DocumentDrivenDX
diff --git a/‎.ddx/beads.jsonl‎
Lines changed: 4 additions & 0 deletions b/‎.ddx/beads.jsonl‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 1 addition & 36 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 1 addition & 36 deletions
diff --git a/‎Cargo.toml‎
Lines changed: 1 addition & 1 deletion b/‎Cargo.toml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎crates/axon-cli/src/service.rs‎
Lines changed: 32 additions & 2 deletions b/‎crates/axon-cli/src/service.rs‎
Lines changed: 32 additions & 2 deletions
diff --git a/‎crates/axon-server/src/control_plane.rs‎
Lines changed: 77 additions & 1 deletion b/‎crates/axon-server/src/control_plane.rs‎
Lines changed: 77 additions & 1 deletion
diff --git a/‎crates/axon-server/src/tenant_router.rs‎
Lines changed: 87 additions & 6 deletions b/‎crates/axon-server/src/tenant_router.rs‎
Lines changed: 87 additions & 6 deletions
@@ -111,45 +111,10 @@ jobs:
   e2e-postgres:
     name: E2E (PostgreSQL)
     runs-on: ubuntu-latest
-    services:
-      postgres:
-        image: postgres:16-alpine
-        env:
-          POSTGRES_USER: axon
-          POSTGRES_PASSWORD: axon
-          POSTGRES_DB: postgres
-        ports:
-          - 5432:5432
-        options: >-
-          --health-cmd pg_isready
-          --health-interval 5s
-          --health-timeout 5s
-          --health-retries 5
-    env:
-      AXON_POSTGRES_DSN: postgresql://axon:axon@localhost:5432/postgres
     steps:
       - uses: actions/checkout@v6
       - uses: dtolnay/rust-toolchain@stable
       - uses: Swatinem/rust-cache@v2
       - uses: oven-sh/setup-bun@v2
       - run: cd ui && bun install
-      - run: cd ui && bun run build
-      - run: cargo build -p axon-cli
-      - name: Start Axon PostgreSQL E2E server
-        run: |
-          target/debug/axon serve \
-            --no-auth \
-            --storage postgres \
-            --postgres-dsn "$AXON_POSTGRES_DSN" \
-            --http-port 4171 \
-            --ui-dir ui/build > /tmp/axon-e2e.log 2>&1 &
-          echo $! > /tmp/axon-e2e.pid
-          for i in $(seq 1 60); do
-            if curl -fsS http://localhost:4171/health >/dev/null; then
-              exit 0
-            fi
-            sleep 1
-          done
-          cat /tmp/axon-e2e.log
-          exit 1
-      - run: cd ui && AXON_E2E_BASE_URL=http://host.docker.internal:4171 bun run test:e2e:postgres
+      - run: cd ui && bun run test:e2e:postgres
@@ -15,7 +15,7 @@ members = [
 resolver = "2"
 
 [workspace.package]
-version = "0.2.4"
+version = "0.2.5"
 edition = "2021"
 license = "MIT OR Apache-2.0"
 repository = "https://github.com/DocumentDrivenDX/axon"
 
@@ -65,7 +65,7 @@ After=network.target
 
 [Service]
 Type=simple
-ExecStart={binary_path} serve --no-auth --sqlite-path @SQLITE_PATH@ --control-plane-path @CONTROL_PLANE_PATH@
+ExecStart={binary_path} serve --no-auth --tls-self-signed --sqlite-path @SQLITE_PATH@ --control-plane-path @CONTROL_PLANE_PATH@
 Restart=on-failure
 RestartSec=5
 StandardOutput=journal
@@ -88,7 +88,7 @@ After=network.target
 Type=simple
 User=axon
 Group=axon
-ExecStart={binary_path} serve --no-auth --sqlite-path @SQLITE_PATH@ --control-plane-path @CONTROL_PLANE_PATH@
+ExecStart={binary_path} serve --no-auth --tls-self-signed --sqlite-path @SQLITE_PATH@ --control-plane-path @CONTROL_PLANE_PATH@
 Restart=on-failure
 RestartSec=5
 StandardOutput=journal
@@ -232,6 +232,7 @@ const LAUNCHD_PLIST_TEMPLATE: &str = r#"<?xml version="1.0" encoding="UTF-8"?>
         <string>{binary_path}</string>
         <string>serve</string>
         <string>--no-auth</string>
+        <string>--tls-self-signed</string>
         <string>--sqlite-path</string>
         <string>@SQLITE_PATH@</string>
         <string>--control-plane-path</string>
@@ -369,3 +370,32 @@ fn run_cmd(program: &str, args: &[&str]) -> Result<()> {
         anyhow::bail!("{} {} exited with {}", program, args.join(" "), status);
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn systemd_user_unit_enables_self_signed_tls() {
+        assert!(
+            SYSTEMD_USER_UNIT.contains("serve --no-auth --tls-self-signed --sqlite-path"),
+            "user systemd service must install with TLS enabled by default",
+        );
+    }
+
+    #[test]
+    fn systemd_global_unit_enables_self_signed_tls() {
+        assert!(
+            SYSTEMD_GLOBAL_UNIT.contains("serve --no-auth --tls-self-signed --sqlite-path"),
+            "global systemd service must install with TLS enabled by default",
+        );
+    }
+
+    #[test]
+    fn launchd_plist_enables_self_signed_tls() {
+        assert!(
+            LAUNCHD_PLIST_TEMPLATE.contains("<string>--tls-self-signed</string>"),
+            "launchd service must install with TLS enabled by default",
+        );
+    }
+}
@@ -160,7 +160,10 @@ impl ControlPlaneDb {
                 .execute(&self.pool),
         );
 
