@wopr-network/platform-ui-core 1.27.7 → 1.27.9

package/src/__tests__/layout-snapshots.test.tsx

@@ -1,4 +1,4 @@
-import { render } from "@testing-library/react";
+import { render, screen } from "@testing-library/react";
 import { describe, expect, it, vi } from "vitest";
 
 // --- Mocks ---
@@ -15,7 +15,11 @@ vi.mock("next/font/google", () => ({
 
 vi.mock("better-auth/react", () => ({
   createAuthClient: () => ({
-    useSession: () => ({ data: null, isPending: false, error: null }),
+    useSession: () => ({
+      data: { user: { id: "u1", email: "test@test.com" }, session: { id: "s1" } },
+      isPending: false,
+      error: null,
+    }),
     signIn: { email: vi.fn(), social: vi.fn() },
     signUp: { email: vi.fn() },
     signOut: vi.fn(),
@@ -23,10 +27,30 @@ vi.mock("better-auth/react", () => ({
 }));
 
 vi.mock("@/lib/auth-client", () => ({
-  useSession: () => ({ data: null, isPending: false, error: null }),
+  useSession: () => ({
+    data: { user: { id: "u1", email: "test@test.com" }, session: { id: "s1" } },
+    isPending: false,
+    error: null,
+  }),
   signOut: vi.fn(),
 }));
 
+vi.mock("@/lib/require-auth", () => ({
+  useRequireAuth: () => ({
+    user: { id: "u1", email: "test@test.com" },
+    session: { id: "s1" },
+    isPending: false,
+    isAuthed: true,
+  }),
+  useRequireAdmin: () => ({
+    user: { id: "u1", email: "test@test.com", role: "platform_admin" },
+    session: { id: "s1" },
+    isPending: false,
+    isAuthed: true,
+    isAdmin: true,
+  }),
+}));
+
 vi.mock("@/components/sidebar", () => ({
   Sidebar: () => <div data-testid="sidebar">Sidebar</div>,
   SidebarContent: ({ onNavigate: _o }: { onNavigate?: () => void }) => (
@@ -62,6 +86,22 @@ vi.mock("@/lib/api", () => ({
 vi.mock("@/lib/api-config", () => ({
   SITE_URL: "https://localhost",
   PLATFORM_BASE_URL: "https://localhost",
+  API_BASE_URL: "https://localhost/api",
+}));
+
+vi.mock("@/lib/brand-config", () => ({
+  getBrandConfig: () => ({
+    chatEnabled: true,
+    tenantCookieName: "platform_tenant_id",
+    homePath: "/marketplace",
+    productName: "Platform",
+    brandName: "Platform",
+    domain: "localhost",
+    navItems: [],
+  }),
+  productName: () => "Platform",
+  brandName: () => "Platform",
+  setBrandConfig: vi.fn(),
 }));
 
 vi.mock("@/components/auth/email-verification-banner", () => ({
@@ -102,7 +142,8 @@ describe("Layout snapshots", () => {
         <div>auth child</div>
       </AuthLayout>,
     );
-    expect(container).toMatchSnapshot();
+    expect(container.querySelector(".min-h-screen")).not.toBeNull();
+    expect(container.textContent).toContain("auth child");
   });
 
   it("DashboardLayout renders sidebar + main with mobile sheet", async () => {
@@ -112,7 +153,12 @@ describe("Layout snapshots", () => {
         <div>dashboard child</div>
       </DashboardLayout>,
     );
-    expect(container).toMatchSnapshot();
+    expect(screen.getByTestId("sidebar")).not.toBeNull();
+    expect(container.textContent).toContain("dashboard child");
+    // Desktop layout
+    expect(container.querySelector(".hidden.lg\\:flex")).not.toBeNull();
+    // Mobile layout
+    expect(container.querySelector(".lg\\:hidden")).not.toBeNull();
   });
 
   it("FleetLayout renders sidebar + main", async () => {
@@ -122,7 +168,8 @@ describe("Layout snapshots", () => {
         <div>fleet child</div>
       </FleetLayout>,
     );
-    expect(container).toMatchSnapshot();
+    expect(screen.getByTestId("sidebar")).not.toBeNull();
+    expect(container.textContent).toContain("fleet child");
   });
 
