mirror of
https://github.com/koala73/worldmonitor.git
synced 2026-05-13 10:36:21 +02:00
fe67111dc9
* feat: harness engineering P0 - linting, testing, architecture docs
Add foundational infrastructure for agent-first development:
- AGENTS.md: agent entry point with progressive disclosure to deeper docs
- ARCHITECTURE.md: 12-section system reference with source-file refs and ownership rule
- Biome 2.4.7 linter with project-tuned rules, CI workflow (lint-code.yml)
- Architectural boundary lint enforcing forward-only dependency direction (lint-boundaries.mjs)
- Unit test CI workflow (test.yml), all 1083 tests passing
- Fixed 9 pre-existing test failures (bootstrap sync, deploy-config headers, globe parity, redis mocks, geometry URL, import.meta.env null safety)
- Fixed 12 architectural boundary violations (types moved to proper layers)
- Added 3 missing cache tier entries in gateway.ts
- Synced cache-keys.ts with bootstrap.js
- Renamed docs/architecture.mdx to "Design Philosophy" with cross-references
- Deprecated legacy docs/Docs_To_Review/ARCHITECTURE.md
- Harness engineering roadmap tracking doc
* fix: address PR review feedback on harness-engineering-p0
- countries-geojson.test.mjs: skip gracefully when CDN unreachable
instead of failing CI on network issues
- country-geometry-overrides.test.mts: relax timing assertion
(250ms -> 2000ms) for constrained CI environments
- lint-boundaries.mjs: implement the documented api/ boundary check
(was documented but missing, causing false green)
* fix(lint): scan api/ .ts files in boundary check
The api/ boundary check only scanned .js/.mjs files, missing the 25
sebuf RPC .ts edge functions. Now scans .ts files with correct rules:
- Legacy .js: fully self-contained (no server/ or src/ imports)
- RPC .ts: may import server/ and src/generated/ (bundled at deploy),
but blocks imports from src/ application code
* fix(lint): detect import() type expressions in boundary lint
- Move AppContext back to app/app-context.ts (aggregate type that
references components/services/utils belongs at the top, not types/)
- Move HappyContentCategory and TechHQ to types/ (simple enums/interfaces)
- Boundary lint now catches import('@/layer') expressions, not just
from '@/layer' imports
- correlation-engine imports of AppContext marked boundary-ignore
(type-only imports of top-level aggregate)
273 lines
10 KiB
JavaScript
273 lines
10 KiB
JavaScript
import { strict as assert } from 'node:assert';
|
|
import { describe, it, beforeEach, afterEach, mock } from 'node:test';
|
|
|
|
const originalFetch = globalThis.fetch;
|
|
const originalEnv = { ...process.env };
|
|
|
|
function makeRequest(body, opts = {}) {
|
|
return new Request('https://worldmonitor.app/api/contact', {
|
|
method: opts.method || 'POST',
|
|
headers: {
|
|
'Content-Type': 'application/json',
|
|
'origin': 'https://worldmonitor.app',
|
|
...(opts.headers || {}),
|
|
},
|
|
body: body ? JSON.stringify(body) : undefined,
|
|
});
|
|
}
|
|
|
|
function validBody(overrides = {}) {
|
|
return {
|
|
name: 'Test User',
|
|
email: 'test@example.com',
|
|
organization: 'TestCorp',
|
|
phone: '+1 555 123 4567',
|
|
message: 'Hello',
|
|
source: 'enterprise-contact',
|
|
turnstileToken: 'valid-token',
|
|
...overrides,
|
|
};
|
|
}
|
|
|
|
let handler;
|
|
|
|
describe('api/contact', () => {
|
|
beforeEach(async () => {
|
|
process.env.CONVEX_URL = 'https://fake-convex.cloud';
|
|
process.env.TURNSTILE_SECRET_KEY = 'test-secret';
|
|
process.env.RESEND_API_KEY = 'test-resend-key';
|
|
process.env.VERCEL_ENV = 'production';
|
|
|
|
// Re-import to get fresh module state (rate limiter)
|
|
const mod = await import(`../api/contact.js?t=${Date.now()}`);
|
|
handler = mod.default;
|
|
});
|
|
|
|
afterEach(() => {
|
|
globalThis.fetch = originalFetch;
|
|
Object.keys(process.env).forEach(k => {
|
|
if (!(k in originalEnv)) delete process.env[k];
|
|
});
|
|
Object.assign(process.env, originalEnv);
|
|
});
|
|
|
|
describe('validation', () => {
|
|
it('rejects GET requests', async () => {
|
|
const res = await handler(new Request('https://worldmonitor.app/api/contact', {
|
|
method: 'GET',
|
|
headers: { origin: 'https://worldmonitor.app' },
|
|
}));
|
|
