[Test Coverage] Add test coverage for subcommands and main-action

[github-actions]

Summary

Adds unit tests for two low-coverage modules:

File	Before	After (est.)
src/commands/subcommands.ts	47.2% stmts / 41.7% funcs / 21.4% branches	~80%+
src/commands/main-action.ts	19.0% stmts / 16.7% funcs / 0% branches	~70%+

New Test Files

src/commands/subcommands.test.ts (~30 tests)

Tests the registerSubcommands function and the inline validateFormat helper:

• Command registration: verifies predownload, logs, logs stats, logs summary, logs audit are all registered
• Predownload defaults: imageRegistry, imageTag, agentImage, enableApiProxy default values
• Format validation (security): validateFormat rejects invalid strings with process.exit(1) across all subcommands
• Valid formats: confirms raw, pretty, json, markdown are accepted
• Decision filter validation (security): logs audit --decision rejects values other than allowed/denied
• --with-pid warning: logs warning when used without -f
• Predownload error handling: exitCode propagation from errors thrown by predownloadCommand

src/commands/main-action.test.ts (~18 tests)

Tests the createMainAction factory and the returned mainAction function:

• Empty args: exits with code 1 and prints usage error
• Single arg: passed as-is (critical for shell variable preservation — $HOME must expand in container, not host)
• Multiple args: joined via joinShellArgs
• Config flow: applyConfigFilePrecedence → validateOptions → setAwfDockerHost
• Signal handlers: registerSignalHandlers is called
• Exit code propagation: non-zero exit codes from runMainWorkflow are propagated
• Fatal error handling: logger.error + performCleanup + process.exit(1) on thrown errors
• API key redaction (security): verifies openaiApiKey, anthropicApiKey, copilotGithubToken, copilotApiKey, geminiApiKey are excluded from debug logs

Security-Critical Paths Covered

• ✅ Format injection prevention (validateFormat edge cases)
• ✅ Decision filter validation in audit subcommand
• ✅ API key redaction in debug logging
• ✅ Shell argument handling (single vs multi-arg command injection scenarios)

Test Design

• All external dependencies mocked (no Docker, no iptables, no filesystem I/O)
• Uses jest.mock() for dynamic imports inside action handlers
• process.exit mocked to prevent test runner termination
• Follows existing test patterns from the codebase

Generated by Test Coverage Improver · ● 39.4M · ◷

[Copilot]

Pull request overview

Adds new Jest unit tests to raise coverage for the CLI command registration layer (registerSubcommands) and the main CLI action handler (createMainAction), improving confidence in argument handling and security-related validation paths.

Changes:

• Add subcommands.test.ts covering subcommand registration plus format/decision validation and predownload error exit-code behavior.
• Add main-action.test.ts covering command argument handling, config flow wiring, exit-code propagation, and config logging redaction.

Show a summary per file

File	Description
src/commands/subcommands.test.ts	New tests for subcommand registration, format/decision validation, and predownload error exit-code handling.
src/commands/main-action.test.ts	New tests for createMainAction covering args handling, workflow orchestration calls, exit behavior, and redaction checks.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 2/2 changed files
• Comments generated: 4

[lpcox]

@copilot address review feedback

[Copilot]

@copilot address review feedback

Addressed in commit 36ea17d.

Updated the tests to:

• parse predownload before asserting default options
• make process.exit(1) throw in main-action tests so early-exit paths stop execution
• assert cleanup behavior via dockerManager.cleanup in fatal-error flow
• require the configuration debug log call before asserting API key redaction
• harden nested invalid-format checks for logs stats|summary|audit by parsing each nested command directly

Validated with:

• npm test -- src/commands/subcommands.test.ts src/commands/main-action.test.ts --runInBand
• npm run lint
• npm run build

[github-actions]

Smoke Test Results

❌ GitHub API — gh CLI authentication failed (HTTP 401)
✅ Playwright — GitHub.com loaded successfully, title verified
✅ File verify — Smoke test marker file present

Overall: FAIL (1 of 3 tests failed)

💥 [THE END] — Illustrated by Smoke Claude

[github-actions]

🔥 Smoke Test: Copilot BYOK (Offline) Mode

Test	Result
GitHub MCP connectivity	❌ 401 unauthorized
GitHub.com HTTP connectivity	❌ template vars not resolved
File write/read	❌ template vars not resolved
BYOK inference (api-proxy → api.githubcopilot.com)	✅

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com.

Overall: FAIL — pre-step smoke data (steps.smoke-data.outputs.*) was not substituted; workflow steps may not have run or outputs were not exported correctly.

🔑 BYOK report filed by Smoke Copilot BYOK

[github-actions]

🔬 Smoke Test Results

Test	Status
GitHub MCP connectivity	❌ (401 Bad credentials)
GitHub.com HTTP connectivity	⚠️ (template vars not expanded)
File write/read (smoke-test-copilot-25997520557.txt)	✅

Overall: FAIL — GitHub MCP returned 401 and workflow template variables were not substituted before agent execution.

File content confirmed: Smoke test passed for Copilot at Sun May 17 17:24:46 UTC 2026

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

PRs reviewed: chore: recompile test-coverage-improver lock file; chore: run test coverage improver twice daily
GitHub PR review: ✅
Safe Inputs GH CLI: ❌
Playwright title: ✅
Tavily search: ❌
File + bash: ✅
Discussion interaction: ❌
Build AWF: ✅
Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions]

Chroot Smoke Test Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.13	Python 3.12.3	❌
Node.js	v24.15.0	v20.20.2	❌
Go	go1.22.12	go1.22.12	✅

Result: FAILED — Python and Node.js versions differ between host and chroot environment.

Tested by Smoke Chroot

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	1/1 passed	✅ PASS
Go	env	✅	1/1 passed	✅ PASS
Go	uuid	✅	1/1 passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	all passed	✅ PASS
Node.js	execa	✅	all passed	✅ PASS
Node.js	p-limit	✅	all passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #3288 · ● 5.8M · ◷

[github-actions]

Smoke Test Results — Services Connectivity

Check	Result
Redis PING (host.docker.internal:6379)	❌ Timeout — no service listening
PostgreSQL pg_isready (host.docker.internal:5432)	❌ No response
PostgreSQL SELECT 1	❌ Timeout

host.docker.internal resolves to 172.17.0.1 but ports 6379 and 5432 have no listeners.

Overall: FAIL — Service containers appear not to be running in this workflow environment.

🔌 Service connectivity validated by Smoke Services

[github-actions]

Smoke Test Results: MCP: ❌ (401), Connectivity: ❌ (000), File: ✅, Bash: ✅. Overall: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini