more updates

server/router/static_assets_test.go

@@ -162,3 +162,105 @@ func TestSwaggerJSONDefaultsToHTTPWhenTLSDisabled(t *testing.T) {
 		t.Fatalf("unexpected schemes: got %v want %v", spec.Schemes, []string{"http"})
 	}
 }
+
+func TestSharedStylesExposeThemeTokensAndResponsiveAccessibilityRules(t *testing.T) {
+	app := testRouter(t, testRouterSettings(t, false))
+	req := httptest.NewRequest(http.MethodGet, "/assets/css/web3.css", nil)
+	rr := httptest.NewRecorder()
+	app.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Fatalf("expected status %d, got %d", http.StatusOK, rr.Code)
+	}
+	css := rr.Body.String()
+
+	assertContainsAll(t, css, []string{
+		":root {",
+		"--theme_text_primary:",
+		"--theme_accent_blue:",
+		"--theme_focus_outline:",
+		".web2-shell-wide {",
+		".web2-page-title {",
+		"font-size: clamp(",
+		".web2-table-shell {",
+		"overflow-x: auto;",
+		".web2-input:focus-visible {",
+		"a:focus-visible,",
+		"@media (max-width: 900px)",
+		".web2-actions .web2-button {",
+		"min-width: 520px;",
+		"@media (min-width: 1500px)",
+		"@media (min-width: 780px)",
+		"@media (min-width: 1024px)",
+	})
+}
+
+func TestDashboardAuthGuidanceMatchesRouteProtection(t *testing.T) {
+	app := testRouter(t, testRouterSettings(t, false))
+
+	homeReq := httptest.NewRequest(http.MethodGet, "/", nil)
+	homeRR := httptest.NewRecorder()
+	app.ServeHTTP(homeRR, homeReq)
+	if homeRR.Code != http.StatusOK {
+		t.Fatalf("expected status %d, got %d", http.StatusOK, homeRR.Code)
+	}
+	homeBody := homeRR.Body.String()
+	assertContainsAll(t, homeBody, []string{
+		"POST /api/auth/login",
+		"Authorization: Bearer <token>",
+		"viewer",
+		"admin",
+		"UI pages and <code class=\"web2-code\">/metrics</code> remain public.",
+	})
+
+	for _, path := range []string{"/swagger/", "/metrics", "/vm/trace"} {
+		t.Run("public "+path, func(t *testing.T) {
+			req := httptest.NewRequest(http.MethodGet, path, nil)
+			rr := httptest.NewRecorder()
+			app.ServeHTTP(rr, req)
+			if rr.Code != http.StatusOK {
+				t.Fatalf("expected status %d for %s, got %d", http.StatusOK, path, rr.Code)
+			}
+		})
+	}
+
+	protectedReq := httptest.NewRequest(http.MethodGet, "/api/report/snapshot", nil)
+	protectedRR := httptest.NewRecorder()
+	app.ServeHTTP(protectedRR, protectedReq)
+	if protectedRR.Code != http.StatusUnauthorized {
+		t.Fatalf("expected status %d for protected route, got %d", http.StatusUnauthorized, protectedRR.Code)
+	}
+}
+
+func TestVmTraceFormUsesLabelledInputsAndKeyboardFriendlyControls(t *testing.T) {
+	app := testRouter(t, testRouterSettings(t, false))
+	req := httptest.NewRequest(http.MethodGet, "/vm/trace", nil)
+	rr := httptest.NewRecorder()
+	app.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Fatalf("expected status %d, got %d", http.StatusOK, rr.Code)
+	}
+	body := rr.Body.String()
+
+	assertContainsAll(t, body, []string{
+		`<form method="get" action="/vm/trace" class="web2-form-grid">`,
+		`<label class="web2-label" for="vm_id">VM ID</label>`,
+		`<input class="web2-input" type="text" id="vm_id" name="vm_id"`,
+		`<label class="web2-label" for="vm_uuid">VM UUID</label>`,
+		`<input class="web2-input" type="text" id="vm_uuid" name="vm_uuid"`,
+		`<label class="web2-label" for="name">Name</label>`,
+		`<input class="web2-input" type="text" id="name" name="name"`,
+		`<button class="web3-button active" type="submit">Load VM Trace</button>`,
+		`<a class="web3-button" href="/vm/trace">Clear</a>`,
+	})
+}
+
+func assertContainsAll(t *testing.T, body string, snippets []string) {
+	t.Helper()
+	for _, snippet := range snippets {
+		if !strings.Contains(body, snippet) {
+			t.Fatalf("expected response body to contain %q", snippet)
+		}
+	}
+}