chadstart 1.0.0

package/test/seeder.test.js

@@ -0,0 +1,279 @@
+'use strict';
+
+const assert = require('assert');
+const path = require('path');
+const fs = require('fs');
+const os = require('os');
+const bcrypt = require('bcryptjs');
+const { buildCore } = require('../core/entity-engine');
+const dbModule = require('../core/db');
+const { seedAll, ADMIN_EMAIL, ADMIN_PASSWORD } = require('../core/seeder');
+
+describe('seeder', () => {
+  let seedDbPath;
+  let firstSeedResult;
+  const seedCore = buildCore({
+    name: 'SeedTest',
+    entities: {
+      Author: {
+        authenticable: true,
+        properties: ['name'],
+        seedCount: 3,
+      },
+      Article: {
+        properties: [
+          { name: 'title', type: 'string' },
+          { name: 'body', type: 'text' },
+          { name: 'views', type: 'integer' },
+          { name: 'published', type: 'boolean' },
+        ],
+        belongsTo: ['Author'],
+        seedCount: 5,
+      },
+    },
+  });
+
+  before(async () => {
+    seedDbPath = path.join(os.tmpdir(), `chadstart-seed-${Date.now()}.db`);
+    dbModule.initDb(seedCore, seedDbPath);
+    firstSeedResult = await seedAll(seedCore);
+  });
+
+  after(() => { fs.unlinkSync(seedDbPath); });
+
+  it('seedAll returns correct counts', () => {
+    assert.strictEqual(firstSeedResult.summary.Author, 3);
+    assert.strictEqual(firstSeedResult.summary.Article, 5);
+  });
+
+  it('seedAll inserts rows into the database', () => {
+    const authors = dbModule.findAll('author', {}, { perPage: 100 });
+    assert.ok(authors.total >= 3);
+    const articles = dbModule.findAll('article', {}, { perPage: 100 });
+    assert.ok(articles.total >= 5);
+  });
+
+  it('seedAll creates authenticable records with email field', () => {
+    const authors = dbModule.findAll('author', {}, { perPage: 100 });
+    for (const a of authors.data) {
+      assert.ok(typeof a.email === 'string' && a.email.includes('@'));
+      assert.ok(typeof a.password === 'string' && a.password.length > 0);
+    }
+  });
+
+  it('seedAll links belongsTo FK to a seeded parent', () => {
+    const articles = dbModule.findAll('article', {}, { perPage: 100 });
+    for (const art of articles.data) {
+      assert.ok(art.author_id !== null && art.author_id !== undefined);
+    }
+  });
+
+  it('seedAll respects default seedCount of 50', async () => {
+    const defaultCore = buildCore({
+      name: 'DefaultSeed',
+      entities: { Tag: { properties: ['label'] } },
+    });
+    const defaultDbPath = path.join(os.tmpdir(), `chadstart-seed-default-${Date.now()}.db`);
+    dbModule.initDb(defaultCore, defaultDbPath);
+    const result = await seedAll(defaultCore);
+    assert.strictEqual(result.summary.Tag, 50);
+    fs.unlinkSync(defaultDbPath);
+    // Restore the original seedCore DB for subsequent tests in this describe block
+    dbModule.initDb(seedCore, seedDbPath);
+  });
+
+  it('seedAll creates admin@chadstart.com in authenticable entities', () => {
+    assert.ok(firstSeedResult.adminEntities.includes('Author'));
+    assert.strictEqual(firstSeedResult.adminEmail, ADMIN_EMAIL);
+    assert.strictEqual(firstSeedResult.adminPassword, ADMIN_PASSWORD);
+  });
+
+  it('seedAll creates admin user with correct email in the database', () => {
+    dbModule.initDb(seedCore, seedDbPath);
+    const admins = dbModule.findAllSimple('author', { email: ADMIN_EMAIL });
+    assert.strictEqual(admins.length, 1);
+    assert.strictEqual(admins[0].email, ADMIN_EMAIL);
+  });
+
+  it('seedAll creates admin user in a fresh database', async () => {
+    const freshCore = buildCore({
+      name: 'FreshAdminTest',
+      entities: {
+        User: {
+          authenticable: true,
+          properties: ['name'],
+          seedCount: 2,
+        },
+      },
+    });
+    const freshDbPath = path.join(os.tmpdir(), `chadstart-seed-admin-${Date.now()}.db`);
+    dbModule.initDb(freshCore, freshDbPath);
+    const result = await seedAll(freshCore);
+    assert.ok(result.adminEntities.includes('User'));
+    const admins = dbModule.findAllSimple('user', { email: ADMIN_EMAIL });
+    assert.strictEqual(admins.length, 1);
+    assert.strictEqual(admins[0].email, ADMIN_EMAIL);
+    fs.unlinkSync(freshDbPath);
+  });
+
+  it('seedAll does not create duplicate admin user when one already exists', async () => {
+    const dupCore = buildCore({
+      name: 'DupAdminTest',
+      admin: { enable_entity: false },
+      entities: {
+        Member: {
+          authenticable: true,
+          properties: ['name'],
+          seedCount: 2,
+        },
+      },
+    });
+    const dupDbPath = path.join(os.tmpdir(), `chadstart-seed-dup-${Date.now()}.db`);
+    dbModule.initDb(dupCore, dupDbPath);
+    // Manually create the admin user before seeding
+    dbModule.create('member', {
+      email: ADMIN_EMAIL,
+      password: bcrypt.hashSync(ADMIN_PASSWORD, 10),
+      name: 'pre-existing admin',
+    });
+    // seedAll should not create a duplicate
+    const result = await seedAll(dupCore);
+    assert.strictEqual(result.adminEntities.length, 0);
+    const admins = dbModule.findAllSimple('member', { email: ADMIN_EMAIL });
+    assert.strictEqual(admins.length, 1);
+    fs.unlinkSync(dupDbPath);
+  });
+});
+
+describe('seeder – property types', () => {
+  let tmp;
+  const core = buildCore({
+    name: 'TypeTest',
+    entities: {
+      Sample: {
+        properties: [
+          { name: 'myText',      type: 'text' },
+          { name: 'myRichText',  type: 'richText' },
+          { name: 'myInt',       type: 'integer' },
+          { name: 'myFloat',     type: 'float' },
+          { name: 'myReal',      type: 'real' },
+          { name: 'myMoney',     type: 'money' },
+          { name: 'myBool',      type: 'boolean' },
+          { name: 'myDate',      type: 'date' },
+          { name: 'myTimestamp', type: 'timestamp' },
+          { name: 'myEmail',     type: 'email' },
+          { name: 'myLink',      type: 'link' },
+          { name: 'myPass',      type: 'password' },
+          { name: 'myChoice',    type: 'choice' },
+          { name: 'myLocation',  type: 'location' },
+          { name: 'myFile',      type: 'file' },
+          { name: 'myImage',     type: 'image' },
+          { name: 'myJson',      type: 'json' },
+          { name: 'myUnknown',   type: 'custom_unknown' },
+          { name: 'myOption',    type: 'string', options: ['a', 'b', 'c'] },
+        ],
+        seedCount: 3,
+      },
+    },
+  });
+
+  before(() => {
+    tmp = path.join(os.tmpdir(), `chadstart-seedtypes-${Date.now()}.db`);
+    dbModule.initDb(core, tmp);
+  });
+
+  after(() => { fs.unlinkSync(tmp); });
+
+  it('seedAll generates values for every property type', async () => {
+    const result = await seedAll(core);
+    assert.strictEqual(result.summary.Sample, 3);
+    const rows = dbModule.findAll('sample', {}, { perPage: 100 });
+    assert.strictEqual(rows.total, 3);
+    const r = rows.data[0];
+    assert.ok(typeof r.myText === 'string' && r.myText.length > 0);
+    assert.ok(typeof r.myRichText === 'string');
+    assert.ok(typeof r.myInt === 'number');
+    assert.ok(typeof r.myFloat === 'number');
+    assert.ok(typeof r.myReal === 'number');
+    assert.ok(typeof r.myMoney === 'number');
+    assert.ok(r.myBool === 0 || r.myBool === 1);
+    assert.ok(typeof r.myDate === 'string' && r.myDate.length === 10);
+    assert.ok(typeof r.myTimestamp === 'string');
