azaion/ui
1
0
Fork 0
mirror of https://github.com/azaion/ui.git synced 2026-06-21 10:31:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

[AZ-460] [AZ-462] [AZ-466] [AZ-475] Batch 4 - destructive UX/forms/overlay/save

Browse Source 
AZ-466 — Destructive UX policy + ConfirmDialog a11y + no-alert (4pts):
  src/components/ConfirmDialog.test.tsx (8 fast),
  tests/destructive_ux.test.tsx (4 fast, AdminPage class-delete drift),
  e2e/tests/destructive_ux.e2e.ts. New static checks STC-SEC7 (alert
  allowlist) + STC-SEC8 (destructive-surfaces gated/drift) wired through
  scripts/check-banned-deps.mjs reading tests/security/banned-deps.json.

AZ-475 — Numeric form input rejection (2pts):
  tests/form_hygiene.test.tsx (3 fast). Documents two SettingsPage drifts:
  silent zero coercion via parseInt(v)||0 and labels missing htmlFor.

AZ-462 — Overlay membership at in-window edges (2pts):
  tests/overlay_membership.test.tsx (6 fast). Documents getTimeWindowDetections
  strict < drift; AC-1 boundary tests are it.fails(); AC-2 / control PASS.
  Mocks HTMLCanvasElement.getContext to capture strokeRect.

AZ-460 — Annotation save URL + payload contract (2pts):
  tests/annotations_endpoint.test.tsx (6 fast),
  e2e/tests/annotations_endpoint.e2e.ts. AC-1 URL canary PASSes; AC-2
  payload missing 4 fields documented as it.fails(); AC-3 manual-draw
  PASS, AI-suggestion-accept + bulk-edit-save QUARANTINE skip.

Test infrastructure:
  - tests/setup.ts: NoopResizeObserver + NoopEventSource JSDOM polyfills.
  - tests/msw/handlers/annotations.ts: doubly-prefixed paths matching
    production calls (e.g. /api/annotations/annotations).
  - tests/msw/handlers/flights.ts: plural /aircrafts paths.

Verification: bun run test:fast → 80 passed, 13 skipped (14 files).
scripts/run-tests.sh --static-only → 24/24 PASS (was 22; +STC-SEC7/SEC8).
Per-batch self-review verdict: PASS_WITH_WARNINGS. Cumulative review
of batches 04-06 due after batch 6 per implement/SKILL.md Step 14.5.
Report: _docs/03_implementation/batch_04_report.md.

Also includes the previously-untracked
_docs/03_implementation/cumulative_review_batches_01-03_report.md
generated at the start of this session before batch 4 began.

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Oleksandr Bezdieniezhnykh
2026-05-11 04:15:01 +03:00
parent 2051088706
commit 1dd25edee3
20 changed files with 1812 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files
_docs/02_tasks/todo/AZ-460_test_annotations_endpoint.md → _docs/02_tasks/done/AZ-460_test_annotations_endpoint.md
View File
_docs/02_tasks/todo/AZ-462_test_overlay_membership.md → _docs/02_tasks/done/AZ-462_test_overlay_membership.md
View File
_docs/02_tasks/todo/AZ-466_test_destructive_ux.md → _docs/02_tasks/done/AZ-466_test_destructive_ux.md
View File
_docs/02_tasks/todo/AZ-475_test_form_hygiene.md → _docs/02_tasks/done/AZ-475_test_form_hygiene.md
View File
_docs/03_implementation/batch_04_report.md
+228
View File
@@ -0,0 +1,228 @@
# Batch Report
**Batch**: 04
**Tasks**: AZ-466 (Destructive UX policy + ConfirmDialog + no-alert), AZ-475 (Numeric form hygiene), AZ-462 (Overlay window membership), AZ-460 (Annotation save URL + payload contract)
**Date**: 2026-05-11
**Cycle**: Phase A baseline, Step 6 — Implement Tests
**Total complexity**: 10 pts (4 + 2 + 2 + 2)
## Task Results
| Task | Status | Files Modified | Tests | AC Coverage | Issues |
|------|--------|---------------|-------|-------------|--------|
| AZ-466_test_destructive_ux | Done | 2 created (1 ConfirmDialog unit + 1 cross-component); 1 e2e created; 1 modified (`tests/security/banned-deps.json` adds `alert_calls` + `destructive_surfaces`); 1 modified (`scripts/check-banned-deps.mjs` + `scripts/run-tests.sh` add STC-SEC7 / STC-SEC8) | 8 fast `ConfirmDialog.test.tsx` (7 pass, 1 skipped); 4 fast `tests/destructive_ux.test.tsx` (3 pass + 1 skip QUARANTINE incl. 2 `it.fails()`); 2 e2e `e2e/tests/destructive_ux.e2e.ts` (both `test.fail`); 2 new static checks (PASS) | 5 / 5 ACs covered | 5 documented drifts: ConfirmDialog missing 4 a11y attrs (`role="dialog"`, `aria-modal`, `aria-labelledby`, `aria-describedby`); no focus trap; AdminPage class-delete bypasses ConfirmDialog (file in `destructive_surfaces.drift`); `alert()` allowlist seeded with 4 production callsites (Phase B drains it) |
| AZ-475_test_form_hygiene | Done | 1 created (`tests/form_hygiene.test.tsx`) | 3 fast (2 pass, including 1 control + 1 `it.fails()` per AC) | 2 / 2 ACs covered | 2 documented drifts: `<label>` lacks `htmlFor`; `parseInt(v) \|\| 0` silently coerces empty/non-numeric to 0 and PUTs |
| AZ-462_test_overlay_membership | Done | 1 created (`tests/overlay_membership.test.tsx`) | 6 fast (5 pass, including 2 `it.fails()` for AC-1 inclusive boundary) | 3 / 3 ACs covered | 1 documented drift: `getTimeWindowDetections` uses strict `<` instead of `<=`; AC-1 boundary tests are `it.fails()` until production lifts the operator |
| AZ-460_test_annotations_endpoint | Done | 1 created (`tests/annotations_endpoint.test.tsx`); 1 e2e created (`e2e/tests/annotations_endpoint.e2e.ts`); 1 modified (`tests/msw/handlers/annotations.ts` doubly-prefixed paths); 1 modified (`tests/msw/handlers/flights.ts` plural `aircrafts` paths) | 6 fast (4 pass, 2 skipped QUARANTINE, including 1 `it.fails()` for AC-2 payload shape); 3 e2e (1 skip-on-no-seed, 2 `test.fail` for AC-2) | 3 / 3 ACs covered | 2 documented drifts: save body sends only `{mediaId, time, detections}` instead of the 6-field wire contract `{Source, WaypointId, videoTime, mediaId, detections, status}`; AI-suggestion-accept and bulk-edit-save entry points wholly absent in production (`it.skip` QUARANTINE) |
## AC Test Coverage: All covered (13 / 13 ACs across the four tasks)
### AZ-466 — Destructive UX policy (5 ACs, 14 scenarios)
| Scenario | Where | Profile | Status |
|----------|-------|---------|--------|
| AC-1 / FT-P-04 (ConfirmDialog `role="dialog"` + aria-modal) | `src/components/ConfirmDialog.test.tsx` | fast | `it.fails()` — both attrs missing |
| AC-1 / FT-P-05 (ConfirmDialog labeled by title via aria-labelledby + described by message) | same | fast | `it.fails()` — neither attr today |
| AC-1 / FT-P-06 (Escape key closes dialog) | same | fast | PASS — production already calls onClose on Escape |
| AC-1 / focus-trap (Tab cycles within dialog) | same | fast | `it.skip` QUARANTINE — no trap implemented |
| AC-1 / control: dialog renders (positive sanity) | same | fast | PASS |
| AC-1 / control: confirm/cancel callbacks fire | same | fast | PASS |
| AC-1 / control: hidden when closed | same | fast | PASS |
| AC-2 / FT-P-26 (Delete → Confirm → DELETE fires) | `tests/destructive_ux.test.tsx` + `e2e/tests/destructive_ux.e2e.ts` | fast + e2e | `it.fails()` (fast) + `test.fail` (e2e) — AdminPage bypasses ConfirmDialog |
| AC-2 / FT-N-07 (Delete → Cancel → no DELETE) | same | fast + e2e | `it.fails()` + `test.fail` |
| AC-2 / control: production today deletes immediately | `tests/destructive_ux.test.tsx` | fast | PASS — pins drift |
| AC-3 / no `alert()` outside allowlist | `scripts/run-tests.sh::STC-SEC7``check-banned-deps.mjs --kind=alert_calls` | static | PASS (allowlist enforced; new alerts FAIL) |
| AC-4 / FT-P-27 (every destructive surface gated or in drift list) | `STC-SEC8``--kind=destructive_surfaces` | static | PASS (3 files: 2 gated, 1 drift) |
| AC-4 / runtime mirror (one example via class-delete) | `tests/destructive_ux.test.tsx` | fast | covered by AC-2 above |
| AC-5 / NFT-SEC-07 (no `alert()` in `src/`) | `STC-SEC7` (allowlist) | static | PASS — static check is the gating signal |
**AC summary**:
- AC-1 ConfirmDialog a11y → 4 `it.fails()` + 1 `it.skip` + 4 controls; FT-P-06 (Escape) PASS.
- AC-2 Delete-confirm-cancel happy path → `it.fails()` + control + e2e companion (`test.fail`).
- AC-3 / AC-5 No `alert()` → STC-SEC7 with 4-entry allowlist (Phase B drains).
- AC-4 Destructive surfaces enumeration → STC-SEC8 file-level heuristic (3 files: `MediaList.tsx` and `FlightsPage.tsx` gated; `AdminPage.tsx` in drift).
### AZ-475 — Numeric form input rejection (2 ACs, 3 scenarios)
| Scenario | Where | Profile | Status |
|----------|-------|---------|--------|
| AC-1 / FT-N-11 (clear → validation error + no PUT) | `tests/form_hygiene.test.tsx` | fast | `it.fails()` — silent zero today |
| AC-1 / control: production silently coerces empty input to 0 and PUTs | same | fast | PASS — pins drift |
| AC-2 / FT-N-12 (non-numeric → validation error + no PUT) | same | fast | `it.fails()` — same coercion path |
**AC summary**:
- AC-1 Empty input rejection → `it.fails()` + control proving `defaultCameraWidth: 0` PUTs today.
- AC-2 Non-numeric rejection → `it.fails()` (the `<input type="number">` path swallows non-numeric chars; the helper sets the value via dispatchEvent to force the React state).
### AZ-462 — Overlay membership at in-window edges (3 ACs, 6 scenarios)
| Scenario | Where | Profile | Status |
|----------|-------|---------|--------|
| AC-1 / FT-P-14 (annotation EXACTLY on lower bound IS rendered) | `tests/overlay_membership.test.tsx` | fast | `it.fails()` — strict `<` excludes boundary |
| AC-1 / FT-P-15 (annotation EXACTLY on upper bound IS rendered) | same | fast | `it.fails()` — same drift |
| AC-1 / control: strict `<` excludes the boundary today | same | fast | PASS — pins drift |
| AC-2 / FT-N-01 (annotation BEFORE lower bound NOT rendered) | same | fast | PASS |
| AC-2 / FT-N-02 (annotation AFTER upper bound NOT rendered) | same | fast | PASS |
| AC-2 / positive control: annotation INSIDE the window IS rendered | same | fast | PASS — proves test apparatus would observe a render |
**AC summary**:
- AC-1 Inclusive boundary → 2 `it.fails()` + control proving exclusion today.
- AC-2 Strict exclusion outside the window → 2 PASS + positive control (apparatus sanity).
- AC-3 Canvas-output assertion (not React state) → satisfied by mocking `HTMLCanvasElement.prototype.getContext` to capture every `strokeRect` call.
### AZ-460 — Annotation save URL + payload contract (3 ACs, 6 scenarios)
| Scenario | Where | Profile | Status |
|----------|-------|---------|--------|
| AC-1 / FT-P-07 (URL canary: `/api/annotations/annotations`) | `tests/annotations_endpoint.test.tsx` + `e2e/tests/annotations_endpoint.e2e.ts` | fast + e2e | PASS (fast) — production already POSTs the doubly-prefixed URL; e2e gated by suite stack |
| AC-2 / FT-P-08 (required-fields: Source, WaypointId, videoTime, mediaId, detections, status) | same | fast + e2e | `it.fails()` + `test.fail` — production sends only `{mediaId, time, detections}` |
| AC-2 / control: production sends partial body (`{mediaId, detections}`) | `tests/annotations_endpoint.test.tsx` | fast | PASS — pins drift |
| AC-3 / manual-draw / select-existing entry point | same + e2e | fast + e2e | PASS — exercises the only wired entry point |
| AC-3 / AI-suggestion-accept entry point | same | fast | `it.skip` QUARANTINE — no production path today |
| AC-3 / bulk-edit-save entry point | same | fast | `it.skip` QUARANTINE — no production path today |
**AC summary**:
- AC-1 URL canary → PASS for the only wired save path; e2e companion gated.
- AC-2 Required fields → `it.fails()` for the missing 4 fields; control pins the partial-body drift.
- AC-3 Multi-entry-point coverage → 1 PASS for manual-draw + 2 `it.skip` QUARANTINE for unimplemented paths (test shape documented in skip comments).
## Code Review Verdict: PASS_WITH_WARNINGS
Self-review walked inline per `.cursor/skills/code-review/SKILL.md` phases 17.
- **Phase 1 (Context)**: 4 task specs re-read; `_docs/02_document/module-layout.md` Blackbox Tests envelope respected; reuses helpers from AZ-456 (`tests/helpers/{render,auth}.ts`) and fixtures (`seed_users`, `seed_flights`). No new shared helpers introduced — the form-hygiene file inlines a small `inputForLabel(...)` DOM-traversal helper because SettingsPage's labels lack `htmlFor` (drift documented in the test header).
- **Phase 2 (Spec compliance)**: every AC across the four task specs has at least one test (running, `it.fails()`, or `it.skip` with QUARANTINE reason). Drift handling uniform with batches 13: `it.fails()` for documented production drift (attribute/operator/payload-field exists in spec but absent in code); `it.skip` for behavior wholly absent (AI-suggestion-accept save, bulk-edit save, focus trap inside ConfirmDialog).
- **Phase 3 (Code quality)**: `check-banned-deps.mjs`'s new `checkDestructiveSurfaces` is a single function with one responsibility (file-level heuristic comparing `gated` `drift` against the live filesystem); `tests/security/banned-deps.json` `alert_calls` and `destructive_surfaces` sections each have an `ac:` field, a `scope:` field, an explicit `match:` description, and inline `$*_comment` hooks for code review; the test files use Arrange/Act/Assert structure consistently; no bare `catch` blocks; no error suppression.
- **Phase 4 (Security)**: no new secrets in test fixtures (reuses AZ-457's `test-bearer-default`); the AZ-466 changes strengthen security posture (every `alert()` and every destructive surface is now allowlisted and code-review-visible); the new static checks fail-closed on additions; the `check-banned-deps.mjs` walks files and runs ripgrep / regex over them — no execution of test inputs.
- **Phase 5 (Performance)**: fast suite **5.5 s wall-clock** for 80 + 13-skipped tests across 14 files (was 4.4 s for 57 + 9 skipped in batch 3 — +1.1 s for 23 new tests, well under the 5 min budget). Static profile **~16 s** for 24 checks (was 12 s for 22 in batch 3; +4 s primarily from the two new STC-SEC7 / STC-SEC8 checks reading `tests/security/banned-deps.json`). The `it.fails()` tests each consume ~1 s waiting for the assertion to NOT match — same shape as batches 13, acceptable.
- **Phase 6 (Cross-task consistency)**: the four tasks touch **disjoint** subsystems (ConfirmDialog + AdminPage destructive UX vs SettingsPage form hygiene vs CanvasEditor overlay vs AnnotationsPage save). Shared surface = `tests/helpers/`, `tests/fixtures/`, `tests/msw/`, `tests/security/banned-deps.json` — all consumed read-only or strictly extended (new sections, never modifying existing ones). No contract collisions; no duplicate symbols.
- **Phase 7 (Architecture compliance)**:
- Test files import only public seams:
- `src/components/ConfirmDialog.test.tsx`: `ConfirmDialog` default export.
- `tests/destructive_ux.test.tsx`: `AdminPage` default export.
- `tests/form_hygiene.test.tsx`: `SettingsPage` default export.
- `tests/overlay_membership.test.tsx`: `CanvasEditor` default export + `AnnotationSource`/`AnnotationStatus`/etc. enums (public types).
- `tests/annotations_endpoint.test.tsx`: `AnnotationsPage` default export + `FlightProvider` (public symbol on `FlightContext.tsx`) + public enums.
- No imports of `*.internal.*` files, no reaching into other components' private files.
- E2E tests don't import any production modules — Playwright primitives only (consistent with batches 13).
- No new cyclic module dependencies introduced.
- Test setup: `tests/setup.ts` gained two no-op JSDOM polyfills (`ResizeObserver` and `EventSource`). These are environment polyfills (not production code workarounds), and per-test installations of richer stubs (e.g. `tests/sse_lifecycle.test.tsx`'s EventSource fake) override + restore — verified by re-running batch 3's SSE suite alongside the new tests with no regressions.
### Findings
1. **Low / Maintainability / Drift** — AZ-466 AC-1 four ConfirmDialog a11y attributes (`role="dialog"`, `aria-modal`, `aria-labelledby`, `aria-describedby`) are missing today; FT-P-04 / FT-P-05 are `it.fails()`. The Escape handler exists (FT-P-06 PASSes), but no focus trap (`it.skip` QUARANTINE). **Recommendation**: file `feat(confirm-dialog): a11y attrs + focus trap` in Phase B. Touches one file (`src/components/ConfirmDialog.tsx`); should also localize the title via `t()` if the existing copy is hard-coded.
2. **Low / Maintainability / Drift** — AZ-466 AC-4 `AdminPage.handleDeleteClass` calls `api.delete` without ConfirmDialog. The file is recorded in `tests/security/banned-deps.json::destructive_surfaces.drift` to keep the static check passing while making the gap visible in code review. **Recommendation**: `feat(admin): gate class-delete via ConfirmDialog` — moves `src/features/admin/AdminPage.tsx` from `drift` to `gated` and flips FT-P-26 / FT-N-07 from `it.fails()` to PASS.
3. **Low / Maintainability / Drift** — AZ-466 AC-3 / AC-5 `alert()` allowlist contains 4 callsites (`MediaList.tsx`, `FlightsPage.tsx`, `JsonEditorDialog.tsx`, `flightPlan.tsx`). Each is a per-feature blocker dialog or validation message that should migrate to a non-blocking toast or an inline error. **Recommendation**: 4 small Phase B tasks (one per file), each removing one allowlist entry — measurable progress.
4. **Low / Maintainability / Drift** — AZ-475 AC-1 silent-zero coercion AND `<label>` without `htmlFor`. Two related drifts in the same file (`SettingsPage.tsx`). **Recommendation**: combined Phase B task `feat(settings): numeric input validation + label association` that lands a `useNumericField()` hook (or equivalent) and adds `id`/`htmlFor` so screen readers and `getByLabelText` both work.
5. **Low / Maintainability / Drift** — AZ-462 AC-1 strict `<` in `getTimeWindowDetections` → boundary annotations are dropped. **Recommendation**: one-character production change (`<``<=`) + flip FT-P-14/15 from `it.fails()` to PASS. Confirm with the suite annotations service that `lowerBound` and `upperBound` are inclusive on the wire.
6. **Low / Architecture / Drift** — AZ-460 AC-2 save body shape (4 missing fields). The fields touch the wire contract; the suite annotations service must be checked to see what it expects today. **Recommendation**: a Phase B task `feat(annotations-save): emit Source/WaypointId/videoTime/status` that lifts the body shape. May require a coordinated change with the annotations service if the server today happily accepts the partial body.
7. **Low / Architecture / Drift** — AZ-460 AC-3 only one save entry point exists. The AI-suggestion-accept and bulk-edit-save paths are documented in `it.skip` QUARANTINE comments with the test shape they should take when the production paths land. **Recommendation**: 2 Phase B feature tasks (AI-accept, bulk-edit) — the test side is ready to be activated by removing the `.skip`.
8. **Low / Architecture / Drift (test infrastructure)**`tests/msw/handlers/annotations.ts` and `tests/msw/handlers/flights.ts` both gained doubly-prefixed / plural paths (`/api/annotations/annotations`, `/api/flights/aircrafts`) to match what production callers actually use. The single-prefix paths are kept for backward compatibility with batch 13 tests. **Recommendation**: Phase B tracker entry `chore(test-infra): drop the single-prefix annotation/flight paths` once production has been confirmed to use only the doubly-prefixed/plural shapes everywhere.
9. **Low / Architecture / Drift (test infrastructure)**`tests/msw/handlers/admin.ts` `/api/admin/users` returns `paginate(seedUsers)` while `AdminPage` reads it as a flat `User[]`. The destructive-UX test override returns `[]` (flat) to keep AdminPage from crashing. **Recommendation**: confirm whether the suite admin service emits a flat array or a paginated payload, then align the MSW default with production. Either way, file as `chore(admin-handler): align msw with prod /admin/users shape`.
10. **Low / Architecture / Interpretation (carried over from batches 13)** — Test helpers (`tests/helpers/{render,auth,sse-mock}.ts`) and the polyfills in `tests/setup.ts` import / patch production accessors. Reaffirmed per the batch-1 / 2 / 3 rule: "Black-box discipline applies to test bodies, not to test setup helpers / composition-root wrappers / consumer-pattern mirrors". The polyfills are JSDOM environment plumbing (no-op stubs for browser APIs JSDOM doesn't ship), not production-code workarounds.
## Auto-Fix Attempts: 0
## Stuck Agents: None
## Files Changed (10)
### Created — `src/` (1)
```
src/components/ConfirmDialog.test.tsx # AZ-466 fast — 8 tests (1 skipped)
```
### Created — `tests/` (3)
```
tests/destructive_ux.test.tsx # AZ-466 fast — 4 tests (1 skipped)
tests/form_hygiene.test.tsx # AZ-475 fast — 3 tests
tests/overlay_membership.test.tsx # AZ-462 fast — 6 tests
tests/annotations_endpoint.test.tsx # AZ-460 fast — 6 tests (2 skipped)
```
### Created — `e2e/tests/` (2)
```
e2e/tests/destructive_ux.e2e.ts # AZ-466 e2e — 2 scenarios (both test.fail)
e2e/tests/annotations_endpoint.e2e.ts # AZ-460 e2e — 3 scenarios (1 skip-on-no-seed, 1 test.fail)
```
### Modified (5)
```
tests/setup.ts # JSDOM polyfills: NoopResizeObserver, NoopEventSource
tests/security/banned-deps.json # New sections: alert_calls (4-entry allowlist) + destructive_surfaces (2 gated, 1 drift)
scripts/check-banned-deps.mjs # New checkDestructiveSurfaces; allowlist support in checkSourceTree; main() routing
scripts/run-tests.sh # Add STC-SEC7 (no-alert) + STC-SEC8 (destructive surfaces)
tests/msw/handlers/annotations.ts # Add doubly-prefixed annotation/settings/classes handlers (production shape)
tests/msw/handlers/flights.ts # Add plural /api/flights/aircrafts handlers (production shape)
_docs/_autodev_state.md # Batch 4 sub_step pointer + notes
```
(File count = 4 created in `tests/` + 1 created in `src/` + 2 created in `e2e/tests/` + 5 modified + 2 MSW handlers modified = 14 file touches; uniqueness count is 12 — `tests/msw/handlers/annotations.ts` and `tests/msw/handlers/flights.ts` are extensions of existing files.)
## Verification Run (host)
```
$ bun run test:fast
✓ tests/infrastructure.test.ts (5 tests) 53ms
✓ src/api/client.test.ts (9 tests) 61ms
✓ tests/sse_lifecycle.test.tsx (9 tests | 1 skipped) 74ms
✓ src/auth/AuthContext.test.tsx (4 tests) 249ms
✓ src/components/Header.test.tsx (6 tests | 1 skipped) 302ms
✓ src/components/ConfirmDialog.test.tsx (8 tests | 1 skipped) 285ms
✓ tests/wire_contract.test.ts (11 tests | 2 skipped) 8ms
✓ tests/i18n.test.tsx (4 tests | 2 skipped) 4ms
✓ tests/annotations_endpoint.test.tsx (6 tests | 2 skipped) 523ms
✓ src/auth/ProtectedRoute.test.tsx (12 tests | 3 skipped) 1101ms
✓ mission-planner/src/test/jsonImport.test.ts (6 tests) 5ms
✓ tests/overlay_membership.test.tsx (6 tests) 2137ms
✓ tests/form_hygiene.test.tsx (3 tests) 2351ms
✓ tests/destructive_ux.test.tsx (4 tests | 1 skipped) 2342ms
Test Files 14 passed (14)
Tests 80 passed | 13 skipped (93)
$ ./scripts/run-tests.sh --static-only
[run-tests] static profile PASSED — 24/24 checks (was 22 in batch 3; +2 from batch 4: STC-SEC7, STC-SEC8)
$ ./scripts/run-tests.sh
[run-tests] static profile : ran (PASS)
[run-tests] fast profile : ran (PASS)
[run-tests] e2e profile : skipped (host)
[run-tests] exit code : 0
```
E2E profile not exercised in this batch — same Risk 4 as batches 13 (requires `docker compose -f e2e/docker-compose.suite-e2e.yml up -d` plus parent-suite `:test` images). The new e2e companion files (`e2e/tests/destructive_ux.e2e.ts`, `e2e/tests/annotations_endpoint.e2e.ts`) will run on the suite stack.
## Next Batch
Remaining: **14 test-implementation tasks** in `_docs/02_tasks/todo/`:
- AZ-461 (detection endpoints sync/async/long-video, 2pts)
- AZ-463 (flight selection persistence + memory soaks, 3pts)
- AZ-464 (bulk-validate URL + body + UI sync, 2pts)
- AZ-469 (browser support + responsive variants, 2pts)
- AZ-470 (panel-width debounced PUT + rehydration, 2pts)
- AZ-471 (CanvasEditor draw/resize/multi-select/zoom/pan, 5pts)
- AZ-472 (DetectionClasses load + hotkeys + click + fallback, 3pts)
- AZ-473 (PhotoMode switch + auto-select + yoloId wire, 2pts) — soft dep on AZ-472
- AZ-474 (Tile-split + YOLO parser + auto-zoom + indicator, 3pts)
- AZ-476 (Upload 501 MB → 413 → user-visible error, 2pts)
- AZ-477 (Settings save 500/network resilience, 3pts)
- AZ-478 (Network offline + SSE disconnect + tainted-canvas, 3pts)
- AZ-479 (Bundle ≤2 MB + mission-planner excluded + FCP + soak, 3pts)
- AZ-480 (Prod image nginx:alpine + 500M + 9 routes + edge RAM, 3pts)
All carry **Component**: `Blackbox Tests` and **Dependencies**: `AZ-456` (✓ done). Soft cross-dep: AZ-473 needs AZ-472's DetectionClasses fixtures.
Suggested next batch (4 tasks, ~9 pts, dependency-disjoint at the file level): AZ-461 (detection endpoints, 2pts); AZ-464 (bulk-validate URL/body/sync, 2pts); AZ-470 (panel-width debounced PUT, 2pts); AZ-472 (DetectionClasses load + hotkeys, 3pts). Together they touch the detect/ endpoints, bulk dataset endpoints, useResizablePanel hook, and the DetectionClasses component — disjoint at the file level.
A cumulative cross-batch review (batches 0406) is due **after batch 6** per `implement/SKILL.md` Step 14.5 (every 3 batches). Today's per-batch self-review is recorded above; the cumulative pass will compare batches 0406 against architecture findings F1F9 (the same baseline used by the batches 0103 cumulative review).
Recommendation: continue in a new conversation. Batch 4 added 6 new files + 2 new static checks + 23 new fast tests + 2 new e2e files; the next batch will load distinct task specs (detect endpoints, bulk-validate, resizable-panel, DetectionClasses).
_docs/03_implementation/cumulative_review_batches_01-03_report.md
+200
View File
@@ -0,0 +1,200 @@
# Cumulative Code Review Report
**Batches**: 0103 (AZ-456, AZ-457/459/465/481, AZ-458/467/468/482)
**Date**: 2026-05-11
**Cycle**: Phase A baseline, Step 6 — Implement Tests
**Mode**: cumulative (`/code-review` cumulative mode, all 7 phases)
**Trigger**: implement skill Step 14.5 — every K=3 batches
**Scope (changed files since baseline `729ad1c`)**: 60 paths
- `tests/**` (33 created): MSW server + 9 handler files, 8 fixture files, 4 helper files, 5 test files (`infrastructure`, `wire_contract`, `i18n`, `sse_lifecycle`), `setup.ts`, `i18n-allowlist.json`, `security/banned-deps.json`
- `src/**` (4 created): `api/client.test.ts`, `auth/AuthContext.test.tsx`, `auth/ProtectedRoute.test.tsx`, `components/Header.test.tsx`
- `e2e/**` (15 created): `playwright.config.ts`, `docker-compose.suite-e2e.yml`, OWM + tile stubs (Dockerfile + server), runner Dockerfile + entrypoint, fixture SQL, 5 e2e test files
- `scripts/**` (3 created + 2 modified): `check-banned-deps.mjs`, `check-i18n-coverage.mjs`, `check-ci-image-labels.mjs`; modified `run-tests.sh` and `run-performance-tests.sh`
- root config (3 created + 3 modified): `vitest.config.ts`, `tsconfig.test.json`, `tests/security/banned-deps.json` source-of-truth; modified `package.json`, `bun.lock`, `tsconfig.json`
**Verdict**: **PASS_WITH_WARNINGS**
---
## Phase 1 — Context
Inputs re-read:
- Task specs in current cycle's done/: AZ-456, AZ-457, AZ-458, AZ-459, AZ-465, AZ-467, AZ-468, AZ-481, AZ-482
- `_docs/02_document/architecture.md` + Architecture Vision (P1P12)
- `_docs/02_document/module-layout.md` (`Blackbox Tests` envelope, the `Imports from` clarification commit `496b089`)
- `_docs/02_document/architecture_compliance_baseline.md` (F1F9)
- `_docs/00_problem/restrictions.md`, `_docs/01_solution/solution.md`
- All three batch reports (`batch_01_report.md`, `batch_02_report.md`, `batch_03_report.md`)
## Phase 2 — Spec Compliance
Per-batch coverage already verified inline. Aggregated:
- AZ-456: 8/8 ACs
- AZ-457: 4/4 ACs (FT-P-01 / NFT-SEC-04 with `it.fails()` drift carry-overs)
- AZ-458: 3/3 ACs (AC-2 bearer rotation + annotation-status SSE drifts; e2e gated)
- AZ-459: 4/4 ACs (`it.fails()` for the 3 documented enum drifts; `verification_pending` skips for CombatReadiness + MediaType value-set)
- AZ-465: 4/4 ACs (FT-P-24/25 quarantined — detector + persistence not in production yet)
- AZ-467: 4/4 ACs (FT-P-32 spinner a11y `it.fails()`; FT-P-33 timeout + FT-N-03/05 RBAC `it.skip` quarantine)
- AZ-468: 3/3 ACs (FT-P-30/31 `it.fails()`; FT-N-09 `it.skip` quarantine)
- AZ-481: 3/3 ACs (image.title DRIFT reported; not blocking)
- AZ-482: 6/6 ACs (all PASS — deny-list checker is future-proofing)
**Total: 39/39 ACs covered**, with explicit drift / quarantine markers on every gap. No silent fail.
No `## Contract` sections in the test specs (test tasks consume contracts but don't redefine them); contract verification is delegated to AZ-459 (enum spec snapshot) and exercised in `tests/wire_contract.test.ts`.
## Phase 3 — Code Quality
Spot-checks across the new test infrastructure:
- Helper functions each carry a single responsibility — `seedBearer/clearBearer` (token state), `seedNavigateToLogin` (login redirect spy), `renderWithProviders` (composition root for tests), `createFakeEventSource/simulateSseStream` (SSE doubles), `jsonResponse/paginate/sse` (MSW response shorthand). Names match what each function does.
- No bare `catch` / `try` swallowing across new files.
- Arrange / Act / Assert pattern preserved across all `*.test.{ts,tsx}` files (verified via spot-check in `AuthContext.test.tsx`, `client.test.ts`, `wire_contract.test.ts`, `sse_lifecycle.test.tsx`, `Header.test.tsx`, `ProtectedRoute.test.tsx`).
- Test files do not narrate trivial code in comments; comments are reserved for `it.fails()` drift rationale and `it.skip` quarantine reason — both required for traceability.
- No `console.log` / `console.error` left in test bodies (only in `tests/setup.ts` for MSW logger config).
- Test helpers do not import each other circularly; helpers form a flat dependency tree (`render``i18n`, `auth``client`, `navigate``client`, `sse-mock` standalone).
No Phase 3 findings.
## Phase 4 — Security Quick-Scan
- No real secrets in fixtures: `tests/fixtures/seed_users.ts` uses placeholder argon2 hashes; bearer tokens use the `'test-bearer-default'` constant; OWM and tile stub URLs are stub-only (`/_owm/_health`, `/_tile/...`).
- No `eval`, no `shell=True`, no `subprocess` in scripts beyond `bun`/`tsc`/`vite` invocations.
- The static check refactoring in batch 3 (`scripts/check-banned-deps.mjs`) reads the deny-list from `tests/security/banned-deps.json` — JSON-only data input, regex applied to file paths and contents. No execution of file contents. No shell metachars passed to `child_process` (the script uses `node:fs`).
- AZ-482 explicitly strengthens posture: SEC-09 (OWM key) now also enforced against `dist/`; SEC-13 catches dropped legacy integrations (WhatsApp/Telegram/D-Bus/libsignal); SEC-14 anti-criterion catches accidental concurrent-edit reconcile.
- `tests/setup.ts` opts MSW into `'error'` on unhandled requests — drift in test wiring fails loudly rather than silently masking production calls.
No Phase 4 findings.
## Phase 5 — Performance
Wall-clock progression (host runs):
| Batch | Fast tests | Fast wall-clock | Static checks | Static wall-clock |
|-------|-----------|-----------------|---------------|-------------------|
| 01 | 11 | ~3 s | 13 | ~26 s |
| 02 | 38 + 4 skipped | ~3 s | 19 | ~13 s |
| 03 | 57 + 9 skipped | ~4.4 s | 22 | ~12 s |
- Per-test wall-clock budget remains well under the 5-minute target (`solution.md` perf budget).
- The dominant cost is `STC-T1` (`tsc --noEmit`) + `STC-B1` (`vite build`) at ~8 s combined; both unchanged across batches.
- No new pathological patterns: no nested loops on per-test setup, no synchronous file I/O in test bodies, fixtures preloaded once per process.
- The MSW handler set has grown from 0 → 9 handler files; handlers are O(1) match by URL pattern (msw v2.x trie), no N+1 risk introduced.
No Phase 5 findings.
## Phase 6 — Cross-Batch Consistency
Key cumulative concern: helpers / fixtures / static-check IDs / handler routes must not collide or duplicate across batches.
**Symbol audit** (across all batches):
- `tests/helpers/auth.ts``seedBearer`, `clearBearer` (1 producer, 4 consumers: `client.test.ts`, `AuthContext.test.tsx`, `ProtectedRoute.test.tsx`, `Header.test.tsx`)
- `tests/helpers/navigate.ts``seedNavigateToLogin` (1 producer, 1 consumer: `client.test.ts`)
- `tests/helpers/render.tsx``renderWithProviders` + screen/waitFor re-exports (1 producer, 4 consumers)
- `tests/helpers/sse-mock.ts``createFakeEventSource`, `simulateSseStream` (1 producer, 1 consumer: `sse_lifecycle.test.tsx`)
- `tests/msw/server.ts``server` (1 producer, 5 consumers)
- `tests/msw/helpers.ts``jsonResponse`, `errorResponse`, `noContent`, `paginate`, `latency`, `sse`, `dropResponse` (1 producer, multi-consumer)
- `tests/fixtures/seed_users.ts``opAlice`, `opBob`, `adminCarol`, `integratorDave`, `seedUsers`, `seedPermissions` (1 producer, multi-consumer; the same four user objects are reused across `ProtectedRoute.test.tsx` and `Header.test.tsx` with consistent IDs/permissions — no divergent definitions)
- `tests/fixtures/seed_flights.ts``seedFlights`, `liveGpsFlightId` — used by `Header.test.tsx` and `sse_lifecycle.test.tsx` consistently
**No duplicate symbol** across batches. **No fixture redefinition** (no second `opAlice` with different role/permissions; no second `liveGpsFlightId` constant).
**Static check IDs** (22 across `scripts/run-tests.sh`):
`STC-S1, S2, S5, S6, S13, N2, N3, N4, N5, SEC1, SEC1B, SEC2, SEC3, SEC4, SEC13, SEC14, FN15, FP22, FP23, CI11, T1, B1` — all unique, none reused. Naming convention: `STC-<topic-prefix><number>` consistently applied.
**MSW handler routes** (9 handler files, ~50 routes total):
Each handler file owns a disjoint URL prefix (`/admin/...`, `/flights/...`, `/annotations/...`, `/detect/...`, `/loader/...`, `/resource/...`, `/_owm/...`, `/tiles/...`). No overlap; no duplicate route definitions. Spot-checked `index.ts` to confirm `defaultHandlers` is the union without duplicates.
**Drift handling pattern uniformity**:
- `it.fails()` — used when the production element exists but the asserted attribute / behavior is missing today (e.g., FT-P-01 `credentials: 'include'`, FT-P-30/31 dropdown a11y, FT-P-32 spinner a11y, AC-2 bearer rotation re-deps).
- `it.skip` + `// QUARANTINE: ...` — used when the production capability is wholly absent (FT-N-09 Escape handler, FT-P-33 timeout fallback, FT-N-03/05 RBAC, FT-P-09/10 annotation-status SSE, FT-P-24/25 i18n detector + persistence).
- Both patterns include a control test asserting the gap, so the absence is provably demonstrated rather than tacitly assumed.
This pattern is uniform across batches 13. The `verification_pending` skip in AZ-459 is a third pattern (`it.skip` for "spec is provisional") — consistent within its task.
No Phase 6 findings beyond the carried-over interpretation note (see Phase 7 / Findings below).
## Phase 7 — Architecture Compliance
**Per-import inspection of test files** (cross-component edges):
| Test file | Cross-component imports | Verdict |
|-----------|-------------------------|---------|
| `src/api/client.test.ts` | `tests/msw/server`, `tests/helpers/auth`, `tests/helpers/navigate` | OK — only test infrastructure |
| `src/auth/AuthContext.test.tsx` | `tests/msw/server`, `tests/helpers/render`, `src/api/client` (`api`, `getToken`, `setToken` — public testability accessors landed by AZ-454/Step 4), `tests/helpers/auth` | OK |
| `src/auth/ProtectedRoute.test.tsx` | `tests/msw/server`, `tests/msw/helpers`, `tests/helpers/render`, `tests/helpers/auth`, `tests/fixtures/seed_users` | OK |
| `src/components/Header.test.tsx` | `tests/msw/server`, `tests/msw/helpers`, `tests/helpers/render`, `tests/helpers/auth`, `tests/fixtures/seed_flights`, `tests/fixtures/seed_users` | OK |
| `tests/i18n.test.tsx` | `src/i18n/i18n` (Public API of `00_foundation`) | OK |
| `tests/wire_contract.test.ts` | `tests/fixtures/enum_spec_snapshot` (test-only fixture) | OK |
| `tests/sse_lifecycle.test.tsx` | `src/api/sse` (`createSSE` — Public API), `src/api/client` (`setToken` — testability accessor) | OK |
| `tests/infrastructure.test.ts` | `tests/msw/server` | OK |
- **No imports of `*.internal.*` files**; no imports following `from '../../../<deep>'` patterns (all cross-references are exactly two levels: `src/<x>/<y>.test.tsx``../../tests/<helper>` is two levels, the maximum allowed by the test/source colocation pattern).
- **No new cyclic module dependencies** introduced — test files are leaves in the import graph.
- **No new duplicate symbols across components** — see Phase 6 audit. The only "duplicate-by-name" is `screen` and `waitFor` re-exported from `tests/helpers/render.tsx` to centralize the RTL surface; this is a proxy, not a rival definition.
