fix: harden DB/Redis setup with escaping, auth, login probes, and SQLite schema

- Add shDq() helper and apply it to all values embedded in shell double-quoted
  strings, preventing $ and backtick injection in generated setup commands
- Fix Redis sed delimiter bug: replace s/.../.../ with delete-then-append so
  passwords containing / no longer break the sed pattern
- MongoDB: enable security.authorization in mongod.conf when a password is
  provided; skip user creation (was silently failing with || true) when no
  password is given, as SCRAM auth requires pwd
- Add post-setup login probes for Postgres, MySQL, MongoDB, and Redis when a
  password is configured, so credential typos surface at setup time rather
  than at runtime
- Replace DatabaseConfig flat interface with a discriminated union
  (SqliteDatabaseConfig | NetworkDatabaseConfig): SQLite only requires name,
  network DBs get min(1) validation on host/name/user, and port: 0 workaround
  in init.ts is removed
- Replace unreachable return 'true' SQLite fallthrough with throw
- Export buildDbSetupCommand and buildRedisSetupCommand and add 18 unit tests
  covering each DB type, password presence, login probe inclusion, the /
  regression, and $ escaping

Author: devalade

src/cli/commands/backup.ts

@@ -82,16 +82,18 @@ export async function cmdBackupSetup(
         process.exit(1);
       }
 
+      const db = config.database;
+      const netDb = db && db.type !== 'sqlite' ? db : undefined;
       const script = buildBackupScript({
         remotePath: config.remotePath,
         s3Bucket,
         s3Prefix,
         s3Endpoint,
-        dbType: config.database?.type,
-        dbName: config.database?.name,
-        dbUser: config.database?.user,
-        dbHost: config.database?.host,
-        dbPort: config.database?.port,
+        dbType: db?.type,
+        dbName: db?.name,
+        dbUser: netDb?.user,
+        dbHost: netDb?.host,
+        dbPort: netDb?.port,
       });
 
       const b64 = Buffer.from(script).toString('base64');

src/cli/commands/config.ts

@@ -61,13 +61,12 @@ export async function cmdConfigShow(cwd: string, options: { config?: string }):
       }
 
       if (config.database) {
-        ui.section('Database', [
-          ['type', config.database.type],
-          ['host', config.database.host],
-          ['port', String(config.database.port)],
-          ['name', config.database.name],
-          ['user', config.database.user],
-        ]);
+        const db = config.database;
+        const rows: [string, string][] = [['type', db.type], ['name', db.name]];
+        if (db.type !== 'sqlite') {
+          rows.push(['host', db.host], ['port', String(db.port)], ['user', db.user]);
+        }
+        ui.section('Database', rows);
       }
     },
     { configPath: options.config },

src/cli/commands/init.ts

@@ -418,7 +418,7 @@ function generateConfig(opts: ConfigOptions): string {
 
   if (opts.dbType) {
     if (opts.dbType === 'sqlite') {
-      lines.push(`  .database({ type: 'sqlite', host: 'localhost', port: 0, name: '${opts.dbName ?? './data.db'}', user: '' })`);
+      lines.push(`  .database({ type: 'sqlite', name: '${opts.dbName ?? './data.db'}' })`);
     } else {
       const dbOpts = [
         `type: '${opts.dbType}'`,

src/cli/commands/setup.ts

@@ -111,60 +111,86 @@ function sh(s: string): string {
   return s.replace(/'/g, "'\"'\"'");
 }
 
-function buildDbSetupCommand(db: DatabaseConfig): string {
+function shDq(s: string): string {
+  return s.replace(/\\/g, '\\\\').replace(/"/g, '\\"').replace(/\$/g, '\\$').replace(/`/g, '\\`');
+}
+
+export function buildDbSetupCommand(db: DatabaseConfig): string {
+  if (db.type === 'sqlite') {
+    throw new Error(`buildDbSetupCommand called for sqlite — caller should guard against this`);
+  }
+
   // preamble uses ';' so the conditional SUDO/PG_RUN assignments don't break
   // the '&&' chain when running as root (EUID=0 makes [ -ne 0 ] exit 1)
   const preamble = 'SUDO=""; [ "$EUID" -ne 0 ] && SUDO="sudo"; PG_RUN="runuser -u postgres --"; [ "$EUID" -ne 0 ] && PG_RUN="sudo -u postgres"';
 
