feat: add Network Backup section to Database Management

PC2 can now automatically pull and restore a fresh copy of PC1's database
on a daily schedule. Config and API key are stored in local JSON files so
they survive database restores.

- New networkSyncConfigService: file-based config (network-backup-key.json,
  network-sync-config.json) that persists through DB restores
- New networkSyncService: streams live pg_dump from source PC over HTTP and
  pipes into psql, then reconnects Prisma and applies missing migrations
- 6 new endpoints: get/regenerate API key, serve backup stream (key-auth
  only), get/save sync config, trigger immediate sync
- Hourly cron job that fires only when current hour matches configured syncHour
- NetworkBackupManager component: shows this machine's key (show/copy/regen)
  and receiver config (enable toggle, hour picker 0-23, source URL + key,
  Save + Sync Now, last sync status)
- README setup guide for both PCs

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

apps/Backend/src/cron/backupCheck.ts

@@ -4,6 +4,8 @@ import path from "path";
 import { storage } from "../storage";
 import { backupDatabaseToPath } from "../services/databaseBackupService";
 import { cronJobLogStorage } from "../storage/cron-job-log-storage";
+import { readSyncConfig, writeSyncConfig } from "../services/networkSyncConfigService";
+import { runNetworkSync } from "../services/networkSyncService";
 
 // Local backup folder in the app root (apps/Backend/backups)
 const LOCAL_BACKUP_DIR = path.resolve(process.cwd(), "backups");
@@ -171,4 +173,40 @@ export const startBackupCron = () => {
 
     console.log("✅ [9 PM] USB backup complete.");
   });
+
+  // ============================================================
+  // Every hour — Network sync (runs only when hour matches config)
+  // ============================================================
+  cron.schedule("0 * * * *", async () => {
+    const config = readSyncConfig();
+    if (!config.enabled || !config.sourceUrl || !config.apiKey) return;
+
+    const currentHour = new Date().getHours();
+    if (currentHour !== config.syncHour) return;
+
+    console.log(`🔄 [${config.syncHour}:00] Running network sync from ${config.sourceUrl}...`);
+
+    const admin = await getAdminUser();
+    const startedAt = new Date();
+    const log = await cronJobLogStorage.createJobLog("network-sync", startedAt);
+
+    try {
+      await runNetworkSync(config.sourceUrl, config.apiKey);
+      writeSyncConfig({ lastSyncAt: new Date().toISOString(), lastSyncStatus: "success", lastSyncError: null });
+      await cronJobLogStorage.completeJobLog(log.id, "success", new Date());
+      console.log(`✅ Network sync complete.`);
+    } catch (err) {
+      const errorMessage = err instanceof Error ? err.message : String(err);
+      console.error("Network sync failed:", err);
+      writeSyncConfig({ lastSyncAt: new Date().toISOString(), lastSyncStatus: "failed", lastSyncError: errorMessage });
+      await cronJobLogStorage.completeJobLog(log.id, "failed", new Date(), errorMessage);
+      if (admin) {
+        await storage.createNotification(
+          admin.id,
+          "BACKUP",
+          `❌ Network sync failed: ${errorMessage}`
+        );
+      }
+    }
+  });
 };

apps/Backend/src/routes/database-management.ts

@@ -7,6 +7,13 @@ import multer from "multer";
 import { prisma } from "@repo/db/client";
 import { storage } from "../storage";
 import { backupDatabaseToPath } from "../services/databaseBackupService";
+import {
+  getOrCreateApiKey,
+  regenerateApiKey,
+  readSyncConfig,
+  writeSyncConfig,
+} from "../services/networkSyncConfigService";
+import { runNetworkSync } from "../services/networkSyncService";
 
 const MIGRATIONS_DIR = path.resolve(__dirname, "../../../../packages/db/prisma/migrations");
 
@@ -471,4 +478,97 @@ router.post("/restore", restoreUpload.single("file"), async (req: Request, res:
   }
 });
 
+// ==============================
+// Network Backup — Source Role
+// ==============================
+
+// GET /network-backup-key — return (or auto-generate) this machine's API key
+router.get("/network-backup-key", async (req, res) => {
+  if (!req.user?.id) return res.status(401).json({ error: "Unauthorized" });
+  res.json({ apiKey: getOrCreateApiKey() });
+});
+
+// POST /network-backup-key/regenerate — generate a new key
+router.post("/network-backup-key/regenerate", async (req, res) => {
+  if (!req.user?.id) return res.status(401).json({ error: "Unauthorized" });
+  res.json({ apiKey: regenerateApiKey() });
+});
+
+// GET /network-backup — streams a live pg_dump; authenticated by API key header only
+router.get("/network-backup", async (req: Request, res: Response): Promise<any> => {
+  const providedKey = req.headers["x-network-backup-key"] as string | undefined;
+  if (!providedKey) return res.status(401).json({ error: "Missing X-Network-Backup-Key header" });
+
+  const storedKey = getOrCreateApiKey();
+  if (providedKey !== storedKey) return res.status(401).json({ error: "Invalid API key" });
+
+  const pg = spawn(
+    "pg_dump",
+    [
+      "--no-acl", "--no-owner",
+      "-h", process.env.DB_HOST || "localhost",
+      "-U", process.env.DB_USER || "postgres",
+      process.env.DB_NAME || "dental_db",
+    ],
+    { env: { ...process.env, PGPASSWORD: process.env.DB_PASSWORD } }
+  );
+
+  res.setHeader("Content-Type", "application/octet-stream");
+  res.setHeader(
+    "Content-Disposition",
+    `attachment; filename="network_backup_${Date.now()}.sql"`
+  );
+
+  pg.stdout.pipe(res);
+
+  let stderr = "";
+  pg.stderr.on("data", (d) => (stderr += d.toString()));
+  pg.on("error", (err) => {
+    if (!res.headersSent)
+      res.status(500).json({ error: "pg_dump failed", details: err.message });
+  });
+  pg.on("close", (code) => {
+    if (code !== 0) console.error("pg_dump for network backup failed:", stderr);
+  });
+});
+
+// ==============================
+// Network Backup — Receiver Role
+// ==============================
+
+// GET /network-sync-config
+router.get("/network-sync-config", (req, res) => {
+  if (!req.user?.id) return res.status(401).json({ error: "Unauthorized" });
+  res.json(readSyncConfig());
+});
+
+// PUT /network-sync-config
+router.put("/network-sync-config", (req: Request, res: Response): any => {
+  if (!req.user?.id) return res.status(401).json({ error: "Unauthorized" });
+  const { enabled, syncHour, sourceUrl, apiKey } = req.body;
+  const updated = writeSyncConfig({ enabled, syncHour, sourceUrl, apiKey });
+  res.json(updated);
+});
+
+// POST /network-sync-now — trigger an immediate pull sync
+router.post("/network-sync-now", async (req: Request, res: Response): Promise<any> => {
+  if (!req.user?.id) return res.status(401).json({ error: "Unauthorized" });
+
+  const config = readSyncConfig();
+  if (!config.sourceUrl || !config.apiKey) {
+    return res
+      .status(400)
+      .json({ error: "Source URL and API key must be configured before syncing" });
+  }
+
+  try {
+    await runNetworkSync(config.sourceUrl, config.apiKey);
+    writeSyncConfig({ lastSyncAt: new Date().toISOString(), lastSyncStatus: "success", lastSyncError: null });
+    res.json({ success: true, syncedAt: new Date() });
+  } catch (err: any) {
+    writeSyncConfig({ lastSyncAt: new Date().toISOString(), lastSyncStatus: "failed", lastSyncError: err.message });
+    res.status(500).json({ error: "Sync failed", details: err.message });
+  }
+});
+
 export default router;

apps/Backend/src/services/networkSyncConfigService.ts

@@ -0,0 +1,58 @@
+import fs from "fs";
+import path from "path";
+import crypto from "crypto";
+
+const KEY_FILE = path.resolve(process.cwd(), "network-backup-key.json");
+const CONFIG_FILE = path.resolve(process.cwd(), "network-sync-config.json");
+
+export interface NetworkSyncConfig {
+  enabled: boolean;
+  syncHour: number;
+  sourceUrl: string;
+  apiKey: string;
+  lastSyncAt: string | null;
+  lastSyncStatus: string | null;
+  lastSyncError: string | null;
+}
+
+export function getOrCreateApiKey(): string {
+  if (fs.existsSync(KEY_FILE)) {
+    try {
+      const data = JSON.parse(fs.readFileSync(KEY_FILE, "utf8"));
+      if (data.apiKey) return data.apiKey;
+    } catch {}
+  }
+  const key = crypto.randomUUID();
+  fs.writeFileSync(KEY_FILE, JSON.stringify({ apiKey: key }), "utf8");
+  return key;
+}
+
+export function regenerateApiKey(): string {
+  const key = crypto.randomUUID();
+  fs.writeFileSync(KEY_FILE, JSON.stringify({ apiKey: key }), "utf8");
+  return key;
+}
+
+export function readSyncConfig(): NetworkSyncConfig {
+  if (fs.existsSync(CONFIG_FILE)) {
+    try {
+      return JSON.parse(fs.readFileSync(CONFIG_FILE, "utf8"));
+    } catch {}
+  }
+  return {
+    enabled: false,
+    syncHour: 0,
+    sourceUrl: "",
+    apiKey: "",
+    lastSyncAt: null,
+    lastSyncStatus: null,
+    lastSyncError: null,
+  };
+}
+
+export function writeSyncConfig(patch: Partial<NetworkSyncConfig>): NetworkSyncConfig {
+  const current = readSyncConfig();
+  const updated = { ...current, ...patch };
+  fs.writeFileSync(CONFIG_FILE, JSON.stringify(updated, null, 2), "utf8");
+  return updated;
+}

