Skip to main content

Automated testing scope (RSMS suite)

This document lists functionality, design decisions, and risk areas that merit automated tests, grounded in the current codebase and repository documentation. It is a coverage checklist, not a test plan with cases or owners.

Related docs: rsms-api-fastapi/docs/design-decisions.md, rsms-api-fastapi/docs/auth-planning.md, rsms-api-fastapi/docs/auth-implementation.md, rsms-results-storage-design, rsms-engine-data-flow, rsms-worker-implementation-plan, rsms-mass-balance-legacy-parity, rsms-master-tasklist.


1. Goals and test layers

LayerTypical scopeSuites in this repo today
UnitPure helpers (IDs, domain parsing, JSON rounding, bag merge logic)rsms-api-fastapi/tests/, rsms-worker-function/tests/ (partial)
Service / API integrationFastAPI TestClient + dependency overrides or fakes for AzureSparse
Worker integrationQueue message → local run folder (optional; often slow / needs EXEs)Minimal
E2EBrowser + real or dockerized backendsNone for React

Prioritize unit + API integration for the FastAPI service; add contract tests between API and worker payloads.


2. RSMS API (FastAPI) — authentication and sessions

Documented in rsms-api-fastapi/docs/auth-implementation.md and rsms-api-fastapi/docs/auth-planning.md.

TopicWhy testNotes
LoginCore entry; password verify + JWT shapeWrong password → 401; success → access + refresh tokens
RefreshSPA longevityValid refresh → new access; invalid / wrong type → 401
Access JWTAll protected routesMissing / malformed / expired → 401 with WWW-Authenticate
Token payloadSecuritysub must be UUID; type: "access" enforced; user must exist in store
GET /auth/meClient bootstrapReturns user without password; 401 if not logged in
LogoutContractIf implemented as stateless, document behavior; any cookie clearing
Password hashingRegressionbcrypt verify path; do not store plaintext
JWT settingsOpsJWT_ACCESS_TOKEN_EXPIRE_MINUTES, JWT_REFRESH_TOKEN_EXPIRE_DAYS, algorithm HS256

3. RSMS API — role-based authorization (RBAC)

Matrix from rsms-api-fastapi/docs/auth-planning.md and rsms-api-fastapi/docs/auth-implementation.md.

Areasuper_adminanalystviewer
User CRUD (/users)Allow403403
POST/PUT/DELETE riverbasinAllow403403
GET riverbasinAllowAllowAllow
POST/PUT/DELETE scenarioAllowAllow403
GET scenario / listAllowAllowAllow (subject to domain rules below)
POST …/run (enqueue)AllowAllow403
GET …/engine-files.zipAllowAllow403 (if unchanged)

Automated checks: fixed user fixtures per role + TestClient; assert exact HTTP status (401 vs 403).


4. RSMS API — scenario author domain (tenant-style gate)

Implementations: app/auth/scenario_domain.py, RSMS_SCENARIO_DOMAIN_ENFORCEMENT in config, guards in app/main.py and app/results/service.py.

TopicWhy test
Domain extractionNormalization; invalid emails
Same domain vs other domainCore policy
super_admin bypassMust not regress
Legacy / non-email authorLocked out for non-admin
Toggle RSMS_SCENARIO_DOMAIN_ENFORCEMENT=falseDev / migration
Results routesSame as scenario read
404 vs 403Product choice

5. RSMS API — scenario author immutability

Design: author is server-set on create; not on ScenarioCreate / ScenarioUpdate models.

TopicWhy test
PUT body must not change authorEven if clients send extra JSON
POST createauthor in response matches authenticated user email

6. RSMS API — IDs and entity hierarchy

Docs: rsms-api-fastapi/docs/design-decisions.md (note: prose still mentions UUIDs in places; implementation uses R-YYMMDD-xxx / S-YYMMDD-xxx in app/ids.py).

TopicWhy test
normalize_riverbasin_id / normalize_scenario_idRegex, casing, whitespace
HTTP mappingUser-facing errors
next_*_idCollision avoidance
Scenario partition keyData model
Run + zip: basin matchSafety

7. RSMS API — Azure Table / blob behavior (with fakes)

TopicWhy test
In-memory fallbackDev without Azure
Scenario JSON bagsRegression
Status coercionLegacy strings
spill_date_epoch vs scenario_created_at_epochField semantics
Riverbasin createSize limits, 503
Delete riverbasin cascadeData loss path
Delete scenarioResults cleanup

8. RSMS API — worker queue and engine artifacts

TopicWhy test
Enqueue payloadContract with worker
503 when queue not configuredOps
202 + status QueuedUX
Engine zipEmpty vs zip stream

9. RSMS API — results read path

Docs: rsms-results-storage-design (§2–4, JSON rounding).

TopicWhy test
Plume table decodeBinary float32 layouts
Concentration JSON roundingStable API
Mile / hour axis roundingAvoid float tails
Missing scenario / wrong basinErrors
Mass balance + edge JSONBlob read path
RMI / river-mile axisGeometry
RESULTS_API_ENABLEDFeature flag

10. RSMS worker (rsms-worker-function)

Docs: rsms-engine-data-flow, rsms-worker-ohio-riverflows-tls.

TopicWhy test
Queue message parsingContract
ID helpers parity with APISingle contract
RMI/blob helpersInput validation
nfq_from_api / RiverFlows clientProduction fragility
Results write pathSSOT alignment
Engine workflow (full)Expensive

11. RiverFlows API (Django) — if treated as part of the suite

Not required for “RSMS API only,” but worker depends on it.

TopicWhy test
multi-riverflows-duration (or equivalent)Worker NFQ merge
AuthIf any
TLS / hostAlign with rsms-worker-ohio-riverflows-tls

12. Frontend (rsms-frontend-react)

No automated tests are present today; high-value targets:

TopicWhy testSuggested tool
Auth: token attach, 401 → loginCore UXVitest + MSW, or Playwright
Role-gated UIMatch RBACComponent tests: hide run/create for viewer
Scenario list / detailDomain errorsMock API 404 for foreign scenario
Results chartsRegressionVisual or data snapshot with fixed API fixtures
RoutingDeep linksE2E: ScenariosPage / ResultsPage URL-driven state (see in-file comments in rsms-frontend-react/src/pages/ScenariosPage.jsx)

13. Cross-cutting and non-functional

TopicWhy test
CORS configurationSPA + API split
Trusted hostsProduction hardening
Logging / healthOps
Mass balance parityScience trust

14. Suggested priorities (pragmatic)

  1. P0 — API: RBAC matrix + domain access + results guard (integration tests with auth overrides and fake storage).
  2. P0 — API: ID normalization and “scenario not in basin” on run/zip.
  3. P1 — API: Scenario bag merge / status coercion; enqueue + Queued update.
  4. P1 — Worker: Queue payload + ID parity tests run in CI on every PR.
  5. P2 — Results: Rounding and tolerance behavior (table-driven unit tests from design doc).
  6. P2 — Frontend: Smoke E2E login + one scenario flow.
  7. P3 — Full engine: Nightly or manual pipeline with real EXEs.

15. Maintenance

When design docs change (storage keys, roles, domain policy, ID format), update this document and add or adjust tests in the same change. When OpenAPI changes, regenerate or refresh client fixtures used in integration tests.