Production readiness: remove fake features, add tests/CI, security headers, legal pages, payment handling

- Remove fake detection features (motion/face/object recording settings, notification settings)
- Add test infrastructure with 17 tests (health, nodes, cameras, MCP keys) and CI pipeline
- Fix Swagger/Redoc access by adding /docs and /redoc to SPA middleware passthrough
- Add security headers (X-Content-Type-Options, X-Frame-Options, HSTS, Referrer-Policy, Permissions-Policy)
- Add Terms of Service and Privacy Policy pages with footer links
- Handle payment failure webhooks with in-app past-due banner
- Fix StaticPool/NullPool selection for in-memory vs file-based SQLite
- Clean up ~200 lines of dead CSS from removed features

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: Sbussiso

.github/workflows/deploy.yml

@@ -1,14 +1,35 @@
-name: Deploy
+name: Test & Deploy
 
 on:
   push:
     branches:
       - master
 
 jobs:
+  test:
+    name: Run Tests
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v4
+
+      - name: Set up Python
+        run: uv python install 3.12
+
+      - name: Install dependencies
+        working-directory: backend
+        run: uv sync --extra dev
+
+      - name: Run tests
+        working-directory: backend
+        run: uv run pytest -v
+
   deploy:
     name: Deploy to Fly.io
     runs-on: ubuntu-latest
+    needs: test
     concurrency:
       group: deploy
       cancel-in-progress: true

backend/app/api/cameras.py

@@ -9,7 +9,6 @@
 from app.schemas.schemas import (
     CameraGroupCreate,
     RecordingSettings,
-    NotificationSettings,
 )
 
 router = APIRouter(prefix="/api", tags=["api"])
@@ -211,36 +210,7 @@ async def get_all_settings(
 ):
     """Get all settings for the user's organization."""
     return {
-        "notifications": {
-            "motion_notifications": Setting.get(
-                db, user.org_id, "motion_notifications", "true"
-            )
-            == "true",
-            "face_notifications": Setting.get(
-                db, user.org_id, "face_notifications", "true"
-            )
-            == "true",
-            "object_notifications": Setting.get(
-                db, user.org_id, "object_notifications", "true"
-            )
-            == "true",
-            "toast_notifications": Setting.get(
-                db, user.org_id, "toast_notifications", "true"
-            )
-            == "true",
-        },
         "recording": {
-            "motion_recording": Setting.get(
-                db, user.org_id, "motion_recording", "false"
-            )
-            == "true",
-            "face_recording": Setting.get(db, user.org_id, "face_recording", "false")
-            == "true",
-            "object_recording": Setting.get(
-                db, user.org_id, "object_recording", "false"
-            )
-            == "true",
-            "post_buffer": int(Setting.get(db, user.org_id, "post_buffer", "5")),
             "scheduled_recording": Setting.get(
                 db, user.org_id, "scheduled_recording", "false"
             )
@@ -253,64 +223,12 @@ async def get_all_settings(
     }
 
 
-@router.get("/settings/notifications")
-async def get_notification_settings(
-    user: AuthUser = Depends(require_view), db: Session = Depends(get_db)
-):
-    """Get notification settings."""
-    return {
-        "motion_notifications": Setting.get(
-            db, user.org_id, "motion_notifications", "true"
-        )
-        == "true",
-        "face_notifications": Setting.get(db, user.org_id, "face_notifications", "true")
-        == "true",
-        "object_notifications": Setting.get(
-            db, user.org_id, "object_notifications", "true"
-        )
-        == "true",
-        "toast_notifications": Setting.get(
-            db, user.org_id, "toast_notifications", "true"
-        )
-        == "true",
-    }
-
-
-@router.post("/settings/notifications")
-async def update_notification_settings(
-    data: NotificationSettings,
-    user: AuthUser = Depends(require_admin),
-    db: Session = Depends(get_db),
-):
-    """Update notification settings. Requires admin."""
-    Setting.set(
-        db, user.org_id, "motion_notifications", str(data.motion_notifications).lower()
-    )
-    Setting.set(
-        db, user.org_id, "face_notifications", str(data.face_notifications).lower()
-    )
-    Setting.set(
-        db, user.org_id, "object_notifications", str(data.object_notifications).lower()
-    )
-    Setting.set(
-        db, user.org_id, "toast_notifications", str(data.toast_notifications).lower()
-    )
-    return {"success": True}
-
-
 @router.get("/settings/recording")
 async def get_recording_settings(
     user: AuthUser = Depends(require_view), db: Session = Depends(get_db)
 ):
     """Get recording settings."""
     return {
-        "motion_recording": Setting.get(db, user.org_id, "motion_recording", "false")
-        == "true",
-        "face_recording": Setting.get(db, user.org_id, "face_recording", "false")
-        == "true",
-        "object_recording": Setting.get(db, user.org_id, "object_recording", "false")
-        == "true",
-        "post_buffer": int(Setting.get(db, user.org_id, "post_buffer", "5")),
         "scheduled_recording": Setting.get(
             db, user.org_id, "scheduled_recording", "false"
         )
@@ -329,10 +247,6 @@ async def update_recording_settings(
     db: Session = Depends(get_db),
 ):
     """Update recording settings. Requires admin."""
-    Setting.set(db, user.org_id, "motion_recording", str(data.motion_recording).lower())
-    Setting.set(db, user.org_id, "face_recording", str(data.face_recording).lower())
-    Setting.set(db, user.org_id, "object_recording", str(data.object_recording).lower())
-    Setting.set(db, user.org_id, "post_buffer", str(data.post_buffer))
     Setting.set(
         db, user.org_id, "scheduled_recording", str(data.scheduled_recording).lower()
     )

