molecule-core/.coverage-allowlist.txt
rabbitblood f536768d02 ci: fix regex + add coverage allowlist (14 known 0% critical paths)
First run of the gate found 14 security-critical files at 0% coverage —
exactly the debt the user's audit flagged. Rather than block this PR on
fixing all 14 (scope creep), acknowledge them in .coverage-allowlist.txt
with 30-day expiry + #1823 reference.

Regex bug: `go tool cover -func` emits `file.go:LINE:TAB...` (single colon
after line, no column on some Go versions). My original `:[0-9]+\..*`
required a period after the line number, which never matched, so file
names kept their `:LINE:` suffix. Fixed to `:[0-9][0-9.]*:.*` which
accepts both `:LINE:` and `:LINE.COL:` formats.

Allowlist pattern: paths in `.coverage-allowlist.txt` warn (not fail),
new critical-path files at <10% coverage fail. This makes the gate land
cleanly AND keeps the teeth for regressions.

Allowlisted files (all tracked under #1823, expire 2026-05-23):

  Tight-match critical paths:
    - internal/handlers/a2a_proxy.go
    - internal/handlers/a2a_proxy_helpers.go
    - internal/handlers/registry.go
    - internal/handlers/secrets.go
    - internal/handlers/tokens.go
    - internal/handlers/workspace_provision.go
    - internal/middleware/wsauth_middleware.go

  Looser substring matches (flagged because my CRITICAL_PATHS entries use
  contains-match; follow-up PR to use exact prefix match):
    - internal/channels/registry.go
    - internal/crypto/aes.go
    - internal/registry/*.go (access, healthsweep, hibernation, provisiontimeout)
    - internal/wsauth/tokens.go

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-23 11:20:36 -07:00


# Coverage allowlist — security-critical files that are currently below
# the 10% per-file floor and are being tracked for remediation.
#
# Format: one path per line, relative to workspace-server/.
# Lines starting with # and blank lines are ignored.
#
# Process:
# - A path in this list is WARNED on each CI run, not failed.
# - Each entry must reference a tracking issue and expiry date.
# - On expiry, either the coverage is fixed OR the path graduates to
#   hard-fail (revert the allowlist entry).
#
# See #1823 for the gate design and ratchet plan.
# ============== Active exceptions ==============
# Filed 2026-04-23 — expiry 2026-05-23 (30 days). Tracking: #1823.
# These are the files flagged by the first run of the critical-path gate.
# QA team + platform team share ownership of test coverage remediation.
internal/handlers/a2a_proxy.go
internal/handlers/a2a_proxy_helpers.go
internal/handlers/registry.go
internal/handlers/secrets.go
internal/handlers/tokens.go
internal/handlers/workspace_provision.go
internal/middleware/wsauth_middleware.go
# The following paths matched via looser CRITICAL_PATH substrings
# (e.g. "registry" matched both internal/registry/ and internal/channels/registry.go).
# Adding them here so the gate can land without blocking staging merges;
# a follow-up PR will tighten CRITICAL_PATHS to exact prefixes so these
# graduate to hard-fail precisely where security-critical.
internal/channels/registry.go
internal/crypto/aes.go
internal/registry/access.go
internal/registry/healthsweep.go
internal/registry/hibernation.go
internal/registry/provisiontimeout.go
internal/wsauth/tokens.go
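
The gate behaviour described in the commit message and in this file's header, as an added example that is not the project's CI script: it strips the `:LINE:` / `:LINE.COL:` suffix with the fixed regex, aggregates per file, and warns or fails against the allowlist. It uses exact prefix matching (the follow-up the message mentions); `CRITICAL_PREFIXES`, `MODULE`, the unweighted per-function mean and the sample files `health.go` and `kdf.go` are assumptions.

```sh
# Added example, not the project's CI script. CRITICAL_PREFIXES, MODULE and the
# sample files health.go and kdf.go are hypothetical; FLOOR is the page's 10%.
FLOOR=10
CRITICAL_PREFIXES="internal/handlers/ internal/middleware/ internal/crypto/"
MODULE="example.test/workspace-server/"
# gate ALLOWLIST < `go tool cover -func` output. Prints "STATUS path pct" for
# each critical file and returns 1 if any is below FLOOR and not allowlisted.
gate() {
  awk -v allowfile="$1" -v floor="$FLOOR" -v prefixes="$CRITICAL_PREFIXES" \
      -v module="$MODULE" '
    BEGIN { np = split(prefixes, prefix, " ")
      # allowlist: one path per line; # comments and blank lines are ignored
      while ((getline line < allowfile) > 0)
        if (line !~ /^[ \t]*#/ && line !~ /^[ \t]*$/) allow[line] = 1
    }
    $1 != "total:" {
      file = $1
      sub(/:[0-9][0-9.]*:.*/, "", file)  # fixed regex: :LINE: and :LINE.COL:
      if (index(file, module) == 1) file = substr(file, length(module) + 1)
      pct = $NF; sub(/%$/, "", pct)
      if (!(file in count)) order[++files] = file
      sum[file] += pct; count[file]++
    }
    END {
      for (i = 1; i <= files; i++) {
        f = order[i]; critical = 0
        for (j = 1; j <= np; j++) if (index(f, prefix[j]) == 1) critical = 1
        if (!critical) continue
        mean = sum[f] / count[f]  # assumption: unweighted mean over functions
        status = (mean >= floor) ? "OK" : ((f in allow) ? "WARN" : "FAIL")
        if (status == "FAIL") failed = 1
        printf "%s %s %.1f\n", status, f, mean
      }
      exit failed + 0
    }'
}
demo() {  # constructed input: one allowlisted path, four files of cover output
  al=$(mktemp); printf '# tracked\ninternal/handlers/secrets.go\n' > "$al"
  gate "$al" <<EOF
${MODULE}internal/handlers/secrets.go:23: Get 0.0%
${MODULE}internal/handlers/secrets.go:41.2: Put 0.0%
${MODULE}internal/handlers/health.go:10: Ping 80.0%
${MODULE}internal/handlers/health.go:20: Pong 100.0%
${MODULE}internal/crypto/kdf.go:12: Derive 5.0%
${MODULE}internal/channels/registry.go:9: Add 0.0%
total: (statements) 31.2%
EOF
  rc=$?; rm -f "$al"; return "$rc"
}
demo || echo "gate: critical-path file below ${FLOOR}% and not allowlisted"
```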