[AZ-460] [AZ-462] [AZ-466] [AZ-475] Batch 4 - destructive UX/forms/overlay/save

AZ-466 — Destructive UX policy + ConfirmDialog a11y + no-alert (4pts): src/components/ConfirmDialog.test.tsx (8 fast), tests/destructive_ux.test.tsx (4 fast, AdminPage class-delete drift), e2e/tests/destructive_ux.e2e.ts. New static checks STC-SEC7 (alert allowlist) + STC-SEC8 (destructive-surfaces gated/drift) wired through scripts/check-banned-deps.mjs reading tests/security/banned-deps.json. AZ-475 — Numeric form input rejection (2pts): tests/form_hygiene.test.tsx (3 fast). Documents two SettingsPage drifts: silent zero coercion via parseInt(v)||0 and labels missing htmlFor. AZ-462 — Overlay membership at in-window edges (2pts): tests/overlay_membership.test.tsx (6 fast). Documents getTimeWindowDetections strict < drift; AC-1 boundary tests are it.fails(); AC-2 / control PASS. Mocks HTMLCanvasElement.getContext to capture strokeRect. AZ-460 — Annotation save URL + payload contract (2pts): tests/annotations_endpoint.test.tsx (6 fast), e2e/tests/annotations_endpoint.e2e.ts. AC-1 URL canary PASSes; AC-2 payload missing 4 fields documented as it.fails(); AC-3 manual-draw PASS, AI-suggestion-accept + bulk-edit-save QUARANTINE skip. Test infrastructure: - tests/setup.ts: NoopResizeObserver + NoopEventSource JSDOM polyfills. - tests/msw/handlers/annotations.ts: doubly-prefixed paths matching production calls (e.g. /api/annotations/annotations). - tests/msw/handlers/flights.ts: plural /aircrafts paths. Verification: bun run test:fast → 80 passed, 13 skipped (14 files). scripts/run-tests.sh --static-only → 24/24 PASS (was 22; +STC-SEC7/SEC8). Per-batch self-review verdict: PASS_WITH_WARNINGS. Cumulative review of batches 04-06 due after batch 6 per implement/SKILL.md Step 14.5. Report: _docs/03_implementation/batch_04_report.md. Also includes the previously-untracked _docs/03_implementation/cumulative_review_batches_01-03_report.md generated at the start of this session before batch 4 began. Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-21 11:41:11 +00:00 · 2026-05-11 04:15:01 +03:00
parent 2051088706
commit 1dd25edee3
20 changed files with 1812 additions and 32 deletions
@@ -97,18 +97,21 @@ function* walkSourceFiles(rootDir) {

 function checkSourceTree(section, root, subdirs) {
  const regexes = section.patterns.map((p) => new RegExp(p, 'i'))
+  const allowlist = new Set((section.allowlist ?? []).map((p) => p.replaceAll('\\', '/')))
  const hits = []
  for (const sub of subdirs) {
    const full = join(root, sub)
    try { statSync(full) } catch { continue }
    for (const file of walkSourceFiles(full)) {
+      const relPath = relative(root, file).replaceAll('\\', '/')
+      if (allowlist.has(relPath)) continue
      let text
      try { text = readFileSync(file, 'utf8') } catch { continue }
      const lines = text.split('\n')
      lines.forEach((line, idx) => {
        for (const re of regexes) {
          if (re.test(line)) {
-            hits.push(`${relative(root, file)}:${idx + 1}: ${line.trim().slice(0, 200)} (matched /${re.source}/i)`)
+            hits.push(`${relPath}:${idx + 1}: ${line.trim().slice(0, 200)} (matched /${re.source}/i)`)
            break
          }
        }
@@ -118,6 +121,31 @@ function checkSourceTree(section, root, subdirs) {
  return hits
 }

+function checkDestructiveSurfaces(section, root, subdirs) {
+  const regexes = section.patterns.map((p) => new RegExp(p))
+  const gated = new Set((section.gated ?? []).map((p) => p.replaceAll('\\', '/')))
+  const drift = new Set((section.drift ?? []).map((p) => p.replaceAll('\\', '/')))
+  const known = new Set([...gated, ...drift])
+  const hits = []
+  for (const sub of subdirs) {
+    const full = join(root, sub)
+    try { statSync(full) } catch { continue }
+    for (const file of walkSourceFiles(full)) {
+      const relPath = relative(root, file).replaceAll('\\', '/')
+      let text
+      try { text = readFileSync(file, 'utf8') } catch { continue }
+      const matches = regexes.some((re) => re.test(text))
+      if (!matches) continue
+      if (known.has(relPath)) continue
+      hits.push(
+        `${relPath}: contains destructive call but is not in gated/drift allowlist; ` +
+        `add to tests/security/banned-deps.json (destructive_surfaces) with a code-review note`,
+      )
+    }
+  }
+  return hits
+}
+
 function* walkAnyFiles(rootDir) {
  let entries
  try {
@@ -167,8 +195,14 @@ function main() {
  let hits = []
  if (kind === 'owm_key_in_dist') {
    hits = checkDistTree(section, root)
-  } else if (kind === 'legacy_integrations' || kind === 'concurrent_edit_patterns') {
+  } else if (
+    kind === 'legacy_integrations' ||
+    kind === 'concurrent_edit_patterns' ||
+    kind === 'alert_calls'
+  ) {
    hits = checkSourceTree(section, root, ['src', 'mission-planner'])
+  } else if (kind === 'destructive_surfaces') {
+    hits = checkDestructiveSurfaces(section, root, ['src'])
  } else {
    hits = checkPackageJson(section, root)
  }