TST-54: Rigorous test expansion wave tracker (2026-04-03)

[Chris0Jeky]

Overview

Master tracker for the rigorous test expansion wave seeded 2026-04-03. These issues are designed to push the system to its limits with integration tests, edge cases, adversarial inputs, and failure modes.

Current automated test count: ~4600+ (backend ~2990+ + frontend 1592 + E2E). Backend totals estimated after three 2026-04-04 delivery waves; full-suite recertification needed.

Security Bug Found During Audit

• SEC-20: ChangePassword does not verify caller identity — any user can change another user's password #722 — SEC-20: ChangePassword does not verify caller identity — FIXED in PR Fix ChangePassword identity bypass (SEC-20) #732

Priority I — Golden Path and Critical Gaps

• TST-36: Capture → triage → proposal → review → board end-to-end integration test #703 — Capture → triage → proposal → review → board end-to-end integration test — Delivered (PR TST-36: Golden path integration test for capture-to-board pipeline #735, 7 tests)

Priority II — Security and Data Integrity

• TST-32: Infrastructure repository integration tests — SQLite query correctness #699 — Infrastructure repository integration tests — Delivered (PR Add infrastructure repository integration tests (#699) #730, 77 tests)
• TST-33: LlmQueueToProposalWorker integration tests — the untested critical path #700 — LlmQueueToProposalWorker tests — Delivered (PR TST-33: Add LlmQueueToProposalWorker integration tests #734, 24 tests)
• TST-35: Controller HTTP integration tests — untested API surfaces #702 — Controller HTTP integration tests — Delivered (PR Add HTTP integration tests for untested API surfaces #738, 67 tests)
• TST-37: Cross-user data isolation integration tests — prove no data leaks #704 — Cross-user data isolation tests — Delivered (PR Add cross-user data isolation integration tests #733, 38 tests)
• TST-38: Concurrency and race condition stress tests #705 — Concurrency and race condition stress tests — Open
• TST-40: OAuth and authentication edge case integration tests #707 — OAuth and authentication edge cases — Delivered (PR TST-40: OAuth and authentication edge case tests #737, 44 tests)
• TST-55: OAuth static auth code store and token lifecycle integration tests #723 — OAuth static auth code store and token lifecycle tests — Open
• TST-56: Frontend HTTP interceptor and router auth guard tests #725 — Frontend HTTP interceptor and router auth guard tests — Open

Priority III — Depth and Confidence

• TST-34: Domain entity state machine exhaustive tests — CommandRun, ArchiveItem, ChatSession #701 — Domain entity state machine exhaustive tests — Delivered (PR Test: exhaustive domain entity state machine tests (#701) #740, 174 tests)
• TST-39: SignalR hub and realtime integration tests #706 — SignalR hub and realtime integration tests — Delivered (PR Test: SignalR hub and realtime integration tests (#706) #751, 19 tests)
• TST-41: Automation proposal lifecycle edge cases — expiry, conflict, partial execution #708 — Automation proposal lifecycle edge cases — Delivered (PR Add proposal lifecycle edge case tests (TST-41) #736, 74 tests)
• TST-42: LLM provider abstraction and tool-calling edge case tests #709 — LLM provider and tool-calling edge cases — Delivered (PR Test: LLM provider abstraction and tool-calling edge cases (#709) #747, 101 tests)
• TST-43: Webhook delivery reliability and SSRF boundary tests #710 — Webhook delivery reliability and SSRF boundary tests — Delivered (PR test: webhook delivery reliability and SSRF boundary (#710) #756, 78+ tests)
• TST-44: Frontend store integration tests — stores + real API module interaction #711 — Frontend store integration tests — Open
• TST-45: E2E scenario expansion — error states, edge journeys, and degraded modes #712 — E2E scenario expansion — Open
• TST-46: Data export/import round-trip integrity tests #713 — Data export/import round-trip integrity tests — Delivered (PR Test: data export/import round-trip integrity tests (#713) #752, 64 tests)
• TST-47: API error contract regression and boundary validation tests #714 — API error contract regression and boundary validation — Delivered (PR Test: API error contract regression and boundary validation (#714) #753, 57 tests)
• TST-48: Archive and restore lifecycle integration tests #715 — Archive and restore lifecycle integration tests — Delivered (PR Test: archive and restore lifecycle integration tests (#715) #755, 74 tests)
• TST-49: Frontend view and component coverage gaps — untested views and critical components #716 — Frontend view and component coverage gaps — Open
• TST-51: Board metrics and analytics accuracy verification tests #718 — Board metrics accuracy verification — Delivered (PR Test: board metrics and analytics accuracy verification (#718) #749, 61 tests)
• TST-52: Notification delivery, deduplication, and preference filtering integration tests #719 — Notification delivery and deduplication integration tests — Delivered (PR Test: notification delivery, deduplication, and preference filtering (#719) #746, 36 tests)
• TST-53: Resilience and degraded-mode behavior tests — what happens when things break #720 — Resilience and degraded-mode behavior tests — Open
• TST-57: Webhook HMAC signature verification and end-to-end delivery chain test #726 — Webhook HMAC signature verification — Delivered (PR test: webhook HMAC signature verification (#726) #750, 11 tests)

Priority IV — Hardening

• TST-50: Stress the boundaries — property-based and adversarial input tests #717 — Property-based and adversarial input tests — Open

Progress Summary

17 of 22 issues delivered (plus SEC-20 fix). ~960+ new tests across three delivery waves. 8 issues remain open: #705, #711, #712, #716, #717, #720, #723, #725.

Key Themes

1. Integration over isolation: Most services have good unit tests; the gaps are at integration boundaries where services interact
2. Cross-user data isolation: Multiple manual sessions surfaced data leaks — systematic proof needed
3. Security boundaries: ChangePassword identity bypass (SEC-20: ChangePassword does not verify caller identity — any user can change another user's password #722), OAuth code store scaling, JWT lifecycle
4. Failure modes and resilience: The "boring" paths that cause production incidents
5. Concurrency: SQLite + background workers + SignalR = many concurrent-access patterns worth stressing
6. The golden path: Capture → proposal → review → board is the product — one integration test for this is worth 100 unit tests
7. Frontend boundaries: HTTP interceptor and router auth guard are completely untested despite being crossed by every request

Relationship to Existing Issues

• Extends TST-15: Testing harness improvement wave tracker (2026-02-23 pack reconciliation) #254 (testing harness improvement wave, delivered)