# Batch Report

**Batch**: 03
**Tasks**: AZ-458 (SSE lifecycle), AZ-467 (ProtectedRoute spinner/timeout/RBAC), AZ-468 (Header dropdown a11y), AZ-482 (secrets/banned-libs/AC-N1)
**Date**: 2026-05-11
**Cycle**: Phase A baseline, Step 6 — Implement Tests
**Total complexity**: 14 pts (5 + 4 + 2 + 3)

## Task Results

| Task | Status | Files Modified | Tests | AC Coverage | Issues |
|------|--------|---------------|-------|-------------|--------|
| AZ-458_test_sse_lifecycle | Done | 2 created (1 fast + 1 e2e) | 9 fast (8 pass, 1 skipped); 4 e2e (1 expected-fail, 1 skipped) | 3 / 3 ACs covered | 2 documented drifts (AC-2 bearer rotation `it.fails()`; annotation-status QUARANTINE `it.skip`) |
| AZ-467_test_protected_route_rbac | Done | 1 modified (extends batch-2 file) + 1 e2e created | 9 new fast (6 pass, 3 skipped); 3 e2e (2 expected-fail, 1 pass) | 4 / 4 ACs covered | 4 documented drifts (FT-P-32 `it.fails()`; FT-P-33/N-03/N-05 `it.skip` QUARANTINE) |
| AZ-468_test_header_dropdown | Done | 1 created (fast) | 6 fast (5 pass, 1 skipped) | 3 / 3 ACs covered | 3 documented drifts (FT-P-30/31 `it.fails()`; FT-N-09 `it.skip` QUARANTINE) |
| AZ-482_test_secrets_and_banned_libs | Done | 2 created (deny-list JSON + checker) + 1 modified (run-tests.sh) | 3 new static checks (STC-SEC13/14/1B); 4 existing checks refactored | 6 / 6 ACs covered | None — all checks PASS today (the production code is clean wrt the deny-lists; the value is in the future-proofing) |

## AC Test Coverage: All covered (16 / 16 ACs across the four tasks)

### AZ-458 — SSE lifecycle + bearer rotation (9 scenarios, 3 ACs)

| Scenario | Where | Profile | Status |
|----------|-------|---------|--------|
| FT-P-09 (annotation-status SSE opens on mount) | `tests/sse_lifecycle.test.tsx` + `e2e/tests/sse_lifecycle.e2e.ts` | fast + e2e | `it.skip` QUARANTINE (AnnotationsPage opens no SSE today) |
| FT-P-10 (annotation-status SSE closes on unmount) | same | fast + e2e | covered by FT-P-09 quarantine entry |
| FT-P-18 (live-GPS opens within 5s of select) | `tests/sse_lifecycle.test.tsx` | fast + e2e | PASS (fast); e2e gated by suite stack |
| FT-P-19 (live-GPS closes within 1s of deselect) | same | fast + e2e | PASS (fast); e2e gated |
| NFT-PERF-03 (bearer-rotation reconnect ≤5s) | `e2e/tests/sse_lifecycle.e2e.ts` | e2e | `test.fail(true)` — AC-2 drift; gated |
| NFT-PERF-04/05 (mirror FT-P-18/19) | `tests/sse_lifecycle.test.tsx` | fast | PASS |
| NFT-PERF-06 (annotation-status unsubscribes ≤1s) | `tests/sse_lifecycle.test.tsx` | fast | `it.skip` QUARANTINE |
| NFT-RES-02 (bearer rotation, both streams ≤5s) | `e2e/tests/sse_lifecycle.e2e.ts` | e2e | `test.fail` for live-GPS half; annotation-status half implicitly QUARANTINE |

**AC summary**:
- AC-1 Open/close timing → 4 fast tests cover live-GPS half (PASS); 2 QUARANTINE for annotation-status
- AC-2 Bearer rotation → `it.fails()` drift fast + `test.fail` e2e (both gated)
- AC-3 No internal stubs → satisfied by patching `globalThis.EventSource` (not `src/api/sse.ts`)

