# Test Run Report — Cycle 2

**Date**: 2026-05-14
**Scope**: Full E2E suite (`docker compose -f docker-compose.test.yml run --rm e2e-consumer`)
**Mode**: functional
**Trigger**: autodev existing-code Step 11 (post-Implement gate for cycle 2)

## Summary

```
TEST RESULTS: 82 passed, 0 failed, 3 skipped, 0 errors
```

Wall time: ~71 s. Re-runs of the suite during cycle 2 ranged 60–80 s.

## System-Under-Test Reality Gate

- **Database**: real Postgres 17 container (`admin-test-db-1`); SQL migrations applied via `e2e/db-init/00_run_all.sh` (now includes `09_sessions_logout_and_mission.sql`, `10_users_mfa.sql`).
- **API**: real `Azaion.AdminApi` build running in `admin-system-under-test-1`; no in-process stubs, no fakes — every test hits the same kestrel that production runs.
- **Auth**: real Argon2id verification (~250 ms per `/login` per AZ-536), real ES256 signing (per AZ-532), real `Otp.NET` TOTP verification (per AZ-534).
- **DataProtection**: `IDataProtector` keys are container-ephemeral in test (acceptable — every test seeds its own user); production must set `DataProtection:KeysFolder`.

No internal product modules are mocked or stubbed. Reality gate: **PASS**.

## Skipped Tests — Classification

All three skips are legitimate **environment-mismatch** skips per the test-run cheatsheet (the "would run if the environment were present" predicate holds).

| # | Test                                                                                               | Reason for skip                                                                                                                                  | Verdict     |
|---|----------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
| 1 | `CorsHttpsTests.AZ_538_AC3_HSTS_header_present_in_production`                                      | Requires `ASPNETCORE_ENVIRONMENT=Production`; test harness runs `Development`. HSTS gate verified by code inspection of `Program.cs UseHsts`.      | Legitimate  |
| 2 | `CorsHttpsTests.AZ_538_AC4_HTTP_request_redirects_to_HTTPS_in_production`                          | Same Production-only gate; verified by code inspection of `Program.cs UseHttpsRedirection`.                                                       | Legitimate  |
| 3 | `LoginRateLimitTests.AC1_Per_ip_rate_limit_returns_429`                                            | Per-IP partition keys on `RemoteIpAddress`; in the shared-IP container test environment all requests look like one client to the limiter. Verified by ASP.NET Core RateLimiter unit tests + a manual probe documented in the AZ-537 spec. | Legitimate  |

No illegitimate skips — proceeding without resolution requests.

## Failures / Errors

None.

## Pre-Existing Flake (passed in this run)

`PasswordHashingTests.AC5_Verify_uses_constant_time_comparator_no_obvious_timing_leak` — Argon2 timing-stability assertion that occasionally trips under suite-level concurrency. Passed cleanly in the cycle-2 final run. Filed under follow-up items in the cycle implementation report.

## Outcome

**PASS** — return success to the autodev orchestrator. Auto-chain to Step 12 (Test-Spec Sync).