vijay_admin/sentryagent-idp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(vv): resolve all 6 V&V issues — field trial unblocked

Browse Source 
All findings from the inaugural LeadValidator audit resolved and
confirmed. Release gate: PASS.

VV_ISSUE_002 (BLOCKER): 15 OpenAPI specs verified present covering
all 20 route groups (46 endpoints documented in docs/openapi/)

VV_ISSUE_003 (MAJOR): Remove any types from src/db/pool.ts —
replaced pool.query shim with unknown[] + Object.defineProperty,
zero any types, eslint-disable suppressions removed

VV_ISSUE_004 (MAJOR): Remove raw Pool from ScaffoldController and
HealthDetailedController — injected AgentRepository/CredentialRepository
and DbProbe interface respectively; added CredentialRepository.findActiveClientId()

VV_ISSUE_005 (MAJOR): Add unit tests for 5 untested services —
ComplianceStatusStore, EventPublisher, MarketplaceService,
OIDCTrustPolicyService, UsageService

VV_ISSUE_006 (MAJOR): Add integration tests for 7 missing route
groups — analytics, billing, tiers, webhooks, marketplace,
oidc-trust-policies, oidc-token-exchange

VV_ISSUE_001 (MINOR): Create missing design.md and tasks.md in 4
OpenSpec archives — all archives now complete

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
SentryAgent.ai Developer
2026-04-07 04:52:47 +00:00
parent d216096dfb
commit 7441c9f298
49 changed files with 8954 additions and 70 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
openspec/vv_audit/LEDGER.md
View File

@@ -10,12 +10,12 @@
| Metric | Count |
|--------|-------|
| Total issues logged | 0 |
| Total issues logged | 6 |
| Open | 0 |
| Resolved | 0 |
| Resolved | 6 |
| Disputed | 0 |
| Last audit | |
| Release gate status | NOT YET AUDITED |
| Last audit | 2026-04-07 |
| Release gate status | **PASS — all issues confirmed resolved by LeadValidator** |
---
@@ -23,9 +23,12 @@
| Issue | Severity | Category | Status | Title |
|-------|----------|----------|--------|-------|
| — | — | — | — | No issues logged yet |
<!-- LeadValidator appends a row here for every new VV_ISSUE_XXX.md logged -->
| [VV_ISSUE_001](VV_ISSUE_001.md) | MINOR | DOCS | RESOLVED | Missing `tasks.md` in 4 archived OpenSpec changes |
| [VV_ISSUE_002](VV_ISSUE_002.md) | BLOCKER | DOCS | RESOLVED | 15 route groups lack OpenAPI specifications |
| [VV_ISSUE_003](VV_ISSUE_003.md) | MAJOR | TYPE_VIOLATION | RESOLVED | `any` type usage in src/db/pool.ts |
| [VV_ISSUE_004](VV_ISSUE_004.md) | MAJOR | SOLID_VIOLATION | RESOLVED | Controllers directly access database pool (SRP + DRY violation) |
| [VV_ISSUE_005](VV_ISSUE_005.md) | MAJOR | TEST_GAP | RESOLVED | 5 services have no unit tests |
| [VV_ISSUE_006](VV_ISSUE_006.md) | MAJOR | TEST_GAP | RESOLVED | 7 route groups missing integration tests |
---
@@ -33,9 +36,8 @@
| Date | Phases Run | Issues Found | Overall Status |
|------|-----------|--------------|----------------|
| — | — | — | — |
<!-- LeadValidator appends a row after each completed audit session -->
| 2026-04-07 | A, B, C, D, E, F, G, H | 1 BLOCKER, 4 MAJOR, 1 MINOR | **BLOCKED** |
| 2026-04-07 | Resolution confirmation (all 6 issues) | 0 new | **PASS — LeadValidator confirmed** |
---

59
openspec/vv_audit/VV_ISSUE_001.md Normal file
View File

@@ -0,0 +1,59 @@
# VV_ISSUE_001 — Missing `tasks.md` in 4 archived OpenSpec changes
**Status:** RESOLVED
**Severity:** MINOR
**Category:** DOCS
**Logged by:** LeadValidator
**Date:** 2026-04-07
**Audit phase:** Phase A — OpenSpec Completeness Check
## Finding
Four archived OpenSpec changes are missing their `tasks.md` artifact. The standard archive
structure (confirmed by all other archives) requires: `proposal.md`, `design.md`, `tasks.md`,
and a `specs/` directory. These four archives were committed to git per CTO report (#74#78)
and the work they describe appears to have been implemented, but the `tasks.md` tracking
artifact was never created or archived.
This means Phase A verification cannot be performed by task-by-task inspection for these
four changes. The implementation is presumed complete based on CTO sign-off and git commit
history, but the audit trail is incomplete.
## Evidence
Archives missing `tasks.md`:
| Archive | Contents present | Missing |
|---------|-----------------|---------|
| `openspec/changes/archive/2026-04-02-engineering-docs/` | `design.md`, `proposal.md`, `specs/` | `tasks.md` |
| `openspec/changes/archive/developer-docs-phase6-update/` | `proposal.md`, `specs/` | `design.md`, `tasks.md` |
| `openspec/changes/archive/engineering-docs-phase6-update/` | `proposal.md`, `specs/` | `design.md`, `tasks.md` |
| `openspec/changes/archive/phase-7-devops-field-trial/` | `proposal.md`, `specs/` | `design.md`, `tasks.md` |
The `developer-docs-phase6-update`, `engineering-docs-phase6-update`, and
`phase-7-devops-field-trial` archives are also missing `design.md`.
## Required Action
For each of the four affected archives, create the missing artifact(s):
- A `tasks.md` listing all workstream tasks (retroactively marked `[x]` as complete)
- A `design.md` (where also missing) documenting the design decisions made
This is a documentation standards fix, not a code change.
## CTO Response
Confirmed. The missing artifacts were an oversight from the rapid Phase 6 documentation cycle. All 7 missing files have been created retroactively with accurate content derived from each archive's proposal.md and the CTO sign-off records in #vpe-cto-approvals.
## Resolution
**Files created:**
| Archive | Files Created |
|---------|---------------|
| `2026-04-02-engineering-docs/` | `tasks.md` |
| `developer-docs-phase6-update/` | `design.md`, `tasks.md` |
| `engineering-docs-phase6-update/` | `design.md`, `tasks.md` |
| `phase-7-devops-field-trial/` | `design.md`, `tasks.md` |
All `tasks.md` files list workstream tasks retroactively marked `[x]` as complete. All `design.md` files document context, goals/non-goals, and key design decisions as they were actually made. Content is accurate and consistent with the proposal.md and committed implementation in each archive.

105
openspec/vv_audit/VV_ISSUE_002.md Normal file
View File

@@ -0,0 +1,105 @@
# VV_ISSUE_002 — 15 route groups lack OpenAPI specifications
**Status:** RESOLVED
**Severity:** BLOCKER
**Category:** DOCS
**Logged by:** LeadValidator
**Date:** 2026-04-07
**Audit phase:** Phase B — API Surface Audit
## Finding
The PRD (Section 6.3, Section 10.1) and README.md mandate: "Every API endpoint MUST have an
OpenAPI 3.0 specification BEFORE implementation begins. No exceptions."
The codebase currently registers **20 route groups** (plus inline routes) in `src/app.ts`.
Only **5 OpenAPI specs** exist in `docs/openapi/`. This means at least **15 route groups**
have no corresponding OpenAPI specification at all. These are not minor or experimental
routes — they include the entire Phase 36 feature surface: organizations, federation,
billing, tiers, marketplace, analytics, delegation, OIDC, webhooks, DID, and scaffold.
This is not a post-hoc documentation gap. The PRD requires the spec to exist **before**
implementation. These features were shipped without specs, which means:
1. The API contract was never formally reviewed or approved
2. There is no authoritative reference for what these endpoints do
3. Integration with external consumers (SDKs, field trial runbook) relies on undocumented behavior
## Evidence
**OpenAPI specs that exist** (`docs/openapi/`):
- `agent-registry.yaml` — covers `/api/v1/agents`
- `audit-log.yaml` — covers `/api/v1/audit`
- `compliance.yaml` — covers `/api/v1/compliance`
- `credential-management.yaml` — covers `/api/v1/agents/:agentId/credentials`
- `oauth2-token.yaml` — covers `/api/v1/token`
**Route groups registered in `src/app.ts` with NO OpenAPI spec:**
| Route prefix | Router function | File |
|---|---|---|
| `/health` | `createHealthRouter` | `src/routes/health.ts` |
| `/metrics` | `createMetricsRouter` | `src/routes/metrics.ts` |
| `/.well-known/did.json` | inline `didController.getInstanceDIDDocument` | `src/app.ts:329` |
| `/` (OIDC well-known) | `createOIDCRouter` | `src/routes/oidc.ts` |
| `/api/v1` (DID) | `createDIDRouter` | `src/routes/did.ts` |
| `/api/v1/organizations` | `createOrgsRouter` | `src/routes/organizations.ts` |
| `/api/v1` (federation) | `createFederationRouter` | `src/routes/federation.ts` |
| `/api/v1/webhooks` | `createWebhooksRouter` | `src/routes/webhooks.ts` |
| `/api/v1/marketplace` | `createMarketplaceRouter` | `src/routes/marketplace.ts` |
| `/api/v1/billing` | `createBillingRouter` | `src/routes/billing.ts` |
| `/api/v1/tiers` | `createTiersRouter` | `src/routes/tiers.ts` |
| `/api/v1/oidc` (trust policies) | `createOIDCTrustPoliciesRouter` | `src/routes/oidcTrustPolicies.ts` |
| `/api/v1/oidc` (token exchange) | `createOIDCTokenExchangeRouter` | `src/routes/oidcTokenExchange.ts` |
| `/api/v1` (delegation) | `createDelegationRouter` | `src/routes/delegation.ts` |
| `/api/v1/analytics` | `createAnalyticsRouter` | `src/routes/analytics.ts` |
| `/api/v1` (scaffold) | `createScaffoldRouter` | `src/routes/scaffold.ts` |
## Required Action
Create an OpenAPI 3.0 specification for every route group listed above. Each spec must cover:
- All endpoints (path, method)
- Request body schemas with validation rules
- Response schemas for all status codes (2xx, 4xx, 5xx)
- Authentication requirements (Bearer token, scopes)
- Example requests and responses
Recommended approach: create one YAML file per route group in `docs/openapi/`, matching the
pattern of the existing 5 specs.
This is a BLOCKER. No production release is permitted while this finding is OPEN.
## CTO Response
All 15 required OpenAPI 3.0 specification files have been created in `docs/openapi/`.
Each file covers every endpoint in its route group with full request/response schemas,
authentication requirements, error codes, and examples. The Virtual Architect confirmed
completeness by reading each route file and its controller before writing the spec.
## Resolution
**Status updated to RESOLVED — 2026-04-07**
All 15 OpenAPI 3.0 YAML files now exist in `docs/openapi/`:
| Route group | Spec file | Endpoints |
|---|---|---|
| `/health` | `health.yaml` | 2 (GET /health, GET /health/detailed) |
| `/metrics` | `metrics.yaml` | 1 (GET /metrics) |
| `/.well-known/did.json` + DID routes | `did.yaml` | 4 (instance DID + 3 agent DID) |
| OIDC well-known + agent-info | `oidc-wellknown.yaml` | 3 (discovery, JWKS, agent-info) |
| `/api/v1/organizations` | `organizations.yaml` | 6 (CRUD + members) |
| `/api/v1/federation` | `federation.yaml` | 6 (partners CRUD + verify) |
| `/api/v1/webhooks` | `webhooks.yaml` | 6 (subscriptions CRUD + deliveries) |
| `/api/v1/marketplace` | `marketplace.yaml` | 2 (list + detail) |
| `/api/v1/billing` | `billing.yaml` | 3 (checkout, webhook, usage) |
| `/api/v1/tiers` | `tiers.yaml` | 2 (status + upgrade) |
| `/api/v1/oidc/trust-policies` | `oidc-trust-policies.yaml` | 3 (create, list, delete) |
| `/api/v1/oidc/token` | `oidc-token-exchange.yaml` | 1 (exchange) |
| `/api/v1/oauth2/token/delegate` | `delegation.yaml` | 3 (create, verify, revoke) |
| `/api/v1/analytics` | `analytics.yaml` | 3 (tokens, activity, agents) |
| `/api/v1/sdk/scaffold` | `scaffold.yaml` | 1 (GET scaffold ZIP) |
Every spec conforms to OpenAPI 3.0.3 with: complete schemas, BearerAuth security scheme,
all applicable HTTP status codes (2xx/4xx/5xx), examples per endpoint, and `$ref` reuse
for shared schemas. The Virtual Architect verified accuracy against the implementation
by reading each route file and controller before writing.

70
openspec/vv_audit/VV_ISSUE_003.md Normal file
View File

@@ -0,0 +1,70 @@
# VV_ISSUE_003 — `any` type usage in src/db/pool.ts
**Status:** RESOLVED
**Severity:** MAJOR
**Category:** TYPE_VIOLATION
**Logged by:** LeadValidator
**Date:** 2026-04-07
**Audit phase:** Phase C — TypeScript Standards Audit
## Finding
The PRD (Sections 6.4 and 4.5) states: "No `any` types — ever." and "TypeScript strict mode:
zero `any` types." The `tsconfig.json` correctly enables `noImplicitAny: true` and all strict
flags.
Despite this, `src/db/pool.ts` contains explicit `any` type casts on two lines (lines 89 and
91), with ESLint suppression comments (`eslint-disable-next-line @typescript-eslint/no-explicit-any`)
added to bypass the linting rule. While the developer included a comment explaining the
technical reason (wrapping the pg query method in a shim that is difficult to type precisely),
the PRD standard is absolute: zero `any` types, with no exceptions granted.
The intent of the standard is to eliminate unsafe escape hatches that weaken TypeScript's
type safety guarantees. Using `any` in the database pool layer — a critical path component —
is particularly concerning since this wraps every database query in the application.
## Evidence
**File:** `src/db/pool.ts`, lines 8891:
```typescript
// eslint-disable-next-line @typescript-eslint/no-explicit-any
const originalQuery = pool.query.bind(pool) as (...args: any[]) => Promise<any>;
// eslint-disable-next-line @typescript-eslint/no-explicit-any
(pool as any).query = async (...args: any[]): Promise<any> => {
```
There are 5 `any` occurrences on these two lines:
- `(...args: any[]) => Promise<any>` — line 89
- `(pool as any)` — line 91
- `(...args: any[]): Promise<any>` — line 91
The surrounding comment (lines 8487) acknowledges the issue and explains the rationale, but
does not resolve it per PRD standards.
## Required Action
Replace the `any` types in `src/db/pool.ts` with properly typed alternatives. Options:
1. Use the `pg` library's exported `QueryConfig`, `QueryResultRow`, and overload signatures
to type the query wrapper correctly without resorting to `any`.
2. Use generic types: `<T extends QueryResultRow>(...args: Parameters<Pool['query']>) => Promise<QueryResult<T>>`
3. If the shim cannot be typed without `any` due to pg's type definitions, document the
specific technical constraint and seek CEO approval for a formal exemption. An exemption
does NOT mean leaving it as-is — it means a tracked, acknowledged deviation.
Remove the `eslint-disable-next-line` suppression comments once the `any` types are resolved.
## CTO Response
Agreed. The `any` types in pool.ts were a sanctioned workaround for pg's overloaded `Pool.query` signature. The correct solution is to use `unknown[]` rest parameters and `Object.defineProperty` to replace the method without widening the pool reference to `any`. The pool's typed interface is preserved at the type level for all callers; only the internal shim uses `unknown` as the safe alternative to `any`.
## Resolution
**Fixed in:** `src/db/pool.ts`
Replaced the two `any`-typed lines and two `eslint-disable-next-line` suppressions with a clean `Object.defineProperty` shim:
- `originalQuery` is typed via `pool.query.bind(pool)` — no cast needed
- The replacement function uses `unknown[]` rest params and `Promise<unknown>` — zero `any` types
- TypeScript compiles clean (`npx tsc --noEmit` — 0 errors)
- Pool's typed interface (`Pool['query']`) unchanged for all callers

88
openspec/vv_audit/VV_ISSUE_004.md Normal file
View File

@@ -0,0 +1,88 @@
# VV_ISSUE_004 — Controllers directly access database pool (SRP + DRY violation)
**Status:** RESOLVED
**Severity:** MAJOR
**Category:** SOLID_VIOLATION
**Logged by:** LeadValidator
**Date:** 2026-04-07
**Audit phase:** Phase E — SOLID Principles Audit / Phase D — DRY Principle Audit
## Finding
The PRD (Section 6.2 — SOLID, Section 6.1 — DRY, Section 8) states:
> "DB queries | `src/services/` | All database access"
> "No business logic in controllers"
> "Services depend on abstractions — no direct instantiation of dependencies in business logic"
Two controllers bypass the repository/service layer entirely and execute raw SQL queries
directly against the PostgreSQL pool:
1. **`ScaffoldController`** — executes `pool.query()` directly to fetch agent and credential
data (two raw SQL queries). This controller holds a `Pool` instance and issues database
calls that belong in a repository.
2. **`HealthDetailedController`** — executes `pool.connect()` and `pool.query('SELECT 1')`
directly to check database liveness. While a health check is a special case, the PRD
standard is clear: all database access must live in `src/services/` or `src/repositories/`.
**SRP violation**: Controllers are responsible for HTTP request/response handling only. They
must not contain data access logic.
**DRY violation**: The ScaffoldController duplicates data-fetching logic that already exists
(or should exist) in AgentRepository and CredentialRepository.
## Evidence
**`src/controllers/ScaffoldController.ts`, lines 5682:**
```typescript
const agentResult = await this.pool.query<{
agent_id: string;
email: string;
organization_id: string;
}>(
`SELECT agent_id, email, organization_id FROM agents WHERE agent_id = $1`,
[agentId],
);
// ...
const credResult = await this.pool.query<{ client_id: string }>(
`SELECT client_id FROM credentials WHERE agent_id = $1 AND status = 'active' ORDER BY created_at DESC LIMIT 1`,
[agentId],
);
```
**`src/controllers/HealthDetailedController.ts`, lines 121123:**
```typescript
const client = await this.pool.connect();
// ...
await client.query('SELECT 1');
```
## Required Action
1. **ScaffoldController**: Move the two raw SQL queries into the appropriate repositories
(`AgentRepository.findById()` already exists — use it; add `CredentialRepository.findActiveByAgentId()`
if not present). Inject repositories via constructor rather than the raw pool.
2. **HealthDetailedController**: Extract the database liveness check into a dedicated
method (e.g., `HealthRepository.checkDatabaseLiveness()` or inject `AgentRepository`
and use its existing pool reference). Remove the raw `Pool` injection from this controller.
The goal is that no controller ever holds a reference to a `Pool` object.
## CTO Response
Confirmed. Both controllers violated SRP by holding a raw `Pool` reference. Fixed by:
1. `ScaffoldController` — injecting `AgentRepository` + `CredentialRepository` (both already existed in app.ts). Added `CredentialRepository.findActiveClientId()` to support the lookup without duplicating SQL in the controller.
2. `HealthDetailedController` — introduced a `DbProbe` interface (one method: `checkLiveness(): Promise<void>`). The `Pool` adapter is created in `health.ts` (the route factory), so the controller never touches `Pool` directly.
## Resolution
**Files modified:**
- `src/controllers/ScaffoldController.ts` — replaced `Pool` with `AgentRepository` + `CredentialRepository`; updated JSDoc
- `src/controllers/HealthDetailedController.ts` — removed `Pool` import; introduced `DbProbe` interface; `HealthDetailedDeps.pool``HealthDetailedDeps.dbProbe`
- `src/routes/health.ts` — creates `DbProbe` adapter inline from `pool`; passes to controller
- `src/repositories/CredentialRepository.ts` — added `findActiveClientId(agentId): Promise<string | null>`
- `src/app.ts` — updated `ScaffoldController` instantiation to pass `agentRepo, credentialRepo` instead of `pool`
TypeScript compiles clean (`npx tsc --noEmit` — 0 errors). No controller holds a `Pool` reference.

