[Coverage Report] Test Coverage Report — 2026-06-09

[github-actions[bot]]

📊 Test Coverage Report — 2026-06-09

Overall Coverage

Metric	Coverage	Covered / Total
Statements	96.4%	4,720 / 4,897
Branches	90.8%	2,587 / 2,850
Functions	98.7%	552 / 559
Lines	96.5%	4,566 / 4,733

136 source files instrumented · 108 test files · 155 total TypeScript source files

---

🔴 Critical Gaps (< 50% statement coverage)

None. All 136 files exceed 50% statement coverage. ✅

---

🟡 Low Coverage (50–79% statement coverage)

File	Stmts	Branches	Notes
src/commands/validators/network-options.ts	🟡 67%	50% ⚠️	Only 14/21 statements covered; Docker-host warning paths untested

---

🛡️ Security-Critical Path Status

File	Stmts	Branches	Functions	Lines	Status
src/host-iptables.ts	100%	100%	100%	100%	✅ Full coverage
src/squid-config.ts	100%	100%	100%	100%	✅ Full coverage
src/docker-manager.ts	100%	100%	100%	100%	✅ Full coverage
src/domain-patterns.ts	98%	95%	100%	98%	✅ Excellent
src/cli.ts	86%	50%	100%	86%	⚠️ Branch gaps

All five security-critical files meet or exceed the 80% statement threshold. The host-iptables.*, squid-config.ts, and docker-manager.ts modules are at 100% across all metrics — a strong result for the firewall's core enforcement layer.

---

📋 Files with Branch Coverage < 70%

These files have sufficient statement coverage but untested conditional logic:

File	Stmts	Branches
src/cli.ts	86%	50%
src/commands/validators/network-options.ts	67%	50%
src/services/api-proxy-service.ts	92%	50%
src/dind-bootstrap.ts	89%	67%
src/services/agent-environment/environment-builder.ts	94%	67%
src/services/agent-volumes/etc-mounts.ts	83%	68%
src/logs/log-parser.ts	87%	69%

📋 Full Coverage Table (136 files, sorted by statement coverage)

File	Stmts	Branches	Functions	Lines
src/commands/validators/network-options.ts	🟡 67%	50% ⚠️	100%	67%
src/squid-log-reader.ts	🟢 82%	80%	100%	82%
src/services/agent-volumes/etc-mounts.ts	🟢 82%	68% ⚠️	100%	82%
src/logs/audit-enricher.ts	🟢 84%	74%	100%	89%
src/artifact-preservation.ts	🟢 85%	95%	100%	85%
src/cli.ts	🟢 86%	50% ⚠️	100%	86%
src/logs/log-parser.ts	🟢 87%	69% ⚠️	100%	88%
src/squid/policy-manifest.ts	🟢 87%	88%	70%	87%
src/services/agent-volumes/docker-host-staging.ts	🟢 88%	72%	100%	87%
src/commands/logs-command-helpers.ts	🟢 89%	83%	100%	88%
src/dind-bootstrap.ts	🟢 89%	67% ⚠️	100%	88%
src/services/doh-proxy-service.ts	🟢 90%	75%	100%	90%
src/commands/validators/log-and-limits.ts	🟢 90%	78%	100%	90%
src/services/host-path-prefix.ts	🟢 90%	82%	100%	89%
src/config-writer.ts	🟢 91%	83%	100%	91%
src/services/api-proxy-service.ts	🟢 92%	50% ⚠️	100%	92%
src/services/agent-volumes/docker-socket.ts	🟢 92%	93%	100%	92%
src/logs/log-streamer.ts	🟢 92%	78%	89%	92%
src/diagnostic-collector.ts	🟢 92%	100%	100%	92%
src/commands/build-config.ts	🟢 93%	92%	100%	93%
src/commands/validators/agent-options.ts	🟢 93%	89%	100%	93%
src/services/agent-volumes/hosts-file.ts	🟢 93%	90%	100%	93%
src/services/agent-environment/environment-builder.ts	🟢 94%	67% ⚠️	100%	94%
src/squid/ssl-bump.ts	🟢 94%	92%	100%	94%
src/ssl-bump.ts	🟢 94%	85%	100%	95%
src/host-env.ts	🟢 94%	80%	100%	96%
src/logs/log-aggregator.ts	🟢 95%	88%	100%	95%
src/upstream-proxy.ts	🟢 95%	95%	100%	95%
src/services/cli-proxy-service.ts	🟢 95%	93%	100%	95%
src/commands/main-action.ts	🟢 96%	89%	100%	96%
src/parsers/volume-parsers.ts	🟢 96%	100%	100%	96%
src/container-startup-diagnostics.ts	🟢 96%	94%	100%	96%
src/services/agent-volumes/workspace-mounts.ts	🟢 96%	75%	100%	96%
src/container-cleanup.ts	🟢 96%	100%	80%	96%
src/container-lifecycle.ts	🟢 97%	87%	100%	97%
src/services/agent-environment/env-passthrough.ts	🟢 97%	92%	100%	97%
src/commands/validators/config-assembly.ts	🟢 97%	90%	100%	98%
src/compose-sanitizer.ts	🟢 97%	93%	100%	97%
src/logs/log-formatter.ts	🟢 97%	93%	100%	97%
src/domain-patterns.ts	🟢 98%	95%	100%	98%
src/services/agent-service.ts	🟢 98%	95%	100%	98%
src/services/agent-volumes/home-strategy.ts	🟢 98%	83%	100%	98%
src/config-file.ts	🟢 98%	97%	88%	100%
src/rules.ts	🟢 98%	92%	100%	98%
src/compose-generator.ts	🟢 98%	92%	100%	98%
src/pid-tracker.ts	🟢 99%	81%	100%	99%
src/option-parsers.ts	🟢 99%	96%	100%	99%
src/api-proxy-config.ts	🟢 100%	98%	100%	100%
src/cli-options.ts	🟢 100%	93%	100%	100%
src/cli-workflow.ts	🟢 100%	100%	100%	100%
src/host-iptables.ts	🟢 100%	100%	100%	100%
src/host-iptables-rules.ts	🟢 100%	98%	100%	100%
src/host-iptables-shared.ts	🟢 100%	95%	100%	100%
src/squid-config.ts	🟢 100%	100%	100%	100%
src/docker-manager.ts	🟢 100%	100%	100%	100%
src/domain-patterns.ts	🟢 98%	95%	100%	98%
src/redact-secrets.ts	🟢 100%	100%	100%	100%
src/dlp.ts	🟢 100%	100%	100%	100%
src/copilot-api-resolver.ts	🟢 100%	100%	100%	100%
src/services/agent-volumes/credential-hiding.ts	🟢 100%	100%	100%	100%
src/services/service-security.ts	🟢 100%	100%	100%	100%
src/squid/access-rules.ts	🟢 100%	100%	100%	100%
src/squid/domain-acl.ts	🟢 100%	100%	100%	100%
src/squid/validation.ts	🟢 100%	100%	100%	100%
(87 more files all at 100% stmt)	🟢 100%	≥83%	≥80%	100%

---

🔍 Notable Findings

1. src/cli.ts — 50% branch coverage (1/2 branches).
   The entry-point module has its happy path covered, but the error/rejection branch in the top-level main() call is untested. This is the orchestration entrypoint for the entire firewall — an unhandled-rejection scenario here could silently swallow startup errors.

2. src/commands/validators/network-options.ts — 67% stmt / 50% branch (lowest in the codebase).
   Only 14 of 21 statements are covered. The validateNetworkOptions() function handles Docker-host detection and DinD path-prefix warnings — specifically the three logger.warn() paths triggered when DOCKER_HOST is external or when dindHint is set but no prefix is configured. These are real operational paths in ARC/DinD environments.

3. src/services/api-proxy-service.ts — 50% branch coverage (91.7% stmt).
   The API proxy is the credential-injection layer — keys are never exposed to the agent. Half of its conditional logic is untested. The uncovered branches likely include credential-absent or BYOK fallback paths that are critical for the security model.

4. src/services/agent-volumes/etc-mounts.ts — 68% branch coverage.
   This file controls which /etc files are bind-mounted into the agent container. Uncovered branches here could mean untested paths in credential-exclusion logic (e.g., ensuring /etc/shadow is never mounted even under edge-case inputs).

---

📈 Recommendations

1. High — src/commands/validators/network-options.ts: Add tests for the !dockerHostCheck.valid warning path and the dindHint && !dockerHostPathPrefix path in validateNetworkOptions(). These require mocking checkDockerHost() to return { valid: false } and setting AWF_DIND=1.

2. High — src/cli.ts: Cover the rejected-promise branch in main(). A test that mocks runMainWorkflow() to throw should verify the process exits with a non-zero code rather than silently continuing.

3. Medium — src/services/api-proxy-service.ts: Add tests for the uncovered 50% of branches. Focus on: cases where credentials are absent, BYOK fallback logic, and the split-proxy configuration paths — these are the branches most relevant to the credential-isolation security guarantee.

4. Low — src/services/agent-volumes/etc-mounts.ts: Add edge-case tests covering scenarios where the host /etc directory contains unexpected files, verifying that the allowlist logic correctly filters them out and never mounts sensitive files like /etc/shadow.

---

Generated by test-coverage-reporter workflow. Trigger: push · Run: 27231690555

Generated by Test Coverage Reporter · 183.3 AIC · ⊞ 30.7K · ◷

• expires on Jun 16, 2026, 7:58 PM UTC