enhancement: dialog polish, share link password policy, and review field fixes (#228)

* enhancement: dialog polish, share link password policy, and review field fixes

- Static height for tabbed dialogs (ShareDialog, EditProject)
- CreateProjectWizard template step uses full height, removed
  Selected/Use Default buttons
- Share link passwords now validate against admin password policy
  with PasswordStrengthIndicator on create and edit dialogs
- Generate wizard review hides fields with null/empty values
- Updated hardcoded '4 characters' strings to policy-aware messages
- Updated E2E tests for new password validation messages

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: strip HTML from upgrade notification plain text message

The upgrade notification message field contained raw HTML tags from
the notification definitions. When rendered in the daily digest email
via Handlebars (which escapes HTML by default), the tags appeared as
literal text. Strip HTML for the plain text message field; the rich
HTML is preserved separately in data.htmlContent for in-app display.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* test: add plain text stripping tests for upgrade notification messages

Verify that HTML tags are properly stripped from notification messages
to prevent raw HTML appearing in digest emails. Tests confirm all
notification messages produce clean plain text after stripping.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* style: fix prettier formatting on 4 files

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: multi-pass HTML stripping for CodeQL compliance and lint fixes

Loop stripHtml until no tags remain to handle nested/malformed tags
(CodeQL CWE-20). Fix unused variable and eslint-disable directive.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: therealbrad

testplanit/app/[locale]/admin/projects/CreateProjectWizard.tsx

@@ -1251,7 +1251,7 @@ export function CreateProjectWizard({
 
       case WizardStep.TEMPLATES:
         return (
-          <div className="space-y-4">
+          <div className="space-y-4 flex flex-col h-full">
             <Alert>
               <AlertDescription className="flex items-center gap-1">
                 <AlertCircle className="h-4 w-4" />
@@ -1268,7 +1268,7 @@ export function CreateProjectWizard({
               </Alert>
             )}
 
-            <ScrollArea className="h-[400px] border rounded-lg">
+            <ScrollArea className="flex-1 border rounded-lg">
               <div className="p-4 space-y-4">
                 {templates?.map((template) => {
                   const isSelected = localSelectedTemplates.includes(
@@ -1343,26 +1343,6 @@ export function CreateProjectWizard({
                 })}
               </div>
             </ScrollArea>
-
-            <div className="flex items-center justify-between text-sm text-muted-foreground">
-              <span>
-                {t("admin.projects.wizard.labels.selected")}:{" "}
-                {localSelectedTemplates.length}
-              </span>
-              <Button
-                variant="outline"
-                size="sm"
-                onClick={() => {
-                  const defaultTemplate = templates?.find((t) => t.isDefault);
-                  if (defaultTemplate) {
-                    setLocalSelectedTemplates([defaultTemplate.id]);
-                    setValue("selectedTemplates", [defaultTemplate.id]);
-                  }
-                }}
-              >
-                {t("admin.projects.wizard.actions.selectDefault")}
-              </Button>
-            </div>
           </div>
         );
 

testplanit/app/[locale]/admin/projects/EditProject.tsx

@@ -767,7 +767,7 @@ export function EditProjectModal({
         }
       }}
     >
-      <DialogContent className="sm:max-w-[600px] lg:max-w-[1000px]">
+      <DialogContent className="sm:max-w-[600px] lg:max-w-[1000px] h-[90vh] flex flex-col overflow-hidden">
         <Form {...form}>
           <form onSubmit={handleSubmit(onSubmit)} className="space-y-4 mt-4">
             <DialogHeader>

testplanit/app/[locale]/projects/repository/[projectId]/GenerateTestCasesWizard.tsx

