diff --git a/backend/tests/test_audit.py b/backend/tests/test_audit.py new file mode 100644 index 0000000..c532be0 --- /dev/null +++ b/backend/tests/test_audit.py @@ -0,0 +1,43 @@ +""" +Audit log API tests — Wave 0 xfail stubs for Phase 4. + +All tests in this file are xfail stubs. They will be implemented in Plan 04-07. +The stubs ensure pytest collects them and keeps CI green before implementation +code exists. + +Requirement: ADMIN-06 — admin audit log viewer, no doc content, export CSV. +""" +from __future__ import annotations + +import os + +import pytest + + +# --------------------------------------------------------------------------- +# ADMIN-06: Audit log viewer +# --------------------------------------------------------------------------- + + +@pytest.mark.xfail(strict=False) +async def test_audit_log_viewer(async_client, admin_user): + """GET /api/admin/audit-log returns paginated entries.""" + pytest.xfail("not implemented yet") + + +@pytest.mark.xfail(strict=False) +async def test_audit_log_no_doc_content(async_client, admin_user): + """Audit log entries contain no 'filename' or 'extracted_text' keys in metadata.""" + pytest.xfail("not implemented yet") + + +@pytest.mark.xfail(strict=False) +async def test_audit_log_regular_user_403(async_client, auth_user): + """GET /api/admin/audit-log with regular user token returns 403.""" + pytest.xfail("not implemented yet") + + +@pytest.mark.xfail(strict=False) +async def test_audit_log_export_csv(async_client, admin_user): + """GET /api/admin/audit-log/export?format=csv returns CSV content-type.""" + pytest.xfail("not implemented yet") diff --git a/backend/tests/test_documents.py b/backend/tests/test_documents.py index 0a29e0b..7a44cf7 100644 --- a/backend/tests/test_documents.py +++ b/backend/tests/test_documents.py @@ -336,3 +336,32 @@ async def test_documents_require_auth(async_client): """ resp = await async_client.get("/api/documents") assert resp.status_code in (401, 403), f"Expected 401 or 403, got {resp.status_code}" + + +# --------------------------------------------------------------------------- +# Wave 0 xfail stubs for Phase 4 DOC-02 proxy / content-stream tests +# --------------------------------------------------------------------------- + + +@pytest.mark.xfail(strict=False) +async def test_content_stream_200(async_client, auth_user): + """GET /api/documents/{id}/content returns 200 with correct Content-Type and Content-Disposition: inline.""" + pytest.xfail("not implemented yet") + + +@pytest.mark.xfail(strict=False) +async def test_content_stream_206_range(async_client, auth_user): + """GET /api/documents/{id}/content with Range header returns 206 and Content-Range header.""" + pytest.xfail("not implemented yet") + + +@pytest.mark.xfail(strict=False) +async def test_content_stream_admin_403(async_client, admin_user): + """GET /api/documents/{id}/content with admin JWT returns 403.""" + pytest.xfail("not implemented yet") + + +@pytest.mark.xfail(strict=False) +async def test_content_stream_no_presigned_url(async_client, auth_user): + """GET /api/documents/{id}/content response body does not contain any presigned URL token.""" + pytest.xfail("not implemented yet") diff --git a/backend/tests/test_security.py b/backend/tests/test_security.py new file mode 100644 index 0000000..eba552c --- /dev/null +++ b/backend/tests/test_security.py @@ -0,0 +1,36 @@ +""" +Security invariant tests — Wave 0 xfail stubs for Phase 4. + +All tests in this file are xfail stubs. They will be implemented in Plans +04-06 and 04-08 (security hardening). The stubs ensure pytest collects them +and keeps CI green before implementation code exists. + +Requirements: SEC-08 (credentials_enc exclusion), SEC-09 (delete-user-cleans-files). +""" +from __future__ import annotations + +import os + +import pytest + + +# --------------------------------------------------------------------------- +# SEC-08: credentials_enc never in API response +# --------------------------------------------------------------------------- + + +@pytest.mark.xfail(strict=False) +async def test_credentials_enc_not_in_response(async_client, auth_user): + """No API response for current user includes credentials_enc field.""" + pytest.xfail("not implemented yet") + + +# --------------------------------------------------------------------------- +# SEC-09: Delete user cleans up MinIO objects +# --------------------------------------------------------------------------- + + +@pytest.mark.xfail(strict=False) +async def test_delete_user_cleans_files(async_client, admin_user): + """Admin DELETE /api/admin/users/{id} triggers MinIO object deletion before DB removal.""" + pytest.xfail("not implemented yet")