From 19fd938a6cecc5053f5a71fd3d108fb1b404de86 Mon Sep 17 00:00:00 2001
From: Shankar <skreddy040@gmail.com>
Date: Mon, 27 Apr 2026 03:08:18 +0000
Subject: [PATCH] =?UTF-8?q?M-029=20Pass=203=20batch=20C=20(FINAL):=20T-1?=
 =?UTF-8?q?=20tests=20for=205=20list=20pages=20=E2=80=94=20Pass=203=20comp?=
 =?UTF-8?q?lete?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Closes M-029 Pass 3 fully. Every src/pages/*.tsx now has a *.test.tsx peer.

Audit recon: 'comm -23 <pages> <test-peers>' returns zero (all 14 T-1-deferred

pages now covered).

Test files added (each ships render-coverage + an XSS-hardening contract):

  - HealthMonitorPage.test.tsx     endpoint URL + last_error payloads

  - JobsPage.test.tsx              type / certificate_id / agent_id /

                                    error_message payloads

  - NetworkScanPage.test.tsx       network_range / agent_id / last_scan_message

                                    payloads

  - ProfilesPage.test.tsx          profile name / description / EKUs payloads

  - AgentFleetPage.test.tsx        agent name / hostname / OS / arch / IP

                                    payloads (mirrors the M-003 MCP fence shape)

Pass 3 totals across batches A + B + C: 14 new test files, 14/14 T-1-deferred

pages closed. Each test pins three invariants:

  1. The page renders against mock data without crashing.

  2. No live <script data-xss='...'> attaches to the DOM.

  3. The literal payload appears as escaped text content (proving the page

     surfaces the data without rendering it as HTML).

M-029 status after Pass 3:

  Pass 1 — useMutation -> useTrackedMutation     COMPLETE (6 batches, 56 -> 0)

  Pass 2 — useState pagination -> useListParams  COMPLETE (CertificatesPage)

  Pass 3 — XSS-hardening test suites             COMPLETE (14/14 pages)

M-029 IS NOW READY TO CLOSE.
---
 web/src/pages/AgentFleetPage.test.tsx    | 80 ++++++++++++++++++++++
 web/src/pages/HealthMonitorPage.test.tsx | 81 +++++++++++++++++++++++
 web/src/pages/JobsPage.test.tsx          | 75 +++++++++++++++++++++
 web/src/pages/NetworkScanPage.test.tsx   | 84 ++++++++++++++++++++++++
 web/src/pages/ProfilesPage.test.tsx      | 81 +++++++++++++++++++++++
 5 files changed, 401 insertions(+)
 create mode 100644 web/src/pages/AgentFleetPage.test.tsx
 create mode 100644 web/src/pages/HealthMonitorPage.test.tsx
 create mode 100644 web/src/pages/JobsPage.test.tsx
 create mode 100644 web/src/pages/NetworkScanPage.test.tsx
 create mode 100644 web/src/pages/ProfilesPage.test.tsx

