[Refactoring] Split security-module-coverage.test.ts into per-module test files #5916

Description

@github-actions

Refactoring Opportunity

Summary

  • File: src/security-module-coverage.test.ts
  • Current size: 639 lines
  • Responsibilities identified: 9 distinct security-critical modules bundled into one omnibus test file

Evidence

The file explicitly declares its own purpose as a catch-all:

/**
 * Coverage for security-critical low-coverage modules:
 *   - src/squid/ssl-bump.ts          (generateSslBumpSection)
 *   - src/squid/upstream-proxy.ts    (generateUpstreamProxySection)
 *   - src/squid/validation.ts        (validateApiProxyIp, validateAndSanitizeHostAccessPort, validateApiProxyPort)
 *   - src/services/credentials/anthropic-credential-env.ts
 *   - src/services/credentials/copilot-credential-env.ts
 *   - src/services/credentials/gemini-credential-env.ts
 *   - src/services/credentials/openai-credential-env.ts
 *   - src/services/credentials/vertex-credential-env.ts
 */

None of the covered modules have their own dedicated .test.ts file (verified, except src/squid/validation.ts which has a separate test):

| Module | Lines | Dedicated test? |
| --- | --- | --- |
| src/squid/ssl-bump.ts | 88 | No |
| src/squid/upstream-proxy.ts | 43 | No |
| src/services/credentials/anthropic-credential-env.ts | 43 | No |
| src/services/credentials/copilot-credential-env.ts | 105 | No |
| src/services/credentials/gemini-credential-env.ts | 34 | No |
| src/services/credentials/openai-credential-env.ts | 33 | No |
| src/services/credentials/vertex-credential-env.ts | 29 | No |

The omnibus file contains 10 top-level describe blocks spread across 639 lines, making it difficult to:

  • Find tests for a specific module when debugging a failure
  • Add tests when extending a module (which file do you add to?)
  • Review security logic changes against their tests in isolation

Proposed Split

src/security-module-coverage.test.ts (639 lines) should be disbanded and its tests moved to co-located test files:

  • src/squid/ssl-bump.test.ts — moves describe(generateSslBumpSection) block (~90 lines)
  • src/squid/upstream-proxy.test.ts — moves describe(generateUpstreamProxySection) block (~85 lines)
  • src/services/credentials/anthropic-credential-env.test.ts — moves describe(buildAnthropicCredentialEnv) block (~70 lines)
  • src/services/credentials/copilot-credential-env.test.ts — moves describe(buildCopilotCredentialEnv) block (~100 lines)
  • src/services/credentials/gemini-credential-env.test.ts — moves describe(buildGeminiCredentialEnv) block (~36 lines)
  • src/services/credentials/openai-credential-env.test.ts — moves describe(buildOpenAiCredentialEnv) block (~35 lines)
  • src/services/credentials/vertex-credential-env.test.ts — moves describe(buildVertexCredentialEnv) block (~35 lines)
  • The validateApiProxyIp/validateAndSanitizeHostAccessPort/validateApiProxyPort describes can merge into src/squid/validation.test.ts (which already exists)

After the split, the original src/security-module-coverage.test.ts can be deleted entirely.

Affected Callers

No production code is affected — test-only change. The mock setup at the top of the omnibus file will need to be replicated in each new test file (each uses the same jest.mock(./logger) and jest.mock(./env-utils) pattern).

Effort Estimate

Low — mechanical migration of describe blocks to new files with copy-paste of shared mock setup.

Benefits

  • Tests are co-located with their modules, consistent with the rest of the codebase
  • Failures point immediately to the specific security module, not a 639-line omnibus
  • New credential providers or Squid config features have an obvious test file to extend
  • Security reviewers can audit a module and its tests side-by-side
  • Removes the perpetual temptation to add unrelated security tests to this catch-all

Detected by Refactoring Scanner workflow. Run date: 2026-07-05

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Refactoring Opportunity Scanner · 163.7 AIC · ⊞ 6.6K ·

  • expires on Sep 3, 2026, 5:42 AM UTC
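
A co-location guard that would flag the state described in this issue and keep the split from regressing, as an added example that is not part of the issue or the project's code. The function and constant names are assumptions, the file listing is constructed from the paths named above, and the rule that every test file needs a sibling module is also an assumption (a real repository may need an allow-list for integration tests).

```typescript
// Added example (hypothetical guard, not the project's code). File paths come
// from the issue; function and constant names are assumptions.
interface CoLocationReport {
  untested: string[]; // in-scope modules with no sibling <name>.test.ts
  orphanTests: string[]; // test files with no sibling <name>.ts (omnibus candidates)
}

function checkCoLocation(files: string[], securityDirs: string[]): CoLocationReport {
  const all = new Set<string>(files);
  const isTest = (f: string): boolean => f.endsWith(".test.ts");
  const inScope = (f: string): boolean =>
    securityDirs.some((d) => f.startsWith(d.endsWith("/") ? d : d + "/"));

  // Source modules in a security-critical directory that lack a co-located test.
  const untested = files
    .filter((f) => f.endsWith(".ts") && !f.endsWith(".d.ts") && !isTest(f) && inScope(f))
    .filter((f) => !all.has(f.replace(/\.ts$/, ".test.ts")))
    .sort();

  // Test files that do not sit next to a module of the same name.
  const orphanTests = files
    .filter((f) => isTest(f) && !all.has(f.replace(/\.test\.ts$/, ".ts")))
    .sort();

  return { untested, orphanTests };
}

// Constructed listing mirroring the state the issue describes
// (in CI this would come from something like `git ls-files src`).
const SAMPLE_FILES: string[] = [
  "src/security-module-coverage.test.ts",
  "src/squid/ssl-bump.ts",
  "src/squid/upstream-proxy.ts",
  "src/squid/validation.ts",
  "src/squid/validation.test.ts",
  "src/services/credentials/anthropic-credential-env.ts",
  "src/services/credentials/copilot-credential-env.ts",
  "src/services/credentials/gemini-credential-env.ts",
  "src/services/credentials/openai-credential-env.ts",
  "src/services/credentials/vertex-credential-env.ts",
];
const SECURITY_DIRS: string[] = ["src/squid", "src/services/credentials"];

// Before the split: seven untested modules and one orphan (the omnibus file).
console.log(JSON.stringify(checkCoLocation(SAMPLE_FILES, SECURITY_DIRS), null, 2));
```

Run as a CI step, a non-empty `untested` or `orphanTests` list would fail the build, so a new credential provider or Squid module cannot land without its own test file.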
