Severity: Info
File: src/Servy.Core/Security/ProtectedKeyProvider.cs
Lines: 18-19
Code snippet:
[ExcludeFromCodeCoverage]
public class ProtectedKeyProvider : IProtectedKeyProvider
Explanation:
The entire class is marked [ExcludeFromCodeCoverage]. This is the security-critical surface for DPAPI key/IV protection, ACL-restricted file persistence, automatic v7.8 → v7.9 entropy migration, and Event Log escalation. Excluding all of it from coverage means any coverage gate (codecov.yml is in repo root) cannot enforce that new code paths through these branches are exercised by tests.
Defensible reasons exist (DPAPI cannot easily be mocked end-to-end), but the exclusion is currently class-wide. Pure logic branches inside this class — the failure-count escalation (lines 240-281), the path canonicalization in the constructor (lines 73-85), the inheritance decision in SaveProtected (lines 343-353) — are unit-testable without DPAPI and should still be measured.
Suggested fix:
Move [ExcludeFromCodeCoverage] from the class declaration onto only the methods that genuinely cannot be covered (GetMachineEntropy due to registry dependency, SaveProtected due to FileSecurity ACLs requiring elevation in CI). Leave the constructor, GetOrGenerate orchestration, and the migration-failure-counter logic measurable.
🤖 Generated with Claude Code
Severity: Info
File:
src/Servy.Core/Security/ProtectedKeyProvider.csLines: 18-19
Code snippet:
Explanation:
The entire class is marked
[ExcludeFromCodeCoverage]. This is the security-critical surface for DPAPI key/IV protection, ACL-restricted file persistence, automatic v7.8 → v7.9 entropy migration, and Event Log escalation. Excluding all of it from coverage means any coverage gate (codecov.yml is in repo root) cannot enforce that new code paths through these branches are exercised by tests.Defensible reasons exist (DPAPI cannot easily be mocked end-to-end), but the exclusion is currently class-wide. Pure logic branches inside this class — the failure-count escalation (lines 240-281), the path canonicalization in the constructor (lines 73-85), the inheritance decision in
SaveProtected(lines 343-353) — are unit-testable without DPAPI and should still be measured.Suggested fix:
Move
[ExcludeFromCodeCoverage]from the class declaration onto only the methods that genuinely cannot be covered (GetMachineEntropydue to registry dependency,SaveProtecteddue to FileSecurity ACLs requiring elevation in CI). Leave the constructor,GetOrGenerateorchestration, and the migration-failure-counter logic measurable.🤖 Generated with Claude Code