[Coverage Report] Test Coverage Report — 2026-06-02

[github-actions[bot]]

📊 Overall Coverage

Metric	Coverage	Covered / Total
Statements	96.3%	4,488 / 4,660
Branches	90.4%	2,391 / 2,644
Functions	98.1%	519 / 529
Lines	96.4%	4,346 / 4,506

Overall coverage is excellent. 96 test files covering 147 source files.

---

🔴 Critical Gaps (< 50% statement coverage)

None. All files are above 50% statement coverage.

---

🟡 Low Coverage (50–79% statement coverage)

File	Statements	Branches	Functions
src/commands/validators/network-options.ts	66.7%	50.0%	100.0%

This file validates Docker-host, domain-resolution, and network-configuration options. The uncovered branches are likely the logger.warn() paths triggered when an external DOCKER_HOST is detected but no --docker-host-path-prefix is set — an edge case that requires mocking DOCKER_HOST in tests.

---

🛡️ Security-Critical Path Status

File	Statements	Branches	Functions	Status
src/host-iptables.ts	100.0%	100.0%	100.0%	✅ Full
src/squid-config.ts	100.0%	100.0%	100.0%	✅ Full
src/docker-manager.ts	100.0%	100.0%	100.0%	✅ Full
src/domain-patterns.ts	97.7%	95.4%	100.0%	✅ Excellent
src/cli.ts	85.7%	50.0%	100.0%	⚠️ Branch gap
src/host-iptables-rules.ts	97.7%	96.8%	100.0%	✅ Excellent

All primary security-critical files meet the 70% branch coverage threshold. The src/cli.ts branch gap is low-risk: the uncovered branch is the require.main === module guard (the entry point conditional), which is expected to be uncovered when the module is imported by tests rather than run directly.

---

📋 Full Coverage Table

All files (sorted by statement coverage)

Status	File	Stmt%	Branch%	Fn%
🟡	src/commands/validators/network-options.ts	66.7%	50.0%	100.0%
🟢	src/services/agent-volumes/etc-mounts.ts	82.5%	67.8%	100.0%
🟢	src/logs/audit-enricher.ts	83.6%	74.1%	100.0%
🟢	src/artifact-preservation.ts	85.4%	95.3%	100.0%
🟢	src/cli.ts	85.7%	50.0%	100.0%
🟢	src/logs/log-parser.ts	86.9%	67.1%	100.0%
🟢	src/squid/policy-manifest.ts	87.2%	88.2%	70.0%
🟢	src/services/agent-volumes/docker-host-staging.ts	87.8%	72.4%	100.0%
🟢	src/commands/validators/log-and-limits.ts	88.5%	72.7%	100.0%
🟢	src/commands/logs-command-helpers.ts	88.5%	83.3%	100.0%
🟢	src/services/doh-proxy-service.ts	90.0%	75.0%	100.0%
🟢	src/services/host-path-prefix.ts	90.3%	81.6%	100.0%
🟢	src/config-writer.ts	90.9%	83.0%	100.0%
🟢	src/services/agent-volumes/docker-socket.ts	91.7%	93.3%	100.0%
🟢	src/logs/log-streamer.ts	92.2%	77.8%	88.9%
🟢	src/diagnostic-collector.ts	92.5%	100.0%	100.0%
🟢	src/commands/validators/agent-options.ts	93.0%	88.6%	100.0%
🟢	src/cli-options.ts	93.0%	60.0%	25.0%
🟢	src/services/agent-volumes/hosts-file.ts	93.2%	90.3%	100.0%
🟢	src/services/agent-environment/environment-builder.ts	93.5%	66.7%	100.0%
🟢	src/squid/ssl-bump.ts	93.8%	91.7%	100.0%
🟢	src/ssl-bump.ts	94.0%	84.6%	100.0%
🟢	src/host-env.ts	94.1%	80.0%	100.0%
🟢	src/logs/log-aggregator.ts	94.7%	87.5%	100.0%
🟢	src/upstream-proxy.ts	94.9%	94.7%	100.0%
🟢	src/commands/main-action.ts	95.5%	88.6%	100.0%
🟢	src/services/cli-proxy-service.ts	95.5%	93.3%	100.0%
🟢	src/parsers/volume-parsers.ts	95.8%	100.0%	100.0%
🟢	src/container-lifecycle.ts	95.9%	88.2%	100.0%
🟢	src/pid-tracker.ts	96.3%	76.9%	100.0%
🟢	src/container-cleanup.ts	96.4%	100.0%	80.0%
🟢	src/commands/validators/config-assembly.ts	96.5%	92.8%	100.0%
🟢	src/services/agent-environment/env-passthrough.ts	96.8%	92.0%	100.0%
🟢	src/compose-sanitizer.ts	97.1%	93.3%	100.0%
🟢	src/services/agent-volumes/home-strategy.ts	97.4%	75.0%	100.0%
🟢	src/logs/log-formatter.ts	97.4%	92.8%	100.0%
🟢	src/domain-patterns.ts	97.7%	95.4%	100.0%
🟢	src/host-iptables-rules.ts	97.7%	96.8%	100.0%
🟢	src/services/agent-service.ts	97.8%	94.6%	100.0%
🟢	src/services/api-proxy-service.ts	98.0%	90.5%	100.0%
🟢	src/config-file.ts	98.1%	97.1%	87.5%
🟢	src/rules.ts	98.2%	91.9%	100.0%
🟢	src/compose-generator.ts	98.4%	90.0%	100.0%
🟢	src/option-parsers.ts	98.9%	95.5%	100.0%
🟢	src/host-iptables.ts	100.0%	100.0%	100.0%
🟢	src/squid-config.ts	100.0%	100.0%	100.0%
🟢	src/docker-manager.ts	100.0%	100.0%	100.0%
🟢	src/domain-patterns.ts (see above)	—	—	—
🟢	src/cli-workflow.ts	100.0%	100.0%	100.0%
🟢	src/commands/build-config.ts	100.0%	97.7%	100.0%
🟢	src/commands/logs-audit.ts	100.0%	95.7%	100.0%
🟢	src/commands/logs-stats.ts	100.0%	100.0%	100.0%
🟢	src/commands/logs-summary.ts	100.0%	100.0%	100.0%

