refactor: deduplicate SSL-Bump fixture in squid-config-security tests

[Copilot]

The SSL-Bump generateSquidConfig fixture (sslBump: true, caFiles, sslDbPath) was copy-pasted verbatim 3 times in the defense-in-depth describe block, differing only in urlPatterns. A rename of any SSL-bump field would require edits in all copies with no compile-time signal if one was missed.

Changes

• src/squid-config-security.test.ts: Extract a shared sslBumpBase constant at the top of the defense-in-depth describe block; replace the three duplicate fixture objects with { ...sslBumpBase, urlPatterns: [...] } spreads.

const sslBumpBase = {
  domains: ['evil.com'],
  port: defaultPort,
  sslBump: true as const,
  caFiles: { certPath: '/tmp/cert.pem', keyPath: '/tmp/key.pem' },
  sslDbPath: '/tmp/ssl_db',
} satisfies Partial<Parameters<typeof generateSquidConfig>[0]>;

// Each injection test becomes:
generateSquidConfig({ ...sslBumpBase, urlPatterns: [maliciousPattern] });

The satisfies constraint ensures TypeScript will surface any schema mismatch at the single declaration site rather than silently at runtime.

[Copilot]

Pull request overview

Refactors squid-config-security tests to deduplicate the repeated SSL-Bump configuration fixture used in the URL-pattern injection guard tests, reducing copy/paste drift risk when the generateSquidConfig input schema changes.

Changes:

• Extracted a shared sslBumpBase object in the “defense-in-depth” test block.
• Replaced three repeated generateSquidConfig({...}) fixtures with { ...sslBumpBase, urlPatterns: [...] }.
• Added a satisfies Partial<Parameters<typeof generateSquidConfig>[0]> constraint to ensure fixture fields stay aligned with the config type.

Show a summary per file

File	Description
src/squid-config-security.test.ts	Deduplicates SSL-Bump test fixture setup for URL-pattern injection tests while keeping type-checked alignment with generateSquidConfig input.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 1/1 changed files
• Comments generated: 0

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	95.73%	95.80%	📈 +0.07%
Statements	95.56%	95.63%	📈 +0.07%
Functions	96.86%	96.86%	➡️ +0.00%
Branches	89.30%	89.34%	📈 +0.04%

📁 Per-file Coverage Changes (1 files)

File	Lines (Before → After)	Statements (Before → After)
src/config-writer.ts	83.0% → 85.6% (+2.54%)	83.0% → 85.6% (+2.54%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[github-actions]

Smoke Test Results

✅ GitHub API - 2 PR entries confirmed in recent-prs.json
✅ Playwright - GitHub page title contains "GitHub"
✅ File verify - smoke-test-claude-26195426021.txt exists and is readable

Result: PASS — All smoke tests passed

💥 [THE END] — Illustrated by Smoke Claude

[github-actions]

🔬 Smoke Test Results

Test	Result
GitHub MCP connectivity	✅ PR #3480 fetched successfully
GitHub.com HTTP	⚠️ Pre-step data not expanded
File write/read	⚠️ Pre-step data not expanded

PR: refactor: deduplicate SSL-Bump fixture in squid-config-security tests
Author: @Copilot | Assignees: @lpcox, @Copilot

Overall: PARTIAL — MCP ✅, pre-step variables were not substituted (workflow template issue)

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

Smoke Test: Copilot BYOK (Offline) Mode

Test	Result
GitHub MCP (latest merged PR: "fix: align OTEL attributes with gen_ai semconv spec")	✅
GitHub.com connectivity	⚠️ template not expanded
File write/read	⚠️ template not expanded
BYOK inference (agent → api-proxy → api.githubcopilot.com)	✅

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com

PR by @Copilot, assignees: @lpcox, @Copilot

Overall: PARTIAL (pre-step template variables not substituted; BYOK + MCP confirmed working)

🔑 BYOK report filed by Smoke Copilot BYOK

[github-actions]

Gemini Smoke Test: FAIL (MCP/Net ❌, File/Bash ✅)

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini

[github-actions]

Smoke Test Results

• Redis PING: ❌ (timeout/no response)
• PostgreSQL pg_isready: ❌ (no response)
• PostgreSQL SELECT 1: ❌ (not attempted — pg_isready failed)

Overall: FAIL — host.docker.internal is not reachable from this runner. Service containers may not be configured for this workflow.

🔌 Service connectivity validated by Smoke Services

[github-actions]

✅ Merged PRs: fix: align OTEL attributes with gen_ai semconv spec; fix: Use --build-local in smoke-otel-tracing for latest api-proxy code
❌ SafeInputs GH: refactor(tests): extract makeMockExecaProcess helper in log-streamer.test.ts; refactor: extract useCleanupTestDir to eliminate repeated test boilerplate
✅ Playwright title: GitHub
❌ Tavily search: no Tavily tools available
✅ File/bash and build: passed
❌ Discussion query: safe-input tool missing; oracle comment posted via fallback
Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions]

Chroot Smoke Test Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.13	Python 3.12.3	❌ NO
Node.js	v24.15.0	v20.20.2	❌ NO
Go	go1.22.12	go1.22.12	✅ YES

Overall: ❌ FAILED — Python and Node.js versions differ between host and chroot environments.

Tested by Smoke Chroot

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	1/1 passed	✅ PASS
Go	env	✅	1/1 passed	✅ PASS
Go	uuid	✅	1/1 passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	All passed	✅ PASS
Node.js	execa	✅	All passed	✅ PASS
Node.js	p-limit	✅	All passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #3480 · ● 5M · ◷