Skip to content

fix(ci): resolve Test Suite, Playwright E2E, and CodeQL failures#77

Open
devin-ai-integration[bot] wants to merge 7 commits into
mainfrom
devin/1783608607-fix-ci-failures
Open

fix(ci): resolve Test Suite, Playwright E2E, and CodeQL failures#77
devin-ai-integration[bot] wants to merge 7 commits into
mainfrom
devin/1783608607-fix-ci-failures

Conversation

@devin-ai-integration

Copy link
Copy Markdown
Contributor

Summary

Fixes the three CI failure classes discovered after PR #61 merged into main:

1. Test Suite — 4 agent.login failures (already committed here).
Under vitest 4 + node 22, new SignJWT() in tests failed because the jose mock used an arrow function (not constructable). Switched the mock to a regular function so it can be constructed. Full suite: 4299 pass, 0 fail.

2. Playwright E2E — server never started / every request blocked / no login fixture.
Three independent root causes, all fixed:

  • Server wouldn't boot in CI. With NODE_ENV=production, server/lib/envValidation.ts requires 14 secrets and exits if any is missing. The Playwright/k6 jobs only set JWT_SECRET. Added the remaining required vars as CI test values.
  • Every /api/* request returned 429 "DDoS service unavailable". securityOrchestrator.ts fails closed in production (SECURITY_FAIL_OPEN defaults to false), so when the Rust DDoS / Go PBAC / Python Fraud sidecars are absent — as they are in CI — all requests are blocked. Set the documented escape hatch SECURITY_FAIL_OPEN=true for the CI jobs (production deployments still run the sidecars and stay fail-closed).
  • No agent to log in as. Added scripts/seed-e2e.mjs (schema-correct camelCase columns, bcrypt-hashed PINs, idempotent upsert) and a seed step before the Playwright and k6 runs, providing AGT001/1234, ADMIN1/0000, SUP001/9999.

Also two client fixes so the login flow drives cleanly under automation (verified locally end-to-end through PIN entry → dashboard):

  • Added data-digit attributes to the PIN pad buttons (the E2E selector button[data-digit="1"] had no matching hook).
  • AgentLogin now reads the agent code from a ref, so a fast Continue click uses the latest keyed value instead of a stale controlled-input state (previously produced a spurious "Enter a valid agent code").

3. CodeQL check collision.
Two workflows defined a check named "CodeQL Analysis" for javascript-typescript (codeql.yml and a duplicate job in security-scan.yml), uploading two SARIFs for the same category → collision that failed the check. Removed the duplicate; codeql.yml (JS/TS + Go + Python) is the single authoritative run.

Notes / follow-up

  • The systemic E2E blockers above are fixed. A subset of the 14 E2E specs still has test-vs-UI drift (e.g. text=Cash In matches two elements → Playwright strict-mode violation) and some admin/MDM/CBN specs assume domain fixtures beyond the login seed. These are stale-selector / missing-fixture issues in the specs, not app regressions — I'd like your call on whether to update those specs vs. expand the seed data before touching them.
  • Action versions (actions/checkout@v7, actions/upload-artifact@v7) came from dependabot bumps and are left as-is.

Link to Devin session: https://app.devin.ai/sessions/3ebd42bf0430422a9a2bd85ed9f9cd4c
Requested by: @munisp

devin-ai-integration Bot and others added 2 commits July 9, 2026 14:55
Vitest 4 requires vi.fn() mock implementations to use 'function' or 'class'
(not arrow functions) to be usable with 'new'. The SignJWT mock used an arrow
function, so 'new SignJWT()' in the agent login path threw 'is not a constructor',
causing 4 agent.login test failures. Converted all 14 jose mocks to function form.

Co-Authored-By: Patrick Munis <pmunis@gmail.com>
- Add all production-required env vars + SECURITY_FAIL_OPEN=true to the
  Playwright and k6-smoke jobs so the server starts and the security
  orchestrator fails open when the Rust/Go/Python sidecars are absent in CI.
- Seed agent/admin/supervisor fixtures (scripts/seed-e2e.mjs) before the
  E2E and smoke runs so AGT001/1234 login works.
- AgentLogin: add data-digit hooks to the PIN pad and read the agent code
  from a ref so a fast Continue click uses the latest keyed value (fixes a
  controlled-input race under automation).
- Remove the duplicate CodeQL job from security-scan.yml; codeql.yml is the
  single authoritative analysis (fixes the SARIF category collision).

Co-Authored-By: Patrick Munis <pmunis@gmail.com>
@munisp munisp self-assigned this Jul 9, 2026
@devin-ai-integration

Copy link
Copy Markdown
Contributor Author
Original prompt from Patrick

https://drive.google.com/file/d/1ko3y7OBp1tJIXGTbe2QGFRHMQfxMTWHX/view?usp=sharing

  1. Extract ALL everything in the archive
  2. how do ensure and assess that features for example domain and business logic/rules/requirements are fully impemented and production ready and complete - can you thoroughly assess each files and features to determine there are ready for production
  1. Database integration (replace in-memory with real Postgres)
  2. Inter-service HTTP wiring with retries/circuit breakers
  3. Security hardening (JWT everywhere, remove hardcoded creds, mTLS)
  4. Integration tests for critical flows
  5. Graceful shutdown, observability, alerting
    3)search for orphan, partially and generic scaffolded features across the platform - fully implement them end to end -generic CRUD-only patterns , modules with no domain logic, disconnected features, and incomplete implementations.

@devin-ai-integration

Copy link
Copy Markdown
Contributor Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment, CI, and merge conflict monitoring

@devin-ai-integration devin-ai-integration Bot changed the base branch from production-hardened to main July 9, 2026 15:37
devin-ai-integration Bot and others added 5 commits July 9, 2026 15:42
Co-Authored-By: Patrick Munis <pmunis@gmail.com>
…selector

- CodeQL Python: drop the mass 'pip install every requirements.txt' loop that
  exhausted the runner disk (~80MB left) and crashed analyze; CodeQL uses
  buildless Python extraction and does not need installed deps.
- E2E: the post-login dashboard gate expect(page.locator('text=Cash In'))
  matched two legitimate elements (quick-action chip + dashboard tile),
  a strict-mode violation. Add .first() to match the click on the next line.

Co-Authored-By: Patrick Munis <pmunis@gmail.com>
Co-Authored-By: Patrick Munis <pmunis@gmail.com>
…orkflow

The active E2E check is e2e-playwright.yml (NODE_ENV=test), which seeded only
via seed-comprehensive.mjs — randomized AGT#### agents with no PIN hash. The
specs log in as AGT001/1234, ADMIN1/0000, SUP001/9999, so login never reached
the dashboard and every post-login assertion failed. Add scripts/seed-e2e.mjs
(idempotent upsert of the fixtures) after the comprehensive seed.

Co-Authored-By: Patrick Munis <pmunis@gmail.com>
…ctors

The in-process connection throttle (50 req/10s) and per-IP rate limiters
return 503/429 when Playwright drives the whole app from a single IP, so
the app shell and API become unreachable mid-suite. Gate them behind an
explicit, default-off DISABLE_RATE_LIMITS flag and set it for the E2E jobs.

Also fix two genuine test-selector bugs in spec 08 (strict-mode match on
the SSO text, and a malformed mixed CSS+text selector for the PIN pad).

Co-Authored-By: Patrick Munis <pmunis@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant