Add tests for 7 coverage audit priorities #75

Merged
alari76 merged 1 commit into main from test/coverage-audit-improvements
Mar 9, 2026
alari76 commented Mar 9, 2026

Summary

  • Addresses the top 7 findings from the 2026-03-09 test coverage audit
  • Adds 78 new tests across 3 new and 4 extended test files (855 → 933 total)
  • New: crypto-utils.test.ts (18), config.test.ts (12), session-naming.test.ts (14)
  • Extended: stepflow-handler.test.ts (+16), session-manager.test.ts (+5), ccApi.test.ts (+9), useSettings.test.ts (+3)

Coverage targets addressed

| Priority | File | Area | Tests |
|---|---|---|---|
| 1 | server/crypto-utils.ts | verifySessionToken length-check short-circuit (lines 55–68) | 18 |
| 2 | server/stepflow-handler.ts | postCallback SSRF protection (lines 392–438) | 16 |
| 3 | server/session-manager.ts | setModel restart path (lines 964–1004) | 5 |
| 4 | server/config.ts | Environment variable edge cases (lines 25–47) | 12 |
| 5 | server/session-naming.ts | No-API-key and no-context early exits (lines 113–120) | 14 |
| 7 | src/lib/ccApi.ts | getSupportProvider, webhook config/events (lines 309–350) | 9 |
| 10 | src/hooks/useSettings.ts | localStorage round-trip persistence (lines 33–38) | 3 |

Notable finding

The SSRF tests uncovered a known gap: new URL('http://[::ffff:127.0.0.1]/...') normalizes the hostname to ::ffff:7f00:1, bypassing the regex that checks for the literal ::ffff:127.0.0.1. Documented in the test; fix can follow separately.

Test plan

  • npm test — 933 tests pass, 0 failures
  • CI pipeline confirms all tests pass

🤖 Generated with Claude Code

Address the top findings from the 2026-03-09 coverage audit:

- crypto-utils: verifySessionToken length-check short-circuit, deriveSessionToken,
  verifyHmacSignature edge cases, redactSecrets patterns (18 tests)
- stepflow-handler: postCallback SSRF protection — private IPs, IPv6, protocol
  validation, allowlist enforcement, HMAC signing (16 tests)
- session-manager: setModel restart path with alive/dead process (5 tests)
- config: PORT fallback, AUTH_TOKEN file loading, GH_ORGS parsing,
  production CORS exit (12 tests)
- session-naming: no-API-key early exit, no-context retry, scheduling,
  name validation, provider selection (14 tests)
- ccApi: getSupportProvider, getWebhookConfig, getWebhookEvents,
  setSupportProvider success/error paths (9 tests)
- useSettings: theme defaults, round-trip localStorage persistence,
  URL token parameter handling (3 tests)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
alari76 merged commit 663e7f1 into main Mar 9, 2026
2 checks passed
alari76 deleted the test/coverage-audit-improvements branch March 10, 2026 05:11
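
The hostname normalization described under "Notable finding", as an added example that is not part of this PR or the project's code: it shows a literal-string check missing the IPv4-mapped form after URL parsing, next to a check that decides on the numeric address instead. The regex shape and all function names are assumptions made for illustration.

```javascript
// Added example, not the project's code. All function names are hypothetical.

// Assumed shape of the literal-string check described in the PR.
const LITERAL_CHECK = /::ffff:127\.0\.0\.1/i;

function literalCheckBlocks(rawUrl) {
  return LITERAL_CHECK.test(new URL(rawUrl).hostname);
}

// Expand a URL-serialized IPv6 host (hex groups, optional "::") into 8 integers.
function expandIPv6(host) {
  const parts = host.split('::');
  const head = parts[0] ? parts[0].split(':') : [];
  const tail = parts[1] ? parts[1].split(':') : [];
  const fill = parts.length === 2 ? Math.max(8 - head.length - tail.length, 0) : 0;
  const groups = [...head, ...Array(fill).fill('0'), ...tail].map((g) => parseInt(g, 16));
  return groups.length === 8 && groups.every((g) => g >= 0 && g <= 0xffff) ? groups : null;
}

// Loopback, RFC 1918, link-local and "this network" ranges, by first two octets.
function isPrivateIPv4(a, b) {
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Decide on the numeric address, so the textual form the URL parser picks is irrelevant.
// DNS names are out of scope here and would need a check on the resolved address.
function isBlockedHost(rawUrl) {
  const host = new URL(rawUrl).hostname;
  if (host.startsWith('[')) {
    const g = expandIPv6(host.slice(1, -1));
    if (!g) return true; // fail closed on anything unparseable
    const highZero = g.slice(0, 5).every((x) => x === 0);
    // IPv4-mapped (::ffff:a.b.c.d): the IPv4 address lives in the last two groups.
    if (highZero && g[5] === 0xffff) return isPrivateIPv4(g[6] >> 8, g[6] & 0xff);
    if (highZero && g[5] === 0 && g[6] === 0 && g[7] <= 1) return true; // :: and ::1
    return (g[0] & 0xfe00) === 0xfc00 || (g[0] & 0xffc0) === 0xfe80; // fc00::/7, fe80::/10
  }
  const m = /^(\d+)\.(\d+)\.\d+\.\d+$/.exec(host);
  return m ? isPrivateIPv4(Number(m[1]), Number(m[2])) : false;
}
```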