[Coverage Report] Test Coverage Report — 2026-06-11

[github-actions[bot]]

📊 Test Coverage Report — 2026-06-11

Overall Coverage

Metric	Coverage
Statements	96.38%
Branches	90.78%
Functions	98.77%
Lines	96.46%

108 test files covering 155 source files (47 test-utils/helpers excluded from counts).

---

🔴 Critical Gaps (< 50% statement coverage)

None. All files are above 50% statement coverage.

---

🟡 Low Coverage (50–79% statement coverage)

File	Stmts	Branch	Funcs	Lines
🟡 src/commands/validators/network-options.ts	66.66%	50%	100%	66.66%

---

🛡️ Security-Critical Path Status

File	Stmts	Branch	Funcs	Status
src/host-iptables.ts	100%	100%	100%	✅ Full
src/host-iptables-rules.ts	100%	97.01%	100%	✅ Full
src/host-iptables-network.ts	100%	100%	100%	✅ Full
src/host-iptables-cleanup.ts	100%	100%	100%	✅ Full
src/host-iptables-shared.ts	100%	95%	100%	✅ Full
src/squid-config.ts	100%	100%	100%	✅ Full
src/squid/access-rules.ts	100%	100%	100%	✅ Full
src/squid/acl-generator.ts	100%	100%	100%	✅ Full
src/squid/domain-acl.ts	100%	100%	100%	✅ Full
src/docker-manager.ts	100%	100%	100%	✅ Full
src/domain-patterns.ts	97.67%	95.38%	100%	✅ Strong
src/rules.ts	98.18%	91.89%	100%	✅ Strong
src/squid/ssl-bump.ts	93.75%	91.66%	100%	✅ Good
src/squid/policy-manifest.ts	87.23%	88.23%	70%	✅ Good
src/cli.ts	85.71%	50%	100%	✅ Adequate

---

📋 Notable Files with Incomplete Coverage

Files below 100% that warrant attention (security-critical or low branch coverage):

File	Stmts	Branch	Funcs	Lines
🟡 src/commands/validators/network-options.ts	66.66%	50%	100%	66.66%
src/services/api-proxy-service.ts	91.66%	50%	100%	91.66%
src/services/agent-environment/environment-builder.ts	93.54%	66.66%	100%	93.54%
src/dind-bootstrap.ts	88.88%	66.66%	100%	88.46%
src/services/agent-volumes/etc-mounts.ts	82.45%	67.85%	100%	82.45%
src/logs/log-parser.ts	86.9%	68.57%	100%	87.8%
src/artifact-preservation.ts	85.36%	95.34%	100%	85.36%
src/squid/policy-manifest.ts	87.23%	88.23%	70%	86.95%
src/cli.ts	85.71%	50%	100%	85.71%

📋 Full Coverage Table (all files with imperfect coverage)

File	Stmts	Branch	Funcs	Lines
🟡 src/commands/validators/network-options.ts	66.66%	50%	100%	66.66%
src/squid-log-reader.ts	82.22%	80%	100%	82.22%
src/services/agent-volumes/etc-mounts.ts	82.45%	67.85%	100%	82.45%
src/logs/audit-enricher.ts	83.6%	74.13%	100%	89.36%
src/artifact-preservation.ts	85.36%	95.34%	100%	85.36%
src/cli.ts	85.71%	50%	100%	85.71%
src/logs/log-parser.ts	86.9%	68.57%	100%	87.8%
src/squid/policy-manifest.ts	87.23%	88.23%	70%	86.95%
src/services/agent-volumes/docker-host-staging.ts	87.75%	72.41%	100%	87.23%
src/commands/logs-command-helpers.ts	88.52%	83.33%	100%	88.33%
src/dind-bootstrap.ts	88.88%	66.66%	100%	88.46%
src/services/doh-proxy-service.ts	90%	75%	100%	90%
src/commands/validators/log-and-limits.ts	90.32%	77.58%	100%	90.32%
src/services/host-path-prefix.ts	90.32%	81.57%	100%	88.88%
src/config-writer.ts	90.9%	82.97%	100%	90.9%
src/services/agent-volumes/docker-socket.ts	91.66%	93.33%	100%	91.66%
src/services/api-proxy-service.ts	91.66%	50%	100%	91.66%
src/logs/log-streamer.ts	92.18%	77.77%	88.88%	92.06%
src/services/agent-volumes/system-mounts.ts	92.3%	75%	100%	92.3%
src/diagnostic-collector.ts	92.5%	100%	100%	92.5%
src/commands/build-config.ts	92.85%	92.2%	100%	92.85%
src/commands/validators/agent-options.ts	92.98%	88.57%	100%	92.98%
src/services/agent-volumes/hosts-file.ts	93.22%	90.32%	100%	92.85%
src/services/agent-environment/environment-builder.ts	93.54%	66.66%	100%	93.54%
src/squid/ssl-bump.ts	93.75%	91.66%	100%	93.75%
src/ssl-bump.ts	93.96%	84.61%	100%	94.69%
src/host-env.ts	94.11%	80%	100%	95.91%
src/logs/log-aggregator.ts	94.73%	87.5%	100%	94.66%
src/commands/main-action.ts	94.8%	89.18%	100%	94.8%
src/upstream-proxy.ts	94.93%	94.73%	100%	94.52%
src/services/cli-proxy-service.ts	95.45%	93.33%	100%	95.45%
src/parsers/volume-parsers.ts	95.83%	100%	100%	95.83%
src/container-startup-diagnostics.ts	96.15%	93.87%	100%	96%
src/services/agent-volumes/workspace-mounts.ts	96.29%	75%	100%	96.29%
src/container-cleanup.ts	96.42%	100%	80%	95.83%
src/container-lifecycle.ts	96.77%	86.84%	100%	96.59%
src/services/agent-environment/env-passthrough.ts	96.77%	92.3%	100%	96.77%
src/compose-sanitizer.ts	97.14%	93.33%	100%	97.05%
src/commands/validators/config-assembly.ts	97.39%	92.07%	100%	98.23%
src/logs/log-formatter.ts	97.43%	92.85%	100%	97.29%
src/domain-patterns.ts	97.67%	95.38%	100%	97.61%
src/services/agent-service.ts	97.77%	94.64%	100%	97.67%
src/services/agent-volumes/home-strategy.ts	97.77%	83.33%	100%	97.72%
src/config-file.ts	98.11%	97.29%	87.5%	100%
src/rules.ts	98.18%	91.89%	100%	98.11%
src/compose-generator.ts	98.43%	92.5%	100%	98.43%
src/pid-tracker.ts	98.78%	80.76%	100%	98.7%
src/option-parsers.ts	98.88%	95.55%	100%	98.82%

---

🔍 Notable Findings

1. src/commands/validators/network-options.ts — DinD/Docker host warning paths untested (lines 48–77)
The function validateNetworkOptions has branches for external DOCKER_HOST detection and ARC/DinD split-filesystem hints (lines 47–77). These emit logger.warn() calls that require an external Docker socket to trigger. No test covers the !dockerHostCheck.valid or dindHint branches, leaving two out of four network-option validation branches uncovered.

2. src/cli.ts — 50% branch coverage on module guard (line 11–12)
The only uncovered lines are the top-level if (require.main === module) guard. This is a structural limitation of unit tests that import the module rather than invoke it as a process entry point. The execution path itself is indirectly exercised by integration-style tests in cli-workflow.test.ts.

3. src/logs/log-parser.ts — IPv6 destination parsing uncovered (lines 178–203)
The bracketed-IPv6 parser branch (rawDest.startsWith('[')) is not exercised by any test. Since Squid access logs can contain IPv6 destination addresses, this path could silently produce incorrect destIp/destPort values for IPv6 upstreams. Added as part of the structured log parsing refactor.

4. src/artifact-preservation.ts — New file from recent commit, 85% statement coverage
Commit e99d0a8 (2026-06-10) introduced src/artifact-preservation.ts to persist a redacted resolved-config audit artifact at startup. Uncovered lines are in error-handling catch blocks for filesystem failures. The happy path is well tested; the failure paths (permissions errors, disk-full scenarios) are not.

---

📈 Recommendations

1. High — src/logs/log-parser.ts IPv6 parsing (lines 178–203): Add a unit test that passes a Squid log line with a bracketed-IPv6 destination (e.g., [2001:db8::1]:443). This is a latent correctness bug in a security-relevant log path — incorrect dest IP/port would silently corrupt audit records.

2. Medium — src/commands/validators/network-options.ts DinD warning branches (lines 47–77): Mock checkDockerHost() to return { valid: false } and resolveDockerHostPathPrefix() to return { dindHint: true, dockerHostPathPrefix: undefined } to cover the two missing branch pairs.

3. Medium — src/artifact-preservation.ts error paths: Add tests that mock fs.writeFileSync to throw, confirming that filesystem errors during config persistence are handled gracefully and don't abort the main workflow.

4. Low — src/squid/policy-manifest.ts anonymous functions (3 uncovered, 70% fn coverage): The three uncovered anonymous functions appear to be lazy-eval accessors. Add tests exercising findPolicyManifestForSource() with source inputs that trigger the lazy paths.

---

Generated by test-coverage-reporter workflow on 2026-06-11. Trigger: push. Commit: e99d0a8 (feat: persist redacted resolved config as audit artifact).

Generated by Test Coverage Reporter · 119.6 AIC · ⊞ 30.7K · ◷

• expires on Jun 18, 2026, 12:39 AM UTC

[github-actions[bot]]

🔮 The ancient spirits stir; the smoke test agent passed through the veil and left this rune behind.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-06-18T00:39:29.646Z.

Closed by Workflow

[github-actions[bot]]

🔮 The ancient spirits stir, and the smoke-test agent has passed through this discussion. The omens are clear: the build held, the browser bore GitHub’s name, and the workflow remained intact.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex