[quality] Add handler test helper and health/status endpoint tests by clubanderson · Pull Request #17148 · kubestellar/console

clubanderson · 2026-06-06T15:18:15Z

Test Improvement

Introduces newHandlerTestServer() — a lightweight Server constructor for HTTP handler unit tests that requires no external dependencies (no kubeconfig, no k8s cluster, no AI providers).

Test Helper (`newHandlerTestServer`)

Functional options pattern: withHandlerToken, withHandlerRegistry, withHandlerOrigins
Creates minimal Server with safe defaults for all fields
Enables httptest-based handler testing without full server setup
Distinct from newTestServer (server_federation_test.go) which requires real kubeconfig

Tests included (9 test cases)

handleHealth (4 tests):

GET returns 200 with status=ok and version
CORS headers set for allowed origins
OPTIONS preflight returns 204
Disallowed origins get no ACAO header

handleStatus (5 tests):

Missing token returns 401
Valid Bearer token returns 200 with status payload
OPTIONS preflight returns 204
No token configured = endpoint accessible without auth

Impact

This test infrastructure enables future handler tests for the 31 currently untested server_*.go files identified in #17147.

Fixes #17147

Filed by quality agent (ACMM L3/L5 — hold-gated mode). Hold-gated: human review required.

…16463) pollBackendHealth, and ensureTLSCert covering the key risk areas identified in the coverage gap analysis. Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Add tests for client_pods, client_nodes, client_rbac, and client_watch using fake clientset pattern already established in the package. Signed-off-by: kubestellar-hive <hive-bot@kubestellar.io> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Add test coverage for the highest-priority untested handlers: - auth_oauth_test.go: OAuth redirect, callback, token exchange - sse_handler_test.go: SSE connection lifecycle and event streaming Part of the broader handler coverage effort (#16429). Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

* 🌱 Extract Stellar domain types to pkg/stellar Moves Stellar domain types from pkg/store to pkg/stellar/types.go, establishing correct package ownership. The store package now uses type aliases for backwards compatibility, avoiding the need to update all call sites immediately. This is the first step toward separating Stellar business logic from persistence, addressing the architectural issue where pkg/stellar cannot be tested in isolation and domain types are defined in the wrong package. Changes: - Created pkg/stellar/types.go with 13 Stellar domain types - Updated pkg/store/store.go to use type aliases referencing stellar package - Maintains full backwards compatibility — no breaking changes - All tests pass Related to separation of concerns and preparing for future extraction of Stellar to a standalone service. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * 🌱 Add minimal tests for pkg/stellar types Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> --------- Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

…6504) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Add an RFC that defines plugin scope, extension points, security constraints, and a phased implementation plan for evolving console-marketplace toward installable extensions. Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* 🔒 Restrict agent token endpoint to admin users only Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * 🌱 Add unit tests for agent token admin authorization Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> --------- Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* 🔒 Restrict agent auto-update proxy to admin users Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * 🌱 Add unit tests for auto-update proxy admin authorization Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> --------- Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

#16489) * 🐛 Fix predictable /tmp paths in cmd/watcher to prevent symlink attacks Replace hardcoded /tmp paths with os.MkdirTemp/os.CreateTemp for unpredictable temporary file paths. Set restrictive permissions (0600/0700) and ensure proper cleanup. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: kubestellar-hive[bot] <kubestellar-hive[bot]@users.noreply.github.com> * 🌱 Add unit tests for secure temp directory creation Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> --------- Signed-off-by: kubestellar-hive[bot] <kubestellar-hive[bot]@users.noreply.github.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: kubestellar-hive[bot] <kubestellar-hive[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

- Rename pkg/kagenti_provider → pkg/kagentiprovider (Go naming convention) - Add README.md to pkg/agent, pkg/kagent, pkg/kagentiprovider documenting boundaries - Update all imports and type references - Addresses issue #16430: agent package fragmentation The rename follows Go package naming conventions (no underscores). README files clarify the three-package architecture: - pkg/agent: Primary agent orchestration and provider abstraction - pkg/kagent: Client for standalone kc-agent binary (local process) - pkg/kagentiprovider: Client for in-cluster kagenti deployments (K8s-native) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

…6566) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

- Use sandboxed iframe with sandbox="" attribute instead of opening blob URL - Fetch circuit HTML server-side in modal instead of exposing blob URL in same origin - Add CSP and X-Content-Type-Options headers to quantum proxy - Prevents CWE-79 XSS vulnerability from malicious upstream quantum services Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

* 🔒 Restrict rate-limit status endpoint to admin users Adds admin authorization check to GetRateLimitStatus handler to prevent information disclosure of user IDs and IP addresses to non-admin users. Fixes #16481 (CWE-862: Missing Authorization) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * chore: retrigger CI after Docker registry timeout Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * fix(admin): update test for NewAdminHandler store.Store parameter Signed-off-by: kubestellar-hive <hive-bot@kubestellar.io> --------- Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Signed-off-by: kubestellar-hive <hive-bot@kubestellar.io> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: kubestellar-hive <hive-bot@kubestellar.io>

…6524) * 🔒 Restrict NPS endpoint to prevent unauthorized feedback exposure - Removes user feedback comments from public GET /api/nps endpoint - Feedback field no longer exposed in recent responses array - Maintains aggregate NPS metrics for dashboard functionality - Feedback comments may contain PII (emails, incident details, internal URLs) - Admin endpoint with proper authorization required to access raw feedback Fixes #16486 Security Impact: - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor - CWE-862: Missing Authorization - Prevents unauthorized access to user-submitted feedback with potential PII Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * chore: retrigger CI after Docker registry timeout Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> --------- Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

…16535) * 🔒 Require editor-or-admin role on stellar actions execute endpoint Add requireEditorOrAdmin check to ExecuteAction handler so that viewer-role users can no longer invoke destructive K8s operations (DeletePod, ScaleDeployment, RestartDeployment, CordonNode). Also removes a duplicate RequireAdmin declaration in auth_helpers.go that was introduced by a recent commit and broke compilation. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * 🌱 Add RBAC tests for stellar actions execute endpoint Tests verify that viewer role is rejected (403) and editor/admin roles are permitted on POST /api/stellar/actions/execute. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> --------- Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* 🌱 Extract cmd/watcher business logic into pkg/watcher Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * 🐛 Fix Kagenti provider import alias Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * 🌱 Fix service exports handler test expectations Reset the test kubeconfig before injecting ServiceExport clusters so\nListServiceExports only probes the fake clusters configured by the\ntest. This avoids the placeholder test-cluster triggering a real\ndynamic client lookup and Fiber test timeout.\n\nCo-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> --------- Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

…#16551) * 🔒 Fix percent-encoded path traversal bypass in missions-file function Harden hasInvalidPathInput and hasInvalidRefInput to iteratively decode percent-encoded values before checking for traversal patterns. Previously, payloads like %252e%252e would bypass the literal '..' check after a single URL decode pass. Matches the defense-in-depth pattern already used in the Go backend's sanitizePath function (pkg/api/handlers/missions_cache.go). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * 🌱 Fix duplicate RequireAdmin declaration Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * 🌱 Add unit test for percent-encoded path traversal fix Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> --------- Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

…6529) * 🔒 Restrict admin bootstrap to prevent unauthorized auto-promotion Fixes #16485 Removes the privilege escalation vulnerability where any authenticated user could be silently promoted to admin if all admins were deleted or if the admin count reached zero. ## Security Changes - **Removed auto-bootstrap from requireAdmin()**: The admin role check no longer automatically promotes users even when admin count is zero. This prevents privilege escalation if all admins are removed (manually, via bug, or via DB corruption). - **Bootstrap now controlled via environment variable**: Added BOOTSTRAP_ADMIN_ALLOWED environment variable (defaults to false) to explicitly control whether bootstrap promotion is allowed at all. - **Bootstrap only during initial OAuth setup**: Bootstrap promotion now only occurs during the initial user creation in auth_handler.go during OAuth login flow, not on every admin endpoint check. ## Impact - Self-hosted consoles must set BOOTSTRAP_ADMIN_ALLOWED=true to enable first-user admin bootstrap during initial setup. - Once an admin is created, the bootstrap mechanism is effectively disabled unless BOOTSTRAP_ADMIN_ALLOWED is explicitly set. - If all admins are removed, no new admins can be auto-promoted. ## CWE CWE-269: Improper Privilege Management Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * chore: retrigger CI after Docker registry timeout Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * 🌱 Fix auth_helpers test expectations for restricted bootstrap Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * � Fix admin bootstrap to allow first-user promotion while restricting subsequent Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> --------- Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* 🌱 Split Store interface into focused sub-interfaces (ISP) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * 🐛 Fix interface signatures to match SQLiteStore implementation Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * 🐛 Fix interface compliance after Store ISP split Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> --------- Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