apps/Backend/src/services/networkSyncService.ts

@@ -0,0 +1,117 @@
+import { spawn } from "child_process";
+import http from "http";
+import https from "https";
+import { URL } from "url";
+import path from "path";
+import fs from "fs";
+import { prisma } from "@repo/db/client";
+
+const MIGRATIONS_DIR = path.resolve(__dirname, "../../../../packages/db/prisma/migrations");
+
+async function applyMissingMigrations() {
+  let folders: string[];
+  try {
+    folders = fs.readdirSync(MIGRATIONS_DIR)
+      .filter((name) => fs.statSync(path.join(MIGRATIONS_DIR, name)).isDirectory())
+      .sort();
+  } catch {
+    console.warn("Could not read migrations directory, skipping post-sync migration.");
+    return;
+  }
+
+  let applied: Set<string>;
+  try {
+    const rows = await prisma.$queryRaw<{ migration_name: string }[]>`
+      SELECT migration_name FROM "_prisma_migrations" WHERE finished_at IS NOT NULL
+    `;
+    applied = new Set(rows.map((r: { migration_name: string }) => r.migration_name));
+  } catch {
+    applied = new Set();
+  }
+
+  for (const folder of folders) {
+    if (applied.has(folder)) continue;
+    const sqlFile = path.join(MIGRATIONS_DIR, folder, "migration.sql");
+    if (!fs.existsSync(sqlFile)) continue;
+    const sql = fs.readFileSync(sqlFile, "utf8");
+    try {
+      await prisma.$executeRawUnsafe(sql);
+      console.log(`Applied migration: ${folder}`);
+    } catch (err: any) {
+      console.warn(`Migration ${folder} had errors (may already be applied):`, err.message);
+    }
+  }
+}
+
+export function runNetworkSync(sourceUrl: string, apiKey: string): Promise<void> {
+  return new Promise((resolve, reject) => {
+    let targetUrl: URL;
+    try {
+      targetUrl = new URL("/api/database-management/network-backup", sourceUrl);
+    } catch {
+      return reject(new Error(`Invalid source URL: ${sourceUrl}`));
+    }
+
+    const client = targetUrl.protocol === "https:" ? https : http;
+
+    const req = client.get(
+      targetUrl.href,
+      { headers: { "x-network-backup-key": apiKey } },
+      async (res) => {
+        if (res.statusCode !== 200) {
+          res.resume();
+          return reject(
+            new Error(`Source returned HTTP ${res.statusCode}: ${res.statusMessage}`)
+          );
+        }
+
+        // Drop and recreate the public schema
+        try {
+          await prisma.$executeRawUnsafe(`DROP SCHEMA public CASCADE`);
+          await prisma.$executeRawUnsafe(`CREATE SCHEMA public`);
+        } catch (err: any) {
+          res.destroy();
+          return reject(new Error(`Failed to reset schema: ${err.message}`));
+        }
+
+        const psql = spawn(
+          "psql",
+          [
+            "-h", process.env.DB_HOST || "localhost",
+            "-U", process.env.DB_USER || "postgres",
+            process.env.DB_NAME || "dental_db",
+          ],
+          { env: { ...process.env, PGPASSWORD: process.env.DB_PASSWORD } }
+        );
+
+        let stderr = "";
+        psql.stderr.on("data", (d) => (stderr += d.toString()));
+        psql.on("error", (err) => reject(new Error(`Failed to start psql: ${err.message}`)));
+
+        psql.on("close", async (code) => {
+          if (code !== 0) {
+            return reject(new Error(`psql exited ${code}: ${stderr}`));
+          }
+          try {
+            await prisma.$disconnect();
+            await prisma.$connect();
+          } catch (_) {}
+          try {
+            await applyMissingMigrations();
+          } catch (err) {
+            console.error("applyMissingMigrations failed after network sync:", err);
+          }
+          resolve();
+        });
+
+        res.pipe(psql.stdin);
+      }
+    );
+
+    req.on("error", (err) => reject(new Error(`Network request failed: ${err.message}`)));
+    req.setTimeout(120_000, () => {
+      req.destroy();
+      reject(new Error("Network backup request timed out after 120s"));
+    });
+  });
+}