Skip to content

[S24] test : s18 cert validation hardening (harness-based)#130

Merged
Doogie201 merged 2 commits intomainfrom
sprint/S24-s18-validation
Feb 24, 2026
Merged

[S24] test : s18 cert validation hardening (harness-based)#130
Doogie201 merged 2 commits intomainfrom
sprint/S24-s18-validation

Conversation

@Doogie201
Copy link
Owner

@Doogie201 Doogie201 commented Feb 24, 2026
edited
Loading

Sprint S24 — S18 Cert Validation Hardening (Harness-Based)

Sprint ID: S24-s18-validation
Objective: Validate that the S18/S18v2 cert cannot false-PASS when stderr/hydration failures occur with HTTP 200 using a harness-based approach (DI + fixtures), and audit main to ensure zero crash-probe remnants in app routes.

No crash probes / no env-var toggles / no force-dynamic used for evidence.
Log capture is fail-closed when serverLogPath is provided (unreadable log = FAIL, not silent PASS).

Acceptance Tests

  • AT-S24-01 Audit PASS: zero crash-probe remnants in app routes
  • AT-S24-02 Proof PASS: harness proves old overlay-only detection false-PASS
  • AT-S24-03 Upgrade PASS: upgraded cert FAILS for 200 + clean HTML + stderr crash
  • AT-S24-04 Clean PASS: upgraded cert PASSES for 200 + clean HTML + clean stderr
  • AT-S24-05 Main-only enforcement preserved
  • AT-S24-06 Fail-closed log collection: unreadable log = FAIL with LOG_READ_FAILED

Evidence

See docs/sprints/S24/evidence/ for all JSON receipts (AT-01 through AT-06 + gates).

Budget

File Before After Net New Budget
releaseCert.ts 99 168 +69 120
releaseCert.test.ts 165 267 +102 120

Marker Lists

OVERLAY_MARKERS: nextjs-portal, data-nextjs-dialog, data-nextjs-error, nextjs__container_errors, Unhandled Runtime Error, Maximum update depth exceeded, Internal Server Error, Application error: a server-side exception has occurred, Hydration failed

STDERR_SIGNATURES: ⨯ Error, TypeError:, ReferenceError:, SyntaxError:, RangeError:, ECONNREFUSED, EADDRINUSE, unhandledRejection, uncaughtException, Hydration failed, digest:, server-side exception

Fail-closed marker: LOG_READ_FAILED

Gates

Gate Result
Test 182 passed (40 files)
Lint Clean
Build Clean
Pre-commit hooks All passed

@Doogie201 @claude
[S24] test : s18 cert validation hardening (harness-based)
6e61627 
Upgrade releaseCert.ts with stderr/log monitoring using DI + fixture harness
tests. No crash probes, no env-var toggles, no force-dynamic in app routes.

Changes:
- Add STDERR_SIGNATURES list (12 patterns) for server log scanning
- Add StderrCheck interface and checkServerLog() function
- Extend runCert() with RunCertOptions.serverLogPath for stderr checking
- Add harness tests proving overlay-fallacy: HTTP 200 + clean HTML + stderr
  crash = old cert false-PASS, upgraded cert correct FAIL
- Audit confirms zero crash-probe remnants in app routes

AT-S24-01: Audit PASS (grep + page.tsx verification)
AT-S24-02: Harness proves old overlay-only detection false-PASS
AT-S24-03: Upgraded cert FAILS for 200 + stderr crash
AT-S24-04: Upgraded cert PASSES for 200 + clean stderr
AT-S24-05: Main-only enforcement preserved (existing checkBranch tests)

Co-Authored-By: Claude <noreply@anthropic.com>
@Doogie201 Doogie201 added evidence:attached Evidence receipts attached area:cert Certification area risk:high High risk sprint:S24 Sprint S24 type:test Testing labels Feb 24, 2026
chatgpt-codex-connector[bot]
chatgpt-codex-connector bot reviewed Feb 24, 2026
View reviewed changes
Copy link

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 6e616273e8

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@Doogie201 @claude
fix(cert): fail-closed log collection when serverLogPath is unreadable
8d99498 
checkServerLog now returns ok:false with LOG_READ_FAILED marker when
logPath is provided but the file cannot be read, preventing silent
false-PASS due to missing evidence (AT-S24-06).

Co-Authored-By: Claude <noreply@anthropic.com>
@codecov
Copy link

codecov bot commented Feb 24, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@Doogie201 Doogie201 merged commit 51497b7 into main Feb 24, 2026
6 checks passed
@Doogie201 Doogie201 deleted the sprint/S24-s18-validation branch February 24, 2026 23:14
Doogie201 added a commit that referenced this pull request Feb 24, 2026
@Doogie201 @claude
chore: mark S24 done after PR #130 merge
ca896c0 
Co-Authored-By: Claude <noreply@anthropic.com>
@Doogie201 Doogie201 mentioned this pull request Feb 24, 2026
Merged
Doogie201 added a commit that referenced this pull request Feb 24, 2026
@Doogie201 @claude
chore: mark S24 done after PR #130 merge (#131)
339338f 
Co-authored-by: Claude <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

Assignees

No one assigned

Labels

area:cert Certification area evidence:attached Evidence receipts attached risk:high High risk sprint:S24 Sprint S24 type:test Testing

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Doogie201