fix: runtime bugs found during first Docker run + integration tests

Bugs fixed:
- resolve_model queried non-existent admin_provider_models table (use JSONB query on admin_providers)
- key_prefix VARCHAR(10) too short for 11-char prefix (migration to VARCHAR(12))
- API key test schema missing additionalProperties: false (OpenAI strict mode)
- CSP missing font-src data: directive (PDF font embedding blocked)
- Magic link URL not logged in test mode (can't verify without real email)
- Rust 1.85 Docker image too old for dependencies (bumped to 1.88)

Tests added to prevent recurrence:
- schema_meets_openai_strict_mode_requirements: validates additionalProperties on all objects
- key_prefix_full_length_stored_in_db: verifies 11-char prefix survives DB round-trip
- generate_pipeline_resolves_model_from_admin_config: exercises full generation pipeline

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

CLAUDE.md

@@ -117,7 +117,7 @@ cd frontend && npx tsc --noEmit
 - `GET /api/v1/admin/users` — user list
 - `PUT /api/v1/admin/users/:id/role` — role management
 
-## Database (10 migrations)
+## Database (11 migrations)
 Tables: `users`, `sessions`, `magic_link_tokens`, `user_settings`, `sources`, `syntheses`, `admin_providers`, `admin_rate_limits`, `user_api_keys`, `audit_log`
 
 ## Environment Variables

backend/Dockerfile

@@ -18,28 +18,18 @@ RUN npm run build
 # ===================================================================
 # Stage 2: Build the Rust backend
 # ===================================================================
-FROM rust:1.85-bookworm AS builder
+FROM rust:1.88-bookworm AS builder
 
 WORKDIR /app
 
-# Copy manifests first for dependency caching
+# Copy manifests and source for building
 COPY backend/Cargo.toml backend/Cargo.lock ./
-
-# Create a dummy main.rs to build dependencies
-RUN mkdir src && echo "fn main() {}" > src/main.rs
-RUN cargo build --release
-RUN rm -rf src
-
-# Copy the actual source code and migrations
 COPY backend/src/ src/
 COPY backend/migrations/ migrations/
 
 # Set sqlx offline mode (no live DB needed during build)
 ENV SQLX_OFFLINE=true
 
-# Touch main.rs so cargo knows the source changed
-RUN touch src/main.rs
-
 RUN cargo build --release
 
 # ===================================================================

backend/migrations/20260322000011_widen_key_prefix.sql

@@ -0,0 +1,2 @@
+-- Widen key_prefix from VARCHAR(10) to VARCHAR(12) to fit "12345678..." (8 chars + "...")
+ALTER TABLE user_api_keys ALTER COLUMN key_prefix TYPE VARCHAR(12);

backend/src/handlers/api_keys.rs

@@ -132,7 +132,8 @@ pub async fn test_key(
                 "type": "string"
             }
         },
-        "required": ["greeting"]
+        "required": ["greeting"],
+        "additionalProperties": false
     });
 
     // Use a simple, deterministic prompt for testing

backend/src/router.rs

@@ -117,7 +117,7 @@ pub fn build_router(state: AppState, config: &AppConfig) -> Router {
         .layer(SetResponseHeaderLayer::overriding(
             HeaderName::from_static("content-security-policy"),
             HeaderValue::from_static(
-                "default-src 'self'; script-src 'self' https://challenges.cloudflare.com; style-src 'self' 'unsafe-inline'; frame-src https://challenges.cloudflare.com; img-src 'self' data:; connect-src 'self'",
+                "default-src 'self'; script-src 'self' https://challenges.cloudflare.com; style-src 'self' 'unsafe-inline'; frame-src https://challenges.cloudflare.com; img-src 'self' data:; font-src 'self' data:; connect-src 'self'",
             ),
         ));
 

backend/src/services/email.rs

@@ -90,6 +90,10 @@ pub async fn send_magic_link(
 ) -> Result<(), AppError> {
     let verify_url = format!("{}/api/v1/auth/verify?token={}", app_url, raw_token);
 
+    if api_key == TEST_API_KEY {
+        tracing::info!(to = to, url = %verify_url, "Magic link (test mode — click to verify)");
+    }
+
     let html = format!(
         r#"<!DOCTYPE html>
 <html>

backend/src/services/llm/schema.rs

@@ -52,7 +52,8 @@ pub fn build_category_schema(categories: &[String]) -> Value {
                 "description": "A concise summary of the article"
             }
         },
-        "required": ["title", "url", "summary"]
+        "required": ["title", "url", "summary"],
+        "additionalProperties": false
     });
 
     let mut properties = serde_json::Map::new();
@@ -74,7 +75,8 @@ pub fn build_category_schema(categories: &[String]) -> Value {
     serde_json::json!({
         "type": "object",
         "properties": properties,
-        "required": required
+        "required": required,
+        "additionalProperties": false
     })
 }
 
