test: add API integration suite, fixtures, and frontend unit tests

[clean6378-max-it]

Closes #39

Problem

1. No integration tests — Critical API endpoints had no full HTTP round-trip coverage.
2. Frontend JS untested — ES modules under static/js/shared/ were verified only manually.
3. Search crash regression risk — int(limit) on unvalidated query params could 500 on limit=abc.
4. No coverage gate on API layer — Parser utilities were well tested; api/ blueprints were not.

Changes

Search limit validation (Monday prerequisite, included)

• api/search.py: _parse_limit() validates limit; invalid values → 400 + {"error": "..."}.
• Default 50, cap 500, reject floats/non-numeric/< 1.
• tests/test_search.py: 5 tests (integer string, float, non-numeric, default, empty query).

Fixtures

• tests/fixtures/session_minimal.jsonl — titled session with searchable "Hello" text
• tests/fixtures/session_with_tools.jsonl — tool_use + tool result path
• tests/fixtures/session_with_thinking.jsonl — thinking block path

Python API integration tests

New tests/test_api_integration.py — 10 scenarios:

Endpoint	Tests
GET /api/projects	Non-empty list; empty base dir → []
GET /api/projects/<name>/sessions	Lists 2 fixture sessions; unknown project → []
GET /api/sessions/<name>/<id>	Happy path; 404 + error key
GET /api/search	Results; empty q; limit=abc → 400; valid limit=5

Frontend JS tests (vitest)

• package.json, package-lock.json, vitest.config.js (jsdom)
• static/js/shared/utils.test.js — 7 tests (esc, truncate, formatTs, formatDate, formatSize)
• static/js/shared/markdown.test.js — 4 tests (cleanContent, DOMPurify sanitization, fallback)
• static/js/shared/state.test.js — 3 tests (shared state object)

Coverage + CI

• requirements-dev.txt: pytest-cov>=5.0
• pyproject.toml: --cov=api --cov=utils, 60% fail-under on api/
• .github/workflows/ci.yml: integration-tests + js-tests jobs
• .gitignore: node_modules/, coverage/, coverage.xml

Out of scope

• Structured ErrorCode on error responses (Wednesday)
• Full HTTP / CLI route matrix (Wednesday)
• Playwright / browser E2E
• API reference / CONTRIBUTING.md (Thursday)
• models/ TypedDict package (Monday PR — separate branch if not merged)

Test plan

• pytest tests/test_search.py tests/test_api_integration.py -v — 15 passed
• pytest -q — 244 passed
• API coverage 62% (gate: 60% on api/)
• npm test — 14 vitest tests passed
• CI integration-tests job green
• CI js-tests job green
• CI pytest job green (full suite with coverage addopts)

pip install -r requirements-dev.txt
pytest tests/test_search.py tests/test_api_integration.py -v
pytest -q
npm ci
npm test

<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit

* **Bug Fixes**
  * Search endpoint: robust `limit` handling — defaults to 50 when omitted/blank, rejects invalid values with clear 400 errors, and caps results at 500.

* **Tests**
  * Added comprehensive API and frontend tests, fixtures, and JS unit tests covering search, utilities, state, and markdown rendering; added Vitest config and coverage reporting.

* **Chores**
  * CI updated to run integration and frontend test jobs, pin actions/Node versions, and ignore common Node/coverage artifacts.

<!-- review_stack_entry_start -->

[![Review Change Stack](https://storage.googleapis.com/coderabbit_public_assets/review-stack-in-coderabbit-ui.svg)](https://app.coderabbit.ai/change-stack/cppalliance/claude-code-chat-browser/pull/40?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)

<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5f09d819-7f28-412e-86b8-744a70a0d9e2

📥 Commits

Reviewing files that changed from the base of the PR and between 19941df and d7bc647.

📒 Files selected for processing (1)

• tests/test_api_integration.py

---

📝 Walkthrough

Walkthrough

Adds search limit validation, Python integration tests and fixtures, Vitest frontend unit tests and config, and CI jobs to run both suites and upload coverage artifacts.

