Sanity tests: dynamic setup, report context, fixes, security cleanup

- Dynamic stack/token setup; Expected vs Actual + cURL in Mochawesome reports
- ContentstackClient: use instrumented client by default, new client when authtoken passed
- Fix token validation assertions, audit log expected status, MEMBER_EMAIL usage
- Security: replace blt UIDs and testcs@contentstack.com with placeholders
- Update .talismanrc checksums for modified sanity test files

Author: AniketDev7

.talismanrc

@@ -42,7 +42,7 @@ fileignoreconfig:
   - filename: test/sanity-check/mock/global-fields.js
     checksum: fb89a4a5028066689de774ca2f990c25c8a3acc46c0c6b97fee410f491853cc1
   - filename: test/sanity-check/utility/ContentstackClient.js
-    checksum: 24d00c8994e7a9986a83e7caafd80c55138ea9d582dc31c7bb7c650fa712bfc0
+    checksum: 8ad5bf958e40cb65181dec35842e2e292f51cca0f7ca1e87c67cb58cd16f139d
   - filename: test/sanity-check/api/variantGroup-test.js
     checksum: 3fc26eca704bc9ce4650056c81be45f3586d3c947a18dfec58fee4447de56360
   - filename: test/sanity-check/api/workflow-test.js
@@ -52,7 +52,7 @@ fileignoreconfig:
   - filename: test/sanity-check/mock/content-types/index.js
     checksum: ff47f74037e22f791e2d7c6afbaccf7857b26b51dd2e2361b5b4b70d36057b7f
   - filename: test/sanity-check/sanity.js
-    checksum: c64975a9058c2d780ba725a1e40c037440f830a537849d3a6324ad934454b2ab
+    checksum: 94fc68fc78e00b8b268f6e86b5ed55dbfe48fbde45f780629afa1c75c968f438
   - filename: test/sanity-check/api/user-test.js
     checksum: 5f1284561725f99980a800c87d80d2f7b6f56e1efa618adb10bbf87312b0deec
   - filename: test/sanity-check/api/locale-test.js
@@ -78,7 +78,7 @@ fileignoreconfig:
   - filename: test/sanity-check/api/branchAlias-test.js
     checksum: 0b6cacee74d7636e84ce095198f0234d491b79ea20d3978a742a5495692bd61d
   - filename: test/sanity-check/utility/testSetup.js
-    checksum: 23841aa0365dc059e84311887b2a086e7e8b44c457a98b362649aae61a806a5f
+    checksum: caa1fa9867a49bb8a458bab5bbc3cdeaf2f4a44d0f1a21e997db237553ea33ab
   - filename: test/sanity-check/api/branch-test.js
     checksum: 49c8fd18c59d45e4335f766591711849722206bce34860efa8eced7172f44efa
   - filename: test/sanity-check/api/stack-test.js

lib/organization/teams/index.js

@@ -38,7 +38,7 @@ export function Teams (http, data) {
      *          email: 'abc@abc.com'
      *      }
      *    ],
-     *    organizationRole: 'blt09e5dfced326aaea',
+     *    organizationRole: 'blt0000000000000000',
      *    stackRoleMapping: []
      *   }
      * client.organization('organizationUid').teams('teamUid').update(updateData)

test/sanity-check/api/auditlog-test.js

@@ -123,8 +123,9 @@ describe('Audit Log API Tests', () => {
         await stack.auditLog('nonexistent_log_12345').fetch()
         expect.fail('Should have thrown an error')
       } catch (error) {
-        // 422 is also a valid response for invalid UID format
-        expect(error.status).to.be.oneOf([400, 404, 422])
+        // API may return 401 (unauthorized), 404 (not found), 422 (invalid UID), or 400
+        const status = error.status ?? error.response?.status
+        expect(status, 'Expected 400/401/404/422 for non-existent audit log').to.be.oneOf([400, 401, 404, 422])
       }
     })
 

test/sanity-check/api/stack-test.js

@@ -244,11 +244,10 @@ describe('Stack API Tests', () => {
   describe('Stack Share Operations', () => {
 
     it('should share stack with user (requires valid email)', async () => {
-      // Use SHARE_EMAIL or MEMBER_EMAIL from env
-      const shareEmail = process.env.SHARE_EMAIL || process.env.MEMBER_EMAIL
+      const shareEmail = process.env.MEMBER_EMAIL
 