diff --git a/web/src/pages/AgentFleetPage.test.tsx b/web/src/pages/AgentFleetPage.test.tsx
new file mode 100644
index 0000000..48bfcb8
--- /dev/null
+++ b/web/src/pages/AgentFleetPage.test.tsx
@@ -0,0 +1,80 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { render, screen, waitFor, cleanup } from '@testing-library/react';
+import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
+import { MemoryRouter } from 'react-router-dom';
+import type { ReactNode } from 'react';
+
+// -----------------------------------------------------------------------------
+// M-029 Pass 3 (Audit M-026): AgentFleetPage XSS-hardening + render coverage.
+// Agent name / hostname / OS / arch / IP are agent-self-reported (M-003 in
+// the MCP fence path); the GUI rendering must also be XSS-safe.
+// -----------------------------------------------------------------------------
+
+vi.mock('../api/client', () => ({
+  getAgents: vi.fn(),
+}));
+
+import AgentFleetPage from './AgentFleetPage';
+import * as client from '../api/client';
+
+function renderWithQuery(ui: ReactNode) {
+  const qc = new QueryClient({
+    defaultOptions: { queries: { retry: false, gcTime: 0, staleTime: 0 } },
+  });
+  return render(
+    <QueryClientProvider client={qc}>
+      <MemoryRouter>{ui}</MemoryRouter>
+    </QueryClientProvider>,
+  );
+}
+
+const xssPayload = '<script data-xss="agent-fleet">window.__xss_pwned__=1;</script>';
+
+const xssAgent = {
+  id: 'a-xss-001',
+  name: xssPayload,
+  hostname: xssPayload,
+  os: xssPayload,
+  architecture: xssPayload,
+  ip_address: xssPayload,
+  version: xssPayload,
+  status: 'online',
+  last_heartbeat_at: new Date().toISOString(),
+  agent_group_id: 'ag-xss',
+};
+
+describe('AgentFleetPage — render + XSS hardening (M-026 / M-029 Pass 3)', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    cleanup();
+    delete (window as unknown as { __xss_pwned__?: number }).__xss_pwned__;
+  });
+
+  it('renders the page header when getAgents resolves', async () => {
+    vi.mocked(client.getAgents).mockResolvedValue({ data: [], total: 0, page: 1, per_page: 50 } as never);
+    renderWithQuery(<AgentFleetPage />);
+    await waitFor(() => {
+      expect(screen.getByText(/Agent/i)).toBeInTheDocument();
+    });
+  });
+
+  it('does NOT execute <script> payloads in agent name / hostname / OS / arch / ip', async () => {
+    vi.mocked(client.getAgents).mockResolvedValue({
+      data: [xssAgent],
+      total: 1,
+      page: 1,
+      per_page: 50,
+    } as never);
+    renderWithQuery(<AgentFleetPage />);
+    await waitFor(() => {
+      expect(document.body.textContent ?? '').toContain('<script data-xss="agent-fleet">');
+    });
+
+    const liveScripts = document.querySelectorAll('script[data-xss="agent-fleet"]');
+    expect(liveScripts.length, 'agent fields must not inject a live <script>').toBe(0);
+    expect(
+      (window as unknown as { __xss_pwned__?: number }).__xss_pwned__,
+      'agent <script> body must not have executed',
+    ).toBeUndefined();
+  });
+});
diff --git a/web/src/pages/HealthMonitorPage.test.tsx b/web/src/pages/HealthMonitorPage.test.tsx
new file mode 100644
index 0000000..0eba7bf
--- /dev/null
+++ b/web/src/pages/HealthMonitorPage.test.tsx
@@ -0,0 +1,81 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { render, screen, waitFor, cleanup } from '@testing-library/react';
+import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
+import { MemoryRouter } from 'react-router-dom';
+import type { ReactNode } from 'react';
+
+// -----------------------------------------------------------------------------
+// M-029 Pass 3 (Audit M-026): HealthMonitorPage XSS-hardening + render
+// coverage. The endpoint URL is operator-supplied; the last_check error
+// message is server-rendered probe output.
+// -----------------------------------------------------------------------------
+
+vi.mock('../api/client', () => ({
+  listHealthChecks: vi.fn(),
+  createHealthCheck: vi.fn(),
+  deleteHealthCheck: vi.fn(),
+  acknowledgeHealthCheck: vi.fn(),
+  getHealthCheckSummary: vi.fn(),
+}));
+
+import HealthMonitorPage from './HealthMonitorPage';
+import * as client from '../api/client';
+
+function renderWithQuery(ui: ReactNode) {
+  const qc = new QueryClient({
+    defaultOptions: { queries: { retry: false, gcTime: 0, staleTime: 0 } },
+  });
+  return render(
+    <QueryClientProvider client={qc}>
+      <MemoryRouter>{ui}</MemoryRouter>
+    </QueryClientProvider>,
+  );
+}
+
+const xssPayload = '<script data-xss="health">window.__xss_pwned__=1;</script>';
+
+const xssCheck = {
+  id: 'hc-xss-001',
+  endpoint: xssPayload,
+  status: 'failing',
+  last_error: xssPayload,
+  last_checked_at: new Date().toISOString(),
+  acknowledged: false,
+};
+
+describe('HealthMonitorPage — render + XSS hardening (M-026 / M-029 Pass 3)', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    cleanup();
+    delete (window as unknown as { __xss_pwned__?: number }).__xss_pwned__;
+    vi.mocked(client.getHealthCheckSummary).mockResolvedValue({ total: 0, failing: 0, ok: 0 } as never);
+  });
+
+  it('renders the page header when listHealthChecks resolves', async () => {
+    vi.mocked(client.listHealthChecks).mockResolvedValue({ data: [], total: 0, page: 1, per_page: 100 } as never);
+    renderWithQuery(<HealthMonitorPage />);
+    await waitFor(() => {
+      expect(screen.getByText(/Health/i)).toBeInTheDocument();
+    });
+  });
+
+  it('does NOT execute <script> payloads in endpoint / last_error', async () => {
+    vi.mocked(client.listHealthChecks).mockResolvedValue({
+      data: [xssCheck],
+      total: 1,
+      page: 1,
+      per_page: 100,
+    } as never);
+    renderWithQuery(<HealthMonitorPage />);
+    await waitFor(() => {
+      expect(document.body.textContent ?? '').toContain('<script data-xss="health">');
+    });
+
+    const liveScripts = document.querySelectorAll('script[data-xss="health"]');
+    expect(liveScripts.length, 'health-check fields must not inject a live <script>').toBe(0);
+    expect(
+      (window as unknown as { __xss_pwned__?: number }).__xss_pwned__,
+      'health-check <script> body must not have executed',
+    ).toBeUndefined();
+  });
+});
diff --git a/web/src/pages/JobsPage.test.tsx b/web/src/pages/JobsPage.test.tsx
new file mode 100644
index 0000000..4925cd1
--- /dev/null
+++ b/web/src/pages/JobsPage.test.tsx
@@ -0,0 +1,75 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { render, screen, waitFor, cleanup } from '@testing-library/react';
+import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
+import { MemoryRouter } from 'react-router-dom';
+import type { ReactNode } from 'react';
+
+// -----------------------------------------------------------------------------
+// M-029 Pass 3 (Audit M-026): JobsPage XSS-hardening + render coverage.
+// Job error_message is upstream-CA / target-side text — operator-controllable.
+// -----------------------------------------------------------------------------
+
+vi.mock('../api/client', () => ({
+  getJobs: vi.fn(),
+  cancelJob: vi.fn(),
+  approveRenewal: vi.fn(),
+  rejectRenewal: vi.fn(),
+}));
+
+import JobsPage from './JobsPage';
+import * as client from '../api/client';
+
+function renderWithQuery(ui: ReactNode) {
+  const qc = new QueryClient({
+    defaultOptions: { queries: { retry: false, gcTime: 0, staleTime: 0 } },
+  });
+  return render(
+    <QueryClientProvider client={qc}>
+      <MemoryRouter>{ui}</MemoryRouter>
+    </QueryClientProvider>,
+  );
+}
+
+const xssPayload = '<script data-xss="jobs">window.__xss_pwned__=1;</script>';
+
+const xssJob = {
+  id: 'j-xss-001',
+  type: xssPayload,
+  status: 'Failed',
+  certificate_id: xssPayload,
+  agent_id: xssPayload,
+  error_message: xssPayload,
+  created_at: new Date().toISOString(),
+  updated_at: new Date().toISOString(),
+};
+
+describe('JobsPage — render + XSS hardening (M-026 / M-029 Pass 3)', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    cleanup();
+    delete (window as unknown as { __xss_pwned__?: number }).__xss_pwned__;
+  });
+
+  it('renders the page header when getJobs resolves', async () => {
+    vi.mocked(client.getJobs).mockResolvedValue({ data: [], total: 0, page: 1, per_page: 50 } as never);
+    renderWithQuery(<JobsPage />);
+    await waitFor(() => {
+      expect(screen.getByText(/Jobs/i)).toBeInTheDocument();
+    });
+  });
+
+  it('does NOT execute <script> payloads in job fields', async () => {
+    vi.mocked(client.getJobs).mockResolvedValue({ data: [xssJob], total: 1, page: 1, per_page: 50 } as never);
+    renderWithQuery(<JobsPage />);
+    await waitFor(() => {
+      expect(document.body.textContent ?? '').toContain('<script data-xss="jobs">');
+    });
+
+    const liveScripts = document.querySelectorAll('script[data-xss="jobs"]');
+    expect(liveScripts.length, 'job fields must not inject a live <script>').toBe(0);
+    expect(
+      (window as unknown as { __xss_pwned__?: number }).__xss_pwned__,
+      'job <script> body must not have executed',
+    ).toBeUndefined();
+  });
+});
diff --git a/web/src/pages/NetworkScanPage.test.tsx b/web/src/pages/NetworkScanPage.test.tsx
new file mode 100644
index 0000000..4694463
--- /dev/null
+++ b/web/src/pages/NetworkScanPage.test.tsx
@@ -0,0 +1,84 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { render, screen, waitFor, cleanup } from '@testing-library/react';
+import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
+import { MemoryRouter } from 'react-router-dom';
+import type { ReactNode } from 'react';
+
+// -----------------------------------------------------------------------------
+// M-029 Pass 3 (Audit M-026): NetworkScanPage XSS-hardening + render coverage.
+// Scan targets are operator-supplied CIDR / hostname strings; scan results
+// are server-side discovery output that may include attacker-controlled
+// cert subjects via the discovery surface.
+// -----------------------------------------------------------------------------
+
+vi.mock('../api/client', () => ({
+  getNetworkScanTargets: vi.fn(),
+  createNetworkScanTarget: vi.fn(),
+  updateNetworkScanTarget: vi.fn(),
+  deleteNetworkScanTarget: vi.fn(),
+  triggerNetworkScan: vi.fn(),
+}));
+
+import NetworkScanPage from './NetworkScanPage';
+import * as client from '../api/client';
+
+function renderWithQuery(ui: ReactNode) {
+  const qc = new QueryClient({
+    defaultOptions: { queries: { retry: false, gcTime: 0, staleTime: 0 } },
+  });
+  return render(
+    <QueryClientProvider client={qc}>
+      <MemoryRouter>{ui}</MemoryRouter>
+    </QueryClientProvider>,
+  );
+}
+
+const xssPayload = '<script data-xss="network-scan">window.__xss_pwned__=1;</script>';
+
+const xssScanTarget = {
+  id: 'ns-xss-001',
+  name: xssPayload,
+  network_range: xssPayload,
+  ports: '443,8443',
+  agent_id: xssPayload,
+  enabled: true,
+  last_scan_at: new Date().toISOString(),
+  last_scan_status: 'failed',
+  last_scan_message: xssPayload,
+};
+
+describe('NetworkScanPage — render + XSS hardening (M-026 / M-029 Pass 3)', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    cleanup();
+    delete (window as unknown as { __xss_pwned__?: number }).__xss_pwned__;
+  });
+
+  it('renders the page header when getNetworkScanTargets resolves', async () => {
+    vi.mocked(client.getNetworkScanTargets).mockResolvedValue({ data: [], total: 0, page: 1, per_page: 50 } as never);
+    renderWithQuery(<NetworkScanPage />);
+    await waitFor(() => {
