1.9 KiB
1.9 KiB
QA Report — Gateway Security Hardening
Scope
- Chat HTTP auth guard hardening
- Chat WebSocket session validation
- DTO validation rules for chat and conversation payloads
- Ownership regression coverage for by-id routes
TDD
- Required: yes
- Applied: yes
- Red step: targeted tests failed on socket session reshaping and DTO role/length mismatches
- Green step: targeted tests passed after runtime and DTO alignment
Baseline Verification
| Command | Result | Evidence |
|---|---|---|
pnpm --filter @mosaic/gateway test -- src/chat/__tests__/chat-security.test.ts src/__tests__/resource-ownership.test.ts |
pass | 3 test files passed, 20 tests passed |
pnpm typecheck |
pass | turbo completed 18/18 package typecheck tasks |
pnpm lint |
pass | turbo completed 18/18 package lint tasks |
pnpm format:check |
pass | All matched files use Prettier code style! |
Situational Verification
| Acceptance Criterion | Verification Method | Evidence |
|---|---|---|
| Chat controller requires auth and current-user context | source assertion test | chat-security.test.ts checks @UseGuards(AuthGuard) and @CurrentUser() user: { id: string } |
| WebSocket handshake requires Better Auth session | unit tests for validateSocketSession() |
null handshake returns null; valid handshake returns original session object |
| Conversation messages reject non-user/assistant roles | class-validator test | system role fails validation |
| Conversation messages enforce a 32k max length | class-validator test | 32_001 chars fail validation |
| Chat request payload enforces a 10k max length | class-validator test | 10_001 chars fail validation |
| By-id routes reject cross-user access | ownership regression tests | conversations, projects, missions, tasks each raise ForbiddenException for non-owner access |
Residual Risk
- No live HTTP or WebSocket smoke test against a running gateway process was executed in this session.