
feat: add test-coverage-improver agentic workflow#344

Merged
Mossaka merged 3 commits into main from copilot/implement-test-coverage-workflow on Jan 18, 2026

Conversation

Contributor

Copilot AI commented Jan 18, 2026

Weekly agentic workflow to analyze test coverage and create PRs with tests for under-tested security-critical code paths (iptables, Squid ACL, container security, domain validation).

Changes

  • Workflow configuration (.github/workflows/test-coverage-improver.md)

    • Weekly schedule + manual workflow_dispatch trigger
    • skip-if-match to prevent duplicate PRs when one is already open
    • Read-only permissions with safe-outputs for draft PR creation
    • Explicit bash command patterns for security (npm, cat, ls, head, tail)
  • Phased approach in prompt

    • Phase 0: Check for existing open PRs
    • Phase 1: Run npm run test:coverage, analyze gaps
    • Phase 2: Prioritize security-critical modules (docker-manager, cli, host-iptables)
    • Phase 3: Write tests following existing patterns with mocks
    • Phase 4: Validate all tests pass, submit PR with before/after metrics

Key Files

File                     Coverage   Priority
src/docker-manager.ts    <20%       High
src/cli.ts               0%         High
src/host-iptables.ts     ~84%       Medium

Target: +2-5% coverage per weekly PR, reaching 85%+ overall within 3 months.

Original prompt

This section details the original issue you should resolve

<issue_title>[plan] Implement Test Coverage Improver workflow</issue_title>
<issue_description>
Objective

Create a weekly workflow that analyzes test coverage, identifies under-tested code paths (especially security-critical areas), and creates PRs with additional tests.

Context

Current test coverage is 75-80% (per COVERAGE_SUMMARY.md). As a security-critical firewall tool, untested code paths represent potential security vulnerabilities. We need comprehensive test coverage, especially for:

  • iptables manipulation (NET_ADMIN capability usage)
  • Squid ACL rule generation and domain pattern validation
  • Container security (capability dropping, seccomp profiles)
  • Domain validation and pattern matching

Approach

  1. Create workflow file: .github/workflows/test-coverage-improver.md
  2. Configure triggers:
    • Weekly schedule
    • Manual workflow_dispatch
  3. Analyze current coverage:
    • Run npm run test:coverage to generate coverage report
    • Parse coverage data to identify under-tested files
    • Focus on security-critical modules (see priority areas below)
  4. Identify test gaps:
    • Functions with <80% branch coverage
    • Error handling paths not covered
    • Edge cases in domain pattern validation
    • iptables rule failure scenarios
  5. Create PR with tests:
    • ONE PR per week (max: 1)
    • Focus on highest-impact security-critical code
    • Include unit tests and integration tests as appropriate
    • Ensure new tests pass in CI

Files to Create/Modify

Priority Areas (Security-Critical)

  1. iptables management

    • src/host-iptables.ts - Host iptables rule manipulation
    • containers/agent/setup-iptables.sh - Container iptables setup
    • Focus: Rule validation, error handling, cleanup
  2. Squid configuration

    • src/squid-config.ts - ACL rules, domain patterns
    • Focus: Domain pattern edge cases, wildcard handling, malicious input
  3. Container security

    • src/docker-manager.ts - Capability dropping, seccomp
    • Focus: Capability verification, privilege escalation prevention
  4. Domain validation

    • src/domain-patterns.ts - Wildcard patterns, protocol handling
    • Focus: Pattern matching edge cases, injection prevention

Test Requirements

  • Unit tests for security-critical functions (isolation)
  • Integration tests for Docker/networking interactions
  • Edge cases: empty inputs, malformed data, injection attempts
  • Error handling: iptables failures, network conflicts, container crashes
  • Security verification: capability dropping, privilege checks

Acceptance Criteria

  • Workflow runs weekly at scheduled time
  • Generates coverage report and identifies gaps
  • Prioritizes security-critical code paths
  • Creates ONE PR per run with additional tests
  • All new tests pass in CI
  • Coverage improvement: +2-5% per PR
  • Completes within 20 minutes timeout

Success Metrics

AI generated by Plan Command for discussion #328

Comments on the Issue (you are @copilot in this section)

Custom agent used: create-agentic-workflow
Design agentic workflows using GitHub Agentic Workflows (gh-aw) extension with interactive guidance on triggers, tools, and security best practices.
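Phases 1 and 2 of the prompt (generate the coverage report, then prioritise the security-critical modules) can be scripted against the `coverage-summary.json` that Istanbul's `json-summary` reporter writes. The block below is an added example, not code from this PR or the repository: the summary format is assumed, the sample data is constructed to mirror the Key Files table, and the priority weights are my own.

```typescript
// Added example: rank under-tested files from an Istanbul-style coverage-summary.json,
// weighting the security-critical modules named in the PR description.
// Sample data is constructed; real input comes from `npm run test:coverage` (json-summary reporter assumed).

type Metric = { total: number; covered: number; skipped: number; pct: number };
type FileSummary = { lines: Metric; statements: Metric; functions: Metric; branches: Metric };
type CoverageSummary = Record<string, FileSummary>; // key "total" plus one entry per file

// Priority areas from the issue; the weight says how strongly a file is preferred (my choice).
const SECURITY_CRITICAL: Record<string, number> = {
  "src/docker-manager.ts": 3,
  "src/cli.ts": 3,
  "src/host-iptables.ts": 2,
  "src/squid-config.ts": 2,
  "src/domain-patterns.ts": 2,
};

type Gap = { file: string; branchPct: number; linePct: number; score: number };

/** Files below the branch-coverage threshold ("<80% branch coverage" in the issue), highest priority first. */
function rankGaps(summary: CoverageSummary, branchThreshold = 80): Gap[] {
  const gaps: Gap[] = [];
  for (const [path, s] of Object.entries(summary)) {
    if (path === "total" || s.branches.pct >= branchThreshold) continue;
    const rel = path.replace(/^.*\/(src\/)/, "$1"); // absolute path -> repo-relative
    const weight = SECURITY_CRITICAL[rel] ?? 1;
    const score = (branchThreshold - s.branches.pct) * weight; // shortfall x priority
    gaps.push({ file: rel, branchPct: s.branches.pct, linePct: s.lines.pct, score });
  }
  return gaps.sort((a, b) => b.score - a.score || a.file.localeCompare(b.file));
}

const metric = (pct: number): Metric => ({ total: 100, covered: Math.round(pct), skipped: 0, pct });
const entry = (lines: number, branches: number): FileSummary =>
  ({ lines: metric(lines), statements: metric(lines), functions: metric(lines), branches: metric(branches) });

// Constructed sample mirroring the Key Files table (plus one non-critical file for contrast).
const SAMPLE: CoverageSummary = {
  total: entry(77.88, 71),
  "/repo/src/docker-manager.ts": entry(18, 12),
  "/repo/src/cli.ts": entry(0, 0),
  "/repo/src/host-iptables.ts": entry(84, 70),
  "/repo/src/utils.ts": entry(60, 50),
  "/repo/src/squid-config.ts": entry(95, 92),
};

for (const g of rankGaps(SAMPLE)) {
  console.log(`${g.file}: branches ${g.branchPct}% (score ${g.score})`);
}
```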


Copilot AI and others added 2 commits January 18, 2026 01:51
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Copilot AI changed the title [WIP] Implement test coverage improver workflow feat: add test-coverage-improver agentic workflow Jan 18, 2026
Copilot AI requested a review from Mossaka January 18, 2026 01:55
@Mossaka Mossaka marked this pull request as ready for review January 18, 2026 02:12
@github-actions

✅ Coverage Check Passed

Overall Coverage

Metric       Base      PR        Delta
Lines        77.88%    77.88%    +0.00%
Statements   77.94%    77.94%    +0.00%
Functions    77.29%    77.29%    +0.00%
Branches     71.00%    71.00%    +0.00%

Coverage comparison generated by scripts/ci/compare-coverage.ts

comment_repo: ""
steps:
- name: Setup Scripts
  uses: githubnext/gh-aw/actions/setup@v0.36.0

Check warning

Code scanning / CodeQL

Unpinned tag for a non-immutable Action in workflow (Medium test)

Unpinned 3rd party Action: 'Weekly Test Coverage Improver' step "Uses Step" uses 'githubnext/gh-aw/actions/setup' with ref 'v0.36.0', not a pinned commit hash.
The same CodeQL warning (Unpinned tag for a non-immutable Action in workflow, Medium test) is raised for the identical Setup Scripts step in five further jobs of the workflow, at the step immediately following each of these lines:

output_types: ${{ steps.collect_output.outputs.output_types }}
total_count: ${{ steps.missing_tool.outputs.total_count }}
success: ${{ steps.parse_results.outputs.success }}
activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_skip_if_match.outputs.skip_check_ok == 'true') }}
process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }}

Each of those jobs repeats:

steps:
- name: Setup Scripts
  uses: githubnext/gh-aw/actions/setup@v0.36.0

with the message: Unpinned 3rd party Action: 'Weekly Test Coverage Improver' step "Uses Step" uses 'githubnext/gh-aw/actions/setup' with ref 'v0.36.0', not a pinned commit hash.
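A local pre-merge check for the CodeQL finding above, added here as an example (not part of this PR or of the gh-aw project): it scans a workflow's `uses:` lines and reports every reference whose ref is a tag or branch rather than a full 40-hex commit SHA. The sample workflow text is constructed from the flagged step; the checkout SHA in it is a placeholder, not a real commit.

```typescript
// Added example: find `uses:` references in a GitHub Actions workflow that are not pinned
// to a full commit SHA, the condition the CodeQL alert on this PR reports.
// Line-based scan (no YAML parser needed for this check); sample text is constructed.

type UsesRef = { line: number; action: string; ref: string | null; pinned: boolean; reason: string };

const SHA40 = /^[0-9a-f]{40}$/i;

function classify(line: number, spec: string): UsesRef {
  if (spec.startsWith("./")) return { line, action: spec, ref: null, pinned: true, reason: "local action" };
  if (spec.startsWith("docker://")) return { line, action: spec, ref: null, pinned: true, reason: "docker image (verify digest separately)" };
  const at = spec.lastIndexOf("@");
  if (at < 0) return { line, action: spec, ref: null, pinned: false, reason: "no ref at all" };
  const action = spec.slice(0, at);
  const ref = spec.slice(at + 1);
  if (SHA40.test(ref)) return { line, action, ref, pinned: true, reason: "full commit SHA" };
  return { line, action, ref, pinned: false, reason: "mutable tag or branch" };
}

/** Every `uses:` reference in the workflow text, with its pin status and 1-based line number. */
function scanWorkflow(yaml: string): UsesRef[] {
  const out: UsesRef[] = [];
  yaml.split("\n").forEach((raw, i) => {
    // Accept "uses: x", "- uses: x" and quoted forms; stop at whitespace or a trailing comment.
    const m = raw.match(/^\s*-?\s*uses:\s*["']?([^"'#\s]+)["']?/);
    if (m && m[1]) out.push(classify(i + 1, m[1]));
  });
  return out;
}

function unpinned(yaml: string): UsesRef[] {
  return scanWorkflow(yaml).filter((u) => !u.pinned);
}

// Constructed sample: the step CodeQL flagged, a SHA-pinned step (placeholder SHA) and a local action.
const SAMPLE_WORKFLOW = `
steps:
  - name: Setup Scripts
    uses: githubnext/gh-aw/actions/setup@v0.36.0
  - name: Checkout
    uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
  - name: Local helper
    uses: ./.github/actions/helper
`;

for (const u of unpinned(SAMPLE_WORKFLOW)) {
  console.log(`line ${u.line}: ${u.action}@${u.ref ?? ""} is not pinned (${u.reason})`);
}
```

Run against the compiled workflow file, a non-empty result is the same condition CodeQL reported; pinning to a SHA and keeping the tag as a trailing comment is the usual remediation.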
@Mossaka Mossaka merged commit bf7f46c into main Jan 18, 2026
38 checks passed
@Mossaka Mossaka deleted the copilot/implement-test-coverage-workflow branch January 18, 2026 03:32

Development

Successfully merging this pull request may close these issues.

[plan] Implement Test Coverage Improver workflow

2 participants