@@ -820,40 +820,57 @@ const GeneratedTestCaseCard = memo(function GeneratedTestCaseCard({
 
   const renderFieldList = (isEdit: boolean) => (
     <div className="mt-3 border-t pt-3 space-y-4">
-      {selectedTemplateFields.map((field: any) => {
-        const displayName = field.caseField.displayName;
-        const fieldId = field.caseField.id.toString();
-        const fieldType = field.caseField.type.type;
-
-        const commonProps = {
-          fieldType,
-          caseId: `generated-${testCase.id}`,
-          template,
-          fieldId: field.caseField.id,
-          session,
-          projectId,
-          previousFieldValue: undefined,
-          fieldValue: testCase.fieldValues[displayName],
-          stepsForDisplay: fieldType === "Steps" ? stepsForDisplay : undefined,
-          explicitFieldNameForSteps:
-            fieldType === "Steps" ? fieldId : undefined,
-        } as const;
-
-        return (
-          <div key={`field-${field.caseField.id}`} className="space-y-2">
-            <div className="font-medium text-sm text-primary border-b border-muted-foreground/50 pb-1">
-              {displayName}
+      {selectedTemplateFields
+        .filter((field: any) => {
+          // In read-only mode, skip fields with no value
+          if (!isEdit) {
+            const val =
+              field.caseField.type.type === "Steps"
+                ? getTestCaseSteps(testCase, selectedTemplateFields)
+                : testCase.fieldValues[field.caseField.displayName];
+            return (
+              val != null &&
+              val !== "" &&
+              !(Array.isArray(val) && val.length === 0)
+            );
+          }
+          return true;
+        })
+        .map((field: any) => {
+          const displayName = field.caseField.displayName;
+          const fieldId = field.caseField.id.toString();
+          const fieldType = field.caseField.type.type;
+
+          const commonProps = {
+            fieldType,
+            caseId: `generated-${testCase.id}`,
+            template,
+            fieldId: field.caseField.id,
+            session,
+            projectId,
+            previousFieldValue: undefined,
+            fieldValue: testCase.fieldValues[displayName],
+            stepsForDisplay:
+              fieldType === "Steps" ? stepsForDisplay : undefined,
+            explicitFieldNameForSteps:
+              fieldType === "Steps" ? fieldId : undefined,
+          } as const;
+
+          return (
+            <div key={`field-${field.caseField.id}`} className="space-y-2">
+              <div className="font-medium text-sm text-primary border-b border-muted-foreground/50 pb-1">
+                {displayName}
+              </div>
+              <FieldValueRenderer
+                {...commonProps}
+                isEditMode={isEdit}
+                isSubmitting={false}
+                control={control}
+                errors={errors}
+              />
             </div>
-            <FieldValueRenderer
-              {...commonProps}
-              isEditMode={isEdit}
-              isSubmitting={false}
-              control={control}
-              errors={errors}
-            />
-          </div>
-        );
-      })}
+          );
+        })}
     </div>
   );
 

testplanit/app/actions/upgrade-notifications.ts

@@ -90,15 +90,27 @@ export async function checkUpgradeNotifications(): Promise<{
         ? pendingNotifications[0].notification.title
         : `What's New in TestPlanIt`;
 
+    // Strip HTML tags for the plain text message field
+    // Loop until no tags remain to handle nested/malformed tags (CodeQL CWE-20)
+    const stripHtml = (html: string) => {
+      let result = html;
+      let prev;
+      do {
+        prev = result;
+        result = result.replace(/<[^>]*>/g, "");
+      } while (result !== prev);
+      return result.replace(/\s+/g, " ").trim();
+    };
+
     let message: string;
     if (pendingNotifications.length === 1) {
-      message = pendingNotifications[0].notification.message;
+      message = stripHtml(pendingNotifications[0].notification.message);
     } else {
       // Combine multiple notifications into a single message
       message = pendingNotifications
         .map(
           ({ version, notification }) =>
-            `**${notification.title}** (v${version})\n${notification.message}`
+            `**${notification.title}** (v${version})\n${stripHtml(notification.message)}`
         )
         .join("\n\n");
     }

testplanit/components/reports/ShareDialog.tsx

@@ -33,8 +33,15 @@ import { Asterisk, Calendar as CalendarIcon, Loader2 } from "lucide-react";
 import { useSession } from "next-auth/react";
 import { useTranslations } from "next-intl";
 import { useMemo, useState } from "react";
-import { useCreateShareLink } from "~/lib/hooks";
+import {
+  useCreateShareLink,
+  useFindFirstRegistrationSettings,
+} from "~/lib/hooks";
 import { cn } from "~/utils";
+import {
+  PasswordStrengthIndicator,
+  type PasswordPolicy,
+} from "@/components/PasswordStrengthIndicator";
 
