fix ci

add ci
2026-02-11 22:41:01 -05:00 · 2026-02-11 22:38:50 -05:00
33 changed files with 753 additions and 492 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -44,6 +44,3 @@ data

 # Dev TLS certs (self-signed for local testing)
 .dev-certs
-
-# CI artifact (kaniko reads .tags for image tag list)
-.tags
--- a/.woodpecker/ci.yml
+++ b/.woodpecker/ci.yml
@@ -0,0 +1,51 @@
+steps:
+  - name: lint
+    image: node:24-slim
+    commands:
+      - npm ci
+      - npm run lint
+    when:
+      - event: pull_request
+
+  - name: test
+    image: node:24-slim
+    environment:
+      CI: "true"
+    commands:
+      - npm run test
+    when:
+      - event: pull_request
+
+  - name: e2e
+    image: mcr.microsoft.com/playwright:v1.58.2-noble
+    commands:
+      - npm ci
+      - npm run test:e2e
+    environment:
+      CI: "true"
+      NODE_TLS_REJECT_UNAUTHORIZED: "0"
+    when:
+      - event: pull_request
+
+  - name: docker-build
+    image: woodpeckerci/plugin-docker-buildx
+    settings:
+      repo: git.keligrubb.com/${CI_REPO_OWNER}/${CI_REPO_NAME}
+      registry: git.keligrubb.com
+      tags: latest
+      dry_run: true
+    when:
+      - event: pull_request
+
+  - name: docker-build-push
+    image: woodpeckerci/plugin-docker-buildx
+    settings:
+      repo: git.keligrubb.com/${CI_REPO_OWNER}/${CI_REPO_NAME}
+      registry: git.keligrubb.com
+      tags: latest,${CI_COMMIT_SHA:0:7}
+      username: ${CI_REPO_OWNER}
+      password:
+        from_secret: gitea_registry_token
+    when:
+      - event: push
+        branch: main
--- a/.woodpecker/pr.yml
+++ b/.woodpecker/pr.yml
@@ -1,38 +0,0 @@
-when:
-  - event: pull_request
-
-steps:
-  - name: lint
-    image: node:24-slim
-    depends_on: []
-    commands:
-      - npm ci
-      - npm run lint
-
-  - name: test
-    image: node:24-slim
-    depends_on: []
-    commands:
-      - npm ci
-      - npm run test
-
-  - name: e2e
-    image: mcr.microsoft.com/playwright:v1.58.2-noble
-    depends_on: []
-    commands:
-      - npm ci
-      - ./scripts/gen-dev-cert.sh
-      - npm run test:e2e
-    environment:
-      NODE_TLS_REJECT_UNAUTHORIZED: "0"
-
-  - name: docker-build
-    image: woodpeckerci/plugin-kaniko
-    depends_on: []
-    settings:
-      repo: ${CI_REPO_OWNER}/${CI_REPO_NAME}
-      registry: git.keligrubb.com
-      tags: latest
-      dry-run: true
-      single-snapshot: true
-      cleanup: true
--- a/.woodpecker/push.yml
+++ b/.woodpecker/push.yml
@@ -1,36 +0,0 @@
-when:
-  - event: push
-    branch: main
-
-steps:
-  - name: release
-    image: alpine
-    commands:
-      - apk add --no-cache git
-      - ./scripts/release.sh
-    environment:
-      GITEA_REPO_TOKEN:
-        from_secret: gitea_repo_token
-
-  - name: docker
-    image: woodpeckerci/plugin-kaniko
-    depends_on: [release]
-    settings:
-      repo: ${CI_REPO_OWNER}/${CI_REPO_NAME}
-      registry: git.keligrubb.com
-      username: ${CI_REPO_OWNER}
-      password:
-        from_secret: gitea_registry_token
-      single-snapshot: true
-      cleanup: true
-
-  - name: helm
-    image: alpine/helm
-    depends_on: [release]
-    environment:
-      GITEA_REGISTRY_TOKEN:
-        from_secret: gitea_registry_token
-    commands:
-      - apk add --no-cache curl
-      - helm package helm/kestrelos
-      - curl -sf -u $CI_REPO_OWNER:$GITEA_REGISTRY_TOKEN -X POST --upload-file kestrelos-*.tgz https://git.keligrubb.com/api/packages/$CI_REPO_OWNER/helm/api/charts
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,7 +0,0 @@
-## [0.2.0] - 2026-02-12
-### Changed
- add a new release system (#3)
-
-# Changelog
-
-All notable changes to this project will be documented in this file.
--- a/5
+++ b/5
@@ -1,4 +1,5 @@
-FROM node:24-slim AS builder
+# Build stage
+FROM node:22-alpine AS builder

 WORKDIR /app

@@ -9,7 +10,7 @@ COPY . .
 RUN npm run build

 # Run stage
-FROM node:24-slim AS runner
+FROM node:22-alpine AS runner

 # Run as non-root user (node user exists in official image)
 USER node
--- a/README.md
+++ b/README.md
@@ -22,7 +22,7 @@ Open http://localhost:3000. The app requires login by default; you will see the

 Camera and geolocation in the browser require a **secure context** (HTTPS) when you open the app from your phone. To test Share live from a device on your LAN without buying a domain or cert:

-1. Generate a self-signed cert (once). Use your machine's LAN IP so the phone can use it:
+1. Generate a self-signed cert (once). Use your machine’s LAN IP so the phone can use it:
   ```bash
   chmod +x scripts/gen-dev-cert.sh
   ./scripts/gen-dev-cert.sh 192.168.1.123
@@ -34,7 +34,7 @@ Camera and geolocation in the browser require a **secure context** (HTTPS) when
   npm run dev
   ```

-3. On your phone, open **https://192.168.1.123:3000** (same IP you passed above). Accept the browser's “untrusted certificate” warning once (e.g. Advanced → Proceed). Then log in and use Share live; camera and location will work.
+3. On your phone, open **https://192.168.1.123:3000** (same IP you passed above). Accept the browser’s “untrusted certificate” warning once (e.g. Advanced → Proceed). Then log in and use Share live; camera and location will work.

 Without the certs, `npm run dev` still runs over HTTP as before.

@@ -48,7 +48,7 @@ The **Share live** feature uses WebRTC for real-time video streaming from mobile
 - **Mediasoup** server (runs automatically in the Nuxt process)
 - **mediasoup-client** (browser library, included automatically)

-**Streaming from a phone on your LAN:** The server auto-detects your machine's LAN IP (from network interfaces) and uses it for WebRTC. Open **https://<your-LAN-IP>:3000** on both phone and laptop (same IP as for your dev cert). To override (e.g. Docker or multiple NICs), set `MEDIASOUP_ANNOUNCED_IP`. Ensure firewall allows UDP/TCP ports 40000–49999 on the server.
+**Streaming from a phone on your LAN:** The server auto-detects your machine’s LAN IP (from network interfaces) and uses it for WebRTC. Open **https://<your-LAN-IP>:3000** on both phone and laptop (same IP as for your dev cert). To override (e.g. Docker or multiple NICs), set `MEDIASOUP_ANNOUNCED_IP`. Ensure firewall allows UDP/TCP ports 40000–49999 on the server.

 See [docs/live-streaming.md](docs/live-streaming.md) for architecture details.

@@ -62,10 +62,10 @@ See [docs/live-streaming.md](docs/live-streaming.md) for architecture details.

 ## Configuration

- **Devices**: Manage cameras/devices via the API (`/api/devices`) or the Members/Cameras UI. Each device needs `name`, `device_type`, `lat`, `lng`, `stream_url`, and `source_type` (`mjpeg` or `hls`).
+- **Feeds**: Edit `server/data/feeds.json` to add cameras/feeds. Each feed needs `id`, `name`, `lat`, `lng`, `streamUrl`, and `sourceType` (`mjpeg` or `hls`). Home Assistant and other sources use the same shape; use proxy URLs for HA.
 - **Environment**: No required env vars for basic run. For production, set `HOST=0.0.0.0` and `PORT` as needed (e.g. in Docker/Helm).
 - **Authentication**: The login page always offers password sign-in (local). Optionally set `BOOTSTRAP_EMAIL` and `BOOTSTRAP_PASSWORD` before the first run to create the first admin; otherwise a default admin is created and its credentials are printed in the terminal. To also show an OIDC sign-in button, configure `OIDC_ISSUER`, `OIDC_CLIENT_ID`, `OIDC_CLIENT_SECRET`, and optionally `OIDC_LABEL`, `OIDC_REDIRECT_URI`. See [docs/auth.md](docs/auth.md) for provider-specific examples.
- **Bootstrap admin** (when using local auth): The server initializes the database and runs bootstrap at startup. On first run (no users in the database), it creates the first admin. If you set `BOOTSTRAP_EMAIL` and `BOOTSTRAP_PASSWORD` before starting, that account is created. If you don't set them, a default admin is created (identifier: `admin`) with a random password and the credentials are printed in the terminal—copy them and sign in at `/login`, then change the password or add users via Members. Use **Members** to change roles (admin, leader, member). Only admins can change roles; admins and leaders can edit POIs.
+- **Bootstrap admin** (when using local auth): The server initializes the database and runs bootstrap at startup. On first run (no users in the database), it creates the first admin. If you set `BOOTSTRAP_EMAIL` and `BOOTSTRAP_PASSWORD` before starting, that account is created. If you don’t set them, a default admin is created (identifier: `admin`) with a random password and the credentials are printed in the terminal—copy them and sign in at `/login`, then change the password or add users via Members. Use **Members** to change roles (admin, leader, member). Only admins can change roles; admins and leaders can edit POIs.
 - **Database**: SQLite file at `data/kestrelos.db` (created automatically). Contains users, sessions, and POIs.

