[AZ-458] [AZ-467] [AZ-468] [AZ-482] Batch 3 - SSE/RBAC/Header/security tests

Implements 4 blackbox-test tasks for AZ-455 Phase A baseline:

- AZ-458 SSE lifecycle + bearer rotation: 9 fast tests (8 pass, 1
  QUARANTINE for annotation-status); 4 e2e scenarios (gated by suite
  stack). Uses tests/helpers/sse-mock.ts with globalThis.EventSource
  monkey-patch per AC-3 (no stub of src/api/sse.ts). AC-2 bearer
  rotation captured as documented drift via it.fails() — FlightsPage
  useEffect deps do not include the token today.

- AZ-467 ProtectedRoute spinner + timeout + RBAC: 9 new fast tests
  extending the AZ-457 file (6 pass, 3 QUARANTINE), plus 3 e2e
  scenarios. FT-P-32 spinner a11y is it.fails() drift; FT-P-33 timeout
  and FT-N-03/05 RBAC redirects are it.skip QUARANTINE (no production
  behavior today). Positive control: admin_carol reaches /admin.

- AZ-468 Header flight-dropdown a11y: 6 fast tests (5 pass, 1
  QUARANTINE). FT-P-30/31 are it.fails() drift (aria-expanded /
  role=listbox / aria-activedescendant currently missing); FT-N-09
  is it.skip QUARANTINE (no document keydown handler exists).

- AZ-482 Secrets + banned-libs + AC-N1 anti-criterion: 3 new static
  checks (STC-SEC13 legacy integrations, STC-SEC14 concurrent-edit,
  STC-SEC1B dist/ OWM key) plus refactor of 4 existing checks
  (STC-N2/N4/S13/S6) to read from tests/security/banned-deps.json
  via scripts/check-banned-deps.mjs per AZ-482 constraint
  ("deny-list lives in tests/security/banned-deps.json so additions
  are visible in code review"). All 22 static checks PASS.

Totals: 57 fast tests pass + 9 skipped; 22/22 static checks pass.
Self-review verdict PASS_WITH_WARNINGS — all five findings are
documented drifts captured by it.fails() / it.skip QUARANTINE +
control tests. See _docs/03_implementation/batch_03_report.md
for the per-task / per-AC matrix and recommended Phase B follow-up
production tasks (Header a11y; ProtectedRoute spinner/timeout/RBAC;
SSE bearer-rotation reconnect; AnnotationsPage SSE).

Co-authored-by: Cursor <cursoragent@cursor.com>

scripts/check-banned-deps.mjs

@@ -0,0 +1,184 @@
+#!/usr/bin/env node
+// AZ-482 — static deny-list enforcement driven by tests/security/banned-deps.json.
+//
+// One canonical implementation that the run-tests.sh static profile delegates to,
+// so adding or removing a banned dependency / pattern is a one-file change visible
+// in code review (per AZ-482 constraint).
+//
+// Usage:
+//   node scripts/check-banned-deps.mjs --kind=<key> [--root=<repo-root>]
+//
+// Exit code 0 on PASS (no hits); non-zero on FAIL (writes the hit list to stderr).
+
+import { readFileSync, statSync, readdirSync } from 'node:fs'
+import { join, dirname, resolve, relative } from 'node:path'
+import { fileURLToPath } from 'node:url'
+
+const __filename = fileURLToPath(import.meta.url)
+const __dirname = dirname(__filename)
+
+function parseArgs(argv) {
+  const out = { kind: null, root: resolve(__dirname, '..') }
+  for (const a of argv.slice(2)) {
+    if (a.startsWith('--kind=')) out.kind = a.slice('--kind='.length)
+    else if (a.startsWith('--root=')) out.root = resolve(a.slice('--root='.length))
+    else if (a === '-h' || a === '--help') {
+      // eslint-disable-next-line no-console
+      console.error('Usage: check-banned-deps.mjs --kind=<key> [--root=<repo-root>]')
+      process.exit(0)
+    }
+  }
+  if (!out.kind) {
+    process.stderr.write('check-banned-deps: --kind is required\n')
+    process.exit(2)
+  }
+  return out
+}
+
+function loadDenylist(root) {
+  const path = join(root, 'tests', 'security', 'banned-deps.json')
+  return JSON.parse(readFileSync(path, 'utf8'))
+}
+
+function loadPackageJson(root) {
+  return JSON.parse(readFileSync(join(root, 'package.json'), 'utf8'))
+}
+
+function namesFromPackageJson(pkg) {
+  return Object.keys({ ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) })
+}
+
+function checkPackageJson(section, root) {
+  const pkg = loadPackageJson(root)
+  const names = namesFromPackageJson(pkg)
+  const regexes = section.patterns.map((p) => new RegExp(p, 'i'))
+  const hits = []
+  for (const name of names) {
+    for (const re of regexes) {
+      if (re.test(name)) {
+        hits.push(`${name} matched /${re.source}/i`)
+        break
+      }
+    }
+  }
+  return hits
+}
+
+// File walker — yields paths under `dir` that match the included extensions.
+// Skips dist/, node_modules/, test-output/, and any `*.test.{ts,tsx}` /
+// `*.spec.{ts,tsx}` files (production source only, mirrors run-tests.sh src_grep).
+const IGNORED_DIRS = new Set([
+  'node_modules', 'dist', 'build', 'test-output', 'test-results',
+  'coverage', '.git', '.cache', 'playwright-report', 'blob-report',
+])
+const SOURCE_EXT = ['.ts', '.tsx', '.js', '.jsx', '.mjs', '.cjs']
+const TEST_NAME_RE = /\.(test|spec)\.(ts|tsx|js|jsx|mjs|cjs)$/i
+
+function* walkSourceFiles(rootDir) {
+  let entries
+  try {
+    entries = readdirSync(rootDir, { withFileTypes: true })
+  } catch {
+    return
+  }
+  for (const entry of entries) {
+    const full = join(rootDir, entry.name)
+    if (entry.isDirectory()) {
+      if (IGNORED_DIRS.has(entry.name)) continue
+      yield* walkSourceFiles(full)
+    } else if (entry.isFile()) {
+      const ext = '.' + entry.name.split('.').pop()
+      if (!SOURCE_EXT.includes(ext)) continue
+      if (TEST_NAME_RE.test(entry.name)) continue
+      yield full
+    }
+  }
+}
+
+function checkSourceTree(section, root, subdirs) {
+  const regexes = section.patterns.map((p) => new RegExp(p, 'i'))
+  const hits = []
+  for (const sub of subdirs) {
+    const full = join(root, sub)
+    try { statSync(full) } catch { continue }
+    for (const file of walkSourceFiles(full)) {
+      let text
+      try { text = readFileSync(file, 'utf8') } catch { continue }
+      const lines = text.split('\n')
+      lines.forEach((line, idx) => {
+        for (const re of regexes) {
+          if (re.test(line)) {
+            hits.push(`${relative(root, file)}:${idx + 1}: ${line.trim().slice(0, 200)} (matched /${re.source}/i)`)
+            break
+          }
+        }
+      })
+    }
+  }
+  return hits
+}
+
+function* walkAnyFiles(rootDir) {
+  let entries
+  try {
+    entries = readdirSync(rootDir, { withFileTypes: true })
+  } catch {
+    return
+  }
+  for (const entry of entries) {
+    const full = join(rootDir, entry.name)
+    if (entry.isDirectory()) {
+      if (IGNORED_DIRS.has(entry.name)) continue
+      yield* walkAnyFiles(full)
+    } else if (entry.isFile()) {
+      yield full
+    }
+  }
+}
+
+function checkDistTree(section, root) {
+  const dist = join(root, 'dist')
+  try { statSync(dist) } catch {
+    process.stderr.write('dist/ missing — run `bun run build` before this check\n')
+    process.exit(1)
+  }
+  const hits = []
+  for (const file of walkAnyFiles(dist)) {
+    let text
+    try { text = readFileSync(file, 'utf8') } catch { continue }
+    for (const literal of section.patterns) {
+      if (text.includes(literal)) {
+        hits.push(`${relative(root, file)} contains banned literal: ${literal}`)
+      }
+    }
+  }
+  return hits
+}
+
+function main() {
+  const { kind, root } = parseArgs(process.argv)
+  const denylist = loadDenylist(root)
+  const section = denylist[kind]
+  if (!section) {
+    process.stderr.write(`unknown --kind=${kind}; available: ${Object.keys(denylist).filter((k) => !k.startsWith('$')).join(', ')}\n`)
+    process.exit(2)
+  }
+
+  let hits = []
+  if (kind === 'owm_key_in_dist') {
+    hits = checkDistTree(section, root)
+  } else if (kind === 'legacy_integrations' || kind === 'concurrent_edit_patterns') {
+    hits = checkSourceTree(section, root, ['src', 'mission-planner'])
+  } else {
+    hits = checkPackageJson(section, root)
+  }
+
+  if (hits.length) {
+    process.stderr.write(`banned (${kind} / ${section.ac}):\n`)
+    for (const h of hits) process.stderr.write(`  ${h}\n`)
+    process.exit(1)
+  }
+  process.exit(0)
+}
+
+main()

