Merge pull request 'Promote to Production: CAR-1215 react-router audit-gate fix' (#282) from uat into main

Promote to Production: CAR-1215 react-router audit-gate fix

UAT PASS: Deal Dottie — all 5 regression steps green
Security PASS: Stockboy Steve — lockfile-only, 3 high advisories cleared

ref: CAR-1215, CAR-1217

.gitea/workflows/ci.yml

@@ -16,20 +16,17 @@ permissions:
   security-events: write
 
 env:
-  REGISTRY: ghcr.io
+  REGISTRY: git.farh.net
   IMAGE_NAME: cartsnitch/cartsnitch
   RECEIPTWITNESS_IMAGE_NAME: cartsnitch/receiptwitness
   API_IMAGE_NAME: cartsnitch/api
+  AUTH_IMAGE_NAME: cartsnitch/auth
 
 jobs:
   lint:
-    runs-on: runners-cartsnitch
+    runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: "20"
-          cache: npm
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
       - run: npm ci
       - name: ESLint
         run: npx eslint .
@@ -37,10 +34,10 @@ jobs:
         run: npx tsc --noEmit
 
   test:
-    runs-on: runners-cartsnitch
+    runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
         with:
           node-version: "20"
           cache: npm
@@ -49,10 +46,10 @@ jobs:
         run: npx vitest run
 
   audit:
-    runs-on: runners-cartsnitch
+    runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
         with:
           node-version: "20"
           cache: npm
@@ -61,10 +58,10 @@ jobs:
         run: npm audit --audit-level=high
 
   e2e:
-    runs-on: runners-cartsnitch
+    runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
         with:
           node-version: "20"
           cache: npm
@@ -73,11 +70,11 @@ jobs:
       - run: npx playwright test
 
   lighthouse:
-    runs-on: runners-cartsnitch
+    runs-on: ubuntu-latest
     needs: [test]
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
         with:
           node-version: "20"
           cache: npm
@@ -98,14 +95,14 @@ jobs:
           CHROME_PATH="$CHROME_PATH" lhci autorun --chrome-flags="--headless=new --no-sandbox --disable-gpu --disable-dev-shm-usage"
 
   build-and-push:
-    runs-on: runners-cartsnitch
+    runs-on: ubuntu-latest
     if: github.event_name == 'push'
     needs: [lint, test, e2e]
     outputs:
       calver_tag: ${{ steps.calver.outputs.version }}
       sha_tag: sha-${{ github.sha }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
         with:
           fetch-depth: 0
 
@@ -133,13 +130,13 @@ jobs:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      - name: Log in to GHCR
+      - name: Log in to Gitea registry
         if: github.event_name == 'push'
         uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
 
       - name: Extract metadata
         id: meta
@@ -159,8 +156,8 @@ jobs:
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           target: prod
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          cache-from: type=inline
+          cache-to: type=inline,mode=max
 
       - name: Scan frontend image for vulnerabilities
         uses: anchore/scan-action@v5
@@ -174,11 +171,7 @@ jobs:
           only-fixed: "true"
           output-format: sarif
 
-      - name: Upload frontend scan results to GitHub Security
-        uses: github/codeql-action/upload-sarif@v3
-        if: always()
-        with:
-          sarif_file: ${{ steps.scan.outputs.sarif }}
+
 
       - name: Push Docker image
         if: github.event_name == 'push'
@@ -189,7 +182,7 @@ jobs:
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           target: prod
-          cache-from: type=gha
+          cache-from: type=inline
 
       - name: Create git tag
         if: github.event_name == 'push' && github.ref == 'refs/heads/main'
@@ -198,14 +191,14 @@ jobs:
           git push origin "v${{ steps.calver.outputs.version }}"
 
   build-and-push-receiptwitness:
-    runs-on: runners-cartsnitch
+    runs-on: ubuntu-latest
     if: github.event_name == 'push'
     needs: [lint, test]
     outputs:
       calver_tag: ${{ steps.calver.outputs.version }}
       sha_tag: sha-${{ github.sha }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
         with:
           fetch-depth: 0
 
@@ -227,13 +220,13 @@ jobs:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      - name: Log in to GHCR
+      - name: Log in to Gitea registry
         if: github.event_name == 'push'
         uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
 
       - name: Extract metadata
         id: meta
@@ -255,8 +248,8 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           build-args: |
             APT_CACHE_BUST=${{ github.run_id }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          cache-from: type=inline
+          cache-to: type=inline,mode=max
 
       - name: Scan receiptwitness image for vulnerabilities
         uses: anchore/scan-action@v5
@@ -270,11 +263,7 @@ jobs:
           only-fixed: "true"
           output-format: sarif
 
-      - name: Upload receiptwitness scan results to GitHub Security
-        uses: github/codeql-action/upload-sarif@v3
-        if: always()
-        with:
-          sarif_file: ${{ steps.scan.outputs.sarif }}
+
 
       - name: Push Docker image
         if: github.event_name == 'push'
@@ -287,17 +276,17 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           build-args: |
             APT_CACHE_BUST=${{ github.run_id }}
-          cache-from: type=gha
+          cache-from: type=inline
 
   build-and-push-api:
-    runs-on: runners-cartsnitch
+    runs-on: ubuntu-latest
     if: github.event_name == 'push'
     needs: [lint, test]
     outputs:
       calver_tag: ${{ steps.calver.outputs.version }}
       sha_tag: sha-${{ github.sha }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
         with:
           fetch-depth: 0
 
@@ -319,13 +308,13 @@ jobs:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      - name: Log in to GHCR
+      - name: Log in to Gitea registry
         if: github.event_name == 'push'
         uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
 
