[CICD] add workflows, add CORS configuration at server

Author: bnbong

.github/workflows/backend-test.yaml

@@ -0,0 +1,45 @@
+name: Backend Test
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "backend/**"
+      - "src/fall_in/core/**"
+      - "src/fall_in/net/**"
+  pull_request:
+    branches: [main]
+    paths:
+      - "backend/**"
+      - "src/fall_in/core/**"
+      - "src/fall_in/net/**"
+
+defaults:
+  run:
+    shell: bash
+    working-directory: backend
+
+jobs:
+  test:
+    name: Lint & Test
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Set up Python 3.12
+        uses: actions/setup-python@v6
+        with:
+          python-version: "3.12"
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7
+
+      - name: Install dependencies
+        run: uv sync --extra dev
+
+      - name: Lint (ruff)
+        run: uv run ruff check app/ tests/
+
+      - name: Test (pytest)
+        run: uv run pytest --cov=app --cov-report=term-missing

.github/workflows/deploy-backend.yaml

@@ -0,0 +1,120 @@
+name: Deploy Backend
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [main]
+    paths:
+      - "backend/**"
+      - "src/fall_in/core/**"
+      - "src/fall_in/ai/**"
+      - "src/fall_in/net/**"
+      - "src/fall_in/multiplayer/models.py"
+
+# Only one deployment at a time.
+concurrency:
+  group: deploy-backend
+  cancel-in-progress: true
+
+jobs:
+  test:
+    name: Pre-deploy Test
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
+        working-directory: backend
+
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Set up Python 3.12
+        uses: actions/setup-python@v6
+        with:
+          python-version: "3.12"
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7
+
+      - name: Install dependencies
+        run: uv sync --extra dev
+
+      - name: Lint
+        run: uv run ruff check app/ tests/
+
+      - name: Test
+        run: uv run pytest -x -q
+
+  deploy:
+    name: Deploy to OCI
+    needs: test
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Set up SSH
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.OCI_SSH_KEY }}" > ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+          ssh-keyscan -H "${{ secrets.OCI_HOST }}" >> ~/.ssh/known_hosts
+
+      - name: Sync source to server
+        run: |
+          rsync -azP --delete \
+            --include='backend/***' \
+            --include='src/fall_in/core/***' \
+            --include='src/fall_in/ai/***' \
+            --include='src/fall_in/net/***' \
+            --include='src/fall_in/multiplayer/models.py' \
+            --include='src/fall_in/__init__.py' \
+            --include='src/fall_in/multiplayer/__init__.py' \
+            --include='src/' \
+            --include='src/fall_in/' \
+            --include='src/fall_in/multiplayer/' \
+            --include='pyproject.toml' \
+            --include='uv.lock' \
+            --include='data/***' \
+            --exclude='*' \
+            ./ "${{ secrets.OCI_USER }}@${{ secrets.OCI_HOST }}:~/fall-in/"
+
+      - name: Build & restart on server
+        run: |
+          ssh "${{ secrets.OCI_USER }}@${{ secrets.OCI_HOST }}" << 'DEPLOY_SCRIPT'
+          set -e
+          cd ~/fall-in
+
+          # Build Docker image (ARM-native on Ampere A1).
+          docker build -t fall-in-backend -f backend/Dockerfile .
+
+          # Stop existing container (if any) and start fresh.
+          docker stop fall-in-backend 2>/dev/null || true
+          docker rm fall-in-backend 2>/dev/null || true
+
+          docker run -d \
+            --name fall-in-backend \
+            --restart unless-stopped \
+            --env-file ~/fall-in/backend/.env \
+            --network host \
+            fall-in-backend
+
+          # Wait for health check.
+          echo "Waiting for health check..."
+          for i in $(seq 1 15); do
+            if curl -sf http://localhost:8000/healthz > /dev/null 2>&1; then
+              echo "Health check passed."
+              exit 0
+            fi
+            sleep 2
+          done
+          echo "Health check failed after 30s"
+          docker logs fall-in-backend --tail 30
+          exit 1
+          DEPLOY_SCRIPT
+
+      - name: Clean up old Docker images
+        if: success()
+        run: |
+          ssh "${{ secrets.OCI_USER }}@${{ secrets.OCI_HOST }}" \
+            'docker image prune -f'

backend/.dockerignore

@@ -0,0 +1,8 @@
+__pycache__
+*.pyc
+.venv
+.env
+*.db
+.ruff_cache
+.pytest_cache
+tests/

backend/Dockerfile

@@ -0,0 +1,54 @@
+# --- Fall-In Backend ---
+# Multi-stage build optimised for ARM64 (Oracle Cloud Ampere A1).
+# Build (from repo root):
+#   docker build -t fall-in-backend -f backend/Dockerfile .
+# Run:
+#   docker run -p 8000:8000 --env-file backend/.env fall-in-backend
+
+FROM python:3.12-slim AS base
+
+# Prevent Python from writing .pyc files and enable unbuffered output.
+ENV PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONUNBUFFERED=1
+
+WORKDIR /app
+
+# --- Dependencies stage ---
+FROM base AS deps
+
+# Install uv for fast, reproducible dependency resolution.
+COPY --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/uv
+
+# Copy only dependency metadata first (cache-friendly layer).
+COPY backend/pyproject.toml backend/uv.lock ./backend/
+COPY pyproject.toml uv.lock ./
+
+# Install backend deps (prod extras include redis).
+# The client package (fall_in.core, fall_in.ai, etc.) is needed at runtime.
+RUN cd backend && uv sync --no-dev --extra prod --no-install-project
+
+# --- Runtime stage ---
+FROM base AS runtime
+
+# Copy the virtual environment from deps stage.
+COPY --from=deps /app/backend/.venv /app/backend/.venv
+
+# Copy source code.
+COPY backend/app ./backend/app
+COPY backend/migrations ./backend/migrations
+COPY backend/alembic.ini ./backend/
+COPY src/fall_in ./src/fall_in
+COPY data ./data
+
+# Make fall_in package importable (backend pythonpath includes ../src).
+ENV PYTHONPATH="/app/src:/app/backend"
+ENV PATH="/app/backend/.venv/bin:$PATH"
+
+WORKDIR /app/backend
+
+EXPOSE 8000
+
+# Run migrations then start uvicorn.
+# --host 0.0.0.0 binds to all interfaces inside the container.
+# --workers 1 is correct for the in-memory singleton architecture.
+CMD ["sh", "-c", "alembic upgrade head && uvicorn app.main:app --host 0.0.0.0 --port 8000"]

backend/app/config.py

@@ -77,6 +77,10 @@ class Settings(BaseSettings):
     LOG_LEVEL: str = "INFO"
     ADMIN_TOKEN: str = ""
 
+    # CORS — comma-separated origins, or ["*"] for wide-open dev.
+    # Production example: "https://fallin.example.com,https://web.fallin.example.com"
+    CORS_ORIGINS: list[str] = ["*"]
+
     model_config = SettingsConfigDict(
         env_file=".env",
         env_file_encoding="utf-8",

backend/app/database.py

@@ -19,9 +19,16 @@
 
 
 def _make_engine(url: str):
-    kwargs = {}
+    kwargs: dict = {}
     if url.startswith("sqlite"):
         kwargs["connect_args"] = {"check_same_thread": False}
+    else:
+        # Production DB (PostgreSQL): detect stale connections after DB restart
+        # and set a reasonable connection timeout.
+        kwargs["pool_pre_ping"] = True
+        kwargs["pool_size"] = 5
+        kwargs["max_overflow"] = 10
+        kwargs["pool_timeout"] = 10
     return create_engine(url, **kwargs)
 
 

backend/app/main.py

@@ -13,13 +13,15 @@
 from contextlib import asynccontextmanager
 
 from fastapi import FastAPI
+from fastapi.middleware.cors import CORSMiddleware
+from sqlalchemy import text
 
 from app.api import admin as admin_router
 from app.api import auth as auth_router
 from app.api import me as me_router
 from app.api import report as report_router
 from app.config import settings
-from app.database import Base, engine
+from app.database import Base, SessionLocal, engine
 from app.logging_config import configure_logging
 from app.ws import endpoint as ws_router
 
@@ -43,6 +45,15 @@ async def lifespan(app: FastAPI):
     lifespan=lifespan,
 )
 
+# CORS — allow game clients (desktop, web) and local dev.
+app.add_middleware(
+    CORSMiddleware,
+    allow_origins=settings.CORS_ORIGINS,
+    allow_credentials=True,
+    allow_methods=["*"],
+    allow_headers=["*"],
+)
+
 app.include_router(auth_router.router)
 app.include_router(me_router.router)
 app.include_router(report_router.router)
@@ -52,6 +63,13 @@ async def lifespan(app: FastAPI):
 
 @app.get("/healthz", tags=["ops"])
 def health_check():
+    """Liveness probe. Verifies the DB connection pool is healthy."""
+    try:
+        db = SessionLocal()
+        db.execute(text("SELECT 1"))
+        db.close()
+    except Exception:
+        return {"status": "degraded", "db": "unreachable"}
     return {"status": "ok"}
 
 

backend/app/services/emote_service.py

@@ -161,6 +161,17 @@ def remaining_cooldown(self, conn_id: str) -> float:
         remaining = settings.EMOTE_COOLDOWN_SECONDS - (time.time() - last)
         return max(0.0, remaining)
 
+    # ------------------------------------------------------------------
+    # Connection cleanup
+    # ------------------------------------------------------------------
+
+    def cleanup_connection(self, conn_id: str) -> None:
+        """Remove all rate-limit state for a disconnected connection."""
+        self._last_sent.pop(conn_id, None)
+        self._window_history.pop(conn_id, None)
+        self._same_emote.pop(conn_id, None)
+        self._last_deny_reason.pop(conn_id, None)
+
     # ------------------------------------------------------------------
     # Lifecycle
     # ------------------------------------------------------------------

backend/app/ws/endpoint.py

@@ -32,6 +32,7 @@
 from app.models.room import SeatControllerType
 from app.repositories.match_repo import InMemoryMatchRepo
 from app.repositories.room_repo import InMemoryRoomRepo
+from app.services.emote_service import emote_service
 from app.services.match_service import MatchService
 from app.services.matchmaking_service import MatchmakingService
 from app.services.matchmaking_service import matchmaking_service as _default_matchmaking_service
@@ -228,6 +229,7 @@ async def _on_turn_ready(rc: str, m) -> None:
                         },
                     )
 
+        emote_service.cleanup_connection(conn_id)
         manager.disconnect(conn_id, session.room_code)
         logger.info(
             "ws_disconnect",