diff --git a/.github/agents/Backend_Dev.agent.md b/.github/agents/Backend_Dev.agent.md index c5cb252d..15385c1c 100644 --- a/.github/agents/Backend_Dev.agent.md +++ b/.github/agents/Backend_Dev.agent.md @@ -49,6 +49,9 @@ Your priority is writing code that is clean, tested, and secure by default. - Run `go mod tidy`. - Run `go fmt ./...`. - Run `go test ./...` to ensure no regressions. + - **Local Patch Coverage Preflight (MANDATORY)**: Run VS Code task `Test: Local Patch Report` or `bash scripts/local-patch-report.sh` before backend coverage runs. + - Ensure artifacts exist: `test-results/local-patch-report.md` and `test-results/local-patch-report.json`. + - Use the file-level coverage gap list to target tests before final coverage validation. - **Coverage (MANDATORY)**: Run the coverage task/script explicitly and confirm Codecov Patch view is green for modified lines. - **MANDATORY**: Patch coverage must cover 100% of new/modified code. This prevents CodeCov Report failing CI. - **VS Code Task**: Use "Test: Backend with Coverage" (recommended) diff --git a/.github/agents/Frontend_Dev.agent.md b/.github/agents/Frontend_Dev.agent.md index d20dd09d..1d381828 100644 --- a/.github/agents/Frontend_Dev.agent.md +++ b/.github/agents/Frontend_Dev.agent.md @@ -40,6 +40,9 @@ You are a SENIOR REACT/TYPESCRIPT ENGINEER with deep expertise in: - Add proper error boundaries and loading states 3. **Testing**: + - **Run local patch preflight first**: Execute VS Code task `Test: Local Patch Report` or `bash scripts/local-patch-report.sh` before unit/coverage test runs. + - Confirm artifacts exist: `test-results/local-patch-report.md` and `test-results/local-patch-report.json`. + - Use the report's file-level uncovered list to prioritize frontend test additions. - Write unit tests with Vitest and Testing Library - Cover edge cases and error states - Run tests with `npm test` in `frontend/` directory 
diff --git a/.github/agents/Management.agent.md b/.github/agents/Management.agent.md index 620bacb7..11120e57 100644 --- a/.github/agents/Management.agent.md +++ b/.github/agents/Management.agent.md 
@@ -144,20 +144,25 @@ The task is not complete until ALL of the following pass with zero issues: - **Base URL**: Uses `PLAYWRIGHT_BASE_URL` or default from `playwright.config.js` - All E2E tests must pass before proceeding to unit tests -2. **Coverage Tests (MANDATORY - Verify Explicitly)**: +2. **Local Patch Coverage Preflight (MANDATORY - Before Unit/Coverage Tests)**: + - Ensure the local patch report is run first via VS Code task `Test: Local Patch Report` or `bash scripts/local-patch-report.sh`. + - Verify both artifacts exist: `test-results/local-patch-report.md` and `test-results/local-patch-report.json`. + - Use this report to identify changed files needing coverage before running backend/frontend coverage suites. + +3. **Coverage Tests (MANDATORY - Verify Explicitly)**: - **Backend**: Ensure `Backend_Dev` ran VS Code task "Test: Backend with Coverage" or `scripts/go-test-coverage.sh` - **Frontend**: Ensure `Frontend_Dev` ran VS Code task "Test: Frontend with Coverage" or `scripts/frontend-test-coverage.sh` - **Why**: These are in manual stage of pre-commit for performance. Subagents MUST run them via VS Code tasks or scripts. - Minimum coverage: 85% for both backend and frontend. - All tests must pass with zero failures. -3. **Type Safety (Frontend)**: +4. **Type Safety (Frontend)**: - Ensure `Frontend_Dev` ran VS Code task "Lint: TypeScript Check" or `npm run type-check` - **Why**: This check is in manual stage of pre-commit for performance. Subagents MUST run it explicitly. -4. **Pre-commit Hooks**: Ensure `QA_Security` ran `pre-commit run --all-files` (fast hooks only; coverage was verified in step 2) +5. **Pre-commit Hooks**: Ensure `QA_Security` ran `pre-commit run --all-files` (fast hooks only; coverage was verified in step 3) -5. **Security Scans**: Ensure `QA_Security` ran the following with zero Critical or High severity issues: +6. 
**Security Scans**: Ensure `QA_Security` ran the following with zero Critical or High severity issues: - **Trivy Filesystem Scan**: Fast scan of source code and dependencies - **Docker Image Scan (MANDATORY)**: Comprehensive scan of built Docker image - **Critical Gap**: This scan catches vulnerabilities that Trivy misses: @@ -171,9 +176,9 @@ The task is not complete until ALL of the following pass with zero issues: - **CodeQL Scans**: Static analysis for Go and JavaScript - **QA_Security Requirements**: Must run BOTH Trivy and Docker Image scans, compare results, and block approval if image scan reveals additional vulnerabilities not caught by Trivy -6. **Linting**: All language-specific linters must pass +7. **Linting**: All language-specific linters must pass -7: **Provide Detailed Commit Message**: Write a comprehensive commit message following the format and rules outlined in `.github/instructions/commit-message.instructions.md`. The message must be meaningful without viewing the diff and should explain the behavior changes, reasons for the change, and any important side effects or considerations. +8: **Provide Detailed Commit Message**: Write a comprehensive commit message following the format and rules outlined in `.github/instructions/commit-message.instructions.md`. The message must be meaningful without viewing the diff and should explain the behavior changes, reasons for the change, and any important side effects or considerations. **Your Role**: You delegate implementation to subagents, but YOU are responsible for verifying they completed the Definition of Done. Do not accept "DONE" from a subagent until you have confirmed they ran coverage tests, type checks, and security scans explicitly. diff --git a/.github/agents/QA_Security.agent.md b/.github/agents/QA_Security.agent.md index a442b234..b62379c4 100644 --- a/.github/agents/QA_Security.agent.md +++ b/.github/agents/QA_Security.agent.md 
@@ -29,24 +29,29 @@ You are a QA AND SECURITY ENGINEER responsible for testing and vulnerability ass 1. **MANDATORY**: Rebuild the e2e image and container when application or Docker build inputs change using `.github/skills/scripts/skill-runner.sh docker-rebuild-e2e`. Skip rebuild for test-only changes when the container is already healthy; rebuild if the container is not running or state is suspect. -2. **Test Analysis**: +2. **Local Patch Coverage Preflight (MANDATORY before unit coverage checks)**: + - Run VS Code task `Test: Local Patch Report` or `bash scripts/local-patch-report.sh` from repo root. + - Verify both artifacts exist: `test-results/local-patch-report.md` and `test-results/local-patch-report.json`. + - Use file-level uncovered changed-line output to drive targeted unit-test recommendations. + +3. **Test Analysis**: - Review existing test coverage - Identify gaps in test coverage - Review test failure outputs with `test_failure` tool -3. **Security Scanning**: +4. **Security Scanning**: - Run Trivy scans on filesystem and container images - Analyze vulnerabilities with `mcp_trivy_mcp_findings_list` - Prioritize by severity (CRITICAL > HIGH > MEDIUM > LOW) - Document remediation steps -4. **Test Implementation**: +5. **Test Implementation**: - Write unit tests for uncovered code paths - Write integration tests for API endpoints - Write E2E tests for user workflows - Ensure tests are deterministic and isolated -5. **Reporting**: +6. **Reporting**: - Document findings in clear, actionable format - Provide severity ratings and remediation guidance - Track security issues in `docs/security/` diff --git a/.github/instructions/copilot-instructions.md b/.github/instructions/copilot-instructions.md index 467ff807..e73a4653 100644 --- a/.github/instructions/copilot-instructions.md +++ b/.github/instructions/copilot-instructions.md 
@@ -135,7 +135,13 @@ Before marking an implementation task as complete, perform the following in orde - **Base URL**: Uses `PLAYWRIGHT_BASE_URL` or default from `playwright.config.js` - All E2E tests must pass before proceeding to unit tests -2. **Security Scans** (MANDATORY - Zero Tolerance): +2. **Local Patch Coverage Preflight** (MANDATORY - Run Before Unit/Coverage Tests): + - **Run**: VS Code task `Test: Local Patch Report` or `bash scripts/local-patch-report.sh` from repo root. + - **Purpose**: Surface exact changed files and uncovered changed lines before adding/refining unit tests. + - **Required Artifacts**: `test-results/local-patch-report.md` and `test-results/local-patch-report.json`. + - **Expected Behavior**: Report may warn (non-blocking rollout), but artifact generation is mandatory. + +3. **Security Scans** (MANDATORY - Zero Tolerance): - **CodeQL Go Scan**: Run VS Code task "Security: CodeQL Go Scan (CI-Aligned)" OR `pre-commit run codeql-go-scan --all-files` - Must use `security-and-quality` suite (CI-aligned) - **Zero high/critical (error-level) findings allowed** 
@@ -157,12 +163,12 @@ Before marking an implementation task as complete, perform the following in orde - Database creation: `--threads=0 --overwrite` - Analysis: `--sarif-add-baseline-file-info` -3. **Pre-Commit Triage**: Run `pre-commit run --all-files`. +4. **Pre-Commit Triage**: Run `pre-commit run --all-files`. - If errors occur, **fix them immediately**. - If logic errors occur, analyze and propose a fix. - Do not output code that violates pre-commit standards. -4. **Staticcheck BLOCKING Validation**: Pre-commit hooks automatically run fast linters including staticcheck. +5. **Staticcheck BLOCKING Validation**: Pre-commit hooks automatically run fast linters including staticcheck. - **CRITICAL:** Staticcheck errors are BLOCKING - you MUST fix them before commit succeeds. - Manual verification: Run VS Code task "Lint: Staticcheck (Fast)" or `make lint-fast` - To check only staticcheck: `make lint-staticcheck-only` @@ -170,7 +176,7 @@ Before marking an implementation task as complete, perform the following in orde - If pre-commit fails: Fix the reported issues, then retry commit - **Do NOT** use `--no-verify` to bypass this check unless emergency hotfix -5. **Coverage Testing** (MANDATORY - Non-negotiable): +6. **Coverage Testing** (MANDATORY - Non-negotiable): - **Overall Coverage**: Minimum 85% coverage is MANDATORY and will fail the PR if not met. - **Patch Coverage**: Developers should aim for 100% coverage of modified lines (Codecov Patch view). If patch coverage is incomplete, add targeted tests. However, patch coverage is a suggestion and will not block PR approval. - **Backend Changes**: Run the VS Code task "Test: Backend with Coverage" or execute `scripts/go-test-coverage.sh`. 
@@ -184,21 +190,21 @@ Before marking an implementation task as complete, perform the following in orde - **Critical**: Coverage tests are NOT run by default pre-commit hooks (they are in manual stage for performance). You MUST run them explicitly via VS Code tasks or scripts before completing any task. - **Why**: CI enforces coverage in GitHub Actions. Local verification prevents CI failures and maintains code quality. -6. **Type Safety** (Frontend only): +7. **Type Safety** (Frontend only): - Run the VS Code task "Lint: TypeScript Check" or execute `cd frontend && npm run type-check`. - Fix all type errors immediately. This is non-negotiable. - This check is also in manual stage for performance but MUST be run before completion. -7. **Verify Build**: Ensure the backend compiles and the frontend builds without errors. +8. **Verify Build**: Ensure the backend compiles and the frontend builds without errors. - Backend: `cd backend && go build ./...` - Frontend: `cd frontend && npm run build` -8. **Fixed and New Code Testing**: +9. **Fixed and New Code Testing**: - Ensure all existing and new unit tests pass with zero failures. - When failures and errors are found, deep-dive into root causes. Using the correct `subAgent`, update the working plan, review the implementation, and fix the issues. - No issue is out of scope for investigation and resolution. All issues must be addressed before task completion. -9. **Clean Up**: Ensure no debug print statements or commented-out blocks remain. +10. **Clean Up**: Ensure no debug print statements or commented-out blocks remain. - Remove `console.log`, `fmt.Println`, and similar debugging statements. - Delete commented-out code blocks. - Remove unused imports. diff --git a/.github/instructions/testing.instructions.md b/.github/instructions/testing.instructions.md index 2b265da1..cd26d938 100644 --- a/.github/instructions/testing.instructions.md +++ b/.github/instructions/testing.instructions.md 
@@ -8,6 +8,26 @@ description: 'Strict protocols for test execution, debugging, and coverage valid **MANDATORY**: Before running unit tests, verify the application UI/UX functions correctly end-to-end. +## 0.5 Local Patch Coverage Preflight (Before Unit Tests) + +**MANDATORY**: After E2E and before backend/frontend unit coverage runs, generate a local patch report so uncovered changed lines are visible early. + +Run one of the following from `/projects/Charon`: + +```bash +# Preferred (task) +Test: Local Patch Report + +# Script +bash scripts/local-patch-report.sh +``` + +Required artifacts: +- `test-results/local-patch-report.md` +- `test-results/local-patch-report.json` + +This preflight is advisory for thresholds during rollout, but artifact generation is required in DoD. + ### PREREQUISITE: Start E2E Environment **CRITICAL**: Rebuild the E2E container when application or Docker build inputs change. If changes are test-only and the container is already healthy, reuse it. If the container is not running or state is suspect, rebuild.
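Review bot: The preflight ordering across all five files ("before backend coverage runs", "before unit/coverage test runs", "Before Unit/Coverage Tests") conflicts with what the step is supposed to produce. A "file-level coverage gap list" of uncovered changed lines needs coverage data from somewhere; either `scripts/local-patch-report.sh` runs the test suites itself, in which case the later "Test: Backend with Coverage" / "Test: Frontend with Coverage" steps repeat that work, or it consumes existing coverage output, in which case running it first reports stale or empty coverage for the current change. State in each file what the script consumes (its diff base and the coverage profile paths) and place it after the coverage run it depends on, or document that it runs the tests itself.

Review bot: "Ensure artifacts exist" / "Verify both artifacts exist" (Backend_Dev, Frontend_Dev, Management step 2, QA_Security step 2, copilot-instructions step 2) is satisfied by leftover files from an earlier run, so it does not prove the preflight ran against the current change. Require a fresh run instead: remove `test-results/local-patch-report.md` and `test-results/local-patch-report.json` before invoking the script, or have the verifier check that the JSON records the current base/HEAD. Also confirm `test-results/` is gitignored; a mandatory "confirm the files exist" step invites committing them.

Review bot: The Backend_Dev hunk's context still says "**MANDATORY**: Patch coverage must cover 100% of new/modified code. This prevents CodeCov Report failing CI." while copilot-instructions step 6 says "patch coverage is a suggestion and will not block PR approval." A patch-coverage preflight is being added to both files, so pick one policy and use the same sentence in both; as written a subagent reading only Backend_Dev treats a red patch view as a blocker and one reading only copilot-instructions does not.

Review bot: The "Report may warn (non-blocking rollout)" caveat in copilot-instructions step 2 and "advisory for thresholds during rollout" in testing.instructions do not appear in the three agent files, which label the same step MANDATORY with no exception. Define failure once and copy it everywhere: a non-zero exit from `bash scripts/local-patch-report.sh` or missing artifacts blocks; warnings in the report with both artifacts present do not. Say what ends the "rollout" period, otherwise the advisory status never expires.

Review bot: In the Management hunk, step 2 reads "Ensure the local patch report is run first" without naming who runs it, whereas step 3 names `Backend_Dev` and `Frontend_Dev` and step 5 names `QA_Security`. Since Backend_Dev, Frontend_Dev and QA_Security each now instruct themselves to run the same script, the report is generated up to three times per task; assign one owner (QA_Security already does "Test Analysis" and "Identify gaps in test coverage") and phrase step 2 as verification, matching the "Ensure `X` ran ..." form. The renumbering and the "coverage was verified in step 3" back-reference are correct; while touching "8: **Provide Detailed Commit Message**", change the colon after 8 to a period to match steps 1 to 7.

Review bot: In the testing.instructions hunk, the bash fence contains `Test: Local Patch Report`, which is a VS Code task label, not a shell command; pasting the block fails at that line. Keep only `bash scripts/local-patch-report.sh` as executable text and move the task name to prose or a `#` comment. "Run one of the following from `/projects/Charon`" hardcodes one checkout's path while every other file says "from repo root"; use the same wording. The new heading `## 0.5 Local Patch Coverage Preflight (Before Unit Tests)` is level 2 and the following `### PREREQUISITE: Start E2E Environment` is level 3, so the E2E prerequisite now renders as a subsection of the preflight even though the text says the preflight runs after E2E; match the surrounding heading level and place the section after the E2E material it is supposed to follow.

Review bot: Every file now references `scripts/local-patch-report.sh` and the VS Code task `Test: Local Patch Report`, but neither the script nor a `.vscode/tasks.json` change is part of this diff. Confirm both already exist or land in the same PR; otherwise a MANDATORY step cannot be completed and every subagent's Definition of Done is blocked on a missing file.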