       if (!shareEmail) {
-        console.log('Skipping stack share - no SHARE_EMAIL or MEMBER_EMAIL provided')
+        console.log('Skipping stack share - no MEMBER_EMAIL provided')
         return
       }
 

test/sanity-check/api/user-test.js

@@ -210,7 +210,8 @@ describe('User & Authentication API Tests', () => {
         expect.fail('Should have thrown an error')
       } catch (error) {
         expect(error).to.exist
-        expect(error.status).to.be.oneOf([401, 403])
+        const status = error.status ?? error.response?.status
+        expect(status, 'Expected 401/403 in error.status or error.response.status').to.be.oneOf([401, 403])
       }
     })
 
@@ -225,7 +226,8 @@ describe('User & Authentication API Tests', () => {
         expect.fail('Should have thrown an error')
       } catch (error) {
         expect(error).to.exist
-        expect(error.status).to.be.oneOf([401, 403])
+        const status = error.status ?? error.response?.status
+        expect(status, 'Expected 401/403 in error.status or error.response.status').to.be.oneOf([401, 403])
       }
     })
   })
@@ -320,7 +322,8 @@ describe('User & Authentication API Tests', () => {
         // Some APIs might not error on unauthenticated logout
       } catch (error) {
         expect(error).to.exist
-        expect(error.status).to.be.oneOf([401, 403])
+        const status = error.status ?? error.response?.status
+        expect(status).to.be.oneOf([401, 403])
       }
     })
 

test/sanity-check/sanity.js

@@ -3,32 +3,44 @@
  * 
  * This file orchestrates all API test suites for the CMA JavaScript SDK.
  * 
- * The test suite:
+ * The test suite is FULLY SELF-CONTAINED and dynamically creates:
  * 1. Logs in using EMAIL/PASSWORD to get authtoken
- * 2. Uses existing test stack from API_KEY
- * 3. Runs all API tests against the stack
- * 4. Cleans up all created resources (keeps stack empty for next run)
- * 5. Logs out
+ * 2. Creates a NEW test stack (no pre-existing stack required)
+ * 3. Creates a Management Token for the stack
+ * 4. Creates a Personalize Project linked to the stack
+ * 5. Runs all API tests against the stack
+ * 6. Cleans up all created resources within the stack
+ * 7. Conditionally deletes stack and personalize project (based on env flag)
+ * 8. Logs out
  * 
  * Environment Variables Required:
  * - EMAIL: User email for login
  * - PASSWORD: User password for login
  * - HOST: API host URL (e.g., api.contentstack.io, eu-api.contentstack.com)
- * - API_KEY: Existing test stack API key
- * - ORGANIZATION: Organization UID (for Teams tests)
+ * - ORGANIZATION: Organization UID (for stack creation and personalize)
  * 
  * Optional:
- * - PERSONALIZE_PROJECT_UID: For Variants/Personalize tests
+ * - PERSONALIZE_HOST: Personalize API host (default: personalize-api.contentstack.com)
+ * - DELETE_DYNAMIC_RESOURCES: Toggle for deleting stack/personalize (default: true)
+ *   Set to 'false' to preserve resources for debugging
  * - MEMBER_EMAIL: For team member operations
  * - CLIENT_ID: OAuth client ID
  * - APP_ID: OAuth app ID
  * - REDIRECT_URI: OAuth redirect URI
  * 
+ * NO LONGER REQUIRED (dynamically created):
+ * - API_KEY: Generated when test stack is created
+ * - MANAGEMENT_TOKEN: Generated for the test stack
+ * - PERSONALIZE_PROJECT_UID: Generated when personalize project is created
+ * 
  * Usage:
  *   npm run test:sanity
  *   
  * Or run individual test files:
  *   npm run test -- --grep "Content Type API Tests"
+ * 
+ * To preserve resources for debugging:
+ *   DELETE_DYNAMIC_RESOURCES=false npm run test:sanity
  */
 
 import dotenv from 'dotenv'
@@ -76,8 +88,12 @@ before(async function () {
     console.error('  EMAIL=your-email@example.com')
     console.error('  PASSWORD=your-password')
     console.error('  HOST=api.contentstack.io')
-    console.error('  API_KEY=your-stack-api-key')
     console.error('  ORGANIZATION=your-org-uid')
+    console.error('\nOptional settings:')
+    console.error('  PERSONALIZE_HOST=personalize-api.contentstack.com')
+    console.error('  DELETE_DYNAMIC_RESOURCES=true (set to false to preserve for debugging)')
+    console.error('\nNote: API_KEY, MANAGEMENT_TOKEN, and PERSONALIZE_PROJECT_UID')
+    console.error('are now dynamically created and no longer required in .env')
     throw error
   }
 })
@@ -88,6 +104,9 @@ before(async function () {
 
 // Clear request log and assertion tracker before each test
 beforeEach(function() {
+  // Clear SDK plugin request capture
+  testSetup.clearCapturedRequests()
+  
   try {
     requestLogger.clearRequestLog()
   } catch (e) {
@@ -136,12 +155,14 @@ afterEach(function() {
     }
   }
 
-  // For passed tests, try to get the last request from the request logger
-  let lastRequest = null
-  try {
-    lastRequest = requestLogger.getLastRequest()
-  } catch (e) {
-    // Request logger might not be active
+  // Get the last request from SDK plugin capture or fallback to request logger
+  let lastRequest = testSetup.getLastCapturedRequest()
+  if (!lastRequest) {
+    try {
+      lastRequest = requestLogger.getLastRequest()
+    } catch (e) {
+      // Request logger might not be active
+    }
   }
 
   // Add context to Mochawesome report
@@ -156,14 +177,26 @@ afterEach(function() {
         value: 'PASSED'
       })
 
-      // Add assertion details for passed tests (if any tracked via trackedExpect)
+      // Add assertion details for passed tests (trackedExpect or API result)
       if (trackedAssertions.length > 0) {
         addContext(this, {
           title: '📊 Assertions Verified (Expected vs Actual)',
           value: trackedAssertions.map(a => 
             `✓ ${a.description}\n   Expected: ${a.expected}\n   Actual: ${a.actual}`
           ).join('\n\n')
         })
+      } else if (lastRequest) {
+        // Fallback: show API result for tests that use expect() not trackedExpect
+        addContext(this, {
+          title: '📊 Result (Expected vs Actual)',
+          value: `Expected: Successful API response\nActual: ${lastRequest.status || 'OK'} - ${lastRequest.method} ${lastRequest.url}`
+        })
+      } else {
+        // Final fallback: test passed but no request/assertion captured
+        addContext(this, {
+          title: '📊 Result (Expected vs Actual)',
+          value: 'Expected: Success\nActual: Test passed (no SDK request captured for this test)'
+        })
       }
 
       // For passed tests, add the last request curl if available
@@ -204,7 +237,35 @@ afterEach(function() {
         value: 'FAILED'
       })
 
-      // Add assertion details for failed tests
+      // Add Expected vs Actual for failed tests
+      if (error) {
+        if (error.expected !== undefined || error.actual !== undefined) {
+          // Chai assertion error
+          addContext(this, {
+            title: '❌ Expected vs Actual',
+            value: `Expected: ${JSON.stringify(error.expected)}\nActual: ${JSON.stringify(error.actual)}`
+          })
+        } else if (error.status || error.errorMessage || apiInfo) {
+          // API/SDK error (e.g. 422 from API)
+          const status = error.status ?? apiInfo?.status ?? error.response?.status
+          const msg = error.errorMessage ?? apiInfo?.errorMessage ?? error.message ?? 'Error'
+          const errDetails = error.errors || apiInfo?.errors || {}
+          const detailsStr = Object.keys(errDetails).length ? `\nDetails: ${JSON.stringify(errDetails)}` : ''
+          addContext(this, {
+            title: '❌ Expected vs Actual',
+            value: `Expected: Success\nActual: ${status} - ${msg}${detailsStr}`
+          })
+        } else {
+          // Fallback: any other error (e.g. thrown Error, assertion in test code)
+          const msg = error.message || String(error)
+          addContext(this, {
+            title: '❌ Expected vs Actual',
+            value: `Expected: Success\nActual: ${msg}`
+          })
+        }
+      }
+      
+      // Add assertion details for failed tests (from trackedExpect)
       if (trackedAssertions.length > 0) {
         const passedAssertions = trackedAssertions.filter(a => a.passed)
         const failedAssertion = trackedAssertions.find(a => !a.passed)
@@ -225,37 +286,43 @@ afterEach(function() {
           })
         }
       }
+      
+      // Add cURL from captured request (for ALL failed tests - from SDK plugin)
+      if (lastRequest && lastRequest.curl) {
+        addContext(this, {
+          title: '📋 cURL Command (copy-paste ready)',
+          value: lastRequest.curl
+        })
+        addContext(this, {
+          title: '📡 API Request',
+          value: `${lastRequest.method} ${lastRequest.url} [${lastRequest.status || 'N/A'}]`
+        })
+        if (lastRequest.sdkMethod && !lastRequest.sdkMethod.startsWith('Unknown')) {
+          addContext(this, {
+            title: '📦 SDK Method Tested',
+            value: lastRequest.sdkMethod
+          })
+        }
+      }
     }
 
-    // Add API details if available (for failed tests)
+    // Add API error details if available (for failed tests with API error in response)
     if (apiInfo) {
       const curl = errorToCurl(apiInfo)
 
-      // Try to get SDK method from the last request
-      const failedSdkMethod = lastRequest?.sdkMethod
-      
-      // Store for final report
       testCurls.push({
         test: testTitle,
         state: testState,
-        curl: curl,
-        sdkMethod: failedSdkMethod,
+        curl: curl || (lastRequest?.curl),
+        sdkMethod: lastRequest?.sdkMethod,
         details: {
           status: apiInfo.status,
           message: apiInfo.errorMessage || apiInfo.message,
           errors: apiInfo.errors
         }
       })
 
-      // Add SDK Method being tested (for failed tests)
-      if (failedSdkMethod && !failedSdkMethod.startsWith('Unknown')) {
-        addContext(this, {
-          title: '📦 SDK Method Tested',
-          value: failedSdkMethod
-        })
-      }
-      
-      // Add error/response details
+      // Add error/response details (skip cURL if already added from lastRequest)
       addContext(this, {
         title: '❌ API Error Details',
         value: {
@@ -267,13 +334,14 @@ afterEach(function() {
         }
       })
 
-      // Add cURL command
-      addContext(this, {
-        title: '📋 cURL Command (copy-paste ready)',
-        value: curl
-      })
+      // Add cURL from apiInfo only if we didn't already add from lastRequest
+      if (!lastRequest?.curl && curl) {
+        addContext(this, {
+          title: '📋 cURL Command (copy-paste ready)',
+          value: curl
+        })
+      }
 
-      // Add request URL for quick reference
       if (apiInfo.request && apiInfo.request.url) {
         addContext(this, {
           title: '🔗 Request',

test/sanity-check/utility/ContentstackClient.js

@@ -23,32 +23,33 @@ import { testContext } from './testSetup.js'
 
 /**
  * Create a Contentstack client instance
+ * Uses testSetup's instrumented client (with request capture plugin) when available.
  * 
  * @param {string|null} authtoken - Optional authtoken (uses testSetup context if not provided)
  * @returns {Object} Contentstack client instance
  */
 export function contentstackClient(authtoken = null) {
-  const host = process.env.HOST || 'api.contentstack.io'
-  
-  // If testContext is available and initialized, use its context
-  if (testContext && testContext.authtoken && !authtoken) {
-    return contentstack.client({
-      host: host,
-      authtoken: testContext.authtoken,
-      timeout: 60000
-    })
+  // When explicit authtoken is passed (e.g. for error testing), create new client - don't use shared
+  if (authtoken != null) {
+    const host = process.env.HOST || 'api.contentstack.io'
+    return contentstack.client({ host, authtoken, timeout: 60000 })
+  }
+  // Use testSetup's client when available - it has the request capture plugin for cURL in reports
+  if (testContext && testContext.client) {
+    return testContext.client
   }
 
-  // Standalone mode with provided authtoken
+  // Fallback when testSetup not initialized (e.g. unit tests)
+  const host = process.env.HOST || 'api.contentstack.io'
   const params = {
     host: host,
     timeout: 60000
   }
-  
-  if (authtoken) {
+  if (testContext?.authtoken && !authtoken) {
+    params.authtoken = testContext.authtoken
+  } else if (authtoken) {
     params.authtoken = authtoken
   }
-  
   return contentstack.client(params)
 }