test(ultraplan-local): add SC3(b) source_findings structural test

Synthetic plan.md fixture with source_findings: block-style YAML list of 3 40-char hex IDs in frontmatter, plus minimal plan structure (Title + Implementation Plan + 1 Step + Manifest). 3 tests verify: 1. plan-validator accepts a plan with source_findings (additive optional field) 2. frontmatter parser extracts source_findings as array of strings 3. each ID matches the 40-char lowercase hex format from finding-id.mjs Closes the SC3(b) gap flagged by adversarial review (scope-guardian Gap 2). LLM-level behavior (planner emitting source_findings) remains non-testable without live invocation; this covers the structural contract. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-01 17:23:30 +02:00 · 2026-05-01 17:23:30 +02:00 · ea715b65de
commit ea715b65de
parent dff278f02a
2 changed files with 107 additions and 0 deletions
--- a/plugins/ultraplan-local/tests/fixtures/ultrareview/plan-with-source-findings.md
+++ b/plugins/ultraplan-local/tests/fixtures/ultrareview/plan-with-source-findings.md
@ -0,0 +1,44 @@
+---
+plan_version: "1.7"
+source_findings:
+  - 763d174e6c519fafbadcba5d1706708479e36e61
+  - d2d0e27875ae9ef0d818cb08bb6f14e6d33c4232
+  - 7861519c326c207aabf17072db51c469bebc217b
+---
+
+# Remediation Plan: JWT auth review findings
+
+> Generated by ultraplan-local v3.2.0 on 2026-05-01 — `plan_version: 1.7`.
+>
+> Synthetic fixture — Handover 6 SC3(b) structural test only.
+
+## Context
+
+This synthetic plan is consumed by `tests/lib/source-findings.test.mjs` to verify
+the structural contract of Handover 6: a plan generated from a `type: ultrareview`
+brief carries a `source_findings:` block-style YAML list of 40-char hex IDs in
+its frontmatter. The IDs trace back to the consumed findings in `review.md`.
+
+This is NOT a runnable plan. It exists only to exercise the parser.
+
+## Implementation Plan
+
+### Step 1: Fix `UNIMPLEMENTED_CRITERION` in `lib/handlers/login.mjs:23`
+
+- **Files:** `lib/handlers/login.mjs`
+- **Changes:** Return 401 with WWW-Authenticate header when password mismatch occurs.
+- **Verify:** `node --test tests/handlers/login.test.mjs` → expected: pass.
+- **Checkpoint:** `git commit -m "fix(auth): login returns 401 on invalid credentials"`
+- **Manifest:**
+  ```yaml
+  manifest:
+    expected_paths:
+      - lib/handlers/login.mjs
+    min_file_count: 1
+    commit_message_pattern: "^fix\\(auth\\): login returns 401"
+    bash_syntax_check: []
+    forbidden_paths: []
+    must_contain:
+      - path: lib/handlers/login.mjs
+        pattern: "401"
+  ```
--- a/plugins/ultraplan-local/tests/lib/source-findings.test.mjs
+++ b/plugins/ultraplan-local/tests/lib/source-findings.test.mjs
@ -0,0 +1,63 @@
+// tests/lib/source-findings.test.mjs
+// SC3(b) structural test for Handover 6.
+//
+// The brief requires `plan.md` produced from a `type: ultrareview` brief to
+// contain `source_findings: [<id>, ...]` in its frontmatter. Without an
+// automated test, SC3(b) is unverified.
+//
+// This test exercises the STRUCTURAL contract:
+//   1. plan-validator accepts a plan with source_findings (additive optional field)
+//   2. frontmatter parser extracts source_findings as an array of strings
+//   3. each ID is 40-char hex (matches lib/parsers/finding-id.mjs format)
+//
+// LLM behavior (the planner actually emitting source_findings when it consumes
+// a review.md) is non-testable without live invocation — this test only covers
+// the schema half.
+
+import { test } from 'node:test';
+import { strict as assert } from 'node:assert';
+import { readFileSync } from 'node:fs';
+import { join, dirname } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { parseDocument } from '../../lib/util/frontmatter.mjs';
+import { validatePlan } from '../../lib/validators/plan-validator.mjs';
+
+const HERE = dirname(fileURLToPath(import.meta.url));
+const ROOT = join(HERE, '..', '..');
+const FIXTURE = join(ROOT, 'tests/fixtures/ultrareview/plan-with-source-findings.md');
+
+const HEX_ID_RE = /^[0-9a-f]{40}$/;
+
+test('plan-validator accepts plan.md with source_findings field', () => {
+  const result = validatePlan(FIXTURE, { strict: true });
+  assert.ok(
+    result.valid,
+    `plan-validator rejected synthetic plan with source_findings: ` +
+    `${(result.errors || []).map(e => `[${e.code}] ${e.message}`).join('; ')}`,
+  );
+});
+
+test('frontmatter parser extracts source_findings as array of strings', () => {
+  const text = readFileSync(FIXTURE, 'utf-8');
+  const doc = parseDocument(text);
+  assert.ok(doc.valid, `frontmatter did not parse: ${(doc.errors || []).map(e => e.message).join(', ')}`);
+  const sf = doc.parsed.frontmatter && doc.parsed.frontmatter.source_findings;
+  assert.ok(Array.isArray(sf), `frontmatter.source_findings is not an array (got ${typeof sf})`);
+  assert.ok(sf.length > 0, 'frontmatter.source_findings is empty — fixture should carry at least one ID');
+  for (const id of sf) {
+    assert.strictEqual(typeof id, 'string', `source_findings entry is not a string: ${JSON.stringify(id)}`);
+  }
+});
+
+test('source_findings IDs match the format from finding-id.mjs (40-char hex)', () => {
+  const text = readFileSync(FIXTURE, 'utf-8');
+  const doc = parseDocument(text);
+  const sf = doc.parsed.frontmatter.source_findings;
+  for (const id of sf) {
+    assert.ok(
+      HEX_ID_RE.test(id),
+      `source_findings ID ${JSON.stringify(id)} is not 40-char lowercase hex ` +
+      `(format produced by lib/parsers/finding-id.mjs computeFindingId)`,
+    );
+  }
+});