+    assert.ok(r.myEmail.includes('@'));
+    assert.ok(r.myLink.startsWith('https://'));
+    assert.ok(typeof r.myPass === 'string' && r.myPass.length > 0);
+    assert.ok(typeof r.myChoice === 'string');
+    assert.ok(r.myLocation.includes(','));
+    assert.ok(r.myFile.startsWith('/uploads/'));
+    assert.ok(r.myImage.startsWith('/uploads/'));
+    assert.doesNotThrow(() => JSON.parse(r.myJson));
+    assert.ok(typeof r.myUnknown === 'string');
+    assert.ok(['a', 'b', 'c'].includes(r.myOption));
+  });
+
+  it('seedAll seeds a single entity exactly once', async () => {
+    const singleCore = buildCore({
+      name: 'SingleTest',
+      entities: { Config: { single: true, properties: ['key', 'value'] } },
+    });
+    const singleTmp = path.join(os.tmpdir(), `chadstart-seedsingle-${Date.now()}.db`);
+    dbModule.initDb(singleCore, singleTmp);
+    const result = await seedAll(singleCore);
+    assert.strictEqual(result.summary.Config, 1);
+    fs.unlinkSync(singleTmp);
+  });
+});
+
+describe('seeder – authenticable entities with explicit email/password properties', () => {
+  let tmp;
+  const core = buildCore({
+    name: 'AuthPropTest',
+    entities: {
+      Customer: {
+        authenticable: true,
+        // email and password explicitly listed — seeder should handle these correctly
+        properties: [
+          { name: 'email', type: 'email' },
+          { name: 'password', type: 'password' },
+          { name: 'name', type: 'string' },
+        ],
+        seedCount: 3,
+      },
+    },
+  });
+
+  before(() => {
+    tmp = path.join(os.tmpdir(), `chadstart-authprop-${Date.now()}.db`);
+    dbModule.initDb(core, tmp);
+  });
+
+  after(() => { fs.unlinkSync(tmp); });
+
+  it('initDb does not fail with duplicate email/password columns', () => {
+    // The DB was already initialised in before() — if we get here, no duplicate column error
+    const cols = dbModule.getDb().pragma('table_info("customer")').map((r) => r.name);
+    assert.ok(cols.includes('email'));
+    assert.ok(cols.includes('password'));
+    assert.ok(cols.includes('name'));
+    // email should appear exactly once
+    assert.strictEqual(cols.filter((c) => c === 'email').length, 1);
+    assert.strictEqual(cols.filter((c) => c === 'password').length, 1);
+  });
+
+  it('seedAll succeeds and creates records with valid email addresses', async () => {
+    const result = await seedAll(core);
+    assert.strictEqual(result.summary.Customer, 3);
+    const rows = dbModule.findAll('customer', {}, { perPage: 100 });
+    assert.ok(rows.total >= 3);
+    for (const r of rows.data) {
+      assert.ok(typeof r.email === 'string' && r.email.includes('@'), `email should contain @, got: ${r.email}`);
+      assert.ok(typeof r.password === 'string' && r.password.length > 0);
+    }
+  });
+
+  it('seedAll creates admin user with correct email when entity has explicit email property', async () => {
+    const admins = dbModule.findAllSimple('customer', { email: ADMIN_EMAIL });
+    assert.strictEqual(admins.length, 1);
+    assert.strictEqual(admins[0].email, ADMIN_EMAIL);
+  });
+});

package/test/settings.test.js

@@ -0,0 +1,109 @@
+'use strict';
+
+const assert = require('assert');
+const { buildCore } = require('../core/entity-engine');
+const { validateSchema } = require('../core/schema-validator');
+const { buildApiLimiters } = require('../server/express-server');
+
+describe('rateLimits', () => {
+  it('schema accepts top-level rateLimits', () => {
+    assert.strictEqual(validateSchema({
+      name: 'App',
+      rateLimits: [
+        { name: 'short',  limit: 2,  ttl: 1000 },
+        { name: 'medium', limit: 50, ttl: 60000 },
+      ],
+    }), true);
+  });
+
+  it('schema rejects rateLimit missing required name', () => {
