azaion/ui
1
0
Fork 0
mirror of https://github.com/azaion/ui.git synced 2026-06-21 09:21:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

[AZ-457] [AZ-459] [AZ-465] [AZ-481] Batch 2 - auth/enum/i18n/CI tests

Browse Source 
Implements 22 blackbox test scenarios across the four batch-2 tasks:

AZ-457 - Auth & token handling (11 scenarios, fast + e2e):
- src/api/client.test.ts: FT-P-02, NFT-SEC-04, NFT-PERF-02, NFT-RES-01,
  NFT-RES-08 (apiClient surface)
- src/auth/AuthContext.test.tsx: FT-P-01 (it.fails - Step 4 drift),
  FT-P-03, NFT-SEC-01, NFT-SEC-02
- src/auth/ProtectedRoute.test.tsx: FT-N-04, NFT-RES-08 (router half)
- e2e/tests/auth.e2e.ts: FT-P-02 e2e, NFT-SEC-01/02/03 (cookie attrs
  via Playwright context.cookies(), gated by suite stack)

AZ-459 - Wire-contract enums (4 scenarios):
- tests/wire_contract.test.ts: FT-P-04 (AnnotationStatus, it.fails),
  FT-P-05 (MediaStatus + Affiliation it.fails; CombatReadiness skip
  per verification_pending), FT-P-06 (AnnotationSource control +
  spec value-set membership), FT-N-15 (typed-enum shape + skip for
  value-set verification)
- e2e/tests/wire_contract.e2e.ts: FT-P-06 against real annotations/
  service, drift-gated via AZAION_RUN_DRIFT_E2E
- scripts/run-tests.sh STC-FN15: ripgrep static for MediaType
  magic-literal hygiene

AZ-465 - i18n (4 scenarios, all static + quarantined fast):
- scripts/check-i18n-coverage.mjs: FT-P-22 (en vs ua key parity) +
  FT-P-23 (no raw user strings outside t() in src/**/*.tsx); refined
  JSX text-node regex with negative lookbehind to drop TS generics
  + arrow-function false positives
- tests/i18n-allowlist.json: snapshot of current pre-existing raw
  strings (CI gates growth per AZ-465 Constraints)
- tests/i18n.test.tsx: FT-P-24 + FT-P-25 it.skip (QUARANTINE - i18n
  detector + persistence not wired today; control tests assert the
  gap so the skip flips to a real test once Step 4 lands)

AZ-481 - CI image labels (3 scenarios, static against
  .woodpecker/build-arm.yml):
- scripts/check-ci-image-labels.mjs: NFT-RES-LIM-11 (tag scheme
  ${CI_COMMIT_BRANCH}-arm), NFT-RES-LIM-12 (revision/created/source
  PASS, image.title reported as DRIFT - foundation/CI-CD owns the
  fix), NFT-RES-LIM-13 (revision = $CI_COMMIT_SHA)

Cross-cutting:
- scripts/run-tests.sh: src_grep now excludes *.test.{ts,tsx} +
  *.spec.{ts,tsx} so production-source static checks (STC-SEC4,
  STC-FN15, etc.) don't false-positive on test prose
- tsconfig.json: exclude src/**/*.{test,spec}.{ts,tsx} so production
  tsc -b doesn't see jest-dom matchers
- _docs/03_implementation/batch_02_report.md: full per-task AC
  coverage matrix + drift inventory + verification run
- _docs/_autodev_state.md: 22 tasks remain after batch 2

Verification (host):
  fast    : 7 files, 38 passed | 4 skipped (quarantined)
  static  : 19/19 checks PASS (was 13 in batch 1; +6 from batch 2)
  e2e     : not run on host (Risk 4 - requires suite docker stack)

