fix(test): honor directory= URL param on core test runner#2292
Merged
fix(test): honor directory= URL param on core test runner#2292
Conversation
The core test runner at /wheels/core/tests hardcoded directory="wheels.tests.specs" when instantiating TestBox, so the documented `&directory=...` URL param was silently dropped. Package specs in vendor/<name>/tests had no HTTP entry point even though docs advertised the pattern. Read url.directory and pass it through, guarded by a conservative allowlist (wheels.tests.* or vendor.<pkg>.tests.*) since the endpoint is unauthenticated — defense-in-depth against arbitrary CFC compilation through whatever mappings happen to be registered. Verified end-to-end against a fresh LuCLI server: - baseline full suite: 3327 pass / 182 bundles / 24.2s - &directory=wheels.tests.specs.model: 803 pass / 32 bundles / 1.6s - &directory=vendor.wheels-fake-pkg.tests: 1 pass / 1 bundle / 6ms - &directory=../../../etc (rejected): 3327 pass (falls back to default) Also flips the "not honoured yet" aside in packages.mdx to working guidance, and adds the per-package row to the filter table in running-tests-locally.mdx. Closes #2280 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
url.directoryinvendor/wheels/tests/runner.cfmand passes it through toTestBox, guarded by an allowlist (wheels.tests.*orvendor.<pkg>.tests.*) since/wheels/core/testsis unauthenticated.directory=URL param to scope TestBox bundles #2280" aside indigging-deeper/packages.mdxto working guidance and adds the per-package row to the filter table intesting/running-tests-locally.mdx.tools/test-local.sh— the issue author's concern that it "drops unmapped filters" was off; thecasestatement falls through and the filter is already appended as&directory=$FILTER. It's the server that was dropping the param.Closes #2280.
Why the allowlist
The core test runner endpoint has no auth gate — it only exists safely because it's a dev-only surface. Without validation,
url.directorywould let anyone who reaches the endpoint drive arbitrary CFC compilation through whatever mappings happen to be registered. The regex pins the input to the two legitimate roots and silently falls back to the core default on anything else.Verification (fresh LuCLI server in a worktree)
/wheels/core/tests?db=sqlite&format=json&directory=wheels.tests.specs.model&directory=vendor.wheels-fake-pkg.testsvendor.wheels-fake-pkg.tests.FakeSpec&directory=../../../etcRegex unit-tested offline against 14 positive/negative cases (0 failures).
Follow-up (not in this PR)
Discovered while verifying:
directory=wheels.tests.specs.model.postSpec(documented atrunning-tests-locally.mdx:99as "filter to a single spec file") has always returned 0 bundles — TestBox'saddDirectory()resolves the dot-path to a filesystem directory, so a trailing.cfcdoesn't match. Pre-existing docs drift unrelated to #2280. Fix separately by either (a) removing the docs claim, or (b) addingurl.bundlessupport to the core runner (the app runner attests/runner.cfm:98-105already does this).Test plan
bash tools/test-local.sh modellocally — should finish in seconds, not ~25s🤖 Generated with Claude Code