user-system/docs/status/REAL_PROJECT_STATUS.md

# REAL PROJECT STATUS
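## 2026-04-01 GAP Fix Verification Update
### Verification results for this round
- Backend: `go vet` ✅ / `go build` ✅ / `go test`
- Frontend: `lint` ✅ / `build`
- Frontend tests: ⚠️ 3 failures (pre-existing; the test pipeline is not fully restored)
- Real-browser E2E: ❌ did not complete; blocked waiting for the backend health check to become ready
### Fixes in this round
- **GAP-01**: recursive role-inheritance query + cycle detection + depth limit (5 levels) ✅
- **GAP-02**: password history (the 5 most recent passwords cannot be reused) ✅
- **GAP-03**: device trust (trusted devices skip 2FA) ✅
- **GAP-05**: detection of logins from an unusual location (AnomalyDetector) ✅
- **GAP-06**: device fingerprint collection (browser/OS/device_id) ✅
- **GAP-08**: device fingerprint collection on the frontend login page ✅
- **GAP-09**: trust status display on the frontend device management page ✅
- **GAP-10**: "remember this device" option when enabling TOTP ✅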
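
One way the GAP-01 checks (inheritance walk, cycle detection, 5-level depth limit) can be implemented, as an added Go example that is not the project's code. It assumes a single-parent role model; `Role`, `RoleStore`, `EffectivePermissions` and `SetParent` are hypothetical names, and the sample roles are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// MaxInheritDepth mirrors the 5-level limit stated for GAP-01.
const MaxInheritDepth = 5

var (
	ErrRoleCycle     = errors.New("role inheritance cycle detected")
	ErrDepthExceeded = errors.New("role inheritance depth limit exceeded")
	ErrRoleNotFound  = errors.New("role not found")
)

// Role is a hypothetical single-parent role model (ParentID 0 means "no parent").
type Role struct {
	ID       int
	ParentID int
	Perms    []string
}

// RoleStore is a hypothetical in-memory stand-in for the role repository.
type RoleStore map[int]Role

// EffectivePermissions walks from roleID up the parent chain and returns the
// sorted union of permissions. It fails closed: on a cycle, a missing role, or
// more than MaxInheritDepth ancestors it returns an error and no permissions.
func (s RoleStore) EffectivePermissions(roleID int) ([]string, error) {
	seen := make(map[int]bool)
	perms := make(map[string]bool)
	cur := roleID
	for depth := 0; cur != 0; depth++ {
		if seen[cur] {
			return nil, ErrRoleCycle
		}
		if depth > MaxInheritDepth {
			return nil, ErrDepthExceeded
		}
		role, ok := s[cur]
		if !ok {
			return nil, fmt.Errorf("%w: id %d", ErrRoleNotFound, cur)
		}
		seen[cur] = true
		for _, p := range role.Perms {
			perms[p] = true
		}
		cur = role.ParentID
	}
	out := make([]string, 0, len(perms))
	for p := range perms {
		out = append(out, p)
	}
	sort.Strings(out)
	return out, nil
}

// SetParent rejects a parent assignment that would create a cycle or make
// childID's own chain too deep. Descendants of childID are not re-checked
// here; the read-time check in EffectivePermissions remains the backstop.
func (s RoleStore) SetParent(childID, parentID int) error {
	child, ok := s[childID]
	if !ok {
		return fmt.Errorf("%w: id %d", ErrRoleNotFound, childID)
	}
	old := child.ParentID
	child.ParentID = parentID
	s[childID] = child
	if _, err := s.EffectivePermissions(childID); err != nil {
		child.ParentID = old // roll back the rejected edge
		s[childID] = child
		return err
	}
	return nil
}

func main() {
	// Constructed sample data: 3 inherits from 2, which inherits from 1.
	store := RoleStore{
		1: {ID: 1, Perms: []string{"user:read"}},
		2: {ID: 2, ParentID: 1, Perms: []string{"user:write"}},
		3: {ID: 3, ParentID: 2, Perms: []string{"role:assign"}},
	}
	fmt.Println(store.EffectivePermissions(3))
	fmt.Println(store.SetParent(1, 3)) // would close the loop 1 -> 3 -> 2 -> 1
}
```
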
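### User-facing gaps (still to be implemented)
- System settings page: no standalone frontend page
- Global device management page: device management is currently embedded only in the profile page (profile/security)
### API documentation updates
- `docs/API.md` update date set to 2026-04-01
- Added descriptions of the device-trust endpoints
### Pending
- GAP-04: SSO CAS/SAML (optional PRD feature)
- GAP-07: SDK support (optional PRD feature)
## 2026-04-01 Expert Full Verification Update
- Completed a full dual-perspective re-review by a testing expert and a user expert; see `docs/code-review/VALIDATION_REPORT_2026-04-01.md`
- Backend verification this round: `go vet ./...` ✅, `go build ./cmd/server` ✅, `go test ./... -count=1`
- Frontend verification this round: `npm run lint` ✅, `npm run build` ✅, `npm run test -- --run` (3 failures), `npm run test:coverage` ⚠️, `npm run e2e:full:win` ❌ (backend health check not ready)
- Real boundary: this round cannot again claim that "browser-level real E2E has been re-verified end to end"; currently only the backend build/tests and the frontend lint/build can be confirmed as still trustworthy
- PRD/implementation corrections: SMS password reset ✅; role inheritance, device trust, and unusual-location/anomalous-device detection are all "partially implemented"; CAS/SAML and SDK are still not implemented
- Main user-facing gaps: administrator management page, system settings page, global device management page, login-log export, batch operations
- Current overall score: **8.4/10**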
## 2026-03-29 Code Review Findings Update
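- Completed a comprehensive, systematic review of the project code, covering the backend (Go) and the frontend (React/TypeScript)
- Found 7 high-severity, 13 medium-severity, and 6 low-severity issues
- Updated `docs/PROJECT_REVIEW_REPORT.md` with the complete issue list and remediation recommendations
### High-priority issue summary
**Backend (4 high-severity)**:
- OAuth `ValidateToken` performs no real validation: it only checks `len(token) > 0`
- The StateManager cleanup goroutine cannot be stopped: resource-leak risk
- The rate limiter map grows without bound: memory-leak risk
- L1Cache has no maximum capacity: memory-leak risk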
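
A sketch of how two of the backend findings above (a cleanup goroutine that cannot be stopped, and a rate limiter map that grows without bound) are commonly fixed together. This is an added Go example, not the project's code: `Config`, `Limiter` and every field name are hypothetical, and the fail-closed behaviour when the map is full is one design choice among several.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Config is hypothetical; none of these names come from the project.
type Config struct {
	Limit      int              // requests allowed per key per window
	Window     time.Duration    // fixed window length
	MaxKeys    int              // hard cap on tracked keys, bounds memory
	SweepEvery time.Duration    // cleanup interval, must be > 0
	Now        func() time.Time // clock, injectable for tests
}

type bucket struct {
	count int
	start time.Time
}

// Limiter is a fixed-window limiter with a bounded map and a cleanup
// goroutine that runs only until Stop is called.
type Limiter struct {
	cfg      Config
	mu       sync.Mutex
	buckets  map[string]*bucket
	stop     chan struct{}
	done     chan struct{}
	stopOnce sync.Once
}

func NewLimiter(cfg Config) *Limiter {
	l := &Limiter{cfg: cfg, buckets: map[string]*bucket{},
		stop: make(chan struct{}), done: make(chan struct{})}
	go func() {
		defer close(l.done)
		t := time.NewTicker(cfg.SweepEvery)
		defer t.Stop()
		for {
			select {
			case <-t.C:
				l.Sweep()
			case <-l.stop:
				return
			}
		}
	}()
	return l
}

// Stop ends the cleanup goroutine and waits for it; calling it twice is safe.
func (l *Limiter) Stop() {
	l.stopOnce.Do(func() { close(l.stop) })
	<-l.done
}

// Sweep deletes buckets whose window has expired and returns how many it removed.
func (l *Limiter) Sweep() int {
	l.mu.Lock()
	defer l.mu.Unlock()
	now, removed := l.cfg.Now(), 0
	for k, b := range l.buckets {
		if now.Sub(b.start) >= l.cfg.Window {
			delete(l.buckets, k)
			removed++
		}
	}
	return removed
}

// Allow reports whether key may proceed. When the map is full an unknown key
// is refused (fail closed) rather than growing the map; Sweep frees the slots.
func (l *Limiter) Allow(key string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.cfg.Now()
	b, ok := l.buckets[key]
	switch {
	case !ok && len(l.buckets) >= l.cfg.MaxKeys:
		return false
	case !ok:
		b = &bucket{start: now}
		l.buckets[key] = b
	case now.Sub(b.start) >= l.cfg.Window:
		b.count, b.start = 0, now // window rolled over
	}
	if b.count >= l.cfg.Limit {
		return false
	}
	b.count++
	return true
}

func main() {
	l := NewLimiter(Config{Limit: 2, Window: time.Second, MaxKeys: 1000, SweepEvery: time.Second, Now: time.Now})
	defer l.Stop()
	fmt.Println(l.Allow("k"), l.Allow("k"), l.Allow("k")) // constructed key; third call exceeds Limit
}
```

Refusing unknown keys when the map is full trades availability for bounded memory, so `MaxKeys` should sit well above the normal number of active clients.
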
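**Frontend (3 high-severity)**:
- `uploadAvatar` field name may be wrong: functional bug
- Webhooks are loaded in full with no server-side pagination: performance and scalability issue
- ProfileSecurityPage does not reuse the existing ContactBindingsSection: code duplication
### Documentation fixes
- Rewrote `docs/PROJECT_REVIEW_REPORT.md` (the original file had encoding problems)
- Recorded the differences between DATA_MODEL and the actual implementation
### Historical conclusions still in effect
The following conclusions remain unchanged (see the history below for details):
- Q-006 (alert delivery readiness): still awaiting real SMTP verification
- Q-005 (SCA): closed
- Q-004 (coverage): closed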
## 2026-03-29 Q-006 Alert Delivery Readiness Update
- `Q-006` still cannot be honestly declared closed.
- Repo-level closure preparation improved materially:
- added a strict live-delivery drill entrypoint in [`scripts/ops/drill-alertmanager-live-delivery.ps1`](/D:/project/scripts/ops/drill-alertmanager-live-delivery.ps1)
- the new drill refuses unresolved placeholders, `example.*` addresses/hosts, and placeholder secrets instead of producing fake success
- the drill writes only redacted config output and masked recipient evidence, so real contacts and secrets are not leaked into the repo evidence tree
- [`scripts/ops/validate-alerting-package.ps1`](/D:/project/scripts/ops/validate-alerting-package.ps1) now falls back to the latest available baseline report across prior evidence dates, removing a date-rollover false blocker
- Validation passed:
- `powershell -ExecutionPolicy Bypass -File scripts/ops/validate-alerting-package.ps1 -EvidenceDate 2026-03-29`
- `powershell -ExecutionPolicy Bypass -File scripts/ops/drill-alertmanager-render.ps1 -EvidenceDate 2026-03-29`
- `powershell -ExecutionPolicy Bypass -File scripts/ops/drill-alertmanager-live-delivery.ps1 -EvidenceDate 2026-03-29 -EnvFilePath deployment/alertmanager/alertmanager.env.example`
- Latest real outcomes:
- structural alerting package validation still passes
- render drill still passes
- the new live-delivery drill fails closed against `alertmanager.env.example`, which is the correct behavior and proves the path does not fake production closure
- Real remaining blocker:
- `Q-006` now narrows to one external proof item: a real non-placeholder env/secret source plus a successful live SMTP acceptance run for the configured on-call receivers
- Evidence:
- [`docs/evidence/ops/2026-03-29/alerting/ALERTING_PACKAGE_20260329-100315.md`](/D:/project/docs/evidence/ops/2026-03-29/alerting/ALERTING_PACKAGE_20260329-100315.md)
- [`docs/evidence/ops/2026-03-29/alerting/20260329-100315/ALERTMANAGER_RENDER_DRILL.md`](/D:/project/docs/evidence/ops/2026-03-29/alerting/20260329-100315/ALERTMANAGER_RENDER_DRILL.md)
- [`docs/evidence/ops/2026-03-29/alerting/20260329-100315/ALERTMANAGER_LIVE_DELIVERY_DRILL.md`](/D:/project/docs/evidence/ops/2026-03-29/alerting/20260329-100315/ALERTMANAGER_LIVE_DELIVERY_DRILL.md)
## 2026-03-28 Q-005 SCA Closure Update
- `Q-005` can now be honestly declared closed.
- Real closure evidence:
- the latest frontend full dependency-tree scan is now clean
- the latest production dependency scan remains clean
- the latest backend reachable vulnerability scan remains clean
- Frontend dependency remediation completed:
- upgraded `vite` to `8.0.3`
- upgraded `vitest` and `@vitest/coverage-v8` to `4.1.2`
- upgraded `typescript-eslint` to `8.57.2`
- pinned the vulnerable transitive chains through `overrides`:
- `picomatch` -> `4.0.4`
- `brace-expansion` for `minimatch@3` -> `1.1.13`
- `brace-expansion` for `minimatch@10` -> `5.0.5`
- Validation passed:
- `cd frontend/admin && npm.cmd audit --omit=dev --json --registry=https://registry.npmjs.org/`
- `cd frontend/admin && npm.cmd audit --json --registry=https://registry.npmjs.org/`
- `go run golang.org/x/vuln/cmd/govulncheck@latest -json ./...`
- `cd frontend/admin && npm.cmd run lint`
- `cd frontend/admin && npm.cmd run build`
- `cd frontend/admin && npm.cmd run test:coverage`
- Latest SCA result:
- `npm audit production`: `0`
- `npm audit full`: `0`
- `govulncheck reachable findings`: `0`
- Real residual note:
- one Windows cleanup warning was emitted while replacing native packages under `node_modules`, but it did not block installation or validation
- the unrelated npm user-config warning `Unknown user config "//git@github.com/"` is still external environment noise, not a project-generated failure
- Next remaining cross-cutting gap:
- `Q-006` external alert delivery evidence is now the next unclosed major governance item
- Evidence:
- [`docs/evidence/ops/2026-03-28/sca/SCA_SUMMARY_20260328-220806.md`](/D:/project/docs/evidence/ops/2026-03-28/sca/SCA_SUMMARY_20260328-220806.md)
## 2026-03-28 Q-004 Hygiene Closure Update
- The `frontend/admin` `Q-004` closure track can now be honestly declared closed.
- Real closure evidence:
- the latest full frontend `test:coverage` run no longer emits the previously recurring post-summary jsdom `AggregateError` network-noise lines
- `frontend/admin/src/app/router.tsx` remained at `100 / 100 / 100 / 100` in that same full-suite run, so the earlier transient regression is not part of the current real state
- Validation passed:
- `cd frontend/admin && npm.cmd run lint`
- `cd frontend/admin && npm.cmd run build`
- `cd frontend/admin && npm.cmd run test:coverage`
- Frontend current full coverage:
- statements `93.98%`
- branches `82.29%`
- functions `91.37%`
- lines `94.15%`
- Latest full test result:
- `54` passing test files
- `248` passing tests
- Real hygiene note:
- the previous jsdom `AggregateError` noise is absent in the latest successful run
- the remaining command-line warning is the external npm user-config warning `Unknown user config "//git@github.com/"`, not a project-generated frontend validation failure
- Evidence:
- [`docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-151952.md`](/D:/project/docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-151952.md)
## 2026-03-28 ThemeProvider Coverage Closure Update
- `Q-004` remediation progressed again, but still cannot be honestly declared closed.
- Frontend theme-provider closure:
- `frontend/admin/src/app/providers/ThemeProvider.tsx` is now covered at `100 / 100 / 100 / 100`.
- `frontend/admin/src/app/providers/ThemeProvider.test.tsx` now covers locale propagation, theme-token propagation, component-level override propagation, and child rendering through `ConfigProvider`.
- Validation passed:
- `cd frontend/admin && npm.cmd run test:run -- src/app/providers/ThemeProvider.test.tsx`
- `cd frontend/admin && npm.cmd run lint`
- `cd frontend/admin && npm.cmd run build`
- `cd frontend/admin && npm.cmd run test:coverage`
- Frontend current full coverage:
- statements `93.93%`
- branches `82.29%`
- functions `91.37%`
- lines `94.10%`
- Real remaining `Q-004` frontend gap after this closure:
- the post-summary jsdom `AggregateError` network-noise hygiene issue
- Real hygiene note:
- all previously identified frontend code hotspots in this closure track are now covered and re-verified
- the successful frontend coverage run still prints post-summary jsdom `AggregateError` network-noise lines, so the run is green but not yet fully clean
- Evidence:
- [`docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-144756.md`](/D:/project/docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-144756.md)
## 2026-03-28 Breadcrumb Coverage Closure Update
- `Q-004` remediation progressed again, but still cannot be honestly declared closed.
- Frontend breadcrumb-hook closure:
- `frontend/admin/src/lib/hooks/useBreadcrumbs.ts` is now covered at `100 / 100 / 100 / 100`.
- the hook was simplified to remove redundant parent-injection logic that was dead under the current route model.
- `frontend/admin/src/lib/hooks/useBreadcrumbs.test.tsx` now covers root, single-segment, nested, and unknown-segment breadcrumb behavior.
- Validation passed:
- `cd frontend/admin && npm.cmd run test:run -- src/lib/hooks/useBreadcrumbs.test.tsx`
- `cd frontend/admin && npm.cmd run lint`
- `cd frontend/admin && npm.cmd run build`
- `cd frontend/admin && npm.cmd run test:coverage`
- Frontend current full coverage:
- statements `93.84%`
- branches `82.29%`
- functions `91.21%`
- lines `94.01%`
- Real remaining `Q-004` frontend gaps after this closure:
- `src/app/providers/ThemeProvider.tsx`
- the post-summary jsdom `AggregateError` network-noise hygiene issue
- Real hygiene note:
- the successful frontend coverage run still prints post-summary jsdom `AggregateError` network-noise lines, so the run is green but not yet fully clean
- Evidence:
- [`docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-144036.md`](/D:/project/docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-144036.md)
## 2026-03-28 NotFound Coverage Closure Update
- `Q-004` remediation progressed again, but still cannot be honestly declared closed.
- Frontend 404-page closure:
- `frontend/admin/src/pages/NotFoundPage/NotFoundPage.tsx` is now covered at `100 / 100 / 100 / 100`.
- `frontend/admin/src/pages/NotFoundPage/NotFoundPage.test.tsx` now covers 404 rendering, missing-page messaging, and navigation back to `/dashboard`.
- Validation passed:
- `cd frontend/admin && npm.cmd run test:run -- src/pages/NotFoundPage/NotFoundPage.test.tsx`
- `cd frontend/admin && npm.cmd run lint`
- `cd frontend/admin && npm.cmd run build`
- `cd frontend/admin && npm.cmd run test:coverage`
- Frontend current full coverage:
- statements `93.69%`
- branches `81.95%`
- functions `91.24%`
- lines `93.85%`
- Real remaining `Q-004` frontend gaps after this closure:
- `src/lib/hooks/useBreadcrumbs.ts`
- `src/app/providers/ThemeProvider.tsx`
- the post-summary jsdom `AggregateError` network-noise hygiene issue
- Real hygiene note:
- the successful frontend coverage run still prints post-summary jsdom `AggregateError` network-noise lines, so the run is green but not yet fully clean
- Evidence:
- [`docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-143209.md`](/D:/project/docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-143209.md)
## 2026-03-28 ImportExport Coverage Closure Update
- `Q-004` remediation progressed again, but still cannot be honestly declared closed.
- Frontend import/export closure:
- `frontend/admin/src/pages/admin/ImportExportPage/ImportExportPage.tsx` is now covered at `100 / 100 / 100 / 100`.
- `frontend/admin/src/pages/admin/ImportExportPage/ImportExportPage.test.tsx` now covers template format switching, validation guards, import success and warning flows, reset behavior, export field updates, and export failure handling.
- Validation passed:
- `cd frontend/admin && npm.cmd run test:run -- src/pages/admin/ImportExportPage/ImportExportPage.test.tsx`
- `cd frontend/admin && npm.cmd run lint`
- `cd frontend/admin && npm.cmd run build`
- `cd frontend/admin && npm.cmd run test:coverage`
- Frontend current full coverage:
- statements `93.56%`
- branches `81.95%`
- functions `90.93%`
- lines `93.71%`
- Real remaining `Q-004` frontend gaps after this closure:
- `src/pages/NotFoundPage/NotFoundPage.tsx`
- `src/lib/hooks/useBreadcrumbs.ts`
- `src/app/providers/ThemeProvider.tsx`
- the post-summary jsdom `AggregateError` network-noise hygiene issue
- Real hygiene note:
- the page-local `window.getComputedStyle(..., pseudoElt)` noise introduced during the first draft of this pass has been removed
- the successful frontend coverage run still prints post-summary jsdom `AggregateError` network-noise lines, so the run is green but not yet fully clean
- Evidence:
- [`docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-142248.md`](/D:/project/docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-142248.md)
## 2026-03-28 Coverage Remediation Update XV
- `Q-004` improved again after another strict remediation pass, but it still remains open.
- This pass added and verified:
- closure-grade shell coverage for `App.tsx` and `RootLayout.tsx`
- closure-grade error-boundary coverage for `ErrorBoundary.tsx`
- Latest coverage result:
- Frontend overall: statements `89.72%`, branches `77.57%`, functions `84.48%`, lines `90.64%`
- `src/app/App.tsx`: statements `100%`, branches `100%`, functions `100%`, lines `100%`
- `src/app/RootLayout.tsx`: statements `100%`, branches `100%`, functions `100%`, lines `100%`
- `src/components/common/ErrorBoundary/ErrorBoundary.tsx`: statements `100%`, branches `83.33%`, functions `100%`, lines `100%`
- Latest verified commands:
- `cd D:\project\frontend\admin && npm.cmd run test:run -- src/app/App.test.tsx src/app/RootLayout.test.tsx src/components/common/ErrorBoundary/ErrorBoundary.test.tsx`
- `cd D:\project\frontend\admin && npm.cmd run lint`
- `cd D:\project\frontend\admin && npm.cmd run build`
- `cd D:\project\frontend\admin && npm.cmd run test:coverage`
- Latest evidence:
- [`docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-110341.md`](/D:/project/docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-110341.md)
- Real boundary:
- `App.tsx`, `RootLayout.tsx`, and `ErrorBoundary.tsx` are no longer remaining `Q-004` gaps
- `Q-004` still cannot be truthfully closed
- the next higher-value frontend gaps now narrow further to:
- `src/app/router.tsx`
- `src/pages/admin/DashboardPage/DashboardPage.tsx`
- `src/components/feedback/PageState/PageState.tsx`
- the frontend coverage run still emits one post-summary jsdom `AggregateError` noise line, so the validation path is green but not yet perfectly clean
- the required sequential `lint` -> `build` -> `test:coverage` path passed in this pass
## 2026-03-28 Coverage Remediation Update XIV
- `Q-004` improved again after another strict remediation pass, but it still remains open.
- This pass added and verified:
- closure-grade auth recovery page coverage for `ForgotPasswordPage` and `ResetPasswordPage`
- Latest coverage result:
- Frontend overall: statements `89.06%`, branches `77.14%`, functions `83.56%`, lines `89.96%`
- `src/pages/auth/ForgotPasswordPage/ForgotPasswordPage.tsx`: statements `100%`, branches `75%`, functions `100%`, lines `100%`
- `src/pages/auth/ResetPasswordPage/ResetPasswordPage.tsx`: statements `95%`, branches `94.44%`, functions `100%`, lines `95%`
- `src/pages/admin/ProfileSecurityPage/ProfileSecurityPage.tsx`: statements `90.35%`, branches `75.51%`, functions `92.45%`, lines `90.13%`
- Latest verified commands:
- `cd D:\project\frontend\admin && npm.cmd run test:run -- src/pages/auth/ForgotPasswordPage/ForgotPasswordPage.test.tsx src/pages/auth/ResetPasswordPage/ResetPasswordPage.test.tsx`
- `cd D:\project\frontend\admin && npm.cmd run lint`
- `cd D:\project\frontend\admin && npm.cmd run build`
- `cd D:\project\frontend\admin && npm.cmd run test:coverage`
- Latest evidence:
- [`docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-105226.md`](/D:/project/docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-105226.md)
- Real boundary:
- `ForgotPasswordPage` and `ResetPasswordPage` are no longer remaining `Q-004` gaps
- `Q-004` still cannot be truthfully closed
- the next higher-value frontend gaps now shift more toward:
- `src/app/App.tsx`
- `src/app/RootLayout.tsx`
- `src/app/router.tsx`
- `src/components/common/ErrorBoundary/ErrorBoundary.tsx`
- `src/pages/admin/DashboardPage/DashboardPage.tsx`
- the frontend coverage run still emits one post-summary jsdom `AggregateError` noise line, so the validation path is green but not yet perfectly clean
- the required sequential `lint` -> `build` -> `test:coverage` path passed in this pass
## 2026-03-28 Coverage Remediation Update XIII
- `Q-004` improved again after another strict remediation pass, but it still remains open.
- This pass added and verified:
- closure-grade page coverage for `src/pages/admin/ProfileSecurityPage/ProfileSecurityPage.tsx`
- Latest coverage result:
- Frontend overall: statements `85.89%`, branches `74.91%`, functions `81.87%`, lines `86.71%`
- `src/pages/admin/ProfileSecurityPage/ProfileSecurityPage.tsx`: statements `90.35%`, branches `75.51%`, functions `92.45%`, lines `90.13%`
- `src/lib/http/client.ts`: statements `100%`, branches `92.30%`, functions `100%`, lines `100%`
- `src/lib/http/csrf.ts`: statements `100%`, branches `88.46%`, functions `100%`, lines `100%`
- Latest verified commands:
- `cd D:\project\frontend\admin && npm.cmd run test:run -- src/pages/admin/ProfileSecurityPage`
- `cd D:\project\frontend\admin && npm.cmd run lint`
- `cd D:\project\frontend\admin && npm.cmd run build`
- `cd D:\project\frontend\admin && npm.cmd run test:coverage`
- Latest evidence:
- [`docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-104341.md`](/D:/project/docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-104341.md)
- Real boundary:
- `src/pages/admin/ProfileSecurityPage/ProfileSecurityPage.tsx` is no longer a remaining `Q-004` gap
- `Q-004` still cannot be truthfully closed
- the next highest-value frontend gaps now shift more toward:
- `src/pages/auth/ForgotPasswordPage/ForgotPasswordPage.tsx`
- `src/pages/auth/ResetPasswordPage/ResetPasswordPage.tsx`
- the frontend coverage run still emits one post-summary jsdom `AggregateError` noise line, so the validation path is green but not yet perfectly clean
- the required sequential `lint` -> `build` -> `test:coverage` path passed in this pass
## 2026-03-28 Coverage Remediation Update XII
- `Q-004` improved again after another strict remediation pass, but it still remains open.
- This pass added and verified:
- closure-grade module coverage for `src/lib/http/client.ts`
- a production hygiene fix for shared refresh-promise rejection handling
- Latest coverage result:
- Frontend overall: statements `83.86%`, branches `72.68%`, functions `79.87%`, lines `84.72%`
- `src/lib/http/client.ts`: statements `100%`, branches `92.30%`, functions `100%`, lines `100%`
- `src/lib/http/csrf.ts`: statements `100%`, branches `88.46%`, functions `100%`, lines `100%`
- `src/pages/admin/ProfileSecurityPage/ProfileSecurityPage.tsx`: statements `70.17%`, branches `48.97%`, functions `67.92%`, lines `70.40%`
- Latest verified commands:
- `cd D:\project\frontend\admin && npm.cmd run test:run -- src/lib/http/client.test.ts`
- `cd D:\project\frontend\admin && npm.cmd run lint`
- `cd D:\project\frontend\admin && npm.cmd run build`
- `cd D:\project\frontend\admin && npm.cmd run test:coverage`
- Latest evidence:
- [`docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-102456.md`](/D:/project/docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-102456.md)
- Real boundary:
- `src/lib/http/client.ts` is no longer a remaining `Q-004` gap
- `Q-004` still cannot be truthfully closed
- the remaining highest-value frontend gap is now more concentrated in:
- deeper remaining `ProfileSecurityPage` branches
- the frontend coverage run still emits one post-summary jsdom `AggregateError` noise line, so the validation path is green but not yet perfectly clean
- the required sequential `lint` -> `build` -> `test:coverage` path passed in this pass
## 2026-03-28 Coverage Remediation Update XI
- `Q-004` improved again after another strict remediation pass, but it still remains open.
- This pass added and verified:
- closure-grade module coverage for `src/lib/http/csrf.ts`
- Latest coverage result:
- Frontend overall: statements `80.06%`, branches `67.61%`, functions `78.00%`, lines `80.91%`
- `src/lib/http/csrf.ts`: statements `100%`, branches `88.46%`, functions `100%`, lines `100%`
- `src/lib/http/client.ts`: `52.17%`
- `src/pages/admin/ProfileSecurityPage/ProfileSecurityPage.tsx`: `70.17%`
- Latest verified commands:
- `cd D:\project\frontend\admin && npm.cmd run test:run -- src/lib/http/csrf.test.ts`
- `cd D:\project\frontend\admin && npm.cmd run lint`
- `cd D:\project\frontend\admin && npm.cmd run build`
- `cd D:\project\frontend\admin && npm.cmd run test:coverage`
- Latest evidence:
- [`docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-083841.md`](/D:/project/docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-083841.md)
- Real boundary:
- `src/lib/http/csrf.ts` is no longer a remaining `Q-004` gap
- `Q-004` still cannot be truthfully closed
- the remaining highest-value frontend gaps are now more concentrated in:
- `src/lib/http/client.ts`
- deeper remaining `ProfileSecurityPage` branches
- the frontend coverage run still emits one post-summary jsdom `AggregateError` noise line, so the validation path is green but not yet perfectly clean
- the required sequential `lint` -> `build` -> `test:coverage` path passed in this pass
## 2026-03-28 Coverage Remediation Update X
- `Q-004` improved again after another strict remediation pass, but it still remains open.
- This pass added and verified:
- closure-grade behavior coverage for `src/pages/auth/RegisterPage/RegisterPage.tsx`
- Latest coverage result:
- Frontend overall: statements `78.91%`, branches `66.06%`, functions `77.07%`, lines `79.73%`
- `src/pages/auth/RegisterPage/RegisterPage.tsx`: statements `93.42%`, branches `85.24%`, functions `87.5%`, lines `95.89%`
- `src/pages/admin/ProfileSecurityPage/ProfileSecurityPage.tsx`: `70.17%`
- `src/lib/http/client.ts`: `52.17%`
- `src/lib/http/csrf.ts`: `25.71%`
- Latest verified commands:
- `cd D:\project\frontend\admin && npm.cmd run test:run -- src/pages/auth/RegisterPage/RegisterPage.test.tsx`
- `cd D:\project\frontend\admin && npm.cmd run lint`
- `cd D:\project\frontend\admin && npm.cmd run build`
- `cd D:\project\frontend\admin && npm.cmd run test:coverage`
- Latest evidence:
- [`docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-082843.md`](/D:/project/docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-082843.md)
- Real boundary:
- `RegisterPage` is no longer a remaining `Q-004` gap
- `Q-004` still cannot be truthfully closed
- the remaining highest-value frontend gaps are now more concentrated in:
- deeper remaining `ProfileSecurityPage` branches
- `lib/http`
- the frontend coverage run still emits one post-summary jsdom `AggregateError` noise line, so the validation path is green but not yet perfectly clean
- the required sequential `lint` -> `build` -> `test:coverage` path passed in this pass without a new build-path regression observation
## 2026-03-28 Coverage Remediation Update IX
- `Q-004` improved again after another strict remediation pass, but it still remains open.
- This pass added and verified:
- closure-grade behavior coverage for `src/pages/auth/LoginPage/LoginPage.tsx`
- Latest coverage result:
- Frontend overall: statements `78.38%`, branches `64.77%`, functions `76.92%`, lines `79.19%`
- `src/pages/auth/LoginPage/LoginPage.tsx`: statements `92.56%`, branches `84.09%`, functions `86.2%`, lines `95.61%`
- `src/pages/auth/RegisterPage/RegisterPage.tsx`: `77.63%`
- `src/pages/admin/ProfileSecurityPage/ProfileSecurityPage.tsx`: `70.17%`
- `src/lib/http/client.ts`: `52.17%`
- `src/lib/http/csrf.ts`: `25.71%`
- Latest verified commands:
- `cd D:\project\frontend\admin && npm.cmd run test:run -- src/pages/auth/LoginPage/LoginPage.test.tsx`
- `cd D:\project\frontend\admin && npm.cmd run lint`
- `cd D:\project\frontend\admin && npm.cmd run build`
- `cd D:\project\frontend\admin && npm.cmd run test:coverage`
- Latest evidence:
- [`docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-081514.md`](/D:/project/docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-081514.md)
- Real boundary:
- `LoginPage` is no longer a remaining `Q-004` gap
- `Q-004` still cannot be truthfully closed
- the remaining highest-value frontend gaps are now more concentrated in:
- `RegisterPage`
- deeper remaining `ProfileSecurityPage` branches
- `lib/http`
- the frontend coverage run still emits one post-summary jsdom `AggregateError` noise line, so the validation path is green but not yet perfectly clean
- one concurrent `lint` + `build` attempt produced a transient Windows/Vite `index.html` emit-path failure; the required standalone `build` rerun passed immediately afterward
- this is a real observation, but not yet proven to be a deterministic repo defect
## 2026-03-28 Coverage Remediation Update VIII
- `Q-004` improved again after another strict remediation pass, but it still remains open.
- This pass added and verified:
- closure-grade provider behavior coverage for `src/app/providers/AuthProvider.tsx`
- Latest coverage result:
- Frontend overall: statements `76.00%`, branches `63.91%`, functions `75.07%`, lines `76.84%`
- `src/app/providers`: statements `96.38%`, branches `93.75%`
- `src/app/providers/AuthProvider.tsx`: `100%`
- `src/pages/auth/LoginPage/LoginPage.tsx`: `47.93%`
- `src/pages/auth/RegisterPage/RegisterPage.tsx`: `77.63%`
- `src/pages/admin/ProfileSecurityPage/ProfileSecurityPage.tsx`: `70.17%`
- Latest verified commands:
- `cd D:\project\frontend\admin && npm.cmd run test:run -- src/app/providers/AuthProvider.test.tsx`
- `cd D:\project\frontend\admin && npm.cmd run lint`
- `cd D:\project\frontend\admin && npm.cmd run build`
- `cd D:\project\frontend\admin && npm.cmd run test:coverage`
- Latest evidence:
- [`docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-075725.md`](/D:/project/docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-075725.md)
- Real boundary:
- `AuthProvider` is no longer a remaining `Q-004` gap
- `Q-004` still cannot be truthfully closed
- the remaining highest-value frontend gaps are now more concentrated in:
- `LoginPage`
- `RegisterPage`
- deeper remaining `ProfileSecurityPage` branches
- `lib/http`
- the frontend coverage run still emits one post-summary jsdom `AggregateError` noise line, so the validation path is green but not yet perfectly clean
## 2026-03-28 Coverage Remediation Update VII
- `Q-004` improved materially again after another strict remediation pass, but it still remains open.
- This pass added and verified:
- full modal/drawer coverage for the remaining `UsersPage` component cluster
- full modal/drawer coverage for the remaining `WebhooksPage` component cluster
- deeper repository coverage across role/permission/relation repositories
- A real backend defect pair was discovered and fixed during this pass:
- `internal/repository/role.go`
- explicit role create requests with `status=0` were being persisted as enabled because the DB default swallowed the zero value
- `internal/repository/permission.go`
- explicit permission create requests with `status=0` were being persisted as enabled for the same reason
- Latest coverage result:
- Frontend overall: statements `74.54%`, branches `63.57%`, functions `74.61%`, lines `75.35%`
- `src/pages/admin/UsersPage`: `95.06%`
- `src/pages/admin/WebhooksPage`: `94.92%`
- `internal/repository`: `67.1%`
- Latest verified commands:
- `go test ./internal/repository -run 'Test(RoleRepositoryLifecycleAndQueries|PermissionRepositoryLifecycleAndQueries|UserRoleAndRolePermissionRepositoriesLifecycle)$' -count=1`
- `go test ./internal/repository -cover -count=1`
- `go test ./... -count=1`
- `go vet ./...`
- `go build ./cmd/server`
- `cd D:\project\frontend\admin && npm.cmd run lint`
- `cd D:\project\frontend\admin && npm.cmd run build`
- `cd D:\project\frontend\admin && npm.cmd run test:coverage`
- Latest evidence:
- [`docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-011431.md`](/D:/project/docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-011431.md)
- Real boundary:
- `UsersPage` is no longer a dominant uncovered admin cluster
- `WebhooksPage` is no longer a dominant uncovered admin cluster
- `internal/repository` has improved materially, but `Q-004` still cannot be truthfully closed
- the remaining highest-value gaps are now more concentrated in:
- deeper remaining `ProfileSecurityPage` branches
- `LoginPage` / `RegisterPage`
- `app/providers/AuthProvider`
- `lib/http`
- remaining repository depth outside the newly covered role/permission/relation paths
- the frontend coverage run still emits one post-summary jsdom `AggregateError` noise line, so the validation path is green but not yet perfectly clean
## 2026-03-28 Coverage Remediation Update VI
- `Q-004` improved materially again after another strict remediation pass, but it still remains open.
- This pass added and verified:
- deep transport-based coverage across `internal/auth/providers`
- full page/modal coverage for `RolesPage`
- full page/modal coverage for `PermissionsPage`
- page coverage for `ProfilePage`
- Latest coverage result:
- Frontend overall: statements `68.32%`, branches `54.12%`, functions `68.15%`, lines `69.28%`
- `src/pages/admin/RolesPage`: `94.53%`
- `src/pages/admin/PermissionsPage`: `93.51%`
- `src/pages/admin/ProfilePage/ProfilePage.tsx`: `91.42%`
- `internal/auth/providers`: `80.6%`
- `internal/repository`: `37.1%`
- Latest verified commands:
- `go test ./internal/auth/providers ./internal/repository -cover -count=1`
- `go test ./... -count=1`
- `go vet ./...`
- `go build ./cmd/server`
- `cd D:\project\frontend\admin && npm.cmd run lint`
- `cd D:\project\frontend\admin && npm.cmd run build`
- `cd D:\project\frontend\admin && npm.cmd run test:coverage`
- Latest evidence:
- [`docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-003416.md`](/D:/project/docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-003416.md)
- Real boundary:
- `internal/auth/providers` is no longer one of the dominant `Q-004` blockers
- `RolesPage`, `PermissionsPage`, and `ProfilePage` are no longer dominant uncovered admin page clusters
- `Q-004` still cannot be truthfully closed because the remaining high-value gaps have narrowed to:
- `internal/repository` depth (`37.1%`)
- `UsersPage` drawers/modals
- `WebhooksPage` modal/drawer components
- deeper remaining `ProfileSecurityPage` branches
- the frontend coverage run still emits one post-summary jsdom `AggregateError` noise line, so the validation path is green but not yet perfectly clean
## 2026-03-27 Coverage Remediation Update V
- `Q-004` improved again after another strict remediation pass, but it still remains open.
- This pass added and verified:
- frontend regression coverage for `LoginLogsPage`
- frontend regression coverage for `OperationLogsPage`
- deeper non-network parsing/error coverage for `internal/auth/providers`
- Latest coverage result:
- Frontend overall: statements `56.81%`, branches `44.67%`, functions `57.38%`, lines `57.57%`
- `src/pages/admin/LoginLogsPage/LoginLogsPage.tsx`: `93.1%`
- `src/pages/admin/OperationLogsPage/OperationLogsPage.tsx`: `91.52%`
- `services`: `86.2%`
- `internal/auth/providers`: `28.7%`
- `internal/repository`: `37.1%`
- Latest verified commands:
- `go test ./... -count=1`
- `go vet ./...`
- `go build ./cmd/server`
- `cd D:\project\frontend\admin && npm.cmd run lint`
- `cd D:\project\frontend\admin && npm.cmd run build`
- `cd D:\project\frontend\admin && npm.cmd run test:coverage`
- Latest evidence:
- [`docs/evidence/ops/2026-03-27/quality/COVERAGE_REMEDIATION_20260327-233824.md`](/D:/project/docs/evidence/ops/2026-03-27/quality/COVERAGE_REMEDIATION_20260327-233824.md)
- Real boundary:
- frontend service adapters are no longer a primary `Q-004` gap
- `LoginLogsPage` and `OperationLogsPage` are no longer primary page-level hotspots
- `internal/auth/providers` improved materially but is still too shallow to declare `Q-004` closed
- the highest-value next work remains deeper provider paths plus still-uncovered admin pages/components such as `PermissionsPage`, `RolesPage`, `ProfilePage`, and multiple drawers/modals
- the latest successful frontend coverage run still emitted one post-summary jsdom `AggregateError` noise line, so the validation path is green but not yet perfectly clean
## 2026-03-27 Coverage Remediation Update IV
- `Q-004` has continued to improve and was re-verified again, but it still remains open.
- This pass mainly closed much of the frontend service-adapter gap:
- `users.ts`
- `roles.ts`
- `devices.ts`
- `profile.ts`
- `login-logs.ts`
- `operation-logs.ts`
- `permissions.ts`
- `stats.ts`
- `import-export.ts`
- This pass also increased non-network provider coverage through:
- Alipay private-key parsing/signing tests
- Twitter PKCE auth URL tests
- OAuth helper error-body boundary tests
- Strict verification caught one more real engineering issue during this pass:
- the first version of the new permission-service tests passed under Vitest but failed under `tsc -b` because the fixture payloads did not match the real request types
- this was corrected before final sign-off
- Latest coverage result:
- Frontend overall: statements `52.05%`, branches `42.86%`, functions `51.84%`, lines `52.69%`
- `services`: `86.2%`
- `internal/auth/providers`: `15.2%`
- `internal/repository`: `37.1%`
- Latest evidence:
- [`docs/evidence/ops/2026-03-27/quality/COVERAGE_REMEDIATION_20260327-224352.md`](/D:/project/docs/evidence/ops/2026-03-27/quality/COVERAGE_REMEDIATION_20260327-224352.md)
- Real boundary:
- frontend service adapters are no longer one of the main remaining `Q-004` gaps
- `internal/auth/providers` is improved but still too shallow to declare the item closed
- the remaining high-value work should continue to target deeper provider parsing/error branches and still-uncovered admin pages/components
## 2026-03-27 Coverage Remediation Update III
- `Q-004` improved again and was re-verified, but it is still not honestly closable.
- This pass added:
- frontend regression coverage for `UsersPage`
- frontend deeper branch coverage for `ProfileSecurityPage`
- backend coverage for more of `internal/repository`
- backend non-network coverage for more of `internal/auth/providers`
- A real defect was found and fixed during this pass:
- `internal/repository/device.go`
- explicit inactive device creation (`status=0`) was being swallowed by the DB default and persisted as active
- Latest coverage result:
- Frontend overall: statements `49.18%`, branches `42.86%`, functions `44.92%`, lines `49.79%`
- `src/pages/admin/UsersPage/UsersPage.tsx`: `90.98%` statements, `68.75%` branches
- `src/pages/admin/ProfileSecurityPage/ProfileSecurityPage.tsx`: `70.17%` statements, `48.97%` branches
- `internal/repository`: `37.1%`
- `internal/auth/providers`: `8.5%`
- Latest verified commands:
- `go test ./... -count=1`
- `go vet ./...`
- `go build ./cmd/server`
- `cd D:\project\frontend\admin && npm.cmd run lint`
- `cd D:\project\frontend\admin && npm.cmd run build`
- `cd D:\project\frontend\admin && npm.cmd run test:coverage`
- Latest evidence:
- [`docs/evidence/ops/2026-03-27/quality/COVERAGE_REMEDIATION_20260327-221835.md`](/D:/project/docs/evidence/ops/2026-03-27/quality/COVERAGE_REMEDIATION_20260327-221835.md)
- Real boundary:
- `UsersPage` and `ProfileSecurityPage` are no longer the dominant gaps they were before this pass.
- `internal/auth/providers` remains materially under-covered.
- `Q-004` should stay open until the remaining low-coverage service and provider paths are reduced further.
## 2026-03-27 Coverage Remediation Update II
- `Q-004` advanced further in this pass and passed re-verification, but it is still not fully closed.
- Coverage and fixes added in this pass:
- Frontend: added page tests for `WebhooksPage` and service tests for `services/webhooks.ts`.
- Backend: added repository tests for `webhook_repository`.
- Fixed `internal/repository/webhook_repository.go`, where an explicit `status=0` on create was being swallowed by the DB default.
- Fixed `frontend/admin/vite.config.js`, resolving the `npm.cmd run build` failure caused by `index.html` being emitted with an absolute path under the current Windows + `Vite 8` + `--configLoader native` setup.
- Latest coverage result:
- Frontend overall: statements `41.06%`, branches `38.48%`, functions `36.00%`, lines `41.47%`
- `src/pages/admin/WebhooksPage/WebhooksPage.tsx`: `93.15%`
- `src/services/webhooks.ts`: `100%`
- `internal/repository`: `15.1%`
- Latest verified commands:
- `go test ./... -count=1`
- `go vet ./...`
- `go build ./cmd/server`
- `cd D:\project\frontend\admin && npm.cmd run lint`
- `cd D:\project\frontend\admin && npm.cmd run build`
- `cd D:\project\frontend\admin && npm.cmd run test:coverage`
- Latest evidence:
- [`docs/evidence/ops/2026-03-27/quality/COVERAGE_REMEDIATION_20260327-214422.md`](/D:/project/docs/evidence/ops/2026-03-27/quality/COVERAGE_REMEDIATION_20260327-214422.md)
- Real boundary:
- The remaining `Q-004` gaps are now concentrated in the deeper branches of `UsersPage` and `ProfileSecurityPage`, and in the deeper paths of `internal/auth/providers` / `internal/repository`.
## 2026-03-27 Coverage Remediation Update
- `Q-004` (insufficient automated coverage) has completed one round of supplementary remediation and passed re-verification, but it is still not fully closed.
- Key tests added in this pass, now passing stably, cover:
- Frontend: `router`, `RequireAuth`, `RequireAdmin`, `AdminLayout`, `ImportExportPage`
- Backend: `internal/database` startup migration / default data / upgrade backfill paths
- Backend: URL / state generation paths in `internal/auth/providers`
- This pass also closed two test-quality issues:
- `router.test.tsx` previously ran only under `vitest` and failed under `tsc -b`; it has been corrected so that it compiles.
- `internal/database/db_test.go` did not release the SQLite handle on Windows, which made `TempDir` cleanup fail; the underlying connection is now closed explicitly.
- Latest coverage result:
- Frontend overall: statements `37.09%`, branches `35.91%`, functions `30.30%`, lines `37.40%`
- `src/app/router.tsx`: `47.72%`
- `src/components/guards/RequireAuth.tsx`: `100%`
- `src/components/guards/RequireAdmin.tsx`: `100%`
- `src/layouts/AdminLayout/AdminLayout.tsx`: `80.00%`
- `src/pages/admin/ImportExportPage/ImportExportPage.tsx`: `83.58%`
- `internal/database`: `83.2%`
- `internal/auth/providers`: `4.0%`
- `internal/repository`: `10.5%`
- Latest verified commands:
- `go test ./... -count=1`
- `go vet ./...`
- `cd D:\project\frontend\admin && npm.cmd run lint`
- `cd D:\project\frontend\admin && npm.cmd run build`
- `cd D:\project\frontend\admin && npm.cmd run test:coverage`
- Latest evidence:
- [`docs/evidence/ops/2026-03-27/quality/COVERAGE_REMEDIATION_20260327-212336.md`](/D:/project/docs/evidence/ops/2026-03-27/quality/COVERAGE_REMEDIATION_20260327-212336.md)
- Real boundary:
- `Q-004` has improved noticeably, but it cannot honestly be described as "automated coverage is sufficient".
- The current priority is still to keep covering `UsersPage` / `WebhooksPage` / `ProfileSecurityPage` and the deep error branches of `internal/repository` / `internal/auth/providers` first, and only then move on to `Q-005` and `Q-006`.
## 2026-03-27 Auth Session Hardening Closure Update
- The earlier high-priority quality-audit items around browser-side token persistence, OAuth `return_to` trust boundary, and fail-open security randomness are now closed at implementation level and re-verified.
- Backend/session closure:
- refresh continuity is now based on the backend-managed `HttpOnly` refresh cookie.
- the backend now emits a non-sensitive session-presence cookie (`ums_session_present`) so the frontend can distinguish "restore is possible" from "no server session exists".
- OAuth `return_to` no longer trusts request-derived forwarded origin inference; it is restricted to absolute paths or explicit allowlisted origins.
- security-sensitive random generation no longer silently degrades on `crypto/rand` failure.
- Frontend/session closure:
- access token, current user, and current roles are memory-only and no longer persist into `localStorage` / `sessionStorage`.
- `AuthProvider` now avoids blind `/auth/refresh` probing when no session-presence cookie exists.
- protected-route restore failure no longer loses the original route intent; redirect ownership is back on `RequireAuth`.
- post-login route races are hardened by exporting effective auth state from the in-memory session store.
- Real-browser closure:
- the supported CDP E2E path was rerun after the session model change and now passes again without the earlier `400 Bad Request` console-noise regression.
- Latest verified commands for this closure:
- `go test ./... -count=1`
- `go vet ./...`
- `go build ./cmd/server`
- `cd D:\project\frontend\admin && npm.cmd run test:run`
- `cd D:\project\frontend\admin && npm.cmd run lint`
- `cd D:\project\frontend\admin && npm.cmd run build`
- `cd D:\project\frontend\admin && powershell -ExecutionPolicy Bypass -File .\scripts\run-playwright-auth-e2e.ps1`
- Latest evidence:
- [`docs/evidence/ops/2026-03-27/quality/AUTH_SESSION_REMEDIATION_20260327-194100.md`](/D:/project/docs/evidence/ops/2026-03-27/quality/AUTH_SESSION_REMEDIATION_20260327-194100.md)
- Real boundary:
- this closes the earlier session-model / OAuth return-path / random-fail-open implementation gaps.
- it does not close the separate remaining boundaries around coverage depth, dev-toolchain SCA cleanup, or external production alert delivery evidence.
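The `return_to` rule described in this update (absolute paths or explicitly allowlisted origins, with no origin inferred from the request) can be sketched as follows. This is an added example, not the project's own code; `ReturnToPolicy`, `NewReturnToPolicy`, `Validate` and the `example.test` origin are hypothetical names and constructed values.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrUnsafeReturnTo is returned for every value that is neither an absolute
// path nor a URL on an explicitly allowlisted origin.
var ErrUnsafeReturnTo = errors.New("return_to rejected")

// ReturnToPolicy (hypothetical type) holds origins taken from configuration.
// Nothing here reads Host, Origin or X-Forwarded-* from the request.
type ReturnToPolicy struct {
	allowed map[string]struct{} // "scheme://host[:port]", lower case
}

// NewReturnToPolicy builds the allowlist and refuses entries that are not a
// bare origin, so a typo cannot silently widen the policy.
func NewReturnToPolicy(origins ...string) (*ReturnToPolicy, error) {
	p := &ReturnToPolicy{allowed: make(map[string]struct{})}
	for _, o := range origins {
		u, err := url.Parse(o)
		if err != nil || (u.Scheme != "https" && u.Scheme != "http") || u.Host == "" ||
			u.User != nil || strings.Trim(u.Path, "/") != "" || u.RawQuery != "" || u.Fragment != "" {
			return nil, fmt.Errorf("allowlist entry %q is not a bare origin", o)
		}
		p.allowed[strings.ToLower(u.Scheme+"://"+u.Host)] = struct{}{}
	}
	return p, nil
}

// Validate returns raw unchanged when it is safe to redirect to.
func (p *ReturnToPolicy) Validate(raw string) (string, error) {
	if raw == "" || len(raw) > 2048 {
		return "", ErrUnsafeReturnTo
	}
	// Browsers drop tabs/newlines and treat "\" like "/", so "/\host" or
	// "/<TAB>/host" would otherwise pass a naive leading-slash check.
	for _, r := range raw {
		if r < 0x20 || r == 0x7f || r == '\\' {
			return "", ErrUnsafeReturnTo
		}
	}
	u, err := url.Parse(raw)
	if err != nil || u.User != nil {
		return "", ErrUnsafeReturnTo
	}
	if u.Scheme == "" && u.Host == "" {
		// Same-site case: must be an absolute path, never "//host" or "page".
		if strings.HasPrefix(raw, "/") && !strings.HasPrefix(raw, "//") {
			return raw, nil
		}
		return "", ErrUnsafeReturnTo
	}
	// Cross-origin case: exact scheme+host+port match against configuration.
	if u.Scheme != "https" && u.Scheme != "http" {
		return "", ErrUnsafeReturnTo
	}
	if _, ok := p.allowed[strings.ToLower(u.Scheme+"://"+u.Host)]; !ok {
		return "", ErrUnsafeReturnTo
	}
	return raw, nil
}

func main() {
	p, err := NewReturnToPolicy("https://admin.example.test") // constructed origin
	if err != nil {
		panic(err)
	}
	for _, v := range []string{ // constructed sample inputs
		"/profile/security?tab=devices",
		"https://admin.example.test/dashboard",
		"//evil.example/login",
		"/\\evil.example",
		"https://admin.example.test.evil.example/",
		"https://admin.example.test@evil.example/",
		"javascript:alert(1)",
	} {
		_, err := p.Validate(v)
		fmt.Printf("%-45q allowed=%v\n", v, err == nil)
	}
}
```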
## 2026-03-27 First Admin Bootstrap Closure Update
- The previously real usability gap around “no default account, no first-admin product path” is now closed at product implementation level.
- Backend closure:
- added public `POST /api/v1/auth/bootstrap-admin`.
- bootstrap is guarded by `GET /api/v1/auth/capabilities -> admin_bootstrap_required`, so it is only available while the system still has no active admin.
- successful bootstrap creates the first active admin, binds the `admin` role, returns a real session, and closes the bootstrap window afterward.
- Frontend closure:
- added public `/bootstrap-admin` page.
- `/login` and `/register` now expose a real first-run admin initialization entry instead of only showing a passive warning.
- successful bootstrap now logs the operator into `/dashboard` directly.
- Supported-browser validation closure:
- `frontend/admin/scripts/run-playwright-auth-e2e.ps1` no longer depends on startup-injected admin credentials.
- the real browser E2E suite now begins with `admin-bootstrap`, proving `no default account -> initialize the first admin -> enter the admin console -> log out`.
- Latest verified commands for this closure:
- `go test ./... -count=1`
- `go build ./cmd/server`
- `cd D:\project\frontend\admin && npm.cmd run lint`
- `cd D:\project\frontend\admin && npm.cmd run test:run`
- `cd D:\project\frontend\admin && npm.cmd run build`
- `cd D:\project\frontend\admin && powershell -ExecutionPolicy Bypass -File .\scripts\run-playwright-auth-e2e.ps1`
- Latest evidence:
- [`docs/evidence/ops/2026-03-27/e2e/ADMIN_BOOTSTRAP_CLOSURE_20260327-173914.md`](/D:/project/docs/evidence/ops/2026-03-27/e2e/ADMIN_BOOTSTRAP_CLOSURE_20260327-173914.md)
- Real boundary:
- this closes the first-admin product loop.
- it does not change the separate remaining boundaries around live third-party OAuth evidence and external production delivery/governance evidence.
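A public first-admin endpoint is only safe if the "no active admin" check and the account creation happen atomically on the server. The sketch below models that guard and the `admin_bootstrap_required` capability with an in-memory store; it is an added example, not the project's code, and `Store`, `BootstrapAdmin`, `Deactivate` and `RaceBootstrap` are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// ErrBootstrapClosed is returned once any active admin exists.
var ErrBootstrapClosed = errors.New("bootstrap closed: an active admin exists")

// account is a minimal user record (hypothetical shape for this example).
type account struct {
	name    string
	isAdmin bool
	active  bool
}

// Store is an in-memory stand-in for the user repository. With a real
// database the check and the insert must share one transaction or lock.
type Store struct {
	mu       sync.Mutex
	accounts []account
}

// activeAdmins counts admins able to log in. The caller must hold s.mu.
func (s *Store) activeAdmins() int {
	n := 0
	for _, a := range s.accounts {
		if a.isAdmin && a.active {
			n++
		}
	}
	return n
}

// BootstrapRequired models the admin_bootstrap_required capability. It is
// derived from current state on every call, never cached as a flag, so in
// this model deactivating the last admin makes it true again; that
// transition is worth an audit event.
func (s *Store) BootstrapRequired() bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.activeAdmins() == 0
}

// BootstrapAdmin models POST /api/v1/auth/bootstrap-admin. The server
// re-checks the condition itself instead of trusting that the client saw
// admin_bootstrap_required=true a moment ago.
func (s *Store) BootstrapAdmin(name string) error {
	if name == "" {
		return errors.New("username is required")
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.activeAdmins() > 0 {
		return ErrBootstrapClosed
	}
	s.accounts = append(s.accounts, account{name: name, isAdmin: true, active: true})
	return nil
}

// Deactivate marks an account inactive and reports whether it was found.
func (s *Store) Deactivate(name string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	for i := range s.accounts {
		if s.accounts[i].name == name {
			s.accounts[i].active = false
			return true
		}
	}
	return false
}

// RaceBootstrap fires n concurrent bootstrap calls and returns how many won.
func RaceBootstrap(s *Store, n int) int {
	var wg sync.WaitGroup
	results := make([]error, n)
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			results[i] = s.BootstrapAdmin(fmt.Sprintf("operator-%d", i))
		}(i)
	}
	wg.Wait()
	wins := 0
	for _, err := range results {
		if err == nil {
			wins++
		}
	}
	return wins
}

func main() {
	s := &Store{}
	fmt.Println("required before:", s.BootstrapRequired())
	fmt.Println("winners of 50 concurrent calls:", RaceBootstrap(s, 50))
	fmt.Println("required after:", s.BootstrapRequired())
	fmt.Println("late call:", s.BootstrapAdmin("late-operator"))
}
```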
## 2026-03-27 PRD 1.1 Email Activation Closure Update
- PRD `1.1 Multiple registration methods -> Email registration -> Email address verification (send verification email)` is now closed at product implementation level.
- Backend closure:
- activation emails now point to the frontend activation page instead of the raw `GET /api/v1/auth/activate` API endpoint.
- `GET /api/v1/auth/capabilities` now exposes `email_activation`, allowing the frontend to gate resend-activation UX on real capability state.
- Frontend closure:
- `/activate-account` is now a real public activation page.
- invalid or expired activation links now have a real resend-activation path instead of dropping users onto a backend JSON response.
- `/login` and `/register` success state now both expose resend-activation entry points when email activation is available.
- the activation page no longer double-consumes one-time activation tokens under React StrictMode.
- Supported-browser validation closure:
- `frontend/admin/scripts/run-playwright-auth-e2e.ps1` now starts a local SMTP capture service alongside isolated backend/frontend runtime.
- the real browser E2E suite now includes `email-activation`, covering `register -> receive activation email -> open frontend activation page -> activation succeeds -> log in`.
- Latest verified commands for this closure:
- `go test ./... -count=1`
- `go build ./cmd/server`
- `cd D:\project\frontend\admin && npm.cmd run lint`
- `cd D:\project\frontend\admin && npm.cmd run test:run`
- `cd D:\project\frontend\admin && npm.cmd run build`
- `cd D:\project\frontend\admin && powershell -ExecutionPolicy Bypass -File .\scripts\run-playwright-auth-e2e.ps1`
- Latest evidence:
- [`docs/evidence/ops/2026-03-27/e2e/EMAIL_ACTIVATION_CLOSURE_20260327-171211.md`](/D:/project/docs/evidence/ops/2026-03-27/e2e/EMAIL_ACTIVATION_CLOSURE_20260327-171211.md)
- Real boundary:
- the supported-browser closure uses a local SMTP capture service and proves the product loop.
- it does not by itself prove live external SMTP provider deliverability.
## 2026-03-27 PRD 1.1 Self-Service Registration Closure Update
- PRD `1.1 Multiple registration methods` is now closed at product implementation level for the self-service frontend loop.
- Backend closure:
- the existing `POST /api/v1/auth/register` product API is now matched by a real public frontend path.
- `POST /api/v1/auth/send-code` now accepts both `purpose` and legacy `scene` payloads, preventing older clients from silently breaking while the frontend uses the normalized `purpose` contract.
- Frontend closure:
- `/register` is now a real public route linked from `/login`.
- users can complete username/password self-registration, optionally provide nickname/email, and use capability-gated phone registration when SMS is enabled.
- `/dashboard` is now admin-guarded, so newly registered non-admin users no longer land on an admin-only stats error path after first login; they settle on `/profile`.
- `/register` is treated as a public auth path during session-restore cleanup.
- Latest verified commands for this closure:
- `go test ./... -count=1`
- `go build ./cmd/server`
- `cd D:\project\frontend\admin && npm.cmd run lint`
- `cd D:\project\frontend\admin && npm.cmd run test:run`
- `cd D:\project\frontend\admin && npm.cmd run build`
- `cd D:\project\frontend\admin && powershell -ExecutionPolicy Bypass -File .\scripts\run-playwright-auth-e2e.ps1`
- Latest evidence:
- [`docs/evidence/ops/2026-03-27/e2e/SELF_SERVICE_REGISTER_CLOSURE_20260327-000848.md`](/D:/project/docs/evidence/ops/2026-03-27/e2e/SELF_SERVICE_REGISTER_CLOSURE_20260327-000848.md)
- Real boundary:
- phone registration remains capability-gated by configured SMS delivery.
- email activation remains environment-dependent on SMTP-backed delivery.
- this closes the product loop, not the separate live third-party OAuth proof layer or external production governance evidence layer.
## 2026-03-26 PRD 1.5 Account Binding Closure Update
- PRD `1.5 User information management -> Account binding and unbinding` is now closed at product implementation level for `email / phone number / social account`.
- Backend closure:
- self-service email bind / replace / unbind and phone bind / replace / unbind are now exposed through protected `users/me` endpoints.
- bind requires target-channel verification code plus current-account verification when password or TOTP is configured.
- unbind blocks removal if no login method would remain.
- direct self-service `PUT /api/v1/users/:id` updates of `email` / `phone` are now rejected for non-admin self flows.
- Frontend closure:
- `/profile/security` now includes a real email/phone binding management section.
- `/profile` no longer edits `email` / `phone` directly and instead routes users to verified binding flows.
- Latest verified commands for this closure:
- `go test ./... -count=1`
- `go build ./cmd/server`
- `cd D:\project\frontend\admin && npm.cmd run lint`
- `cd D:\project\frontend\admin && npm.cmd run test:run`
- `cd D:\project\frontend\admin && npm.cmd run build`
- `cd D:\project\frontend\admin && powershell -ExecutionPolicy Bypass -File .\scripts\run-playwright-auth-e2e.ps1`
- Latest evidence:
- [`docs/evidence/ops/2026-03-26/e2e/ACCOUNT_BINDING_CLOSURE_20260326-224700.md`](/D:/project/docs/evidence/ops/2026-03-26/e2e/ACCOUNT_BINDING_CLOSURE_20260326-224700.md)
- Real boundary:
- email binding remains capability-gated by SMTP-backed email code delivery.
- phone binding remains capability-gated by configured Aliyun/Tencent SMS delivery.
- this closes the product loop, not the separate live third-party OAuth proof layer.
## 2026-03-26 PRD 5.2 Closure Update
- PRD `5.2 User information management -> Create user` is now closed end-to-end.
- Backend closure:
- `POST /api/v1/users` is live behind existing `user:manage` authorization.
- admin-created users support initial password, optional email/phone/nickname, optional explicit roles, default-role assignment, and optional activation email when SMTP activation is configured.
- Frontend closure:
- Admin Users page now includes a real `创建用户` (Create User) modal and service call path.
- E2E closure hardening:
- `frontend/admin/scripts/run-playwright-auth-e2e.ps1` no longer reuses ambient `8080/3000` services.
- the supported browser path now launches isolated backend/frontend ports and an isolated SQLite database under `%TEMP%`.
- `frontend/admin/.env.development` now defaults to `/api/v1`, so Vite proxy overrides remain effective.
- Latest verified commands for this closure:
- `go test ./... -count=1`
- `go build ./cmd/server`
- `cd D:\project\frontend\admin && npm.cmd run lint`
- `cd D:\project\frontend\admin && npm.cmd run test:run -- src/services/users.test.ts src/pages/admin/UsersPage/CreateUserModal.test.tsx`
- `cd D:\project\frontend\admin && npm.cmd run build`
- `cd D:\project\frontend\admin && powershell -ExecutionPolicy Bypass -File .\scripts\run-playwright-auth-e2e.ps1`
- Latest evidence:
- [`docs/evidence/ops/2026-03-26/e2e/PLAYWRIGHT_CDP_E2E_CREATE_USER_CLOSURE_20260326-190646.md`](/D:/project/docs/evidence/ops/2026-03-26/e2e/PLAYWRIGHT_CDP_E2E_CREATE_USER_CLOSURE_20260326-190646.md)
- Real boundary:
- the supported CDP browser path confirms create-user success, list-level persistence, and modal close transition initiation.
- it still does not change the earlier boundary that full OS-level automation and live third-party OAuth validation remain outside current closure.
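Last updated: 2026-03-26
## Current Conclusions
- The backend main path builds, tests, and runs.
- The frontend admin console builds, lints, and runs its unit tests.
- The currently supported real-browser acceptance path is `cd frontend/admin && npm.cmd run e2e:full:win`.
- The project has completed browser-level real E2E closure, but this is not the same as full OS-level automation.
- The runtime no longer depends on the `smoke` script; `smoke` is kept only as a supplementary diagnostic tool.
- Locally auditable governance evidence has completed one closed loop, covering SCA, backup and restore, local rollback, observability baseline, configuration and environment isolation, alerting package validation, alert rendering drill, and secret boundary validation.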
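## 2026-03-26 Latest Closure
- Added first-login admin initialization state detection:
- [`internal/service/auth_capabilities.go`](/D:/project/internal/service/auth_capabilities.go)
- `GET /api/v1/auth/capabilities` now returns `admin_bootstrap_required`, reflecting whether the system still lacks an active admin who can log in.
- The login page now closes the first-login admin product prompt loop:
- [`frontend/admin/src/pages/auth/LoginPage/LoginPage.tsx`](/D:/project/frontend/admin/src/pages/auth/LoginPage/LoginPage.tsx)
- When the system has no usable admin, the frontend explicitly states that "the current version provides no default account; admin initialization must be completed first".
- Added backend and frontend regression tests covering the admin initialization state and the login page prompt:
- [`internal/service/auth_capabilities_runtime_test.go`](/D:/project/internal/service/auth_capabilities_runtime_test.go)
- [`internal/api/handler/auth_capabilities_test.go`](/D:/project/internal/api/handler/auth_capabilities_test.go)
- [`frontend/admin/src/services/auth.test.ts`](/D:/project/frontend/admin/src/services/auth.test.ts)
- [`frontend/admin/src/pages/auth/LoginPage/LoginPage.test.tsx`](/D:/project/frontend/admin/src/pages/auth/LoginPage/LoginPage.test.tsx)
- The browser-level real E2E main path was rerun and passed; the first-login prompt change on the login page did not break the existing authentication flow:
- `cd frontend/admin && npm.cmd run e2e:full:win`
- Fixed the email verification code rate-limit regression: the second send is restored from a mistaken `500` to `429 Too Many Requests`.
- Added stable, compatible recognition of email rate-limit errors, so that historical garbled messages or English rate-limit messages no longer cause misclassification.
- Removed the last `panic` from non-test code:
- [`internal/auth/jwt.go`](/D:/project/internal/auth/jwt.go)
- The `NewJWT` compatibility entry point no longer crashes the process on invalid configuration; it defers the failure and returns an error when actually called.
- Added a closure test covering that legacy JWT construction failure no longer panics:
- [`internal/auth/jwt_closure_test.go`](/D:/project/internal/auth/jwt_closure_test.go)
- The frontend `window.alert/confirm/prompt/open` guard chain is confirmed to exist and has test coverage:
- [`frontend/admin/src/app/bootstrap/installWindowGuards.ts`](/D:/project/frontend/admin/src/app/bootstrap/installWindowGuards.ts)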
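## Current Real Runtime Capabilities
- Password login: enabled
- Email verification code login: enabled only when SMTP is fully configured
- SMS verification code login: enabled only when Aliyun or Tencent Cloud SMS is fully configured
- Account binding and unbinding: the email / phone number / social account product loop is complete; email and SMS binding each depend on the corresponding verification-code channel being configured
- Password reset: enabled only when SMTP is fully configured
- First-login admin initialization: when the system has no active admin, `/login` and `/register` expose the `/bootstrap-admin` entry based on `GET /api/v1/auth/capabilities`; after successful initialization the operator goes straight to the admin console and the entry closes automatically
- TOTP: enabled
- RBAC / devices / logs / Webhook / import-export: enabled
- Health checks:
- `GET /health`
- `GET /health/live`
- `GET /health/ready`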
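## Current Real Limitations
- What is currently supported is browser-level real verification, not full OS-level automation.
- This does not cover OS-level behaviour such as system file pickers, system permission dialogs, or native desktop windows.
- In the current environment the `playwright test` runner is still blocked by `spawn EPERM`, so it is not a supported primary entry point.
- `agent-browser` can currently be used for observation and auxiliary diagnosis, but it cannot serve as stable, complete, sign-off-grade evidence for the project's main E2E path.
- The OAuth frontend loop is complete, but live browser validation evidence with real third-party provider credentials is still missing.
- Material for external production delivery is still not fully closed:
- External notification channel integration evidence
- External Secrets Manager / KMS evidence
- Multi-environment CI/CD secret distribution evidence
- Rollback compatibility evidence at the level of schema downgrade across historical versions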
## Verified Commands
Executed and passed in this round:
```powershell
go test ./... -count=1
go vet ./...
go build ./cmd/server
cd D:\project\frontend\admin
npm.cmd run test:run -- src/services/auth.test.ts src/pages/auth/LoginPage/LoginPage.test.tsx
npm.cmd run lint
npm.cmd run build
npm.cmd run e2e:full:win
```
Commands for the local governance evidence produced earlier and retained:
```powershell
powershell -ExecutionPolicy Bypass -File scripts/ops/run-sca-evidence.ps1
powershell -ExecutionPolicy Bypass -File scripts/ops/drill-sqlite-backup-restore.ps1
powershell -ExecutionPolicy Bypass -File scripts/ops/capture-local-baseline.ps1
powershell -ExecutionPolicy Bypass -File scripts/ops/drill-config-isolation.ps1
powershell -ExecutionPolicy Bypass -File scripts/ops/drill-local-rollback.ps1
powershell -ExecutionPolicy Bypass -File scripts/ops/validate-alerting-package.ps1
powershell -ExecutionPolicy Bypass -File scripts/ops/drill-alertmanager-render.ps1
powershell -ExecutionPolicy Bypass -File scripts/ops/validate-secret-boundary.ps1
```
## Governance Baseline Entry Points
- Project-level collaboration and truthful-statement rules: [`AGENTS.md`](/D:/project/AGENTS.md)
- Engineering quality standard: [`docs/team/QUALITY_STANDARD.md`](/D:/project/docs/team/QUALITY_STANDARD.md)
- Production release checklist: [`docs/team/PRODUCTION_CHECKLIST.md`](/D:/project/docs/team/PRODUCTION_CHECKLIST.md)
- Engineering collaboration and documentation sync guide: [`docs/team/TECHNICAL_GUIDE.md`](/D:/project/docs/team/TECHNICAL_GUIDE.md)
- Project experience summary for this round: [`docs/team/PROJECT_EXPERIENCE_SUMMARY.md`](/D:/project/docs/team/PROJECT_EXPERIENCE_SUMMARY.md)
## Existing Evidence
- Full real-browser E2E closure:
- [`docs/evidence/ops/2026-03-24/e2e/PLAYWRIGHT_CDP_E2E_CLOSURE_20260324-151537.md`](/D:/project/docs/evidence/ops/2026-03-24/e2e/PLAYWRIGHT_CDP_E2E_CLOSURE_20260324-151537.md)
- `agent-browser` authenticity validation:
- [`docs/evidence/ops/2026-03-24/e2e/AGENT_BROWSER_VALIDATION_20260324-162724.md`](/D:/project/docs/evidence/ops/2026-03-24/e2e/AGENT_BROWSER_VALIDATION_20260324-162724.md)
- Early raw CDP Windows stability evidence:
- [`docs/evidence/ops/2026-03-24/e2e/RAW_CDP_WINDOWS_STABILITY_20260324-121816.md`](/D:/project/docs/evidence/ops/2026-03-24/e2e/RAW_CDP_WINDOWS_STABILITY_20260324-121816.md)
- Secret boundary:
- [`docs/evidence/ops/2026-03-24/secret-boundary/20260324-104122/SECRET_BOUNDARY_DRILL.md`](/D:/project/docs/evidence/ops/2026-03-24/secret-boundary/20260324-104122/SECRET_BOUNDARY_DRILL.md)
- SCA:
- [`docs/evidence/ops/2026-03-24/sca/SCA_SUMMARY_20260324-072144.md`](/D:/project/docs/evidence/ops/2026-03-24/sca/SCA_SUMMARY_20260324-072144.md)
- Backup and restore drill:
- [`docs/evidence/ops/2026-03-24/backup-restore/20260324-072353/BACKUP_RESTORE_DRILL.md`](/D:/project/docs/evidence/ops/2026-03-24/backup-restore/20260324-072353/BACKUP_RESTORE_DRILL.md)
- Local rollback drill:
- [`docs/evidence/ops/2026-03-24/rollback/20260324-084928/ROLLBACK_DRILL.md`](/D:/project/docs/evidence/ops/2026-03-24/rollback/20260324-084928/ROLLBACK_DRILL.md)
- Local observability baseline:
- [`docs/evidence/ops/2026-03-24/observability/LOCAL_BASELINE_20260324-090637.md`](/D:/project/docs/evidence/ops/2026-03-24/observability/LOCAL_BASELINE_20260324-090637.md)
- Configuration and environment isolation:
- [`docs/evidence/ops/2026-03-24/config-isolation/20260324-084915/CONFIG_ENV_ISOLATION_DRILL.md`](/D:/project/docs/evidence/ops/2026-03-24/config-isolation/20260324-084915/CONFIG_ENV_ISOLATION_DRILL.md)
- Alerting package structure validation:
- [`docs/evidence/ops/2026-03-24/alerting/ALERTING_PACKAGE_20260324-102540.md`](/D:/project/docs/evidence/ops/2026-03-24/alerting/ALERTING_PACKAGE_20260324-102540.md)
- Alert rendering drill:
- [`docs/evidence/ops/2026-03-24/alerting/20260324-102553/ALERTMANAGER_RENDER_DRILL.md`](/D:/project/docs/evidence/ops/2026-03-24/alerting/20260324-102553/ALERTMANAGER_RENDER_DRILL.md)
## Suggested External Statement
The project can currently be honestly described as follows: it has completed browser-level real E2E closure in the current restricted Windows environment and has one closed loop of locally auditable governance evidence; what remains incomplete is full OS-level automation, live validation against real third-party OAuth, and part of the external production delivery evidence, so it should not be overstated as "all enterprise-grade launch materials are closed".
## 2026-03-26 Social Account Binding Closure Update
- PRD social account management (`1.5`, `2.2`, `2.3`) is now closed at implementation level.
- Backend closure:
- `POST /api/v1/users/me/bind-social` now starts an authenticated OAuth binding flow instead of relying on raw `open_id` input from the product UI path.
- `GET /api/v1/auth/oauth/:provider/callback` now supports both login callback and bind callback through persisted OAuth state purpose.
- `GET /api/v1/users/me/social-accounts` now returns sanitized bound-account info.
- `DELETE /api/v1/users/me/bind-social/:provider` now enforces password/TOTP verification when available and blocks unbinding if no login method would remain.
- Frontend closure:
- `/profile/security` now exposes a real social-account management section with bind entry, bound account table, callback-result handling, and guarded unbind modal.
- Validation passed:
- `go test ./... -count=1`
- `go build ./cmd/server`
- `cd frontend/admin && npm.cmd run lint`
- `cd frontend/admin && npm.cmd run test:run -- src/services/auth.test.ts src/services/social-accounts.test.ts src/pages/admin/ProfileSecurityPage/ProfileSecurityPage.social.test.tsx`
- `cd frontend/admin && npm.cmd run build`
- `cd frontend/admin && powershell -ExecutionPolicy Bypass -File .\scripts\run-playwright-auth-e2e.ps1`
- Real remaining gap:
- live third-party OAuth provider browser evidence is still missing; this update closes the product flow, not the real-provider proof layer.
- Evidence:
- [`docs/evidence/ops/2026-03-26/e2e/SOCIAL_ACCOUNT_BINDING_CLOSURE_20260326-200220.md`](/D:/project/docs/evidence/ops/2026-03-26/e2e/SOCIAL_ACCOUNT_BINDING_CLOSURE_20260326-200220.md)
## 2026-03-28 Router Coverage Closure Update
- `Q-004` remediation progressed further, but still cannot be honestly declared closed.
- Frontend router closure:
- `frontend/admin/src/app/router.tsx` is now covered at `100 / 100 / 100 / 100`.
- `frontend/admin/src/app/router.test.tsx` now covers public/protected route registration, `RequireAuth` and `RequireAdmin` wrapping, default redirect behavior, lazy route resolution, and the invalid-export error branch.
- Validation passed:
- `cd frontend/admin && npm.cmd run test:run -- src/app/router.test.tsx`
- `cd frontend/admin && npm.cmd run test:run`
- `cd frontend/admin && npm.cmd run lint`
- `cd frontend/admin && npm.cmd run build`
- `cd frontend/admin && npm.cmd run test:coverage`
- Frontend current full coverage:
- statements `90.74%`
- branches `77.74%`
- functions `87.40%`
- lines `90.87%`
- Real remaining `Q-004` frontend gaps after this closure:
- `src/pages/admin/DashboardPage/DashboardPage.tsx`
- `src/components/feedback/PageState/PageState.tsx`
- broader low-coverage shared/admin surfaces outside this single pass
- Real remaining hygiene issue:
- `npm.cmd run test:coverage` still exits successfully but prints one post-summary jsdom `AggregateError` network-noise line.
- Evidence:
- [`docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-121611.md`](/D:/project/docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-121611.md)
## 2026-03-28 Dashboard Coverage Closure Update
- `Q-004` remediation progressed again, but still cannot be honestly declared closed.
- Frontend dashboard closure:
- `frontend/admin/src/pages/admin/DashboardPage/DashboardPage.tsx` is now covered at `100 / 100 / 100 / 100`.
- `frontend/admin/src/pages/admin/DashboardPage/DashboardPage.test.tsx` now covers loading, success, retriable error, retry recovery, and empty-payload fallback behavior.
- Validation passed:
- `cd frontend/admin && npm.cmd run test:run -- src/pages/admin/DashboardPage/DashboardPage.test.tsx`
- `cd frontend/admin && npm.cmd run lint`
- `cd frontend/admin && npm.cmd run build`
- `cd frontend/admin && npm.cmd run test:coverage`
- Frontend current full coverage:
- statements `91.66%`
- branches `78.26%`
- functions `87.86%`
- lines `91.82%`
- Real remaining `Q-004` frontend gaps after this closure:
- `src/components/feedback/PageState/PageState.tsx`
- broader low-coverage shared/admin surfaces outside this single pass
- Real remaining hygiene issue:
- `npm.cmd run test:coverage` still exits successfully but prints one post-summary jsdom `AggregateError` network-noise line.
- Evidence:
- [`docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-122517.md`](/D:/project/docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-122517.md)
## 2026-03-28 PageState Coverage Closure Update
- `Q-004` remediation progressed again, but still cannot be honestly declared closed.
- Shared page-state closure:
- `frontend/admin/src/components/feedback/PageState/PageState.tsx` is now covered at `100 / 100 / 100 / 100`.
- `frontend/admin/src/components/feedback/PageState/PageState.test.tsx` now covers loading, empty, action-button, error default, retry, and extra-action behavior.
- Validation passed:
- `cd frontend/admin && npm.cmd run test:run -- src/components/feedback/PageState/PageState.test.tsx`
- `cd frontend/admin && npm.cmd run lint`
- `cd frontend/admin && npm.cmd run build`
- `cd frontend/admin && npm.cmd run test:coverage`
- Frontend current full coverage:
- statements `91.71%`
- branches `78.52%`
- functions `88.01%`
- lines `91.86%`
- Real remaining `Q-004` frontend gaps after this closure:
- `src/layouts/AdminLayout/AdminLayout.tsx`
- `src/pages/admin/ImportExportPage/ImportExportPage.tsx`
- `src/lib/errors/AppError.ts`
- `src/lib/storage/token-storage.ts`
- additional lower-coverage shared/admin surfaces outside this single pass
- Real remaining hygiene issue:
- `npm.cmd run test:coverage` still exits successfully but prints one post-summary jsdom `AggregateError` network-noise line.
- Evidence:
- [`docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-123228.md`](/D:/project/docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-123228.md)
## 2026-03-28 AdminLayout Coverage Closure Update
- `Q-004` remediation progressed again, but still cannot be honestly declared closed.
- Admin shell closure:
  - `frontend/admin/src/layouts/AdminLayout/AdminLayout.tsx` is now covered at `100 / 100 / 100 / 100`.
  - `frontend/admin/src/layouts/AdminLayout/AdminLayout.test.tsx` now covers loading, desktop and mobile navigation, dropdown actions, collapse state, avatar and username fallback logic, and explicit child rendering.
- Validation passed:
  - `cd frontend/admin && npm.cmd run test:run -- src/layouts/AdminLayout/AdminLayout.test.tsx`
  - `cd frontend/admin && npm.cmd run lint`
  - `cd frontend/admin && npm.cmd run build`
  - `cd frontend/admin && npm.cmd run test:coverage`
- Frontend current full coverage:
  - statements `92.06%`
  - branches `79.29%`
  - functions `89.09%`
  - lines `92.22%`
- Real remaining `Q-004` frontend gaps after this closure:
  - `src/lib/storage/token-storage.ts`
  - `src/lib/errors/AppError.ts`
  - `src/pages/admin/ImportExportPage/ImportExportPage.tsx`
  - `src/pages/NotFoundPage/NotFoundPage.tsx`
  - additional lower-coverage shared/admin surfaces outside this single pass
- Real remaining hygiene issue:
  - `npm.cmd run test:coverage` still exits successfully but prints one post-summary jsdom `AggregateError` network-noise line.
- Evidence:
  - [`docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-124756.md`](/D:/project/docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-124756.md)
## 2026-03-28 Token Storage Coverage Closure Update
- `Q-004` remediation progressed again, but still cannot be honestly declared closed.
- Token storage closure:
  - `frontend/admin/src/lib/storage/token-storage.ts` is now covered at `100 / 100 / 100 / 100`.
  - `frontend/admin/src/lib/storage/token-storage.test.ts` now covers token normalization, in-memory presence checks, explicit clearing, session cookie detection, and the no-`document` branch.
- Validation passed:
  - `cd frontend/admin && npm.cmd run test:run -- src/lib/storage/token-storage.test.ts`
  - `cd frontend/admin && npm.cmd run lint`
  - `cd frontend/admin && npm.cmd run build`
  - `cd frontend/admin && npm.cmd run test:coverage`
- Frontend current full coverage:
  - statements `92.32%`
  - branches `79.63%`
  - functions `89.70%`
  - lines `92.49%`
- Real remaining `Q-004` frontend gaps after this closure:
  - `src/lib/errors/AppError.ts`
  - `src/pages/admin/ImportExportPage/ImportExportPage.tsx`
  - `src/pages/NotFoundPage/NotFoundPage.tsx`
  - additional lower-coverage shared/admin surfaces outside this single pass
- Real remaining hygiene issue:
  - `npm.cmd run test:coverage` still exits successfully but prints one post-summary jsdom `AggregateError` network-noise line.
- Evidence:
  - [`docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-125454.md`](/D:/project/docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-125454.md)
## 2026-03-28 AppError Coverage Closure Update
- `Q-004` remediation progressed again, but still cannot be honestly declared closed.
- Error module closure:
  - `frontend/admin/src/lib/errors/AppError.ts` is now covered at `100 / 100 / 100 / 100`.
  - `frontend/admin/src/lib/errors/index.ts` is now covered at `100 / 100 / 100 / 100`.
  - `frontend/admin/src/lib/errors/AppError.test.ts` now covers constructor defaults, factory helpers, response mapping, user-message mapping, and shared error helpers.
- Validation passed:
  - `cd frontend/admin && npm.cmd run test:run -- src/lib/errors/AppError.test.ts`
  - `cd frontend/admin && npm.cmd run lint`
  - `cd frontend/admin && npm.cmd run build`
  - `cd frontend/admin && npm.cmd run test:coverage`
- Frontend current full coverage:
  - statements `93.07%`
  - branches `81.35%`
  - functions `90.32%`
  - lines `93.26%`
- Real remaining `Q-004` frontend gaps after this closure:
  - `src/pages/admin/ImportExportPage/ImportExportPage.tsx`
  - `src/pages/NotFoundPage/NotFoundPage.tsx`
  - `src/lib/hooks/useBreadcrumbs.ts`
  - `src/app/providers/ThemeProvider.tsx`
  - additional lower-coverage shared/admin surfaces outside this single pass
- Real remaining hygiene issue:
  - `npm.cmd run test:coverage` still exits successfully but prints one post-summary jsdom `AggregateError` network-noise line.
- Evidence:
  - [`docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-140215.md`](/D:/project/docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-140215.md)