Changes

Comprehensive Test Suite

Layer / File(s)	Summary
Search limit validation api/search.py	_parse_limit enforces default 50, min 1, max 500; search() returns HTTP 400 with {"error":...} for invalid limit instead of crashing.
Pytest config & dev deps pyproject.toml, requirements-dev.txt, tests/fixtures/*	Adds pytest/coverage config (XML output to coverage.xml, coverage targets), removes -r requirements.txt from dev requirements and adds pytest-cov>=5.0. Adds JSONL fixtures for minimal, thinking, and tool-call sessions.
Python integration tests & fixtures tests/conftest.py, tests/test_api_integration.py, tests/test_search.py	Adds Flask test client fixtures and tests covering /api/projects, /api/projects/<project>/sessions, /api/sessions/<project>/<id>, and /api/search including empty query, limit parsing, and standardized error shape assertions.
Frontend test configuration package.json, vitest.config.js	Adds Vitest dev deps and scripts in package.json; vitest.config.js sets jsdom env, test include pattern, and v8 coverage reporting.
Frontend unit tests static/js/shared/markdown.test.js, static/js/shared/state.test.js, static/js/shared/utils.test.js	Adds Vitest suites: markdown.test.js (cleanContent and renderMarkdown sanitization/fallback), state.test.js (state reset and mutability), and utils.test.js (esc, truncate, formatTs, formatDate, formatSize).
CI/CD pipeline and artifacts .github/workflows/ci.yml, .gitignore	Pins GitHub Action versions and sets job permissions; adds integration-tests job that runs targeted pytest files and uploads coverage.xml as an artifact, and js-tests job that runs Node.js tests. .gitignore excludes node_modules/, coverage/, and coverage.xml.

Sequence Diagram(s)

sequenceDiagram
  participant DevMachine
  participant GitHubActions
  participant TestClient
  participant FlaskApp
  participant JSRunner
  DevMachine->>GitHubActions: push PR (CI triggers)
  GitHubActions->>FlaskApp: run integration-tests (pytest -> coverage.xml)
  GitHubActions->>TestClient: executes pytest using test clients (conftest)
  TestClient->>FlaskApp: GET /api/search?q=...&limit=...
  FlaskApp->>FlaskApp: _parse_limit -> validate/cap
  FlaskApp-->>TestClient: 200/400 JSON
  GitHubActions->>JSRunner: run js-tests (Node v20 + vitest)
  JSRunner-->>GitHubActions: test results & coverage
  GitHubActions->>GitHubActions: upload coverage-report artifact

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

• jonathanMLDev
• wpak-ai

🐰 I trimmed the markdown, ran the tests,
hopped through fixtures and CI manifests,
capped search limits, seeded sessions neat,
Vitest and pytest danced in the suite,
coverage bundled—now ready to meet.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 16.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title clearly and concisely summarizes the main changes: adding API integration tests, fixtures, and frontend unit tests, matching the primary objectives.
Linked Issues check	✅ Passed	The PR meets all primary coding requirements: integration tests cover /api/projects, /api/sessions, /api/search; search limit validation returns 400 for invalid inputs; fixtures are provided; frontend JS tests with vitest are implemented; coverage tooling is configured with 60% gate on api/.
Out of Scope Changes check	✅ Passed	All changes directly support the linked issue objectives. Updates to CI workflows, coverage configuration, and .gitignore are necessary infrastructure for the test suite and do not introduce scope creep.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch test/integration-and-frontend

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

🧹 Nitpick comments (3)

static/js/shared/state.test.js (1)

13-17: ⚡ Quick win

Reset singleton state via hook instead of inline cleanup.

If this test fails before Line 17, shared state can leak into subsequent tests.

