[AZ-458] [AZ-467] [AZ-468] [AZ-482] Batch 3 - SSE/RBAC/Header/security tests

Implements 4 blackbox-test tasks for AZ-455 Phase A baseline:

- AZ-458 SSE lifecycle + bearer rotation: 9 fast tests (8 pass, 1
  QUARANTINE for annotation-status); 4 e2e scenarios (gated by suite
  stack). Uses tests/helpers/sse-mock.ts with globalThis.EventSource
  monkey-patch per AC-3 (no stub of src/api/sse.ts). AC-2 bearer
  rotation captured as documented drift via it.fails() — FlightsPage
  useEffect deps do not include the token today.

- AZ-467 ProtectedRoute spinner + timeout + RBAC: 9 new fast tests
  extending the AZ-457 file (6 pass, 3 QUARANTINE), plus 3 e2e
  scenarios. FT-P-32 spinner a11y is it.fails() drift; FT-P-33 timeout
  and FT-N-03/05 RBAC redirects are it.skip QUARANTINE (no production
  behavior today). Positive control: admin_carol reaches /admin.

- AZ-468 Header flight-dropdown a11y: 6 fast tests (5 pass, 1
  QUARANTINE). FT-P-30/31 are it.fails() drift (aria-expanded /
  role=listbox / aria-activedescendant currently missing); FT-N-09
  is it.skip QUARANTINE (no document keydown handler exists).

- AZ-482 Secrets + banned-libs + AC-N1 anti-criterion: 3 new static
  checks (STC-SEC13 legacy integrations, STC-SEC14 concurrent-edit,
  STC-SEC1B dist/ OWM key) plus refactor of 4 existing checks
  (STC-N2/N4/S13/S6) to read from tests/security/banned-deps.json
  via scripts/check-banned-deps.mjs per AZ-482 constraint
  ("deny-list lives in tests/security/banned-deps.json so additions
  are visible in code review"). All 22 static checks PASS.

Totals: 57 fast tests pass + 9 skipped; 22/22 static checks pass.
Self-review verdict PASS_WITH_WARNINGS — all five findings are
documented drifts captured by it.fails() / it.skip QUARANTINE +
control tests. See _docs/03_implementation/batch_03_report.md
for the per-task / per-AC matrix and recommended Phase B follow-up
production tasks (Header a11y; ProtectedRoute spinner/timeout/RBAC;
SSE bearer-rotation reconnect; AnnotationsPage SSE).

Co-authored-by: Cursor <cursoragent@cursor.com>
Oleksandr Bezdieniezhnykh
2026-05-11 03:46:18 +03:00
parent 2e04a01ac9
commit 2051088706
14 changed files with 1466 additions and 33 deletions
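The AZ-482 item in the commit message keeps the deny-list in a JSON file that a checker script reads. The code below is an added illustration of that kind of check, not the project's `scripts/check-banned-deps.mjs`; the `banned` schema, the trailing-`*` wildcard, the lockfile scan (which goes beyond what the message describes) and all package names are assumptions.

```javascript
// Added example: the JSON shape is assumed; the page does not show banned-deps.json.
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

// Constructed sample inputs (hypothetical package names and reasons).
const sampleDenyList = { banned: [
  { name: "example-banned-lib", reason: "legacy integration" },
  { name: "@example/legacy-*", reason: "unmaintained scope" },
] };
const samplePkg = {
  dependencies: { react: "^18.0.0", "example-banned-lib": "1.0.0" },
  devDependencies: { "@example/legacy-maps": "2.0.0" },
};
const sampleLock = { packages: {
  "": {}, "node_modules/react": {},
  "node_modules/foo/node_modules/example-banned-lib": {},
} };

// A trailing "*" in a deny-list entry is treated as a prefix wildcard.
function toMatcher(pattern) {
  if (pattern.endsWith("*")) {
    const prefix = pattern.slice(0, -1);
    return (name) => name.startsWith(prefix);
  }
  return (name) => name === pattern;
}

// Direct dependencies declared in package.json, across every dependency field.
function directDeps(pkg) {
  return DEP_FIELDS.flatMap((field) =>
    Object.keys(pkg[field] ?? {}).map((name) => ({ name, via: field })));
}

// Transitive packages from a package-lock v2/v3 "packages" map; keys look like
// "node_modules/a/node_modules/@scope/b", so the name follows the last marker.
function lockedDeps(lock) {
  const marker = "node_modules/";
  return Object.keys(lock.packages ?? {})
    .filter((key) => key.includes(marker))
    .map((key) => ({ name: key.slice(key.lastIndexOf(marker) + marker.length), via: "package-lock" }));
}

// Returns one finding per (dependency, matching rule) pair; empty means clean.
function findBanned(denyList, pkg, lock = {}) {
  const rules = denyList.banned.map((e) => ({ ...e, match: toMatcher(e.name) }));
  return [...directDeps(pkg), ...lockedDeps(lock)].flatMap((dep) =>
    rules.filter((r) => r.match(dep.name))
      .map((r) => ({ name: dep.name, via: dep.via, rule: r.name, reason: r.reason })));
}

console.log(findBanned(sampleDenyList, samplePkg, sampleLock));
```

A CI wrapper would fail the build when `findBanned` returns any finding, so a banned package that arrives only transitively is caught as well.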
+14 -1
@@ -8,7 +8,7 @@ status: in_progress
sub_step:
phase: 14
name: batch-loop
detail: "batch 3 next: AZ-458 + AZ-467 + AZ-468 + 1 small parallel"
detail: "batch 4 next: 18 tasks remaining (AZ-460/461/462/463/464/466/469/470/471/472/473/474/475/476/477/478/479/480)"
retry_count: 0
cycle: 1
tracker: jira
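Review bot: the new `detail` value under `sub_step` carries both a count ("18 tasks remaining") and a hand-typed list of ticket ids, and nothing keeps the two in step. The list does hold 18 ids as written, but the next batch can easily update one and leave the other stale. Keep only the id list, or keep the count and point to the tracker query that produces it.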
@@ -35,3 +35,16 @@ step_3_ac_gap_handling: rollback-to-6c (option A)
pass. AZ-456 → In Testing; report at
`_docs/03_implementation/batch_01_report.md`. Next batch picks up
AZ-457..AZ-482 (26 tasks remaining).
- 2026-05-11 batch 2 (AZ-457/459/465/481) shipped: 38 fast tests pass
+ 4 skipped; 19 static checks pass. Reports at
`_docs/03_implementation/batch_02_report.md`. 22 tasks remain.
- 2026-05-11 batch 3 (AZ-458/467/468/482) shipped: 57 fast tests pass
+ 9 skipped (drifts/quarantines); 22 static checks pass. Reports at
`_docs/03_implementation/batch_03_report.md`. 18 tasks remain.
Drifts documented (production follow-ups for Phase B): Header
flight-dropdown a11y (FT-P-30/31/N-09); ProtectedRoute spinner a11y
+ 10s timeout + route RBAC (FT-P-32/33, FT-N-03/05); SSE bearer-
rotation reconnect (AC-2 / NFT-PERF-03); AnnotationsPage annotation-
status SSE (FT-P-09/10/NFT-PERF-06). New deny-list source
`tests/security/banned-deps.json` + checker
`scripts/check-banned-deps.mjs` introduced (AZ-482 constraint).
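Review bot: in the batch 3 entry, "9 skipped (drifts/quarantines)" merges two categories that the commit message treats differently: drifts are asserted with it.fails() and QUARANTINE items are it.skip. If the 9 are all it.skip, label them as quarantines and report the it.fails() drifts as their own number, so the pass total does not hide expected failures. The Drifts sentence also lists route RBAC (FT-N-03/05) and the SSE bearer-rotation reconnect alongside a11y items with no follow-up ticket id; the commit message says the RBAC redirects have no production behavior today, so add the Phase B ticket reference here so the skipped access-control tests have an owner and a date to be re-enabled.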