feat: wire convex data foundations

tests/convex-domain.test.ts

@@ -0,0 +1,71 @@
+import assert from "node:assert/strict";
+import test from "node:test";
+
+import {
+  RUN_STATUSES,
+  SCREENSHOT_VIEWPORTS,
+  filterSafeSettingsRows,
+  isSafeSettingsKey,
+  normalizeListLimit,
+} from "../convex/domain";
+
+test("settings metadata rejects secret-like keys", () => {
+  const unsafeKeys = [
+    "OPENROUTER_API_KEY",
+    "smtp.password",
+    "googlePlacesToken",
+    "provider_secret",
+    "convex credential",
+  ];
+
+  for (const key of unsafeKeys) {
+    assert.equal(isSafeSettingsKey(key), false, key);
+  }
+});
+
+test("settings metadata allows public operational keys", () => {
+  const safeKeys = [
+    "defaultCampaignRadiusKm",
+    "audit.retentionDays",
+    "dashboard-visible-columns",
+  ];
+
+  for (const key of safeKeys) {
+    assert.equal(isSafeSettingsKey(key), true, key);
+  }
+});
+
+test("screenshot viewports are desktop and mobile only", () => {
+  assert.deepEqual(SCREENSHOT_VIEWPORTS, ["desktop", "mobile"]);
+});
+
+test("run statuses expose observable job lifecycle states", () => {
+  assert.deepEqual(RUN_STATUSES, [
+    "pending",
+    "running",
+    "succeeded",
+    "failed",
+    "canceled",
+  ]);
+});
+
+test("list limits are clamped to a positive integer range", () => {
+  assert.equal(normalizeListLimit(undefined), 50);
+  assert.equal(normalizeListLimit(-10), 1);
+  assert.equal(normalizeListLimit(0), 1);
+  assert.equal(normalizeListLimit(2.8), 2);
+  assert.equal(normalizeListLimit(250), 100);
+});
+
+test("settings rows are filtered to safe metadata keys", () => {
+  const rows = [
+    { key: "dashboardColumns", value: "lead,stage" },
+    { key: "SMTP_PASSWORD", value: "secret" },
+    { key: "audit.retentionDays", value: 60 },
+  ];
+
+  assert.deepEqual(filterSafeSettingsRows(rows), [
+    { key: "dashboardColumns", value: "lead,stage" },
+    { key: "audit.retentionDays", value: 60 },
+  ]);
+});