From 4139fa1fa9380c179af396168cec613c69c6bebf Mon Sep 17 00:00:00 2001 From: "Molecule AI Dev Engineer A (Kimi)" Date: Fri, 19 Jun 2026 00:35:40 +0000 Subject: [PATCH 1/2] test(secrets): cover compileAll and ScanBytes compile-error paths MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Issue #1269. PR #1255 left two unreachable code paths uncovered: - compileAll error when a pattern regex is invalid. - ScanBytes returning the compile error instead of a Match. Add TestCompileError and TestScanBytes_CompileErr. Both mutate the package-level Patterns slice to inject an invalid regex, reset compiledOnce/compileErr, and restore the original state after the test so later tests see the canonical pattern set. Fixes #1269 🤖 Generated with [Claude Code](https://claude.com/claude-code) --- .../internal/secrets/patterns_test.go | 71 +++++++++++++++++++ 1 file changed, 71 insertions(+) diff --git a/workspace-server/internal/secrets/patterns_test.go b/workspace-server/internal/secrets/patterns_test.go index 47a6bd0b..023ee53e 100644 --- a/workspace-server/internal/secrets/patterns_test.go +++ b/workspace-server/internal/secrets/patterns_test.go @@ -2,6 +2,7 @@ package secrets import ( "strings" + "sync" "testing" ) @@ -187,3 +188,73 @@ func TestMatch_NoRoundtrip(t *testing.T) { // The two-field shape is part of the public contract; new fields // require deliberation about whether they leak the secret value. } + +// resetPatternState snapshots the package-level pattern state and returns a +// cleanup function that restores it. Tests that intentionally corrupt +// Patterns to exercise compile-failure paths must restore the canonical state +// so later tests don't see the corrupted slice / stuck compileErr. +func resetPatternState(t *testing.T) (cleanup func()) { + t.Helper() + origPatterns := make([]Pattern, len(Patterns)) + copy(origPatterns, Patterns) + origCompiledPatterns := compiledPatterns + origCompileErr := compileErr + return func() { + Patterns = origPatterns + compiledPatterns = origCompiledPatterns + compileErr = origCompileErr + compiledOnce = sync.Once{} + } +} + +// TestCompileError exercises the compileAll error path when a pattern regex +// is invalid. This is intentionally unreachable in production (a build bug), +// but the error path must be covered. +func TestCompileError(t *testing.T) { + cleanup := resetPatternState(t) + defer cleanup() + + Patterns = []Pattern{{ + Name: "bad-pattern", + Description: "invalid regex for testing", + regexSource: `(`, // unbalanced paren + }} + compiledOnce = sync.Once{} + compiledPatterns = nil + compileErr = nil + + compileAll() + if compileErr == nil { + t.Fatal("compileAll expected compile error for invalid regex, got nil") + } + if !strings.Contains(compileErr.Error(), "bad-pattern") { + t.Errorf("compileErr should mention pattern name, got: %v", compileErr) + } +} + +// TestScanBytes_CompileErr exercises ScanBytes returning the compile error +// when Patterns contains an invalid regex. +func TestScanBytes_CompileErr(t *testing.T) { + cleanup := resetPatternState(t) + defer cleanup() + + Patterns = []Pattern{{ + Name: "another-bad-pattern", + Description: "invalid regex for testing", + regexSource: `[`, // unclosed character class + }} + compiledOnce = sync.Once{} + compiledPatterns = nil + compileErr = nil + + m, err := ScanBytes([]byte("anything")) + if err == nil { + t.Fatal("ScanBytes expected compile error, got nil") + } + if m != nil { + t.Errorf("ScanBytes should return nil Match on compile error, got %+v", m) + } + if !strings.Contains(err.Error(), "another-bad-pattern") { + t.Errorf("error should mention pattern name, got: %v", err) + } +} -- 2.52.0 From d6a1423e5e88e4801b409dcfe03dc77611e9d71b Mon Sep 17 00:00:00 2001 From: "Molecule AI Dev Engineer A (Kimi)" Date: Fri, 19 Jun 2026 00:46:12 +0000 Subject: [PATCH 2/2] test(secrets): cover ScanString compile-error path --- .../internal/secrets/patterns_test.go | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/workspace-server/internal/secrets/patterns_test.go b/workspace-server/internal/secrets/patterns_test.go index 023ee53e..0cc0a20f 100644 --- a/workspace-server/internal/secrets/patterns_test.go +++ b/workspace-server/internal/secrets/patterns_test.go @@ -258,3 +258,31 @@ func TestScanBytes_CompileErr(t *testing.T) { t.Errorf("error should mention pattern name, got: %v", err) } } + +// TestScanString_CompileErr exercises ScanString returning the compile error +// when Patterns contains an invalid regex. ScanString is the zero-copy wrapper +// around ScanBytes, so this confirms the error path propagates through it. +func TestScanString_CompileErr(t *testing.T) { + cleanup := resetPatternState(t) + defer cleanup() + + Patterns = []Pattern{{ + Name: "string-bad-pattern", + Description: "invalid regex for testing", + regexSource: `(?`, // invalid regex syntax + }} + compiledOnce = sync.Once{} + compiledPatterns = nil + compileErr = nil + + m, err := ScanString("anything") + if err == nil { + t.Fatal("ScanString expected compile error, got nil") + } + if m != nil { + t.Errorf("ScanString should return nil Match on compile error, got %+v", m) + } + if !strings.Contains(err.Error(), "string-bad-pattern") { + t.Errorf("error should mention pattern name, got: %v", err) + } +} -- 2.52.0