) * 🔒 Sanitize nightly E2E image parsing against prototype pollution Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * chore: retrigger CI after Docker registry timeout Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * 🌱 Add test for nightly E2E image sanitization Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * 🐛 Fix prototype pollution rejection in nested image parsing Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> --------- Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Add requireEditorOrAdmin check to Chat and CallTool handlers so viewer-role users can no longer invoke arbitrary kagent agents/tools that may execute privileged Kubernetes operations. Also removes the duplicate RequireAdmin declaration that broke build. Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

- Add Owner field (uuid.UUID) to OrbitMission struct - Set mission owner to current user on creation via middleware.GetUserID - Filter ListMissions by owner (admins see all missions) - Restrict RunMission to mission owner or admin - Pass store.Store to OrbitHandler for role checks - Update NewOrbitHandler signature and all callers Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

* 🐛 Fix useJobs test race: wait for error instead of isLoading The test 'handles non-Error thrown values from SSE' failed because module-level jobsCache persists between tests. When cached data exists, isLoading starts as false, so waitFor(isLoading===false) resolves immediately before refetch completes. Fix by waiting directly for the error assertion. Signed-off-by: Test User <test@example.com> * 🐛 Fix test failure in useJobs non-Error thrown values from SSE Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Test User <test@example.com> --------- Signed-off-by: Test User <test@example.com> Co-authored-by: Test User <test@example.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

) * ✨ Add user feedback dialogs and loading states for async actions - Disable send button while mission is running/cancelling to prevent double-submission - Show spinner icon on send/retry buttons during async operations - Disable input fields while async operations are in progress - Improves UX by preventing accidental duplicate submissions and providing visual feedback Fixes #17108 #17109 Signed-off-by: Test User <test@example.com> * fix: correct JSX ternary structure in MissionChatInput Signed-off-by: Test User <test@example.com> * 🐛 Remove redundant status checks in narrowed TypeScript branches The ternary chain already handles 'running' and 'cancelling' status at the top, so within subsequent branches TypeScript correctly narrows the type. Remove impossible comparisons that cause TS2367 build errors. Signed-off-by: Test User <test@example.com> --------- Signed-off-by: Test User <test@example.com> Co-authored-by: Test User <test@example.com>

* 🐛 Document intentional first-cluster selection patterns Add safety documentation for clusters[0] access in card components. All flagged locations already have proper guards (length checks, conditionals). The [0] access is intentional for auto-selection fallback behavior. - NamespaceOverview: Auto-select first cluster when none selected - ResourceMarshall: Demo mode auto-selection - NamespaceRBAC: Demo data fallback - OverlayComparison: Demo mode initialization - Kubectl: Fallback after preferring current-context Other flagged locations verified as correct: - NetworkGlobe: Intentional pair selection for animation paths - useFailoverTimeline: Primary cluster is semantically first in failover - InstallCTAFlow: Handles single/multi cluster with conditionals - GitOps: Uses [0] only when length === 1 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Test User <test@example.com> * 🐛 Avoid implicit first-cluster defaults Stop silently selecting the first visible cluster in multicluster cards and show all failover target clusters instead of attributing them to the first entry. Add multicluster regression coverage for the affected cards and failover timeline hook. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Test User <test@example.com> --------- Signed-off-by: Test User <test@example.com> Co-authored-by: Test User <test@example.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* ✨ Add health indicators to dashboard components Add visual health status indicators to compliance dashboards and dashboard card context to show cluster connectivity status, degraded/ healthy state, and alerts for unhealthy resources. Changes: - Add DashboardHealthIndicator to RBACAuditDashboard and SBOMDashboard - Add system health status cards showing: - RBAC: over-privileged/unused bindings with critical/warning/healthy state - SBOM: vulnerability counts with critical/warning/healthy state - Add health status tracking types to DashboardCardActionsContext - Update tests to verify health indicators are displayed - Add cluster health indicator test for NamespaceOverview Fixes #17112 Signed-off-by: Test User <test@example.com> * 🐛 add missing dashboard health indicators Add header health badges to the RBAC and SBOM dashboards, and surface namespace overview health status so dashboard views expose clear health indicators. Update the related tests and namespaceOverview translations to cover the new indicators. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Test User <test@example.com> * 🐛 Add missing ClusterStatusBadge and getClusterState imports Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Test User <test@example.com> --------- Signed-off-by: Test User <test@example.com> Co-authored-by: Test User <test@example.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* 🐛 Fix test failure in Coverage Suite run #3627 Normalize cached failover timeline binding reschedule events so multi-cluster targets are surfaced consistently in the cluster field. Signed-off-by: Test User <test@example.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * 🌱 update multicluster useFailoverTimeline test for multi-cluster binding fix Add test case verifying non-reschedule events preserve their cluster field, ensuring the normalize path only activates for binding_reschedule events. Signed-off-by: Test User <test@example.com> --------- Signed-off-by: Test User <test@example.com> Co-authored-by: Test User <test@example.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Align the test i18n mock with the NamespaceOverview health badge translation so the multi-cluster selector assertion matches component behavior. Signed-off-by: Test User <test@example.com> Co-authored-by: Test User <test@example.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Passed: 31/32 Failed: 1 [skip ci]

