gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-09 15:38:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

test(gui): Vitest coverage for the 2026-05-10/11 GUI batch (Fix 12)

Browse Source 
Audit 2026-05-11 Fix 12 closure. The original GUI-batch commit
661b6db claimed 'npx tsc --noEmit PASS' but shipped no Vitest
cases for the new surfaces, leaving the regression-prevention
layer wide open. This closure backfills 35 cases across five
files; the next refactor of KeysPage's assign modal that drops
scope_type, or the AuthProvider demo-banner predicate that
gets flipped to !authRequired, surfaces in CI instead of
silently shipping.

What's added:

* web/src/pages/auth/UsersPage.test.tsx (NEW, 8 cases) — pins
  the MED-11 closure's UsersPage flow: active rows render the
  Active status pill, deactivated rows render dimmed with the
  Deactivated <timestamp> status, Deactivate button fires the
  API call after confirm() returns true and is a no-op on
  false, Reactivate button works inversely, provider filter
  narrows the underlying authListUsers call (undefined vs
  provider-id), empty list renders the placeholder, loading
  renders 'Loading users…'.

* web/src/pages/auth/AuthSettingsPage.test.tsx (EXTENDED, +4
  cases) — the pre-existing 2 cases only exercised identity +
  bootstrap status; the runtime-config panel (MED-12 closure)
  had no test. New cases cover: per-key row rendering,
  alphabetical sort (stable for log-scraping correlation),
  empty-value '(empty)' placeholder, 403 rejected query
  silently hides the panel (non-admins shouldn't see the
  shell).

* web/src/pages/auth/KeysPage.test.tsx (EXTENDED, +8 cases) —
  the HIGH-10 GUI half added scope picker + scope_id input +
  expires_at datetime-local to the assign modal but the
  pre-existing test only asserted (actor, role). New cases
  pin the third opts arg shape: global hides scope_id input,
  profile/issuer scope reveal scope_id + mark required,
  trimmed scope_id round-trips into the body, global omits
  scope_id (undefined NOT empty string), empty expires_at
  omits the field, filled expires_at gets :00Z appended for
  RFC3339 promotion, whitespace-only scope_id fires the
  'scope_id is required' typed error WITHOUT calling the
  API, actor-demo-anon row hides both assign and revoke
  affordances.

* web/src/pages/auth/RoleDetailPage.test.tsx (NEW, 9 cases) —
  no test file pre-Fix 12. Pins the MED-8 scope picker for
  AddPermissionForm: global hides scope_id, profile reveals +
  gates the Add button until scope_id is filled, submit POSTs
  {permission, scope_type: profile, scope_id} with whitespace
  trimming, global submit omits scope keys entirely, issuer
  scope path, Add button stays disabled without a permission
  selection. Plus the LOW-11 default-role delete-button hide:
  r-admin renders the role-delete-disabled-tooltip + NO
  role-delete-button, r-auditor same, custom role renders the
  delete button. The DEFAULT_ROLE_IDS set tracking the
  migration-seeded role ids is the load-bearing client-side
  decision so a future drift between migrations and the GUI
  set surfaces here too.

* web/src/components/AuthProvider.test.tsx (NEW, 5 cases) —
  the LOW-1 demo banner had no test for its visibility
  predicate. Pins all four authType branches (none → visible,
  api-key → hidden, oidc → hidden, loading → hidden to avoid
  flash) plus the rejected-getAuthInfo branch: the catch
  treats failure as an old-server-fallback to demo mode (no
  authType mutation, loading flips false), so the banner
  SHOWS — that's the actual behavior, and pinning it prevents
  a future change from silently hiding the banner when the
  /auth/info endpoint is unreachable.

Spec deviations: Phase 6 (Layout.test.tsx users-nav) and
Phase 7 (per-Fix tests for Fixes 03/05/07/09/10) live on those
fixes' own branches — already authored there. Including them
here would have produced merge conflicts.

Verify gate:

* tsc --noEmit — clean
* vitest run touched files — 40/40 pass (8 + 6 + 12 + 9 + 5,
  including the 2 + 4 + 4 pre-existing cases in the extended
  AuthSettingsPage + KeysPage files)
* full suite (162 tests across 15 files) green — no regression
  from the panel-mount-in-existing-page setup or the new
  mocked-module entries.

Refs cowork/auth-bundles-fixes-2026-05-11/12-test-vitest-gui-coverage.md.
This commit is contained in:
shankar0123
2026-05-11 12:18:08 +00:00
parent b3e3a8dbb1
commit 8564e2fcd6
6 changed files with 864 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
CHANGELOG.md
+31
View File
@@ -2,6 +2,37 @@
## Unreleased
### Tests
- **Vitest coverage for the 2026-05-10/11 GUI batch (Audit 2026-05-11 Fix 12).**
The original GUI-batch commit `661b6db` claimed `npx tsc --noEmit PASS`
but shipped no Vitest cases for the new surfaces. The regression-
prevention layer was missing — a future refactor of `KeysPage`'s
assign modal could silently drop scope_type handling, the LOW-1 demo
banner could be hidden by a stray predicate flip, the LOW-11 hide of
the delete button on default roles could disappear and let operators
click straight into a backend 409, and nothing would surface in CI.
This closure adds 35 new test cases across five files:
`web/src/pages/auth/UsersPage.test.tsx` (new, 8 cases pinning the
active/deactivated/reactivate flow + provider filter + empty state +
loading state), `web/src/pages/auth/AuthSettingsPage.test.tsx`
(extended +4 cases pinning the MED-12 runtime-config panel —
alphabetical sort, `(empty)` placeholder, 403 silent-hide),
`web/src/pages/auth/KeysPage.test.tsx` (extended +8 cases pinning
the HIGH-10 GUI half — scope_type=global/profile/issuer body shape,
expires_at omission vs RFC3339 promotion, whitespace-only scope_id
rejection, demo-anon row mutation-button hide),
`web/src/pages/auth/RoleDetailPage.test.tsx` (new, 9 cases pinning
the MED-8 scope picker + the LOW-11 default-role delete-button hide
via the `DEFAULT_ROLE_IDS` set against `r-admin` + `r-auditor`),
`web/src/components/AuthProvider.test.tsx` (new, 5 cases pinning the
LOW-1 demo-banner visibility predicate — `authType==='none' &&
!loading` — across happy/api-key/oidc/loading/rejected branches; the
rejected-fetch path keeps the banner visible because the catch
treats it as an old-server-fallback to demo-mode, and that behavior
is pinned here so a future change surfaces in the diff). 40/40
test-file-scoped pass; `tsc --noEmit` clean.
### Security
- **Scope-aware actor-role revoke (Audit 2026-05-11 A-4).**