-        // Step 3: drop obsolete junction tables introduced in earlier schema revisions.
+        // Step 3: backfill db_name for tenants created before slugs existed.
+        self.backfill_missing_tenant_db_names()?;
+
+        // Step 4: drop obsolete junction tables introduced in earlier schema revisions.
         self.block_on(sqlx::query("DROP TABLE IF EXISTS tenant_databases").execute(&self.pool))
             .map_err(AxonError::Storage)?;
 
@@ -178,6 +181,34 @@ impl ControlPlaneDb {
         Ok(())
     }
 
+    fn backfill_missing_tenant_db_names(&self) -> Result<(), AxonError> {
+        let rows = self
+            .block_on(
+                sqlx::query(
+                    "SELECT id, name FROM tenants
+                     WHERE db_name = '' OR db_name IS NULL
+                     ORDER BY created_at",
+                )
+                .fetch_all(&self.pool),
+            )
+            .map_err(AxonError::Storage)?;
+
+        for row in rows {
+            let id: String = row.get("id");
+            let name: String = row.get("name");
+            let db_name = tenant_db_slug(&name, &id);
+            self.block_on(
+                sqlx::query("UPDATE tenants SET db_name = ? WHERE id = ?")
+                    .bind(db_name)
+                    .bind(id)
+                    .execute(&self.pool),
+            )
+            .map_err(AxonError::Storage)?;
+        }
+
+        Ok(())
+    }
+
     // -- cors_origins ----------------------------------------------------------
 
     /// List all configured CORS allowed origins.
@@ -363,6 +394,32 @@ impl ControlPlaneDb {
     }
 }
 
+fn tenant_db_slug(name: &str, id: &str) -> String {
+    let slug: String = name
+        .chars()
+        .map(|c| {
+            if c.is_alphanumeric() {
+                c.to_ascii_lowercase()
+            } else {
+                '-'
+            }
+        })
+        .collect();
+    let slug: String = slug
+        .split('-')
+        .filter(|s| !s.is_empty())
+        .collect::<Vec<_>>()
+        .join("-");
+
+    let id_prefix: String = id.chars().filter(|c| c != &'-').take(8).collect();
+
+    if slug.is_empty() {
+        format!("tenant-{id_prefix}")
+    } else {
+        format!("{slug}-{id_prefix}")
+    }
+}
+
 // ---------------------------------------------------------------------------
 // Tests
 // ---------------------------------------------------------------------------
@@ -404,6 +461,25 @@ mod tests {
         assert!(!tables.contains(&"tenant_databases".to_string()));
     }
 
+    #[test]
+    fn migrate_backfills_empty_tenant_db_names() {
+        let db = setup();
+        db.create_tenant(
+            "019d87ba-2e17-7060-8d23-bc8b0aac9c53",
+            "Nexiq",
+            "",
+            "2026-04-13T16:43:38Z",
+        )
+        .expect("create legacy tenant");
+
+        db.migrate().expect("migration should backfill db_name");
+
+        let tenant = db
+            .get_tenant("019d87ba-2e17-7060-8d23-bc8b0aac9c53")
+            .expect("tenant");
+        assert_eq!(tenant.db_name, "nexiq-019d87ba");
+    }
+
     // -- tenants ------------------------------------------------------------
 
     #[test]
 
@@ -30,6 +30,62 @@ fn logical_database_from_slug(slug: &str) -> &str {
         .unwrap_or(DEFAULT_DATABASE)
 }
 
