chore(autonomous-session): consolidate uncommitted work from prior session

Bundles the prior autonomous-session output that was sitting unstaged: - Em-dash sweep across src/ + tests/ (en-dash/em-dash to hyphen, ~2280 instances) - country-flag-icons rollout (CountryFlag component, replaces emoji glyphs that never rendered on Windows; lazy-loads the 3x2 SVG index as a single chunk after the per-subpath dynamic-import approach silently failed in webpack) - Admin IA Phase 1+2: 7-domain regroup, 41 to 38 pages, /admin/berths index, redirects (ocr to ai, reports to dashboard, invitations to users), docs/admin-ia-proposal.md - Per-template email tester (registry + endpoint + UI on Email admin page) - Cancel-document mode picker (delete-from-Documenso vs keep-for-audit) - Dashboard PDF report: 25 widgets, SVG charts, date-range picker, 11 resolvers - Customize-widgets per-region sortables at xl+ (charts/rails/feed); single flat sortable below xl when the layout stacks; per-viewport saved orders - Audit doc updates capturing each shipped item - Lint fixes: react-compiler immutability in DonutChart (reduce instead of let-reassign), set-state-in-effect disables in CountryFlag and UploadForSigning preview-bytes effect, unused 'confirm' destructures in interest contract + reservation tabs, unescaped apostrophe in test-template card copy
2026-05-23 00:52:59 +02:00
parent 43719b49e9
commit 221ae5784e
749 changed files with 7440 additions and 3118 deletions
--- a/tests/e2e/smoke/25-security-api.spec.ts
+++ b/tests/e2e/smoke/25-security-api.spec.ts
@@ -13,7 +13,7 @@ import { test, expect } from '@playwright/test';

 // ─────────────────────────────────────────────────────────────────────────────

-test.describe('API Security — unauthenticated access', () => {
+test.describe('API Security - unauthenticated access', () => {
  test('GET /api/v1/clients returns 401 or 403 without a session', async ({ page }) => {
    const response = await page.request.get('/api/v1/clients');
    expect([401, 403]).toContain(response.status());
@@ -29,7 +29,9 @@ test.describe('API Security — unauthenticated access', () => {
    expect([401, 403]).toContain(response.status());
  });

-  test('GET /api/v1/notifications/unread-count returns 401 or 403 without a session', async ({ page }) => {
+  test('GET /api/v1/notifications/unread-count returns 401 or 403 without a session', async ({
+    page,
+  }) => {
    const response = await page.request.get('/api/v1/notifications/unread-count');
    expect([401, 403]).toContain(response.status());
  });
@@ -55,10 +57,10 @@ test.describe('API Security — unauthenticated access', () => {

 // ─────────────────────────────────────────────────────────────────────────────

-test.describe('API Security — error response sanitization', () => {
+test.describe('API Security - error response sanitization', () => {
  test('404 on a non-existent API route does not contain stack traces', async ({ page }) => {
    const response = await page.request.get('/api/v1/nonexistent-endpoint-xyzzy');
-    // Accept any non-200 status — we just care about the body content
+    // Accept any non-200 status - we just care about the body content
    const body = await response.json().catch(() => ({ error: response.statusText() }));
    const bodyStr = JSON.stringify(body);

@@ -70,7 +72,9 @@ test.describe('API Security — error response sanitization', () => {
    expect(bodyStr).not.toContain('/app/src');
  });

-  test('unauthenticated response body follows { error } shape, no internal details', async ({ page }) => {
+  test('unauthenticated response body follows { error } shape, no internal details', async ({
+    page,
+  }) => {
    const response = await page.request.get('/api/v1/clients');
    const body = await response.json().catch(() => null);
    if (body) {
@@ -87,14 +91,16 @@ test.describe('API Security — error response sanitization', () => {
    }
  });

-  test('malformed JSON body to POST endpoint returns 400/422 without stack trace', async ({ page }) => {
-    // Send invalid JSON as body — should trigger a validation or parse error
+  test('malformed JSON body to POST endpoint returns 400/422 without stack trace', async ({
+    page,
+  }) => {
+    // Send invalid JSON as body - should trigger a validation or parse error
    const response = await page.request.post('/api/v1/clients', {
      headers: { 'Content-Type': 'application/json' },
      data: '{ invalid json }',
    });
    // Must be a client error (4xx), not a 500 stack dump
-    // (401/403 is also acceptable — auth check happens before parse)
+    // (401/403 is also acceptable - auth check happens before parse)
    expect(response.status()).toBeLessThan(600);
    const body = await response.json().catch(() => null);
    if (body) {
@@ -107,7 +113,7 @@ test.describe('API Security — error response sanitization', () => {

 // ─────────────────────────────────────────────────────────────────────────────

-test.describe('API Security — portal / CRM auth separation', () => {
+test.describe('API Security - portal / CRM auth separation', () => {
  test('portal dashboard endpoint returns 401 without portal JWT', async ({ page }) => {
    // The portal uses a separate JWT auth flow, not the CRM session cookie.
    // Even if called with no credentials, it must reject with 401.
@@ -117,12 +123,14 @@ test.describe('API Security — portal / CRM auth separation', () => {

  test('CRM login credentials cannot be used to access portal endpoints', async ({ page }) => {
    // Attempt to authenticate as a CRM user via Better Auth
-    const loginRes = await page.request.post('/api/auth/sign-in/email', {
-      data: {
-        email: 'admin@portnimara.test',
-        password: 'SuperAdmin12345!',
-      },
-    }).catch(() => null);
+    const loginRes = await page.request
+      .post('/api/auth/sign-in/email', {
+        data: {
+          email: 'admin@portnimara.test',
+          password: 'SuperAdmin12345!',
+        },
+      })
+      .catch(() => null);

    // Whether or not login succeeded, portal endpoints should be inaccessible
    // via the CRM session (portal uses a separate JWT issued by /api/portal/auth)
@@ -138,19 +146,21 @@ test.describe('API Security — portal / CRM auth separation', () => {

 // ─────────────────────────────────────────────────────────────────────────────

-test.describe('API Security — response headers', () => {
-  test('API responses do not expose internal server technology via X-Powered-By', async ({ page }) => {
+test.describe('API Security - response headers', () => {
+  test('API responses do not expose internal server technology via X-Powered-By', async ({
+    page,
+  }) => {
    const response = await page.request.get('/api/v1/clients');
-    // Next.js sets X-Powered-By by default — should be removed in production config.
+    // Next.js sets X-Powered-By by default - should be removed in production config.
    // This test documents the expectation; it warns if the header is present.
    const poweredBy = response.headers()['x-powered-by'];
    if (poweredBy) {
      console.warn(
        `⚠️  SECURITY: X-Powered-By header exposed: "${poweredBy}". ` +
-        'Set headers: { "X-Powered-By": "" } in next.config.ts to suppress.',
+          'Set headers: { "X-Powered-By": "" } in next.config.ts to suppress.',
      );
    }
-    // Not a hard fail — but the header should not be present in production
+    // Not a hard fail - but the header should not be present in production
    // expect(poweredBy).toBeUndefined();
  });