ci: enhance test and security workflows with coverage enforcement

Improve GitHub Actions workflows for comprehensive test coverage reporting
and security file coverage threshold enforcement.

## test.yml Enhancements

### Workflow Improvements
- Rename to "Test Pipeline" for clarity
- Add CI and NODE_ENV environment variables
- Add 10-minute timeout for test job
- Expand Node.js matrix to include v18.x and v20.x

### Coverage Integration
- Run coverage only on Node.js 20.x to avoid duplicates
- Add coverage threshold checking (80% minimum)
- Parse coverage-summary.json for metrics validation
- Coverage PR comments using lcov-reporter-action
- Improved GitHub step summary with jq formatting
- 30-day retention for coverage artifacts

### New Code Quality Job
- Separate lint job with 5-minute timeout
- Placeholder lint and format:check commands
- continue-on-error for gradual adoption

### Build Job Updates
- Add 5-minute timeout
- Upload build artifacts with 7-day retention

## security-tests.yml Enhancements

### Test Execution
- Include PairingFlow.test.jsx in security test suite
- Update test commands to use npm run test

### Coverage Enforcement (95% Threshold)
- Parse coverage-summary.json for security files
- Check lines, functions, branches, and statements
- Security files monitored:
  - src/services/crypto.js
  - src/services/pairing-code.js
  - src/services/key-storage.js
  - src/components/pairing/PairingFlow.jsx
- Detailed per-file coverage report
- Fail workflow if any metric below 95%

### Reporting
- Console output with ✅/❌ status indicators
- Clear threshold violation messages
- Continue uploading artifacts on failure

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: pheuberger

.github/workflows/security-tests.yml

@@ -44,15 +44,85 @@ jobs:
         run: npm ci
 
       - name: Run security tests
-        run: npm run test:security
+        run: |
+          echo "Running security-critical tests..."
+          npm run test -- --run \
+            src/services/crypto.test.js \
+            src/services/pairing-code.test.js \
+            src/services/key-storage.test.js \
+            src/components/pairing/PairingFlow.test.jsx
 
       - name: Run security tests with coverage
         run: |
-          npx vitest run \
+          echo "Generating coverage for security-critical files..."
+          npm run test -- --run --coverage \
             src/services/crypto.test.js \
             src/services/pairing-code.test.js \
             src/services/key-storage.test.js \
-            --coverage
+            src/components/pairing/PairingFlow.test.jsx
+
+      - name: Check security coverage requirements
+        run: |
+          echo "Checking security file coverage requirements (95% minimum)..."
+          node -e "
+            try {
+              const fs = require('fs');
+              const coverage = JSON.parse(fs.readFileSync('coverage/coverage-summary.json', 'utf8'));
+
+              const securityFiles = [
+                'src/services/crypto.js',
+                'src/services/pairing-code.js',
+                'src/services/key-storage.js',
+                'src/components/pairing/PairingFlow.jsx'
+              ];
+
+              let allPassed = true;
+              const minSecurityCoverage = 95;
+
+              console.log('Security File Coverage Report:');
+              console.log('=====================================');
+
+              securityFiles.forEach(file => {
+                const fileKey = file.replace(/\\\\/g, '/');
+                const fileCoverage = coverage[fileKey];
+
+                if (fileCoverage) {
+                  const lineCoverage = fileCoverage.lines.pct;
+                  const funcCoverage = fileCoverage.functions.pct;
+                  const branchCoverage = fileCoverage.branches.pct;
+                  const stmtCoverage = fileCoverage.statements.pct;
+
+                  console.log(file + ':');
+                  console.log('  Lines: ' + lineCoverage + '%');
+                  console.log('  Functions: ' + funcCoverage + '%');
+                  console.log('  Branches: ' + branchCoverage + '%');
+                  console.log('  Statements: ' + stmtCoverage + '%');
+
+                  if (lineCoverage < minSecurityCoverage || funcCoverage < minSecurityCoverage ||
+                      branchCoverage < minSecurityCoverage || stmtCoverage < minSecurityCoverage) {
+                    console.log('  ❌ BELOW SECURITY THRESHOLD (' + minSecurityCoverage + '%)');
+                    allPassed = false;
+                  } else {
+                    console.log('  ✅ Meets security requirements');
+                  }
+                  console.log('');
+                } else {
+                  console.log(file + ': No coverage data found');
+                }
+              });
+
+              if (!allPassed) {
+                console.log('❌ Security coverage requirements not met!');
+                console.log('Security-critical files must have >= ' + minSecurityCoverage + '% coverage');
+                process.exit(1);
+              } else {
+                console.log('✅ All security files meet coverage requirements');
+              }
+            } catch (err) {
+              console.log('Security coverage check failed:', err.message);
+              process.exit(1);
+            }
+          "
 