   it("PluginsLayout renders sidebar + main", async () => {
@@ -132,7 +179,8 @@ describe("Layout snapshots", () => {
         <div>plugins child</div>
       </PluginsLayout>,
     );
-    expect(container).toMatchSnapshot();
+    expect(screen.getByTestId("sidebar")).not.toBeNull();
+    expect(container.textContent).toContain("plugins child");
   });
 
   it("AdminLayout renders desktop sidebar + admin nav + mobile fallback", async () => {
@@ -142,7 +190,9 @@ describe("Layout snapshots", () => {
         <div>admin child</div>
       </AdminLayout>,
     );
-    expect(container).toMatchSnapshot();
+    expect(screen.getByTestId("sidebar")).not.toBeNull();
+    expect(screen.getByTestId("admin-nav")).not.toBeNull();
+    expect(container.textContent).toContain("admin child");
   });
 
   it("SettingsLayout renders desktop nav + mobile sheet", async () => {
@@ -152,16 +202,19 @@ describe("Layout snapshots", () => {
         <div>settings child</div>
       </SettingsLayout>,
     );
-    expect(container).toMatchSnapshot();
+    expect(container.textContent).toContain("settings child");
+    expect(container.textContent).toContain("Settings");
   });
 
-  it("BillingLayout renders billing nav sidebar + content area", async () => {
+  it("BillingLayout renders content area + footer", async () => {
     const { default: BillingLayout } = await import("@/app/(dashboard)/billing/layout");
     const { container } = render(
       <BillingLayout>
         <div>billing child</div>
       </BillingLayout>,
     );
-    expect(container).toMatchSnapshot();
+    expect(container.textContent).toContain("billing child");
+    expect(container.textContent).toContain("Terms of Service");
+    expect(container.textContent).toContain("Privacy Policy");
   });
 });

package/src/__tests__/marketplace-admin.test.tsx

@@ -113,9 +113,7 @@ describe("admin-marketplace-api", () => {
       const { updatePlugin } = await import("../lib/admin-marketplace-api");
       mockUpdatePlugin.mockRejectedValue(new Error("tRPC unavailable"));
 
-      await expect(updatePlugin({ id: "discord", notes: "fallback note" })).rejects.toThrow(
-        "tRPC unavailable",
-      );
+      await expect(updatePlugin({ id: "discord", notes: "fallback note" })).rejects.toThrow("tRPC unavailable");
     });
   });
 
@@ -143,9 +141,7 @@ describe("admin-marketplace-api", () => {
       const { addPluginByNpm } = await import("../lib/admin-marketplace-api");
       mockAddPlugin.mockRejectedValue(new Error("tRPC unavailable"));
 
-      await expect(addPluginByNpm({ npm_package: "@wopr-network/plugin-test" })).rejects.toThrow(
-        "tRPC unavailable",
-      );
+      await expect(addPluginByNpm({ npm_package: "@wopr-network/plugin-test" })).rejects.toThrow("tRPC unavailable");
     });
   });
 });

package/src/__tests__/marketplace.test.tsx

@@ -33,11 +33,7 @@ vi.mock("next/navigation", () => ({
 
 // --- Mock next/link ---
 vi.mock("next/link", () => ({
-  default: ({
-    children,
-    href,
-    ...props
-  }: { children: React.ReactNode; href: string } & Record<string, unknown>) => (
+  default: ({ children, href, ...props }: { children: React.ReactNode; href: string } & Record<string, unknown>) => (
     <a href={href} {...props}>
       {children}
     </a>
@@ -307,9 +303,7 @@ describe("PluginDetailPage", () => {
 
   it("renders plugin detail page with manifest info", async () => {
     mockParams.plugin = "discord";
-    const { default: PluginDetailPage } = await import(
-      "../app/(dashboard)/marketplace/[plugin]/page"
-    );
+    const { default: PluginDetailPage } = await import("../app/(dashboard)/marketplace/[plugin]/page");
     renderWithQueryClient(<PluginDetailPage />);
 
     // Wait for loading
@@ -321,9 +315,7 @@ describe("PluginDetailPage", () => {
 
   it("shows not found for invalid plugin id", async () => {
     mockParams.plugin = "nonexistent-plugin";
-    const { default: PluginDetailPage } = await import(
-      "../app/(dashboard)/marketplace/[plugin]/page"
-    );
+    const { default: PluginDetailPage } = await import("../app/(dashboard)/marketplace/[plugin]/page");
     renderWithQueryClient(<PluginDetailPage />);
 
     expect(await screen.findByText("Plugin not found.")).toBeInTheDocument();
@@ -331,9 +323,7 @@ describe("PluginDetailPage", () => {
 
   it("shows hosted adapter info for eligible plugins", async () => {
     mockParams.plugin = "semantic-memory";
-    const { default: PluginDetailPage } = await import(
-      "../app/(dashboard)/marketplace/[plugin]/page"
-    );
+    const { default: PluginDetailPage } = await import("../app/(dashboard)/marketplace/[plugin]/page");
     renderWithQueryClient(<PluginDetailPage />);
 
     await screen.findByText("A Bot That Never Forgets");
@@ -344,9 +334,7 @@ describe("PluginDetailPage", () => {
 
   it("shows requirements for plugins with dependencies", async () => {
     mockParams.plugin = "meeting-transcriber";
-    const { default: PluginDetailPage } = await import(
-      "../app/(dashboard)/marketplace/[plugin]/page"
-    );
+    const { default: PluginDetailPage } = await import("../app/(dashboard)/marketplace/[plugin]/page");
     renderWithQueryClient(<PluginDetailPage />);
 
     await screen.findByText("Fire Your Secretary");
@@ -356,9 +344,7 @@ describe("PluginDetailPage", () => {
   it("opens install wizard when Install button is clicked", async () => {
     const user = userEvent.setup();
     mockParams.plugin = "webhooks";
-    const { default: PluginDetailPage } = await import(
-      "../app/(dashboard)/marketplace/[plugin]/page"
-    );
+    const { default: PluginDetailPage } = await import("../app/(dashboard)/marketplace/[plugin]/page");
     renderWithQueryClient(<PluginDetailPage />);
 
     await screen.findByText("Webhooks");
@@ -371,9 +357,7 @@ describe("PluginDetailPage", () => {
 
   it("shows changelog entries", async () => {
     mockParams.plugin = "discord";
-    const { default: PluginDetailPage } = await import(
-      "../app/(dashboard)/marketplace/[plugin]/page"
-    );
+    const { default: PluginDetailPage } = await import("../app/(dashboard)/marketplace/[plugin]/page");
     renderWithQueryClient(<PluginDetailPage />);
 
     await screen.findByText("Discord");
@@ -389,9 +373,7 @@ describe("PluginDetailPage", () => {
 
   it("shows configuration schema", async () => {
     mockParams.plugin = "discord";
-    const { default: PluginDetailPage } = await import(
-      "../app/(dashboard)/marketplace/[plugin]/page"
-    );
+    const { default: PluginDetailPage } = await import("../app/(dashboard)/marketplace/[plugin]/page");
     renderWithQueryClient(<PluginDetailPage />);
 
     await screen.findByText("Discord");
@@ -405,9 +387,7 @@ describe("PluginDetailPage", () => {
 });
 
 describe("InstallWizard", () => {
-  const mockBots = [
-    { id: "00000000-0000-4000-8000-000000000001", name: "My Bot", state: "running" },
-  ];
+  const mockBots = [{ id: "00000000-0000-4000-8000-000000000001", name: "My Bot", state: "running" }];
 
   beforeEach(() => {
     // Mock fetch for listBots so the wizard doesn't hang on network calls
@@ -458,9 +438,7 @@ describe("InstallWizard", () => {
 
     // First phase is bot-select — wait for bots to load and select one
     const user = userEvent.setup();
-    expect(
-      await screen.findByText("Select which bot to install this plugin on"),
-    ).toBeInTheDocument();
+    expect(await screen.findByText("Select which bot to install this plugin on")).toBeInTheDocument();
 
