Bundle H follow-up #2: end-to-end fix for Pass 3 CI multi-match failures

Second CI run surfaced 8 real failures across 7 detail/list pages and 1

mock-shape error. Root causes:

  1. Multi-match disambiguation. screen.getByText(...) matched both the

     PageHeader <h2> AND duplicated text in InfoRow / detail-row spans

     within the same page (e.g., issuer name appears as page title AND

     in the Issuer Details panel; cert.common_name appears as page title

     AND in the Common Name InfoRow). The regex variants (getByText(/X/i))

     were even worse — matched any element containing the substring.

  2. NetworkScanPage mock-shape. xssScanTarget.ports was '443,8443'

     (string), but NetworkScanPage.tsx:180 calls t.ports?.join() which

     requires a number[] per src/api/types.ts:506. Page errored before

     rendering the DataTable, so the XSS test's body.textContent

     assertion saw an empty string.

Fixes:

  - Every page-title assertion in the 14 Pass 3 test files now uses

    screen.getByRole('heading', { level: 2, name: ... }), which matches

    ONLY the PageHeader <h2> (PageHeader.tsx:11 renders an actual <h2>).

    Detail-row spans / InfoRow text / column-header text in lower-level

    headings (h3) is excluded by the level filter.

  - NetworkScanPage xssScanTarget.ports changed from '443,8443' (string)

    to [443, 8443] (number[]) per the NetworkScanTarget TS type.

Pages with assertion fixes (8 tests across 7 files):

  - AgentFleetPage         /Agent/i        -> 'Agent Fleet Overview' (h2)

  - AuditPage              /Audit/         -> 'Audit Trail' (h2)

  - CertificateDetailPage  'plain.example.com' (text)  -> heading h2

  - HealthMonitorPage      /Health/i       -> 'Health Monitor' (h2)

  - IssuerDetailPage       'Plain Name' (text)         -> heading h2

  - JobDetailPage          /j-xss-001/ (text)          -> heading h2

  - JobsPage               /Jobs/i         -> 'Jobs' (h2)

  - ProfilesPage           /Profile/i      -> 'Certificate Profiles' (h2)

  - TargetDetailPage       'Plain Name' (text)         -> heading h2

Plus 4 already-correct pages updated for consistency:

  - DigestPage             text 'Certificate Digest'   -> heading h2

  - ObservabilityPage      text 'Observability'        -> heading h2

  - NetworkScanPage        /Network/i      -> 'Network Scanning' (h2)

  - ShortLivedPage         text 'Short-Lived...'       -> heading h2

Mock-shape fix:

  - NetworkScanPage.test.tsx  ports: '443,8443' -> [443, 8443]

End-to-end audit:

  Every Pass 3 test now anchors on the unambiguous PageHeader <h2>;

  no remaining getByText() with regex or substring that could spuriously

  multi-match. Mock data shapes verified against src/api/types.ts

  interfaces (NetworkScanTarget, MetricsResponse, ManagedCertificate).

web/src/pages/AgentFleetPage.test.tsx

@@ -54,7 +54,7 @@ describe('AgentFleetPage — render + XSS hardening (M-026 / M-029 Pass 3)', ()
     vi.mocked(client.getAgents).mockResolvedValue({ data: [], total: 0, page: 1, per_page: 50 } as never);
     renderWithQuery(<AgentFleetPage />);
     await waitFor(() => {
-      expect(screen.getByText(/Agent/i)).toBeInTheDocument();
+      expect(screen.getByRole('heading', { level: 2, name: /Agent Fleet Overview/i })).toBeInTheDocument();
     });
   });
 

web/src/pages/AuditPage.test.tsx

@@ -63,7 +63,7 @@ describe('AuditPage — render + XSS hardening (M-026 / M-029 Pass 3)', () => {
     vi.mocked(client.getAuditEvents).mockResolvedValue({ data: [], total: 0, page: 1, per_page: 50 } as never);
     renderWithQuery(<AuditPage />);
     await waitFor(() => {
-      expect(screen.getByText(/Audit/)).toBeInTheDocument();
+      expect(screen.getByRole('heading', { level: 2, name: 'Audit Trail' })).toBeInTheDocument();
     });
   });
 