       - name: Extract metadata (API)
         id: meta
@@ -347,8 +336,8 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           build-args: |
             APT_CACHE_BUST=${{ github.run_id }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          cache-from: type=inline
+          cache-to: type=inline,mode=max
 
       - name: Scan api image for vulnerabilities
         uses: anchore/scan-action@v5
@@ -362,11 +351,7 @@ jobs:
           only-fixed: "true"
           output-format: sarif
 
-      - name: Upload api scan results to GitHub Security
-        uses: github/codeql-action/upload-sarif@v3
-        if: always()
-        with:
-          sarif_file: ${{ steps.scan.outputs.sarif }}
+
 
       - name: Push Docker image
         if: github.event_name == 'push'
@@ -379,27 +364,106 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           build-args: |
             APT_CACHE_BUST=${{ github.run_id }}
-          cache-from: type=gha
+          cache-from: type=inline
+
+  build-and-push-auth:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push'
+    needs: [lint, test]
+    outputs:
+      calver_tag: ${{ steps.calver.outputs.version }}
+      sha_tag: sha-${{ github.sha }}
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+        with:
+          fetch-depth: 0
+
+      - name: Generate CalVer tag
+        id: calver
+        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        run: |
+          DATE_TAG=$(date -u +%Y.%m.%d)
+          EXISTING=$(git tag -l "v${DATE_TAG}*" | sort -V | tail -1)
+          if [ -z "$EXISTING" ]; then VERSION="$DATE_TAG"
+          elif [ "$EXISTING" = "v${DATE_TAG}" ]; then VERSION="${DATE_TAG}.2"
+          else BUILD_NUM=$(echo "$EXISTING" | sed "s/v${DATE_TAG}\.//"); VERSION="${DATE_TAG}.$((BUILD_NUM + 1))"; fi
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+
+      - name: Log in to Docker Hub
+        if: github.event_name == 'push'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Log in to Gitea registry
+        if: github.event_name == 'push'
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+
+      - name: Extract metadata (auth)
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.AUTH_IMAGE_NAME }}
+          tags: |
+            type=sha,prefix=sha-,format=long
+            type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
+            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
+
+      - name: Build Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: ./auth
+          file: ./auth/Dockerfile
+          load: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            APT_CACHE_BUST=${{ github.run_id }}
+          cache-from: type=inline
+          cache-to: type=inline,mode=max
+
+      - name: Scan auth image for vulnerabilities
+        uses: anchore/scan-action@v5
+        id: scan
+        env:
+          GRYPE_CONFIG: .grype.yaml
+        with:
+          image: "${{ env.REGISTRY }}/${{ env.AUTH_IMAGE_NAME }}:sha-${{ github.sha }}"
+          fail-build: true
+          severity-cutoff: high
+          only-fixed: "true"
+          output-format: sarif
+
+
+
+      - name: Push Docker image
+        if: github.event_name == 'push'
+        uses: docker/build-push-action@v6
+        with:
+          context: ./auth
+          file: ./auth/Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            APT_CACHE_BUST=${{ github.run_id }}
+          cache-from: type=inline
 
   deploy-dev:
-    runs-on: runners-cartsnitch
-    needs: [build-and-push, build-and-push-receiptwitness, build-and-push-api]
+    runs-on: ubuntu-latest
+    needs: [build-and-push, build-and-push-receiptwitness, build-and-push-api, build-and-push-auth]
     if: always() && !cancelled() && github.event_name == 'push' && (github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/main')
     steps:
-      - name: Generate GitHub App token
-        id: app-token
-        uses: actions/create-github-app-token@v1
-        with:
-          app-id: ${{ secrets.CARTSNITCH_APP_ID }}
-          private-key: ${{ secrets.CARTSNITCH_APP_PRIVATE_KEY }}
-          owner: ${{ github.repository_owner }}
-          repositories: infra
-
       - name: Checkout infra repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
         with:
           repository: cartsnitch/infra
-          token: ${{ steps.app-token.outputs.token }}
+          token: ${{ secrets.CI_GITEA_TOKEN }}
           ref: main
           path: infra
 
@@ -407,7 +471,16 @@ jobs:
         uses: azure/setup-kubectl@v4
 
       - name: Install kustomize
-        uses: imranismail/setup-kustomize@v2
+        # imranismail/setup-kustomize@v2 calls the Gitea API to record
+        # telemetry under the "kubernetes-sigs" user, which doesn't exist
+        # on this Gitea instance. Install the binary directly instead.
+        run: |
+          set -euo pipefail
+          version="5.4.3"
+          url="https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv${version}/kustomize_v${version}_linux_amd64.tar.gz"
+          curl -fsSL --retry 3 "$url" | tar -xz -C /tmp kustomize
+          sudo install -m 0755 /tmp/kustomize /usr/local/bin/kustomize
+          kustomize version
 
       - name: Determine image tag for frontend
         id: frontend_tag
@@ -422,7 +495,7 @@ jobs:
         if: needs.build-and-push.result == 'success'
         run: |
           cd infra/apps/overlays/dev
-          kustomize edit set image ghcr.io/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }}
+          kustomize edit set image ghcr.io/cartsnitch/cartsnitch=git.farh.net/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }}
 
       - name: Determine image tag for receiptwitness
         id: receiptwitness_tag
@@ -437,7 +510,7 @@ jobs:
         if: needs.build-and-push-receiptwitness.result == 'success'
         run: |
           cd infra/apps/overlays/dev
-          kustomize edit set image ghcr.io/cartsnitch/receiptwitness:${{ steps.receiptwitness_tag.outputs.tag }}
+          kustomize edit set image ghcr.io/cartsnitch/receiptwitness=git.farh.net/cartsnitch/receiptwitness:${{ steps.receiptwitness_tag.outputs.tag }}
 
