test: comprehensive E2E and API test suite for full KanzlAI stack

Backend (Go): - Expanded integration_test.go: health, auth middleware (expired/invalid/wrong-secret JWT), tenant CRUD, case CRUD (create/list/get/update/delete + filters + validation), deadline CRUD (create/list/update/complete/delete), appointment CRUD, dashboard (verifies all sections), deadline calculator (valid/invalid/unknown type), proceeding types & rules, document endpoints, AI extraction (no-key path), and full critical path E2E (auth -> case -> deadline -> appointment -> dashboard -> complete) - New handler unit tests: case (10), appointment (11), dashboard (1), calculate (5), document (10), AI (4) — all testing validation, auth guards, and error paths without DB - Total: ~80 backend tests (unit + integration) Frontend (TypeScript/Vitest): - Installed vitest 2.x, @testing-library/react, @testing-library/jest-dom, jsdom 24, msw - vitest.config.ts with jsdom env, esbuild JSX automatic, path aliases - API client tests (13): URL construction, no double /api/, auth header, tenant header, POST/PUT/PATCH/DELETE methods, error handling, 204 responses - DeadlineTrafficLights tests (5): renders cards, correct counts, zero state, onFilter callback - CaseOverviewGrid tests (4): renders categories, counts, header, zero state - LoginPage tests (8): form rendering, mode toggle, password login, redirect, error display, magic link, registration link - Total: 30 frontend tests Makefile: test-frontend target now runs vitest instead of placeholder echo.
2026-03-25 16:19:00 +01:00
parent 19bea8d058
commit 325fbeb5de
16 changed files with 2492 additions and 30 deletions
--- a/backend/internal/handlers/ai_handler_test.go
+++ b/backend/internal/handlers/ai_handler_test.go
@@ -0,0 +1,74 @@
+package handlers
+
+import (
+	"bytes"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+)
+
+func TestAIExtractDeadlines_EmptyInput(t *testing.T) {
+	h := &AIHandler{}
+
+	body := `{"text":""}`
+	r := httptest.NewRequest("POST", "/api/ai/extract-deadlines", bytes.NewBufferString(body))
+	r.Header.Set("Content-Type", "application/json")
+	w := httptest.NewRecorder()
+
+	h.ExtractDeadlines(w, r)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+	var resp map[string]string
+	json.NewDecoder(w.Body).Decode(&resp)
+	if resp["error"] != "provide either a PDF file or text" {
+		t.Errorf("unexpected error: %s", resp["error"])
+	}
+}
+
+func TestAIExtractDeadlines_InvalidJSON(t *testing.T) {
+	h := &AIHandler{}
+
+	r := httptest.NewRequest("POST", "/api/ai/extract-deadlines", bytes.NewBufferString(`{broken`))
+	r.Header.Set("Content-Type", "application/json")
+	w := httptest.NewRecorder()
+
+	h.ExtractDeadlines(w, r)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+}
+
+func TestAISummarizeCase_MissingCaseID(t *testing.T) {
+	h := &AIHandler{}
+
+	body := `{"case_id":""}`
+	r := httptest.NewRequest("POST", "/api/ai/summarize-case", bytes.NewBufferString(body))
+	r.Header.Set("Content-Type", "application/json")
+	w := httptest.NewRecorder()
+
+	h.SummarizeCase(w, r)
+
+	// Without auth context, the resolveTenant will fail first
+	if w.Code != http.StatusUnauthorized {
+		t.Errorf("expected 401, got %d", w.Code)
+	}
+}
+
+func TestAISummarizeCase_InvalidJSON(t *testing.T) {
