forked from molecule-ai/molecule-core
f536768d02
First run of the gate found 14 security-critical files at 0% coverage — exactly the debt the user's audit flagged. Rather than block this PR on fixing all 14 (scope creep), acknowledge them in .coverage-allowlist.txt with 30-day expiry + #1823 reference. Regex bug: `go tool cover -func` emits `file.go:LINE:TAB...` (single colon after line, no column on some Go versions). My original `:[0-9]+\..*` required a period after the line number, which never matched, so file names kept their `:LINE:` suffix. Fixed to `:[0-9][0-9.]*:.*` which accepts both `:LINE:` and `:LINE.COL:` formats. Allowlist pattern: paths in `.coverage-allowlist.txt` warn (not fail), new critical-path files at <10% coverage fail. This makes the gate land cleanly AND keeps the teeth for regressions. Allowlisted files (all tracked under #1823, expire 2026-05-23): Tight-match critical paths: - internal/handlers/a2a_proxy.go - internal/handlers/a2a_proxy_helpers.go - internal/handlers/registry.go - internal/handlers/secrets.go - internal/handlers/tokens.go - internal/handlers/workspace_provision.go - internal/middleware/wsauth_middleware.go Looser substring matches (flagged because my CRITICAL_PATHS entries use contains-match; follow-up PR to use exact prefix match): - internal/channels/registry.go - internal/crypto/aes.go - internal/registry/*.go (access, healthsweep, hibernation, provisiontimeout) - internal/wsauth/tokens.go Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| auto-promote-staging.yml | ||
| canary-staging.yml | ||
| canary-verify.yml | ||
| ci.yml | ||
| codeql.yml | ||
| e2e-api.yml | ||
| e2e-staging-canvas.yml | ||
| e2e-staging-saas.yml | ||
| e2e-staging-sanity.yml | ||
| promote-latest.yml | ||
| publish-canvas-image.yml | ||
| publish-workspace-server-image.yml | ||