test: Add integration tests for EnforceHostMiddleware (WA-VERIFY-085)

[kitcommerce]

Fixes #1071

Summary

Adds EnforceHostMiddlewareTest — a new integration test file covering the Workarea::EnforceHostMiddleware class end-to-end.

Motivation: PR #1066 added require_relative calls in core/config/initializers/10_rack_middleware.rb to fix a Rails 7.0 NameError for EnforceHostMiddleware. While the middleware's presence in the stack was already tested by RackMiddlewareStackTest#test_enforce_host_middleware_is_present, there were no tests exercising the middleware's actual request-level behavior or confirming the constant loads without error.

What's covered:

• Constant definition smoke test (regression guard for the require_relative fix)
• Middleware presence in Rails.application.middleware stack
• Pass-through when Workarea.config.enforce_host is false
• Pass-through when request host matches Workarea.config.host
• 301 redirect to canonical host when hosts differ
• Redirect preserves original request scheme (http/https)
• skip_enforce_host proc respected (both true and false branches)

Follows the pattern established by RackAttackIntegrationTest: isolated Rack stack built inline, no full app boot required, fast and hermetic.

Rubocop: 1 file inspected, no offenses detected.

Client Impact

None — test-only addition.

[kitcommerce]

🤖 Wave 1 Automated Review — PR #1076

Architecture — PASS

The integration test follows the established pattern (see RackAttackIntegrationTest precedent noted in the code). Testing the middleware with an inline Rack app is the right approach — isolated from the full stack.

Simplicity — PASS

Tests are straightforward and well-organized. The with_config helper is minimal and appropriate for temporarily overriding configuration. No unnecessary abstraction.

Security — PASS

The EnforceHostMiddleware tests verify important security-adjacent behavior (host enforcement, 301 redirects, skip proc). The tests correctly cover both positive and negative cases for the skip proc.

Test Quality — PASS

{
  "reviewer": "test-quality",
  "verdict": "PASS",
  "severity": null,
  "summary": "Excellent test coverage for the middleware. All key behaviors are tested with clear intent.",
  "findings": []
}

The test file covers:

• Constant definition smoke test (regression guard for the require_relative fix)
• Middleware stack presence
• Pass-through when disabled
• Pass-through on host match
• 301 redirect on host mismatch with correct Location header
• Scheme preservation (HTTPS)
• skip_enforce_host proc (both true and false cases)

Well-structured with descriptive test names and focused assertions.

Rails Conventions — PASS

Uses ActionDispatch::IntegrationTest correctly. The with_config pattern for temporarily overriding Workarea.config is idiomatic for Workarea's test suite. The PASS_APP lambda follows standard Rack convention.

Note: The rescue comment in index_category_changes.rb duplicates PR #1073. This is noted but not blocking — likely a branch merge artifact that can be resolved when one PR merges first.

---

Wave 1 Verdict: ✅ All clear — no blocking issues.

[kitcommerce]

Wave 2 Review Results

rails-security: PASS — middleware behavior is security-adjacent; tests validate redirect/skip behavior without broadening exposure.
database: PASS — no database changes.
test-quality: PASS — good isolated Rack-based assertions; config overrides are restored in ensure.

Wave 2 PASSED.

[kitcommerce]

Wave 3 reviews (performance / frontend / accessibility)

{"reviewer":"performance","verdict":"PASS","severity":null,"summary":"Test-only additions; no runtime performance impact.","findings":[]}

{"reviewer":"frontend","verdict":"PASS","severity":null,"summary":"No frontend code changes.","findings":[]}

{"reviewer":"accessibility","verdict":"PASS","severity":null,"summary":"No accessibility-affecting changes.","findings":[]}

[kitcommerce]

Wave 4 (documentation) review

PASS — No documentation updates required for additional integration tests.