azaion/ui
1
0
Fork 0
mirror of https://github.com/azaion/ui.git synced 2026-06-21 23:21:10 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
20510887066c0c6f1c834f68e7127f852c936126
ui/tests/security/banned-deps.json
T
Oleksandr Bezdieniezhnykh 2051088706 [AZ-458] [AZ-467] [AZ-468] [AZ-482] Batch 3 - SSE/RBAC/Header/security tests 
Implements 4 blackbox-test tasks for AZ-455 Phase A baseline:

- AZ-458 SSE lifecycle + bearer rotation: 9 fast tests (8 pass, 1
  QUARANTINE for annotation-status); 4 e2e scenarios (gated by suite
  stack). Uses tests/helpers/sse-mock.ts with globalThis.EventSource
  monkey-patch per AC-3 (no stub of src/api/sse.ts). AC-2 bearer
  rotation captured as documented drift via it.fails() — FlightsPage
  useEffect deps do not include the token today.

- AZ-467 ProtectedRoute spinner + timeout + RBAC: 9 new fast tests
  extending the AZ-457 file (6 pass, 3 QUARANTINE), plus 3 e2e
  scenarios. FT-P-32 spinner a11y is it.fails() drift; FT-P-33 timeout
  and FT-N-03/05 RBAC redirects are it.skip QUARANTINE (no production
  behavior today). Positive control: admin_carol reaches /admin.

- AZ-468 Header flight-dropdown a11y: 6 fast tests (5 pass, 1
  QUARANTINE). FT-P-30/31 are it.fails() drift (aria-expanded /
  role=listbox / aria-activedescendant currently missing); FT-N-09
  is it.skip QUARANTINE (no document keydown handler exists).

- AZ-482 Secrets + banned-libs + AC-N1 anti-criterion: 3 new static
  checks (STC-SEC13 legacy integrations, STC-SEC14 concurrent-edit,
  STC-SEC1B dist/ OWM key) plus refactor of 4 existing checks
  (STC-N2/N4/S13/S6) to read from tests/security/banned-deps.json
  via scripts/check-banned-deps.mjs per AZ-482 constraint
  ("deny-list lives in tests/security/banned-deps.json so additions
  are visible in code review"). All 22 static checks PASS.

Totals: 57 fast tests pass + 9 skipped; 22/22 static checks pass.
Self-review verdict PASS_WITH_WARNINGS — all five findings are
documented drifts captured by it.fails() / it.skip QUARANTINE +
control tests. See _docs/03_implementation/batch_03_report.md
for the per-task / per-AC matrix and recommended Phase B follow-up
production tasks (Header a11y; ProtectedRoute spinner/timeout/RBAC;
SSE bearer-rotation reconnect; AnnotationsPage SSE).

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-11 03:46:18 +03:00

86 lines
2.5 KiB
JSON
Raw Blame History

{
"$comment": "Single source of truth for static deny-lists exercised by scripts/run-tests.sh static profile. Adding/removing entries here is the gate code-review enforces (per AZ-482 constraint: 'deny-list lives in tests/security/banned-deps.json so additions are visible in code review'). Each section names the AC it traces to and is consumed by scripts/check-banned-deps.mjs.",
"ml_libs": {
"ac": "NFT-SEC-10",
"scope": "package.json (dependencies + devDependencies)",
"match": "regex-on-name",
"patterns": [
"onnxruntime",
"tensorflow",
"tflite",
"coreml",
"tfjs",
"@tensorflow/",
"@huggingface/",
"transformers\\.js"
]
},
"signature_libs": {
"ac": "NFT-SEC-11",
"scope": "package.json (dependencies + devDependencies)",
"match": "regex-on-name",
"patterns": [
"jsrsasign",
"tweetnacl",
"@noble/",
"^jose$",
"^jsonwebtoken$",
"^node-forge$"
]
},
"persistence_libs": {
"ac": "O2 (NFR) — no client-side persistence library",
"scope": "package.json (dependencies + devDependencies)",
"match": "regex-on-name",
"patterns": [
"^localforage$",
"^idb$",
"^dexie$"
]
},
"ws_graphql_ssr_libs": {
"ac": "O11 (NFR) — no SSR/WS/GraphQL",
"scope": "package.json (dependencies + devDependencies)",
"match": "regex-on-name",
"patterns": [
"^ws$",
"^socket\\.io$",
"^graphql$",
"^apollo$",
"@apollo/",
"^grpc-web$",
"^react-dom/server$"
]
},
"legacy_integrations": {
"ac": "NFT-SEC-13 — dropped legacy integrations not present in source",
"scope": "src/ and mission-planner/ (production sources; tests excluded)",
"match": "ripgrep-pattern",
"patterns": [
"WhatsApp",
"TelegramBot",
"D-Bus",
"libsignal"
]
},
"concurrent_edit_patterns": {
"ac": "NFT-SEC-14 (AC-N1 anti-criterion) — no concurrent-edit reconciliation surface",
"scope": "src/ and mission-planner/ (production sources; tests excluded)",
"match": "ripgrep-pattern",
"patterns": [
"concurrent.edit",
"operational.transform",
"crdt",
"y-?websocket"
]
},
"owm_key_in_dist": {
"ac": "NFT-SEC-09 (AC-1, dist/ portion) — OpenWeatherMap key not shipped in built bundle",
"scope": "dist/ (post-`bun run build` artifacts)",
"match": "literal",
"patterns": [
"335799082893fad97fa36118b131f919"
]
}
}
Reference in New Issue View Git Blame Copy Permalink