Dev

[kainovaii]

Pull Request: Core v2.5.0 — Tests & Internal Hardening

Summary

Adds 249 unit tests across 16 test classes covering every critical subsystem, eliminates magic strings via enums and constants, fixes thread safety issues in static registries, and replaces silent exception swallowing with proper logging.

---

Changes

1. Unit test suite (249 tests)

Added: 16 test classes

• ContainerTest — DI resolve, singleton, constructor/field injection, circular detection, interface binding
• BlueprintTest — SQL generation per DB type (SQLite, MySQL, PostgreSQL), modifiers, full table scenarios
• AuthPasswordTest — BCrypt hash/check, unicode, long passwords
• AuthTest — login/logout, session attributes, user resolution, hasRole, token auth, brute force integration
• LoginRateLimiterTest — lockout after 5 failures, IP/username independence, reset on success
• RouteLoaderTest — resolvePrefix edge cases (trailing slash, whitespace, no annotation), named routes
• RequestValidatorTest — all 14 validation rules, chained rules, early stop, validateSafe
• ValidationErrorsTest — add, first-error-only, count, defensive copy
• EnvLoaderTest — .env loading, get/getRequired/getInt/getBoolean, singleton guard
• ArgParserTest — positional params, options, flags, defaults, type coercion, variadic
• InMemoryCacheDriverTest — put/get, TTL expiry, forget, putAll/getAll
• CacheTest — facade delegation, remember pattern
• CsrfTokenRepositoryTest — token generation, validation, expiry, removal
• RoleCheckerTest — registration of roles, login-required, token-required paths
• LocalDiskTest — read/write/delete/list, stream, URL generation, path traversal protection
• StorageManagerTest — disk selection, delegation, multi-disk isolation, chaining

New test dependency: mockito-core 5.14.2 (scope: test)

2. DatabaseType enum — eliminates DB type magic strings

Added: DatabaseType.java
Modified: DB.java, Migration.java, MigrationManager.java, DatabaseLoader.java

• Replaces all "sqlite" / "mysql" / "postgresql" string comparisons with DatabaseType.SQLITE / MYSQL / POSTGRESQL
• DB.getType() now returns DatabaseType instead of String
• Blueprint constructor takes DatabaseType instead of String
• DatabaseType.fromString() handles null/empty with SQLITE default

3. SessionKeys constants — eliminates session attribute magic strings

Added: SessionKeys.java
Modified: Auth.java, RouteHandler.java

• "logged", "user_id", "username", "role", "flash_error" replaced with SessionKeys.* constants

4. EnvKeys constants — eliminates environment variable magic strings

Added: EnvKeys.java
Modified: Obsidian.java, WebServer.java, ErrorHandler.java, RoleChecker.java, DatabaseLoader.java, CacheLoader.java, StorageLoader.java, PebbleTemplateEngine.java, FlowScriptExtension.java

• All "ENVIRONMENT", "PORT_WEB", "DB_TYPE", "CACHE_DRIVER", "STORAGE_*", "SITE_URL" replaced with EnvKeys.* constants

5. Thread safety — concurrent collections in static registries

Modified: RoleChecker.java, MiddlewareManager.java, Route.java, TemplateManager.java

• HashMap → ConcurrentHashMap
• HashSet → ConcurrentHashMap.newKeySet()
• ArrayList → CopyOnWriteArrayList

6. Silent exception handling — catch ignored → proper logging

Modified: Auth.java, ArgParser.java, CommandDiscovery.java, CliComponents.java

• catch (Exception ignored) {} replaced with logger.warn() / logger.debug() where appropriate
• Auth.java: TokenResolver instantiation failure is now logged (was silently swallowed)
• CliComponents.java: InterruptedException now restores interrupt flag via Thread.currentThread().interrupt()
• Added Logger field to Auth, ArgParser, CommandDiscovery

---

Breaking Changes

DB.getType() returns DatabaseType instead of String. Apps comparing with "sqlite" must use DatabaseType.SQLITE instead. All other changes are internal.