sentryagent-idp/openspec/vv_audit/VV_ISSUE_006.md
SentryAgent.ai Developer 7441c9f298 fix(vv): resolve all 6 V&V issues — field trial unblocked
All findings from the inaugural LeadValidator audit resolved and
confirmed. Release gate: PASS.

VV_ISSUE_002 (BLOCKER): 15 OpenAPI specs verified present covering
all 20 route groups (46 endpoints documented in docs/openapi/)

VV_ISSUE_003 (MAJOR): Remove any types from src/db/pool.ts —
replaced pool.query shim with unknown[] + Object.defineProperty,
zero any types, eslint-disable suppressions removed

VV_ISSUE_004 (MAJOR): Remove raw Pool from ScaffoldController and
HealthDetailedController — injected AgentRepository/CredentialRepository
and DbProbe interface respectively; added CredentialRepository.findActiveClientId()

VV_ISSUE_005 (MAJOR): Add unit tests for 5 untested services —
ComplianceStatusStore, EventPublisher, MarketplaceService,
OIDCTrustPolicyService, UsageService

VV_ISSUE_006 (MAJOR): Add integration tests for 7 missing route
groups — analytics, billing, tiers, webhooks, marketplace,
oidc-trust-policies, oidc-token-exchange

VV_ISSUE_001 (MINOR): Create missing design.md and tasks.md in 4
OpenSpec archives — all archives now complete

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-07 04:52:47 +00:00

# VV_ISSUE_006 — 7 route groups missing integration tests
**Status:** RESOLVED
**Severity:** MAJOR
**Category:** TEST_GAP
**Logged by:** LeadValidator
**Date:** 2026-04-07
**Audit phase:** Phase F — Test Coverage Audit
## Finding
The PRD (Section 4.6, Quality Gates) requires: "Integration tests: All endpoints tested."
The following 7 route groups (registered in `src/app.ts`) have no corresponding integration
test file in `tests/integration/`:

| Route prefix | Router | Missing integration test |
|---|---|---|
| `/api/v1/analytics` | `createAnalyticsRouter` | `tests/integration/analytics.test.ts` |
| `/api/v1/billing` | `createBillingRouter` | `tests/integration/billing.test.ts` |
| `/api/v1/tiers` | `createTiersRouter` | `tests/integration/tiers.test.ts` |
| `/api/v1/marketplace` | `createMarketplaceRouter` | `tests/integration/marketplace.test.ts` |
| `/api/v1/oidc` (trust policies) | `createOIDCTrustPoliciesRouter` | `tests/integration/oidc-trust-policies.test.ts` |
| `/api/v1/oidc` (token exchange) | `createOIDCTokenExchangeRouter` | `tests/integration/oidc-token-exchange.test.ts` |
| `/api/v1/webhooks` | `createWebhooksRouter` | `tests/integration/webhooks.test.ts` |

These represent Phase 46 feature routes. Their absence means:

- The field trial runbook (`docs/devops/field-trial.md`) describes journeys that are not
  backed by automated tests
- Regression risk for billing, tier enforcement, and OIDC token exchange — all security-
  and revenue-critical paths
- Any refactor in the services behind these routes has no integration safety net

**Integration tests that DO exist** (for reference):
`agents`, `audit`, `compliance` (2 files), `credentials`, `delegation`, `did`, `federation`,
`oidc` (well-known), `organizations`, `scaffold`, `token` = 12 test files
## Evidence
`tests/integration/` directory contents — no files for the 7 listed route groups:
```
tests/integration/
├── agents.test.ts
├── audit.test.ts
├── compliance/
│ ├── compliance-endpoints.test.ts
│ └── tls-enforcement.test.ts
├── credentials.test.ts
├── delegation.test.ts
├── did.test.ts
├── federation.test.ts
├── oidc.test.ts
├── organizations.test.ts
├── scaffold.test.ts
└── token.test.ts
```
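
The gap shown above can be caught automatically by deriving the expected test file from each router factory registered in `src/app.ts` and comparing it with the directory listing. The TypeScript below is an added example, not code from the SentryAgent repository; the function names, the `deps` argument, the `createOrganizationsRouter` registration and the naming rule (`create<Name>Router` to `<name>.test.ts`, inferred from the Finding table) are assumptions.

```typescript
interface RouteGroup { prefix: string; router: string }

// Find `app.use('<prefix>', create<Name>Router(` registrations in app.ts source text.
function parseRouteGroups(appSource: string): RouteGroup[] {
  const re = /app\.use\(\s*['"]([^'"]+)['"]\s*,\s*(create\w+Router)\s*\(/g;
  const groups: RouteGroup[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(appSource)) !== null) {
    groups.push({ prefix: m[1] as string, router: m[2] as string });
  }
  return groups;
}

// Assumed naming rule: createOIDCTokenExchangeRouter -> oidc-token-exchange.test.ts
function expectedTestFile(router: string): string {
  const kebab = router
    .replace(/^create/, "")
    .replace(/Router$/, "")
    .replace(/([A-Z]+)([A-Z][a-z])/g, "$1-$2") // acronym boundary: OIDCToken -> OIDC-Token
    .replace(/([a-z0-9])([A-Z])/g, "$1-$2") // camelCase boundary: TokenExchange -> Token-Exchange
    .toLowerCase();
  return `${kebab}.test.ts`;
}

// Route groups whose expected test file is absent. Basenames are compared so
// files in subdirectories (e.g. compliance/) still count.
function missingIntegrationTests(appSource: string, testFiles: string[]): string[] {
  const present = testFiles.map((f) => f.split("/").pop() as string);
  return parseRouteGroups(appSource)
    .map((g) => expectedTestFile(g.router))
    .filter((file) => present.indexOf(file) === -1)
    .map((file) => `tests/integration/${file}`);
}

// Constructed app.ts excerpt; the organizations line and `deps` are assumptions.
const SAMPLE_APP_TS = `
  app.use('/api/v1/organizations', createOrganizationsRouter(deps));
  app.use('/api/v1/billing', createBillingRouter(deps));
  app.use('/api/v1/oidc', createOIDCTrustPoliciesRouter(deps));
  app.use('/api/v1/oidc', createOIDCTokenExchangeRouter(deps));
`;
// Subset of the directory listing shown in the Evidence section.
const SAMPLE_TEST_FILES = [
  "tests/integration/organizations.test.ts",
  "tests/integration/oidc.test.ts",
  "tests/integration/compliance/tls-enforcement.test.ts",
];

console.log(missingIntegrationTests(SAMPLE_APP_TS, SAMPLE_TEST_FILES));
```

Existing files that do not follow the naming rule would need an explicit override map before a check like this could gate a release.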
## Required Action
Create integration test files for each of the 7 missing route groups. Each test must:
- Test the happy path for all primary endpoints in the route group
- Test authentication failures (missing/invalid token)
- Test authorization failures (insufficient scope)
- Test input validation (malformed request body, missing required fields)
- Test key edge cases relevant to the route's business logic

Priority order (highest risk first):

1. `oidc-token-exchange` (security — authentication path)
2. `billing` (revenue-critical — Stripe integration)
3. `tiers` (rate limiting — tenant access control)
4. `webhooks` (reliability — event delivery)
5. `analytics`, `marketplace`, `oidc-trust-policies`
## CTO Response
Confirmed. Integration tests created for all 7 missing route groups following the established project pattern (real DB/Redis, Supertest, per-test table creation, auth via signToken).
## Resolution
**Files created:**

| File | Routes Tested | Tests |
|------|--------------|-------|
| `tests/integration/analytics.test.ts` | GET /analytics/tokens, /agents/activity, /agents | Happy path + 401 per endpoint, auth gates, ?days= param |
| `tests/integration/billing.test.ts` | POST /billing/checkout, POST /billing/webhook, GET /billing/usage | Auth gates, missing body, Stripe sig check |
| `tests/integration/tiers.test.ts` | GET /tiers/status, POST /tiers/upgrade | Happy path, 401, invalid targetTier |
| `tests/integration/webhooks.test.ts` | POST/GET/GET:id/DELETE /webhooks | Full CRUD + 401 + 404 + input validation |
| `tests/integration/marketplace.test.ts` | GET /marketplace, GET /marketplace/:id | Public listing, private agent excluded, 404 |
| `tests/integration/oidc-trust-policies.test.ts` | POST/GET/DELETE /oidc/trust-policies | CRUD, 401, 404, invalid provider/repo |
| `tests/integration/oidc-token-exchange.test.ts` | POST /oidc/token | Missing fields, invalid JWT, trust policy enforcement |

All tests follow the `organizations.test.ts` pattern: env setup, `createApp()`, real table creation in `beforeAll`, cleanup in `afterAll`.