test(ultraplan-local): add SC3(b) source_findings structural test

Synthetic plan.md fixture with source_findings: block-style YAML list of 3 40-char hex IDs in frontmatter, plus minimal plan structure (Title + Implementation Plan + 1 Step + Manifest). 3 tests verify: 1. plan-validator accepts a plan with source_findings (additive optional field) 2. frontmatter parser extracts source_findings as array of strings 3. each ID matches the 40-char lowercase hex format from finding-id.mjs Closes the SC3(b) gap flagged by adversarial review (scope-guardian Gap 2). LLM-level behavior (planner emitting source_findings) remains non-testable without live invocation; this covers the structural contract. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-01 17:23:30 +02:00 · 2026-05-01 17:23:30 +02:00 · ea715b65de
commit ea715b65de
parent dff278f02a
2 changed files with 107 additions and 0 deletions
--- a/plugins/ultraplan-local/tests/fixtures/ultrareview/plan-with-source-findings.md
+++ b/plugins/ultraplan-local/tests/fixtures/ultrareview/plan-with-source-findings.md
@ -0,0 +1,44 @@
+---
+plan_version: "1.7"
+source_findings:
+  - 763d174e6c519fafbadcba5d1706708479e36e61
+  - d2d0e27875ae9ef0d818cb08bb6f14e6d33c4232
+  - 7861519c326c207aabf17072db51c469bebc217b
+---
+
+# Remediation Plan: JWT auth review findings
+
+> Generated by ultraplan-local v3.2.0 on 2026-05-01 — `plan_version: 1.7`.
+>
+> Synthetic fixture — Handover 6 SC3(b) structural test only.
+
+## Context
+
+This synthetic plan is consumed by `tests/lib/source-findings.test.mjs` to verify
+the structural contract of Handover 6: a plan generated from a `type: ultrareview`
+brief carries a `source_findings:` block-style YAML list of 40-char hex IDs in
+its frontmatter. The IDs trace back to the consumed findings in `review.md`.
+
+This is NOT a runnable plan. It exists only to exercise the parser.
+
+## Implementation Plan
+
+### Step 1: Fix `UNIMPLEMENTED_CRITERION` in `lib/handlers/login.mjs:23`
+
+- **Files:** `lib/handlers/login.mjs`
+- **Changes:** Return 401 with WWW-Authenticate header when password mismatch occurs.
+- **Verify:** `node --test tests/handlers/login.test.mjs` → expected: pass.
+- **Checkpoint:** `git commit -m "fix(auth): login returns 401 on invalid credentials"`
+- **Manifest:**
+  ```yaml
+  manifest:
+    expected_paths:
+      - lib/handlers/login.mjs
+    min_file_count: 1
+    commit_message_pattern: "^fix\\(auth\\): login returns 401"
+    bash_syntax_check: []
+    forbidden_paths: []
+    must_contain:
+      - path: lib/handlers/login.mjs
+        pattern: "401"
+  ```