 ## Docker
@@ -77,34 +77,16 @@ docker run -p 3000:3000 kestrelos:latest

 ## Kubernetes (Helm)

-**From Gitea registry:**
 ```bash
-helm repo add keligrubb --username YOUR_USER --password YOUR_TOKEN https://git.keligrubb.com/api/packages/keligrubb/helm
-helm repo update
-helm install kestrelos keligrubb/kestrelos
-```
-
-**From source:**
-```bash
-helm install kestrelos ./helm/kestrelos
+helm install kestrelos ./helm/kestrelos --set image.repository=your-registry/kestrelos --set image.tag=latest
 ```

 Health: `GET /health` (overview), `GET /health/live` (liveness), `GET /health/ready` (readiness). Probes are configured in the Helm chart. Optional: enable Ingress in `helm/kestrelos/values.yaml`.

-## Releases
-
-Merges to `main` trigger a semver release. Use one of these prefixes in your PR title to set the version bump:
-
- `major:` – breaking changes
- `minor:` – new features
- `patch:` – bug fixes, docs (default if no prefix)
-
-Example: `minor: Add map layer toggle`
-
 ## Security

- Device data is validated server-side; only valid entries are returned.
- Stream URLs are sanitized to `http://` or `https://` only; other protocols are rejected.
+- Feed list is validated server-side (`getValidFeeds`); only valid entries are returned.
+- Stream URLs are treated as untrusted; the UI only uses `http://` or `https://` URLs for display.

 ## License

--- a/app/components/KestrelMap.vue
+++ b/app/components/KestrelMap.vue
@@ -214,6 +214,10 @@
 import 'leaflet/dist/leaflet.css'

 const props = defineProps({
+  feeds: {
+    type: Array,
+    default: () => [],
+  },
  devices: {
    type: Array,
    default: () => [],
@@ -378,7 +382,8 @@ function updateMarkers() {
    if (m) m.remove()
  })

-  const validSources = (props.devices || []).filter(f => typeof f?.lat === 'number' && typeof f?.lng === 'number')
+  const feedSources = [...(props.feeds || []), ...(props.devices || [])]
+  const validSources = feedSources.filter(f => typeof f?.lat === 'number' && typeof f?.lng === 'number')
  markersRef.value = validSources.map(item =>
    L.marker([item.lat, item.lng]).addTo(ctx.map).on('click', () => emit('select', item)),
  )
@@ -617,7 +622,7 @@ onBeforeUnmount(() => {
  destroyMap()
 })

-watch(() => props.devices, () => updateMarkers(), { deep: true })
+watch(() => [props.feeds, props.devices], () => updateMarkers(), { deep: true })
 watch([() => props.pois, () => props.canEditPois], () => updatePoiMarkers(), { deep: true })
 watch(() => props.liveSessions, () => updateLiveMarkers(), { deep: true })
 </script>
--- a/app/pages/index.vue
+++ b/app/pages/index.vue
@@ -3,6 +3,7 @@
    <div class="relative h-2/3 w-full md:h-full md:flex-1">
      <ClientOnly>
        <KestrelMap
+          :feeds="[]"
          :devices="devices ?? []"
          :pois="pois ?? []"
          :live-sessions="liveSessions ?? []"
--- a/helm/kestrelos/Chart.yaml
+++ b/helm/kestrelos/Chart.yaml
@@ -2,5 +2,5 @@ apiVersion: v2
 name: kestrelos
 description: KestrelOS TOC for OSINT feeds - map, camera feeds, offline tiles
 type: application
-version: 0.2.0
-appVersion: "0.2.0"
+version: 0.1.0
+appVersion: "0.1.0"
--- a/helm/kestrelos/values.yaml
+++ b/helm/kestrelos/values.yaml
@@ -1,8 +1,8 @@
 replicaCount: 1

 image:
-  repository: git.keligrubb.com/keligrubb/kestrelos
-  tag: 0.2.0
+  repository: kestrelos
+  tag: latest
  pullPolicy: IfNotPresent

 service:
--- a/package-lock.json
+++ b/package-lock.json
@@ -22,7 +22,6 @@
        "ws": "^8.18.0"
      },
      "devDependencies": {
-        "@iconify-json/tabler": "^1.2.26",
        "@nuxt/eslint": "^1.15.0",
        "@nuxt/test-utils": "^4.0.0",
        "@playwright/test": "^1.58.2",
@@ -1434,16 +1433,6 @@
        "url": "https://github.com/sponsors/nzakas"
      }
    },
-    "node_modules/@iconify-json/tabler": {
-      "version": "1.2.26",
-      "resolved": "https://registry.npmjs.org/@iconify-json/tabler/-/tabler-1.2.26.tgz",
-      "integrity": "sha512-92G+ZD70AZgeJf07JfQzH+isnai6DwPcMBuF/qL1F+xAxdXCJzGd3w2RmsRvOmB+w1ImmWEEDms50QivQIjd6g==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@iconify/types": "*"
-      }
-    },
    "node_modules/@iconify/collections": {
      "version": "1.0.649",
      "resolved": "https://registry.npmjs.org/@iconify/collections/-/collections-1.0.649.tgz",
--- a/package.json
+++ b/package.json
@@ -1,6 +1,5 @@
 {
  "name": "kestrelos",
-  "version": "0.2.0",
  "private": true,
  "type": "module",
  "scripts": {
@@ -33,7 +32,6 @@
    "ws": "^8.18.0"
  },
  "devDependencies": {
-    "@iconify-json/tabler": "^1.2.26",
    "@nuxt/eslint": "^1.15.0",
    "@nuxt/test-utils": "^4.0.0",
    "@playwright/test": "^1.58.2",
--- a/playwright.config.js
+++ b/playwright.config.js
@@ -35,7 +35,6 @@ export default defineConfig({
      name: 'desktop-chrome',
      use: {
        ...devices['Desktop Chrome'],
-        permissions: ['camera', 'microphone', 'geolocation'],
        launchOptions: {
          args: [
            '--use-fake-ui-for-media-stream',
@@ -53,10 +52,10 @@ export default defineConfig({
  ],
  webServer: {
    command: 'npm run dev',
-    url: 'https://localhost:3000/health/ready',
-    reuseExistingServer: !process.env.CI, // Don't reuse in CI (always start fresh)
-    timeout: 180_000, // 3 minutes (180 seconds) for server startup (CI can be slower)
+    url: 'https://localhost:3000/health',
+    reuseExistingServer: true, // Always reuse existing server for E2E tests
+    timeout: 120 * 1000, // 2 minutes for server startup
    ignoreHTTPSErrors: true,
  },
-  timeout: process.env.CI ? 180_000 : 60_000, // 3 minutes in CI, 1 minute locally (WebRTC setup takes time)
+  timeout: 60 * 1000, // 60 seconds per test (WebRTC setup takes time)
 })
--- a/scripts/release.sh
+++ b/scripts/release.sh
@@ -1,56 +0,0 @@
-#!/bin/sh
-set -e
-
-# version
-msg="${CI_COMMIT_MESSAGE:-}"
-bump=patch
-echo "$msg" | grep -qi minor: && bump=minor
-echo "$msg" | grep -qi major: && bump=major
-cur=$(awk '/"version"/ { match($0, /[0-9]+\.[0-9]+\.[0-9]+/); print substr($0, RSTART, RLENGTH); exit }' package.json)
-major=$(echo "$cur" | cut -d. -f1); minor=$(echo "$cur" | cut -d. -f2); patch=$(echo "$cur" | cut -d. -f3)
-case "$bump" in major) major=$((major+1)); minor=0; patch=0 ;; minor) minor=$((minor+1)); patch=0 ;; patch) patch=$((patch+1)) ;; esac
-newVersion="$major.$minor.$patch"
-[ -z "$cur" ] && { echo "error: could not read version from package.json"; exit 1; }
-
-# changelog entry (strip prefix from first line)
-changelogEntry=$(echo "$msg" | head -1 | awk '{sub(/^[mM]ajor:[ \t]*/,""); sub(/^[mM]inor:[ \t]*/,""); sub(/^[pP]atch:[ \t]*/,""); print}')
-[ -z "$changelogEntry" ] && changelogEntry="Release v$newVersion"
-
-# bump files
-awk -v v="$newVersion" '/"version"/ { sub(/[0-9]+\.[0-9]+\.[0-9]+/, v) } { print }' package.json > package.json.tmp && mv package.json.tmp package.json
-awk -v v="$newVersion" '/^version:/ { $0 = "version: " v }; /^appVersion:/ { $0 = "appVersion: \"" v "\"" }; { print }' helm/kestrelos/Chart.yaml > helm/kestrelos/Chart.yaml.tmp && mv helm/kestrelos/Chart.yaml.tmp helm/kestrelos/Chart.yaml
-awk -v v="$newVersion" '/^  tag:/ { $0 = "  tag: " v }; { print }' helm/kestrelos/values.yaml > helm/kestrelos/values.yaml.tmp && mv helm/kestrelos/values.yaml.tmp helm/kestrelos/values.yaml
-
-# changelog
-new="## [$newVersion] - $(date +%Y-%m-%d)
-### Changed
- $changelogEntry
-
-"
-{ [ ! -f CHANGELOG.md ] && printf '# Changelog\n\n'; printf '%s' "$new"; [ -f CHANGELOG.md ] && cat CHANGELOG.md; } > CHANGELOG.md.tmp && mv CHANGELOG.md.tmp CHANGELOG.md
-
-# git
-git config user.email "ci@kestrelos" && git config user.name "CI"
-git add package.json helm/kestrelos/Chart.yaml helm/kestrelos/values.yaml CHANGELOG.md
-git commit -m "release v$newVersion [skip ci]"
-url="https://${CI_REPO_OWNER}:${GITEA_REPO_TOKEN}@${CI_FORGE_URL#https://}/${CI_REPO_OWNER}/${CI_REPO_NAME}.git"
-git tag "v$newVersion"
-# artifact for kaniko (tag list)
-printf '%s\n%s\n' "$newVersion" "latest" > .tags
-retry() { n=0; while ! "$@"; do n=$((n+1)); [ $n -ge 3 ] && return 1; sleep 2; done; }
-retry git push "$url" HEAD:main "v$newVersion"
-
-# gitea release
-body="## Changelog
-### Changed
- $changelogEntry
-
-## Installation
- [Docker image](${CI_FORGE_URL}/${CI_REPO_OWNER}/-/packages/container/${CI_REPO_NAME})
- [Helm chart](${CI_FORGE_URL}/${CI_REPO_OWNER}/-/packages/helm)"
-release_url="${CI_FORGE_URL}/api/v1/repos/${CI_REPO_OWNER}/${CI_REPO_NAME}/releases"
-echo "$body" | awk -v tag="v$newVersion" 'BEGIN{printf "{\"tag_name\":\"" tag "\",\"name\":\"" tag "\",\"body\":\""} { gsub(/\\/,"\\\\"); gsub(/"/,"\\\""); if (NR>1) printf "\\n"; printf "%s", $0 } END{printf "\"}\n"}' > /tmp/release.json
-wget -q -O /dev/null --post-file=/tmp/release.json \
-  --header="Authorization: token ${GITEA_REPO_TOKEN}" \
-  --header="Content-Type: application/json" \
-  "$release_url"
--- a/server/api/live/webrtc/create-transport.post.js
+++ b/server/api/live/webrtc/create-transport.post.js
@@ -26,7 +26,7 @@ export default defineEventHandler(async (event) => {
  const url = getRequestURL(event)
  const requestHost = url.hostname
  const router = await getRouter(sessionId)
-  const { transport, params } = await createTransport(router, requestHost)
+  const { transport, params } = await createTransport(router, Boolean(isProducer), requestHost)

  if (isProducer) {
    updateLiveSession(sessionId, {
--- a/server/plugins/db.init.js
+++ b/server/plugins/db.init.js
@@ -1,11 +1,14 @@
 import { getDb, closeDb } from '../utils/db.js'
+import { migrateFeedsToDevices } from '../utils/migrateFeedsToDevices.js'

 /**
- * Initialize DB at server startup.
+ * Initialize DB (and run bootstrap if no users) at server startup
+ * so credentials are printed in the terminal before any request.
 * Close DB on server shutdown to avoid native sqlite3 crashes in worker teardown.
 */
+
 export default defineNitroPlugin((nitroApp) => {
-  void getDb()
+  void getDb().then(() => migrateFeedsToDevices())
  nitroApp.hooks.hook('close', () => {
    closeDb()
  })
--- a/server/utils/bootstrap.js
+++ b/server/utils/bootstrap.js
@@ -1,29 +0,0 @@
-import { randomBytes } from 'node:crypto'
-import { hashPassword } from './password.js'
-
-const DEFAULT_ADMIN_IDENTIFIER = 'admin'
-const PASSWORD_CHARS = 'abcdefghjkmnopqrstuvwxyzABCDEFGHJKMNPQRSTUVWXYZ23456789'
-
-const generateRandomPassword = () => {
-  const bytes = randomBytes(14)
-  return Array.from(bytes, b => PASSWORD_CHARS[b % PASSWORD_CHARS.length]).join('')
-}
-
-export async function bootstrapAdmin(run, get) {
-  const row = await get('SELECT COUNT(*) as n FROM users')
-  if (row?.n !== 0) return
-
-  const email = process.env.BOOTSTRAP_EMAIL?.trim()
-  const password = process.env.BOOTSTRAP_PASSWORD
-  const identifier = (email && password) ? email : DEFAULT_ADMIN_IDENTIFIER
-  const plainPassword = (email && password) ? password : generateRandomPassword()
-
-  await run(
-    'INSERT INTO users (id, identifier, password_hash, role, created_at, auth_provider, oidc_issuer, oidc_sub) VALUES (?, ?, ?, ?, ?, ?, ?, ?)',
-    [crypto.randomUUID(), identifier, hashPassword(plainPassword), 'admin', new Date().toISOString(), 'local', null, null],
-  )
-
-  if (!email || !password) {
-    console.log(`\n[KestrelOS] No bootstrap admin configured. Default admin created. Sign in at /login with:\n\n  Identifier: ${identifier}\n  Password:   ${plainPassword}\n\n  Set BOOTSTRAP_EMAIL and BOOTSTRAP_PASSWORD to use your own credentials on first run.\n`)
-  }
-}
--- a/server/utils/db.js
+++ b/server/utils/db.js
@@ -2,27 +2,38 @@ import { join } from 'node:path'
 import { mkdirSync, existsSync } from 'node:fs'
 import { createRequire } from 'node:module'
 import { promisify } from 'node:util'
-import { bootstrapAdmin } from './bootstrap.js'
+import { randomBytes } from 'node:crypto'
+import { hashPassword } from './password.js'
+
+const DEFAULT_ADMIN_IDENTIFIER = 'admin'
+const DEFAULT_PASSWORD_LENGTH = 14
+const PASSWORD_CHARS = 'abcdefghjkmnopqrstuvwxyzABCDEFGHJKMNPQRSTUVWXYZ23456789'
+
+function generateRandomPassword() {
+  const bytes = randomBytes(DEFAULT_PASSWORD_LENGTH)
+  let s = ''
+  for (let i = 0; i < DEFAULT_PASSWORD_LENGTH; i++) {
+    s += PASSWORD_CHARS[bytes[i] % PASSWORD_CHARS.length]
+  }
+  return s
+}

 const require = createRequire(import.meta.url)
 const sqlite3 = require('sqlite3')

-const SCHEMA_VERSION = 2
-const DB_BUSY_TIMEOUT_MS = 5000
-
 let dbInstance = null
+/** Set by tests to use :memory: or a temp path */
 let testPath = null

