[Test Coverage] test: improve pid-tracker branch coverage for edge cases

[github-actions]

Summary

Adds 7 new unit tests to src/pid-tracker.test.ts to cover previously uncovered branches in the pid-tracker.ts module.

Coverage Improvement

Before:

• Statements: 95.79%
• Branches: 71.42%
• Functions: 100%

After:

• Statements: 98.31% (+2.52%)
• Branches: 85.71% (+14.29%)
• Functions: 100%

Overall project branch coverage: 78.43% → 78.85% (+0.42%)

Security-Critical Paths Now Covered

The pid-tracker.ts module is used to track which process is making outbound network connections by scanning the /proc filesystem. Reliable edge-case handling is important for accurate audit logs in the firewall.

New Tests

1. parseNetTcp - skip empty lines in the middle of TCP table content (defensive against malformed /proc/net/tcp entries)
2. parseNetTcp - skip lines with fewer than 10 fields (defensive against truncated kernel output)
3. getProcessInfo - returns 'unknown' for cmdline when the cmdline file is missing (process race condition)
4. getProcessInfo - returns 'unknown' for comm when the comm file is missing (process race condition)
5. findProcessByInode - returns null when the proc directory doesn't exist (defensive, catch block)
6. findProcessByInode - returns 'unknown' cmdline when process owns socket but has no cmdline file
7. findProcessByInode - returns 'unknown' comm when process owns socket but has no comm file

Remaining Uncovered Lines

Lines 354 and 420 (outer catch blocks in trackPidForPort and trackPidForPortSync) are defensive code that's only reachable via unexpected runtime errors. These would require mocking pure functions to trigger and are deferred.

AI generated by Weekly Test Coverage Improver

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	86.05%	86.20%	📈 +0.15%
Statements	85.97%	86.20%	📈 +0.23%
Functions	86.13%	86.13%	➡️ +0.00%
Branches	79.21%	79.70%	📈 +0.49%

📁 Per-file Coverage Changes (2 files)

File	Lines (Before → After)	Statements (Before → After)
src/docker-manager.ts	87.4% → 87.9% (+0.49%)	86.8% → 87.2% (+0.46%)
src/pid-tracker.ts	97.3% → 98.2% (+0.89%)	95.8% → 98.3% (+2.52%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[Copilot]

Pull request overview

This pull request strengthens the unit-test suite for pid-tracker by adding coverage for additional edge cases encountered when parsing /proc/net/tcp and reading process metadata from a mocked /proc filesystem.

Changes:

• Add parseNetTcp tests to ensure empty lines and malformed rows are skipped safely.
• Add getProcessInfo tests for scenarios where cmdline or comm files are missing.
• Add findProcessByInode tests for missing /proc directories and missing cmdline/comm files on otherwise matching processes.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

Smoke test results for run 23208183337:

✅ GitHub MCP — PR #1332: "fix: fix awf-runner timeout detection and no-docker test timeouts" | PR #1331: "fix: route GHEC Copilot proxy to copilot-api subdomain"
✅ Playwright — github.com title contains "GitHub"
✅ File write — /tmp/gh-aw/agent/smoke-test-copilot-23208183337.txt created and verified
✅ Bash — file read back successfully

Overall: PASS — @Mossaka (assignees: @lpcox, @Copilot)

📰 BREAKING: Report filed by Smoke Copilot for issue #1334

[github-actions]

Smoke Test Results

• ✅ GitHub MCP: [Deps] Safe dependency updates (2026-03-14) / [Deps] Safe dependency updates (2026-03-15)
• ✅ Playwright: github.com title contains "GitHub"
• ✅ File Write: /tmp/gh-aw/agent/smoke-test-claude-23208183265.txt created
• ✅ Bash Tool: File contents verified

Overall: PASS

💥 [THE END] — Illustrated by Smoke Claude for issue #1334

[github-actions]

🔮 The ancient spirits stir; the smoke sigils are read.
PR titles:

• fix: route GHEC Copilot proxy to copilot-api subdomain
• fix: fix awf-runner timeout detection and no-docker test timeouts

1. GitHub MCP merged PR review: ✅
2. safeinputs-gh PR query (required tool): ❌
3. Playwright title contains "GitHub": ✅ | 4) Tavily search: ❌
4. File write: ✅ | 6) Bash cat verify: ✅
5. Discussion interaction via github-discussion-query: ❌ | 8) npm ci && npm run build: ✅
   Overall status: FAIL

🔮 The oracle has spoken through Smoke Codex

Warning

⚠️ Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

• ab.chatgpt.com
• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "ab.chatgpt.com"
    - "registry.npmjs.org"

See Network Configuration for more information.

[github-actions]

🏗️ Build Test Suite Results

⚠️ ALL_CLONES_FAILED: gh CLI is not authenticated in this environment (GH_TOKEN not set). Unable to clone any test repositories.

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	❌ CLONE_FAILED	N/A	❌ FAIL
Bun	hono	❌ CLONE_FAILED	N/A	❌ FAIL
C++	fmt	❌ CLONE_FAILED	N/A	❌ FAIL
C++	json	❌ CLONE_FAILED	N/A	❌ FAIL
Deno	oak	❌ CLONE_FAILED	N/A	❌ FAIL
Deno	std	❌ CLONE_FAILED	N/A	❌ FAIL
.NET	hello-world	❌ CLONE_FAILED	N/A	❌ FAIL
.NET	json-parse	❌ CLONE_FAILED	N/A	❌ FAIL
Go	color	❌ CLONE_FAILED	N/A	❌ FAIL
Go	env	❌ CLONE_FAILED	N/A	❌ FAIL
Go	uuid	❌ CLONE_FAILED	N/A	❌ FAIL
Java	gson	❌ CLONE_FAILED	N/A	❌ FAIL
Java	caffeine	❌ CLONE_FAILED	N/A	❌ FAIL
Node.js	clsx	❌ CLONE_FAILED	N/A	❌ FAIL
Node.js	execa	❌ CLONE_FAILED	N/A	❌ FAIL
Node.js	p-limit	❌ CLONE_FAILED	N/A	❌ FAIL
Rust	fd	❌ CLONE_FAILED	N/A	❌ FAIL
Rust	zoxide	❌ CLONE_FAILED	N/A	❌ FAIL

Overall: 0/8 ecosystems passed — ❌ FAIL

Error Details

All repository clones failed with:

gh: To use GitHub CLI in a GitHub Actions workflow, set the GH_TOKEN environment variable.

The GH_TOKEN environment variable is not available in this workflow run. All 8 test repositories (gh-aw-firewall-test-{bun,cpp,deno,dotnet,go,java,node,rust}) could not be cloned.

Generated by Build Test Suite for issue #1334 · ◷

[github-actions]

Chroot Version Comparison Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.13	Python 3.12.3	❌ NO
Node.js	v24.14.0	v20.20.1	❌ NO
Go	go1.22.12	go1.22.12	✅ YES

Result: ⚠️ Not all versions match. Go matches, but Python and Node.js differ between host and chroot environments.

Tested by Smoke Chroot for issue #1334