+	h := &AIHandler{}
+
+	r := httptest.NewRequest("POST", "/api/ai/summarize-case", bytes.NewBufferString(`not-json`))
+	r.Header.Set("Content-Type", "application/json")
+	w := httptest.NewRecorder()
+
+	h.SummarizeCase(w, r)
+
+	// Without auth context, the resolveTenant will fail first
+	if w.Code != http.StatusUnauthorized {
+		t.Errorf("expected 401, got %d", w.Code)
+	}
+}
--- a/backend/internal/handlers/appointment_handler_test.go
+++ b/backend/internal/handlers/appointment_handler_test.go
@@ -0,0 +1,196 @@
+package handlers
+
+import (
+	"bytes"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/google/uuid"
+
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/auth"
+)
+
+func TestAppointmentCreate_NoTenant(t *testing.T) {
+	h := &AppointmentHandler{}
+	r := httptest.NewRequest("POST", "/api/appointments", bytes.NewBufferString(`{}`))
+	w := httptest.NewRecorder()
+
+	h.Create(w, r)
+
+	if w.Code != http.StatusUnauthorized {
+		t.Errorf("expected 401, got %d", w.Code)
+	}
+}
+
+func TestAppointmentCreate_MissingTitle(t *testing.T) {
+	h := &AppointmentHandler{}
+	body := `{"start_at":"2026-04-01T10:00:00Z"}`
+	r := httptest.NewRequest("POST", "/api/appointments", bytes.NewBufferString(body))
+	ctx := auth.ContextWithTenantID(
+		auth.ContextWithUserID(r.Context(), uuid.New()),
+		uuid.New(),
+	)
+	r = r.WithContext(ctx)
+	w := httptest.NewRecorder()
+
+	h.Create(w, r)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+	var resp map[string]string
+	json.NewDecoder(w.Body).Decode(&resp)
+	if resp["error"] != "title is required" {
+		t.Errorf("unexpected error: %s", resp["error"])
+	}
+}
+
+func TestAppointmentCreate_MissingStartAt(t *testing.T) {
+	h := &AppointmentHandler{}
+	body := `{"title":"Test Appointment"}`
+	r := httptest.NewRequest("POST", "/api/appointments", bytes.NewBufferString(body))
+	ctx := auth.ContextWithTenantID(
+		auth.ContextWithUserID(r.Context(), uuid.New()),
+		uuid.New(),
+	)
+	r = r.WithContext(ctx)
+	w := httptest.NewRecorder()
+
+	h.Create(w, r)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+	var resp map[string]string
+	json.NewDecoder(w.Body).Decode(&resp)
+	if resp["error"] != "start_at is required" {
+		t.Errorf("unexpected error: %s", resp["error"])
+	}
+}
+
+func TestAppointmentCreate_InvalidJSON(t *testing.T) {
+	h := &AppointmentHandler{}
+	r := httptest.NewRequest("POST", "/api/appointments", bytes.NewBufferString(`{broken`))
+	ctx := auth.ContextWithTenantID(
+		auth.ContextWithUserID(r.Context(), uuid.New()),
+		uuid.New(),
+	)
+	r = r.WithContext(ctx)
+	w := httptest.NewRecorder()
+
+	h.Create(w, r)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+}
+
+func TestAppointmentList_NoTenant(t *testing.T) {
+	h := &AppointmentHandler{}
+	r := httptest.NewRequest("GET", "/api/appointments", nil)
+	w := httptest.NewRecorder()
+
+	h.List(w, r)
+
+	if w.Code != http.StatusUnauthorized {
+		t.Errorf("expected 401, got %d", w.Code)
+	}
+}
+
+func TestAppointmentUpdate_NoTenant(t *testing.T) {
+	h := &AppointmentHandler{}
+	r := httptest.NewRequest("PUT", "/api/appointments/"+uuid.New().String(), bytes.NewBufferString(`{}`))
+	r.SetPathValue("id", uuid.New().String())
+	w := httptest.NewRecorder()
+
+	h.Update(w, r)
+
+	if w.Code != http.StatusUnauthorized {
+		t.Errorf("expected 401, got %d", w.Code)
+	}
+}
+
+func TestAppointmentUpdate_InvalidID(t *testing.T) {
+	h := &AppointmentHandler{}
+	r := httptest.NewRequest("PUT", "/api/appointments/not-uuid", bytes.NewBufferString(`{}`))
+	r.SetPathValue("id", "not-uuid")
+	ctx := auth.ContextWithTenantID(
+		auth.ContextWithUserID(r.Context(), uuid.New()),
+		uuid.New(),
+	)
+	r = r.WithContext(ctx)
+	w := httptest.NewRecorder()
+
+	h.Update(w, r)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+}
+
+func TestAppointmentDelete_NoTenant(t *testing.T) {
+	h := &AppointmentHandler{}
+	r := httptest.NewRequest("DELETE", "/api/appointments/"+uuid.New().String(), nil)
+	r.SetPathValue("id", uuid.New().String())
+	w := httptest.NewRecorder()
+
+	h.Delete(w, r)
+
+	if w.Code != http.StatusUnauthorized {
+		t.Errorf("expected 401, got %d", w.Code)
+	}
+}
+
+func TestAppointmentDelete_InvalidID(t *testing.T) {
+	h := &AppointmentHandler{}
+	r := httptest.NewRequest("DELETE", "/api/appointments/bad", nil)
+	r.SetPathValue("id", "bad")
+	ctx := auth.ContextWithTenantID(
+		auth.ContextWithUserID(r.Context(), uuid.New()),
+		uuid.New(),
+	)
+	r = r.WithContext(ctx)
+	w := httptest.NewRecorder()
+
+	h.Delete(w, r)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+}
+
+func TestAppointmentList_InvalidCaseID(t *testing.T) {
+	h := &AppointmentHandler{}
+	r := httptest.NewRequest("GET", "/api/appointments?case_id=bad", nil)
+	ctx := auth.ContextWithTenantID(
+		auth.ContextWithUserID(r.Context(), uuid.New()),
+		uuid.New(),
+	)
+	r = r.WithContext(ctx)
+	w := httptest.NewRecorder()
+
+	h.List(w, r)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+}
+
+func TestAppointmentList_InvalidStartFrom(t *testing.T) {
+	h := &AppointmentHandler{}
+	r := httptest.NewRequest("GET", "/api/appointments?start_from=not-a-date", nil)
+	ctx := auth.ContextWithTenantID(
+		auth.ContextWithUserID(r.Context(), uuid.New()),
+		uuid.New(),
+	)
+	r = r.WithContext(ctx)
+	w := httptest.NewRecorder()
+
+	h.List(w, r)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+}
--- a/backend/internal/handlers/calculate_handler_test.go
+++ b/backend/internal/handlers/calculate_handler_test.go
@@ -0,0 +1,83 @@
+package handlers
+
+import (
+	"bytes"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+)
+
+func TestCalculate_MissingFields(t *testing.T) {
+	h := &CalculateHandlers{}
+
+	tests := []struct {
+		name string
+		body string
+		want string
+	}{
+		{
+			name: "empty body",
+			body: `{}`,
+			want: "proceeding_type and trigger_event_date are required",
+		},
+		{
+			name: "missing trigger_event_date",
+			body: `{"proceeding_type":"INF"}`,
+			want: "proceeding_type and trigger_event_date are required",
+		},
+		{
+			name: "missing proceeding_type",
+			body: `{"trigger_event_date":"2026-06-01"}`,
+			want: "proceeding_type and trigger_event_date are required",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			r := httptest.NewRequest("POST", "/api/deadlines/calculate", bytes.NewBufferString(tt.body))
+			w := httptest.NewRecorder()
+
+			h.Calculate(w, r)
+
+			if w.Code != http.StatusBadRequest {
+				t.Errorf("expected 400, got %d", w.Code)
+			}
+			var resp map[string]string
+			json.NewDecoder(w.Body).Decode(&resp)