@@ -109,6 +111,10 @@ mod tests {
         let required = schema["required"].as_array().unwrap();
         assert_eq!(required.len(), 1);
         assert_eq!(required[0], "category_0");
+
+        // OpenAI strict mode: additionalProperties must be false on all objects
+        assert_eq!(schema["additionalProperties"], false);
+        assert_eq!(items["additionalProperties"], false);
     }
 
     #[test]
@@ -182,6 +188,65 @@ mod tests {
         assert!(item_required_strs.contains(&"summary"));
     }
 
+    #[test]
+    fn schema_meets_openai_strict_mode_requirements() {
+        let categories = vec!["Test".to_string(), "Other".to_string()];
+        let schema = build_category_schema(&categories);
+
+        // Every "type": "object" must have "additionalProperties": false
+        assert_eq!(
+            schema["additionalProperties"], false,
+            "Root object must have additionalProperties: false"
+        );
+        let items = &schema["properties"]["category_0"]["items"];
+        assert_eq!(
+            items["additionalProperties"], false,
+            "News item object must have additionalProperties: false"
+        );
+
+        // All properties must be listed in required
+        let props: Vec<&str> = schema["properties"]
+            .as_object()
+            .unwrap()
+            .keys()
+            .map(|k| k.as_str())
+            .collect();
+        let required: Vec<&str> = schema["required"]
+            .as_array()
+            .unwrap()
+            .iter()
+            .map(|v| v.as_str().unwrap())
+            .collect();
+        for prop in &props {
+            assert!(
+                required.contains(prop),
+                "Property '{}' must be in required array",
+                prop
+            );
+        }
+
+        // News item required fields must match properties
+        let item_props: Vec<&str> = items["properties"]
+            .as_object()
+            .unwrap()
+            .keys()
+            .map(|k| k.as_str())
+            .collect();
+        let item_required: Vec<&str> = items["required"]
+            .as_array()
+            .unwrap()
+            .iter()
+            .map(|v| v.as_str().unwrap())
+            .collect();
+        for prop in &item_props {
+            assert!(
+                item_required.contains(prop),
+                "News item property '{}' must be in required array",
+                prop
+            );
+        }
+    }
+
     #[test]
     fn schema_with_special_characters_in_category_name() {
         let categories = vec![

backend/src/services/synthesis.rs

@@ -537,12 +537,12 @@ async fn resolve_provider_and_key(
 /// Looks up the first enabled model for the provider from the admin config.
 /// Falls back to sensible defaults if no admin-configured models exist.
 async fn resolve_model(state: &AppState, provider_name: &str) -> Result<String, AppError> {
-    // Try to get the first enabled model from admin config
+    // Try to get the default model from the admin_providers JSONB models array
     let model = sqlx::query_scalar::<_, String>(
         r#"
-        SELECT model_id FROM admin_provider_models
-        WHERE provider = $1 AND enabled = true
-        ORDER BY created_at ASC
+        SELECT m->>'model_id'
+        FROM admin_providers, jsonb_array_elements(models) AS m
+        WHERE provider_name = $1 AND is_enabled = true AND (m->>'is_default')::boolean = true
         LIMIT 1
         "#,
     )

backend/tests/api_keys_test.rs

@@ -643,3 +643,45 @@ async fn test_key_with_configured_key_returns_test_result() {
         "'message' field should be a string"
     );
 }
+
+// ═══════════════════════════════════════════════════════════════════════════
+// Key Prefix DB Constraint
+// ═══════════════════════════════════════════════════════════════════════════
+
+#[tokio::test]
+async fn key_prefix_full_length_stored_in_db() {
+    if !require_test_db() {
+        eprintln!("SKIPPED: TEST_DATABASE_URL not set");
+        return;
+    }
+
+    let app = common::TestApp::new().await;
+    let (_user_id, session) = app
+        .create_authenticated_user("apikeys-prefix-db@example.com")
+        .await;
+
+    // Use a key long enough to produce max prefix length (8 chars + "..." = 11 chars)
+    let body = serde_json::json!({
+        "provider_name": "openai",
+        "api_key": "sk-proj-abcdefghijklmnopqrstuvwxyz123456"
+    });
+    let (status, resp) = app
+        .post_with_session("/api/v1/user/api-keys", &body, &session)
+        .await;
+    assert_eq!(
+        status,
+        StatusCode::OK,
+        "Storing a key with 11-char prefix (8+...) must not violate DB constraints"
+    );
+
+    let prefix = resp["key_prefix"].as_str().unwrap();
+    assert_eq!(prefix, "sk-proj-...", "key_prefix should be first 8 chars + '...'");
+
+    // Verify it round-trips through GET
+    let (list_status, list_resp) = app
+        .get_with_session("/api/v1/user/api-keys", &session)
+        .await;
+    assert_eq!(list_status, StatusCode::OK);
+    let keys = list_resp.as_array().unwrap();
+    assert_eq!(keys[0]["key_prefix"], "sk-proj-...");
+}

backend/tests/api_syntheses_test.rs

@@ -13,6 +13,7 @@
 
 mod common;
 
