fix: prevent test DB leakage from TestShell_BeforeNode

NewApp().Before() unconditionally overwrites shell.Config with a fresh
config using the default pgx driver, even when tests pre-set a config
with the txdb driver for isolation. This causes BeforeNode to open real
database connections, leaking keystore entries (encrypted_key_rings) to
the shared test database. Concurrent tests like Test_CSAKeyStore_E2E
then find unexpected keys and fail.

Guard config creation in app.Before() with a nil check so pre-set test
configs are preserved. Migrate TestShell_BeforeNode and
TestShell_RunNode_WithBeforeNode to heavyweight.FullTestDBV2 for proper
DB isolation between subtests while preventing leakage to other tests.

Author: Fletch153

core/cmd/app.go

@@ -80,15 +80,20 @@ func NewApp(s *Shell) *cli.App {
 		// logger instead.
 		lggr, closeFn := logger.NewLogger()
 
-		cfg, err := opts.New()
-		if err != nil {
-			return err
-		}
-
 		s.Logger = lggr
 		s.Registerer = prometheus.DefaultRegisterer // use the global DefaultRegisterer, should be safe since we only ever run one instance of the app per shell
 		s.CloseLogger = closeFn
-		s.Config = cfg
+
+		// Only create a new config from opts if one hasn't been pre-set.
+		// Tests pre-set s.Config with a txdb-wrapped driver for DB isolation;
+		// unconditionally overwriting it here causes DB writes to leak between tests.
+		if s.Config == nil {
+			cfg, err := opts.New()
+			if err != nil {
+				return err
+			}
+			s.Config = cfg
+		}
 
 		if c.Bool("json") {
 			s.Renderer = RendererJSON{Writer: os.Stdout}
@@ -122,11 +127,11 @@ func NewApp(s *Shell) *cli.App {
 
 		// Allow for initServerConfig to be called if the flag is provided.
 		if c.Bool("applyInitServerConfig") {
-			cfg, err = initServerConfig(&opts, s.configFiles, s.secretsFiles)
+			serverCfg, err := initServerConfig(&opts, s.configFiles, s.secretsFiles)
 			if err != nil {
 				return err
 			}
-			s.Config = cfg
+			s.Config = serverCfg
 		}
 
 		return nil

core/cmd/shell_local_test.go

@@ -507,6 +507,15 @@ func TestShell_RemoveBlocks(t *testing.T) {
 
 func TestShell_BeforeNode(t *testing.T) {
 	testutils.SkipShortDB(t)
+
+	// Use a dedicated test database so subtests share state without leaking
+	// data to the shared test database. The "incorrect password" subtest relies
+	// on a key ring created by the "correct password" subtest to verify that
+	// decryption fails with the wrong password.
+	cfg, _ := heavyweight.FullTestDBV2(t, func(c *chainlink.Config, s *chainlink.Secrets) {
+		c.Insecure.OCRDevelopmentMode = nil
+	})
+
 	tests := []struct {
 		name         string
 		pwdfile      string
@@ -519,14 +528,6 @@ func TestShell_BeforeNode(t *testing.T) {
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			cfg := configtest.NewGeneralConfig(t, func(c *chainlink.Config, s *chainlink.Secrets) {
-				s.Password.Keystore = models.NewSecret("dummy")
-				c.EVM[0].Nodes[0].Name = ptr("fake")
-				c.EVM[0].Nodes[0].HTTPURL = commonconfig.MustParseURL("http://fake.com")
-				c.EVM[0].Nodes[0].WSURL = commonconfig.MustParseURL("WSS://fake.com/ws")
-				c.Insecure.OCRDevelopmentMode = nil
-			})
-
 			shell := cmd.Shell{
 				Config: cfg,
 				KeyStoreAuthenticator: cmd.TerminalKeyStoreAuthenticator{
@@ -577,6 +578,13 @@ func TestShell_BeforeNode(t *testing.T) {
 }
 
 func TestShell_RunNode_WithBeforeNode(t *testing.T) {
+	// Use a dedicated test database so subtests share state without leaking
+	// data to the shared test database. The "incorrect password" subtest relies
+	// on keystore entries from prior setup to verify decryption failure.
+	cfg, db := heavyweight.FullTestDBV2(t, func(c *chainlink.Config, s *chainlink.Secrets) {
+		c.Insecure.OCRDevelopmentMode = nil
+	})
+
 	tests := []struct {
 		name        string
 		pwdfile     string
@@ -588,16 +596,6 @@ func TestShell_RunNode_WithBeforeNode(t *testing.T) {
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			cfg := configtest.NewGeneralConfig(t, func(c *chainlink.Config, s *chainlink.Secrets) {
-				s.Password.Keystore = models.NewSecret("dummy")
-				c.EVM[0].Nodes[0].Name = ptr("fake")
-				c.EVM[0].Nodes[0].HTTPURL = commonconfig.MustParseURL("http://fake.com")
-				c.EVM[0].Nodes[0].WSURL = commonconfig.MustParseURL("WSS://fake.com/ws")
-				// seems to be needed for config validate
-				c.Insecure.OCRDevelopmentMode = nil
-			})
-
-			db := pgtest.NewSqlxDB(t)
 			keyStore := cltest.NewKeyStore(t, db)
 			authProviderORM := localauth.NewORM(db, time.Minute, logger.TestLogger(t), audit.NoopLogger)