AntFleet

Disagreement · 5502fb0d-anthropic-1

Tests share a single middleware response across all `it` blocks, weakening isolation and hiding per-request bugs

mismatch
repo e24ef98c · PR #5 · reviewed 2 weeks ago

Primary finding

Tests share a single middleware response across all `it` blocks, weakening isolation and hiding per-request bugs

low · test-gap · high
  • apps/web/middleware.test.ts:20-22
`middleware(makeReq())` is invoked once at describe-body evaluation time and the same `res` object is reused across every `it`. If a future change makes header behavior request-dependent (e.g., path-based CSP relaxation), tests will keep passing because they never re-invoke the middleware per case. It also means a test that mutated `res.headers` would leak into others. Low severity today since headers are static, but it's a latent maintainability issue and a pattern that violates test isolation.

Recommendation

Move `const res = middleware(makeReq())` into a `beforeEach` or invoke per test, so future request-dependent logic is exercised correctly.

Counterpart finding

Outdated/misleading test comment about importing SECURITY_HEADERS

low · docs-gap · high
  • apps/web/middleware.test.ts:8-10
  • apps/web/middleware.test.ts:12
  • apps/web/middleware.test.ts:19-21
  • apps/web/middleware.ts:13
  • apps/web/middleware.ts:44
The test file comment claims SECURITY_HEADERS is imported via re-export and tested directly, but the code instantiates the middleware and inspects the resulting response headers. SECURITY_HEADERS is not exported from middleware.ts, making the comment inaccurate/outdated.

Recommendation

Update the test comment to reflect the actual approach (calling middleware and inspecting the response). Alternatively, export SECURITY_HEADERS from middleware.ts and adjust the test to import and validate it directly, if that approach is preferred.
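The following is an added example, not code from the PR under review. It is a stand-in for `apps/web/middleware.ts` that illustrates both findings: the primary finding's isolation problem (one response built at describe-body time and reused by every case, versus a fresh response per case as `beforeEach` would give), and the counterpart finding's alternative of exporting `SECURITY_HEADERS` and checking the response against it directly. The header table, `makeReq`, the `/embed/` CSP relaxation and the partner origin are all assumptions made for illustration. With a shared response the embed case is evaluated against the response for `/`, so it cannot observe the route-specific branch: it either fails spuriously, as here, or, if it only asserts baseline headers, passes without ever exercising that branch.

```typescript
// Added example, not code from the PR under review. A stand-in for
// apps/web/middleware.ts and for the two test layouts discussed above.
// SECURITY_HEADERS, makeReq, the "/embed/" CSP relaxation and the partner
// origin are assumptions made for illustration.

export const SECURITY_HEADERS: Record<string, string> = {
  "content-security-policy": "default-src 'self'; frame-ancestors 'none'",
  "x-content-type-options": "nosniff",
  "x-frame-options": "DENY",
};

// Builds the response and applies the static headers. The "/embed/" branch is
// the hypothetical future request-dependent change the finding warns about.
export function middleware(req: Request): Response {
  const res = new Response(null, { status: 200 });
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    res.headers.set(name, value);
  }
  if (new URL(req.url).pathname.startsWith("/embed/")) {
    res.headers.set(
      "content-security-policy",
      "default-src 'self'; frame-ancestors https://partner.example",
    );
    res.headers.delete("x-frame-options"); // framing is allowed on this route
  }
  return res;
}

export function makeReq(path = "/"): Request {
  return new Request(`https://app.example${path}`);
}

// Extracts the frame-ancestors source list from the CSP header, if present.
export function frameAncestors(res: Response): string | undefined {
  const csp = res.headers.get("content-security-policy") ?? "";
  const directive = csp
    .split(";")
    .map((d) => d.trim())
    .find((d) => d.startsWith("frame-ancestors "));
  return directive?.slice("frame-ancestors ".length);
}

export interface HeaderCase { path: string; frameAncestors: string }
export const CASES: HeaderCase[] = [
  { path: "/", frameAncestors: "'none'" },
  { path: "/embed/widget", frameAncestors: "https://partner.example" },
];

// The layout flagged in the primary finding: middleware runs once when the
// describe body is evaluated and every case inspects that same response.
// Returns, per case, whether the observed frame-ancestors value matched.
export function sharedResponseLayout(): boolean[] {
  const res = middleware(makeReq()); // evaluated once, always for "/"
  return CASES.map((c) => frameAncestors(res) === c.frameAncestors);
}

// The recommended layout: a fresh response per case, which is what moving
// the middleware call into beforeEach gives you.
export function perCaseLayout(): boolean[] {
  return CASES.map(
    (c) => frameAncestors(middleware(makeReq(c.path))) === c.frameAncestors,
  );
}

// The second hazard: a case that mutates res.headers leaks into later cases
// when the response is shared. Simulates two cases and returns whether the
// second one still sees X-Content-Type-Options.
export function nosniffSurvivesMutation(shared: boolean): boolean {
  const sharedRes = middleware(makeReq());
  const resFor = () => (shared ? sharedRes : middleware(makeReq()));
  resFor().headers.delete("x-content-type-options"); // careless first case
  return resFor().headers.get("x-content-type-options") === "nosniff";
}

// The counterpart finding's alternative: export SECURITY_HEADERS and compare
// the response against it directly. Returns the names of headers that are
// missing from, or differ on, the response for the given path.
export function missingSecurityHeaders(path: string): string[] {
  const res = middleware(makeReq(path));
  return Object.entries(SECURITY_HEADERS)
    .filter(([name, value]) => res.headers.get(name) !== value)
    .map(([name]) => name);
}
```

`missingSecurityHeaders` also shows the caveat of the direct-comparison approach: it only holds while every route carries the table unchanged, so as soon as a route-dependent branch exists (the `/embed/` case here) the test has to compare against the expected headers for that route rather than the shared constant.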

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. Here both models rated the same lines as low severity, but one filed it as a test gap and the other as a docs gap, so the categories didn't match and the finding fell through.
