fix(server): restore DI, embed tfstate at build, fix error handling (#33)

## Summary

- **Restore Nest.js DI**: replaced `tsx watch` with `tsc -b --watch` +
`node --watch` in the server's dev script — tsx 4.x/esbuild silently
drops `emitDecoratorMetadata`, breaking all constructor injection so
every service injected as `undefined`
- **Build-time tfstate embedding**: new `app/scripts/embed-tfstate.mjs`
runs as `predev`/`prebuild` hook, pulling live state via `terraform
state pull` (any backend) and writing it to
`app/packages/server/src/generated/tfstate.ts`; `ConfigService` uses it
as a fallback when the runtime `terraform.tfstate` file is absent
- **API error handling**: `api.ts` now throws on non-2xx responses
instead of resolving with the error body, preventing silent failures
downstream; `CostPanel` gets defensive `?.` chaining on `daily`;
`DiscordPanel` catches load errors and shows a user-friendly message
instead of getting stuck on "Loading…"

## Test plan

- [ ] `npm run dev` from `app/` runs `terraform state pull`, embeds real
state, and Nest boots with all DI resolved (no `undefined` service
errors)
- [ ] Games list populates from embedded tfstate when
`terraform/terraform.tfstate` is absent
- [ ] API 500 responses surface as errors in the UI rather than silent
empty state
- [ ] Cost panel renders without crashing when cost data is unavailable
- [ ] Discord panel shows "unavailable" message instead of spinning
forever when infra isn't deployed
- [ ] `npm test` passes

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: CoderCoco

CLAUDE.md

@@ -83,6 +83,8 @@ When adding a game, only edit `terraform.tfvars`. Don't hand-write new resources
 
 `ConfigService.getTfOutputs()` (in `app/packages/server/src/services/ConfigService.ts`) parses `terraform.tfstate` as JSON and caches it in-memory. `invalidateCache()` is called on `/api/games` and `/api/status` to pick up new deploys. The app's container mounts `./terraform:/app/terraform:ro` — this path coupling matters if directory structure changes. The parsed `TfOutputs` shape now also exposes `discord_table_name`, `discord_bot_token_secret_arn`, `discord_public_key_secret_arn`, and `interactions_invoke_url` so `DiscordConfigService` can reach the Discord stores without extra env-var plumbing.
 
+**Build-time state embedding**: `app/scripts/embed-tfstate.mjs` runs automatically via `predev` and `prebuild` npm lifecycle hooks. It reads Terraform state (via `terraform state pull`, or a file path from `TF_STATE_PATH` / the first CLI arg) and writes `app/packages/server/src/generated/tfstate.ts` with the state serialized as a JSON literal. `ConfigService` imports this as `EMBEDDED_TFSTATE` and uses it as a fallback when the runtime `terraform.tfstate` file is absent — useful in Docker or CI environments where the Terraform directory isn't mounted. When neither source is available, `getTfOutputs()` returns `null` and callers degrade gracefully. The generated file is committed as `null` (no real state) and is overwritten at dev/build time.
+
 ### API authentication
 
 Every `/api/*` route is gated behind a bearer token via `ApiTokenGuard` in `app/packages/server/src/guards/api-token.guard.ts`, registered globally in `AppModule` as an `APP_GUARD` provider so it applies to every controller automatically. The token comes from env `API_TOKEN` (wins, even when set to empty to deliberately disable) or `api_token` in `server_config.json`. In production (`NODE_ENV=production`), boot aborts in `main.ts` if no token is configured. In dev, a warning is logged and unauthenticated requests are allowed for convenience. The web client stores the token in `localStorage` under key `apiToken` and sends it as `Authorization: Bearer`. Don't remove the guard or bypass it on individual controllers — Copilot flagged the unauthenticated surface as a security issue and this is the fix.

app/package.json

@@ -10,7 +10,9 @@
     "packages/lambda/*"
   ],
   "scripts": {
+    "predev": "node scripts/embed-tfstate.mjs",
     "dev": "concurrently -n server,client -c cyan,magenta \"npm run dev -w @gsd/server\" \"npm run dev -w @gsd/web\"",
+    "prebuild": "node scripts/embed-tfstate.mjs",
     "build": "npm run build -w @gsd/shared && npm run build -w @gsd/server && npm run build -w @gsd/web",
     "build:lambdas": "npm run build -w @gsd/shared && npm run build -w @gsd/lambda-interactions -w @gsd/lambda-followup -w @gsd/lambda-update-dns -w @gsd/lambda-watchdog",
     "start": "node packages/server/dist/main.js",

app/packages/server/package.json

@@ -5,7 +5,7 @@
   "type": "module",
   "main": "./dist/main.js",
   "scripts": {
-    "dev": "tsx watch src/main.ts",
+    "dev": "tsc -b && concurrently -k -n tsc,node \"tsc -b --watch --preserveWatchOutput\" \"node --enable-source-maps --watch dist/main.js\"",
     "build": "tsc -b",
     "start": "node dist/main.js"
   },

app/packages/server/src/generated/tfstate.ts

@@ -0,0 +1,2 @@
+// Auto-generated by scripts/embed-tfstate.mjs — do not edit by hand
+export const EMBEDDED_TFSTATE: Record<string, unknown> | null = null;

app/packages/server/src/services/ConfigService.test.ts

@@ -16,6 +16,20 @@ vi.mock('../logger.js', () => ({
   },
 }));
 
+/**
+ * Mutable holder for the build-time embedded Terraform state.
+ * Tests that exercise the EMBEDDED_TFSTATE fallback path set this before
+ * calling `getTfOutputs()`; all other tests leave it as `null` so they
+ * don't accidentally exercise the fallback.
+ */
+let mockEmbeddedState: Record<string, unknown> | null = null;
+
+vi.mock('../generated/tfstate.js', () => ({
+  get EMBEDDED_TFSTATE() {
+    return mockEmbeddedState;
+  },
+}));
+
 import { readFileSync, writeFileSync, existsSync } from 'fs';
 import { ConfigService } from './ConfigService.js';
 
@@ -38,14 +52,37 @@ describe('ConfigService', () => {
 
   beforeEach(() => {
     service = new ConfigService();
+    mockEmbeddedState = null;
   });
 
   describe('getTfOutputs', () => {
-    it('should return null and warn when the state file does not exist', () => {
+    it('should return null when both the state file and embedded state are absent', () => {
       mockExists.mockReturnValue(false);
       expect(service.getTfOutputs()).toBeNull();
     });
 
+    it('should use EMBEDDED_TFSTATE as fallback when the state file is absent', () => {
+      mockEmbeddedState = {
+        outputs: {
+          aws_region: { value: 'us-west-1' },
+          game_names: { value: ['minecraft'] },
+        },
+      };
+      mockExists.mockReturnValue(false);
+      const outputs = service.getTfOutputs();
+      expect(outputs).not.toBeNull();
+      expect(outputs!.aws_region).toBe('us-west-1');
+      expect(outputs!.game_names).toEqual(['minecraft']);
+      expect(outputs!.subnet_ids).toBe('');
+    });
+
+    it('should prefer the runtime state file over EMBEDDED_TFSTATE when both are present', () => {
+      mockEmbeddedState = { outputs: { aws_region: { value: 'embedded-region' } } };
+      mockExists.mockReturnValue(true);
+      mockRead.mockReturnValue(makeState({ aws_region: { value: 'runtime-region' } }));
+      expect(service.getTfOutputs()!.aws_region).toBe('runtime-region');
+    });
+
     it('should parse outputs and fill defaults for missing keys', () => {
       mockExists.mockReturnValue(true);
       mockRead.mockReturnValue(

app/packages/server/src/services/ConfigService.ts

@@ -3,13 +3,37 @@ import { readFileSync, writeFileSync, existsSync } from 'fs';
 import { join, dirname } from 'path';
 import { fileURLToPath } from 'url';
 import { logger } from '../logger.js';
+import { EMBEDDED_TFSTATE } from '../generated/tfstate.js';
 
-// Workspace move: ConfigService now lives one extra directory level deep
-// (app/packages/server/src/services/ instead of app/src/server/services/),
-// so the relative walk to the repo's `terraform/` folder needs one more `..`.
 const __dirname = dirname(fileURLToPath(import.meta.url));
-const TF_STATE_PATH = join(__dirname, '../../../../../../terraform/terraform.tfstate');
-const CONFIG_PATH = join(__dirname, '../../../../../../app/server_config.json');
+
+/**
+ * Probes candidate relative paths from __dirname in order and returns the
+ * first that exists on disk.  Falls back to the first candidate when none
+ * exist so callers get a deterministic (missing-file) path rather than
+ * undefined behaviour.
+ *
+ * Needed because the depth from __dirname to the repo/workspace root differs
+ * between environments:
+ *   - local source tree  (src/services or dist/services inside repo): 5 levels up → repo root
+ *   - Docker image       (dist/services inside /app):                  4 levels up → /app
+ */
+function resolveRuntimePath(...relativeCandidates: string[]): string {
+  for (const rel of relativeCandidates) {
+    const resolved = join(__dirname, rel);
+    if (existsSync(resolved)) return resolved;
+  }
+  return join(__dirname, relativeCandidates[0]);
+}
+
+const TF_STATE_PATH = resolveRuntimePath(
+  '../../../../../terraform/terraform.tfstate',
+  '../../../../terraform/terraform.tfstate',
+);
+const CONFIG_PATH = resolveRuntimePath(
+  '../../../../../app/server_config.json',
+  '../../../../server_config.json',
+);
 
 /**
  * Shape of the subset of Terraform root outputs the management app consumes.
@@ -79,22 +103,33 @@ export class ConfigService {
 
   /**
    * Parse `terraform/terraform.tfstate` (once, then memoised) and project the
-   * pieces the app cares about. Returns `null` when the state file is absent
-   * (pre-`terraform apply`) or unparseable — callers treat that as "infra
-   * not deployed yet" and degrade gracefully.
+   * pieces the app cares about. Falls back to the state embedded at build time
+   * by `scripts/embed-tfstate.mjs` when the runtime file is absent. Returns
+   * `null` when neither source is available — callers treat that as "infra not
+   * deployed yet" and degrade gracefully.
    */
   getTfOutputs(): TfOutputs | null {
     if (this.tfCache) return this.tfCache;
 
-    if (!existsSync(TF_STATE_PATH)) {
+    type RawState = { outputs?: Record<string, { value: unknown }> };
+    let raw: RawState;
+
+    if (existsSync(TF_STATE_PATH)) {
+      try {
+        raw = JSON.parse(readFileSync(TF_STATE_PATH, 'utf-8')) as RawState;
+      } catch (err) {
+        logger.error('Failed to parse Terraform state', { err, path: TF_STATE_PATH });
+        return null;
+      }
+    } else if (EMBEDDED_TFSTATE) {
+      logger.debug('Using build-time embedded Terraform state');
+      raw = EMBEDDED_TFSTATE as unknown as RawState;
+    } else {
       logger.warn('Terraform state not found', { path: TF_STATE_PATH });
       return null;
     }
 
     try {
-      const raw = JSON.parse(readFileSync(TF_STATE_PATH, 'utf-8')) as {
-        outputs?: Record<string, { value: unknown }>;
-      };
       const out = raw.outputs ?? {};
       const get = <T>(key: string, fallback: T): T =>
         key in out ? (out[key]!.value as T) : fallback;
@@ -121,7 +156,7 @@ export class ConfigService {
       logger.debug('Loaded Terraform outputs', { games: this.tfCache.game_names });
       return this.tfCache;
     } catch (err) {
-      logger.error('Failed to parse Terraform state', { err, path: TF_STATE_PATH });
+      logger.error('Failed to parse Terraform state', { err });
       return null;
     }
   }

app/packages/web/src/api.ts

@@ -133,6 +133,7 @@ async function request<T>(url: string, init?: RequestInit): Promise<T> {
     unauthorizedHandler?.();
     return new Promise<T>(() => undefined);
   }
+  if (!res.ok) throw new Error(`API error ${res.status}`);
   return res.json() as Promise<T>;
 }
 

app/packages/web/src/components/CostPanel.tsx

@@ -17,13 +17,13 @@ export function CostPanel({ estimates }: Props) {
     void api.costsActual().then(setActual);
   }, []);
 
-  const maxCost = Math.max(...(actual?.daily.map((d) => d.cost) ?? [0]), 0.001);
+  const maxCost = Math.max(...(actual?.daily?.map((d) => d.cost) ?? [0]), 0.001);
 
   return (
     <div style={panelStyle}>
       <h2 style={headingStyle}>Actual Costs (7 days)</h2>
 
-      {actual?.daily.length ? (
+      {actual?.daily?.length ? (
         <>
           <div style={{ display: 'flex', alignItems: 'flex-end', gap: '3px', height: '72px', marginBottom: '0.5rem' }}>
             {actual.daily.map((d) => (

app/packages/web/src/components/DiscordPanel.tsx

@@ -24,12 +24,18 @@ const ALL_ACTIONS: DiscordAction[] = ['start', 'stop', 'status'];
  */
 export function DiscordPanel({ games }: { games: string[] }) {
   const [cfg, setCfg] = useState<DiscordConfigRedacted | null>(null);
+  const [loadError, setLoadError] = useState(false);
   const [tab, setTab] = useState<'bot' | 'guilds' | 'admins' | 'perms'>('bot');
   const [busy, setBusy] = useState(false);
 
