Add integration tests for executables approval gate #1785
Merged
danielmeppiel merged 1 commit intoJun 15, 2026
Boost integration coverage for security/executables.py (15% -> 84%), install/exec_gate.py (-> 93%), and commands/approve.py (10% -> 90%).
71 tests covering:
- Real filesystem scanning (hooks, bin, MCP, symlinks)
- Approval checking logic
- parse/write_allow_executables roundtrip
- check_executable_approval pipeline helper
- resolve_package_key with dep-ref and fallback
- log_bin_status message variants
- approve/deny CLI commands via CliRunner
- Non-interactive CI mode (SystemExit on unapproved)
- trust_all / no_executables flags
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
Adds a new integration test suite to exercise the executable approval gate end-to-end at the helper/CLI level (filesystem scanning, allowExecutables parsing/writing, approval resolution, non-interactive CI behavior, and apm approve/apm deny Click commands), aiming to raise integration coverage for the gate modules introduced in #1723.
Changes:
- Introduces tests/integration/test_executables_gate_integration.py with broad coverage across scanning, key resolution, approval checks, prompt behavior, and approve/deny CLI flows.
- Exercises real filesystem layouts (.apm/hooks, hooks/, bin/, .apm/skills/*/bin/) and manifest roundtrips for allowExecutables.
- Adds integration assertions around install-pipeline helpers (check_executable_approval, resolve_package_key, log_bin_status).
| pkg_info = MagicMock() | ||
| dep_ref = MagicMock() | ||
| dep_ref.canonical_string.return_value = "" | ||
| dep_ref.__str__ = lambda self: "./local/path" |
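Review bot: pkg_info and dep_ref are bare MagicMock() objects with no spec, so this fallback setup would keep passing even if the real dependency reference renamed or dropped canonical_string. Build dep_ref with MagicMock(spec=...) against the real dep-ref class (not visible in these lines) so attribute drift fails the test. For the string stub, dep_ref.__str__.return_value = "./local/path" is the usual MagicMock form and keeps __str__ assertable, where the assigned lambda does not. The visible lines only set up the fixture, so the test should also assert the exact key that resolve_package_key returns when canonical_string is empty.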
sergio-sisternes-epam pushed a commit that referenced this pull request Jun 16, 2026
Sync the v0.20.0->main delta into the Stage-2 install refactor: exec-approval gate (#1785/#1723), canvas-trust (#1689), and marketplace publish removal (#1766).
Fold main's feature delta into the branch's refactor and re-extract main's newly-merged oversized functions/files so they satisfy this branch's tightened complexity and 800-line file-length thresholds:
- install-cluster feature fold: services.py, services_integrate.py, skill_integrator.py, skill_deploy.py, commands/install.py (exec gate, skip_bin threading, trust_canvas flag, canvas field).
- ruff complexity: extract unpacker._resolve_bundle_source / _plan_and_validate_bundle and canvas_integrator._copy_deployed_files.
- file-length <800: extract _services_helpers, _validation_rules, _skill_finders, _drift_render sibling modules.
- R0801 dedupe: add IntegratorBundle.from_mapping classmethod and route the three mapping-based construction sites through it.
- restore the validation dispatch patch contract (drop the local re-import in _dispatch_package_validation) and re-export _sanitize_cache_name from marketplace.client for main's new coverage tests.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Summary
Follow-up to #1723. Adds 71 integration tests covering the executable approval gate modules, boosting integration coverage:
- security/executables.py: 15% -> 84%
- install/exec_gate.py: -> 93%
- commands/approve.py: 10% -> 90%
Tests cover
- parse_allow_executables / write_allow_executables roundtrip
- check_executable_approval pipeline helper with context tracking
- resolve_package_key with dep-ref and name#version fallback
- log_bin_status message variants
- apm approve / apm deny CLI commands via CliRunner
- --trust-all / --no-executables flags
Context
The merge queue fail-under=70 gate is a repo-wide issue (PRs #1772, #1689, #1766, #1767 also affected). This PR contributes +0.25% to the total, addressing the modules introduced by #1723.