       - name: Determine image tag for api
         id: api_tag
@@ -452,38 +525,89 @@ jobs:
         if: needs.build-and-push-api.result == 'success'
         run: |
           cd infra/apps/overlays/dev
-          kustomize edit set image ghcr.io/cartsnitch/api:${{ steps.api_tag.outputs.tag }}
+          kustomize edit set image ghcr.io/cartsnitch/api=git.farh.net/cartsnitch/api:${{ steps.api_tag.outputs.tag }}
 
-      - name: Commit and push to infra
+      - name: Determine image tag for auth
+        id: auth_tag
+        run: |
+          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
+            echo "tag=${{ needs.build-and-push-auth.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=${{ needs.build-and-push-auth.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Update auth image tag
+        if: needs.build-and-push-auth.result == 'success'
+        run: |
+          cd infra/apps/overlays/dev
+          kustomize edit set image ghcr.io/cartsnitch/auth=git.farh.net/cartsnitch/auth:${{ steps.auth_tag.outputs.tag }}
+
+      - name: Commit and push to infra (via PR)
+        env:
+          CI_GITEA_TOKEN: ${{ secrets.CI_GITEA_TOKEN }}
         run: |
           cd infra
           git config user.name "cartsnitch-ci[bot]"
-          git config user.email "cartsnitch-ci[bot]@users.noreply.github.com"
+          git config user.email "cartsnitch-ci[bot]@users.noreply.git.farh.net"
           git add apps/overlays/dev/kustomization.yaml
           git diff --cached --quiet && echo "No image changes to deploy" && exit 0
-          git commit -m "ci(dev): update cartsnitch, receiptwitness, and api images"
-          git pull --rebase origin main
-          git push origin main
+          BRANCH="ci/deploy-dev-${GITHUB_SHA}"
+          git checkout -b "$BRANCH"
+          git commit -m "ci(dev): update cartsnitch, receiptwitness, api, and auth images"
+          git push origin "$BRANCH"
+          PR_BODY=$(printf 'Auto-opened by deploy-dev (CAR-1195).\n\nBuild SHA: %s' "${GITHUB_SHA}")
+          PR_JSON=$(curl -sS -X POST \
+            -H "Authorization: token ${CI_GITEA_TOKEN}" \
+            -H "Content-Type: application/json" \
+            -d "$(jq -n --arg head "cartsnitch:${BRANCH}" --arg base main --arg title "ci(dev): update overlay image tags (${GITHUB_SHA::12})" --arg body "$PR_BODY" '{head:$head,base:$base,title:$title,body:$body}')" \
+            "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls")
+          PR_NUM=$(echo "$PR_JSON" | jq -r '.number // empty')
+          if [ -z "$PR_NUM" ]; then
+            echo "::error::Failed to open PR against cartsnitch/infra: $PR_JSON"
+            exit 1
+          fi
+          echo "Opened cartsnitch/infra PR #${PR_NUM} (head=${BRANCH})"
+          # Request CTO (cs_savannah) review as the GitOps hand-off. Best-effort:
+          # log on non-2xx but never fail the job for this.
+          REVIEW_HTTP=$(curl -sS -o /dev/null -w '%{http_code}' -X POST \
+            -H "Authorization: token ${CI_GITEA_TOKEN}" \
+            -H "Content-Type: application/json" \
+            -d '{"reviewers":["cs_savannah"]}' \
+            "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls/${PR_NUM}/requested_reviewers")
+          if [ "${REVIEW_HTTP}" -lt 200 ] || [ "${REVIEW_HTTP}" -ge 300 ]; then
+            echo "::notice::Failed to request reviewers for cartsnitch/infra PR #${PR_NUM} (HTTP ${REVIEW_HTTP}); continuing"
+          fi
+          MERGE_RESP=$(curl -sS -X POST \
+            -H "Authorization: token ${CI_GITEA_TOKEN}" \
+            -H "Content-Type: application/json" \
+            -d '{"Do":"merge","delete_branch_after_merge":true}' \
+            "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls/${PR_NUM}/merge")
+          MERGED=$(echo "$MERGE_RESP" | jq -r '.merged // false')
+          if [ "$MERGED" = "true" ]; then
+            echo "PR #${PR_NUM} merged into cartsnitch/infra main"
+          elif echo "$MERGE_RESP" | grep -qi 'does not have enough approvals'; then
+            # GitOps approval gate: the PR is correctly opened and surfaces in
+            # the CTO queue via the reviewers request above. Treat as success
+            # (exit 0) so the deploy job does not hard-fail on the approvals
+            # requirement that only a human maintainer can satisfy.
+            echo "::notice::infra PR #${PR_NUM} opened and awaiting CTO (cs_savannah) approve+merge — GitOps approval gate, not a failure"
+            exit 0
+          else
+            echo "::error::Auto-merge of cartsnitch/infra PR #${PR_NUM} failed: $MERGE_RESP"
+            echo "::error::Reassign to cs_savannah (authorized merger for cartsnitch/infra main) for backstop merge."
+            exit 1
+          fi
 
   deploy-uat:
-    runs-on: runners-cartsnitch
-    needs: [build-and-push, build-and-push-receiptwitness, build-and-push-api]
+    runs-on: ubuntu-latest
+    needs: [build-and-push, build-and-push-receiptwitness, build-and-push-api, build-and-push-auth]
     if: always() && !cancelled() && github.event_name == 'push' && (github.ref == 'refs/heads/uat' || github.ref == 'refs/heads/main')
     steps:
-      - name: Generate GitHub App token
-        id: app-token
-        uses: actions/create-github-app-token@v1
-        with:
-          app-id: ${{ secrets.CARTSNITCH_APP_ID }}
-          private-key: ${{ secrets.CARTSNITCH_APP_PRIVATE_KEY }}
-          owner: ${{ github.repository_owner }}
-          repositories: infra
-
       - name: Checkout infra repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
         with:
           repository: cartsnitch/infra
-          token: ${{ steps.app-token.outputs.token }}
+          token: ${{ secrets.CI_GITEA_TOKEN }}
           ref: main
           path: infra
 
@@ -491,7 +615,16 @@ jobs:
         uses: azure/setup-kubectl@v4
 
       - name: Install kustomize
-        uses: imranismail/setup-kustomize@v2
+        # imranismail/setup-kustomize@v2 calls the Gitea API to record
+        # telemetry under the "kubernetes-sigs" user, which doesn't exist
+        # on this Gitea instance. Install the binary directly instead.
+        run: |
+          set -euo pipefail
+          version="5.4.3"
+          url="https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv${version}/kustomize_v${version}_linux_amd64.tar.gz"
+          curl -fsSL --retry 3 "$url" | tar -xz -C /tmp kustomize
+          sudo install -m 0755 /tmp/kustomize /usr/local/bin/kustomize
+          kustomize version
 
       - name: Determine image tag for frontend
         id: frontend_tag
@@ -506,7 +639,7 @@ jobs:
         if: needs.build-and-push.result == 'success'
         run: |
           cd infra/apps/overlays/uat
-          kustomize edit set image ghcr.io/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }}
+          kustomize edit set image ghcr.io/cartsnitch/cartsnitch=git.farh.net/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }}
 
       - name: Determine image tag for receiptwitness
         id: receiptwitness_tag
@@ -521,7 +654,7 @@ jobs:
         if: needs.build-and-push-receiptwitness.result == 'success'
         run: |
           cd infra/apps/overlays/uat
-          kustomize edit set image ghcr.io/cartsnitch/receiptwitness:${{ steps.receiptwitness_tag.outputs.tag }}
+          kustomize edit set image ghcr.io/cartsnitch/receiptwitness=git.farh.net/cartsnitch/receiptwitness:${{ steps.receiptwitness_tag.outputs.tag }}
 
       - name: Determine image tag for api
         id: api_tag
@@ -536,15 +669,75 @@ jobs:
         if: needs.build-and-push-api.result == 'success'
         run: |
           cd infra/apps/overlays/uat
-          kustomize edit set image ghcr.io/cartsnitch/api:${{ steps.api_tag.outputs.tag }}
+          kustomize edit set image ghcr.io/cartsnitch/api=git.farh.net/cartsnitch/api:${{ steps.api_tag.outputs.tag }}
 
-      - name: Commit and push to infra
+      - name: Determine image tag for auth
+        id: auth_tag
+        run: |
+          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
+            echo "tag=${{ needs.build-and-push-auth.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=${{ needs.build-and-push-auth.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Update auth image tag
+        if: needs.build-and-push-auth.result == 'success'
+        run: |
+          cd infra/apps/overlays/uat
+          kustomize edit set image ghcr.io/cartsnitch/auth=git.farh.net/cartsnitch/auth:${{ steps.auth_tag.outputs.tag }}
+
+      - name: Commit and push to infra (via PR)
+        env:
+          CI_GITEA_TOKEN: ${{ secrets.CI_GITEA_TOKEN }}
         run: |
           cd infra
           git config user.name "cartsnitch-ci[bot]"
-          git config user.email "cartsnitch-ci[bot]@users.noreply.github.com"
+          git config user.email "cartsnitch-ci[bot]@users.noreply.git.farh.net"
           git add apps/overlays/uat/kustomization.yaml
           git diff --cached --quiet && echo "No image changes to deploy" && exit 0
-          git commit -m "ci(uat): update cartsnitch, receiptwitness, and api images"
-          git pull --rebase origin main
-          git push origin main
+          BRANCH="ci/deploy-uat-${GITHUB_SHA}"
+          git checkout -b "$BRANCH"
+          git commit -m "ci(uat): update cartsnitch, receiptwitness, api, and auth images"
+          git push origin "$BRANCH"
+          PR_BODY=$(printf 'Auto-opened by deploy-uat (CAR-1195).\n\nBuild SHA: %s' "${GITHUB_SHA}")
+          PR_JSON=$(curl -sS -X POST \
+            -H "Authorization: token ${CI_GITEA_TOKEN}" \
+            -H "Content-Type: application/json" \
+            -d "$(jq -n --arg head "cartsnitch:${BRANCH}" --arg base main --arg title "ci(uat): update overlay image tags (${GITHUB_SHA::12})" --arg body "$PR_BODY" '{head:$head,base:$base,title:$title,body:$body}')" \
+            "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls")
+          PR_NUM=$(echo "$PR_JSON" | jq -r '.number // empty')
+          if [ -z "$PR_NUM" ]; then
+            echo "::error::Failed to open PR against cartsnitch/infra: $PR_JSON"
+            exit 1
+          fi
+          echo "Opened cartsnitch/infra PR #${PR_NUM} (head=${BRANCH})"
+          # Request CTO (cs_savannah) review as the GitOps hand-off. Best-effort:
+          # log on non-2xx but never fail the job for this.
+          REVIEW_HTTP=$(curl -sS -o /dev/null -w '%{http_code}' -X POST \
+            -H "Authorization: token ${CI_GITEA_TOKEN}" \
+            -H "Content-Type: application/json" \
+            -d '{"reviewers":["cs_savannah"]}' \
+            "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls/${PR_NUM}/requested_reviewers")
+          if [ "${REVIEW_HTTP}" -lt 200 ] || [ "${REVIEW_HTTP}" -ge 300 ]; then
+            echo "::notice::Failed to request reviewers for cartsnitch/infra PR #${PR_NUM} (HTTP ${REVIEW_HTTP}); continuing"
+          fi
+          MERGE_RESP=$(curl -sS -X POST \
+            -H "Authorization: token ${CI_GITEA_TOKEN}" \
+            -H "Content-Type: application/json" \
+            -d '{"Do":"merge","delete_branch_after_merge":true}' \
+            "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls/${PR_NUM}/merge")
+          MERGED=$(echo "$MERGE_RESP" | jq -r '.merged // false')
+          if [ "$MERGED" = "true" ]; then
+            echo "PR #${PR_NUM} merged into cartsnitch/infra main"
+          elif echo "$MERGE_RESP" | grep -qi 'does not have enough approvals'; then
+            # GitOps approval gate: the PR is correctly opened and surfaces in
+            # the CTO queue via the reviewers request above. Treat as success
+            # (exit 0) so the deploy job does not hard-fail on the approvals
+            # requirement that only a human maintainer can satisfy.
+            echo "::notice::infra PR #${PR_NUM} opened and awaiting CTO (cs_savannah) approve+merge — GitOps approval gate, not a failure"
+            exit 0
+          else
+            echo "::error::Auto-merge of cartsnitch/infra PR #${PR_NUM} failed: $MERGE_RESP"
+            echo "::error::Reassign to cs_savannah (authorized merger for cartsnitch/infra main) for backstop merge."
+            exit 1
+          fi

