zclaw_openfang

iven/zclaw_openfang

Fork 0

Commit Graph

Author	SHA1	Message	Date
iven	2e70e1a3f8	test: add 30 smoke tests for break detection across SaaS/Admin/Desktop Some checks failed CI / Lint & TypeCheck (push) Has been cancelled Details CI / Unit Tests (push) Has been cancelled Details CI / Build Frontend (push) Has been cancelled Details CI / Rust Check (push) Has been cancelled Details CI / Security Scan (push) Has been cancelled Details CI / E2E Tests (push) Has been cancelled Details Layer 1 断裂探测矩阵: - S1-S6: SaaS API 端到端 (auth/lockout/relay/permissions/billing/knowledge) - A1-A6: Admin V2 连通性 (login/dashboard/CRUD/knowledge/roles/models) - D1-D6: Desktop 聊天流 (gateway/kernel/relay/cancel/offline/error) - F1-F6: Desktop 功能闭环 (agent/hands/pipeline/memory/butler/skills) - X1-X6: 跨系统闭环 (provider→desktop/disabled user/knowledge/stats/totp/billing) Also adds: admin-v2 Playwright config, updated spec doc with cross-reference Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-10 09:47:35 +08:00
iven	c37c7218c2	test(saas): add 36 security/validation/permission tests (184 total, 0 failures) Some checks failed CI / Lint & TypeCheck (push) Has been cancelled Details CI / Unit Tests (push) Has been cancelled Details CI / Build Frontend (push) Has been cancelled Details CI / Rust Check (push) Has been cancelled Details CI / Security Scan (push) Has been cancelled Details CI / E2E Tests (push) Has been cancelled Details New test files: - auth_security_test.rs (12): account lockout DB state, lockout reset, password version invalidation, disabled account, refresh token revocation, boundary validation (username/password), role enforcement, TOTP 2FA flow - account_security_test.rs (9): role management, privilege escalation prevention, account disable/enable, cross-account access control, operation logs - relay_validation_test.rs (8): input validation (missing fields, empty messages, invalid roles), disabled provider, model listing, task isolation - permission_matrix_test.rs (7): super_admin full access, user allowed/ forbidden endpoints, public endpoints, unauthenticated rejection, API token lifecycle Discovered: account lockout runtime check broken — handlers.rs:213 parse_from_rfc3339 fails on PostgreSQL TIMESTAMPTZ::TEXT format, silently skipping lockout. DB state is correct but login not rejected.	2026-04-10 08:11:02 +08:00

Author

SHA1

Message

Date

iven

2e70e1a3f8

test: add 30 smoke tests for break detection across SaaS/Admin/Desktop

CI / Lint & TypeCheck (push) Has been cancelled

Details

CI / Unit Tests (push) Has been cancelled

Details

CI / Build Frontend (push) Has been cancelled

Details

CI / Rust Check (push) Has been cancelled

Details

CI / Security Scan (push) Has been cancelled

Details

CI / E2E Tests (push) Has been cancelled

Details

Layer 1 断裂探测矩阵:
- S1-S6: SaaS API 端到端 (auth/lockout/relay/permissions/billing/knowledge)
- A1-A6: Admin V2 连通性 (login/dashboard/CRUD/knowledge/roles/models)
- D1-D6: Desktop 聊天流 (gateway/kernel/relay/cancel/offline/error)
- F1-F6: Desktop 功能闭环 (agent/hands/pipeline/memory/butler/skills)
- X1-X6: 跨系统闭环 (provider→desktop/disabled user/knowledge/stats/totp/billing)

Also adds: admin-v2 Playwright config, updated spec doc with cross-reference

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-04-10 09:47:35 +08:00

iven

c37c7218c2

test(saas): add 36 security/validation/permission tests (184 total, 0 failures)

CI / Lint & TypeCheck (push) Has been cancelled

Details

CI / Unit Tests (push) Has been cancelled

Details

CI / Build Frontend (push) Has been cancelled

Details

CI / Rust Check (push) Has been cancelled

Details

CI / Security Scan (push) Has been cancelled

Details

CI / E2E Tests (push) Has been cancelled

Details

New test files:
- auth_security_test.rs (12): account lockout DB state, lockout reset,
  password version invalidation, disabled account, refresh token
  revocation, boundary validation (username/password), role enforcement,
  TOTP 2FA flow
- account_security_test.rs (9): role management, privilege escalation
  prevention, account disable/enable, cross-account access control,
  operation logs
- relay_validation_test.rs (8): input validation (missing fields, empty
  messages, invalid roles), disabled provider, model listing, task
  isolation
- permission_matrix_test.rs (7): super_admin full access, user allowed/
  forbidden endpoints, public endpoints, unauthenticated rejection,
  API token lifecycle

Discovered: account lockout runtime check broken — handlers.rs:213
parse_from_rfc3339 fails on PostgreSQL TIMESTAMPTZ::TEXT format,
silently skipping lockout. DB state is correct but login not rejected.

2026-04-10 08:11:02 +08:00

2 Commits