scripts/run-tests.sh

@@ -166,44 +166,40 @@ if [ "$RUN_STATIC" = "true" ]; then
     '
   }
 
+  # AZ-482 — package.json deny-lists routed through the shared
+  # banned-deps.json source-of-truth. Each kind maps 1:1 to a JSON section.
   static_check_no_ml_libs() {
-    node -e '
-      const p = require("./package.json");
-      const all = Object.assign({}, p.dependencies || {}, p.devDependencies || {});
-      const re = /(onnxruntime|tensorflow|tflite|coreml|tfjs|@tensorflow\/|@huggingface\/|transformers\.js)/i;
-      const hits = Object.keys(all).filter(n => re.test(n));
-      if (hits.length) { console.error("banned ML deps:", hits.join(", ")); process.exit(1); }
-    '
+    node "$PROJECT_ROOT/scripts/check-banned-deps.mjs" --kind=ml_libs
   }
 
   static_check_no_signature_libs() {
-    node -e '
-      const p = require("./package.json");
-      const all = Object.assign({}, p.dependencies || {}, p.devDependencies || {});
-      const re = /(jsrsasign|tweetnacl|@noble\/|^jose$)/i;
-      const hits = Object.keys(all).filter(n => re.test(n));
-      if (hits.length) { console.error("signature libs:", hits.join(", ")); process.exit(1); }
-    '
+    node "$PROJECT_ROOT/scripts/check-banned-deps.mjs" --kind=signature_libs
   }
 
   static_check_no_persistence_libs() {
-    node -e '
-      const p = require("./package.json");
-      const all = Object.assign({}, p.dependencies || {}, p.devDependencies || {});
-      const re = /^(localforage|idb|dexie)$/i;
-      const hits = Object.keys(all).filter(n => re.test(n));
-      if (hits.length) { console.error("persistence libs:", hits.join(", ")); process.exit(1); }
-    '
+    node "$PROJECT_ROOT/scripts/check-banned-deps.mjs" --kind=persistence_libs
   }
 
   static_check_no_ws_graphql() {
-    node -e '
-      const p = require("./package.json");
-      const all = Object.assign({}, p.dependencies || {}, p.devDependencies || {});
-      const re = /^(ws|socket\.io|graphql|apollo|@apollo\/|grpc-web|react-dom\/server)$/i;
-      const hits = Object.keys(all).filter(n => re.test(n));
-      if (hits.length) { console.error("banned deps:", hits.join(", ")); process.exit(1); }
-    '
+    node "$PROJECT_ROOT/scripts/check-banned-deps.mjs" --kind=ws_graphql_ssr_libs
+  }
+
+  # AZ-482 — NFT-SEC-13 dropped legacy integrations and NFT-SEC-14 AC-N1
+  # anti-criterion. Source-tree scans gated on production code only (the
+  # banned-deps script applies the same `*.test.{ts,tsx}` exclusion src_grep
+  # uses below; tests are allowed to mention these tokens as documentation).
+  static_check_no_legacy_integrations() {
+    node "$PROJECT_ROOT/scripts/check-banned-deps.mjs" --kind=legacy_integrations
+  }
+
+  static_check_no_concurrent_edit() {
+    node "$PROJECT_ROOT/scripts/check-banned-deps.mjs" --kind=concurrent_edit_patterns
+  }
+
+  # AZ-482 — NFT-SEC-09 AC-1 dist/ portion. The src/ counterpart is STC-SEC1
+  # below; this check runs AFTER `bun run build` (STC-B1) so dist/ exists.
+  static_check_no_owm_key_in_dist() {
+    node "$PROJECT_ROOT/scripts/check-banned-deps.mjs" --kind=owm_key_in_dist
   }
 
   # Source-tree text search. Prefer ripgrep when available (much faster on
@@ -378,9 +374,12 @@ if [ "$RUN_STATIC" = "true" ]; then
   run_static "STC-FP22" "i18n key parity en vs ua"       "AC-12"  "45"   static_check_i18n_parity
   run_static "STC-FP23" "no raw user strings outside t()"   "AC-12"  "46"   static_check_i18n_coverage
   run_static "STC-CI11" "CI image tag + OCI labels (woodpecker)" "AC-32" "70" static_check_ci_image_labels
+  run_static "STC-SEC13" "no legacy integrations in src/" "SEC-13" "n/a"  static_check_no_legacy_integrations
+  run_static "STC-SEC14" "no concurrent-edit reconcile (AC-N1)" "SEC-14" "n/a"  static_check_no_concurrent_edit
   run_static "STC-T1"  "tsc --noEmit (test config)"     "AC-6"   "n/a"  static_check_typecheck
   run_static "STC-B1"  "vite build succeeds"            "AC-6"   "n/a"  static_check_vite_build
   run_static "STC-S5"  "mission-planner not in dist/"   "AC-31"  "n/a"  static_check_dist_no_mission_planner
+  run_static "STC-SEC1B" "no literal OWM key in dist/"   "SEC-09" "63"   static_check_no_owm_key_in_dist
 
   if [ "$STATIC_FAIL" = "1" ]; then
     echo "[run-tests] static profile FAILED — see $STATIC_REPORT"