feat: toml backend (#49)

- add TOML storage backends
- move mysql teardown/disconnect into mysql classes
- fix: don't log sensitive information

Author: msimerson

.github/copilot-instructions.md

@@ -13,7 +13,7 @@
 - Run formatting check: `npm run prettier`
 - Run coverage: `npm run test:coverage`
 
-Local tests expect MySQL plus the NicTool schema. CI initializes it with `sh sql/init-mysql.sh`, and `test.sh` recreates fixtures before each run.
+Local tests expect MySQL plus the NicTool schema. CI initializes it with `sh sql/init-mysql.sh`, and `test/run.sh` recreates fixtures before each run.
 
 ## Architecture
 
@@ -38,5 +38,5 @@ Local tests expect MySQL plus the NicTool schema. CI initializes it with `sh sql
 - Reuse the legacy-schema mapping helpers instead of hand-rolling field conversions. Most repos convert booleans, nested permission/export objects, and short API names into the older DB layout before writing and normalize them again on read.
 - When changing group or user behavior, check permission side effects too. Group creation/update touches permission rows, and user reads/write paths may change `inherit_group_permissions` handling.
 - Route tests use `init()` plus `server.inject()` instead of booting a live server. They usually establish auth by calling `POST /session` and then pass `Authorization: Bearer <token>` to protected routes.
-- The test entrypoint is `test.sh`, not raw `node --test`, when you need DB-backed behavior. It tears fixtures down, recreates them, and then runs the requested test target.
+- The test entrypoint is `test/run.sh`, not raw `node --test`, when you need DB-backed behavior. It tears fixtures down, recreates them, and then runs the requested test target.
 - Zone-record changes must preserve the existing record-field translation logic. Special cases like zero `weight`/`priority` retention for `SRV`, `URI`, `HTTPS`, and `SVCB` are intentional.

.github/workflows/ci.yml

@@ -91,6 +91,8 @@ jobs:
 
   test-docker:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v6
       - name: Generate .env
@@ -126,4 +128,4 @@ jobs:
           node-version: ${{ matrix.node-version }}
       - run: sh sql/init-mysql.sh
       - run: npm install
-      - run: sh test.sh
+      - run: sh test/run.sh

.gitignore

@@ -132,3 +132,4 @@ dist
 package-lock.json
 .release/
 conf.d/*.pem
+CLAUDE.md

CHANGELOG.md

@@ -6,6 +6,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/).
 
 ### Unreleased
 
+- move mysql teardown/disconnect into mysql classes
+- fix: don't log sensitive information
+- add: TOML stores for group, nameserver, permission, session
+
 ### [3.0.0-alpha.11] - 2026-04-07
 
 - decorate user & group with permissions

lib/config.js

@@ -18,7 +18,7 @@ class Config {
     const str = await fs.readFile(`./conf.d/${name}.toml`, 'utf8')
     const cfg = parse(str)
     applyEnvOverrides(name, cfg)
-    if (this.debug) console.debug(cfg)
+    // if (this.debug) console.debug(cfg)
 
     if (name === 'http') {
       const tls = await loadPEM('./conf.d')
@@ -37,7 +37,7 @@ class Config {
     const str = fsSync.readFileSync(`./conf.d/${name}.toml`, 'utf8')
     const cfg = parse(str)
     applyEnvOverrides(name, cfg)
-    if (this.debug) console.debug(cfg)
+    // if (this.debug) console.debug(cfg)
 
     if (name === 'http') {
       const tls = loadPEMSync('./conf.d')
@@ -102,7 +102,9 @@ function loadPEMSync(dir) {
 }
 
 function parsePEMBlocks(content) {
-  const keyMatch = content.match(/-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----[\s\S]*?-----END (?:[A-Z]+ )?PRIVATE KEY-----/)
+  const keyMatch = content.match(
+    /-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----[\s\S]*?-----END (?:[A-Z]+ )?PRIVATE KEY-----/,
+  )
   const certMatches = [...content.matchAll(/-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----/g)]
 
   if (!keyMatch && !certMatches.length) return null

lib/config.test.js

@@ -3,7 +3,15 @@ import { describe, it, before, after } from 'node:test'
 
 import Config from './config.js'
 
-const envOverrideKeys = ['NICTOOL_DB_HOST', 'NICTOOL_DB_PORT', 'NICTOOL_DB_USER', 'NICTOOL_DB_USER_PASSWORD', 'NICTOOL_DB_NAME', 'NICTOOL_HTTP_HOST', 'NICTOOL_HTTP_PORT']
+const envOverrideKeys = [
+  'NICTOOL_DB_HOST',
+  'NICTOOL_DB_PORT',
+  'NICTOOL_DB_USER',
+  'NICTOOL_DB_USER_PASSWORD',
+  'NICTOOL_DB_NAME',
+  'NICTOOL_HTTP_HOST',
+  'NICTOOL_HTTP_PORT',
+]
 
 describe('config', () => {
   const savedEnv = {}
@@ -27,19 +35,22 @@ describe('config', () => {
   describe('get', () => {
     it(`loads mysql config`, async () => {
       const cfg = await Config.get('mysql')
-      delete cfg.password; delete cfg.user
+      delete cfg.password
+      delete cfg.user
       assert.deepEqual(cfg, mysqlCfg)
     })
 
     it(`loads mysql config synchronously`, () => {
       const cfg = Config.getSync('mysql')
-      delete cfg.password; delete cfg.user
+      delete cfg.password
+      delete cfg.user
     })
 
     it(`loads mysql config (from cache)`, async () => {
       process.env.NODE_DEBUG = 1
       const cfg = await Config.get('mysql')
-      delete cfg.password; delete cfg.user
+      delete cfg.password
+      delete cfg.user
       assert.deepEqual(cfg, mysqlCfg)
       process.env.NODE_DEBUG = ''
     })

lib/group/store/base.js

@@ -16,6 +16,10 @@ class GroupBase {
     this.debug = args?.debug ?? false
   }
 
+  disconnect() {
+    // noop, for repos that need to clean up resources
+  }
+
   // -------------------------------------------------------------------------
   // Repo contract – subclasses must implement these
   // -------------------------------------------------------------------------

lib/group/store/mysql.js

@@ -41,11 +41,13 @@ class Group extends GroupBase {
   async addToSubgroups(gid, parent_gid, rank = 1000) {
     if (!parent_gid || parent_gid === 0) return
 
-    await Mysql.execute(...Mysql.insert('nt_group_subgroups', {
-      nt_group_id: parent_gid,
-      nt_subgroup_id: gid,
-      rank,
-    }))
+    await Mysql.execute(
+      ...Mysql.insert('nt_group_subgroups', {
+        nt_group_id: parent_gid,
+        nt_subgroup_id: gid,
+        rank,
+      }),
+    )
 
     const parent = await this.get({ id: parent_gid })
     if (parent.length === 1 && parent[0].parent_gid !== 0) {
@@ -73,9 +75,9 @@ class Group extends GroupBase {
       if (include_subgroups) {
         const subgroupRows = await Mysql.execute(
           'SELECT nt_subgroup_id FROM nt_group_subgroups WHERE nt_group_id = ?',
-          [args.id]
+          [args.id],
         )
-        const gids = [args.id, ...subgroupRows.map(r => r.nt_subgroup_id)]
+        const gids = [args.id, ...subgroupRows.map((r) => r.nt_subgroup_id)]
         where.push(`g.nt_group_id IN (${gids.join(',')})`)
       } else {
         where.push('g.nt_group_id = ?')
@@ -135,7 +137,7 @@ class Group extends GroupBase {
       if (perm) {
         await Permission.put({
           id: perm.id,
-          nameserver: { usable: Array.isArray(usable_ns) ? usable_ns : [] }
+          nameserver: { usable: Array.isArray(usable_ns) ? usable_ns : [] },
         })
       }
     }
@@ -163,6 +165,10 @@ class Group extends GroupBase {
     const r = await Mysql.execute(...Mysql.delete(`nt_group`, { nt_group_id: args.id }))
     return r.affectedRows === 1
   }
+
+  disconnect() {
+    return this.mysql?.disconnect()
+  }
 }
 
 export default Group

lib/group/test/index.js

@@ -6,7 +6,7 @@ import Group from '../index.js'
 import testCase from '../test/group.json' with { type: 'json' }
 
 after(async () => {
-  Group.mysql.disconnect()
+  Group.disconnect()
 })
 
 describe('group', function () {

lib/mysql.js

@@ -12,11 +12,8 @@ class Mysql {
   }
 
   async connect() {
-    // if (this.dbh && this.dbh?.connection?.connectionId) return this.dbh;
-
     const cfg = await Config.get('mysql')
-    if (_debug) console.log(cfg)
-
+    // if (_debug) console.log(cfg)
     this.dbh = await mysql.createConnection(cfg)
     if (_debug) console.log(`MySQL connection id ${this.dbh.connection.connectionId}`)
     return this.dbh