+    assert.throws(() => validateSchema({ name: 'App', rateLimits: [{ limit: 2, ttl: 1000 }] }));
+  });
+
+  it('schema rejects rateLimit missing required limit', () => {
+    assert.throws(() => validateSchema({ name: 'App', rateLimits: [{ name: 'short', ttl: 1000 }] }));
+  });
+
+  it('schema rejects rateLimit missing required ttl', () => {
+    assert.throws(() => validateSchema({ name: 'App', rateLimits: [{ name: 'short', limit: 2 }] }));
+  });
+
+  it('schema rejects unknown top-level key', () => {
+    assert.throws(() => validateSchema({ name: 'App', unknownKey: true }));
+  });
+
+  it('schema rejects settings property (removed)', () => {
+    assert.throws(() => validateSchema({ name: 'App', settings: { rateLimits: [] } }));
+  });
+
+  it('buildCore exposes top-level rateLimits', () => {
+    const core = buildCore({
+      name: 'App',
+      rateLimits: [
+        { name: 'short',  limit: 2,  ttl: 1000 },
+        { name: 'medium', limit: 50, ttl: 60000 },
+      ],
+    });
+    assert.ok(core.rateLimits);
+    assert.strictEqual(core.rateLimits.length, 2);
+    assert.strictEqual(core.rateLimits[0].name,  'short');
+    assert.strictEqual(core.rateLimits[0].limit, 2);
+    assert.strictEqual(core.rateLimits[0].ttl,   1000);
+    assert.strictEqual(core.rateLimits[1].name,  'medium');
+  });
+
+  it('buildCore sets rateLimits to null when not provided', () => {
+    const core = buildCore({ name: 'App' });
+    assert.strictEqual(core.rateLimits, null);
+  });
+});
+
+describe('env vars', () => {
+  it('PORT env var sets server port', () => {
+    const saved = process.env.PORT;
+    process.env.PORT = '4242';
+    delete process.env.CHADSTART_PORT;
+    const core = buildCore({ name: 'App' });
+    if (saved === undefined) delete process.env.PORT; else process.env.PORT = saved;
+    assert.strictEqual(core.port, 4242);
+  });
+
+  it('CHADSTART_PORT takes precedence over PORT', () => {
+    const savedC = process.env.CHADSTART_PORT;
+    const savedP = process.env.PORT;
+    process.env.CHADSTART_PORT = '5555';
+    process.env.PORT = '6666';
+    const core = buildCore({ name: 'App' });
+    if (savedC === undefined) delete process.env.CHADSTART_PORT; else process.env.CHADSTART_PORT = savedC;
+    if (savedP === undefined) delete process.env.PORT; else process.env.PORT = savedP;
+    assert.strictEqual(core.port, 5555);
+  });
+});
+
+describe('buildApiLimiters', () => {
+  it('returns 1 default limiter when no rateLimits', () => {
+    const core = buildCore({ name: 'App' });
+    const limiters = buildApiLimiters(core);
+    assert.strictEqual(limiters.length, 1);
+    assert.strictEqual(typeof limiters[0], 'function');
+  });
+
+  it('returns one limiter per configured rateLimit entry', () => {
+    const core = buildCore({
+      name: 'App',
+      rateLimits: [
+        { name: 'short',  limit: 2,  ttl: 1000 },
+        { name: 'medium', limit: 50, ttl: 60000 },
+      ],
+    });
+    const limiters = buildApiLimiters(core);
+    assert.strictEqual(limiters.length, 2);
+    assert.ok(limiters.every((l) => typeof l === 'function'));
+  });
+
+  it('falls back to default when rateLimits is empty array', () => {
+    const core = buildCore({ name: 'App', rateLimits: [] });
+    const limiters = buildApiLimiters(core);
+    assert.strictEqual(limiters.length, 1);
+  });
+});

package/test/telemetry.test.js

@@ -0,0 +1,254 @@
+'use strict';
+
+const assert = require('assert');
+const { getTelemetryConfig, parseOtlpHeaders, shutdownTelemetry } = require('../core/telemetry');
+const { validateSchema } = require('../core/schema-validator');
+const { buildCore } = require('../core/entity-engine');
+
+// Helper: set/restore env vars around a test
