test(v1.4): close coverage gaps surfaced during production validation #35
Merged
Comprehensive review of v1.4 test coverage after tonight's end-to-end validation. Five real bugs surfaced during the upgrade-flow walkthrough; three were unit-testable, plus seven additional coverage gaps in production-critical paths.

Backend (+10, 999 total)

Stripe API shape (3) — current_period_end migration to items[] caused empty subscription_expires_at after live cancellation testing:
- test_subscription_updated_root_period_end_preferred_over_items locks in the backwards-compat ordering: root wins when both are present
- test_subscription_updated_empty_items_array_safe defends against malformed payloads with empty items.data
- (test_subscription_updated_reads_period_end_from_items_array already added in slice 5 hotfix)

Webhook audit + forensics (3) — previously untested branches:
- test_payment_failed_audit_row_preserves_status asserts the old/new status equality on payment_failed (analytics depends on this shape)
- test_unknown_event_type_still_recorded_for_forensics covers the "ignore unknown event_type" code path that must still save the payload to stripe_events for operator forensics
- test_handler_crash_preserves_claim_row_for_operator_runbook locks in the contract documented in billing.handle_webhook_event's docstring: partial-failure mid-handler leaves the claim row, requiring manual DELETE FROM stripe_events to re-enable Stripe's retry

CSP defensive coding (4) — fix + tests for SUPABASE_URL bare-hostname bug that surfaced in production:
- new api._supabase_csp_origin() helper prepends https:// when missing, preventing silent CSP breakage from operator-set env var typos
- TestCSPSupabaseOrigin class covers: bare hostname gets https://, https:// passthrough, unset → empty, whitespace trimmed
- Same helper now used in CSP middleware; backend auth.py JWKS lookup is unaffected (it builds its own URL from project ref)

Frontend (+2, 203 total)
- useAuth: persisted session triggers getMe() on mount without waiting for onAuthStateChange — regression test for tonight's silent INITIAL_SESSION race condition where returning users were stuck on "Loading…" forever
- useBilling: strips ?billing=success from URL after refresh — covers the post-checkout URL cleanup that was implemented but untested

Verification: 1202 tests pass (999 backend + 203 frontend), zero regressions, ruff + typescript clean.

What's deliberately NOT added (out of scope or different defense):
- E2E test framework (would have caught the build-time env var bug more decisively than any unit test — separate effort)
- CI workflow assertion that VITE_PUBLIC_SUPABASE_* are present (lint-style check on workflows, not in test suite)
- Modal width computed-style assertion (CSS specificity bug; better addressed by adopting a CSS-in-JS or design-system constraint)
- Live webhook fixture recorder (would help future API version migrations like the items[] one; separate tooling effort)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds 12 tests + small CSP defensive fix for SUPABASE_URL bare-hostname bug. 1202 tests passing, zero regressions.
🤖 Generated with Claude Code
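
An added sketch of the SUPABASE_URL normalisation described under "CSP defensive coding" above; it is not the project's `api._supabase_csp_origin()`, whose body does not appear on this page. The function names, the https-only rule, the hostname character check, the dropping of any path, and the `connect-src` layout are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: only plain DNS-style hostnames are acceptable in the header.
_HOST_RE = re.compile(r"[a-z0-9]([a-z0-9.-]*[a-z0-9])?")


def supabase_csp_origin(raw):
    """Turn an operator-set SUPABASE_URL into one CSP source expression, or ""."""
    value = (raw or "").strip()        # whitespace trimmed
    if not value:
        return ""                      # unset -> empty, caller adds no source
    if "://" not in value:
        value = "https://" + value     # bare hostname gets https://
    try:
        parts = urlsplit(value)
        port = parts.port              # raises ValueError on a malformed port
    except ValueError:
        return ""
    host = parts.hostname or ""
    # Assumption beyond the PR text: refuse non-https schemes and any host
    # containing spaces, ';' or '*', so a typo or pasted junk in the env var
    # cannot add extra sources or directives to the policy.
    if parts.scheme != "https" or not _HOST_RE.fullmatch(host):
        return ""
    return f"https://{host}" + (f":{port}" if port else "")


def connect_src(raw):
    """Build a connect-src directive (hypothetical layout) around the origin."""
    origin = supabase_csp_origin(raw)
    return " ".join(s for s in ("connect-src", "'self'", origin) if s)


if __name__ == "__main__":
    # Constructed sample values, not taken from the project.
    for sample in ("abc.supabase.co", " https://abc.supabase.co ", None,
                   "abc.supabase.co; script-src *"):
        print(repr(sample), "->", repr(connect_src(sample)))
```

The first four cases in the constructed samples mirror the ones the PR lists for `TestCSPSupabaseOrigin`; the last shows the added character check returning an empty origin instead of letting the value reach the header.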