refactor(tests): split security-module-coverage.test.ts into per-module test files#5928
Conversation
There was a problem hiding this comment.
Pull request overview
This PR refactors the security-module test coverage by removing the single omnibus src/security-module-coverage.test.ts file and replacing it with per-module, co-located test files, improving discoverability and making it clearer where new tests should live.
Changes:
- Split security-critical module coverage into dedicated
*.test.tsfiles next to each module undersrc/squid/andsrc/services/credentials/. - Expanded
src/squid/validation.test.tsto include the comprehensive validation suites previously housed in the omnibus file. - Removed
src/security-module-coverage.test.tsafter migrating its coverage.
Show a summary per file
| File | Description |
|---|---|
| src/security-module-coverage.test.ts | Deleted the omnibus security coverage test file after migrating tests into per-module files. |
| src/squid/validation.test.ts | Extended validation helper tests with the comprehensive suites migrated from the omnibus file. |
| src/squid/ssl-bump.test.ts | Added dedicated tests for generateSslBumpSection behavior and injection hardening. |
| src/squid/upstream-proxy.test.ts | Added dedicated tests for generateUpstreamProxySection, including noProxy bypass behavior and injection hardening. |
| src/services/credentials/anthropic-credential-env.test.ts | Added dedicated tests for Anthropic credential-isolation env construction, including GitHub OIDC gating. |
| src/services/credentials/copilot-credential-env.test.ts | Added dedicated tests for Copilot credential-isolation env construction, placeholder handling, and model-based wire API selection. |
| src/services/credentials/gemini-credential-env.test.ts | Added dedicated tests for Gemini credential-isolation env construction and base-url var compatibility behavior. |
| src/services/credentials/openai-credential-env.test.ts | Added dedicated tests for OpenAI credential-isolation env construction, including Codex WebSocket auth placeholders. |
| src/services/credentials/vertex-credential-env.test.ts | Added dedicated tests for Vertex credential-isolation env construction and routing to the Vertex sidecar port. |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 9/9 changed files
- Comments generated: 2
- Review effort level: Low
|
|
||
| describe('validateApiProxyIp', () => { | ||
| it('passes when apiProxyIp is undefined', () => { |
|
@copilot address review feedback |
Both issues addressed in the latest commit:
|
|
✅ Copilot review passed with no inline comments. @copilot Add the |
|
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤 |
|
✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟 |
|
🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅ |
|
🚀 Security Guard has started processing this pull request |
|
✅ Smoke Copilot BYOK AOAI (api-key) completed. Copilot AOAI BYOK (api-key) mode operational. 🔓 |
|
📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅ |
|
✅ Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓 |
|
✅ Build Test Suite completed successfully! |
|
Chroot tests failed Smoke Chroot failed - See logs for details. |
|
✅ Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓 |
|
✅ Smoke Claude passed |
|
✅ Smoke Gemini completed. All facets verified. 💎 |
|
✅ Contribution Check completed successfully! PR #5928 follows the applicable CONTRIBUTING.md guidelines; no review comment needed. |
✅ Coverage Check PassedOverall Coverage
📁 Per-file Coverage Changes (1 files)
Coverage comparison generated by |
Smoke Test: Claude Engine ValidationOverall result: ✅ PASS
Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
🤖 Smoke Test Results
Author: Overall: PASS Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
Smoke Test Results
Overall: FAIL — Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
Smoke Test: Copilot BYOK (Direct) Mode ✅ PASS
Mode: Direct BYOK (COPILOT_PROVIDER_API_KEY) via api-proxy sidecar All smoke tests passed successfully on direct BYOK inference path. Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
|
Smoke test results:\n- [Test Coverage] branch coverage: log-parser, workdir-setup, network-setup, preflight ✅\n- refactor(api-proxy): centralize auth-header construction in shared helpers ✅\n- GitHub title check ✅\n- Temp file verification ✅\n- Discussion comment ✅\n- Build ✅\nOverall status: PASS Warning Firewall blocked 2 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"
- "registry.npmjs.org"See Network Configuration for more information.
|
🔍 Smoke Test: API Proxy OpenTelemetry Tracing
All 5 scenarios passed. ✅ Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
Smoke Test: Copilot PAT Auth
Overall: PASS (core smoke tests passed) Auth mode: PAT (COPILOT_GITHUB_TOKEN) | Author:
Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
|
Merged PRs:
✅ GitHub MCP connectivity Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) authenticated via Microsoft Entra PASS Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
|
GitHub MCP Testing: ✅ Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
Gemini Smoke Test Results
Overall Status: FAIL Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "localhost"See Network Configuration for more information.
|
🏗️ Build Test Suite Results
Overall: 8/8 ecosystems passed — ✅ PASS Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
src/security-module-coverage.test.tswas a 639-line omnibus file housing tests for 9 distinct security-critical modules, none of which had their own dedicated test file. This made it hard to locate failures, unclear where to add new tests, and prevented side-by-side review of a module and its tests.Changes
src/security-module-coverage.test.tssrc/squid/ssl-bump.test.tssrc/squid/upstream-proxy.test.tssrc/services/credentials/anthropic-credential-env.test.tssrc/services/credentials/copilot-credential-env.test.tssrc/services/credentials/gemini-credential-env.test.tssrc/services/credentials/openai-credential-env.test.tssrc/services/credentials/vertex-credential-env.test.tssrc/squid/validation.test.tswith the comprehensivevalidateApiProxyIp/validateAndSanitizeHostAccessPort/validateApiProxyPortdescribe blocks from the omnibus filejest.mock('../../logger')/jest.mock('../../env-utils')setup (Jest hoists mocks per-file);copilot-credential-env.test.tsimportsCOPILOT_PLACEHOLDER_TOKENfrom constants rather than hardcoding it