Test Coverage

Verified snapshot: 634 Vitest cases (634 passed, 0 skipped) and 93 Playwright executions (31 specs x 3 browsers). Playwright static skip directives remain blocked in apps/terra/tests.
# Run everything
pnpm --dir apps/terra test

# List Playwright inventory
pnpm --dir apps/terra exec playwright test --list

Summary

| Area | Current state | Notes |
| --- | --- | --- |
| Unit + Integration (Vitest) | 634 passing, 0 skipped | Duplicate-form and notification trend suites are now active and stable |
| E2E policy | Enforced | check-terra-skipped-tests.mjs blocks test.skip/describe.skip/it.skip in Terra Playwright specs |
| E2E inventory | 31 specs x 3 browsers | 93 total listed runs in current Playwright config |
| CI hard gates | Enabled | CI enforces no-skipped Playwright specs and runs Chromium status smoke tests |

Auth & Permissions (71 cases)

src/lib/__tests__/auth-guards.test.ts
pnpm --dir apps/terra test -- -t "Auth Guards"
Covers requireAdmin, requireSuperAdmin, requireFormAccess, requireFormViewAccess and their result-based variants (checkAdmin, checkFormAccess), plus withAdminAuth / withFormAuth wrapper decorators. Proves missing sessions, wrong roles, and nonexistent forms are all caught.
src/app/actions/__tests__/team-permissions.test.ts
pnpm --dir apps/terra test -- -t "Team Permissions"
Covers canEditForm, canViewForm, canManageTeam. Proves the critical invariant: global viewer overrides form owner. Also covers migration backwards compatibility and global editor override.
src/app/actions/__tests__/permissions.test.ts
pnpm --dir apps/terra test -- -t "Permission System"
Broader RBAC coverage: isSuperAdmin, getUserFormRole, cross-form access denial, privilege escalation prevention, last-owner protection, scope enforcement.
src/app/actions/__tests__/submission-management.test.ts
pnpm --dir apps/terra test -- -t "submission-management"
Scoped users with no forms see nothing. Viewers cannot bulk-modify. Editors can.
src/app/actions/__tests__/system-auth.test.ts
pnpm --dir apps/terra test -- -t "system action authorization"
Non-admins blocked from user list, admin invites, and role changes.

Data Protection (61 cases)

src/lib/__tests__/encryption.test.ts
pnpm --dir apps/terra test -- -t "Encryption Module"
Round-trip encryption, random IV, special chars, unicode, bank data, Plaid data, submission-level PII, confirmation field stripping, masking, error handling on malformed ciphertext.
src/lib/__tests__/audit.test.ts
pnpm --dir apps/terra test -- -t "Audit Module"
IP anonymization, session handling, change tracking, failure recording, all action types (form CRUD, publish, team, status, sync), entity and user activity queries.

Input Validation (123 cases)

src/lib/__tests__/security.test.ts
pnpm --dir apps/terra test -- -t "Path Traversal"
pnpm --dir apps/terra test -- -t "Open Redirect"
pnpm --dir apps/terra test -- -t "File Upload Security"
Path traversal (10+ vectors), filename cleaning, safe storage paths, open redirect prevention, external URL validation, same-origin enforcement, file type/MIME/size validation, embedded script detection, TOCTOU prevention, full upload flow integration.
src/app/actions/__tests__/files-security.test.ts
pnpm --dir apps/terra test -- -t "File Security"
Delete/URL authorization, cross-form access blocked, path traversal on operations, null bytes, empty paths, super_admin bypass.
src/app/actions/__tests__/import-security.test.ts
pnpm --dir apps/terra test -- -t "Import Security"
User impersonation prevention, session-only user ID, job isolation, image count limit, PDF size/type validation.
src/lib/__tests__/rate-limit.test.ts
pnpm --dir apps/terra test -- -t "Rate Limiting"
Limit values, fail-open/closed behavior, IP extraction from proxy headers, enumeration prevention (status < submissions), header formatting.

