>>> [!note] Migrated issue <!-- Drupal.org comment --> <!-- Migrated from issue #3591693. --> Reported by: [rajab natshah](https://www.drupal.org/user/1414312) >>> <h3 id="summary-problem-motivation">Problem/Motivation</h3> <p>The Web Security module ships a Drupal recipe that installs and pre-configures seven contrib modules &mdash; Antibot, Flood control, Honeypot, Klaro, reCAPTCHA v3, Security Kit, Security Review &mdash; but has no functional test coverage. A regression in any upstream module (a renamed admin path, a removed form key, a tightened permission) would land silently.</p> <h3 id="summary-proposed-resolution">Proposed resolution</h3> <p>Add a webship-js (Playwright + Cucumber-js) BDD test suite that exercises the module end-to-end against a fresh<br> <code>standard</code> profile install.</p> <p><strong>19 feature files, 42 scenarios, 154 steps</strong> covering:</p> <ul> <li>User login + role provisioning (Webmaster, Content editor, Authenticated user)</li> <li>Every recipe module appears as enabled on <code>/admin/modules</code></li> <li>Admin landing page + recipe defaults for Honeypot, Antibot, Security Kit, Security Review, Flood control, reCAPTCHA v3,<br> Klaro</li> <li>Front-end Antibot <code>noscript</code> block on <code>/user/login</code></li> <li>Front-end Honeypot trap field on <code>/user/password</code></li> <li>Access-control: anonymous + authenticated users get <em>Access denied</em> on every security admin path</li> <li>Flood-control thresholds shipped by the recipe surface in the admin UI</li> <li>Bad-password attempts return the standard rejection message</li> <li>Password reset form is reachable and Honeypot-protected</li> <li>Front-end response, <code>robots.txt</code>, and Security Review report reachable</li> </ul> <p><strong>Step definitions</strong> &mdash; multi-user login + admin user provisioning that satisfies the Antibot mouse-event<br> requirement and the Honeypot <code>time_limit</code> together. Field, button, element, and text assertions delegate to webship-js<br> built-ins. Smart waits use <code>smartSettle</code>, <code>gotoUrl</code>, <code>fillField</code>.</p> <p><strong>Selectors</strong> &mdash; Claro and Gin registries so the suite works on either admin theme.</p> <h3 id="summary-remaining-tasks">Remaining tasks</h3> <ul> <li>&#9989; File an issue</li> <li>&#9989; Addition/Change/Update/Fix</li> <li>&#9989; Merge request, Patch, or Commit</li> <li>&#9989; Testing to ensure no regression</li> <li>&#9989; Automated unit testing coverage</li> <li>&#9989; Automated functional testing coverage</li> <li>&#10134; UX/UI designer responsibilities</li> <li>&#10134; Readability</li> <li>&#10134; Accessibility</li> <li>&#10134; Performance</li> <li>&#10134; Security</li> <li>&#10134; Documentation</li> <li>&#9989; Code review by maintainers</li> <li>&#9989; Full testing and approval</li> <li>&#9989; Credit contributors</li> <li>&#9989; Review with the product owner</li> <li>&#9989; Release notes snippet</li> <li>&#9989; Release <a href="https://www.drupal.org/project/websecurity/releases/11.0.1">websecurity-11.0.1</a></li> </ul> <h3 id="summary-ui-changes">User interface changes</h3> <ul> <li>N/A</li> </ul> <h3 id="summary-api-changes">API changes</h3> <ul> <li>N/A</li> </ul> <h3 id="summary-data-model-changes">Data model changes</h3> <ul> <li>N/A</li> </ul> <h3 id="summary-release-notes">Release notes snippet</h3> <ul> <li>ci: <a href="https://www.drupal.org/i/3591693">#3591693</a> Add automated functional acceptance testing for Web Security with webship-js (Playwright + Cucumber-js)</li> </ul>