test(app): cover tokens, scopes, bearer auth, and audit logs #735

Merged
HugoRCD merged 1 commit into main from test/v5-app-coverage on Apr 20, 2026

Conversation

HugoRCD (Owner) commented Apr 20, 2026

Summary

  • Unit coverage: `generateToken` / `hashToken` / `safeEqualHex` (guards against the "undefined"-in-token regression, Crockford alphabet, uniqueness, timing-safe comparison) and `requireTokenScope` (noop on web sessions, 403 on missing permission / out-of-scope team / project / environment).
  • E2E coverage: tokens REST API (plaintext once, hidden on list, scopes persisted, Bearer auth, legacy cookie + deprecation headers, read-only scope rejects a variable POST and allows the matching read, expiry, invalid, DELETE revokes) and `/audit-logs` (filter + limit + 400 validation).
  • Fixes a pre-existing flake in the CLI E2E flow: `shelve pull` now runs with `--yes` so std-env's AI-agent detection does not hang the test when the harness runs under Cursor / Claude / etc.

Test plan

  • `pnpm --filter @shelve/app test` passes (103/103).
  • `pnpm --filter @shelve/app lint` passes.
  • Unit tests hermetic — no DB / network.

PR order

This is PR 2/4 in the v5 follow-up series. Independent from PR 1 (CLI tests); can land in any order.

Closes the coverage gaps introduced by v5 on the app side.

Unit tests
- `generateToken` / `hashToken` / `safeEqualHex`: guard against the
  "undefined"-in-token regression, verify Crockford alphabet usage,
  uniqueness across 1k draws, sha256 hex output, and timing-safe
  comparison behaviour.
- `requireTokenScope`: noop on web sessions, 403 on missing
  permission / out-of-scope team / project / environment, and passes
  when scopes match or are unrestricted.

E2E flows
- `tokens`: POST returns plaintext once, GET never does; scopes
  persisted; Bearer auth works; legacy cookie auth still works but
  returns Deprecation / Sunset headers; read-only scope rejects a
  variable POST and allows the matching read; expired tokens return
  401; invalid tokens return 401; DELETE revokes.
- `audit-logs`: feed is structurally sound, action filtering applies,
  limit is enforced, invalid limits return 400.

The CLI pull E2E now passes `--yes` so it stays non-interactive when
the harness runs inside an AI-agent environment (std-env would
otherwise prompt for confirmation and hang).
vercel Bot commented Apr 20, 2026

The latest updates on your projects (Vercel for GitHub):

- shelve-app: Ready (Preview, Comment, Open in v0), updated Apr 20, 2026 5:08pm UTC
- shelve-lp: Ready (Preview, Comment), updated Apr 20, 2026 5:08pm UTC
- shelve-vault: Ready (Preview, Comment), updated Apr 20, 2026 5:08pm UTC

github-actions Bot added the test label Apr 20, 2026

github-actions Bot (Contributor) commented:

Thank you for following the naming conventions! 🙏

HugoRCD merged commit 7967ea5 into main Apr 20, 2026
13 of 14 checks passed
HugoRCD deleted the test/v5-app-coverage branch April 20, 2026 17:07