Bug-Squash/'Works-on-my-machine' - 4 PRDs in one PR :( 👎

.github/workflows/ci.yml

@@ -83,6 +83,8 @@ jobs:
       TEST_DB_HOST: 127.0.0.1
       TEST_DB_USER: tldw
       TEST_DB_PASSWORD: tldw
+      # Align AuthNZ_Postgres conftest default DB name with service DB
+      TEST_DB_NAME: tldw_content
       TLDW_TEST_POSTGRES_REQUIRED: '1'
     steps:
       - name: Checkout
@@ -115,6 +117,9 @@ jobs:
         run: |
           echo "POSTGRES_TEST_PORT=${{ job.services.postgres.ports[5432] }}" >> "$GITHUB_ENV"
           echo "TEST_DB_PORT=${{ job.services.postgres.ports[5432] }}" >> "$GITHUB_ENV"
+          # Provide a unified DSN so any test preferring TEST_DATABASE_URL uses the right DB
+          echo "TEST_DATABASE_URL=postgresql://tldw:[email protected]:${{ job.services.postgres.ports[5432] }}/tldw_content" >> "$GITHUB_ENV"
+          echo "DATABASE_URL=postgresql://tldw:[email protected]:${{ job.services.postgres.ports[5432] }}/tldw_content" >> "$GITHUB_ENV"
 
       - name: Install additional deps for PG tests
         run: |

.github/workflows/codeql.yml

@@ -1,12 +1,20 @@
 name: CodeQL
 
 on:
+  # Run on direct pushes to protected/default branches only
   push:
-    branches: [ main, master, dev ]
+    branches: [ main, master ]
+  # Run on PRs targeting main/master/dev, not every branch
   pull_request:
-    branches: [ '**' ]
+    branches: [ main, master, dev ]
   schedule:
     - cron: '0 6 * * 1'
+  # Allow manual runs
+  workflow_dispatch:
+
+concurrency:
+  group: codeql-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
 
 jobs:
   analyze:

.github/workflows/sbom.yml

@@ -21,40 +21,79 @@ jobs:
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+
+      - name: Generate Python SBOM (CycloneDX)
+        run: |
+          python -m pip install -q cyclonedx-bom
+          if [ -f tldw_Server_API/requirements.txt ]; then \
+            python -m cyclonedx_bom -r tldw_Server_API/requirements.txt -o sbom-python.cdx.json; \
+          elif [ -f requirements.txt ]; then \
+            python -m cyclonedx_bom -r requirements.txt -o sbom-python.cdx.json; \
+          else \
+            echo "No requirements file found; cannot generate SBOM"; \
+            exit 1; \
+          fi
 
-      # No registry login required for public Docker Hub images used below
       - name: Setup Node
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v4
         with:
           node-version: '20'
 
-      - name: Generate Python SBOM from pyproject (cdxgen)
+      - name: Generate Node SBOM (CycloneDX NPM)
         run: |
-          if [ -f pyproject.toml ]; then \
-            npx @appthreat/cdxgen -t python -o sbom-python.cdx.json; \
+          if [ -f package-lock.json ]; then \
+            npx -y @cyclonedx/cyclonedx-npm --output-file sbom-node.cdx.json; \
+          elif [ -f tldw-frontend/package-lock.json ]; then \
+            (cd tldw-frontend && npx -y @cyclonedx/cyclonedx-npm --output-file ../sbom-node.cdx.json); \
+          else \
+            echo "No package-lock.json found; skipping Node SBOM"; \
           fi
 
-      - name: Generate SBOM (CycloneDX JSON)
-        uses: anchore/sbom-action@8e94d75ddd33f69f691467e42275782e4bfefe84 # v0.20.9
+      - name: Resolve CycloneDX CLI digest
+        run: |
+          set -euo pipefail
+          ref="ghcr.io/cyclonedx/cyclonedx-cli:0.30.0"
+          echo "Resolving digest for ${ref}"
+          # Prefer buildx imagetools; fallback to manifest inspect if needed
+          if docker buildx imagetools inspect "$ref" >/dev/null 2>&1; then \
+            digest=$(docker buildx imagetools inspect "$ref" | awk '/^Digest:/ {print $2; exit}'); \
+          else \
+            digest=$(docker manifest inspect "$ref" | jq -r '.manifests[0].digest' || true); \
+          fi
+          if [ -z "${digest:-}" ] || ! echo "$digest" | grep -Eq '^sha256:[0-9a-f]{64}$'; then \
+            echo "Failed to resolve digest for $ref"; \
+            exit 1; \
+          fi
+          echo "CDX_CLI_DIGEST=$digest" >> "$GITHUB_ENV"
+          echo "Resolved digest: $digest"
+
+      - name: Merge SBOMs (CycloneDX CLI)
+        run: |
+          if [ -f sbom-python.cdx.json ] && [ -f sbom-node.cdx.json ]; then \
+            docker run --rm -v "$PWD":/work -w /work ghcr.io/cyclonedx/cyclonedx-cli@${CDX_CLI_DIGEST} \
+              merge --input-files sbom-python.cdx.json sbom-node.cdx.json --output-file sbom.cdx.json; \
+          elif [ -f sbom-python.cdx.json ]; then \
+            cp sbom-python.cdx.json sbom.cdx.json; \
+          elif [ -f sbom-node.cdx.json ]; then \
+            cp sbom-node.cdx.json sbom.cdx.json; \
+          else \
+            echo "No SBOMs generated"; \
+            exit 1; \
+          fi
+
+      - name: Upload SBOM artifact
+        uses: actions/upload-artifact@v4
         with:
-          path: .
-          format: cyclonedx-json
-          output-file: sbom.cdx.json
-          upload-artifact: true
-          artifact-name: sbom-cyclonedx
-
-      - name: Validate SBOM (CycloneDX CLI - pinned)
-        id: validate_cli_pinned
+          name: sbom-cyclonedx
+          path: sbom.cdx.json
+
+      - name: Validate SBOM (CycloneDX CLI - pinned digest)
         if: ${{ hashFiles('sbom.cdx.json') != '' }}
         continue-on-error: true
-        uses: docker://cyclonedx/cyclonedx-cli:0.30.0
-        with:
-          args: >-
-            validate --input-file sbom.cdx.json
-
-      - name: Validate SBOM (CycloneDX CLI - pinned fallback)
-        if: ${{ hashFiles('sbom.cdx.json') != '' && steps.validate_cli_pinned.outcome == 'failure' }}
-        uses: docker://cyclonedx/cyclonedx-cli:0.29.1
-        with:
-          args: >-
+        run: |
+          docker run --rm -v "$PWD":/work -w /work ghcr.io/cyclonedx/cyclonedx-cli@${CDX_CLI_DIGEST} \
             validate --input-file sbom.cdx.json

sbom/Makefile

@@ -1,5 +1,9 @@
 # Simple SBOM generation helpers
 
+# CycloneDX CLI reference. Override with a digest for pinning:
+#   make CDX_CLI_REF=ghcr.io/cyclonedx/cyclonedx-cli@sha256:<digest>
+CDX_CLI_REF ?= ghcr.io/cyclonedx/cyclonedx-cli:0.30.0
+
 PY ?= python3
 NPM ?= npm
 
@@ -32,7 +36,7 @@ sbom:
 	done; \
 	if [ -n "$$files" ]; then \
 			if command -v docker >/dev/null 2>&1; then \
-				docker run --rm -v "$$PWD":/work -w /work cyclonedx/cyclonedx-cli:0.30.0 merge --input-files $$files --output-file sbom/sbom.cdx.json \
+				docker run --rm -v "$$PWD":/work -w /work $(CDX_CLI_REF) merge --input-files $$files --output-file sbom/sbom.cdx.json \
 					|| cp sbom/sbom-python.cdx.json sbom/sbom.cdx.json || true; \
 		elif command -v cyclonedx-cli >/dev/null 2>&1; then \
 			cyclonedx-cli merge --input-files $$files --output-file sbom/sbom.cdx.json || cp sbom/sbom-python.cdx.json sbom/sbom.cdx.json || true; \
@@ -50,7 +54,7 @@ sbom-validate:
 	@echo "==> Validating SBOM (if present)"
 	@if [ -f sbom/sbom.cdx.json ]; then \
 			if command -v docker >/dev/null 2>&1; then \
-				docker run --rm -v "$$PWD":/work -w /work cyclonedx/cyclonedx-cli:0.30.0 validate --input-file sbom/sbom.cdx.json || true; \
+				docker run --rm -v "$$PWD":/work -w /work $(CDX_CLI_REF) validate --input-file sbom/sbom.cdx.json || true; \
 		elif command -v cyclonedx-cli >/dev/null 2>&1; then \
 			cyclonedx-cli validate --input-file sbom/sbom.cdx.json || true; \
 		else \

