cve-dashboard/.kiro/specs/ivanti-queue-clear-completed-fix/tasks.md

Implementation Plan

• 1. Write bug condition exploration test

  • Property 1: Bug Condition - FK Violation on Clear Completed With Junction Table Links
  • CRITICAL: This test MUST FAIL on unfixed code — failure confirms the bug exists
  • DO NOT attempt to fix the test or the code when it fails
  • NOTE: This test encodes the expected behavior — it will validate the fix when it passes after implementation
  • GOAL: Surface counterexamples that demonstrate the FK violation bug exists
  • Scoped PBT Approach: Scope the property to the concrete failing case — completed queue items that have associated jira_ticket_queue_items rows
  • Bug condition from design: isBugCondition(input) returns true when linkedItems.length > 0 (completed items have junction table references)
  • Test file: backend/__tests__/ivanti-queue-clear-completed-fix.property.test.js
  • Mock pool.query to simulate FK constraint violation when DELETE is issued against ivanti_todo_queue while child rows exist in jira_ticket_queue_items
  • Assert that the current (unfixed) handler returns 500 and deletes zero items
  • Run test on UNFIXED code
  • EXPECTED OUTCOME: Test FAILS (confirms the bug — the handler crashes with FK violation instead of succeeding)
  • Document counterexamples: "DELETE FROM ivanti_todo_queue fails with FK violation when junction rows reference completed items"
  • Mark task complete when test is written, run, and failure is documented
  • Requirements: 1.1

• 2. Write preservation property tests (BEFORE implementing fix)

  • Property 2: Preservation - Clear Completed Without Junction Table Links
  • IMPORTANT: Follow observation-first methodology
  • GOAL: Verify that the unfixed code already handles the non-bug-condition cases correctly, establishing a baseline to preserve
  • Test file: backend/__tests__/ivanti-queue-clear-completed-fix.property.test.js
  • Observe: When no completed items have junction table links, the simple DELETE succeeds and returns correct count
  • Observe: When no completed items exist, the endpoint returns { message: 'Completed items cleared.', deleted: 0 }
  • Observe: Pending/in-progress items are never touched by the DELETE
  • Write property-based tests generating random sets of completed items WITHOUT junction table links and verify:
    • All completed items for the user are deleted
    • Response is { message: 'Completed items cleared.', deleted: N } where N matches count
    • Non-complete items remain untouched
    • Other users' items remain untouched
  • Run tests on UNFIXED code
  • EXPECTED OUTCOME: Tests PASS (confirms baseline behavior to preserve)
  • Mark task complete when tests are written, run, and passing on unfixed code
  • Requirements: 3.1, 3.2, 3.3

• 3. Fix for FK violation on clear completed queue items

  • 3.1 Implement the fix

    • File: backend/routes/ivantiTodoQueue.js
    • Replace the simple pool.query(DELETE...) in the router.delete('/completed', ...) handler with a transaction-based approach:
    • 1. Acquire a dedicated client via pool.connect()
    • 2. Issue BEGIN
    • 3. Select completed item IDs: SELECT id FROM ivanti_todo_queue WHERE user_id = $1 AND status = 'complete'
    • 4. If no IDs found, COMMIT and return { deleted: 0 } early
    • 5. Delete junction table references: DELETE FROM jira_ticket_queue_items WHERE queue_item_id = ANY($1::int[])
    • 6. Delete queue items: DELETE FROM ivanti_todo_queue WHERE id = ANY($1::int[])
    • 7. COMMIT on success
    • 8. ROLLBACK on any error, then return 500
    • 9. Always release client in finally block
    • Bug_Condition: isBugCondition(input) where completedItems have rows in jira_ticket_queue_items
    • Expected_Behavior: All completed items and their junction references deleted atomically, returns success with correct count
    • Preservation: Items without junction links still deleted; empty sets return deleted: 0; pending items untouched
    • Requirements: 2.1, 2.2, 3.1, 3.2, 3.3

  • 3.2 Verify bug condition exploration test now passes

    • Property 1: Expected Behavior - FK Violation on Clear Completed With Junction Table Links
    • IMPORTANT: Re-run the SAME test from task 1 — do NOT write a new test
    • The test from task 1 encodes the expected behavior (successful deletion with junction cleanup)
    • When this test passes, it confirms the expected behavior is satisfied
    • Run: npx jest backend/__tests__/ivanti-queue-clear-completed-fix.property.test.js --run
    • EXPECTED OUTCOME: Test PASSES (confirms bug is fixed — transaction deletes junction rows then queue items)
    • Requirements: 2.1, 2.2

  • 3.3 Verify preservation tests still pass

    • Property 2: Preservation - Clear Completed Without Junction Table Links
    • IMPORTANT: Re-run the SAME tests from task 2 — do NOT write new tests
    • Run preservation property tests from step 2
    • Run: npx jest backend/__tests__/ivanti-queue-clear-completed-fix.property.test.js --run
    • EXPECTED OUTCOME: Tests PASS (confirms no regressions — non-linked items still deleted correctly)
    • Confirm all tests still pass after fix (no regressions)

• 4. Write unit tests for transaction logic

  • Test file: backend/__tests__/ivanti-queue-clear-completed-fix.test.js
  • Mock pool.connect() and verify correct query sequence: BEGIN → SELECT IDs → DELETE junction → DELETE queue → COMMIT
  • Verify ROLLBACK is called when any query in the transaction fails
  • Verify client is always released in the finally block (even on error)
  • Test edge case: empty completed set triggers early COMMIT and returns { deleted: 0 }
  • Test that response shape remains { message: 'Completed items cleared.', deleted: N }
  • Requirements: 2.1, 2.2, 3.1, 3.2

• 5. Checkpoint — Ensure all tests pass

  • Run full test suite: npx jest backend/__tests__/ivanti-queue-clear-completed-fix --run
  • Ensure all property tests and unit tests pass
  • Ask the user if questions arise