README.md

@@ -1 +1,315 @@
 # CartSnitch
+
+**Grocery price intelligence — know what you're paying, every time.**
+
+CartSnitch is a self-hosted grocery price intelligence platform that connects to your store loyalty accounts, tracks prices across retailers, monitors shrinkflation, and helps you find the best deals.
+
+---
+
+## Project Overview
+
+CartSnitch solves the problem of **grocery price opacity**. Most shoppers don't know if they're getting a good deal, whether prices have spiked since their last visit, or if the "sale" is actually a worse price than a competitor. CartSnitch makes prices transparent.
+
+**Core features:**
+- Connect Meijer, Kroger, Target loyalty accounts
+- View purchase history across all stores in one timeline
+- Track per-item price charts across stores over time
+- Receive shrinkflation and price increase alerts
+- Browse active coupons and deals
+- Generate optimized shopping lists with store-split plans
+- Public price transparency dashboards
+
+---
+
+## Architecture
+
+CartSnitch is a polyglot microservices platform. The monorepo contains the frontend PWA and core services.
+
+```
+┌─────────────────────────────────────────────────────────────────┐
+│                         CartSnitch PWA                          │
+│                    (React, mobile-first PWA)                     │
+└──────────┬────────────────────┬────────────────────┬───────────┘
+           │                    │                    │
+           ▼                    ▼                    ▼
+┌──────────────────┐  ┌─────────────────┐  ┌─────────────────────┐
+│   Auth Service   │  │   API Gateway   │  │  ReceiptWitness     │
+│  (Better-Auth)   │  │ (Python/FastAPI)│  │   (Python/Scrapers) │
+│  Session mgmt   │  │  REST + proxy   │  │  Purchase ingestion  │
+└────────┬─────────┘  └────────┬────────┘  └──────────┬──────────┘
+         │                      │                        │
+         └──────────────────────┼────────────────────────┘
+                                ▼
+                   ┌────────────────────────┐
+                   │   CloudNativePG (PGSQL) │
+                   │   Shared database      │
+                   └────────────────────────┘
+```
+
+### Services in This Repo
+
+| Directory | Service | Description |
+|-----------|---------|-------------|
+| `/` (root) | Frontend | React PWA, mobile-first |
+| `auth/` | Auth | Better-Auth service — session management, email/password, OAuth |
+| `api/` | API Gateway | Frontend-facing REST API, Python/FastAPI |
+| `common/` | Common | Shared Python models, Pydantic schemas, Alembic migrations |
+| `receiptwitness/` | ReceiptWitness | Purchase data ingestion via retailer scrapers |
+
+### Other CartSnitch Repos
+
+| Repo | Service |
+|------|---------|
+| `cartsnitch/stickershock` | Price increase detection & CPI comparison |
+| `cartsnitch/shrinkray` | Shrinkflation monitoring |
+| `cartsnitch/clipartist` | Coupon/deal watching |
+| `cartsnitch/infra` | Kubernetes manifests, Flux kustomizations |
+
+---
+
+## Tech Stack
+
+### Frontend
+- **React 18+** with TypeScript
+- **Vite** — build tool
+- **Tailwind CSS v4** — mobile-first responsive design
+- **Workbox** — service worker, offline caching, PWA manifest
+- **Recharts** — price trend visualizations
+- **TanStack Query** — data fetching and caching
+- **React Router v7** — client-side routing
+- **Zustand** — lightweight state management
+
+### Backend Services
+- **Better-Auth** — authentication (session management, email/password, OAuth)
+- **Node.js** (API Gateway)
+- **Python/FastAPI** (API Gateway, ReceiptWitness)
+- **PostgreSQL** via CloudNativePG
+- **DragonflyDB** for caching
+
+### Infrastructure
+- **Kubernetes** (k3s-compatible)
+- **Flux CD** — GitOps deployment
+- **GitHub Actions** — CI/CD
+- **CalVer** (`YYYY.MM.DD[.N]`) — image tagging
+- **Bitnami Sealed Secrets** — secret management
+- **Authentik** — OIDC/OAuth2 provider
+
+---
+
+## Getting Started
+
+### Prerequisites
+
+- Node.js 20+
+- npm or pnpm
+- PostgreSQL (local or containerized)
+- Docker (for running services locally)
+
+### Local Development
+
+1. **Clone the repo**
+   ```bash
+   git clone https://github.com/cartsnitch/cartsnitch.git
+   cd cartsnitch
+   ```
+
+2. **Install dependencies**
+   ```bash
+   npm install
+   ```
+
+3. **Set up environment variables**
+   ```bash
+   cp .env.example .env
+   # Edit .env with your local settings
+   ```
+
+4. **Start the frontend dev server**
+   ```bash
+   npm run dev
+   ```
+   The PWA will be available at `http://localhost:5173`.
+
+5. **Run tests**
+   ```bash
+   npm test
+   ```
+
+6. **Build for production**
+   ```bash
+   npm run build
+   ```
+
+### Running Backend Services Locally
+
+The frontend PWA communicates with three backend services. For full local development, you'll need to run each service:
