test: add overlay debounce tests

- Added 10-minute debounce timer to showOverlay()
- Subsequent escalations log event but don't re-show overlay
- Manual crisis resources bypass debounce via force=true
- User can still open crisis resources anytime via panel buttons

Fixes #100

GENOME.md

@@ -1,75 +0,0 @@
-# GENOME.md — the-door
-
-**Generated:** 2026-04-14
-**Repo:** Timmy_Foundation/the-door
-**Description:** Crisis Front Door — a single URL where a man at 3am can talk to Timmy. No login, no signup. 988 always visible.
-
----
-
-## Project Overview
-
-The-door is a crisis intervention web application — the most sacred surface in the Timmy Foundation. When a man at 3am reaches the end of his road, this is where he lands. No login, no signup, no barriers. 988 Suicide and Crisis Lifeline always visible. The "When a Man Is Dying" protocol active on every page.
-
-## Architecture
-
-```
-the-door/
-├── index.html              # Main crisis page (PWA-capable)
-├── crisis-offline.html     # Offline fallback (service worker cached)
-├── about.html              # About page
-├── testimony.html          # Testimony/stories page
-├── sw.js                   # Service worker (offline-first)
-├── manifest.json           # PWA manifest
-├── crisis/                 # Core crisis detection + response
-│   ├── detect.py           # Keyword/pattern detection (4 tiers)
-│   ├── gateway.py          # API endpoints, prompt injection
-│   ├── response.py         # Response generation, 988 routing
-│   ├── compassion_router.py # Profile-based response routing
-│   ├── profiles.py         # Compassion profiles
-│   └── PROTOCOL.md         # The protocol (SOUL.md reference)
-├── crisis_detector.py      # Legacy shim → crisis/detect.py
-├── crisis_responder.py     # Legacy responder
-├── dying_detection/        # Deprecated module
-├── evolution/              # Crisis synthesizer (creative)
-├── tests/                  # Safety-critical tests
-│   ├── test_crisis_overlay_focus_trap.py
-│   ├── test_dying_detection_deprecation.py
-│   └── test_false_positive_fixes.py
-└── deploy/                 # Deployment docs
-```
-
-## Key Abstractions
-
-| Module | Purpose |
-|---|---|
-| `crisis/detect.py` | 4-tier detection: LOW/MEDIUM/HIGH/CRITICAL via regex patterns |
-| `crisis/gateway.py` | HTTP API, Sovereign Heart prompt injection |
-| `crisis/response.py` | Response generation, 988 integration, escalation |
-| `crisis/compassion_router.py` | Profile-based routing (different crisis types) |
-| `sw.js` | Service worker for offline-first PWA |
-
-## Safety Constraints
-
-- **The-door never auto-closes PRs** (in fleet-ops exempt list)
-- **988 always visible** on every page, even offline
-- **When a Man Is Dying protocol** active on every interaction
-- **No login/signup** — zero barriers to crisis support
-- **Offline-first** — service worker caches critical pages
-
-## Test Coverage
-
-| Test | Coverage |
-|---|---|
-| Crisis overlay focus trap | ✅ |
-| Dying detection deprecation | ✅ |
-| False positive fixes | ✅ |
-| Crisis detection tiers | ❌ (in crisis/tests.py) |
-| Response generation | ❌ |
-| Offline service worker | ❌ |
-
-## Security
-
-- No user data stored (crisis intervention is stateless by design)
-- No cookies, no tracking, no analytics
-- Service worker only caches static assets
-- Crisis detection runs client-side where possible

index.html

@@ -825,6 +825,8 @@ Sovereignty and service always.`;
   var isStreaming = false;
   var overlayTimer = null;
   var crisisPanelShown = false;
+  var _lastOverlayShownTime = 0; // timestamp of last crisis overlay show
+  var OVERLAY_DEBOUNCE_MS = 10 * 60 * 1000; // 10 minutes
 
   // ===== SERVICE WORKER =====
   if ('serviceWorker' in navigator) {
@@ -1019,7 +1021,15 @@ Sovereignty and service always.`;
   // Store the element that had focus before the overlay opened
   var _preOverlayFocusElement = null;
 
-  function showOverlay() {
+  function showOverlay(force) {
+    // Rate-limit: max once per 10 minutes (unless forced)
+    var now = Date.now();
+    if (!force && (now - _lastOverlayShownTime) < OVERLAY_DEBOUNCE_MS) {
+      console.log('[crisis] overlay suppressed — shown ' + Math.round((now - _lastOverlayShownTime) / 1000) + 's ago');
+      return;
+    }
+    _lastOverlayShownTime = now;
+
     // Save current focus for restoration on dismiss
     _preOverlayFocusElement = document.activeElement;
 

tests/test_crisis_overlay_focus_trap.py

@@ -53,5 +53,36 @@ class TestCrisisOverlayFocusTrap(unittest.TestCase):
         )
 
 
+    def test_overlay_debounce_rate_limiting(self):
+        """Crisis overlay has 10-minute debounce to prevent spam."""
+        self.assertRegex(
+            self.html,
+            r"_lastOverlayShownTime",
+            'Expected overlay debounce timestamp variable.',
+        )
+        self.assertRegex(
+            self.html,
+            r"OVERLAY_DEBOUNCE_MS\s*=\s*10\s*\*\s*60\s*\*\s*1000",
+            'Expected 10-minute debounce window (600000ms).',
+        )
+        self.assertRegex(
+            self.html,
+            r"Date\.now\(\)\s*-\s*_lastOverlayShownTime.*OVERLAY_DEBOUNCE_MS",
+            'Expected showOverlay to check time since last shown.',
+        )
+
+    def test_overlay_force_bypasses_debounce(self):
+        """showOverlay(force) bypasses rate limiting for manual access."""
+        self.assertRegex(
+            self.html,
+            r"function\s+showOverlay\s*\(\s*force\s*\)",
+            'Expected showOverlay to accept force parameter.',
+        )
+        self.assertRegex(
+            self.html,
+            r"!force\s*&&",
+            'Expected force flag to bypass debounce check.',
+        )
+
 if __name__ == '__main__':
     unittest.main()