   if (db.type === 'postgres') {
+    const userDq = shDq(db.user);
+    const nameDq = shDq(db.name);
     const createUser = db.password
-      ? `$PG_RUN psql -c "CREATE USER \\"${sh(db.user)}\\" WITH PASSWORD '${sh(db.password)}';" 2>/dev/null || true`
-      : `$PG_RUN psql -c "CREATE USER \\"${sh(db.user)}\\";" 2>/dev/null || true`;
+      ? `$PG_RUN psql -c "CREATE USER \\"${userDq}\\" WITH PASSWORD '${shDq(db.password)}';" 2>/dev/null || true`
+      : `$PG_RUN psql -c "CREATE USER \\"${userDq}\\";" 2>/dev/null || true`;
     const commands = [
       '$SUDO apt-get install -y postgresql postgresql-contrib',
       '$SUDO systemctl enable postgresql',
       '$SUDO systemctl start postgresql',
       createUser,
-      `$PG_RUN psql -tc "SELECT 1 FROM pg_database WHERE datname='${sh(db.name)}'" | grep -q 1 || $PG_RUN createdb -O "${sh(db.user)}" "${sh(db.name)}"`,
+      `$PG_RUN psql -tc "SELECT 1 FROM pg_database WHERE datname='${nameDq}'" | grep -q 1 || $PG_RUN createdb -O "${userDq}" "${nameDq}"`,
     ];
+    if (db.password) {
+      commands.push(`PGPASSWORD='${sh(db.password)}' psql -h localhost -U '${sh(db.user)}' -d '${sh(db.name)}' -c "SELECT 1" > /dev/null`);
+    }
     return `${preamble}; ${commands.join(' && ')}`;
   }
 
   if (db.type === 'mysql') {
-    const pwClause = db.password ? `IDENTIFIED BY '${sh(db.password)}'` : '';
+    const userDq = shDq(db.user);
+    const nameDq = shDq(db.name);
+    const pwClause = db.password ? `IDENTIFIED BY '${shDq(db.password)}'` : '';
     const commands = [
       '$SUDO apt-get install -y mysql-server',
       '$SUDO systemctl enable mysql',
       '$SUDO systemctl start mysql',
-      `$SUDO mysql -e "CREATE USER IF NOT EXISTS '${sh(db.user)}'@'localhost' ${pwClause};"`,
-      `$SUDO mysql -e "CREATE DATABASE IF NOT EXISTS \\\`${sh(db.name)}\\\`;"`,
-      `$SUDO mysql -e "GRANT ALL PRIVILEGES ON \\\`${sh(db.name)}\\\`.* TO '${sh(db.user)}'@'localhost';"`,
+      `$SUDO mysql -e "CREATE USER IF NOT EXISTS '${userDq}'@'localhost' ${pwClause};"`,
+      `$SUDO mysql -e "CREATE DATABASE IF NOT EXISTS \\\`${nameDq}\\\`;"`,
+      `$SUDO mysql -e "GRANT ALL PRIVILEGES ON \\\`${nameDq}\\\`.* TO '${userDq}'@'localhost';"`,
       `$SUDO mysql -e "FLUSH PRIVILEGES;"`,
     ];
+    if (db.password) {
+      commands.push(`MYSQL_PWD='${sh(db.password)}' mysql -h 127.0.0.1 -u '${sh(db.user)}' '${sh(db.name)}' -e "SELECT 1" > /dev/null`);
+    }
     return `${preamble}; ${commands.join(' && ')}`;
   }
 
   if (db.type === 'mongodb') {
-    const createUser = db.password
-      ? `mongosh "${sh(db.name)}" --eval "db.createUser({user:'${sh(db.user)}',pwd:'${sh(db.password)}',roles:[{role:'readWrite',db:'${sh(db.name)}'}]})" 2>/dev/null || true`
-      : `mongosh "${sh(db.name)}" --eval "db.createUser({user:'${sh(db.user)}',roles:[{role:'readWrite',db:'${sh(db.name)}'}]})" 2>/dev/null || true`;
-    const commands = [
+    const installCmd =
       'if ! command -v mongod &>/dev/null; then ' +
         'curl -fsSL https://www.mongodb.org/static/pgp/server-7.0.asc | $SUDO gpg --dearmor -o /usr/share/keyrings/mongodb-server-7.0.gpg; ' +
         'echo "deb [ arch=amd64,arm64 signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg ] https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/7.0 multiverse" | $SUDO tee /etc/apt/sources.list.d/mongodb-org-7.0.list; ' +
         '$SUDO apt-get update -qq && $SUDO apt-get install -y mongodb-org; ' +
-      'fi',
+      'fi';
+    const commands = [
+      installCmd,
       '$SUDO systemctl enable mongod',
       '$SUDO systemctl start mongod',
-      createUser,
     ];
+    if (db.password) {
+      const nameDq = shDq(db.name);
+      const userDq = shDq(db.user);
+      const pwdDq = shDq(db.password);
+      commands.push(
+        `if ! grep -q "authorization: enabled" /etc/mongod.conf 2>/dev/null; then echo -e "\\nsecurity:\\n  authorization: enabled" | $SUDO tee -a /etc/mongod.conf > /dev/null && $SUDO systemctl restart mongod; fi`,
+        `mongosh "${nameDq}" --eval "db.createUser({user:'${userDq}',pwd:'${pwdDq}',roles:[{role:'readWrite',db:'${nameDq}'}]})" 2>/dev/null || true`,
+        `mongosh --host localhost '${sh(db.name)}' -u '${sh(db.user)}' -p '${sh(db.password)}' --authenticationDatabase '${sh(db.name)}' --eval "db.runCommand({ping:1})" --quiet > /dev/null`,
+      );
+    }
     return `${preamble}; ${commands.join(' && ')}`;
   }
 
-  return 'true';
+  throw new Error(`Unsupported database type: ${(db as DatabaseConfig).type}`);
 }
 
-function buildRedisSetupCommand(redis: RedisConfig): string {
+export function buildRedisSetupCommand(redis: RedisConfig): string {
   const preamble = 'SUDO=""; [ "$EUID" -ne 0 ] && SUDO="sudo"';
   const parts = [
     '$SUDO apt-get install -y redis-server',
@@ -174,9 +200,10 @@ function buildRedisSetupCommand(redis: RedisConfig): string {
 
   if (redis.password) {
     parts.push(
-      `$SUDO sed -i "s/^# requirepass .*/requirepass ${sh(redis.password)}/" /etc/redis/redis.conf`,
-      `grep -q "^requirepass" /etc/redis/redis.conf || echo "requirepass ${sh(redis.password)}" | $SUDO tee -a /etc/redis/redis.conf > /dev/null`,
+      `$SUDO sed -i '/^#* *requirepass/d' /etc/redis/redis.conf`,
+      `echo "requirepass ${shDq(redis.password)}" | $SUDO tee -a /etc/redis/redis.conf > /dev/null`,
       '$SUDO systemctl restart redis-server',
+      `redis-cli -h localhost -p ${redis.port} -a '${sh(redis.password)}' PING > /dev/null 2>&1`,
     );
   }
 

src/config/schema.ts

@@ -28,14 +28,20 @@ export const HealthCheckConfigSchema = z.object({
   startupDelay: z.number().int().min(0).default(3),
 }).default({});
 
-export const DatabaseConfigSchema = z.object({
-  type: z.enum(['postgres', 'mysql', 'sqlite', 'mongodb']),
-  host: z.string(),
+const networkDbFields = {
+  host: z.string().min(1, 'Database host is required'),
   port: z.number().int().min(1).max(65535),
-  name: z.string(),
-  user: z.string(),
+  name: z.string().min(1, 'Database name is required'),
+  user: z.string().min(1, 'Database user is required'),
   password: z.string().optional(),
-}).optional();
+};
+
+export const DatabaseConfigSchema = z.discriminatedUnion('type', [
+  z.object({ type: z.literal('sqlite'), name: z.string().min(1, 'SQLite file path is required') }),
+  z.object({ type: z.literal('postgres'), ...networkDbFields }),
+  z.object({ type: z.literal('mysql'), ...networkDbFields }),
+  z.object({ type: z.literal('mongodb'), ...networkDbFields }),
+]).optional();
 
 export const RedisConfigSchema = z.object({
   host: z.string().default('localhost'),

src/shared/types.ts

@@ -4,6 +4,20 @@ export type PkgManager = 'npm' | 'yarn' | 'pnpm' | 'bun';
 
 export type DatabaseType = 'postgres' | 'mysql' | 'sqlite' | 'mongodb';
 
+export interface SqliteDatabaseConfig {
+  type: 'sqlite';
+  name: string;
+}
+
+export interface NetworkDatabaseConfig {
+  type: 'postgres' | 'mysql' | 'mongodb';
+  host: string;
+  port: number;
+  name: string;
+  user: string;
+  password?: string;
+}
+
 export interface SshConfig {
   host: string;
   user: string;
@@ -31,14 +45,7 @@ export interface HealthCheckConfig {
   startupDelay: number;
 }
 
-export interface DatabaseConfig {
-  type: DatabaseType;
-  host: string;
-  port: number;
-  name: string;
-  user: string;
-  password?: string;
-}
+export type DatabaseConfig = SqliteDatabaseConfig | NetworkDatabaseConfig;
 
 export interface RedisConfig {
   host: string;

tests/unit/setup.test.ts

@@ -0,0 +1,115 @@
+import { describe, it, expect } from 'vitest';
+import { buildDbSetupCommand, buildRedisSetupCommand } from '../../src/cli/commands/setup.js';
+
+describe('buildDbSetupCommand', () => {
+  it('postgres: installs, creates user and db', () => {
+    const cmd = buildDbSetupCommand({ type: 'postgres', host: 'localhost', port: 5432, name: 'mydb', user: 'myuser' });
+    expect(cmd).toContain('apt-get install -y postgresql postgresql-contrib');
+    expect(cmd).toContain('systemctl enable postgresql');
+    expect(cmd).toContain('CREATE USER \\"myuser\\"');
+    expect(cmd).toContain("datname='mydb'");
+    expect(cmd).toContain('createdb -O "myuser" "mydb"');
+  });
+
+  it('postgres: includes password in createUser when provided', () => {
+    const cmd = buildDbSetupCommand({ type: 'postgres', host: 'localhost', port: 5432, name: 'mydb', user: 'myuser', password: 'secret' });
+    expect(cmd).toContain("WITH PASSWORD 'secret'");
+  });
+
+  it('postgres: adds login probe when password is provided', () => {
+    const cmd = buildDbSetupCommand({ type: 'postgres', host: 'localhost', port: 5432, name: 'mydb', user: 'myuser', password: 'secret' });
+    expect(cmd).toContain("PGPASSWORD='secret' psql -h localhost -U 'myuser' -d 'mydb'");
+  });
+
+  it('postgres: no login probe without password', () => {
+    const cmd = buildDbSetupCommand({ type: 'postgres', host: 'localhost', port: 5432, name: 'mydb', user: 'myuser' });
+    expect(cmd).not.toContain('PGPASSWORD');
+  });
+
+  it('postgres: escapes $ in user/name with shDq to prevent shell expansion', () => {
+    const cmd = buildDbSetupCommand({ type: 'postgres', host: 'localhost', port: 5432, name: '$mydb', user: '$myuser', password: 'p' });
+    expect(cmd).toContain('\\$myuser');
+    expect(cmd).toContain('\\$mydb');
+  });
+
+  it('mysql: installs, creates user and db', () => {
+    const cmd = buildDbSetupCommand({ type: 'mysql', host: 'localhost', port: 3306, name: 'mydb', user: 'myuser' });
+    expect(cmd).toContain('apt-get install -y mysql-server');
+    expect(cmd).toContain("CREATE USER IF NOT EXISTS 'myuser'@'localhost'");
+    expect(cmd).toContain('CREATE DATABASE IF NOT EXISTS');
+    expect(cmd).toContain("GRANT ALL PRIVILEGES ON");
+    expect(cmd).toContain('FLUSH PRIVILEGES');
+  });
+
+  it('mysql: adds login probe when password is provided', () => {
