NFDI4Chem · NishaSharma14 · Oct 9, 2025 · Oct 9, 2025 · Oct 9, 2025 · Oct 9, 2025
diff --git a/.env.ci.test → .env.ci b/.env.ci.test → .env.ci
@@ -3,6 +3,15 @@ APP_ENV=development
 APP_KEY=
 APP_DEBUG=true
 APP_URL=http://localhost:80
+
+APP_LOCALE=en
+APP_FALLBACK_LOCALE=en
+APP_FAKER_LOCALE=en_US
+APP_MAINTENANCE_DRIVER=file
+APP_MAINTENANCE_STORE=database
+PHP_CLI_SERVER_WORKERS=4
+
+BCRYPT_ROUNDS=12
 APP_DESCRIPTION='nmrXiv is currently developed as the FAIR, consensus-driven NMR data repository and computational platform. The ultimate goal is to accelerate broader coordination and data sharing among natural product (NP) researchers by enabling the storage, management, sharing and analysis of NMR data.'
 COOL_OFF_PERIOD=10
 SCHEMA_VERSION=beta
@@ -11,26 +20,32 @@ SHOW_BANNER=true
 
 GITHUB_LICENSE_URL=https://api.github.com/licenses
 EUROPEMC_WS_API=https://www.ebi.ac.uk/europepmc/webservices/rest/search
-ORCID_ID_SEARCH_API=https://pub.orcid.org/v2.1/search
-ORCID_ID_EMPLOYMENT_API=https://pub.orcid.org/v3.0/{orcid_id}/employments
-ORCID_ID_PERSON_API=https://pub.orcid.org/v3.0/{orcid_id}/person
+ORCID_BASE_URL=https://pub.orcid.org/v3.0
+CM_API=https://api.cheminf.studio/latest/
+CROSSREF_API=https://api.crossref.org/works/
+DATACITE_API=https://api.datacite.org/
+DATACITE_TEST_API=https://api.test.datacite.org
 
 LOG_CHANNEL=stack
+LOG_STACK=single
 LOG_LEVEL=debug
 
 DB_CONNECTION=pgsql
 DB_HOST=127.0.0.1
 DB_PORT=5432
-DB_DATABASE=nmrxiv
+DB_DATABASE=nmrxiv_test
 DB_USERNAME=postgres
-DB_PASSWORD=postgres
+DB_PASSWORD=password
 
 BROADCAST_CONNECTION=log
 CACHE_STORE=file
 FILESYSTEM_DRIVER=local
 QUEUE_CONNECTION=redis
 SESSION_DRIVER=redis
 SESSION_LIFETIME=120
+SESSION_ENCRYPT=false
+SESSION_PATH=/
+SESSION_DOMAIN=null
 
 MEMCACHED_HOST=memcached
 
@@ -58,6 +73,7 @@ AWS_BUCKET=nmrxiv
 AWS_BUCKET_PUBLIC=nmrxiv-public
 AWS_ENDPOINT=https://s3.uni-jena.de
 AWS_URL=https://s3.uni-jena.de
+AWS_USE_PATH_STYLE_ENDPOINT=false
 
 PUSHER_APP_ID=
 PUSHER_APP_KEY=
@@ -67,9 +83,9 @@ PUSHER_APP_CLUSTER=mt1
 MIX_PUSHER_APP_KEY="${PUSHER_APP_KEY}"
 MIX_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}"
 
-SCOUT_DRIVER=meilisearch
-SCOUT_PREFIX=dev_
-MEILISEARCH_HOST=https://msdev.nmrxiv.org
+SCOUT_DRIVER=null
+SCOUT_PREFIX=test_
+MEILISEARCH_HOST=http://localhost:7700/
 MEILISEARCH_KEY=
 MEILISEARCH_PUBLICKEY=
 
@@ -81,4 +97,40 @@ TWITTER_CLIENT_ID=
 TWITTER_CLIENT_SECRET=
 TWITTER_REDIRECT_URL=http://localhost:80/auth/login/twitter/callback
 
+ORCID_CLIENT_ID=
+ORCID_CLIENT_SECRET=
+ORCID_REDIRECT_URL=http://localhost/auth/login/orcid/callback
+ORCID_ENVIRONMENT=sandbox
+
+NFDIAAI_CLIENT_ID=
+NFDIAAI_CLIENT_SECRET=
+NFDIAAI_REDIRECT_URL="${APP_URL}/auth/login/regapp/callback"
+
 TELESCOPE_ENABLED=false
+
+#DATACITE Properties
+DOI_HOST=datacite
+DATACITE_USERNAME=
+DATACITE_SECRET=
+DATACITE_PREFIX=
+DATACITE_ENDPOINT=https://api.test.datacite.org
+
+NMRKIT_URL=https://nodejs.nmrxiv.org
+PUBCHEM_URL=https://pubchem.ncbi.nlm.nih.gov
+COMMON_CHEMISTRY_URL=https://commonchemistry.cas.org/api
+CAS_API_TOKEN=
+CHEMISTRY_STANDARDIZE_URL=https://api.cheminf.studio/latest/chem/standardize
+
+BACKUP_KEEP_DAYS=7
+
+# CSP Configuration
+CSP_ENABLED=true
+CSP_REPORT_URI="/csp-violation-report"
+CSP_NONCE_ENABLED=true
+CSP_ENABLED_WHILE_HOT_RELOADING=false
+
+# Additional CSP sources (comma-separated, no spaces)
+# CSP_ADDITIONAL_CONNECT_SRC="https://api.example.com,https://analytics.example.com"
+# CSP_ADDITIONAL_IMG_SRC="https://cdn.example.com,https://images.example.com"
+# CSP_ADDITIONAL_SCRIPT_SRC="https://cdn.example.com"
+# CSP_ADDITIONAL_STYLE_SRC="https://fonts.example.com"
diff --git a/.env.example b/.env.example
@@ -16,16 +16,19 @@ APP_DESCRIPTION='nmrXiv is currently developed as the FAIR, consensus-driven NMR
 COOL_OFF_PERIOD=10
 SCHEMA_VERSION=beta
 
+MICHI_STANDARDS_URL=https://nfdi4chem.github.io/workshops/docs/michi/tabular/nmr/v1/table
+
 SHOW_BANNER=true
 
 GITHUB_LICENSE_URL=https://api.github.com/licenses
 EUROPEMC_WS_API=https://www.ebi.ac.uk/europepmc/webservices/rest/search
-ORCID_ID_SEARCH_API=https://pub.orcid.org/v2.1/search
-ORCID_ID_EMPLOYMENT_API=https://pub.orcid.org/v3.0/{orcid_id}/employments
-ORCID_ID_PERSON_API=https://pub.orcid.org/v3.0/{orcid_id}/person
+
+ORCID_BASE_URL=https://pub.orcid.org/v3.0
+
 CM_API=https://api.cheminf.studio/latest/
 CROSSREF_API=https://api.crossref.org/works/
 DATACITE_API=https://api.datacite.org/
+DATACITE_TEST_API=https://api.test.datacite.org
 
 
 LOG_CHANNEL=stack
@@ -115,12 +118,26 @@ DOI_HOST=datacite
 DATACITE_USERNAME=
 DATACITE_SECRET=
 DATACITE_PREFIX=
-DATACITE_ENDPOINT=
+DATACITE_ENDPOINT=https://api.test.datacite.org
 
 NMRKIT_URL=https://nodejs.nmrxiv.org
-CAS_URL=https://commonchemistry.cas.org
 PUBCHEM_URL=https://pubchem.ncbi.nlm.nih.gov
-COMMON_CHEMISTRY_URL=https://commonchemistry.cas.org
+COMMON_CHEMISTRY_URL=https://commonchemistry.cas.org/api
+CAS_API_TOKEN=
 CHEMISTRY_STANDARDIZE_URL=https://api.cheminf.studio/latest/chem/standardize
 
-BACKUP_KEEP_DAYS=7
+BACKUP_KEEP_DAYS=7
+
+# CSP Configuration
+CSP_ENABLED=true
+CSP_NONCE_ENABLED=false
+CSP_ENABLED_WHILE_HOT_RELOADING=false
+
+# Additional CSP sources (comma-separated, no spaces)
+# CSP_ADDITIONAL_CONNECT_SRC="https://api.example.com,https://analytics.example.com"
+# CSP_ADDITIONAL_IMG_SRC="https://cdn.example.com,https://images.example.com"
+# CSP_ADDITIONAL_SCRIPT_SRC="https://cdn.example.com"
+# CSP_ADDITIONAL_STYLE_SRC="https://fonts.example.com"
+
+ROR_API_URL=https://api.ror.org/organizations
+ROR_CLIENT_ID=
diff --git a/.github/workflows/dev-build.yml b/.github/workflows/dev-build.yml
@@ -16,8 +16,9 @@ env:
   REPOSITORY_NAMESPACE: nfdi4chem
 
 jobs:
+  # Lint and Security check
   lint-security:
-    name: Lint & Security (reusable)
+    name: Lint & Security
     uses: ./.github/workflows/lint-security-check.yml
     permissions:
       contents: read
@@ -27,11 +28,33 @@ jobs:
       run_js: true
       run_secrets: true
 
+  # Run tests and collect coverage
+  test-coverage:
+    name: Tests & Coverage
+    uses: ./.github/workflows/test-coverage.yml
+    needs: [lint-security]
+    secrets: inherit
+
+  # Smoke test Docker images before pushing
+  smoke-test:
+    name: Smoke test Docker images
+    uses: ./.github/workflows/docker-smoke-test.yml
+    needs: [test-coverage]
+
   # Build and publish Docker images for the development environment
-  setup-build-publish-deploy:
-    name: Build & deploy to development
+  build-and-push:
+    name: Build & push to Docker Hub
     runs-on: ubuntu-latest
-    needs: [lint-security]
+    needs: [test-coverage, smoke-test, lint-security]
+    strategy:
+      matrix:
+        image:
+          - name: app
+            file: ./deployment/Dockerfile
+            tag: app-dev-latest
+          - name: worker
+            file: ./deployment/Dockerfile.worker
+            tag: worker-dev-latest
 
     # Environment provides secrets and protection rules
     environment:
@@ -52,28 +75,15 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      # Build + push app image (tag: app-dev-latest). Uses GHA cache for speed.
-      - name: Build and push App Docker image
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: ./deployment/Dockerfile
-          push: true
-          build-args: |
-            RELEASE_VERSION=app-dev-latest
-          tags: ${{ env.REPOSITORY_NAMESPACE }}/${{ env.REPOSITORY_NAME }}:app-dev-latest
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-
-      # Build + push worker image (tag: worker-dev-latest)
-      - name: Build and push Worker Docker image
+      # Build and push image
+      - name: Build and push ${{ matrix.image.name }} image
         uses: docker/build-push-action@v6
         with:
           context: .
-          file: ./deployment/Dockerfile.worker
+          file: ${{ matrix.image.file }}
           push: true
           build-args: |
-            RELEASE_VERSION=worker-dev-latest
-          tags: ${{ env.REPOSITORY_NAMESPACE }}/${{ env.REPOSITORY_NAME }}:worker-dev-latest
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+            RELEASE_VERSION=${{ matrix.image.tag }}
+          tags: ${{ env.REPOSITORY_NAMESPACE }}/${{ env.REPOSITORY_NAME }}:${{ matrix.image.tag }}
+          cache-from: type=gha,scope=${{ matrix.image.name }}
+          cache-to: type=gha,mode=max,scope=${{ matrix.image.name }}
diff --git a/.github/workflows/docker-smoke-test.yml b/.github/workflows/docker-smoke-test.yml
@@ -0,0 +1,62 @@
+name: Docker Image Smoke Tests
+
+on:
+  workflow_call:
+
+env:
+  REPOSITORY_NAME: nmrxiv
+  REPOSITORY_NAMESPACE: nfdi4chem
+
+jobs:
+  smoke-test:
+    name: Smoke test containers
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        container:
+          - name: app
+            file: ./deployment/Dockerfile
+            wait-time: 60
+          - name: worker
+            file: ./deployment/Dockerfile.worker
+            wait-time: 60
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and export ${{ matrix.container.name }} image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ${{ matrix.container.file }}
+          load: true
+          tags: ${{ env.REPOSITORY_NAMESPACE }}/${{ env.REPOSITORY_NAME }}:${{ matrix.container.name }}-test
+          cache-from: type=gha,scope=${{ matrix.container.name }}
+          cache-to: type=gha,mode=max,scope=${{ matrix.container.name }}
+
+      - name: Start ${{ matrix.container.name }} container
+        run: |
+          docker run -d --name nmrxiv-${{ matrix.container.name }}-test \
+            -e APP_KEY=base64:$(openssl rand -base64 32) \
+            -e APP_ENV=production \
+            -e DB_CONNECTION=sqlite \
+            -e CACHE_STORE=array \
+            -e SESSION_DRIVER=array \
+            -e QUEUE_CONNECTION=sync \
+            ${{ env.REPOSITORY_NAMESPACE }}/${{ env.REPOSITORY_NAME }}:${{ matrix.container.name }}-test
+
+      - name: Wait for ${{ matrix.container.name }} container health
+        uses: stringbean/docker-healthcheck-action@v3
+        with:
+          container: nmrxiv-${{ matrix.container.name }}-test
+          wait-time: ${{ matrix.container.wait-time }}
+          require-status: running
+          require-healthy: true
+
+      - name: Cleanup ${{ matrix.container.name }} container
+        if: always()
+        run: docker rm -f nmrxiv-${{ matrix.container.name }}-test
diff --git a/.github/workflows/lint-security-check.yml b/.github/workflows/lint-security-check.yml
@@ -40,7 +40,7 @@ jobs:
       - name: Setup PHP
         uses: shivammathur/setup-php@v2
         with:
-          php-version: '8.3'
+          php-version: '8.4'
           coverage: none
           tools: composer
           extensions: mbstring, intl, pdo, pdo_mysql, pdo_pgsql

diff --git a/.github/workflows/pr-lint.yml → .github/workflows/pr-lint-test.yml b/.github/workflows/pr-lint.yml → .github/workflows/pr-lint-test.yml
@@ -1,4 +1,4 @@
-name: PR Lint & Security
+name: PR Lint, Security and Tests
 
 on:
   pull_request:
@@ -10,6 +10,8 @@ on:
 permissions:
   contents: read
   security-events: write
+  pull-requests: write
+  checks: write
 
 jobs:
   lint-security:
@@ -19,3 +21,8 @@ jobs:
       run_php: true
       run_js: true
       run_secrets: true
+
+  test-coverage:
+    name: Tests & Coverage (PHP 8.4)
+    uses: ./.github/workflows/test-coverage.yml
+    secrets: inherit