+			if resp["error"] != tt.want {
+				t.Errorf("expected error %q, got %q", tt.want, resp["error"])
+			}
+		})
+	}
+}
+
+func TestCalculate_InvalidDateFormat(t *testing.T) {
+	h := &CalculateHandlers{}
+	body := `{"proceeding_type":"INF","trigger_event_date":"01-06-2026"}`
+	r := httptest.NewRequest("POST", "/api/deadlines/calculate", bytes.NewBufferString(body))
+	w := httptest.NewRecorder()
+
+	h.Calculate(w, r)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+	var resp map[string]string
+	json.NewDecoder(w.Body).Decode(&resp)
+	if resp["error"] != "invalid trigger_event_date format, expected YYYY-MM-DD" {
+		t.Errorf("unexpected error: %s", resp["error"])
+	}
+}
+
+func TestCalculate_InvalidJSON(t *testing.T) {
+	h := &CalculateHandlers{}
+	r := httptest.NewRequest("POST", "/api/deadlines/calculate", bytes.NewBufferString(`not-json`))
+	w := httptest.NewRecorder()
+
+	h.Calculate(w, r)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+}
--- a/backend/internal/handlers/case_handler_test.go
+++ b/backend/internal/handlers/case_handler_test.go
@@ -0,0 +1,177 @@
+package handlers
+
+import (
+	"bytes"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/google/uuid"
+
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/auth"
+)
+
+func TestCaseCreate_NoAuth(t *testing.T) {
+	h := &CaseHandler{}
+	r := httptest.NewRequest("POST", "/api/cases", bytes.NewBufferString(`{}`))
+	w := httptest.NewRecorder()
+
+	h.Create(w, r)
+
+	if w.Code != http.StatusForbidden {
+		t.Errorf("expected 403, got %d", w.Code)
+	}
+}
+
+func TestCaseCreate_MissingFields(t *testing.T) {
+	h := &CaseHandler{}
+	body := `{"case_number":"","title":""}`
+	r := httptest.NewRequest("POST", "/api/cases", bytes.NewBufferString(body))
+	ctx := auth.ContextWithTenantID(
+		auth.ContextWithUserID(r.Context(), uuid.New()),
+		uuid.New(),
+	)
+	r = r.WithContext(ctx)
+	w := httptest.NewRecorder()
+
+	h.Create(w, r)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+	var resp map[string]string
+	json.NewDecoder(w.Body).Decode(&resp)
+	if resp["error"] != "case_number and title are required" {
+		t.Errorf("unexpected error: %s", resp["error"])
+	}
+}
+
+func TestCaseCreate_InvalidJSON(t *testing.T) {
+	h := &CaseHandler{}
+	r := httptest.NewRequest("POST", "/api/cases", bytes.NewBufferString(`not-json`))
+	ctx := auth.ContextWithTenantID(
+		auth.ContextWithUserID(r.Context(), uuid.New()),
+		uuid.New(),
+	)
+	r = r.WithContext(ctx)
+	w := httptest.NewRecorder()
+
+	h.Create(w, r)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+}
+
+func TestCaseGet_InvalidID(t *testing.T) {
+	h := &CaseHandler{}
+	r := httptest.NewRequest("GET", "/api/cases/not-a-uuid", nil)
+	r.SetPathValue("id", "not-a-uuid")
+	ctx := auth.ContextWithTenantID(
+		auth.ContextWithUserID(r.Context(), uuid.New()),
+		uuid.New(),
+	)
+	r = r.WithContext(ctx)
+	w := httptest.NewRecorder()
+
+	h.Get(w, r)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+}
+
+func TestCaseGet_NoTenant(t *testing.T) {
+	h := &CaseHandler{}
+	r := httptest.NewRequest("GET", "/api/cases/"+uuid.New().String(), nil)
+	r.SetPathValue("id", uuid.New().String())
+	w := httptest.NewRecorder()
+
+	h.Get(w, r)
+
+	if w.Code != http.StatusForbidden {
+		t.Errorf("expected 403, got %d", w.Code)