-const SCHEMA = {
-  schema_version: 'CREATE TABLE IF NOT EXISTS schema_version (version INTEGER PRIMARY KEY)',
-  users: `CREATE TABLE IF NOT EXISTS users (
+const USERS_SQL = `CREATE TABLE IF NOT EXISTS users (
  id TEXT PRIMARY KEY,
  identifier TEXT UNIQUE NOT NULL,
  password_hash TEXT NOT NULL,
  role TEXT NOT NULL DEFAULT 'member',
  created_at TEXT NOT NULL
-  )`,
-  users_v2: `CREATE TABLE users_new (
+)`
+
+const USERS_V2_SQL = `CREATE TABLE users_new (
  id TEXT PRIMARY KEY,
  identifier TEXT UNIQUE NOT NULL,
  password_hash TEXT,
@@ -31,23 +42,23 @@ const SCHEMA = {
  auth_provider TEXT NOT NULL DEFAULT 'local',
  oidc_issuer TEXT,
  oidc_sub TEXT
-  )`,
-  users_oidc_index: `CREATE UNIQUE INDEX IF NOT EXISTS users_oidc_unique ON users(oidc_issuer, oidc_sub) WHERE oidc_issuer IS NOT NULL AND oidc_sub IS NOT NULL`,
-  sessions: `CREATE TABLE IF NOT EXISTS sessions (
+)`
+const USERS_OIDC_UNIQUE = `CREATE UNIQUE INDEX IF NOT EXISTS users_oidc_unique ON users(oidc_issuer, oidc_sub) WHERE oidc_issuer IS NOT NULL AND oidc_sub IS NOT NULL`
+const SESSIONS_SQL = `CREATE TABLE IF NOT EXISTS sessions (
  id TEXT PRIMARY KEY,
  user_id TEXT NOT NULL,
  created_at TEXT NOT NULL,
  expires_at TEXT NOT NULL,
  FOREIGN KEY(user_id) REFERENCES users(id)
-  )`,
-  pois: `CREATE TABLE IF NOT EXISTS pois (
+)`
+const POIS_SQL = `CREATE TABLE IF NOT EXISTS pois (
  id TEXT PRIMARY KEY,
  lat REAL NOT NULL,
  lng REAL NOT NULL,
  label TEXT NOT NULL DEFAULT '',
  icon_type TEXT NOT NULL DEFAULT 'pin'
-  )`,
-  devices: `CREATE TABLE IF NOT EXISTS devices (
+)`
+const DEVICES_SQL = `CREATE TABLE IF NOT EXISTS devices (
  id TEXT PRIMARY KEY,
  name TEXT NOT NULL DEFAULT '',
  device_type TEXT NOT NULL,
@@ -57,117 +68,88 @@ const SCHEMA = {
  stream_url TEXT NOT NULL DEFAULT '',
  source_type TEXT NOT NULL DEFAULT 'mjpeg',
  config TEXT
-  )`,
-}
+)`

-const getDbPath = () => {
+function getDbPath() {
  if (testPath) return testPath
-  if (process.env.DB_PATH) return process.env.DB_PATH
  const dir = join(process.cwd(), 'data')
  if (!existsSync(dir)) mkdirSync(dir, { recursive: true })
  return join(dir, 'kestrelos.db')
 }

-const getSchemaVersion = async (get) => {
-  try {
-    const row = await get('SELECT version FROM schema_version ORDER BY version DESC LIMIT 1')
-    return row?.version || 0
-  }
-  catch {
-    return 0
+async function bootstrap(db) {
+  if (testPath) return
+  const row = await db.get('SELECT COUNT(*) as n FROM users')
+  if (row?.n !== 0) return
+  const email = process.env.BOOTSTRAP_EMAIL?.trim()
+  const password = process.env.BOOTSTRAP_PASSWORD
+  const identifier = (email && password) ? email : DEFAULT_ADMIN_IDENTIFIER
+  const plainPassword = (email && password) ? password : generateRandomPassword()
+  const id = crypto.randomUUID()
+  const now = new Date().toISOString()
+  await db.run(
+    'INSERT INTO users (id, identifier, password_hash, role, created_at, auth_provider, oidc_issuer, oidc_sub) VALUES (?, ?, ?, ?, ?, ?, ?, ?)',
+    [id, identifier, hashPassword(plainPassword), 'admin', now, 'local', null, null],
+  )
+  if (!email || !password) {
+    console.log('\n[KestrelOS] No bootstrap admin configured. Default admin created. Sign in at /login with:\n')
+
+    console.log(`  Identifier: ${identifier}\n  Password:   ${plainPassword}\n`)
+
+    console.log('  Set BOOTSTRAP_EMAIL and BOOTSTRAP_PASSWORD to use your own credentials on first run.\n')
  }
 }

-const setSchemaVersion = (run, version) => run('INSERT OR REPLACE INTO schema_version (version) VALUES (?)', [version])
-
-const migrateToV2 = async (run, all) => {
+async function migrateUsersIfNeeded(run, all) {
  const info = await all('PRAGMA table_info(users)')
  if (info.some(c => c.name === 'auth_provider')) return
-
-  await run('BEGIN TRANSACTION')
-  try {
-    await run(SCHEMA.users_v2)
-    await run('INSERT INTO users_new (id, identifier, password_hash, role, created_at, auth_provider, oidc_issuer, oidc_sub) SELECT id, identifier, password_hash, role, created_at, ?, ?, ? FROM users', ['local', null, null])
+  await run(USERS_V2_SQL)
+  await run(
+    `INSERT INTO users_new (id, identifier, password_hash, role, created_at, auth_provider, oidc_issuer, oidc_sub)
+     SELECT id, identifier, password_hash, role, created_at, 'local', NULL, NULL FROM users`,
+  )
  await run('DROP TABLE users')
  await run('ALTER TABLE users_new RENAME TO users')
-    await run(SCHEMA.users_oidc_index)
-    await run('COMMIT')
-  }
-  catch (error) {
-    await run('ROLLBACK').catch(() => {})
-    throw error
-  }
-}
-
-const runMigrations = async (run, all, get) => {
-  const version = await getSchemaVersion(get)
-  if (version >= SCHEMA_VERSION) return
-  if (version < 2) {
-    await migrateToV2(run, all)
-    await setSchemaVersion(run, 2)
-  }
-}
-
-const initDb = async (db, run, all, get) => {
-  try {
-    await run('PRAGMA journal_mode = WAL')
-  }
-  catch {
-    // WAL not supported (e.g., network filesystem)
-  }
-  db.configure('busyTimeout', DB_BUSY_TIMEOUT_MS)
-
-  await run(SCHEMA.schema_version)
-  await run(SCHEMA.users)
-  await runMigrations(run, all, get)
-  await run(SCHEMA.sessions)
-  await run(SCHEMA.pois)
-  await run(SCHEMA.devices)
-
-  if (!testPath) await bootstrapAdmin(run, get)
+  await run(USERS_OIDC_UNIQUE)
 }

 export async function getDb() {
  if (dbInstance) return dbInstance
-
-  const db = new sqlite3.Database(getDbPath(), (err) => {
-    if (err) {
-      console.error('[db] Failed to open database:', err.message)
-      throw err
-    }
-  })
-
+  const path = getDbPath()
+  const db = new sqlite3.Database(path)
  const run = promisify(db.run.bind(db))
  const all = promisify(db.all.bind(db))
  const get = promisify(db.get.bind(db))
-
-  try {
-    await initDb(db, run, all, get)
-  }
-  catch (error) {
-    db.close()
-    console.error('[db] Database initialization failed:', error.message)
-    throw error
-  }
-
+  await run(USERS_SQL)
+  await migrateUsersIfNeeded(run, all)
+  await run(SESSIONS_SQL)
+  await run(POIS_SQL)
+  await run(DEVICES_SQL)
+  await bootstrap({ run, get })
  dbInstance = { db, run, all, get }
  return dbInstance
 }

+/**
+ * Close the DB connection. Call on server shutdown to avoid native sqlite3 crashes in worker teardown.
+ */
 export function closeDb() {
-  if (!dbInstance) return
+  if (dbInstance) {
    try {
-    dbInstance.db.close((err) => {
-      if (err) console.error('[db] Error closing database:', err.message)
-    })
+      dbInstance.db.close()
    }
-  catch (error) {
-    console.error('[db] Error closing database:', error.message)
+    catch {
+      // ignore if already closed
    }
    dbInstance = null
+  }
 }

+/**
+ * For tests: use in-memory DB and reset singleton.
+ * @param {string} path - e.g. ':memory:'
+ */
 export function setDbPathForTest(path) {
-  testPath = path || null
+  testPath = path
  closeDb()
 }
--- a/server/utils/deviceUtils.js
+++ b/server/utils/deviceUtils.js
@@ -1,12 +1,8 @@
+import { sanitizeStreamUrl } from './feedUtils.js'
+
 const DEVICE_TYPES = Object.freeze(['alpr', 'nvr', 'doorbell', 'feed', 'traffic', 'ip', 'drone'])
 const SOURCE_TYPES = Object.freeze(['mjpeg', 'hls'])

-const sanitizeStreamUrl = (url) => {
-  if (typeof url !== 'string' || !url.trim()) return ''
-  const u = url.trim()
-  return (u.startsWith('https://') || u.startsWith('http://')) ? u : ''
-}
-
 /** @typedef {{ id: string, name: string, device_type: string, vendor: string | null, lat: number, lng: number, stream_url: string, source_type: string, config: string | null }} DeviceRow */

