feat(tests): suite E2E completa + 12 edge integrations + fuzz expandido + CI #355
Edge Function Integration Tests (12 new, 20 in total):
- ai-recommendations: happy path, fallback, 429, CORS, SQL injection
- categories-api: listing, hierarchy, cache, adversarial params
- get-visitor-info: anonymous/authenticated, LGPD, sensitive-data leak
- image-proxy: SSRF blocking (9 IPs), forbidden types, 502 upstream
- magic-up-score: score 0-100, factors, tier, inactive product
- manage-users: CRUD, admin-only RBAC, SQL/XSS injection
- product-webhook: HMAC, idempotency, typed events, malformed payloads
- rate-limit-check: within/over limit, whitelist, independent actions
- semantic-search: query, sorted scores, adversarial unicode
- send-transactional-email: templates, CRLF injection, throttle
- step-up-verify: OTP, replay attack, brute-force lockout, TOTP
- trends-insights: periods, RBAC, cache headers, adversarial params
E2E Flows (5 new specs):
- 25-quote-full-flow: creation → kanban → templates
- 26-catalog-to-kit-flow: products → detail → kit builder
- 27-admin-critical-routes: 10 admin routes with RBAC and content
- 28-error-boundaries: 404 without stack trace, XSS, sensitive information
- 29-mobile-critical-routes: 390px viewport, overflow, touch targets
Fuzz Testing:
- scripts/fuzz-edge-uploads.mjs: 104 scenarios (polyglot MIME, SSRF, invalid HMAC, adversarial unicode, extreme numeric fields, Content-Type bypass, adversarial HTTP headers)
CI Workflows:
- .github/workflows/edge-integration-all.yml: edge integration + fuzz dry-run + fuzz live (with credentials)
- .github/workflows/e2e-flows.yml: error boundaries + full flows authed + mobile viewport
package.json: 8 new scripts (test:edge:integration:all, :coverage, test:fuzz:uploads, :all, test:e2e:flows, :mobile:flows, :error-boundaries)
Total: 332 integration tests passing (20 files), 104 fuzz scenarios validated in dry-run.
This pull request has been ignored for the connected project Preview Branches by Supabase.
CodeRabbit: review failed because the pull request is closed. Configuration used: .coderabbit.yaml, review profile CHILL, plan Pro. Files selected for processing: 22.
Walkthrough: the PR expands test coverage by adding 5 Playwright E2E suites (user flows, admin, mobile, error boundaries), 12 Vitest integration tests for edge functions, two GitHub Actions workflows, and updated npm scripts and lint baseline.
Changes
E2E Tests and Continuous Integration
Edge Function Integration Tests
Test and Lint Infrastructure
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~25 minutes. Rationale: ~3,900 lines added, heterogeneous (YAML workflows, Playwright E2E specs, Vitest edge tests with repetitive patterns but dense in security validations). Requires verification of:
Pull request overview
Note: Copilot was unable to run its full agentic suite in this review.
Adds a broad automated test/verification layer for Edge Functions plus new Playwright E2E “critical flows”, and wires both into GitHub Actions for CI enforcement.
Changes:
- Added mocked Vitest integration suites for multiple Edge Functions (auth, inputs adversariais, CORS, headers, caching).
- Added a new fuzzing runner targeting uploads/webhooks/unicode/headers and npm scripts to run it.
- Added new Playwright E2E flow specs (quote, catalog→kit, admin routes, error boundaries, mobile) and CI workflows to execute them.
Reviewed changes
Copilot reviewed 22 out of 22 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| tests/edge-functions/integration/trends-insights.test.ts | Adds integration coverage for trends-insights scenarios (filters, RBAC, cache, adversarial params, CORS). |
| tests/edge-functions/integration/step-up-verify.test.ts | Adds integration coverage for OTP verification behavior (expiry, lockout, replay, input validation, CORS). |
| tests/edge-functions/integration/send-transactional-email.test.ts | Adds integration coverage for transactional email validation, throttling, provider failures, adversarial payloads, CORS. |
| tests/edge-functions/integration/semantic-search.test.ts | Adds integration coverage for semantic search (sorting, metrics, filters, input validation, adversarial queries, auth, CORS). |
| tests/edge-functions/integration/rate-limit-check.test.ts | Adds integration coverage for rate-limit-check behavior (limits, Retry-After, whitelist, validation, auth, CORS). |
| tests/edge-functions/integration/product-webhook.test.ts | Adds integration coverage for product webhook events, HMAC validation, malformed payloads, idempotency, CORS. |
| tests/edge-functions/integration/manage-users.test.ts | Adds integration coverage for manage-users CRUD + RBAC constraints and adversarial payloads. |
| tests/edge-functions/integration/magic-up-score.test.ts | Adds integration coverage for scoring outputs, ranges, eligibility, validation, auth, CORS. |
| tests/edge-functions/integration/image-proxy.test.ts | Adds integration coverage for image proxy SSRF blocking, content-type enforcement, cache, auth, CORS. |
| tests/edge-functions/integration/get-visitor-info.test.ts | Adds integration coverage for anonymous/auth visitor info, privacy checks, CORS, and leakage protections. |
| tests/edge-functions/integration/categories-api.test.ts | Adds integration coverage for category listing/hierarchy, caching, filtering, adversarial params, DB-failure behavior, CORS. |
| tests/edge-functions/integration/ai-recommendations.test.ts | Adds integration coverage for AI recommendations (fallback, validation, auth, rate-limit, CORS/method). |
| scripts/fuzz-edge-uploads.mjs | Introduces a fuzz runner for uploads/webhooks/numeric/unicode/header adversarial cases with dry-run mode. |
| package.json | Adds scripts to run all edge integration tests + coverage and to run the new fuzz runner. |
| e2e/flows/25-quote-full-flow.spec.ts | Adds a smoke-oriented E2E spec for quote creation and related routes. |
| e2e/flows/26-catalog-to-kit-flow.spec.ts | Adds E2E spec for catalog→product→kit builder journey and related routes. |
| e2e/flows/27-admin-critical-routes.spec.ts | Adds E2E spec verifying critical admin routes load/redirect safely. |
| e2e/flows/28-error-boundaries.spec.ts | Adds E2E spec for 404/error boundaries and non-leak behavior. |
| e2e/flows/29-mobile-critical-routes.spec.ts | Adds E2E spec for mobile viewport critical routes and basic accessibility heuristics. |
| .github/workflows/edge-integration-all.yml | Adds CI workflow to run all edge integration tests + coverage and fuzz dry-run/live. |
| .github/workflows/e2e-flows.yml | Adds CI workflow to run the new Playwright flow specs (error boundaries, authed flows, mobile). |
| .eslint-baseline.json | Updates ESLint baseline snapshot counts/timestamps. |
| "sha256=abc", // hash curto | ||
| "invalid-format", // sem prefixo | ||
| "sha256=" + "0".repeat(64), // todos zeros | ||
| "\x00" * 100, // bytes nulos |
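Review bot: the last entry, `"\x00" * 100`, is not a string of 100 null bytes; `*` coerces both operands to numbers, and `Number("\x00")` is NaN (a NUL is not whitespace), so the array element is the number NaN. Any string method applied to it later (`sig.slice(...)`, `startsWith`, `length`-based checks) throws TypeError instead of exercising the edge function, so that case never tests the HMAC path. Use `"\x00".repeat(100)` to keep it a string, and if a non-string signature is worth covering, add it as a deliberate, labelled case (`null`, a number) so the target's type check is tested on purpose rather than by accident.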
| if (str.includes("<script>")) { | ||
| expect(!text.includes("<script>")).toBe(true); |
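Review bot: the assertion is guarded by `if (str.includes("<script>"))`, so any payload in the adversarial list that does not contain that exact token (attribute-breaking quotes, event handlers, different casing) skips the check entirely; run the non-reflection assertion for every payload. `expect(!text.includes("<script>")).toBe(true)` also hides the offending text on failure; `expect(text).not.toContain("<script>")` reports it. Consider a positive assertion as well, that the reflected value appears HTML-escaped (for example `&lt;script&gt;`) or not at all, so the test states the safe behaviour rather than only the absence of one literal.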
| timeout-minutes: 30 | ||
| if: > | ||
| github.event_name == 'push' || | ||
| (github.event_name == 'pull_request' && vars.E2E_USER_EMAIL != '') |
| - name: Wait for server | ||
| run: timeout 120 bash -c 'until curl -sf http://localhost:8080 > /dev/null 2>&1; do sleep 1; done' | ||
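Review bot: the pull-request branch of this `if:` reads `vars.E2E_USER_EMAIL`, the repository-variables context, so it only opens when the email is stored as a plain variable; if the credentials exist only as Secrets, the expression is empty and the authenticated suite is silently skipped on every PR. Either document that `E2E_USER_EMAIL` must be a repository variable, or have an earlier step or job check the secret (secrets are readable in a step-level `if`, not a job-level one) and expose a boolean output that this job gates on. The `Wait for server` loop is fine as written: `timeout 120` makes the step exit non-zero after two minutes, so a server that never comes up fails the job rather than hanging it.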
| - name: Run Error Boundaries E2E |
| env: | ||
| E2E_BASE_URL: http://localhost:8080 | ||
| PLAYWRIGHT_JSON_OUTPUT_NAME: playwright-report/results-error-boundaries.json | ||
| continue-on-error: true |
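Review bot: `continue-on-error: true` on `Run Error Boundaries E2E` turns every spec failure into a green job unless a later step reads `steps.<id>.outcome` and fails explicitly, and nothing visible here does that, so the 404/XSS/information-leak checks cannot block a merge. If the intent is only to keep the report upload running after a failure, give this step an `id`, put `if: always()` on the upload step, and drop `continue-on-error`; alternatively keep it and add a final step `if: steps.<id>.outcome == 'failure'` that runs `exit 1`.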
| const hasHorizontalScroll = await page.evaluate(() => { | ||
| return document.documentElement.scrollWidth > document.documentElement.clientWidth; | ||
| }); | ||
| // Toleramos overflow mínimo (1px) por borda/padding | ||
| const scrollWidth = await page.evaluate(() => document.documentElement.scrollWidth); | ||
| const clientWidth = await page.evaluate(() => document.documentElement.clientWidth); |
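Review bot: layout is read through three separate `page.evaluate` calls (`hasHorizontalScroll`, then `scrollWidth`, then `clientWidth`), and the boolean appears superseded by the two widths read afterwards; a late image or web-font load between calls can change `scrollWidth`, so the boolean and the later 1 px tolerance check can disagree. Take one snapshot, `page.evaluate(() => ({ scrollWidth: document.documentElement.scrollWidth, clientWidth: document.documentElement.clientWidth }))`, derive the tolerance from that, and wait for the main content selector (or `networkidle`) before measuring so the check runs after layout settles.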
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 7295682ee7
| env: | ||
| E2E_BASE_URL: http://localhost:8080 | ||
| PLAYWRIGHT_JSON_OUTPUT_NAME: playwright-report/results-error-boundaries.json | ||
| continue-on-error: true |
Fail job when Playwright flow tests fail
This step is marked continue-on-error: true, and this workflow has no later gate that checks steps.*.outcome to convert failures back into a job failure; the only following step uploads artifacts. As a result, broken E2E specs are reported but the job still succeeds, so required checks will not block merges even when these tests fail.
| timeout-minutes: 30 | ||
| if: > | ||
| github.event_name == 'push' || | ||
| (github.event_name == 'pull_request' && vars.E2E_USER_EMAIL != '') |
Gate authed PR job on configured secret source
The PR condition checks vars.E2E_USER_EMAIL, but this workflow sources credentials from secrets.E2E_USER_EMAIL/E2E_USER_PASSWORD into env. If only secrets are configured (the documented setup), e2e-full-flows is skipped on pull requests even though credentials exist, so the authenticated flow suite does not run in PR validation.
| "sha256=abc", // hash curto | ||
| "invalid-format", // sem prefixo | ||
| "sha256=" + "0".repeat(64), // todos zeros | ||
| "\x00" * 100, // bytes nulos |
Keep adversarial HMAC value as string
Using "\x00" * 100 coerces the value to the number 0 instead of a null-byte string. In live mode this value is later used as sig.slice(...), which throws TypeError for a number and causes a deterministic fuzz-test failure whenever that case is reached, breaking the edge-fuzz-live path.
| needs: edge-integration | ||
| if: > | ||
| vars.SUPABASE_URL != '' && | ||
| secrets.SUPABASE_SERVICE_ROLE_KEY != '' |
Avoid secrets context in job-level if guard
This job gate checks secrets.SUPABASE_SERVICE_ROLE_KEY directly inside if, but GitHub Actions does not support using secrets in conditionals this way; the condition is not a reliable secret-presence check. In practice this can cause edge-fuzz-live to be skipped even when the secret is configured, so the live fuzz suite never runs.
Summary
Edge Function Integration Tests (12 new)
- ai-recommendations
- categories-api
- get-visitor-info
- image-proxy
- magic-up-score
- manage-users
- product-webhook
- rate-limit-check
- semantic-search
- send-transactional-email
- step-up-verify
- trends-insights
E2E Flows (5 new specs)
- 25-quote-full-flow.spec.ts: creation → kanban → templates (no crash)
- 26-catalog-to-kit-flow.spec.ts: catalog → detail → kit builder
- 27-admin-critical-routes.spec.ts: 10 admin routes with RBAC and content
- 28-error-boundaries.spec.ts: 404 without stack trace, XSS in query param, sensitive info
- 29-mobile-critical-routes.spec.ts: 390px viewport, horizontal overflow, 44px touch targets
Fuzz Testing (scripts/fuzz-edge-uploads.mjs)
104 scenarios distributed across 5 suites:
CI Workflows
.github/workflows/edge-integration-all.yml
- edge-integration: runs all 20 integration files + coverage
- edge-fuzz-dry-run: validates the structure of the 104 fuzz scenarios
- edge-fuzz-live: runs against real Supabase when credentials are available
.github/workflows/e2e-flows.yml
- e2e-error-boundaries: no auth, validates crash/XSS/info leak
- e2e-full-flows: auth required, complete quote/kit/admin flows
- e2e-mobile: iPhone 13 viewport, @mobile specs
Test plan
- vitest run tests/edge-functions/integration/ → 332/332 passing (20 files)
- node scripts/fuzz-edge-uploads.mjs → 104/104 dry-run scenarios OK
- node scripts/fuzz-testing.mjs → 252 payloads generated and validated
- SUPABASE_SERVICE_ROLE_KEY in the CI environment
Generated by Claude Code
Summary by cubic
Adds full test coverage for edge functions and critical user flows, expands fuzzing, and introduces CI gates that block merges on failures.
New Features
- scripts/fuzz-edge-uploads.mjs with 104 adversarial cases across uploads, webhooks, numeric extremes, Unicode, and headers.
- edge-integration-all.yml and e2e-flows.yml to run integration/E2E suites, coverage, and fuzz (dry-run/live) and block merges on failure; new npm scripts to run these locally.
Migration
- E2E_USER_EMAIL and E2E_USER_PASSWORD for E2E jobs.
- SUPABASE_SERVICE_ROLE_KEY to enable fuzz live runs.
- VITE_SUPABASE_URL and VITE_SUPABASE_PUBLISHABLE_KEY have defaults; override via Secrets if needed.
Written for commit 7295682.
Summary by CodeRabbit
Release Notes
Tests
Chores