17 changes: 14 additions & 3 deletions tests/README.md
Expand Up @@ -4,7 +4,7 @@ TypeScript-based integration tests for the awf (Agentic Workflow Firewall) CLI.

## Overview

This directory contains comprehensive integration tests that verify firewall behavior across multiple scenarios. Currently includes **17 integration test files** covering:
This directory contains comprehensive integration tests that verify firewall behavior across multiple scenarios, including:

### Core Functionality
- **Basic Firewall Functionality** (`basic-firewall.test.ts`) - Domain whitelisting, subdomain matching, exit code propagation
Expand Down Expand Up @@ -33,6 +33,7 @@ This directory contains comprehensive integration tests that verify firewall beh
- **Log Commands** (`log-commands.test.ts`) - Log parsing and analysis

### Integration Testing
- **CLI Proxy** (`cli-proxy.test.ts`) - gh wrapper routing, token isolation, and opt-in approved-integrity live regression coverage
- **Claude Code** (`claude-code.test.ts`) - Claude Code CLI integration
- **No Docker** (`no-docker.test.ts`) - Docker-in-Docker removal verification
- **Docker Warning** (`docker-warning.test.ts`) - Docker command warning messages
Expand All @@ -54,9 +55,10 @@ These smoke tests use the locally built firewall and validate:

```
tests/
├── integration/ # Integration test suites (17 files)
├── integration/ # Integration test suites
│ ├── basic-firewall.test.ts
│ ├── blocked-domains.test.ts
│ ├── cli-proxy.test.ts
│ ├── claude-code.test.ts
│ ├── container-workdir.test.ts
│ ├── dns-servers.test.ts
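Review bot: In the directory tree, `cli-proxy.test.ts` is inserted ahead of `claude-code.test.ts`, which breaks the alphabetical order the visible entries otherwise follow (`basic-firewall`, `blocked-domains`, `claude-code`, `container-workdir`, `dns-servers`). Move the new entry so it sits between `claude-code.test.ts` and `container-workdir.test.ts`.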
Expand Down Expand Up @@ -125,6 +127,14 @@ npm test:unit
npm run test:integration
```

### Run the CLI proxy approved-integrity live regression

This opt-in regression requires a running external DIFC proxy plus a GitHub token supplied via `GITHUB_TOKEN` or `GH_TOKEN`.

```bash
AWF_RUN_APPROVED_DIFC_PROXY_TESTS=1 sudo -E npm run test:integration -- cli-proxy
```

### Run Specific Test Suite

```bash
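Review bot: The new "Run the CLI proxy approved-integrity live regression" section names two prerequisites but documents neither well enough to run the test safely: it does not say how the test locates the external DIFC proxy, and it does not state the minimum permissions the token needs. Because the command uses `sudo -E`, the caller's whole environment, token included, is carried into the root process, so the section should recommend a short-lived, read-only token. It should also mention that when the flag is set but neither `GITHUB_TOKEN` nor `GH_TOKEN` is present, the test is skipped rather than failed.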
Expand Down Expand Up @@ -267,7 +277,7 @@ Key considerations:

The project uses TypeScript-based integration tests that run in CI via `.github/workflows/test-coverage.yml`:

**Integration test files (17 total):**
**Selected integration test files:**
| Category | Test File | Description |
|----------|-----------|-------------|
| Core | `basic-firewall.test.ts` | Domain whitelisting, connectivity |
Expand All @@ -277,6 +287,7 @@ The project uses TypeScript-based integration tests that run in CI via `.github/
| Domains | `wildcard-patterns.test.ts` | Wildcard matching |
| Security | `network-security.test.ts` | Capability restrictions, SSRF |
| Security | `robustness.test.ts` | Edge cases, bypass prevention |
| Integration | `cli-proxy.test.ts` | CLI proxy sidecar coverage, including opt-in approved-integrity gh api array regression |
| Config | `dns-servers.test.ts` | DNS configuration |
| Config | `environment-variables.test.ts` | Environment variables |
| Config | `volume-mounts.test.ts` | Volume mounts |
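Review bot: The new `cli-proxy.test.ts` row sits under a sentence saying these tests run in CI via `.github/workflows/test-coverage.yml`, but the approved-integrity regression it describes is opt-in and nothing in the visible diff sets `AWF_RUN_APPROVED_DIFC_PROXY_TESTS` in a workflow. State in the description that this regression is skipped by default, so readers do not assume CI exercises it.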
24 changes: 24 additions & 0 deletions tests/integration/cli-proxy.test.ts
Expand Up @@ -35,6 +35,11 @@ const cliProxyDefaults = {
},
};

const approvedIntegrityToken = process.env.GITHUB_TOKEN || process.env.GH_TOKEN;
const approvedIntegrityLiveTest = process.env.AWF_RUN_APPROVED_DIFC_PROXY_TESTS === '1' && approvedIntegrityToken
? test
: test.skip;

describe('CLI Proxy Sidecar', () => {
let runner: AwfRunner;

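Review bot: In the `approvedIntegrityLiveTest` gate, setting `AWF_RUN_APPROVED_DIFC_PROXY_TESTS=1` without a token silently falls through to `test.skip`, so someone who opted in gets a passing run in which the regression was only reported as skipped. Consider failing, or at least logging a warning, when the flag is '1' but neither `GITHUB_TOKEN` nor `GH_TOKEN` is set. Wrapping the condition in parentheses would also make the `&&` / `? :` grouping explicit.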
Expand Down Expand Up @@ -116,6 +121,25 @@ describe('CLI Proxy Sidecar', () => {
// Should NOT get "command not found" — the wrapper must be installed
expect(output + stderr).not.toContain('command not found');
}, 180000);

approvedIntegrityLiveTest(
'should preserve array JSON responses for gh api issue comment endpoints under approved integrity',
async () => {
const result = await runner.runWithSudo(
'bash -o pipefail -c \'gh api "repos/github/gh-aw-firewall/issues/1/comments?per_page=1" | jq -er type\'',
{
...cliProxyDefaults,
env: {
GITHUB_TOKEN: approvedIntegrityToken!,
},
},
);

expect(result).toSucceed();
expect(extractCommandOutput(result.stdout).trim()).toBe('array');
},
180000
);
});

describe('Meta-command Denial', () => {
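Review bot: The `toBe('array')` assertion in the new live test only proves that the response is a JSON array; nothing visible in this hunk, beyond whatever `cliProxyDefaults` configures, confirms that the call went through the approved-integrity path the test name refers to. Add an assertion or a comment tying the result to that path. The hard-coded `repos/github/gh-aw-firewall/issues/1/comments` endpoint also makes the test depend on that issue staying reachable with the supplied token, which is worth a comment or a configurable target.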