70fb452805
[AZ-510] Auth bootstrap: POST refresh + chained /users/me
...
Replace the broken `GET /api/admin/auth/refresh` (no `credentials:'include'`)
mount-time bootstrap with `POST /api/admin/auth/refresh` (with credentials)
chained to `GET /api/admin/users/me`. Returning users with a valid HttpOnly
refresh cookie no longer flash through `/login`. Closes Finding B3 / Vision P3.
- Add module-scoped `bootstrapInflight` guard (StrictMode double-mount safety)
+ test-only reset hook exported via the `src/auth` barrel; `tests/setup.ts`
resets it in `afterEach` to prevent pending-promise leakage between tests.
- Defensive `hasPermission` against legacy `/users/me` payloads omitting
`permissions`; default MSW handler now seeds `permissions` explicitly.
- Add `endpoints.admin.usersMe()` builder (STC-ARCH-02 forbids the literal).
- Bulk-swap 15 test files from `http.get` -> `http.post` for the refresh
override so intentional bootstrap-fail tests still fail correctly.
- Update auth component description; mark B3 closed.
- Code review verdict PASS; static + fast suites green (231 / 13 skipped).
Batch report: _docs/03_implementation/batch_13_cycle3_report.md
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-05-13 02:59:31 +03:00
23746ec61d
[AZ-485] Add Public API barrels + STC-ARCH-01 (F4 close)
...
Closes architecture baseline finding F4. Every component now exposes
its Public API through `src/<component>/index.ts`; cross-component
imports go through the barrel. `scripts/check-arch-imports.mjs` plus
`STC-ARCH-01` in the static profile enforce the rule; tests in
`tests/architecture_imports.test.ts` cover AC-4/AC-5 + 2 exemption
cases. One F3-pending exemption (`classColors`) is documented in 5
places (barrel, consumer, script, doc, test) to avoid a circular
import.
Phase B cycle 1 batch 1 of 2 (epic AZ-447). Batch 2 is AZ-486
(endpoint builders) — blocked on this commit landing.
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-05-11 10:33:30 +03:00
cdebfccada
[AZ-471] [AZ-473] [AZ-478] [AZ-479] Batch 7 - canvas/photo-mode/network/perf tests
...
ci/woodpecker/push/build-arm Pipeline was successful
- AZ-471 CanvasEditor draw + 8-handle resize PASS (FT-P-39 fast +
e2e + FT-P-40 8 sub-tests). Three drifts pinned via it.fails():
Ctrl+click multi-select (FT-P-41), Ctrl+wheel zoom-around-cursor
(FT-P-42), Ctrl+drag empty-canvas pan (FT-P-43) — all rooted in
handleMouseDown's early Ctrl-gate and handleWheel's
pan-not-adjusted bug.
- AZ-473 PhotoMode 3 ACs all PASS in fast + e2e (FT-P-48 switch
filter, FT-P-49 auto-select, FT-P-50 yoloId wire across modes
P=0/20/40 — outbound classNum == classId + photoModeOffset).
- AZ-478 fast 7 + e2e 2: AC-1 user-visible offline indicator,
AC-2 tainted-canvas fallback, AC-3 SSE disconnect banner —
all drift today (it.fails fast + test.fail e2e + control
PASS for each). Service-worker negative check passes.
- AZ-479 AC-1 (bundle <= 2 MB gzipped) promoted from
on-demand perf script to per-commit static profile via new
STC-PERF01 row + static_check_bundle_size in run-tests.sh.
AC-2 (mission-planner exclusion) already covered by STC-S5.
AC-3 FCP /flights <= 3 s median (chromium suite-e2e) and
AC-4 30-min annotation soak (RUN_LONG_RUNNING=1, chromium)
scaffolded as e2e tests.
Code review: PASS (0 findings). Fast: 25/25 files, 150 passed
/ 13 skipped. Static: 25/25 PASS (incl. new STC-PERF01).
Co-authored-by: Cursor <cursoragent@cursor.com >
2026-05-11 05:58:55 +03:00
Oleksandr Bezdieniezhnykh