[plan] Implement Test Coverage Improver workflow

[github-actions]

Objective

Create a weekly workflow that analyzes test coverage, identifies under-tested code paths (especially security-critical areas), and creates PRs with additional tests.

Context

Current test coverage is 75-80% (per COVERAGE_SUMMARY.md). As a security-critical firewall tool, untested code paths represent potential security vulnerabilities. We need comprehensive test coverage, especially for:

• iptables manipulation (NET_ADMIN capability usage)
• Squid ACL rule generation and domain pattern validation
• Container security (capability dropping, seccomp profiles)
• Domain validation and pattern matching

Approach

1. Create workflow file: .github/workflows/test-coverage-improver.md
2. Configure triggers:
   • Weekly schedule
   • Manual workflow_dispatch
3. Analyze current coverage:
   • Run npm run test:coverage to generate coverage report
   • Parse coverage data to identify under-tested files
   • Focus on security-critical modules (see priority areas below)
4. Identify test gaps:
   • Functions with <80% branch coverage
   • Error handling paths not covered
   • Edge cases in domain pattern validation
   • iptables rule failure scenarios
5. Create PR with tests:
   • ONE PR per week (max: 1)
   • Focus on highest-impact security-critical code
   • Include unit tests and integration tests as appropriate
   • Ensure new tests pass in CI

Files to Create/Modify

• Create: .github/workflows/test-coverage-improver.md
• Reference: daily-test-improver.md template

Priority Areas (Security-Critical)

1. iptables management

   • src/host-iptables.ts - Host iptables rule manipulation
   • containers/agent/setup-iptables.sh - Container iptables setup
   • Focus: Rule validation, error handling, cleanup

2. Squid configuration

   • src/squid-config.ts - ACL rules, domain patterns
   • Focus: Domain pattern edge cases, wildcard handling, malicious input

3. Container security

   • src/docker-manager.ts - Capability dropping, seccomp
   • Focus: Capability verification, privilege escalation prevention

4. Domain validation

   • src/domain-patterns.ts - Wildcard patterns, protocol handling
   • Focus: Pattern matching edge cases, injection prevention

Test Requirements

• Unit tests for security-critical functions (isolation)
• Integration tests for Docker/networking interactions
• Edge cases: empty inputs, malformed data, injection attempts
• Error handling: iptables failures, network conflicts, container crashes
• Security verification: capability dropping, privilege checks

Acceptance Criteria

• Workflow runs weekly at scheduled time
• Generates coverage report and identifies gaps
• Prioritizes security-critical code paths
• Creates ONE PR per run with additional tests
• All new tests pass in CI
• Coverage improvement: +2-5% per PR
• Completes within 20 minutes timeout

Success Metrics

• Overall coverage: 75-80% → 85%+ within 3 months
• Security-critical path coverage: >95%
• Test addition rate: +5-10 tests per week
• Zero uncovered error handling paths in security code
  Related to [plan] Enhance agentic workflow maturity to Level 4 (Optimized) #332

AI generated by Plan Command for discussion #328