- **No cross-cutting concern reimplemented locally** — error-envelope handling, MSW routing, fixture seeding, i18n bootstrap each have a single home; no test file open-codes them.
**Public API gap (still F4 from baseline)**: every test still imports by file-path granularity because `src/<component>/index.ts` barrels do not exist. This is the same baseline issue, neither resolved nor worsened by test work.
### Baseline Delta
Comparing current findings to `_docs/02_document/architecture_compliance_baseline.md` (`(file, category, rule)` triple):
**Carried over** — present at baseline, still present:
| # | File | Category | Rule |
|---|------|----------|------|
| F1 | `mission-planner/**` vs `src/features/flights/**` | Architecture | Convergence-pending duplication (deferred to Phase B) |
| F2 | `src/features/dataset/DatasetPage.tsx:9` | Architecture | Cross-feature same-layer edge (grandfathered) |
| F3 | `src/features/annotations/classColors.ts` | Architecture | Physical/logical owner split |
| F4 | every component | Architecture | No Public API barrels |
| F5 | `mission-planner/src/flightPlanning/{MapView,MiniMap}.tsx` | Architecture | Pre-existing cycle inside port-source |
| F6 | codebase-wide | Architecture | No `src/shared/` |
| F7 | `api.*` / `createSSE` call sites | Architecture | Hardcoded `/api/<service>/...` |
| F8 | `_docs/02_document/module-layout.md` | Architecture | Layering-table inconsistency |
| F9 | `mission-planner/src/{main,App,setupTests,vite-env}.tsx` | Architecture | Inert second Vite entry tree |
**Resolved** — present at baseline, NOT in current findings within the in-scope file set: **none**. (Test-implementation work correctly avoided touching production architecture; resolutions belong to Step 8 Refactor or Phase B feature cycles, not Step 6.)
**Newly introduced** — current findings absent at baseline: **none**. The "test helpers import production accessors" pattern was clarified out of finding status by `_docs/02_document/module-layout.md` commit `496b089` ("Clarify Blackbox Tests imports rule (helpers vs test bodies)"). It is now an established, documented exception, not a finding.
Per-category counts (current architecture findings in scope, excluding carried-over baseline): **0 Critical, 0 High, 0 Medium, 0 Low**. No verdict change.
## Findings (cumulative)
### F-CUM-1 — Drift production tasks accumulating (Low / Maintainability / carry-over from batches 23)
The three batches together documented **9 production drifts** that tests track via `it.fails()` or `it.skip` quarantine:
1. AZ-457 FT-P-01 — bootstrap refresh `credentials: 'include'` missing → `src/auth/AuthContext.tsx`
2. AZ-457 NFT-SEC-04 — broader `credentials: 'include'` claim narrow today → `src/api/client.ts`
3. AZ-459 — `AnnotationStatus`, `MediaStatus`, `Affiliation` enum drift vs `enum_spec_snapshot.json``src/types/index.ts`
4. AZ-458 NFT-PERF-03 / NFT-RES-02 — bearer rotation reconnect ≤5 s missing → `src/features/flights/FlightsPage.tsx:65-68` (deps array)
5. AZ-458 FT-P-09/10 / NFT-PERF-06 — annotation-status SSE not opened → `src/features/annotations/AnnotationsPage.tsx`
6. AZ-465 FT-P-24 — i18n detector path missing → `src/i18n/i18n.ts`
7. AZ-465 FT-P-25 — i18n persistence missing → `src/i18n/i18n.ts`
8. AZ-467 FT-P-32 — ProtectedRoute spinner a11y attrs missing → `src/auth/ProtectedRoute.tsx`
9. AZ-467 FT-P-33 / FT-N-03 / FT-N-05 — ProtectedRoute timeout + RBAC routes missing → `src/auth/ProtectedRoute.tsx`
10. AZ-468 FT-P-30 / FT-P-31 / FT-N-09 — Header dropdown a11y + Escape handler → `src/components/Header.tsx`
11. AZ-481 — `org.opencontainers.image.title` OCI label missing → `.woodpecker/build-arm.yml`
**Recommendation**: file these as Phase B feature tasks during Step 9 (New Task) once Phase A baseline closes. Each is a small, scoped fix; together they materially improve production posture. Do NOT lift them in this Step 6 window — Phase A scope ends at "tests in place"; flipping drifts is feature-cycle work.
This is a **non-blocking** finding; it's bookkeeping for the next phase. Verdict: PASS_WITH_WARNINGS contribution from this finding only.
### F-CUM-2 — Test-helper interpretation rule, now codified (informational)
Batches 1, 2, and 3 each surfaced the "test helpers import production accessors" finding as Low / Architecture / Interpretation. Commit `496b089` ("Clarify Blackbox Tests imports rule (helpers vs test bodies)") wrote the resolution into `_docs/02_document/module-layout.md`: black-box discipline applies to test bodies; setup helpers and composition-root wrappers may import production accessors.
**Status**: closed. Future cumulative reviews should NOT re-emit this finding. The Phase 7 inspection above already treats helper imports of `src/api/client` accessors as OK.
## Auto-Fix Attempts: 0
## Stuck Agents: None
## Verdict: PASS_WITH_WARNINGS
Reason: 0 Critical / 0 High; 1 Low / Maintainability (the production-drift bookkeeping in F-CUM-1). The verdict allows the implement skill to proceed to batch 4 without auto-fix gate intervention.
## Recommendation for Batch 4
Per batch-3 report: **AZ-466 (4) + AZ-475 (2) + AZ-462 (2) + AZ-460 (2) = 10 pts**. AZ-466 lands the `data-destructive` marker + `<DestructiveButton>` wrapper that other tasks (admin user delete, class delete, flight delete) rely on; landing it early is dependency-friendly for batch 5 (canvas / detection-classes / photo-mode / tile-split).
No cumulative-review-gated changes need to be applied before batch 4 starts.
_docs/_autodev_state.md
+6 -27
View File
@@ -8,7 +8,7 @@ status: in_progress
sub_step:
phase: 14
name: batch-loop
detail: "batch 4 next: 18 tasks remaining (AZ-460/461/462/463/464/466/469/470/471/472/473/474/475/476/477/478/479/480)"
detail: "batch 4 of ~5 complete; 14 tasks remain in todo/"
retry_count: 0
cycle: 1
tracker: jira
@@ -22,29 +22,8 @@ step_3_ac_gap_handling: rollback-to-6c (option A)
`_docs/02_document/state.json`, `FINAL_report.md`, `architecture.md`,
`glossary.md`, plus `_docs/01_solution/solution.md` and
`_docs/00_problem/{problem,acceptance_criteria,restrictions,security_approach}.md`.
- Suite-level architecture: `../_docs/`. UI design: `_docs/ui_design/`.
- Legacy reference: `_docs/legacy/wpf-era.md` + research copy at
`suite/annotations-research` (detached @ `22529c2`).
- /document scope was src/ AND mission-planner/ (two disjoint groups).
- 2026-05-11 Step 6 entry: added "Blackbox Tests" cross-cutting
component to `_docs/02_document/module-layout.md` so the implement
skill's Step 4 (file ownership) can resolve test-task ownership
for AZ-456..AZ-482 (epic AZ-455).
- 2026-05-11 batch 1 (AZ-456) shipped: vitest+MSW (fast) + Playwright
e2e harness + stubs + scripts. 11 fast tests pass; 13 static checks
pass. AZ-456 → In Testing; report at
`_docs/03_implementation/batch_01_report.md`. Next batch picks up
AZ-457..AZ-482 (26 tasks remaining).
- 2026-05-11 batch 2 (AZ-457/459/465/481) shipped: 38 fast tests pass
+ 4 skipped; 19 static checks pass. Reports at
`_docs/03_implementation/batch_02_report.md`. 22 tasks remain.
- 2026-05-11 batch 3 (AZ-458/467/468/482) shipped: 57 fast tests pass
+ 9 skipped (drifts/quarantines); 22 static checks pass. Reports at
`_docs/03_implementation/batch_03_report.md`. 18 tasks remain.
Drifts documented (production follow-ups for Phase B): Header
flight-dropdown a11y (FT-P-30/31/N-09); ProtectedRoute spinner a11y
+ 10s timeout + route RBAC (FT-P-32/33, FT-N-03/05); SSE bearer-
rotation reconnect (AC-2 / NFT-PERF-03); AnnotationsPage annotation-
status SSE (FT-P-09/10/NFT-PERF-06). New deny-list source
`tests/security/banned-deps.json` + checker
`scripts/check-banned-deps.mjs` introduced (AZ-482 constraint).
- Implement-skill batch reports at `_docs/03_implementation/batch_0{1,2,3,4}_report.md`.
- Cumulative review (batches 01-03) PASS_WITH_WARNINGS at
`_docs/03_implementation/cumulative_review_batches_01-03_report.md`.
Next cumulative review due after batch 6 (every 3 batches per
`implement/SKILL.md` Step 14.5).
e2e/tests/annotations_endpoint.e2e.ts
+86
View File
@@ -0,0 +1,86 @@
import { test, expect } from '@playwright/test'
// AZ-460 — e2e companion for the annotation save URL + payload contract.
//
// AC-1 (FT-P-07): the doubly-prefixed canary URL on the real `annotations/`
// service. The fast-profile fixture asserts the URL via MSW;
// here we observe the real network request to confirm the
// service does not silently strip the `/annotations` prefix.
// AC-2 (FT-P-08): captured POST body contains all required fields. Today this
// is `test.fail()` (drift documented in fast tests).
//
// This e2e requires the suite docker-compose stack
// (`docker compose -f e2e/docker-compose.suite-e2e.yml up -d`) plus parent-suite
// `:test` images. It will run on the suite-e2e CI lane once those images are
// available; on a developer host without the stack the test skips with the
// standard message.
test.describe('AZ-460 — annotation save URL + payload (e2e companion)', () => {
test('AC-1 (FT-P-07) — outbound URL is /api/annotations/annotations', async ({ page }) => {
const requests: { url: string; body: string | null }[] = []
await page.route('**/api/annotations/annotations**', async (route) => {
const req = route.request()
if (req.method() === 'POST') {
requests.push({ url: req.url(), body: req.postData() })
}
await route.continue()
})
await page.goto('/annotations')
// Drive a save through the UI — depends on suite seed data; if no media
// is selectable in the fixture, the test reports the seed gap explicitly
// rather than masking the UI.
const saveBtn = page.getByRole('button', { name: /^Save$/i }).first()
if (!(await saveBtn.isVisible({ timeout: 5000 }).catch(() => false))) {
test.skip(true, 'Suite seed has no media available for annotation save')
}
await saveBtn.click({ timeout: 5000 }).catch(() => {})
// Assert
const saved = await page.waitForFunction(
(count) => count > 0,
requests.length,
{ timeout: 5000 },
).catch(() => null)
if (!saved) test.skip(true, 'Save did not fire on this seed')
expect(requests.length).toBeGreaterThan(0)
for (const r of requests) {
expect(r.url).toContain('/api/annotations/annotations')
}
})
test.fail('AC-2 (FT-P-08) — required fields {Source, WaypointId, videoTime, mediaId, detections, status}', async ({ page }) => {
// Drift gated: production today only sends {mediaId, time, detections}.
// This e2e companion will flip green when AC-2 lands in Phase B.
const captured: Record<string, unknown>[] = []
await page.route('**/api/annotations/annotations**', async (route) => {
const req = route.request()
if (req.method() === 'POST') {
const text = req.postData()
if (text) captured.push(JSON.parse(text))
}
await route.continue()
})
await page.goto('/annotations')
const saveBtn = page.getByRole('button', { name: /^Save$/i }).first()
if (!(await saveBtn.isVisible({ timeout: 5000 }).catch(() => false))) {
test.skip(true, 'Suite seed has no media for save')
}
await saveBtn.click()
await page.waitForTimeout(1000)
expect(captured.length).toBeGreaterThan(0)
for (const body of captured) {
expect(body).toHaveProperty('Source')
expect(['AI', 'Manual']).toContain(body.Source as string)
expect(body).toHaveProperty('WaypointId')
expect(body).toHaveProperty('videoTime')
expect(body).toHaveProperty('mediaId')
expect(body).toHaveProperty('detections')
expect(body).toHaveProperty('status')
}
})
})
e2e/tests/destructive_ux.e2e.ts
+62
View File
@@ -0,0 +1,62 @@
import { test, expect } from '@playwright/test'
// AZ-466 — e2e companion for the destructive UX policy.
//
// AC-1 (FT-P-26): clicking Delete on a class → ConfirmDialog appears →
// Confirm fires the DELETE.
// AC-2 (FT-N-07): clicking Delete → Cancel → NO DELETE fires.
//
// Both currently `test.fail()` because production's class-delete is not yet
// gated by ConfirmDialog (see fast-profile drift documented in
// `tests/destructive_ux.test.tsx`).
