[Test Coverage] Cover regex rules in policy-manifest and signals in log-streamer

[github-actions]

Improves test coverage for two files that had uncovered branches.

Changes

src/squid/policy-manifest.test.ts (new file)

Adds 14 tests covering the three previously-uncovered branch groups in generatePolicyManifest:

Uncovered lines	Trigger condition	Rule ID
148–154	blockedDomains with wildcard patterns (e.g. *.evil.com)	deny-blocked-regex
173–179	(redacted) prefixed wildcard domains (e.g. (redacted)	allow-http-only-regex
196–202	https:// prefixed wildcard domains (e.g. https://*.secure.com)	allow-https-only-regex

Each section verifies the rule is emitted, its action/protocol/aclName are correct, and that it does not appear when the condition isn't met.

src/logs/log-streamer.test.ts (updated)

Adds 5 tests and imports PassThrough to cover:

• Lines 85–88 – SIGTERM error caught gracefully: makes the mock process a rejecting thenable with { signal: 'SIGTERM' }, asserts the function resolves (not throws).
• Line 88 – Non-SIGTERM errors are re-thrown (companion negative test).
• Line 66 – proc.kill('SIGTERM') called from cleanup: uses a PassThrough stdout that stays open, emits SIGINT via process.emit after setup, verifies kill is called.
• Line 189 – enrichWithPid early-return for invalid port: exercises both port 0 (≤ 0) and port 99999 (> 65535), asserts trackPidForPortSync is not called.

Coverage delta

File	Before	After
src/squid/policy-manifest.ts	87.5 % stmts / 70 % fn	100 %
src/logs/log-streamer.ts	92.18 % stmts / 88.88 % fn	100 % stmts/fn/lines

Generated by Test Coverage Improver · 132.9 AIC · ⊞ 5.9K · ◷

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	97.62%	97.89%	📈 +0.27%
Statements	97.56%	97.82%	📈 +0.26%
Functions	98.85%	99.50%	📈 +0.65%
Branches	93.24%	93.58%	📈 +0.34%

📁 Per-file Coverage Changes (3 files)

File	Lines (Before → After)	Statements (Before → After)
src/workdir-setup.ts	92.7% → 94.5% (+1.82%)	92.7% → 94.5% (+1.82%)
src/logs/log-streamer.ts	92.1% → 100.0% (+7.94%)	92.2% → 100.0% (+7.82%)
src/squid/policy-manifest.ts	87.2% → 100.0% (+12.77%)	87.5% → 100.0% (+12.50%)

✨ New Files (1 files)

• src/test-helpers/startup-retry.test-utils.ts: 100.0% lines

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[Copilot]

Pull request overview

Adds targeted Jest tests to bring uncovered branches in Squid policy-manifest generation and log streaming/signal handling up to full coverage, improving confidence in wildcard-regex rule emission and edge-case runtime behavior.

Changes:

• Add a new policy-manifest test suite covering wildcard-domain regex rule variants across allow/deny cases.
• Extend log-streamer tests to cover SIGTERM vs non-SIGTERM error handling, SIGINT cleanup behavior, and invalid-port PID enrichment guards.

Show a summary per file

File	Description
src/squid/policy-manifest.test.ts	New unit tests validating regex-rule emission and ordering in generatePolicyManifest for wildcard domain inputs.
src/logs/log-streamer.test.ts	Additional tests for signal handling paths and PID-enrichment invalid-port guard behavior in streamLogs.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 2/2 changed files
• Comments generated: 1

[github-actions]

✅ Copilot review passed with no inline comments.

@github-actions[bot] Add the ready-for-aw label to this PR to trigger agentic CI smoke tests.

[lpcox]

@copilot fix this failing ci check https://github.com/github/gh-aw-firewall/actions/runs/27877833519/job/82500217956?pr=5317

[Copilot]

@copilot fix this failing ci check https://github.com/github/gh-aw-firewall/actions/runs/27877833519/job/82500217956?pr=5317

Fixed in commit fix: close runWithSignalHandling describe block to fix lint parse error. The runWithSignalHandling describe block (line 393) was missing its closing });, causing the file to end at brace depth 2 instead of 0. ESLint reported this as a parsing error ('}' expected at EOF). Added the missing close so enrichWithPid is correctly a sibling describe group rather than nested inside runWithSignalHandling.

[github-actions]

🚀 Security Guard has started processing this pull request

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

✅ Smoke Copilot BYOK AOAI (api-key) completed. Copilot AOAI BYOK (api-key) mode operational. 🔓

[github-actions]

✅ Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓

[github-actions]

Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded.

[github-actions]

✅ Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅

[github-actions]

✅ Smoke Claude passed

[github-actions]

✅ Build Test Suite completed successfully!

[github-actions]

📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅

[github-actions]

🔌 Smoke Services — All services reachable! ✅

[github-actions]

✅ Smoke Gemini completed. All facets verified. 💎

Checking safeoutputs availability

[github-actions]

Smoke Claude Result: PASS

Check	Status
API	PASS
gh CLI	PASS
File access	PASS

Overall: PASS

Generated by Smoke Claude for issue #5317 · 61 AIC · ⊞ 3.1K · ◷

[github-actions]

🔬 Smoke Test Results

PR: [Test Coverage] Cover regex rules in policy-manifest and signals in log-streamer
Author: @github-actions[bot] | Reviewer: @lpcox

Test	Result
GitHub MCP connectivity	✅
GitHub.com HTTP connectivity	✅
File write/read	✅

Overall: PASS

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

✅ Smoke Test: Copilot BYOK — PASS

Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY) via api-proxy → api.githubcopilot.com

Test Results:

• GitHub MCP connectivity ✅
• GitHub.com connectivity ✅
• File I/O ✅
• BYOK inference path ✅

Tested by @lpcox

🔑 BYOK report filed by Smoke Copilot BYOK

[github-actions]

🔥 Smoke Test — Copilot PAT Auth

Test	Result
GitHub MCP connectivity	✅
GitHub.com HTTP connectivity	✅
File write/read	✅

Overall: PASS

Auth mode: PAT (COPILOT_GITHUB_TOKEN)
PR author: @github-actions[bot] · Reviewer: @lpcox

🔑 PAT report filed by Smoke Copilot PAT

[github-actions]

Smoke Test Results

• GitHub MCP listing PRs: ✅
• GitHub.com HTTP: ✅
• File write/read: ✅
• BYOK inference path: ✅

Running in direct BYOK mode via api-proxy → Azure OpenAI (Foundry, o4-mini-aw).

Overall: PASS

@lpcox

🪪 BYOK (AOAI Entra) report filed by Smoke Copilot BYOK AOAI (Entra)

[github-actions]

Merged PRs:\n- perf(security-guard): prioritize security-relevant files in PR diff\n- fix(smoke-claude): raise turn budget to 8 and fix add_comment usage\n- GitHub page title: ✅\n- File write/read: ✅\n- Build: ✅\n- Discussion comment: ✅\n- PR comment: ✅\n- Label: ✅\nOverall: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions]

Smoke Test: Gemini Engine Validation

• GitHub MCP Testing: ❌ (Tools missing)
• GitHub.com Connectivity: ❌ (SSL Error 35)
• File Writing Testing: ✅
• Bash Tool Testing: ✅

Overall Status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini

[github-actions]

@github-actions[bot] @lpcox

• MCP PR listing: ✅
• GitHub.com HTTP: ✅
• File I/O: ✅
• BYOK inference: ✅

Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw)

PASS

🔑 BYOK (AOAI api-key) report filed by Smoke Copilot BYOK AOAI (api-key)

[github-actions]

Smoke Test: API Proxy OpenTelemetry Tracing

Scenario	Result	Notes
1. Module Loading	✅	otel.js loads; isEnabled() → true; exports startRequestSpan, setTokenAttributes, setBudgetAttributes, endSpan, endSpanError, shutdown + internals
2. Test Suite	✅	59/59 passed across otel.test.js + otel-fanout.test.js
3. Env Var Forwarding	✅	api-proxy-service-config.ts forwards OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_HEADERS, GITHUB_AW_OTEL_TRACE_ID, GITHUB_AW_OTEL_PARENT_SPAN_ID, OTEL_SERVICE_NAME
4. Token Tracker Integration	✅	onUsage callback present in token-tracker-http.js (lines 283, 324, 374)
5. OTEL Diagnostics	i️	No api-proxy container run in smoke context; FileSpanExporter would write to /var/log/api-proxy/otel.jsonl — graceful degradation confirmed by test suite

All scenarios pass. OTEL tracing integration is healthy.

📡 OTel tracing validated by Smoke OTel Tracing

[github-actions]

Chroot Version Comparison Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.13	Python 3.12.3	❌ NO
Node.js	v24.16.0	v22.22.3	❌ NO
Go	go1.22.12	go1.22.12	✅ YES

Overall: ❌ Not all tests passed — Python and Node.js versions differ between host and chroot environments.

Tested by Smoke Chroot

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	ok	✅ PASS
Go	env	✅	ok	✅ PASS
Go	uuid	✅	ok	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	All passed	✅ PASS
Node.js	execa	✅	All passed	✅ PASS
Node.js	p-limit	✅	All passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Note (Java): Initial Maven run failed with LocalRepositoryNotAccessibleException because ~/.m2/ was owned by root. Resolved by using -Dmaven.repo.local=/tmp/gh-aw/agent/m2-repo (writable temp path). Both gson and caffeine compiled and tested successfully on retry.

Generated by Build Test Suite for issue #5317 · 64.9 AIC · ⊞ 7.7K · ◷

[github-actions]

Smoke Test Results

• Redis PING: ❌ (connection timed out to host.docker.internal:6379)
• PostgreSQL pg_isready: ❌ (no response on host.docker.internal:5432)
• PostgreSQL SELECT 1: ❌ (not attempted — pg_isready failed)

DNS resolves host.docker.internal → 172.17.0.1, but TCP connections to both ports 6379 and 5432 timed out. Service containers appear unreachable.

Overall: FAIL

🔌 Service connectivity validated by Smoke Services