---

🔍 Notable Findings

1. src/commands/validators/network-options.ts — branch coverage 50%
   The warning paths for !dockerHostCheck.valid && !dockerHostPathPrefixResolution.dockerHostPathPrefix are untested. This file was recently added and validates external Docker host detection — worth adding a test that sets DOCKER_HOST to a TCP address without providing --docker-host-path-prefix.

2. src/logs/log-parser.ts — branch coverage 67.1%
   Log parsing has many conditional branches for malformed/unexpected log formats. Missing tests likely cover edge cases like truncated lines, unexpected field counts, or non-standard Squid log formats.

3. src/services/agent-volumes/etc-mounts.ts — branch coverage 67.8%
   The /etc selective bind-mount logic has several conditional paths (e.g., handling missing files, alternative path resolution). Missed branches here could silently expose unintended host paths.

4. src/services/agent-environment/environment-builder.ts — branch coverage 66.7%
   Environment variable construction for the agent container has uncovered conditional paths. These could affect credential isolation if edge cases in env var resolution are not exercised.

---

📈 Recommendations

1. High — Add tests for network-options.ts external Docker host branch: mock checkDockerHost() to return { valid: false } and assert the two warning log lines are emitted. Raises branch coverage from 50% → ~100%.

2. Medium — Improve log-parser.ts branch coverage (67.1%): add tests with malformed Squid access log lines (too few fields, non-numeric timestamps, unknown decision codes) to cover error-handling paths.

3. Medium — Cover etc-mounts.ts missing branches (67.8%): test the paths where optional /etc source files don't exist on the host, ensuring the mount list is constructed correctly without throwing.

4. Low — Cover environment-builder.ts missing branches (66.7%): add tests for edge cases where optional env vars are absent or set to empty strings.

---

Generated by test-coverage-reporter workflow. Trigger: push · Run: 26853126443

Generated by Test Coverage Reporter · sonnet46 739.2K · ◷

• expires on Jun 9, 2026, 11:10 PM UTC

[github-actions[bot]]

🔮 The ancient spirits stir, and the smoke test agent has passed through this discussion. The run is sealed in oracle light.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir, and the smoke test agent has passed through this chamber. The omens are favorable; the firewall remains steady.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-06-09T23:10:55.807Z.

Closed by Workflow