Skip to content

test: comprehensive unit + e2e coverage across SDK (stacked on #132)#133

Draft
zeevmoney wants to merge 8 commits into
per-15315/vitest-event-based-testsfrom
per-15317/comprehensive-sdk-tests
Draft

test: comprehensive unit + e2e coverage across SDK (stacked on #132)#133
zeevmoney wants to merge 8 commits into
per-15315/vitest-event-based-testsfrom
per-15317/comprehensive-sdk-tests

Conversation

@zeevmoney

Copy link
Copy Markdown
Contributor
  • What kind of change does this PR introduce?

    Test coverage. PR#3 of a 3-PR stack — stacked on test: migrate AVA→Vitest with event-based waits (stacked on #131) #132 (base branch per-15315/vitest-event-based-tests, not main). Tests-only — zero SDK source changes. Linear: PER-15317.

  • What is the current behavior?

    After the Vitest migration (test: migrate AVA→Vitest with event-based waits (stacked on #131) #132), the suite covers retry/config/wait-for-sync units, control-plane integration, and the RBAC/ReBAC/facts/bulk/lists e2e flows — but most individual API-module methods have no fast unit coverage, and ABAC (condition sets) has no e2e.

  • What is the new behavior?

    Comprehensive unit + e2e coverage across the SDK:

    • Shared mock seam src/tests/helpers/mock-api.tscreateMockPermit() installs a capturing axios adapter on all three transports (REST config.axiosInstance, PDP enforcer.client, OPA enforcer.opaClient) and seeds API context with no network. The mock sits below all SDK logic, so the generated client's real path/param/body construction and handleApiError mapping execute for real — these tests catch regressions, they are not tautological.
    • Unit specs for every API module: resources, roles, resource-roles (incl. role-derivation/implicit-grants), role-assignments, users, tenants, resource-instances, resource-relations, relationship-tuples, condition-sets, condition-set-rules, resource-actions/attributes/action-groups, projects, environments, elements, deprecated — asserting HTTP method, scoped path, body, pagination/filter params (camelCase→snake_case), and 404/409 → PermitApiError.
    • Enforcer specs: check (string-resource parsing, default-tenant injection, OPA vs PDP path, response shaping), bulkCheck, getUserPermissions, checkAllTenants, throwOnError, and timeout passthrough.
    • Utils/config specs: context, dict, regex, http-logger, and config env parsing.
    • One new ABAC e2e e2e/condition-sets.e2e.spec.ts — the only significant flow with no prior e2e — following PR#2's conventions (unique-prefixed keys, waitForCheck not sleeps, complete tolerant afterAll, order-independent).
  • Other information:

    Tests

    • Unit tests added for all public API-module methods, the enforcer, and utils/config
    • Mocks used for all external dependencies (axios adapter seam; no network)
    • Integration/e2e: one ABAC e2e added (runs in test:ci:full on CI; not runnable locally without a backend)
    • Full no-backend suite (yarn test:ci:unit): 342 tests pass; lint clean.

    Two latent SDK bugs surfaced (characterization tests assert current behavior, clearly flagged in-code; not fixed here):

    • Enforcer.checkAllTenants sends {headers,params} as the POST body instead of axios config — tracked as PER-15318.
    • Enforcer's PermitPDPStatusError is effectively unreachable: a trailing .catch re-wraps non-200 PDP responses as PermitConnectionError. Worth a follow-up fix + Linear issue.

    Deferred follow-ups (low value, noted by review)

    • bulkCheck/getUserPermissions global-config.timeout fallback (per-call timeout is tested); checkAllTenants error path.

Generated with Claude Code

Add a shared mock seam (src/tests/helpers/mock-api.ts, createMockPermit)
that patches the axios adapter on the REST, PDP and OPA transports and
seeds API context without network, then add unit specs covering every
API module (resources, roles, resource-roles, role-assignments, users,
tenants, resource-instances, resource-relations, relationship-tuples,
condition-sets, condition-set-rules, resource-actions/attributes/
action-groups, projects, environments, elements, deprecated), the
enforcer (check/bulkCheck/getUserPermissions/checkAllTenants, string
parsing, default-tenant, OPA path, response shaping, throwOnError) and
the utils/config layer. Add one ABAC e2e (condition-sets) following the
event-based, self-cleaning conventions.

262 new unit tests; full no-backend suite is 333 tests. Tests-only; no
SDK source changes. Tests assert current behavior of two latent bugs
(checkAllTenants payload PER-15318; unreachable PermitPDPStatusError),
flagged in-code, not fixed here.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@linear-code

linear-code Bot commented Jun 28, 2026

Copy link
Copy Markdown

PER-15317

zeevmoney and others added 7 commits June 28, 2026 23:42
…rehensive-sdk-tests

* per-15315/vitest-event-based-tests:
  ci: run unit/integration/module-imports on PR, defer e2e to next PR
…rehensive-sdk-tests

* per-15315/vitest-event-based-tests:
  ci: run on all pull requests, not only those targeting main
…rehensive-sdk-tests

* per-15315/vitest-event-based-tests:
  ci: pin PDP connection to IPv4 (127.0.0.1) in the backend test run
…rehensive-sdk-tests

* per-15315/vitest-event-based-tests:
  test: make rbac useOpa checks opt-in and widen rebac CI budget
…rehensive-sdk-tests

* per-15315/vitest-event-based-tests:
  test: poll the rbac multi-result reads to remove propagation races
A userset condition set referencing user.<attr> requires that attribute
to exist on the built-in user resource; users.sync alone doesn't register
it, so the condition-set creation failed with 400 MISSING_RESOURCE_ATTRIBUTE.
Register a run-unique attribute on the __user resource before creating the
userset, reference it consistently in the condition and the synced users,
and remove it in the tolerant afterAll.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Condition sets compile to new policy (rego), which propagates slower than
role/fact writes, so the 60s default left the ABAC check timing out in CI
before the policy took effect. Match the heavier rebac budget.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant