[Test Coverage] test: improve config-file.ts coverage from 55% to 99%

[github-actions]

Summary

Comprehensive test coverage improvements for src/config-file.ts, a security-relevant module that handles loading and validating AWF configuration files.

Coverage Improvement

Metric	Before	After	Change
config-file.ts statements	55.44%	99.48%	+43.94%
config-file.ts branches	47.75%	99.59%	+51.84%
Overall statements	83.45%	85.65%	+2.20%
Overall branches	74.72%	79.91%	+5.19%

Security-Critical Paths Now Covered

Input Validation (validateAwfFileConfig)

• Non-object config root rejection (null, arrays, primitives)
• All invalid field types across every section:
  • network: non-string upstreamProxy, non-array blockDomains/dnsServers
  • apiProxy: non-boolean enabled, non-object targets, non-object/non-string provider fields
  • security: all boolean fields, allowHostPorts/allowHostServicePorts string-or-array validation, difcProxy object validation — critical for DIFC proxy injection prevention
  • container: all type checks including agentTimeout positive-integer validation (0, negative, float, string all rejected)
  • environment: excludeEnv string-array validation
  • logging: invalid logLevel values (only debug/info/warn/error accepted)
  • rateLimiting: all numeric field positive-integer validation
• Unknown key detection at all nesting levels

Config Loading (loadAwfFileConfig)

• YAML file loading (.yml extension)
• stdin YAML fallback when JSON parse fails
• Extensionless file: JSON first, YAML fallback
• Parse error messages include file path or "stdin"
• Validation error messages include file path or "stdin"

CLI Option Mapping (mapAwfFileConfigToCliOptions)

• All fields including security, container, environment, logging, rateLimiting
• Empty array returns undefined (prevents overriding defaults with empty string)
• allowHostPorts array → comma-joined string

Precedence Logic (applyConfigOptionsInPlaceWithCliPrecedence)

• All-apply when no CLI flags provided
• undefined values in config are skipped (don't null out existing options)
• Overwrite when key exists but CLI didn't provide it explicitly

Tests Added

79 new test cases in src/config-file.test.ts.

No Existing Tests Modified

All 1611 previously passing tests continue to pass. The 2 pre-existing failures in src/docker-manager.test.ts are unrelated network/permission issues in the test environment.

Generated by Weekly Test Coverage Improver · ● 1.6M · ◷

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	84.31%	85.83%	📈 +1.52%
Statements	83.55%	85.84%	📈 +2.29%
Functions	87.46%	88.04%	📈 +0.58%
Branches	74.72%	79.95%	📈 +5.23%

📁 Per-file Coverage Changes (2 files)

File	Lines (Before → After)	Statements (Before → After)
src/docker-manager.ts	86.8% → 87.1% (+0.30%)	86.4% → 86.7% (+0.29%)
src/config-file.ts	65.3% → 100.0% (+34.65%)	55.4% → 99.5% (+44.04%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[Copilot]

Pull request overview

This PR significantly increases automated test coverage for the security-relevant AWF config loader/validator (src/config-file.ts) by adding many new unit tests covering validation, parsing, mapping, and precedence behavior.

Changes:

• Expand validateAwfFileConfig test coverage across all sections (network/apiProxy/security/container/environment/logging/rateLimiting), including unknown-key and type-validation paths.
• Add loadAwfFileConfig tests for .yml support, stdin YAML fallback, extensionless JSON→YAML fallback, and parse/validation error messaging.
• Add broader mapAwfFileConfigToCliOptions and applyConfigOptionsInPlaceWithCliPrecedence tests to cover optional-field behavior and CLI precedence rules.

Show a summary per file

File	Description
src/config-file.test.ts	Adds comprehensive unit tests to drive coverage of config validation, loading/parsing, CLI mapping, and precedence logic.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 1/1 changed files
• Comments generated: 1

[github-actions]

🔥 Smoke Test Results

Test	Result
GitHub MCP (list merged PRs)	✅
GitHub.com connectivity (HTTP 200)	✅
File write/read	✅

Overall: PASS

PR by @app/github-actions · No assignees.

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

🔥 Smoke Test: Copilot BYOK (Offline) Mode

Test	Result
GitHub MCP (list PRs)	✅ "Allow chatgpt.com in Codex smoke workflow AWF domain allowlist"
GitHub.com connectivity	✅ HTTP 200/301
File write/read	✅ smoke-test-copilot-byok-24672401865.txt confirmed
BYOK inference	✅ Response received

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com

Overall: PASS · PR by @app/github-actions · No assignees

🔑 BYOK report filed by Smoke Copilot BYOK

[github-actions]

Smoke Test Results ✅

Last 2 merged PRs:

• Allow chatgpt.com in Codex smoke workflow AWF domain allowlist #2102: Allow chatgpt.com in Codex smoke workflow AWF domain allowlist
• [docs] docs: update --image-tag CLI reference for digest-aware format #2095: [docs] docs: update --image-tag CLI reference for digest-aware format

Test Results:

• ✅ GitHub MCP: Merged PR list retrieved
• ✅ Playwright: GitHub page navigated, title verified
• ✅ File Write: Smoke test file created successfully
• ✅ Bash: File read and verified

Overall: PASS

💥 [THE END] — Illustrated by Smoke Claude

[github-actions]

Chroot Version Comparison Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.13	Python 3.12.3	❌ NO
Node.js	v24.14.1	v20.20.2	❌ NO
Go	go1.22.12	go1.22.12	✅ YES

Result: ❌ Not all tests passed — Python and Node.js versions differ between host and chroot environments.

Tested by Smoke Chroot

[github-actions]

Smoke Test: GitHub Actions Services Connectivity ✅

All checks passed:

Check	Result
Redis PING at host.docker.internal:6379	✅ PONG
PostgreSQL pg_isready at host.docker.internal:5432	✅ accepting connections
PostgreSQL SELECT 1 on smoketest DB as postgres	✅ returned 1

🔌 Service connectivity validated by Smoke Services

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	passed	✅ PASS
Go	env	✅	passed	✅ PASS
Go	uuid	✅	passed	✅ PASS
Java	gson	❌	N/A	❌ FAIL
Java	caffeine	❌	N/A	❌ FAIL
Node.js	clsx	✅	passed	✅ PASS
Node.js	execa	✅	passed	✅ PASS
Node.js	p-limit	✅	passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 7/8 ecosystems passed — ❌ FAIL

---

❌ Failure Details

Java — gson & caffeine: Maven failed to download plugins from Maven Central. The network is unreachable from within this environment for Maven dependency resolution.

[ERROR] Plugin org.apache.maven.plugins:maven-resources-plugin:3.4.0 or one of its dependencies could not be resolved:
[ERROR]   Could not transfer artifact ... from/to central (https://repo.maven.apache.org/maven2): Network is unreachable

Note: The /home/runner/.m2 directory is owned by root, preventing creation of a local repository under the default path. Even after redirecting to /tmp/gh-aw/agent/m2-repo, the Maven Central network was unreachable, blocking all Maven compilation.

Generated by Build Test Suite for issue #2108 · ● 519.4K · ◷