Charon/docs/reports/qa_report.md
GitHub Actions 6351a9bba3 feat: add CrowdSec API key status handling and warning component
- Implemented `getCrowdsecKeyStatus` API call to retrieve the current status of the CrowdSec API key.
- Created `CrowdSecKeyWarning` component to display warnings when the API key is rejected.
- Integrated `CrowdSecKeyWarning` into the Security page, ensuring it only shows when relevant.
- Updated i18n initialization in main.tsx to prevent race conditions during rendering.
- Enhanced authentication setup in tests to handle various response statuses more robustly.
- Adjusted security tests to accept broader error responses for import validation.
2026-02-04 09:17:25 +00:00


# QA Report: LAPI Auth Fix and Translation Bug Fix
**Date**: 2026-02-04
**Version**: v0.3.0 (beta)
**Changes Under Review**:
1. Backend: CrowdSec key-status endpoint, bouncer auto-registration, key file fallback
2. Frontend: Key warning banner, i18n race condition fix, translations
---
## Executive Summary
| Category | Status | Details |
|----------|--------|---------|
| E2E Tests | ⚠️ ISSUES | 175 passed, 3 failed, 26 skipped |
| Backend Coverage | ⚠️ BELOW THRESHOLD | 84.8% (minimum: 85%) |
| Frontend Coverage | ✅ PASS | All tests passed |
| TypeScript Check | ✅ PASS | Zero errors |
| Pre-commit Hooks | ⚠️ AUTO-FIXED | 1 file fixed (`tests/etc/passwd`) |
| Backend Linting | ✅ PASS | go vet passed |
| Frontend Linting | ✅ PASS | ESLint passed |
| Trivy FS Scan | ✅ PASS | 0 HIGH/CRITICAL vulnerabilities |
| Docker Image Scan | ⚠️ ISSUES | 7 HIGH vulnerabilities (base image) |
**Overall Status**: ⚠️ **CONDITIONAL APPROVAL** - Issues found requiring attention
---
## 1. Playwright E2E Tests
### Results
- **Total**: 204 tests
- **Passed**: 175 (86%)
- **Failed**: 3
- **Skipped**: 26
### Failed Tests (Severity: LOW-MEDIUM)
| Test | File | Error | Severity |
|------|------|-------|----------|
| Should reject archive missing required CrowdSec fields | [crowdsec-import.spec.ts](tests/security/crowdsec-import.spec.ts#L133) | Expected 422, got 500 | MEDIUM |
| Should reject archive with path traversal attempt | [crowdsec-import.spec.ts](tests/security/crowdsec-import.spec.ts#L338) | Error message mismatch | LOW |
| Verify admin whitelist is set to 0.0.0.0/0 | [zzzz-break-glass-recovery.spec.ts](tests/security-enforcement/zzzz-break-glass-recovery.spec.ts#L147) | `admin_whitelist` undefined | LOW |
### Analysis
1. **CrowdSec Import Validation (crowdsec-import.spec.ts:133)**: The backend returns 500 instead of 422 when required fields are missing from the archive. A validation failure on client-supplied input should surface as a 4xx, so the error handling on this path needs improvement.
2. **Path Traversal Detection (crowdsec-import.spec.ts:338)**: The request is rejected, but the error message reads "failed to create backup" rather than naming the security check that failed. The error messaging could be made clearer.
3. **Admin Whitelist API (zzzz-break-glass-recovery.spec.ts:147)**: The API response is missing the `admin_whitelist` field; this may indicate an API schema change that the test has not been updated for.
### Skipped Tests (26 total)
- Mostly CrowdSec-related tests that require a running CrowdSec instance
- Rate-limiting tests that exercise middleware enforcement (correctly skipped per the testing scope)
- These skips are documented and expected
---
## 2. Backend Unit Tests
### Results
- **Status**: ⚠️ BELOW THRESHOLD
- **Coverage**: 84.8%
- **Threshold**: 85.0%
- **Deficit**: 0.2%
### Recommendation
Coverage is 0.2% below threshold. This is a marginal gap. Priority:
1. Check if any new code paths in the LAPI auth fix lack tests
2. Add targeted tests for CrowdSec key-status handler edge cases
3. Consider adding coverage exclusions for generated/boilerplate code where appropriate
---
## 3. Frontend Unit Tests
### Results
- **Status**: ✅ PASS
- **Test Files**: 136+ passed
- **Tests**: 1500+ passed
- **Skipped**: ~90 (documented security audit tests)
### Coverage by Area
| Area | Statement Coverage |
|------|-------------------|
| Components | 74.14% |
| Components/UI | 98.94% |
| Hooks | 98.11% |
| Pages | 83.01% |
| Utils | 96.49% |
| API | ~91% |
| Data | 100% |
| Context | 92.59% |
---
## 4. TypeScript Check
- **Status**: ✅ PASS
- **Errors**: 0
- **Command**: `npm run type-check`
---
## 5. Pre-commit Hooks
### Results
- **Status**: ⚠️ AUTO-FIXED
- **Hooks Passed**: 12/13
- **Auto-fixed**: 1 file
### Details
| Hook | Status |
|------|--------|
| fix end of files | Fixed `tests/etc/passwd` |
| trim trailing whitespace | ✅ Pass |
| check yaml | ✅ Pass |
| check for added large files | ✅ Pass |
| dockerfile validation | ✅ Pass |
| Go Vet | ✅ Pass |
| golangci-lint (Fast) | ✅ Pass |
| Check .version matches tag | ✅ Pass |
| LFS large files check | ✅ Pass |
| Prevent CodeQL DB commits | ✅ Pass |
| Prevent data/backups commits | ✅ Pass |
| Frontend TypeScript Check | ✅ Pass |
| Frontend Lint (Fix) | ✅ Pass |
**Action Required**: Commit the auto-fixed `tests/etc/passwd` file.
---
## 6. Linting
### Backend (Go)
| Linter | Status | Notes |
|--------|--------|-------|
| go vet | ✅ PASS | No issues |
| staticcheck | ⚠️ SKIPPED | Go version mismatch (1.25.6 vs 1.25.5) - not a code issue |
### Frontend (TypeScript/React)
| Linter | Status | Notes |
|--------|--------|-------|
| ESLint | ✅ PASS | No issues |
---
## 7. Security Scans
### Trivy Filesystem Scan
- **Status**: ✅ PASS
- **HIGH/CRITICAL Vulnerabilities**: 0
- **Scanned**: Source code + npm dependencies
### Docker Image Scan (Grype)
- **Status**: ⚠️ HIGH VULNERABILITIES DETECTED
- **Critical**: 0
- **High**: 7
- **Medium**: 20
- **Low**: 2
- **Negligible**: 380
- **Total**: 409
### High Severity Vulnerabilities
| CVE | Package | Version | Fixed | CVSS | Description |
|-----|---------|---------|-------|------|-------------|
| CVE-2025-13151 | libtasn1-6 | 4.20.0-2 | No fix | 7.5 | Stack-based buffer overflow |
| CVE-2025-15281 | libc-bin | 2.41-12+deb13u1 | No fix | 7.5 | wordexp WRDE_REUSE issue |
| CVE-2025-15281 | libc6 | 2.41-12+deb13u1 | No fix | 7.5 | wordexp WRDE_REUSE issue |
| CVE-2026-0915 | libc-bin | 2.41-12+deb13u1 | No fix | 7.5 | getnetbyaddr nsswitch issue |
| CVE-2026-0915 | libc6 | 2.41-12+deb13u1 | No fix | 7.5 | getnetbyaddr nsswitch issue |
| CVE-2026-0861 | libc-bin | 2.41-12+deb13u1 | No fix | 8.4 | memalign alignment issue |
| CVE-2026-0861 | libc6 | 2.41-12+deb13u1 | No fix | 8.4 | memalign alignment issue |
### Analysis
All HIGH vulnerabilities are in **base image system packages** (Debian Trixie):
- `libtasn1-6` (ASN.1 parsing library)
- `libc-bin` / `libc6` (GNU C Library)
**Mitigation Status**: No fixes currently available from Debian upstream. These affect the base OS, not application code.
**Risk Assessment**:
- **libtasn1-6 (CVE-2025-13151)**: Only exploitable if parsing malicious ASN.1 data - low risk for Charon's use case
- **glibc issues**: Require specific API usage patterns that Charon does not trigger
**Recommendation**: Monitor for Debian package updates. No immediate blocking action required for beta release.
---
## 8. Issues Requiring Resolution
### MUST FIX (Blocking)
1. **Backend Coverage**: Increase from 84.8% to 85.0% (0.2% gap)
   - Priority: Add tests for new CrowdSec key-status code paths
### SHOULD FIX (Before release)
2. **E2E Test Failures**: 3 tests failing
   - `crowdsec-import.spec.ts:133` - Fix error code consistency (500 → 422)
   - `crowdsec-import.spec.ts:338` - Improve error message clarity
   - `zzzz-break-glass-recovery.spec.ts:147` - Fix API response schema
3. **Pre-commit Auto-fix**: Commit `tests/etc/passwd` EOF fix
### MONITOR (Non-blocking)
4. **Docker Image CVEs**: 7 HIGH in base image packages
   - Monitor for Debian security updates
   - Consider whether an alternative base image is warranted
5. **Staticcheck Version**: Update staticcheck to Go 1.25.6+
---
## 9. Test Execution Details
| Test Suite | Duration | Workers |
|------------|----------|---------|
| Playwright E2E | 4.6 minutes | 2 |
| Backend Unit | ~30 seconds | - |
| Frontend Unit | ~102 seconds | - |
---
## 10. Approval Status
### ⚠️ CONDITIONAL APPROVAL
**Conditions for Full Approval**:
1. ✅ TypeScript compilation passing
2. ✅ Frontend linting passing
3. ✅ Backend linting passing (go vet)
4. ✅ Trivy filesystem scan clean
5. ⚠️ Backend coverage at 85%+ (currently 84.8%)
6. ⚠️ All E2E tests passing (currently 3 failing)
**Recommendation**: Address the 0.2% coverage gap and investigate the 3 E2E test failures before merging to main. The Docker image vulnerabilities are in base OS packages with no fixes available - these issues do not block the implementation.
---
*Report generated by QA Security Agent*