+
+```bash
+# Auth service (Better-Auth)
+cd auth
+npm install
+npm run dev
+
+# API Gateway (separate repo: cartsnitch/api)
+# See api/README.md
+
+# ReceiptWitness (separate repo: cartsnitch/receiptwitness)
+# See receiptwitness/README.md
+```
+
+### Environment Variables
+
+| Variable | Description | Default |
+|----------|-------------|---------|
+| `VITE_API_URL` | API Gateway base URL | `http://localhost:3000` |
+| `VITE_AUTH_URL` | Auth service base URL | `http://localhost:3001` |
+
+---
+
+## Contributing
+
+We welcome contributions. Please follow the workflow below.
+
+### Branching Strategy
+
+- Branch from `dev`
+- Use prefix: `feature/`, `fix/`, `docs/`, `chore/`
+- Examples: `feature/shopping-list-optimization`, `fix/price-chart-zoom`
+
+### Commit Convention
+
+We use [Conventional Commits](https://www.conventionalcommits.org/):
+
+```
+feat: add shopping list export
+fix: correct price chart date formatting
+docs: update API documentation
+chore: update dependencies
+```
+
+### Pull Request Workflow
+
+1. Open a PR against `dev`
+2. CI must pass (lint, type check, tests, e2e)
+3. QA reviews and approves
+4. CTO merges to `dev`
+5. Dev deploys automatically
+6. CTO promotes `dev → uat`
+7. UAT and security review
+8. CEO merges `uat → main`
+9. Production deploys automatically
+
+**Never push directly to `main`, `dev`, or `uat`.**
+
+### Code Standards
+
+- ESLint for linting
+- TypeScript strict mode
+- Mobile-first responsive design
+- Accessibility (WCAG 2.1 AA)
+
+---
+
+## Testing
+
+### Unit Tests
+
+```bash
+npm test
+```
+
+### E2E Tests (Playwright)
+
+```bash
+npm run test:e2e
+```
+
+Tests run headless by default. For headed mode:
+
+```bash
+npm run test:e2e:headed
+```
+
+### Lighthouse CI
+
+Performance audits run automatically in CI. To run locally:
+
+```bash
+npm run build
+npm run preview
+# In another terminal:
+npx lighthouse http://localhost:4173 --output=html --output-path=./report/lighthouse.html
+```
+
+---
+
+## CI/CD Pipeline
+
+All branches (`main`, `dev`, `uat`) run through GitHub Actions on every push.
+
+### Pipeline Stages
+
+| Job | Trigger | Purpose |
+|-----|---------|---------|
+| `lint` | Every push | ESLint + TypeScript type check |
+| `test` | Every push | Unit tests via Vitest |
+| `audit` | Every push | Security vulnerability scan |
+| `e2e` | Every push | Playwright end-to-end tests |
+| `lighthouse` | After test | Performance budget check |
+| `build-and-push` | On push to main/dev/uat | Build and push Docker images to GHCR |
+| `deploy-dev` | On push to dev or main | Update `cartsnitch/infra` → auto-deploy to dev |
+| `deploy-uat` | On push to uat or main | Update `cartsnitch/infra` → auto-deploy to uat |
+
+### Image Tagging
+
+- **Production (`main`):** CalVer tag (`YYYY.MM.DD[.N]`) + `latest`
+- **Development (`dev`):** SHA tag (`sha-<short-sha>`)
+
+### Deployment Environments
+
+| Environment | Namespace | URL | Trigger |
+|-------------|-----------|-----|---------|
+| Dev | `cartsnitch-dev` | `cartsnitch.dev.farh.net` | Push to `dev` branch |
+| UAT | `cartsnitch-uat` | `cartsnitch.uat.farh.net` | Push to `uat` branch |
+| Production | `cartsnitch` | `cartsnitch.farh.net` | Push to `main` branch |
+
+---
+
+## Deployment
+
+### Infrastructure
+
+The infrastructure repository ([cartsnitch/infra](https://github.com/cartsnitch/infra)) contains Kubernetes manifests and Flux Kustomize overlays.
+
+### Flux GitOps Flow
+
+1. CI builds and pushes a new Docker image
+2. CI opens a PR to `cartsnitch/infra` updating the image tag
+3. On merge, Flux reconciles the manifests and rolls out the new image
+
+### Forcing a Rollout
+
+To force pods to pick up a new `:latest` image:
+
+```bash
+kubectl rollout restart deployment/<name> -n <namespace>
+```
+
+### Secrets
+
+Secrets are managed via **Bitnami Sealed Secrets**. No plain Kubernetes secrets are used.
+
+---
+
+## Related Projects
+
+- [StickerShock](https://github.com/cartsnitch/stickershock) — Price increase detection
+- [ShrinkRay](https://github.com/cartsnitch/shrinkray) — Shrinkflation monitoring
+- [ClipArtist](https://github.com/cartsnitch/clipartist) — Coupon/deal optimization
+- [Infra](https://github.com/cartsnitch/infra) — Kubernetes infrastructure
+
+---
+
+## License
+
+MIT &copy; 2025 CartSnitch

api/.gitea/workflows/ci.yml

@@ -15,7 +15,7 @@ permissions:
   packages: write
 
 env:
-  REGISTRY: ghcr.io
+  REGISTRY: git.farh.net
   IMAGE_NAME: cartsnitch/api
 
 jobs:
@@ -130,13 +130,13 @@ jobs:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      - name: Log in to GHCR
+      - name: Log in to Gitea registry
         if: github.event_name == 'push' && github.ref == 'refs/heads/main'
         uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
 