+    const cmd = buildDbSetupCommand({ type: 'mysql', host: 'localhost', port: 3306, name: 'mydb', user: 'myuser', password: 'secret' });
+    expect(cmd).toContain("MYSQL_PWD='secret' mysql -h 127.0.0.1 -u 'myuser' 'mydb'");
+  });
+
+  it('mysql: no login probe without password', () => {
+    const cmd = buildDbSetupCommand({ type: 'mysql', host: 'localhost', port: 3306, name: 'mydb', user: 'myuser' });
+    expect(cmd).not.toContain('MYSQL_PWD');
+  });
+
+  it('mongodb: installs and starts mongod', () => {
+    const cmd = buildDbSetupCommand({ type: 'mongodb', host: 'localhost', port: 27017, name: 'mydb', user: 'myuser' });
+    expect(cmd).toContain('command -v mongod');
+    expect(cmd).toContain('mongodb-org');
+    expect(cmd).toContain('systemctl enable mongod');
+    expect(cmd).toContain('systemctl start mongod');
+  });
+
+  it('mongodb: enables auth and creates user when password provided', () => {
+    const cmd = buildDbSetupCommand({ type: 'mongodb', host: 'localhost', port: 27017, name: 'mydb', user: 'myuser', password: 'secret' });
+    expect(cmd).toContain('authorization: enabled');
+    expect(cmd).toContain("db.createUser({user:'myuser',pwd:'secret'");
+  });
+
+  it('mongodb: adds login probe when password provided', () => {
+    const cmd = buildDbSetupCommand({ type: 'mongodb', host: 'localhost', port: 27017, name: 'mydb', user: 'myuser', password: 'secret' });
+    expect(cmd).toContain("mongosh --host localhost 'mydb' -u 'myuser' -p 'secret'");
+  });
+
+  it('mongodb: no auth or user creation without password', () => {
+    const cmd = buildDbSetupCommand({ type: 'mongodb', host: 'localhost', port: 27017, name: 'mydb', user: 'myuser' });
+    expect(cmd).not.toContain('authorization');
+    expect(cmd).not.toContain('createUser');
+  });
+
+  it('throws for sqlite', () => {
+    expect(() => buildDbSetupCommand({ type: 'sqlite', name: './data.db' })).toThrow();
+  });
+});
+
+describe('buildRedisSetupCommand', () => {
+  it('installs and starts redis', () => {
+    const cmd = buildRedisSetupCommand({ host: 'localhost', port: 6379 });
+    expect(cmd).toContain('apt-get install -y redis-server');
+    expect(cmd).toContain('systemctl enable redis-server');
+    expect(cmd).toContain('systemctl start redis-server');
+    expect(cmd).not.toContain('requirepass');
+  });
+
+  it('sets requirepass and restarts when password provided', () => {
+    const cmd = buildRedisSetupCommand({ host: 'localhost', port: 6379, password: 'secret' });
+    expect(cmd).toContain('requirepass secret');
+    expect(cmd).toContain('systemctl restart redis-server');
+  });
+
+  it('adds login probe when password provided', () => {
+    const cmd = buildRedisSetupCommand({ host: 'localhost', port: 6379, password: 'secret' });
+    expect(cmd).toContain("redis-cli -h localhost -p 6379 -a 'secret' PING");
+  });
+
+  it('does not use / as sed delimiter — password with slash must not break sed', () => {
+    const cmd = buildRedisSetupCommand({ host: 'localhost', port: 6379, password: 'pass/word' });
+    // Old code used s/.../.../ which breaks on /; new code deletes and appends instead
+    expect(cmd).not.toMatch(/sed -i "s\//);
+    expect(cmd).toContain('requirepass pass/word');
+  });
+
+  it('escapes $ in password to prevent shell expansion', () => {
+    const cmd = buildRedisSetupCommand({ host: 'localhost', port: 6379, password: '$ecret' });
+    expect(cmd).toContain('\\$ecret');
+  });
+});