sentryagent-idp/openspec/vv_audit/VV_ISSUE_006.md
SentryAgent.ai Developer 7441c9f298 fix(vv): resolve all 6 V&V issues — field trial unblocked
All findings from the inaugural LeadValidator audit resolved and
confirmed. Release gate: PASS.

VV_ISSUE_002 (BLOCKER): 15 OpenAPI specs verified present covering
all 20 route groups (46 endpoints documented in docs/openapi/)

VV_ISSUE_003 (MAJOR): Remove any types from src/db/pool.ts —
replaced pool.query shim with unknown[] + Object.defineProperty,
zero any types, eslint-disable suppressions removed

VV_ISSUE_004 (MAJOR): Remove raw Pool from ScaffoldController and
HealthDetailedController — injected AgentRepository/CredentialRepository
and DbProbe interface respectively; added CredentialRepository.findActiveClientId()

VV_ISSUE_005 (MAJOR): Add unit tests for 5 untested services —
ComplianceStatusStore, EventPublisher, MarketplaceService,
OIDCTrustPolicyService, UsageService

VV_ISSUE_006 (MAJOR): Add integration tests for 7 missing route
groups — analytics, billing, tiers, webhooks, marketplace,
oidc-trust-policies, oidc-token-exchange

VV_ISSUE_001 (MINOR): Create missing design.md and tasks.md in 4
OpenSpec archives — all archives now complete

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-07 04:52:47 +00:00


VV_ISSUE_006 — 7 route groups missing integration tests

Status: RESOLVED
Severity: MAJOR
Category: TEST_GAP
Logged by: LeadValidator
Date: 2026-04-07
Audit phase: Phase F — Test Coverage Audit

Finding

The PRD (Section 4.6, Quality Gates) requires: "Integration tests: All endpoints tested."

The following 7 route groups (registered in src/app.ts) have no corresponding integration test file in tests/integration/:

| Route prefix | Router | Missing integration test |
|---|---|---|
| /api/v1/analytics | createAnalyticsRouter | tests/integration/analytics.test.ts |
| /api/v1/billing | createBillingRouter | tests/integration/billing.test.ts |
| /api/v1/tiers | createTiersRouter | tests/integration/tiers.test.ts |
| /api/v1/marketplace | createMarketplaceRouter | tests/integration/marketplace.test.ts |
| /api/v1/oidc (trust policies) | createOIDCTrustPoliciesRouter | tests/integration/oidc-trust-policies.test.ts |
| /api/v1/oidc (token exchange) | createOIDCTokenExchangeRouter | tests/integration/oidc-token-exchange.test.ts |
| /api/v1/webhooks | createWebhooksRouter | tests/integration/webhooks.test.ts |

These represent Phase 46 feature routes. Their absence means:

  • The field trial runbook (docs/devops/field-trial.md) describes journeys that are not backed by automated tests
  • Regression risk for billing, tier enforcement, and OIDC token exchange — all security- and revenue-critical paths
  • Any refactor in the services behind these routes has no integration safety net

Integration tests that DO exist (for reference): agents, audit, compliance (2 files), credentials, delegation, did, federation, oidc (well-known), organizations, scaffold, token = 12 test files

Evidence

tests/integration/ directory contents — no files for the 7 listed route groups:

tests/integration/
├── agents.test.ts
├── audit.test.ts
├── compliance/
│   ├── compliance-endpoints.test.ts
│   └── tls-enforcement.test.ts
├── credentials.test.ts
├── delegation.test.ts
├── did.test.ts
├── federation.test.ts
├── oidc.test.ts
├── organizations.test.ts
├── scaffold.test.ts
└── token.test.ts
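
The comparison behind this evidence (routers registered in src/app.ts against files under tests/integration/) can run as a CI check. The code below is an added example, not the project's own; it assumes routers are mounted as app.use('<prefix>', create<Name>Router(...)) and that test files are named after the router factory, as the table in the Finding suggests. The app.ts excerpt and the factory names createComplianceRouter and createOIDCRouter are constructed.

```typescript
// Added example; the app.use(...) syntax and the naming rule are assumptions.
interface RouteGroup { prefix: string; factory: string; slug: string; }
const TEST_DIR = "tests/integration";

// createOIDCTrustPoliciesRouter -> "oidc-trust-policies" (assumed convention).
function factoryToSlug(factory: string): string {
  return factory.replace(/^create/, "").replace(/Router$/, "")
    .replace(/([A-Z]+)([A-Z][a-z])/g, "$1-$2") // acronym boundary: OIDC|Trust
    .replace(/([a-z0-9])([A-Z])/g, "$1-$2")    // word boundary: Trust|Policies
    .toLowerCase();
}

function parseRouteGroups(appSource: string): RouteGroup[] {
  const re = /app\.use\(\s*['"]([^'"]+)['"]\s*,\s*(create\w+Router)\b/g;
  const groups: RouteGroup[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(appSource)) !== null) {
    groups.push({ prefix: m[1], factory: m[2], slug: factoryToSlug(m[2]) });
  }
  return groups;
}

// Covered: <slug>.test.ts exists, or a <slug>/ subdirectory holds a test file.
function isCovered(slug: string, testFiles: string[]): boolean {
  return testFiles.some((f) => f.endsWith(".test.ts") &&
    (f === `${TEST_DIR}/${slug}.test.ts` || f.startsWith(`${TEST_DIR}/${slug}/`)));
}

// Keyed on the router factory, so routers sharing a prefix are checked one by one.
function findUntested(appSource: string, testFiles: string[]): string[] {
  return parseRouteGroups(appSource).map((g) => g.slug)
    .filter((s) => !isCovered(s, testFiles));
}

// Contrast: keyed on the URL prefix, which hides routers behind a shared prefix.
function findUntestedByPrefix(appSource: string, testFiles: string[]): string[] {
  const slugs = parseRouteGroups(appSource).map((g) => g.prefix.split("/").pop() || "");
  return Array.from(new Set(slugs)).filter((s) => !isCovered(s, testFiles));
}

// Constructed inputs: factory names for the already-tested routes are placeholders.
const SAMPLE_APP_TS = `
app.use('/api/v1/compliance', createComplianceRouter(deps));
app.use('/api/v1/oidc', createOIDCRouter(deps));
app.use('/api/v1/oidc', createOIDCTrustPoliciesRouter(deps));
app.use('/api/v1/oidc', createOIDCTokenExchangeRouter(deps));
app.use('/api/v1/billing', createBillingRouter(deps));
`;
const SAMPLE_TESTS = [`${TEST_DIR}/compliance/tls-enforcement.test.ts`, `${TEST_DIR}/oidc.test.ts`];
console.log(findUntested(SAMPLE_APP_TS, SAMPLE_TESTS), findUntestedByPrefix(SAMPLE_APP_TS, SAMPLE_TESTS));
```

Keying on the URL prefix reports only billing for this input, because oidc.test.ts satisfies /api/v1/oidc for all three routers mounted there; keying on the factory name also surfaces the trust-policy and token-exchange routers.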

Required Action

Create integration test files for each of the 7 missing route groups. Each test must:

  • Test the happy path for all primary endpoints in the route group
  • Test authentication failures (missing/invalid token)
  • Test authorization failures (insufficient scope)
  • Test input validation (malformed request body, missing required fields)
  • Test key edge cases relevant to the route's business logic

Priority order (highest risk first):

  1. oidc-token-exchange (security — authentication path)
  2. billing (revenue-critical — Stripe integration)
  3. tiers (rate limiting — tenant access control)
  4. webhooks (reliability — event delivery)
  5. analytics, marketplace, oidc-trust-policies

CTO Response

Confirmed. Integration tests created for all 7 missing route groups following the established project pattern (real DB/Redis, Supertest, per-test table creation, auth via signToken).

Resolution

Files created:

| File | Routes Tested | Tests |
|---|---|---|
| tests/integration/analytics.test.ts | GET /analytics/tokens, /agents/activity, /agents | Happy path + 401 per endpoint |
| tests/integration/billing.test.ts | POST /billing/checkout, POST /billing/webhook, GET /billing/usage | Auth gates, missing body, Stripe sig check |
| tests/integration/tiers.test.ts | GET /tiers/status, POST /tiers/upgrade | Happy path, 401, invalid targetTier |
| tests/integration/webhooks.test.ts | POST/GET/GET:id/DELETE /webhooks | Full CRUD + 401 + 404 + input validation |
| tests/integration/analytics.test.ts | GET /analytics/tokens, /agents/activity, /agents | Auth gates, ?days= param |
| tests/integration/marketplace.test.ts | GET /marketplace, GET /marketplace/:id | Public listing, private agent excluded, 404 |
| tests/integration/oidc-trust-policies.test.ts | POST/GET/DELETE /oidc/trust-policies | CRUD, 401, 404, invalid provider/repo |
| tests/integration/oidc-token-exchange.test.ts | POST /oidc/token | Missing fields, invalid JWT, trust policy enforcement |

All tests follow the organizations.test.ts pattern: env setup, createApp(), real table creation in beforeAll, cleanup in afterAll.