     // Wait for bots to load
     const botButton = await screen.findByText("My Bot");
@@ -477,9 +455,7 @@ describe("InstallWizard", () => {
 
     // Should now show provider selector
     expect(
-      screen.getByText(
-        "Some capabilities can be provided by Platform Hosted services. Choose for each:",
-      ),
+      screen.getByText("Some capabilities can be provided by Platform Hosted services. Choose for each:"),
     ).toBeInTheDocument();
     expect(screen.getByText("LLM")).toBeInTheDocument();
     expect(screen.getByText("STT")).toBeInTheDocument();

package/src/__tests__/merge-api-rates.test.ts

@@ -21,12 +21,7 @@ describe("mergeApiRates", () => {
       tts: [{ name: "TTS", unit: "1K chars", price: 0.2 }],
     });
 
-    expect(result.map((c) => c.category)).toEqual([
-      "Text Generation",
-      "Voice",
-      "Image Generation",
-      "Messaging",
-    ]);
+    expect(result.map((c) => c.category)).toEqual(["Text Generation", "Voice", "Image Generation", "Messaging"]);
   });
 
   it("handles unknown capability keys with fallback", () => {

package/src/__tests__/middleware.test.ts

@@ -1,5 +1,5 @@
 import { NextRequest } from "next/server";
-import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { afterEach, describe, expect, it, vi } from "vitest";
 import middleware, { config, validateCsrfOrigin } from "../proxy";
 
 /**
@@ -38,118 +38,36 @@ function buildRequest(
   return req;
 }
 
-function isRedirect(res: Response): boolean {
-  return res.status >= 300 && res.status < 400;
-}
-
-function redirectPath(res: Response): string {
-  const loc = res.headers.get("location");
-  if (!loc) return "";
-  try {
-    const u = new URL(loc);
-    return u.pathname + (u.search ? u.search : "");
-  } catch {
-    // Non-URL location string (e.g. relative path) — return as-is
-    return loc;
-  }
-}
-
 function isPassThrough(res: Response): boolean {
   return res.headers.get("x-middleware-next") === "1";
 }
 
 describe("middleware", () => {
-  beforeEach(() => {
-    // Reset to a safe no-session mock by default.
-    // Tests that need fetch (admin routes) stub it themselves.
-    vi.stubGlobal("fetch", vi.fn().mockResolvedValue({ ok: false }));
-    delete process.env.NEXT_PUBLIC_APP_DOMAIN;
-  });
-
   afterEach(() => {
     vi.unstubAllGlobals();
-    delete process.env.NEXT_PUBLIC_APP_DOMAIN;
   });
 
   // ---------------------------------------------------------------------------
-  // Unauthenticated redirects
+  // Pass-through with CSP (middleware no longer does auth — useRequireAuth handles it)
   // ---------------------------------------------------------------------------
-  describe("unauthenticated redirects", () => {
-    it("redirects /dashboard to /login with callbackUrl", async () => {
+  describe("pass-through with CSP", () => {
+    it("passes /dashboard through without session cookie", async () => {
       const req = buildRequest("/dashboard");
       const res = await middleware(req);
-      expect(isRedirect(res)).toBe(true);
-      const loc = redirectPath(res);
-      expect(loc).toContain("/login");
-      expect(loc).toContain("callbackUrl=%2Fdashboard");
+      expect(isPassThrough(res)).toBe(true);
+      expect(res.headers.get("content-security-policy")).not.toBeNull();
     });
 
-    it("redirects /marketplace to /login with callbackUrl", async () => {
+    it("passes /marketplace through without session cookie", async () => {
       const req = buildRequest("/marketplace");
       const res = await middleware(req);
-      expect(isRedirect(res)).toBe(true);
-      expect(redirectPath(res)).toContain("/login");
-      expect(redirectPath(res)).toContain("callbackUrl=%2Fmarketplace");
+      expect(isPassThrough(res)).toBe(true);
     });
 
-    it("redirects /settings to /login", async () => {
+    it("passes /settings through without session cookie", async () => {
       const req = buildRequest("/settings");
       const res = await middleware(req);
-      expect(isRedirect(res)).toBe(true);
-      expect(redirectPath(res)).toContain("/login");
-    });
-
-    it("does not treat an empty session cookie as authenticated", async () => {
-      const req = buildRequest("/dashboard", {
-        cookies: { "better-auth.session_token": "" },
-      });
-      const res = await middleware(req);
-      expect(isRedirect(res)).toBe(true);
-      expect(redirectPath(res)).toContain("/login");
-    });
-
-    it("does not treat a whitespace-only session cookie as authenticated", async () => {
-      const req = buildRequest("/dashboard", {
-        cookies: { "better-auth.session_token": "   " },
-      });
-      const res = await middleware(req);
-      expect(isRedirect(res)).toBe(true);
-      expect(redirectPath(res)).toContain("/login");
-    });
-  });
-
-  // ---------------------------------------------------------------------------
-  // Open redirect prevention — callbackUrl sanitization
-  // ---------------------------------------------------------------------------
-  describe("callbackUrl sanitization (open redirect prevention)", () => {
-    it("sanitizes percent-encoded protocol-relative pathname in callbackUrl", async () => {
-      // /%2F%2Fevil-redirect decodes to //evil-redirect — must be rejected.
-      // Path has no dot so it reaches the session check (not static-file bypass).
-      const req = buildRequest("/%2F%2Fevil-redirect");
-      const res = await middleware(req);
-      expect(isRedirect(res)).toBe(true);
-      const loc = redirectPath(res);
-      expect(loc).toContain("/login");
-      // callbackUrl must be "/" (sanitized), not the malicious path
-      expect(loc).toContain("callbackUrl=%2F");
-      expect(loc).not.toContain("evil-redirect");
-    });
-
-    it("preserves legitimate callbackUrl for normal paths", async () => {
-      const req = buildRequest("/settings/profile");
-      const res = await middleware(req);
-      expect(isRedirect(res)).toBe(true);
-      const loc = redirectPath(res);
-      expect(loc).toContain("callbackUrl=%2Fsettings%2Fprofile");
-    });
-
-    it("sanitizes mixed-case percent-encoded bypass attempts", async () => {
-      // /%2f%2Fevil-redirect also decodes to //evil-redirect — path has no dot.
-      const req = buildRequest("/%2f%2Fevil-redirect");
-      const res = await middleware(req);
-      expect(isRedirect(res)).toBe(true);
-      const loc = redirectPath(res);
-      expect(loc).not.toContain("evil-redirect");
+      expect(isPassThrough(res)).toBe(true);
     });
   });
 
@@ -277,68 +195,42 @@ describe("middleware", () => {
       expect(isPassThrough(res)).toBe(true);
     });
 
-    it("does NOT allow /terms/extra (exact match only, no prefix)", async () => {
+    it("passes /terms/extra through (auth handled client-side)", async () => {
       const req = buildRequest("/terms/extra");
       const res = await middleware(req);
-      expect(isRedirect(res)).toBe(true);
-      expect(redirectPath(res)).toContain("/login");
+      expect(isPassThrough(res)).toBe(true);
     });
 
-    it("does NOT allow /pricing/enterprise (exact match only)", async () => {
+    it("passes /pricing/enterprise through (auth handled client-side)", async () => {
       const req = buildRequest("/pricing/enterprise");
       const res = await middleware(req);
-      expect(isRedirect(res)).toBe(true);
-      expect(redirectPath(res)).toContain("/login");
+      expect(isPassThrough(res)).toBe(true);
     });
 
-    it("does NOT allow /privacy/policy (exact match only)", async () => {
+    it("passes /privacy/policy through (auth handled client-side)", async () => {
       const req = buildRequest("/privacy/policy");
       const res = await middleware(req);
-      expect(isRedirect(res)).toBe(true);
-      expect(redirectPath(res)).toContain("/login");
+      expect(isPassThrough(res)).toBe(true);
     });
   });
 
   // ---------------------------------------------------------------------------
   // Root path (/) — special handling
   // ---------------------------------------------------------------------------
-  describe("root path special handling", () => {
-    it("allows unauthenticated GET / (public exact path)", async () => {
+  describe("root path", () => {
+    it("passes GET / through with CSP (auth handled client-side)", async () => {
       const req = buildRequest("/");
       const res = await middleware(req);
       expect(isPassThrough(res)).toBe(true);
+      expect(res.headers.get("content-security-policy")).not.toBeNull();
     });
 
-    it("redirects authenticated GET / to /marketplace (no app domain configured)", async () => {
-      const req = buildRequest("/", {
-        cookies: { "better-auth.session_token": "valid-token" },
-      });
-      const res = await middleware(req);
-      expect(isRedirect(res)).toBe(true);
-      expect(redirectPath(res)).toBe("/marketplace");
-    });
-
-    it("redirects authenticated GET / to app domain when NEXT_PUBLIC_APP_DOMAIN is set and host is the marketing domain", async () => {
-      process.env.NEXT_PUBLIC_APP_DOMAIN = "app.localhost";
-      const req = buildRequest("/", {
-        cookies: { "better-auth.session_token": "valid-token" },
-        host: "localhost",
-      });
-      const res = await middleware(req);
-      expect(isRedirect(res)).toBe(true);
-      const loc = res.headers.get("location");
-      expect(loc).toBe("https://app.localhost/marketplace");
-    });
-
-    it("redirects authenticated GET / to /marketplace when already on app subdomain", async () => {
-      process.env.NEXT_PUBLIC_APP_DOMAIN = "app.localhost";
+    it("passes authenticated GET / through with CSP", async () => {
       const req = buildRequest("/", {
         cookies: { "better-auth.session_token": "valid-token" },
-        host: "app.localhost",
       });
       const res = await middleware(req);
-      expect(isRedirect(res)).toBe(true);
-      expect(redirectPath(res)).toBe("/marketplace");
+      expect(isPassThrough(res)).toBe(true);
     });
   });
 
@@ -370,11 +262,10 @@ describe("middleware", () => {
       expect(isPassThrough(res)).toBe(true);
     });
 
-    it("redirects unauthenticated GET /api/something to /login", async () => {
+    it("passes /api/something through (auth handled client-side)", async () => {
       const req = buildRequest("/api/something");
       const res = await middleware(req);
-      expect(isRedirect(res)).toBe(true);
-      expect(redirectPath(res)).toContain("/login");
+      expect(isPassThrough(res)).toBe(true);
     });
 
     it("passes /api/something through with a valid session cookie", async () => {
@@ -393,81 +284,20 @@ describe("middleware", () => {
   });
 
   // ---------------------------------------------------------------------------
-  // Admin route authorization — combined with session check
+  // All routes pass through (auth is handled client-side by useRequireAuth)
   // ---------------------------------------------------------------------------
-  describe("admin route authorization", () => {
-    it("redirects unauthenticated /admin to /login (not /marketplace)", async () => {
+  describe("all routes pass through with CSP", () => {
+    it("passes /admin through (auth handled client-side)", async () => {
       const req = buildRequest("/admin");
       const res = await middleware(req);
-      expect(isRedirect(res)).toBe(true);
-      expect(redirectPath(res)).toContain("/login");
-    });
-
-    it("redirects authenticated non-admin to /marketplace when accessing /admin", async () => {
-      vi.stubGlobal(
-        "fetch",
-        vi.fn().mockResolvedValue({
-          ok: true,
-          json: async () => ({ user: { role: "user" } }),
-        }),
-      );
-      const req = buildRequest("/admin", {
-        cookies: { "better-auth.session_token": "valid-token" },
-      });
-      const res = await middleware(req);
-      expect(isRedirect(res)).toBe(true);
-      expect(redirectPath(res)).toBe("/marketplace");
-    });
-
-    it("allows platform_admin through to /admin", async () => {
-      vi.stubGlobal(
-        "fetch",
-        vi.fn().mockResolvedValue({
-          ok: true,
-          json: async () => ({ user: { role: "platform_admin" } }),
-        }),
-      );
-      const req = buildRequest("/admin", {
-        cookies: { "better-auth.session_token": "valid-token" },
-      });
-      const res = await middleware(req);
       expect(isPassThrough(res)).toBe(true);
+      expect(res.headers.get("content-security-policy")).not.toBeNull();
     });
 
