Develop

[Zaiidmo]

No description provided.

[sonarqubecloud]

Quality Gate failed

Failed conditions
3.0% Duplication on New Code (required ≤ 3%)

See analysis details on SonarQube Cloud

In general, the problem is fixed by ensuring that user-provided data cannot control the structure of the MongoDB update document. Instead of passing the DTO directly into findByIdAndUpdate, construct a new update object that only includes explicitly allowed, scalar fields and does not allow MongoDB update operators or arbitrary nested objects.

The best targeted fix here is to sanitize data inside PermissionRepository.updateById before calling findByIdAndUpdate. Since we only see Permission and not its full schema, a conservative and safe approach is to build an update object from whitelisted keys we expect in a permission (for example, name and description) and ignore any other properties. This prevents an attacker from injecting $set, $where, or unwanted fields while preserving the current functionality for valid updates.

Concretely in src/repositories/permission.repository.ts, modify updateById so that it:

1. Accepts the same data: Partial<Permission> argument.
2. Creates a const update: Partial<Permission> = {};.
3. Copies over only allowed properties from data (e.g., if (typeof data.name === 'string') update.name = data.name; and similarly for description or other known safe fields).
4. Passes update rather than data into findByIdAndUpdate.

No changes are required in the controller or service for this fix; they continue to pass DTOs as before, but the repository acts as the safety boundary to the database.

---

In general terms, the fix is to ensure that user-controlled data used in MongoDB queries is treated strictly as a literal value and cannot be interpreted as a query object or operator. This can be done either by validating and constraining the type (e.g. allowing only strings) before building the query, or by explicitly wrapping the value with $eq, which forces MongoDB to treat it as a literal value. For this specific case, we need to guard name before using it in findOne({ name }).

The single best way to fix this without altering existing functionality is to adjust the findByName method in src/repositories/role.repository.ts so that it ensures name is a string and is embedded in the query using the $eq operator. This keeps the behavior of returning the role whose name equals the provided value, while preventing MongoDB from interpreting an attacker-supplied object as part of the query. Concretely, in RoleRepository.findByName, we will replace findOne({ name }) with findOne({ name: { $eq: String(name) } }). This introduces a type coercion to string (so that even if name is passed as a number or other primitive, it is handled consistently) and uses $eq to avoid any ambiguity with query operators.

We do not need additional imports or new helper methods; the change is limited to the body of findByName in src/repositories/role.repository.ts. No other files need modification based on the given snippets.

In general, to fix this type of issue with Mongoose, you should never pass raw user input as the update document. Instead, construct a sanitized update object from a whitelist of allowed fields and ensure that no MongoDB operators or unexpected keys are accepted. This often means mapping dto fields to a new object and ignoring or rejecting any unrecognized properties, or using Mongoose’s runValidators and disabling operator injection where appropriate.

For this specific code, the safest fix without changing existing functionality is to (a) explicitly construct the update data from the known fields (name, permissions) instead of spreading dto, and (b) ensure that findByIdAndUpdate is not treating user input as operators. Since we can only modify shown snippets, the best place is RolesService.update. Replace const data: any = { ...dto }; with code that initializes data as an empty object, conditionally assigns name if present, and transforms permissions into ObjectIds as it already does. Then pass this sanitized data to RoleRepository.updateById. Optionally, enabling runValidators: true and disabling operator usage in this path would be done in RoleRepository.updateById, but we must keep behavior compatible; adding runValidators: true is typically safe and recommended, and does not change logic other than enforcing schema validation.

Concretely:

• In src/services/roles.service.ts, in update, replace the spread from dto with a new Partial<Role> (or any) object populated only with safe fields:
  • If dto.name is defined, set data.name = dto.name.
  • If dto.permissions is defined, map to Types.ObjectId as already done.
• In src/repositories/role.repository.ts, in updateById, you can strengthen the update call by enabling runValidators: true and possibly new: true is already there. We will keep using data as the update document, but since we now only populate whitelisted fields, the injection risk is mitigated.

No new methods or imports are required beyond what is already present in the snippets.

General approach: For NoSQL/Mongoose queries that embed user-controlled values, ensure they are interpreted strictly as literal values, not as query objects. The two main ways are: (1) use explicit comparison operators like $eq, or (2) validate/coerce the values to primitive types before constructing the query. Since we must avoid relying on unseen global validation and keep behavior unchanged, the best localized fix is to wrap tainted values with $eq in the Mongoose query objects.

Concrete fix: In src/repositories/user.repository.ts, update the query-building methods that take user-controlled input (findByEmail, findByEmailWithPassword, findByUsername, findByPhone, and the list method) so they use { field: { $eq: value } } instead of { field: value }. This ensures that, even if an attacker somehow passes an object (e.g., { $ne: null }) in place of a string, Mongoose will treat it as the literal value for equality, not merge it into the query as operators. This is a minimal change: the semantics of a standard equality match remain the same for legitimate string inputs, and no calling code needs to change.

Where/what to change:

• File: src/repositories/user.repository.ts
  • Line 25: change this.userModel.findOne({ email }) to this.userModel.findOne({ email: { $eq: email } }).
  • Line 29: change this.userModel.findOne({ email }).select('+password') similarly.
  • Line 33: change this.userModel.findOne({ username }) to use $eq.
  • Line 37: change this.userModel.findOne({ phoneNumber }) to use $eq.
  • Lines 61–63: when populating query in list, wrap filter.email and filter.username with $eq instead of assigning the raw values.

No new methods or imports are needed; $eq is a standard MongoDB operator expressed as a plain object key, so this is pure TypeScript/JavaScript syntax and works with existing Mongoose types. This single change in the repository eliminates all four CodeQL alerts, since they all flow through these query constructions.

---

In general, to fix NoSQL injection risks when building query objects from user-controlled data, ensure that untrusted values are treated strictly as literals and cannot be interpreted as query operators. In MongoDB/Mongoose, this can be done by using the $eq operator or by validating that the values are primitive types (e.g. typeof value === 'string') before passing them to the query.

For this codebase, the minimal and safest fix without changing existing functionality is to update the repository methods that use user-controlled fields (findByEmail, findByEmailWithPassword, findByUsername, findByPhone, and the list filters) so that they always use $eq for comparisons instead of passing the raw value directly. This keeps the behavior the same (equality match) but prevents any user-supplied object from being interpreted as a more complex query. We only need to modify src/repositories/user.repository.ts; the controllers and services can remain unchanged.

Concretely:

• In findByEmail, change .findOne({ email }) to .findOne({ email: { $eq: email } }).
• In findByEmailWithPassword, change .findOne({ email }) similarly.
• In findByUsername, change .findOne({ username }) to .findOne({ username: { $eq: username } }).
• In findByPhone, change .findOne({ phoneNumber }) to .findOne({ phoneNumber: { $eq: phoneNumber } }).
• In list, when adding email and username filters to query, wrap them with $eq as well: query.email = { $eq: filter.email }, query.username = { $eq: filter.username }.

No new imports or helper methods are needed; $eq is just a standard MongoDB operator expressed as plain object syntax in the query.

To fix the problem, ensure that untrusted data used in MongoDB query objects is treated strictly as a literal value, not as a query object. This can be done either by (a) using the $eq operator so that whatever value is passed will be interpreted as the value to compare against, or (b) validating that the value is a primitive (e.g. string) before constructing the query object.

The best minimal fix here, without changing existing behavior elsewhere, is to update the repository methods that use user-controlled values in query objects (findByEmail, findByEmailWithPassword, and the list filter construction) so that:

• For direct lookups, we use { email: { $eq: email } }, { username: { $eq: username } }, and { phoneNumber: { $eq: phoneNumber } }. This follows the pattern recommended in the background section for preventing NoSQL injection.
• For the list method, we similarly wrap dynamic filters in $eq to avoid ever treating those values as query objects if they were manipulated upstream.

These changes are localized to src/repositories/user.repository.ts, lines around 24–38 and 60–63. No new imports are needed; this is standard Mongoose/MongoDB syntax. Existing functionality (finding users by exact email/username/phone or filtering in list) remains the same, but with stronger guarantees that untrusted data cannot alter the query structure.

In general, to fix NoSQL injection risks with MongoDB/Mongoose, you must ensure that user-controlled values used in query predicates are treated as literal values, not as query objects. This is done either by (1) validating that the value is of a safe primitive type (e.g., string) before using it, or (2) wrapping it with an operator such as $eq so that MongoDB interprets it strictly as a literal.

The single best minimally invasive fix here is to change findByPhone so that it does not pass phoneNumber directly as { phoneNumber }, but instead uses the $eq operator: { phoneNumber: { $eq: phoneNumber } }. This makes the query safe even if a bogus object slips through the DTO validation. Since this logic sits inside the repository and is only called from services, changing it does not alter any external behavior except closing the injection vector. No additional imports or helper methods are required.

Concretely, in src/repositories/user.repository.ts, locate the findByPhone method (lines 36–38) and change the call from this.userModel.findOne({ phoneNumber }); to this.userModel.findOne({ phoneNumber: { $eq: phoneNumber } });. All other code can remain unchanged. This single change addresses both CodeQL alert variants, because they both ultimately flow into this same query.

In general, to fix NoSQL injection when building MongoDB queries from user input, you must ensure that untrusted data is treated strictly as literal values and cannot alter the structure of the query. This is typically done by (1) validating types (e.g., ensuring values are strings, not objects), or (2) explicitly wrapping values in $eq so that even if an object is passed, MongoDB interprets it as a literal, not an operator object.

For this codebase, the least invasive and clearest fix is to treat email and username as literal values in the repository layer. In UserRepository.list, instead of copying filter.email and filter.username directly into the query, we can enforce that only strings are used and wrap them with $eq. This keeps existing functionality (filtering by exact email/username) but ensures the Mongoose query cannot be manipulated via operator injection.

Concretely, in src/repositories/user.repository.ts, in the list method:

• Replace the lines that directly assign filter.email and filter.username to query.email/query.username with versions that:
  • Check typeof filter.email === 'string' and typeof filter.username === 'string' before using them.
  • Assign { $eq: filter.email } and { $eq: filter.username } to the query instead of the raw value.

No changes are required in the controller or service for this fix; they can continue to pass { email?: string; username?: string }. We do not need any new imports or external libraries; this is pure TypeScript/JavaScript logic.

---

[Copilot]

Pull request overview

This PR modernizes the AuthKit codebase by refactoring to a CSR-style structure, expanding the public API exports, and introducing a full quality/tooling setup (tests, linting, CI).

Changes:

• Refactors folders/imports (e.g., models → entities, middleware → guards/decorators, dtos → dto) and updates exports.
• Adds extensive Jest test suite + Jest/ESLint/TS build configs and CI workflows.
• Introduces OAuth provider utilities (HTTP client + error handler + provider classes) and new shared utility modules (e.g., password util, error codes).

Reviewed changes

Copilot reviewed 143 out of 150 changed files in this pull request and generated 17 comments.