backend/app/api/nodes.py

@@ -274,9 +274,12 @@ async def get_plan_info(
     db: Session = Depends(get_db),
 ):
     """Return the org's current plan, usage, and limits."""
+    from app.models.models import Setting
+
     limits = get_plan_limits(user.plan)
     current_nodes = db.query(CameraNode).filter_by(org_id=user.org_id).count()
     current_cameras = db.query(Camera).filter_by(org_id=user.org_id).count()
+    payment_past_due = Setting.get(db, user.org_id, "payment_past_due", "false") == "true"
     return {
         "plan": user.plan,
         "plan_name": get_plan_display_name(user.plan),
@@ -286,6 +289,7 @@ async def get_plan_info(
             "nodes": current_nodes,
             "cameras": current_cameras,
         },
+        "payment_past_due": payment_past_due,
     }
 
 

backend/app/api/webhooks.py

@@ -1,4 +1,5 @@
 import logging
+from datetime import datetime, timezone
 from fastapi import APIRouter, Request, HTTPException, status, Depends
 from sqlalchemy.orm import Session
 from svix.webhooks import Webhook, WebhookVerificationError
@@ -69,12 +70,27 @@ async def clerk_webhook(request: Request, db: Session = Depends(get_db)):
             logger.info("Org %s subscription active on plan '%s'", org_id, plan_slug)
 
     # ── Payment failure ─────────────────────────────────────────────
-    elif event_type == "subscription.pastDue":
+    elif event_type in ("subscription.pastDue", "subscriptionItem.pastDue"):
         org_id = data.get("payer", {}).get("organization_id")
         if org_id:
+            # Record past-due timestamp for grace period tracking.
+            # Clerk will retry payment via Stripe dunning. We keep current
+            # plan access during the grace period but flag the org.
+            Setting.set(db, org_id, "payment_past_due", "true")
+            past_due_at = data.get("pastDueAt") or datetime.now(tz=timezone.utc).isoformat()
+            Setting.set(db, org_id, "payment_past_due_at", str(past_due_at))
             logger.warning("Org %s subscription is past due — payment failed", org_id)
-            # Keep current limits for a grace period; Clerk will retry payment.
-            # If you want to restrict access, downgrade here.
+
+    # ── Payment attempt result ──────────────────────────────────────
+    elif event_type == "paymentAttempt.updated":
+        org_id = data.get("payer", {}).get("organization_id")
+        payment_status = data.get("status")
+        if org_id and payment_status == "paid":
+            # Payment succeeded — clear past-due flag
+            Setting.set(db, org_id, "payment_past_due", "false")
+            logger.info("Org %s payment succeeded — past-due cleared", org_id)
+        elif org_id and payment_status == "failed":
+            logger.warning("Org %s payment attempt failed", org_id)
 
     # ── Cancellation / end ──────────────────────────────────────────
     elif event_type in ("subscriptionItem.canceled", "subscriptionItem.ended"):
@@ -84,13 +100,13 @@ async def clerk_webhook(request: Request, db: Session = Depends(get_db)):
             # so the JWT pla claim will revert. Just reset member limit.
             set_org_member_limit(org_id, PLAN_MEMBER_LIMITS["free_org"])
             Setting.set(db, org_id, "org_plan", "free_org")
+            Setting.set(db, org_id, "payment_past_due", "false")
             logger.info("Org %s subscription canceled — reverted to free limits", org_id)
 
     # ── Free trial ending soon ──────────────────────────────────────
     elif event_type == "subscriptionItem.freeTrialEnding":
         org_id = data.get("payer", {}).get("organization_id")
         if org_id:
             logger.info("Org %s free trial ending in 3 days", org_id)
-            # Future: send notification email
 
     return {"received": True}

backend/app/core/database.py

@@ -1,15 +1,20 @@
 from sqlalchemy import create_engine, event
-from sqlalchemy.pool import NullPool
+from sqlalchemy.pool import NullPool, StaticPool
 from sqlalchemy.orm import sessionmaker, declarative_base
 from app.core.config import settings
 
 # NullPool: each request gets a fresh connection and releases it immediately.
 # This is the recommended approach for SQLite in async/high-concurrency apps —
 # avoids pool exhaustion when HLS segment uploads create bursts of 15+ concurrent requests.
+#
+# Exception: in-memory SQLite requires StaticPool (shared single connection)
+# so that all operations see the same database.
+_is_memory_db = settings.DATABASE_URL == "sqlite:///:memory:" or ":memory:" in settings.DATABASE_URL
+
 engine = create_engine(
     settings.DATABASE_URL,
-    connect_args={"check_same_thread": False, "timeout": 30},
-    poolclass=NullPool,
+    connect_args={"check_same_thread": False, **({} if _is_memory_db else {"timeout": 30})},
+    poolclass=StaticPool if _is_memory_db else NullPool,
 )
 
 

backend/app/main.py

@@ -21,12 +21,15 @@
 Base.metadata.create_all(bind=engine)
 
 # Migrate existing tables: add columns that create_all won't add to existing tables.
-from sqlalchemy import inspect, text
-with engine.connect() as conn:
-    columns = [c["name"] for c in inspect(engine).get_columns("stream_access_logs")]
-    if "user_email" not in columns:
-        conn.execute(text("ALTER TABLE stream_access_logs ADD COLUMN user_email VARCHAR(255) DEFAULT ''"))
-        conn.commit()
+from sqlalchemy import inspect as sa_inspect, text
+try:
+    with engine.connect() as conn:
+        columns = [c["name"] for c in sa_inspect(engine).get_columns("stream_access_logs")]
+        if "user_email" not in columns:
+            conn.execute(text("ALTER TABLE stream_access_logs ADD COLUMN user_email VARCHAR(255) DEFAULT ''"))
+            conn.commit()
+except Exception:
+    pass  # Table doesn't exist yet (fresh DB) — create_all handles it
 
 # Build the MCP ASGI app — path="/" because the mount prefix handles /mcp
 mcp_app = mcp.http_app(path="/", stateless_http=True, json_response=True)
@@ -59,10 +62,23 @@
     CORSMiddleware,
     allow_origins=cors_origins,
     allow_credentials=True,
-    allow_methods=["*"],
-    allow_headers=["*"],
+    allow_methods=["GET", "POST", "PUT", "DELETE", "OPTIONS"],
+    allow_headers=["Authorization", "Content-Type", "X-API-Key", "X-Node-API-Key"],
 )
 
+
+@app.middleware("http")
+async def security_headers(request: Request, call_next):
+    """Add security headers to all responses."""
+    response = await call_next(request)
+    response.headers["X-Content-Type-Options"] = "nosniff"
+    response.headers["X-Frame-Options"] = "DENY"
+    response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
+    response.headers["Permissions-Policy"] = "camera=(), microphone=(), geolocation=()"
+    if request.url.scheme == "https" or os.getenv("FLY_APP_NAME"):
+        response.headers["Strict-Transport-Security"] = "max-age=63072000; includeSubDomains"
+    return response
+
 # Include API routers
 app.include_router(cameras.router)
 app.include_router(webhooks.router)
@@ -129,8 +145,8 @@ async def shutdown_event():
 
     @app.middleware("http")
     async def spa_middleware(request: Request, call_next):
-        # Let API, WebSocket, and install routes pass through
-        if request.url.path.startswith(("/api", "/ws", "/install.", "/mcp-setup.")):
+        # Let API, WebSocket, install, and OpenAPI docs routes pass through
+        if request.url.path.startswith(("/api", "/ws", "/install.", "/mcp-setup.", "/docs", "/redoc", "/openapi.json")):
             return await call_next(request)
 
         # MCP endpoint: only pass POST requests (JSON-RPC) to the MCP server;

backend/app/schemas/schemas.py

@@ -9,23 +9,12 @@ class CameraGroupCreate(BaseModel):
 
 
 class RecordingSettings(BaseModel):
-    motion_recording: bool = False
-    face_recording: bool = False
-    object_recording: bool = False
-    post_buffer: int = Field(5, ge=0, le=300)
     scheduled_recording: bool = False
     scheduled_start: str = Field("06:00", max_length=5)
     scheduled_end: str = Field("17:00", max_length=5)
     continuous_24_7: bool = False
 
 
-class NotificationSettings(BaseModel):
-    motion_notifications: bool = True
-    face_notifications: bool = True
-    object_notifications: bool = True
-    toast_notifications: bool = True
-
-
 class CameraReport(BaseModel):
     camera_id: Optional[str] = Field(None, max_length=150)
     device_path: Optional[str] = Field(None, max_length=255)

backend/pyproject.toml

@@ -19,4 +19,16 @@ dependencies = [
     "slowapi>=0.1.9",
     "websockets>=12.0",
     "fastmcp>=3.0.0",
-]
+]
+
+[project.optional-dependencies]
+dev = [
+    "pytest>=8.0.0",
+    "pytest-asyncio>=0.23.0",
+    "httpx>=0.27.0",
+]
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]
+asyncio_mode = "auto"
+pythonpath = ["."]