-    it("redirects non-admin from /admin/users to /marketplace", async () => {
-      vi.stubGlobal(
-        "fetch",
-        vi.fn().mockResolvedValue({
-          ok: true,
-          json: async () => ({ user: { role: "user" } }),
-        }),
-      );
-      const req = buildRequest("/admin/users", {
-        cookies: { "better-auth.session_token": "valid-token" },
-      });
-      const res = await middleware(req);
-      expect(isRedirect(res)).toBe(true);
-      expect(redirectPath(res)).toBe("/marketplace");
-    });
-
-    it("redirects to /marketplace when session fetch fails (fail closed)", async () => {
-      vi.stubGlobal("fetch", vi.fn().mockRejectedValue(new Error("network error")));
-      const req = buildRequest("/admin", {
-        cookies: { "better-auth.session_token": "valid-token" },
-      });
+    it("passes /admin/users through", async () => {
+      const req = buildRequest("/admin/users");
       const res = await middleware(req);
-      expect(isRedirect(res)).toBe(true);
-      expect(redirectPath(res)).toBe("/marketplace");
-    });
-
-    it("does not call fetch for non-admin routes", async () => {
-      const fetchSpy = vi.fn().mockResolvedValue({ ok: false });
-      vi.stubGlobal("fetch", fetchSpy);
-      const req = buildRequest("/marketplace", {
-        cookies: { "better-auth.session_token": "valid-token" },
-      });
-      await middleware(req);
-      expect(fetchSpy).not.toHaveBeenCalled();
+      expect(isPassThrough(res)).toBe(true);
     });
   });
 
@@ -660,8 +490,8 @@ describe("CSP nonce in middleware", () => {
     expect(csp).toContain("default-src 'self'");
     expect(csp).toMatch(/style-src-elem 'self' 'unsafe-inline' 'nonce-[A-Za-z0-9+/=_-]+'/);
 
-    expect(csp).toContain("img-src 'self' data: blob:");
-    expect(csp).toContain("frame-src https://js.stripe.com");
+    expect(csp).toContain("img-src 'self' data: blob: https:");
+    expect(csp).toContain("frame-src 'self' https://js.stripe.com");
     expect(csp).toContain("frame-ancestors 'none'");
     expect(csp).toContain("object-src 'none'");
   });
@@ -677,23 +507,6 @@ describe("CSP nonce in middleware", () => {
     const res = await middleware(req);
     expect(res.headers.get("vary")).toBe("*");
   });
-
-  it("does not overwrite stricter Cache-Control on admin routes", async () => {
-    vi.stubGlobal(
-      "fetch",
-      vi
-        .fn()
-        .mockResolvedValue(
-          new Response(JSON.stringify({ user: { role: "platform_admin" } }), { status: 200 }),
-        ),
-    );
-    const req = buildRequest("/admin/dashboard", {
-      cookies: { "better-auth.session_token": "valid-token" },
-    });
-    const res = await middleware(req);
-    // Admin route sets stricter cache headers; withCsp should not overwrite
-    expect(res.headers.get("cache-control")).toBe("no-store, no-cache, must-revalidate");
-  });
 });
 
 // ---------------------------------------------------------------------------

package/src/__tests__/next-config-headers.test.ts

@@ -11,9 +11,7 @@ describe("next.config headers", () => {
     expect(headers).toHaveLength(1);
     expect(headers[0].source).toBe("/:path*");
 
-    const headerMap = new Map(
-      headers[0].headers.map((h: { key: string; value: string }) => [h.key, h.value]),
-    );
+    const headerMap = new Map(headers[0].headers.map((h: { key: string; value: string }) => [h.key, h.value]));
     expect(headerMap.get("X-Frame-Options")).toBe("DENY");
     expect(headerMap.get("X-Content-Type-Options")).toBe("nosniff");
     // CSP is now set exclusively by middleware (nonce-based), not next.config.ts