test: add route coverage for API data access #441

Merged: joryirving merged 2 commits into main from test/route-coverage-data-access, Jun 18, 2026

@itsmiso-ai

Contributor

Closes #416

Add co-located route.test.ts coverage for 16 previously untested API routes, prioritizing read/list routes and auth/data-leak risk.

New test files (16)

High priority (data leak risk — unauthenticated)

  • src/app/api/audit/route.test.ts — 8 tests (intentionally public; documents data leak risk)
  • src/app/api/repos/route.test.ts — 4 tests (GET is intentionally public)
  • src/app/api/issues/untriaged/route.test.ts — 7 tests (intentionally public)

Medium priority (unauthenticated read routes)

  • src/app/api/automation/events/route.test.ts — 9 tests
  • src/app/api/automation/workflows/route.test.ts — 6 tests
  • src/app/api/automation/workflows/[id]/route.test.ts — 5 tests
  • src/app/api/health/route.test.ts — 3 tests (intentionally public)
  • src/app/api/auth/logout/route.test.ts — 2 tests (intentionally public)

Authenticated routes

  • src/app/api/agent-runs/route.test.ts — 10 tests (GET public, POST auth'd)
  • src/app/api/pr-fix-queue/enqueue/route.test.ts — 7 tests
  • src/app/api/pr-fix-queue/mark/route.test.ts — 8 tests
  • src/app/api/pr-fix-queue/queued/route.test.ts — 8 tests
  • src/app/api/pr-followup/sync/route.test.ts — 5 tests
  • src/app/api/pr-followup/webhook/route.test.ts — 9 tests
  • src/app/api/issues/reconcile/route.test.ts — 7 tests
  • src/app/api/issues/[issueId]/pr-health/refresh/route.test.ts — 6 tests

Total: 104 new test cases

What's tested

For each route:

  • Unauthenticated routes: verify they return expected data shape; document public access with comments noting data leak risk in open deployments
  • Authenticated routes: verify 401 for missing/bad auth headers, happy path with valid token, validation errors, and that unauthorized requests do not reach Prisma or side-effect helpers

Validation

  • npm run lint
  • npm run typecheck
  • npm run test ✅ (all 1583 tests pass)
  • npm run build

No route.ts source files were modified — only test files added.

@its-saffron its-saffron Bot left a comment


AI Automated Review

Full PR review.

Analysis engine: MiniMax-M2.7@https://litellm.jory.dev/v1 (anthropic) — escalated (fast_low_confidence)

Review: test: add route coverage for API data access (PR #441)

Recommendation: Approve

This PR adds 16 co-located route.test.ts files covering 104 new test cases for previously untested API routes, directly addressing the acceptance criteria of linked issue #416.


Change-by-Change Findings

All 16 new test files follow a consistent pattern: mock @/lib/dispatch-env with a known test token, mock @/lib/prisma for the relevant model, call the route handler directly, and assert on response status and body. This is consistent with the existing test suite in the repository (e.g., src/app/api/agent-work/checkpoint/route.test.ts, src/app/api/agents/[agentName]/tasks/report/route.test.ts).

High-priority (data leak risk) routes:

  • audit/route.test.ts — 8 tests, correctly documents intentional unauthenticated access with inline comments.
  • repos/route.test.ts — 4 tests, correctly documents intentional unauthenticated GET.
  • issues/untriaged/route.test.ts — 9 tests covering limit capping at 200, repo filtering, status label exclusion, and open-state filtering via Prisma query assertions.

Medium-priority unauthenticated routes:

  • automation/events/route.test.ts — 9 tests, verifies query params for repoId and eventType.
  • automation/workflows/route.test.ts — 6 tests, verifies orderBy: { name: 'asc' } and includes.
  • automation/workflows/[id]/route.test.ts — 5 tests, verifies 400 when id param is missing and 404 when not found.
  • health/route.test.ts — 3 tests, mocks @/lib/version to avoid runtime dependency.
  • auth/logout/route.test.ts — 2 tests, verifies signOut is called with { redirect: false }.

Authenticated routes:

  • All authenticated route tests verify 401 for missing auth header, 401 for bad bearer token, and "does not call prisma" guards. This pattern appears in issues/[issueId]/pr-health/refresh/route.test.ts (6 tests), issues/reconcile/route.test.ts (7 tests), pr-fix-queue/enqueue/route.test.ts (7 tests), pr-fix-queue/mark/route.test.ts (8 tests), pr-fix-queue/queued/route.test.ts (8 tests), pr-followup/sync/route.test.ts (5 tests), pr-followup/webhook/route.test.ts (9 tests), and agent-runs/route.test.ts (10 tests).

Standards Compliance

  • No source files modified. Only test files added — zero risk to production code.
  • Mock isolation: Uses vi.hoisted() for shared mock objects, vi.clearAllMocks() and vi.clearAllMocks() in beforeEach for isolation. Consistent with existing test patterns in the codebase.
  • No secrets in tests: DISPATCH_AGENT_TOKEN is set to a hardcoded test string ("test-agent-token"), consistent with the existing test pattern in agent-work/route.test.ts, tasks/report/route.test.ts, etc.
  • Error handling coverage: Every route has at least one test for 500 responses on database errors, verifying the catch block returns { error: "<descriptive message>", status: 500 }. This matches the codebase convention seen in agent-work/route.ts, agents/[agentName]/heartbeat/route.ts, etc.
  • Vitest framework: Uses describe, it, expect, vi, beforeEach — the standard test library for this project (evidenced by existing route.test.ts files using vitest).

Linked Issue Fit (#416)

Issue #416 identifies 17 routes without co-located tests, prioritized by data-leak risk. The PR covers 16 of them:

| Route from Issue #416 | Test File in PR | Status |
| --- | --- | --- |
| /api/audit/route.ts | audit/route.test.ts | ✅ Covered |
| /api/repos/route.ts | repos/route.test.ts | ✅ Covered |
| /api/automation/events/route.ts | automation/events/route.test.ts | ✅ Covered |
| /api/automation/workflows/route.ts | automation/workflows/route.test.ts | ✅ Covered |
| /api/automation/workflows/[id]/route.ts | automation/workflows/[id]/route.test.ts | ✅ Covered |
| /api/pr-fix-queue/mark/route.ts | pr-fix-queue/mark/route.test.ts | ✅ Covered |
| /api/pr-fix-queue/queued/route.ts | pr-fix-queue/queued/route.test.ts | ✅ Covered |
| /api/pr-fix-queue/enqueue/route.ts | pr-fix-queue/enqueue/route.test.ts | ✅ Covered |
| /api/pr-followup/sync/route.ts | pr-followup/sync/route.test.ts | ✅ Covered |
| /api/pr-followup/webhook/route.ts | pr-followup/webhook/route.test.ts | ✅ Covered |
| /api/issues/reconcile/route.ts | issues/reconcile/route.test.ts | ✅ Covered |
| /api/issues/untriaged/route.ts | issues/untriaged/route.test.ts | ✅ Covered |
| /api/issues/[issueId]/pr-health/refresh/route.ts | issues/[issueId]/pr-health/refresh/route.test.ts | ✅ Covered |
| /api/agent-runs/route.ts | agent-runs/route.test.ts | ✅ Covered |
| /api/health/route.ts | health/route.test.ts | ✅ Covered |
| /api/auth/logout/route.ts | auth/logout/route.test.ts | ✅ Covered |
| /api/auth/[...nextauth]/route.ts | (not tested) | ✅ Intentionally excluded — NextAuth-managed |

The PR title claims 17 routes but the issue lists 17 routes including the NextAuth catch-all which is correctly excluded. The PR body explicitly says "16 previously untested API routes" which is accurate. Minor inconsistency in the PR title only — the body is correct.


Evidence Provider Findings

No evidence providers are configured for this repository. No blockers.


Tool Harness Findings

  • src/app/api/agent-runs/route.test.ts was read — confirmed mock structure, test patterns, and auth coverage match expectations.
  • src/app/api/audit/route.test.ts was read — confirmed 8 tests covering GET behavior, default limit, query params, and error handling.
  • src/app/api/agent-runs/route.ts was read — confirms the source route validates outcome against isValidEscalatedOutcome in the POST handler. The test file does not explicitly test this validation path, but it is not listed in the issue's acceptance criteria and represents a minor gap (not a blocker).
  • CI checks (Validate, Docker Build) both completed successfully at commit de126f2dbaa68719f0ecac256fc7128cb69637ff.

Unknowns / Needs Verification

  • Outcome field validation not tested in agent-runs POST: The route's POST handler validates outcome against isValidEscalatedOutcome, but the test file does not include a test case for invalid outcome values. This is a minor gap not mentioned in issue #416's scope, but worth noting for future test enrichment.
  • PR title says "17 routes" but covers 16: As noted above, this is a minor title inconsistency — the body correctly states 16. Not a blocker.

Summary

The PR is a well-structured, comprehensive addition of route-level tests that directly fulfills the acceptance criteria of issue #416. All routes are covered with appropriate auth guards, error handling tests, and query parameter validations. The intentional lack of auth on certain routes is clearly documented inline. CI passes. No production code was modified.
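
An added example (not code from this PR or repository) of the guard that both the PR description and the review mention, that unauthorized requests must not reach Prisma: a handler that queries before checking the token still answers 401, so only the call-count assertion catches it. The handlers, request shape and spy database are hypothetical simplifications; the real routes are async Next.js handlers tested with Vitest mocks.

```typescript
// Added illustration: handler names, request shape and spy are hypothetical.
const TEST_TOKEN = "test-agent-token"; // placeholder string quoted in the review
type FakeReq = { headers: Record<string, string> };
type FakeRes = { status: number; body: unknown };
type SpyDb = { calls: string[]; findMany(model: string): string[] };
type RouteHandler = (req: FakeReq, db: SpyDb) => FakeRes;

// Stand-in for a mocked Prisma client: records every call it receives.
function makeSpyDb(): SpyDb {
  const calls: string[] = [];
  const findMany = (model: string): string[] => {
    calls.push(`findMany:${model}`);
    return ["row-1", "row-2"]; // constructed sample rows
  };
  return { calls, findMany };
}

function isAuthorized(req: FakeReq): boolean {
  return req.headers["authorization"] === `Bearer ${TEST_TOKEN}`;
}

// Guard first: nothing touches the database before the token check passes.
function guardedHandler(req: FakeReq, db: SpyDb): FakeRes {
  if (!isAuthorized(req)) return { status: 401, body: { error: "Unauthorized" } };
  return { status: 200, body: { items: db.findMany("queueItem") } };
}

// Defect: the query runs before the check, yet the response is still 401.
function queryFirstHandler(req: FakeReq, db: SpyDb): FakeRes {
  const items = db.findMany("queueItem");
  if (!isAuthorized(req)) return { status: 401, body: { error: "Unauthorized" } };
  return { status: 200, body: { items } };
}
// Runs one request against a fresh spy; reports status and DB call count.
function probe(handler: RouteHandler, headers: Record<string, string>) {
  const db = makeSpyDb();
  const res = handler({ headers }, db);
  return { status: res.status, dbCalls: db.calls.length };
}
// Constructed requests: missing header, wrong token, wrong scheme.
const REJECTED: Record<string, string>[] = [
  {}, { authorization: "Bearer wrong-token" }, { authorization: `Basic ${TEST_TOKEN}` },
];

// True only if every rejected request gets 401 and never reaches the database.
function passesAuthGuard(handler: RouteHandler): boolean {
  const results = REJECTED.map((h) => probe(handler, h));
  return results.every((r) => r.status === 401 && r.dbCalls === 0);
}
```

A status-only assertion accepts both handlers; `passesAuthGuard` rejects `queryFirstHandler` because its spy records a call on every rejected request.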

@joryirving joryirving enabled auto-merge (squash) June 18, 2026 04:09
@joryirving joryirving merged commit 625efe1 into main Jun 18, 2026
3 checks passed
@joryirving joryirving deleted the test/route-coverage-data-access branch June 18, 2026 04:12

Development

Successfully merging this pull request may close these issues.

Add co-located route.test.ts for the 17 routes currently uncovered, prioritized by data-leak risk (/api/audit, /api/auto
