Merge pull request #982 from mnfst/full-coverage

test: achieve 100% line coverage across all packages

Author: brunobuddy

.changeset/full-coverage.md

@@ -0,0 +1,5 @@
+---
+"manifest": patch
+---
+
+Achieve 100% line coverage across backend, frontend, and plugin test suites

CLAUDE.md

@@ -1,6 +1,6 @@
 # Manifest Development Guidelines
 
-Last updated: 2026-03-02
+Last updated: 2026-03-05
 
 ## IMPORTANT: Local Mode First
 
@@ -429,11 +429,21 @@ Codecov runs on every PR via the `codecov/patch` and `codecov/project` checks. C
 ### Thresholds
 
 - **Project coverage** (`codecov/project`): Must not drop more than **1%** below the base branch (`target: auto`, `threshold: 1%`).
-- **Patch coverage** (`codecov/patch`): New/changed lines must have at least **auto - 5%** coverage (`target: auto`, `threshold: 5%`). In practice, aim for **>90%** patch coverage.
+- **Patch coverage** (`codecov/patch`): New/changed lines must have at least **auto - 5%** coverage (`target: auto`, `threshold: 5%`).
 
-### CRITICAL: Write Tests for New Code
+### CRITICAL: 100% Line Coverage Required
 
-**Every new source file or modified function must have corresponding tests.** Codecov will fail the PR if changed lines are not covered. This applies to:
+**Every PR must maintain 100% line coverage across all three packages.** The codebase currently has full line coverage and every PR must preserve it. This means:
+
+- All new source files must have corresponding tests with 100% line coverage
+- All modified functions must have tests covering every line, including error paths
+- **Patch coverage must be 100%** — no new uncovered lines allowed
+- Run coverage locally before creating a PR:
+  - `cd packages/backend && npx jest --coverage`
+  - `cd packages/frontend && npx vitest run --coverage`
+  - `cd packages/openclaw-plugin && npx jest --coverage`
+
+This applies to:
 
 - New services, guards, controllers, or utilities in `packages/backend/src/`
 - New components or functions in `packages/frontend/src/`

packages/backend/src/auth/auth.instance.ts

@@ -4,6 +4,7 @@ import { VerifyEmailEmail } from '../notifications/emails/verify-email';
 import { ResetPasswordEmail } from '../notifications/emails/reset-password';
 import { sendEmail } from '../notifications/services/email-providers/send-email';
 import { trackCloudEvent } from '../common/utils/product-telemetry';
+import { getLocalAuthSecret } from '../common/constants/local-mode.constants';
 
 const isLocalMode = process.env['MANIFEST_MODE'] === 'local';
 const port = process.env['PORT'] ?? '3001';

packages/backend/src/common/guards/api-key.guard.spec.ts

@@ -132,6 +132,15 @@ describe('ApiKeyGuard', () => {
     expect(mockUpdate).toHaveBeenCalled();
   });
 
+  it('returns true immediately when route is marked @Public()', async () => {
+    (reflector.getAllAndOverride as jest.Mock).mockReturnValueOnce(true);
+    const ctx = makeContext({});
+
+    const result = await guard.canActivate(ctx);
+    expect(result).toBe(true);
+    expect(mockFindOne).not.toHaveBeenCalled();
+  });
+
   it('skips API key validation when request.user is already set', async () => {
     const ctx = {
       switchToHttp: () => ({

packages/backend/src/common/services/cache-invalidation.service.spec.ts

@@ -136,6 +136,24 @@ describe('CacheInvalidationService', () => {
     });
   });
 
+  describe('periodic cleanup timer', () => {
+    it('should clear all tracked keys when cleanup interval fires', () => {
+      service.onModuleInit();
+
+      service.trackKey('user-1', 'key-a');
+      service.trackKey('user-2', 'key-b');
+
+      // Advance past the 60s cleanup interval
+      jest.advanceTimersByTime(60_000);
+
+      // After cleanup, emitting should not trigger any deletions
+      eventBus.emit('user-1');
+      jest.advanceTimersByTime(1000);
+
+      expect(mockDel).not.toHaveBeenCalled();
+    });
+  });
+
   describe('onModuleDestroy', () => {
     it('should unsubscribe from event bus on destroy', () => {
       service.onModuleInit();

packages/backend/src/common/utils/crypto.util.spec.ts

@@ -118,4 +118,21 @@ describe('isEncrypted', () => {
   it('returns false when parts are not valid base64', () => {
     expect(isEncrypted('not!base64:not!base64:not!base64:not!base64')).toBe(false);
   });
+
+  it('returns false when Buffer.from throws (catch branch)', () => {
+    const originalFrom = Buffer.from.bind(Buffer);
+    const mockFrom = jest.fn().mockImplementation(
+      (value: unknown, encoding?: string) => {
+        if (encoding === 'base64') throw new Error('mocked');
+        return originalFrom(value as string, encoding as BufferEncoding);
+      },
+    );
+    Buffer.from = mockFrom as unknown as typeof Buffer.from;
+
+    try {
+      expect(isEncrypted('a:b:c:d')).toBe(false);
+    } finally {
+      Buffer.from = originalFrom as unknown as typeof Buffer.from;
+    }
+  });
 });

packages/backend/src/common/utils/period.util.spec.ts

@@ -106,6 +106,22 @@ describe('computePeriodResetDate', () => {
     expect(reset.getUTCMonth()).toBe(expectedMonth);
   });
 
+  it('week on a Monday: daysUntilMonday falls back to 7', () => {
+    // 2026-03-02 is a Monday (UTC day = 1)
+    const monday = new Date(Date.UTC(2026, 2, 2, 12, 0, 0));
+    jest.useFakeTimers();
+    jest.setSystemTime(monday);
+
+    const result = computePeriodResetDate('week');
+    const reset = new Date(result.replace(' ', 'T') + 'Z');
+
+    // Should be next Monday, exactly 7 days later
+    expect(reset.getUTCDay()).toBe(1);
+    expect(reset.getUTCDate()).toBe(monday.getUTCDate() + 7);
+
+    jest.useRealTimers();
+  });
+
   it('unknown period: defaults to hour-like behavior', () => {
     const result = computePeriodResetDate('unknown');
     expect(result).toMatch(/^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$/);

packages/backend/src/config/app.config.spec.ts

@@ -65,4 +65,16 @@ describe('appConfig', () => {
     expect(config.throttleTtl).toBe(60000);
     expect(config.throttleLimit).toBe(100);
   });
+
+  it('defaults nodeEnv to development when NODE_ENV is not set', async () => {
+    delete process.env['NODE_ENV'];
+    const config = await loadConfig();
+    expect(config.nodeEnv).toBe('development');
+  });
+
+  it('reads NODE_ENV from env', async () => {
+    process.env['NODE_ENV'] = 'production';
+    const config = await loadConfig();
+    expect(config.nodeEnv).toBe('production');
+  });
 });

packages/backend/src/database/database-seeder.service.spec.ts

@@ -86,6 +86,17 @@ describe('DatabaseSeederService', () => {
   });
 
   describe('onModuleInit', () => {
+    it('should skip everything in local mode', async () => {
+      process.env['MANIFEST_MODE'] = 'local';
+
+      await service.onModuleInit();
+
+      // Nothing should be called — early return on line 41
+      expect(mockPricingRepo.upsert).not.toHaveBeenCalled();
+      expect(mockApiKeyRepo.count).not.toHaveBeenCalled();
+      expect(mockTenantRepo.count).not.toHaveBeenCalled();
+    });
+
     it('should run Better Auth migrations', async () => {
       const ctx = await auth.$context;
       await service.onModuleInit();
@@ -499,5 +510,31 @@ describe('DatabaseSeederService', () => {
 
       expect(mockApiKeyRepo.insert).not.toHaveBeenCalled();
     });
+
+    it('should handle getAdminUserId query failure with Error and return null', async () => {
+      // checkBetterAuthUser: user exists (skip signUpEmail)
+      mockDataSource.query.mockResolvedValueOnce([{ id: 'x' }]);
+      // getAdminUserId in seedApiKey: throws Error
+      mockDataSource.query.mockRejectedValueOnce(new Error('connection lost'));
+      mockApiKeyRepo.count.mockResolvedValue(0);
+
+      await service.onModuleInit();
+
+      // seedApiKey should skip insert because getAdminUserId returned null
+      expect(mockApiKeyRepo.insert).not.toHaveBeenCalled();
+    });
+
+    it('should handle getAdminUserId query failure with non-Error and return null', async () => {
+      // checkBetterAuthUser: user exists (skip signUpEmail)
+      mockDataSource.query.mockResolvedValueOnce([{ id: 'x' }]);
+      // getAdminUserId in seedApiKey: throws non-Error value
+      mockDataSource.query.mockRejectedValueOnce('string rejection');
+      mockApiKeyRepo.count.mockResolvedValue(0);
+
+      await service.onModuleInit();
+
+      // seedApiKey should skip insert because getAdminUserId returned null
+      expect(mockApiKeyRepo.insert).not.toHaveBeenCalled();
+    });
   });
 });

packages/backend/src/database/local-bootstrap.service.spec.ts

@@ -161,6 +161,20 @@ describe('LocalBootstrapService', () => {
       expect(mockAgentKeyRepo.insert).not.toHaveBeenCalled();
     });
 
+    it('returns null when readFileSync throws (catches error in readApiKeyFromConfig)', async () => {
+      // eslint-disable-next-line @typescript-eslint/no-require-imports
+      const { existsSync, readFileSync } = require('fs');
+      (existsSync as jest.Mock).mockReturnValue(true);
+      (readFileSync as jest.Mock).mockImplementation(() => {
+        throw new Error('EACCES: permission denied');
+      });
+
+      await service.onModuleInit();
+
+      // readApiKeyFromConfig returns null on error, so no key registration
+      expect(mockAgentKeyRepo.insert).not.toHaveBeenCalled();
+    });
+
     it('registers API key when config file exists with apiKey', async () => {
       // eslint-disable-next-line @typescript-eslint/no-require-imports
       const { existsSync, readFileSync } = require('fs');