add tests batch 20

This commit is contained in:
root
2026-06-09 01:03:53 -04:00
parent 95efb9652e
commit 6be4875c5e
1502 changed files with 13797 additions and 11313 deletions
@@ -2453,3 +2453,135 @@ New coverage areas:
- A Batch 15 ultra sweep combining tenant override, owner override, secret includes, hard-delete flags, forged signatures, hostile redirects, and path traversal probes.
This batch continues the rule used by the full-surface suite: broad risk-family tests first, then deeper scenario-specific tests only when a business workflow needs dedicated assertions. Otherwise the test suite becomes a very expensive scrapbook.
### Batch 16 full-surface contract expansion
Batch 16 adds another broad risk-family layer under `tests/Feature/Api/V1/FullSurface/`. It focuses on risks that appear after an API already has route coverage but still fails in production because state, time, retries, and ownership are harder than pretending controllers are endpoints with feelings.
New coverage areas:
- Multi-step workflow compensation and partial-failure rollback expectations.
- Eventual consistency, retry headers, idempotency scope, and client operation IDs.
- Optimistic locking, stale version fields, stale ETags, and forced overwrite attempts.
- Schema evolution, deprecated aliases, and old-client/current-client compatibility.
- Money precision, currency abuse, rounding overrides, and impossible ledger values.
- Clock skew, temporal boundaries, DST-ish inputs, and client-time spoofing.
- Permission drift detection across sensitive mutating route families.
- Public endpoint identity spoofing and privileged query flag abuse.
- Device trust, kiosk/scanner replay, forged badge tokens, and client-asserted device state.
- Emergency contact, pickup delegation, guardian, and family safety boundaries.
- Accessibility/client-hint headers and locale variants that must not alter authorization.
- Import preview/commit separation, mixed bad rows, and skip-validation attempts.
- Notification suppression, opt-out bypass, quiet-hour bypass, and delivery override flags.
- Read-model/projection/dashboard routes resisting sensitive include/scope expansion.
- A Batch 16 route-graph invariant register and a broader hostile-payload regression sweep.
The purpose is not to worship test count. The purpose is to force the API to behave predictably when clients retry, lie, race, spoof time, submit stale data, or shove cross-domain IDs into every field like toddlers discovering electrical sockets.
### Batch 17: zero-trust headers, lineage, collision, and cross-domain integrity contracts
Batch 17 adds another broad full-surface layer focused on areas that still rot quietly even when route coverage looks impressive, because apparently APIs enjoy hiding their worst behavior behind successful smoke tests.
New coverage includes:
- Zero-trust handling for internal proxy, service, forwarded, and fake admin headers.
- API/web guard boundary checks so browser session identity cannot drift into API authorization.
- External ID, natural-key, email, phone, and student-number collision probes.
- Data lineage and source-attribution overposting checks.
- Student identity merge/split/dedupe safety checks.
- Academic prerequisite, finalization, lock, and publish-bypass probes.
- Attendance cutoff, backdate, future-date, excuse, and dismissal tamper-window probes.
- Closed-period financial adjustment, write-off, credit transfer, and ledger reconciliation abuse.
- Inventory custody, disposal, stock-check bypass, and asset assignment abuse.
- Communication recipient expansion, BCC/reply-to injection, and all-school broadcast abuse.
- Export column-level security and sensitive field selection probes.
- Search ranking and permission-filter bypass probes.
- Critical contract anchor preservation for auth, identity, attendance, academics, and finance payloads.
- Per-resource repeated-action and idempotency behavior for sensitive routes.
- Partial-failure error redaction for bulk/import/sync/export operations.
- A Batch 17 omega sweep combining hostile headers, payloads, includes, IDs, and privilege flags.
These tests are intentionally broad contract guards. They do not replace deep business assertions, but they make it much harder for new API routes to accidentally trust headers, leak secrets, expand scope, or let client payloads rewrite authority. A low bar, naturally, but here we are.
## Batch 18: Business Invariant, Compliance, and Finality Contracts
Batch 18 adds another broad full-surface layer focused on business invariants that are easy to lose when endpoints multiply faster than judgment.
New coverage areas:
- Role mutation and effective-permission boundaries.
- Canonical identifier immutability for users, students, parents, invoices, payments, attendance, and scores.
- Two-person approval and segregation-of-duty probes.
- Consent revocation, quiet-hour, unsubscribe, and communication compliance boundaries.
- Export watermark, auditability, and column-level leakage resistance.
- Unsafe cascade deletion, purge, archive, detach, and orphaned-record protection.
- Student medical, emergency, custody, and safety-data minimization by role.
- Finance chargeback, dispute, reversal, and ledger-integrity abuse probes.
- Class capacity, waitlist, and schedule-conflict bypass attempts.