Show a summary per file

File	Description
tsconfig.eslint.json	Adds ESLint TS project config for type-aware linting.
tsconfig.build.json	Introduces dedicated build tsconfig for compilation/rootDir.
tools/start-mailhog.ps1	Adds local MailHog startup helper script.
test/utils/test-helpers.ts	Adds shared Nest ExecutionContext mocks for guard tests.
test/test-constants.ts	Centralizes dynamically generated test passwords to avoid S2068.
test/services/permissions.service.spec.ts	Adds unit tests for PermissionsService.
test/services/oauth/utils/oauth-http.client.spec.ts	Adds unit tests for OAuthHttpClient.
test/services/oauth/utils/oauth-error.handler.spec.ts	Adds unit tests for OAuthErrorHandler.
test/services/oauth/providers/microsoft-oauth.provider.spec.ts	Adds unit tests for MicrosoftOAuthProvider.
test/services/oauth/providers/google-oauth.provider.spec.ts	Adds unit tests for GoogleOAuthProvider.
test/services/oauth/providers/facebook-oauth.provider.spec.ts	Adds unit tests for FacebookOAuthProvider.
test/services/logger.service.spec.ts	Adds unit tests for LoggerService behavior.
test/services/admin-role.service.spec.ts	Adds unit tests for AdminRoleService caching/error handling.
test/repositories/role.repository.spec.ts	Adds unit tests for RoleRepository methods/mongoose chaining.
test/repositories/permission.repository.spec.ts	Adds unit tests for PermissionRepository.
test/guards/role.guard.spec.ts	Adds tests for hasRole guard factory.
test/guards/authenticate.guard.spec.ts	Adds tests for JWT auth guard behavior and error cases.
test/guards/admin.guard.spec.ts	Adds tests for admin guard authorization behavior.
test/decorators/admin.decorator.spec.ts	Adds basic tests for Admin decorator factory.
test/controllers/users.controller.spec.ts	Adds controller tests for admin users endpoints.
test/controllers/roles.controller.spec.ts	Adds controller tests for admin roles endpoints.
test/controllers/permissions.controller.spec.ts	Adds controller tests for admin permissions endpoints.
test/controllers/health.controller.spec.ts	Adds controller tests for SMTP health endpoints.
test/config/passport.config.spec.ts	Adds tests for passport strategy registration based on env vars.
test/auth.spec.ts	Adds placeholder top-level spec.
src/utils/password.util.ts	Adds centralized bcrypt hashing/verification helpers.
src/utils/error-codes.ts	Adds standardized error codes + structured error helper utilities.
src/test-utils/test-db.ts	Adds MongoMemoryServer helpers for integration-style tests.
src/test-utils/mock-factories.ts	Adds reusable mock factories for common entities/payloads.
src/standalone.ts	Builds standalone app module with Mongoose + auto-seeding + CORS.
src/services/users.service.ts	Refactors UsersService (formatting, docs, uses hashPassword util).
src/services/seed.service.ts	Formatting cleanup and minor flow tightening.
src/services/roles.service.ts	Refactors RolesService and adds JSDoc/formatting improvements.
src/services/permissions.service.ts	Refactors PermissionsService and adds JSDoc/formatting improvements.
src/services/oauth/utils/oauth-http.client.ts	Adds axios wrapper with timeout + error handling for OAuth calls.
src/services/oauth/utils/oauth-error.handler.ts	Adds centralized OAuth error mapping/validation helper.
src/services/oauth/providers/oauth-provider.interface.ts	Adds provider interface for consistent OAuth provider APIs.
src/services/oauth/providers/microsoft-oauth.provider.ts	Adds Microsoft JWKS-based ID token verification provider.
src/services/oauth/providers/google-oauth.provider.ts	Adds Google tokeninfo + code exchange OAuth provider.
src/services/oauth/providers/facebook-oauth.provider.ts	Adds Facebook token validation + profile OAuth provider.
src/services/oauth/oauth.types.ts	Adds shared OAuth types.
src/services/oauth/index.ts	Adds barrel exports for OAuth module components.
src/services/mail.service.ts	Formatting tweaks and clearer logging around SMTP/email failures.
src/services/interfaces/mail-service.interface.ts	Adds IMailService interface type.
src/services/interfaces/logger-service.interface.ts	Adds ILoggerService interface type.
src/services/interfaces/index.ts	Adds barrel exports for service interfaces.
src/services/interfaces/auth-service.interface.ts	Adds IAuthService + exported public types.
src/services/admin-role.service.ts	Improves logging formatting and error wrapping behavior.
src/repositories/user.repository.ts	Switches to entities, adds repository interface + improves populated query execution.
src/repositories/role.repository.ts	Switches to entities, adds repository interface + improves findByIds execution.
src/repositories/permission.repository.ts	Switches to entities, adds repository interface + adds findByIds.
src/repositories/interfaces/user-repository.interface.ts	Adds typed IRepository extension for users.
src/repositories/interfaces/role-repository.interface.ts	Adds typed IRepository extension for roles.
src/repositories/interfaces/repository.interface.ts	Adds generic CRUD repository contract.
src/repositories/interfaces/permission-repository.interface.ts	Adds typed IRepository extension for permissions.
src/repositories/interfaces/index.ts	Adds barrel exports for repository interfaces.
src/middleware/admin.guard.ts	Removes old admin guard under middleware path.
src/middleware/admin.decorator.ts	Removes old admin decorator under middleware path.
src/index.ts	Expands and reorganizes public exports.
src/guards/role.guard.ts	Formatting cleanup for guard factory imports.
src/guards/authenticate.guard.ts	Formatting + expands rethrow logic to include InternalServerErrorException.
src/guards/admin.guard.ts	Adds new admin guard under dedicated guards folder.
src/entities/user.entity.ts	Formatting update for username prop decorator.
src/dtos/role/update-role.dto.ts	Removes legacy DTO path (migrated).
src/dtos/role/create-role.dto.ts	Removes legacy DTO path (migrated).
src/dtos/permission/update-permission.dto.ts	Removes legacy DTO path (migrated).
src/dtos/permission/create-permission.dto.ts	Removes legacy DTO path (migrated).
src/dtos/auth/verify-email.dto.ts	Removes legacy DTO path (migrated).
src/dtos/auth/update-user-role.dto.ts	Removes legacy DTO path (migrated).
src/dtos/auth/reset-password.dto.ts	Removes legacy DTO path (migrated).
src/dtos/auth/resend-verification.dto.ts	Removes legacy DTO path (migrated).
src/dtos/auth/register.dto.ts	Removes legacy DTO path (migrated).
src/dtos/auth/refresh-token.dto.ts	Removes legacy DTO path (migrated).
src/dtos/auth/login.dto.ts	Removes legacy DTO path (migrated).
src/dtos/auth/forgot-password.dto.ts	Removes legacy DTO path (migrated).
src/dto/role/update-role.dto.ts	Adds Swagger-decorated Role update DTO.
src/dto/role/create-role.dto.ts	Adds Swagger-decorated Role create DTO.
src/dto/permission/update-permission.dto.ts	Adds Swagger-decorated Permission update DTO.
src/dto/permission/create-permission.dto.ts	Adds Swagger-decorated Permission create DTO.
src/dto/auth/verify-email.dto.ts	Adds Swagger-decorated VerifyEmail DTO.
src/dto/auth/update-user-role.dto.ts	Adds Swagger-decorated UpdateUserRoles DTO.
src/dto/auth/reset-password.dto.ts	Adds Swagger-decorated ResetPassword DTO.
src/dto/auth/resend-verification.dto.ts	Adds Swagger-decorated ResendVerification DTO.
src/dto/auth/register.dto.ts	Adds Swagger-decorated Register DTO.
src/dto/auth/refresh-token.dto.ts	Adds Swagger-decorated RefreshToken DTO.
src/dto/auth/login.dto.ts	Adds Swagger-decorated Login DTO.
src/dto/auth/forgot-password.dto.ts	Adds Swagger-decorated ForgotPassword DTO.
src/decorators/admin.decorator.ts	Adds new Admin decorator under dedicated decorators folder.
src/controllers/users.controller.ts	Adds Swagger annotations and updates imports for new folders.
src/controllers/roles.controller.ts	Adds Swagger annotations and updates imports for new folders.
src/controllers/permissions.controller.ts	Adds Swagger annotations and updates imports for new folders.
src/controllers/health.controller.ts	Formatting/logging cleanup around SMTP health checks.
src/config/passport.config.ts	Formats and adjusts OAuth strategy registration logic (incl. Facebook fallback email).
src/auth-kit.module.ts	Updates imports to entities/guards paths and reformats module file.
package.json	Updates version/scripts, adds ESM type, updates deps/devDeps/peers.
jest.config.cjs	Adds Jest + ts-jest configuration and coverage thresholds with path mapping.
eslint.config.js	Adds ESLint v9 flat config with TS type-aware linting.
docs/tasks/active/README.md	Minor markdown formatting tweak.
docs/STATUS.md	Adds project status snapshot document.
docs/NEXT_STEPS.md	Adds next steps/action plan document.
TROUBLESHOOTING.md	Normalizes code snippets to single quotes.
SECURITY.md	Normalizes code snippet string quoting.
DEVELOPMENT.md	Adds dev environment setup guide.
CONTRIBUTING.md	Normalizes code snippets to single quotes.
CHANGELOG.md	Rewrites changelog with new “2.0.0” section and migration notes.
.npmignore	Adds npm packaging ignore rules.
.github/workflows/release-check.yml	Adds full CI release check workflow including coverage and optional Sonar.
.github/workflows/publish.yml	Updates publishing workflow and adds tag validation step.
.github/workflows/pr-validation.yml	Adds PR validation workflow for develop branch.
.github/workflows/ci .yml	Removes old CI workflow file (note: filename contains a space).
.github/instructions/sonarqube_mcp.instructions.md	Adds Sonar MCP usage instructions.
.github/instructions/general.instructions.md	Fixes markdown table formatting and code snippet style.
.github/dependabot.yml	Adds Dependabot config for npm and GitHub Actions.
.github/codeql/codeql-config.yml	Adds CodeQL config with query filters.
.env.template	Adds environment template with guidance comments.
.changeset/config.json	Adds Changesets configuration.
.changeset/authkit-v1.6.0.md	Adds release notes changeset for v1.6.0.

[Copilot]

import.meta.dirname is not a Node.js standard API (Node ESM typically provides import.meta.url, not dirname). This is likely to crash ESLint config loading at runtime. Derive the directory using fileURLToPath(import.meta.url) + path.dirname(...), or avoid needing a dirname by setting tsconfigRootDir: process.cwd() if that matches the repo layout.

[Copilot]

Peer dependency ranges are inconsistent with the devDependencies used to build/test the library. In particular, @nestjs/mongoose peer is ^11 while devDependency is ^10.0.2, and mongoose peer is ^9 while devDependency is ^7.6.4. This can cause confusing consumer installs and CI mismatches. Align peers with the actually supported/tested ranges (e.g., ^10 || ^11 where applicable) and keep devDependencies within those ranges.

[Copilot]

Peer dependency ranges are inconsistent with the devDependencies used to build/test the library. In particular, @nestjs/mongoose peer is ^11 while devDependency is ^10.0.2, and mongoose peer is ^9 while devDependency is ^7.6.4. This can cause confusing consumer installs and CI mismatches. Align peers with the actually supported/tested ranges (e.g., ^10 || ^11 where applicable) and keep devDependencies within those ranges.

[Copilot]

Peer dependency ranges are inconsistent with the devDependencies used to build/test the library. In particular, @nestjs/mongoose peer is ^11 while devDependency is ^10.0.2, and mongoose peer is ^9 while devDependency is ^7.6.4. This can cause confusing consumer installs and CI mismatches. Align peers with the actually supported/tested ranges (e.g., ^10 || ^11 where applicable) and keep devDependencies within those ranges.

[Copilot]

Since UserRepository now implements IUserRepository, list(...) is expected to return a resolved result (a Promise<User[]>). Returning a Mongoose query without .exec() can break typing/behavior expectations and differs from the updated findByIdWithRolesAndPermissions implementation (which uses .exec()). Consider appending .exec() here (and ensuring the method signature matches the interface).

Suggested change

	.lean();
	.lean()
	.exec();

[Copilot]

Fabricating an email (${profile.id}@facebook.test) changes behavior from “fail if no email” to “create a user with a synthetic email”. This can leak into production (accounts with non-routable emails, password reset to an unusable address, collisions with later real-email registrations, etc.). Consider either: (1) requiring the email permission and failing if it’s absent, or (2) storing provider ID separately and keeping email optional for OAuth flows.

[Copilot]

This status snapshot appears outdated/inconsistent with the PR changes (e.g., package.json bumps to 1.6.0, and CHANGELOG now references 2.0.0). Update the stated version/metrics (or reword this doc as a historical snapshot) to avoid misleading consumers about the current release state.

Suggested change

	# 📊 Auth Kit - Current Status
	> **Last Updated**: February 4, 2026
	---
	## 🎯 Overall Status: ✅ PRODUCTION READY
	| Metric | Status | Details |
	| -------------------- | ----------- | ------------------------------------- |
	| **Production Ready** | ✅ YES | Fully tested and documented |
	| **Version** | 1.5.0 | Stable release |
	| **Architecture** | ✅ CSR | Controller-Service-Repository pattern |
	| **Test Coverage** | ✅ 90%+ | 312 tests passing |
	| **Documentation** | ✅ Complete | README, API docs, examples |
	# 📊 Auth Kit - Status Snapshot
	> **Status snapshot as of**: February 4, 2026
	---
	## 🎯 Overall Status: ✅ PRODUCTION READY
	| Metric | Status | Details |
	| -------------------- | ---------------- | ----------------------------------------------------- |
	| **Production Ready** | ✅ YES | Fully tested and documented |
	| **Version** | 1.5.0 | Snapshot (stable release as of Feb 4, 2026) |
	| **Architecture** | ✅ CSR | Controller-Service-Repository pattern |
	| **Test Coverage** | 📊 Snapshot | ~90%+ coverage, 312 tests passing as of Feb 4, 2026 |
	| **Documentation** | ✅ Complete | README, API docs, examples |

[Copilot]

This test doesn’t actually assert on what repository.list() returns: it calls repository.list() but then awaits chain.exec() directly. If repository.list() stops calling .exec() (or returns a different chain), this test may still pass while behavior is broken. Await resultPromise and assert it equals roles.

[Copilot]

This test doesn’t actually assert on what repository.list() returns: it calls repository.list() but then awaits chain.exec() directly. If repository.list() stops calling .exec() (or returns a different chain), this test may still pass while behavior is broken. Await resultPromise and assert it equals roles.

Suggested change

	const result = await chain.exec();
	const result = await resultPromise;

[Copilot]

New shared utility functions are added under src/ and will be counted in Jest coverage (collectCoverageFrom includes src/**/*). There are no corresponding unit tests for hashPassword/verifyPassword, which may reduce coverage below the stated thresholds. Add a small unit spec that verifies hashing produces a verifiable hash and that verification fails for wrong passwords (mocking bcrypt if you want to avoid cost).