### AZ-467 — ProtectedRoute spinner + timeout + RBAC (7 scenarios, 4 ACs)

| Scenario | Where | Profile | Status |
|----------|-------|---------|--------|
| FT-P-32 (spinner a11y) | `src/auth/ProtectedRoute.test.tsx` | fast | `it.fails()` — aria attrs missing today |
| FT-P-33 (10s timeout fallback) | same | fast | `it.skip` QUARANTINE (no timeout path) |
| FT-N-03 (Operator → /admin redirects to /flights) | same + `e2e/tests/protected_route.e2e.ts` | fast + e2e | `it.skip` + `test.fail` (no RBAC gate today) |
| FT-N-05 (integrator-dave → /settings redirects) | same | fast + e2e | `it.skip` + `test.fail` |
| NFT-SEC-05 (`/admin` blocks non-admins) | same | fast | covered by FT-N-03 |
| NFT-SEC-06 (`/settings` route gate) | same | fast | covered by FT-N-05 |
| NFT-RES-04 (10s loading timeout fallback) | same | fast | covered by FT-P-33 |

**AC summary**:
- AC-1 Spinner a11y → `it.fails()` + control test asserting the gap
- AC-2 Timeout fallback → `it.skip` QUARANTINE + control test asserting the gap
- AC-3 RBAC redirects → `it.skip` QUARANTINE + control tests asserting the gap + positive control (Admin reaches /admin)
- AC-4 Both fast + e2e → fast tests (12 total; 9 new) + e2e file (3 tests; 2 gated as `test.fail`)

### AZ-468 — Header flight dropdown a11y (3 scenarios, 3 ACs)

| Scenario | Where | Profile | Status |
|----------|-------|---------|--------|
| FT-P-30 (closed-state a11y: aria-expanded=false) | `src/components/Header.test.tsx` | fast | `it.fails()` + control test |
| FT-P-31 (open-state a11y: aria-expanded=true + role=listbox + aria-activedescendant) | same | fast | `it.fails()` + control test |
| FT-N-09 (Escape close + handler detach) | same | fast | `it.skip` QUARANTINE + control test |

**AC summary**:
- AC-1 Closed state → `it.fails()` drift + control
- AC-2 Open state → `it.fails()` drift + control
- AC-3 Escape detach → `it.skip` QUARANTINE (no production keydown handler today) + control proving Escape is a no-op

### AZ-482 — Secrets/banned-libs/anti-criterion (6 scenarios, 6 ACs)

| Scenario | Where | Profile | Status |
|----------|-------|---------|--------|
| NFT-SEC-09 (OWM key absent from source) | `scripts/run-tests.sh::STC-SEC1` (existing) | static | PASS |
| NFT-SEC-09 (OWM key absent from dist/) | `scripts/run-tests.sh::STC-SEC1B` (new) → `scripts/check-banned-deps.mjs --kind=owm_key_in_dist` | static (post-build) | PASS |
| NFT-SEC-10 (no ML libs) | `STC-N2` refactored → `check-banned-deps.mjs --kind=ml_libs` reading `tests/security/banned-deps.json` | static | PASS |
| NFT-SEC-11 (no JOSE/signature libs) | `STC-N4` refactored → `--kind=signature_libs` | static | PASS |
| NFT-SEC-12 (no service worker — source) | `STC-N3` (existing) | static | PASS |
| NFT-SEC-12 (no service worker — runtime) | e2e companion deferred to suite stack — `navigator.serviceWorker.getRegistrations() === []` would assert at runtime | e2e | not implemented in fast (gated by suite browser); STC-N3 source check is the gating signal in CI today |
| NFT-SEC-13 (no dropped legacy integrations) | `STC-SEC13` (new) → `--kind=legacy_integrations` (WhatsApp/Telegram/D-Bus/libsignal) | static | PASS |
| NFT-SEC-14 (AC-N1 anti-criterion: no concurrent-edit reconcile) | `STC-SEC14` (new) → `--kind=concurrent_edit_patterns` | static | PASS |

**AC summary**:
- AC-1 OWM key absence (src + dist) → STC-SEC1 + STC-SEC1B
- AC-2 No ML libs → STC-N2 (now reads JSON)
- AC-3 No JOSE/signature libs → STC-N4 (now reads JSON)
- AC-4 No service worker → STC-N3 (source check); runtime e2e portion documented as gated
- AC-5 Dropped features absent → STC-SEC13
- AC-6 AC-N1 anti-criterion → STC-SEC14

**Constraint compliance**: deny-list lives in `tests/security/banned-deps.json` per AZ-482 constraint; additions to the JSON are visible in code review.

