{
  "rule_id": "test-layer-boundaries",
  "category": "testing_architecture",
  "text": "Tests must verify behavior at the layer where it is implemented. Do not test middleware concerns (auth, rate limiting, logging) through raw routers - use the full HTTP server stack. Do not test router CRUD logic through the middleware layer. Each architectural layer has its own test file.",
  "scope": {
    "environment": "github-copilot",
    "context_tags": ["testing", "architecture"]
  },
  "examples": [
    {
      "violation": "Testing auth rejection in frames.test.ts by calling createFramesRouter directly (router has no auth)",
      "correct": "Auth tests belong in auth-middleware.test.ts or http-server.test.ts which use full server stack"
    },
    {
      "violation": "Testing frame CRUD logic through http-server.test.ts with mocked auth",
      "correct": "Frame CRUD tests belong in frames.test.ts which tests the router in isolation"
    }
  ],
  "layer_mapping": {
    "auth-middleware.test.ts": ["JWT validation", "API key validation", "user isolation", "auth headers"],
    "http-server.test.ts": ["rate limiting", "security headers", "request size limits", "full auth integration"],
    "frames.test.ts": ["frame creation", "frame validation", "deduplication", "content hashing"],
    "oauth.test.ts": ["OAuth flow", "token refresh", "token revocation", "state management"]
  },
  "alpha": 3,
  "beta": 1,
  "reinforcements": 1,
  "counter_examples": 1,
  "confidence": 0.75,
  "severity": "must",
  "first_seen": "2025-11-25T00:00:00Z",
  "last_correction": "2025-11-25T00:00:00Z"
}