azaion/ui
1
0
Fork 0
mirror of https://github.com/azaion/ui.git synced 2026-06-21 14:51:11 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
6c7e29722f3c3931faaa3103244951d02df153a4
ui/scripts/run-tests.sh
T
Oleksandr Bezdieniezhnykh c368f60853 [AZ-511] classColors carve-out to src/class-colors/ (closes F3) 
Move src/features/annotations/classColors.ts to its own component directory
src/class-colors/ with a proper barrel; update the 4 consumer imports to go
through the barrel; remove the F3-pending exemption from STC-ARCH-01 and from
the architecture test fixture; clean up the 5 coupled doc/script touchpoints.
Closes baseline finding F3 and retires the 5-coupled-places carry-over surface
logged in LESSONS.md 2026-05-12.

- Add `class-colors` to scripts/check-arch-imports.mjs COMPONENT_DIRS so deep
  imports past the new barrel are caught symmetric to every other component.
- Replace the architecture test "exemption WORKS" fixture with the stronger
  "deep import into class-colors NOW FAILS" assertion (Risk 4 mitigation).
- module-layout.md: Layout Rules + Per-Component Mapping (11_class-colors,
  06_annotations, 03_shared-ui) + Verification Needed #1 + shared/class-colors
  block all updated to reflect the new home.
- 11_class-colors/description.md: Caveats §7 + Module Inventory updated.
- architecture_compliance_baseline.md: F3 marked CLOSED with full pre-resolution
  context preserved (mirrors AZ-485/F4 + AZ-486/F7 pattern); F4 carry-forward
  exemption note retired.
- 04_verification_log.md: open questions #1 + #8 marked RESOLVED.
- Build passes with no circular-import warnings (AC-4); fast suite 231/13
  skipped green (AC-5); static profile green (AC-3 — zero exemptions remain).

Batch report: _docs/03_implementation/batch_14_cycle3_report.md

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-13 03:08:36 +03:00

668 lines
28 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
# Azaion UI — unit + blackbox test runner.
#
# Drives the test profiles specified in
# _docs/02_document/tests/environment.md and AZ-456:
# - static : repo + dist artifact checks (no runtime, host)
# - fast : Bun + Vitest + jsdom + MSW (host)
# - e2e : Playwright (Chromium + Firefox) inside the suite docker stack
#
# Reports land under ./test-output/ per AZ-456 (CSV + JUnit XML).
#
# Usage:
# scripts/run-tests.sh # static + fast (default; gates every commit per CI/CD Integration)
# scripts/run-tests.sh --unit-only # alias for default — fast + static, no e2e
# scripts/run-tests.sh --all # static + fast + e2e
# scripts/run-tests.sh --e2e-only # only the e2e profile
# scripts/run-tests.sh --static-only # only the static checks
# scripts/run-tests.sh --fast-only # only the fast profile
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
SUITE_ROOT="$(cd "$PROJECT_ROOT/.." && pwd)"
RESULTS_DIR="$PROJECT_ROOT/test-output"
RUN_STATIC=true
RUN_FAST=true
RUN_E2E=false
for arg in "$@"; do
case "$arg" in
--unit-only) RUN_STATIC=true; RUN_FAST=true; RUN_E2E=false ;;
--all) RUN_STATIC=true; RUN_FAST=true; RUN_E2E=true ;;
--e2e-only) RUN_STATIC=false; RUN_FAST=false; RUN_E2E=true ;;
--static-only) RUN_STATIC=true; RUN_FAST=false; RUN_E2E=false ;;
--fast-only) RUN_STATIC=false; RUN_FAST=true; RUN_E2E=false ;;
-h|--help)
sed -n '2,18p' "$0" | sed 's/^# \{0,1\}//'
exit 0
;;
*)
echo "Unknown argument: $arg" >&2
echo "Run with --help for usage." >&2
exit 2
;;
esac
done
E2E_COMPOSE_STARTED_HERE=false
cleanup() {
if [ "$E2E_COMPOSE_STARTED_HERE" = "true" ]; then
docker compose -f "$PROJECT_ROOT/e2e/docker-compose.suite-e2e.yml" down -v --remove-orphans || true
fi
}
trap cleanup EXIT
mkdir -p "$RESULTS_DIR"
cd "$PROJECT_ROOT"
echo "[run-tests] project root: $PROJECT_ROOT"
echo "[run-tests] suite root : $SUITE_ROOT"
echo "[run-tests] results dir : $RESULTS_DIR"
echo "[run-tests] profiles : static=$RUN_STATIC fast=$RUN_FAST e2e=$RUN_E2E"
# ----------------------------------------------------------------------------
# Install dependencies (mandatory — a fresh CI runner has nothing).
# ----------------------------------------------------------------------------
if [ "$RUN_FAST" = "true" ] || [ "$RUN_STATIC" = "true" ]; then
if ! command -v bun >/dev/null 2>&1; then
echo "[run-tests] FATAL: bun is required (project pins bun@1.3.11 per package.json packageManager)." >&2
exit 1
fi
echo "[run-tests] installing dependencies..."
if [ -f "$PROJECT_ROOT/bun.lock" ] || [ -f "$PROJECT_ROOT/bun.lockb" ]; then
bun install --frozen-lockfile
else
bun install
fi
fi
OVERALL_EXIT=0
# CSV rollup format (AZ-456 § Test Reporting):
# Test ID,Test Name,Profile,Execution Time (ms),Result,Error Message,Traces to AC,Traces to results_report.md row
csv_header() {
echo 'Test ID,Test Name,Profile,Execution Time (ms),Result,Error Message,Traces to AC,Traces to results_report.md row' > "$1"
}
csv_record() {
# $1 file, $2 id, $3 name, $4 profile, $5 exec_ms, $6 result, $7 err, $8 ac, $9 row
local file="$1" id="$2" name="$3" profile="$4" exec_ms="$5" result="$6" err="$7" ac="$8" row="$9"
# Escape any embedded quotes so the CSV stays well-formed.
err="${err//\"/\"\"}"
name="${name//\"/\"\"}"
printf '%s,"%s",%s,%s,%s,"%s",%s,%s\n' "$id" "$name" "$profile" "$exec_ms" "$result" "$err" "$ac" "$row" >> "$file"
}
# Portable millisecond clock — GNU coreutils `date +%s%3N` is unavailable on
# macOS / BSD, so fall back to python3 unconditionally.
millis() {
python3 -c 'import time; print(int(time.time()*1000))'
}
# ----------------------------------------------------------------------------
# Static profile — repo checks, type-check, build, ripgrep.
# Source: _docs/02_document/tests/blackbox-tests.md, security-tests.md,
# resource-limit-tests.md, traceability-matrix.md "STC-*" candidates.
# ----------------------------------------------------------------------------
if [ "$RUN_STATIC" = "true" ]; then
echo "[run-tests] === static profile ==="
STATIC_REPORT="$RESULTS_DIR/static-report.csv"
csv_header "$STATIC_REPORT"
STATIC_FAIL=0
run_static() {
# $1 id, $2 name, $3 ac, $4 row, $5 cmd
local id="$1" name="$2" ac="$3" row="$4"
shift 4
local start_ms result err
start_ms=$(millis)
if err=$("$@" 2>&1); then
result=PASS
else
result=FAIL
STATIC_FAIL=1
fi
local end_ms
end_ms=$(millis)
local exec_ms=$((end_ms - start_ms))
local err_summary=""
if [ "$result" = "FAIL" ]; then
err_summary=$(printf '%s' "$err" | tr '\n' ' ' | head -c 240)
echo " $result $id ${exec_ms}ms"
echo " $err_summary"
else
echo " $result $id ${exec_ms}ms"
fi
csv_record "$STATIC_REPORT" "$id" "$name" "static" "$exec_ms" "$result" "$err_summary" "$ac" "$row"
}
static_check_strict() {
if node -e 'const t=require("./tsconfig.json"); process.exit((t.compilerOptions && t.compilerOptions.strict === true) ? 0 : 1)' 2>/dev/null; then
return 0
fi
bunx tsc --showConfig | grep -q '"strict": true'
}
static_check_pinned_deps() {
node -e '
const p = require("./package.json");
const all = Object.assign({}, p.dependencies || {}, p.devDependencies || {});
const pin = (name, ver) => (all[name] || "").startsWith(ver) ? null : `${name}@${all[name] || "(missing)"} expected ${ver}*`;
const ban = (name) => all[name] ? `banned dep present: ${name}` : null;
const fails = [
pin("react", "^19"), pin("react-dom", "^19"), pin("vite", "^6"),
pin("tailwindcss", "^4"), pin("leaflet", "^1.9.4"), pin("react-leaflet", "^5"),
pin("chart.js", "^4"), pin("@hello-pangea/dnd", "^18"),
ban("redux"), ban("@reduxjs/toolkit"), ban("zustand"),
ban("@tanstack/react-query"), ban("@tanstack/query-core"),
(p.packageManager === "bun@1.3.11") ? null : `packageManager=${p.packageManager}`,
].filter(Boolean);
if (fails.length) { console.error(fails.join("; ")); process.exit(1); }
'
}
# AZ-482 — package.json deny-lists routed through the shared
# banned-deps.json source-of-truth. Each kind maps 1:1 to a JSON section.
static_check_no_ml_libs() {
node "$PROJECT_ROOT/scripts/check-banned-deps.mjs" --kind=ml_libs
}
static_check_no_signature_libs() {
node "$PROJECT_ROOT/scripts/check-banned-deps.mjs" --kind=signature_libs
}
static_check_no_persistence_libs() {
node "$PROJECT_ROOT/scripts/check-banned-deps.mjs" --kind=persistence_libs
}
static_check_no_ws_graphql() {
node "$PROJECT_ROOT/scripts/check-banned-deps.mjs" --kind=ws_graphql_ssr_libs
}
# AZ-482 — NFT-SEC-13 dropped legacy integrations and NFT-SEC-14 AC-N1
# anti-criterion. Source-tree scans gated on production code only (the
# banned-deps script applies the same `*.test.{ts,tsx}` exclusion src_grep
# uses below; tests are allowed to mention these tokens as documentation).
static_check_no_legacy_integrations() {
node "$PROJECT_ROOT/scripts/check-banned-deps.mjs" --kind=legacy_integrations
}
static_check_no_concurrent_edit() {
node "$PROJECT_ROOT/scripts/check-banned-deps.mjs" --kind=concurrent_edit_patterns
}
# AZ-466 — NFT-SEC-07 (no alert() outside the seeded allowlist) and
# NFT-SEC-08 (every destructive surface is reviewed: gated by ConfirmDialog
# OR recorded as known drift). Both delegate to check-banned-deps.mjs which
# reads tests/security/banned-deps.json.
static_check_no_alert() {
node "$PROJECT_ROOT/scripts/check-banned-deps.mjs" --kind=alert_calls
}
static_check_destructive_surfaces() {
node "$PROJECT_ROOT/scripts/check-banned-deps.mjs" --kind=destructive_surfaces
}
# AZ-482 — NFT-SEC-09 AC-1 dist/ portion. The src/ counterpart is STC-SEC1
# below; this check runs AFTER `bun run build` (STC-B1) so dist/ exists.
static_check_no_owm_key_in_dist() {
node "$PROJECT_ROOT/scripts/check-banned-deps.mjs" --kind=owm_key_in_dist
}
# AZ-499 — NFT-SEC-09 AC-1 source-tree portion. Complements STC-SEC1
# (which scans src/ for the `appid=<chars>` pattern only) by catching the
# exact rotated literal value across BOTH src/ AND mission-planner/. This
# closes the AZ-482 gap where mission-planner/'s hardcoded key survived
# because mission-planner/ stays out of dist/ (STC-S5) and src_grep here
# didn't include it.
static_check_no_owm_key_in_source() {
node "$PROJECT_ROOT/scripts/check-banned-deps.mjs" --kind=owm_key_in_source
}
# AZ-501 — F-SAST-1 — defense-in-depth gate that the literal Google Geocode
# API key cannot reappear in src/ or mission-planner/. The user revokes the
# key out-of-band (AZ-501 AC-6); this static check guards against an
# accidental git-history-paste reintroducing the same string. Mirrors the
# STC-SEC1C pattern (literal-string scan across both source trees).
static_check_no_google_key_in_source() {
node "$PROJECT_ROOT/scripts/check-banned-deps.mjs" --kind=google_key_in_source
}
# Source-tree text search. Prefer ripgrep when available (much faster on
# large trees), fall back to POSIX grep -r so the CI runner doesn't need rg.
# Test files (*.test.{ts,tsx}, *.spec.{ts,tsx}) are EXCLUDED — production
# static checks must observe production source only; test-file mentions of
# forbidden patterns (`document.cookie`, `localStorage.token`, etc.) are by
# design and would otherwise produce false positives.
src_grep() {
if command -v rg >/dev/null 2>&1; then
rg --no-messages --type ts --type tsx \
--glob '!**/*.test.ts' --glob '!**/*.test.tsx' \
--glob '!**/*.spec.ts' --glob '!**/*.spec.tsx' \
-e "$1" "${@:2}"
else
grep -rE --include='*.ts' --include='*.tsx' \
--exclude='*.test.ts' --exclude='*.test.tsx' \
--exclude='*.spec.ts' --exclude='*.spec.tsx' \
"$1" "${@:2}" 2>/dev/null
fi
}
static_check_no_legacy_features() {
local hits
hits=$(src_grep 'SoundDetections|DroneMaintenance' "$PROJECT_ROOT/src" "$PROJECT_ROOT/mission-planner" || true)
if [ -n "$hits" ]; then
echo "$hits" >&2
return 1
fi
return 0
}
static_check_no_service_worker() {
local hits
hits=$(src_grep 'serviceWorker\.register|navigator\.serviceWorker' "$PROJECT_ROOT/src" || true)
if [ -n "$hits" ]; then
echo "$hits" >&2
return 1
fi
return 0
}
static_check_no_literal_owm_key() {
# Lifted from QUARANTINE per AZ-447 (Step 4 testability fixed the hardcoded
# key). The narrowed pattern catches a real key value (`appid=<6+ chars>`)
# while ignoring env-var bindings (`VITE_OWM_API_KEY?: string`) and
# template-string callsites (`?appid=${apiKey}`).
local hits
hits=$(src_grep 'appid=[a-zA-Z0-9]{6,}' "$PROJECT_ROOT/src" 2>/dev/null | grep -vE 'import\.meta\.env|process\.env' || true)
if [ -n "$hits" ]; then
echo "$hits" >&2
return 1
fi
return 0
}
static_check_no_unpkg() {
local hits
hits=$(src_grep 'unpkg\.com' "$PROJECT_ROOT/src" || true)
if [ -n "$hits" ]; then
echo "$hits" >&2
return 1
fi
return 0
}
# AZ-459 FT-N-15 (rows 20, 21) — MediaType magic-literal hygiene. A regex
# sweep over `src/` for `mediaType OP <number-or-string-literal>` patterns;
# a hit means a comparison against a magic literal slipped past the typed
# enum. The codebase today uses `MediaType.Video` / `MediaType.Image` only.
static_check_no_mediatype_magic_literal() {
local hits_num hits_str
hits_num=$(src_grep 'mediaType\s*[!=]==?\s*[0-9]' "$PROJECT_ROOT/src" || true)
hits_str=$(src_grep "mediaType\s*[!=]==?\s*['\"]" "$PROJECT_ROOT/src" || true)
if [ -n "$hits_num" ] || [ -n "$hits_str" ]; then
[ -n "$hits_num" ] && echo "numeric magic literal:" >&2 && echo "$hits_num" >&2
[ -n "$hits_str" ] && echo "string magic literal:" >&2 && echo "$hits_str" >&2
return 1
fi
return 0
}
# AZ-457 NFT-SEC-01 (row 04) — bearer is never written to localStorage /
# sessionStorage. Static counterpart of the runtime check in
# src/auth/AuthContext.test.tsx. We allow harmless reads on i18n / settings
# storage; we forbid any setItem that mentions token / bearer / accessToken.
static_check_no_token_in_browser_storage() {
local hits
hits=$(src_grep '(local|session)Storage\.setItem\([^)]*(token|bearer|accessToken)' "$PROJECT_ROOT/src" "$PROJECT_ROOT/mission-planner" || true)
if [ -n "$hits" ]; then
echo "$hits" >&2
return 1
fi
return 0
}
# AZ-457 NFT-SEC-02 (row 05) — refresh token not exposed via document.cookie
# READS in production code. Per security-tests.md the regex is "document.cookie
# reads against refreshToken|refresh-cookie".
static_check_no_refresh_cookie_read() {
local hits
hits=$(src_grep 'document\.cookie' "$PROJECT_ROOT/src" || true)
if [ -n "$hits" ]; then
# Filter to lines that mention refresh / refreshToken / refresh-cookie.
local filtered
filtered=$(echo "$hits" | grep -iE 'refresh' || true)
