test(client-proxy): expand unit test coverage across packages

[tvi]

Lifts overall coverage in packages/client-proxy significantly by adding tests for previously untested code paths:

• internal/cfg: 0% -> 100%. New model_test.go covers Parse defaults, env-var overrides for every field, and an invalid-integer error case.
• internal: 0% -> 100%. New info_test.go covers ServiceInfo zero-value, transitions across Healthy/Draining/Unhealthy, idempotent same-state writes, and a race-safe concurrent get/set exercise.
• internal/proxy: 40.8% -> 87.7%.
  • paused_sandbox_resumer_grpc_test.go exercises NewGRPCPausedSandboxResumer constructor branches (empty address, OAuth misconfiguration, insecure and TLS credential paths) and drives Resume/Init/Close against an in-process bufconn gRPC server, asserting metadata propagation (MetadataSandboxRequestPort, MetadataTrafficAccessToken, MetadataEnvdAccessToken), empty-token omission, server-side error surfacing, and auth-failure short-circuit.
  • proxy_test.go adds NewClientProxy tests covering construction with a no-op meter provider, idle-timeout wiring, repeated registration, and end-to-end handler responses for the not-found, permission-denied, resource-exhausted, still-transitioning, and invalid-host code paths.
  • proxy_test.go also adds an errorCatalog fake plus TestCatalogResolution_CatalogReturnsGenericError to cover the previously untested wrapped-error branch in catalogResolution that returns errors other than ErrSandboxNotFound.

All new tests pass under -race, go vet ./... is clean, and go build ./... succeeds.

[cursor]

PR Summary

Medium Risk
Mostly adds tests, but it also changes emitted telemetry by swapping which connection counts are reported under two metric names, which could affect dashboards/alerts if expectations were based on the previous (incorrect) mapping.

Overview
The only functional change is that NewClientProxy now reports CurrentPoolConnections() under ClientProxyPoolConnectionsMeterCounterName and CurrentServerConnections() under ClientProxyServerConnectionsMeterCounterName (previously swapped), which may break existing dashboards/alerts if they implicitly relied on the old mapping. The rest of the PR is new tests, and a few assertions look brittle (exact JSON substrings / error text matching) and may be flaky if upstream error messages or response formatting change.

^{Reviewed by Cursor Bugbot for commit 69fc15b. Bugbot is set up for automated code reviews on this repo. Configure here.}

[codecov]

❌ 11 Tests Failed:

Tests completed	Failed	Passed	Skipped
2638	11	2627	7

View the full list of 12 ❄️ flaky test(s)

github.com/e2b-dev/infra/tests/integration/internal/tests/api/metrics::TestTeamMetrics

Flake rate in main: 68.26% (Passed 106 times, Failed 228 times)

Stack Traces | 0.82s run time

=== RUN   TestTeamMetrics
=== PAUSE TestTeamMetrics
=== CONT  TestTeamMetrics
    team_metrics_test.go:61: 
        	Error Trace:	.../api/metrics/team_metrics_test.go:61
        	Error:      	Should be true
        	Test:       	TestTeamMetrics
        	Messages:   	MaxConcurrentSandboxes should be >= 0
--- FAIL: TestTeamMetrics (0.82s)

github.com/e2b-dev/infra/tests/integration/internal/tests/api/sandboxes::TestUpdateNetworkConfig

Flake rate in main: 76.06% (Passed 113 times, Failed 359 times)

Stack Traces | 35.7s run time

=== RUN   TestUpdateNetworkConfig
=== PAUSE TestUpdateNetworkConfig
=== CONT  TestUpdateNetworkConfig
Executing command curl in sandbox iyy34f783rk0thufuyna6
--- FAIL: TestUpdateNetworkConfig (35.70s)

github.com/e2b-dev/infra/tests/integration/internal/tests/api/sandboxes::TestUpdateNetworkConfig/pause_resume_preserves_allow_internet_access_false

Flake rate in main: 76.57% (Passed 108 times, Failed 353 times)

