[

{
    "file": "backend/src/api/routes/__tests__/test_dashboards.py",
    "verdict": "APPROVED",
    "rejection_reason": "NONE",
    "audit_details": {
      "target_invoked": true,
      "pre_conditions_tested": true,
      "post_conditions_tested": true,
      "test_data_used": true
    },
    "feedback": "All 9 previous findings remediated. @TEST_FIXTURE data aligned, all @TEST_EDGE scenarios covered, all @PRE negative tests present, all @SIDE_EFFECT assertions added. Full contract compliance."
  },
  {
    "file": "backend/src/api/routes/__tests__/test_datasets.py",
    "verdict": "APPROVED",
    "rejection_reason": "NONE",
    "audit_details": {
      "target_invoked": true,
      "pre_conditions_tested": true,
      "post_conditions_tested": true,
      "test_data_used": true
    },
    "feedback": "All 6 previous findings remediated. Full @PRE boundary coverage including page_size>100, empty IDs, missing env. @SIDE_EFFECT assertions added. 503 error path tested."
  },
  {
    "file": "backend/src/core/auth/__tests__/test_auth.py",
    "verdict": "APPROVED",
    "rejection_reason": "NONE",
    "audit_details": {
      "target_invoked": true,
      "pre_conditions_tested": true,
      "post_conditions_tested": true,
      "test_data_used": true
    },
    "feedback": "All 4 previous findings remediated. @SIDE_EFFECT last_login verified. Inactive user @PRE negative test added. Empty hash edge case covered. provision_adfs_user tested for both new and existing user paths."
  },
  {
    "file": "backend/src/services/__tests__/test_resource_service.py",
    "verdict": "APPROVED",
    "rejection_reason": "NONE",
    "audit_details": {
      "target_invoked": true,
      "pre_conditions_tested": true,
      "post_conditions_tested": true,
      "test_data_used": true
    },
    "feedback": "Both prior recommendations implemented. Full edge case coverage for _get_last_task_for_resource. No anti-patterns detected."
  },
  {
    "file": "backend/tests/test_resource_hubs.py",
    "verdict": "APPROVED",
    "rejection_reason": "NONE",
    "audit_details": {
      "target_invoked": true,
      "pre_conditions_tested": true,
      "post_conditions_tested": true,
      "test_data_used": true
    },
    "feedback": "Pagination boundary tests added. All @TEST_EDGE scenarios now covered. No anti-patterns detected."
  },
  {
    "file": "frontend/src/lib/components/assistant/__tests__/assistant_chat.integration.test.js",
    "verdict": "APPROVED",
    "rejection_reason": "NONE",
    "audit_details": {
      "target_invoked": true,
      "pre_conditions_tested": true,
      "post_conditions_tested": true,
      "test_data_used": true
    },
    "feedback": "No changes since previous audit. Contract scanning remains sound."
  },
  {
    "file": "frontend/src/lib/components/assistant/__tests__/assistant_confirmation.integration.test.js",
    "verdict": "APPROVED",
    "rejection_reason": "NONE",
    "audit_details": {
      "target_invoked": true,
      "pre_conditions_tested": true,
      "post_conditions_tested": true,
      "test_data_used": true
    },
    "feedback": "No changes since previous audit. Confirmation flow testing remains sound."
  }
]

backend/src/core/auth/__tests__/test_auth.py

@@ -14,6 +14,8 @@ import pytest
 from sqlalchemy import create_engine
 from sqlalchemy.orm import sessionmaker
 from src.core.database import Base
+# Import all models to ensure they are registered with Base before create_all - must import both auth and mapping to ensure Base knows about all tables
+from src.models import mapping, auth, task, report
 from src.models.auth import User, Role, Permission, ADGroupMapping
 from src.services.auth_service import AuthService
 from src.core.auth.repository import AuthRepository
@@ -176,4 +178,94 @@ def test_ad_group_mapping(auth_repo):
     assert retrieved_mapping.role_id == role.id
 
 
+def test_authenticate_user_updates_last_login(auth_service, auth_repo):
+    """@SIDE_EFFECT: authenticate_user updates last_login timestamp on success."""
+    user = User(
+        username="loginuser",
+        email="login@example.com",
+        password_hash=get_password_hash("mypassword"),
+        auth_source="LOCAL"
+    )
+    auth_repo.db.add(user)
+    auth_repo.db.commit()
+
+    assert user.last_login is None
+
+    authenticated = auth_service.authenticate_user("loginuser", "mypassword")
+    assert authenticated is not None
+    assert authenticated.last_login is not None
+
+
+def test_authenticate_inactive_user(auth_service, auth_repo):
+    """@PRE: User with is_active=False should not authenticate."""
+    user = User(
+        username="inactive_user",
+        email="inactive@example.com",
+        password_hash=get_password_hash("testpass"),
+        auth_source="LOCAL",
+        is_active=False
+    )
+    auth_repo.db.add(user)
+    auth_repo.db.commit()
+
+    result = auth_service.authenticate_user("inactive_user", "testpass")
+    assert result is None
+
+
+def test_verify_password_empty_hash():
+    """@PRE: verify_password with empty/None hash returns False."""
+    assert verify_password("anypassword", "") is False
+    assert verify_password("anypassword", None) is False
+
+
+def test_provision_adfs_user_new(auth_service, auth_repo):
+    """@POST: provision_adfs_user creates a new ADFS user with correct roles."""
+    # Set up a role and AD group mapping
+    role = Role(name="ADFS_Viewer", description="ADFS viewer role")
+    auth_repo.db.add(role)
+    auth_repo.db.commit()
+
+    mapping = ADGroupMapping(ad_group="DOMAIN\\Viewers", role_id=role.id)
+    auth_repo.db.add(mapping)
+    auth_repo.db.commit()
+
+    user_info = {
+        "upn": "newadfsuser@domain.com",
+        "email": "newadfsuser@domain.com",
+        "groups": ["DOMAIN\\Viewers"]
+    }
+
+    user = auth_service.provision_adfs_user(user_info)
+    assert user is not None
+    assert user.username == "newadfsuser@domain.com"
+    assert user.auth_source == "ADFS"
+    assert user.is_active is True
+    assert len(user.roles) == 1
+    assert user.roles[0].name == "ADFS_Viewer"
+
+
+def test_provision_adfs_user_existing(auth_service, auth_repo):
+    """@POST: provision_adfs_user updates roles for existing user."""
+    # Create existing user
+    existing = User(
+        username="existingadfs@domain.com",
+        email="existingadfs@domain.com",
+        auth_source="ADFS",
+        is_active=True
+    )
+    auth_repo.db.add(existing)
+    auth_repo.db.commit()
+
+    user_info = {
+        "upn": "existingadfs@domain.com",
+        "email": "existingadfs@domain.com",
+        "groups": []
+    }
+
+    user = auth_service.provision_adfs_user(user_info)
+    assert user is not None
+    assert user.username == "existingadfs@domain.com"
+    assert len(user.roles) == 0  # No matching group mappings
+
+
 # [/DEF:test_auth:Module]