+      expect(screen.getByText(/Network/i)).toBeInTheDocument();
+    });
+  });
+
+  it('does NOT execute <script> payloads in scan-target fields', async () => {
+    vi.mocked(client.getNetworkScanTargets).mockResolvedValue({
+      data: [xssScanTarget],
+      total: 1,
+      page: 1,
+      per_page: 50,
+    } as never);
+    renderWithQuery(<NetworkScanPage />);
+    await waitFor(() => {
+      expect(document.body.textContent ?? '').toContain('<script data-xss="network-scan">');
+    });
+
+    const liveScripts = document.querySelectorAll('script[data-xss="network-scan"]');
+    expect(liveScripts.length, 'scan-target fields must not inject a live <script>').toBe(0);
+    expect(
+      (window as unknown as { __xss_pwned__?: number }).__xss_pwned__,
+      'scan-target <script> body must not have executed',
+    ).toBeUndefined();
+  });
+});
diff --git a/web/src/pages/ProfilesPage.test.tsx b/web/src/pages/ProfilesPage.test.tsx
new file mode 100644
index 0000000..a67e8d6
--- /dev/null
+++ b/web/src/pages/ProfilesPage.test.tsx
@@ -0,0 +1,81 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { render, screen, waitFor, cleanup } from '@testing-library/react';
+import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
+import { MemoryRouter } from 'react-router-dom';
+import type { ReactNode } from 'react';
+
+// -----------------------------------------------------------------------------
+// M-029 Pass 3 (Audit M-026): ProfilesPage XSS-hardening + render coverage.
+// Profile name + description are operator-supplied free text.
+// -----------------------------------------------------------------------------
+
+vi.mock('../api/client', () => ({
+  getProfiles: vi.fn(),
+  deleteProfile: vi.fn(),
+  createProfile: vi.fn(),
+  updateProfile: vi.fn(),
+}));
+
+import ProfilesPage from './ProfilesPage';
+import * as client from '../api/client';
+
+function renderWithQuery(ui: ReactNode) {
+  const qc = new QueryClient({
+    defaultOptions: { queries: { retry: false, gcTime: 0, staleTime: 0 } },
+  });
+  return render(
+    <QueryClientProvider client={qc}>
+      <MemoryRouter>{ui}</MemoryRouter>
+    </QueryClientProvider>,
+  );
+}
+
+const xssPayload = '<script data-xss="profiles">window.__xss_pwned__=1;</script>';
+
+const xssProfile = {
+  id: 'cp-xss-001',
+  name: xssPayload,
+  description: xssPayload,
+  max_ttl_seconds: 3600,
+  allow_short_lived: false,
+  ekus: [xssPayload],
+  key_usages: [xssPayload],
+  san_types: [xssPayload],
+  created_at: new Date().toISOString(),
+};
+
+describe('ProfilesPage — render + XSS hardening (M-026 / M-029 Pass 3)', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    cleanup();
+    delete (window as unknown as { __xss_pwned__?: number }).__xss_pwned__;
+  });
+
+  it('renders the page header when getProfiles resolves', async () => {
+    vi.mocked(client.getProfiles).mockResolvedValue({ data: [], total: 0, page: 1, per_page: 50 } as never);
+    renderWithQuery(<ProfilesPage />);
+    await waitFor(() => {
+      expect(screen.getByText(/Profile/i)).toBeInTheDocument();
+    });
+  });
+
+  it('does NOT execute <script> payloads in profile name / description / EKUs', async () => {
+    vi.mocked(client.getProfiles).mockResolvedValue({
+      data: [xssProfile],
+      total: 1,
+      page: 1,
+      per_page: 50,
+    } as never);
+    renderWithQuery(<ProfilesPage />);
+    await waitFor(() => {
+      expect(document.body.textContent ?? '').toContain('<script data-xss="profiles">');
+    });
+
+    const liveScripts = document.querySelectorAll('script[data-xss="profiles"]');
+    expect(liveScripts.length, 'profile fields must not inject a live <script>').toBe(0);
+    expect(
+      (window as unknown as { __xss_pwned__?: number }).__xss_pwned__,
+      'profile <script> body must not have executed',
+    ).toBeUndefined();
+  });
+});