feat(ci): add test-coverage-improver agentic workflow

[Copilot]

• Understand the issue requirements
• Create .github/workflows/test-coverage-improver.md workflow file
• Address code review feedback (use cron syntax for schedule)
• Address additional code review feedback (simplify commands, add concrete examples)
• Run code review - all issues addressed
• Run security check (CodeQL) - no code changes to analyze
• Allow all bash tools per reviewer request
• Generate GitHub Actions YAML lock file

Summary

Created agentic workflow that:

• Runs weekly on Monday 9AM UTC (0 9 * * 1) and manual trigger
• Runs test suite with coverage reporting (npm run test:coverage)
• Identifies files/modules with <80% coverage
• Prioritizes security-critical code (iptables, domain validation, Squid config)
• Creates a PR with new tests to improve coverage
• Uses safe-outputs.create-pull-request with labels: [testing, ai-generated]
• Allows all bash commands via bash: ["*"]

Files

• .github/workflows/test-coverage-improver.md - Agentic workflow specification
• .github/workflows/test-coverage-improver.lock.yml - Compiled GitHub Actions workflow

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[plan] Create test coverage improver workflow</issue_title>
<issue_description>## Objective

Implement a daily/weekly workflow that identifies under-tested code areas and creates PRs with additional test coverage, prioritizing security-critical paths.

Context

Security tools require comprehensive test coverage. Untested code paths in a firewall represent security risks. This workflow systematically improves coverage by generating targeted tests for under-covered areas.

Approach

Create .github/workflows-agentic/test-coverage-improver.md workflow with:

Triggers:

• Weekly schedule (to avoid noise)
• Manual workflow_dispatch

Workflow should:

1. Run test suite with coverage reporting (npm test -- --coverage)
2. Identify files/modules with <80% coverage
3. Analyze uncovered code branches and paths
4. Generate specific test cases for uncovered scenarios
5. Create PR with new tests (one PR per run, focused on highest-priority gaps)

Priority Focus:

1. Security-critical code: iptables rules, domain validation, Squid config generation
2. Container entrypoints and setup scripts
3. CLI argument parsing and validation
4. Error handling paths

Files to Create/Modify

• Create: .github/workflows-agentic/test-coverage-improver.md
• May need: Coverage analysis script in scripts/ci/analyze-coverage.ts
• Reference: Existing test files in tests/ for patterns

Acceptance Criteria

• Workflow file created with weekly schedule
• Successfully runs test suite with coverage
• Identifies files below coverage threshold
• Prioritizes security-critical code
• Generates appropriate test cases
• Creates PR with working tests that increase coverage
• Safe-outputs configured (max 1 PR per run)
• At least one successful PR created and reviewed

Example Workflow Structure

---
description: Improve test coverage by adding tests to under-tested areas
on:
  schedule: weekly
  workflow_dispatch:
permissions:
  contents: read
  pull-requests: write
tools:
  bash:
    - "npm test*"
    - "npm run coverage*"
  github:
    toolsets: [default, pull_requests]
safe-outputs:
  create-pull-request:
    labels: [testing, ai-generated]
    max: 1
timeout-minutes: 20
---

Implementation Notes

• Focus on increasing coverage incrementally (target: +5-10% per PR)
• Ensure generated tests are meaningful, not just coverage-chasing
• Security code takes priority over convenience code
  Related to [plan] Implement P0 agentic workflow improvements #313

AI generated by Plan Command for discussion #304

Comments on the Issue (you are @copilot in this section)

• Fixes [plan] Create test coverage improver workflow #316

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[Mossaka]

@copilot please generate the github action yamls and push

[Mossaka]

@copilot please allow all bash tools

[Copilot]

Updated bash tools to allow all commands with ["*"] in commit 14abcd7.

[Copilot]

@copilot please generate the github action yamls and push

Generated .github/workflows/test-coverage-improver.lock.yml by running gh aw compile test-coverage-improver in commit 14abcd7.