## Code Review Verdict: PASS_WITH_WARNINGS

Self-review walked inline per `.cursor/skills/code-review/SKILL.md` phases 1–7.

- **Phase 1 (Context)**: 4 task specs re-read; `_docs/02_document/module-layout.md` Blackbox Tests envelope respected; reuses helpers from AZ-456 (`tests/helpers/{render,auth,sse-mock}.ts`) and fixtures (`seed_users`, `seed_flights`). No new shared helpers introduced — the Header test inlines its FlightProvider wrapper (small one-off).
- **Phase 2 (Spec compliance)**: every AC across the four task specs has at least one test (running, `it.fails()`, or `it.skip` with QUARANTINE reason). Drift handling uniform with batch 2: `it.fails()` for documented production drift (attribute missing where the element exists), `it.skip` with QUARANTINE for behavior wholly absent (no Escape handler, no timeout logic, no RBAC check, no annotation-status SSE).
- **Phase 3 (Code quality)**: `check-banned-deps.mjs` has one function per concern (`checkPackageJson`, `checkSourceTree`, `checkDistTree`); test helpers (`withUser`, `wireAuthAndFlights`, `HeaderHarness`, `SseConsumer`, `SseConsumerNoTokenDep`) each carry one responsibility and are named for what they do; no bare catches; arrange/act/assert structure preserved across new tests.
- **Phase 4 (Security)**: no new secrets in test fixtures (reuses AZ-457's `test-bearer-default`); the AZ-482 changes strengthen security posture (more deny-lists enforced; checker is a single source of truth); no `eval` / `shell=True`; the `check-banned-deps.mjs` walks files and runs regex/literal checks only — no execution of test inputs.
- **Phase 5 (Performance)**: fast suite ~4.4 s wall-clock for 57 + 9-skipped tests (was 3 s for 38 + 4 skipped in batch 2 — +1.4 s for 19 new tests; well under 5 min budget). Static profile ~12 s for 22 checks (was 19 in batch 2; +3 from batch 3; STC-T1 + STC-B1 dominate at ~8 s combined and are unchanged). FT-P-32 takes ~1 s due to React Testing Library's default 1 s `findByRole` timeout while the `it.fails()` assertion waits — acceptable given the test count.
- **Phase 6 (Cross-task consistency)**: the four tasks touch **disjoint** subsystems (SSE vs ProtectedRoute vs Header vs deny-list checker). Shared surface = `tests/helpers/`, `tests/fixtures/`, `tests/msw/` — all consumed read-only. No contract collisions; no duplicate symbols. The `withUser()` helper in `ProtectedRoute.test.tsx` is local to that file by design (the role/permission seed-binding logic isn't reused yet — promotable to `tests/helpers/auth.ts` in a future batch if a third task needs it).
- **Phase 7 (Architecture compliance)**:
  - Test files import only public seams:
    - `tests/sse_lifecycle.test.tsx`: `createSSE` (public export of `src/api/sse.ts`); `setToken` (testability accessor on `src/api/client.ts`, landed by AZ-454).
    - `src/auth/ProtectedRoute.test.tsx`: `ProtectedRoute` default export; React-router primitives.
    - `src/components/Header.test.tsx`: `Header` default export; `FlightProvider` (public symbol on `FlightContext.tsx`).
  - No imports of `*.internal.*` files, no reaching into other components' private files.
  - E2E tests don't import any production modules — Playwright primitives only (consistent with AZ-457's e2e pattern).
  - No new cyclic module dependencies introduced (test files remain leaves in the import graph).

