fix: update admin flows and review report

2026-04-10 08:09:48 +08:00
parent f1bbba48c3
commit dbff591039
7 changed files with 610 additions and 9 deletions

@@ -1,5 +1,48 @@
# REAL PROJECT STATUS
## 2026-04-10 Review Update
This section supersedes older status summaries when they conflict with the
fresh 2026-04-10 review evidence in
`docs/code-review/PROJECT_REAL_COMPLETION_REVIEW_2026-04-10.md`.
### Fresh verification snapshot
| Command | Result | Note |
|------|------|------|
| `go test ./... -short -count=1` | `PASS` | backend short-path matrix is green |
| `go vet ./...` | `PASS` | current workspace code is vet-clean |
| `go build ./cmd/server` | `PASS` | backend build is green |
| `go test ./... -count=1` | `FAIL` | blocked by `internal/service.TestScale_LL_001_180DayLoginLogRetention`, observed `P99=2.2259254s > 2s` |
| `cd frontend/admin && npm.cmd run lint` | `PASS` | prior lint blocker is resolved |
| `cd frontend/admin && npm.cmd run build` | `PASS` | frontend build is green |
| `cd frontend/admin && npm.cmd run test:run` | `PASS` | `59` files / `325` tests, but still prints jsdom `window.alert` noise after success |
| `cd frontend/admin && npm.cmd run test:coverage` | `PASS` | coverage green at `88.96 / 78.35 / 86.01 / 89.55`, but same jsdom native-dialog noise remains |
| `go run golang.org/x/vuln/cmd/govulncheck@latest ./...` | `PASS` | `No vulnerabilities found.` |
| `cd frontend/admin && npm.cmd audit --omit=dev --json --registry=https://registry.npmjs.org/` | `PASS` | production vulnerabilities `0` |
| `cd frontend/admin && npm.cmd run e2e:full:win` | `FAIL` | browser E2E wrapper still fails in the backend build/bootstrap stage |
### Current real blockers
- Full backend release-style verification is still red because of the `LL_001` login-log pagination SLA gate.
- Browser-level E2E cannot yet be honestly claimed re-verified in the current review environment.
- The newly implemented role/admin-management path still has hardening gaps:
- `GET /api/v1/users/:id/roles` is now live without permission gating.
- `DeleteAdmin` still allows self-demotion / last-admin removal.
- `AssignRoles` and `CreateAdmin` are still non-transactional.
- `CreateAdmin` still hardcodes admin role ID `1` and skips the stronger validation pattern already used by admin bootstrap.
- Avatar upload remains a visible stub on the backend.
### Current honest external statement
The project now has a mostly green routine verification baseline, but it still
cannot be presented as fully release-closed. The correct statement is:
- backend short-path checks, frontend lint/build/tests, dependency audit, and local vuln scan are green
- one full backend SLA gate is still red
- browser-level E2E is still not freshly closed in this review
- RBAC/admin-management hardening and avatar upload remain open items
## 2026-04-09 二次复核更新(与审查报告对齐)
本节基于 2026-04-09 当轮重新执行的本地命令与代码抽查,和
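Review bot: Under "Current real blockers", `GET /api/v1/users/:id/roles` being "now live without permission gating" is filed as one sub-item of "hardening gaps", and the "Current honest external statement" reduces it to "RBAC/admin-management hardening and avatar upload remain open items". A roles route that is reachable without a permission check is an access-control defect in live code rather than hardening, so I would list it as its own blocker, ahead of the SLA gate, and name it explicitly in the external statement together with the `DeleteAdmin` self-demotion / last-admin removal case. The same applies to the hardcoded admin role ID `1` in `CreateAdmin`: the status text should say which validation from admin bootstrap is being skipped, so the follow-up fix can be checked against it. Separately, the snapshot row for `go run golang.org/x/vuln/cmd/govulncheck@latest ./...` records `PASS` without the resolved tool version or the date of the run's vulnerability data, so the result cannot be reproduced later; consider recording both next to the result. The `npm.cmd audit --omit=dev` row is correctly described as "production vulnerabilities `0`", and it would help to state in the external statement that dev dependencies were not audited.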