 /**
--- a/server/utils/feedUtils.js
+++ b/server/utils/feedUtils.js
@@ -0,0 +1,54 @@
+/**
+ * Validates a single feed object shape (pure function).
+ * @param {unknown} item
+ * @returns {boolean} True if item has id, name, lat, lng with correct types.
+ */
+export function isValidFeed(item) {
+  if (!item || typeof item !== 'object') return false
+  const o = /** @type {Record<string, unknown>} */ (item)
+  return (
+    typeof o.id === 'string'
+    && typeof o.name === 'string'
+    && typeof o.lat === 'number'
+    && typeof o.lng === 'number'
+  )
+}
+
+/**
+ * Returns a safe stream URL (http/https only) or empty string. Prevents javascript:, data:, etc.
+ * @param {unknown} url
+ * @returns {string} Safe http(s) URL or empty string.
+ */
+export function sanitizeStreamUrl(url) {
+  if (typeof url !== 'string' || !url.trim()) return ''
+  const u = url.trim()
+  if (u.startsWith('https://') || u.startsWith('http://')) return u
+  return ''
+}
+
+/**
+ * Sanitizes a validated feed for API response: safe streamUrl and sourceType only.
+ * @param {{ id: string, name: string, lat: number, lng: number, [key: string]: unknown }} feed
+ * @returns {{ id: string, name: string, lat: number, lng: number, streamUrl: string, sourceType: string, description?: string }} Sanitized feed for API.
+ */
+export function sanitizeFeedForResponse(feed) {
+  return {
+    id: feed.id,
+    name: feed.name,
+    lat: feed.lat,
+    lng: feed.lng,
+    streamUrl: sanitizeStreamUrl(feed.streamUrl),
+    sourceType: feed.sourceType === 'hls' ? 'hls' : 'mjpeg',
+    ...(typeof feed.description === 'string' ? { description: feed.description } : {}),
+  }
+}
+
+/**
+ * Filters and returns only valid feeds from an array (pure function).
+ * @param {unknown[]} list
+ * @returns {Array<{ id: string, name: string, lat: number, lng: number }>} Array of valid feed objects.
+ */
+export function getValidFeeds(list) {
+  if (!Array.isArray(list)) return []
+  return list.filter(isValidFeed)
+}
--- a/server/utils/liveSessions.js
+++ b/server/utils/liveSessions.js
@@ -1,17 +1,43 @@
+/**
+ * In-memory store for live sharing sessions (camera + location).
+ * Sessions expire after TTL_MS without an update.
+ */
+
 import { closeRouter, getProducer, getTransport } from './mediasoup.js'

-const TTL_MS = 60_000
+const TTL_MS = 60_000 // 60 seconds without update = inactive
+
 const sessions = new Map()

-export const createSession = (userId, label = '') => {
+/**
+ * @typedef {{
+ *   id: string
+ *   userId: string
+ *   label: string
+ *   lat: number
+ *   lng: number
+ *   updatedAt: number
+ *   routerId: string | null
+ *   producerId: string | null
+ *   transportId: string | null
+ * }} LiveSession
+ */
+
+/**
+ * @param {string} userId
+ * @param {string} [label]
+ * @returns {LiveSession} The created live session.
+ */
+export function createSession(userId, label = '') {
  const id = crypto.randomUUID()
+  const now = Date.now()
  const session = {
    id,
    userId,
    label: (label || 'Live').trim() || 'Live',
    lat: 0,
    lng: 0,
-    updatedAt: Date.now(),
+    updatedAt: now,
    routerId: null,
    producerId: null,
    transportId: null,
@@ -20,16 +46,34 @@ export const createSession = (userId, label = '') => {
  return session
 }

-export const getLiveSession = id => sessions.get(id)
-
-export const getActiveSessionByUserId = (userId) => {
-  const now = Date.now()
-  for (const s of sessions.values()) {
-    if (s.userId === userId && now - s.updatedAt <= TTL_MS) return s
-  }
+/**
+ * @param {string} id
+ * @returns {LiveSession | undefined} The session or undefined.
+ */
+export function getLiveSession(id) {
+  return sessions.get(id)
 }

-export const updateLiveSession = (id, updates) => {
+/**
+ * Get an existing active session for a user (for replacing with a new one).
+ * @param {string} userId
+ * @returns {LiveSession | undefined} The first active session for the user, or undefined.
+ */
+export function getActiveSessionByUserId(userId) {
+  const now = Date.now()
+  for (const [, s] of sessions) {
+    if (s.userId === userId && now - s.updatedAt <= TTL_MS) {
+      return s
+    }
+  }
+  return undefined
+}
+
+/**
+ * @param {string} id
+ * @param {{ lat?: number, lng?: number, routerId?: string | null, producerId?: string | null, transportId?: string | null }} updates
+ */
+export function updateLiveSession(id, updates) {
  const session = sessions.get(id)
  if (!session) return
  const now = Date.now()
@@ -41,52 +85,74 @@ export const updateLiveSession = (id, updates) => {
  session.updatedAt = now
 }

-export const deleteLiveSession = id => sessions.delete(id)
-
-export const clearSessions = () => sessions.clear()
-
-const cleanupSession = async (session) => {
-  if (session.producerId) {
-    const producer = getProducer(session.producerId)
-    producer?.close()
-  }
-  if (session.transportId) {
-    const transport = getTransport(session.transportId)
-    transport?.close()
-  }
-  if (session.routerId) {
-    await closeRouter(session.id).catch((err) => {
-      console.error(`[liveSessions] Error closing router for expired session ${session.id}:`, err)
-    })
-  }
+/**
+ * @param {string} id
+ */
+export function deleteLiveSession(id) {
+  sessions.delete(id)
 }

-export const getActiveSessions = async () => {
-  const now = Date.now()
-  const active = []
-  const expired = []
+/**
+ * Clear all sessions (for tests only).
+ */
+export function clearSessions() {
+  sessions.clear()
+}

-  for (const session of sessions.values()) {
-    if (now - session.updatedAt <= TTL_MS) {
-      active.push({
-        id: session.id,
-        userId: session.userId,
-        label: session.label,
-        lat: session.lat,
-        lng: session.lng,
-        updatedAt: session.updatedAt,
-        hasStream: Boolean(session.producerId),
+/**
+ * Returns sessions updated within TTL_MS (active only).
+ * Also cleans up expired sessions.
+ * @returns {Promise<Array<{ id: string, userId: string, label: string, lat: number, lng: number, updatedAt: number, hasStream: boolean }>>} Active sessions with hasStream flag.
+ */
+export async function getActiveSessions() {
+  const now = Date.now()
+  const result = []
+  const expiredIds = []
+  for (const [id, s] of sessions) {
+    if (now - s.updatedAt <= TTL_MS) {
+      result.push({
+        id: s.id,
+        userId: s.userId,
+        label: s.label,
+        lat: s.lat,
+        lng: s.lng,
+        updatedAt: s.updatedAt,
+        hasStream: Boolean(s.producerId),
      })
    }
    else {
-      expired.push(session)
+      expiredIds.push(id)
+    }
+  }
+  // Clean up expired sessions and their WebRTC resources
+  for (const id of expiredIds) {
+    const session = sessions.get(id)
+    if (session) {
+      // Clean up producer if it exists
+      if (session.producerId) {
+        const producer = getProducer(session.producerId)
+        if (producer) {
+          producer.close()
        }
      }

-  for (const session of expired) {
-    await cleanupSession(session)
-    sessions.delete(session.id)
+      // Clean up transport if it exists
+      if (session.transportId) {
+        const transport = getTransport(session.transportId)
+        if (transport) {
+          transport.close()
+        }
      }

-  return active
+      // Clean up router
+      if (session.routerId) {
+        await closeRouter(id).catch((err) => {
+          console.error(`[liveSessions] Error closing router for expired session ${id}:`, err)
+        })
+      }
+
+      sessions.delete(id)
+    }
+  }
+  return result
 }
--- a/server/utils/mediasoup.js
+++ b/server/utils/mediasoup.js
@@ -1,18 +1,21 @@
+/**
+ * Mediasoup SFU (Selective Forwarding Unit) setup and management.
+ * Handles WebRTC router, transport, producer, and consumer creation.
+ */
+
 import os from 'node:os'
 import mediasoup from 'mediasoup'

 let worker = null
-const routers = new Map()
-const transports = new Map()
-export const producers = new Map()
+const routers = new Map() // sessionId -> Router
+const transports = new Map() // transportId -> WebRtcTransport
+export const producers = new Map() // producerId -> Producer

-const MEDIA_CODECS = [
-  { kind: 'video', mimeType: 'video/H264', clockRate: 90000, parameters: { 'packetization-mode': 1, 'profile-level-id': '42e01f' } },
-  { kind: 'video', mimeType: 'video/VP8', clockRate: 90000 },
-  { kind: 'video', mimeType: 'video/VP9', clockRate: 90000 },
-]
-
-export const getWorker = async () => {
+/**
+ * Initialize Mediasoup worker (singleton).
+ * @returns {Promise<mediasoup.types.Worker>} The Mediasoup worker.
+ */
+export async function getWorker() {
  if (worker) return worker
  worker = await mediasoup.createWorker({
    logLevel: process.env.NODE_ENV === 'development' ? 'debug' : 'warn',
@@ -27,15 +30,50 @@ export const getWorker = async () => {
  return worker
 }

-export const getRouter = async (sessionId) => {
-  const existing = routers.get(sessionId)
-  if (existing) return existing
-  const router = await (await getWorker()).createRouter({ mediaCodecs: MEDIA_CODECS })
+/**
+ * Create or get a router for a live session.
+ * @param {string} sessionId
+ * @returns {Promise<mediasoup.types.Router>} Router for the session.
+ */
+export async function getRouter(sessionId) {
+  if (routers.has(sessionId)) {
+    return routers.get(sessionId)
+  }
+  const w = await getWorker()
+  const router = await w.createRouter({
+    mediaCodecs: [
+      {
+        kind: 'video',
+        mimeType: 'video/H264',
+        clockRate: 90000,
+        parameters: {
+          'packetization-mode': 1,
+          'profile-level-id': '42e01f',
+        },
+      },
+      {
+        kind: 'video',
+        mimeType: 'video/VP8',
+        clockRate: 90000,
+      },
+      {
+        kind: 'video',
+        mimeType: 'video/VP9',
+        clockRate: 90000,
+      },
+    ],
+  })
  routers.set(sessionId, router)
  return router
 }

-const isIPv4 = (host) => {
+/**
+ * True if the string is a valid IPv4 address (numeric a.b.c.d, each octet 0-255).
+ * Used to accept request Host as announced IP only when it's safe (no hostnames/DNS rebinding).
+ * @param {string} host
+ * @returns {boolean} True if host is a valid IPv4 address.
+ */
+function isIPv4(host) {
  if (typeof host !== 'string' || !host) return false
  const parts = host.split('.')
  if (parts.length !== 4) return false
@@ -46,24 +84,45 @@ const isIPv4 = (host) => {
  return true
 }

-const getAnnouncedIpFromInterfaces = () => {
-  for (const addrs of Object.values(os.networkInterfaces())) {
+/**
+ * First non-internal IPv4 from network interfaces (no env read).
+ * @returns {string | null} First non-internal IPv4 address or null.
+ */
+function getAnnouncedIpFromInterfaces() {
+  const ifaces = os.networkInterfaces()
+  for (const addrs of Object.values(ifaces)) {
    if (!addrs) continue
    for (const addr of addrs) {
-      if (addr.family === 'IPv4' && !addr.internal) return addr.address
+      if (addr.family === 'IPv4' && !addr.internal) {
+        return addr.address
+      }
    }
  }
  return null
 }

-const resolveAnnouncedIp = (requestHost) => {
+/**
+ * Resolve announced IP: env override, then request host if IPv4, then auto-detect. Pure and deterministic.
+ * @param {string | undefined} requestHost - Host header from the client.
+ * @returns {string | null} The IP to announce in ICE, or null for localhost-only.
+ */
+function resolveAnnouncedIp(requestHost) {
  const envIp = process.env.MEDIASOUP_ANNOUNCED_IP?.trim()
  if (envIp) return envIp
  if (requestHost && isIPv4(requestHost)) return requestHost
  return getAnnouncedIpFromInterfaces()
 }

-export const createTransport = async (router, requestHost = undefined) => {
+/**
+ * Create a WebRTC transport for a router.
+ * @param {mediasoup.types.Router} router
+ * @param {boolean} _isProducer - true for publisher, false for consumer (reserved for future use)
+ * @param {string} [requestHost] - Hostname from the request (e.g. getRequestURL(event).hostname). If a valid IPv4, used as announced IP so the client can reach the server.
+ * @returns {Promise<{ transport: mediasoup.types.WebRtcTransport, params: object }>} Transport and connection params.
+ */
+// eslint-disable-next-line no-unused-vars
+export async function createTransport(router, _isProducer = false, requestHost = undefined) {
+  // LAN first so the phone (and remote viewers) try the reachable IP before 127.0.0.1 (loopback on the client).
  const announcedIp = resolveAnnouncedIp(requestHost)
  const listenIps = announcedIp
    ? [{ ip: '0.0.0.0', announcedIp }, { ip: '127.0.0.1' }]
@@ -79,10 +138,10 @@ export const createTransport = async (router, requestHost = undefined) => {
    console.error('[mediasoup] Transport creation failed:', err)
    throw new Error(`Failed to create transport: ${err.message || String(err)}`)
  })
-
  transports.set(transport.id, transport)
-  transport.on('close', () => transports.delete(transport.id))
-
+  transport.on('close', () => {
+    transports.delete(transport.id)
+  })
  return {
    transport,
    params: {
@@ -94,22 +153,61 @@ export const createTransport = async (router, requestHost = undefined) => {
  }
 }

-export const getTransport = transportId => transports.get(transportId)
+/**
+ * Get transport by ID.
+ * @param {string} transportId
+ * @returns {mediasoup.types.WebRtcTransport | undefined} Transport or undefined.
+ */
+export function getTransport(transportId) {
+  return transports.get(transportId)
+}

-export const createProducer = async (transport, track) => {
+/**
+ * Create a producer (publisher's video track).
+ * @param {mediasoup.types.WebRtcTransport} transport
+ * @param {MediaStreamTrack} track
+ * @returns {Promise<mediasoup.types.Producer>} The producer.
+ */
+export async function createProducer(transport, track) {
  const producer = await transport.produce({ track })
  producers.set(producer.id, producer)
-  producer.on('close', () => producers.delete(producer.id))
+  producer.on('close', () => {
+    producers.delete(producer.id)
+  })
  return producer
 }

-export const getProducer = producerId => producers.get(producerId)
+/**
+ * Get producer by ID.
+ * @param {string} producerId
+ * @returns {mediasoup.types.Producer | undefined} Producer or undefined.
+ */
+export function getProducer(producerId) {
+  return producers.get(producerId)
+}

-export const getTransports = () => transports
+/**
+ * Get transports Map (for cleanup).
+ * @returns {Map<string, mediasoup.types.WebRtcTransport>} Map of transport ID to transport.
+ */
+export function getTransports() {
+  return transports
+}

-export const createConsumer = async (transport, producer, rtpCapabilities) => {
-  if (producer.closed) throw new Error('Producer is closed')
-  if (producer.paused) await producer.resume()
+/**
+ * Create a consumer (viewer subscribes to producer's stream).
+ * @param {mediasoup.types.WebRtcTransport} transport
+ * @param {mediasoup.types.Producer} producer
+ * @param {boolean} rtpCapabilities
+ * @returns {Promise<{ consumer: mediasoup.types.Consumer, params: object }>} Consumer and connection params.
+ */
+export async function createConsumer(transport, producer, rtpCapabilities) {
+  if (producer.closed) {
+    throw new Error('Producer is closed')
+  }
+  if (producer.paused) {
+    await producer.resume()
+  }

  const consumer = await transport.consume({
    producerId: producer.id,
@@ -131,7 +229,11 @@ export const createConsumer = async (transport, producer, rtpCapabilities) => {
  }
 }

-export const closeRouter = async (sessionId) => {
+/**
+ * Clean up router for a session.
+ * @param {string} sessionId
+ */
+export async function closeRouter(sessionId) {
  const router = routers.get(sessionId)
  if (router) {
    router.close()
@@ -139,4 +241,10 @@ export const closeRouter = async (sessionId) => {
  }
 }

-export const getActiveRouters = () => Array.from(routers.keys())
+/**
+ * Get all active routers (for debugging/monitoring).
+ * @returns {Array<string>} Session IDs with active routers
+ */
+export function getActiveRouters() {
+  return Array.from(routers.keys())
+}
--- a/server/utils/migrateFeedsToDevices.js
+++ b/server/utils/migrateFeedsToDevices.js
@@ -0,0 +1,27 @@
+import { join } from 'node:path'
+import { readFileSync, existsSync } from 'node:fs'
+import { getDb } from './db.js'
+import { sanitizeStreamUrl } from './feedUtils.js'
+
+/**
+ * One-time migration: insert entries from server/data/feeds.json into devices (device_type = 'feed').
+ * No-op if devices table already has rows or feeds file is missing.
+ */
+export async function migrateFeedsToDevices() {
+  const db = await getDb()
+  const row = await db.get('SELECT COUNT(*) as n FROM devices')
+  if (row?.n > 0) return
+  const path = join(process.cwd(), 'server/data/feeds.json')
+  if (!existsSync(path)) return
+  const data = JSON.parse(readFileSync(path, 'utf8'))
+  const list = Array.isArray(data) ? data : []
+  for (const feed of list) {
+    if (!feed?.id || typeof feed.name !== 'string' || typeof feed.lat !== 'number' || typeof feed.lng !== 'number') continue
+    const streamUrl = sanitizeStreamUrl(feed.streamUrl) ?? ''
+    const sourceType = feed.sourceType === 'hls' ? 'hls' : 'mjpeg'
+    await db.run(
+      'INSERT OR IGNORE INTO devices (id, name, device_type, vendor, lat, lng, stream_url, source_type, config) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)',
+      [feed.id, feed.name, 'feed', null, feed.lat, feed.lng, streamUrl, sourceType, null],
+    )
+  }
+}
--- a/server/utils/webrtcSignaling.js
+++ b/server/utils/webrtcSignaling.js
@@ -32,7 +32,7 @@ export async function handleWebSocketMessage(userId, sessionId, type, data) {
      }
      case 'create-transport': {
        const router = await getRouter(sessionId)
-        const { transport, params } = await createTransport(router)
+        const { transport, params } = await createTransport(router, true)
        updateLiveSession(sessionId, { transportId: transport.id, routerId: router.id })
        return { type: 'transport-created', data: params }
      }
--- a/test/e2e/global-setup.js
+++ b/test/e2e/global-setup.js
@@ -1,58 +1,66 @@
+/**
+ * Global setup for E2E tests.
+ * Runs once before all tests.
+ */
+
 import { existsSync, mkdirSync } from 'node:fs'
 import { join, dirname } from 'node:path'
 import { fileURLToPath } from 'node:url'
 import { execSync } from 'node:child_process'

-const projectRoot = join(dirname(fileURLToPath(import.meta.url)), '../../..')
+const _dirname = dirname(fileURLToPath(import.meta.url))
+const projectRoot = join(_dirname, '../../..')
 const devCertsDir = join(projectRoot, '.dev-certs')
 const devKey = join(devCertsDir, 'key.pem')
 const devCert = join(devCertsDir, 'cert.pem')

+// Import server modules (ES modules)
 const { getDb } = await import('../../server/utils/db.js')
 const { hashPassword } = await import('../../server/utils/password.js')
 const { TEST_ADMIN } = await import('./fixtures/users.js')

-const ensureDevCerts = () => {
-  if (existsSync(devKey) && existsSync(devCert)) return
+function ensureDevCerts() {
+  if (existsSync(devKey) && existsSync(devCert)) {
+    return // Certs already exist
+  }

+  // Create .dev-certs directory
  mkdirSync(devCertsDir, { recursive: true })
+
+  // Generate self-signed cert for localhost/127.0.0.1
+  const SAN = 'subjectAltName=IP:127.0.0.1,DNS:localhost'
  try {
    execSync(
-      `openssl req -x509 -newkey rsa:2048 -keyout "${devKey}" -out "${devCert}" -days 365 -nodes -subj "/CN=localhost" -addext "subjectAltName=IP:127.0.0.1,DNS:localhost"`,
-      { cwd: projectRoot, stdio: process.env.CI ? 'pipe' : 'inherit' },
+      `openssl req -x509 -newkey rsa:2048 -keyout "${devKey}" -out "${devCert}" -days 365 -nodes -subj "/CN=localhost" -addext "${SAN}"`,
+      { cwd: projectRoot, stdio: 'inherit' },
    )
+    console.log('[test] Generated .dev-certs/key.pem and .dev-certs/cert.pem')
  }
  catch (error) {
    throw new Error(`Failed to generate dev certificates: ${error.message}`)
  }
 }

-export default async function globalSetup() {
+async function globalSetup() {
+  // Ensure dev certificates exist
  ensureDevCerts()

-  let retries = 3
-  while (retries > 0) {
-    try {
+  // Create test admin user if it doesn't exist
  const { get, run } = await getDb()
-      const existing = await get('SELECT id FROM users WHERE identifier = ?', [TEST_ADMIN.identifier])
+  const existingUser = await get('SELECT id FROM users WHERE identifier = ?', [TEST_ADMIN.identifier])

-      if (!existing) {
+  if (!existingUser) {
+    const id = crypto.randomUUID()
+    const now = new Date().toISOString()
    await run(
      'INSERT INTO users (id, identifier, password_hash, role, created_at, auth_provider, oidc_issuer, oidc_sub) VALUES (?, ?, ?, ?, ?, ?, ?, ?)',
-          [crypto.randomUUID(), TEST_ADMIN.identifier, hashPassword(TEST_ADMIN.password), TEST_ADMIN.role, new Date().toISOString(), 'local', null, null],
+      [id, TEST_ADMIN.identifier, hashPassword(TEST_ADMIN.password), TEST_ADMIN.role, now, 'local', null, null],
    )
+    console.log(`[test] Created test admin user: ${TEST_ADMIN.identifier}`)
  }
-      return
-    }
-    catch (error) {
-      if (error.message?.includes('SQLITE_BUSY') || error.message?.includes('database is locked')) {
-        retries--
-        if (retries > 0) {
-          await new Promise(resolve => setTimeout(resolve, 100 * (4 - retries)))
-          continue
-        }
-      }
-      throw error
-    }
+  else {
+    console.log(`[test] Test admin user already exists: ${TEST_ADMIN.identifier}`)
  }
 }
+
+export default globalSetup
--- a/test/e2e/live-streaming.spec.js
+++ b/test/e2e/live-streaming.spec.js
@@ -28,10 +28,8 @@ test.describe('Live Streaming E2E', () => {

  test('publisher only: start sharing and reach Live', async ({ browser, browserName }) => {
    test.skip(browserName !== 'chromium', 'Fake camera only supported in Chromium')
-    // Skip in CI - WebRTC tests are flaky with fake media devices in CI environments
-    test.skip(!!process.env.CI, 'WebRTC tests skipped in CI due to flaky fake media device support')
    const ctx = await browser.newContext({
-      permissions: ['camera', 'microphone', 'geolocation'],
+      permissions: ['geolocation'],
      geolocation: { latitude: 37.7749, longitude: -122.4194 },
    })
    const page = await ctx.newPage()
@@ -57,11 +55,9 @@ test.describe('Live Streaming E2E', () => {

  test('Mobile Safari publishes, Desktop Chrome views', async ({ browser, browserName }) => {
    test.skip(browserName !== 'chromium', 'Fake camera only supported in Chromium')
-    // Skip in CI - WebRTC tests are flaky with fake media devices in CI environments
-    test.skip(!!process.env.CI, 'WebRTC tests skipped in CI due to flaky fake media device support')
    // Publisher context (same as publisher-only test for reliability)
    const publisherContext = await browser.newContext({
-      permissions: ['camera', 'microphone', 'geolocation'],
+      permissions: ['geolocation'],
      geolocation: { latitude: 37.7749, longitude: -122.4194 },
    })
    const publisherPage = await publisherContext.newPage()
@@ -127,10 +123,8 @@ test.describe('Live Streaming E2E', () => {

  test('Mobile Safari publishes, Desktop Firefox views', async ({ browser, browserName }) => {
    test.skip(browserName !== 'chromium', 'Fake camera only supported in Chromium')
-    // Skip in CI - WebRTC tests are flaky with fake media devices in CI environments
-    test.skip(!!process.env.CI, 'WebRTC tests skipped in CI due to flaky fake media device support')
    const publisherContext = await browser.newContext({
-      permissions: ['camera', 'microphone', 'geolocation'],
+      permissions: ['geolocation'],
      geolocation: { latitude: 37.7749, longitude: -122.4194 },
    })
    const publisherPage = await publisherContext.newPage()
--- a/test/nuxt/KestrelMap.spec.js
+++ b/test/nuxt/KestrelMap.spec.js
@@ -10,24 +10,24 @@ vi.mock('leaflet.offline', () => ({ tileLayerOffline: null, savetiles: null }))
 describe('KestrelMap', () => {
  it('renders map container', async () => {
    const wrapper = await mountSuspended(KestrelMap, {
-      props: { devices: [] },
+      props: { feeds: [] },
    })
    expect(wrapper.find('[data-testid="kestrel-map"]').exists()).toBe(true)
  })

-  it('accepts devices prop', async () => {
-    const devices = [
+  it('accepts feeds prop', async () => {
+    const feeds = [
      { id: '1', name: 'A', lat: 37.7, lng: -122.4, streamUrl: '', sourceType: 'mjpeg' },
    ]
    const wrapper = await mountSuspended(KestrelMap, {
-      props: { devices },
+      props: { feeds },
    })
-    expect(wrapper.props('devices')).toEqual(devices)
+    expect(wrapper.props('feeds')).toEqual(feeds)
  })

  it('has select emit', async () => {
    const wrapper = await mountSuspended(KestrelMap, {
-      props: { devices: [] },
+      props: { feeds: [] },
    })
    wrapper.vm.$emit('select', { id: 'x', name: 'X', lat: 0, lng: 0 })
    expect(wrapper.emitted('select')).toHaveLength(1)
@@ -67,7 +67,7 @@ describe('KestrelMap', () => {
  it('accepts pois and canEditPois props', async () => {
    const wrapper = await mountSuspended(KestrelMap, {
      props: {
-        devices: [],
+        feeds: [],
        pois: [{ id: 'p1', lat: 37.7, lng: -122.4, label: 'P', icon_type: 'pin' }],
        canEditPois: false,
      },
--- a/test/nuxt/api.spec.js
+++ b/test/nuxt/api.spec.js
@@ -0,0 +1,14 @@
+import { describe, it, expect } from 'vitest'
+import { getValidFeeds } from '../../server/utils/feedUtils.js'
+
+describe('API contract', () => {
+  it('getValidFeeds returns array suitable for API response', () => {
+    const raw = [
+      { id: '1', name: 'A', lat: 1, lng: 2 },
+      { id: '2', name: 'B', lat: 3, lng: 4 },
+    ]
+    const out = getValidFeeds(raw)
+    expect(Array.isArray(out)).toBe(true)
+    expect(out).toHaveLength(2)
+  })
+})
--- a/test/unit/feedUtils.spec.js
+++ b/test/unit/feedUtils.spec.js
@@ -0,0 +1,119 @@
+import { describe, it, expect } from 'vitest'
+import { isValidFeed, getValidFeeds, sanitizeStreamUrl, sanitizeFeedForResponse } from '../../server/utils/feedUtils.js'
+
+describe('feedUtils', () => {
+  describe('isValidFeed', () => {
+    it('returns true for valid feed', () => {
+      expect(isValidFeed({
+        id: '1',
+        name: 'Cam',
+        lat: 37.7,
+        lng: -122.4,
+      })).toBe(true)
+    })
+
+    it('returns false for null', () => {
+      expect(isValidFeed(null)).toBe(false)
+    })
+
+    it('returns false for missing id', () => {
+      expect(isValidFeed({ name: 'x', lat: 0, lng: 0 })).toBe(false)
+    })
+
+    it('returns false for wrong lat type', () => {
+      expect(isValidFeed({ id: '1', name: 'x', lat: '37', lng: -122 })).toBe(false)
+    })
+  })
+
+  describe('getValidFeeds', () => {
+    it('returns only valid feeds', () => {
+      const list = [
+        { id: 'a', name: 'A', lat: 1, lng: 2 },
+        null,
+        { id: 'b', name: 'B', lat: 3, lng: 4 },
+      ]
+      expect(getValidFeeds(list)).toHaveLength(2)
+    })
+
+    it('returns empty array for non-array', () => {
+      expect(getValidFeeds(null)).toEqual([])
+      expect(getValidFeeds({})).toEqual([])
+    })
+  })
+
+  describe('sanitizeStreamUrl', () => {
+    it('allows http and https', () => {
+      expect(sanitizeStreamUrl('https://example.com/stream')).toBe('https://example.com/stream')
+      expect(sanitizeStreamUrl('http://example.com/stream')).toBe('http://example.com/stream')
+    })
+
+    it('returns empty for javascript:, data:, and other schemes', () => {
+      expect(sanitizeStreamUrl('javascript:alert(1)')).toBe('')
+      expect(sanitizeStreamUrl('data:text/html,<script>')).toBe('')
+      expect(sanitizeStreamUrl('file:///etc/passwd')).toBe('')
+    })
+
+    it('returns empty for non-strings or empty', () => {
+      expect(sanitizeStreamUrl('')).toBe('')
+      expect(sanitizeStreamUrl('   ')).toBe('')
+      expect(sanitizeStreamUrl(null)).toBe('')
+      expect(sanitizeStreamUrl(123)).toBe('')
+    })
+  })
+
+  describe('sanitizeFeedForResponse', () => {
+    it('returns safe shape with sanitized streamUrl and sourceType', () => {
+      const feed = {
+        id: 'f1',
+        name: 'Cam',
+        lat: 37,
+        lng: -122,
+        streamUrl: 'https://safe.com/s',
+        sourceType: 'mjpeg',
+      }
+      const out = sanitizeFeedForResponse(feed)
+      expect(out).toEqual({
+        id: 'f1',
+        name: 'Cam',
+        lat: 37,
+        lng: -122,
+        streamUrl: 'https://safe.com/s',
+        sourceType: 'mjpeg',
+      })
+    })
+
+    it('strips dangerous streamUrl and normalizes sourceType', () => {
+      const feed = {
+        id: 'f2',
+        name: 'Bad',
+        lat: 0,
+        lng: 0,
+        streamUrl: 'javascript:alert(1)',
+        sourceType: 'hls',
+      }
+      const out = sanitizeFeedForResponse(feed)
+      expect(out.streamUrl).toBe('')
+      expect(out.sourceType).toBe('hls')
+    })
+
+    it('includes description only when string', () => {
+      const withDesc = sanitizeFeedForResponse({
+        id: 'a',
+        name: 'n',
+        lat: 0,
+        lng: 0,
+        description: 'A camera',
+      })
+      expect(withDesc.description).toBe('A camera')
+
+      const noDesc = sanitizeFeedForResponse({
+        id: 'b',
+        name: 'n',
+        lat: 0,
+        lng: 0,
+        description: 123,
+      })
+      expect(noDesc).not.toHaveProperty('description')
+    })
+  })
+})
--- a/test/unit/mediasoup.spec.js
+++ b/test/unit/mediasoup.spec.js
@@ -25,7 +25,7 @@ describe('Mediasoup', () => {

  it('should create a transport', async () => {
    const router = await getRouter(sessionId)
-    const { transport, params } = await createTransport(router)
+    const { transport, params } = await createTransport(router, true)
    expect(transport).toBeDefined()
    expect(params.id).toBe(transport.id)
    expect(params.iceParameters).toBeDefined()
@@ -35,7 +35,7 @@ describe('Mediasoup', () => {

  it('should create a transport with requestHost IPv4 and return valid params', async () => {
    const router = await getRouter(sessionId)
-    const { transport, params } = await createTransport(router, '192.168.2.100')
+    const { transport, params } = await createTransport(router, true, '192.168.2.100')
    expect(transport).toBeDefined()
    expect(params.id).toBe(transport.id)
    expect(params.iceParameters).toBeDefined()
--- a/test/unit/migrateFeedsToDevices.spec.js
+++ b/test/unit/migrateFeedsToDevices.spec.js
@@ -0,0 +1,32 @@
+import { describe, it, expect, beforeEach, afterEach } from 'vitest'
+import { getDb, setDbPathForTest } from '../../server/utils/db.js'
+import { migrateFeedsToDevices } from '../../server/utils/migrateFeedsToDevices.js'
+
+describe('migrateFeedsToDevices', () => {
+  beforeEach(() => {
+    setDbPathForTest(':memory:')
+  })
+
+  afterEach(() => {
+    setDbPathForTest(null)
+  })
+
+  it('runs without error when devices table is empty', async () => {
+    const db = await getDb()
+    await expect(migrateFeedsToDevices()).resolves.toBeUndefined()
+    const rows = await db.all('SELECT id FROM devices')
+    expect(rows.length).toBeGreaterThanOrEqual(0)
+  })
+
+  it('is no-op when devices already has rows', async () => {
+    const db = await getDb()
+    await db.run(
+      'INSERT INTO devices (id, name, device_type, vendor, lat, lng, stream_url, source_type, config) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)',
+      ['existing', 'Existing', 'feed', null, 0, 0, '', 'mjpeg', null],
+    )
+    await migrateFeedsToDevices()
+    const rows = await db.all('SELECT id FROM devices')
+    expect(rows).toHaveLength(1)
+    expect(rows[0].id).toBe('existing')
+  })
+})
--- a/vitest.config.js
+++ b/vitest.config.js
@@ -22,6 +22,7 @@ export default defineVitestConfig({
        'app/composables/useCameras.js', // Visibility/polling branches; covered by E2E
        'server/utils/mediasoup.js', // Requires real mediasoup worker; covered by integration/E2E
        'server/utils/db.js', // Bootstrap/path branches depend on env; covered by integration
+        'server/utils/migrateFeedsToDevices.js', // File-system branches; one-time migration
        '**/*.spec.js',
        '**/*.config.js',
        '**/node_modules/**',
Author	SHA1	Message	Date
Madison Grubb	480f2508f2	fix ci	2026-02-11 22:41:01 -05:00
Madison Grubb	dc92c981e4	add ci	2026-02-11 22:38:50 -05:00