+use axum::body::Body;
 use axum::http::StatusCode;
 
 fn require_test_db() -> bool {
@@ -602,3 +603,97 @@ async fn generate_twice_returns_error_for_second() {
     );
     assert_eq!(resp2["error"], "bad_request");
 }
+
+// ═══════════════════════════════════════════════════════════════════════════
+// Generation Pipeline — Model Resolution
+// ═══════════════════════════════════════════════════════════════════════════
+
+/// Verify that triggering generation with a configured provider exercises
+/// the model resolution SQL query against the real database schema.
+/// The generation will fail at the LLM call (fake API key), but that confirms
+/// settings load, model resolution, provider creation, and schema building
+/// all succeed — which is the code path that had the admin_provider_models bug.
+#[tokio::test]
+async fn generate_pipeline_resolves_model_from_admin_config() {
+    if !require_test_db() {
+        eprintln!("SKIPPED: TEST_DATABASE_URL not set");
+        return;
+    }
+
+    let app = common::TestApp::new().await;
+    let (user_id, session) = app
+        .create_authenticated_user("synth-model-resolve@example.com")
+        .await;
+
+    // Configure user settings with provider and categories
+    let settings = serde_json::json!({
+        "categories": ["Test Category"],
+        "ai_provider": "openai",
+        "ai_model": "",
+        "ai_model_writing": ""
+    });
+    let (settings_status, _) = app
+        .put_with_session("/api/v1/settings", &settings, &session)
+        .await;
+    assert_eq!(settings_status, StatusCode::OK, "Settings save should succeed");
+
+    // Store a fake API key — we don't need a real one, just need to get past
+    // model resolution and into the LLM call
+    let key_body = serde_json::json!({
+        "provider_name": "openai",
+        "api_key": "sk-fake-test-key-for-model-resolution"
+    });
+    let (key_status, _) = app
+        .post_with_session("/api/v1/user/api-keys", &key_body, &session)
+        .await;
+    assert_eq!(key_status, StatusCode::OK, "API key store should succeed");
+
+    // Add a source so the pipeline has something to work with
+    let source_body = serde_json::json!({
+        "title": "Test Source",
+        "url": "https://example.com"
+    });
+    let (source_status, _) = app
+        .post_with_session("/api/v1/sources", &source_body, &session)
+        .await;
+    assert_eq!(source_status, StatusCode::OK, "Source creation should succeed");
+
+    // Trigger generation — this will run async. The key assertion is that
+    // the HTTP trigger returns 202 (not 500) and the async job doesn't crash
+    // on a database error. It will fail at the LLM API call (fake key), which
+    // is expected and fine — the model resolution path was exercised.
+    let gen_body = serde_json::json!({});
+    let (gen_status, gen_resp) = app
+        .post_with_session("/api/v1/syntheses/generate", &gen_body, &session)
+        .await;
+    assert_eq!(
+        gen_status,
+        StatusCode::ACCEPTED,
+        "Generation trigger should succeed (202)"
+    );
+    let job_id = gen_resp["job_id"].as_str().expect("should have job_id");
+
+    // Wait briefly for the async job to attempt model resolution and LLM call
+    tokio::time::sleep(std::time::Duration::from_secs(3)).await;
+
+    // Poll the progress endpoint — we expect an error from the LLM call (fake key),
+    // NOT a database error about a missing table. This confirms model resolution worked.
+    let progress_url = format!("/api/v1/syntheses/generate/{}/progress", job_id);
+    let req = axum::http::Request::builder()
+        .method(axum::http::Method::GET)
+        .uri(&progress_url)
+        .header("cookie", format!("ai_synth_session={}", session))
+        .header("x-requested-with", "XMLHttpRequest")
+        .body(Body::empty())
+        .unwrap();
+
+    let (_, progress_text, _) = app.raw_request_text(req).await;
+
+    // The SSE stream should NOT contain a database error about a missing table.
+    // It should contain an LLM-related error (fake key) instead.
+    assert!(
+        !progress_text.contains("admin_provider_models"),
+        "Generation must not reference non-existent admin_provider_models table. Got: {}",
+        progress_text
+    );
+}