Test gaps: no frontend/integration tests; unit tests encode insecure auth as expected #28

Description

@waritctd

Severity: Medium (test quality)

Backend has 81 @Test methods across 11 files (decent), but there are meaningful gaps:

  1. Unit tests codify the insecure auth contract. AuthServiceTest.derivesHrRoleFromHrMdMnDivision logs in with password "GLR-42" — the employee code — and asserts the login succeeds. The tests treat the password-equals-employee-code behavior as the expected contract. When the auth rework lands (see private advisory GHSA-2fm4-74wf-99rh), these must be rewritten to assert hashed-credential verification and to reject the employee code as a password.

  2. No integration tests. All backend tests use Mockito mocks; no test exercises the real SQL/repository layer (e.g. Testcontainers + Postgres). Dynamic SQL in EmployeeRepository/TicketRepository is untested against a real DB.

  3. No frontend tests at all. frontend/package.json has no test runner and empty devDependencies. Permission/routing logic (app/permissions.js, useHrData.js) and the API client are untested.

Remediation

  • Add Vitest + React Testing Library; cover permissions, useHrData, and api/client (CSRF header logic).
  • Add Testcontainers-based repository integration tests.
  • Rewrite auth tests alongside the credential rework.