+	}
+}
+
+func TestCaseList_NoTenant(t *testing.T) {
+	h := &CaseHandler{}
+	r := httptest.NewRequest("GET", "/api/cases", nil)
+	w := httptest.NewRecorder()
+
+	h.List(w, r)
+
+	if w.Code != http.StatusForbidden {
+		t.Errorf("expected 403, got %d", w.Code)
+	}
+}
+
+func TestCaseUpdate_InvalidID(t *testing.T) {
+	h := &CaseHandler{}
+	body := `{"title":"Updated"}`
+	r := httptest.NewRequest("PUT", "/api/cases/bad-id", bytes.NewBufferString(body))
+	r.SetPathValue("id", "bad-id")
+	ctx := auth.ContextWithTenantID(
+		auth.ContextWithUserID(r.Context(), uuid.New()),
+		uuid.New(),
+	)
+	r = r.WithContext(ctx)
+	w := httptest.NewRecorder()
+
+	h.Update(w, r)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+}
+
+func TestCaseUpdate_InvalidJSON(t *testing.T) {
+	h := &CaseHandler{}
+	caseID := uuid.New().String()
+	r := httptest.NewRequest("PUT", "/api/cases/"+caseID, bytes.NewBufferString(`{bad`))
+	r.SetPathValue("id", caseID)
+	ctx := auth.ContextWithTenantID(
+		auth.ContextWithUserID(r.Context(), uuid.New()),
+		uuid.New(),
+	)
+	r = r.WithContext(ctx)
+	w := httptest.NewRecorder()
+
+	h.Update(w, r)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+}
+
+func TestCaseDelete_NoTenant(t *testing.T) {
+	h := &CaseHandler{}
+	r := httptest.NewRequest("DELETE", "/api/cases/"+uuid.New().String(), nil)
+	r.SetPathValue("id", uuid.New().String())
+	w := httptest.NewRecorder()
+
+	h.Delete(w, r)
+
+	if w.Code != http.StatusForbidden {
+		t.Errorf("expected 403, got %d", w.Code)
+	}
+}
+
+func TestCaseDelete_InvalidID(t *testing.T) {
+	h := &CaseHandler{}
+	r := httptest.NewRequest("DELETE", "/api/cases/bad-id", nil)
+	r.SetPathValue("id", "bad-id")
+	ctx := auth.ContextWithTenantID(
+		auth.ContextWithUserID(r.Context(), uuid.New()),
+		uuid.New(),
+	)
+	r = r.WithContext(ctx)
+	w := httptest.NewRecorder()
+
+	h.Delete(w, r)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+}
--- a/backend/internal/handlers/dashboard_handler_test.go
+++ b/backend/internal/handlers/dashboard_handler_test.go
@@ -0,0 +1,19 @@
+package handlers
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+)
+
+func TestDashboardGet_NoTenant(t *testing.T) {
+	h := &DashboardHandler{}
+	r := httptest.NewRequest("GET", "/api/dashboard", nil)
+	w := httptest.NewRecorder()
+
+	h.Get(w, r)
+
+	if w.Code != http.StatusForbidden {
+		t.Errorf("expected 403, got %d", w.Code)
+	}
+}
--- a/backend/internal/handlers/document_handler_test.go
+++ b/backend/internal/handlers/document_handler_test.go
@@ -0,0 +1,166 @@
+package handlers
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/google/uuid"
+
+	"mgit.msbls.de/m/KanzlAI-mGMT/internal/auth"
+)
+
+func TestDocumentListByCase_NoTenant(t *testing.T) {
+	h := &DocumentHandler{}
+	r := httptest.NewRequest("GET", "/api/cases/"+uuid.New().String()+"/documents", nil)
+	r.SetPathValue("id", uuid.New().String())
+	w := httptest.NewRecorder()
+
+	h.ListByCase(w, r)
+
+	if w.Code != http.StatusForbidden {
+		t.Errorf("expected 403, got %d", w.Code)
+	}
+}
+
+func TestDocumentListByCase_InvalidCaseID(t *testing.T) {
+	h := &DocumentHandler{}
+	r := httptest.NewRequest("GET", "/api/cases/bad-id/documents", nil)
+	r.SetPathValue("id", "bad-id")
+	ctx := auth.ContextWithTenantID(
