test: full test suite (Vitest + pgTAP + Playwright) + TDD plan restructure

Add a 4-layer test stack covering RLS, triggers, and UI flows for Fases 0–2a,
then restructure every plan file so future fases start with tests and end with
a verification gate.

Test suite
- packages/test-utils: Vitest integration tests signing HS256 JWTs via jose so
  each test acts as a specific seed user (createClientAs + createAdminClient)
- supabase/tests: pgTAP for accept_invitation(), item_frequency trigger, and
  promote-on-admin-leave; each file self-installs pgtap extension
- apps/web/tests: Playwright E2E with live Keycloak login per test (storageState
  caching doesn't rehydrate Supabase's session state reliably)
- just test-all chains the three suites; test-db forwards POSTGRES_PASSWORD
  as PGPASSWORD with ON_ERROR_STOP=1 so failures abort the chain

Supabase auth gotcha
- PostgREST queries inside onAuthStateChange deadlock on GoTrue's navigator.locks
  auth lock (getAccessToken → getSession → initializePromise waits on the same
  lock that's held during event dispatch). Fix is two defenses: a pass-through
  lock in $lib/supabase, and a setTimeout(0) defer in root +layout.svelte to
  push loadUserCollectives out of the callback's microtask chain. Either alone
  is insufficient; both together unblock the Playwright suite.

Env key rotation
- apps/web/.env.development had a stale demo anon key signed with a different
  secret than root .env; Vite inlined that into the browser bundle so Kong (which
  uses the root .env value) rejected every request with 401. Aligned the two
  files and added a memory entry to flag this for the next rotation.

Plan restructure (TDD)
- Every fase now opens with X.0 Tests primero and closes with X.Z Verificación
  final. Completed fases (0, 1, 2a) show the pattern retroactively with the
  tests that currently cover them; pending fases (2b, 3, 4) list the tests to
  write before implementation.

Docs
- CLAUDE.md status line reports 54 + 12 + 15 = 81 green tests, adds gotchas
  #11 (auth-lock deadlock) and #12 (no storageState caching)
- README.md adds a TDD methodology section and the test-all command
- .gitignore excludes Playwright's generated reports and auth state

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-04-13 01:40:16 +02:00
parent 3af1276c15
commit f396897cb5
39 changed files with 2889 additions and 97 deletions

View File

@@ -0,0 +1,31 @@
import pg from 'pg';
const { Pool } = pg;
let pool: InstanceType<typeof Pool> | null = null;
function getPool(): InstanceType<typeof Pool> {
if (!pool) {
pool = new Pool({
host: 'localhost',
port: 5432,
user: 'postgres',
password: process.env.POSTGRES_PASSWORD || 'postgres',
database: 'postgres'
});
}
return pool;
}
/** Execute raw SQL directly against the dev database (bypasses RLS). */
export async function sql(query: string, params: unknown[] = []): Promise<pg.QueryResult> {
return getPool().query(query, params);
}
/** Close the connection pool (call in afterAll if using db-helpers). */
export async function closePool(): Promise<void> {
if (pool) {
await pool.end();
pool = null;
}
}

View File

@@ -0,0 +1,3 @@
export * from './seed-constants.js';
export * from './supabase-clients.js';
export * from './db-helpers.js';

View File

@@ -0,0 +1,10 @@
// Fixed UUIDs matching supabase/seed.sql and keycloak/realm-export.json
export const ANA_ID = '11111111-1111-1111-1111-111111111111'; // admin
export const BORJA_ID = '22222222-2222-2222-2222-222222222222'; // member
export const CARMEN_ID = '33333333-3333-3333-3333-333333333333'; // member
export const DAVID_ID = '44444444-4444-4444-4444-444444444444'; // guest
export const EVA_ID = '55555555-5555-5555-5555-555555555555'; // no collective
export const COLLECTIVE_ID = 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa';
export const SEED_LIST_ID = 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb'; // "Weekly shop"

View File

@@ -0,0 +1,52 @@
import { createClient } from '@supabase/supabase-js';
import { SignJWT } from 'jose';
import type { Database } from '@colectivo/types';
function requiredEnv(key: string): string {
const value = process.env[key];
if (!value) throw new Error(`Missing required env var: ${key}`);
return value;
}
/**
* Sign a GoTrue-compatible JWT for a seed user using the shared SUPABASE_JWT_SECRET.
* This lets integration tests act as any seed user without going through Keycloak.
*/
async function signToken(userId: string): Promise<string> {
const secret = new TextEncoder().encode(requiredEnv('SUPABASE_JWT_SECRET'));
return new SignJWT({ role: 'authenticated' })
.setProtectedHeader({ alg: 'HS256' })
.setSubject(userId)
.setAudience('authenticated')
.setIssuedAt()
.setExpirationTime('1h')
.sign(secret);
}
/**
* Create a Supabase client that authenticates as the given seed user.
* RLS policies see auth.uid() = userId.
*/
export async function createClientAs(userId: string) {
const token = await signToken(userId);
return createClient<Database>(
requiredEnv('PUBLIC_SUPABASE_URL'),
requiredEnv('PUBLIC_SUPABASE_ANON_KEY'),
{
global: { headers: { Authorization: `Bearer ${token}` } },
auth: { persistSession: false, autoRefreshToken: false }
}
);
}
/**
* Create a service-role client that bypasses RLS entirely.
* Use only for test setup and cleanup — never in assertions.
*/
export function createAdminClient() {
return createClient<Database>(
requiredEnv('PUBLIC_SUPABASE_URL'),
requiredEnv('SUPABASE_SERVICE_ROLE_KEY'),
{ auth: { persistSession: false, autoRefreshToken: false } }
);
}