molecule-core

History

rabbitblood f536768d02 ci: fix regex + add coverage allowlist (14 known 0% critical paths) First run of the gate found 14 security-critical files at 0% coverage — exactly the debt the user's audit flagged. Rather than block this PR on fixing all 14 (scope creep), acknowledge them in .coverage-allowlist.txt with 30-day expiry + #1823 reference. Regex bug: `go tool cover -func` emits `file.go:LINE:TAB...` (single colon after line, no column on some Go versions). My original `:[0-9]+\..` required a period after the line number, which never matched, so file names kept their `:LINE:` suffix. Fixed to `:[0-9][0-9.]:.` which accepts both `:LINE:` and `:LINE.COL:` formats. Allowlist pattern: paths in `.coverage-allowlist.txt` warn (not fail), new critical-path files at <10% coverage fail. This makes the gate land cleanly AND keeps the teeth for regressions. Allowlisted files (all tracked under #1823, expire 2026-05-23): Tight-match critical paths: - internal/handlers/a2a_proxy.go - internal/handlers/a2a_proxy_helpers.go - internal/handlers/registry.go - internal/handlers/secrets.go - internal/handlers/tokens.go - internal/handlers/workspace_provision.go - internal/middleware/wsauth_middleware.go Looser substring matches (flagged because my CRITICAL_PATHS entries use contains-match; follow-up PR to use exact prefix match): - internal/channels/registry.go - internal/crypto/aes.go - internal/registry/.go (access, healthsweep, hibernation, provisiontimeout) - internal/wsauth/tokens.go Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-23 11:20:36 -07:00
..
workflows	ci: fix regex + add coverage allowlist (14 known 0% critical paths)	2026-04-23 11:20:36 -07:00

rabbitblood f536768d02 ci: fix regex + add coverage allowlist (14 known 0% critical paths)

First run of the gate found 14 security-critical files at 0% coverage —
exactly the debt the user's audit flagged. Rather than block this PR on
fixing all 14 (scope creep), acknowledge them in .coverage-allowlist.txt
with 30-day expiry + #1823 reference.

Regex bug: `go tool cover -func` emits `file.go:LINE:TAB...` (single colon
after line, no column on some Go versions). My original `:[0-9]+\..*`
required a period after the line number, which never matched, so file
names kept their `:LINE:` suffix. Fixed to `:[0-9][0-9.]*:.*` which
accepts both `:LINE:` and `:LINE.COL:` formats.

Allowlist pattern: paths in `.coverage-allowlist.txt` warn (not fail),
new critical-path files at <10% coverage fail. This makes the gate land
cleanly AND keeps the teeth for regressions.

Allowlisted files (all tracked under #1823, expire 2026-05-23):

  Tight-match critical paths:
    - internal/handlers/a2a_proxy.go
    - internal/handlers/a2a_proxy_helpers.go
    - internal/handlers/registry.go
    - internal/handlers/secrets.go
    - internal/handlers/tokens.go
    - internal/handlers/workspace_provision.go
    - internal/middleware/wsauth_middleware.go

  Looser substring matches (flagged because my CRITICAL_PATHS entries use
  contains-match; follow-up PR to use exact prefix match):
    - internal/channels/registry.go
    - internal/crypto/aes.go
    - internal/registry/*.go (access, healthsweep, hibernation, provisiontimeout)
    - internal/wsauth/tokens.go

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-23 11:20:36 -07:00

workflows

ci: fix regex + add coverage allowlist (14 known 0% critical paths)

2026-04-23 11:20:36 -07:00