# REAL PROJECT STATUS
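## 2026-04-01 GAP Fix Verification Update
### Verification results for this round
- Backend: `go vet` ✅ / `go build` ✅ / `go test`
- Frontend: `lint` ✅ / `build`
- Frontend tests: ⚠️ 3 failing points (pre-existing; the test pipeline has not been fully restored)
- Real-browser E2E: ❌ did not run through; stuck waiting for the backend health check to become ready
### Fixes in this round
- **GAP-01**: Role inheritance recursive query + cycle detection + depth limit (5 levels) ✅
- **GAP-02**: Password history (the 5 most recent passwords cannot be reused) ✅
- **GAP-03**: Device trust (trusted devices skip 2FA) ✅
- **GAP-05**: Unusual-location login detection (AnomalyDetector) ✅
- **GAP-06**: Device fingerprint collection (browser/OS/device_id) ✅
- **GAP-08**: Device fingerprint collection on the frontend login page ✅
- **GAP-09**: Trust status display on the frontend device management page ✅
- **GAP-10**: "Remember this device" option when TOTP is enabled ✅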
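
One way to resolve inherited permissions with the cycle detection and 5-level depth limit listed under GAP-01, as an added example that is not the project's own code. The `Role` and `Store` types, the role names and the permission strings are hypothetical, and "depth" is assumed to mean hops from the role being resolved.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// MaxInheritDepth is the 5-level limit from GAP-01. Assumption: depth counts
// hops from the role being resolved (the role itself is depth 0).
const MaxInheritDepth = 5

var (
	ErrCycle       = errors.New("role inheritance cycle")
	ErrTooDeep     = errors.New("role inheritance exceeds depth limit")
	ErrUnknownRole = errors.New("unknown role")
)

// Role is a hypothetical in-memory stand-in for a role row and its grants.
type Role struct {
	Parents []string // roles this role inherits from
	Perms   []string // permissions granted directly
}

// Store maps a role name to its definition (hypothetical stand-in for the role table).
type Store map[string]Role

// EffectivePermissions returns the sorted union of the role's own and inherited
// permissions. A cycle, an over-deep chain or a dangling parent fails closed:
// the caller gets an error and no partial permission set.
func (s Store) EffectivePermissions(name string) ([]string, error) {
	set := map[string]struct{}{}
	if err := s.walk(name, 0, map[string]bool{}, set); err != nil {
		return nil, err
	}
	out := make([]string, 0, len(set))
	for p := range set {
		out = append(out, p)
	}
	sort.Strings(out)
	return out, nil
}

// walk is a depth-limited DFS. onPath holds only the roles on the current
// ancestor chain, so a diamond (two parents sharing a grandparent) is allowed
// while a true back-edge is reported as a cycle.
func (s Store) walk(name string, depth int, onPath map[string]bool, set map[string]struct{}) error {
	if onPath[name] {
		return fmt.Errorf("%w: %q is its own ancestor", ErrCycle, name)
	}
	if depth > MaxInheritDepth {
		return fmt.Errorf("%w (%d): reached %q", ErrTooDeep, MaxInheritDepth, name)
	}
	role, ok := s[name]
	if !ok {
		return fmt.Errorf("%w: %q", ErrUnknownRole, name)
	}
	onPath[name] = true
	defer delete(onPath, name)
	for _, p := range role.Perms {
		set[p] = struct{}{}
	}
	for _, parent := range role.Parents {
		if err := s.walk(parent, depth+1, onPath, set); err != nil {
			return err
		}
	}
	return nil
}

// sampleStore builds constructed test data: a diamond, a two-role cycle and
// a straight chain l0 -> l1 -> ... -> l6.
func sampleStore() Store {
	s := Store{
		"viewer":  {Perms: []string{"user:read"}},
		"editor":  {Parents: []string{"viewer"}, Perms: []string{"user:write"}},
		"auditor": {Parents: []string{"viewer"}, Perms: []string{"audit:read"}},
		"admin":   {Parents: []string{"editor", "auditor"}, Perms: []string{"user:delete"}},
		"loop-a":  {Parents: []string{"loop-b"}},
		"loop-b":  {Parents: []string{"loop-a"}},
	}
	for i := 0; i < 6; i++ {
		s[fmt.Sprintf("l%d", i)] = Role{
			Parents: []string{fmt.Sprintf("l%d", i+1)},
			Perms:   []string{fmt.Sprintf("p%d", i)},
		}
	}
	s["l6"] = Role{Perms: []string{"p6"}}
	return s
}

func main() {
	s := sampleStore()
	for _, r := range []string{"admin", "loop-a", "l1", "l0"} {
		perms, err := s.EffectivePermissions(r)
		fmt.Printf("%-7s perms=%v err=%v\n", r, perms, err)
	}
}
```

The walk deliberately skips memoization: with a fixed depth bound the work stays small, and the result does not depend on which parent happens to be visited first.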
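### User-facing gaps (still to be implemented)
- System settings page - no standalone frontend page
- Global device management page - device management is currently embedded only in the profile page (profile/security)
### API documentation updates
- `docs/API.md` date updated to 2026-04-01
- Added descriptions of the device-trust endpoints
### Pending
- GAP-04: SSO CAS/SAML (optional PRD feature)
- GAP-07: SDK support (optional PRD feature)
## 2026-04-01 Full Expert Verification Update
- A full review from two perspectives (test expert + user expert) has been completed; see `docs/code-review/VALIDATION_REPORT_2026-04-01.md`
- Backend verification this round: `go vet ./...` ✅, `go build ./cmd/server` ✅, `go test ./... -count=1`
- Frontend verification this round: `npm run lint` ✅, `npm run build` ✅, `npm run test -- --run` (3 failing points), `npm run test:coverage` ⚠️, `npm run e2e:full:win` ❌ (backend health check not ready)
- Real boundary: this round cannot again claim that "browser-level real E2E has been re-verified end to end"; at present only the backend build/tests and the frontend lint/build can be confirmed as still trustworthy
- PRD/implementation corrections: SMS password reset ✅; role inheritance, device trust, and unusual-location/anomalous-device detection are all "partially implemented"; CAS/SAML and SDK are still not implemented
- Main user-facing gaps: admin management page, system settings page, global device management page, login log export, bulk operations
- Current overall score: **8.4/10**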
## 2026-03-29 Code Review Findings Update
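- Completed a comprehensive, systematic review of the project code, covering the backend (Go) and the frontend (React/TypeScript)
- Found 7 high-severity, 13 medium-severity, and 6 low-severity issues
- Updated `docs/PROJECT_REVIEW_REPORT.md` with the complete issue list and remediation recommendations
### High-priority issue summary
**Backend (4 high-severity)**:
- OAuth `ValidateToken` performs no real validation - it only checks `len(token) > 0`
- StateManager cleanup goroutine cannot be stopped - resource leak risk
- Rate limiter map grows without bound - memory leak risk
- L1Cache has no maximum capacity limit - memory leak risk
**Frontend (3 high-severity)**:
- `uploadAvatar` field name may be wrong - functional bug
- Webhooks are loaded in full with no server-side pagination - performance and scalability issue
- ProfileSecurityPage does not reuse the existing ContactBindingsSection - code duplication
### Documentation fixes
- Rewrote `docs/PROJECT_REVIEW_REPORT.md` (the original file had encoding problems)
- Recorded the differences between DATA_MODEL and the actual implementation
### Historical conclusions still valid
The following conclusions remain unchanged (see the history below):
- Q-006 (alert delivery readiness) - still awaiting real SMTP verification
- Q-005 (SCA) - closed
- Q-004 (coverage) - closed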
## 2026-03-29 Q-006 Alert Delivery Readiness Update
- `Q-006` still cannot be honestly declared closed.
- Repo-level closure preparation improved materially:
  - added a strict live-delivery drill entrypoint in [`scripts/ops/drill-alertmanager-live-delivery.ps1`](/D:/project/scripts/ops/drill-alertmanager-live-delivery.ps1)
  - the new drill refuses unresolved placeholders, `example.*` addresses/hosts, and placeholder secrets instead of producing fake success
  - the drill writes only redacted config output and masked recipient evidence, so real contacts and secrets are not leaked into the repo evidence tree
  - [`scripts/ops/validate-alerting-package.ps1`](/D:/project/scripts/ops/validate-alerting-package.ps1) now falls back to the latest available baseline report across prior evidence dates, removing a date-rollover false blocker
- Validation passed:
  - `powershell -ExecutionPolicy Bypass -File scripts/ops/validate-alerting-package.ps1 -EvidenceDate 2026-03-29`
  - `powershell -ExecutionPolicy Bypass -File scripts/ops/drill-alertmanager-render.ps1 -EvidenceDate 2026-03-29`
  - `powershell -ExecutionPolicy Bypass -File scripts/ops/drill-alertmanager-live-delivery.ps1 -EvidenceDate 2026-03-29 -EnvFilePath deployment/alertmanager/alertmanager.env.example`
- Latest real outcomes:
  - structural alerting package validation still passes
  - render drill still passes
  - the new live-delivery drill fails closed against `alertmanager.env.example`, which is the correct behavior and proves the path does not fake production closure
- Real remaining blocker:
  - `Q-006` now narrows to one external proof item: a real non-placeholder env/secret source plus a successful live SMTP acceptance run for the configured on-call receivers
- Evidence:
  - [`docs/evidence/ops/2026-03-29/alerting/ALERTING_PACKAGE_20260329-100315.md`](/D:/project/docs/evidence/ops/2026-03-29/alerting/ALERTING_PACKAGE_20260329-100315.md)
  - [`docs/evidence/ops/2026-03-29/alerting/20260329-100315/ALERTMANAGER_RENDER_DRILL.md`](/D:/project/docs/evidence/ops/2026-03-29/alerting/20260329-100315/ALERTMANAGER_RENDER_DRILL.md)
  - [`docs/evidence/ops/2026-03-29/alerting/20260329-100315/ALERTMANAGER_LIVE_DELIVERY_DRILL.md`](/D:/project/docs/evidence/ops/2026-03-29/alerting/20260329-100315/ALERTMANAGER_LIVE_DELIVERY_DRILL.md)
## 2026-03-28 Q-005 SCA Closure Update
- `Q-005` can now be honestly declared closed.
- Real closure evidence:
  - the latest frontend full dependency-tree scan is now clean
  - the latest production dependency scan remains clean
  - the latest backend reachable vulnerability scan remains clean
- Frontend dependency remediation completed:
  - upgraded `vite` to `8.0.3`
  - upgraded `vitest` and `@vitest/coverage-v8` to `4.1.2`
  - upgraded `typescript-eslint` to `8.57.2`
  - pinned the vulnerable transitive chains through `overrides`:
    - `picomatch` -> `4.0.4`
    - `brace-expansion` for `minimatch@3` -> `1.1.13`
    - `brace-expansion` for `minimatch@10` -> `5.0.5`
- Validation passed:
  - `cd frontend/admin && npm.cmd audit --omit=dev --json --registry=https://registry.npmjs.org/`
  - `cd frontend/admin && npm.cmd audit --json --registry=https://registry.npmjs.org/`
  - `go run golang.org/x/vuln/cmd/govulncheck@latest -json ./...`
  - `cd frontend/admin && npm.cmd run lint`
  - `cd frontend/admin && npm.cmd run build`
  - `cd frontend/admin && npm.cmd run test:coverage`
- Latest SCA result:
  - `npm audit production`: `0`
  - `npm audit full`: `0`
  - `govulncheck reachable findings`: `0`
- Real residual note:
  - one Windows cleanup warning was emitted while replacing native packages under `node_modules`, but it did not block installation or validation
  - the unrelated npm user-config warning `Unknown user config "//git@github.com/"` is still external environment noise, not a project-generated failure
- Next remaining cross-cutting gap:
  - `Q-006` external alert delivery evidence is now the next unclosed major governance item
- Evidence:
  - [`docs/evidence/ops/2026-03-28/sca/SCA_SUMMARY_20260328-220806.md`](/D:/project/docs/evidence/ops/2026-03-28/sca/SCA_SUMMARY_20260328-220806.md)
## 2026-03-28 Q-004 Hygiene Closure Update
- The `frontend/admin` `Q-004` closure track can now be honestly declared closed.
- Real closure evidence:
  - the latest full frontend `test:coverage` run no longer emits the previously recurring post-summary jsdom `AggregateError` network-noise lines
  - `frontend/admin/src/app/router.tsx` remained at `100 / 100 / 100 / 100` in that same full-suite run, so the earlier transient regression is not part of the current real state
- Validation passed:
  - `cd frontend/admin && npm.cmd run lint`
  - `cd frontend/admin && npm.cmd run build`
  - `cd frontend/admin && npm.cmd run test:coverage`
- Frontend current full coverage:
  - statements `93.98%`
  - branches `82.29%`
  - functions `91.37%`
  - lines `94.15%`
- Latest full test result:
  - `54` passing test files
  - `248` passing tests
- Real hygiene note:
  - the previous jsdom `AggregateError` noise is absent in the latest successful run
  - the remaining command-line warning is the external npm user-config warning `Unknown user config "//git@github.com/"`, not a project-generated frontend validation failure
- Evidence:
  - [`docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-151952.md`](/D:/project/docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-151952.md)
## 2026-03-28 ThemeProvider Coverage Closure Update
- `Q-004` remediation progressed again, but still cannot be honestly declared closed.
- Frontend theme-provider closure:
  - `frontend/admin/src/app/providers/ThemeProvider.tsx` is now covered at `100 / 100 / 100 / 100`.
  - `frontend/admin/src/app/providers/ThemeProvider.test.tsx` now covers locale propagation, theme-token propagation, component-level override propagation, and child rendering through `ConfigProvider`.
- Validation passed:
  - `cd frontend/admin && npm.cmd run test:run -- src/app/providers/ThemeProvider.test.tsx`
  - `cd frontend/admin && npm.cmd run lint`
  - `cd frontend/admin && npm.cmd run build`
  - `cd frontend/admin && npm.cmd run test:coverage`
- Frontend current full coverage:
  - statements `93.93%`
  - branches `82.29%`
  - functions `91.37%`
  - lines `94.10%`
- Real remaining `Q-004` frontend gap after this closure:
  - the post-summary jsdom `AggregateError` network-noise hygiene issue
- Real hygiene note:
  - all previously identified frontend code hotspots in this closure track are now covered and re-verified
  - the successful frontend coverage run still prints post-summary jsdom `AggregateError` network-noise lines, so the run is green but not yet fully clean
- Evidence:
  - [`docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-144756.md`](/D:/project/docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-144756.md)
## 2026-03-28 Breadcrumb Coverage Closure Update
- `Q-004` remediation progressed again, but still cannot be honestly declared closed.
- Frontend breadcrumb-hook closure:
  - `frontend/admin/src/lib/hooks/useBreadcrumbs.ts` is now covered at `100 / 100 / 100 / 100`.
  - the hook was simplified to remove redundant parent-injection logic that was dead under the current route model.
  - `frontend/admin/src/lib/hooks/useBreadcrumbs.test.tsx` now covers root, single-segment, nested, and unknown-segment breadcrumb behavior.
- Validation passed:
  - `cd frontend/admin && npm.cmd run test:run -- src/lib/hooks/useBreadcrumbs.test.tsx`
  - `cd frontend/admin && npm.cmd run lint`
  - `cd frontend/admin && npm.cmd run build`
  - `cd frontend/admin && npm.cmd run test:coverage`
- Frontend current full coverage:
  - statements `93.84%`
  - branches `82.29%`
  - functions `91.21%`
  - lines `94.01%`
- Real remaining `Q-004` frontend gaps after this closure:
  - `src/app/providers/ThemeProvider.tsx`
  - the post-summary jsdom `AggregateError` network-noise hygiene issue
- Real hygiene note:
  - the successful frontend coverage run still prints post-summary jsdom `AggregateError` network-noise lines, so the run is green but not yet fully clean
- Evidence:
  - [`docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-144036.md`](/D:/project/docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-144036.md)
## 2026-03-28 NotFound Coverage Closure Update
- `Q-004` remediation progressed again, but still cannot be honestly declared closed.
- Frontend 404-page closure:
  - `frontend/admin/src/pages/NotFoundPage/NotFoundPage.tsx` is now covered at `100 / 100 / 100 / 100`.
  - `frontend/admin/src/pages/NotFoundPage/NotFoundPage.test.tsx` now covers 404 rendering, missing-page messaging, and navigation back to `/dashboard`.
- Validation passed:
  - `cd frontend/admin && npm.cmd run test:run -- src/pages/NotFoundPage/NotFoundPage.test.tsx`
  - `cd frontend/admin && npm.cmd run lint`
  - `cd frontend/admin && npm.cmd run build`
  - `cd frontend/admin && npm.cmd run test:coverage`
- Frontend current full coverage:
  - statements `93.69%`
  - branches `81.95%`
  - functions `91.24%`
  - lines `93.85%`
- Real remaining `Q-004` frontend gaps after this closure:
  - `src/lib/hooks/useBreadcrumbs.ts`
  - `src/app/providers/ThemeProvider.tsx`
  - the post-summary jsdom `AggregateError` network-noise hygiene issue
- Real hygiene note:
  - the successful frontend coverage run still prints post-summary jsdom `AggregateError` network-noise lines, so the run is green but not yet fully clean
- Evidence:
  - [`docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-143209.md`](/D:/project/docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-143209.md)
## 2026-03-28 ImportExport Coverage Closure Update
- `Q-004` remediation progressed again, but still cannot be honestly declared closed.
- Frontend import/export closure:
  - `frontend/admin/src/pages/admin/ImportExportPage/ImportExportPage.tsx` is now covered at `100 / 100 / 100 / 100`.
  - `frontend/admin/src/pages/admin/ImportExportPage/ImportExportPage.test.tsx` now covers template format switching, validation guards, import success and warning flows, reset behavior, export field updates, and export failure handling.
- Validation passed:
  - `cd frontend/admin && npm.cmd run test:run -- src/pages/admin/ImportExportPage/ImportExportPage.test.tsx`
  - `cd frontend/admin && npm.cmd run lint`
  - `cd frontend/admin && npm.cmd run build`
  - `cd frontend/admin && npm.cmd run test:coverage`
- Frontend current full coverage:
  - statements `93.56%`
  - branches `81.95%`
  - functions `90.93%`
  - lines `93.71%`
- Real remaining `Q-004` frontend gaps after this closure:
  - `src/pages/NotFoundPage/NotFoundPage.tsx`
  - `src/lib/hooks/useBreadcrumbs.ts`
  - `src/app/providers/ThemeProvider.tsx`
  - the post-summary jsdom `AggregateError` network-noise hygiene issue
- Real hygiene note:
  - the page-local `window.getComputedStyle(..., pseudoElt)` noise introduced during the first draft of this pass has been removed
  - the successful frontend coverage run still prints post-summary jsdom `AggregateError` network-noise lines, so the run is green but not yet fully clean
- Evidence:
  - [`docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-142248.md`](/D:/project/docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-142248.md)
## 2026-03-28 Coverage Remediation Update XV
- `Q-004` improved again after another strict remediation pass, but it still remains open.
- This pass added and verified:
  - closure-grade shell coverage for `App.tsx` and `RootLayout.tsx`
  - closure-grade error-boundary coverage for `ErrorBoundary.tsx`
- Latest coverage result:
  - Frontend overall: statements `89.72%`, branches `77.57%`, functions `84.48%`, lines `90.64%`
  - `src/app/App.tsx`: statements `100%`, branches `100%`, functions `100%`, lines `100%`
  - `src/app/RootLayout.tsx`: statements `100%`, branches `100%`, functions `100%`, lines `100%`
  - `src/components/common/ErrorBoundary/ErrorBoundary.tsx`: statements `100%`, branches `83.33%`, functions `100%`, lines `100%`
- Latest verified commands:
  - `cd D:\project\frontend\admin && npm.cmd run test:run -- src/app/App.test.tsx src/app/RootLayout.test.tsx src/components/common/ErrorBoundary/ErrorBoundary.test.tsx`
  - `cd D:\project\frontend\admin && npm.cmd run lint`
  - `cd D:\project\frontend\admin && npm.cmd run build`
  - `cd D:\project\frontend\admin && npm.cmd run test:coverage`
- Latest evidence:
  - [`docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-110341.md`](/D:/project/docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-110341.md)
- Real boundary:
  - `App.tsx`, `RootLayout.tsx`, and `ErrorBoundary.tsx` are no longer remaining `Q-004` gaps
  - `Q-004` still cannot be truthfully closed
  - the next higher-value frontend gaps now narrow further to:
    - `src/app/router.tsx`
    - `src/pages/admin/DashboardPage/DashboardPage.tsx`
    - `src/components/feedback/PageState/PageState.tsx`
  - the frontend coverage run still emits one post-summary jsdom `AggregateError` noise line, so the validation path is green but not yet perfectly clean
  - the required sequential `lint` -> `build` -> `test:coverage` path passed in this pass
## 2026-03-28 Coverage Remediation Update XIV
- `Q-004` improved again after another strict remediation pass, but it still remains open.
- This pass added and verified:
  - closure-grade auth recovery page coverage for `ForgotPasswordPage` and `ResetPasswordPage`
- Latest coverage result:
  - Frontend overall: statements `89.06%`, branches `77.14%`, functions `83.56%`, lines `89.96%`
  - `src/pages/auth/ForgotPasswordPage/ForgotPasswordPage.tsx`: statements `100%`, branches `75%`, functions `100%`, lines `100%`
  - `src/pages/auth/ResetPasswordPage/ResetPasswordPage.tsx`: statements `95%`, branches `94.44%`, functions `100%`, lines `95%`
  - `src/pages/admin/ProfileSecurityPage/ProfileSecurityPage.tsx`: statements `90.35%`, branches `75.51%`, functions `92.45%`, lines `90.13%`
- Latest verified commands:
  - `cd D:\project\frontend\admin && npm.cmd run test:run -- src/pages/auth/ForgotPasswordPage/ForgotPasswordPage.test.tsx src/pages/auth/ResetPasswordPage/ResetPasswordPage.test.tsx`
  - `cd D:\project\frontend\admin && npm.cmd run lint`
  - `cd D:\project\frontend\admin && npm.cmd run build`
  - `cd D:\project\frontend\admin && npm.cmd run test:coverage`
- Latest evidence:
  - [`docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-105226.md`](/D:/project/docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-105226.md)
- Real boundary:
  - `ForgotPasswordPage` and `ResetPasswordPage` are no longer remaining `Q-004` gaps
  - `Q-004` still cannot be truthfully closed
  - the next higher-value frontend gaps now shift more toward:
    - `src/app/App.tsx`
    - `src/app/RootLayout.tsx`
    - `src/app/router.tsx`
    - `src/components/common/ErrorBoundary/ErrorBoundary.tsx`
    - `src/pages/admin/DashboardPage/DashboardPage.tsx`
  - the frontend coverage run still emits one post-summary jsdom `AggregateError` noise line, so the validation path is green but not yet perfectly clean
  - the required sequential `lint` -> `build` -> `test:coverage` path passed in this pass
## 2026-03-28 Coverage Remediation Update XIII
- `Q-004` improved again after another strict remediation pass, but it still remains open.
- This pass added and verified:
  - closure-grade page coverage for `src/pages/admin/ProfileSecurityPage/ProfileSecurityPage.tsx`
- Latest coverage result:
  - Frontend overall: statements `85.89%`, branches `74.91%`, functions `81.87%`, lines `86.71%`
  - `src/pages/admin/ProfileSecurityPage/ProfileSecurityPage.tsx`: statements `90.35%`, branches `75.51%`, functions `92.45%`, lines `90.13%`
  - `src/lib/http/client.ts`: statements `100%`, branches `92.30%`, functions `100%`, lines `100%`
  - `src/lib/http/csrf.ts`: statements `100%`, branches `88.46%`, functions `100%`, lines `100%`
- Latest verified commands:
  - `cd D:\project\frontend\admin && npm.cmd run test:run -- src/pages/admin/ProfileSecurityPage`
  - `cd D:\project\frontend\admin && npm.cmd run lint`
  - `cd D:\project\frontend\admin && npm.cmd run build`
  - `cd D:\project\frontend\admin && npm.cmd run test:coverage`
- Latest evidence:
  - [`docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-104341.md`](/D:/project/docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-104341.md)
- Real boundary:
  - `src/pages/admin/ProfileSecurityPage/ProfileSecurityPage.tsx` is no longer a remaining `Q-004` gap
  - `Q-004` still cannot be truthfully closed
  - the next highest-value frontend gaps now shift more toward:
    - `src/pages/auth/ForgotPasswordPage/ForgotPasswordPage.tsx`
    - `src/pages/auth/ResetPasswordPage/ResetPasswordPage.tsx`
  - the frontend coverage run still emits one post-summary jsdom `AggregateError` noise line, so the validation path is green but not yet perfectly clean
  - the required sequential `lint` -> `build` -> `test:coverage` path passed in this pass
## 2026-03-28 Coverage Remediation Update XII
- `Q-004` improved again after another strict remediation pass, but it still remains open.
- This pass added and verified:
  - closure-grade module coverage for `src/lib/http/client.ts`
  - a production hygiene fix for shared refresh-promise rejection handling
- Latest coverage result:
  - Frontend overall: statements `83.86%`, branches `72.68%`, functions `79.87%`, lines `84.72%`
  - `src/lib/http/client.ts`: statements `100%`, branches `92.30%`, functions `100%`, lines `100%`
  - `src/lib/http/csrf.ts`: statements `100%`, branches `88.46%`, functions `100%`, lines `100%`
  - `src/pages/admin/ProfileSecurityPage/ProfileSecurityPage.tsx`: statements `70.17%`, branches `48.97%`, functions `67.92%`, lines `70.40%`
- Latest verified commands:
  - `cd D:\project\frontend\admin && npm.cmd run test:run -- src/lib/http/client.test.ts`
  - `cd D:\project\frontend\admin && npm.cmd run lint`
  - `cd D:\project\frontend\admin && npm.cmd run build`
  - `cd D:\project\frontend\admin && npm.cmd run test:coverage`
- Latest evidence:
  - [`docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-102456.md`](/D:/project/docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-102456.md)
- Real boundary:
  - `src/lib/http/client.ts` is no longer a remaining `Q-004` gap
  - `Q-004` still cannot be truthfully closed
  - the remaining highest-value frontend gap is now more concentrated in:
    - deeper remaining `ProfileSecurityPage` branches
  - the frontend coverage run still emits one post-summary jsdom `AggregateError` noise line, so the validation path is green but not yet perfectly clean
  - the required sequential `lint` -> `build` -> `test:coverage` path passed in this pass
## 2026-03-28 Coverage Remediation Update XI
- `Q-004` improved again after another strict remediation pass, but it still remains open.
- This pass added and verified:
  - closure-grade module coverage for `src/lib/http/csrf.ts`
- Latest coverage result:
  - Frontend overall: statements `80.06%`, branches `67.61%`, functions `78.00%`, lines `80.91%`
  - `src/lib/http/csrf.ts`: statements `100%`, branches `88.46%`, functions `100%`, lines `100%`
  - `src/lib/http/client.ts`: `52.17%`
  - `src/pages/admin/ProfileSecurityPage/ProfileSecurityPage.tsx`: `70.17%`
- Latest verified commands:
  - `cd D:\project\frontend\admin && npm.cmd run test:run -- src/lib/http/csrf.test.ts`
  - `cd D:\project\frontend\admin && npm.cmd run lint`
  - `cd D:\project\frontend\admin && npm.cmd run build`
  - `cd D:\project\frontend\admin && npm.cmd run test:coverage`
- Latest evidence:
  - [`docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-083841.md`](/D:/project/docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-083841.md)
- Real boundary:
  - `src/lib/http/csrf.ts` is no longer a remaining `Q-004` gap
  - `Q-004` still cannot be truthfully closed
  - the remaining highest-value frontend gaps are now more concentrated in:
    - `src/lib/http/client.ts`
    - deeper remaining `ProfileSecurityPage` branches
  - the frontend coverage run still emits one post-summary jsdom `AggregateError` noise line, so the validation path is green but not yet perfectly clean
  - the required sequential `lint` -> `build` -> `test:coverage` path passed in this pass
## 2026-03-28 Coverage Remediation Update X
- `Q-004` improved again after another strict remediation pass, but it still remains open.
- This pass added and verified:
  - closure-grade behavior coverage for `src/pages/auth/RegisterPage/RegisterPage.tsx`
- Latest coverage result:
  - Frontend overall: statements `78.91%`, branches `66.06%`, functions `77.07%`, lines `79.73%`
  - `src/pages/auth/RegisterPage/RegisterPage.tsx`: statements `93.42%`, branches `85.24%`, functions `87.5%`, lines `95.89%`
  - `src/pages/admin/ProfileSecurityPage/ProfileSecurityPage.tsx`: `70.17%`
  - `src/lib/http/client.ts`: `52.17%`
  - `src/lib/http/csrf.ts`: `25.71%`
- Latest verified commands:
  - `cd D:\project\frontend\admin && npm.cmd run test:run -- src/pages/auth/RegisterPage/RegisterPage.test.tsx`
  - `cd D:\project\frontend\admin && npm.cmd run lint`
  - `cd D:\project\frontend\admin && npm.cmd run build`
  - `cd D:\project\frontend\admin && npm.cmd run test:coverage`
- Latest evidence:
  - [`docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-082843.md`](/D:/project/docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-082843.md)
- Real boundary:
  - `RegisterPage` is no longer a remaining `Q-004` gap
  - `Q-004` still cannot be truthfully closed
  - the remaining highest-value frontend gaps are now more concentrated in:
    - deeper remaining `ProfileSecurityPage` branches
    - `lib/http`
  - the frontend coverage run still emits one post-summary jsdom `AggregateError` noise line, so the validation path is green but not yet perfectly clean
  - the required sequential `lint` -> `build` -> `test:coverage` path passed in this pass without a new build-path regression observation
## 2026-03-28 Coverage Remediation Update IX
- `Q-004` improved again after another strict remediation pass, but it still remains open.
- This pass added and verified:
  - closure-grade behavior coverage for `src/pages/auth/LoginPage/LoginPage.tsx`
- Latest coverage result:
  - Frontend overall: statements `78.38%`, branches `64.77%`, functions `76.92%`, lines `79.19%`
  - `src/pages/auth/LoginPage/LoginPage.tsx`: statements `92.56%`, branches `84.09%`, functions `86.2%`, lines `95.61%`
  - `src/pages/auth/RegisterPage/RegisterPage.tsx`: `77.63%`
  - `src/pages/admin/ProfileSecurityPage/ProfileSecurityPage.tsx`: `70.17%`
  - `src/lib/http/client.ts`: `52.17%`
  - `src/lib/http/csrf.ts`: `25.71%`
- Latest verified commands:
  - `cd D:\project\frontend\admin && npm.cmd run test:run -- src/pages/auth/LoginPage/LoginPage.test.tsx`
  - `cd D:\project\frontend\admin && npm.cmd run lint`
  - `cd D:\project\frontend\admin && npm.cmd run build`
  - `cd D:\project\frontend\admin && npm.cmd run test:coverage`
- Latest evidence:
  - [`docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-081514.md`](/D:/project/docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-081514.md)
- Real boundary:
  - `LoginPage` is no longer a remaining `Q-004` gap
  - `Q-004` still cannot be truthfully closed
  - the remaining highest-value frontend gaps are now more concentrated in:
    - `RegisterPage`
    - deeper remaining `ProfileSecurityPage` branches
    - `lib/http`
  - the frontend coverage run still emits one post-summary jsdom `AggregateError` noise line, so the validation path is green but not yet perfectly clean
  - one concurrent `lint` + `build` attempt produced a transient Windows/Vite `index.html` emit-path failure; the required standalone `build` rerun passed immediately afterward
  - this is a real observation, but not yet proven to be a deterministic repo defect
## 2026-03-28 Coverage Remediation Update VIII
- `Q-004` improved again after another strict remediation pass, but it still remains open.
- This pass added and verified:
  - closure-grade provider behavior coverage for `src/app/providers/AuthProvider.tsx`
- Latest coverage result:
  - Frontend overall: statements `76.00%`, branches `63.91%`, functions `75.07%`, lines `76.84%`
  - `src/app/providers`: statements `96.38%`, branches `93.75%`
  - `src/app/providers/AuthProvider.tsx`: `100%`
  - `src/pages/auth/LoginPage/LoginPage.tsx`: `47.93%`
  - `src/pages/auth/RegisterPage/RegisterPage.tsx`: `77.63%`
  - `src/pages/admin/ProfileSecurityPage/ProfileSecurityPage.tsx`: `70.17%`
- Latest verified commands:
  - `cd D:\project\frontend\admin && npm.cmd run test:run -- src/app/providers/AuthProvider.test.tsx`
  - `cd D:\project\frontend\admin && npm.cmd run lint`
  - `cd D:\project\frontend\admin && npm.cmd run build`
  - `cd D:\project\frontend\admin && npm.cmd run test:coverage`
- Latest evidence:
  - [`docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-075725.md`](/D:/project/docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-075725.md)
- Real boundary:
  - `AuthProvider` is no longer a remaining `Q-004` gap
  - `Q-004` still cannot be truthfully closed
  - the remaining highest-value frontend gaps are now more concentrated in:
    - `LoginPage`
    - `RegisterPage`
    - deeper remaining `ProfileSecurityPage` branches
    - `lib/http`
  - the frontend coverage run still emits one post-summary jsdom `AggregateError` noise line, so the validation path is green but not yet perfectly clean
## 2026-03-28 Coverage Remediation Update VII
- `Q-004` improved materially again after another strict remediation pass, but it still remains open.
- This pass added and verified:
  - full modal/drawer coverage for the remaining `UsersPage` component cluster
  - full modal/drawer coverage for the remaining `WebhooksPage` component cluster
  - deeper repository coverage across role/permission/relation repositories
- A real backend defect pair was discovered and fixed during this pass:
  - `internal/repository/role.go`
    - explicit role create requests with `status=0` were being persisted as enabled because the DB default swallowed the zero value
  - `internal/repository/permission.go`
    - explicit permission create requests with `status=0` were being persisted as enabled for the same reason
- Latest coverage result:
  - Frontend overall: statements `74.54%`, branches `63.57%`, functions `74.61%`, lines `75.35%`
  - `src/pages/admin/UsersPage`: `95.06%`
  - `src/pages/admin/WebhooksPage`: `94.92%`
  - `internal/repository`: `67.1%`
- Latest verified commands:
  - `go test ./internal/repository -run 'Test(RoleRepositoryLifecycleAndQueries|PermissionRepositoryLifecycleAndQueries|UserRoleAndRolePermissionRepositoriesLifecycle)$' -count=1`
  - `go test ./internal/repository -cover -count=1`
  - `go test ./... -count=1`
  - `go vet ./...`
  - `go build ./cmd/server`
  - `cd D:\project\frontend\admin && npm.cmd run lint`
  - `cd D:\project\frontend\admin && npm.cmd run build`
  - `cd D:\project\frontend\admin && npm.cmd run test:coverage`
- Latest evidence:
  - [`docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-011431.md`](/D:/project/docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-011431.md)
- Real boundary:
  - `UsersPage` is no longer a dominant uncovered admin cluster
  - `WebhooksPage` is no longer a dominant uncovered admin cluster
  - `internal/repository` has improved materially, but `Q-004` still cannot be truthfully closed
  - the remaining highest-value gaps are now more concentrated in:
    - deeper remaining `ProfileSecurityPage` branches
    - `LoginPage` / `RegisterPage`
    - `app/providers/AuthProvider`
    - `lib/http`
    - remaining repository depth outside the newly covered role/permission/relation paths
  - the frontend coverage run still emits one post-summary jsdom `AggregateError` noise line, so the validation path is green but not yet perfectly clean
## 2026-03-28 Coverage Remediation Update VI
- `Q-004` improved materially again after another strict remediation pass, but it still remains open.
- This pass added and verified:
  - deep transport-based coverage across `internal/auth/providers`
  - full page/modal coverage for `RolesPage`
  - full page/modal coverage for `PermissionsPage`
  - page coverage for `ProfilePage`
- Latest coverage result:
  - Frontend overall: statements `68.32%`, branches `54.12%`, functions `68.15%`, lines `69.28%`
  - `src/pages/admin/RolesPage`: `94.53%`
  - `src/pages/admin/PermissionsPage`: `93.51%`
  - `src/pages/admin/ProfilePage/ProfilePage.tsx`: `91.42%`
  - `internal/auth/providers`: `80.6%`
  - `internal/repository`: `37.1%`
- Latest verified commands:
  - `go test ./internal/auth/providers ./internal/repository -cover -count=1`
  - `go test ./... -count=1`
  - `go vet ./...`
  - `go build ./cmd/server`
  - `cd D:\project\frontend\admin && npm.cmd run lint`
  - `cd D:\project\frontend\admin && npm.cmd run build`
  - `cd D:\project\frontend\admin && npm.cmd run test:coverage`
- Latest evidence:
  - [`docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-003416.md`](/D:/project/docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-003416.md)
- Real boundary:
  - `internal/auth/providers` is no longer one of the dominant `Q-004` blockers
  - `RolesPage`, `PermissionsPage`, and `ProfilePage` are no longer dominant uncovered admin page clusters
  - `Q-004` still cannot be truthfully closed because the remaining high-value gaps have narrowed to:
    - `internal/repository` depth (`37.1%`)
    - `UsersPage` drawers/modals
    - `WebhooksPage` modal/drawer components
    - deeper remaining `ProfileSecurityPage` branches
  - the frontend coverage run still emits one post-summary jsdom `AggregateError` noise line, so the validation path is green but not yet perfectly clean
## 2026-03-27 Coverage Remediation Update V
- `Q-004` improved again after another strict remediation pass, but it still remains open.
- This pass added and verified:
  - frontend regression coverage for `LoginLogsPage`
  - frontend regression coverage for `OperationLogsPage`
  - deeper non-network parsing/error coverage for `internal/auth/providers`
- Latest coverage result:
  - Frontend overall: statements `56.81%`, branches `44.67%`, functions `57.38%`, lines `57.57%`
  - `src/pages/admin/LoginLogsPage/LoginLogsPage.tsx`: `93.1%`
  - `src/pages/admin/OperationLogsPage/OperationLogsPage.tsx`: `91.52%`
  - `services`: `86.2%`
  - `internal/auth/providers`: `28.7%`
  - `internal/repository`: `37.1%`
- Latest verified commands:
  - `go test ./... -count=1`
  - `go vet ./...`
  - `go build ./cmd/server`
  - `cd D:\project\frontend\admin && npm.cmd run lint`
  - `cd D:\project\frontend\admin && npm.cmd run build`
  - `cd D:\project\frontend\admin && npm.cmd run test:coverage`
- Latest evidence:
  - [`docs/evidence/ops/2026-03-27/quality/COVERAGE_REMEDIATION_20260327-233824.md`](/D:/project/docs/evidence/ops/2026-03-27/quality/COVERAGE_REMEDIATION_20260327-233824.md)
- Real boundary:
  - frontend service adapters are no longer a primary `Q-004` gap
  - `LoginLogsPage` and `OperationLogsPage` are no longer primary page-level hotspots
  - `internal/auth/providers` improved materially but is still too shallow to declare `Q-004` closed
  - the highest-value next work remains deeper provider paths plus still-uncovered admin pages/components such as `PermissionsPage`, `RolesPage`, `ProfilePage`, and multiple drawers/modals
  - the latest successful frontend coverage run still emitted one post-summary jsdom `AggregateError` noise line, so the validation path is green but not yet perfectly clean
## 2026-03-27 Coverage Remediation Update IV
- `Q-004` has continued to improve and was re-verified again, but it still remains open.
- This pass mainly closed much of the frontend service-adapter gap:
- `users.ts`
- `roles.ts`
- `devices.ts`
- `profile.ts`
- `login-logs.ts`
- `operation-logs.ts`
- `permissions.ts`
- `stats.ts`
- `import-export.ts`
- This pass also increased non-network provider coverage through:
- Alipay private-key parsing/signing tests
- Twitter PKCE auth URL tests
- OAuth helper error-body boundary tests
- Strict verification caught one more real engineering issue during this pass:
- the first version of the new permission-service tests passed under Vitest but failed under `tsc -b` because the fixture payloads did not match the real request types
- this was corrected before final sign-off
- Latest coverage result:
- Frontend overall: statements `52.05%`, branches `42.86%`, functions `51.84%`, lines `52.69%`
- `services`: `86.2%`
- `internal/auth/providers`: `15.2%`
- `internal/repository`: `37.1%`
- Latest evidence:
- [`docs/evidence/ops/2026-03-27/quality/COVERAGE_REMEDIATION_20260327-224352.md`](/D:/project/docs/evidence/ops/2026-03-27/quality/COVERAGE_REMEDIATION_20260327-224352.md)
- Real boundary:
- frontend service adapters are no longer one of the main remaining `Q-004` gaps
- `internal/auth/providers` is improved but still too shallow to declare the item closed
- the remaining high-value work should continue to target deeper provider parsing/error branches and still-uncovered admin pages/components
## 2026-03-27 Coverage Remediation Update III
- `Q-004` improved again and was re-verified, but it is still not honestly closable.
- This pass added:
- frontend regression coverage for `UsersPage`
- frontend deeper branch coverage for `ProfileSecurityPage`
- backend coverage for more of `internal/repository`
- backend non-network coverage for more of `internal/auth/providers`
- A real defect was found and fixed during this pass:
- `internal/repository/device.go`
- explicit inactive device creation (`status=0`) was being swallowed by the DB default and persisted as active
- Latest coverage result:
- Frontend overall: statements `49.18%`, branches `42.86%`, functions `44.92%`, lines `49.79%`
- `src/pages/admin/UsersPage/UsersPage.tsx`: `90.98%` statements, `68.75%` branches
- `src/pages/admin/ProfileSecurityPage/ProfileSecurityPage.tsx`: `70.17%` statements, `48.97%` branches
- `internal/repository`: `37.1%`
- `internal/auth/providers`: `8.5%`
- Latest verified commands:
- `go test ./... -count=1`
- `go vet ./...`
- `go build ./cmd/server`
- `cd D:\project\frontend\admin && npm.cmd run lint`
- `cd D:\project\frontend\admin && npm.cmd run build`
- `cd D:\project\frontend\admin && npm.cmd run test:coverage`
- Latest evidence:
- [`docs/evidence/ops/2026-03-27/quality/COVERAGE_REMEDIATION_20260327-221835.md`](/D:/project/docs/evidence/ops/2026-03-27/quality/COVERAGE_REMEDIATION_20260327-221835.md)
- Real boundary:
- `UsersPage` and `ProfileSecurityPage` are no longer the dominant gaps they were before this pass.
- `internal/auth/providers` remains materially under-covered.
- `Q-004` should stay open until the remaining low-coverage service and provider paths are reduced further.
## 2026-03-27 Coverage Remediation Update II
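- `Q-004` advanced further in this pass and passed re-verification, but it is still not fully closed.
- Coverage added and fixes made in this pass:
- Frontend: added `WebhooksPage` page tests and `services/webhooks.ts` service tests.
- Backend: added `webhook_repository` repository tests.
- Fixed `internal/repository/webhook_repository.go`, where an explicit `status=0` on create was swallowed by the DB default value.
- Fixed `frontend/admin/vite.config.js`, resolving the `npm.cmd run build` failure caused by `index.html` being emitted with an absolute path under the current Windows + `Vite 8` + `--configLoader native` setup.
- Latest coverage result: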
- Frontend overall: statements `41.06%`, branches `38.48%`, functions `36.00%`, lines `41.47%`
- `src/pages/admin/WebhooksPage/WebhooksPage.tsx`: `93.15%`
- `src/services/webhooks.ts`: `100%`
- `internal/repository`: `15.1%`
- Latest verified commands:
- `go test ./... -count=1`
- `go vet ./...`
- `go build ./cmd/server`
- `cd D:\project\frontend\admin && npm.cmd run lint`
- `cd D:\project\frontend\admin && npm.cmd run build`
- `cd D:\project\frontend\admin && npm.cmd run test:coverage`
- Latest evidence:
- [`docs/evidence/ops/2026-03-27/quality/COVERAGE_REMEDIATION_20260327-214422.md`](/D:/project/docs/evidence/ops/2026-03-27/quality/COVERAGE_REMEDIATION_20260327-214422.md)
- Real boundary:
- The remaining `Q-004` gaps are now concentrated in the deep branches of `UsersPage` and `ProfileSecurityPage`, and in the deeper paths of `internal/auth/providers` / `internal/repository`.
## 2026-03-27 Coverage Remediation Update
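- `Q-004` (insufficient automated test coverage) has completed one round of supplementary remediation and passed re-verification, but it is still not fully closed.
- The key tests added in this pass, all passing stably, cover:
- Frontend: `router`, `RequireAuth`, `RequireAdmin`, `AdminLayout`, `ImportExportPage`
- Backend: `internal/database` startup migration / default data / upgrade backfill paths
- Backend: `internal/auth/providers` URL / state generation paths
- This remediation pass also closed two test-quality issues:
- `router.test.tsx` previously ran only under `vitest` and failed under `tsc -b`; it has been corrected so that it compiles.
- `internal/database/db_test.go` did not release the SQLite handle on Windows, which made `TempDir` cleanup fail; the underlying connection is now closed explicitly.
- Latest coverage result: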
- Frontend overall: statements `37.09%`, branches `35.91%`, functions `30.30%`, lines `37.40%`
- `src/app/router.tsx`: `47.72%`
- `src/components/guards/RequireAuth.tsx`: `100%`
- `src/components/guards/RequireAdmin.tsx`: `100%`
- `src/layouts/AdminLayout/AdminLayout.tsx`: `80.00%`
- `src/pages/admin/ImportExportPage/ImportExportPage.tsx`: `83.58%`
- `internal/database`: `83.2%`
- `internal/auth/providers`: `4.0%`
- `internal/repository`: `10.5%`
- Latest verified commands:
- `go test ./... -count=1`
- `go vet ./...`
- `cd D:\project\frontend\admin && npm.cmd run lint`
- `cd D:\project\frontend\admin && npm.cmd run build`
- `cd D:\project\frontend\admin && npm.cmd run test:coverage`
- Latest evidence:
- [`docs/evidence/ops/2026-03-27/quality/COVERAGE_REMEDIATION_20260327-212336.md`](/D:/project/docs/evidence/ops/2026-03-27/quality/COVERAGE_REMEDIATION_20260327-212336.md)
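- Real boundary:
- `Q-004` has clearly improved, but it cannot honestly be described as "automated coverage is sufficient".
- The current priority is still to keep filling the deep error branches of `UsersPage` / `WebhooksPage` / `ProfileSecurityPage` and `internal/repository` / `internal/auth/providers` first, and only then move on to `Q-005` and `Q-006`.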
## 2026-03-27 Auth Session Hardening Closure Update
- The earlier high-priority quality-audit items around browser-side token persistence, OAuth `return_to` trust boundary, and fail-open security randomness are now closed at implementation level and re-verified.
- Backend/session closure:
- refresh continuity is now based on the backend-managed `HttpOnly` refresh cookie.
- the backend now emits a non-sensitive session-presence cookie (`ums_session_present`) so the frontend can distinguish "restore is possible" from "no server session exists".
- OAuth `return_to` no longer trusts request-derived forwarded origin inference; it is restricted to absolute paths or explicit allowlisted origins.
- security-sensitive random generation no longer silently degrades on `crypto/rand` failure.
- Frontend/session closure:
- access token, current user, and current roles are memory-only and no longer persist into `localStorage` / `sessionStorage`.
- `AuthProvider` now avoids blind `/auth/refresh` probing when no session-presence cookie exists.
- protected-route restore failure no longer loses the original route intent; redirect ownership is back on `RequireAuth`.
- post-login route races are hardened by exporting effective auth state from the in-memory session store.
- Real-browser closure:
- the supported CDP E2E path was rerun after the session model change and now passes again without the earlier `400 Bad Request` console-noise regression.
- Latest verified commands for this closure:
- `go test ./... -count=1`
- `go vet ./...`
- `go build ./cmd/server`
- `cd D:\project\frontend\admin && npm.cmd run test:run`
- `cd D:\project\frontend\admin && npm.cmd run lint`
- `cd D:\project\frontend\admin && npm.cmd run build`
- `cd D:\project\frontend\admin && powershell -ExecutionPolicy Bypass -File .\scripts\run-playwright-auth-e2e.ps1`
- Latest evidence:
- [`docs/evidence/ops/2026-03-27/quality/AUTH_SESSION_REMEDIATION_20260327-194100.md`](/D:/project/docs/evidence/ops/2026-03-27/quality/AUTH_SESSION_REMEDIATION_20260327-194100.md)
- Real boundary:
- this closes the earlier session-model / OAuth return-path / random-fail-open implementation gaps.
- it does not close the separate remaining boundaries around coverage depth, dev-toolchain SCA cleanup, or external production alert delivery evidence.
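The `return_to` restriction described above (absolute paths or explicitly allowlisted origins, with nothing inferred from forwarded request headers), as an added Go example. It is not the project's own code; `ReturnToPolicy`, `NewReturnToPolicy`, `Validate` and the `admin.example.test` origin are assumed names.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrReturnToRejected is returned for every return_to value the policy refuses.
var ErrReturnToRejected = errors.New("return_to rejected")

// ReturnToPolicy (hypothetical name) holds origins taken from static
// configuration. It never sees the request, so Host / X-Forwarded-* headers
// cannot widen what it accepts.
type ReturnToPolicy struct {
	allowed map[string]struct{}
}

// originOf renders scheme://host[:port] in lower case for exact comparison.
func originOf(u *url.URL) string {
	return strings.ToLower(u.Scheme + "://" + u.Host)
}

// NewReturnToPolicy accepts only bare http(s) origins: no path, query,
// fragment or userinfo.
func NewReturnToPolicy(origins ...string) (*ReturnToPolicy, error) {
	p := &ReturnToPolicy{allowed: make(map[string]struct{}, len(origins))}
	for _, o := range origins {
		u, err := url.Parse(o)
		if err != nil {
			return nil, fmt.Errorf("allowlist origin %q: %w", o, err)
		}
		bare := u.Host != "" && u.User == nil && u.RawQuery == "" &&
			u.Fragment == "" && (u.Path == "" || u.Path == "/")
		if !bare || (u.Scheme != "https" && u.Scheme != "http") {
			return nil, fmt.Errorf("allowlist origin %q is not a bare http(s) origin", o)
		}
		p.allowed[originOf(u)] = struct{}{}
	}
	return p, nil
}

// Validate returns raw unchanged when it is a same-site absolute path or an
// absolute URL on an allowlisted origin, and ErrReturnToRejected otherwise.
func (p *ReturnToPolicy) Validate(raw string) (string, error) {
	if raw == "" || len(raw) > 2048 {
		return "", ErrReturnToRejected
	}
	// Browsers treat "\" like "/" and strip tabs/newlines inside URLs, so a
	// value containing them may navigate somewhere other than what was parsed.
	for _, r := range raw {
		if r < 0x20 || r == 0x7f || r == '\\' {
			return "", ErrReturnToRejected
		}
	}
	u, err := url.Parse(raw)
	if err != nil || u.Opaque != "" {
		return "", ErrReturnToRejected
	}
	if u.Scheme == "" && u.Host == "" {
		// Absolute path: exactly one leading slash. "//host" and "///host"
		// are scheme-relative to a browser and leave the site.
		if strings.HasPrefix(raw, "/") && !strings.HasPrefix(raw, "//") {
			return raw, nil
		}
		return "", ErrReturnToRejected
	}
	if (u.Scheme != "https" && u.Scheme != "http") || u.Host == "" || u.User != nil {
		return "", ErrReturnToRejected
	}
	if _, ok := p.allowed[originOf(u)]; !ok {
		return "", ErrReturnToRejected
	}
	return raw, nil
}

func main() {
	policy, err := NewReturnToPolicy("https://admin.example.test") // constructed origin
	if err != nil {
		panic(err)
	}
	// Constructed sample inputs.
	for _, in := range []string{
		"/profile/security?tab=social",
		"https://admin.example.test/dashboard",
		"//other.example.test/dashboard",
		"/\\other.example.test",
		"https://admin.example.test@other.example.test/",
		"https://admin.example.test.other.example.test/",
		"profile",
	} {
		_, err := policy.Validate(in)
		fmt.Printf("%-50q accepted=%v\n", in, err == nil)
	}
}
```

Origins are compared as exact lower-cased strings, so `https://admin.example.test:443` would need its own allowlist entry in this sketch.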
## 2026-03-27 First Admin Bootstrap Closure Update
- The previously real usability gap around “no default account, no first-admin product path” is now closed at product implementation level.
- Backend closure:
- added public `POST /api/v1/auth/bootstrap-admin`.
- bootstrap is guarded by `GET /api/v1/auth/capabilities -> admin_bootstrap_required`, so it is only available while the system still has no active admin.
- successful bootstrap creates the first active admin, binds the `admin` role, returns a real session, and closes the bootstrap window afterward.
- Frontend closure:
- added public `/bootstrap-admin` page.
- `/login` and `/register` now expose a real first-run admin initialization entry instead of only showing a passive warning.
- successful bootstrap now logs the operator into `/dashboard` directly.
- Supported-browser validation closure:
- `frontend/admin/scripts/run-playwright-auth-e2e.ps1` no longer depends on startup-injected admin credentials.
- the real browser E2E suite now begins with `admin-bootstrap`, proving `no default account -> initialize the first admin -> enter the admin console -> log out`.
- Latest verified commands for this closure:
- `go test ./... -count=1`
- `go build ./cmd/server`
- `cd D:\project\frontend\admin && npm.cmd run lint`
- `cd D:\project\frontend\admin && npm.cmd run test:run`
- `cd D:\project\frontend\admin && npm.cmd run build`
- `cd D:\project\frontend\admin && powershell -ExecutionPolicy Bypass -File .\scripts\run-playwright-auth-e2e.ps1`
- Latest evidence:
- [`docs/evidence/ops/2026-03-27/e2e/ADMIN_BOOTSTRAP_CLOSURE_20260327-173914.md`](/D:/project/docs/evidence/ops/2026-03-27/e2e/ADMIN_BOOTSTRAP_CLOSURE_20260327-173914.md)
- Real boundary:
- this closes the first-admin product loop.
- it does not change the separate remaining boundaries around live third-party OAuth evidence and external production delivery/governance evidence.
## 2026-03-27 PRD 1.1 Email Activation Closure Update
- PRD `1.1 Multiple registration methods -> Email registration -> Email address verification (send verification email)` is now closed at product implementation level.
- Backend closure:
- activation emails now point to the frontend activation page instead of the raw `GET /api/v1/auth/activate` API endpoint.
- `GET /api/v1/auth/capabilities` now exposes `email_activation`, allowing the frontend to gate resend-activation UX on real capability state.
- Frontend closure:
- `/activate-account` is now a real public activation page.
- invalid or expired activation links now have a real resend-activation path instead of dropping users onto a backend JSON response.
- `/login` and `/register` success state now both expose resend-activation entry points when email activation is available.
- the activation page no longer double-consumes one-time activation tokens under React StrictMode.
- Supported-browser validation closure:
- `frontend/admin/scripts/run-playwright-auth-e2e.ps1` now starts a local SMTP capture service alongside isolated backend/frontend runtime.
- the real browser E2E suite now includes `email-activation`, covering `register -> receive the activation email -> open the frontend activation page -> activation succeeds -> log in`.
- Latest verified commands for this closure:
- `go test ./... -count=1`
- `go build ./cmd/server`
- `cd D:\project\frontend\admin && npm.cmd run lint`
- `cd D:\project\frontend\admin && npm.cmd run test:run`
- `cd D:\project\frontend\admin && npm.cmd run build`
- `cd D:\project\frontend\admin && powershell -ExecutionPolicy Bypass -File .\scripts\run-playwright-auth-e2e.ps1`
- Latest evidence:
- [`docs/evidence/ops/2026-03-27/e2e/EMAIL_ACTIVATION_CLOSURE_20260327-171211.md`](/D:/project/docs/evidence/ops/2026-03-27/e2e/EMAIL_ACTIVATION_CLOSURE_20260327-171211.md)
- Real boundary:
- the supported-browser closure uses a local SMTP capture service and proves the product loop.
- it does not by itself prove live external SMTP provider deliverability.
## 2026-03-27 PRD 1.1 Self-Service Registration Closure Update
- PRD `1.1 Multiple registration methods` is now closed at product implementation level for the self-service frontend loop.
- Backend closure:
- the existing `POST /api/v1/auth/register` product API is now matched by a real public frontend path.
- `POST /api/v1/auth/send-code` now accepts both `purpose` and legacy `scene` payloads, preventing older clients from silently breaking while the frontend uses the normalized `purpose` contract.
- Frontend closure:
- `/register` is now a real public route linked from `/login`.
- users can complete username/password self-registration, optionally provide nickname/email, and use capability-gated phone registration when SMS is enabled.
- `/dashboard` is now admin-guarded, so newly registered non-admin users no longer land on an admin-only stats error path after first login; they settle on `/profile`.
- `/register` is treated as a public auth path during session-restore cleanup.
- Latest verified commands for this closure:
- `go test ./... -count=1`
- `go build ./cmd/server`
- `cd D:\project\frontend\admin && npm.cmd run lint`
- `cd D:\project\frontend\admin && npm.cmd run test:run`
- `cd D:\project\frontend\admin && npm.cmd run build`
- `cd D:\project\frontend\admin && powershell -ExecutionPolicy Bypass -File .\scripts\run-playwright-auth-e2e.ps1`
- Latest evidence:
- [`docs/evidence/ops/2026-03-27/e2e/SELF_SERVICE_REGISTER_CLOSURE_20260327-000848.md`](/D:/project/docs/evidence/ops/2026-03-27/e2e/SELF_SERVICE_REGISTER_CLOSURE_20260327-000848.md)
- Real boundary:
- phone registration remains capability-gated by configured SMS delivery.
- email activation remains environment-dependent on SMTP-backed delivery.
- this closes the product loop, not the separate live third-party OAuth proof layer or external production governance evidence layer.
## 2026-03-26 PRD 1.5 Account Binding Closure Update
- PRD `1.5 User information management -> Account binding and unbinding` is now closed at product implementation level for `email / phone number / social account`.
- Backend closure:
- self-service email bind / replace / unbind and phone bind / replace / unbind are now exposed through protected `users/me` endpoints.
- bind requires target-channel verification code plus current-account verification when password or TOTP is configured.
- unbind blocks removal if no login method would remain.
- direct self-service `PUT /api/v1/users/:id` updates of `email` / `phone` are now rejected for non-admin self flows.
- Frontend closure:
- `/profile/security` now includes a real email/phone binding management section.
- `/profile` no longer edits `email` / `phone` directly and instead routes users to verified binding flows.
- Latest verified commands for this closure:
- `go test ./... -count=1`
- `go build ./cmd/server`
- `cd D:\project\frontend\admin && npm.cmd run lint`
- `cd D:\project\frontend\admin && npm.cmd run test:run`
- `cd D:\project\frontend\admin && npm.cmd run build`
- `cd D:\project\frontend\admin && powershell -ExecutionPolicy Bypass -File .\scripts\run-playwright-auth-e2e.ps1`
- Latest evidence:
- [`docs/evidence/ops/2026-03-26/e2e/ACCOUNT_BINDING_CLOSURE_20260326-224700.md`](/D:/project/docs/evidence/ops/2026-03-26/e2e/ACCOUNT_BINDING_CLOSURE_20260326-224700.md)
- Real boundary:
- email binding remains capability-gated by SMTP-backed email code delivery.
- phone binding remains capability-gated by configured Aliyun/Tencent SMS delivery.
- this closes the product loop, not the separate live third-party OAuth proof layer.
## 2026-03-26 PRD 5.2 Closure Update
- PRD `5.2 User information management -> Create user` is now closed end-to-end.
- Backend closure:
- `POST /api/v1/users` is live behind existing `user:manage` authorization.
- admin-created users support initial password, optional email/phone/nickname, optional explicit roles, default-role assignment, and optional activation email when SMTP activation is configured.
- Frontend closure:
- Admin Users page now includes a real `Create User` (`创建用户`) modal and service call path.
- E2E closure hardening:
- `frontend/admin/scripts/run-playwright-auth-e2e.ps1` no longer reuses ambient `8080/3000` services.
- the supported browser path now launches isolated backend/frontend ports and an isolated SQLite database under `%TEMP%`.
- `frontend/admin/.env.development` now defaults to `/api/v1`, so Vite proxy overrides remain effective.
- Latest verified commands for this closure:
- `go test ./... -count=1`
- `go build ./cmd/server`
- `cd D:\project\frontend\admin && npm.cmd run lint`
- `cd D:\project\frontend\admin && npm.cmd run test:run -- src/services/users.test.ts src/pages/admin/UsersPage/CreateUserModal.test.tsx`
- `cd D:\project\frontend\admin && npm.cmd run build`
- `cd D:\project\frontend\admin && powershell -ExecutionPolicy Bypass -File .\scripts\run-playwright-auth-e2e.ps1`
- Latest evidence:
- [`docs/evidence/ops/2026-03-26/e2e/PLAYWRIGHT_CDP_E2E_CREATE_USER_CLOSURE_20260326-190646.md`](/D:/project/docs/evidence/ops/2026-03-26/e2e/PLAYWRIGHT_CDP_E2E_CREATE_USER_CLOSURE_20260326-190646.md)
- Real boundary:
- the supported CDP browser path confirms create-user success, list-level persistence, and modal close transition initiation.
- it still does not change the earlier boundary that full OS-level automation and live third-party OAuth validation remain outside current closure.
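Updated: 2026-03-26
## Current Conclusions
- The backend main path can be built, tested, and run.
- The frontend admin console can be built, linted, and unit-tested.
- The currently supported real-browser primary acceptance path is `cd frontend/admin && npm.cmd run e2e:full:win`.
- The project has completed browser-level real E2E closure, but this is not the same as full OS-level automation.
- The runtime no longer depends on the `smoke` script; `smoke` is kept only as a supplementary diagnostic tool.
- One round of locally auditable governance evidence has been closed, covering SCA, backup/restore, local rollback, the observability baseline, configuration and environment isolation, alerting package validation, the alert rendering drill, and secret boundary validation.
## 2026-03-26 Latest Closure
- Added detection of the first-login admin initialization state: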
- [`internal/service/auth_capabilities.go`](/D:/project/internal/service/auth_capabilities.go)
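- `GET /api/v1/auth/capabilities` now returns `admin_bootstrap_required`, reflecting whether the system still lacks an active admin who can log in.
- The login page now closes the product-prompt loop for first-login admin initialization: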
- [`frontend/admin/src/pages/auth/LoginPage/LoginPage.tsx`](/D:/project/frontend/admin/src/pages/auth/LoginPage/LoginPage.tsx)
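- When no usable admin exists, the frontend explicitly shows "The current version does not provide a default account; admin initialization must be completed first."
- Added backend and frontend regression tests covering the admin initialization state and the login page prompt: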
- [`internal/service/auth_capabilities_runtime_test.go`](/D:/project/internal/service/auth_capabilities_runtime_test.go)
- [`internal/api/handler/auth_capabilities_test.go`](/D:/project/internal/api/handler/auth_capabilities_test.go)
- [`frontend/admin/src/services/auth.test.ts`](/D:/project/frontend/admin/src/services/auth.test.ts)
- [`frontend/admin/src/pages/auth/LoginPage/LoginPage.test.tsx`](/D:/project/frontend/admin/src/pages/auth/LoginPage/LoginPage.test.tsx)
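- The browser-level real E2E main path was rerun and passed; the first-login prompt change on the login page did not break the existing authentication flow: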
- `cd frontend/admin && npm.cmd run e2e:full:win`
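- Fixed the email verification code rate-limit regression: the second send went from wrongly reporting `500` back to `429 Too Many Requests`.
- Added stable, compatible recognition of email rate-limit errors, so that legacy garbled messages or English rate-limit messages do not cause misclassification again.
- Removed the last `panic` in non-test code: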
- [`internal/auth/jwt.go`](/D:/project/internal/auth/jwt.go)
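- The `NewJWT` compatibility entry point no longer crashes the process on invalid configuration; it defers the failure and returns an error when actually called.
- Added closure tests confirming that legacy JWT construction failure no longer panics: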
- [`internal/auth/jwt_closure_test.go`](/D:/project/internal/auth/jwt_closure_test.go)
- The frontend `window.alert/confirm/prompt/open` guard chain is confirmed to exist and is covered by tests:
- [`frontend/admin/src/app/bootstrap/installWindowGuards.ts`](/D:/project/frontend/admin/src/app/bootstrap/installWindowGuards.ts)
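## Current Real Runtime Capabilities
- Password login: enabled
- Email verification code login: enabled only when SMTP is fully configured
- SMS verification code login: enabled only when Aliyun or Tencent Cloud SMS is fully configured
- Account binding and unbinding: the email / phone number / social account product loop is complete; email and SMS binding each depend on the corresponding verification-code channel being configured
- Password reset: enabled only when SMTP is fully configured
- First-login admin initialization: when the system has no active admin, `/login` and `/register` expose the `/bootstrap-admin` entry based on `GET /api/v1/auth/capabilities`; after successful initialization the operator goes straight into the admin console, and the entry closes automatically
- TOTP: enabled
- RBAC / devices / logs / Webhook / import-export: enabled
- Health checks: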
- `GET /health`
- `GET /health/live`
- `GET /health/ready`
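## Current Real Limitations
- What is currently supported is browser-level real validation, not full OS-level automation.
- It does not cover OS-level behavior such as system file pickers, system permission dialogs, or native desktop windows.
- In the current environment the `playwright test` runner is still blocked by `spawn EPERM`, so it is not a supported primary entry point.
- `agent-browser` can currently be used for observation and auxiliary diagnosis, but not as stable, full-coverage, sign-off-grade E2E main-path evidence for the project.
- The OAuth frontend loop is complete, but live browser validation evidence with real third-party provider credentials is still missing.
- Materials for the external production delivery layer are still not fully closed:
- External notification channel integration evidence
- External Secrets Manager / KMS evidence
- Multi-environment CI/CD secret distribution evidence
- Rollback compatibility evidence at the level of cross-version schema downgrade
## Verified Commands
Executed and passed in this round: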
```powershell
go test ./... -count=1
go vet ./...
go build ./cmd/server
cd D:\project\frontend\admin
npm.cmd run test:run -- src/services/auth.test.ts src/pages/auth/LoginPage/LoginPage.test.tsx
npm.cmd run lint
npm.cmd run build
npm.cmd run e2e:full:win
```
Commands for the local governance evidence produced earlier and retained:
```powershell
powershell -ExecutionPolicy Bypass -File scripts/ops/run-sca-evidence.ps1
powershell -ExecutionPolicy Bypass -File scripts/ops/drill-sqlite-backup-restore.ps1
powershell -ExecutionPolicy Bypass -File scripts/ops/capture-local-baseline.ps1
powershell -ExecutionPolicy Bypass -File scripts/ops/drill-config-isolation.ps1
powershell -ExecutionPolicy Bypass -File scripts/ops/drill-local-rollback.ps1
powershell -ExecutionPolicy Bypass -File scripts/ops/validate-alerting-package.ps1
powershell -ExecutionPolicy Bypass -File scripts/ops/drill-alertmanager-render.ps1
powershell -ExecutionPolicy Bypass -File scripts/ops/validate-secret-boundary.ps1
```
## Governance Baseline Entry Points
- Project-level collaboration and truthful-reporting rules: [`AGENTS.md`](/D:/project/AGENTS.md)
- Engineering quality standard: [`docs/team/QUALITY_STANDARD.md`](/D:/project/docs/team/QUALITY_STANDARD.md)
- Production release checklist: [`docs/team/PRODUCTION_CHECKLIST.md`](/D:/project/docs/team/PRODUCTION_CHECKLIST.md)
- Engineering collaboration and documentation sync guide: [`docs/team/TECHNICAL_GUIDE.md`](/D:/project/docs/team/TECHNICAL_GUIDE.md)
- Lessons learned from this round: [`docs/team/PROJECT_EXPERIENCE_SUMMARY.md`](/D:/project/docs/team/PROJECT_EXPERIENCE_SUMMARY.md)
## Existing Evidence
- Full real-browser E2E closure:
- [`docs/evidence/ops/2026-03-24/e2e/PLAYWRIGHT_CDP_E2E_CLOSURE_20260324-151537.md`](/D:/project/docs/evidence/ops/2026-03-24/e2e/PLAYWRIGHT_CDP_E2E_CLOSURE_20260324-151537.md)
- `agent-browser` authenticity validation:
- [`docs/evidence/ops/2026-03-24/e2e/AGENT_BROWSER_VALIDATION_20260324-162724.md`](/D:/project/docs/evidence/ops/2026-03-24/e2e/AGENT_BROWSER_VALIDATION_20260324-162724.md)
- Early raw CDP Windows stability evidence:
- [`docs/evidence/ops/2026-03-24/e2e/RAW_CDP_WINDOWS_STABILITY_20260324-121816.md`](/D:/project/docs/evidence/ops/2026-03-24/e2e/RAW_CDP_WINDOWS_STABILITY_20260324-121816.md)
- Secret boundary:
- [`docs/evidence/ops/2026-03-24/secret-boundary/20260324-104122/SECRET_BOUNDARY_DRILL.md`](/D:/project/docs/evidence/ops/2026-03-24/secret-boundary/20260324-104122/SECRET_BOUNDARY_DRILL.md)
- SCA:
- [`docs/evidence/ops/2026-03-24/sca/SCA_SUMMARY_20260324-072144.md`](/D:/project/docs/evidence/ops/2026-03-24/sca/SCA_SUMMARY_20260324-072144.md)
- Backup/restore drill:
- [`docs/evidence/ops/2026-03-24/backup-restore/20260324-072353/BACKUP_RESTORE_DRILL.md`](/D:/project/docs/evidence/ops/2026-03-24/backup-restore/20260324-072353/BACKUP_RESTORE_DRILL.md)
- Local rollback drill:
- [`docs/evidence/ops/2026-03-24/rollback/20260324-084928/ROLLBACK_DRILL.md`](/D:/project/docs/evidence/ops/2026-03-24/rollback/20260324-084928/ROLLBACK_DRILL.md)
- Local observability baseline:
- [`docs/evidence/ops/2026-03-24/observability/LOCAL_BASELINE_20260324-090637.md`](/D:/project/docs/evidence/ops/2026-03-24/observability/LOCAL_BASELINE_20260324-090637.md)
- Configuration and environment isolation:
- [`docs/evidence/ops/2026-03-24/config-isolation/20260324-084915/CONFIG_ENV_ISOLATION_DRILL.md`](/D:/project/docs/evidence/ops/2026-03-24/config-isolation/20260324-084915/CONFIG_ENV_ISOLATION_DRILL.md)
- Alerting package structure validation:
- [`docs/evidence/ops/2026-03-24/alerting/ALERTING_PACKAGE_20260324-102540.md`](/D:/project/docs/evidence/ops/2026-03-24/alerting/ALERTING_PACKAGE_20260324-102540.md)
- Alert rendering drill:
- [`docs/evidence/ops/2026-03-24/alerting/20260324-102553/ALERTMANAGER_RENDER_DRILL.md`](/D:/project/docs/evidence/ops/2026-03-24/alerting/20260324-102553/ALERTMANAGER_RENDER_DRILL.md)
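## Suggested External Wording
It can currently be stated honestly that the project has completed browser-level real E2E closure in the current restricted Windows environment and has one round of locally auditable governance evidence closed; what remains incomplete is full OS-level automation, live validation against real third-party OAuth, and part of the external production delivery evidence, so it should not be overstated as "all enterprise-grade launch materials are closed".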
## 2026-03-26 Social Account Binding Closure Update
- PRD social account management (`1.5`, `2.2`, `2.3`) is now closed at implementation level.
- Backend closure:
- `POST /api/v1/users/me/bind-social` now starts an authenticated OAuth binding flow instead of relying on raw `open_id` input from the product UI path.
- `GET /api/v1/auth/oauth/:provider/callback` now supports both login callback and bind callback through persisted OAuth state purpose.
- `GET /api/v1/users/me/social-accounts` now returns sanitized bound-account info.
- `DELETE /api/v1/users/me/bind-social/:provider` now enforces password/TOTP verification when available and blocks unbinding if no login method would remain.
- Frontend closure:
- `/profile/security` now exposes a real social-account management section with bind entry, bound account table, callback-result handling, and guarded unbind modal.
- Validation passed:
- `go test ./... -count=1`
- `go build ./cmd/server`
- `cd frontend/admin && npm.cmd run lint`
- `cd frontend/admin && npm.cmd run test:run -- src/services/auth.test.ts src/services/social-accounts.test.ts src/pages/admin/ProfileSecurityPage/ProfileSecurityPage.social.test.tsx`
- `cd frontend/admin && npm.cmd run build`
- `cd frontend/admin && powershell -ExecutionPolicy Bypass -File .\scripts\run-playwright-auth-e2e.ps1`
- Real remaining gap:
- live third-party OAuth provider browser evidence is still missing; this update closes the product flow, not the real-provider proof layer.
- Evidence:
- [`docs/evidence/ops/2026-03-26/e2e/SOCIAL_ACCOUNT_BINDING_CLOSURE_20260326-200220.md`](/D:/project/docs/evidence/ops/2026-03-26/e2e/SOCIAL_ACCOUNT_BINDING_CLOSURE_20260326-200220.md)
## 2026-03-28 Router Coverage Closure Update
- `Q-004` remediation progressed further, but still cannot be honestly declared closed.
- Frontend router closure:
- `frontend/admin/src/app/router.tsx` is now covered at `100 / 100 / 100 / 100`.
- `frontend/admin/src/app/router.test.tsx` now covers public/protected route registration, `RequireAuth` and `RequireAdmin` wrapping, default redirect behavior, lazy route resolution, and the invalid-export error branch.
- Validation passed:
- `cd frontend/admin && npm.cmd run test:run -- src/app/router.test.tsx`
- `cd frontend/admin && npm.cmd run test:run`
- `cd frontend/admin && npm.cmd run lint`
- `cd frontend/admin && npm.cmd run build`
- `cd frontend/admin && npm.cmd run test:coverage`
- Frontend current full coverage:
- statements `90.74%`
- branches `77.74%`
- functions `87.40%`
- lines `90.87%`
- Real remaining `Q-004` frontend gaps after this closure:
- `src/pages/admin/DashboardPage/DashboardPage.tsx`
- `src/components/feedback/PageState/PageState.tsx`
- broader low-coverage shared/admin surfaces outside this single pass
- Real remaining hygiene issue:
- `npm.cmd run test:coverage` still exits successfully but prints one post-summary jsdom `AggregateError` network-noise line.
- Evidence:
- [`docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-121611.md`](/D:/project/docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-121611.md)
## 2026-03-28 Dashboard Coverage Closure Update
- `Q-004` remediation progressed again, but still cannot be honestly declared closed.
- Frontend dashboard closure:
- `frontend/admin/src/pages/admin/DashboardPage/DashboardPage.tsx` is now covered at `100 / 100 / 100 / 100`.
- `frontend/admin/src/pages/admin/DashboardPage/DashboardPage.test.tsx` now covers loading, success, retriable error, retry recovery, and empty-payload fallback behavior.
- Validation passed:
- `cd frontend/admin && npm.cmd run test:run -- src/pages/admin/DashboardPage/DashboardPage.test.tsx`
- `cd frontend/admin && npm.cmd run lint`
- `cd frontend/admin && npm.cmd run build`
- `cd frontend/admin && npm.cmd run test:coverage`
- Frontend current full coverage:
- statements `91.66%`
- branches `78.26%`
- functions `87.86%`
- lines `91.82%`
- Real remaining `Q-004` frontend gaps after this closure:
- `src/components/feedback/PageState/PageState.tsx`
- broader low-coverage shared/admin surfaces outside this single pass
- Real remaining hygiene issue:
- `npm.cmd run test:coverage` still exits successfully but prints one post-summary jsdom `AggregateError` network-noise line.
- Evidence:
- [`docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-122517.md`](/D:/project/docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-122517.md)
## 2026-03-28 PageState Coverage Closure Update
- `Q-004` remediation progressed again, but still cannot be honestly declared closed.
- Shared page-state closure:
- `frontend/admin/src/components/feedback/PageState/PageState.tsx` is now covered at `100 / 100 / 100 / 100`.
- `frontend/admin/src/components/feedback/PageState/PageState.test.tsx` now covers loading, empty, action-button, error default, retry, and extra-action behavior.
- Validation passed:
- `cd frontend/admin && npm.cmd run test:run -- src/components/feedback/PageState/PageState.test.tsx`
- `cd frontend/admin && npm.cmd run lint`
- `cd frontend/admin && npm.cmd run build`
- `cd frontend/admin && npm.cmd run test:coverage`
- Frontend current full coverage:
- statements `91.71%`
- branches `78.52%`
- functions `88.01%`
- lines `91.86%`
- Real remaining `Q-004` frontend gaps after this closure:
- `src/layouts/AdminLayout/AdminLayout.tsx`
- `src/pages/admin/ImportExportPage/ImportExportPage.tsx`
- `src/lib/errors/AppError.ts`
- `src/lib/storage/token-storage.ts`
- additional lower-coverage shared/admin surfaces outside this single pass
- Real remaining hygiene issue:
- `npm.cmd run test:coverage` still exits successfully but prints one post-summary jsdom `AggregateError` network-noise line.
- Evidence:
- [`docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-123228.md`](/D:/project/docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-123228.md)
## 2026-03-28 AdminLayout Coverage Closure Update
- `Q-004` remediation progressed again, but still cannot be honestly declared closed.
- Admin shell closure:
- `frontend/admin/src/layouts/AdminLayout/AdminLayout.tsx` is now covered at `100 / 100 / 100 / 100`.
- `frontend/admin/src/layouts/AdminLayout/AdminLayout.test.tsx` now covers loading, desktop and mobile navigation, dropdown actions, collapse state, avatar and username fallback logic, and explicit child rendering.
- Validation passed:
- `cd frontend/admin && npm.cmd run test:run -- src/layouts/AdminLayout/AdminLayout.test.tsx`
- `cd frontend/admin && npm.cmd run lint`
- `cd frontend/admin && npm.cmd run build`
- `cd frontend/admin && npm.cmd run test:coverage`
- Frontend current full coverage:
- statements `92.06%`
- branches `79.29%`
- functions `89.09%`
- lines `92.22%`
- Real remaining `Q-004` frontend gaps after this closure:
- `src/lib/storage/token-storage.ts`
- `src/lib/errors/AppError.ts`
- `src/pages/admin/ImportExportPage/ImportExportPage.tsx`
- `src/pages/NotFoundPage/NotFoundPage.tsx`
- additional lower-coverage shared/admin surfaces outside this single pass
- Real remaining hygiene issue:
- `npm.cmd run test:coverage` still exits successfully but prints one post-summary jsdom `AggregateError` network-noise line.
- Evidence:
- [`docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-124756.md`](/D:/project/docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-124756.md)
## 2026-03-28 Token Storage Coverage Closure Update
- `Q-004` remediation progressed again, but still cannot be honestly declared closed.
- Token storage closure:
  - `frontend/admin/src/lib/storage/token-storage.ts` is now covered at `100 / 100 / 100 / 100`.
  - `frontend/admin/src/lib/storage/token-storage.test.ts` now covers token normalization, in-memory presence checks, explicit clearing, session cookie detection, and the no-`document` branch.
- Validation passed:
  - `cd frontend/admin && npm.cmd run test:run -- src/lib/storage/token-storage.test.ts`
  - `cd frontend/admin && npm.cmd run lint`
  - `cd frontend/admin && npm.cmd run build`
  - `cd frontend/admin && npm.cmd run test:coverage`
- Frontend current full coverage:
  - statements `92.32%`
  - branches `79.63%`
  - functions `89.70%`
  - lines `92.49%`
- Real remaining `Q-004` frontend gaps after this closure:
  - `src/lib/errors/AppError.ts`
  - `src/pages/admin/ImportExportPage/ImportExportPage.tsx`
  - `src/pages/NotFoundPage/NotFoundPage.tsx`
  - additional lower-coverage shared/admin surfaces outside this single pass
- Real remaining hygiene issue:
  - `npm.cmd run test:coverage` still exits successfully but prints one post-summary jsdom `AggregateError` network-noise line.
- Evidence:
  - [`docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-125454.md`](/D:/project/docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-125454.md)
## 2026-03-28 AppError Coverage Closure Update
- `Q-004` remediation progressed again, but still cannot be honestly declared closed.
- Error module closure:
  - `frontend/admin/src/lib/errors/AppError.ts` is now covered at `100 / 100 / 100 / 100`.
  - `frontend/admin/src/lib/errors/index.ts` is now covered at `100 / 100 / 100 / 100`.
  - `frontend/admin/src/lib/errors/AppError.test.ts` now covers constructor defaults, factory helpers, response mapping, user-message mapping, and shared error helpers.
- Validation passed:
  - `cd frontend/admin && npm.cmd run test:run -- src/lib/errors/AppError.test.ts`
  - `cd frontend/admin && npm.cmd run lint`
  - `cd frontend/admin && npm.cmd run build`
  - `cd frontend/admin && npm.cmd run test:coverage`
- Frontend current full coverage:
  - statements `93.07%`
  - branches `81.35%`
  - functions `90.32%`
  - lines `93.26%`
- Real remaining `Q-004` frontend gaps after this closure:
  - `src/pages/admin/ImportExportPage/ImportExportPage.tsx`
  - `src/pages/NotFoundPage/NotFoundPage.tsx`
  - `src/lib/hooks/useBreadcrumbs.ts`
  - `src/app/providers/ThemeProvider.tsx`
  - additional lower-coverage shared/admin surfaces outside this single pass
- Real remaining hygiene issue:
  - `npm.cmd run test:coverage` still exits successfully but prints one post-summary jsdom `AggregateError` network-noise line.
- Evidence:
  - [`docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-140215.md`](/D:/project/docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-140215.md)