test(browser): cover the full ceremony flows (correcting a PR #40 oversight)#41
Merged
Merged
Conversation
The updated StrykerJS report (PR #39, @bernata) lifted the SDK from 65.1% to 79.3% after the first hardening pass, leaving ceremonies.ts at 43.2% as the dominant gap: 36 of its mutants were no-coverage. The existing suite drove only the register() happy path, so authenticate(), the credential create/get helpers, the cancellation branches, and the navigator.credentials guard were never executed. These flows ARE unit-testable — CeremonyOptions.credentials injects a fake CredentialsContainer — so this drives them end to end: - authenticate(): start -> get -> finish, token returned, POST verbs, and the start-body username ?? null default; - conditional mediation set only when conditional=true (and absent otherwise); - register() start/finish body contract: displayName ?? username, label ?? null, challenge null, and both steps POSTed (kills the surviving "POST"/default and logical-operator mutants); - create/get cancellation: a null credential rejects with the cancelled error; - the navigator.credentials guard throws its clear message (jsdom has no navigator.credentials), killing the guard's conditional/string mutants. Also adds a base64url DataView/subarray case that kills the toUint8Array ArrayBufferView dispatch mutant. The few remaining base64url survivors are equivalent mutants (lenient atob, ignored out-of-bounds writes, the padding regex anchor) and are left as-is, as are the navigator typeof-flips that only differ in a non-browser environment. All 77 browser-SDK tests pass; tsc --noEmit clean. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Follow-up to #40. Adds the ceremony-flow tests that #40 should have included.
Correcting my mistake in #40
In #40 I characterised
ceremonies.ts's no-coverage mutants as effectively e2e-only — covered by the Playwright virtual-authenticator suite in the demos and therefore not worth unit-testing. That was wrong.CeremonyOptions.credentialsinjects a fakeCredentialsContainer, soauthenticate(), the credential create/get helpers, the cancellation branches, and thenavigator.credentialsguard are all fully unit-testable in jsdom. Because I skipped them, #40 leftceremonies.tsat 43.2% while every other SDK file climbed into the 94–100% range — the one remaining drag on the overall score, and avoidably so. This PR fixes that.What this adds (+10 tests; 77/77 pass;
tsc --noEmitclean)authenticate()end-to-end — start →credentials.get→ finish, token returned, POST verbs asserted,username ?? nulldefault on the start bodymediation: "conditional"set only whenconditional: true, and absent otherwiseregister()body contract —displayName ?? username,label ?? null,challenge: null, both ceremony steps POSTednullcredential rejects with the cancelled errorDataView/subarray case covering thetoUint8ArrayArrayBufferView dispatchOn the remaining survivors — intentionally left honest
A handful of mutants remain undetected: equivalent mutants in
base64url(lenientatob, ignored out-of-bounds typed-array writes, the padding-regex anchor that's moot forbtoaoutput), thenavigatortypeof-flips that only differ in a non-browser runtime, and theindex.tsbarrel.I am deliberately not adding
// Stryker disablecomments or trimming themutateglob to hide these. At this stage the mutation score should reflect what the tests actually exercised, not what the tooling is configured to overlook. The number stays honest, and these survivors stand as a visible, accurate record.🤖 Generated with Claude Code