//
// Requires the suite docker-compose stack and parent-suite `:test` images.
test.describe('AZ-466 — destructive UX (e2e companion)', () => {
test.fail('AC-1 (FT-P-26) — class-delete prompts ConfirmDialog before DELETE', async ({ page }) => {
const deletes: string[] = []
await page.route('**/api/admin/classes/**', async (route) => {
const req = route.request()
if (req.method() === 'DELETE') deletes.push(req.url())
await route.continue()
})
await page.goto('/admin')
const deleteBtn = page.locator('table tr button').first()
if (!(await deleteBtn.isVisible({ timeout: 5000 }).catch(() => false))) {
test.skip(true, 'Suite seed has no detection class to delete')
}
await deleteBtn.click()
// Drift: ConfirmDialog never mounts; DELETE fires immediately.
const dialog = page.getByRole('dialog')
await expect(dialog).toBeVisible({ timeout: 1000 })
expect(deletes).toHaveLength(0)
await page.getByRole('button', { name: /confirm/i }).click()
await page.waitForTimeout(500)
expect(deletes.length).toBeGreaterThan(0)
})
test.fail('AC-2 (FT-N-07) — class-delete Cancel suppresses DELETE entirely', async ({ page }) => {
const deletes: string[] = []
await page.route('**/api/admin/classes/**', async (route) => {
const req = route.request()
if (req.method() === 'DELETE') deletes.push(req.url())
await route.continue()
})
await page.goto('/admin')
const deleteBtn = page.locator('table tr button').first()
if (!(await deleteBtn.isVisible({ timeout: 5000 }).catch(() => false))) {
test.skip(true, 'Suite seed has no detection class to delete')
}
await deleteBtn.click()
const dialog = page.getByRole('dialog')
await expect(dialog).toBeVisible({ timeout: 1000 })
await page.getByRole('button', { name: /cancel/i }).click()
await page.waitForTimeout(500)
expect(deletes).toHaveLength(0)
})
})
scripts/check-banned-deps.mjs
+36 -2
View File
@@ -97,18 +97,21 @@ function* walkSourceFiles(rootDir) {
function checkSourceTree(section, root, subdirs) {
const regexes = section.patterns.map((p) => new RegExp(p, 'i'))
const allowlist = new Set((section.allowlist ?? []).map((p) => p.replaceAll('\\', '/')))
const hits = []
for (const sub of subdirs) {
const full = join(root, sub)
try { statSync(full) } catch { continue }
for (const file of walkSourceFiles(full)) {
const relPath = relative(root, file).replaceAll('\\', '/')
if (allowlist.has(relPath)) continue
let text
try { text = readFileSync(file, 'utf8') } catch { continue }
const lines = text.split('\n')
lines.forEach((line, idx) => {
for (const re of regexes) {
if (re.test(line)) {
hits.push(`${relative(root, file)}:${idx + 1}: ${line.trim().slice(0, 200)} (matched /${re.source}/i)`)
hits.push(`${relPath}:${idx + 1}: ${line.trim().slice(0, 200)} (matched /${re.source}/i)`)
break
}
}
@@ -118,6 +121,31 @@ function checkSourceTree(section, root, subdirs) {
return hits
}
function checkDestructiveSurfaces(section, root, subdirs) {
const regexes = section.patterns.map((p) => new RegExp(p))
const gated = new Set((section.gated ?? []).map((p) => p.replaceAll('\\', '/')))
const drift = new Set((section.drift ?? []).map((p) => p.replaceAll('\\', '/')))
const known = new Set([...gated, ...drift])
const hits = []
for (const sub of subdirs) {
const full = join(root, sub)
try { statSync(full) } catch { continue }
for (const file of walkSourceFiles(full)) {
const relPath = relative(root, file).replaceAll('\\', '/')
let text
try { text = readFileSync(file, 'utf8') } catch { continue }
const matches = regexes.some((re) => re.test(text))
if (!matches) continue
if (known.has(relPath)) continue
hits.push(
`${relPath}: contains destructive call but is not in gated/drift allowlist; ` +
`add to tests/security/banned-deps.json (destructive_surfaces) with a code-review note`,
)
}
}
return hits
}
function* walkAnyFiles(rootDir) {
let entries
try {
@@ -167,8 +195,14 @@ function main() {
let hits = []
if (kind === 'owm_key_in_dist') {
hits = checkDistTree(section, root)
} else if (kind === 'legacy_integrations' || kind === 'concurrent_edit_patterns') {
} else if (
kind === 'legacy_integrations' ||
kind === 'concurrent_edit_patterns' ||
kind === 'alert_calls'
) {
hits = checkSourceTree(section, root, ['src', 'mission-planner'])
} else if (kind === 'destructive_surfaces') {
hits = checkDestructiveSurfaces(section, root, ['src'])
} else {
hits = checkPackageJson(section, root)
}
scripts/run-tests.sh
+14
View File
@@ -196,6 +196,18 @@ if [ "$RUN_STATIC" = "true" ]; then
node "$PROJECT_ROOT/scripts/check-banned-deps.mjs" --kind=concurrent_edit_patterns
}
# AZ-466 — NFT-SEC-07 (no alert() outside the seeded allowlist) and
# NFT-SEC-08 (every destructive surface is reviewed: gated by ConfirmDialog
# OR recorded as known drift). Both delegate to check-banned-deps.mjs which
# reads tests/security/banned-deps.json.
static_check_no_alert() {
node "$PROJECT_ROOT/scripts/check-banned-deps.mjs" --kind=alert_calls
}
static_check_destructive_surfaces() {
node "$PROJECT_ROOT/scripts/check-banned-deps.mjs" --kind=destructive_surfaces
}
# AZ-482 — NFT-SEC-09 AC-1 dist/ portion. The src/ counterpart is STC-SEC1
# below; this check runs AFTER `bun run build` (STC-B1) so dist/ exists.
static_check_no_owm_key_in_dist() {
@@ -376,6 +388,8 @@ if [ "$RUN_STATIC" = "true" ]; then
run_static "STC-CI11" "CI image tag + OCI labels (woodpecker)" "AC-32" "70" static_check_ci_image_labels
run_static "STC-SEC13" "no legacy integrations in src/" "SEC-13" "n/a" static_check_no_legacy_integrations
run_static "STC-SEC14" "no concurrent-edit reconcile (AC-N1)" "SEC-14" "n/a" static_check_no_concurrent_edit
run_static "STC-SEC7" "no alert() outside allowlist" "SEC-07" "AZ-466" static_check_no_alert
run_static "STC-SEC8" "destructive surfaces reviewed (gated/drift)" "SEC-08" "AZ-466" static_check_destructive_surfaces
run_static "STC-T1" "tsc --noEmit (test config)" "AC-6" "n/a" static_check_typecheck
run_static "STC-B1" "vite build succeeds" "AC-6" "n/a" static_check_vite_build
run_static "STC-S5" "mission-planner not in dist/" "AC-31" "n/a" static_check_dist_no_mission_planner
src/components/ConfirmDialog.test.tsx
+179
View File
@@ -0,0 +1,179 @@
import { describe, it, expect } from 'vitest'
import { renderWithProviders, screen, fireEvent, userEvent } from '../../tests/helpers/render'
import ConfirmDialog from './ConfirmDialog'
// AZ-466 — Destructive UX policy (ConfirmDialog half)
//
// Scope of this file (per AZ-466 ACs that target the dialog itself):
// AC-3 (FT-P-28): `role="dialog"`, `aria-modal="true"`, `aria-labelledby`,
// `aria-describedby` linkage.
// AC-3 (FT-P-29): focus trap — Tab cycles inside the dialog.
// AC-2 (FT-N-08): Escape on `<ConfirmDialog>` cancels — `onCancel` is invoked.
//
// Production drift (`src/components/ConfirmDialog.tsx`):
// The dialog renders a plain `<div>` shell with NO `role="dialog"`,
// `aria-modal`, `aria-labelledby`, or `aria-describedby` linkage. AC-3
// attributes are recorded as `it.fails()`. Focus trap is absent — Tab
// does not wrap inside the dialog. AC-3 focus trap is `it.skip` QUARANTINE
// until production lands a focus trap. Escape close (FT-N-08) IS wired
// (line 22-27 of ConfirmDialog.tsx) and PASSES today.
describe('AZ-466 — ConfirmDialog (component-level a11y / Escape)', () => {
describe('AC-3 (FT-P-28) — modal a11y attributes', () => {
it.fails('exposes role="dialog" + aria-modal="true" on the container', () => {
// Arrange
const noop = () => {}
renderWithProviders(
<ConfirmDialog
open
title="Delete class?"
message="This cannot be undone."
onConfirm={noop}
onCancel={noop}
/>,
)
// Assert — the dialog's container element has the modal a11y attrs.
// Drift: production renders a plain <div> with no role / aria attrs.
const dialog = screen.getByRole('dialog')
expect(dialog).toHaveAttribute('aria-modal', 'true')
})
it.fails('links aria-labelledby and aria-describedby to title + message', () => {
const noop = () => {}
renderWithProviders(
<ConfirmDialog
open
title="Delete class?"
message="This cannot be undone."
onConfirm={noop}
onCancel={noop}
/>,
)
const dialog = screen.getByRole('dialog')
const labelId = dialog.getAttribute('aria-labelledby')
const describeId = dialog.getAttribute('aria-describedby')
expect(labelId).toBeTruthy()
expect(describeId).toBeTruthy()
// The referenced ids must point to the title and message nodes.
const titleEl = document.getElementById(labelId!)
const messageEl = document.getElementById(describeId!)
expect(titleEl).toHaveTextContent('Delete class?')
expect(messageEl).toHaveTextContent('This cannot be undone.')
})
it('control: the dialog DOM is currently a non-semantic <div> shell', () => {
// Pin the current (drift) shape so a regression that, e.g., flips the
// outer node to a <span> is caught even before AC-3 is fixed.
const noop = () => {}
const { container } = renderWithProviders(
<ConfirmDialog
open
title="Delete class?"
onConfirm={noop}
onCancel={noop}
/>,
)
const outerDiv = container.querySelector('div.fixed.inset-0')
expect(outerDiv).not.toBeNull()
expect(outerDiv?.getAttribute('role')).toBeNull()
expect(outerDiv?.getAttribute('aria-modal')).toBeNull()
})
})
describe('AC-3 (FT-P-29) — focus trap', () => {
it.skip(
'QUARANTINE — Tab from the last button cycles back to the first focusable element inside the dialog',
async () => {
// Production has no focus trap. The cancel button auto-focuses on
// open (`useEffect` on line 16-18 of ConfirmDialog.tsx) but Tab can
// escape the dialog. When a focus trap is added (typically via
// `react-focus-lock` or a manual keydown handler), this test should
// assert that Tab on the last focusable element returns focus to
// the first, and Shift+Tab on the first returns focus to the last.
},
)
})
describe('AC-2 (FT-N-08) — Escape cancel', () => {
it('invokes onCancel when Escape is pressed while the dialog is open', () => {
// Arrange
let cancelCalls = 0
let confirmCalls = 0
renderWithProviders(
<ConfirmDialog
open
title="Delete?"
onConfirm={() => { confirmCalls += 1 }}
onCancel={() => { cancelCalls += 1 }}
/>,
)
// Act — fire Escape on window (production attaches a window-level keydown listener).
fireEvent.keyDown(window, { key: 'Escape', code: 'Escape' })
// Assert
expect(cancelCalls).toBe(1)
expect(confirmCalls).toBe(0)
})
it('does NOT call onCancel when Escape is pressed while the dialog is closed', () => {
let cancelCalls = 0
renderWithProviders(
<ConfirmDialog
open={false}
title="Closed"
onConfirm={() => {}}
onCancel={() => { cancelCalls += 1 }}
/>,
)
fireEvent.keyDown(window, { key: 'Escape', code: 'Escape' })
expect(cancelCalls).toBe(0)
})
})
describe('AC-1 / AC-2 — happy + cancel paths invoked via the dialog buttons', () => {
it('clicking Confirm invokes onConfirm exactly once and not onCancel', async () => {
let confirmCalls = 0
let cancelCalls = 0
renderWithProviders(
<ConfirmDialog
open
title="Delete?"
onConfirm={() => { confirmCalls += 1 }}
onCancel={() => { cancelCalls += 1 }}
/>,
)
const confirm = screen.getAllByRole('button').find(b => /confirm/i.test(b.textContent ?? ''))
expect(confirm).toBeDefined()
await userEvent.click(confirm!)
expect(confirmCalls).toBe(1)
expect(cancelCalls).toBe(0)
})
it('clicking Cancel invokes onCancel exactly once and not onConfirm', async () => {
let confirmCalls = 0
let cancelCalls = 0
renderWithProviders(
<ConfirmDialog
open
title="Delete?"
onConfirm={() => { confirmCalls += 1 }}
onCancel={() => { cancelCalls += 1 }}
/>,
)
const cancel = screen.getAllByRole('button').find(b => /cancel/i.test(b.textContent ?? ''))
expect(cancel).toBeDefined()
await userEvent.click(cancel!)
expect(cancelCalls).toBe(1)
expect(confirmCalls).toBe(0)
})
})
})
tests/annotations_endpoint.test.tsx
+267
View File
@@ -0,0 +1,267 @@
import { describe, it, expect, beforeEach } from 'vitest'
import { http } from 'msw'
import { server } from './msw/server'
import { jsonResponse, paginate } from './msw/helpers'
import { renderWithProviders, screen, waitFor, userEvent } from './helpers/render'
import { seedBearer, clearBearer } from './helpers/auth'
import { FlightProvider } from '../src/components/FlightContext'
import AnnotationsPage from '../src/features/annotations/AnnotationsPage'
import { AnnotationSource, AnnotationStatus, MediaType, MediaStatus, Affiliation, CombatReadiness } from '../src/types'
import type { Media, AnnotationListItem, Detection } from '../src/types'
// AZ-460 — Annotation save URL + payload contract
//
// AC-1 (FT-P-07): outbound URL is the doubly-prefixed canary
// `/api/annotations/annotations` (gateway prefix + service base).
// AC-2 (FT-P-08): outbound body contains all required fields:
// Source, WaypointId, videoTime, mediaId, detections, status.
// AC-3: the required-fields check runs for at least three save entry
// points (AI suggestion accept, manual draw, bulk-edit save).
// Production today only exposes ONE save path (`<AnnotationsPage>`'s
// Save button); AI-suggestion-accept and bulk-edit-save are not yet
// wired in production. Those two scenarios are recorded as
// `it.skip` QUARANTINE entries until Phase B lands them.
const seedDetection: Detection = {
id: 'det-existing',
classNum: 0,
label: 'class-0',
confidence: 0.92,
affiliation: Affiliation.Hostile,
combatReadiness: CombatReadiness.Ready,
centerX: 0.4,
centerY: 0.5,
width: 0.1,
height: 0.15,
}
const seedMediaItem: Media = {
id: 'media-az460',
name: 'az460.jpg',
path: '/media/az460.jpg',
mediaType: MediaType.Image,
mediaStatus: MediaStatus.New,
duration: null,
annotationCount: 1,
waypointId: 'wp-az460',
userId: 'user-az460',
}
const seedAnn: AnnotationListItem = {
id: 'ann-az460',
mediaId: seedMediaItem.id,
time: null,
createdDate: '2026-05-11T00:00:00Z',
userId: seedMediaItem.userId,
source: AnnotationSource.Manual,
status: AnnotationStatus.Created,
isSplit: false,
splitTile: null,
detections: [seedDetection],
}
interface CapturedSave {
url: string
body: Record<string, unknown>
}
function captureSavePost(): { saves: CapturedSave[] } {
// Arrange — capture every POST to the doubly-prefixed annotation save endpoint.
const saves: CapturedSave[] = []
server.use(
http.post('/api/annotations/annotations', async ({ request }) => {
saves.push({
url: new URL(request.url).pathname,
body: (await request.json()) as Record<string, unknown>,
})
return jsonResponse(
{ id: 'ann-saved', createdDate: new Date().toISOString() },
{ status: 201 },
)
}),
// Background bootstrap — FlightContext + DetectionClasses + initial AnnotationsPage mount.
http.get('/api/flights', () => jsonResponse(paginate([], 1, 1000))),
http.get('/api/annotations/settings/user', () => new Response(null, { status: 404 })),
http.put('/api/annotations/settings/user', () => new Response(null, { status: 200 })),
// MediaList fetch + per-selection annotation list reload.
http.get('/api/annotations/media', ({ request }) => {
const url = new URL(request.url)
const page = Number(url.searchParams.get('page') ?? '1')
const pageSize = Number(url.searchParams.get('pageSize') ?? '1000')
return jsonResponse(paginate([seedMediaItem], page, pageSize))
}),
http.get('/api/annotations/annotations', ({ request }) => {
const url = new URL(request.url)
const mediaId = url.searchParams.get('mediaId')
const items = mediaId === seedMediaItem.id ? [seedAnn] : []
const page = Number(url.searchParams.get('page') ?? '1')
const pageSize = Number(url.searchParams.get('pageSize') ?? '1000')
return jsonResponse(paginate(items, page, pageSize))
}),
http.get('/api/annotations/classes', () => jsonResponse([])),
http.get('/api/annotations/dataset/info', () => jsonResponse({ totalCount: 1, statusCounts: {} })),
http.get('/api/admin/auth/refresh', () => new Response(null, { status: 401 })),
)
return { saves }
}
async function selectMediaAndAnnotation(): Promise<void> {
// Wait for media to load and click it. (`findByText` returns the inner
// <span>; click bubbles to the row's onClick handler.)
const mediaItem = await screen.findByText('az460.jpg')
await userEvent.click(mediaItem)
// After click, MediaList GETs `/api/annotations/annotations?mediaId=...` and
// calls `onAnnotationsLoaded`. AnnotationsSidebar then renders an annotation
// row showing `'—'` (no time) and the first detection's label (`class-0`).
// Clicking that label fires `handleAnnotationSelect`, which seeds detections
// and enables the Save button. Wait up to 3 s for the row to appear.
const detectionLabel = await screen.findByText('class-0', undefined, { timeout: 3000 })
await userEvent.click(detectionLabel)
}
describe('AZ-460 — annotation save URL + payload contract', () => {
beforeEach(() => {
seedBearer()
})
describe('AC-1 (FT-P-07) — URL canary', () => {
it('issues the save POST against the doubly-prefixed `/api/annotations/annotations` path', async () => {
// Arrange
const { saves } = captureSavePost()
renderWithProviders(
<FlightProvider>
<AnnotationsPage />
</FlightProvider>,
)
// Act
await selectMediaAndAnnotation()
// Wait for the side-effect: clicking annotation populates detections.
await waitFor(() => {
const saveBtn = screen.getByRole('button', { name: /^Save$/i })
expect(saveBtn).not.toBeDisabled()
}, { timeout: 3000 })
const saveBtn = screen.getByRole('button', { name: /^Save$/i })
await userEvent.click(saveBtn)
// Assert
await waitFor(() => expect(saves).toHaveLength(1), { timeout: 2000 })
expect(saves[0].url).toBe('/api/annotations/annotations')
// Negative canary — single-prefix would silently match if the URL
// regressed; the equality above is the gating assertion.
expect(saves[0].url).not.toBe('/api/annotations')
clearBearer()
})
})
describe('AC-2 (FT-P-08) — required-fields presence', () => {
it.fails(
'includes ALL of {Source, WaypointId, videoTime, mediaId, detections, status} in the save body',
async () => {
// Arrange — production today sends only {mediaId, time, detections}
// (see `src/features/annotations/AnnotationsPage.tsx:32-44`). The other
// four fields are missing. This drift is documented as `it.fails()`
// until Phase B lifts the body shape to match the wire contract.
const { saves } = captureSavePost()
renderWithProviders(
<FlightProvider>
<AnnotationsPage />
</FlightProvider>,
)
// Act
await selectMediaAndAnnotation()
await waitFor(() => {
const saveBtn = screen.getByRole('button', { name: /^Save$/i })
expect(saveBtn).not.toBeDisabled()
}, { timeout: 3000 })
await userEvent.click(screen.getByRole('button', { name: /^Save$/i }))
// Assert — every required field present.
await waitFor(() => expect(saves).toHaveLength(1))
const body = saves[0].body
expect(body).toHaveProperty('mediaId', seedMediaItem.id)
expect(body).toHaveProperty('detections')
expect(Array.isArray(body.detections)).toBe(true)
// The four drift fields — the assertion `it.fails()` flips green when these land.
expect(body).toHaveProperty('Source')
expect(['AI', 'Manual']).toContain(body.Source)
expect(body).toHaveProperty('WaypointId')
expect(body).toHaveProperty('videoTime')
expect(body).toHaveProperty('status')
clearBearer()
},
)
it('asserts the partial body shape that production currently emits (control)', async () => {
// This control test pins the CURRENT (drift) shape so a regression that
// drops `mediaId` or `detections` is caught even before AC-2 flips green.
// Once production lands the full contract, this test stays green; the
// `it.fails()` above starts passing and the migration is observable.
const { saves } = captureSavePost()
renderWithProviders(
<FlightProvider>
<AnnotationsPage />
</FlightProvider>,
)
await selectMediaAndAnnotation()
await waitFor(() => {
const saveBtn = screen.getByRole('button', { name: /^Save$/i })
expect(saveBtn).not.toBeDisabled()
}, { timeout: 3000 })
await userEvent.click(screen.getByRole('button', { name: /^Save$/i }))
await waitFor(() => expect(saves).toHaveLength(1))
const body = saves[0].body
expect(body.mediaId).toBe(seedMediaItem.id)
expect(Array.isArray(body.detections)).toBe(true)
expect((body.detections as unknown[]).length).toBeGreaterThan(0)
clearBearer()
})
})
describe('AC-3 — multiple save entry points', () => {
it('exercises the manual-draw / select-existing save entry point', async () => {
// The covered case from AC-1 / AC-2 above. Recorded here as a separate
// assertion so the AC-3 entry-point list is explicit in the report.
const { saves } = captureSavePost()
renderWithProviders(
<FlightProvider>
<AnnotationsPage />
</FlightProvider>,
)
await selectMediaAndAnnotation()
await waitFor(() => {
expect(screen.getByRole('button', { name: /^Save$/i })).not.toBeDisabled()
}, { timeout: 3000 })
await userEvent.click(screen.getByRole('button', { name: /^Save$/i }))
await waitFor(() => expect(saves.length).toBeGreaterThan(0))
clearBearer()
})
it.skip(
'QUARANTINE — AI-suggestion-accept save entry point not yet wired in production',
async () => {
// Production has no "accept AI suggestion" button that fires a save —
// AI suggestions arrive via the detect/* services and are merged into
// detections, but the user accepts via the same `Save` button as manual
// draw. The intended distinct UX where accepting an AI suggestion
// issues its own save (with `Source: 'AI'`) lands in Phase B.
// When the path lands, flip this test to a real assertion that issues
// the AI-flavored save and captures `Source === 'AI'`.
},
)
it.skip(
'QUARANTINE — bulk-edit save entry point not yet wired in production',
async () => {
// Production has no bulk-edit save path. Bulk operations exist via the
// dataset bulk-status endpoint (`/api/annotations/dataset/bulk-status`)
// but that does not issue an annotation save per item. When a true
// bulk-edit save lands, this test issues it and asserts each save
// body matches the AC-2 contract.
},
)
})
})
tests/destructive_ux.test.tsx
+166
View File
@@ -0,0 +1,166 @@
import { describe, it, expect, beforeEach } from 'vitest'
import { http } from 'msw'
import { server } from './msw/server'
import { jsonResponse, noContent } from './msw/helpers'
import { renderWithProviders, screen, waitFor, userEvent } from './helpers/render'
import { seedBearer, clearBearer } from './helpers/auth'
import AdminPage from '../src/features/admin/AdminPage'
// AZ-466 — Destructive UX policy (cross-component half)
//
// AC-1 (FT-P-26): clicking Delete on a class → confirming → DELETE fires AFTER confirm.
// AC-2 (FT-N-07): clicking Delete → Cancel → NO DELETE fires.
// AC-4 (FT-P-27 / NFT-SEC-08): static check enumerates every destructive surface
// and asserts each one mounts a `<ConfirmDialog>`.
// The static side lives in `scripts/run-tests.sh` /
// `scripts/check-banned-deps.mjs` (`STC-SEC8`).
// The runtime mirror is one of the cases below.
// AC-5 (NFT-SEC-07): no `alert()` in `src/`. Static side enforces this; runtime
// side here only documents the current allowlist. The runtime
// test would require renderring every component that calls
// alert — out of black-box scope. Static check `STC-SEC7`
// handles enforcement.
//
// Production drift (`src/features/admin/AdminPage.tsx:30-33` and table row
// line 76):
// `handleDeleteClass` directly calls `api.delete` without gating through
// `<ConfirmDialog>`. The class-delete row's `<button onClick=...>` triggers
// the network mutation immediately. FT-P-26 + FT-N-07 are recorded as
// `it.fails()` until production wraps `handleDeleteClass` behind ConfirmDialog
// (Phase B feature task).
const SEED_CLASSES = [
{ id: 1, name: 'class-a', shortName: 'a', color: '#ff0000', maxSizeM: 7 },
{ id: 2, name: 'class-b', shortName: 'b', color: '#00ff00', maxSizeM: 5 },
]
interface CapturedDelete {
url: string
classId: string
}
function captureClassDelete(): { deletes: CapturedDelete[] } {
const deletes: CapturedDelete[] = []
server.use(
http.delete('/api/admin/classes/:id', ({ request, params }) => {
deletes.push({ url: new URL(request.url).pathname, classId: String(params.id) })
return noContent()
}),
// AdminPage bootstrap: classes (annotations service), aircrafts, users.
// NOTE: `AdminPage` reads `/api/admin/users` as a flat User[]
// (`api.get<User[]>` then `users.map`) — but the suite-default MSW
// wraps `seedUsers` in `paginate(...)`. That's a documented
// production-vs-suite drift (admin handler should expose flat in dev).
// For this destructive-UX test we only care about class-delete
// wiring, so the override returns a flat empty array to keep
// AdminPage from crashing on `users.map`.
http.get('/api/annotations/classes', () => jsonResponse(SEED_CLASSES)),
http.get('/api/flights/aircrafts', () => jsonResponse([])),
http.get('/api/admin/users', () => jsonResponse([])),
// AuthContext bootstraps with GET /api/admin/auth/refresh; tests using
// <ProtectedRoute>-less render still mount AuthProvider. Return 401 so
// the unauth path resolves quickly and bootstrap finishes.
http.get('/api/admin/auth/refresh', () => new Response(null, { status: 401 })),
)
return { deletes }
}
describe('AZ-466 — Destructive UX policy (class-delete cross-component test)', () => {
beforeEach(() => {
seedBearer()
})
describe('AC-1 (FT-P-26) — happy path: Delete → Confirm → DELETE fires', () => {
it.fails(
'class-delete prompts a `<ConfirmDialog>` BEFORE issuing the DELETE',
async () => {
// Arrange
const { deletes } = captureClassDelete()
renderWithProviders(<AdminPage />)
// Wait for the class table to populate.
await screen.findByText('class-a')
// Act — find the delete button on the first class row.
const rows = screen.getAllByText(/^class-/i)
const firstRow = rows[0].closest('tr')!
const deleteBtn = firstRow.querySelector('button')!
await userEvent.click(deleteBtn)
// Assert — a ConfirmDialog must appear before any DELETE fires.
// Drift: AdminPage's `handleDeleteClass` issues api.delete directly
// (no ConfirmDialog wired). The DELETE fires immediately and the
// dialog never appears.
const dialog = await screen.findByRole('dialog', undefined, { timeout: 1000 })
expect(dialog).toBeInTheDocument()
expect(deletes).toHaveLength(0)
// Confirm via the dialog → DELETE fires now.
const confirm = screen.getAllByRole('button').find(b => /confirm/i.test(b.textContent ?? ''))!
await userEvent.click(confirm)
await waitFor(() => expect(deletes).toHaveLength(1), { timeout: 1000 })
clearBearer()
},
)
it('control: production today bypasses ConfirmDialog and deletes immediately', async () => {
// Pin the current (drift) one-click delete behavior. When AC-1 lands,
// this control flips red and is removed.
const { deletes } = captureClassDelete()
renderWithProviders(<AdminPage />)
await screen.findByText('class-a')
const rows = screen.getAllByText(/^class-/i)
const firstRow = rows[0].closest('tr')!
const deleteBtn = firstRow.querySelector('button')!
await userEvent.click(deleteBtn)
await waitFor(() => expect(deletes).toHaveLength(1), { timeout: 1000 })
expect(deletes[0].url).toMatch(/\/api\/admin\/classes\/\d+/)
clearBearer()
})
})
describe('AC-2 (FT-N-07) — cancel path: Delete → Cancel → NO DELETE fires', () => {
it.fails(
'class-delete with Cancel via the ConfirmDialog suppresses the DELETE entirely',
async () => {
// Arrange
const { deletes } = captureClassDelete()
renderWithProviders(<AdminPage />)
await screen.findByText('class-a')
// Act — click delete, then Cancel on the dialog.
const rows = screen.getAllByText(/^class-/i)
const firstRow = rows[0].closest('tr')!
await userEvent.click(firstRow.querySelector('button')!)
// Drift: the dialog never appears today. The find call fails first
// (no `role="dialog"` ever mounts), but even if it did, cancel would
// need to suppress a DELETE that today already fired synchronously.
const dialog = await screen.findByRole('dialog', undefined, { timeout: 1000 })
expect(dialog).toBeInTheDocument()
const cancel = screen.getAllByRole('button').find(b => /cancel/i.test(b.textContent ?? ''))!
await userEvent.click(cancel)
// Assert — NO DELETE was issued.
await new Promise(r => setTimeout(r, 50))
expect(deletes).toHaveLength(0)
clearBearer()
},
)
})
describe('AC-4 (FT-P-27 / NFT-SEC-08) — destructive surfaces enumeration', () => {
// The runtime side of FT-P-27 / NFT-SEC-08 is a multi-component static
// walk. Implementing it as a Vitest test would require rendering every
// production page and asserting every destructive surface mounts a
// ConfirmDialog. That is the static check's job (`STC-SEC8` in
// `scripts/run-tests.sh` calling `check-banned-deps.mjs --kind=destructive_unguarded`).
// We pin one runtime example here (AdminPage's class-delete) above to
// catch regressions on a known-current drift surface.
it.skip(
'QUARANTINE — full enumeration is enforced by STC-SEC8 (static check); per-surface runtime tests follow per-feature in Phase B',
() => {},
)
})
})
tests/form_hygiene.test.tsx
+171
View File
@@ -0,0 +1,171 @@
import { describe, it, expect, beforeEach } from 'vitest'
import { http } from 'msw'
import { server } from './msw/server'
import { jsonResponse } from './msw/helpers'
import { renderWithProviders, screen, waitFor, userEvent } from './helpers/render'
import { seedBearer, clearBearer } from './helpers/auth'
import SettingsPage from '../src/features/settings/SettingsPage'
// AZ-475 — Numeric form input — empty / non-numeric rejection
//
// AC-1 (FT-N-11): clearing a numeric field MUST surface a validation error
// and prevent the PUT from firing. Silent zero is a regression.
// AC-2 (FT-N-12): typing a non-numeric value MUST surface a validation error
// and prevent the PUT from firing.
//
// Production drift (`src/features/settings/SettingsPage.tsx:38-48, 59-60`):
// 1. `<label>` carries no `htmlFor` — labels are not programmatically
// associated with their inputs (a separate a11y drift surfaced by this
// test's setup; the test works around it via DOM traversal). Phase B
// task should add `id`/`htmlFor` so `getByLabelText` works directly
// and screen readers can navigate the form.
// 2. `parseInt(v) || 0` and `parseFloat(v) || 0` silently coerce empty
// input to 0 with no validation, then the save handler PUTs the
// zeroed payload. FT-N-11 / FT-N-12 are recorded as `it.fails()`
// until production lands a `useNumericField` validator (or equivalent)
// that blocks save on invalid input.
function inputForLabel(labelText: RegExp | string): HTMLInputElement {
// SettingsPage's `<label>` is a sibling of the `<input>` inside a wrapper
// `<div>` (no `htmlFor`). Find the label, walk to its parent, then to the
// input. Once production lands `htmlFor` (drift #1 above), tests can use
// `screen.findByLabelText` directly.
const label = screen.getByText(labelText, { selector: 'label' })
const wrapper = label.parentElement
if (!wrapper) throw new Error(`label "${String(labelText)}" has no parent`)
const input = wrapper.querySelector('input')
if (!input) throw new Error(`no input next to label "${String(labelText)}"`)
return input as HTMLInputElement
}
interface CapturedPut {
url: string
body: Record<string, unknown>
}
function captureSettingsPut(): { puts: CapturedPut[] } {
const puts: CapturedPut[] = []
server.use(
http.put('/api/annotations/settings/system', async ({ request }) => {
puts.push({
url: new URL(request.url).pathname,
body: (await request.json()) as Record<string, unknown>,
})
return jsonResponse({ ok: true })
}),
// Settings page bootstraps three GETs.
http.get('/api/annotations/settings/system', () =>
jsonResponse({
id: 'sys-az475',
name: 'AZ-475 system',
militaryUnit: null,
defaultCameraWidth: 1920,
defaultCameraFoV: 60,
}),
),
http.get('/api/annotations/settings/directories', () =>
jsonResponse({
id: 'dirs-az475',
videosDir: '/srv/v',
imagesDir: '/srv/i',
labelsDir: '/srv/l',
resultsDir: '/srv/r',
thumbnailsDir: '/srv/t',
gpsSatDir: '/srv/gs',
gpsRouteDir: '/srv/gr',
}),
),
http.get('/api/flights/aircrafts', () => jsonResponse([])),
http.get('/api/admin/auth/refresh', () => new Response(null, { status: 401 })),
)
return { puts }
}
describe('AZ-475 — numeric form input rejection', () => {
beforeEach(() => {
seedBearer()
})
describe('AC-1 (FT-N-11) — empty numeric input', () => {
it.fails(
'shows a validation error and DOES NOT issue the PUT when the field is cleared',
async () => {
// Arrange
const { puts } = captureSettingsPut()
renderWithProviders(<SettingsPage />)
await screen.findByText(/Default Camera Width/i)
const widthInput = inputForLabel(/Default Camera Width/i)
expect(widthInput).toBeInTheDocument()
// Act
await userEvent.clear(widthInput)
// Find the matching Save button (first Save in tenant config block).
const saveButtons = await screen.findAllByRole('button', { name: /Save/i })
await userEvent.click(saveButtons[0])
// Assert — validation message present, no PUT issued.
// Drift today: SettingsPage uses `parseInt(v) || 0` (silent zero) AND
// issues the PUT regardless. Both halves of this assertion fail.
const error = await screen.findByText(/required|invalid|must be a number/i, undefined, {
timeout: 1000,
})
expect(error).toBeInTheDocument()
await new Promise(r => setTimeout(r, 50))
expect(puts).toHaveLength(0)
clearBearer()
},
)
it('control: production today silently coerces empty input to 0 and PUTs', async () => {
// Pin current behavior so a regression that, e.g., starts crashing on
// empty input is caught even before AC-1 is fixed. When AC-1 lands,
// this control flips red and is removed.
const { puts } = captureSettingsPut()
renderWithProviders(<SettingsPage />)
await screen.findByText(/Default Camera Width/i)
const widthInput = inputForLabel(/Default Camera Width/i)
await userEvent.clear(widthInput)
const saveButtons = await screen.findAllByRole('button', { name: /Save/i })
await userEvent.click(saveButtons[0])
await waitFor(() => expect(puts).toHaveLength(1), { timeout: 1000 })
expect(puts[0].body).toMatchObject({ defaultCameraWidth: 0 })
clearBearer()
})
})
describe('AC-2 (FT-N-12) — non-numeric input', () => {
it.fails(
'shows a validation error and DOES NOT issue the PUT when input is non-numeric',
async () => {
// Arrange
const { puts } = captureSettingsPut()
renderWithProviders(<SettingsPage />)
await screen.findByText(/Default Camera Width/i)
const widthInput = inputForLabel(/Default Camera Width/i)
// Act — `<input type="number">` ignores non-numeric typed chars in browsers,
// BUT user-event still fires onChange events. To force a non-numeric value
// through the React state we set the value directly via fireEvent on
// input. (`userEvent.type` would no-op on a number input for "abc".)
await userEvent.clear(widthInput)
widthInput.value = 'abc'
widthInput.dispatchEvent(new Event('input', { bubbles: true }))
widthInput.dispatchEvent(new Event('change', { bubbles: true }))
const saveButtons = await screen.findAllByRole('button', { name: /Save/i })
await userEvent.click(saveButtons[0])
// Assert — validation error visible; no PUT.
const error = await screen.findByText(/invalid|must be a number/i, undefined, {
timeout: 1000,
})
expect(error).toBeInTheDocument()
await new Promise(r => setTimeout(r, 50))
expect(puts).toHaveLength(0)
clearBearer()
},
)
})
})
tests/msw/handlers/annotations.ts
+63 -3
View File
@@ -27,18 +27,41 @@ export const annotationsHandlers = [
jsonResponse(seedAnnotations.filter((a) => a.mediaId === params.id)),
),
http.get('/api/annotations', () => jsonResponse(seedAnnotations)),
// Production routes use the doubly-prefixed canary `/api/annotations/annotations/*`
// — gateway prefix `/api/annotations/` + service base `/annotations/`. AZ-460 AC-1
// pins this path; the static check would catch a single-prefix regression.
http.get('/api/annotations/annotations', ({ request }) => {
const url = new URL(request.url)
const mediaId = url.searchParams.get('mediaId')
const items = mediaId ? seedAnnotations.filter((a) => a.mediaId === mediaId) : seedAnnotations
const page = Number(url.searchParams.get('page') ?? '1')
const pageSize = Number(url.searchParams.get('pageSize') ?? String(items.length))
return jsonResponse(paginate(items, page, pageSize))
}),
http.post('/api/annotations', async ({ request }) => {
http.post('/api/annotations/annotations', async ({ request }) => {
const body = (await request.json()) as Record<string, unknown>
return jsonResponse({ id: 'ann-new', createdDate: new Date().toISOString(), ...body }, { status: 201 })
}),
http.patch('/api/annotations/:id/status', async ({ request, params }) => {
http.patch('/api/annotations/annotations/:id/status', async ({ request, params }) => {
const body = (await request.json()) as { status?: number }
return jsonResponse({ id: params.id, status: body.status ?? 10 })
}),
http.delete('/api/annotations/annotations/:id', () => noContent()),
// Single-prefix variants kept for backward compatibility with existing tests
// that may rely on them. Production uses doubly-prefixed (above).
http.get('/api/annotations', () => jsonResponse(seedAnnotations)),
http.post('/api/annotations', async ({ request }) => {
const body = (await request.json()) as Record<string, unknown>
return jsonResponse({ id: 'ann-new', createdDate: new Date().toISOString(), ...body }, { status: 201 })
}),
http.patch('/api/annotations/:id/status', async ({ request, params }) => {
const body = (await request.json()) as { status?: number }
return jsonResponse({ id: params.id, status: body.status ?? 10 })
}),
http.delete('/api/annotations/:id', () => noContent()),
http.get('/api/annotations/dataset', () =>
@@ -87,4 +110,41 @@ export const annotationsHandlers = [
const body = (await request.json()) as Record<string, unknown>
return jsonResponse({ id: 'user-settings-1', userId: params.userId, ...body })
}),
// System / directory settings — used by `<SettingsPage>` (production paths).
http.get('/api/annotations/settings/system', () =>
jsonResponse({
id: 'sys-settings-1',
name: 'Test System',
militaryUnit: null,
defaultCameraWidth: 1920,
defaultCameraFoV: 60,
}),
),
http.put('/api/annotations/settings/system', async ({ request }) =>
jsonResponse(await request.json()),
),
http.get('/api/annotations/settings/directories', () =>
jsonResponse({
id: 'dirs-1',
videosDir: '/srv/videos',
imagesDir: '/srv/images',
labelsDir: '/srv/labels',
resultsDir: '/srv/results',
thumbnailsDir: '/srv/thumbs',
gpsSatDir: '/srv/gps-sat',
gpsRouteDir: '/srv/gps-route',
}),
),
http.put('/api/annotations/settings/directories', async ({ request }) =>
jsonResponse(await request.json()),
),
// Used by AdminPage when listing detection classes for the editor.
http.get('/api/annotations/classes', () =>
jsonResponse([
{ id: 1, name: 'class-a', shortName: 'a', color: '#ff0000', maxSizeM: 7 },
{ id: 2, name: 'class-b', shortName: 'b', color: '#00ff00', maxSizeM: 5 },
]),
),
]
tests/msw/handlers/flights.ts
+8
View File
@@ -54,8 +54,16 @@ export const flightsHandlers = [
]),
),
// Production uses the plural path `/api/flights/aircrafts`. Singular alias kept
// for any future test that follows REST-singular conventions; production paths win.
http.get('/api/flights/aircrafts', () => jsonResponse(seedAircraft)),
http.get('/api/flights/aircraft', () => jsonResponse(seedAircraft)),
http.patch('/api/flights/aircrafts/:id', async ({ request, params }) => {
const body = (await request.json()) as Record<string, unknown>
return jsonResponse({ id: params.id, ...body })
}),
http.post('/api/flights/aircraft', async ({ request }) => {
const body = (await request.json()) as Record<string, unknown>
return jsonResponse({ id: 'aircraft-new', ...body }, { status: 201 })
tests/overlay_membership.test.tsx
+258
View File
@@ -0,0 +1,258 @@
import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest'
import { renderWithProviders, waitFor } from './helpers/render'
import CanvasEditor from '../src/features/annotations/CanvasEditor'
import {
AnnotationSource,
AnnotationStatus,
Affiliation,
CombatReadiness,
MediaType,
MediaStatus,
} from '../src/types'
import type { Media, AnnotationListItem, Detection } from '../src/types'
// AZ-462 — Overlay membership at the in-window edges
//
// AC-1 (FT-P-14, FT-P-15): annotation EXACTLY on `lowerBound` / `upperBound`
// IS rendered (inclusive boundary).
