Parent umbrella issue: #408
Source audit: Weekly tech debt audit: dispatch - 2026-06-17
Source audit date: 2026-06-17
Original recommendation
P2 — Add co-located route.test.ts for the 17 routes currently uncovered, prioritized by data-leak risk (/api/audit, /api/automation/*, /api/issues/untriaged).
Matched top finding
Roughly a third of API routes (mostly older ones) have no co-located route.test.ts. Several of the unauthenticated list/read routes (/api/audit, /api/repos, /api/automation/events, /api/automation/workflows, /api/issues/untriaged) leak data without auth and would benefit from regression coverage. The PR-fix-queue and PR-followup ingestion routes have route-level coverage gaps too.
Evidence:
find src/app/api -name 'route.test.ts' | wc -l → 31find src/app/api -name 'route.ts' | wc -l → 48- Routes without co-located tests (selected):
/api/audit/route.ts (unauthenticated, returns all AuditLog rows)/api/repos/route.ts (unauthenticated GET)/api/automation/events/route.ts (unauthenticated GET)/api/automation/workflows/route.ts (unauthenticated GET)/api/automation/workflows/[id]/route.ts (unauthenticated GET)/api/pr-fix-queue/mark/route.ts (mutating, has auth)/api/pr-fix-queue/queued/route.ts (auth)/api/pr-fix-queue/enqueue/route.ts (auth)/api/pr-followup/sync/route.ts (auth)/api/pr-followup/webhook/route.ts (auth, has signature verification)/api/issues/reconcile/route.ts (auth)/api/issues/untriaged/route.ts (unauthenticated GET)/api/issues/[issueId]/pr-health/refresh/route.ts (auth)/api/agent-runs/route.ts (auth)/api/health/route.ts (unauthenticated)/api/auth/logout/route.ts (intentionally no auth)/api/auth/[...nextauth]/route.ts (NextAuth-managed)
Parent umbrella issue: #408
Source audit: Weekly tech debt audit: dispatch - 2026-06-17
Source audit date: 2026-06-17
Original recommendation
P2 — Add co-located
route.test.tsfor the 17 routes currently uncovered, prioritized by data-leak risk (/api/audit,/api/automation/*,/api/issues/untriaged).Matched top finding
Roughly a third of API routes (mostly older ones) have no co-located
route.test.ts. Several of the unauthenticated list/read routes (/api/audit,/api/repos,/api/automation/events,/api/automation/workflows,/api/issues/untriaged) leak data without auth and would benefit from regression coverage. The PR-fix-queue and PR-followup ingestion routes have route-level coverage gaps too.Evidence:
find src/app/api -name 'route.test.ts' | wc -l→ 31find src/app/api -name 'route.ts' | wc -l→ 48/api/audit/route.ts(unauthenticated, returns allAuditLogrows)/api/repos/route.ts(unauthenticated GET)/api/automation/events/route.ts(unauthenticated GET)/api/automation/workflows/route.ts(unauthenticated GET)/api/automation/workflows/[id]/route.ts(unauthenticated GET)/api/pr-fix-queue/mark/route.ts(mutating, has auth)/api/pr-fix-queue/queued/route.ts(auth)/api/pr-fix-queue/enqueue/route.ts(auth)/api/pr-followup/sync/route.ts(auth)/api/pr-followup/webhook/route.ts(auth, has signature verification)/api/issues/reconcile/route.ts(auth)/api/issues/untriaged/route.ts(unauthenticated GET)/api/issues/[issueId]/pr-health/refresh/route.ts(auth)/api/agent-runs/route.ts(auth)/api/health/route.ts(unauthenticated)/api/auth/logout/route.ts(intentionally no auth)/api/auth/[...nextauth]/route.ts(NextAuth-managed)