if [ -n "$filtered" ]; then
echo "$filtered" >&2
return 1
fi
fi
return 0
}
# AZ-465 FT-P-22 + FT-P-23 — i18n key parity + t() coverage. Delegated to
# scripts/check-i18n-coverage.mjs so both modes (parity / coverage) reuse
# the same JSON loader, allow-list reader, and JSX scanner.
static_check_i18n_parity() {
node "$PROJECT_ROOT/scripts/check-i18n-coverage.mjs" --parity-only
}
static_check_i18n_coverage() {
node "$PROJECT_ROOT/scripts/check-i18n-coverage.mjs" --coverage-only
}
# AZ-481 NFT-RES-LIM-11/12/13 — CI image tag scheme + OCI labels (parses
# `.woodpecker/build-arm.yml`). Delegated to a Node script for shared
# parsing logic with the e2e companion.
static_check_ci_image_labels() {
node "$PROJECT_ROOT/scripts/check-ci-image-labels.mjs"
}
static_check_typecheck() {
bunx tsc --noEmit -p tsconfig.test.json
}
static_check_vite_build() {
bun run build
}
static_check_dist_no_mission_planner() {
if [ ! -d "$PROJECT_ROOT/dist" ]; then
echo "dist/ missing — run 'bun run build' first" >&2
return 1
fi
local hits
if command -v rg >/dev/null 2>&1; then
hits=$(rg --no-messages -e 'mission[-_ ]?planner' "$PROJECT_ROOT/dist" || true)
else
hits=$(grep -rE 'mission[-_ ]?planner' "$PROJECT_ROOT/dist" 2>/dev/null || true)
fi
if [ -n "$hits" ]; then
echo "$hits" >&2
return 1
fi
return 0
}
# AZ-480 NFT-RES-LIM-02 — nginx body cap is exactly 500M (one hit in the SPA
# server block). Pinning here so a regression that loosens it (or copies a
# second cap into a wrong block) lights up at commit time.
static_check_nginx_body_cap() {
if [ ! -f "$PROJECT_ROOT/nginx.conf" ]; then
echo "nginx.conf missing" >&2
return 1
fi
local hits
hits=$(grep -cE 'client_max_body_size[[:space:]]+500M' "$PROJECT_ROOT/nginx.conf" || true)
if [ "$hits" = "1" ]; then
return 0
fi
echo "expected exactly 1 'client_max_body_size 500M' in nginx.conf, found $hits (NFT-RES-LIM-02)" >&2
return 1
}
# AZ-480 NFT-RES-LIM-03 — production image is nginx:alpine (no Node). The
# e2e runtime probe (`docker run --rm $IMAGE which node`) is the second
# half of this AC; this static gate prevents a Dockerfile change from
# silently switching the final stage to a Node-based image.
static_check_dockerfile_nginx_alpine() {
if [ ! -f "$PROJECT_ROOT/Dockerfile" ]; then
echo "Dockerfile missing" >&2
return 1
fi
if ! grep -qE '^FROM[[:space:]]+nginx:alpine' "$PROJECT_ROOT/Dockerfile"; then
echo "Dockerfile final stage must be 'FROM nginx:alpine' (NFT-RES-LIM-03)" >&2
return 1
fi
# Reject any reference to oven/bun:* or node:* OUTSIDE of the AS build
# stage. The build stage is allowed (it's a multi-stage build); the
# final stage must not reference Node.
if awk '
/^FROM/ { stage = $0; in_final = ($0 !~ /AS[[:space:]]+build/) }
in_final && /^FROM/ && /(node|oven\/bun)/ { exit 1 }
' "$PROJECT_ROOT/Dockerfile"; then
return 0
fi
echo "Dockerfile final stage references Node — must be nginx:alpine only (NFT-RES-LIM-03)" >&2
return 1
}
# AZ-480 NFT-RES-LIM-09 — exactly 9 nginx /api/* location blocks (one per
# suite service: annotations, flights, admin, resource, detect, loader,
# gps-denied-desktop, gps-denied-onboard, autopilot). The non-/api/
# `location /` SPA fallback does NOT count.
static_check_nginx_route_count() {
if [ ! -f "$PROJECT_ROOT/nginx.conf" ]; then
echo "nginx.conf missing" >&2
return 1
fi
local hits
hits=$(grep -cE '^\s*location\s+/api/' "$PROJECT_ROOT/nginx.conf" || true)
if [ "$hits" = "9" ]; then
return 0
fi
echo "expected exactly 9 nginx /api/* location blocks, found $hits (NFT-RES-LIM-09)" >&2
return 1
}
# AZ-480 NFT-RES-LIM-10 — every /api/<service>/ route strips its prefix.
# The `proxy_pass http://<host>:<port>/` form (with trailing slash) is the
# nginx-canonical "strip the matched location prefix" idiom; we assert
# every /api/* location has such a proxy_pass directly underneath it.
# Equivalent `rewrite ^/api/<S>/(.*)$ /$1 break;` would also satisfy the
# AC but is not what nginx.conf uses today.
static_check_nginx_prefix_strip() {
if [ ! -f "$PROJECT_ROOT/nginx.conf" ]; then
echo "nginx.conf missing" >&2
return 1
fi
node -e '
const fs = require("node:fs");
const conf = fs.readFileSync("nginx.conf", "utf8");
const lines = conf.split(/\r?\n/);
const fails = [];
for (let i = 0; i < lines.length; i++) {
const m = lines[i].match(/^\s*location\s+(\/api\/[^\s{]+)/);
if (!m) continue;
// Look ahead within this block for either:
// proxy_pass http://...:<port>/ (note trailing slash)
// rewrite ^/api/<S>/(.*)$ /$1 break;
const route = m[1];
let depth = 0, found = false;
for (let j = i; j < lines.length; j++) {
if (lines[j].includes("{")) depth++;
if (lines[j].includes("}")) { depth--; if (depth === 0) break; }
if (/proxy_pass\s+https?:\/\/[^/\s;]+(:\d+)?\/\s*;/.test(lines[j])) { found = true; break; }
if (/rewrite\s+\^\/api\/[^/]+\/\(\.\*\)\$\s+\/\$1\s+break;/.test(lines[j])) { found = true; break; }
}
if (!found) fails.push(route);
}
if (fails.length) {
console.error("location blocks without prefix-strip: " + fails.join(", ") + " (NFT-RES-LIM-10)");
process.exit(1);
}
'
