Harden test-coverage-improver prompt injection and trim unused tool surface

[Copilot]

test-coverage-improver was paying avoidable token cost because pre-step outputs were rendering as empty strings in the prompt, forcing the agent to rediscover and reread the target file. This change makes injection failures explicit, removes unused GitHub tool surface, and tightens the prompt so reruns stay targeted.

• Fail fast on broken prompt injection

  • Added a Verify injected context step after target/content selection.
  • Validates TARGET_FILE, TARGET_TEST_FILE, SOURCE_CONTENT, TEST_CONTENT, COVERAGE_MD, and LOW_COVERAGE before the agent runs.
  • Surfaces empty-output regressions in workflow logs instead of silently sending an empty prompt.

• Reduce loaded tool surface

  • Removed the unused GitHub pull_requests toolset from the workflow.
  • Kept the workflow on the narrower repos toolset, which matches actual usage.

• Constrain test-reading and rerun behavior

  • Added TARGET_TEST_FILE as an explicit step output for the selected module’s test path.
  • Updated prompt guidance to reference the selected test file for style instead of encouraging broad src/*.test.ts reads.
  • Added explicit targeted Jest rerun guidance and capped full npm run test to final verification only.

• Recompiled workflow artifacts

  • Regenerated the compiled test-coverage-improver.lock.yml to carry the new outputs, verification step, and prompt updates.
  • Updated workflow coverage assertions to pin the intended source/lock behavior.

- name: Verify injected context
  env:
    TARGET_FILE: ${{ steps.target.outputs.TARGET_FILE }}
    TARGET_TEST_FILE: ${{ steps.target.outputs.TARGET_TEST_FILE }}
    SOURCE_CONTENT: ${{ steps.target.outputs.SOURCE_CONTENT }}
  run: |
    [ -n "$TARGET_FILE" ] || { echo "::error::TARGET_FILE empty"; exit 1; }
    [ -n "$TARGET_TEST_FILE" ] || { echo "::error::TARGET_TEST_FILE empty"; exit 1; }
    [ -n "$SOURCE_CONTENT" ] || { echo "::error::SOURCE_CONTENT empty"; exit 1; }

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	96.35%	96.46%	📈 +0.11%
Statements	96.21%	96.32%	📈 +0.11%
Functions	98.27%	98.27%	➡️ +0.00%
Branches	90.42%	90.57%	📈 +0.15%

📁 Per-file Coverage Changes (2 files)

File	Lines (Before → After)	Statements (Before → After)
src/config-writer.ts	89.3% → 90.9% (+1.65%)	89.3% → 90.9% (+1.65%)
src/container-lifecycle.ts	93.9% → 95.7% (+1.84%)	94.2% → 95.9% (+1.75%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[Copilot]

Pull request overview

This PR tightens the test-coverage-improver agentic workflow to reduce wasted tokens and make prompt-context injection failures visible in logs, while also narrowing the GitHub MCP tool surface to what the workflow actually uses.

Changes:

• Remove the GitHub MCP pull_requests toolset usage and assert the reduced tool surface via workflow tests.
• Add TARGET_TEST_FILE output and a “Verify injected context” step to fail fast when injected outputs are unexpectedly empty.
• Update the workflow prompt to discourage broad test-file glob reads and guide targeted Jest reruns.

Show a summary per file

File	Description
scripts/ci/test-coverage-improver-workflow.test.ts	Updates assertions to lock in the reduced toolsets, new injected outputs, verification step, and prompt guidance.
.github/workflows/test-coverage-improver.md	Removes pull_requests toolset, adds TARGET_TEST_FILE, adds injected-context verification, and tightens prompt instructions to keep reruns targeted.
.github/workflows/test-coverage-improver.lock.yml	Regenerated compiled workflow carrying new outputs/verification step/toolset changes (plus compiler/version-driven regeneration changes).

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 3/3 changed files
• Comments generated: 2

[lpcox]

@copilot address review feedback

[Copilot]

@copilot address review feedback

Addressed the review feedback in commit f5b2f59 by pinning github/gh-aw-actions/setup to its v0.77.5 commit SHA and pinning ghcr.io/github/github-mcp-server:v1.1.0 to an immutable digest in both the image download list and MCP container config (plus lock-workflow assertions to prevent regression).

[github-actions]

Smoke Test Results (Claude)

• ✅ GitHub API: 2 PR entries found
• ✅ GitHub check: playwright_check=PASS
• ✅ File verify: smoke-test file present

Total: PASS

💥 [THE END] — Illustrated by Smoke Claude

[github-actions]

🔥 Smoke Test: Copilot BYOK (Offline) Mode

Test	Result
GitHub MCP (list merged PRs)	✅ PR #4207 "refactor(api-proxy): extract duplicate collectLogOutput() into shared test helper"
GitHub.com HTTP connectivity	⚠️ Pre-step output not injected (SMOKE_HTTP_CODE unexpanded)
File write/read	⚠️ Pre-step output not injected (SMOKE_FILE_PATH unexpanded)
BYOK inference (this response)	✅

Note: Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com

PR author: @Copilot · Assignees: @lpcox, @Copilot

Overall: PARTIAL — BYOK inference and MCP ✅; pre-step output injection broken for tests 2 & 3.

🔑 BYOK report filed by Smoke Copilot BYOK

[github-actions]

🧪 Smoke Test Results

• ✅ GitHub MCP: PR listed — refactor(api-proxy): extract duplicate collectLogOutput() into shared test helper
• ✅ GitHub.com Connectivity: HTTP 200/301
• ✅ File Write/Read: smoke-test-copilot-26834271272.txt verified

Overall: PASS

PR by @Copilot, assigned to @lpcox and @Copilot.

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

Merged PRs:\n- refactor(api-proxy): extract duplicate collectLogOutput() into shared test helper\n- [Test Coverage] container-lifecycle.ts branch coverage\nChecks:\n- GitHub title check: ✅\n- Smoke file: ✅\n- Build: ✅\n- Discussion note: ✅\nOverall: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions]

Gemini Engine Smoke Test Results

• PR Titles: fix: recompile red-team-benchmark lock file (fix: recompile red-team-benchmark lock file #4191), [Unable to fetch]
• GitHub MCP: ❌ (Tools missing/unreachable)
• GitHub.com Connectivity: ❌ (SSL Error 35/Squid)
• File Writing Testing: ✅
• Bash Tool Testing: ✅

Overall Status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	1/1 passed	✅ PASS
Go	env	✅	1/1 passed	✅ PASS
Go	uuid	✅	1/1 passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	All passed	✅ PASS
Node.js	execa	✅	All passed	✅ PASS
Node.js	p-limit	✅	All passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #4204 · sonnet46 1.1M · ◷

[github-actions]

Smoke Test: GitHub Actions Services Connectivity

• Redis PING: ❌ (timeout — no response on host.docker.internal:6379)
• PostgreSQL pg_isready: ❌ (no response on host.docker.internal:5432)
• PostgreSQL SELECT 1: ❌ (skipped — pg_isready failed)

Overall: FAIL — service containers are not reachable from this environment.

🔌 Service connectivity validated by Smoke Services