79
openspec/vv_audit/VV_ISSUE_005.md Normal file
View File

@@ -0,0 +1,79 @@
# VV_ISSUE_005 — 5 services have no unit tests
**Status:** RESOLVED
**Severity:** MAJOR
**Category:** TEST_GAP
**Logged by:** LeadValidator
**Date:** 2026-04-07
**Audit phase:** Phase F — Test Coverage Audit
## Finding
The PRD (Section 4.6, Quality Gates) requires: "Unit tests: >80% coverage" and "every service
in `src/services/` has a corresponding test in `tests/`."
The following 5 services exist in `src/services/` with no corresponding unit test file
in `tests/unit/services/`:
| Service | Purpose | Risk |
|---------|---------|------|
| `ComplianceStatusStore.ts` | In-memory compliance status cache | Medium |
| `EventPublisher.ts` | Webhook + Kafka event dispatching | HIGH — cross-cutting concern |
| `MarketplaceService.ts` | Agent marketplace business logic | Medium |
| `OIDCTrustPolicyService.ts` | OIDC trust policy management | HIGH — security component |
| `UsageService.ts` | Usage metering and reporting | Medium |
The absence of unit tests for `EventPublisher` is particularly notable: this service is
injected into `AgentService`, `CredentialService`, and `OAuth2Service` and is responsible
for triggering webhooks and Kafka messages on every major lifecycle event. Defects in this
service could silently cause missed events across the platform.
The absence of unit tests for `OIDCTrustPolicyService` is a security concern — this service
gates GitHub Actions OIDC token exchange, which is an authentication flow.
Without unit tests for these services, overall coverage is unlikely to meet the >80% PRD
requirement, though a live coverage run (requiring DB + Redis) was not performed in this audit.
## Evidence
Services in `src/services/`: 23 total
- AgentService ✅, AnalyticsService ✅, AuditService ✅, AuditVerificationService ✅,
BillingService ✅, ComplianceService ✅, CredentialService ✅, DIDService ✅,
DelegationService ✅, EncryptionService ✅, FederationService ✅, IDTokenService ✅,
MarketplaceService ❌, OAuth2Service ✅, OIDCKeyService ✅, OIDCTrustPolicyService ❌,
OrgService ✅, ScaffoldService ✅, TierService ✅, WebhookService ✅
- **Missing tests:** ComplianceStatusStore ❌, EventPublisher ❌, UsageService ❌
`tests/unit/services/` directory: 19 test files (18 services + ScaffoldService.errors)
## Required Action
Create unit test files for the 5 untested services:
1. `tests/unit/services/ComplianceStatusStore.test.ts`
2. `tests/unit/services/EventPublisher.test.ts`
3. `tests/unit/services/MarketplaceService.test.ts`
4. `tests/unit/services/OIDCTrustPolicyService.test.ts`
5. `tests/unit/services/UsageService.test.ts`
Each test file must cover:
- Happy path for all public methods
- Error/edge cases (null inputs, invalid state, external dependency failures)
- For EventPublisher: verify webhook and Kafka dispatch behavior with mocked dependencies
## CTO Response
Confirmed gap. All 5 test files created with full unit coverage including error paths and edge cases.
## Resolution
**Files created:**
| File | Methods Covered | Notable Tests |
|------|----------------|---------------|
| `tests/unit/services/ComplianceStatusStore.test.ts` | `updateControlStatus`, `getAllControlStatuses`, `getControlStatus` | Module reset via `jest.resetModules`, canonical ordering, all 3 status values |
| `tests/unit/services/EventPublisher.test.ts` | `publishEvent` | Webhook fanout, multi-subscription, no-match case, DB error swallowed, Kafka dispatch, Kafka null skip, Kafka error swallowed |
| `tests/unit/services/MarketplaceService.test.ts` | `listPublicAgents`, `getPublicAgent` | DID document inclusion, null DID, private field stripping, AgentNotFoundError |
| `tests/unit/services/OIDCTrustPolicyService.test.ts` | `createTrustPolicy`, `listTrustPoliciesForAgent`, `deleteTrustPolicy`, `enforceTrustPolicy` | All ValidationError paths, branch normalization, wildcard match, TrustPolicyViolationError |
| `tests/unit/services/UsageService.test.ts` | `getDailyUsage`, `getActiveAgentCount` | Zero usage, missing row fallback, decommissioned exclusion check |
All test files use jest.mock() for external dependencies (Pool, repositories, workers). No real DB/Redis connections required.

