ZDDC/zddc/cmd/zddc-server at 8aebb0c346c782a86dfd3d95d02ac226a20b433e - VARASYS/ZDDC

History

ZDDC cff840e225 test: lock down elevation gate, .zddc write matrix, audit-log attribution Four targeted test suites that pin the invariants exercised by the preceding audit refactor. Closes the coverage gaps identified after the admin-decider consolidation and the .zddc write-path fix. internal/policy/principal_test.go (NEW) TestAllowActionFromChainP_TruthTable — 11 cases × 5 actions = 55 assertions covering every (elevated × admin-at-level × action) combination. Pins the IsActiveAdmin short-circuit: bypass requires BOTH (in admins) AND Elevated; elevation alone confers nothing; empty email never matches. TestAllowActionFromChainP_AdminScopeDepth — root admin reaches every path; subtree admin matches in their own subtree; subtree admin does NOT match in a sibling subtree (the chain doesn't carry sibling admins lists). TestAllowActionFromChainP_BypassWinsOverWorm — elevated admin escape hatch in WORM zones, plus the negative control that an un-elevated admin does NOT bypass WORM. internal/handler/auth_invariants_test.go (appended) TestInvariant_ZddcPutMatrix — 16 sub-cases across (root / project / subtree .zddc) × (root admin / subtree admin / non-admin / anonymous) × (elevated / un-elevated). Locks down which principal can PUT which .zddc. TestInvariant_ZddcDeleteMatrix — 5 DELETE cases. TestInvariant_UnelevatedAdminNoSilentBypass — 14 anti-bypass probes: every (admin-flavour × probe-path) tuple where an un-elevated admin must 403. Single bypass leak → loud test failure. cmd/zddc-server/main_test.go (appended) TestDispatchZddcWriteRouting — full dispatcher path coverage: GET/HEAD route to ServeZddcFile (YAML or virtual placeholder); PUT/DELETE route through the .zddc-leaf carve-out into ServeFileAPI; intermediate .zddc.d/ segments still 404 at the guard. internal/handler/middleware_test.go (appended) TestAccessLog_ChainAdminLevelAttribution — 7 cases pinning the forensic record: root admin → chain_admin_level=0, subtree admin in scope → chain_admin_level=N, subtree admin out of scope → -1, un-elevated admin → -1, non-admin → -1, anonymous → -1. Cross-checks active_admin == (chain_admin_level >= 0) so a future refactor can't desync them. 92 new sub-cases total. Coverage delta on the policy package: 76.1% → 87.2%; AllowActionFromChainP 0% → 100%; activeAdminForRequest 7% → 68%. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-18 16:29:43 -05:00
..
main.go	refactor(audit): pre-release cleanup pass	2026-05-18 16:28:07 -05:00
main_test.go	test: lock down elevation gate, .zddc write matrix, audit-log attribution	2026-05-18 16:29:43 -05:00

ZDDC cff840e225 test: lock down elevation gate, .zddc write matrix, audit-log attribution

Four targeted test suites that pin the invariants exercised by the
preceding audit refactor. Closes the coverage gaps identified after the
admin-decider consolidation and the .zddc write-path fix.

internal/policy/principal_test.go (NEW)
  TestAllowActionFromChainP_TruthTable — 11 cases × 5 actions = 55
    assertions covering every (elevated × admin-at-level × action)
    combination. Pins the IsActiveAdmin short-circuit: bypass requires
    BOTH (in admins) AND Elevated; elevation alone confers nothing;
    empty email never matches.
  TestAllowActionFromChainP_AdminScopeDepth — root admin reaches every
    path; subtree admin matches in their own subtree; subtree admin
    does NOT match in a sibling subtree (the chain doesn't carry
    sibling admins lists).
  TestAllowActionFromChainP_BypassWinsOverWorm — elevated admin
    escape hatch in WORM zones, plus the negative control that an
    un-elevated admin does NOT bypass WORM.

internal/handler/auth_invariants_test.go (appended)
  TestInvariant_ZddcPutMatrix — 16 sub-cases across (root / project /
    subtree .zddc) × (root admin / subtree admin / non-admin /
    anonymous) × (elevated / un-elevated). Locks down which principal
    can PUT which .zddc.
  TestInvariant_ZddcDeleteMatrix — 5 DELETE cases.
  TestInvariant_UnelevatedAdminNoSilentBypass — 14 anti-bypass probes:
    every (admin-flavour × probe-path) tuple where an un-elevated
    admin must 403. Single bypass leak → loud test failure.

cmd/zddc-server/main_test.go (appended)
  TestDispatchZddcWriteRouting — full dispatcher path coverage:
    GET/HEAD route to ServeZddcFile (YAML or virtual placeholder);
    PUT/DELETE route through the .zddc-leaf carve-out into
    ServeFileAPI; intermediate .zddc.d/ segments still 404 at the
    guard.

internal/handler/middleware_test.go (appended)
  TestAccessLog_ChainAdminLevelAttribution — 7 cases pinning the
    forensic record: root admin → chain_admin_level=0, subtree admin
    in scope → chain_admin_level=N, subtree admin out of scope → -1,
    un-elevated admin → -1, non-admin → -1, anonymous → -1.
    Cross-checks active_admin == (chain_admin_level >= 0) so a future
    refactor can't desync them.

92 new sub-cases total. Coverage delta on the policy package:
76.1% → 87.2%; AllowActionFromChainP 0% → 100%;
activeAdminForRequest 7% → 68%.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-18 16:29:43 -05:00

main.go

refactor(audit): pre-release cleanup pass

2026-05-18 16:28:07 -05:00

main_test.go

test: lock down elevation gate, .zddc write matrix, audit-log attribution

2026-05-18 16:29:43 -05:00