Integrations (66 cases)

src/app/actions/__tests__/webhooks.test.ts + src/lib/__tests__/webhook-security.test.ts
pnpm --dir apps/terra test -- -t "Webhook"
pnpm --dir apps/terra test -- -t "webhook-security"
Auth on all operations, URL validation, secret generation/regeneration, HMAC consistency, unsigned blocked in prod, timestamp freshness, fire-and-forget failure handling.
src/app/actions/__tests__/airtable-status-sync.test.ts
pnpm --dir apps/terra test -- -t "Airtable Status Sync"
Connection/disabled/unmapped skip, status validation, no-delete safety, sync loop prevention, change source tracking.
src/lib/__tests__/async-queue.test.ts
pnpm --dir apps/terra test -- -t "Async Queue"
Enqueue/complete/fail/claim/retry/cancel, operation types, backoff formula, error handling, complex payloads.

Notifications (35 cases)

src/app/actions/__tests__/notifications.test.ts
pnpm --dir apps/terra test -- -t "Notification"
Event retrieval, filtering, pagination, stats math, error categorization, and 7-day/30-day trend calculations are all running with deterministic time-mocking.
src/app/actions/__tests__/notification-test.test.ts
Admin-only enforcement, missing config handling, provider status.
src/app/actions/__tests__/form-notification-settings.test.ts
Auth enforcement, get/save settings, insert vs update path, null handling.

Form Engine (95 cases)

src/components/engine/__tests__/form-renderer.test.tsx
pnpm --dir apps/terra test -- -t "FormRenderer"
Renders all fields, required indicators, read-only mode, field visibility, conditional rendering.
src/components/engine/renderer.test.tsx
pnpm --dir apps/terra test -- -t "Renderer"
Core form rendering engine: page navigation, field rendering, validation, submission flow.
src/lib/__tests__/field-key.test.ts
pnpm --dir apps/terra test -- -t "field key"
Human-readable key generation from labels, uniqueness, special character handling, collision avoidance.
src/components/engine/fields/__tests__/text-field.test.tsx
Text input rendering, validation, placeholder behavior, character limits, input masking.
src/components/engine/fields/__tests__/choice-field.test.tsx
Radio/checkbox/dropdown rendering, selection behavior, multi-select, “other” option handling.
src/components/engine/__tests__/form-submission-integration.test.tsx
End-to-end form fill and submit flow, validation errors, success confirmation.
src/app/actions/__tests__/duplicate-form.test.ts
Covers copy schema behavior, draft reset, unique slug generation, branding/language copy, and alert/domain stripping with stable Supabase mocks.

Form Import (50 cases)

src/lib/form-import/__tests__/html-extractor.test.ts
Extracts text/email inputs, select/dropdown fields, textareas. Skips hidden inputs and submit buttons.
src/lib/form-import/__tests__/element-validation.test.ts
Validates extracted form elements: required fields, types, labels, options, nested structures.
src/lib/form-import/__tests__/json-extraction.test.ts
Parses AI-generated JSON into form schema, handles malformed input, edge cases.
src/lib/form-import/__tests__/pdf-normalization.test.ts (6 cases)
src/lib/form-import/__tests__/pdf-preprocessor.test.ts (1 case)
PDF text extraction, normalization, layout detection.
src/lib/form-import/__tests__/image-import.test.ts (1 case)
src/lib/form-import/__tests__/import-metrics.test.ts (2 cases)
src/lib/form-import/__tests__/import-review.test.ts (2 cases)
Image-to-form conversion, import quality metrics, review workflow.

E2E Tests (31 specs, 93 browser executions)

Terra Playwright specs no longer rely on static test.skip/describe.skip. CI blocks new skipped directives and runs public status smoke checks in Chromium.
tests/status-lookup.spec.ts
Page loads, heading visible, search form present, empty submit blocked, uppercase input accepted, validation flows.
tests/submission.spec.ts
Validation errors on empty form and successful submit flow. CI fails fast when required fixtures are missing; local runs can opt into explicit fixture bypass for exploratory work.
tests/example.spec.ts
Playwright default example tests.