[Coverage Report] Test Coverage Report — 2026-06-16

[github-actions[bot]]

Overall Coverage Summary

Metric	Coverage	Covered / Total
Lines	96.93% ✅	4,771 / 4,922
Statements	96.79% ✅	4,928 / 5,091
Functions	98.81% ✅	586 / 593
Branches	91.28% ⚠️	2,734 / 2,995

Note: The COVERAGE_SUMMARY.md in the repo reflects an older baseline (~38%). The coverage/coverage-summary.json is the authoritative source — it shows coverage has grown dramatically since that file was last updated.

---

Security-Critical File Status

File	Lines	Functions	Branches	Status
host-iptables-rules.ts	100%	100%	100%	✅ Excellent
host-iptables-shared.ts	100%	100%	100%	✅ Excellent
host-iptables-cleanup.ts	100%	100%	100%	✅ Excellent
squid/access-rules.ts	100%	100%	100%	✅ Excellent
squid/acl-generator.ts	100%	100%	100%	✅ Excellent
squid/domain-acl.ts	100%	100%	100%	✅ Excellent
squid/validation.ts	100%	100%	100%	✅ Excellent
domain-validation.ts	100%	100%	100%	✅ Excellent
domain-patterns.ts	100%	100%	89.47%	⚠️ 2 branches uncovered
squid/policy-manifest.ts	87.23%	70%	88.23%	⚠️ 3 functions uncovered
commands/validators/network-options.ts	66.66%	100%	50%	❌ Needs attention
services/agent-volumes/etc-mounts.ts	82.45%	100%	67.85%	❌ Needs attention

---

File-by-File Breakdown (files with < 90% branch coverage)

File	Lines	Branches	Uncovered branches
commands/validators/network-options.ts	66.66%	50% (5/10)	External Docker host warning paths
services/agent-volumes/etc-mounts.ts	82.45%	67.85% (19/28)	UID/GID synthesis edge cases
logs/log-parser.ts	87.80%	68.57% (48/70)	Unusual Squid decision codes, domain extraction
services/agent-volumes/docker-host-staging.ts	87.23%	72.41% (21/29)	Staging path edge cases
logs/audit-enricher.ts	89.36%	74.13% (43/58)	Rule matching edge cases
services/agent-volumes/workspace-mounts.ts	96.29%	75.00% (30/40)	Mount condition branches
services/agent-volumes/system-mounts.ts	92.30%	75.00% (9/12)	Conditional system mount paths
logs/log-streamer.ts	92.06%	77.77% (28/36)	Error handling in stream ops
commands/validators/log-and-limits.ts	90.32%	77.58% (45/58)	Limit validation edge cases
workdir-setup.ts	94.44%	79.62% (43/54)	Workdir creation error paths
services/host-path-prefix.ts	88.88%	81.57% (31/38)	Prefix normalization branches
squid/config-sections.ts	100%	82.75% (24/29)	Optional config sections

---

🔍 Notable Findings

1. logs/log-parser.ts — 68.57% branch coverage (22 branches uncovered)

This is the parser that powers awf logs stats and awf logs summary. Uncovered branches include unusual Squid decision codes (e.g., TCP_HIT, TCP_REFRESH_*, TCP_MEM_HIT), empty user-agent fields, and domain extraction edge cases where the host header and url field diverge. A parsing failure silently returns null and drops the log entry, creating gaps in security audit output that could mask blocked access attempts from the aggregated report.

2. commands/validators/network-options.ts — 50% branch coverage (5/10)

validateNetworkOptions is called for every awf invocation and controls how domain whitelists, DNS servers, and upstream proxies are resolved. The 5 uncovered branches are the warning paths for external Docker hosts and DinD split-filesystem hints. These paths are only triggered in production ARC/DinD deployments — not exercised by current unit tests — meaning misconfiguration warnings could regress silently.

3. services/agent-volumes/etc-mounts.ts — 67.85% branch coverage (9/28 uncovered)

This module controls which /etc files (passwd, group, nsswitch.conf, SSL certs, etc.) are bind-mounted into the agent container. The uncovered branches include the synthesizeIdentityFile failure path and UID/GID synthesis fallback logic. Regressions here could result in either credential files being excluded (breaking the agent) or over-permissive mounts being added without a test catching it.

4. domain-patterns.ts — 89.47% branch coverage (2/19 uncovered)

Two branches in domain pattern normalization and validation are not tested. Since this module drives the Squid ACL and determines whether a domain is allowed or blocked, any edge case here has a direct security impact. The uncovered branches likely involve unusual domain formats (e.g., bare IPs, trailing dots, or wildcard patterns).

---

📈 Recommendations

🔴 High — Add log-parser.ts branch coverage

Target: Bring logs/log-parser.ts from 68.57% to ≥95% branch coverage.

Add test cases for:

• Squid decision codes beyond TCP_TUNNEL and TCP_DENIED: TCP_HIT, TCP_MEM_HIT, TCP_REFRESH_MODIFIED, NONE, etc.
• Log lines with "-" in the user-agent field
• Lines where host header is - and domain must be extracted from the URL
• Empty lines, whitespace-only lines, and truncated/partial log lines

Why it matters: Silent null returns from parseLogLine mean blocked connections can disappear from awf logs stats output, undermining the primary security audit mechanism.

🔴 High — Cover etc-mounts.ts error and fallback branches

Target: Bring services/agent-volumes/etc-mounts.ts branches from 67.85% to ≥90%.

Add test cases for:

• synthesizeIdentityFile when mkdirSync or writeFileSync fails (should return undefined gracefully)
• readFileContent when the file does not exist
• UID/GID synthesis when the preferred name collides and a counter suffix is needed
• Cases where the host /etc/passwd is missing the runner's UID entry

Why it matters: This code controls credential file exposure into the agent. Untested error paths could create security regressions that are hard to detect in integration testing.

🟡 Medium — Cover network-options.ts and domain-patterns.ts warning/edge branches

Target: Bring commands/validators/network-options.ts from 50% to ≥90% branch coverage; domain-patterns.ts from 89% to 100%.

For network-options.ts:

• Mock checkDockerHost() to return valid: false with and without a dindHint set
• Verify logger warning messages are emitted for each condition

For domain-patterns.ts:

• Add test cases for patterns with trailing dots, bare IPv4 addresses, and double-wildcard inputs to confirm normalization handles them or rejects them explicitly

Why it matters: network-options.ts warning paths guard against misconfigured ARC/DinD deployments that could break sandbox isolation. domain-patterns.ts edge cases directly affect whether untested domain formats leak through the ACL.

Generated by Test Coverage Reporter · ◷

• expires on Jun 23, 2026, 2:10 PM UTC

[github-actions[bot]]

🔮 The ancient spirits stir; the smoke test agent has passed through the veil and left this omen in the discussion.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex