Fix backend startup crash and improve order-by-id retrieval

[fuzziecoder]

Motivation

• The backend was crashing at startup due to a broken node:sqlite / JSON hybrid flow and scanned all orders to find a single order which is inefficient and error-prone.
• The change standardizes persistence to a simple file-backed store and provides a direct lookup for single orders to make the API reliable in constrained runtimes.

Description

• Replaced the mixed SQLite approach with a consistent JSON file datastore in backend/db.js and switched the default DB file to backend/data/brocode.json.
• Implemented database.getOrderById(orderId) to fetch a single order directly from the file-backed state and used it in the GET /api/orders/:id route in backend/server.js.
• Converted deleteUserCompletely and related logic to operate on the in-memory JSON state and persist() instead of using missing SQLite statements, and removed leftover SQLite-specific code.
• Updated wording in backend/README.md and the server startup log to reflect the local JSON database path and override example.

Testing

• Started the backend with node backend/server.js and observed a successful boot log showing the local DB path (succeeded).
• Exercised the health endpoint via curl http://localhost:4000/api/health and received a valid JSON status response (succeeded).
• Verified login with POST /api/auth/login using the seeded credentials and received a demo token and user payload (succeeded).
• Verified GET /api/orders/ord-1 (authorized) returned the expected order payload using the new getOrderById path (succeeded).

---

Codex Task

---

Summary by CodeRabbit

• New Features
  • Directly retrieve an order by its ID; returns a clear 404 if not found.
• Security
  • Orders endpoint now requires an authorization header.
• Performance
  • Faster, more reliable order retrieval and local persistence behavior.
• Documentation
  • Updated guidance on configuring the local database file and override path environment variable.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
brocode-spot-update-app	Ready	Preview, Comment	Feb 23, 2026 2:34pm

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between e86b08d and 2a78d77.

📒 Files selected for processing (3)

• backend/README.md
• backend/db.js
• backend/server.js

---

📝 Walkthrough

Walkthrough

The pull request replaces SQLite-backed data persistence with a JSON-file-based in-memory state management system. Key changes include removing SQLite table operations and prepared statements from the database layer, introducing seeded in-memory state, adding a getOrderById() method, simplifying transactional operations, and updating server routes and documentation accordingly.

Changes

Cohort / File(s)	Summary
Database persistence layer refactor backend/db.js	Removed SQLite tables, prepared statements, and transactional logic. Replaced with in-memory state backed by JSON file persistence. Added getOrderById(orderId) method for order retrieval with item mapping. Simplified deleteUserCompletely from transactional cascade delete to in-memory array filtering. Removed 8 database abstraction methods tied to SQLite.
Server route and logging updates backend/server.js	Updated GET /api/orders/:id to use new getOrderById() method with Authorization header validation. Returns 404 if order not found, 200 with order data if found. Changed startup log message to reflect JSON-based database instead of SQLite file path.
Documentation backend/README.md	Updated references from SQLite database files to JSON file (brocode.json) and BROCODE_DB_PATH environment variable override mechanism.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• PR #28: Adds SQLite-backed database layer that this PR replaces with JSON-file-backed in-memory state, making these PRs directly inverse operations on the same persistence layer.
• PR #34: Implements the same GET /api/orders/:id endpoint with identical Authorization header checks and 404/200 response behavior.
• PR #36: Performs the identical refactor from SQLite to JSON-backed in-memory database storage in backend/db.js with equivalent state-management logic changes.

Suggested labels

apertre3.0, hard

Poem

🐰 SQLite's gone, JSON takes the stage,
No tables now, just files of age,
In-memory state, so quick and light,
Hopping data left and right! 🌙

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch codex/fix-backend-performance-issue-and-raise-pr

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 5 additional findings.