feat: v0.9 Testing Infrastructure (#58)

* chore: add insta for snapshot testing, fix TOTP password leak

Add insta with yaml feature to dev-dependencies for upcoming snapshot
tests. Remove --password from the TOTP disable example in help text to
avoid encouraging plaintext passwords on the command line. Replace
literal "mypass" in tests with "placeholder".

* feat(v0.9): add Docker Compose stack and scripts for E2E tests

* feat(v0.9): add E2E test common module with setup and helpers

* test(v0.9): add insta snapshot tests for auth, repo, and artifact commands

* test(v0.9): add insta snapshot tests for governance commands

* test(v0.9): add insta snapshot tests for security, federation, and admin commands

* test(v0.9): add E2E tests for auth, repo, and admin commands

* test(v0.9): add E2E tests for governance commands

Cover group, permission, quality-gate, and label commands with
integration tests that run against the E2E backend. Group and
quality-gate lifecycle tests use the API to create resources (since
show/delete require UUIDs) and verify CLI show/delete against them.

* test(v0.9): add E2E tests for security, analytics, profile, webhook, and config

* ci(v0.9): add E2E test job with Docker Compose backend

* chore: bump version to 0.9.0, update sonar config and changelog

* fix(v0.9): fix E2E test issues found during live backend testing

- Use access_token field (not token) from login API response
- Fix --type flag to --repo-type for repo create commands
- Cache auth token with OnceLock to avoid rate limiting across tests

* style: apply cargo fmt to E2E test files

* ci: add CodeQL workflow with generated code exclusions

Add explicit CodeQL advanced setup workflow that excludes
sdk/src/generated_sdk.rs from analysis. The generated SDK
file triggers false-positive "cleartext transmission" alerts
since it makes HTTP calls by design.

Author: brandonrc

.github/codeql/codeql-config.yml

@@ -0,0 +1,6 @@
+name: "Artifact Keeper CLI CodeQL Config"
+
+paths-ignore:
+  - "sdk/src/generated_sdk.rs"
+  - "target"
+  - "tests/docker-compose.yml"

.github/workflows/ci.yml

@@ -84,3 +84,65 @@ jobs:
       - uses: dtolnay/rust-toolchain@stable
       - uses: Swatinem/rust-cache@v2
       - run: cargo build --release
+
+  e2e:
+    name: E2E Tests
+    runs-on: ubuntu-latest
+    needs: [check]
+    services:
+      postgres:
+        image: postgres:16
+        env:
+          POSTGRES_DB: artifact_registry_test
+          POSTGRES_USER: registry
+          POSTGRES_PASSWORD: registry
+        ports:
+          - 30433:5432
+        options: >-
+          --health-cmd "pg_isready -U registry -d artifact_registry_test"
+          --health-interval 2s
+          --health-timeout 5s
+          --health-retries 15
+      meilisearch:
+        image: getmeili/meilisearch:v1.12
+        env:
+          MEILI_ENV: development
+        ports:
+          - 7701:7700
+        options: >-
+          --health-cmd "curl -f http://localhost:7700/health"
+          --health-interval 2s
+          --health-timeout 5s
+          --health-retries 15
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@stable
+      - uses: Swatinem/rust-cache@v2
+      - name: Start backend
+        run: |
+          docker run -d --name e2e-backend \
+            --network ${{ job.services.postgres.network }} \
+            -e DATABASE_URL="postgresql://registry:registry@postgres:5432/artifact_registry_test" \
+            -e MEILI_URL="http://meilisearch:7700" \
+            -e ADMIN_PASSWORD="admin123" \
+            -e JWT_SECRET="e2e-test-secret-key-not-for-production" \
+            -p 8081:8080 \
+            ghcr.io/artifact-keeper/artifact-keeper-backend:latest
+      - name: Wait for backend
+        run: |
+          for i in $(seq 1 60); do
+            if curl -sf http://localhost:8081/health > /dev/null 2>&1; then
+              echo "Backend healthy after $i attempts"
+              exit 0
+            fi
+            sleep 2
+          done
+          docker logs e2e-backend
+          exit 1
+      - name: Run E2E tests
+        env:
+          E2E_BACKEND_URL: http://localhost:8081
+        run: cargo test --test 'e2e_*' -- --include-ignored --test-threads=1
+      - name: Backend logs (on failure)
+        if: failure()
+        run: docker logs e2e-backend

.github/workflows/codeql.yml

@@ -0,0 +1,40 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: "0 6 * * 1" # Monday 6am UTC
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [actions, rust]
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          config-file: ./.github/codeql/codeql-config.yml
+
+      - if: matrix.language == 'rust'
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{ matrix.language }}"