+		auth.ContextWithUserID(r.Context(), uuid.New()),
+		uuid.New(),
+	)
+	r = r.WithContext(ctx)
+	w := httptest.NewRecorder()
+
+	h.ListByCase(w, r)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+}
+
+func TestDocumentUpload_NoTenant(t *testing.T) {
+	h := &DocumentHandler{}
+	r := httptest.NewRequest("POST", "/api/cases/"+uuid.New().String()+"/documents", nil)
+	r.SetPathValue("id", uuid.New().String())
+	w := httptest.NewRecorder()
+
+	h.Upload(w, r)
+
+	if w.Code != http.StatusForbidden {
+		t.Errorf("expected 403, got %d", w.Code)
+	}
+}
+
+func TestDocumentUpload_InvalidCaseID(t *testing.T) {
+	h := &DocumentHandler{}
+	r := httptest.NewRequest("POST", "/api/cases/bad-id/documents", nil)
+	r.SetPathValue("id", "bad-id")
+	ctx := auth.ContextWithTenantID(
+		auth.ContextWithUserID(r.Context(), uuid.New()),
+		uuid.New(),
+	)
+	r = r.WithContext(ctx)
+	w := httptest.NewRecorder()
+
+	h.Upload(w, r)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+}
+
+func TestDocumentDownload_NoTenant(t *testing.T) {
+	h := &DocumentHandler{}
+	r := httptest.NewRequest("GET", "/api/documents/"+uuid.New().String(), nil)
+	r.SetPathValue("docId", uuid.New().String())
+	w := httptest.NewRecorder()
+
+	h.Download(w, r)
+
+	if w.Code != http.StatusForbidden {
+		t.Errorf("expected 403, got %d", w.Code)
+	}
+}
+
+func TestDocumentDownload_InvalidID(t *testing.T) {
+	h := &DocumentHandler{}
+	r := httptest.NewRequest("GET", "/api/documents/bad-id", nil)
+	r.SetPathValue("docId", "bad-id")
+	ctx := auth.ContextWithTenantID(
+		auth.ContextWithUserID(r.Context(), uuid.New()),
+		uuid.New(),
+	)
+	r = r.WithContext(ctx)
+	w := httptest.NewRecorder()
+
+	h.Download(w, r)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+}
+
+func TestDocumentGetMeta_NoTenant(t *testing.T) {
+	h := &DocumentHandler{}
+	r := httptest.NewRequest("GET", "/api/documents/"+uuid.New().String()+"/meta", nil)
+	r.SetPathValue("docId", uuid.New().String())
+	w := httptest.NewRecorder()
+
+	h.GetMeta(w, r)
+
+	if w.Code != http.StatusForbidden {
+		t.Errorf("expected 403, got %d", w.Code)
+	}
+}
+
+func TestDocumentGetMeta_InvalidID(t *testing.T) {
+	h := &DocumentHandler{}
+	r := httptest.NewRequest("GET", "/api/documents/bad-id/meta", nil)
+	r.SetPathValue("docId", "bad-id")
+	ctx := auth.ContextWithTenantID(
+		auth.ContextWithUserID(r.Context(), uuid.New()),
+		uuid.New(),
+	)
+	r = r.WithContext(ctx)
+	w := httptest.NewRecorder()
+
+	h.GetMeta(w, r)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+}
+
+func TestDocumentDelete_NoTenant(t *testing.T) {
+	h := &DocumentHandler{}
+	r := httptest.NewRequest("DELETE", "/api/documents/"+uuid.New().String(), nil)
+	r.SetPathValue("docId", uuid.New().String())
+	w := httptest.NewRecorder()
+
+	h.Delete(w, r)
+
+	if w.Code != http.StatusForbidden {
+		t.Errorf("expected 403, got %d", w.Code)
+	}
+}
+
+func TestDocumentDelete_InvalidID(t *testing.T) {
+	h := &DocumentHandler{}
+	r := httptest.NewRequest("DELETE", "/api/documents/bad-id", nil)
+	r.SetPathValue("docId", "bad-id")
+	ctx := auth.ContextWithTenantID(
+		auth.ContextWithUserID(r.Context(), uuid.New()),
+		uuid.New(),
+	)
+	r = r.WithContext(ctx)
+	w := httptest.NewRecorder()
+
+	h.Delete(w, r)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+}