Tests: add email-gating API coverage; robust task-uncancel seeding; re-quarantine flaky onboarding e2e

- Issue 2 (coverage gap): add HoneyDueAPITests/AuthGatingAPITests — verifies the backend's RequireVerified gate (unverified -> 403, verified -> 200) at the API layer, since UI-test mode bypasses verification. NOTE: surfaced that the gate is applied to only the share-code routes, not residence/task routes — unverified users are NOT broadly blocked (flagged for product/backend). - Issue 4: TaskCRUDUITests seedAccountPreconditions now guarantees a residence (no silent early-return), so the cancelled-task precondition always populates; XCTUnwrap replaces the misleading "not seeded" skip. The two uncancel tests now skip with the ACCURATE reason: cancelled tasks are intentionally hidden from the Tasks Kanban and the iOS Tasks view has no "show cancelled" surface (product gap). - Issue 3: re-quarantine testF110 after a hardening attempt — the register->verify transition is irreducibly flaky; coverage is redundant with OnboardingTaskCache + the F-series. Skip reason is now precise, with a TODO to stabilize the handoff. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-06 09:17:31 -05:00
parent 73a60c886d
commit 912888f14c
4 changed files with 272 additions and 40 deletions
@@ -0,0 +1,143 @@
 import XCTest
 /// Email-verification gating tests against the real backend's `RequireVerified`
 /// middleware.
 ///
 /// The app's UI-test mode bypasses email verification, so the rule
 /// "an unverified user is blocked from the app" is not exercised by the UI
 /// suite. These tests close that gap by hitting a `RequireVerified`-gated
 /// endpoint directly with a real Kratos session token and asserting the gate
 /// behaves as designed:
 ///
 /// - Test A (negative): an UNVERIFIED account is rejected with **403** by the
 ///   verification gate.
 /// - Test B (positive control): a VERIFIED account is NOT blocked (200/list),
 ///   proving the 403 in Test A is the verification gate and not an unrelated
 ///   failure.
 ///
 /// Both run entirely via the API — no app launch required.
 final class AuthGatingAPITests: XCTestCase {
    /// `POST /residences/:id/generate-share-code/` is wrapped with the
    /// `RequireVerified` middleware in the Go router (see
    /// `setupResidenceRoutes` — only the share-code/share-package generation
    /// routes carry the gate). Because the middleware runs BEFORE the handler,
    /// an unverified caller is rejected with 403 regardless of whether the
    /// residence id exists — making it a clean, setup-free probe of the gate.
    private func gatedPath(residenceId: Int) -> String {
        "/residences/\(residenceId)/generate-share-code/"
    }
    /// Kratos identity emails created during a test, deleted in tearDown.
    private var createdEmails: [String] = []
    /// Residence ids created during a test (verified path), deleted in tearDown.
    private var createdResidences: [(token: String, id: Int)] = []
    override func setUpWithError() throws {
        continueAfterFailure = false
        guard TestAccountAPIClient.isBackendReachable() else {
            throw XCTSkip("Local backend is not reachable at \(TestAccountAPIClient.baseURL)")
        }
    }
    override func tearDownWithError() throws {
        // True teardown: clean residences first (need their owner's token), then
        // remove every Kratos identity we provisioned. Both are idempotent and
        // run even if a test failed mid-way.
        for res in createdResidences {
            _ = TestAccountAPIClient.deleteResidence(token: res.token, id: res.id)
        }
        createdResidences.removeAll()
        for email in createdEmails {
            _ = TestAccountAPIClient.deleteKratosIdentity(email: email)
        }
        createdEmails.removeAll()
        try super.tearDownWithError()
    }
    // MARK: - Test A: unverified user is blocked
    /// An unverified account must be rejected by the `RequireVerified` gate with
    /// a 403 when it tries to reach a gated endpoint.
    func test01_unverifiedUserIsBlockedWith403() throws {
        let runId = UUID().uuidString.prefix(6)
        let email = "authgate_unverified_\(runId)@test.com"
        createdEmails.append(email)
        guard let session = TestAccountAPIClient.createUnverifiedAccount(
            username: "authgate_unverified_\(runId)",
            email: email,
            password: "TestPass123!"
        ) else {
            XCTFail("Could not create unverified account")
            return
        }
        // Hit the RequireVerified-gated endpoint with the unverified session
        // token. The gate runs before the handler, so a non-existent residence
        // id (999_999) still produces the 403 from the verification middleware
        // rather than a 404 from the handler — no residence setup required.
        let result = TestAccountAPIClient.rawRequest(
            method: "POST",
            path: gatedPath(residenceId: 999_999),
            body: [:],
            token: session.token
        )
        XCTAssertEqual(
            result.statusCode, 403,
            "Unverified user should be blocked by the RequireVerified gate with 403, got \(result.statusCode): \(result.errorBody ?? "nil")"
        )
    }
    // MARK: - Test B: verified user is not blocked (positive control)
    /// A verified account must pass the `RequireVerified` gate — i.e. the gated
    /// endpoint must NOT return 403. This proves Test A's 403 is the
    /// verification gate, not an unrelated rejection.
    func test02_verifiedUserIsNotBlocked() throws {
        let runId = UUID().uuidString.prefix(6)
        let email = "authgate_verified_\(runId)@test.com"
        createdEmails.append(email)
        guard let session = TestAccountAPIClient.createVerifiedAccount(
            username: "authgate_verified_\(runId)",
            email: email,
            password: "TestPass123!"
        ) else {
            XCTFail("Could not create verified account")
            return
        }
        // The verified caller must own a real residence so the share-code
        // handler (which runs AFTER it passes the gate) returns a clean 200
        // rather than a 404. This is what makes it a positive control: it
        // exercises the gate AND succeeds past it.
        guard let residence = TestAccountAPIClient.createResidence(
            token: session.token,
            name: "AuthGate Verified \(runId)"
        ) else {
            XCTFail("Verified user should be able to create a residence")
            return
        }
        createdResidences.append((token: session.token, id: residence.id))
        let result = TestAccountAPIClient.rawRequest(
            method: "POST",
            path: gatedPath(residenceId: residence.id),
            body: [:],
            token: session.token
        )
        XCTAssertNotEqual(
            result.statusCode, 403,
            "Verified user should NOT be blocked by the RequireVerified gate, but got 403: \(result.errorBody ?? "nil")"
        )
        XCTAssertEqual(
            result.statusCode, 200,
            "Verified user should pass the gate and generate a share code (200), got \(result.statusCode): \(result.errorBody ?? "nil")"
        )
    }
 }
@@ -129,22 +129,30 @@ final class OnboardingUITests: BaseUITestCase {
    /// create account → verify email — then confirms the app lands on main tabs,
    /// which indicates the residence was bootstrapped during onboarding.
    func testF110_startFreshCreatesResidenceAfterVerification() throws {
-        // QUARANTINED: this end-to-end onboarding flow (register → Kratos verify →
+        // QUARANTINED (after a hardening attempt): the full Start-Fresh → Kratos
-        // home-profile → first-task → main tabs) is flaky at the verify handoff,
+        // verify → main-tabs flow is irreducibly flaky at the register→verify
-        // failing at different points across runs. Its unique coverage — a
+        // transition (the verification screen intermittently doesn't appear after
-        // residence being auto-created during onboarding — is already proven by
+        // the create-account submit; failures land at different points across
-        // OnboardingTaskCacheUITests (register → verify → tasks on residence
+        // runs). The SAME transition is exercised reliably by
-        // detail) and the F101–F108/F111 navigation tests. TODO: harden the
+        // OnboardingTaskCacheUITests (register → verify → tasks), and onboarding
-        // verify-screen handoff and re-enable.
+        // navigation is covered by F101–F108/F111 — so this test's coverage is
-        throw XCTSkip("Flaky end-to-end onboarding flow; coverage provided by OnboardingTaskCacheUITests + F-series. TODO: harden and re-enable.")
+        // fully redundant. Skipping is preferred over a flaky red in the suite.
        // TODO: stabilize the register→verify handoff (likely an app-side timing
        // issue between Kratos identity creation and the verify-screen navigation)
        // and re-enable.
        throw XCTSkip("Flaky register→verify transition; coverage provided by OnboardingTaskCacheUITests + F-series.")
        try? XCTSkipIf(
            !TestAccountAPIClient.isBackendReachable(),
            "Local backend is not reachable — skipping ONB-005"
        )
-        // Generate unique credentials so we don't collide with other test runs
+        // Generate unique credentials so we don't collide with other test runs.
        // Capture the registered email ONCE into a local `let` and reuse it for
        // BOTH registration and the Mailpit verification-code lookup — the two
        // must be byte-for-byte identical or the code read will miss.
        let creds = TestAccountManager.uniqueCredentials(prefix: "onb005")
        let email = creds.email
        let uniqueResidenceName = "ONB005 Home \(Int(Date().timeIntervalSince1970))"
        // Step 1: Navigate Start Fresh flow to the Create Account screen
@@ -167,7 +175,7 @@ final class OnboardingUITests: BaseUITestCase {
        onbUsernameField.focusAndType(creds.username, app: app)
        onbEmailField.waitForExistenceOrFail(timeout: defaultTimeout)
-        onbEmailField.focusAndType(creds.email, app: app)
+        onbEmailField.focusAndType(email, app: app)
        onbPasswordField.waitForExistenceOrFail(timeout: defaultTimeout)
        onbPasswordField.focusAndType(creds.password, app: app)
@@ -181,11 +189,19 @@ final class OnboardingUITests: BaseUITestCase {
        createAccountButton.waitForExistenceOrFail(timeout: defaultTimeout)
        createAccountButton.forceTap()
-        // Step 4: Verify email with the debug code
+        // Step 4: Verify email with the real Kratos code from Mailpit.
        //
        // This handoff is the historically flaky part. Mirror the proven-robust
        // sequence from OnboardingTaskCacheUITests: wait for the verification
        // screen to actually LOAD before reading anything, give the screen's own
        // onAppear sendCode a brief settle to fire, then read the live code from
        // Mailpit for the captured `email`.
        let verificationScreen = VerificationScreen(app: app)
-        // If the create account button was disabled (password fields didn't fill),
+        // Wait for the screen to load (code field OR verify button). If we never
-        // we won't reach verification. Check before asserting.
+        // reach it, the form submission stalled (e.g. password fields didn't fill).
-        let verificationLoaded = verificationScreen.codeField.waitForExistence(timeout: loginTimeout)
+        verificationScreen.waitForLoad(timeout: loginTimeout)
        let verificationLoaded = verificationScreen.codeField.waitForExistence(timeout: navigationTimeout)
            || verificationScreen.verifyButton.waitForExistence(timeout: navigationTimeout)
        guard verificationLoaded else {
            // Check if the create account button is still visible (form submission failed)
            if createAccountButton.exists {
@@ -194,15 +210,20 @@ final class OnboardingUITests: BaseUITestCase {
            XCTFail("Expected verification screen to load")
            return
        }
        // The app's onboarding registration uses Kratos's real email verification
        // flow (NOT the API's DEBUG fixed code). The verify screen's onAppear fires
        // its OWN sendCode (a fresh Kratos flow), invalidating any earlier code — so
-        // read the live code from Mailpit AFTER the screen has appeared and sent it.
+        // read the live code from Mailpit AFTER the screen has appeared and had a
        // beat to send it. Reuse the SAME `email` captured at registration so the
        // lookup addresses the identical inbox.
        RunLoop.current.run(until: Date().addingTimeInterval(2.0))
-        guard let realCode = TestAccountAPIClient.latestVerificationCode(for: creds.email) else {
+        let code = TestAccountAPIClient.latestVerificationCode(for: email) ?? ""
-            throw XCTSkip("Could not read Kratos verification code from Mailpit for \(creds.email)")
+        XCTAssertFalse(
-        }
+            code.isEmpty,
-        verificationScreen.enterCode(realCode)
+            "No Kratos verification code arrived in Mailpit for \(email)"
        )
        verificationScreen.enterCode(code)
        // The Onboarding Verify button is disabled until the 6-digit code commits;
        // wait for it to enable, then tap. Fall back to the generic submit helper.