Dashboard health indicators (#17114) add rendering overhead to compliance cards during warm-return, increasing cache miss likelihood on CI shared runners under contention. Bump the tolerance from 8→10 to absorb nightly flakiness while remaining meaningful. Fixes #17120 Signed-off-by: Test User <test@example.com> Co-authored-by: Test User <test@example.com>

Introduces newTestServer() with functional options pattern to enable unit testing of HTTP handlers without requiring full server setup. Includes tests for: - handleHealth: GET, CORS, OPTIONS preflight, disallowed origins - handleStatus: unauthorized, authorized, OPTIONS, no-token-configured This test infrastructure enables future handler tests for 31 currently untested files that require a Server instance. Fixes #17147 Signed-off-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Signed-off-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Avoids redeclaration error with existing newTestServer in server_federation_test.go. All helper names now use 'Handler' prefix to differentiate from the federation test helpers. Signed-off-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

kubestellar-prow · 2026-06-06T15:18:19Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign clubanderson for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

netlify · 2026-06-06T15:18:20Z

✅ Deploy Preview for kubestellarconsole canceled.

Name	Link
🔨 Latest commit	`ce5212c`
🔍 Latest deploy log	https://app.netlify.com/projects/kubestellarconsole/deploys/6a243a3ac537bb000857086f

github-actions · 2026-06-06T15:18:22Z

👋 Hey @clubanderson — thanks for opening this PR!

🤖 This project is developed exclusively using AI coding assistants.

Please do not attempt to code anything for this project manually.
All contributions should be authored using an AI coding tool such as:

Claude Code (Opus 4.5 / 4.6) — recommended

GitHub Copilot

Cursor

Other AI coding assistants

This ensures consistency in code style, architecture patterns, test coverage,
and commit quality across the entire codebase.

This is an automated message.

Copilot

Pull request overview

Adds a new unit-test helper for constructing a minimal *agent.Server and introduces focused httptest-based coverage for the /health and /status HTTP handlers, intended to unblock broader handler testing in pkg/agent.

Changes:

Introduces newHandlerTestServer() with functional options to configure minimal Server instances for handler tests.
Adds 9 unit tests covering handleHealth (CORS + preflight + payload) and handleStatus (auth + preflight + no-token mode).

+func withHandlerToken(token string) handlerTestOption {
+	return func(s *Server) {
+		s.agentToken = token
+	}


+func newHandlerTestServer(t *testing.T, opts ...handlerTestOption) *Server {
+	t.Helper()
+	s := &Server{
+		config:             Config{Port: 0},
+		clients:            make(map[*websocket.Conn]*wsClient),
+		allowedOrigins:     []string{"http://localhost", "https://localhost"},
+		activeChatCtxs:     make(map[string]activeChatEntry),
+		dryRunSessions:     make(map[string]bool),
+		resourceRetryState: make(map[string]clusterResourceRetryState),
+		stopCh:             make(chan struct{}),
+		sessionStart:       time.Now(),
+		todayDate:          time.Now().Format("2006-01-02"),
+		stellarForwardSem:  make(chan struct{}, 4),
+	}
+	for _, opt := range opts {
+		opt(s)
+	}
+	return s
+}


github-actions · 2026-06-06T20:37:46Z

Status Check

This hold-gated quality PR has had no activity for ~5 hours and was missing the ai-needs-human label (now added).

Check state:

❌ post-directions — FAILING since 15:18 UTC — this is a systemic failure affecting multiple hold-gated AI-generated PRs; not specific to this PR's content and does not block review
✅ All other checks passing (builds linux/amd64 + arm64, go test ./..., Verify console starts, CodeQL, Copilot reviewer, ts-null-safety, pr-check)

Current state: PR carries the hold label (hold-gated mode — human review required). No new commits or activity since 15:21 UTC (~5 hours ago).

Recommended next steps for a human maintainer:

Review the 9 httptest-based unit tests covering handleHealth (CORS, preflight, payload) and handleStatus (auth, preflight, no-token mode)
If the test coverage and implementation are correct, remove the hold label to unblock merge
The post-directions failure is a known systemic issue on hold-gated AI PRs — it should not influence the review decision

Generated by Stuck Detection Workflow · sonnet46 2.8M · ◷

github-actions · 2026-06-07T17:43:21Z

Status Check (Follow-up — ~21h since last escalation)

PR: #17148 — [quality] Add handler test helper and health/status endpoint tests
Stuck since: opened 2026-06-06T15:18Z · no human action in ~26h

Current State

Check	Status
`post-directions`	❌ FAILING (systemic issue on hold-gated AI PRs — does not affect review)
All other checks (builds, `go test ./...`, CodeQL, Verify console starts, ts-null-safety, pr-check)	✅ PASSING
`hold` label	blocking merge
Human review	none

Summary

This PR introduces newHandlerTestServer() — a lightweight test constructor — and 9 httptest-based tests covering handleHealth (CORS, preflight, payload) and handleStatus (auth, preflight, no-token mode). No external dependencies or cluster access required.

Recommended Next Steps

Review the 9 unit tests and test helper implementation
The post-directions failure is a known systemic issue on hold-gated AI PRs and should not influence the review decision
If the implementation is correct, remove hold and provide /lgtm + /approve

Generated by Stuck Detection Workflow · sonnet46 4.2M · ◷

kubestellar-hive Bot and others added 30 commits June 2, 2026 16:41

✨ Split Config struct into sub-configs by concern (#16468)

2843663

Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

🔒 Validate Bearer tokens in quantum proxy (#16521)

efb3338

Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

kubestellar-hive Bot and others added 12 commits June 5, 2026 17:59

chore: update auto-qa tuning config (daily feedback)

9a023cd

chore: nightly test results for 2026-06-06

581a2f0

Passed: 31/32 Failed: 1 [skip ci]

[quality] Fix missing gorilla/websocket import in test helper

341a284

Signed-off-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Copilot AI review requested due to automatic review settings June 6, 2026 15:18

kubestellar-prow Bot added the dco-signoff: yes Indicates the PR's author has signed the DCO. label Jun 6, 2026

clubanderson added hold Blocked — do not touch quality testing and removed dco-signoff: yes Indicates the PR's author has signed the DCO. labels Jun 6, 2026

github-actions Bot added ai-generated Pull request generated by AI tier/1-lightweight labels Jun 6, 2026

kubestellar-prow Bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Jun 6, 2026

Copilot started reviewing on behalf of clubanderson June 6, 2026 15:18 View session

Copilot AI reviewed Jun 6, 2026

View reviewed changes

github-actions Bot added the ai-needs-human AI automation unavailable - needs human intervention label Jun 6, 2026

clubanderson force-pushed the main branch from 94cb658 to b33f176 Compare June 8, 2026 14:43

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[quality] Add handler test helper and health/status endpoint tests#17148

[quality] Add handler test helper and health/status endpoint tests#17148
clubanderson wants to merge 7675 commits into
mainfrom
quality/test-server-helpers

clubanderson commented Jun 6, 2026

Uh oh!

kubestellar-prow Bot commented Jun 6, 2026

Uh oh!

netlify Bot commented Jun 6, 2026 •

edited

Loading

Uh oh!

github-actions Bot commented Jun 6, 2026

Uh oh!

Copilot AI left a comment

Uh oh!

github-actions Bot commented Jun 6, 2026

Uh oh!

github-actions Bot commented Jun 7, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

clubanderson commented Jun 6, 2026

Test Improvement

Test Helper (newHandlerTestServer)

Tests included (9 test cases)

Impact

Uh oh!

kubestellar-prow Bot commented Jun 6, 2026

Uh oh!

netlify Bot commented Jun 6, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

✅ Deploy Preview for kubestellarconsole canceled.

Uh oh!

github-actions Bot commented Jun 6, 2026

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

github-actions Bot commented Jun 6, 2026

Status Check

Uh oh!

github-actions Bot commented Jun 7, 2026

Status Check (Follow-up — ~21h since last escalation)

Current State

Summary

Recommended Next Steps

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Test Helper (`newHandlerTestServer`)

netlify Bot commented Jun 6, 2026 •

edited

Loading