# VV_ISSUE_006 — 7 route groups missing integration tests

**Status:** RESOLVED
**Severity:** MAJOR
**Category:** TEST_GAP
**Logged by:** LeadValidator
**Date:** 2026-04-07
**Audit phase:** Phase F — Test Coverage Audit

## Finding

The PRD (Section 4.6, Quality Gates) requires: "Integration tests: All endpoints tested."

The following 7 route groups (registered in `src/app.ts`) have no corresponding integration test file in `tests/integration/`:

| Route prefix | Router | Missing integration test |
|---|---|---|
| `/api/v1/analytics` | `createAnalyticsRouter` | `tests/integration/analytics.test.ts` |
| `/api/v1/billing` | `createBillingRouter` | `tests/integration/billing.test.ts` |
| `/api/v1/tiers` | `createTiersRouter` | `tests/integration/tiers.test.ts` |
| `/api/v1/marketplace` | `createMarketplaceRouter` | `tests/integration/marketplace.test.ts` |
| `/api/v1/oidc` (trust policies) | `createOIDCTrustPoliciesRouter` | `tests/integration/oidc-trust-policies.test.ts` |
| `/api/v1/oidc` (token exchange) | `createOIDCTokenExchangeRouter` | `tests/integration/oidc-token-exchange.test.ts` |
| `/api/v1/webhooks` | `createWebhooksRouter` | `tests/integration/webhooks.test.ts` |

These represent Phase 4–6 feature routes. Their absence means:

- The field trial runbook (`docs/devops/field-trial.md`) describes journeys that are not backed by automated tests
- Regression risk for billing, tier enforcement, and OIDC token exchange — all security- and revenue-critical paths
- Any refactor in the services behind these routes has no integration safety net

**Integration tests that DO exist** (for reference): `agents`, `audit`, `compliance` (2 files), `credentials`, `delegation`, `did`, `federation`, `oidc` (well-known), `organizations`, `scaffold`, `token` = 12 test files

## Evidence

`tests/integration/` directory contents — no files for the 7 listed route groups:

```
tests/integration/
├── agents.test.ts
├── audit.test.ts
├── compliance/
│   ├── compliance-endpoints.test.ts
│   └── tls-enforcement.test.ts
├── credentials.test.ts
├── delegation.test.ts
├── did.test.ts
├── federation.test.ts
├── oidc.test.ts
├── organizations.test.ts
├── scaffold.test.ts
└── token.test.ts
```

## Required Action

Create integration test files for each of the 7 missing route groups. Each test must:

- Test the happy path for all primary endpoints in the route group
- Test authentication failures (missing/invalid token)
- Test authorization failures (insufficient scope)
- Test input validation (malformed request body, missing required fields)
- Test key edge cases relevant to the route's business logic

Priority order (highest risk first):

1. `oidc-token-exchange` (security — authentication path)
2. `billing` (revenue-critical — Stripe integration)
3. `tiers` (rate limiting — tenant access control)
4. `webhooks` (reliability — event delivery)
5. `analytics`, `marketplace`, `oidc-trust-policies`

## CTO Response

Confirmed. Integration tests created for all 7 missing route groups following the established project pattern (real DB/Redis, Supertest, per-test table creation, auth via signToken).

## Resolution

**Files created:**

| File | Routes Tested | Tests |
|------|--------------|-------|
| `tests/integration/analytics.test.ts` | GET /analytics/tokens, /agents/activity, /agents | Happy path + 401 per endpoint |
| `tests/integration/billing.test.ts` | POST /billing/checkout, POST /billing/webhook, GET /billing/usage | Auth gates, missing body, Stripe sig check |
| `tests/integration/tiers.test.ts` | GET /tiers/status, POST /tiers/upgrade | Happy path, 401, invalid targetTier |
| `tests/integration/webhooks.test.ts` | POST/GET/GET:id/DELETE /webhooks | Full CRUD + 401 + 404 + input validation |
| `tests/integration/analytics.test.ts` | GET /analytics/tokens, /agents/activity, /agents | Auth gates, ?days= param |
| `tests/integration/marketplace.test.ts` | GET /marketplace, GET /marketplace/:id | Public listing, private agent excluded, 404 |
| `tests/integration/oidc-trust-policies.test.ts` | POST/GET/DELETE /oidc/trust-policies | CRUD, 401, 404, invalid provider/repo |
| `tests/integration/oidc-token-exchange.test.ts` | POST /oidc/token | Missing fields, invalid JWT, trust policy enforcement |

All tests follow the `organizations.test.ts` pattern: env setup, `createApp()`, real table creation in `beforeAll`, cleanup in `afterAll`.
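The gap in the Finding (routers registered in `src/app.ts` with no matching file in `tests/integration/`) can be checked mechanically so it does not reappear after the next feature phase. The sketch below is an added example, not the project's code: it assumes routers are mounted Express-style as `app.use(prefix, createXRouter(...))` and that the expected test name is the kebab-cased router name, as in the Finding table. The sample `app.ts` text, `createAgentsRouter`, `createOrganizationsRouter` and `deps` are constructed for illustration.

```typescript
// Added example (not project code): flag mounted routers that lack an integration test.
// Assumption: routers are mounted as app.use('<prefix>', createXRouter(...)).
interface RouteGap { prefix: string; factory: string; expectedTest: string; }

// createOIDCTokenExchangeRouter -> oidc-token-exchange.test.ts
function routerToTestFile(factory: string): string {
  return factory
    .replace(/^create/, "")
    .replace(/Router$/, "")
    .replace(/([A-Z]+)([A-Z][a-z])/g, "$1-$2") // acronym boundary: OIDCToken -> OIDC-Token
    .replace(/([a-z0-9])([A-Z])/g, "$1-$2")    // camelCase boundary: TokenExchange -> Token-Exchange
    .toLowerCase() + ".test.ts";
}

function findUntestedRouters(appSource: string, testFiles: string[]): RouteGap[] {
  const mount = /app\.use\(\s*['"]([^'"]+)['"]\s*,\s*(create[A-Za-z0-9]+Router)\s*\(/g;
  const gaps: RouteGap[] = [];
  let m: RegExpExecArray | null;
  while ((m = mount.exec(appSource)) !== null) {
    const expectedTest = routerToTestFile(m[2]);
    if (testFiles.indexOf(expectedTest) === -1) {
      gaps.push({ prefix: m[1], factory: m[2], expectedTest: expectedTest });
    }
  }
  return gaps;
}

// Constructed sample of src/app.ts. The last seven mounts are the routers named in the
// finding; the first two mounts and the `deps` argument are hypothetical.
const SAMPLE_APP_TS = `
app.use('/api/v1/agents', createAgentsRouter(deps));
app.use('/api/v1/organizations', createOrganizationsRouter(deps));
app.use('/api/v1/analytics', createAnalyticsRouter(deps));
app.use('/api/v1/billing', createBillingRouter(deps));
app.use('/api/v1/tiers', createTiersRouter(deps));
app.use('/api/v1/marketplace', createMarketplaceRouter(deps));
app.use('/api/v1/oidc', createOIDCTrustPoliciesRouter(deps));
app.use('/api/v1/oidc', createOIDCTokenExchangeRouter(deps));
app.use('/api/v1/webhooks', createWebhooksRouter(deps));
`;
// Top-level test files that existed at audit time (from the Evidence listing).
const SAMPLE_TEST_FILES = ["agents.test.ts", "audit.test.ts", "credentials.test.ts",
  "delegation.test.ts", "did.test.ts", "federation.test.ts", "oidc.test.ts",
  "organizations.test.ts", "scaffold.test.ts", "token.test.ts"];

const GAP_REPORT = findUntestedRouters(SAMPLE_APP_TS, SAMPLE_TEST_FILES);
GAP_REPORT.forEach((g) => console.log(`MISSING ${g.expectedTest} for ${g.prefix} (${g.factory})`));
```

In CI, pass the real `src/app.ts` text and the `tests/integration/` listing and fail the job when the returned list is non-empty. Tests kept in subdirectories (such as `compliance/`) need their own mapping.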