       - name: Upload security coverage report
         uses: actions/upload-artifact@v4

.github/workflows/test.yml

@@ -1,19 +1,24 @@
-name: Test
+name: Test Pipeline
 
 on:
   push:
     branches: [main]
   pull_request:
     branches: [main]
 
+env:
+  CI: true
+  NODE_ENV: test
+
 jobs:
   test:
     name: Run Tests
     runs-on: ubuntu-latest
+    timeout-minutes: 10
 
     strategy:
       matrix:
-        node-version: [20.x]
+        node-version: [18.x, 20.x]
 
     steps:
       - name: Checkout repository
@@ -29,28 +34,96 @@ jobs:
         run: npm ci
 
       - name: Run tests
-        run: npm run test:run
+        run: npm run test -- --run
 
       - name: Run tests with coverage
-        run: npm run test:coverage
+        run: npm run test -- --run --coverage
+        if: matrix.node-version == '20.x'
+
+      - name: Check coverage thresholds
+        run: |
+          echo "Checking coverage thresholds..."
+          npm run test -- --run --coverage --reporter=json > coverage-report.json 2>/dev/null || true
+          node -e "
+            try {
+              const fs = require('fs');
+              const coverage = JSON.parse(fs.readFileSync('coverage/coverage-summary.json', 'utf8'));
+              const total = coverage.total;
+              console.log('Coverage Summary:');
+              console.log('Lines:', total.lines.pct + '%');
+              console.log('Functions:', total.functions.pct + '%');
+              console.log('Branches:', total.branches.pct + '%');
+              console.log('Statements:', total.statements.pct + '%');
+
+              const minCoverage = 80;
+              if (total.lines.pct < minCoverage || total.functions.pct < minCoverage ||
+                  total.branches.pct < minCoverage || total.statements.pct < minCoverage) {
+                console.log('❌ Coverage below threshold (' + minCoverage + '%)');
+                process.exit(1);
+              } else {
+                console.log('✅ Coverage meets threshold requirements');
+              }
+            } catch (err) {
+              console.log('Coverage check skipped - no coverage data available');
+            }
+          "
+        if: matrix.node-version == '20.x'
 
       - name: Upload coverage report
         uses: actions/upload-artifact@v4
+        if: matrix.node-version == '20.x'
         with:
           name: coverage-report
           path: coverage/
-          retention-days: 7
+          retention-days: 30
+
+      - name: Comment coverage on PR
+        uses: romeovs/lcov-reporter-action@v0.3.1
+        if: github.event_name == 'pull_request' && matrix.node-version == '20.x'
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          lcov-file: ./coverage/lcov.info
+          delete-old-comments: true
+        continue-on-error: true
 
       - name: Coverage summary
         run: |
           echo "## Coverage Summary" >> $GITHUB_STEP_SUMMARY
           echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
-          cat coverage/coverage-summary.json 2>/dev/null | head -50 || echo "Coverage summary not available"
+          cat coverage/coverage-summary.json 2>/dev/null | jq '.' || echo "Coverage summary not available"
           echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
+        if: matrix.node-version == '20.x'
+
+  lint:
+    name: Code Quality
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20.x
+          cache: "npm"
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run linting
+        run: npm run lint
+        continue-on-error: true
+
+      - name: Check formatting
+        run: npm run format:check
+        continue-on-error: true
 
   build:
     name: Build Check
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     needs: test
 
     steps:
@@ -68,3 +141,10 @@ jobs:
 
       - name: Build
         run: npm run build
+
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: build-output
+          path: dist/
+          retention-days: 7