npm - @86d-app/reviews - Versions diffs - 0.0.4 → 0.0.13 - Mend

@86d-app/reviews 0.0.4 → 0.0.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (104) hide show

package/.turbo/turbo-build.log +1 -0
package/AGENTS.md +54 -18
package/README.md +150 -41
package/dist/__tests__/controllers.test.d.ts +2 -0
package/dist/__tests__/controllers.test.d.ts.map +1 -0
package/dist/__tests__/endpoint-security.test.d.ts +2 -0
package/dist/__tests__/endpoint-security.test.d.ts.map +1 -0
package/dist/__tests__/new-features.test.d.ts +2 -0
package/dist/__tests__/new-features.test.d.ts.map +1 -0
package/dist/__tests__/service-impl.test.d.ts +2 -0
package/dist/__tests__/service-impl.test.d.ts.map +1 -0
package/dist/admin/components/index.d.ts +4 -0
package/dist/admin/components/index.d.ts.map +1 -0
package/dist/admin/components/review-analytics.d.ts +2 -0
package/dist/admin/components/review-analytics.d.ts.map +1 -0
package/dist/admin/components/review-list.d.ts +2 -0
package/dist/admin/components/review-list.d.ts.map +1 -0
package/dist/admin/components/review-moderation.d.ts +6 -0
package/dist/admin/components/review-moderation.d.ts.map +1 -0
package/dist/admin/endpoints/approve-review.d.ts +16 -0
package/dist/admin/endpoints/approve-review.d.ts.map +1 -0
package/dist/admin/endpoints/delete-review.d.ts +16 -0
package/dist/admin/endpoints/delete-review.d.ts.map +1 -0
package/dist/admin/endpoints/get-review.d.ts +16 -0
package/dist/admin/endpoints/get-review.d.ts.map +1 -0
package/dist/admin/endpoints/index.d.ts +167 -0
package/dist/admin/endpoints/index.d.ts.map +1 -0
package/dist/admin/endpoints/list-reports.d.ts +17 -0
package/dist/admin/endpoints/list-reports.d.ts.map +1 -0
package/dist/admin/endpoints/list-review-requests.d.ts +11 -0
package/dist/admin/endpoints/list-review-requests.d.ts.map +1 -0
package/dist/admin/endpoints/list-reviews.d.ts +18 -0
package/dist/admin/endpoints/list-reviews.d.ts.map +1 -0
package/dist/admin/endpoints/reject-review.d.ts +16 -0
package/dist/admin/endpoints/reject-review.d.ts.map +1 -0
package/dist/admin/endpoints/respond-review.d.ts +19 -0
package/dist/admin/endpoints/respond-review.d.ts.map +1 -0
package/dist/admin/endpoints/review-analytics.d.ts +6 -0
package/dist/admin/endpoints/review-analytics.d.ts.map +1 -0
package/dist/admin/endpoints/review-request-stats.d.ts +6 -0
package/dist/admin/endpoints/review-request-stats.d.ts.map +1 -0
package/dist/admin/endpoints/send-review-request.d.ts +23 -0
package/dist/admin/endpoints/send-review-request.d.ts.map +1 -0
package/dist/admin/endpoints/update-report.d.ts +22 -0
package/dist/admin/endpoints/update-report.d.ts.map +1 -0
package/dist/index.d.ts +8 -0
package/dist/index.d.ts.map +1 -0
package/dist/schema.d.ts +136 -0
package/dist/schema.d.ts.map +1 -0
package/dist/service-impl.d.ts +6 -0
package/dist/service-impl.d.ts.map +1 -0
package/dist/service.d.ts +149 -0
package/dist/service.d.ts.map +1 -0
package/dist/store/components/_hooks.d.ts +6 -0
package/dist/store/components/_hooks.d.ts.map +1 -0
package/dist/store/components/_utils.d.ts +3 -0
package/dist/store/components/_utils.d.ts.map +1 -0
package/dist/store/components/distribution-bars.d.ts +5 -0
package/dist/store/components/distribution-bars.d.ts.map +1 -0
package/dist/store/components/index.d.ts +18 -0
package/dist/store/components/index.d.ts.map +1 -0
package/dist/store/components/product-reviews.d.ts +5 -0
package/dist/store/components/product-reviews.d.ts.map +1 -0
package/dist/store/components/review-card.d.ts +18 -0
package/dist/store/components/review-card.d.ts.map +1 -0
package/dist/store/components/review-form.d.ts +5 -0
package/dist/store/components/review-form.d.ts.map +1 -0
package/dist/store/components/reviews-summary.d.ts +4 -0
package/dist/store/components/reviews-summary.d.ts.map +1 -0
package/dist/store/components/star-display.d.ts +5 -0
package/dist/store/components/star-display.d.ts.map +1 -0
package/dist/store/components/star-picker.d.ts +5 -0
package/dist/store/components/star-picker.d.ts.map +1 -0
package/dist/store/endpoints/index.d.ts +116 -0
package/dist/store/endpoints/index.d.ts.map +1 -0
package/dist/store/endpoints/list-my-reviews.d.ts +30 -0
package/dist/store/endpoints/list-my-reviews.d.ts.map +1 -0
package/dist/store/endpoints/list-product-reviews.d.ts +23 -0
package/dist/store/endpoints/list-product-reviews.d.ts.map +1 -0
package/dist/store/endpoints/mark-helpful.d.ts +18 -0
package/dist/store/endpoints/mark-helpful.d.ts.map +1 -0
package/dist/store/endpoints/report-review.d.ts +27 -0
package/dist/store/endpoints/report-review.d.ts.map +1 -0
package/dist/store/endpoints/submit-review.d.ts +25 -0
package/dist/store/endpoints/submit-review.d.ts.map +1 -0
package/package.json +3 -3
package/src/__tests__/controllers.test.ts +1074 -0
package/src/__tests__/endpoint-security.test.ts +559 -0
package/src/__tests__/new-features.test.ts +618 -0
package/src/__tests__/service-impl.test.ts +1 -1
package/src/admin/endpoints/index.ts +4 -0
package/src/admin/endpoints/list-reports.ts +25 -0
package/src/admin/endpoints/update-report.ts +22 -0
package/src/index.ts +7 -1
package/src/schema.ts +28 -0
package/src/service-impl.ts +151 -3
package/src/service.ts +61 -0
package/src/store/endpoints/index.ts +2 -0
package/src/store/endpoints/list-my-reviews.ts +1 -1
package/src/store/endpoints/list-product-reviews.ts +6 -2
package/src/store/endpoints/mark-helpful.ts +21 -2
package/src/store/endpoints/report-review.ts +38 -0
package/src/store/endpoints/submit-review.ts +33 -7
package/COMPONENTS.md +0 -34

package/src/__tests__/endpoint-security.test.ts ADDED Viewed

@@ -0,0 +1,559 @@
+import { createMockDataService } from "@86d-app/core/test-utils";
+import { beforeEach, describe, expect, it } from "vitest";
+import type { Review } from "../service";
+import { createReviewController } from "../service-impl";
+/**
+ * Security regression tests for reviews endpoints.
+ *
+ * Covers: identity derivation, trust elevation prevention, ownership isolation,
+ * nonexistent resource guards, moderation integrity, review request deduplication,
+ * analytics accuracy, and data isolation.
+ */
+describe("reviews endpoint security", () => {
+	let mockData: ReturnType<typeof createMockDataService>;
+	let controller: ReturnType<typeof createReviewController>;
+	beforeEach(() => {
+		mockData = createMockDataService();
+		controller = createReviewController(mockData);
+	});
+	/** Helper to create a review with sensible defaults. */
+	async function seedReview(
+		overrides: Partial<Parameters<typeof controller.createReview>[0]> = {},
+	): Promise<Review> {
+		return controller.createReview({
+			productId: "prod_1",
+			authorName: "Test User",
+			authorEmail: "test@example.com",
+			rating: 4,
+			body: "Test review body",
+			isVerifiedPurchase: false,
+			...overrides,
+		});
+	}
+	// ── Identity & Trust Elevation ──────────────────────────────────────
+	describe("customerId server-derivation", () => {
+		it("creates review with customerId=undefined for guest users", async () => {
+			const review = await seedReview({ customerId: undefined });
+			expect(review.id).toBeDefined();
+			expect(review.customerId).toBeUndefined();
+			expect(review.isVerifiedPurchase).toBe(false);
+		});
+		it("creates review with server-provided customerId", async () => {
+			const review = await seedReview({ customerId: "session_user_id" });
+			expect(review.customerId).toBe("session_user_id");
+		});
+		it("isVerifiedPurchase defaults to false from endpoint", async () => {
+			const review = await seedReview({ isVerifiedPurchase: false });
+			expect(review.isVerifiedPurchase).toBe(false);
+		});
+		it("isVerifiedPurchase cannot be elevated by passing true when autoApprove is off", async () => {
+			// Even if the controller receives isVerifiedPurchase=true, the endpoint
+			// should always pass false. Here we verify the controller stores whatever
+			// it receives, proving the endpoint is the trust boundary.
+			const review = await seedReview({ isVerifiedPurchase: true });
+			expect(review.isVerifiedPurchase).toBe(true); // controller stores it
+			// The ENDPOINT never passes true — this test documents the controller's role.
+		});
+	});
+	// ── Review Status & Default Behavior ────────────────────────────────
+	describe("review status defaults", () => {
+		it("new reviews default to pending status", async () => {
+			const review = await seedReview();
+			expect(review.status).toBe("pending");
+		});
+		it("new reviews with autoApprove enabled default to approved", async () => {
+			const autoController = createReviewController(mockData, {
+				autoApprove: true,
+			});
+			const review = await autoController.createReview({
+				productId: "prod_1",
+				authorName: "Auto User",
+				authorEmail: "auto@example.com",
+				rating: 5,
+				body: "Great!",
+				isVerifiedPurchase: false,
+			});
+			expect(review.status).toBe("approved");
+		});
+		it("helpfulCount starts at zero", async () => {
+			const review = await seedReview();
+			expect(review.helpfulCount).toBe(0);
+		});
+		it("merchantResponse starts as undefined", async () => {
+			const review = await seedReview();
+			expect(review.merchantResponse).toBeUndefined();
+		});
+	});
+	// ── Ownership Isolation ─────────────────────────────────────────────
+	describe("customer review isolation", () => {
+		it("listReviewsByCustomer returns only that customer's reviews", async () => {
+			await seedReview({
+				customerId: "customer_A",
+				authorEmail: "a@example.com",
+			});
+			await seedReview({
+				customerId: "customer_B",
+				authorEmail: "b@example.com",
+			});
+			await seedReview({
+				customerId: "customer_A",
+				authorEmail: "a@example.com",
+				productId: "prod_2",
+			});
+			const { reviews, total } =
+				await controller.listReviewsByCustomer("customer_A");
+			expect(total).toBe(2);
+			for (const r of reviews) {
+				expect(r.customerId).toBe("customer_A");
+			}
+		});
+		it("listReviewsByCustomer returns empty for unknown customer", async () => {
+			await seedReview({ customerId: "customer_A" });
+			const { reviews, total } =
+				await controller.listReviewsByCustomer("nonexistent");
+			expect(total).toBe(0);
+			expect(reviews).toHaveLength(0);
+		});
+		it("listReviewsByCustomer respects status filter", async () => {
+			const r1 = await seedReview({
+				customerId: "cust_1",
+				productId: "p1",
+			});
+			await seedReview({ customerId: "cust_1", productId: "p2" });
+			await controller.updateReviewStatus(r1.id, "approved");
+			const { reviews } = await controller.listReviewsByCustomer("cust_1", {
+				status: "approved",
+			});
+			expect(reviews).toHaveLength(1);
+			expect(reviews[0]?.productId).toBe("p1");
+		});
+	});
+	// ── Product Review Isolation ────────────────────────────────────────
+	describe("product review isolation", () => {
+		it("listReviewsByProduct returns only that product's reviews", async () => {
+			await seedReview({ productId: "prod_A" });
+			await seedReview({ productId: "prod_B" });
+			await seedReview({ productId: "prod_A", rating: 3 });
+			const reviews = await controller.listReviewsByProduct("prod_A");
+			expect(reviews).toHaveLength(2);
+			for (const r of reviews) {
+				expect(r.productId).toBe("prod_A");
+			}
+		});
+		it("listReviewsByProduct with approvedOnly excludes pending/rejected", async () => {
+			const r1 = await seedReview({ productId: "prod_X" });
+			const r2 = await seedReview({
+				productId: "prod_X",
+				authorEmail: "b@test.com",
+			});
+			await seedReview({
+				productId: "prod_X",
+				authorEmail: "c@test.com",
+			});
+			await controller.updateReviewStatus(r1.id, "approved");
+			await controller.updateReviewStatus(r2.id, "rejected");
+			const reviews = await controller.listReviewsByProduct("prod_X", {
+				approvedOnly: true,
+			});
+			expect(reviews).toHaveLength(1);
+			expect(reviews[0]?.id).toBe(r1.id);
+		});
+		it("rating summary only includes approved reviews", async () => {
+			const r1 = await seedReview({ productId: "sum_p", rating: 5 });
+			await seedReview({
+				productId: "sum_p",
+				rating: 1,
+				authorEmail: "x@test.com",
+			});
+			await controller.updateReviewStatus(r1.id, "approved");
+			// Second review stays pending
+			const summary = await controller.getProductRatingSummary("sum_p");
+			expect(summary.count).toBe(1);
+			expect(summary.average).toBe(5);
+		});
+	});
+	// ── Nonexistent Resource Guards ─────────────────────────────────────
+	describe("nonexistent resource handling", () => {
+		it("getReview returns null for fabricated ID", async () => {
+			const result = await controller.getReview("nonexistent_id");
+			expect(result).toBeNull();
+		});
+		it("updateReviewStatus returns null for fabricated ID", async () => {
+			const result = await controller.updateReviewStatus(
+				"nonexistent_id",
+				"approved",
+			);
+			expect(result).toBeNull();
+		});
+		it("deleteReview returns false for fabricated ID", async () => {
+			const result = await controller.deleteReview("nonexistent_id");
+			expect(result).toBe(false);
+		});
+		it("addMerchantResponse returns null for fabricated ID", async () => {
+			const result = await controller.addMerchantResponse(
+				"nonexistent_id",
+				"Thanks!",
+			);
+			expect(result).toBeNull();
+		});
+		it("markHelpful returns null for fabricated ID", async () => {
+			const result = await controller.markHelpful("nonexistent_id");
+			expect(result).toBeNull();
+		});
+	});
+	// ── Moderation Integrity ────────────────────────────────────────────
+	describe("moderation integrity", () => {
+		it("approve sets status to approved and updates timestamp", async () => {
+			const review = await seedReview();
+			const approved = await controller.updateReviewStatus(
+				review.id,
+				"approved",
+			);
+			expect(approved?.status).toBe("approved");
+			expect(approved?.updatedAt.getTime()).toBeGreaterThanOrEqual(
+				review.updatedAt.getTime(),
+			);
+		});
+		it("reject sets status to rejected", async () => {
+			const review = await seedReview();
+			const rejected = await controller.updateReviewStatus(
+				review.id,
+				"rejected",
+			);
+			expect(rejected?.status).toBe("rejected");
+		});
+		it("reject with moderation note preserves the note", async () => {
+			const review = await seedReview();
+			const rejected = await controller.updateReviewStatus(
+				review.id,
+				"rejected",
+				"Spam content detected",
+			);
+			expect(rejected?.moderationNote).toBe("Spam content detected");
+		});
+		it("re-approving a rejected review changes status back", async () => {
+			const review = await seedReview();
+			await controller.updateReviewStatus(review.id, "rejected");
+			const reapproved = await controller.updateReviewStatus(
+				review.id,
+				"approved",
+			);
+			expect(reapproved?.status).toBe("approved");
+		});
+		it("delete removes the review permanently", async () => {
+			const review = await seedReview();
+			const deleted = await controller.deleteReview(review.id);
+			expect(deleted).toBe(true);
+			const found = await controller.getReview(review.id);
+			expect(found).toBeNull();
+		});
+		it("merchant response sets response text and timestamp", async () => {
+			const review = await seedReview();
+			const responded = await controller.addMerchantResponse(
+				review.id,
+				"Thank you for your feedback!",
+			);
+			expect(responded?.merchantResponse).toBe("Thank you for your feedback!");
+			expect(responded?.merchantResponseAt).toBeDefined();
+		});
+		it("merchant response can be overwritten", async () => {
+			const review = await seedReview();
+			await controller.addMerchantResponse(review.id, "First response");
+			const updated = await controller.addMerchantResponse(
+				review.id,
+				"Updated response",
+			);
+			expect(updated?.merchantResponse).toBe("Updated response");
+		});
+	});
+	// ── Helpful Count Integrity ─────────────────────────────────────────
+	describe("helpful count integrity", () => {
+		it("markHelpful increments count by exactly one", async () => {
+			const review = await seedReview();
+			const after = await controller.markHelpful(review.id);
+			expect(after?.helpfulCount).toBe(1);
+		});
+		it("multiple markHelpful calls accumulate correctly", async () => {
+			const review = await seedReview();
+			await controller.markHelpful(review.id);
+			await controller.markHelpful(review.id);
+			const after = await controller.markHelpful(review.id);
+			expect(after?.helpfulCount).toBe(3);
+		});
+		it("markHelpful on one review does not affect another", async () => {
+			const r1 = await seedReview({ productId: "p1" });
+			const r2 = await seedReview({
+				productId: "p2",
+				authorEmail: "other@test.com",
+			});
+			await controller.markHelpful(r1.id);
+			await controller.markHelpful(r1.id);
+			const r2Updated = await controller.getReview(r2.id);
+			expect(r2Updated?.helpfulCount).toBe(0);
+		});
+	});
+	// ── Review Request Deduplication ────────────────────────────────────
+	describe("review request deduplication", () => {
+		it("createReviewRequest succeeds for new orderId", async () => {
+			const request = await controller.createReviewRequest({
+				orderId: "order_1",
+				orderNumber: "ORD-001",
+				email: "customer@example.com",
+				customerName: "John",
+				items: [{ productId: "prod_1", name: "Widget" }],
+			});
+			expect(request.id).toBeDefined();
+			expect(request.orderId).toBe("order_1");
+		});
+		it("getReviewRequest finds existing request by orderId", async () => {
+			await controller.createReviewRequest({
+				orderId: "order_dup",
+				orderNumber: "ORD-002",
+				email: "dup@example.com",
+				customerName: "Jane",
+				items: [{ productId: "prod_1", name: "Gadget" }],
+			});
+			const found = await controller.getReviewRequest("order_dup");
+			expect(found).not.toBeNull();
+			expect(found?.orderId).toBe("order_dup");
+		});
+		it("getReviewRequest returns null for unknown orderId", async () => {
+			const found = await controller.getReviewRequest("no_such_order");
+			expect(found).toBeNull();
+		});
+	});
+	// ── Analytics Accuracy ──────────────────────────────────────────────
+	describe("analytics accuracy", () => {
+		it("empty store returns zeroed analytics", async () => {
+			const analytics = await controller.getReviewAnalytics();
+			expect(analytics.totalReviews).toBe(0);
+			expect(analytics.pendingCount).toBe(0);
+			expect(analytics.approvedCount).toBe(0);
+			expect(analytics.rejectedCount).toBe(0);
+			expect(analytics.averageRating).toBe(0);
+			expect(analytics.withMerchantResponse).toBe(0);
+		});
+		it("counts reflect correct status distribution after moderation", async () => {
+			const r1 = await seedReview({ rating: 5 });
+			const r2 = await seedReview({
+				rating: 3,
+				authorEmail: "a@test.com",
+			});
+			await seedReview({ rating: 4, authorEmail: "b@test.com" });
+			await controller.updateReviewStatus(r1.id, "approved");
+			await controller.updateReviewStatus(r2.id, "rejected");
+			const analytics = await controller.getReviewAnalytics();
+			expect(analytics.totalReviews).toBe(3);
+			expect(analytics.approvedCount).toBe(1);
+			expect(analytics.rejectedCount).toBe(1);
+			expect(analytics.pendingCount).toBe(1);
+		});
+		it("average rating computed correctly", async () => {
+			await seedReview({ rating: 5, authorEmail: "a@test.com" });
+			await seedReview({ rating: 3, authorEmail: "b@test.com" });
+			await seedReview({ rating: 4, authorEmail: "c@test.com" });
+			const analytics = await controller.getReviewAnalytics();
+			expect(analytics.averageRating).toBe(4); // (5+3+4)/3 = 4.0
+		});
+		it("ratings distribution tracks per-star counts", async () => {
+			await seedReview({ rating: 5, authorEmail: "a@test.com" });
+			await seedReview({ rating: 5, authorEmail: "b@test.com" });
+			await seedReview({ rating: 3, authorEmail: "c@test.com" });
+			await seedReview({ rating: 1, authorEmail: "d@test.com" });
+			const analytics = await controller.getReviewAnalytics();
+			expect(analytics.ratingsDistribution["5"]).toBe(2);
+			expect(analytics.ratingsDistribution["3"]).toBe(1);
+			expect(analytics.ratingsDistribution["1"]).toBe(1);
+			expect(analytics.ratingsDistribution["2"]).toBe(0);
+			expect(analytics.ratingsDistribution["4"]).toBe(0);
+		});
+		it("withMerchantResponse counts reviews that have responses", async () => {
+			const r1 = await seedReview({ authorEmail: "a@test.com" });
+			await seedReview({ authorEmail: "b@test.com" });
+			await controller.addMerchantResponse(r1.id, "Thanks!");
+			const analytics = await controller.getReviewAnalytics();
+			expect(analytics.withMerchantResponse).toBe(1);
+		});
+		it("deleted reviews excluded from analytics", async () => {
+			const r1 = await seedReview({ authorEmail: "a@test.com" });
+			await seedReview({ authorEmail: "b@test.com" });
+			await controller.deleteReview(r1.id);
+			const analytics = await controller.getReviewAnalytics();
+			expect(analytics.totalReviews).toBe(1);
+		});
+	});
+	// ── Review Request Stats ────────────────────────────────────────────
+	describe("review request stats", () => {
+		it("empty stats returns zeroes", async () => {
+			const stats = await controller.getReviewRequestStats();
+			expect(stats.totalSent).toBe(0);
+			expect(stats.uniqueOrders).toBe(0);
+		});
+		it("counts unique orders correctly", async () => {
+			await controller.createReviewRequest({
+				orderId: "o1",
+				orderNumber: "ORD-1",
+				email: "a@test.com",
+				customerName: "A",
+				items: [{ productId: "p1", name: "Item 1" }],
+			});
+			await controller.createReviewRequest({
+				orderId: "o2",
+				orderNumber: "ORD-2",
+				email: "b@test.com",
+				customerName: "B",
+				items: [{ productId: "p2", name: "Item 2" }],
+			});
+			const stats = await controller.getReviewRequestStats();
+			expect(stats.totalSent).toBe(2);
+			expect(stats.uniqueOrders).toBe(2);
+		});
+	});
+	// ── Product Rating Summary Edge Cases ───────────────────────────────
+	describe("product rating summary edge cases", () => {
+		it("empty product returns zero summary", async () => {
+			const summary =
+				await controller.getProductRatingSummary("no_reviews_product");
+			expect(summary.average).toBe(0);
+			expect(summary.count).toBe(0);
+		});
+		it("single approved review produces correct summary", async () => {
+			const r = await seedReview({ productId: "single_p", rating: 3 });
+			await controller.updateReviewStatus(r.id, "approved");
+			const summary = await controller.getProductRatingSummary("single_p");
+			expect(summary.average).toBe(3);
+			expect(summary.count).toBe(1);
+			expect(summary.distribution["3"]).toBe(1);
+		});
+		it("only approved reviews counted in summary", async () => {
+			const r1 = await seedReview({
+				productId: "mixed_p",
+				rating: 5,
+				authorEmail: "a@test.com",
+			});
+			await seedReview({
+				productId: "mixed_p",
+				rating: 1,
+				authorEmail: "b@test.com",
+			});
+			await controller.updateReviewStatus(r1.id, "approved");
+			const summary = await controller.getProductRatingSummary("mixed_p");
+			expect(summary.count).toBe(1);
+			expect(summary.average).toBe(5);
+			expect(summary.distribution["1"]).toBe(0);
+		});
+	});
+	// ── Pagination ──────────────────────────────────────────────────────
+	describe("pagination bounds", () => {
+		it("listReviewsByCustomer respects take and skip", async () => {
+			for (let i = 0; i < 5; i++) {
+				await seedReview({
+					customerId: "paginated_cust",
+					authorEmail: `u${i}@test.com`,
+					productId: `p${i}`,
+				});
+			}
+			const { reviews, total } = await controller.listReviewsByCustomer(
+				"paginated_cust",
+				{ take: 2, skip: 1 },
+			);
+			expect(total).toBe(5);
+			expect(reviews).toHaveLength(2);
+		});
+		it("listReviews respects take parameter", async () => {
+			for (let i = 0; i < 5; i++) {
+				await seedReview({
+					authorEmail: `list${i}@test.com`,
+					productId: `lp${i}`,
+				});
+			}
+			const reviews = await controller.listReviews({ take: 3 });
+			expect(reviews.length).toBeLessThanOrEqual(3);
+		});
+	});
+});