   /** Re-fetch the (redacted) Discord config from the API after mutations. */
   async function refresh() {
-    setCfg(await api.discordConfig());
+    try {
+      setCfg(await api.discordConfig());
+      setLoadError(false);
+    } catch {
+      setLoadError(true);
+    }
   }
   useEffect(() => {
     void refresh();
@@ -39,7 +45,9 @@ export function DiscordPanel({ games }: { games: string[] }) {
     return (
       <div style={panelStyle}>
         <h2 style={headingStyle}>Discord Bot</h2>
-        <div style={{ color: 'var(--text-dim)', fontSize: '0.85rem' }}>Loading…</div>
+        <div style={{ color: 'var(--text-dim)', fontSize: '0.85rem' }}>
+          {loadError ? 'Discord config unavailable — infrastructure not deployed yet.' : 'Loading…'}
+        </div>
       </div>
     );
   }

app/scripts/embed-tfstate.mjs

@@ -0,0 +1,87 @@
+#!/usr/bin/env node
+// Reads Terraform state at build time and writes
+// app/packages/server/src/generated/tfstate.ts with the parsed state
+// embedded as a JSON literal. ConfigService imports it as a fallback when the
+// state file is not present at runtime (e.g. dev without a terraform apply).
+//
+// State resolution order:
+//   1. First CLI argument (path to a local tfstate file)
+//        node scripts/embed-tfstate.mjs /path/to/terraform.tfstate
+//   2. TF_STATE_PATH env var (path to a local tfstate file)
+//        TF_STATE_PATH=/path/to/terraform.tfstate npm run build
+//   3. Default: run `terraform state pull` from <repo-root>/terraform/
+//      This works for any backend (local file or remote S3/GCS/etc.) as long
+//      as `terraform` is on PATH and AWS credentials are available.
+
+import { readFileSync, writeFileSync, mkdirSync } from 'fs';
+import { join, resolve, dirname } from 'path';
+import { fileURLToPath } from 'url';
+import { execSync } from 'child_process';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+
+function getRepoRoot() {
+  try {
+    // --git-common-dir returns the main .git directory in both the main
+    // working tree (as a relative path) and git worktrees (as an absolute
+    // path). Resolving it against __dirname makes it absolute in both cases.
+    const commonDir = execSync('git rev-parse --git-common-dir', {
+      encoding: 'utf-8',
+      cwd: __dirname,
+    }).trim();
+    return resolve(__dirname, commonDir, '..');
+  } catch {
+    return resolve(__dirname, '../..');
+  }
+}
+
+const outDir = join(__dirname, '../packages/server/src/generated');
+const outPath = join(outDir, 'tfstate.ts');
+
+mkdirSync(outDir, { recursive: true });
+
+function writeStub(json) {
+  writeFileSync(
+    outPath,
+    `// Auto-generated by scripts/embed-tfstate.mjs — do not edit by hand\n` +
+    `export const EMBEDDED_TFSTATE: Record<string, unknown> | null = ${json};\n`,
+  );
+}
+
+function embedFromFile(filePath) {
+  const raw = JSON.parse(readFileSync(filePath, 'utf-8'));
+  writeStub(JSON.stringify(raw));
+  console.log(`[embed-tfstate] Embedded state from ${filePath}`);
+}
+
+// --- Resolution ---
+
+if (process.argv[2] || process.env.TF_STATE_PATH) {
+  const filePath = resolve(process.argv[2] ?? process.env.TF_STATE_PATH);
+  try {
+    embedFromFile(filePath);
+  } catch (err) {
+    console.error(`[embed-tfstate] Failed to read ${filePath}:`, err.message);
+    writeStub('null');
+    process.exit(1);
+  }
+  process.exit(0);
+}
+
+// Default: pull live state from the configured backend via `terraform state pull`
+const tfDir = join(getRepoRoot(), 'terraform');
+console.log(`[embed-tfstate] Running 'terraform state pull' in ${tfDir} ...`);
+try {
+  const raw = execSync('terraform state pull', {
+    encoding: 'utf-8',
+    cwd: tfDir,
+    stdio: ['inherit', 'pipe', 'inherit'],
+  });
+  const parsed = JSON.parse(raw);
+  writeStub(JSON.stringify(parsed));
+  console.log('[embed-tfstate] Embedded live Terraform state');
+} catch (err) {
+  console.warn(`[embed-tfstate] 'terraform state pull' failed — embedding null. (${err.message})`);
+  writeStub('null');
+  // Non-fatal: the server will degrade gracefully without state
+}