Stack Traces | 2.33s run time

=== RUN   TestUpdateNetworkConfig/pause_resume_preserves_allow_internet_access_false
Executing command curl in sandbox iwabunkj3hldswnbmvpov
    sandbox_network_update_test.go:372: Command [curl] output: event:{start:{pid:1365}}
    sandbox_network_update_test.go:372: Command [curl] output: event:{end:{exit_code:35  exited:true  status:"exit status 35"  error:"exit status 35"}}
    sandbox_network_update_test.go:372: Command [curl] output: event:{start:{pid:1366}}
    sandbox_network_update_test.go:372: Command [curl] output: event:{end:{exit_code:35  exited:true  status:"exit status 35"  error:"exit status 35"}}
    sandbox_network_update_test.go:391: Command [curl] output: event:{start:{pid:1367}}
    sandbox_network_update_test.go:391: Command [curl] output: event:{data:{stdout:"HTTP/2 302 \r\nx-content-type-options: nosniff\r\nlocation: https://dns.google/\r\ndate: Sun, 10 May 2026 06:42:34 GMT\r\ncontent-type: text/html; charset=UTF-8\r\nserver: HTTP server (unknown)\r\ncontent-length: 216\r\nx-xss-protection: 0\r\nx-frame-options: SAMEORIGIN\r\nalt-svc: h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000\r\n\r\n"}}
    sandbox_network_update_test.go:391: Command [curl] output: event:{end:{exited:true  status:"exit status 0"}}
    sandbox_network_update_test.go:391: Command [curl] completed successfully in sandbox iwabunkj3hldswnbmvpov
    sandbox_network_update_test.go:391: 
        	Error Trace:	.../api/sandboxes/sandbox_network_out_test.go:74
        	            				.../api/sandboxes/sandbox_network_update_test.go:60
        	            				.../api/sandboxes/sandbox_network_update_test.go:391
        	Error:      	An error is expected but got nil.
        	Test:       	TestUpdateNetworkConfig/pause_resume_preserves_allow_internet_access_false
        	Messages:   	https://8.8.8.8 should be blocked
--- FAIL: TestUpdateNetworkConfig/pause_resume_preserves_allow_internet_access_false (2.33s)

github.com/e2b-dev/infra/tests/integration/internal/tests/envd::TestBindLocalhost

Flake rate in main: 58.22% (Passed 183 times, Failed 255 times)

Stack Traces | 0s run time

=== RUN   TestBindLocalhost
=== PAUSE TestBindLocalhost
=== CONT  TestBindLocalhost
--- FAIL: TestBindLocalhost (0.00s)

github.com/e2b-dev/infra/tests/integration/internal/tests/envd::TestBindLocalhost/bind_::

Flake rate in main: 55.32% (Passed 105 times, Failed 130 times)

Stack Traces | 6.94s run time

=== RUN   TestBindLocalhost/bind_::
=== PAUSE TestBindLocalhost/bind_::
=== CONT  TestBindLocalhost/bind_::
Executing command python in sandbox idwx1qpfm46yr0qduvx7s
    localhost_bind_test.go:69: Command [python] output: event:{start:{pid:1257}}
    localhost_bind_test.go:90: 
        	Error Trace:	.../tests/envd/localhost_bind_test.go:90
        	Error:      	Not equal: 
        	            	expected: 200
        	            	actual  : 502
        	Test:       	TestBindLocalhost/bind_::
        	Messages:   	Unexpected status code 502 for bind address ::
--- FAIL: TestBindLocalhost/bind_:: (6.94s)

github.com/e2b-dev/infra/tests/integration/internal/tests/envd::TestListDir

Flake rate in main: 52.71% (Passed 131 times, Failed 146 times)

Stack Traces | 1s run time

=== RUN   TestListDir
=== PAUSE TestListDir
=== CONT  TestListDir
--- FAIL: TestListDir (1.00s)
Executing command python in sandbox ircop7ioou1v7hjf2oxm1

github.com/e2b-dev/infra/tests/integration/internal/tests/envd::TestListDir/depth_0_lists_only_root_directory

Flake rate in main: 56.85% (Passed 104 times, Failed 137 times)