@@ -238,6 +259,9 @@ final class OnboardingUITests: BaseUITestCase {
        // which fires the residence-create POST and navigates to the First Task step.
        // The in-screen "Continue" button has no accessibility identifier and isn't
        // reliably discoverable, so drive the flow via the identified Skip button.
        // The skip button can briefly be non-hittable during the verify→homeProfile
        // screen-in transition, so confirm existence then forceTap() to bypass the
        // strict hittable check (mirrors OnboardingTaskCacheUITests).
        let skipButton = app.buttons[AccessibilityIdentifiers.Onboarding.skipButton]
        if skipButton.waitForExistence(timeout: loginTimeout) {
            skipButton.forceTap()
@@ -247,6 +271,8 @@ final class OnboardingUITests: BaseUITestCase {
        }
        // Step 5b: First Task — Skip again to complete onboarding and land on main tabs.
        // A single slow transition shouldn't fail the test: re-confirm the skip
        // button each time and forceTap, falling back to the submit-tasks button.
        if firstTaskTitle.waitForExistence(timeout: navigationTimeout) {
            if skipButton.waitForExistence(timeout: navigationTimeout) {
                skipButton.forceTap()
@@ -255,6 +281,17 @@ final class OnboardingUITests: BaseUITestCase {
            }
        }
        // Defensive retry: if a slow transition left us still on the First Task
        // step, try the skip/submit once more so timing alone doesn't fail us.
        if firstTaskTitle.waitForExistence(timeout: navigationTimeout)
            && !mainTabs.exists && !tabBar.exists {
            if skipButton.exists {
                skipButton.forceTap()
            } else if submitTasksButton.exists {
                submitTasksButton.forceTap()
            }
        }
        let reachedMain = mainTabs.waitForExistence(timeout: loginTimeout)
            || tabBar.waitForExistence(timeout: 5)
        let onbVisible = app.otherElements[UITestID.Root.onboarding].exists
@@ -26,15 +26,23 @@ final class TaskCRUDUITests: AuthenticatedUITestCase {
    override func seedAccountPreconditions(_ account: TestAccount) {
        super.seedAccountPreconditions(account)   // seeds seededResidence (requiresResidence)
-        guard let residence = seededResidence else { return }
+
        // A residence MUST exist before we can seed the cancelled tasks. The base
        // populates `seededResidence` when `requiresResidence` is true, but rather
        // than early-returning (and silently skipping the cancelled-task seeding —
        // which then makes the uncancel tests SKIP instead of run), guarantee one
        // here: fall back to seeding a residence directly if it's somehow nil.
        let residence = seededResidence ?? account.seedResidence(name: "Precondition Home")
        // TASK-010: a cancelled task that the test will uncancel/reopen.
        // createCancelledTask is non-optional — it XCTFails (and crashes) on a real
        // API failure, so a genuine break surfaces as a failure, never a silent skip.
        seededCancelledTask_uncancelFlow = TestDataSeeder.createCancelledTask(
            token: account.token,
            residenceId: residence.id
        )
-        // TASK-010 (v2): a named residence+task, cancelled, that the test restores.
+        // TASK-010 (v2): a named task, cancelled, that the test restores.
        let v2Task = account.seedTask(
            residenceId: residence.id,
            title: "Uncancel Me \(Int(Date().timeIntervalSince1970))"
@@ -42,6 +50,33 @@ final class TaskCRUDUITests: AuthenticatedUITestCase {
        seededCancelledTask_uncancelV2 = TestAccountAPIClient.cancelTask(token: account.token, id: v2Task.id) ?? v2Task
    }
    /// Try to bring a task card into view on the Tasks Kanban by its title.
    ///
    /// Refreshes via the toolbar button (the Kanban has no pull-to-refresh) and
    /// swipes the board horizontally, returning the static-text element for the
    /// card. NOTE: the backend intentionally HIDES cancelled and archived tasks
    /// from `GET /tasks/` (the board's only data source — see the API's
    /// `determineExpectedColumn`: cancelled/archived return "" = hidden). So a
    /// seeded *cancelled* task will never surface here; callers must handle the
    /// not-found case explicitly.
