Add integration tests for executables approval gate#1785
Merged
danielmeppiel merged 1 commit intoJun 15, 2026
Conversation
Boost integration coverage for security/executables.py (15% -> 84%), install/exec_gate.py (-> 93%), and commands/approve.py (10% -> 90%). 71 tests covering: - Real filesystem scanning (hooks, bin, MCP, symlinks) - Approval checking logic - parse/write_allow_executables roundtrip - check_executable_approval pipeline helper - resolve_package_key with dep-ref and fallback - log_bin_status message variants - approve/deny CLI commands via CliRunner - Non-interactive CI mode (SystemExit on unapproved) - trust_all / no_executables flags Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Adds a new integration test suite to exercise the executable approval gate end-to-end at the helper/CLI level (filesystem scanning, allowExecutables parsing/writing, approval resolution, non-interactive CI behavior, and apm approve/apm deny Click commands), aiming to raise integration coverage for the gate modules introduced in #1723.
Changes:
- Introduces
tests/integration/test_executables_gate_integration.pywith broad coverage across scanning, key resolution, approval checks, prompt behavior, and approve/deny CLI flows. - Exercises real filesystem layouts (
.apm/hooks,hooks/,bin/,.apm/skills/*/bin/) and manifest roundtrips forallowExecutables. - Adds integration assertions around install-pipeline helpers (
check_executable_approval,resolve_package_key,log_bin_status).
| pkg_info = MagicMock() | ||
| dep_ref = MagicMock() | ||
| dep_ref.canonical_string.return_value = "" | ||
| dep_ref.__str__ = lambda self: "./local/path" |
danielmeppiel
deleted the
sergio-sisternes-epam/boost-executables-coverage
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Follow-up to #1723. Adds 71 integration tests covering the executable approval gate modules, boosting integration coverage:
security/executables.py: 15% -> 84%install/exec_gate.py: -> 93%commands/approve.py: 10% -> 90%Tests cover
parse_allow_executables/write_allow_executablesroundtripcheck_executable_approvalpipeline helper with context trackingresolve_package_keywith dep-ref and name#version fallbacklog_bin_statusmessage variantsapm approve/apm denyCLI commands via CliRunner--trust-all/--no-executablesflagsContext
The merge queue
fail-under=70gate is a repo-wide issue (PRs #1772, #1689, #1766, #1767 also affected). This PR contributes +0.25% to the total, addressing the modules introduced by #1723.