### Findings

1. **Low / Maintainability / Drift** — AZ-468 FT-P-30/31 use `it.fails()` to track the three missing aria attributes on `Header`'s flight-dropdown trigger (`aria-expanded`, `role=listbox`, `aria-activedescendant`); FT-N-09 is `it.skip` because the Header has no keydown handler at all. **Recommendation**: file a follow-up production task (`feat(header): flight-dropdown a11y + keyboard-Escape`) to flip these three drifts to passing.

2. **Low / Maintainability / Drift** — AZ-467 FT-P-32 uses `it.fails()` for missing spinner role + aria attrs; FT-P-33 / FT-N-03 / FT-N-05 are `it.skip` QUARANTINE because `src/auth/ProtectedRoute.tsx` has no timeout path and no RBAC gate today. **Recommendation**: three follow-up production tasks — (a) spinner a11y attributes (`role="status"`, `aria-live="polite"`, localized label); (b) 10 s timeout fallback with retry affordance; (c) `requirePermission` prop + opt-ins on `/admin` and `/settings` routes. The last task is the biggest — the suite already enforces RBAC server-side, so this is defence-in-depth.

3. **Low / Maintainability / Drift** — AZ-458 AC-2 bearer rotation uses `it.fails()` because `src/features/flights/FlightsPage.tsx:65-68` `useEffect` deps are `[selectedFlight, mode]` only (no token). The same drift applies to any future SSE consumer that omits the token dep. **Recommendation**: lift the bearer reactivity into a `useBearer()` hook (or take it from `useAuth()`) and include it in every SSE consumer's `useEffect` deps. Single follow-up production task.

4. **Low / Architecture / Quarantine** — AZ-458 FT-P-09/10/NFT-PERF-06 (annotation-status SSE) are `it.skip` QUARANTINE because `src/features/annotations/AnnotationsPage.tsx` does not call `createSSE` today. **Recommendation**: a Phase B feature task ("annotation-status live updates") to add the subscription. The test shape is already documented in the QUARANTINE comments.

5. **Low / Architecture / Interpretation (carried over from batches 1 & 2)** — Test helpers (`tests/helpers/{render,auth,sse-mock}.ts`) and test-only consumer harnesses (`SseConsumer`, `SseConsumerNoTokenDep` in `tests/sse_lifecycle.test.tsx`) import production accessors. Reaffirmed per the batch-1 / batch-2 rule: "Black-box discipline applies to test bodies, not to test setup helpers / composition-root wrappers / consumer-pattern mirrors".

## Auto-Fix Attempts: 0
## Stuck Agents: None

## Files Changed (8)

### Created — `tests/` (2)
```
tests/security/banned-deps.json       # AZ-482 deny-list source of truth (7 sections)
tests/sse_lifecycle.test.tsx          # AZ-458 fast — 9 tests (1 skipped)
```

### Created — `src/` (1)
```
src/components/Header.test.tsx        # AZ-468 fast — 6 tests (1 skipped)
```

### Created — `e2e/tests/` (2)
```
e2e/tests/sse_lifecycle.e2e.ts        # AZ-458 e2e — 4 scenarios (1 skipped, 1 expected-fail)
e2e/tests/protected_route.e2e.ts      # AZ-467 e2e — 3 scenarios (2 expected-fail, 1 pass)
```

### Created — `scripts/` (1)
```
scripts/check-banned-deps.mjs         # AZ-482 unified checker (kinds: ml_libs, signature_libs, persistence_libs, ws_graphql_ssr_libs, legacy_integrations, concurrent_edit_patterns, owm_key_in_dist)
```

### Modified (3)
```
scripts/run-tests.sh                  # Refactor STC-N2/N4/S13/S6 to delegate to check-banned-deps.mjs; add STC-SEC13, STC-SEC14, STC-SEC1B
src/auth/ProtectedRoute.test.tsx      # Extend batch-2 file with AZ-467 describe block (9 new tests; 6 new sentinels/helpers)
_docs/_autodev_state.md               # Batch 3 sub_step pointer + notes
```

## Verification Run (host)

```
$ bun run test:fast
 ✓ mission-planner/src/test/jsonImport.test.ts (6 tests) 6ms
 ✓ tests/wire_contract.test.ts (11 tests | 2 skipped) 19ms
 ✓ tests/infrastructure.test.ts (5 tests) 37ms
 ✓ tests/sse_lifecycle.test.tsx (9 tests | 1 skipped) 46ms
 ✓ src/api/client.test.ts (9 tests) 74ms
 ✓ tests/i18n.test.tsx (4 tests | 2 skipped) 4ms
 ✓ src/auth/AuthContext.test.tsx (4 tests) 234ms
 ✓ src/components/Header.test.tsx (6 tests | 1 skipped) 236ms
 ✓ src/auth/ProtectedRoute.test.tsx (12 tests | 3 skipped) 1176ms
 Test Files  9 passed (9)
      Tests  57 passed | 9 skipped (66)

$ ./scripts/run-tests.sh --static-only
[run-tests] static profile PASSED — 22/22 checks (was 19 in batch 2; +3 from batch 3)

$ ./scripts/run-tests.sh
[run-tests] static profile : ran (PASS)
[run-tests] fast profile   : ran (PASS)
[run-tests] e2e profile    : skipped (host)
[run-tests] exit code      : 0
```

E2E profile not exercised in this batch — same Risk 4 as batches 1 and 2 (requires `docker compose -f e2e/docker-compose.suite-e2e.yml up -d` plus parent-suite `:test` images). The e2e companion files (`e2e/tests/sse_lifecycle.e2e.ts`, `e2e/tests/protected_route.e2e.ts`) will run on the suite stack and exercise the real-wire portions of FT-P-18/19 + NFT-PERF-03 + NFT-RES-02 (AZ-458) and FT-N-03/05 (AZ-467).

## Next Batch

Remaining: 18 test-implementation tasks in `_docs/02_tasks/todo/`:
- AZ-460 (annotation save URL + payload, 2pts)
- AZ-461 (detection endpoints sync/async/long-video, 2pts)
- AZ-462 (overlay window membership, 2pts)
- AZ-463 (flight selection persistence + memory soaks, 3pts)
- AZ-464 (bulk-validate URL + body + UI sync, 2pts)
- AZ-466 (destructive UX + ConfirmDialog + no-alert, 4pts)
- AZ-469 (browser support + responsive variants, 2pts)
- AZ-470 (panel-width debounced PUT + rehydration, 2pts)
- AZ-471 (CanvasEditor draw/resize/multi-select/zoom/pan, 5pts)
- AZ-472 (DetectionClasses load + hotkeys + click + fallback, 3pts)
- AZ-473 (PhotoMode switch + auto-select + yoloId wire, 2pts) — soft dep on AZ-472
- AZ-474 (Tile-split + YOLO parser + auto-zoom + indicator, 3pts)
- AZ-475 (Numeric form hygiene, 2pts)
- AZ-476 (Upload 501 MB → 413 → user-visible error, 2pts)
- AZ-477 (Settings save 500/network resilience, 3pts)
- AZ-478 (Network offline + SSE disconnect + tainted-canvas, 3pts)
- AZ-479 (Bundle ≤2 MB + mission-planner excluded + FCP + soak, 3pts)
- AZ-480 (Prod image nginx:alpine + 500M + 9 routes + edge RAM, 3pts)

All carry **Component**: `Blackbox Tests` and **Dependencies**: `AZ-456` (✓ done). Soft cross-dep: AZ-473 needs AZ-472's DetectionClasses fixtures.

Suggested next batch (4 tasks, ~10 pts, dependency-disjoint at the file level): AZ-466 (destructive UX, 4pts — lands the `data-destructive` marker + `<DestructiveButton>` wrapper used by other tasks); AZ-475 (numeric form hygiene, 2pts); AZ-462 (overlay window membership, 2pts); AZ-460 (annotation save URL + payload, 2pts).

Recommendation: continue in a new conversation. Batch 3 added 5 new files + 3 new static checks + 19 new fast tests; the next batch will load distinct task specs and ConfirmDialog / overlay / annotations / numeric-form subsystems.