[Coverage Report] Test Coverage Report — 2026-06-02

[github-actions[bot]]

Overall Coverage

Metric	Coverage
Statements	96.32% (4510/4682)
Branches	90.48% (2406/2659)
Functions	98.12% (522/532)
Lines	96.46% (4368/4528)

Overall health is excellent. No files fall below 50% statement coverage.

---

🔴 Critical Gaps (< 50% statement coverage)

None. All 149 source files exceed 50% statement coverage.

---

🟡 Low Coverage (50–79% statement coverage)

File	Statements	Branches	Functions
src/commands/validators/network-options.ts	66.7%	50.0%	100%

---

🛡️ Security-Critical Path Status

File	Statements	Branches	Functions
src/host-iptables.ts	✅ 100%	✅ 100%	✅ 100%
src/squid-config.ts	✅ 100%	✅ 100%	✅ 100%
src/docker-manager.ts	✅ 100%	✅ 100%	✅ 100%
src/domain-patterns.ts	✅ 97.7%	✅ 95.4%	✅ 100%
src/cli.ts	🟡 85.7%	🟡 50.0%	✅ 100%
src/host-iptables-rules.ts	✅ 97.7%	✅ 96.8%	✅ 100%

All four primary security-critical files are at or near 100%. The only concern in this group is src/cli.ts with 50% branch coverage.

---

📋 Notable Findings

1. src/cli.ts — branch coverage at 50%

The CLI entry point has full statement/function coverage but only 50% branch coverage. This suggests that error-handling branches and conditional paths (e.g., exception handling in the top-level orchestration, signal-interrupt edge cases) aren't being exercised. Since cli.ts is the main entry point that calls writeConfigs(), startContainers(), runAgentCommand(), and stopContainers(), covering failure branches here provides end-to-end confidence.

Suggested tests: Simulate container-start failures, command execution errors, and SIGINT during startup to cover branches currently missed.

2. src/commands/validators/network-options.ts — 66.7% statements, 50% branches

This validator handles network option parsing and validation — a security-relevant path. With only half the branches covered, some input combinations (likely invalid or edge-case domain/DNS configurations) go untested.

Suggested tests: Test with invalid domain formats, conflicting network options, edge-case DNS server lists, and --upstream-proxy combinations.

3. src/logs/log-parser.ts — 86.9% statements, 67.1% branches

The log parser processes firewall access logs for the awf logs commands. Uncovered branches likely include malformed log line handling and edge-case timestamp parsing. While not directly security-critical, incorrect parsing could mask blocked traffic in reports.

Suggested tests: Feed malformed Squid log lines, lines with missing fields, and boundary timestamp values.

4. src/services/agent-volumes/etc-mounts.ts — 82.5% statements, 67.9% branches

This file controls which /etc paths are bind-mounted into the agent container. Uncovered branches may relate to conditional mount logic (e.g., when certain files don't exist on the host). Incorrect /etc mount decisions could expose shadow or other sensitive files.

Suggested tests: Test with missing host files and non-standard host configurations to verify the deny-by-default behavior holds.

---

📈 Recommendations

1. High — src/cli.ts branch coverage (50%): Add tests for the top-level exception and signal-handling paths. A test that simulates startContainers() throwing an error would immediately improve branch coverage and validate that cleanup still runs.

2. High — src/commands/validators/network-options.ts (66.7% stmt / 50% branch): Add negative validation tests: invalid --allow-domains formats, conflicting --upstream-proxy + --enable-api-proxy scenarios, and edge-case DNS IP inputs.

3. Medium — src/logs/log-parser.ts (67.1% branch): Add fuzz-style tests with malformed log lines. This also validates that the awf logs summary GitHub Actions integration doesn't silently drop blocked-traffic events.

4. Low — src/services/agent-volumes/etc-mounts.ts (67.9% branch): Cover the "file not found on host" conditional paths to verify that missing system files don't silently change the mount set in unexpected ways.

---

📊 Full Coverage Table

Per-file breakdown (all 149 source files)

File	Stmts	Branches	Fns	Lines
src/api-proxy-config.ts	100%	100%	100%	100%
src/artifact-preservation.ts	85.4%	95.3%	100%	85.4%
src/cli-options.ts	93.0%	60.0%	25.0%	93.0%
src/cli-workflow.ts	100%	100%	100%	100%
src/cli.ts	85.7%	50.0%	100%	85.7%
src/commands/build-config.ts	100%	97.7%	100%	100%
src/commands/logs-audit.ts	100%	95.7%	100%	100%
src/commands/logs-command-helpers.ts	88.5%	83.3%	100%	88.3%
src/commands/logs-stats.ts	100%	100%	100%	100%
src/commands/logs-summary.ts	100%	100%	100%	100%
src/commands/logs.ts	100%	100%	100%	100%
src/commands/main-action.ts	95.5%	88.6%	100%	95.4%
src/commands/network-setup.ts	100%	87.0%	100%	100%
src/commands/predownload.ts	100%	100%	100%	100%
src/commands/preflight.ts	100%	83.8%	100%	100%
src/commands/signal-handler.ts	100%	87.5%	100%	100%
src/commands/subcommands.ts	100%	100%	100%	100%
src/commands/validate-options.ts	100%	100%	100%	100%
src/commands/validators/agent-options.ts	93.0%	88.6%	100%	93.0%
src/commands/validators/config-assembly.ts	96.5%	92.8%	100%	97.6%
src/commands/validators/log-and-limits.ts	88.5%	72.7%	100%	88.5%
src/commands/validators/network-options.ts	🟡 66.7%	🟡 50.0%	100%	🟡 66.7%
src/compose-generator.ts	98.4%	90.0%	100%	98.4%
src/compose-sanitizer.ts	97.1%	93.3%	100%	97.1%
src/config-file.ts	98.1%	97.1%	87.5%	100%
src/config-writer.ts	90.9%	83.0%	100%	90.9%
src/container-cleanup.ts	96.4%	100%	80.0%	95.8%
src/container-lifecycle-state.ts	100%	100%	100%	100%
src/container-lifecycle.ts	95.9%	88.2%	100%	95.7%
src/container-stop.ts	100%	100%	100%	100%
src/copilot-api-resolver.ts	100%	100%	100%	100%
src/diagnostic-collector.ts	92.5%	100%	100%	92.5%
src/dind-probe.ts	100%	93.8%	100%	100%
src/dlp.ts	100%	100%	100%	100%
src/dns-resolver.ts	100%	91.7%	100%	100%
src/docker-host.ts	100%	100%	100%	100%
src/docker-manager.ts	✅ 100%	✅ 100%	✅ 100%	✅ 100%
src/domain-patterns.ts	97.7%	95.4%	100%	97.6%
src/domain-utils.ts	100%	100%	100%	100%
src/env-utils.ts	100%	100%	100%	100%
src/github-env.ts	100%	100%	100%	100%
src/host-env.ts	94.1%	80.0%	100%	95.9%
src/host-identity.ts	100%	96.9%	100%	100%
src/host-iptables-cleanup.ts	100%	100%	100%	100%
src/host-iptables-network.ts	100%	100%	100%	100%
src/host-iptables-rules.ts	97.7%	96.8%	100%	97.6%
src/host-iptables-shared.ts	100%	95.0%	100%	100%
src/host-iptables.ts	✅ 100%	✅ 100%	✅ 100%	✅ 100%
src/image-tag.ts	100%	100%	100%	100%
src/log-paths.ts	100%	100%	100%	100%
src/logger.ts	100%	90.9%	100%	100%
src/logs/audit-enricher.ts	83.6%	74.1%	100%	89.4%
src/logs/log-aggregator.ts	94.7%	87.5%	100%	94.7%
src/logs/log-discovery.ts	100%	90.0%	100%	100%
src/logs/log-formatter.ts	97.4%	92.9%	100%	97.3%
src/logs/log-parser.ts	86.9%	67.1%	100%	87.8%
src/logs/log-streamer.ts	92.2%	77.8%	88.9%	92.1%
src/logs/stats-formatter.ts	100%	93.5%	100%	100%
src/option-parsers.ts	98.9%	95.6%	100%	98.8%
src/pid-tracker.ts	96.3%	76.9%	100%	97.4%
src/redact-secrets.ts	100%	100%	100%	100%
src/rules.ts	98.2%	91.9%	100%	98.1%
src/schema-validator.ts	100%	100%	100%	100%
src/services/agent-environment/api-proxy-environment.ts	100%	92.9%	100%	100%
src/services/agent-environment/core-environment.ts	100%	100%	100%	100%
src/services/agent-environment/env-passthrough.ts	96.8%	92.0%	100%	96.8%
src/services/agent-environment/environment-builder.ts	93.5%	66.7%	100%	93.5%
src/services/agent-environment/github-actions-environment.ts	100%	95.0%	100%	100%
src/services/agent-environment/host-path-recovery.ts	100%	90.0%	100%	100%
src/services/agent-environment/observability-environment.ts	100%	100%	100%	100%
src/services/agent-environment/proxy-environment.ts	100%	100%	100%	100%
src/services/agent-environment/tool-specific-environment.ts	100%	95.2%	100%	100%
src/services/agent-service.ts	97.8%	94.6%	100%	97.7%
src/services/agent-volumes.ts	100%	100%	100%	100%
src/services/agent-volumes/credential-hiding.ts	100%	100%	100%	100%
src/services/agent-volumes/docker-host-staging.ts	87.8%	72.4%	100%	87.2%
src/services/agent-volumes/docker-socket.ts	91.7%	93.3%	100%	91.7%
src/services/agent-volumes/etc-mounts.ts	82.5%	67.9%	100%	82.5%
src/services/agent-volumes/home-strategy.ts	97.4%	75.0%	100%	97.4%
src/services/agent-volumes/hosts-file.ts	93.2%	90.3%	100%	92.9%
src/services/agent-volumes/ssl-mounts.ts	100%	100%	100%	100%
src/services/agent-volumes/system-mounts.ts	100%	100%	100%	100%
src/services/agent-volumes/volume-builder.ts	100%	100%	100%	100%
src/services/agent-volumes/workspace-mounts.ts	96.3%	75.0%	100%	96.3%
src/services/api-proxy-credential-env.ts	100%	100%	100%	100%
src/services/api-proxy-service-config.ts	97.7%	87.7%	100%	100%
src/services/api-proxy-service.ts	91.7%	50.0%	100%	91.7%
src/services/cli-proxy-service.ts	95.5%	93.3%	100%	95.5%
src/services/doh-proxy-service.ts	90.0%	75.0%	100%	90.0%
src/services/host-path-prefix.ts	90.3%	81.6%	100%	88.9%
src/services/service-security.ts	100%	100%	100%	100%
src/services/squid-service.ts	100%	100%	100%	100%
src/squid-config.ts	✅ 100%	✅ 100%	✅ 100%	✅ 100%
src/squid/access-rules.ts	100%	100%	100%	100%
src/squid/acl-generator.ts	100%	100%	100%	100%
src/squid/config-generator.ts	100%	100%	100%	100%
src/squid/config-sections.ts	100%	82.8%	100%	100%
src/squid/domain-acl.ts	100%	100%	100%	100%
src/squid/policy-manifest.ts	87.2%	88.2%	70.0%	87.0%
src/squid/ssl-bump.ts	93.8%	91.7%	100%	93.8%
src/squid/upstream-proxy.ts	100%	100%	100%	100%
src/squid/validation.ts	100%	100%	100%	100%
src/ssl-bump.ts	94.0%	84.6%	100%	94.7%
src/upstream-proxy.ts	94.9%	94.7%	100%	94.5%

---

Generated by test-coverage-reporter workflow. Trigger: push · Run: 26854267200

Generated by Test Coverage Reporter · sonnet46 871.2K · ◷

• expires on Jun 9, 2026, 11:37 PM UTC

[github-actions[bot]]

🔮 The ancient spirits stir: the smoke test agent has passed through this thread, and the run remains aligned with the warding sigils.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-06-09T23:37:13.518Z.

Closed by Workflow