}
# AZ-485 F4 — STC-ARCH-01: no cross-component deep imports. After F4 every
# component exposes its Public API via `src/<component>/index.ts`; cross-
# component imports MUST go through the barrel, not reach into another
# component's internal files. Flags imports of the form
# from '../api/client'
# from '../../components/ConfirmDialog'
# from '../src/features/annotations/AnnotationsPage' (test files)
# Allowed:
# - barrel imports: from '../api', from '../../components', from '../class-colors'
# - intra-component: from './sse', from './MediaList' (./ not ..)
# No exemptions today — the prior F3 carry-over (classColors deep import) was
# closed by AZ-511 when the file moved to `src/class-colors/` with its own
# barrel.
static_check_no_cross_component_deep_imports() {
node "$PROJECT_ROOT/scripts/check-arch-imports.mjs" --mode=arch-imports
}
# AZ-486 F7 — STC-ARCH-02: no hardcoded `/api/<service>/` literals in
# production source. After F7 the single source of truth for API paths is
# `src/api/endpoints.ts`; every production callsite of `api.*` / `createSSE`
# must use an `endpoints.*` builder. Flags string literals of the form
# '/api/admin/users'
# "/api/admin/auth/refresh"
# `/api/flights/${id}/waypoints`
# Allowed:
# - the contract owner itself: src/api/endpoints.ts
# - test files: *.test.ts / *.test.tsx (the test file IS the contract)
static_check_no_api_literals() {
node "$PROJECT_ROOT/scripts/check-arch-imports.mjs" --mode=api-literals
}
# AZ-479 NFT-PERF-01 / NFT-RES-LIM-01 — initial JS bundle ≤ 2 MB gzipped.
# Same threshold + measurement as scripts/run-performance-tests.sh; this
# entry routes the gate through the static profile so every commit is
# checked (the perf script is run on demand).
static_check_bundle_size() {
if [ ! -d "$PROJECT_ROOT/dist/assets" ]; then
echo "dist/assets missing — run 'bun run build' first" >&2
return 1
fi
local total
total=$(
find "$PROJECT_ROOT/dist/assets" -maxdepth 1 -name '*.js' -print0 \
| xargs -0 -I{} sh -c 'gzip -c "{}" | wc -c' \
| awk '{ s += $1 } END { print (s ? s : 0) }'
)
local max=$((2 * 1024 * 1024))
if [ "$total" -le "$max" ]; then
return 0
fi
echo "initial JS bundle gzipped = ${total} bytes; budget = ${max} bytes (NFT-PERF-01)" >&2
return 1
}
run_static "STC-S1" "tsconfig strict mode" "AC-N1" "n/a" static_check_strict
run_static "STC-S2" "pinned core deps + banned" "AC-N6" "70" static_check_pinned_deps
run_static "STC-N2" "no in-browser ML libs" "AC-N2" "n/a" static_check_no_ml_libs
run_static "STC-N4" "no response-signature library" "AC-N4" "n/a" static_check_no_signature_libs
run_static "STC-S13" "no client-side persistence lib" "O2" "n/a" static_check_no_persistence_libs
run_static "STC-S6" "no WS/GraphQL/gRPC/SSR deps" "O11" "n/a" static_check_no_ws_graphql
run_static "STC-N5" "no legacy SoundDetections/DM" "AC-N5" "n/a" static_check_no_legacy_features
run_static "STC-N3" "no service worker registration" "AC-N3" "n/a" static_check_no_service_worker
run_static "STC-SEC1" "no literal OWM key in src/" "SEC-09" "63" static_check_no_literal_owm_key
run_static "STC-SEC2" "no unpkg.com in src/" "SEC-09" "n/a" static_check_no_unpkg
run_static "STC-SEC3" "no bearer/token in browser storage" "AC-02" "04" static_check_no_token_in_browser_storage
run_static "STC-SEC4" "no document.cookie read of refresh" "AC-03" "05" static_check_no_refresh_cookie_read
run_static "STC-FN15" "no MediaType magic literal in src/" "AC-29" "20" static_check_no_mediatype_magic_literal
run_static "STC-FP22" "i18n key parity en vs ua" "AC-12" "45" static_check_i18n_parity
run_static "STC-FP23" "no raw user strings outside t()" "AC-12" "46" static_check_i18n_coverage
run_static "STC-CI11" "CI image tag + OCI labels (woodpecker)" "AC-32" "70" static_check_ci_image_labels
run_static "STC-SEC13" "no legacy integrations in src/" "SEC-13" "n/a" static_check_no_legacy_integrations
run_static "STC-SEC14" "no concurrent-edit reconcile (AC-N1)" "SEC-14" "n/a" static_check_no_concurrent_edit
run_static "STC-SEC7" "no alert() outside allowlist" "SEC-07" "AZ-466" static_check_no_alert
run_static "STC-SEC8" "destructive surfaces reviewed (gated/drift)" "SEC-08" "AZ-466" static_check_destructive_surfaces
run_static "STC-T1" "tsc --noEmit (test config)" "AC-6" "n/a" static_check_typecheck
run_static "STC-B1" "vite build succeeds" "AC-6" "n/a" static_check_vite_build
run_static "STC-S5" "mission-planner not in dist/" "AC-31" "n/a" static_check_dist_no_mission_planner
run_static "STC-ARCH-01" "no cross-component deep imports (barrel-only)" "F4" "AZ-485" static_check_no_cross_component_deep_imports
run_static "STC-ARCH-02" "no hardcoded /api/<service>/ literals in src/" "F7" "AZ-486" static_check_no_api_literals
run_static "STC-PERF01" "initial JS bundle ≤ 2 MB gz" "NFT-PERF-01" "40" static_check_bundle_size
run_static "STC-RES02" "nginx client_max_body_size 500M" "NFT-RES-LIM-02" "n/a" static_check_nginx_body_cap
run_static "STC-RES03" "Dockerfile final stage nginx:alpine no Node" "NFT-RES-LIM-03" "n/a" static_check_dockerfile_nginx_alpine
run_static "STC-RES09" "nginx exactly 9 /api/* location blocks" "NFT-RES-LIM-09" "n/a" static_check_nginx_route_count
run_static "STC-RES10" "nginx prefix-strip on every /api/<S>/ route" "NFT-RES-LIM-10" "n/a" static_check_nginx_prefix_strip
run_static "STC-SEC1B" "no literal OWM key in dist/" "SEC-09" "63" static_check_no_owm_key_in_dist
run_static "STC-SEC1C" "no literal OWM key in src/ + mission-planner/" "SEC-09" "AZ-499" static_check_no_owm_key_in_source
run_static "STC-SEC1D" "no literal Google Geocode key in src/ + mission-planner/" "F-SAST-1" "AZ-501" static_check_no_google_key_in_source
if [ "$STATIC_FAIL" = "1" ]; then
echo "[run-tests] static profile FAILED — see $STATIC_REPORT"
OVERALL_EXIT=1
else
echo "[run-tests] static profile PASSED — see $STATIC_REPORT"
