test(coverage): slack/policies-id/webhooks-id/scan-GET routes + repo-bundle/policy-service lib#87
Merged
Conversation
… repo-bundle/policy-service lib Closes residual HIGH route-handler + MED lib gaps after #86: 36 tests across 6 targets, each asserting success + every failure/edge branch (12 security/ validation guard mutations killed). Per-file coverage thresholds added. Refs: tc-audit-2026-06-27 (depsight test-coverage umbrella) Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
5 tasks
LanNguyenSi
added a commit
that referenced
this pull request
Jun 30, 2026
…p gates (#88) * test(coverage): cover remaining 18 API route handlers + per-file gates Adds unit tests for every previously-untested app/api route handler, closing the depsight route-handler HIGH/MED surface after #86/#87: dependabot trio, ci/sync, repos/sync, pr-scan, export, sbom, me, health, deps, license, ci/analytics/[repoId], ci/analytics/cross-repo, history, overview, policies/evaluate, repos. 117 new tests (411 -> 528 suite). Each route covers all auth/ownership/IDOR/validation/error branches with value-level assertions (exact prisma where clauses incl userId, exact status + body). Per-file coverage thresholds added (S/F/L 95, branch floors ~5-8 below measured), negative-control verified. Refs: tc-audit-2026-06-27 * test(coverage): fold reviewer findings: assert ownership/IDOR boundaries Adversarial mutation-verify (34 mutations, 30 killed, 4 survived) found inert ownership assertions; this folds the fixes (each re-mutation-killed independently): - dependabot/check: assert prisma.repo.findMany is scoped to { userId, tracked:true }; removing userId was a cross-tenant IDOR that 100% line coverage masked (HIGH). - export: assert the primary loadRepoExportData(userId, repoId) call on the happy path (MED). - ci/analytics/[repoId]: mock owned repo.id distinct from the path param and assert analytics keyed on the ownership-verified id, not the raw param (LOW). Refs: tc-audit-2026-06-27 --------- Co-authored-by: Lan Nguyen Si <nguyen-si@publicplan.de>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Closes the highest-risk residual test-coverage gaps in depsight after #86 (which covered safe-fetch, the tokens routes, webhooks/policies route exemplars, and the CI coverage ratchet). Adds 36 vitest tests across 6 previously-untested targets, plus per-file coverage thresholds.
Covered
Each target asserts the success path AND every failure/edge branch; the guard mutations were independently killed by a reviewer.
Verification
npm run test:coverageis green with the new per-file thresholds enforced, negative-control verified (each floor raised above measured produced a hard build failure, then restored).tsc --noEmit: clean.Deferred to follow-up
This batch is the high-security-density subset. Still untested, tracked by the depsight test-coverage umbrella and a follow-up task: dependabot/* routes, ci/analytics routes and lib modules, the export/route 5-branch flow, ci/sync and ci/ingest, the pr-scan/repos-sync/deps/license/sbom/history/me/overview routes, lib/cron/auto-scan, lib/pr/pr-scanner, lib/github, the mcp tool handlers, the mint-api-token CLI, and the prisma DB layer in lib/export/repo-bundle.ts (loadRepoExportData IDOR plus the scan loaders, out of this PR's pure-function scope).
Refs: tc-audit-2026-06-27 (depsight test-coverage umbrella)