fix(ci): resolve Test Suite, Playwright E2E, and CodeQL failures#77
Open
devin-ai-integration[bot] wants to merge 7 commits into
Open
fix(ci): resolve Test Suite, Playwright E2E, and CodeQL failures#77devin-ai-integration[bot] wants to merge 7 commits into
devin-ai-integration[bot] wants to merge 7 commits into
Conversation
Vitest 4 requires vi.fn() mock implementations to use 'function' or 'class' (not arrow functions) to be usable with 'new'. The SignJWT mock used an arrow function, so 'new SignJWT()' in the agent login path threw 'is not a constructor', causing 4 agent.login test failures. Converted all 14 jose mocks to function form. Co-Authored-By: Patrick Munis <pmunis@gmail.com>
- Add all production-required env vars + SECURITY_FAIL_OPEN=true to the Playwright and k6-smoke jobs so the server starts and the security orchestrator fails open when the Rust/Go/Python sidecars are absent in CI. - Seed agent/admin/supervisor fixtures (scripts/seed-e2e.mjs) before the E2E and smoke runs so AGT001/1234 login works. - AgentLogin: add data-digit hooks to the PIN pad and read the agent code from a ref so a fast Continue click uses the latest keyed value (fixes a controlled-input race under automation). - Remove the duplicate CodeQL job from security-scan.yml; codeql.yml is the single authoritative analysis (fixes the SARIF category collision). Co-Authored-By: Patrick Munis <pmunis@gmail.com>
Contributor
Author
Original prompt from Patrick
|
Contributor
Author
🤖 Devin AI EngineerI'll be helping with this pull request! Here's what you should know: ✅ I will automatically:
Note: I can only respond to comments from users who have write access to this repository. ⚙️ Control Options:
|
Co-Authored-By: Patrick Munis <pmunis@gmail.com>
…selector
- CodeQL Python: drop the mass 'pip install every requirements.txt' loop that
exhausted the runner disk (~80MB left) and crashed analyze; CodeQL uses
buildless Python extraction and does not need installed deps.
- E2E: the post-login dashboard gate expect(page.locator('text=Cash In'))
matched two legitimate elements (quick-action chip + dashboard tile),
a strict-mode violation. Add .first() to match the click on the next line.
Co-Authored-By: Patrick Munis <pmunis@gmail.com>
Co-Authored-By: Patrick Munis <pmunis@gmail.com>
…orkflow The active E2E check is e2e-playwright.yml (NODE_ENV=test), which seeded only via seed-comprehensive.mjs — randomized AGT#### agents with no PIN hash. The specs log in as AGT001/1234, ADMIN1/0000, SUP001/9999, so login never reached the dashboard and every post-login assertion failed. Add scripts/seed-e2e.mjs (idempotent upsert of the fixtures) after the comprehensive seed. Co-Authored-By: Patrick Munis <pmunis@gmail.com>
…ctors The in-process connection throttle (50 req/10s) and per-IP rate limiters return 503/429 when Playwright drives the whole app from a single IP, so the app shell and API become unreachable mid-suite. Gate them behind an explicit, default-off DISABLE_RATE_LIMITS flag and set it for the E2E jobs. Also fix two genuine test-selector bugs in spec 08 (strict-mode match on the SSO text, and a malformed mixed CSS+text selector for the PIN pad). Co-Authored-By: Patrick Munis <pmunis@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes the three CI failure classes discovered after PR #61 merged into
main:1. Test Suite — 4
agent.loginfailures (already committed here).Under vitest 4 + node 22,
new SignJWT()in tests failed because thejosemock used an arrow function (not constructable). Switched the mock to a regularfunctionso it can be constructed. Full suite: 4299 pass, 0 fail.2. Playwright E2E — server never started / every request blocked / no login fixture.
Three independent root causes, all fixed:
NODE_ENV=production,server/lib/envValidation.tsrequires 14 secrets and exits if any is missing. The Playwright/k6 jobs only setJWT_SECRET. Added the remaining required vars as CI test values./api/*request returned429 "DDoS service unavailable".securityOrchestrator.tsfails closed in production (SECURITY_FAIL_OPENdefaults to false), so when the Rust DDoS / Go PBAC / Python Fraud sidecars are absent — as they are in CI — all requests are blocked. Set the documented escape hatchSECURITY_FAIL_OPEN=truefor the CI jobs (production deployments still run the sidecars and stay fail-closed).scripts/seed-e2e.mjs(schema-correct camelCase columns, bcrypt-hashed PINs, idempotent upsert) and a seed step before the Playwright and k6 runs, providingAGT001/1234,ADMIN1/0000,SUP001/9999.Also two client fixes so the login flow drives cleanly under automation (verified locally end-to-end through PIN entry → dashboard):
data-digitattributes to the PIN pad buttons (the E2E selectorbutton[data-digit="1"]had no matching hook).AgentLoginnow reads the agent code from aref, so a fast Continue click uses the latest keyed value instead of a stale controlled-input state (previously produced a spurious "Enter a valid agent code").3. CodeQL check collision.
Two workflows defined a check named "CodeQL Analysis" for
javascript-typescript(codeql.ymland a duplicate job insecurity-scan.yml), uploading two SARIFs for the same category → collision that failed the check. Removed the duplicate;codeql.yml(JS/TS + Go + Python) is the single authoritative run.Notes / follow-up
text=Cash Inmatches two elements → Playwright strict-mode violation) and some admin/MDM/CBN specs assume domain fixtures beyond the login seed. These are stale-selector / missing-fixture issues in the specs, not app regressions — I'd like your call on whether to update those specs vs. expand the seed data before touching them.actions/checkout@v7,actions/upload-artifact@v7) came from dependabot bumps and are left as-is.Link to Devin session: https://app.devin.ai/sessions/3ebd42bf0430422a9a2bd85ed9f9cd4c
Requested by: @munisp