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Oleksandr Bezdieniezhnykh
2026-05-11 03:27:55 +03:00
parent 496b089102
commit ab22223580
18 changed files with 1910 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
scripts/run-tests.sh
+84 -2
View File
@@ -208,11 +208,21 @@ if [ "$RUN_STATIC" = "true" ]; then
# Source-tree text search. Prefer ripgrep when available (much faster on
# large trees), fall back to POSIX grep -r so the CI runner doesn't need rg.
# Test files (*.test.{ts,tsx}, *.spec.{ts,tsx}) are EXCLUDED — production
# static checks must observe production source only; test-file mentions of
# forbidden patterns (`document.cookie`, `localStorage.token`, etc.) are by
# design and would otherwise produce false positives.
src_grep() {
if command -v rg >/dev/null 2>&1; then
rg --no-messages --type ts --type tsx -e "$1" "${@:2}"
rg --no-messages --type ts --type tsx \
--glob '!**/*.test.ts' --glob '!**/*.test.tsx' \
--glob '!**/*.spec.ts' --glob '!**/*.spec.tsx' \
-e "$1" "${@:2}"
else
grep -rE --include='*.ts' --include='*.tsx' "$1" "${@:2}" 2>/dev/null
grep -rE --include='*.ts' --include='*.tsx' \
--exclude='*.test.ts' --exclude='*.test.tsx' \
--exclude='*.spec.ts' --exclude='*.spec.tsx' \
"$1" "${@:2}" 2>/dev/null
fi
}
@@ -260,6 +270,72 @@ if [ "$RUN_STATIC" = "true" ]; then
return 0
}
# AZ-459 FT-N-15 (rows 20, 21) — MediaType magic-literal hygiene. A regex
# sweep over `src/` for `mediaType OP <number-or-string-literal>` patterns;
# a hit means a comparison against a magic literal slipped past the typed
# enum. The codebase today uses `MediaType.Video` / `MediaType.Image` only.
static_check_no_mediatype_magic_literal() {
local hits_num hits_str
hits_num=$(src_grep 'mediaType\s*[!=]==?\s*[0-9]' "$PROJECT_ROOT/src" || true)
hits_str=$(src_grep "mediaType\s*[!=]==?\s*['\"]" "$PROJECT_ROOT/src" || true)
if [ -n "$hits_num" ] || [ -n "$hits_str" ]; then
[ -n "$hits_num" ] && echo "numeric magic literal:" >&2 && echo "$hits_num" >&2
[ -n "$hits_str" ] && echo "string magic literal:" >&2 && echo "$hits_str" >&2
return 1
fi
return 0
}
# AZ-457 NFT-SEC-01 (row 04) — bearer is never written to localStorage /
# sessionStorage. Static counterpart of the runtime check in
# src/auth/AuthContext.test.tsx. We allow harmless reads on i18n / settings
# storage; we forbid any setItem that mentions token / bearer / accessToken.
static_check_no_token_in_browser_storage() {
local hits
hits=$(src_grep '(local|session)Storage\.setItem\([^)]*(token|bearer|accessToken)' "$PROJECT_ROOT/src" "$PROJECT_ROOT/mission-planner" || true)
if [ -n "$hits" ]; then
echo "$hits" >&2
return 1
fi
return 0
}
# AZ-457 NFT-SEC-02 (row 05) — refresh token not exposed via document.cookie
# READS in production code. Per security-tests.md the regex is "document.cookie
# reads against refreshToken|refresh-cookie".
static_check_no_refresh_cookie_read() {
local hits
hits=$(src_grep 'document\.cookie' "$PROJECT_ROOT/src" || true)
if [ -n "$hits" ]; then
# Filter to lines that mention refresh / refreshToken / refresh-cookie.
local filtered
filtered=$(echo "$hits" | grep -iE 'refresh' || true)
if [ -n "$filtered" ]; then
echo "$filtered" >&2
return 1
fi
fi
return 0
}
# AZ-465 FT-P-22 + FT-P-23 — i18n key parity + t() coverage. Delegated to
# scripts/check-i18n-coverage.mjs so both modes (parity / coverage) reuse
# the same JSON loader, allow-list reader, and JSX scanner.
static_check_i18n_parity() {
node "$PROJECT_ROOT/scripts/check-i18n-coverage.mjs" --parity-only
}
static_check_i18n_coverage() {
node "$PROJECT_ROOT/scripts/check-i18n-coverage.mjs" --coverage-only
}
# AZ-481 NFT-RES-LIM-11/12/13 — CI image tag scheme + OCI labels (parses
# `.woodpecker/build-arm.yml`). Delegated to a Node script for shared
# parsing logic with the e2e companion.
static_check_ci_image_labels() {
node "$PROJECT_ROOT/scripts/check-ci-image-labels.mjs"
}
static_check_typecheck() {
bunx tsc --noEmit -p tsconfig.test.json
}
@@ -296,6 +372,12 @@ if [ "$RUN_STATIC" = "true" ]; then
run_static "STC-N3" "no service worker registration" "AC-N3" "n/a" static_check_no_service_worker
run_static "STC-SEC1" "no literal OWM key in src/" "SEC-09" "63" static_check_no_literal_owm_key
run_static "STC-SEC2" "no unpkg.com in src/" "SEC-09" "n/a" static_check_no_unpkg
run_static "STC-SEC3" "no bearer/token in browser storage" "AC-02" "04" static_check_no_token_in_browser_storage
run_static "STC-SEC4" "no document.cookie read of refresh" "AC-03" "05" static_check_no_refresh_cookie_read
run_static "STC-FN15" "no MediaType magic literal in src/" "AC-29" "20" static_check_no_mediatype_magic_literal
run_static "STC-FP22" "i18n key parity en vs ua" "AC-12" "45" static_check_i18n_parity
run_static "STC-FP23" "no raw user strings outside t()" "AC-12" "46" static_check_i18n_coverage
run_static "STC-CI11" "CI image tag + OCI labels (woodpecker)" "AC-32" "70" static_check_ci_image_labels
run_static "STC-T1" "tsc --noEmit (test config)" "AC-6" "n/a" static_check_typecheck
run_static "STC-B1" "vite build succeeds" "AC-6" "n/a" static_check_vite_build
run_static "STC-S5" "mission-planner not in dist/" "AC-31" "n/a" static_check_dist_no_mission_planner