[Test Coverage] Improve config-writer.ts branch coverage with edge case tests

[github-actions]

Summary

This PR improves test coverage for src/config-writer.ts, focusing on security-critical edge cases and branch coverage. The module currently has 85.48% line coverage but only 69.09% branch coverage — this PR specifically targets the uncovered branches.

Coverage Improvements

Before

• Lines: 85.48% (106/124)
• Branches: 69.09% (38/55) ⚠️
• Functions: 100% (8/8)
• Statements: 85.48% (106/124)

Target After

• Branches: >85% (aiming to add ~10 branch coverage points)
• Focus on uncovered conditional paths and error handling

Tests Added

1. Directory Validation Edge Cases (Security-Critical)

// Line 34-36: Validates that workDir is actually a directory
it('throws when workDir path exists but is not a directory')

This tests the security check that prevents using a file as a directory, which could bypass permission checks.

2. Chroot Home Directory Lifecycle

// Lines 171-175: Chroot home directory creation
it('creates chroot home directory when it does not exist')
it('uses existing chroot home directory if already present')

Tests both paths in the if (!fs.existsSync(emptyHomeDir)) condition (lines 171-173).

3. Home Subdirectory Creation (Credential Isolation)

// Lines 185-189: Creates .copilot, .cache, .config, etc.
it('creates missing home subdirectories with correct ownership')

Ensures whitelisted home directories are created with correct ownership before Docker bind-mounts them.

4. Conditional Feature Enablement

// Line 181: .gemini directory conditional on geminiApiKey
it('creates .gemini directory when geminiApiKey is provided')
it('does not create .gemini directory when geminiApiKey is not provided')

Tests both branches of the ternary operator in line 181.

5. URL Pattern Parsing

// Lines 254-257: Parse allowedUrls only when provided
it('parses URL patterns when allowedUrls is provided')
it('does not parse URL patterns when allowedUrls is empty')

Tests SSL Bump URL filtering configuration paths.

6. API Proxy Configuration

// Lines 277-280: Conditional API proxy IP/port config
it('includes API proxy configuration when enableApiProxy is true')
it('does not include API proxy configuration when enableApiProxy is false')

Tests the conditional spread operator that adds apiProxyIp and apiProxyPorts to Squid config.

7. Audit Directory Creation

// Lines 301-302: Audit directory for forensics artifacts
it('creates audit directory when it does not exist')

Tests directory creation for post-run forensics (squid.conf, policy-manifest.json).

Security Focus

These tests specifically cover:

1. Directory Validation - Preventing symlink/file injection attacks
2. Permission Handling - Ensuring correct ownership for chroot directories
3. Conditional Feature Security - Proper API proxy and SSL Bump configuration
4. Audit Trail - Forensics artifact generation

Testing Approach

• All tests use mocked dependencies (fs, ssl-bump, squid-config, compose-generator)
• No Docker containers required
• Fast, deterministic execution
• Follows existing test patterns in the codebase

Validation

Due to security restrictions in the agentic workflow environment, tests cannot be executed during PR creation. However, the tests:

• Follow existing patterns from config-writer.test.ts
• Use the same mocking structure as current tests
• Are syntactically valid TypeScript
• Target specific uncovered lines identified in the HTML coverage report

What's Not Covered (Intentional)

The one test case I did NOT add is for the embedded seccomp profile path (line 209-211) because:

• Requires compile-time esbuild global (__AWF_SECCOMP_PROFILE__)
• Would need significant test infrastructure changes
• The fallback paths (lines 214-227) are already implicitly tested

Files Changed

• src/config-writer.test.ts - Added 11 new test cases (193 → 492 lines, +299 lines)

Next Steps

After this PR, remaining coverage gaps are in:

• cli.ts - 0% coverage (entry point, command-line parsing)
• Other docker-manager submodules with <90% coverage

Generated by Test Coverage Improver · ● 12.3M · ◷

[Copilot]

Pull request overview

This PR expands src/config-writer.test.ts to increase branch coverage in writeConfigs() by adding tests for security-relevant edge cases (directory validation, chroot/home directory lifecycle, conditional feature configuration, and audit artifact creation).

Changes:

• Added tests for directory setup edge cases, including non-directory workDir and chroot home directory creation/reuse paths.
• Added tests for conditional home subdirectory creation (including .gemini) and audit artifact output.
• Added tests for allowedUrls parsing behavior and conditional API proxy configuration in generated Squid/policy inputs.

Show a summary per file

File	Description
src/config-writer.test.ts	Adds multiple new unit tests to cover previously-uncovered branches in writeConfigs() (directory validation, chroot/home lifecycle, URL patterns, API proxy config, audit outputs, seccomp error path).

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 1/1 changed files
• Comments generated: 2

[github-actions]

Smoke Test Results ✅ PASS

• ✅ GitHub API: 2 recent PRs verified (3704, 3703)
• ✅ GitHub check: playwright_check PASS
• ✅ File verify: smoke-test file exists

Overall: PASS — Claude engine validation complete.

💥 [THE END] — Illustrated by Smoke Claude

[github-actions]

Smoke Test Results ✅

Author: @github-actions • Assignees: @lpcox, @Copilot

1. GitHub MCP: ✅ — PR Reduce Documentation Maintainer workflow prompt/tool overhead #3704: "Reduce Documentation Maintainer workflow prompt/tool overhead"
2. GitHub.com Connectivity: ✅ — HTTP 200
3. File Write/Read: ⚠️ — Pre-step file not accessible in agent environment

Overall Status: PASS

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

Copilot BYOK Smoke Test Results

Mode: BYOK offline (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com

• ✅ GitHub MCP: Retrieved PR refactor: remove unused exports (AgentEnvironmentParams barrel, AgentVolumesParams, EMPTY_STATS) #3750 (refactor: remove unused exports)
• ❌ File Write/Read: /tmp/smoke-test-marker.txt not found (pre-step may have failed)
• ✅ BYOK Inference: Successfully processing this prompt via api-proxy sidecar
• i️ GitHub.com Connectivity: Pre-step data not provided in template variables

Overall: PARTIAL PASS (3/4 verifiable tests passed)

PR #3739 Details:

• Author: @github-actions[bot]
• Title: [Test Coverage] Improve config-writer.ts branch coverage with edge case tests
• Labels: smoke-claude, build-test

🔑 BYOK report filed by Smoke Copilot BYOK

[github-actions]

Smoke Test Codex

✅ Merged PRs reviewed: Reduce Documentation Maintainer workflow prompt/tool overhead; refactor(api-proxy): extract nested callbacks from proxyRequest into focused module-level functions
❌ safeinputs-gh unavailable; used gh fallback for PR query
✅ Playwright GitHub title check; ✅ file write/read; ✅ npm ci && npm run build
❌ Tavily search unavailable; ❌ github-discussion-query unavailable
Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions]

Services Connectivity Test Results

❌ Redis: Connection timeout
❌ PostgreSQL pg_isready: No response
❌ PostgreSQL SELECT 1: Not tested (pg_isready failed)

Overall: FAIL — Cannot reach GitHub Actions services at host.docker.internal

🔌 Service connectivity validated by Smoke Services

[github-actions]

Smoke Test Result: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini

[github-actions]

Chroot Runtime Version Test Results

Comparison between host and chroot environments:

Runtime	Host Version	Chroot Version	Match?
Python	3.12.13	3.12.3	❌ NO
Node.js	v24.15.0	v22.22.3	❌ NO
Go	go1.22.12	go1.22.12	✅ YES

Overall Result: ❌ Tests did not pass

The chroot environment has different versions of Python and Node.js compared to the host. Only Go versions match. This indicates that the chroot selective bind mount strategy does not fully inherit the host runtime versions.

Tested by Smoke Chroot

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	All passed	✅ PASS
Go	env	✅	All passed	✅ PASS
Go	uuid	✅	All passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	All passed	✅ PASS
Node.js	execa	✅	All passed	✅ PASS
Node.js	p-limit	✅	All passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

All build and test operations completed successfully across all ecosystems.

Generated by Build Test Suite for issue #3739 · ● 11.2M · ◷