for unknown slug', () => {
+    assert.throws(() => sdk.from('nonexistent'), /Entity not found/);
+  });
+
+  it('single() returns get/update/patch interface', () => {
+    const iface = sdk.single('config');
+    assert.strictEqual(typeof iface.get, 'function');
+    assert.strictEqual(typeof iface.update, 'function');
+    assert.strictEqual(typeof iface.patch, 'function');
+  });
+
+  it('single().get retrieves the record', () => {
+    const record = sdk.single('config').get();
+    assert.strictEqual(record.value, 'initial');
+  });
+
+  it('single().patch updates a field', () => {
+    const updated = sdk.single('config').patch({ value: 'changed' });
+    assert.strictEqual(updated.value, 'changed');
+  });
+
+  it('single() throws for unknown slug', () => {
+    assert.throws(() => sdk.single('nonexistent'), /Single entity not found/);
+  });
+});