mirror of
https://github.com/azaion/ui.git
synced 2026-06-22 14:11:11 +00:00
[AZ-458] [AZ-467] [AZ-468] [AZ-482] Batch 3 - SSE/RBAC/Header/security tests

Implements 4 blackbox-test tasks for AZ-455 Phase A baseline:

- AZ-458 SSE lifecycle + bearer rotation: 9 fast tests (8 pass, 1
  QUARANTINE for annotation-status); 4 e2e scenarios (gated by suite
  stack). Uses tests/helpers/sse-mock.ts with globalThis.EventSource
  monkey-patch per AC-3 (no stub of src/api/sse.ts). AC-2 bearer
  rotation captured as documented drift via it.fails() — FlightsPage
  useEffect deps do not include the token today.
- AZ-467 ProtectedRoute spinner + timeout + RBAC: 9 new fast tests
  extending the AZ-457 file (6 pass, 3 QUARANTINE), plus 3 e2e
  scenarios. FT-P-32 spinner a11y is it.fails() drift; FT-P-33 timeout
  and FT-N-03/05 RBAC redirects are it.skip QUARANTINE (no production
  behavior today). Positive control: admin_carol reaches /admin.
- AZ-468 Header flight-dropdown a11y: 6 fast tests (5 pass, 1
  QUARANTINE). FT-P-30/31 are it.fails() drift (aria-expanded /
  role=listbox / aria-activedescendant currently missing); FT-N-09
  is it.skip QUARANTINE (no document keydown handler exists).
- AZ-482 Secrets + banned-libs + AC-N1 anti-criterion: 3 new static
  checks (STC-SEC13 legacy integrations, STC-SEC14 concurrent-edit,
  STC-SEC1B dist/ OWM key) plus refactor of 4 existing checks
  (STC-N2/N4/S13/S6) to read from tests/security/banned-deps.json
  via scripts/check-banned-deps.mjs per AZ-482 constraint
  ("deny-list lives in tests/security/banned-deps.json so additions
  are visible in code review"). All 22 static checks PASS.

Totals: 57 fast tests pass + 9 skipped; 22/22 static checks pass.

Self-review verdict PASS_WITH_WARNINGS — all five findings are
documented drifts captured by it.fails() / it.skip QUARANTINE +
control tests. See _docs/03_implementation/batch_03_report.md
for the per-task / per-AC matrix and recommended Phase B follow-up
production tasks (Header a11y; ProtectedRoute spinner/timeout/RBAC;
SSE bearer-rotation reconnect; AnnotationsPage SSE).

Co-authored-by: Cursor <cursoragent@cursor.com>
@@ -0,0 +1,50 @@
# Test — Header Flight Dropdown a11y
**Task**: AZ-468_test_header_dropdown
**Name**: Header flight dropdown — closed/open a11y + Escape handler
**Description**: Implement the 3 blackbox tests pinning the header flight dropdown's open/closed-state a11y attributes and the Escape-to-close handler-detachment behavior.
**Complexity**: 2 points
**Dependencies**: AZ-456_test_infrastructure
**Component**: 10_app-shell (Header) (Blackbox Tests)
**Tracker**: AZ-468
**Epic**: AZ-455
## Problem
The header dropdown is keyboard-traversed dozens of times per session; an a11y regression makes the app unusable for keyboard / screen-reader users. The Escape handler must detach on close — a leak that hijacks Escape elsewhere.
## Outcome
- 3 scenarios pass.
## Scope
### Included
| Scenario | Profile | Source file |
|----------|---------|-------------|
| FT-P-30 — header flight dropdown closed-state a11y | fast | blackbox-tests.md |
| FT-P-31 — header flight dropdown open-state a11y | fast | blackbox-tests.md |
| FT-N-09 — header dropdown Escape — close + handler detached | fast | blackbox-tests.md |
### Excluded
- Flight selection logic itself (covered in 08_test_flight_selection_persistence).
## Acceptance Criteria
**AC-1: Closed state**
`aria-expanded="false"`; trigger has accessible name; no `aria-activedescendant`.
**AC-2: Open state**
`aria-expanded="true"`; `role="listbox"` (or `menu`); option list has roles; `aria-activedescendant` points to a real id.
**AC-3: Escape detach**
After Escape closes the dropdown, the document-level Escape handler installed by the dropdown is removed (tracked via `addEventListener` / `removeEventListener` spies). No leakage into other components' Escape handlers.
## System Under Test Boundary
- System under test: `<Header>` flight dropdown + Escape handler.
- Allowed stubs: MSW for flights list endpoint.
- Disallowed: reading dropdown React state.
- Expected observables per `results_report.md` rows for FT-P-30, 31, FT-N-09.
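
Review bot: AC-3 can pass vacuously as written: if the dropdown never registers a document-level Escape listener, a spy that only checks that nothing is left behind sees zero adds and zero removes and still goes green. Suggest AC-3 require that the spies record an `addEventListener` call on `document` while the dropdown is open and a `removeEventListener` call with the same listener reference (and matching capture option) after Escape, plus a behavioral check that a later Escape keypress reaches another component's handler. The Outcome line "3 scenarios pass" also needs a defined meaning for a scenario held under `it.fails()` or `it.skip`, which the commit message says is the current state of FT-P-30/31 and FT-N-09. In AC-2, "`role="listbox"` (or `menu`)" and "option list has roles" leave the expected child roles open; name one pattern so the `aria-activedescendant` assertion has a fixed target role.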