Stack Traces | 0.01s run time

=== RUN   TestListDir/depth_0_lists_only_root_directory
=== PAUSE TestListDir/depth_0_lists_only_root_directory
=== CONT  TestListDir/depth_0_lists_only_root_directory
    filesystem_test.go:97: 
        	Error Trace:	.../tests/envd/filesystem_test.go:97
        	Error:      	Received unexpected error:
        	            	unavailable: 502 Bad Gateway
        	Test:       	TestListDir/depth_0_lists_only_root_directory
--- FAIL: TestListDir/depth_0_lists_only_root_directory (0.01s)

github.com/e2b-dev/infra/tests/integration/internal/tests/envd::TestListDir/depth_1_lists_root_directory

Flake rate in main: 56.85% (Passed 104 times, Failed 137 times)

Stack Traces | 0.01s run time

=== RUN   TestListDir/depth_1_lists_root_directory
=== PAUSE TestListDir/depth_1_lists_root_directory
=== CONT  TestListDir/depth_1_lists_root_directory
    filesystem_test.go:97: 
        	Error Trace:	.../tests/envd/filesystem_test.go:97
        	Error:      	Received unexpected error:
        	            	unavailable: 502 Bad Gateway
        	Test:       	TestListDir/depth_1_lists_root_directory
--- FAIL: TestListDir/depth_1_lists_root_directory (0.01s)

github.com/e2b-dev/infra/tests/integration/internal/tests/envd::TestListDir/depth_2_lists_first_level_of_subdirectories_(in_this_case_the_root_directory)

Flake rate in main: 56.85% (Passed 104 times, Failed 137 times)

Stack Traces | 0.01s run time

=== RUN   TestListDir/depth_2_lists_first_level_of_subdirectories_(in_this_case_the_root_directory)
=== PAUSE TestListDir/depth_2_lists_first_level_of_subdirectories_(in_this_case_the_root_directory)
=== CONT  TestListDir/depth_2_lists_first_level_of_subdirectories_(in_this_case_the_root_directory)
    filesystem_test.go:97: 
        	Error Trace:	.../tests/envd/filesystem_test.go:97
        	Error:      	Received unexpected error:
        	            	unavailable: 502 Bad Gateway
        	Test:       	TestListDir/depth_2_lists_first_level_of_subdirectories_(in_this_case_the_root_directory)
--- FAIL: TestListDir/depth_2_lists_first_level_of_subdirectories_(in_this_case_the_root_directory) (0.01s)

github.com/e2b-dev/infra/tests/integration/internal/tests/envd::TestListDir/depth_3_lists_all_directories_and_files

Flake rate in main: 56.85% (Passed 104 times, Failed 137 times)

Stack Traces | 0.01s run time

=== RUN   TestListDir/depth_3_lists_all_directories_and_files
=== PAUSE TestListDir/depth_3_lists_all_directories_and_files
=== CONT  TestListDir/depth_3_lists_all_directories_and_files
    filesystem_test.go:97: 
        	Error Trace:	.../tests/envd/filesystem_test.go:97
        	Error:      	Received unexpected error:
        	            	unavailable: 502 Bad Gateway
        	Test:       	TestListDir/depth_3_lists_all_directories_and_files
--- FAIL: TestListDir/depth_3_lists_all_directories_and_files (0.01s)

github.com/e2b-dev/infra/tests/integration/internal/tests/orchestrator::TestSandboxMemoryIntegrity

Flake rate in main: 65.77% (Passed 114 times, Failed 219 times)

Stack Traces | 94.8s run time

=== RUN   TestSandboxMemoryIntegrity
=== PAUSE TestSandboxMemoryIntegrity
=== CONT  TestSandboxMemoryIntegrity
    sandbox_memory_integrity_test.go:26: Build completed successfully
--- FAIL: TestSandboxMemoryIntegrity (94.80s)

github.com/e2b-dev/infra/tests/integration/internal/tests/orchestrator::TestSandboxMemoryIntegrity/tmpfs_hash

Flake rate in main: 67.19% (Passed 104 times, Failed 213 times)

Stack Traces | 48s run time

=== RUN   TestSandboxMemoryIntegrity/tmpfs_hash
=== PAUSE TestSandboxMemoryIntegrity/tmpfs_hash
=== CONT  TestSandboxMemoryIntegrity/tmpfs_hash
    sandbox_memory_integrity_test.go:70: Command [bash] output: event:{start:{pid:1260}}
    sandbox_memory_integrity_test.go:70: Command [bash] output: event:{data:{stdout:"Total memory: 985 MB\nUsed memory before tmpfs mount: 184 MB\nFree memory before tmpfs mount: 801 MB\nMemory to use in integrity test (80% of free, min 64MB): 640 MB\n"}}
Executing command bash in sandbox ig54qfkhjs4k3pbisvtj8 (user: root)
    sandbox_memory_integrity_test.go:70: Command [bash] output: event:{data:{stderr:"640+0 records in\n640+0 records out\n671088640 bytes (671 MB, 640 MiB) copied, 19.5027 s, 34.4 MB/s\n"}}
    sandbox_memory_integrity_test.go:70: Command [bash] output: event:{data:{stderr:"\t"}}
    sandbox_memory_integrity_test.go:70: Command [bash] output: event:{data:{stderr:"C"}}
    sandbox_memory_integrity_test.go:70: Command [bash] output: event:{data:{stderr:"o"}}
    sandbox_memory_integrity_test.go:70: Command [bash] output: event:{data:{stderr:"m"}}
    sandbox_memory_integrity_test.go:70: Command [bash] output: event:{data:{stderr:"mand being timed: \"dd if=/dev/urandom of=/mnt/testfile bs=1M count=640\"\n\tU"}}
    sandbox_memory_integrity_test.go:70: Command [bash] output: event:{data:{stderr:"ser time (seconds): "}}
    sandbox_memory_integrity_test.go:70: Command [bash] output: event:{data:{stderr:"0.00\n\tSystem time (seconds): 19.16\n"}}
    sandbox_memory_integrity_test.go:70: Command [bash] output: event:{data:{stderr:"\tPercent of CPU this job got: 98%\n\tElapse"}}
    sandbox_memory_integrity_test.go:70: Command [bash] output: event:{data:{stderr:"d (wall clock) time (h:mm:ss or m:ss): 0:19.54\n\tAverage shared text size (kbytes): 0\n\tAverage unshared data size (kbytes): 0\n\tAverage stack size (kbytes): 0\n\tAverage total size (kbytes): 0\n\tMaximum resident set size (kbytes): 2628\n\tAverage resident set size (kbytes): 0\n\tMajor (requiring I/O) page faults: 2\n\tMinor (reclaiming a frame) page faults: 342\n\tVoluntary context switches: 3\n\tInvoluntary context switches: 78\n\tSwaps: 0\n\tFile system inputs: 176\n\tFile system outputs: 0\n\tSocket messages sent: 0\n\tSocket messages received: 0\n\tSignals delivered: 0\n\tPage size (bytes): 4096\n\tExit status: 0\n"}}
    sandbox_memory_integrity_test.go:70: Command [bash] output: event:{data:{stdout:"Used memory after tmpfs mount and file fill: 834 MB\n"}}
    sandbox_memory_integrity_test.go:70: Command [bash] output: event:{end:{exited:true status:"exit status 0"}}
    sandbox_memory_integrity_test.go:70: Command [bash] completed successfully in sandbox i7r62pqja145h80vfxmf1
Executing command bash in sandbox i7r62pqja145h80vfxmf1 (user: root)
    sandbox_memory_integrity_test.go:74: Command [bash] output: event:{start:{pid:1276}}
    sandbox_memory_integrity_test.go:74: Command [bash] output: event:{data:{stdout:"f24524ca1bb2c66dd6106f20b7d6c2f873ccd23ead96c1b140157124323ebda7\n"}}
    sandbox_memory_integrity_test.go:74: Command [bash] output: event:{end:{exited:true status:"exit status 0"}}
    sandbox_memory_integrity_test.go:74: Command [bash] completed successfully in sandbox i7r62pqja145h80vfxmf1
Executing command bash in sandbox i7r62pqja145h80vfxmf1 (user: root)
    sandbox_memory_integrity_test.go:99: Command [bash] output: event:{start:{pid:1280}}
    sandbox_memory_integrity_test.go:100: 
        	Error Trace:	.../tests/orchestrator/sandbox_memory_integrity_test.go:100
        	Error:      	Received unexpected error:
        	            	failed to execute command bash in sandbox i7r62pqja145h80vfxmf1: invalid_argument: protocol error: incomplete envelope: unexpected EOF
        	Test:       	TestSandboxMemoryIntegrity/tmpfs_hash
--- FAIL: TestSandboxMemoryIntegrity/tmpfs_hash (47.97s)

To view more test analytics, go to the Test Analytics Dashboard
_{📋 Got 3 mins? Take this short survey to help us improve Test Analytics.}

[gemini-code-assist]

Code Review

The metrics registration in NewClientProxy incorrectly swaps the telemetry instruments for server and pool connections, leading to inaccurate monitoring data. The implementation also registers observable metric callbacks that are never unregistered, causing a resource leak and incorrect aggregated metrics when NewClientProxy is invoked multiple times.

[claude]

Test-only coverage expansion in client-proxy; the inline nit about a couple of tautological assertions is worth fixing but doesn't block.

Extended reasoning...

Overview

This PR is purely additive test code in packages/client-proxy: a new cfg/model_test.go (env defaults/overrides/invalid-int), info_test.go (ServiceInfo state transitions + concurrent access), paused_sandbox_resumer_grpc_test.go (constructor branches + bufconn-backed Resume/Init/Close), and additions to proxy_test.go (NewClientProxy construction, error-path handler responses, and an errorCatalog fake). No production code changes.

Security risks

None. Test files only, no auth/crypto/permission logic touched. The new gRPC test code uses bufconn and insecure credentials in-process which is appropriate and standard for unit tests.

Level of scrutiny

Low. Coverage-only additions to non-production files; worst case is a flaky or weak test, not runtime risk. Existing tests in the same files follow the same patterns the new ones use.

Other factors

The bug-hunting system flagged a nit about misleading test names (...DuplicateMetricsRegistrationReturnsErrors asserting NoError, comment about 'separate service names' that uses one hard-coded name) and tautological assertions (GreaterOrEqual(CurrentPoolSize(), 0), NotEqual(StatusOK) duplicating an existing stronger assertion). These are real but cosmetic — they don't compromise the correctness of the test suite or the production code. Worth tightening but not worth blocking on, especially given the substantial coverage uplift (internal/cfg 0→100%, internal 0→100%, internal/proxy 40.8→87.7%).

[claude]

🟡 Two newly-added tests in proxy_test.go have misleading names/comments and assertions that don't validate what they claim. TestNewClientProxy_DuplicateMetricsRegistrationReturnsErrors (line 480) asserts require.NoError despite its name claiming 'ReturnsErrors', its comment claims 'separate service names' but the loop hard-codes "service", and noopmetric.NewMeterProvider() cannot surface duplicate-registration errors anyway. TestNewClientProxy_PoolAccessors (line 509) asserts GreaterOrEqual(p.CurrentPoolSize(), 0) which is a tautology on a non-negative count, and its trailing HTTP block duplicates TestNewClientProxy_SandboxNotFoundReturns502 with a strictly weaker NotEqual(StatusOK) assertion. Either rename/rewrite these tests to validate what they claim (e.g. TestNewClientProxy_RepeatedConstruction, exact Equal(0, ...) and Equal(StatusBadGateway, ...) assertions) or drop the redundant pieces.

Extended reasoning...

What's wrong

Two of the new tests in packages/client-proxy/internal/proxy/proxy_test.go have names, comments, and assertions that disagree with what the test bodies actually do. In a PR whose explicit purpose is coverage expansion, this is worth flagging because future readers will reasonably trust that a test named ...DuplicateMetricsRegistrationReturnsErrors is exercising the duplicate-registration error path — and it isn't.

Bug 1: TestNewClientProxy_DuplicateMetricsRegistrationReturnsErrors (lines 474–487)

Three independent contradictions, all in the same ~13-line test:

1. Name vs. assertion — function name says ...ReturnsErrors, but the body's only assertion is require.NoError(t, err).
2. Comment vs. body — the comment says 'works repeatedly for separate service names', but every iteration of the for range 3 loop calls NewClientProxy(..., "service", ...) with the same hard-coded name.
3. No-op provider can't surface what the name promises — noopmetric.NewMeterProvider() returns a no-op SDK whose Meter/instrument constructors never report duplicate-registration errors. So even if NewClientProxy had a real metric-collision bug on repeated construction, this test could not detect it.

Bug 2: TestNewClientProxy_PoolAccessors (lines 503–518)

Two pieces:

1. require.GreaterOrEqual(t, p.CurrentPoolSize(), 0) is a tautology. CurrentPoolSize() (packages/shared/pkg/proxy/proxy.go:89) returns p.pool.Size(), which forwards to p.pool.Count() in pool/pool.go:112 — a pool count is non-negative by construction. The assertion can never fail in a stable implementation; it asserts no behavioral invariant. On a freshly-constructed proxy, the meaningful claim is Equal(0, p.CurrentPoolSize()).
2. The trailing HTTP block sends a request and asserts only require.NotEqual(t, http.StatusOK, rr.Code). TestNewClientProxy_SandboxNotFoundReturns502 (lines 391–406) already drives the same request through the same handler with the strictly stronger require.Equal(t, http.StatusBadGateway, rr.Code). The block adds no incremental coverage and tolerates handler regressions (e.g. a handler that started returning 500 instead of 502 would still pass).
3. The leading comment 'Validate the Construction test exercises pool size accessor too' is also grammatically muddled.

Step-by-step proof

For bug 1, consider a hypothetical regression where someone reworks NewClientProxy so it registers a metric twice with the same name. Walk through:

• The test calls NewClientProxy(noopmetric.NewMeterProvider(), "service", ...) three times.
• Each call asks the no-op meter for an instrument; go.opentelemetry.io/otel/metric/noop always returns a working no-op instrument and never returns an error from registration.
• err is therefore always nil, regardless of whether the same name is being registered repeatedly.
• The assertion require.NoError(t, err) passes; the regression goes undetected.

For bug 2, walk through the assertion:

• p.CurrentPoolSize() returns int. The only way it returns a negative number would be a counting bug elsewhere; nothing the test sets up could provoke it.
• On a freshly-constructed proxy with no work done, the true invariant is == 0. The test instead asserts >= 0, which any int value other than negative numbers satisfies — including obviously-broken values like 12345.

Addressing the refutation

The refuting verifier correctly notes the submitter acknowledged 'a test-quality issue rather than a bug' and that the test does exercise the constructor and handler paths. That's fair — and is why this is filed as nit, not blocking. But the contradictions in bug 1 (name says one thing, asserts the opposite; comment says one thing, body does another; provider chosen cannot detect what name promises) are not stylistic — they are factual mismatches between what the test claims and what it does. A reader auditing coverage by test name will conclude duplicate-registration is covered when it is not.

Suggested fix

• Rename TestNewClientProxy_DuplicateMetricsRegistrationReturnsErrors to TestNewClientProxy_RepeatedConstructionDoesNotError (or wire a real SDK meter provider that surfaces conflicts), fix the comment to say 'same service name', or pass distinct names on each iteration.
• In TestNewClientProxy_PoolAccessors: change GreaterOrEqual(..., 0) to Equal(0, ...), drop the redundant HTTP block (or strengthen to Equal(StatusBadGateway, ...)), and rewrite the leading comment.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 69fc15b. Configure here.}

[cursor]

Test name contradicts assertions and tests nothing meaningful

Low Severity

TestNewClientProxy_DuplicateMetricsRegistrationReturnsErrors says "ReturnsErrors" but asserts require.NoError. More importantly, it creates a fresh noopmetric.NewMeterProvider() on every iteration, so it never actually tests duplicate registration on a shared provider. The test does not exercise the scenario its name describes.

 

^{Reviewed by Cursor Bugbot for commit 69fc15b. Configure here.}