assert.equal(res.status, 405);
|
|
});
|
|
|
|
it('rejects missing email', async () => {
|
|
globalThis.fetch = async (url) => {
|
|
if (url.includes('turnstile')) return new Response(JSON.stringify({ success: true }));
|
|
return new Response('{}');
|
|
};
|
|
const res = await handler(makeRequest(validBody({ email: '' })));
|
|
assert.equal(res.status, 400);
|
|
const data = await res.json();
|
|
assert.match(data.error, /email/i);
|
|
});
|
|
|
|
it('rejects invalid email format', async () => {
|
|
globalThis.fetch = async (url) => {
|
|
if (url.includes('turnstile')) return new Response(JSON.stringify({ success: true }));
|
|
return new Response('{}');
|
|
};
|
|
const res = await handler(makeRequest(validBody({ email: 'not-an-email' })));
|
|
assert.equal(res.status, 400);
|
|
});
|
|
|
|
it('rejects missing name', async () => {
|
|
globalThis.fetch = async (url) => {
|
|
if (url.includes('turnstile')) return new Response(JSON.stringify({ success: true }));
|
|
return new Response('{}');
|
|
};
|
|
const res = await handler(makeRequest(validBody({ name: '' })));
|
|
assert.equal(res.status, 400);
|
|
const data = await res.json();
|
|
assert.match(data.error, /name/i);
|
|
});
|
|
|
|
it('rejects free email domains with 422', async () => {
|
|
globalThis.fetch = async (url) => {
|
|
if (url.includes('turnstile')) return new Response(JSON.stringify({ success: true }));
|
|
return new Response('{}');
|
|
};
|
|
const res = await handler(makeRequest(validBody({ email: 'test@gmail.com' })));
|
|
assert.equal(res.status, 422);
|
|
const data = await res.json();
|
|
assert.match(data.error, /work email/i);
|
|
});
|
|
|
|
it('rejects missing organization', async () => {
|
|
globalThis.fetch = async (url) => {
|
|
if (url.includes('turnstile')) return new Response(JSON.stringify({ success: true }));
|
|
return new Response('{}');
|
|
};
|
|
const res = await handler(makeRequest(validBody({ organization: '' })));
|
|
assert.equal(res.status, 400);
|
|
const data = await res.json();
|
|
assert.match(data.error, /company/i);
|
|
});
|
|
|
|
it('rejects missing phone', async () => {
|
|
globalThis.fetch = async (url) => {
|
|
if (url.includes('turnstile')) return new Response(JSON.stringify({ success: true }));
|
|
return new Response('{}');
|
|
};
|
|
const res = await handler(makeRequest(validBody({ phone: '' })));
|
|
assert.equal(res.status, 400);
|
|
const data = await res.json();
|
|
assert.match(data.error, /phone/i);
|
|
});
|
|
|
|
it('rejects invalid phone format', async () => {
|
|
globalThis.fetch = async (url) => {
|
|
if (url.includes('turnstile')) return new Response(JSON.stringify({ success: true }));
|
|
return new Response('{}');
|
|
};
|
|
const res = await handler(makeRequest(validBody({ phone: '(((((' })));
|
|
assert.equal(res.status, 400);
|
|
});
|
|
|
|
it('rejects disallowed origins', async () => {
|
|
const req = new Request('https://worldmonitor.app/api/contact', {
|
|
method: 'POST',
|
|
headers: { 'Content-Type': 'application/json', origin: 'https://evil.com' },
|
|
body: JSON.stringify(validBody()),
|
|
});
|
|
const res = await handler(req);
|
|
assert.equal(res.status, 403);
|
|
});
|
|
|
|
it('silently accepts honeypot submissions', async () => {
|
|
const res = await handler(makeRequest(validBody({ website: 'http://spam.com' })));
|
|
assert.equal(res.status, 200);
|
|
const data = await res.json();
|
|
assert.equal(data.status, 'sent');
|
|
});
|
|
});
|
|
|
|
describe('Turnstile handling', () => {
|
|
it('rejects when Turnstile verification fails', async () => {
|
|
globalThis.fetch = async (url) => {
|
|
if (url.includes('turnstile')) {
|
|
return new Response(JSON.stringify({ success: false }));
|
|
}
|
|
return new Response('{}');
|
|
};
|
|
const res = await handler(makeRequest(validBody()));
|
|
assert.equal(res.status, 403);
|
|
const data = await res.json();
|
|
assert.match(data.error, /bot/i);
|
|
});
|
|
|
|
it('rejects in production when TURNSTILE_SECRET_KEY is unset', async () => {
|
|
delete process.env.TURNSTILE_SECRET_KEY;
|
|
process.env.VERCEL_ENV = 'production';
|
|
globalThis.fetch = async () => new Response('{}');
|
|
const res = await handler(makeRequest(validBody()));
|
|
assert.equal(res.status, 403);