fi
fi
# ----------------------------------------------------------------------------
# Fast profile — Bun + Vitest + jsdom + MSW.
# Test files are colocated with src/ + the top-level tests/ tree.
# ----------------------------------------------------------------------------
if [ "$RUN_FAST" = "true" ]; then
echo "[run-tests] === fast profile ==="
FAST_REPORT="$RESULTS_DIR/fast-report.txt"
if grep -q '"test:fast"' "$PROJECT_ROOT/package.json" 2>/dev/null; then
echo "[fast] running bun run test:fast"
if bun run test:fast 2>&1 | tee "$FAST_REPORT"; then
echo "[run-tests] fast profile PASSED"
else
echo "[run-tests] fast profile FAILED — see $FAST_REPORT and $RESULTS_DIR/fast-report.xml"
OVERALL_EXIT=1
fi
else
echo "[fast] no test:fast script in package.json — AZ-456 not yet landed"
echo "[fast] SKIPPED (no runner)" | tee "$FAST_REPORT"
fi
fi
# ----------------------------------------------------------------------------
# E2E profile — Playwright (Chromium + Firefox) inside the suite docker stack.
# ----------------------------------------------------------------------------
if [ "$RUN_E2E" = "true" ]; then
echo "[run-tests] === e2e profile ==="
COMPOSE_FILE="$PROJECT_ROOT/e2e/docker-compose.suite-e2e.yml"
E2E_REPORT="$RESULTS_DIR/e2e-runner.log"
if [ ! -f "$COMPOSE_FILE" ]; then
echo "[e2e] FATAL: $COMPOSE_FILE not found." >&2
OVERALL_EXIT=1
elif ! command -v docker >/dev/null 2>&1; then
echo "[e2e] FATAL: docker is required for the e2e profile." >&2
OVERALL_EXIT=1
else
echo "[e2e] starting compose stack at $COMPOSE_FILE..."
docker compose -f "$COMPOSE_FILE" up -d --build
E2E_COMPOSE_STARTED_HERE=true
echo "[e2e] running playwright-runner..."
if docker compose -f "$COMPOSE_FILE" run --rm playwright-runner 2>&1 | tee "$E2E_REPORT"; then
echo "[run-tests] e2e profile PASSED"
else
echo "[run-tests] e2e profile FAILED — see $E2E_REPORT and $RESULTS_DIR/e2e-report.xml"
OVERALL_EXIT=1
fi
fi
fi
# ----------------------------------------------------------------------------
# Summary rollup
# ----------------------------------------------------------------------------
SUMMARY="$RESULTS_DIR/summary.csv"
csv_header "$SUMMARY"
{
if [ "$RUN_STATIC" = "true" ] && [ -f "$RESULTS_DIR/static-report.csv" ]; then
tail -n +2 "$RESULTS_DIR/static-report.csv"
fi
if [ "$RUN_FAST" = "true" ] && [ -f "$RESULTS_DIR/fast-report.xml" ]; then
# Vitest's JUnit XML is the canonical fast-profile rollup; the summary CSV
# records a single line so suite-level reporting can detect presence.
echo 'fast-profile,"vitest junit",fast,0,PASS,"see fast-report.xml",AC-4,n/a'
fi
if [ "$RUN_E2E" = "true" ] && [ -f "$RESULTS_DIR/e2e-report.xml" ]; then
echo 'e2e-profile,"playwright junit",e2e,0,PASS,"see e2e-report.xml",AC-5,n/a'
fi
} >> "$SUMMARY"
echo ""
echo "[run-tests] summary"
echo "[run-tests] static profile : $([ "$RUN_STATIC" = "true" ] && echo "ran" || echo "skipped")"
echo "[run-tests] fast profile : $([ "$RUN_FAST" = "true" ] && echo "ran" || echo "skipped")"
echo "[run-tests] e2e profile : $([ "$RUN_E2E" = "true" ] && echo "ran" || echo "skipped")"
echo "[run-tests] results dir : $RESULTS_DIR"
echo "[run-tests] summary file : $SUMMARY"
echo "[run-tests] exit code : $OVERALL_EXIT"
exit "$OVERALL_EXIT"
Reference in New Issue View Git Blame Copy Permalink