fix: stabilize logging, logs API, CORS, auth, and repo validation #110

Open
codxbrexx wants to merge 16 commits into metacall:master from codxbrexx:Redesign_dashboard_metacall

@codxbrexx (Contributor) commented Mar 4, 2026

Summary

This PR fixes a bunch of stability and security issues in the local FaaS backend to get everything running smoothly.

Note: The new UI dashboard has been extracted to a separate repository based on maintainer feedback, so there is no UI code in this PR.

What We Did

1. Better Logging

  • The Issue: The old logger could get stuck in an infinite loop looking for an unused color code, crashing the server.
  • The Fix: We completely rewrote the logger! It now assigns colors in a safe, round-robin way. Log lines are now cleanly parsed, leveled (INFO, WARN, ERROR, DEBUG, HTTP), and timestamps are added so that log aggregators can easily parse them. Multi-line logs (like stack traces) finally stay together instead of splitting weirdly.

2. Working Logs API

  • The Issue: The POST /api/deploy/logs endpoint was just a stub that returned 'TODO: Implement Logs...'.
  • The Fix: We replaced the stub with a real implementation that reads from our new structured log files. It supports filtering logs by deployment suffix and fetching them incrementally.

3. Enabled CORS

  • The Issue: Frontend apps (like our dashboard running on port 5173) couldn't make requests to the FaaS API because of CORS errors.
  • The Fix: Added a lightweight CORS middleware directly into api.ts. It allows common local development ports (3000, 5173) and supports auth headers.

4. Basic Auth Skeleton

  • The Issue: Lack of mock authentication for local development.
  • The Fix: Added a local users.json auth scaffold with login/signup endpoints and a default dev@metacall.io account.

5. Repository Security Fixes

  • The Issue: Git shell commands were using raw user-input URLs, creating a major command-injection vulnerability.
  • The Fix: We added strict validation. Repo URLs must start with standard Git prefixes (https://, ssh://, git@), and branch names are strictly validated before any exec() command runs.

6. Inspect Stability

  • The Issue: Querying an incomplete deployment where packages wasn't set yet would throw an error and break the entire /api/inspect endpoint.
  • The Fix: Incomplete deployments are now safely skipped instead of crashing the process.

7. Deployment Promises Fixed

  • The Issue: There was a race condition in deployProcess where a promise could settle twice across different IPC exits.
  • The Fix: Added an isSettled safety check inside the promise resolution.

8. Docker Compose Healthcheck Fix

  • The Issue: The automated CI integration test often failed because the test container fired before the actual FaaS server was ready.
  • The Fix: Added a healthcheck to the Docker Compose faas service. The tests now won't trigger until FaaS is actively serving on localhost:9000/api/readiness.

9. Cleaned Up Merged Code & Formatting

  • The Issue: This PR initially carried some lifecycle fixes we already merged in PR #100 ("fix: stabilize FaaS lifecycle hooks (env injection, cwd, async execution)"), which would cause conflicts. Prettier also accidentally messed up the .yml GitHub Actions.
  • The Fix: We manually removed the already-merged lifecycle tests from this branch. We restored the *.yml ignore rule in .prettierignore, reverted the GitHub Action formatting, and did a general cleanup of leftover files (like removing mocha_log.txt).

Tasks

  • Re-architected logger.ts to assign colors safely and emit structured format
  • Implemented POST /api/deploy/logs with line-polling support
  • Injected CORS middleware into api.ts
  • Built mocked users.json authentication scaffold with login/signup endpoints
  • Secured exec() commands in repository.ts with strict git URL/branch validation
  • Fixed isSettled race condition inside deploy.ts promises
  • Added Docker Compose healthcheck to stabilize CI wait times

What Is Left To Do

  • Implement WebSocket support for real-time log streaming (we are currently just polling)
  • Connect auth endpoints to a real production database
  • Improve end-to-end (E2E) testing coverage around Git deployments
  • Tie-in the separated Dashboard UI repository with this API backend

Testing Verification

  • Unit Tests: npm test successfully passes all 28 logging-utility unit tests!
  • Integration Tests: Passing locally via sudo docker compose up --build --exit-code-from test.

Note: Once we have to make a new repo for the UI, we might have to update the CORS middleware to allow the UI to make requests to the backend.
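
The repository validation described in item 5, sketched as an added example; this is not code from the PR or from repository.ts. The function names, regular expressions, length limits and clone flags are assumptions chosen for illustration. The validated values are returned as an argument array meant for `child_process.execFile("git", args)`, which does not go through a shell the way `exec()` does.

```typescript
// Added example: names and rules are illustrative, not taken from repository.ts.
const ALLOWED_PREFIXES = ["https://", "ssh://", "git@"];

// Whitespace, control characters and shell metacharacters have no place in a clone URL.
const UNSAFE_URL_CHARS = /[\s;&|`$<>(){}\\'"!*?\x00-\x1f]/;

// Conservative branch rule: starts alphanumeric, then letters, digits, '.', '_', '/', '-'.
const BRANCH_RE = /^[A-Za-z0-9][A-Za-z0-9._\/-]{0,254}$/;

function isValidRepoUrl(url: string): boolean {
  if (url.length === 0 || url.length > 2048) return false;
  if (!ALLOWED_PREFIXES.some((p) => url.startsWith(p))) return false;
  return !UNSAFE_URL_CHARS.test(url);
}

function isValidBranch(branch: string): boolean {
  // The leading-alphanumeric rule also rejects values that look like options ("-x").
  if (!BRANCH_RE.test(branch)) return false;
  // Sequences git itself refuses in ref names.
  if (branch.includes("..") || branch.includes("//")) return false;
  return !branch.endsWith("/") && !branch.endsWith(".") && !branch.endsWith(".lock");
}

// Builds the argv for `git clone`. "--" ends option parsing, so even a value
// that slipped past validation cannot be read as a git flag.
function buildCloneArgs(url: string, branch: string, dest: string): string[] {
  if (!isValidRepoUrl(url)) throw new Error("rejected repository URL");
  if (!isValidBranch(branch)) throw new Error("rejected branch name");
  return ["clone", "--depth", "1", "--branch", branch, "--", url, dest];
}
```

Validation and the shell-free argument array are independent layers: either one alone narrows the risk, and together a bypass of the pattern check still does not reach a shell.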

codxbrexx and others added 15 commits February 27, 2026 02:47
…ce dashboard with server status and detailed deployment cards.
…ement full deployment management features on the Deployments page including listing, search, filter, and delete.
… refreshing, testing functions, and deleting deployments.
…, and repository deployment, and integrate new layout components.
…es, update CI/CD workflows, and refactor various UI components.
… process error handling, and refine UI pages and components.
…nsive documentation for the FaaS UI dashboard.
@codxbrexx codxbrexx changed the title feat(ui): Complete FaaS Local Dashboard UI Redesign fix: stabilize logging, logs API, CORS, auth, and repo validation Mar 5, 2026