Phantom Tollbooth

detected 2026-03-02

trigger

"expect([400, 401, 402, 403, 404]).toContain(response.status) — a security test that accepts 5 error codes."

what it is

An error-path test with an assertion so loose it cannot distinguish between the intended error and several unrelated failure modes. If the ownership check were removed entirely, the test would still pass.

what it signals

instead

Pin to the exact expected code and error message. `expect(response.status).toBe(403)`.
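Added example (not code from the catalogue or from the referenced test file): a minimal request pipeline in which authentication, validation and lookup each short-circuit before the ownership check runs. It exercises the loose assertion from the trigger and the pinned replacement against a handler with and without its ownership check, on a broken fixture (expired token, a constructed value) and a correct one. The tokens, owners and regex are assumptions made up for the example.

```typescript
// Request pipeline stages, in order: auth (401), validation (400),
// lookup (404), ownership (403), success (200).
interface Request { token?: string; resourceId: string }
interface Response { status: number; error?: string }

// Constructed fixtures: who each token belongs to, and who owns each resource.
const TOKENS: Record<string, string | undefined> = { "tok-alice": "alice", "tok-mallory": "mallory" };
const OWNERS: Record<string, string | undefined> = { "doc-1": "alice" };

// enforceOwnership=false models the regression the security test exists to catch.
export function handle(req: Request, enforceOwnership = true): Response {
  const user = req.token !== undefined ? TOKENS[req.token] : undefined;
  if (user === undefined) return { status: 401, error: "unauthenticated" };
  if (!/^doc-\d+$/.test(req.resourceId)) return { status: 400, error: "bad id" };
  const owner = OWNERS[req.resourceId];
  if (owner === undefined) return { status: 404, error: "not found" };
  if (enforceOwnership && owner !== user) return { status: 403, error: "forbidden" };
  return { status: 200 };
}

// The assertion from the trigger: any of five error codes satisfies it.
export function looseAssertion(res: Response): boolean {
  return [400, 401, 402, 403, 404].includes(res.status);
}

// The replacement: exact status and exact error message.
export function pinnedAssertion(res: Response): boolean {
  return res.status === 403 && res.error === "forbidden";
}

// Runs one test request through both handler variants and both assertions,
// returning whether each assertion would let the test pass.
export function evaluate(req: Request) {
  const withCheck = handle(req, true);
  const withoutCheck = handle(req, false);
  return {
    loose: { withCheck: looseAssertion(withCheck), withoutCheck: looseAssertion(withoutCheck) },
    pinned: { withCheck: pinnedAssertion(withCheck), withoutCheck: pinnedAssertion(withoutCheck) },
  };
}

// Broken fixture: the token is not recognised, so the pipeline stops at 401
// before the ownership check ever runs. The loose assertion passes whether or
// not the check exists; the pinned one fails both times, exposing the fixture.
export const brokenFixture = evaluate({ token: "tok-expired", resourceId: "doc-1" });

// Correct fixture: mallory authenticates and requests alice's document.
// Only here does the outcome depend on the ownership check at all.
export const goodFixture = evaluate({ token: "tok-mallory", resourceId: "doc-1" });
```

The broken fixture is the case the pattern describes: the test is green with the ownership check deleted, because the 401 it actually receives is one of the five codes the assertion accepts. Pinning to 403 plus the message turns that fixture bug into a red test, and the test only goes green once the request really reaches the ownership check.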

refs

  • wake:tests/integration/security/auth-bypass.test.ts
