Ratchet egress_addon coverage to >=90% (ADR 0004) #295

Open

didericis-claude wants to merge 1 commits from ratchet-egress-addon-90 into cover-global-90

pull from: ratchet-egress-addon-90

merge into: didericis:cover-global-90

didericis:main

didericis:core-coverage-badge

didericis:ratchet-supervise-90

didericis:ratchet-manifest-90

didericis:ratchet-git-gate-90

didericis:ratchet-egress-core-90

didericis:ratchet-yaml-subset-90

didericis:cover-global-90

didericis:table-drive-dlp-tests

didericis:flatten-deep-nesting

didericis:decompose-egress-dlp-config

didericis:cover-egress-addon-adapter

didericis:prd-egress-control-plane

didericis:prd-smolmachines-linux

didericis:fix-integration-test-failures

didericis:fix/macos-container-relative-dockerfile

didericis:prd-0054-install-script

didericis:commit-bottle-state

didericis:pr-211

didericis:move-codex-auth-to-contrib

didericis:feat/pipelock-skip-scan-extensions

didericis:prd-0049-named-labelled-agents

didericis:harden-git-gate-shell-rendering

Conversation 0 Commits 1 Files Changed 1

+218 -1

didericis-claude commented 2026-06-25 21:54:53 -04:00

Collaborator

Copy Link

Copy Source

Stacked on #294 (base = cover-global-90). First per-module ratchet under ADR 0004.

Summary

Extends the egress adapter flow suite to close the remaining behavioural gaps in egress_addon.py:

• Inbound response DLP — injection block (403), warn (logged + forwarded), and LOG_FULL response logging.
• WebSocket inbound (server→client) — injection kills the connection; warn does not; no-websocket is a no-op.
• Redaction — scrubs a token in a request header and the path, not just the body.
• Supervise queue-write OSError — fails closed (403).
• _token_allow_timeout_from_env — unset / valid / non-numeric / non-positive.
• SIGHUP — handler reloads routes; a reload failure keeps the last good config.
• LOG_FULL logs the forwarded request.

Coverage

Module	Before	After
egress_addon.py	76%	94%
Critical core (aggregate)	87%	88%
Global (combined unit+integration)	83%	84%

The remaining egress_addon.py misses are the low-value edges flagged in #290 (no-SIGHUP platform, hostname-redaction-fails-closed). Full unit suite (1344 tests) passes; pyright clean; pylint 9.63.

Next ratchet candidates: git_gate (80%), yaml_subset (83%), manifest_agent (84%).

Stacked on #294 (base = `cover-global-90`). First per-module ratchet under ADR 0004. ## Summary Extends the egress adapter flow suite to close the remaining behavioural gaps in `egress_addon.py`: - **Inbound response DLP** — injection block (403), warn (logged + forwarded), and `LOG_FULL` response logging. - **WebSocket inbound** (server→client) — injection kills the connection; warn does not; no-websocket is a no-op. - **Redaction** — scrubs a token in a request header and the path, not just the body. - **Supervise queue-write `OSError`** — fails closed (403). - **`_token_allow_timeout_from_env`** — unset / valid / non-numeric / non-positive. - **SIGHUP** — handler reloads routes; a reload failure keeps the last good config. - **`LOG_FULL`** logs the forwarded request. ## Coverage | Module | Before | After | |---|---|---| | `egress_addon.py` | 76% | **94%** | | Critical core (aggregate) | 87% | 88% | | Global (combined unit+integration) | 83% | 84% | The remaining `egress_addon.py` misses are the low-value edges flagged in #290 (no-SIGHUP platform, hostname-redaction-fails-closed). Full unit suite (1344 tests) passes; pyright clean; pylint 9.63. Next ratchet candidates: `git_gate` (80%), `yaml_subset` (83%), `manifest_agent` (84%).

didericis-claude added 1 commit 2026-06-25 21:54:55 -04:00

test(egress): ratchet egress_addon coverage to >=90% ... 18059f2a78

First per-module ratchet under ADR 0004. Extend the adapter flow suite
to cover the remaining behavioural gaps:

- inbound response DLP: injection block (403), warn (logged, forwarded),
  and LOG_FULL response logging
- WebSocket inbound (server->client) scanning: injection kills the
  connection; warn does not; no-websocket is a no-op
- redaction scrubs the token in a header and the request path, not just
  the body
- supervise queue-write OSError fails closed (403)
- _token_allow_timeout_from_env: unset/valid/non-numeric/non-positive
- SIGHUP handler reloads routes; a reload failure keeps the last good
  config
- LOG_FULL logs the forwarded request

egress_addon.py: 76% -> 94%. The remaining misses are the low-value
edges (no-SIGHUP platform, hostname-redaction-fails-closed) called out
in the egress adapter PR.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01NkwFXLFff9PYPy4wgVBJp9

didericis-claude referenced this pull request 2026-06-25 22:00:35 -04:00

Ratchet yaml_subset coverage to >=90% (ADR 0004) #296

Some checks are pending

Hide all checks

lint / lint (push) Successful in 1m52s

Details

test / unit (pull_request) Successful in 44s

Details

test / integration (pull_request) Successful in 16s

Details

test / coverage (pull_request) Successful in 58s

Details

This pull request can be merged automatically.

You are not authorized to merge this pull request.

View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.

git fetch -u origin ratchet-egress-addon-90:ratchet-egress-addon-90

git checkout ratchet-egress-addon-90

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

Clear labels

Compat/Breaking

Breaking change that won't be backward compatible

Kind/Bug

Something is not working

Kind/Documentation

Documentation changes

Kind/Enhancement

Improve existing functionality

Kind/Feature

New functionality

Kind/Security

This is security issue

Kind/Testing

Issue or pull request related to testing

Priority

Critical

1

The priority is critical

Priority

High

2

The priority is high

Priority

Low

4

The priority is low

Priority

Medium

3

The priority is medium

Reviewed

Confirmed

1

Issue has been confirmed

Reviewed

Duplicate

2

This issue or pull request already exists

Reviewed

Invalid

3

Invalid issue

Reviewed

Won't Fix

3

This issue won't be fixed

Status

Abandoned

3

Somebody has started to work on this but abandoned work

Status

Blocked

1

Something is blocking this issue or pull request

Status

Need More Info

2

Feedback is required to reproduce issue or to continue work

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

didericis-claude (didericis (claude)) didericis-codex (didericis (codex)) didericis-gemma (gemma) didericis

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: didericis/bot-bottle#295