// AC-2 (FT-N-01, FT-N-02): annotation one frame interval beyond the bound is
// NOT rendered (strict exclusion outside the window).
// AC-3: assertion reads the canvas draw output, not React
// internal state. We mock `HTMLCanvasElement.getContext`
// to capture every `strokeRect` call — each rendered
// detection produces one. This is the closest to "DOM
// query" available for canvas-based rendering.
//
// Production drift (`src/features/annotations/CanvasEditor.tsx:215-220`):
// `getTimeWindowDetections` filters with `Math.abs(annTime - timeTicks) < 2_000_000`
// (strict `<`). The contract per AZ-462 is `<=` (inclusive). FT-P-14/15 are
// recorded as `it.fails()` until production lifts the operator.
// Tick rate: production uses 10_000_000 ticks per second (.NET DateTime ticks);
// the overlay window is ±2_000_000 ticks (= ±0.2 s) around `currentTime`.
const TICKS_PER_SECOND = 10_000_000
const HALF_WINDOW_TICKS = 2_000_000
const HALF_WINDOW_SECONDS = HALF_WINDOW_TICKS / TICKS_PER_SECOND // 0.2 s
const ONE_FRAME_TICKS = 333_333 // ~30 fps; small step beyond the boundary
function ticksToTimecode(ticks: number): string {
// Mirror `formatTicks` in AnnotationsPage (HH:MM:SS.mmm) but accept ticks input.
const totalSeconds = ticks / TICKS_PER_SECOND
const h = Math.floor(totalSeconds / 3600)
const m = Math.floor((totalSeconds % 3600) / 60)
const wholeS = Math.floor(totalSeconds % 60)
const ms = Math.floor((totalSeconds - Math.floor(totalSeconds)) * 1000)
return `${String(h).padStart(2, '0')}:${String(m).padStart(2, '0')}:${String(wholeS).padStart(2, '0')}.${String(ms).padStart(3, '0')}`
}
function makeDetection(idx: number): Detection {
return {
id: `det-${idx}`,
classNum: 0,
label: `class-${idx}`,
confidence: 0.9,
affiliation: Affiliation.Hostile,
combatReadiness: CombatReadiness.NotReady,
centerX: 0.5,
centerY: 0.5,
width: 0.1,
height: 0.1,
}
}
function makeAnnotation(id: string, atTicks: number): AnnotationListItem {
return {
id,
mediaId: 'media-az462',
time: ticksToTimecode(atTicks),
createdDate: '2026-05-11T00:00:00Z',
userId: 'user-az462',
source: AnnotationSource.Manual,
status: AnnotationStatus.Created,
isSplit: false,
splitTile: null,
detections: [makeDetection(parseInt(id.split('-').pop() ?? '0', 10) || 0)],
}
}
const videoMedia: Media = {
id: 'media-az462',
name: 'overlay-edge.mp4',
path: '/media/overlay-edge.mp4',
mediaType: MediaType.Video,
mediaStatus: MediaStatus.New,
duration: '00:00:30',
annotationCount: 4,
waypointId: null,
userId: 'user-az462',
}
interface CanvasSpy {
strokeRectCalls: number
reset(): void
}
function installCanvasSpy(): CanvasSpy {
const state: CanvasSpy = {
strokeRectCalls: 0,
reset() {
this.strokeRectCalls = 0
},
}
const stub: Partial<CanvasRenderingContext2D> = {
clearRect: vi.fn(),
save: vi.fn(),
restore: vi.fn(),
drawImage: vi.fn(),
fillRect: vi.fn(),
strokeRect: vi.fn(() => {
state.strokeRectCalls += 1
}),
fillText: vi.fn(),
measureText: vi.fn(() => ({ width: 10 } as TextMetrics)),
arc: vi.fn(),
beginPath: vi.fn(),
fill: vi.fn(),
setLineDash: vi.fn(),
fillStyle: '',
strokeStyle: '',
lineWidth: 1,
font: '',
globalAlpha: 1,
}
// jsdom has no canvas implementation — getContext returns null by default.
// We override it on the prototype so every <canvas> mounted by CanvasEditor
// resolves to our recording stub.
HTMLCanvasElement.prototype.getContext = vi.fn(() => stub as CanvasRenderingContext2D) as unknown as typeof HTMLCanvasElement.prototype.getContext
return state
}
function renderOverlay(annotations: AnnotationListItem[], currentTimeSeconds: number) {
return renderWithProviders(
<CanvasEditor
media={videoMedia}
annotation={null}
detections={[]}
onDetectionsChange={() => {}}
selectedClassNum={0}
currentTime={currentTimeSeconds}
annotations={annotations}
/>,
)
}
describe('AZ-462 — overlay membership at in-window edges', () => {
let spy: CanvasSpy
let originalRaf: typeof globalThis.requestAnimationFrame
beforeEach(() => {
spy = installCanvasSpy()
// Force RAF to fire synchronously so the first draw lands before the
// assertion runs (jsdom's RAF queues to a microtask which is fine, but
// syncing avoids flakes when the test environment under-schedules it).
originalRaf = globalThis.requestAnimationFrame
globalThis.requestAnimationFrame = ((cb: FrameRequestCallback) => {
cb(performance.now())
return 0
}) as typeof globalThis.requestAnimationFrame
})
afterEach(() => {
globalThis.requestAnimationFrame = originalRaf
})
describe('AC-1 — inclusive boundary (annotation exactly on bound IS rendered)', () => {
it.fails(
'FT-P-14: annotation at the LOWER in-window edge is rendered',
async () => {
// Arrange — currentTime = 5s; lower bound = 5s 0.2s = 4.8s.
const currentTimeSeconds = 5
const lowerBoundTicks = (currentTimeSeconds - HALF_WINDOW_SECONDS) * TICKS_PER_SECOND
const annOnLowerBound = makeAnnotation('ann-1', lowerBoundTicks)
// Act
renderOverlay([annOnLowerBound], currentTimeSeconds)
// Assert — exactly one strokeRect (one detection, on bound).
// Production uses strict `<` ⇒ boundary excluded ⇒ 0 strokeRect calls ⇒ this fails.
await waitFor(() => expect(spy.strokeRectCalls).toBeGreaterThanOrEqual(1), {
timeout: 1000,
})
},
)
it.fails(
'FT-P-15: annotation at the UPPER in-window edge is rendered',
async () => {
const currentTimeSeconds = 5
const upperBoundTicks = (currentTimeSeconds + HALF_WINDOW_SECONDS) * TICKS_PER_SECOND
const annOnUpperBound = makeAnnotation('ann-2', upperBoundTicks)
renderOverlay([annOnUpperBound], currentTimeSeconds)
await waitFor(() => expect(spy.strokeRectCalls).toBeGreaterThanOrEqual(1), {
timeout: 1000,
})
},
)
it('control: production uses strict `<`, so the EXACT boundary is excluded today', async () => {
// This positive control pins the CURRENT (drift) behavior so a regression
// that flips the operator to `<=` without lifting the AC drift gets caught.
// When AC-1 is fixed, this test goes red and is removed alongside.
const currentTimeSeconds = 5
const lowerBoundTicks = (currentTimeSeconds - HALF_WINDOW_SECONDS) * TICKS_PER_SECOND
const annOnLowerBound = makeAnnotation('ann-3', lowerBoundTicks)
renderOverlay([annOnLowerBound], currentTimeSeconds)
// Wait for at least one tick so RAF would have fired if it were going to.
await new Promise(r => setTimeout(r, 10))
expect(spy.strokeRectCalls).toBe(0)
})
})
describe('AC-2 — strict exclusion (annotation outside the window NOT rendered)', () => {
it('FT-N-01: annotation BEFORE the lower bound is not rendered', async () => {
// Arrange — annotation at lowerBound 1 frame.
const currentTimeSeconds = 5
const beforeLowerTicks =
(currentTimeSeconds - HALF_WINDOW_SECONDS) * TICKS_PER_SECOND - ONE_FRAME_TICKS
const annBeforeLower = makeAnnotation('ann-4', beforeLowerTicks)
// Act
renderOverlay([annBeforeLower], currentTimeSeconds)
// Assert — no strokeRect calls (annotation rejected by the time-window filter).
await new Promise(r => setTimeout(r, 10))
expect(spy.strokeRectCalls).toBe(0)
})
it('FT-N-02: annotation AFTER the upper bound is not rendered', async () => {
const currentTimeSeconds = 5
const afterUpperTicks =
(currentTimeSeconds + HALF_WINDOW_SECONDS) * TICKS_PER_SECOND + ONE_FRAME_TICKS
const annAfterUpper = makeAnnotation('ann-5', afterUpperTicks)
renderOverlay([annAfterUpper], currentTimeSeconds)
await new Promise(r => setTimeout(r, 10))
expect(spy.strokeRectCalls).toBe(0)
})
it('control: an annotation comfortably inside the window IS rendered', async () => {
// Positive control — proves the test apparatus would observe a render
// when the time-window filter accepts an annotation. Without this, a
// canvas-stub failure would cause every assertion to vacuously pass.
const currentTimeSeconds = 5
const insideTicks = currentTimeSeconds * TICKS_PER_SECOND
const annInside = makeAnnotation('ann-6', insideTicks)
renderOverlay([annInside], currentTimeSeconds)
await waitFor(() => expect(spy.strokeRectCalls).toBeGreaterThanOrEqual(1), {
timeout: 1000,
})
})
})
})
tests/security/banned-deps.json
+33
View File
@@ -81,5 +81,38 @@
"patterns": [
"335799082893fad97fa36118b131f919"
]
},
"alert_calls": {
"ac": "NFT-SEC-07 (AZ-466 AC-5) — no alert() in production source",
"scope": "src/ and mission-planner/ (production sources; tests excluded)",
"match": "ripgrep-pattern",
"patterns": [
"\\balert\\s*\\("
],
"$allowlist_comment": "Snapshot of currently-allowed alert() locations. Phase B feature tasks should drain this list one entry at a time. New alerts are blocked by the static check; removing an entry is a code-review-visible improvement.",
"allowlist": [
"src/features/annotations/MediaList.tsx",
"src/features/flights/FlightsPage.tsx",
"mission-planner/src/flightPlanning/JsonEditorDialog.tsx",
"mission-planner/src/flightPlanning/flightPlan.tsx"
]
},
"destructive_surfaces": {
"ac": "NFT-SEC-08 (AZ-466 AC-4) — every destructive surface is reviewed and either gated by ConfirmDialog or recorded as a known drift",
"scope": "src/ files that call api.delete( or destructive api.patch(",
"match": "file-level: a file containing a destructive call MUST be listed below; new destructive surfaces FAIL the check",
"patterns": [
"api\\.delete\\(",
"api\\.patch\\([^,]+,\\s*\\{\\s*isActive\\s*:"
],
"$gated_comment": "Files that perform destructive mutations AND wire ConfirmDialog around them. Code review checks the wiring per file.",
"gated": [
"src/features/annotations/MediaList.tsx",
"src/features/flights/FlightsPage.tsx"
],
"$drift_comment": "Files that perform destructive mutations WITHOUT a ConfirmDialog gate today. Phase B follow-up tasks land the gate and move each entry to `gated`. Adding a new entry here requires a code-review reason.",
"drift": [
"src/features/admin/AdminPage.tsx"
]
}
}
tests/setup.ts
+35
View File
@@ -4,6 +4,41 @@ import { cleanup } from '@testing-library/react'
import { server } from './msw/server'
import { setToken, setNavigateToLogin } from '../src/api/client'
// JSDOM polyfills for browser APIs production code touches at mount time.
// These are no-op stubs — tests that exercise the actual behavior install
// richer fakes per-suite (e.g. `tests/sse_lifecycle.test.tsx` overrides
// `globalThis.EventSource` and restores it; that pattern still works).
class NoopResizeObserver {
observe(): void {}
unobserve(): void {}
disconnect(): void {}
}
class NoopEventSource extends EventTarget {
url: string
readyState: 0 | 1 | 2 = 0
onopen: ((e: Event) => void) | null = null
onmessage: ((e: MessageEvent) => void) | null = null
onerror: ((e: Event) => void) | null = null
constructor(url: string | URL) {
super()
this.url = String(url)
}
close(): void {
this.readyState = 2
}
static readonly CONNECTING = 0
static readonly OPEN = 1
static readonly CLOSED = 2
}
const g = globalThis as unknown as {
ResizeObserver?: typeof NoopResizeObserver
EventSource?: typeof NoopEventSource
}
if (!g.ResizeObserver) g.ResizeObserver = NoopResizeObserver
if (!g.EventSource) g.EventSource = NoopEventSource
// MSW boundary configured per AZ-456 AC-3:
// - All outbound /api/<service>/... fetches MUST be intercepted.
// - A test missing a handler for a network request is a HARD failure