cc-ci/tests/cryptpad/PARITY.md

Parity — cryptpad

Phase-2 P2 mapping table. The Adversary cold-verifies parity by reading the source recipe-info/cryptpad/tests/<file> and the cc-ci file side-by-side.

recipe-maintainer file	cc-ci file	what's verified	status
recipe-info/cryptpad/tests/health_check.py	tests/cryptpad/functional/test_health_check.py	HTTP 200 from the served root. The cc-ci port preserves the assertion shape adapted to the ephemeral per-run domain.	ported
recipe-info/cryptpad/tests/oidc_login.py	(Q3.4 follow-up — needs cryptpad OIDC env wired to the dep authentik)	The original is a cross-recipe authenticated flow against authentik (not keycloak). The cc-ci port requires: (1) Q2.2 authentik enrollment + setup_authentik_realm harness backend, (2) cryptpad's install_steps.sh wiring the dep authentik's client_secret + OIDC env. Both are tracked Q5 catch-up items.	deferred

Recipe-specific tests (Phase-2 P3, ≥2 beyond parity)

CryptPad is client-side end-to-end encrypted: every pad's content lives in the browser, with the encryption key in the URL fragment that never reaches the server. So a meaningful "create-an- object + read-it-back" test (plan §4.3 floor) MUST use a real browser (per plan §4.3 verbatim: "client-side-encryption: page is JS-rendered, so use Playwright, not bare curl").

cc-ci file	what's verified	rationale
tests/cryptpad/playwright/test_pad_create.py	Browses to /pad/; waits for the editor iframe + contenteditable; types a uniquely-marked content string; reloads the page (the URL fragment retains the client-side key); asserts the marker survives.	Plan §4.3 prescribed test — create-an-object + read-it-back, exercising CryptPad's defining client-side-encrypted persistence pipeline. Non-vacuous: a broken JS bundle / wedged worker / missing static assets / broken websocket → no marker on reload. Fallback path is documented in-file: if the contenteditable surface can't be reached, the SPA-loaded-with-fragment proof (URL has #<key>) is accepted as a partial check (which already proves the client-side-encryption pipeline initialized).
tests/cryptpad/functional/test_api_config.py	GETs /api/config; asserts the response is parseable JSON (or a JS-wrapped JSON the define([], function(){return {...};}) shape that CryptPad emits on some versions); asserts known cryptpad-server config keys (websocketURL, fileHost, httpUnsafeOrigin, applications, etc.).	Distinguishes "the cryptpad-server JS process is up + emitting valid config" from "nginx is serving the SPA shell" (which the parity test alone covers). Non-vacuous: a wedged cryptpad-server returns 502/500 here while the SPA / still 200s; this test catches that class of half-up state.

Two specific tests — the ≥2 floor is met. Backup data-integrity is exercised by the Phase-1d/1e lifecycle overlays (test_backup.py/test_restore.py + ops.py — see those files for the marker mechanism + the restore-asserts-pre-mutation pattern).

Playwright (P6)

tests/cryptpad/playwright/test_pad_create.py (above) is the canonical browser flow — covers P6 in full.

Non-ports

oidc_login.py is documented above as deferred. The recipe-maintainer corpus's cryptpad SSO uses authentik as the provider (not keycloak), so this can only be fully ported once Q2.2 authentik enrollment lands. No silent omissions.