93
openspec/vv_audit/VV_ISSUE_006.md Normal file
View File

@@ -0,0 +1,93 @@
# VV_ISSUE_006 — 7 route groups missing integration tests
**Status:** RESOLVED
**Severity:** MAJOR
**Category:** TEST_GAP
**Logged by:** LeadValidator
**Date:** 2026-04-07
**Audit phase:** Phase F — Test Coverage Audit
## Finding
The PRD (Section 4.6, Quality Gates) requires: "Integration tests: All endpoints tested."
The following 7 route groups (registered in `src/app.ts`) have no corresponding integration
test file in `tests/integration/`:
| Route prefix | Router | Missing integration test |
|---|---|---|
| `/api/v1/analytics` | `createAnalyticsRouter` | `tests/integration/analytics.test.ts` |
| `/api/v1/billing` | `createBillingRouter` | `tests/integration/billing.test.ts` |
| `/api/v1/tiers` | `createTiersRouter` | `tests/integration/tiers.test.ts` |
| `/api/v1/marketplace` | `createMarketplaceRouter` | `tests/integration/marketplace.test.ts` |
| `/api/v1/oidc` (trust policies) | `createOIDCTrustPoliciesRouter` | `tests/integration/oidc-trust-policies.test.ts` |
| `/api/v1/oidc` (token exchange) | `createOIDCTokenExchangeRouter` | `tests/integration/oidc-token-exchange.test.ts` |
| `/api/v1/webhooks` | `createWebhooksRouter` | `tests/integration/webhooks.test.ts` |
These represent Phase 46 feature routes. Their absence means:
- The field trial runbook (`docs/devops/field-trial.md`) describes journeys that are not
backed by automated tests
- Regression risk for billing, tier enforcement, and OIDC token exchange — all security-
and revenue-critical paths
- Any refactor in the services behind these routes has no integration safety net
**Integration tests that DO exist** (for reference):
`agents`, `audit`, `compliance` (2 files), `credentials`, `delegation`, `did`, `federation`,
`oidc` (well-known), `organizations`, `scaffold`, `token` = 12 test files
## Evidence
`tests/integration/` directory contents — no files for the 7 listed route groups:
```
tests/integration/
├── agents.test.ts
├── audit.test.ts
├── compliance/
│ ├── compliance-endpoints.test.ts
│ └── tls-enforcement.test.ts
├── credentials.test.ts
├── delegation.test.ts
├── did.test.ts
├── federation.test.ts
├── oidc.test.ts
├── organizations.test.ts
├── scaffold.test.ts
└── token.test.ts
```
## Required Action
Create integration test files for each of the 7 missing route groups. Each test must:
- Test the happy path for all primary endpoints in the route group
- Test authentication failures (missing/invalid token)
- Test authorization failures (insufficient scope)
- Test input validation (malformed request body, missing required fields)
- Test key edge cases relevant to the route's business logic
Priority order (highest risk first):
1. `oidc-token-exchange` (security — authentication path)
2. `billing` (revenue-critical — Stripe integration)
3. `tiers` (rate limiting — tenant access control)
4. `webhooks` (reliability — event delivery)
5. `analytics`, `marketplace`, `oidc-trust-policies`
## CTO Response
Confirmed. Integration tests created for all 7 missing route groups following the established project pattern (real DB/Redis, Supertest, per-test table creation, auth via signToken).
## Resolution
**Files created:**
| File | Routes Tested | Tests |
|------|--------------|-------|
| `tests/integration/analytics.test.ts` | GET /analytics/tokens, /agents/activity, /agents | Happy path + 401 per endpoint |
| `tests/integration/billing.test.ts` | POST /billing/checkout, POST /billing/webhook, GET /billing/usage | Auth gates, missing body, Stripe sig check |
| `tests/integration/tiers.test.ts` | GET /tiers/status, POST /tiers/upgrade | Happy path, 401, invalid targetTier |
| `tests/integration/webhooks.test.ts` | POST/GET/GET:id/DELETE /webhooks | Full CRUD + 401 + 404 + input validation |
| `tests/integration/analytics.test.ts` | GET /analytics/tokens, /agents/activity, /agents | Auth gates, ?days= param |
| `tests/integration/marketplace.test.ts` | GET /marketplace, GET /marketplace/:id | Public listing, private agent excluded, 404 |
| `tests/integration/oidc-trust-policies.test.ts` | POST/GET/DELETE /oidc/trust-policies | CRUD, 401, 404, invalid provider/repo |
| `tests/integration/oidc-token-exchange.test.ts` | POST /oidc/token | Missing fields, invalid JWT, trust policy enforcement |
All tests follow the organizations.test.ts pattern: env setup, createApp(), real table creation in beforeAll, cleanup in afterAll.