Charon/docs/reports/qa_report.md

# QA/Security Validation Report - PR1 Remediation Branch
**Date:** 2026-02-19  
**Scope:** Mandatory QA/security gates for PR1 remediation in `/projects/Charon`.

## Gate Results (Required Sequence)

| # | Gate | Command(s) | Status | Evidence / Artifacts |
|---|---|---|---|---|
| 1 | E2E prerequisite rebuild decision | `git --no-pager diff --name-only` + `docker ps -a` + `/projects/Charon/.github/skills/scripts/skill-runner.sh docker-rebuild-e2e` | **PASS** | Runtime-impacting changes detected in `backend/**` and `frontend/**`; E2E env rebuilt successfully; container `charon-e2e` healthy |
| 2a | Playwright targeted verification (notifications) | `npx playwright test tests/settings/notifications.spec.ts tests/security/security-dashboard.spec.ts --project=firefox` | **PASS** | `28 passed (1.3m)` for notifications suite |
| 2b | Security-project equivalent (required due to config exclusion) | `npx playwright test tests/security/security-dashboard.spec.ts --project=firefox --list` then `npx playwright test tests/security/security-dashboard.spec.ts --project=security-tests` | **PASS** | Firefox listing returned `No tests found` because `tests/security/**` is ignored for the firefox project; the equivalent `security-tests` run passed: `10 passed (27.7s)` |
| 3 | Local patch coverage preflight | `bash scripts/local-patch-report.sh` | **PASS** | Artifacts verified: `test-results/local-patch-report.md`, `test-results/local-patch-report.json` |
| 4 | Backend coverage/tests | `/projects/Charon/.github/skills/scripts/skill-runner.sh test-backend-coverage` | **PASS** | First attempt blocked by missing `CHARON_ENCRYPTION_KEY`; rerun with generated valid key passed. Coverage: statements `87.2%`, lines `87.6%`, gate min `85%` |
| 5a | Frontend coverage/tests | `/projects/Charon/.github/skills/scripts/skill-runner.sh test-frontend-coverage` | **PASS** | Coverage summary: statements `87.68%`, lines `88.58%`, gate `PASS` vs min `85%` |
| 5b | Frontend type-check | `cd frontend && npm run type-check` | **PASS** | `tsc --noEmit` completed with no TS errors |
| 6 | Pre-commit fast hooks | `pre-commit run --all-files` | **FAIL** | Hook `check-version-match` failed: `.version (v0.18.13) does not match latest Git tag (v0.19.0)` |
| 7a | Trivy filesystem scan | `/projects/Charon/.github/skills/scripts/skill-runner.sh security-scan-trivy` | **PASS** | Report summary shows 0 vulnerabilities and 0 secrets across scanned targets |
| 7b | Docker image scan (CI-aligned skill) | `/projects/Charon/.github/skills/scripts/skill-runner.sh security-scan-docker-image` | **FAIL** | Grype summary: Critical `0`, High `1`, Total `14`; skill exits failure on High/Critical policy |
| 7c | CodeQL Go CI-aligned | Task: `Security: CodeQL Go Scan (CI-Aligned) [~60s]` | **PASS** | Completed; output file `codeql-results-go.sarif` |
| 7d | CodeQL JS CI-aligned | Task: `Security: CodeQL JS Scan (CI-Aligned) [~90s]` | **PASS** | Completed; output file `codeql-results-js.sarif` |
| 7e | CodeQL High/Critical validation | `pre-commit run --hook-stage manual codeql-check-findings --all-files` | **PASS** | `No security issues found in go code` and `No security issues found in js code` |

## Security Blocker Details

### Docker Image Scan Failure (Blocking)

- Source artifact: `grype-results.json`
- Unresolved high/critical findings:

| Severity | ID | Package | Installed | Fixed Version |
|---|---|---|---|---|
| High | GHSA-69x3-g4r3-p962 | github.com/slackhq/nebula | v1.9.7 | 1.10.3 |
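The High/Critical policy that gate 7b enforces, as an added example (not the Charon skill's own code): it reads a grype JSON report, counts severities, and renders the blocking findings as the table rows above. It assumes grype's JSON layout (`matches[].vulnerability.{id,severity,fix.versions}` and `matches[].artifact.{name,version}`) and uses a constructed sample report, not the real `grype-results.json`.

```python
import json
from collections import Counter

BLOCKING = frozenset({"High", "Critical"})

# Constructed grype-style report for illustration: the single High finding
# mirrors the one listed above; the thirteen Medium entries are filler so the
# totals match the gate output (Critical 0, High 1, Total 14).
SAMPLE_GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "GHSA-69x3-g4r3-p962", "severity": "High",
                       "fix": {"versions": ["1.10.3"], "state": "fixed"}},
     "artifact": {"name": "github.com/slackhq/nebula", "version": "v1.9.7"}},
] + [
    {"vulnerability": {"id": f"CONSTRUCTED-MED-{i}", "severity": "Medium",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": f"constructed-pkg-{i}", "version": "1.0.0"}}
    for i in range(13)
]})


def evaluate_gate(report_json, blocking=BLOCKING):
    """Return (summary, blockers, passed) for a grype JSON report string.

    The gate passes only when no finding has a severity in `blocking`.
    """
    matches = json.loads(report_json).get("matches", [])
    counts = Counter(m["vulnerability"].get("severity", "Unknown") for m in matches)
    blockers = []
    for m in matches:
        vuln, art = m["vulnerability"], m["artifact"]
        if vuln.get("severity") not in blocking:
            continue
        fixed = vuln.get("fix", {}).get("versions") or []
        blockers.append({"severity": vuln["severity"], "id": vuln["id"],
                         "package": art["name"], "installed": art["version"],
                         "fixed": ", ".join(fixed) if fixed else "none"})
    summary = {"Critical": counts.get("Critical", 0),
               "High": counts.get("High", 0), "Total": len(matches)}
    return summary, blockers, not blockers


def blockers_as_markdown(blockers):
    """Render blocking findings in the same table shape as this report."""
    rows = ["| Severity | ID | Package | Installed | Fixed Version |", "|---|---|---|---|---|"]
    rows += [f"| {b['severity']} | {b['id']} | {b['package']} | {b['installed']} | {b['fixed']} |"
             for b in blockers]
    return "\n".join(rows)


if __name__ == "__main__":
    summary, blockers, passed = evaluate_gate(SAMPLE_GRYPE_JSON)
    print(f"Grype summary: {summary}  gate={'PASS' if passed else 'FAIL'}")
    print(blockers_as_markdown(blockers))
```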

## Notes on Non-Run/Blocked Conditions

- No gate was skipped.
- One intermediate command was blocked by an environment precondition and immediately remediated:
  - Backend coverage initial failure: `Error: CHARON_ENCRYPTION_KEY is required for backend tests`.
  - Workaround used: set a valid generated base64 32-byte key, then reran backend coverage successfully.

## Final Verdict

- **Overall Result: FAIL**
- Failing gates:
  1. `pre-commit run --all-files` (`check-version-match`)
  2. Docker image security gate (`security-scan-docker-image`) due to an unresolved High vulnerability