2026-04-07 21:58:25 -04:00
import 'dotenv/config';
import express from 'express';
import cors from 'cors';
2026-05-27 14:06:41 -04:00
import session from 'express-session';
import connectPgSimple from 'connect-pg-simple';
// Postgres-backed session store class for express-session; the session
// middleware further down instantiates it with the shared pg pool.
const PgStore = connectPgSimple(session);
2026-05-19 23:50:19 -04:00
import os from 'node:os';
2026-05-20 17:25:11 -04:00
import { exec } from 'node:child_process';
2026-04-07 21:58:25 -04:00
import pool from './db/pool.js';
import { errorHandler } from './middleware/errors.js';
2026-05-27 14:13:21 -04:00
import { requireAuth } from './middleware/auth.js';
2026-05-20 15:53:26 -04:00
import { loadS3ConfigFromDb } from './s3/client.js';
2026-04-07 21:58:25 -04:00
2026-05-15 23:40:12 -04:00
// Routes
2026-04-07 21:58:25 -04:00
import assetsRouter from './routes/assets.js';
import projectsRouter from './routes/projects.js';
import binsRouter from './routes/bins.js';
import jobsRouter from './routes/jobs.js';
import captureRouter from './routes/capture.js';
2026-04-07 22:05:39 -04:00
import uploadRouter from './routes/upload.js';
import recordersRouter from './routes/recorders.js';
2026-04-18 13:42:09 -04:00
import settingsRouter from './routes/settings.js';
import amppRouter from './routes/ampp.js';
2026-05-18 21:25:36 -04:00
import groupsRouter from './routes/groups.js';
2026-05-18 19:54:41 -04:00
import sequencesRouter from './routes/sequences.js';
2026-05-19 23:50:19 -04:00
import systemRouter from './routes/system.js';
import clusterRouter from './routes/cluster.js';
feat: SDK deployment UI, proxy encoding global settings, S3 env fallback
- Settings: drop AMPP tab, rename GPU/Transcoding → Proxy encoding
with explicit 'applied to every ingested file' wording, expose
CPU codec/preset options when GPU is off
- New Capture SDKs tab (Settings): upload Blackmagic / AJA / Deltacast
SDK archives (.zip / .tar.gz) staged to /sdk/<vendor>/ inside mam-api;
BMD is fully wired into the FFmpeg build pipeline, AJA + Deltacast
staging-only pending FFmpeg patches
- mam-api: new /api/v1/sdk routes (multer upload, extract, list, delete);
Dockerfile gets unzip+tar; docker-compose mounts /mnt/NVME/MAM/sdk:/sdk
- proxy worker now reads proxy-encoding settings from DB on every job,
builds args for libx264 / NVENC / VAAPI, falls back to libx264 on
hardware-encode failure
- settings GET /s3 falls back to S3_* env vars when DB is empty so the
UI reflects what's actually wired (fixes 'not configured' false alarm)
2026-05-22 22:58:32 -04:00
import sdkRouter from './routes/sdk.js';
feat(scheduler): recorder scheduling — UI, CRUD, tick loop, recurrence
- New Ingest → Schedule page: upcoming/past/all tabs, status badges
(pending / recording / completed / cancelled / failed), 10s
auto-refresh, cancel/delete actions
- New Schedule modal: name, recorder dropdown, datetime-local start/end,
recurrence (one-shot / daily / weekly), sensible defaults (+5min / +35min)
- Backend: migration 009 (recorder_schedules), routes/schedules.js
(list/create/edit/cancel/delete), scheduler.js tick loop polling every
15s; transitions trigger /recorders/:id/start and /stop via in-process
HTTP so we reuse the full container orchestration path
- Recurring schedules: tick loop auto-queues the next occurrence on
completion (daily = +24h, weekly = +7d)
- Sidebar + app.jsx route wired in, schedule-row table style added
2026-05-22 23:19:24 -04:00
import schedulesRouter from './routes/schedules.js';
2026-05-22 23:30:10 -04:00
import metricsRouter from './routes/metrics.js';
feat(comments): persistent frame-anchored comments on asset detail
- migration 010: asset_comments table (id, asset_id, user_id, body,
frame_ms, resolved, timestamps) with index on asset_id+created_at
- new routes mounted at /api/v1/assets/:assetId/comments — GET/POST/
PATCH/DELETE with author join (display_name + initials), nullable
user_id so comments still attach when AUTH_ENABLED is off
- Asset detail loads comments from the API on mount instead of the
empty ZAMPP_DATA.COMMENTS seed; addComment POSTs and merges the
returned row; resolved-toggle and delete are wired
- CommentsList: new trash-icon delete action per comment, helpful
empty-state copy ('Add one below to mark a frame'), tooltips on
the timestamp and resolved buttons
Now editor comments survive page reload, are visible to other users
via the same API, and pin reliably to frame_ms (integer) instead of
a parsed HH:MM:SS:FF string.
2026-05-23 00:21:11 -04:00
import commentsRouter from './routes/comments.js';
2026-05-23 16:05:41 -04:00
import importsRouter from './routes/imports.js';
2026-05-26 18:45:50 -04:00
import storageRouter from './routes/storage.js';
chore: 1.2 ship-prep sweep — close 38 issues
Frontend / UX / a11y
- Sidebar collapse/expand toggle with localStorage persistence (#142)
- Settings sections wrap inputs in <form> with Enter-to-submit + native
validation; password autocomplete=new-password (#141, #138)
- Asset thumbnails get descriptive alt text (#140)
- Production deploy now precompiles JSX via esbuild and loads the
production React UMD instead of dev builds + in-browser Babel (#139,
#122)
- Search wrapper gets role=search; global search input gets aria-label,
role=combobox, aria-controls/aria-expanded/aria-activedescendant
wiring (#137, #135)
- Dashboard and Library no longer share the same nav icon (#136)
- Sidebar collapses off-canvas with a topbar menu button below 768 px;
mobile default is collapsed (#134)
- --text-3 bumped to #8B92A0 for WCAG AA contrast on --bg-0 (#133)
- Schedule and Library routes were rendering empty inside the .main
flex container — switched to flex:1 + min-height:0 (#131, #132,
editor + asset detail get the same fix)
- Jobs nav badge now polls /jobs?status=active every 10 s and reflects
the live count (#130, #113)
- aria-label sweep on every icon-only button (#126)
- Premiere panel release list moved to window.PREMIERE_RELEASES in
data.jsx; Editor + Settings read from the same source (#125)
- Typo setPgMclips → setPgmClips (#124)
- Stray console.error / console.warn calls gated behind
window.DF_LOG.{warn,error} (#123)
- Hardcoded /api/v1 paths route through window.ZAMPP_API_PREFIX (#115)
- Schedule rows no longer crash on null recorder_id (#117)
- EditorKeyboard guards against document.activeElement === null (#116)
- Unmount-safe timers for PasswordResetModal, Containers, Editor (#111)
- Player seek clamps below totalMs, server-side range clamping +
uncached 416 on EOF, client-side EOF-stall watchdog (#143)
- Duration badge overlap fix on narrow asset cards (#52)
Backend / security / reliability
- GET /recorders fixed N+1: single LATERAL JOIN for live_asset_id;
Docker inspects bounded to actually-recording rows (#121)
- Upload disk-storage (multer.diskStorage) streams parts to S3 instead
of buffering 500 MB in RAM (#120)
- /assets list clamps limit to MAX_LIMIT=500 to prevent OOM (#119)
- SDK upload archive listing + post-extract sanitize block zip-slip /
tar-slip and symlink escapes (#118)
- Migrations track applied state in schema_migrations, run in a
transaction, and exit non-zero on failure (#107)
- node-agent BMD_COUNT override uses BMD_DEVICE_PREFIX; filesystem
detection wins (#109, #127)
- GPU_COUNT override now merges with nvidia-smi enrichment (#108)
- /cluster/heartbeat requires a node-bound token or admin user;
tokens carry bound_hostname (#106)
- /recorders/:id/start error responses no longer echo the Docker
create payload — env vars stay out of client responses (#105)
- /recorders/probe restricts schemes (srt/rtmp/rtsp/udp/rtp), blocks
private + loopback hosts for non-admins, denies common service
ports (#104)
- Scheduler tick guarded by a Postgres advisory lock; pending/running
rows claimed via UPDATE...RETURNING + FOR UPDATE SKIP LOCKED to
survive multi-node deploys (#103)
- UUID validateUuid('id') param middleware on every /:id route (#102)
- Error handler scrubs Postgres error messages and 5xx detail (#101)
- Graceful SIGTERM/SIGINT shutdown — stops scheduler, drains the HTTP
server, ends the pool, 25 s force-exit watchdog (#100)
- AMPP sync moved from fire-and-forget to a persisted retry queue
(ampp_sync_status / attempts / next_attempt_at + scheduler retry
loop with exponential backoff) (#77)
Migrations
- 019: api_tokens.bound_hostname (#106)
- 020: assets.ampp_sync_status + retry bookkeeping (#77)
Other
- Defer #92 Growing-files per-upload toggle, #80 Audio tab, #57
Dashboard redesign, #56 Editor SPA polish phase 3, #114 S3
migration tool to v1.3
2026-05-26 22:06:14 -04:00
import { startSchedulerLoop, stopSchedulerLoop } from './scheduler.js';
2026-05-24 12:43:08 -04:00
import { startCleanupLoop } from './tasks/cleanupTempSegments.js';
2026-04-07 21:58:25 -04:00
2026-05-15 23:40:12 -04:00
// The single Express application; the middleware, auth gate and routers in
// the rest of this file are all attached to it.
const app = express();
2026-04-07 21:58:25 -04:00
// Listen port taken from the environment; 3000 when PORT is unset or empty.
const PORT = process.env.PORT || 3000;
2026-05-15 23:40:12 -04:00
// ── Middleware ────────────────────────────────────────────────────────────────
2026-05-27 14:06:41 -04:00
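// Tightened CORS — once cookies carry authority, `origin: true` would let
// any site forge requests with the cookie. Drive the allowlist from env:
// ALLOWED_ORIGINS is a comma-separated list of exact origins (constructed
// sample: `https://mam.example.test,https://edit.example.test`).
const allowedOrigins = (process.env.ALLOWED_ORIGINS || '')
  .split(',')
  .map((s) => s.trim())
  .filter(Boolean);

// An empty allowlist used to approve every origin, which combined with
// `credentials: true` is the same exposure as `origin: true`. That permissive
// default is now kept only while auth is off; with AUTH_ENABLED=true an unset
// ALLOWED_ORIGINS fails closed and is reported once at startup.
if (allowedOrigins.length === 0 && process.env.AUTH_ENABLED === 'true') {
  console.warn('[cors] ALLOWED_ORIGINS is empty while AUTH_ENABLED=true; cross-origin requests will not receive CORS headers');
}

app.use(cors({
  origin: (origin, cb) => {
    // No Origin header (same-origin or curl) — allow.
    if (!origin) return cb(null, true);
    // Exact string match only; there is no wildcard or suffix matching.
    if (allowedOrigins.includes(origin)) return cb(null, true);
    // Unconfigured allowlist: open only when auth is disabled. The startup
    // warning above covers the auth-enabled case, so nothing is logged per
    // request here.
    if (allowedOrigins.length === 0) return cb(null, process.env.AUTH_ENABLED !== 'true');
    // Reject cleanly: omit the Allow-Origin header so the browser surfaces
    // a real CORS error instead of a 500 from a thrown Error in the callback.
    // Withholding the header stops the page from reading the response; it is
    // not a CSRF control, since the cors middleware still passes the request
    // on to the handlers below.
    console.warn('[cors] rejected origin:', origin);
    return cb(null, false);
  },
  // Credentialed requests are permitted for every origin approved above.
  credentials: true,
}));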
2026-04-07 22:05:39 -04:00
// JSON body parser with a 50 MB cap. It is registered ahead of the /api/v1
// auth gate later in this file, so the cap is also the bound on what an
// unauthenticated caller can make the server buffer and parse.
app.use(express.json({ limit: '50mb' }));
2026-04-07 21:58:25 -04:00
2026-05-27 14:06:41 -04:00
// Opt-in proxy trust (production HTTPS behind a reverse proxy). The value 1
// makes Express trust exactly one proxy hop when it reads X-Forwarded-*
// headers. Leave TRUST_PROXY unset when clients can reach this process
// directly, because they could then supply those headers themselves.
if (process.env.TRUST_PROXY === 'true') {
  app.set('trust proxy', 1);
}
2026-05-27 14:11:09 -04:00
// Boot-time guard: with AUTH_ENABLED=true the process must be given a stable
// SESSION_SECRET, because the session middleware below signs its cookie with
// it. A secret that differs per process would invalidate every session on
// restart and could not be shared across nodes. Only presence is checked
// here, not length or randomness.
if (process.env.AUTH_ENABLED === 'true') {
  if (!process.env.SESSION_SECRET) {
    console.error('[fatal] SESSION_SECRET is required when AUTH_ENABLED=true');
    process.exit(1);
  }
}
2026-05-27 14:06:41 -04:00
// Session — actually wired this time. See specs/2026-05-27-auth-system-design.md.
// NOTE(review): the guard above only requires SESSION_SECRET when
// AUTH_ENABLED=true; express-session refuses requests when it has no secret,
// so confirm that auth-disabled environments still define one.
app.use(session({
  // Sessions live in the Postgres `sessions` table through the shared pool;
  // expired rows are pruned every 15 minutes (the interval is in seconds).
  store: new PgStore({
    pool,
    tableName: 'sessions',
    pruneSessionInterval: 15 * 60,
  }),
  secret: process.env.SESSION_SECRET,
  name: 'dragonflight.sid',
  cookie: {
    path: '/',
    httpOnly: true, // keeps the cookie out of reach of page scripts
    sameSite: 'lax',
    // Secure follows TRUST_PROXY, not the scheme actually being served.
    // NOTE(review): a deployment that terminates TLS in this process with
    // TRUST_PROXY unset would issue the cookie without Secure — confirm that
    // mode is never used in production.
    secure: process.env.TRUST_PROXY === 'true',
    maxAge: 8 * 60 * 60 * 1000, // 8 hours, in milliseconds
  },
  rolling: false, // sliding renewal handled in requireAuth so idle + absolute can be enforced separately
  resave: false,
  saveUninitialized: false, // no session row or cookie until something is stored in the session
}));
2026-05-26 23:39:58 -04:00
// ── Health ────────────────────────────────────────────────────────────────────
2026-05-15 23:40:12 -04:00
// Liveness probe with a fixed body. It sits outside /api/v1, so the auth gate
// below does not cover it, and it performs no database or dependency check.
app.get('/health', (_req, res) => res.json({ status: 'ok' }));
2026-05-27 14:13:21 -04:00
// ── Auth gate ─────────────────────────────────────────────────────────────────
// Every request under /api/v1 goes through requireAuth unless its path is in
// one of the two sets below. Matching is an exact, case-sensitive comparison
// on req.path and ignores the HTTP method: a variant such as a trailing slash
// is not exempted and falls through to requireAuth.
// req.path is relative to the /api/v1 mount, so /auth/login NOT /api/v1/auth/login.
// NOTE(review): none of the routers mounted in this part of the file serves
// /auth/* — confirm where the login and setup routes are registered.
const UNAUTH_PATHS = new Set([
  '/auth/login',
  '/auth/setup',
  '/auth/setup-required',
]);
// Service-auth carve-outs: node-agent uses migration 019's bound-hostname
// api_token mechanism, not user auth. Today only /cluster/heartbeat is
// reached without a user session — operator/UI endpoints in cluster.js
// (containers restart, DELETE /:id, blackmagic device queries) ARE expected
// to require auth. If node-agent grows another endpoint, add it here.
// The gate skips requireAuth for these paths, so whatever check the handler
// performs itself is the only control on them — verify in routes/cluster.js.
// TODO: long-term, issue node-agent a real bound api_token and drop this carve-out.
const SERVICE_PATHS = new Set(['/cluster/heartbeat']);
app.use('/api/v1', (req, res, next) => {
  const exempt = UNAUTH_PATHS.has(req.path) || SERVICE_PATHS.has(req.path);
  if (exempt) return next();
  return requireAuth(req, res, next);
});
2026-05-15 23:40:12 -04:00
// ── API Routes ────────────────────────────────────────────────────────────────
// Routers are attached in the order listed, after the /api/v1 auth gate, so
// each of them only sees requests the gate has let through.
// '/api/v1/assets' comes before '/api/v1/assets/:assetId/comments': assetsRouter
// is offered comment URLs first and commentsRouter gets what it passes on.
// NOTE(review): confirm :assetId receives the same UUID validation as the
// /:id routes, and that commentsRouter can read it (mergeParams) — neither is
// visible from this file.
for (const [mountPath, router] of [
  ['/api/v1/assets', assetsRouter],
  ['/api/v1/projects', projectsRouter],
  ['/api/v1/bins', binsRouter],
  ['/api/v1/jobs', jobsRouter],
  ['/api/v1/capture', captureRouter],
  ['/api/v1/upload', uploadRouter],
  ['/api/v1/recorders', recordersRouter],
  ['/api/v1/settings', settingsRouter],
  ['/api/v1/ampp', amppRouter],
  ['/api/v1/groups', groupsRouter],
  ['/api/v1/sequences', sequencesRouter],
  ['/api/v1/system', systemRouter],
  ['/api/v1/cluster', clusterRouter],
  ['/api/v1/sdk', sdkRouter],
  ['/api/v1/schedules', schedulesRouter],
  ['/api/v1/metrics', metricsRouter],
  ['/api/v1/assets/:assetId/comments', commentsRouter],
  ['/api/v1/imports', importsRouter],
  ['/api/v1/storage', storageRouter],
]) {
  app.use(mountPath, router);
}
2026-04-07 21:58:25 -04:00
2026-05-15 23:40:12 -04:00
// ── Error handler ─────────────────────────────────────────────────────────────
2026-04-07 21:58:25 -04:00
// Registered after the routers above so that errors they forward with
// next(err) end up in this handler.
app.use(errorHandler);
2026-05-15 23:40:12 -04:00
// ── Start ────────────────────────────────────────────────────────────────────
2026-05-18 07:29:50 -04:00
import { readdirSync, readFileSync } from 'node:fs';
import { fileURLToPath } from 'node:url';
import { dirname, join } from 'node:path';
// Directory of this module, derived from import.meta.url; runMigrations joins
// it with db/migrations to locate the .sql files.
const __dirnameMig = dirname(fileURLToPath(import.meta.url));
async function runMigrations() {
chore: 1.2 ship-prep sweep — close 38 issues
Frontend / UX / a11y
- Sidebar collapse/expand toggle with localStorage persistence (#142)
- Settings sections wrap inputs in <form> with Enter-to-submit + native
validation; password autocomplete=new-password (#141, #138)
- Asset thumbnails get descriptive alt text (#140)
- Production deploy now precompiles JSX via esbuild and loads the
production React UMD instead of dev builds + in-browser Babel (#139,
#122)
- Search wrapper gets role=search; global search input gets aria-label,
role=combobox, aria-controls/aria-expanded/aria-activedescendant
wiring (#137, #135)
- Dashboard and Library no longer share the same nav icon (#136)
- Sidebar collapses off-canvas with a topbar menu button below 768 px;
mobile default is collapsed (#134)
- --text-3 bumped to #8B92A0 for WCAG AA contrast on --bg-0 (#133)
- Schedule and Library routes were rendering empty inside the .main
flex container — switched to flex:1 + min-height:0 (#131, #132,
editor + asset detail get the same fix)
- Jobs nav badge now polls /jobs?status=active every 10 s and reflects
the live count (#130, #113)
- aria-label sweep on every icon-only button (#126)
- Premiere panel release list moved to window.PREMIERE_RELEASES in
data.jsx; Editor + Settings read from the same source (#125)
- Typo setPgMclips → setPgmClips (#124)
- Stray console.error / console.warn calls gated behind
window.DF_LOG.{warn,error} (#123)
- Hardcoded /api/v1 paths route through window.ZAMPP_API_PREFIX (#115)
- Schedule rows no longer crash on null recorder_id (#117)
- EditorKeyboard guards against document.activeElement === null (#116)
- Unmount-safe timers for PasswordResetModal, Containers, Editor (#111)
- Player seek clamps below totalMs, server-side range clamping +
uncached 416 on EOF, client-side EOF-stall watchdog (#143)
- Duration badge overlap fix on narrow asset cards (#52)
Backend / security / reliability
- GET /recorders fixed N+1: single LATERAL JOIN for live_asset_id;
Docker inspects bounded to actually-recording rows (#121)
- Upload disk-storage (multer.diskStorage) streams parts to S3 instead
of buffering 500 MB in RAM (#120)
- /assets list clamps limit to MAX_LIMIT=500 to prevent OOM (#119)
- SDK upload archive listing + post-extract sanitize block zip-slip /
tar-slip and symlink escapes (#118)
- Migrations track applied state in schema_migrations, run in a
transaction, and exit non-zero on failure (#107)
- node-agent BMD_COUNT override uses BMD_DEVICE_PREFIX; filesystem
detection wins (#109, #127)
- GPU_COUNT override now merges with nvidia-smi enrichment (#108)
- /cluster/heartbeat requires a node-bound token or admin user;
tokens carry bound_hostname (#106)
- /recorders/:id/start error responses no longer echo the Docker
create payload — env vars stay out of client responses (#105)
- /recorders/probe restricts schemes (srt/rtmp/rtsp/udp/rtp), blocks
private + loopback hosts for non-admins, denies common service
ports (#104)
- Scheduler tick guarded by a Postgres advisory lock; pending/running
rows claimed via UPDATE...RETURNING + FOR UPDATE SKIP LOCKED to
survive multi-node deploys (#103)
- UUID validateUuid('id') param middleware on every /:id route (#102)
- Error handler scrubs Postgres error messages and 5xx detail (#101)
- Graceful SIGTERM/SIGINT shutdown — stops scheduler, drains the HTTP
server, ends the pool, 25 s force-exit watchdog (#100)
- AMPP sync moved from fire-and-forget to a persisted retry queue
(ampp_sync_status / attempts / next_attempt_at + scheduler retry
loop with exponential backoff) (#77)
Migrations
- 019: api_tokens.bound_hostname (#106)
- 020: assets.ampp_sync_status + retry bookkeeping (#77)
Other
- Defer #92 Growing-files per-upload toggle, #80 Audio tab, #57
Dashboard redesign, #56 Editor SPA polish phase 3, #114 S3
migration tool to v1.3
2026-05-26 22:06:14 -04:00
// Issue #107 — previously the loop swallowed errors and let the server boot
// on a half-migrated schema. Now: track applied migrations in a table, run
// every pending one inside a transaction, and exit non-zero on failure so
// the orchestrator restarts (and so an operator notices) instead of serving
// 500s for the next month.
2026-05-18 07:29:50 -04:00
const dir = join(__dirnameMig, 'db', 'migrations');
let files = [];
try { files = readdirSync(dir).filter(f => f.endsWith('.sql')).sort(); } catch { return; }
chore: 1.2 ship-prep sweep — close 38 issues
Frontend / UX / a11y
- Sidebar collapse/expand toggle with localStorage persistence (#142)
- Settings sections wrap inputs in <form> with Enter-to-submit + native
validation; password autocomplete=new-password (#141, #138)
- Asset thumbnails get descriptive alt text (#140)
- Production deploy now precompiles JSX via esbuild and loads the
production React UMD instead of dev builds + in-browser Babel (#139,
#122)
- Search wrapper gets role=search; global search input gets aria-label,
role=combobox, aria-controls/aria-expanded/aria-activedescendant
wiring (#137, #135)
- Dashboard and Library no longer share the same nav icon (#136)
- Sidebar collapses off-canvas with a topbar menu button below 768 px;
mobile default is collapsed (#134)
- --text-3 bumped to #8B92A0 for WCAG AA contrast on --bg-0 (#133)
- Schedule and Library routes were rendering empty inside the .main
flex container — switched to flex:1 + min-height:0 (#131, #132,
editor + asset detail get the same fix)
- Jobs nav badge now polls /jobs?status=active every 10 s and reflects
the live count (#130, #113)
- aria-label sweep on every icon-only button (#126)
- Premiere panel release list moved to window.PREMIERE_RELEASES in
data.jsx; Editor + Settings read from the same source (#125)
- Typo setPgMclips → setPgmClips (#124)
- Stray console.error / console.warn calls gated behind
window.DF_LOG.{warn,error} (#123)
- Hardcoded /api/v1 paths route through window.ZAMPP_API_PREFIX (#115)
- Schedule rows no longer crash on null recorder_id (#117)
- EditorKeyboard guards against document.activeElement === null (#116)
- Unmount-safe timers for PasswordResetModal, Containers, Editor (#111)
- Player seek clamps below totalMs, server-side range clamping +
uncached 416 on EOF, client-side EOF-stall watchdog (#143)
- Duration badge overlap fix on narrow asset cards (#52)
Backend / security / reliability
- GET /recorders fixed N+1: single LATERAL JOIN for live_asset_id;
Docker inspects bounded to actually-recording rows (#121)
- Upload disk-storage (multer.diskStorage) streams parts to S3 instead
of buffering 500 MB in RAM (#120)
- /assets list clamps limit to MAX_LIMIT=500 to prevent OOM (#119)
- SDK upload archive listing + post-extract sanitize block zip-slip /
tar-slip and symlink escapes (#118)
- Migrations track applied state in schema_migrations, run in a
transaction, and exit non-zero on failure (#107)
- node-agent BMD_COUNT override uses BMD_DEVICE_PREFIX; filesystem
detection wins (#109, #127)
- GPU_COUNT override now merges with nvidia-smi enrichment (#108)
- /cluster/heartbeat requires a node-bound token or admin user;
tokens carry bound_hostname (#106)
- /recorders/:id/start error responses no longer echo the Docker
create payload — env vars stay out of client responses (#105)
- /recorders/probe restricts schemes (srt/rtmp/rtsp/udp/rtp), blocks
private + loopback hosts for non-admins, denies common service
ports (#104)
- Scheduler tick guarded by a Postgres advisory lock; pending/running
rows claimed via UPDATE...RETURNING + FOR UPDATE SKIP LOCKED to
survive multi-node deploys (#103)
- UUID validateUuid('id') param middleware on every /:id route (#102)
- Error handler scrubs Postgres error messages and 5xx detail (#101)
- Graceful SIGTERM/SIGINT shutdown — stops scheduler, drains the HTTP
server, ends the pool, 25 s force-exit watchdog (#100)
- AMPP sync moved from fire-and-forget to a persisted retry queue
(ampp_sync_status / attempts / next_attempt_at + scheduler retry
loop with exponential backoff) (#77)
Migrations
- 019: api_tokens.bound_hostname (#106)
- 020: assets.ampp_sync_status + retry bookkeeping (#77)
Other
- Defer #92 Growing-files per-upload toggle, #80 Audio tab, #57
Dashboard redesign, #56 Editor SPA polish phase 3, #114 S3
migration tool to v1.3
2026-05-26 22:06:14 -04:00
await pool.query(`
CREATE TABLE IF NOT EXISTS schema_migrations (
filename TEXT PRIMARY KEY,
applied_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
checksum_sha TEXT
)
`);
// Allow forcing a re-run via env when iterating locally.
const force = process.env.MIGRATIONS_FORCE === '1';
const allowFailures = process.env.MIGRATIONS_ALLOW_FAILURES === '1';
const appliedRes = await pool.query('SELECT filename FROM schema_migrations');
const applied = new Set(appliedRes.rows.map(r => r.filename));
2026-05-18 07:29:50 -04:00
for (const f of files) {
chore: 1.2 ship-prep sweep — close 38 issues
Frontend / UX / a11y
- Sidebar collapse/expand toggle with localStorage persistence (#142)
- Settings sections wrap inputs in <form> with Enter-to-submit + native
validation; password autocomplete=new-password (#141, #138)
- Asset thumbnails get descriptive alt text (#140)
- Production deploy now precompiles JSX via esbuild and loads the
production React UMD instead of dev builds + in-browser Babel (#139,
#122)
- Search wrapper gets role=search; global search input gets aria-label,
role=combobox, aria-controls/aria-expanded/aria-activedescendant
wiring (#137, #135)
- Dashboard and Library no longer share the same nav icon (#136)
- Sidebar collapses off-canvas with a topbar menu button below 768 px;
mobile default is collapsed (#134)
- --text-3 bumped to #8B92A0 for WCAG AA contrast on --bg-0 (#133)
- Schedule and Library routes were rendering empty inside the .main
flex container — switched to flex:1 + min-height:0 (#131, #132,
editor + asset detail get the same fix)
- Jobs nav badge now polls /jobs?status=active every 10 s and reflects
the live count (#130, #113)
- aria-label sweep on every icon-only button (#126)
- Premiere panel release list moved to window.PREMIERE_RELEASES in
data.jsx; Editor + Settings read from the same source (#125)
- Typo setPgMclips → setPgmClips (#124)
- Stray console.error / console.warn calls gated behind
window.DF_LOG.{warn,error} (#123)
- Hardcoded /api/v1 paths route through window.ZAMPP_API_PREFIX (#115)
- Schedule rows no longer crash on null recorder_id (#117)
- EditorKeyboard guards against document.activeElement === null (#116)
- Unmount-safe timers for PasswordResetModal, Containers, Editor (#111)
- Player seek clamps below totalMs, server-side range clamping +
uncached 416 on EOF, client-side EOF-stall watchdog (#143)
- Duration badge overlap fix on narrow asset cards (#52)
Backend / security / reliability
- GET /recorders fixed N+1: single LATERAL JOIN for live_asset_id;
Docker inspects bounded to actually-recording rows (#121)
- Upload disk-storage (multer.diskStorage) streams parts to S3 instead
of buffering 500 MB in RAM (#120)
- /assets list clamps limit to MAX_LIMIT=500 to prevent OOM (#119)
- SDK upload archive listing + post-extract sanitize block zip-slip /
tar-slip and symlink escapes (#118)
- Migrations track applied state in schema_migrations, run in a
transaction, and exit non-zero on failure (#107)
- node-agent BMD_COUNT override uses BMD_DEVICE_PREFIX; filesystem
detection wins (#109, #127)
- GPU_COUNT override now merges with nvidia-smi enrichment (#108)
- /cluster/heartbeat requires a node-bound token or admin user;
tokens carry bound_hostname (#106)
- /recorders/:id/start error responses no longer echo the Docker
create payload — env vars stay out of client responses (#105)
- /recorders/probe restricts schemes (srt/rtmp/rtsp/udp/rtp), blocks
private + loopback hosts for non-admins, denies common service
ports (#104)
- Scheduler tick guarded by a Postgres advisory lock; pending/running
rows claimed via UPDATE...RETURNING + FOR UPDATE SKIP LOCKED to
survive multi-node deploys (#103)
- UUID validateUuid('id') param middleware on every /:id route (#102)
- Error handler scrubs Postgres error messages and 5xx detail (#101)
- Graceful SIGTERM/SIGINT shutdown — stops scheduler, drains the HTTP
server, ends the pool, 25 s force-exit watchdog (#100)
- AMPP sync moved from fire-and-forget to a persisted retry queue
(ampp_sync_status / attempts / next_attempt_at + scheduler retry
loop with exponential backoff) (#77)
Migrations
- 019: api_tokens.bound_hostname (#106)
- 020: assets.ampp_sync_status + retry bookkeeping (#77)
Other
- Defer #92 Growing-files per-upload toggle, #80 Audio tab, #57
Dashboard redesign, #56 Editor SPA polish phase 3, #114 S3
migration tool to v1.3
2026-05-26 22:06:14 -04:00
if (!force && applied.has(f)) continue;
2026-05-18 07:29:50 -04:00
const sql = readFileSync(join(dir, f), 'utf8');
chore: 1.2 ship-prep sweep — close 38 issues
Frontend / UX / a11y
- Sidebar collapse/expand toggle with localStorage persistence (#142)
- Settings sections wrap inputs in <form> with Enter-to-submit + native
validation; password autocomplete=new-password (#141, #138)
- Asset thumbnails get descriptive alt text (#140)
- Production deploy now precompiles JSX via esbuild and loads the
production React UMD instead of dev builds + in-browser Babel (#139,
#122)
- Search wrapper gets role=search; global search input gets aria-label,
role=combobox, aria-controls/aria-expanded/aria-activedescendant
wiring (#137, #135)
- Dashboard and Library no longer share the same nav icon (#136)
- Sidebar collapses off-canvas with a topbar menu button below 768 px;
mobile default is collapsed (#134)
- --text-3 bumped to #8B92A0 for WCAG AA contrast on --bg-0 (#133)
- Schedule and Library routes were rendering empty inside the .main
flex container — switched to flex:1 + min-height:0 (#131, #132,
editor + asset detail get the same fix)
- Jobs nav badge now polls /jobs?status=active every 10 s and reflects
the live count (#130, #113)
- aria-label sweep on every icon-only button (#126)
- Premiere panel release list moved to window.PREMIERE_RELEASES in
data.jsx; Editor + Settings read from the same source (#125)
- Typo setPgMclips → setPgmClips (#124)
- Stray console.error / console.warn calls gated behind
window.DF_LOG.{warn,error} (#123)
- Hardcoded /api/v1 paths route through window.ZAMPP_API_PREFIX (#115)
- Schedule rows no longer crash on null recorder_id (#117)
- EditorKeyboard guards against document.activeElement === null (#116)
- Unmount-safe timers for PasswordResetModal, Containers, Editor (#111)
- Player seek clamps below totalMs, server-side range clamping +
uncached 416 on EOF, client-side EOF-stall watchdog (#143)
- Duration badge overlap fix on narrow asset cards (#52)
Backend / security / reliability
- GET /recorders fixed N+1: single LATERAL JOIN for live_asset_id;
Docker inspects bounded to actually-recording rows (#121)
- Upload disk-storage (multer.diskStorage) streams parts to S3 instead
of buffering 500 MB in RAM (#120)
- /assets list clamps limit to MAX_LIMIT=500 to prevent OOM (#119)
- SDK upload archive listing + post-extract sanitize block zip-slip /
tar-slip and symlink escapes (#118)
- Migrations track applied state in schema_migrations, run in a
transaction, and exit non-zero on failure (#107)
- node-agent BMD_COUNT override uses BMD_DEVICE_PREFIX; filesystem
detection wins (#109, #127)
- GPU_COUNT override now merges with nvidia-smi enrichment (#108)
- /cluster/heartbeat requires a node-bound token or admin user;
tokens carry bound_hostname (#106)
- /recorders/:id/start error responses no longer echo the Docker
create payload — env vars stay out of client responses (#105)
- /recorders/probe restricts schemes (srt/rtmp/rtsp/udp/rtp), blocks
private + loopback hosts for non-admins, denies common service
ports (#104)
- Scheduler tick guarded by a Postgres advisory lock; pending/running
rows claimed via UPDATE...RETURNING + FOR UPDATE SKIP LOCKED to
survive multi-node deploys (#103)
- UUID validateUuid('id') param middleware on every /:id route (#102)
- Error handler scrubs Postgres error messages and 5xx detail (#101)
- Graceful SIGTERM/SIGINT shutdown — stops scheduler, drains the HTTP
server, ends the pool, 25 s force-exit watchdog (#100)
- AMPP sync moved from fire-and-forget to a persisted retry queue
(ampp_sync_status / attempts / next_attempt_at + scheduler retry
loop with exponential backoff) (#77)
Migrations
- 019: api_tokens.bound_hostname (#106)
- 020: assets.ampp_sync_status + retry bookkeeping (#77)
Other
- Defer #92 Growing-files per-upload toggle, #80 Audio tab, #57
Dashboard redesign, #56 Editor SPA polish phase 3, #114 S3
migration tool to v1.3
2026-05-26 22:06:14 -04:00
|
|
|
const client = await pool.connect();
try {
await client.query('BEGIN');
await client.query(sql);
await client.query(
`INSERT INTO schema_migrations (filename) VALUES ($1)
ON CONFLICT (filename) DO UPDATE SET applied_at = NOW()`,
[f]
);
await client.query('COMMIT');
console.log('[migration] applied ' + f);
} catch (err) {
await client.query('ROLLBACK').catch(() => {});
console.error('[migration] FAILED ' + f + ': ' + err.message);
client.release();
if (allowFailures) continue;
// Hard fail — better to crash now than serve traffic on a broken schema.
console.error('[migration] aborting startup. Set MIGRATIONS_ALLOW_FAILURES=1 to override.');
process.exit(1);
}
client.release();
}
}
// Run the migration pass before the S3 settings are read from the database.
// On a failed migration runMigrations() logs the error and exits the process,
// unless failures are explicitly allowed (its abort message names
// MIGRATIONS_ALLOW_FAILURES=1 as the override).
await runMigrations();

// Load S3 config from DB so any settings saved via the Settings page override env vars
await loadS3ConfigFromDb();
// ── Cluster self-heartbeat ────────────────────────────────────────────────────
/**
 * Pick the IPv4 address this node advertises for itself.
 *
 * Resolution order:
 *   1. `NODE_IP` from the environment, returned verbatim (no format check is
 *      applied here).
 *   2. The first non-internal IPv4 address reported by os.networkInterfaces().
 *   3. '127.0.0.1' when neither of the above yields a value.
 *
 * @returns {string} The selected address.
 */
function getLocalIp() {
  // Explicit override: inside Docker, os.networkInterfaces() reports container
  // bridge IPs rather than the host LAN IP.
  const override = process.env.NODE_IP;
  if (override) return override;

  const addresses = Object.values(os.networkInterfaces())
    .flatMap((entries) => entries || []);
  const external = addresses.find(
    (entry) => entry.family === 'IPv4' && !entry.internal,
  );

  return external ? external.address : '127.0.0.1';
}
/**
 * Detect NVIDIA GPUs available to this container via nvidia-smi.
 *
 * The command line is a fixed string with no interpolated input. exec() runs
 * it through a shell, and because the binary is named without a path it is
 * looked up on PATH.
 *
 * @returns {Promise<Array<{index: number, name: string, memory_mb: number}>>}
 *   One entry per CSV row whose index parses as an integer, e.g.
 *   [{ index: 0, name: 'Tesla P4', memory_mb: 7680 }]. Resolves to an empty
 *   array when nvidia-smi fails, exceeds the 5 s timeout, or prints nothing.
 *   The promise never rejects.
 */
function detectGpus() {
  const command =
    'nvidia-smi --query-gpu=index,name,memory.total --format=csv,noheader,nounits';

  // One CSV row -> one GPU record; missing cells fall back to defaults.
  const parseRow = (row) => {
    const [indexCell, nameCell, memoryCell] = row.split(',').map((cell) => cell.trim());
    return {
      index: parseInt(indexCell, 10),
      name: nameCell || 'Unknown GPU',
      memory_mb: parseInt(memoryCell, 10) || 0,
    };
  };

  return new Promise((resolve) => {
    exec(command, { timeout: 5000 }, (err, stdout) => {
      if (err) {
        resolve([]);
        return;
      }

      const output = stdout.trim();
      if (!output) {
        resolve([]);
        return;
      }

      // Rows whose first column is not a number are dropped.
      const detected = output
        .split('\n')
        .map(parseRow)
        .filter((gpu) => !Number.isNaN(gpu.index));
      resolve(detected);
    });
  });
}
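/**
 * Upsert this process's own row in cluster_nodes.
 *
 * The row is keyed by hostname (NODE_HOSTNAME, else os.hostname()) and is
 * always written with role 'primary'. Each beat refreshes ip_address, the
 * 1-minute load average, memory usage in MB, the detected capabilities and
 * last_seen. All values are passed as bind parameters.
 *
 * api_url is always advertised with the http:// scheme and is built from the
 * same address that is stored in ip_address.
 *
 * Failures of the write are logged and swallowed so a database hiccup never
 * takes the API process down.
 *
 * @returns {Promise<void>} Settles once the write has finished or failed.
 */
async function selfHeartbeat() {
  const load = os.loadavg()[0];
  const totalBytes = os.totalmem();
  const usedBytes = totalBytes - os.freemem();

  const gpus = await detectGpus();
  const capabilities = { gpus, blackmagic: [] };

  // Resolve the address once so ip_address and api_url can never disagree
  // within a single heartbeat.
  const ip = getLocalIp();

  try {
    await pool.query(
      `INSERT INTO cluster_nodes
         (hostname, ip_address, role, version, api_url,
          cpu_usage, mem_used_mb, mem_total_mb, capabilities, last_seen)
       VALUES ($1,$2,'primary',$3,$4,$5,$6,$7,$8,NOW())
       ON CONFLICT (hostname) DO UPDATE SET
         ip_address   = EXCLUDED.ip_address,
         cpu_usage    = EXCLUDED.cpu_usage,
         mem_used_mb  = EXCLUDED.mem_used_mb,
         mem_total_mb = EXCLUDED.mem_total_mb,
         capabilities = EXCLUDED.capabilities,
         last_seen    = NOW()`,
      [
        process.env.NODE_HOSTNAME || os.hostname(),
        ip,
        process.env.npm_package_version || null,
        `http://${ip}:${PORT}`,
        parseFloat(load.toFixed(2)),
        Math.round(usedBytes / 1024 / 1024),
        Math.round(totalBytes / 1024 / 1024),
        JSON.stringify(capabilities),
      ]
    );
  } catch (err) {
    // Covers both a rejected query and a synchronous throw from pool.query.
    console.error('[cluster] heartbeat failed:', err.message);
  }
}

// Beat every 30 s, and once immediately so the node shows up without waiting
// for the first interval to elapse.
setInterval(selfHeartbeat, 30_000);
selfHeartbeat();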
// Start the HTTP listener. The background loops are started from the listen
// callback, i.e. only once the server is accepting connections.
const server = app.listen(PORT, () => {
  // Startup banner only: the exact string 'true' is reported as enabled; any
  // other value of AUTH_ENABLED (or none) is reported as disabled.
  let authMode = 'DISABLED (set AUTH_ENABLED=true for production)';
  if (process.env.AUTH_ENABLED === 'true') {
    authMode = 'ENABLED';
  }

  console.log(`MAM API listening on port ${PORT}`);
  console.log(`Authentication: ${authMode}`);

  // Boot the recorder scheduler tick loop after the HTTP server is live so
  // the loop's self-calls to /recorders/:id/start|stop reach a ready socket.
  startSchedulerLoop();

  // Boot the temp-segment cleanup loop (runs hourly).
  startCleanupLoop();
});
chore: 1.2 ship-prep sweep — close 38 issues
Frontend / UX / a11y
- Sidebar collapse/expand toggle with localStorage persistence (#142)
- Settings sections wrap inputs in <form> with Enter-to-submit + native
validation; password autocomplete=new-password (#141, #138)
- Asset thumbnails get descriptive alt text (#140)
- Production deploy now precompiles JSX via esbuild and loads the
production React UMD instead of dev builds + in-browser Babel (#139,
#122)
- Search wrapper gets role=search; global search input gets aria-label,
role=combobox, aria-controls/aria-expanded/aria-activedescendant
wiring (#137, #135)
- Dashboard and Library no longer share the same nav icon (#136)
- Sidebar collapses off-canvas with a topbar menu button below 768 px;
mobile default is collapsed (#134)
- --text-3 bumped to #8B92A0 for WCAG AA contrast on --bg-0 (#133)
- Schedule and Library routes were rendering empty inside the .main
flex container — switched to flex:1 + min-height:0 (#131, #132,
editor + asset detail get the same fix)
- Jobs nav badge now polls /jobs?status=active every 10 s and reflects
the live count (#130, #113)
- aria-label sweep on every icon-only button (#126)
- Premiere panel release list moved to window.PREMIERE_RELEASES in
data.jsx; Editor + Settings read from the same source (#125)
- Typo setPgMclips → setPgmClips (#124)
- Stray console.error / console.warn calls gated behind
window.DF_LOG.{warn,error} (#123)
- Hardcoded /api/v1 paths route through window.ZAMPP_API_PREFIX (#115)
- Schedule rows no longer crash on null recorder_id (#117)
- EditorKeyboard guards against document.activeElement === null (#116)
- Unmount-safe timers for PasswordResetModal, Containers, Editor (#111)
- Player seek clamps below totalMs, server-side range clamping +
uncached 416 on EOF, client-side EOF-stall watchdog (#143)
- Duration badge overlap fix on narrow asset cards (#52)
Backend / security / reliability
- GET /recorders fixed N+1: single LATERAL JOIN for live_asset_id;
Docker inspects bounded to actually-recording rows (#121)
- Upload disk-storage (multer.diskStorage) streams parts to S3 instead
of buffering 500 MB in RAM (#120)
- /assets list clamps limit to MAX_LIMIT=500 to prevent OOM (#119)
- SDK upload archive listing + post-extract sanitize block zip-slip /
tar-slip and symlink escapes (#118)
- Migrations track applied state in schema_migrations, run in a
transaction, and exit non-zero on failure (#107)
- node-agent BMD_COUNT override uses BMD_DEVICE_PREFIX; filesystem
detection wins (#109, #127)
- GPU_COUNT override now merges with nvidia-smi enrichment (#108)
- /cluster/heartbeat requires a node-bound token or admin user;
tokens carry bound_hostname (#106)
- /recorders/:id/start error responses no longer echo the Docker
create payload — env vars stay out of client responses (#105)
- /recorders/probe restricts schemes (srt/rtmp/rtsp/udp/rtp), blocks
private + loopback hosts for non-admins, denies common service
ports (#104)
- Scheduler tick guarded by a Postgres advisory lock; pending/running
rows claimed via UPDATE...RETURNING + FOR UPDATE SKIP LOCKED to
survive multi-node deploys (#103)
- UUID validateUuid('id') param middleware on every /:id route (#102)
- Error handler scrubs Postgres error messages and 5xx detail (#101)
- Graceful SIGTERM/SIGINT shutdown — stops scheduler, drains the HTTP
server, ends the pool, 25 s force-exit watchdog (#100)
- AMPP sync moved from fire-and-forget to a persisted retry queue
(ampp_sync_status / attempts / next_attempt_at + scheduler retry
loop with exponential backoff) (#77)
Migrations
- 019: api_tokens.bound_hostname (#106)
- 020: assets.ampp_sync_status + retry bookkeeping (#77)
Other
- Defer #92 Growing-files per-upload toggle, #80 Audio tab, #57
Dashboard redesign, #56 Editor SPA polish phase 3, #114 S3
migration tool to v1.3
2026-05-26 22:06:14 -04:00
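// Issue #100 — graceful shutdown. Without this, `docker stop` (SIGTERM) killed
// the process mid-scheduler-tick, leaving connections and Docker sockets
// dangling and producing partial DB writes. Now: stop the scheduler, finish
// in-flight HTTP requests, end the Postgres pool, and exit (or hard-exit after
// 25 s if something is stuck).
// NOTE(review): only pool.end() is called below; if Redis or S3 clients need
// explicit teardown, that is not done here — confirm.
let _shuttingDown = false;

/**
 * Shut the process down in order: scheduler loop, HTTP server, Postgres pool.
 *
 * Re-entrant calls are ignored, so a second signal during shutdown is a no-op.
 * A 25 s watchdog forces exit code 1 if any step hangs.
 *
 * @param {string} signal - Label of what triggered the shutdown; used in the log line.
 * @param {number} [exitCode=0] - Exit status used when shutdown completes.
 *   Pass a non-zero value for crash paths so supervisors and orchestrators
 *   record the exit as a failure rather than a clean stop.
 * @returns {Promise<void>} Does not resolve in practice: the process exits.
 */
async function gracefulShutdown(signal, exitCode = 0) {
  if (_shuttingDown) return;
  _shuttingDown = true;
  console.log(`[shutdown] received ${signal} — closing gracefully…`);

  // Wind down the scheduler tick. Best-effort: a failure here must not block
  // the rest of the shutdown, but it is logged rather than silently dropped.
  try {
    stopSchedulerLoop();
  } catch (e) {
    console.warn('[shutdown] stopSchedulerLoop:', e.message);
  }

  // Force-exit watchdog so a hung connection can't keep us alive forever.
  // unref() keeps the timer itself from holding the event loop open.
  const killSwitch = setTimeout(() => {
    console.error('[shutdown] forced exit after 25s timeout');
    process.exit(1);
  }, 25_000);
  killSwitch.unref();

  // Stop the HTTP server (waits for in-flight requests to finish).
  await new Promise((resolve) => server.close(resolve));

  // Close the DB pool. Best-effort.
  try {
    await pool.end();
  } catch (e) {
    console.warn('[shutdown] pool.end:', e.message);
  }

  if (exitCode === 0) {
    console.log('[shutdown] clean exit');
  } else {
    console.error(`[shutdown] exiting with code ${exitCode}`);
  }
  process.exit(exitCode);
}

process.on('SIGTERM', () => gracefulShutdown('SIGTERM'));
process.on('SIGINT', () => gracefulShutdown('SIGINT'));
process.on('uncaughtException', (err) => {
  console.error('[fatal] uncaughtException:', err);
  // A crash must not be reported as a successful stop: exit non-zero.
  gracefulShutdown('uncaughtException', 1);
});
// Unhandled rejections are logged only; they do not trigger a shutdown.
process.on('unhandledRejection', (reason) => {
  console.error('[fatal] unhandledRejection:', reason);
});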