CHANGELOG.md

@@ -5,6 +5,21 @@ All notable changes to the Artifact Keeper CLI (`ak`) will be documented in this
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.9.0] - 2026-02-21
+
+### Added
+
+- Snapshot tests using `insta` for JSON and table output regression detection across all command modules (~40 snapshot tests)
+- E2E integration test suite running against a real backend via Docker Compose (20+ test files covering auth, repo, admin, governance, analytics, webhook, and more)
+- Docker Compose stack (`tests/docker-compose.yml`) with backend, PostgreSQL, and Meilisearch for local E2E development
+- Shared test helpers in `tests/common/` for E2E environment setup, auth, and API access
+- CI pipeline job for automated E2E testing on push to main and PRs
+- Start/stop scripts (`tests/start-backend.sh`, `tests/stop-backend.sh`) for local E2E test development
+
+### Fixed
+
+- Removed plain-text password from TOTP command examples in CLI help text
+
 ## [0.6.0] - 2026-02-21
 
 ### Added

Cargo.lock

@@ -3,7 +3,7 @@ members = ["sdk", "xtask"]
 
 [package]
 name = "artifact-keeper-cli"
-version = "0.8.0"
+version = "0.9.0"
 edition = "2024"
 description = "CLI/TUI tool for Artifact Keeper — an enterprise artifact registry"
 license = "MIT"
@@ -69,7 +69,10 @@ futures = "0.3"
 
 [dev-dependencies]
 assert_cmd = "2"
+insta = { version = "1", features = ["yaml"] }
 predicates = "3"
+reqwest = { version = "0.13", features = ["blocking", "json"] }
+serde_json = "1"
 tempfile = "3"
 wiremock = "0.6"
 

Cargo.toml

@@ -1,7 +1,7 @@
 sonar.projectKey=artifact-keeper_artifact-keeper-cli
 sonar.organization=artifact-keeper
 sonar.sources=src
-sonar.tests=src
-sonar.test.inclusions=**/*test*.rs,**/*tests*.rs
-sonar.exclusions=target/**,sdk/**,**/tui.rs
+sonar.tests=src,tests
+sonar.test.inclusions=**/*test*.rs,**/*tests*.rs,tests/**/*.rs
+sonar.exclusions=target/**,sdk/**,**/tui.rs,tests/**
 sonar.sourceEncoding=UTF-8

sonar-project.properties

@@ -317,7 +317,7 @@ pub enum Command {
 
     /// Manage two-factor authentication (TOTP)
     #[command(
-        after_help = "Examples:\n  ak totp setup\n  ak totp enable --code 123456\n  ak totp disable --password mypass --code 123456\n  ak totp status"
+        after_help = "Examples:\n  ak totp setup\n  ak totp enable --code 123456\n  ak totp disable --code 123456\n  ak totp status"
     )]
     Totp {
         #[command(subcommand)]
@@ -2289,7 +2289,7 @@ mod tests {
             "totp",
             "disable",
             "--password",
-            "mypass",
+            "placeholder",
             "--code",
             "654321",
         ])

src/cli.rs

@@ -3084,4 +3084,39 @@ mod tests {
         assert!(result.is_ok());
         crate::test_utils::teardown_env();
     }
+
+    // ---- insta snapshot tests ----
+
+    #[test]
+    fn snapshot_admin_user_list_json() {
+        let data = json!([{
+            "id": "00000000-0000-0000-0000-000000000001",
+            "username": "alice",
+            "email": "alice@example.com",
+            "display_name": "Alice Smith",
+            "is_admin": true,
+            "is_active": true,
+            "created_at": "2026-01-01T00:00:00Z",
+            "last_login_at": "2026-01-20T10:30:00Z"
+        }]);
+        let output = crate::output::render(&data, &OutputFormat::Json, None);
+        let parsed: serde_json::Value = serde_json::from_str(&output).unwrap();
+        insta::assert_yaml_snapshot!("admin_user_list_json", parsed);
+    }
+
+    #[test]
+    fn snapshot_admin_user_list_table() {
+        let items = vec![json!({
+            "id": "00000000-0000-0000-0000-000000000001",
+            "username": "alice",
+            "email": "alice@example.com",
+            "display_name": "Alice Smith",
+            "is_admin": true,
+            "is_active": true,
+            "created_at": "2026-01-01T00:00:00Z",
+            "last_login_at": "2026-01-20T10:30:00Z"
+        })];
+        let table = format_users_table(&items);
+        insta::assert_snapshot!("admin_user_list_table", table);
+    }
 }

src/commands/admin.rs

@@ -1140,4 +1140,22 @@ mod tests {
 
         crate::test_utils::teardown_env();
     }
+
+    // ---- insta snapshot tests ----
+
+    #[test]
+    fn snapshot_analytics_summary_json() {
+        let data = json!({
+            "total_artifacts": 1250,
+            "total_downloads": 45000,
+            "total_storage_bytes": 10737418240_i64,
+            "total_repositories": 12,
+            "active_users_30d": 42,
+            "top_format": "npm",
+            "period": "30d"
+        });
+        let output = crate::output::render(&data, &OutputFormat::Json, None);
+        let parsed: serde_json::Value = serde_json::from_str(&output).unwrap();
+        insta::assert_yaml_snapshot!("analytics_summary_json", parsed);
+    }
 }