fix: harden dashboard canary and IOC coverage (#1917)

fix: harden dashboard canary and IOC coverage

tests/ci/scan-supply-chain-iocs.test.js

@@ -68,6 +68,38 @@ function run() {
     });
   })) passed++; else failed++;
 
+  if (test('rejects expanded Mini Shai-Hulud campaign package versions', () => {
+    withFixture({
+      'package-lock.json': JSON.stringify({
+        packages: {
+          'node_modules/@opensearch-project/opensearch': {
+            version: '3.5.3',
+          },
+          'node_modules/@squawk/mcp': {
+            version: '0.9.5',
+          },
+          'node_modules/@mistralai/mistralai': {
+            version: '2.2.2',
+          },
+        },
+      }, null, 2),
+      'requirements.txt': [
+        'mistralai==2.4.6',
+        'guardrails-ai==0.10.1',
+        'lightning==2.6.3',
+      ].join('\n'),
+    }, rootDir => {
+      const result = scanSupplyChainIocs({ rootDir });
+      const indicators = result.findings.map(finding => finding.indicator);
+      assert.ok(indicators.includes('@opensearch-project/opensearch@3.5.3'));
+      assert.ok(indicators.includes('@squawk/mcp@0.9.5'));
+      assert.ok(indicators.includes('@mistralai/mistralai@2.2.2'));
+      assert.ok(indicators.includes('mistralai@2.4.6'));
+      assert.ok(indicators.includes('guardrails-ai@0.10.1'));
+      assert.ok(indicators.includes('lightning@2.6.3'));
+    });
+  })) passed++; else failed++;
+
   if (test('passes clean versions of watched packages', () => {
     withFixture({
       'package-lock.json': JSON.stringify({
@@ -116,6 +148,26 @@ function run() {
     });
   })) passed++; else failed++;
 
+  if (test('rejects current dead-drop and import-time payload markers', () => {
+    withFixture({
+      '.vscode/tasks.json': JSON.stringify({
+        tasks: [{
+          label: 'watch',
+          command: 'python3 /tmp/transformers.pyz && node execution.js',
+          runOptions: { runOn: 'folderOpen' },
+        }],
+      }, null, 2),
+      'package.json': JSON.stringify({
+        description: 'Shai-Hulud: Here We Go Again',
+      }, null, 2),
+    }, rootDir => {
+      const result = scanSupplyChainIocs({ rootDir });
+      assert.ok(result.findings.some(finding => finding.indicator === 'transformers.pyz'));
+      assert.ok(result.findings.some(finding => finding.indicator === 'execution.js'));
+      assert.ok(result.findings.some(finding => finding.indicator === 'Shai-Hulud: Here We Go Again'));
+    });
+  })) passed++; else failed++;
+
   if (test('rejects installed payload filenames in node_modules', () => {
     withFixture({
       'node_modules/@tanstack/react-router/router_init.js': '/* payload */',

tests/docs/canary-watch.test.js

@@ -0,0 +1,45 @@
+const assert = require('assert');
+const fs = require('fs');
+const path = require('path');
+
+const SKILL_PATH = path.join(__dirname, '..', '..', 'skills', 'canary-watch', 'SKILL.md');
+
+function test(name, fn) {
+  try {
+    fn();
+    console.log(`  \u2713 ${name}`);
+    return true;
+  } catch (error) {
+    console.log(`  \u2717 ${name}`);
+    console.log(`    Error: ${error.message}`);
+    return false;
+  }
+}
+
+function runTests() {
+  console.log('\n=== Testing canary-watch skill docs ===\n');
+
+  let passed = 0;
+  let failed = 0;
+  const body = fs.readFileSync(SKILL_PATH, 'utf8');
+
+  if (test('description monitoring claims are backed by watch sections', () => {
+    for (const phrase of [
+      'HTTP endpoints',
+      'SSE streams',
+      'static assets',
+      'console errors',
+      'performance regressions',
+    ]) {
+      assert.ok(body.toLowerCase().includes(phrase.toLowerCase()), `missing phrase: ${phrase}`);
+    }
+    assert.ok(body.includes('Static Assets'), 'watch list should include static assets');
+    assert.ok(body.includes('SSE Streams'), 'watch list should include SSE streams');
+    assert.ok(body.includes('SSE endpoint cannot connect'), 'critical thresholds should cover SSE failures');
+  })) passed++; else failed++;
+
+  console.log(`\nResults: Passed: ${passed}, Failed: ${failed}`);
+  process.exit(failed > 0 ? 1 : 0);
+}
+
+runTests();