From ea715b65deed95b434c02e7603c97da9b3312561 Mon Sep 17 00:00:00 2001 From: Kjell Tore Guttormsen Date: Fri, 1 May 2026 17:23:30 +0200 Subject: [PATCH] test(ultraplan-local): add SC3(b) source_findings structural test Synthetic plan.md fixture with source_findings: block-style YAML list of 3 40-char hex IDs in frontmatter, plus minimal plan structure (Title + Implementation Plan + 1 Step + Manifest). 3 tests verify: 1. plan-validator accepts a plan with source_findings (additive optional field) 2. frontmatter parser extracts source_findings as array of strings 3. each ID matches the 40-char lowercase hex format from finding-id.mjs Closes the SC3(b) gap flagged by adversarial review (scope-guardian Gap 2). LLM-level behavior (planner emitting source_findings) remains non-testable without live invocation; this covers the structural contract. Co-Authored-By: Claude Opus 4.7 --- .../ultrareview/plan-with-source-findings.md | 44 +++++++++++++ .../tests/lib/source-findings.test.mjs | 63 +++++++++++++++++++ 2 files changed, 107 insertions(+) create mode 100644 plugins/ultraplan-local/tests/fixtures/ultrareview/plan-with-source-findings.md create mode 100644 plugins/ultraplan-local/tests/lib/source-findings.test.mjs diff --git a/plugins/ultraplan-local/tests/fixtures/ultrareview/plan-with-source-findings.md b/plugins/ultraplan-local/tests/fixtures/ultrareview/plan-with-source-findings.md new file mode 100644 index 0000000..72bf3df --- /dev/null +++ b/plugins/ultraplan-local/tests/fixtures/ultrareview/plan-with-source-findings.md @@ -0,0 +1,44 @@ +--- +plan_version: "1.7" +source_findings: + - 763d174e6c519fafbadcba5d1706708479e36e61 + - d2d0e27875ae9ef0d818cb08bb6f14e6d33c4232 + - 7861519c326c207aabf17072db51c469bebc217b +--- + +# Remediation Plan: JWT auth review findings + +> Generated by ultraplan-local v3.2.0 on 2026-05-01 — `plan_version: 1.7`. +> +> Synthetic fixture — Handover 6 SC3(b) structural test only. + +## Context + +This synthetic plan is consumed by `tests/lib/source-findings.test.mjs` to verify +the structural contract of Handover 6: a plan generated from a `type: ultrareview` +brief carries a `source_findings:` block-style YAML list of 40-char hex IDs in +its frontmatter. The IDs trace back to the consumed findings in `review.md`. + +This is NOT a runnable plan. It exists only to exercise the parser. + +## Implementation Plan + +### Step 1: Fix `UNIMPLEMENTED_CRITERION` in `lib/handlers/login.mjs:23` + +- **Files:** `lib/handlers/login.mjs` +- **Changes:** Return 401 with WWW-Authenticate header when password mismatch occurs. +- **Verify:** `node --test tests/handlers/login.test.mjs` → expected: pass. +- **Checkpoint:** `git commit -m "fix(auth): login returns 401 on invalid credentials"` +- **Manifest:** + ```yaml + manifest: + expected_paths: + - lib/handlers/login.mjs + min_file_count: 1 + commit_message_pattern: "^fix\\(auth\\): login returns 401" + bash_syntax_check: [] + forbidden_paths: [] + must_contain: + - path: lib/handlers/login.mjs + pattern: "401" + ``` diff --git a/plugins/ultraplan-local/tests/lib/source-findings.test.mjs b/plugins/ultraplan-local/tests/lib/source-findings.test.mjs new file mode 100644 index 0000000..a9559f2 --- /dev/null +++ b/plugins/ultraplan-local/tests/lib/source-findings.test.mjs @@ -0,0 +1,63 @@ +// tests/lib/source-findings.test.mjs +// SC3(b) structural test for Handover 6. +// +// The brief requires `plan.md` produced from a `type: ultrareview` brief to +// contain `source_findings: [, ...]` in its frontmatter. Without an +// automated test, SC3(b) is unverified. +// +// This test exercises the STRUCTURAL contract: +// 1. plan-validator accepts a plan with source_findings (additive optional field) +// 2. frontmatter parser extracts source_findings as an array of strings +// 3. each ID is 40-char hex (matches lib/parsers/finding-id.mjs format) +// +// LLM behavior (the planner actually emitting source_findings when it consumes +// a review.md) is non-testable without live invocation — this test only covers +// the schema half. + +import { test } from 'node:test'; +import { strict as assert } from 'node:assert'; +import { readFileSync } from 'node:fs'; +import { join, dirname } from 'node:path'; +import { fileURLToPath } from 'node:url'; +import { parseDocument } from '../../lib/util/frontmatter.mjs'; +import { validatePlan } from '../../lib/validators/plan-validator.mjs'; + +const HERE = dirname(fileURLToPath(import.meta.url)); +const ROOT = join(HERE, '..', '..'); +const FIXTURE = join(ROOT, 'tests/fixtures/ultrareview/plan-with-source-findings.md'); + +const HEX_ID_RE = /^[0-9a-f]{40}$/; + +test('plan-validator accepts plan.md with source_findings field', () => { + const result = validatePlan(FIXTURE, { strict: true }); + assert.ok( + result.valid, + `plan-validator rejected synthetic plan with source_findings: ` + + `${(result.errors || []).map(e => `[${e.code}] ${e.message}`).join('; ')}`, + ); +}); + +test('frontmatter parser extracts source_findings as array of strings', () => { + const text = readFileSync(FIXTURE, 'utf-8'); + const doc = parseDocument(text); + assert.ok(doc.valid, `frontmatter did not parse: ${(doc.errors || []).map(e => e.message).join(', ')}`); + const sf = doc.parsed.frontmatter && doc.parsed.frontmatter.source_findings; + assert.ok(Array.isArray(sf), `frontmatter.source_findings is not an array (got ${typeof sf})`); + assert.ok(sf.length > 0, 'frontmatter.source_findings is empty — fixture should carry at least one ID'); + for (const id of sf) { + assert.strictEqual(typeof id, 'string', `source_findings entry is not a string: ${JSON.stringify(id)}`); + } +}); + +test('source_findings IDs match the format from finding-id.mjs (40-char hex)', () => { + const text = readFileSync(FIXTURE, 'utf-8'); + const doc = parseDocument(text); + const sf = doc.parsed.frontmatter.source_findings; + for (const id of sf) { + assert.ok( + HEX_ID_RE.test(id), + `source_findings ID ${JSON.stringify(id)} is not 40-char lowercase hex ` + + `(format produced by lib/parsers/finding-id.mjs computeFindingId)`, + ); + } +});