Proposed fix

-import { describe, it, expect } from 'vitest';
+import { describe, it, expect, beforeEach } from 'vitest';
 import { state } from './state.js';
 
 describe('state', () => {
+    beforeEach(() => {
+        state.currentProject = null;
+        state.cachedSessions = [];
+    });
+
@@
     it('allows updating currentProject', () => {
         state.currentProject = 'test-project';
         expect(state.currentProject).toBe('test-project');
-        state.currentProject = null;
     });
 });

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@static/js/shared/state.test.js` around lines 13 - 17, The test mutates the
shared singleton `state` inline and cleans up only within the test, risking
leaks if the test fails; replace the inline cleanup with a test lifecycle hook
(e.g., `afterEach`) that resets the singleton so all tests always run with a
clean state — specifically reset `state.currentProject` (or call an existing
`state.reset()` method if present) in an `afterEach` hook rather than setting
`state.currentProject = null` at the end of the `it('allows updating
currentProject')` test.

static/js/shared/markdown.test.js (1)

16-23: ⚡ Quick win

Restore global mocks after each test to prevent cross-suite leakage.

This suite mutates globalThis.marked/globalThis.DOMPurify but never restores prior values, which can make other tests order-dependent.

Proposed fix

 import { describe, it, expect, vi, beforeEach } from 'vitest';
 import { cleanContent, renderMarkdown } from './markdown.js';
 
 describe('cleanContent', () => {
@@
 describe('renderMarkdown', () => {
+    let originalMarked;
+    let originalDOMPurify;
+
     beforeEach(() => {
+        originalMarked = globalThis.marked;
+        originalDOMPurify = globalThis.DOMPurify;
         globalThis.marked = {
             parse: vi.fn((text) => `<p>${text}</p>`),
         };
         globalThis.DOMPurify = {
             sanitize: vi.fn((html) => html.replace(/<script[\s\S]*?<\/script>/gi, '')),
         };
     });
+
+    afterEach(() => {
+        globalThis.marked = originalMarked;
+        globalThis.DOMPurify = originalDOMPurify;
+    });

Also applies to: 31-33

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@static/js/shared/markdown.test.js` around lines 16 - 23, The test suite
replaces globalThis.marked and globalThis.DOMPurify in beforeEach but never
restores them, causing cross-test leakage; modify the tests to save the
originals (e.g., const _origMarked = globalThis.marked, const _origDOMPurify =
globalThis.DOMPurify) before mocking in beforeEach and add an afterEach that
restores globalThis.marked = _origMarked and globalThis.DOMPurify =
_origDOMPurify (and clears any vi mocks) so both the beforeEach block(s) that
set parse and sanitize mocks are properly reverted after each test.

tests/test_search.py (1)

43-51: ⚡ Quick win

Add explicit boundary tests for limit < 1.

Given this file is the limit-validation suite, add checks for limit=0 and negative limit to lock the contract already implemented in the API.

Proposed patch

 def test_limit_default(client):
     resp = client.get("/api/search?q=Hello")
     assert resp.status_code == 200
 
 
+def test_limit_zero_rejected(client):
+    resp = client.get("/api/search?q=Hello&limit=0")
+    assert resp.status_code == 400
+    assert "error" in resp.get_json()
+
+
+def test_limit_negative_rejected(client):
+    resp = client.get("/api/search?q=Hello&limit=-5")
+    assert resp.status_code == 400
+    assert "error" in resp.get_json()
+
+
 def test_empty_query(client):
     resp = client.get("/api/search?q=")
     assert resp.status_code == 200
     assert resp.get_json() == []

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/test_search.py` around lines 43 - 51, Add two explicit tests in
tests/test_search.py (e.g., test_limit_zero and test_limit_negative) that call
the search endpoint with limit=0 and limit=-1 (e.g.,
client.get("/api/search?q=Hello&limit=0") and
client.get("/api/search?q=Hello&limit=-1")) and assert the API rejects these
boundaries by returning an error status (assert resp.status_code == 400) to lock
the contract for limit < 1; place them alongside the existing test_limit_default
and test_empty_query functions.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 65-67: Replace tag refs with immutable commit SHAs for all GitHub
Action usages that currently use tags (e.g., actions/checkout@v4 and
actions/setup-python@v5 and the other tag refs in the file) by finding the
corresponding action repositories (actions/checkout, actions/setup-python,
etc.), selecting a specific commit SHA from the release you want to track, and
updating each usage to the full commit SHA (e.g.,
actions/checkout@<commit-sha>). Ensure every occurrence of a tag ref in the
workflow is changed to its full commit SHA so the CI runs deterministically and
securely.
- Line 65: Update every checkout step that uses "uses: actions/checkout@v4" to
include the option persist-credentials: false so the runner won't expose the
GITHUB_TOKEN to later steps; specifically modify each checkout occurrence (the
ones using actions/checkout@v4) to add a "with:" block containing
"persist-credentials: false" ensuring proper YAML indentation under the checkout
step, and apply this change to all four occurrences referenced in the workflow.
- Around line 61-98: Add an explicit permissions block to each job
(integration-tests and js-tests) to avoid default token permissions: insert a
permissions: contents: read stanza under each job definition to restrict to
least privilege, and for the integration-tests job (which runs
actions/upload-artifact) change to permissions: contents: write only if the
artifact upload fails with insufficient rights—otherwise keep read; ensure the
permissions block is placed at the same indentation level as name/runs-on for
the jobs.

In `@api/search.py`:
- Around line 19-23: The current check treats only exact empty string and misses
whitespace-only values, causing inputs like "   " to be treated as invalid;
update the limit-parsing logic (the branch around raw, the int conversion where
n = int(raw) and the except ValueError) to treat raw as blank when raw is None
or raw.strip() == "" and to call int(raw.strip()) when converting; this will
make whitespace-only input default to _DEFAULT_LIMIT and still raise ValueError
for non-numeric content.

---

Nitpick comments:
In `@static/js/shared/markdown.test.js`:
- Around line 16-23: The test suite replaces globalThis.marked and
globalThis.DOMPurify in beforeEach but never restores them, causing cross-test
leakage; modify the tests to save the originals (e.g., const _origMarked =
globalThis.marked, const _origDOMPurify = globalThis.DOMPurify) before mocking
in beforeEach and add an afterEach that restores globalThis.marked = _origMarked
and globalThis.DOMPurify = _origDOMPurify (and clears any vi mocks) so both the
beforeEach block(s) that set parse and sanitize mocks are properly reverted
after each test.

In `@static/js/shared/state.test.js`:
- Around line 13-17: The test mutates the shared singleton `state` inline and
cleans up only within the test, risking leaks if the test fails; replace the
inline cleanup with a test lifecycle hook (e.g., `afterEach`) that resets the
singleton so all tests always run with a clean state — specifically reset
`state.currentProject` (or call an existing `state.reset()` method if present)
in an `afterEach` hook rather than setting `state.currentProject = null` at the
end of the `it('allows updating currentProject')` test.

In `@tests/test_search.py`:
- Around line 43-51: Add two explicit tests in tests/test_search.py (e.g.,
test_limit_zero and test_limit_negative) that call the search endpoint with
limit=0 and limit=-1 (e.g., client.get("/api/search?q=Hello&limit=0") and
client.get("/api/search?q=Hello&limit=-1")) and assert the API rejects these
boundaries by returning an error status (assert resp.status_code == 400) to lock
the contract for limit < 1; place them alongside the existing test_limit_default
and test_empty_query functions.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 486b1227-11e0-4657-8bf8-62f272633275

📥 Commits

Reviewing files that changed from the base of the PR and between 4bbb456 and 650a4a9.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (16)

• .coverage
• .github/workflows/ci.yml
• .gitignore
• api/search.py
• package.json
• pyproject.toml
• requirements-dev.txt
• static/js/shared/markdown.test.js
• static/js/shared/state.test.js
• static/js/shared/utils.test.js
• tests/fixtures/session_minimal.jsonl
• tests/fixtures/session_with_thinking.jsonl
• tests/fixtures/session_with_tools.jsonl
• tests/test_api_integration.py
• tests/test_search.py
• vitest.config.js

[coderabbitai]

🧹 Nitpick comments (1)

tests/test_search.py (1)

27-35: ⚡ Quick win

Strengthen default-limit assertions with response shape checks.

