Skip to content

refactor(tests): split security-module-coverage.test.ts into per-module test files#5928

Merged
lpcox merged 3 commits into
mainfrom
copilot/refactor-security-module-tests
Jul 5, 2026
Merged

refactor(tests): split security-module-coverage.test.ts into per-module test files#5928
lpcox merged 3 commits into
mainfrom
copilot/refactor-security-module-tests

Conversation

Copilot AI commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

src/security-module-coverage.test.ts was a 639-line omnibus file housing tests for 9 distinct security-critical modules, none of which had their own dedicated test file. This made it hard to locate failures, unclear where to add new tests, and prevented side-by-side review of a module and its tests.

Changes

  • Deleted src/security-module-coverage.test.ts
  • Created co-located test files for each covered module:
    • src/squid/ssl-bump.test.ts
    • src/squid/upstream-proxy.test.ts
    • src/services/credentials/anthropic-credential-env.test.ts
    • src/services/credentials/copilot-credential-env.test.ts
    • src/services/credentials/gemini-credential-env.test.ts
    • src/services/credentials/openai-credential-env.test.ts
    • src/services/credentials/vertex-credential-env.test.ts
  • Extended src/squid/validation.test.ts with the comprehensive validateApiProxyIp / validateAndSanitizeHostAccessPort / validateApiProxyPort describe blocks from the omnibus file
  • Each credential test file carries its own jest.mock('../../logger') / jest.mock('../../env-utils') setup (Jest hoists mocks per-file); copilot-credential-env.test.ts imports COPILOT_PLACEHOLDER_TOKEN from constants rather than hardcoding it

Copilot AI changed the title [WIP] Refactor security module coverage tests into separate files refactor(tests): split security-module-coverage.test.ts into per-module test files Jul 5, 2026
Copilot AI requested a review from lpcox July 5, 2026 13:06
Copilot finished work on behalf of lpcox July 5, 2026 13:06
@lpcox lpcox marked this pull request as ready for review July 5, 2026 13:15
@lpcox lpcox requested review from Copilot July 5, 2026 13:15

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR refactors the security-module test coverage by removing the single omnibus src/security-module-coverage.test.ts file and replacing it with per-module, co-located test files, improving discoverability and making it clearer where new tests should live.

Changes:

  • Split security-critical module coverage into dedicated *.test.ts files next to each module under src/squid/ and src/services/credentials/.
  • Expanded src/squid/validation.test.ts to include the comprehensive validation suites previously housed in the omnibus file.
  • Removed src/security-module-coverage.test.ts after migrating its coverage.
Show a summary per file
File Description
src/security-module-coverage.test.ts Deleted the omnibus security coverage test file after migrating tests into per-module files.
src/squid/validation.test.ts Extended validation helper tests with the comprehensive suites migrated from the omnibus file.
src/squid/ssl-bump.test.ts Added dedicated tests for generateSslBumpSection behavior and injection hardening.
src/squid/upstream-proxy.test.ts Added dedicated tests for generateUpstreamProxySection, including noProxy bypass behavior and injection hardening.
src/services/credentials/anthropic-credential-env.test.ts Added dedicated tests for Anthropic credential-isolation env construction, including GitHub OIDC gating.
src/services/credentials/copilot-credential-env.test.ts Added dedicated tests for Copilot credential-isolation env construction, placeholder handling, and model-based wire API selection.
src/services/credentials/gemini-credential-env.test.ts Added dedicated tests for Gemini credential-isolation env construction and base-url var compatibility behavior.
src/services/credentials/openai-credential-env.test.ts Added dedicated tests for OpenAI credential-isolation env construction, including Codex WebSocket auth placeholders.
src/services/credentials/vertex-credential-env.test.ts Added dedicated tests for Vertex credential-isolation env construction and routing to the Vertex sidecar port.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 9/9 changed files
  • Comments generated: 2
  • Review effort level: Low

Comment thread src/squid/validation.test.ts Outdated
Comment on lines +42 to +44

describe('validateApiProxyIp', () => {
it('passes when apiProxyIp is undefined', () => {
Comment thread src/squid/upstream-proxy.test.ts
@lpcox

lpcox commented Jul 5, 2026

Copy link
Copy Markdown
Collaborator

@copilot address review feedback

Copilot AI commented Jul 5, 2026

Copy link
Copy Markdown
Contributor Author

@copilot address review feedback

Both issues addressed in the latest commit:

  • validation.test.ts: Removed the describe('squid validation helpers') wrapper and its duplicate shallower cases. Migrated the unique 2\n2 newline-injection test into the comprehensive top-level validateAndSanitizeHostAccessPort describe so no coverage is lost.
  • upstream-proxy.test.ts: Removed the trailing \n from exactMatchLine so the not.toContain assertion will correctly catch the forbidden exact-match line if it ever appears in the output.

Copilot finished work on behalf of lpcox July 5, 2026 13:22
@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

✅ Copilot review passed with no inline comments.

@copilot Add the ready-for-aw label to this PR to trigger agentic CI smoke tests.

@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅

@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

🚀 Security Guard has started processing this pull request

@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK AOAI (api-key) completed. Copilot AOAI BYOK (api-key) mode operational. 🔓

@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅

@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓

@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Build Test Suite completed successfully!

@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Chroot tests failed Smoke Chroot failed - See logs for details.

@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓

@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Smoke Claude passed

@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Smoke Gemini completed. All facets verified. 💎

@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Contribution Check completed successfully!

PR #5928 follows the applicable CONTRIBUTING.md guidelines; no review comment needed.

@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

✅ Coverage Check Passed

Overall Coverage

Metric Base PR Delta
Lines 98.72% 98.76% 📈 +0.04%
Statements 98.64% 98.68% 📈 +0.04%
Functions 99.58% 99.58% ➡️ +0.00%
Branches 94.69% 94.69% ➡️ +0.00%
📁 Per-file Coverage Changes (1 files)
File Lines (Before → After) Statements (Before → After)
src/workdir-setup.ts 93.2% → 94.9% (+1.69%) 93.2% → 94.9% (+1.69%)

Coverage comparison generated by scripts/ci/compare-coverage.ts

@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Claude Engine Validation

Overall result: ✅ PASS

Check Status
API ✅ PASS
GH ✅ PASS
File ✅ PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Smoke Claude for #5928 · 35.5 AIC · ⊞ 3.3K ·
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

🤖 Smoke Test Results

Test Status
GitHub MCP connectivity
GitHub.com HTTP ✅ 200
File write/read

Author: @lpcox

Overall: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Smoke Test Results

  • Redis PING: ❌ Network unreachable
  • PostgreSQL pg_isready: ❌ No response
  • PostgreSQL SELECT 1: ❌ Network unreachable

Overall: FAILhost.docker.internal (172.17.0.1) is not reachable from this runner. Service containers are not accessible.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔌 Service connectivity validated by Smoke Services
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Copilot BYOK (Direct) Mode ✅ PASS

Test Result
GitHub.com Connectivity ✅ HTTP 200
File Write/Read ✅ File exists
BYOK Mode Active ✅ Dummy key set
Inference Path ✅ api-proxy → api.githubcopilot.com

Mode: Direct BYOK (COPILOT_PROVIDER_API_KEY) via api-proxy sidecar

All smoke tests passed successfully on direct BYOK inference path.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 BYOK report filed by Smoke Copilot BYOK
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Smoke test results:\n- [Test Coverage] branch coverage: log-parser, workdir-setup, network-setup, preflight ✅\n- refactor(api-proxy): centralize auth-header construction in shared helpers ✅\n- GitHub title check ✅\n- Temp file verification ✅\n- Discussion comment ✅\n- Build ✅\nOverall status: PASS

Warning

Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

  • awmgmcpg
  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

🔍 Smoke Test: API Proxy OpenTelemetry Tracing

Scenario Result Detail
1. Module Loading ✅ Pass otel.js loads successfully; exports: startRequestSpan, setTokenAttributes, setBudgetAttributes, endSpan, endSpanError, shutdown, isEnabled + test helpers
2. Test Suite ✅ Pass 59/59 tests passed across otel.test.js and otel-fanout.test.js
3. Env Var Forwarding ✅ Pass src/services/api-proxy-env-config.ts forwards GH_AW_OTLP_ENDPOINTS, OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_HEADERS, GITHUB_AW_OTEL_TRACE_ID, GITHUB_AW_OTEL_PARENT_SPAN_ID, OTEL_SERVICE_NAME
4. Token Tracker Integration ✅ Pass onUsage callback exists in token-tracker-http.js (line 283); onSpanEnd also present as span completion hook
5. OTEL Diagnostics ✅ Pass Defaults to file exporter at /var/log/api-proxy/otel.jsonl when no OTLP endpoint configured; graceful degradation confirmed (isEnabled() returns true with file fallback)

All 5 scenarios passed.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

📡 OTel tracing validated by Smoke OTel Tracing
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Copilot PAT Auth

Test Result
GitHub.com connectivity (HTTP) ✅ 200
File write/read ✅ Exists
GitHub MCP ⚠️ N/A in agent context

Overall: PASS (core smoke tests passed)

Auth mode: PAT (COPILOT_GITHUB_TOKEN) | Author: @lpcox

⚠️ Template vars (steps.smoke-data.outputs.*) were unresolved — pre-step outputs may not have been set.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 PAT report filed by Smoke Copilot PAT
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

@lpcox

Merged PRs:

  • ${{ steps.smoke-data.outputs.SMOKE_PR_DATA }}

✅ GitHub MCP connectivity
✅ GitHub.com connectivity
✅ File write/read test
✅ BYOK inference test

Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) authenticated via Microsoft Entra

PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🪪 BYOK (AOAI Entra) report filed by Smoke Copilot BYOK AOAI (Entra)
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

@lpcox

GitHub MCP Testing: ✅
GitHub.com Connectivity: ✅
File Write/Read Test: ✅
BYOK Inference Test: ✅

Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw)
Overall: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 BYOK (AOAI api-key) report filed by Smoke Copilot BYOK AOAI (api-key)
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Gemini Smoke Test Results

Overall Status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color 1/1 passed ✅ PASS
Go env 1/1 passed ✅ PASS
Go uuid 1/1 passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx all passed ✅ PASS
Node.js execa all passed ✅ PASS
Node.js p-limit all passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Build Test Suite for #5928 · 49.2 AIC · ⊞ 6.9K ·
Add label ready-for-aw to run again

@lpcox lpcox merged commit 609acad into main Jul 5, 2026
85 of 88 checks passed
@lpcox lpcox deleted the copilot/refactor-security-module-tests branch July 5, 2026 15:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Refactoring] Split security-module-coverage.test.ts into per-module test files

3 participants