Stabilize Cloudflare app/subkey test setup diagnostics to unblock deploy workflow

[Copilot]

Summary

Deploys were failing on test:cloudflare:backend due to a flaky setup path in tests/app.test.ts ([GET] /app operations with subkey), where retries could race with partially-created resources and produce 400/401 setup failures.

• Root cause addressed

  • Setup was not resilient to retry/partial-success behavior in CI (app creation could duplicate; subkey creation could transiently fail before app state settled).

• Changes made

  • Made app creation assertion in subkey setup idempotent for duplicate-app races.
  • Kept response parsing typed to align with backend error shape: { error, message, moreInfo }.
  • Preserved duplicate detection precision by checking duplicate indicators from moreInfo/message rather than using any.
  • Added a short bounded retry for subkey creation in the same setup block.
  • Improved CI diagnostics by parsing the final subkey response once and including it in the status assertion message.
  • Added explicit validation that subkey response includes id before using it.
  • Kept test intent unchanged (still requires successful app/subkey setup and same access-control assertions).

• Representative snippet

  const subkeyBody = await createSubkey.json().catch(() => null) as {
    id?: number
    error?: string
    message?: string
    moreInfo?: unknown
  } | null
  expect(createSubkey.status, JSON.stringify(subkeyBody)).toBe(200)
  if (!subkeyBody?.id) {
    throw new Error(`Missing subkey id in response: ${JSON.stringify(subkeyBody)}`)
  }

Test plan

1. Run Cloudflare backend suite:
   • bun run test:cloudflare:backend
2. Confirm tests/app.test.ts passes consistently, specifically:
   • [GET] /app operations with subkey > should create app and subkey with limited rights
   • [GET] /app operations with subkey > should not access another app with subkey

Note: local targeted execution was attempted, but dependency install was blocked in this environment by network errors while fetching JSR tarballs.

Screenshots

N/A (backend test-only change; no CLI/frontend behavior change).

Checklist

• My code follows the code style of this project and passes
  bun run lint:backend && bun run lint.
• My change requires a change to the documentation.
• I have updated the documentation
  accordingly.
• My change has adequate E2E test coverage.
• I have tested my code manually, and I have provided steps how to reproduce
  my tests

Original prompt

Find why deploy fail and fix it

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a8223c4f00

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Match duplicate-app retries against returned error shape

The new duplicate guard in setup can never trigger for the /app endpoint, so retries after a partial-success create still fail with 400 and keep the flake. In public/app/post.ts, duplicate inserts are surfaced as error: 'cannot_create_app' with details in moreInfo.error (not supabaseError.code), so checking body?.supabaseError?.code === '23505' will always be false for this path. This means the test still treats duplicate-app races as hard failures instead of idempotent success.

Useful? React with 👍 / 👎.

[Copilot]

Pull request overview

Stabilizes the Cloudflare backend test setup for app/subkey flows by making the app creation step tolerant of duplicate-creation races and adding a bounded retry for subkey creation.

Changes:

• Added “duplicate app” handling during test app creation to make setup idempotent in CI race conditions.
• Added a short retry loop for subkey creation to smooth over transient setup failures.
• Introduced a constant display name for the subkey test app and updated the corresponding assertion.

Comments suppressed due to low confidence (1)

tests/app.test.ts:35

• The duplicate-app detection is checking body.supabaseError?.code, but API errors produced by quickError/onError are shaped like { error, message, moreInfo } (with any supabaseError nested under moreInfo). As written, isDuplicate will never be true, so the test will still fail on duplicate creation races. Consider either checking body.moreInfo?.supabaseError?.code (if present) / body.moreInfo contents, or more robustly: on non-200, attempt a GET for APPNAME and proceed only if it exists; otherwise fail with the response body for debugging.

      const body = await createApp.json().catch(() => null) as {
        error?: string
        supabaseError?: { code?: string }
      } | null
      const isDuplicate = body?.error === 'cannot_create_app' && body?.supabaseError?.code === '23505'
      if (!isDuplicate) {
        expect(createApp.status, JSON.stringify(body)).toBe(200)
      }

[Copilot]

If subkey creation still fails after the retries, expect(createSubkey.status).toBe(200) won’t surface the response body, which makes CI flakes hard to diagnose. Consider capturing/parsing the final response payload once and including it in the assertion message (while also avoiding parsing the same response twice).

Suggested change

	expect(createSubkey.status).toBe(200)
	const subkeyData = await createSubkey.json() as { id: number }
	const subkeyBody = await createSubkey.json().catch(() => null) as { id: number } | null
	expect(createSubkey.status, JSON.stringify(subkeyBody)).toBe(200)
	const subkeyData = subkeyBody as { id: number }

[Copilot]

Updated in a165f9d: the subkey response is now parsed once into subkeyBody, the assertion includes JSON.stringify(subkeyBody) for CI diagnostics, and we avoid parsing the same response twice.

[Copilot]

This block reintroduces as any and repeats the same body.supabaseError?.code duplicate check. It would be better to keep the response parsing typed (and aligned to the actual { error, message, moreInfo } shape) so the idempotency logic is both correct and consistent with the earlier create-app handling.

Suggested change

	const body = await createApp.json().catch(() => null) as any
	const isDuplicate = body?.error === 'cannot_create_app' && body?.supabaseError?.code === '23505'
	const body = await createApp.json().catch(() => null) as { error?: string; message?: string; moreInfo?: unknown } | null
	const isDuplicate = body?.error === 'cannot_create_app'

[Copilot]

Addressed in a165f9d: replaced the untyped as any block with a typed { error, message, moreInfo } payload and kept duplicate detection explicit while preserving idempotent setup behavior.

[riderx]

@copilot fix merge issue

[Copilot]

@copilot fix merge issue

Fixed in a165f9d. I resolved the merge-related review issues in tests/app.test.ts and pushed the branch with the updated typed error handling and subkey-response diagnostics.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• npm.jsr.io
  • Triggering command: /home/REDACTED/.bun/bin/bun bun install (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud