[Coverage Report] Test Coverage Report — 2026-06-08

[github-actions[bot]]

Overall Coverage

Metric	Coverage	Covered / Total
Statements	96.43%	4,683 / 4,856
Branches	90.67%	2,568 / 2,832
Functions	98.72%	544 / 551
Lines	96.52%	4,529 / 4,692

105 test files covering 153 source files (4,856 statements, 2,832 branches).

---

🔴 Critical Gaps (< 50% statement coverage)

None. All 134 tracked files exceed 50% statement coverage.

---

🟡 Low Coverage (50–79% statement coverage)

File	Stmts	Branch	Funcs
src/commands/validators/network-options.ts	66.7%	50.0%	100%

Only one file in the low-coverage band. The five uncovered branches cover the !dockerHostCheck.valid warning path, the dindHint detection, and a compound guard — all require a live TCP DOCKER_HOST to exercise.

---

🛡️ Security-Critical Path Status

File	Stmts	Branch	Funcs	Status
src/host-iptables.ts	100%	100%	100%	✅
src/host-iptables-rules.ts	100%	98.4%	100%	✅
src/host-iptables-cleanup.ts	100%	100%	100%	✅
src/host-iptables-network.ts	100%	100%	100%	✅
src/host-iptables-shared.ts	100%	95.0%	100%	✅
src/squid-config.ts	100%	100%	100%	✅
src/squid/access-rules.ts	100%	100%	100%	✅
src/squid/acl-generator.ts	100%	100%	100%	✅
src/squid/config-generator.ts	100%	100%	100%	✅
src/squid/domain-acl.ts	100%	100%	100%	✅
src/squid/policy-manifest.ts	87.2%	88.2%	70.0%	🟡
src/docker-manager.ts	100%	100%	100%	✅
src/domain-patterns.ts	97.7%	95.4%	100%	✅
src/cli.ts	85.7%	50.0%	100%	⚠️
src/services/agent-volumes/etc-mounts.ts	82.5%	67.8%	100%	⚠️
src/services/agent-volumes/workspace-mounts.ts	96.3%	75.0%	100%	🟡
src/services/agent-volumes/credential-hiding.ts	100%	100%	100%	✅

All iptables rule generation and Squid ACL modules are at 100% branch coverage. Two files need attention:

• src/cli.ts — 1 missed branch: the require.main === module guard (structurally untestable via import).
• src/services/agent-volumes/etc-mounts.ts — 9 missed branches controlling which host /etc files are bind-mounted into the agent sandbox.

---

🔍 Notable Findings

1. src/services/agent-volumes/etc-mounts.ts — 67.8% branch (9 missed): This file decides which host /etc entries (SSL certs, passwd, group, nsswitch.conf, etc.) are exposed in the sandbox. Missing branches cover absent-source-path fallbacks and non-standard distro layouts. Security-relevant: affects what host files the agent can read.

2. src/logs/log-parser.ts — 67.1% branch (23 missed): IPv6 peer address parsing ([::1]:443 format) and the JSON-format fallback path are both uncovered. Important for reliable post-incident log analysis.

3. src/dind-bootstrap.ts — 66.7% branch (11 missed): ARC/DinD bootstrap guards against missing socket paths and failed probes. Gaps here could hide silent setup failures on ARC runners.

4. Recent change: src/env-utils.ts (commit bd11bbc) — normalizeEnvValue narrowed to module-local; coverage remains 100%. No regression.

---

📈 Recommendations

1. High — src/services/agent-volumes/etc-mounts.ts: Add unit tests mocking the filesystem for missing/non-existent /etc source paths. Directly affects what host files are exposed in the sandbox.

2. Medium — src/logs/log-parser.ts: Add test cases for IPv6 peer addresses (e.g., [::1]:443) and malformed JSON fallback entries to ensure reliable audit-log parsing.

3. Medium — src/commands/validators/network-options.ts: Inject `DOCKER_HOST=(1.2.3.4/redacted) in a unit test to exercise the external-Docker-host warning branches without Docker.

4. Low — src/squid/policy-manifest.ts (fn=70%): Three helper functions at 0% coverage; exercise through the manifest-loading code path.

---

Generated by test-coverage-reporter workflow. Trigger: push. Run ID: 27154011732.

Generated by Test Coverage Reporter · sonnet46 2.2M · ◷

• expires on Jun 15, 2026, 5:15 PM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-06-15T17:15:10.347Z.

Closed by Workflow