test: use exact hostname matching in mock fetch handlers

[ital0]

Replace loose url.includes(...) / url.startsWith(...) in backend test mock fetch handlers with proper hostname parsing via new URL(url).hostname. Fixes 10 CodeQL js/incomplete-url-substring-sanitization alerts (#21–#30).

Test plan

• bun tsc --noEmit (backend) clean
• bun test --rerun-each 5 on modified files: 170/170 pass
• prettier + eslint clean on modified files

---

Note

Low Risk
Low risk: changes are limited to test-only mock fetch URL matching logic and should not affect production behavior beyond making mocks stricter.

Overview
Updates backend tests to stop using loose url.includes(...)/startsWith(...) checks in mocked fetch handlers.

Mocks now parse URLs with new URL(url).hostname and match exact hostnames (including a shared isPosthogRequest helper for PostHog), tightening request classification and addressing CodeQL incomplete URL substring sanitization alerts.

^{Reviewed by Cursor Bugbot for commit 09589fb. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

Semgrep Security Scan

No security issues found.

[github-actions]

PR Metrics

Metric	Value
Lines changed (prod code)	+0 / -0
JS bundle size (gzipped)	🟢 1.02 MB → 1.01 MB (-4.4 KB, -0.4%)
Test coverage	🟢 70.64% → 70.64% (+0.0%)
Performance (preview)	Preview not ready — Render deploy may have timed out
Accessibility	—
Best Practices	—
SEO	—

Updated Fri, 24 Apr 2026 20:37:31 GMT · run #1200