sbom/README.md

@@ -10,7 +10,7 @@ Generate locally
 - Run: make sbom
 
 Artifacts:
-- sbom-python.cdx.json - Python deps from pyproject.toml (cdxgen) or requirements.txt fallback
+- sbom-python.cdx.json - Python deps from requirements.txt (cyclonedx-bom)
 - sbom-frontend.cdx.json - Node deps (if package-lock.json present)
 - sbom.cdx.json - merged SBOM (if both present)
 
@@ -20,10 +20,9 @@ Validate and scan:
 
 Notes
 -----
-- When pyproject.toml is present, the Makefile uses cdxgen to generate a Python SBOM without installing dependencies.
-- If you prefer environment-resolved versions, create a venv (e.g., via uv sync) and run:
-  - python -m pip install cyclonedx-py cyclonedx-cli
-  - cyclonedx-py -e -o sbom/sbom-python.cdx.json
+- Python SBOMs are generated via the official CycloneDX Python CLI:
+  - python -m pip install cyclonedx-bom
+  - cyclonedx-bom -r tldw_Server_API/requirements.txt -o sbom/sbom-python.cdx.json
 - For container/OS-level SBOMs, consider using syft:
   - syft dir:. -o cyclonedx-json=sbom/sbom-syft.cdx.json
   - syft <image> -o cyclonedx-json=sbom/sbom-image.cdx.json

tldw_Server_API/app/api/v1/endpoints/jobs_admin.py

@@ -777,6 +777,10 @@ async def ttl_sweep_endpoint(
     user=Depends(require_admin),
 ) -> TTLSweepResponse:
     try:
+        # Correlation IDs and diagnostics
+        from tldw_Server_API.app.core.Logging.log_context import get_ps_logger, ensure_request_id, ensure_traceparent
+        rid = ensure_request_id(request)
+        tp = ensure_traceparent(request)
         # Pre-parse raw to enforce RBAC and confirm header before validation
         try:
             raw = await request.json()
@@ -805,20 +809,43 @@ async def ttl_sweep_endpoint(
         jm = JobManager(backend=backend, db_url=db_url)
         # Now validate the request model
         req = TTLSweepRequest(**(raw or {}))
+        # Capture a single reference time to avoid boundary drift between age/runtime calculations
+        try:
+            from datetime import datetime, timezone as _tz
+            ref_now = datetime.now(tz=_tz.utc)
+        except Exception:
+            ref_now = None
+        # Diagnostics before executing
+        try:
+            get_ps_logger(request_id=rid, ps_component="endpoint", ps_job_kind="jobs").info(
+                "TTL sweep request: action=%s domain=%s queue=%s job_type=%s age=%s runtime=%s backend=%s ref_now=%s",
+                req.action, req.domain, req.queue, req.job_type, req.age_seconds, req.runtime_seconds, (backend or "sqlite"), str(ref_now) if ref_now else ""
+            )
+        except Exception:
+            pass
         affected = jm.apply_ttl_policies(
             age_seconds=req.age_seconds,
             runtime_seconds=req.runtime_seconds,
             action=req.action,
             domain=req.domain,
             queue=req.queue,
             job_type=req.job_type,
+            reference_time=ref_now,
         )
         # Refresh gauges when fully scoped to avoid stale metrics
         try:
             if req.domain and req.queue and req.job_type:
                 jm._update_gauges(domain=req.domain, queue=req.queue, job_type=req.job_type)
         except Exception:
             pass
+        # Diagnostics after executing
+        try:
+            get_ps_logger(request_id=rid, ps_component="endpoint", ps_job_kind="jobs").info(
+                "TTL sweep result: affected=%s action=%s domain=%s queue=%s job_type=%s",
+                int(affected), req.action, req.domain, req.queue, req.job_type
+            )
+        except Exception:
+            pass
         return TTLSweepResponse(affected=int(affected))
     except HTTPException:
         raise