@@ -77,7 +77,7 @@ describe('AuditPage — render + XSS hardening (M-026 / M-029 Pass 3)', () => {
 
     renderWithQuery(<AuditPage />);
     await waitFor(() => {
-      expect(screen.getByText(/Audit/)).toBeInTheDocument();
+      expect(screen.getByRole('heading', { level: 2, name: 'Audit Trail' })).toBeInTheDocument();
     });
 
     const liveScripts = document.querySelectorAll('script[data-xss="audit"]');

web/src/pages/CertificateDetailPage.test.tsx

@@ -96,7 +96,7 @@ describe('CertificateDetailPage — render + XSS hardening (M-026 / M-029 Pass 3
     vi.mocked(client.getCertificate).mockResolvedValue({ ...xssCert, common_name: 'plain.example.com' } as never);
     renderRoute(<CertificateDetailPage />);
     await waitFor(() => {
-      expect(screen.getByText('plain.example.com')).toBeInTheDocument();
+      expect(screen.getByRole('heading', { level: 2, name: 'plain.example.com' })).toBeInTheDocument();
     });
   });
 

web/src/pages/DigestPage.test.tsx

@@ -52,7 +52,7 @@ describe('DigestPage — render + XSS hardening (M-026 / M-029 Pass 3)', () => {
     vi.mocked(client.previewDigest).mockResolvedValue('<p>Today 5 certs expire</p>' as never);
     renderWithQuery(<DigestPage />);
     await waitFor(() => {
-      expect(screen.getByText('Certificate Digest')).toBeInTheDocument();
+      expect(screen.getByRole('heading', { level: 2, name: 'Certificate Digest' })).toBeInTheDocument();
     });
   });
 
@@ -65,7 +65,7 @@ describe('DigestPage — render + XSS hardening (M-026 / M-029 Pass 3)', () => {
       // Wait for the preview surface to render (the page settles into
       // either the preview pane or an error pane — either way the
       // page-load cycle is done by the time the header text appears).
-      expect(screen.getByText('Certificate Digest')).toBeInTheDocument();
+      expect(screen.getByRole('heading', { level: 2, name: 'Certificate Digest' })).toBeInTheDocument();
     });
 
     // No live script with our marker may be attached to the DOM, AND no
@@ -82,7 +82,7 @@ describe('DigestPage — render + XSS hardening (M-026 / M-029 Pass 3)', () => {
     vi.mocked(client.previewDigest).mockRejectedValue(new Error('preview failed') as never);
     renderWithQuery(<DigestPage />);
     await waitFor(() => {
-      expect(screen.getByText('Certificate Digest')).toBeInTheDocument();
+      expect(screen.getByRole('heading', { level: 2, name: 'Certificate Digest' })).toBeInTheDocument();
     });
   });
 });

web/src/pages/HealthMonitorPage.test.tsx

@@ -55,7 +55,7 @@ describe('HealthMonitorPage — render + XSS hardening (M-026 / M-029 Pass 3)',
     vi.mocked(client.listHealthChecks).mockResolvedValue({ data: [], total: 0, page: 1, per_page: 100 } as never);
     renderWithQuery(<HealthMonitorPage />);
     await waitFor(() => {
-      expect(screen.getByText(/Health/i)).toBeInTheDocument();
+      expect(screen.getByRole('heading', { level: 2, name: /Health Monitor/i })).toBeInTheDocument();
     });
   });
 

web/src/pages/IssuerDetailPage.test.tsx

@@ -62,7 +62,7 @@ describe('IssuerDetailPage — render + XSS hardening (M-026 / M-029 Pass 3)', (
     vi.mocked(client.getCertificates).mockResolvedValue({ data: [], total: 0, page: 1, per_page: 50 } as never);
     renderRoute(<IssuerDetailPage />);
     await waitFor(() => {
-      expect(screen.getByText('Plain Name')).toBeInTheDocument();
+      expect(screen.getByRole('heading', { level: 2, name: 'Plain Name' })).toBeInTheDocument();
     });
   });
 

web/src/pages/JobDetailPage.test.tsx

@@ -65,7 +65,7 @@ describe('JobDetailPage — render + XSS hardening (M-026 / M-029 Pass 3)', () =
     vi.mocked(client.getAuditEvents).mockResolvedValue({ data: [], total: 0, page: 1, per_page: 10 } as never);
     renderRoute(<JobDetailPage />);
     await waitFor(() => {
-      expect(screen.getByText(/j-xss-001/)).toBeInTheDocument();
+      expect(screen.getByRole('heading', { level: 2, name: /j-xss-001/ })).toBeInTheDocument();
     });
   });
 

web/src/pages/JobsPage.test.tsx

@@ -54,7 +54,7 @@ describe('JobsPage — render + XSS hardening (M-026 / M-029 Pass 3)', () => {
     vi.mocked(client.getJobs).mockResolvedValue({ data: [], total: 0, page: 1, per_page: 50 } as never);
     renderWithQuery(<JobsPage />);
     await waitFor(() => {
-      expect(screen.getByText(/Jobs/i)).toBeInTheDocument();
+      expect(screen.getByRole('heading', { level: 2, name: 'Jobs' })).toBeInTheDocument();
     });
   });
 

web/src/pages/NetworkScanPage.test.tsx

@@ -39,7 +39,7 @@ const xssScanTarget = {
   id: 'ns-xss-001',
   name: xssPayload,
   network_range: xssPayload,
-  ports: '443,8443',
+  ports: [443, 8443],
   agent_id: xssPayload,
   enabled: true,
   last_scan_at: new Date().toISOString(),
@@ -58,7 +58,7 @@ describe('NetworkScanPage — render + XSS hardening (M-026 / M-029 Pass 3)', ()
     vi.mocked(client.getNetworkScanTargets).mockResolvedValue({ data: [], total: 0, page: 1, per_page: 50 } as never);
     renderWithQuery(<NetworkScanPage />);
     await waitFor(() => {
-      expect(screen.getByText(/Network/i)).toBeInTheDocument();
+      expect(screen.getByRole('heading', { level: 2, name: 'Network Scanning' })).toBeInTheDocument();
     });
   });
 

web/src/pages/ObservabilityPage.test.tsx

@@ -70,7 +70,7 @@ describe('ObservabilityPage — render + XSS hardening (M-026 / M-029 Pass 3)',
 
     renderWithQuery(<ObservabilityPage />);
     await waitFor(() => {
-      expect(screen.getByText('Observability')).toBeInTheDocument();
+      expect(screen.getByRole('heading', { level: 2, name: 'Observability' })).toBeInTheDocument();
     });
   });
 
@@ -94,7 +94,7 @@ describe('ObservabilityPage — render + XSS hardening (M-026 / M-029 Pass 3)',
 
     renderWithQuery(<ObservabilityPage />);
     await waitFor(() => {
-      expect(screen.getByText('Observability')).toBeInTheDocument();
+      expect(screen.getByRole('heading', { level: 2, name: 'Observability' })).toBeInTheDocument();
     });
 
     const liveScripts = document.querySelectorAll('script[data-xss="observability"]');

web/src/pages/ProfilesPage.test.tsx

@@ -55,7 +55,7 @@ describe('ProfilesPage — render + XSS hardening (M-026 / M-029 Pass 3)', () =>
     vi.mocked(client.getProfiles).mockResolvedValue({ data: [], total: 0, page: 1, per_page: 50 } as never);
     renderWithQuery(<ProfilesPage />);
     await waitFor(() => {
-      expect(screen.getByText(/Profile/i)).toBeInTheDocument();
+      expect(screen.getByRole('heading', { level: 2, name: /Certificate Profiles/i })).toBeInTheDocument();
     });
   });
 

web/src/pages/ShortLivedPage.test.tsx

@@ -66,7 +66,7 @@ describe('ShortLivedPage — render + XSS hardening (M-026 / M-029 Pass 3)', ()
     vi.mocked(client.getProfiles).mockResolvedValue({ data: [], total: 0, page: 1, per_page: 50 } as never);
     renderWithQuery(<ShortLivedPage />);
     await waitFor(() => {
-      expect(screen.getByText('Short-Lived Credentials')).toBeInTheDocument();
+      expect(screen.getByRole('heading', { level: 2, name: 'Short-Lived Credentials' })).toBeInTheDocument();
     });
   });
 
@@ -86,7 +86,7 @@ describe('ShortLivedPage — render + XSS hardening (M-026 / M-029 Pass 3)', ()
 
     renderWithQuery(<ShortLivedPage />);
     await waitFor(() => {
-      expect(screen.getByText('Short-Lived Credentials')).toBeInTheDocument();
+      expect(screen.getByRole('heading', { level: 2, name: 'Short-Lived Credentials' })).toBeInTheDocument();
     });
 
     const liveScripts = document.querySelectorAll('script[data-xss="shortlived"]');

web/src/pages/TargetDetailPage.test.tsx

@@ -63,7 +63,7 @@ describe('TargetDetailPage — render + XSS hardening (M-026 / M-029 Pass 3)', (
     vi.mocked(client.getJobs).mockResolvedValue({ data: [], total: 0, page: 1, per_page: 50 } as never);
     renderRoute(<TargetDetailPage />);
     await waitFor(() => {
-      expect(screen.getByText('Plain Name')).toBeInTheDocument();
+      expect(screen.getByRole('heading', { level: 2, name: 'Plain Name' })).toBeInTheDocument();
     });
   });