Line 29 and Line 34 only assert status code. Add list-shape assertions so these tests catch response-body regressions too.

✅ Suggested test hardening

 def test_limit_default(client_single):
     resp = client_single.get("/api/search?q=Hello")
     assert resp.status_code == 200
+    assert isinstance(resp.get_json(), list)


 def test_limit_whitespace_defaults(client_single):
     resp = client_single.get("/api/search?q=Hello&limit=%20%20%20")
     assert resp.status_code == 200
+    assert isinstance(resp.get_json(), list)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/test_search.py` around lines 27 - 35, Update the two tests
test_limit_default and test_limit_whitespace_defaults to validate the response
body shape in addition to status 200: parse resp.json(), assert the top-level
value is a list (e.g., isinstance(resp.json(), list) or len check) and
optionally assert each item is a dict or contains expected keys (e.g., "id" or
"text") to catch body regressions; keep the existing status_code assertions and
only add these lightweight structural checks in both functions.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@tests/test_search.py`:
- Around line 27-35: Update the two tests test_limit_default and
test_limit_whitespace_defaults to validate the response body shape in addition
to status 200: parse resp.json(), assert the top-level value is a list (e.g.,
isinstance(resp.json(), list) or len check) and optionally assert each item is a
dict or contains expected keys (e.g., "id" or "text") to catch body regressions;
keep the existing status_code assertions and only add these lightweight
structural checks in both functions.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6ece97f9-45c4-4c60-82e9-08c1687b4aed

📥 Commits

Reviewing files that changed from the base of the PR and between 9c75327 and 449a117.

📒 Files selected for processing (7)

• .coverage
• .github/workflows/ci.yml
• .gitignore
• pyproject.toml
• tests/conftest.py
• tests/test_api_integration.py
• tests/test_search.py

✅ Files skipped from review due to trivial changes (1)

• .gitignore

[timon0305]

This test bypasses the client fixture from conftest.py because it wants a tmp_path with no seeded sessions. Cleaner to add a third fixture client_empty (returning a client over an empty tmp_path) and use it here. Right now this test rebuilds the entire app setup inline.

[timon0305]

from None suppresses the upstream chain. For server-side debugging, you lose the original int("1.5") message ("invalid literal for int() with base 10: '1.5'"). Suggest either dropping from None so the chain stays for tracebacks, or using from exc to keep the cause visible. The client-facing message stays the same either way (it's the outer ValueError's string).

[timon0305]

The thinking-block fixture is added but test_api_integration.py and test_search.py don't reference it (only session_minimal.jsonl and session_with_tools.jsonl are copied via the conftest.py fixtures). Either remove it or add a test that exercises the thinking content-block path through the session-detail endpoint.

[timon0305]

.coverage is checked in as a tracked binary file. The same PR adds .coverage to .gitignore on the line below, but gitignore doesn't retroactively untrack files that are already tracked — the binary will keep regenerating on every CI run and getting committed unless it's explicitly untracked first.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@tests/test_api_integration.py`:
- Around line 83-85: The test currently asserts the thinking text only on
assistant_msgs[0], which is order-dependent; update the assertion to check that
any assistant message in assistant_msgs has get("thinking") == "Considering
options carefully." (e.g., replace the index-based check with an any(...) or
equivalent on assistant_msgs) so the test passes regardless of message order
while still verifying the presence of the expected thinking field.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: bd357113-1c3c-4b58-a6af-97444da65d88

📥 Commits

Reviewing files that changed from the base of the PR and between 449a117 and 19941df.

📒 Files selected for processing (3)

• api/search.py
• tests/conftest.py
• tests/test_api_integration.py