Found in smoke #13
The comprehensive-bench fixture properly enforces auth on 22 of 29 routes via `RequireAuth` HOC. BugHunter's config supports `auth.kind: "none"` and `auth.kind: "bearer"` (token-based for SurfaceMCP API calls), but not browser-login for crawling.
Result: BugHunter walked 29 pages all showing a 4-element unauthenticated skeleton. ~60 UI-dependent kinds were unreachable: nav-state, perf, race, multi-context, axe a11y on authenticated pages, etc. This single issue accounts for the bulk of the smoke #13 recall gap.
What's needed
BugHunter's discovery + crawl phases need to:
- Accept `auth.kind: "cookie"` or `auth.kind: "form"` config that specifies a login URL, form-field selectors (or cookie name), and credentials per role
- Before crawling, perform browser login: navigate to the login URL, fill the form, submit, wait for redirect/success indicator
- Maintain the resulting cookie / session across the crawl
- For multi-role testing (cross-user IDOR, etc.), perform multiple logins in separate browser contexts
The bones likely exist somewhere — `packages/cli/src/phases/auth-flow.ts` and `browser-login.ts` were referenced in earlier audits. The wiring may just need to be threaded into the multi-surface pipeline (V53.1) and the comprehensive-bench config.
Spec
This deserves a small architecture spec because the auth model is shared across:
- BugHunter config schema
- The bound-surface adapter (auth per surface, per V53.2)
- Discovery (login before crawl)
- cross-user runner (multi-role login for IDOR)
- Self-test config (comprehensive-bench needs login wired in its `.bughunter/config.json`)
Priority
HIGHEST — single issue blocking ~60 kinds. Must be fixed before any meaningful recall measurement on a real-shaped fixture or production app like Aspectv3.
Related
Found in smoke #13
The comprehensive-bench fixture properly enforces auth on 22 of 29 routes via `RequireAuth` HOC. BugHunter's config supports `auth.kind: "none"` and `auth.kind: "bearer"` (token-based for SurfaceMCP API calls), but not browser-login for crawling.
Result: BugHunter walked 29 pages all showing a 4-element unauthenticated skeleton. ~60 UI-dependent kinds were unreachable: nav-state, perf, race, multi-context, axe a11y on authenticated pages, etc. This single issue accounts for the bulk of the smoke #13 recall gap.
What's needed
BugHunter's discovery + crawl phases need to:
The bones likely exist somewhere — `packages/cli/src/phases/auth-flow.ts` and `browser-login.ts` were referenced in earlier audits. The wiring may just need to be threaded into the multi-surface pipeline (V53.1) and the comprehensive-bench config.
Spec
This deserves a small architecture spec because the auth model is shared across:
Priority
HIGHEST — single issue blocking ~60 kinds. Must be fixed before any meaningful recall measurement on a real-shaped fixture or production app like Aspectv3.
Related