Phase 3: Add web-test CI job, harden security gates, add P0 tests

[ComBba]

Summary

CI Changes

• Add web-test job running vitest (was missing entirely from CI)
• bandit: remove || true, enforce --severity-level high
• npm audit: remove || true, enforce --audit-level=high
• mypy: replace || true with continue-on-error: true

New Tests

• zero-prompt-api.test.ts — 8 tests (startSession, actions, SSE parsing)
• sse-client.test.ts — 6 tests (JSON/text parsing, error, abort, comments)
• test_event_bus.py — 8 tests (register, fan-out, overflow, multi-client)

Changes

• 4 files changed, +358 lines
• Web: 2 → 5 test files (9 → 31 tests)

Test plan

• 31 web tests pass (5 test files)
• 41 agent auth+event_bus tests pass
• Web build succeeds

🤖 Generated with Claude Code

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f2c4a91f-a82d-4fe9-8032-62d8fdf68cbf

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch phase-3/tests-ci-hardening

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request introduces new test suites for the event bus system in the agent and the SSE client and Zero Prompt API in the web frontend. The feedback focuses on improving the robustness and maintainability of these tests. Specifically, it is recommended to use the queue's maxsize property in the event bus tests instead of hardcoding capacity values. Additionally, for the frontend SSE client tests, replacing fixed setTimeout delays with Vitest's waitFor utility is suggested to reduce flakiness and improve execution speed.

[gemini-code-assist]

Avoid hardcoding the queue capacity (300) in the test, as it mirrors a hardcoded value in the implementation. This makes the test fragile to changes in the production code's configuration. It is better to use the maxsize property of the queue object to ensure the test remains valid even if the capacity is adjusted.

Suggested change

	for i in range(300):
	push_zp_event({"session_id": "s1", "type": f"event_{i}"})
	assert q.qsize() == 300
	# Fill the queue to max
	for i in range(q.maxsize):
	push_zp_event({"session_id": "s1", "type": f"event_{i}"})
	assert q.qsize() == q.maxsize

[gemini-code-assist]

Add waitFor to the Vitest imports to enable more robust and efficient asynchronous testing, replacing the fixed setTimeout delays used throughout the file.

Suggested change

	import { describe, it, expect, vi, beforeEach } from "vitest";
	import { describe, it, expect, vi, beforeEach, waitFor } from "vitest";

[gemini-code-assist]

Using a fixed setTimeout delay to wait for asynchronous stream processing is a common source of test flakiness and unnecessarily increases test execution time. Consider using waitFor to poll for the expected condition, which is more robust and efficient. This pattern should be applied to all similar instances in this file.

Suggested change

	await new Promise((r) => setTimeout(r, 50));
	await waitFor(() => expect(events.length).toBe(2));