 interface ShareDialogProps {
   open: boolean;
@@ -55,6 +62,16 @@ export function ShareDialog({
   const tCommon = useTranslations("common");
   const tAuth = useTranslations("auth.signup.errors");
   const { data: session } = useSession();
+  const { data: registrationSettings } = useFindFirstRegistrationSettings();
+  const policy: PasswordPolicy | null = registrationSettings
+    ? {
+        minPasswordLength: registrationSettings.minPasswordLength ?? 8,
+        requireUppercase: registrationSettings.requireUppercase ?? false,
+        requireLowercase: registrationSettings.requireLowercase ?? false,
+        requireNumbers: registrationSettings.requireNumbers ?? false,
+        requiredSpecialChars: registrationSettings.requiredSpecialChars ?? null,
+      }
+    : null;
   const [activeTab, setActiveTab] = useState<"create" | "list">("create");
 
   // Form state
@@ -91,10 +108,24 @@ export function ShareDialog({
         return;
       }
 
-      // Validate password for PASSWORD_PROTECTED mode
-      if (mode === "PASSWORD_PROTECTED" && (!password || password.length < 4)) {
-        setPasswordError(tAuth("passwordRequired"));
-        return;
+      // Validate password for PASSWORD_PROTECTED mode against admin policy
+      if (mode === "PASSWORD_PROTECTED") {
+        if (!password) {
+          setPasswordError(tAuth("passwordRequired"));
+          return;
+        }
+        const minLen = policy?.minPasswordLength ?? 8;
+        const meetsPolicy =
+          password.length >= minLen &&
+          (!policy?.requireUppercase || /[A-Z]/.test(password)) &&
+          (!policy?.requireLowercase || /[a-z]/.test(password)) &&
+          (!policy?.requireNumbers || /\d/.test(password)) &&
+          (!policy?.requiredSpecialChars ||
+            [...policy.requiredSpecialChars].some((c) => password.includes(c)));
+        if (!meetsPolicy) {
+          setPasswordError(tCommon("errors.passwordDoesNotMeetPolicy"));
+          return;
+        }
       }
 
       if (mode === "PASSWORD_PROTECTED" && password !== confirmPassword) {
@@ -194,7 +225,7 @@ export function ShareDialog({
 
   return (
     <Dialog open={open} onOpenChange={onOpenChange}>
-      <DialogContent className="max-w-4xl max-h-[90vh] overflow-y-auto">
+      <DialogContent className="max-w-4xl h-[90vh] flex flex-col overflow-hidden">
         <DialogHeader>
           <DialogTitle>{t("dialogTitle")}</DialogTitle>
           <DialogDescription>{t("dialogDescription")}</DialogDescription>
@@ -203,8 +234,9 @@ export function ShareDialog({
         <Tabs
           value={activeTab}
           onValueChange={(v) => setActiveTab(v as "create" | "list")}
+          className="flex-1 flex flex-col min-h-0"
         >
-          <TabsList className="grid w-full grid-cols-2">
+          <TabsList className="grid w-full grid-cols-2 shrink-0">
             <TabsTrigger data-testid="share-tab-create" value="create">
               {t("tabs.create")}
             </TabsTrigger>
@@ -213,7 +245,10 @@ export function ShareDialog({
             </TabsTrigger>
           </TabsList>
 
-          <TabsContent value="create" className="space-y-4 mt-4">
+          <TabsContent
+            value="create"
+            className="space-y-4 mt-4 flex-1 min-h-0 overflow-y-auto"
+          >
             {error && (
               <Alert variant="destructive">
                 <AlertDescription>{error}</AlertDescription>
@@ -321,6 +356,10 @@ export function ShareDialog({
                     required
                     className={passwordError ? "border-destructive" : ""}
                   />
+                  <PasswordStrengthIndicator
+                    password={password}
+                    policy={policy}
+                  />
                   {passwordError && (
                     <p className="text-sm text-destructive">{passwordError}</p>
                   )}

testplanit/components/share/EditShareLinkDialog.tsx

@@ -26,8 +26,15 @@ import { format } from "date-fns";
 import { Asterisk, Calendar as CalendarIcon, Loader2 } from "lucide-react";
 import { useTranslations } from "next-intl";
 import { useEffect, useState } from "react";
-import { useUpdateShareLink } from "~/lib/hooks";
+import {
+  useUpdateShareLink,
+  useFindFirstRegistrationSettings,
+} from "~/lib/hooks";
 import { cn } from "~/utils";
+import {
+  PasswordStrengthIndicator,
+  type PasswordPolicy,
+} from "@/components/PasswordStrengthIndicator";
 
 interface EditShareLinkDialogProps {
   open: boolean;
@@ -44,6 +51,16 @@ export function EditShareLinkDialog({
 }: EditShareLinkDialogProps) {
   const t = useTranslations("reports.shareDialog");
   const tCommon = useTranslations("common");
+  const { data: registrationSettings } = useFindFirstRegistrationSettings();
+  const policy: PasswordPolicy | null = registrationSettings
+    ? {
+        minPasswordLength: registrationSettings.minPasswordLength ?? 8,
+        requireUppercase: registrationSettings.requireUppercase ?? false,
+        requireLowercase: registrationSettings.requireLowercase ?? false,
+        requireNumbers: registrationSettings.requireNumbers ?? false,
+        requiredSpecialChars: registrationSettings.requiredSpecialChars ?? null,
+      }
+    : null;
 
   // Form state
   const [mode, setMode] = useState<ShareLinkMode>(shareLink.mode);
@@ -94,13 +111,24 @@ export function EditShareLinkDialog({
         mode === "PASSWORD_PROTECTED" &&
         (modeChanged || !shareLink.passwordHash)
       ) {
-        if (!password || password.length < 4) {
-          setPasswordError("Password must be at least 4 characters long.");
+        if (!password) {
+          setPasswordError(tCommon("errors.passwordRequired"));
+          return;
+        }
+        const minLen = policy?.minPasswordLength ?? 8;
+        const meetsPolicy =
+          password.length >= minLen &&
+          (!policy?.requireUppercase || /[A-Z]/.test(password)) &&
+          (!policy?.requireLowercase || /[a-z]/.test(password)) &&
+          (!policy?.requireNumbers || /\d/.test(password)) &&
+          (!policy?.requiredSpecialChars ||
+            [...policy.requiredSpecialChars].some((c) => password.includes(c)));
+        if (!meetsPolicy) {
+          setPasswordError(tCommon("errors.passwordDoesNotMeetPolicy"));
           return;
         }
-
         if (password !== confirmPassword) {
-          setPasswordError("Passwords do not match.");
+          setPasswordError(tCommon("errors.passwordsDoNotMatch"));
           return;
         }
       }
@@ -294,6 +322,10 @@ export function EditShareLinkDialog({
                   required={modeChanged || !shareLink.passwordHash}
                   className={passwordError ? "border-destructive" : ""}
                 />
+                <PasswordStrengthIndicator
+                  password={password}
+                  policy={policy}
+                />
                 {passwordError && (
                   <p className="text-sm text-destructive">{passwordError}</p>
                 )}

testplanit/components/share/ShareDialog.test.tsx

@@ -27,6 +27,15 @@ vi.mock("~/lib/hooks", () => ({
     mutateAsync: mockMutateAsync,
     isPending: false,
   }),
+  useFindFirstRegistrationSettings: () => ({
+    data: {
+      minPasswordLength: 8,
+      requireUppercase: false,
+      requireLowercase: false,
+      requireNumbers: false,
+      requiredSpecialChars: null,
+    },
+  }),
 }));
 
 // Mock server actions

testplanit/e2e/tests/auth/signup.spec.ts

@@ -123,9 +123,9 @@ test.describe("User Signup", () => {
 
     await page.getByRole("button", { name: /sign up/i }).click();
 
-    // Should show password length error - look for the actual message (using first() since both fields show the error)
+    // Should show password policy error
     await expect(
-      page.getByText(/password must be at least \d+ characters/i).first()
+      page.getByText(/password.*does not meet|security requirements/i).first()
     ).toBeVisible({ timeout: 5000 });
   });