+fn is_postgres_database_identifier(name: &str) -> bool {
+    let Some(first) = name.chars().next() else {
+        return false;
+    };
+    (first.is_ascii_alphabetic() || first == '_')
+        && name.chars().all(|c| c.is_ascii_alphanumeric() || c == '_')
+}
+
+fn stable_database_hash(name: &str) -> u64 {
+    let mut hash = 0xcbf2_9ce4_8422_2325_u64;
+    for byte in name.bytes() {
+        hash ^= u64::from(byte);
+        hash = hash.wrapping_mul(0x0000_0100_0000_01b3);
+    }
+    hash
+}
+
+fn postgres_database_key(public_name: &str) -> String {
+    if is_postgres_database_identifier(public_name) {
+        return public_name.to_owned();
+    }
+
+    let mut stem = String::new();
+    let mut last_was_separator = false;
+    for byte in public_name.bytes() {
+        let next = if byte.is_ascii_alphanumeric() {
+            char::from(byte).to_ascii_lowercase()
+        } else {
+            '_'
+        };
+
+        if next == '_' {
+            if !stem.is_empty() && !last_was_separator {
+                stem.push(next);
+            }
+            last_was_separator = true;
+        } else {
+            stem.push(next);
+            last_was_separator = false;
+        }
+
+        if stem.len() >= 39 {
+            break;
+        }
+    }
+
+    while stem.ends_with('_') {
+        stem.pop();
+    }
+    if stem.is_empty() {
+        stem.push_str("db");
+    }
+
+    format!("t_{stem}_{:016x}", stable_database_hash(public_name))
+}
+
 fn ensure_logical_database<S: StorageAdapter>(storage: &mut S, slug: &str) -> Result<(), String> {
     let database = logical_database_from_slug(slug);
     if database == DEFAULT_DATABASE {
@@ -252,27 +308,31 @@ impl TenantRouter {
 
                 let superadmin_dsn = superadmin_dsn.clone();
                 let db_name_owned = db_name.to_owned();
+                let physical_db_name = postgres_database_key(&db_name_owned);
 
                 // Provision the physical database (may already exist — that's
                 // fine, we just open a connection to it).
-                let tenant_conn_str = axon_storage::tenant_dsn(&superadmin_dsn, &db_name_owned);
+                let tenant_conn_str = axon_storage::tenant_dsn(&superadmin_dsn, &physical_db_name);
 
                 // Spawn the blocking connect on a dedicated thread so we don't
                 // block the async runtime.
                 let handler = tokio::task::spawn_blocking(move || {
                     // Attempt to provision; ignore AlreadyExists.
-                    match axon_storage::provision_postgres_database(&superadmin_dsn, &db_name_owned) {
+                    match axon_storage::provision_postgres_database(
+                        &superadmin_dsn,
+                        &physical_db_name,
+                    ) {
                         Ok(()) | Err(axon_core::error::AxonError::AlreadyExists(_)) => {}
                         Err(e) => {
                             return Err(format!(
-                                "failed to provision PostgreSQL database 'axon_{db_name_owned}': {e}"
+                                "failed to provision PostgreSQL database 'axon_{physical_db_name}' for '{db_name_owned}': {e}"
                             ))
                         }
                     }
 
                     let mut storage = PostgresStorageAdapter::connect(&tenant_conn_str).map_err(|e| {
                         format!(
-                            "failed to connect to tenant PostgreSQL database 'axon_{db_name_owned}': {e}"
+                            "failed to connect to tenant PostgreSQL database 'axon_{physical_db_name}' for '{db_name_owned}': {e}"
                         )
                     })?;
                     ensure_logical_database(&mut storage, &db_name_owned)?;
@@ -360,17 +420,18 @@ impl TenantRouter {
 
                 let superadmin_dsn = superadmin_dsn.clone();
                 let db_name_owned = db_name.to_owned();
+                let physical_db_name = postgres_database_key(&db_name_owned);
 
                 tokio::task::spawn_blocking(move || {
                     match axon_storage::deprovision_postgres_database(
                         &superadmin_dsn,
-                        &db_name_owned,
+                        &physical_db_name,
                     ) {
                         Ok(()) => Ok(()),
                         // Already gone — treat as success.
                         Err(axon_core::error::AxonError::NotFound(_)) => Ok(()),
                         Err(e) => Err(format!(
-                            "failed to drop PostgreSQL database 'axon_{db_name_owned}': {e}"
+                            "failed to drop PostgreSQL database 'axon_{physical_db_name}' for '{db_name_owned}': {e}"
                         )),
                     }
                 })
@@ -402,6 +463,26 @@ mod tests {
         TenantRouter::new(tmp.to_path_buf(), default_handler)
     }
 
+    #[test]
+    fn postgres_database_key_preserves_valid_identifiers() {
+        assert_eq!(postgres_database_key("tenant_123"), "tenant_123");
+    }
+
+    #[test]
+    fn postgres_database_key_maps_public_slugs_to_safe_identifiers() {
+        let public = "e2e-smoke-mo7zvzze-019dadd5:first";
+        let key = postgres_database_key(public);
+
+        assert_ne!(key, public);
+        assert!(is_postgres_database_identifier(&key));
+        assert!(key.len() <= 58);
+        assert_eq!(key, postgres_database_key(public));
+        assert_ne!(
+            key,
+            postgres_database_key("e2e-smoke-mo7zvzze-019dadd5:second")
+        );
+    }
+
     #[tokio::test(flavor = "multi_thread")]
     async fn get_or_create_default_returns_default_handler() {
         let tmp = tempfile::tempdir().expect("tempdir");