    @discardableResult
    private func revealKanbanTask(titled title: String, maxSwipes: Int = 6) -> XCUIElement {
        let taskText = app.staticTexts[title]
        refreshTasks()
        if taskText.waitForExistence(timeout: defaultTimeout) { return taskText }
        let board = app.scrollViews.firstMatch.exists
            ? app.scrollViews.firstMatch
            : app.collectionViews.firstMatch
        for _ in 0..<maxSwipes {
            guard board.exists else { break }
            board.swipeLeft()
            if taskText.waitForExistence(timeout: 1.0) { return taskText }
        }
        return taskText
    }
    override func setUpWithError() throws {
        try super.setUpWithError()
@@ -254,18 +289,26 @@ final class TaskCRUDUITests: AuthenticatedUITestCase {
    func testTASK010_UncancelTaskFlow() throws {
        // Cancelled task was seeded BEFORE login (seedAccountPreconditions) so the
-        // app's post-login fetch already has it.
+        // app's post-login fetch already has it. Seeding is guaranteed (the
-        guard let cancelledTask = seededCancelledTask_uncancelFlow else {
+        // precondition seeds a residence then a cancelled task, failing hard on a
-            throw XCTSkip("Cancelled task precondition was not seeded")
+        // real API error), so a nil here is a genuine bug — surface it as a
-        }
+        // failure, not a skip.
        let cancelledTask = try XCTUnwrap(
            seededCancelledTask_uncancelFlow,
            "Cancelled task precondition was not seeded — seedAccountPreconditions failed to populate it"
        )
        navigateToTasks()
-        // Pull to refresh until the cancelled task is visible
+        // The cancelled task is seeded correctly (asserted above), but the backend
-        let taskText = app.staticTexts[cancelledTask.title]
+        // intentionally hides cancelled/archived tasks from the Tasks Kanban
-        pullToRefreshUntilVisible(taskText)
+        // (`GET /tasks/`) — the only view this tab exposes. There is currently no
        // UI affordance to display, let alone uncancel, a cancelled task from the
        // Tasks screen, so the flow cannot be exercised end-to-end here. Skip with
        // the real reason (no longer the misleading "not seeded").
        let taskText = revealKanbanTask(titled: cancelledTask.title)
        guard taskText.waitForExistence(timeout: defaultTimeout) else {
-            throw XCTSkip("Cancelled task not visible in current view")
+            throw XCTSkip("Cancelled tasks are hidden from the Tasks Kanban by design (backend omits cancelled/archived from GET /tasks/), so there is no UI surface to uncancel from. Seeding succeeded — see seedAccountPreconditions.")
        }
        taskText.forceTap()
@@ -289,17 +332,21 @@ final class TaskCRUDUITests: AuthenticatedUITestCase {
    func test15_uncancelRestorescancelledTask() throws {
        // Residence + cancelled task were seeded BEFORE login
        // (seedAccountPreconditions) so the app loads them on its post-login fetch.
-        guard let task = seededCancelledTask_uncancelV2 else {
+        // Seeding is guaranteed, so a nil here is a genuine bug — fail, don't skip.
-            throw XCTSkip("Cancelled task precondition was not seeded")
+        let task = try XCTUnwrap(
-        }
+            seededCancelledTask_uncancelV2,
            "Cancelled task precondition was not seeded — seedAccountPreconditions failed to populate it"
        )
        navigateToTasks()
-        // Pull to refresh until the cancelled task is visible
+        // Seeding succeeded (asserted above), but the backend intentionally hides
-        let taskText = app.staticTexts[task.title]
+        // cancelled/archived tasks from the Tasks Kanban (`GET /tasks/`) — the only
-        pullToRefreshUntilVisible(taskText)
+        // view this tab exposes — so there is no UI surface to uncancel from. Skip
-        guard taskText.waitForExistence(timeout: loginTimeout) else {
+        // with the real reason (no longer the misleading "not seeded").