- Report drill-through row-level security and sensitive include/field abuse.
- Webhook ordering, replay, and out-of-sequence provider-event behavior.
- File scan/quarantine metadata spoofing and storage path exposure.
- API-key, service-account, and machine-identity header spoofing.
- License, entitlement, feature-flag, and module access override attempts.
- Temporal audit forgery through client timestamps, clock skew, and bogus timezones.
- Batch 18 invariant risk register and broad regression sweep.
This batch is intended to catch silent business-rule collapse: the kind where every endpoint returns JSON, every dashboard looks calm, and meanwhile a parent can request a full-school export because somebody trusted `scope=all`. Computers remain breathtakingly literal.
## Batch 19: Operational Continuity, Nested Privacy, and Allocation Integrity Contracts
Batch 19 adds another broad full-surface layer focused on the places where mature APIs quietly rot: policy conditions, nested expansion leaks, audit mutability, payment allocation, custody safety, external sync, temporary URLs, cache staleness, and operational restore surfaces. Yes, these are boring. So are seatbelts.
New coverage areas:
- Attribute-based access-control condition spoofing and scope override probes.
- Nested relationship expansion redaction across students, parents, families, invoices, attendance, and reports.
- Append-only audit, ledger, activity, and history mutation resistance.
- Payment allocation, overpayment, invoice balance, and settlement-boundary probes.
- Refund-method mismatch and provider-settlement abuse checks.
- Attendance excuse document lifecycle and client-supplied approval metadata.
- Custody restriction, pickup authorization, emergency dismissal, and guardian override abuse.
- Class transfer, transcript continuity, prerequisite, and forced reassignment probes.
- Teacher substitution, coverage-window, roster, grading, and attendance-scope boundaries.
- Communication bounce, suppression, unsubscribe, webhook replay, and header-injection behavior.
- Third-party sync canonicalization, external ID collision, and overwrite-local abuse.
- Temporary URL expiration, revocation, signed-file, disk/path, and storage exposure checks.
- Aggregate dashboard row-level scope and sensitive drill-through expansion.
- Report cache invalidation and stale-data forcing probes.
- Backup, restore, snapshot, database, and operational isolation boundaries.
- Revoked/deleted user token and reactivation boundary probes.
- Batch 19 operational/privacy invariant register and continuity regression sweep.
This batch is aimed at continuity bugs: not the obvious crash, but the quieter failure where stale reports leak private rows, old tokens still work, a provider callback rewrites payment state, or a temporary URL becomes permanent because apparently time is optional now.
## Batch 20: Continuity, Compliance, Export, and Operational Integrity Contracts
Batch 20 adds another broad full-surface contract layer focused on continuity and compliance failures that rarely show up in happy-path testing: retention conflicts, cash drawer abuse, receipt numbering, scholarship eligibility, gradebook amendment locks, attendance device trust, pickup safety, emergency broadcasts, webhook key rotation, audit exports, and analytics warehouse leakage. In other words, the parts that become expensive when they fail, because apparently bugs enjoy invoices.
New coverage areas:
- Legal hold, retention, erasure, archive, purge, and conflicting destructive-action probes.
- Cash drawer/manual payment integrity, balance override, and forged receipt-number payloads.
- Receipt numbering, invoice numbering, tax-document, PDF, and private-note export boundaries.
- Scholarship, voucher, waiver, sibling/family discount, renewal, and eligibility abuse probes.
- Gradebook locks, published report cards, post-publication amendments, and forced unlock attempts.
- Attendance geofence, kiosk/scanner device trust, replayed badges, and scan-time spoofing.
- Transportation, bus route, pickup, dismissal, guardian authorization, and unsafe release payloads.
- Emergency school closure, broadcast, notification, opt-out override, and approval metadata abuse.
- Notification dead-letter, retry, suppression, replay, and provider-message controls.
- API deprecation/sunset/legacy compatibility drift and old-client sensitive-field exposure.
- Webhook secret rotation, previous-key rollover, retired-key replay, and timestamp abuse.
- Admin audit export redaction and sensitive-column suppression.
- Class capacity, waitlist, lottery, forced assignment, and schedule-capacity boundary probes.
- Parent dispute, custody review, court-order verification, and guardian removal abuse.
- Multilingual content, translation payload, RTL/bidi, locale fallback, and publication abuse.
- Synthetic monitoring, health, metrics, debug, and internal probe exposure checks.
- Data warehouse, analytics, dashboard, raw-row, PII, financial, and medical export controls.
- Batch 20 continuity/compliance risk register and regression sweep.
This batch is meant to catch the quiet business-rule failures: the payment that balances only because the client said so, the grade changed after lock, the export that includes medical notes, the badge scan that trusts a header, and the emergency broadcast that ignores consent. Tiny details, enormous blast radius.