Test infrastructure slice: Vitest suites, CI workflow, and broad backend coverage

@hoogvliets isolated the test additions from the backend source changes they exercise, making this the easiest slice to evaluate for test quality. It's also the most useful reference if you're standing up a test suite for your own Mike fork from scratch.

infrastructurecompliance

The infrastructure adds Vitest configurations for several distinct suites, each with its own package script: a no-database tier, DOCX round-trips, golden-log/SSE behavior, auth hardening, saga flows, and broader integration. Supertest handles HTTP-level tests; a GitHub Actions workflow runs the DOCX suite in CI.

Coverage spans most of the backend. Auth hardening tests address cache behavior, failure modes, OR filters, empty-email handling, people lookup, and random-UUID imports - plus a cross-tenant access matrix and shared-user scenarios. DOCX tests exercise insertion, deletion, replacement, tables, bullets, headings, Unicode, smart quotes, and nonbreaking spaces. Golden-log tests pin down citation, reasoning, and tool-call event streams. Integration tests reach API keys, audit logs, deleted-auth handling, chat-stream failures, crypto round trips, account deletion and restore, document version concurrency, upload validation, downloads, generated titles, model endpoints, tabular flows, workers, and built-in workflows. Saga tests cover edit resolution, fan-out bounds, reuse-version behavior, and unique version handling.

The author notes that some tests depend on backend changes in the sibling PR (#131) and won't pass against upstream main in isolation - an expected consequence of splitting for reviewability rather than independent landability.

So what Worth a look if you want a reference test architecture for a Mike backend fork, especially the auth hardening matrix and DOCX round-trip coverage. Don't expect the suite to pass cleanly against unmodified upstream - it was written against the hardened backend in #131.

View this fork on GitHub →

Spotted something wrong? Or know the PR text has fresher detail than the writeup above?