[Coverage Report] 📊 Test Coverage Report — 2026-06-09

[github-actions[bot]]

Overall Coverage

Metric	Coverage	Covered / Total
Statements	96.38%	4720 / 4897
Branches	90.77%	2587 / 2850
Functions	98.74%	552 / 559
Lines	96.47%	4566 / 4733

Overall coverage is strong. All 108 test files exercise 155 source files with no critical (< 50%) gaps.

---

🔴 Critical Gaps (< 50% statement coverage)

None. All source files are above 50% statement coverage.

---

🟡 Low Coverage (50–79% statement coverage)

File	Stmt	Branch	Func	Lines
src/commands/validators/network-options.ts	66.7% 🟡	50.0%	100%	66.7%

Only one file falls in this range. It validates Docker host and DinD path-prefix options; the uncovered branches (5/10) correspond to DinD-specific error paths that are difficult to trigger in unit tests without a real DinD environment.

---

🛡️ Security-Critical Path Status

File	Stmt	Branch	Func	Status
src/host-iptables.ts	100%	100%	100%	✅ Full
src/squid-config.ts	100%	100%	100%	✅ Full
src/docker-manager.ts	100%	100%	100%	✅ Full
src/domain-patterns.ts	97.7%	95.4%	100%	✅ Excellent
src/cli.ts	85.7%	50.0%	100%	⚠️ Branch gap

src/cli.ts is the only security-relevant file with a branch concern — it has 1 of 2 top-level branches uncovered (likely a fatal-error exit path in command initialization).

Sub-modules are fully covered:

• src/host-iptables-rules.ts — 100% / 98.4% branch
• src/host-iptables-cleanup.ts — 100% all metrics
• src/squid/domain-acl.ts — 100% all metrics
• src/squid/access-rules.ts — 100% all metrics

---

📋 Coverage Table (files < 95% stmt, sorted by stmt%)

File	Stmt	Branch	Func	Lines
src/commands/validators/network-options.ts	66.7% 🟡	50.0%	100%	66.7%
src/squid-log-reader.ts	82.2%	80.0%	100%	82.2%
src/services/agent-volumes/etc-mounts.ts	82.5%	67.8%	100%	82.5%
src/logs/audit-enricher.ts	83.6%	74.1%	100%	89.4%
src/artifact-preservation.ts	85.4%	95.3%	100%	85.4%
src/cli.ts	85.7%	50.0%	100%	85.7%
src/logs/log-parser.ts	86.9%	68.6%	100%	87.8%
src/squid/policy-manifest.ts	87.2%	88.2%	70.0%	87.0%
src/services/agent-volumes/docker-host-staging.ts	87.8%	72.4%	100%	87.2%
src/dind-bootstrap.ts	88.9%	66.7%	100%	88.5%
src/commands/logs-command-helpers.ts	88.5%	83.3%	100%	88.3%
src/services/doh-proxy-service.ts	90.0%	75.0%	100%	90.0%
src/commands/validators/log-and-limits.ts	90.3%	77.6%	100%	90.3%
src/services/host-path-prefix.ts	90.3%	81.6%	100%	88.9%
src/config-writer.ts	90.9%	83.0%	100%	90.9%
src/services/api-proxy-service.ts	91.7%	50.0%	100%	91.7%
src/logs/log-streamer.ts	92.2%	77.8%	88.9%	92.1%
src/commands/build-config.ts	92.8%	92.2%	100%	92.8%
src/commands/main-action.ts	95.6%	88.6%	100%	95.6%

---

🔍 Notable Findings

1. src/cli.ts — branch coverage 50% (1/2 branches)
The main entry point has one uncovered branch. Given 263 files were changed in the recent large refactoring commit (#4584 — "Refactor container lifecycle into focused Squid log and startup diagnostics modules"), this branch gap likely corresponds to a top-level error-exit path (e.g., process.exit on commander parse failure) that is hard to invoke through unit tests. Worth adding a dedicated test for the fatal-initialization path.

2. src/logs/log-parser.ts — branch coverage 68.6% (48/70 branches)
22 uncovered branches in the Squid log parser. This is the component that reads the security audit trail. Edge cases such as malformed timestamps, unexpected field counts, or non-standard Access Log entries are likely not tested. Gaps here could silently drop log lines, masking blocked-traffic events.

3. src/services/agent-volumes/etc-mounts.ts — 67.8% branch (19/28)
This file controls which /etc files are selectively bind-mounted into the agent container (SSL certs, passwd, group, etc., while explicitly excluding /etc/shadow). 9 uncovered branches may represent edge cases in the file-existence checks or conditional mount logic. Testing the "file not found" and "alternative paths" code paths would add confidence to the security boundary.

4. src/dind-bootstrap.ts — 66.7% branch (22/33)
DinD bootstrap has notable branch gaps. As DinD support is a relatively newer feature, some initialization and error-recovery paths may not be exercised by the current test suite. The recent refactoring touched this code path significantly.

---

📈 Recommendations

1. High — src/cli.ts branch coverage: Add a test that exercises the fatal-initialization error path (e.g., commander parse failure or missing required args) to close the 50% branch gap in the security-critical main entry point.

2. High — src/logs/log-parser.ts branches: Add unit tests for malformed Squid access-log lines: missing fields, truncated lines, unexpected HTTP method tokens, and non-standard timestamps. These gaps could silently drop audit trail entries.

3. Medium — src/services/agent-volumes/etc-mounts.ts branches: Test edge cases in /etc selective-mount logic — specifically the paths where expected host files are absent or have unexpected permissions. This validates the security boundary between host and container /etc.

4. Low — src/commands/validators/network-options.ts: Improve to ≥ 80% by mocking checkDockerHost() to return invalid states and exercising the DinD-hint-without-prefix error branch. Not security-critical but improves overall quality signal.

---

Generated by test-coverage-reporter workflow. Trigger: push · Run: 27229459658

Generated by Test Coverage Reporter · 105 AIC · ⊞ 30.7K · ◷

• expires on Jun 16, 2026, 7:16 PM UTC

[github-actions[bot]]

🔮 The ancient spirits stir, and the smoke-test agent has passed through this discussion. May the whitelists remain true and the proxy wards hold.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir; the smoke-test agent has passed through this thread and left the oracle mark.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir; the smoke test agent passed through and left this omen in the thread.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir in the archive. A smoke test agent passed through, left this omen, and departed in linted silence.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir, and the smoke-test agent has passed through this discussion. The omens were logged, the veil was observed, and the runtime remains under watch.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir... the smoke test agent was here, and the omens read PASS.

🔮 The oracle has spoken through Smoke Codex