|
|
});
|
|
|
|
it('allows in development when TURNSTILE_SECRET_KEY is unset', async () => {
|
|
delete process.env.TURNSTILE_SECRET_KEY;
|
|
process.env.VERCEL_ENV = 'development';
|
|
let convexCalled = false;
|
|
globalThis.fetch = async (url, _opts) => {
|
|
if (url.includes('fake-convex')) {
|
|
convexCalled = true;
|
|
return new Response(JSON.stringify({ status: 'success', value: { status: 'sent' } }));
|
|
}
|
|
if (url.includes('resend')) return new Response(JSON.stringify({ id: '1' }));
|
|
return new Response('{}');
|
|
};
|
|
const res = await handler(makeRequest(validBody()));
|
|
assert.equal(res.status, 200);
|
|
});
|
|
});
|
|
|
|
describe('notification failures', () => {
|
|
it('returns emailSent: false when RESEND_API_KEY is missing', async () => {
|
|
delete process.env.RESEND_API_KEY;
|
|
globalThis.fetch = async (url) => {
|
|
if (url.includes('turnstile')) return new Response(JSON.stringify({ success: true }));
|
|
if (url.includes('fake-convex')) return new Response(JSON.stringify({ status: 'success', value: { status: 'sent' } }));
|
|
return new Response('{}');
|
|
};
|
|
const res = await handler(makeRequest(validBody()));
|
|
assert.equal(res.status, 200);
|
|
const data = await res.json();
|
|
assert.equal(data.status, 'sent');
|
|
assert.equal(data.emailSent, false);
|
|
});
|
|
|
|
it('returns emailSent: false when Resend API returns error', async () => {
|
|
globalThis.fetch = async (url) => {
|
|
if (url.includes('turnstile')) return new Response(JSON.stringify({ success: true }));
|
|
if (url.includes('fake-convex')) return new Response(JSON.stringify({ status: 'success', value: { status: 'sent' } }));
|
|
if (url.includes('resend')) return new Response('Rate limited', { status: 429 });
|
|
return new Response('{}');
|
|
};
|
|
const res = await handler(makeRequest(validBody()));
|
|
assert.equal(res.status, 200);
|
|
const data = await res.json();
|
|
assert.equal(data.status, 'sent');
|
|
assert.equal(data.emailSent, false);
|
|
});
|
|
|
|
it('returns emailSent: true on successful notification', async () => {
|
|
globalThis.fetch = async (url) => {
|
|
if (url.includes('turnstile')) return new Response(JSON.stringify({ success: true }));
|
|
if (url.includes('fake-convex')) return new Response(JSON.stringify({ status: 'success', value: { status: 'sent' } }));
|
|
if (url.includes('resend')) return new Response(JSON.stringify({ id: 'msg_123' }));
|
|
return new Response('{}');
|
|
};
|
|
const res = await handler(makeRequest(validBody()));
|
|
assert.equal(res.status, 200);
|
|
const data = await res.json();
|
|
assert.equal(data.status, 'sent');
|
|
assert.equal(data.emailSent, true);
|
|
});
|
|
|
|
it('still succeeds (stores in Convex) even when email fails', async () => {
|
|
globalThis.fetch = async (url) => {
|
|
if (url.includes('turnstile')) return new Response(JSON.stringify({ success: true }));
|
|
if (url.includes('fake-convex')) return new Response(JSON.stringify({ status: 'success', value: { status: 'sent' } }));
|
|
if (url.includes('resend')) throw new Error('Network failure');
|
|
return new Response('{}');
|
|
};
|
|
const res = await handler(makeRequest(validBody()));
|
|
assert.equal(res.status, 200);
|
|
const data = await res.json();
|
|
assert.equal(data.status, 'sent');
|
|
assert.equal(data.emailSent, false);
|
|
});
|
|
});
|
|
|
|
describe('Convex storage', () => {
|
|
it('returns 503 when CONVEX_URL is missing', async () => {
|
|
delete process.env.CONVEX_URL;
|
|
globalThis.fetch = async (url) => {
|
|
if (url.includes('turnstile')) return new Response(JSON.stringify({ success: true }));
|
|
return new Response('{}');
|
|
};
|
|
const res = await handler(makeRequest(validBody()));
|
|
assert.equal(res.status, 503);
|
|
});
|
|
|
|
it('returns 500 when Convex mutation fails', async () => {
|
|
globalThis.fetch = async (url) => {
|
|
if (url.includes('turnstile')) return new Response(JSON.stringify({ success: true }));
|
|
if (url.includes('fake-convex')) return new Response('Internal error', { status: 500 });
|
|
return new Response('{}');
|
|
};
|
|
const res = await handler(makeRequest(validBody()));
|
|
assert.equal(res.status, 500);
|
|
});
|
|
});
|
|
});
|