+function withEnv(vars, fn) {
+  const saved = {};
+  for (const [k, v] of Object.entries(vars)) {
+    saved[k] = process.env[k];
+    if (v === undefined) delete process.env[k]; else process.env[k] = v;
+  }
+  try { return fn(); } finally {
+    for (const [k, v] of Object.entries(saved)) {
+      if (v === undefined) delete process.env[k]; else process.env[k] = v;
+    }
+  }
+}
+
+describe('parseOtlpHeaders', () => {
+  it('parses a single key=value pair', () => {
+    const h = parseOtlpHeaders('authorization=Bearer token123');
+    assert.strictEqual(h.authorization, 'Bearer token123');
+  });
+
+  it('parses multiple comma-separated pairs', () => {
+    const h = parseOtlpHeaders('x-api-key=secret,x-tenant=acme');
+    assert.strictEqual(h['x-api-key'], 'secret');
+    assert.strictEqual(h['x-tenant'], 'acme');
+  });
+
+  it('trims whitespace around keys and values', () => {
+    const h = parseOtlpHeaders(' x-key = myvalue ');
+    assert.strictEqual(h['x-key'], 'myvalue');
+  });
+
+  it('handles a value that contains = signs', () => {
+    const h = parseOtlpHeaders('authorization=Basic dXNlcjpwYXNz==');
+    assert.strictEqual(h.authorization, 'Basic dXNlcjpwYXNz==');
+  });
+
+  it('skips pairs without = separator', () => {
+    const h = parseOtlpHeaders('noequals,k=v');
+    assert.strictEqual(Object.keys(h).length, 1);
+    assert.strictEqual(h.k, 'v');
+  });
+
+  it('returns an empty object for an empty string', () => {
+    const h = parseOtlpHeaders('');
+    assert.deepStrictEqual(h, {});
+  });
+});
+
+describe('getTelemetryConfig – disabled', () => {
+  it('returns null when no env var and no yaml config', () => {
+    withEnv({ OTEL_ENABLED: undefined }, () => {
+      assert.strictEqual(getTelemetryConfig(null), null);
+    });
+  });
+
+  it('returns null when settings object has no telemetry key', () => {
+    withEnv({ OTEL_ENABLED: undefined }, () => {
+      assert.strictEqual(getTelemetryConfig({ rateLimits: [] }), null);
+    });
+  });
+
+  it('returns null when telemetry.enabled is explicitly false', () => {
+    withEnv({ OTEL_ENABLED: undefined }, () => {
+      assert.strictEqual(getTelemetryConfig({ telemetry: { enabled: false } }), null);
+    });
+  });
+
+  it('returns null when OTEL_ENABLED is set to a non-true value', () => {
+    withEnv({ OTEL_ENABLED: 'false' }, () => {
+      assert.strictEqual(getTelemetryConfig(null), null);
+    });
+  });
+});
+
+describe('getTelemetryConfig – enabled via env var', () => {
+  it('returns config when OTEL_ENABLED=true', () => {
+    withEnv({ OTEL_ENABLED: 'true', OTEL_SERVICE_NAME: undefined, OTEL_EXPORTER_OTLP_ENDPOINT: undefined, OTEL_EXPORTER_OTLP_HEADERS: undefined }, () => {
+      const cfg = getTelemetryConfig(null);
+      assert.ok(cfg);
+      assert.strictEqual(cfg.enabled, true);
+    });
+  });
+
+  it('uses default serviceName when none provided', () => {
+    withEnv({ OTEL_ENABLED: 'true', OTEL_SERVICE_NAME: undefined, OTEL_EXPORTER_OTLP_ENDPOINT: undefined, OTEL_EXPORTER_OTLP_HEADERS: undefined }, () => {
+      const cfg = getTelemetryConfig(null);
+      assert.strictEqual(cfg.serviceName, 'chadstart-app');
+    });
+  });
+
+  it('uses default endpoint when none provided', () => {
+    withEnv({ OTEL_ENABLED: 'true', OTEL_SERVICE_NAME: undefined, OTEL_EXPORTER_OTLP_ENDPOINT: undefined, OTEL_EXPORTER_OTLP_HEADERS: undefined }, () => {
+      const cfg = getTelemetryConfig(null);
+      assert.strictEqual(cfg.endpoint, 'http://localhost:4318');
+    });
+  });
+
+  it('reads serviceName from OTEL_SERVICE_NAME env var', () => {
+    withEnv({ OTEL_ENABLED: 'true', OTEL_SERVICE_NAME: 'env-service', OTEL_EXPORTER_OTLP_ENDPOINT: undefined, OTEL_EXPORTER_OTLP_HEADERS: undefined }, () => {
+      const cfg = getTelemetryConfig(null);
+      assert.strictEqual(cfg.serviceName, 'env-service');
+    });
+  });
+
+  it('reads endpoint from OTEL_EXPORTER_OTLP_ENDPOINT env var', () => {
+    withEnv({ OTEL_ENABLED: 'true', OTEL_SERVICE_NAME: undefined, OTEL_EXPORTER_OTLP_ENDPOINT: 'http://otel-collector:4318', OTEL_EXPORTER_OTLP_HEADERS: undefined }, () => {
+      const cfg = getTelemetryConfig(null);
+      assert.strictEqual(cfg.endpoint, 'http://otel-collector:4318');
+    });
+  });
+
+  it('reads headers from OTEL_EXPORTER_OTLP_HEADERS env var', () => {
+    withEnv({ OTEL_ENABLED: 'true', OTEL_SERVICE_NAME: undefined, OTEL_EXPORTER_OTLP_ENDPOINT: undefined, OTEL_EXPORTER_OTLP_HEADERS: 'authorization=Bearer mysecret' }, () => {
+      const cfg = getTelemetryConfig(null);
+      assert.deepStrictEqual(cfg.headers, { authorization: 'Bearer mysecret' });
+    });
+  });
+
+  it('returns empty headers when OTEL_EXPORTER_OTLP_HEADERS is not set', () => {
+    withEnv({ OTEL_ENABLED: 'true', OTEL_SERVICE_NAME: undefined, OTEL_EXPORTER_OTLP_ENDPOINT: undefined, OTEL_EXPORTER_OTLP_HEADERS: undefined }, () => {
+      const cfg = getTelemetryConfig(null);
+      assert.deepStrictEqual(cfg.headers, {});
+    });
+  });
+});
+
+describe('getTelemetryConfig – enabled via yaml', () => {
+  it('returns config when telemetry.enabled is true', () => {
+    withEnv({ OTEL_ENABLED: undefined, OTEL_SERVICE_NAME: undefined, OTEL_EXPORTER_OTLP_ENDPOINT: undefined, OTEL_EXPORTER_OTLP_HEADERS: undefined }, () => {
+      const cfg = getTelemetryConfig({ enabled: true });
+      assert.ok(cfg);
+      assert.strictEqual(cfg.enabled, true);
+    });
+  });
+
+  it('reads serviceName from yaml', () => {
+    withEnv({ OTEL_ENABLED: undefined, OTEL_SERVICE_NAME: undefined, OTEL_EXPORTER_OTLP_ENDPOINT: undefined, OTEL_EXPORTER_OTLP_HEADERS: undefined }, () => {
+      const cfg = getTelemetryConfig({ enabled: true, serviceName: 'yaml-service' });
+      assert.strictEqual(cfg.serviceName, 'yaml-service');
+    });
+  });
+
+  it('reads endpoint from yaml', () => {
+    withEnv({ OTEL_ENABLED: undefined, OTEL_SERVICE_NAME: undefined, OTEL_EXPORTER_OTLP_ENDPOINT: undefined, OTEL_EXPORTER_OTLP_HEADERS: undefined }, () => {
+      const cfg = getTelemetryConfig({ enabled: true, endpoint: 'http://my-collector:4318' });
+      assert.strictEqual(cfg.endpoint, 'http://my-collector:4318');
+    });
+  });
+
+  it('env var serviceName overrides yaml', () => {
+    withEnv({ OTEL_ENABLED: undefined, OTEL_SERVICE_NAME: 'env-wins', OTEL_EXPORTER_OTLP_ENDPOINT: undefined, OTEL_EXPORTER_OTLP_HEADERS: undefined }, () => {
+      const cfg = getTelemetryConfig({ enabled: true, serviceName: 'yaml-service' });
+      assert.strictEqual(cfg.serviceName, 'env-wins');
+    });
+  });
+
+  it('env var endpoint overrides yaml', () => {
+    withEnv({ OTEL_ENABLED: undefined, OTEL_SERVICE_NAME: undefined, OTEL_EXPORTER_OTLP_ENDPOINT: 'http://env-collector:4318', OTEL_EXPORTER_OTLP_HEADERS: undefined }, () => {
+      const cfg = getTelemetryConfig({ enabled: true, endpoint: 'http://yaml-collector:4318' });
+      assert.strictEqual(cfg.endpoint, 'http://env-collector:4318');
+    });
+  });
+
+  it('yaml has no headers field (secrets must come from env)', () => {
+    withEnv({ OTEL_ENABLED: undefined, OTEL_SERVICE_NAME: undefined, OTEL_EXPORTER_OTLP_ENDPOINT: undefined, OTEL_EXPORTER_OTLP_HEADERS: undefined }, () => {
+      const cfg = getTelemetryConfig({ enabled: true });
+      // Headers are always empty when OTEL_EXPORTER_OTLP_HEADERS env var is absent
+      assert.deepStrictEqual(cfg.headers, {});
+    });
+  });
+
+  it('OTEL_ENABLED=true overrides yaml enabled: false', () => {
+    withEnv({ OTEL_ENABLED: 'true', OTEL_SERVICE_NAME: undefined, OTEL_EXPORTER_OTLP_ENDPOINT: undefined, OTEL_EXPORTER_OTLP_HEADERS: undefined }, () => {
+      const cfg = getTelemetryConfig({ enabled: false });
+      assert.ok(cfg);
+      assert.strictEqual(cfg.enabled, true);
+    });
+  });
+});
+
+describe('schema: telemetry', () => {
+  it('schema accepts telemetry with enabled only', () => {
+    assert.strictEqual(validateSchema({ name: 'App', telemetry: { enabled: true } }), true);
+  });
+
+  it('schema accepts top-level telemetry', () => {
+    assert.strictEqual(validateSchema({
+      name: 'App',
+      telemetry: { enabled: true, serviceName: 'my-service', endpoint: 'http://localhost:4318' },
+    }), true);
+  });
+
+  it('schema accepts telemetry with all non-secret fields', () => {
+    assert.strictEqual(validateSchema({
+      name: 'App',
+      telemetry: {
+        enabled: true,
+        serviceName: 'my-service',
+        endpoint: 'http://localhost:4318',
+      },
+    }), true);
+  });
+
+  it('schema accepts disabled telemetry', () => {
+    assert.strictEqual(validateSchema({ name: 'App', telemetry: { enabled: false } }), true);
+  });
+
+  it('schema accepts empty telemetry object', () => {
+    assert.strictEqual(validateSchema({ name: 'App', telemetry: {} }), true);
+  });
+
+  it('schema rejects unknown telemetry key', () => {
+    assert.throws(() => validateSchema({ name: 'App', telemetry: { enabled: true, headers: {} } }));
+  });
+
+  it('schema rejects telemetry with enabled as non-boolean', () => {
+    assert.throws(() => validateSchema({ name: 'App', telemetry: { enabled: 'yes' } }));
+  });
+
+  it('schema rejects settings property (removed)', () => {
+    assert.throws(() => validateSchema({ name: 'App', settings: { telemetry: { enabled: true } } }));
+  });
+});
+
+describe('buildCore: telemetry passthrough', () => {
+  it('exposes top-level telemetry when provided', () => {
+    const core = buildCore({
+      name: 'App',
+      telemetry: { enabled: true, serviceName: 'top-svc', endpoint: 'http://host:4318' },
+    });
+    assert.ok(core.telemetry);
+    assert.strictEqual(core.telemetry.enabled, true);
+    assert.strictEqual(core.telemetry.serviceName, 'top-svc');
+    assert.strictEqual(core.telemetry.endpoint, 'http://host:4318');
+  });
+
+  it('sets telemetry to null when not provided', () => {
+    const core = buildCore({ name: 'App' });
+    assert.strictEqual(core.telemetry, null);
+  });
+});
+
+describe('shutdownTelemetry', () => {
+  it('resolves without error when SDK was never initialized', async () => {
+    await assert.doesNotReject(() => shutdownTelemetry());
+  });
+});

package/test/test.js

@@ -0,0 +1,17 @@
+'use strict';
+// Tests have been split into focused files. Run them with: npm test
+// Each *.test.js file covers one feature area:
+//   schema-validator.test.js  – schema validation
+//   entity-engine.test.js     – entity engine & buildCore
+//   db.test.js                – database CRUD, filters, relations
+//   openapi.test.js           – OpenAPI spec generation
+//   yaml-loader.test.js       – YAML config loading
+//   auth.test.js              – JWT auth & middleware
+//   validation.test.js        – request body validation & defaults
+//   seeder.test.js            – database seeder
+//   upload.test.js            – file upload helpers & sharp integration
+//   groups.test.js            – group property serialization & validation
+//   settings.test.js          – rate limits, env vars, API limiters
+//   sdk.test.js               – backend SDK (createBackendSdk)
+//   access-policies.test.js   – access policy enforcement
+//   middleware.test.js        – middleware SDK injection