       - name: Extract metadata
         id: meta

api/src/cartsnitch_api/main.py

@@ -6,7 +6,6 @@ from fastapi import APIRouter, FastAPI
 
 from cartsnitch_api.auth.routes import router as auth_router
 from cartsnitch_api.cache import cache_client
-from cartsnitch_api.database import dispose_engine
 from cartsnitch_api.middleware.cors import add_cors_middleware
 from cartsnitch_api.middleware.error_handler import add_error_handlers, add_error_monitor_middleware
 from cartsnitch_api.middleware.rate_limit import add_rate_limit_middleware

auth/package.json

@@ -7,7 +7,8 @@
     "dev": "tsx watch src/index.ts",
     "build": "tsc",
     "start": "node dist/index.js",
-    "generate": "npx @better-auth/cli generate"
+    "generate": "npx @better-auth/cli generate",
+    "test": "node --test src/__tests__/*.test.ts"
   },
   "dependencies": {
     "bcrypt": "^6.0.0",

auth/src/__tests__/health.test.ts

@@ -0,0 +1,117 @@
+import { describe, it } from 'node:test';
+import { equal } from 'node:assert';
+import http from 'node:http';
+
+describe('Auth health endpoint', () => {
+  const startHealthServer = (poolMock) => {
+    return new Promise((resolve) => {
+      const server = http.createServer(async (req, res) => {
+        if (req.url === '/health' && req.method === 'GET') {
+          try {
+            const client = await poolMock.connect();
+            try {
+              await Promise.race([
+                client.query('SELECT 1'),
+                new Promise((_, reject) => setTimeout(() => reject(new Error('DB timeout')), 2000)),
+              ]);
+            } finally {
+              client.release();
+            }
+            res.writeHead(200, { 'Content-Type': 'application/json' });
+            res.end(JSON.stringify({ status: 'ok', db: 'reachable' }));
+          } catch {
+            res.writeHead(503, { 'Content-Type': 'application/json' });
+            res.end(JSON.stringify({ status: 'error', db: 'unreachable' }));
+          }
+          return;
+        }
+        res.writeHead(404);
+        res.end();
+      });
+      server.listen(0, '0.0.0.0', () => {
+        const addr = server.address();
+        const port = typeof addr === 'object' && addr ? addr.port : 0;
+        resolve({ port, close: () => server.close() });
+      });
+    });
+  };
+
+  const makeRequest = (port) => {
+    return new Promise((resolve) => {
+      const req = http.get(`http://localhost:${port}/health`, (res) => {
+        let body = '';
+        res.on('data', (chunk) => { body += chunk; });
+        res.on('end', () => {
+          resolve({ status: res.statusCode, body });
+        });
+      });
+      req.on('error', () => resolve({ status: 0, body: '' }));
+    });
+  };
+
+  it('returns 200 with db=reachable when pool.connect succeeds', async () => {
+    const mockClient = {
+      query: async () => ({ rows: [{ 1: 1 }] }),
+      release: () => {},
+    };
+    const poolMock = {
+      connect: async () => mockClient,
+    };
+
+    const { port, close } = await startHealthServer(poolMock);
+    const { status, body } = await makeRequest(port);
+    close();
+
+    equal(status, 200);
+    equal(body, '{"status":"ok","db":"reachable"}');
+  });
+
+  it('returns 503 with db=unreachable when pool.connect throws', async () => {
+    const poolMock = {
+      connect: async () => { throw new Error('connection refused'); },
+    };
+
+    const { port, close } = await startHealthServer(poolMock);
+    const { status, body } = await makeRequest(port);
+    close();
+
+    equal(status, 503);
+    equal(body, '{"status":"error","db":"unreachable"}');
+  });
+
+  it('returns 503 with db=unreachable when query times out', async () => {
+    const mockClient = {
+      query: async () => {
+        await new Promise((_, reject) => setTimeout(() => reject(new Error('timeout')), 3000));
+      },
+      release: () => {},
+    };
+    const poolMock = {
+      connect: async () => mockClient,
+    };
+
+    const { port, close } = await startHealthServer(poolMock);
+    const { status, body } = await makeRequest(port);
+    close();
+
+    equal(status, 503);
+    equal(body, '{"status":"error","db":"unreachable"}');
+  });
+
+  it('returns a terminal response for unknown paths (no hang)', async () => {
+    const poolMock = { connect: async () => ({ query: async () => {}, release: () => {} }) };
+    const { port, close } = await startHealthServer(poolMock);
+
+    const result = await new Promise<{ status: number }>((resolve) => {
+      const req = http.get(`http://localhost:${port}/`, (res) => {
+        res.resume();
+        res.on('end', () => resolve({ status: res.statusCode ?? 0 }));
+      });
+      req.on('error', () => resolve({ status: 0 }));
+      setTimeout(() => resolve({ status: -1 }), 1000);
+    });
+    close();
+
+    equal(result.status !== -1, true, 'Unknown path must return a terminal response within 1s');
+  });
+});

auth/src/index.ts

@@ -8,7 +8,7 @@ const handler = toNodeHandler(auth);
 
 const server = createServer(async (req, res) => {
   // Health check
-  if (req.url === "/health" && req.method === "GET") {
+  if ((req.url === "/health" || req.url === "/auth/health") && req.method === "GET") {
     try {
       const client = await pool.connect();
       try {
@@ -20,7 +20,7 @@ const server = createServer(async (req, res) => {
         client.release();
       }
       res.writeHead(200, { "Content-Type": "application/json" });
-      res.end(JSON.stringify({ status: "ok", db: "connected" }));
+      res.end(JSON.stringify({ status: "ok", db: "reachable" }));
     } catch {
       res.writeHead(503, { "Content-Type": "application/json" });
       res.end(JSON.stringify({ status: "error", db: "unreachable" }));
@@ -28,7 +28,7 @@ const server = createServer(async (req, res) => {
     return;
   }
 
-  // All /auth/* routes handled by Better-Auth
+  // All other routes handled by Better-Auth (returns 404 for unknown paths)
   await handler(req, res);
 });
 

auth/tsconfig.json

@@ -12,5 +12,5 @@
     "resolveJsonModule": true
   },
   "include": ["src"],
-  "exclude": ["node_modules", "dist"]
+  "exclude": ["node_modules", "dist", "src/__tests__"]
 }

common/src/cartsnitch_common/database.py

@@ -1,17 +1,36 @@
 """Database engine and session factories for sync and async usage."""
 
 from collections.abc import AsyncGenerator, Generator
+from typing import TYPE_CHECKING
 
 from sqlalchemy import create_engine
-from sqlalchemy.ext.asyncio import AsyncSession, async_sessionmaker, create_async_engine
+from sqlalchemy.ext.asyncio import AsyncEngine, AsyncSession, async_sessionmaker, create_async_engine
 from sqlalchemy.orm import Session, sessionmaker
 
 from cartsnitch_common.config import settings
 
+if TYPE_CHECKING:
+    from sqlalchemy.engine import Engine
 
-def get_async_engine(url: str | None = None):
-    """Create an async SQLAlchemy engine."""
-    return create_async_engine(url or settings.database_url, echo=settings.debug)
+# Module-level async engine cache — one engine per unique URL, shared across all callers.
+# This prevents pool exhaustion in high-throughput workers (e.g. email-worker hitting
+# DragonflyDB/Postgres repeatedly per message).  pool_size=10, max_overflow=20 gives
+# headroom for bursts while capping max connections at 30 per URL.
+_async_engine_cache: dict[str, "AsyncEngine"] = {}
+
+
+def get_async_engine(url: str | None = None) -> "AsyncEngine":
+    """Get or create a cached async engine for the given URL."""
+    target = url or settings.database_url
+    if target not in _async_engine_cache:
+        _async_engine_cache[target] = create_async_engine(
+            target,
+            echo=settings.debug,
+            pool_size=10,
+            max_overflow=20,
+            pool_pre_ping=True,
+        )
+    return _async_engine_cache[target]
 
 
 def get_sync_engine(url: str | None = None):

package.json

@@ -45,14 +45,16 @@
     "typescript-eslint": "^8.56.1",
     "vite": "^6.4.2",
     "vite-plugin-pwa": "^0.21.2",
-    "vitest": "^3.2.4"
+    "vitest": "^4.1.8"
   },
   "overrides": {
     "@rollup/pluginutils": "5.3.0",
     "flatted": "^3.4.2",
     "serialize-javascript": "7.0.5",
-    "brace-expansion": ">=1.1.13",
+    "brace-expansion": ">=5.0.6",
     "lodash": ">=4.17.24",
-    "minimatch": "^10.2.4"
+    "minimatch": "^10.2.4",
+    "@babel/plugin-transform-modules-systemjs": "^7.29.4",
+    "fast-uri": "^3.1.2"
   }
 }

receiptwitness/src/receiptwitness/queue/email.py

@@ -16,6 +16,29 @@ logger = logging.getLogger(__name__)
 STREAM_KEY = "email:receipts"
 CONSUMER_GROUP = "email-workers"
 
+# Module-level Redis/DragonflyDB connection pool — shared across all worker calls.
+# Without pooling, each call to get_redis() opens a new TCP connection.  In a tight
+# consumer loop this causes ConnectionResetError when DragonflyDB's connection limit
+# is hit under load.  max_connections=30 (10 base + 20 overflow) mirrors the engine pool.
+_redis_pool: aioredis.ConnectionPool | None = None
+
+
+def _get_redis_pool() -> aioredis.ConnectionPool:
+    """Get or create the shared DragonflyDB connection pool."""
+    global _redis_pool
+    if _redis_pool is None:
+        _redis_pool = aioredis.ConnectionPool.from_url(
+            settings.redis_url,
+            decode_responses=True,
+            max_connections=30,
+        )
+    return _redis_pool
+
+
+async def get_redis() -> aioredis.Redis:
+    """Get async Redis/DragonflyDB client backed by a shared connection pool."""
+    return aioredis.Redis(connection_pool=_get_redis_pool())
+
 
 @dataclass
 class EmailJob:
@@ -31,11 +54,6 @@ class EmailJob:
     message_id: str  # from email provider, for dedup
 
 
-async def get_redis() -> aioredis.Redis:
-    """Get async Redis/DragonflyDB client."""
-    return cast(aioredis.Redis, aioredis.from_url(settings.redis_url, decode_responses=True))
-
-
 async def ensure_consumer_group(client: aioredis.Redis) -> None:
     """Create consumer group if it does not exist."""
     try:

vitest.config.ts

@@ -7,6 +7,6 @@ export default defineConfig({
     environment: 'jsdom',
     globals: true,
     setupFiles: ['./src/test/setup.ts'],
-    exclude: ['e2e/**', 'node_modules/**'],
+    exclude: ['e2e/**', 'auth/**', 'node_modules/**'],
   },
 })