Health: 68/100 | Confidence: 90/100
PR #867 introduces a high-severity race condition in the worker-bundle test that can destroy real build artifacts via a non-atomic recursive deletion of ../web/dist. It also degrades the platform-billing e2e test into a service-layer test, bypassing HTTP auth, validation, and middleware coverage that a security audit depends on. Finally, a missing null guard on a harness return value weakens error diagnosability. The CI workflow addition is benign.
File: products/sandbox/api/tests/worker-bundle.test.ts
The test creates a placeholder inside the real web build output directory and then unconditionally runs rmSync(webDistDir, { recursive: true, force: true }) in afterAll. If a concurrent build populates that directory, the test will destroy those artifacts (TOCTOU). Additionally, if writeFileSync throws, createdWebDistPlaceholder stays false and the empty directory leaks.
File: products/sandbox/api/tests/platform-billing-e2e.test.ts
The PR replaces HTTP fetch setup calls with direct harness.* service calls for teams, members, and keys. This collapses the e2e test into a service-layer integration test, skipping authentication, authorization, request validation, DTO mapping, rate limiting, logging, and error-contract coverage. A regression in any of those security-critical layers would go undetected.
File: products/sandbox/api/tests/platform-billing-e2e.test.ts
The diff adds if (!team) throw new Error(...) for harness.teams.create but does not apply the same guard to harness.keys.create. If the harness returns null/undefined, the test will throw an unhelpful TypeError: Cannot read properties of undefined when interpolating createdKey.key.