## QA Report — PR-2 Security Patch Posture Audit

- Date: 2026-02-23
- Scope: PR-2 only (security patch posture, admin API hardening, rollback viability)
- Verdict: **READY (PASS)**

## Gate Summary

| Gate | Status | Evidence |
| --- | --- | --- |
| Targeted E2E for PR-2 | PASS | Security settings test for Caddy Admin API URL passed (2/2). |
| Local patch preflight artifacts | PASS | `test-results/local-patch-report.md` and `.json` regenerated. |
| Coverage and type-check | PASS | Backend coverage 87.7% line / 87.4% statement; frontend type-check passed; frontend coverage preflight input passed (88.99% lines). |
| Pre-commit gate | PASS | `pre-commit run --all-files` passed after resolving version and type-check hook issues. |
| Security scans | PASS | CodeQL Go/JS CI-aligned scans passed; findings gate passed with no HIGH/CRITICAL; Trivy passed at configured severities. |
| Runtime posture + rollback | PASS | Default scenario shifted `A -> B` for PR-2 posture; rollback remains explicit via `CADDY_PATCH_SCENARIO=A`; admin API URL now validated and normalized at config load. |

## Resolved Items

1. `check-version-match` mismatch fixed by syncing `.version` to `v0.19.1`.
2. `frontend-type-check` hook stabilized to `npx tsc --noEmit` for deterministic pre-commit behavior.

## PR-2 Closure Statement

All PR-2 QA/security gates required for merge are passing. No PR-3 scope is included in this report.