Skip to content

tests: push coverage 92.4% -> 99.4%, pin audit findings#1

Merged
TeoSlayer merged 1 commit into
mainfrom
add-test-coverage
May 28, 2026
Merged

tests: push coverage 92.4% -> 99.4%, pin audit findings#1
TeoSlayer merged 1 commit into
mainfrom
add-test-coverage

Conversation

@TeoSlayer
Copy link
Copy Markdown
Contributor

@TeoSlayer TeoSlayer commented May 28, 2026

Summary

  • New zz_coverage_ceiling_test.go adds 13 tests that cover the remaining defensive branches the existing suite missed (urlPath HOME-error, MkdirAll failure, non-IsNotExist Remove error, startClientLocked nil-Events / nil-Identity / NodeID-call / nil-Events, SetURL SavePersistedURL warn-path, post() cooldown==0 fallback).
  • Three regression pins for the iter-1 audit findings: per-event backoff (no carry-over fingerprint leak), response-body closed on every status (HTTP keep-alive reuse), and response-body closed frees goroutines (secondary leak guard).
  • Coverage: 92.4% -> 99.4%. Two lines remain uncovered, both intrinsically unreachable (see notes below).

Honest ceiling — what's left and why

Location Why uncovered
service.go:132-134 (if s.client == nil { return } after NewClient) Dead defensive code. NewClient only returns nil for empty URL, but startClientLocked already short-circuits at line 122 for that case. Reaching this branch requires NewClient to return nil for a non-empty URL, which it never does.
webhook.go:183 (case <-wc.closed: in Emit's second select) Race-only branch. Needs Close to fire in the narrow window between the first <-wc.closed check and the channel send. An attempt to force it (16 concurrent emitters + slow server + race-during-close) generated enough socket pressure to flake unrelated tests in the same go test process, so the test was removed. TestWebhookConcurrentEmitClose already drives this path under -race.

Audit note

The iter-1 audit also flagged an HMAC timing-attack vector. The webhook plugin POSTs raw JSON with no shared secret or signature header — there is no HMAC verification path in this code. No test was added for that finding because there is no surface to defend.

Test plan

  • go test -race -count=1 -timeout 180s ./... passes 3/3 runs
  • go tool cover -func reports 99.4% total
  • No collisions with existing test symbols (zz_more_test.go's fakeEventBus / fakeIdentity are distinct from new localBus / localIdent)
  • All 13 new tests pass under -race

@teovl
tests: push coverage 92.4% → 99.4%, pin audit findings
5549b5a 
New zz_coverage_ceiling_test.go targets the remaining defensive
branches (urlPath HOME-error, MkdirAll error, non-IsNotExist Remove
error, startClientLocked nil-Events / nil-Identity / NodeID-call,
SetURL SavePersistedURL warn-path, post() cooldown==0 fallback).

Plus three regression pins for the iter-1 audit:

- TestAudit_BackoffIsPerEvent_NoCarryover — verifies a fresh Emit
  starts at initialBackoff, NOT 4*initialBackoff where the previous
  event's exponential doubling left off. Closes the timing-leak
  fingerprint vector.
- TestAudit_ResponseBodyClosedOnEveryStatus — hammers a single
  httptest.Server and asserts unique remote-port count stays tiny.
  If resp.Body.Close() ever regresses on the 2xx/4xx paths, the
  HTTP/1.1 pool stops reusing connections and the count explodes.
- TestAudit_ResponseBodyClosedFreesGoroutines — secondary guard;
  asserts goroutine count returns to baseline after a 200-event
  burst. A body-close leak would scale goroutines with request count.

Honest ceiling at 99.4%. Two lines remain uncovered:
- service.go:132-134 (`if s.client == nil { return }`): dead
  defensive code — NewClient only returns nil for empty URL, but
  startClientLocked already returns at line 122 for that case.
- webhook.go:183 (Emit's second `case <-wc.closed:`): race-only
  branch that needs Close to fire in the gap between the first
  closed-check and the channel send. Attempts to force it (16
  concurrent emitters + slow server + race-during-close) destabilized
  unrelated tests in the same `go test` process via socket
  pressure; TestWebhookConcurrentEmitClose already drives this path
  under the race detector.

Note: the audit also flagged an HMAC timing-attack vector. The
webhook plugin does not sign payloads (POSTs raw JSON, no shared
secret), so that finding doesn't apply to this code surface; no
test was added.

`go test -race -count=1 -timeout 180s ./...` green 3/3 runs.
@TeoSlayer TeoSlayer merged commit 740c6c0 into main May 28, 2026
1 check passed
@TeoSlayer TeoSlayer deleted the add-test-coverage branch May 28, 2026 00:55
@codecov
Copy link
Copy Markdown

codecov Bot commented May 28, 2026

Welcome to Codecov 🎉

Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests.

ℹ️ You can also turn on project coverage checks and project coverage reporting on Pull Request comment

Thanks for integrating Codecov - We've got you covered ☂️

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@TeoSlayer @teovl