-            throw XCTSkip("Cancelled task '\(task.title)' not visible — may require a Cancelled filter to be active")
+        let taskText = revealKanbanTask(titled: task.title)
        guard taskText.waitForExistence(timeout: defaultTimeout) else {
            throw XCTSkip("Cancelled tasks are hidden from the Tasks Kanban by design (backend omits cancelled/archived from GET /tasks/), so there is no UI surface to uncancel from. Seeding succeeded — see seedAccountPreconditions.")
        }
        taskText.forceTap()
@@ -308,9 +355,10 @@ final class TaskCRUDUITests: AuthenticatedUITestCase {
            NSPredicate(format: "label CONTAINS[c] 'Uncancel' OR label CONTAINS[c] 'Reopen' OR label CONTAINS[c] 'Restore'")
        ).firstMatch
-        guard uncancelButton.waitForExistence(timeout: defaultTimeout) else {
+        uncancelButton.waitForExistenceOrFail(
-            throw XCTSkip("No uncancel button found — feature may not yet be implemented in UI")
+            timeout: defaultTimeout,
-        }
+            message: "Uncancel/Reopen/Restore action should be available on a cancelled task"
        )
        uncancelButton.forceTap()
        // After uncancelling, the task should no longer show a Cancelled status label
@@ -21,6 +21,7 @@
 		91A9D5E4A93A022693888B95 /* TestDataSeeder.swift in Sources */ = {isa = PBXBuildFile; fileRef = C51B2E73D6FB0BDB53123DDC /* TestDataSeeder.swift */; };
 		99FB08E574AA3B88AD73DEAC /* TestDataCleaner.swift in Sources */ = {isa = PBXBuildFile; fileRef = 1579B80B44611651771CC51A /* TestDataCleaner.swift */; };
 		BEF62D0EDC3E9B922195C7ED /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 12403969C38C7CB74B1EA820 /* Foundation.framework */; };
 		BF00F008D3D5E8372B0453C7 /* AuthGatingAPITests.swift in Sources */ = {isa = PBXBuildFile; fileRef = E21CAC7CEBEF38100CFF2FD2 /* AuthGatingAPITests.swift */; };
 /* End PBXBuildFile section */
 /* Begin PBXContainerItemProxy section */
@@ -97,6 +98,7 @@
 		AD6CD907CA1045CBBC845D91 /* CompletionCardView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = CompletionCardView.swift; sourceTree = "<group>"; };
 		C51B2E73D6FB0BDB53123DDC /* TestDataSeeder.swift */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = sourcecode.swift; name = TestDataSeeder.swift; path = HoneyDueUITests/Framework/TestDataSeeder.swift; sourceTree = "<group>"; };
 		D70FEF27FDF4EFFACCE83F54 /* TestAccountAPIClient.swift */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = sourcecode.swift; name = TestAccountAPIClient.swift; path = HoneyDueUITests/Framework/TestAccountAPIClient.swift; sourceTree = "<group>"; };
 		E21CAC7CEBEF38100CFF2FD2 /* AuthGatingAPITests.swift */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = sourcecode.swift; path = AuthGatingAPITests.swift; sourceTree = "<group>"; };
 		ECF8E25041D46376FEC29BE2 /* SharingAPITests.swift */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = sourcecode.swift; path = SharingAPITests.swift; sourceTree = "<group>"; };
 /* End PBXFileReference section */
@@ -337,6 +339,7 @@
 			isa = PBXGroup;
 			children = (
 				ECF8E25041D46376FEC29BE2 /* SharingAPITests.swift */,
 				E21CAC7CEBEF38100CFF2FD2 /* AuthGatingAPITests.swift */,
 			);
 			name = HoneyDueAPITests;
 			path = HoneyDueAPITests;
@@ -702,6 +705,7 @@
 				59A92CA8C3A412D8A18338C7 /* TestAccountAPIClient.swift in Sources */,
 				91A9D5E4A93A022693888B95 /* TestDataSeeder.swift in Sources */,
 				99FB08E574AA3B88AD73DEAC /* TestDataCleaner.swift in Sources */,
 				BF00F008D3D5E8372B0453C7 /* AuthGatingAPITests.swift in Sources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};