Skip to content

test(verify): M5 — step-up + conformance matrix report#18

Merged
Bccorb merged 1 commit into
mainfrom
verify-stepup-m5
Jun 29, 2026
Merged

test(verify): M5 — step-up + conformance matrix report#18
Bccorb merged 1 commit into
mainfrom
verify-stepup-m5

Conversation

@Bccorb

@Bccorb Bccorb commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Adds M5 of the seamless verify harness: step-up plus a printed conformance matrix.
Full suite is 26/26 green (seamless verify).

The other M5 flows (TOTP, organizations, admin, JWKS) were already covered in earlier
milestones; this closes out the remaining piece (step-up) and the report.

Step-up (api/stepUp)

TOTP MFA via /totp/verify-mfa records a step-up: status goes from fresh: false to
fresh: true (method: totp). It uses the next window's TOTP code, because the API rejects
a code whose counter is not strictly greater than the last used one (enrollment consumes the
current window) and accepts up to +1 of skew.

WebAuthn step-up is not covered here: like OAuth before fells-code/seamless-auth-react#44, the
SDK exposes the methods but has no UI to drive them, and a request-context layer can't run a
real WebAuthn ceremony. It's a natural follow-on once a step-up UI exists.

Conformance matrix (lib/matrixReporter.ts)

A custom Playwright reporter prints a flow x layer (api/adapter/react) grid at the end of the
run, next to the existing JUnit + HTML reports:

  flow            api      adapter  react
  admin           ✓        -        -
  emailOtp        ✓        ✓        ✓
  magicLink       ✓        ✓        ✓
  oauth           ✓        ✓        ✓
  passkey         -        -        ✓
  register        -        ✓        ✓
  stepUp          ✓        -        -
  totp            ✓        -        -
  ...

- api/stepUp: TOTP MFA (/totp/verify-mfa) freshens /step-up/status. Uses the next
  window's code since the API rejects a counter that is not strictly greater than
  the last used one (enrollment consumes the current window).
- matrixReporter: prints a flow x layer (api/adapter/react) grid at the end of the
  run, alongside the existing JUnit + HTML reports. Full suite 26/26.
@Bccorb Bccorb merged commit 0e510aa into main Jun 29, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant