[Coverage Report] Test Coverage Report — 2026-06-09

[github-actions[bot]]

📊 Test Coverage Report — 2026-06-09

Overall Coverage

Metric	Coverage	Covered / Total
Statements	96.39% 🟢	4,758 / 4,936
Branches	90.75% 🟢	2,621 / 2,888
Functions	98.76% 🟢	562 / 569
Lines	96.47% 🟢	4,604 / 4,772

108 test files covering 155 source files.

---

🔴 Critical Gaps (< 50% statement coverage)

None. All files are above 50% statement coverage.

---

🟡 Low Coverage (50–79% statement coverage)

File	Stmts	Branches
src/commands/validators/network-options.ts	🟡 67%	🟡 50%

---

🛡️ Security-Critical Path Status

File	Stmts	Branches	Funcs	Status
src/host-iptables.ts	✅ 100%	✅ 100%	✅ 100%	✅ Fully covered
src/squid-config.ts	✅ 100%	✅ 100%	✅ 100%	✅ Fully covered
src/docker-manager.ts	✅ 100%	✅ 100%	✅ 100%	✅ Fully covered
src/domain-patterns.ts	🟢 98%	🟢 95%	✅ 100%	✅ Well covered
src/cli.ts	🟢 86%	🟡 50%	✅ 100%	⚠️ Branch gap

All primary security modules (host-iptables, squid-config, docker-manager) have 100% coverage. The cli.ts entry point has a branch gap (1 of 2 branches covered) but the file is only 13 lines — it's the top-level main() export/invocation split.

---

📋 Full Coverage Table

View all 130+ files (click to expand)

File	Stmts	Branch	Funcs	Lines
src/commands/validators/network-options.ts	🟡 67%	🟡 50%	✅ 100%	🟡 67%
src/squid-log-reader.ts	🟢 82%	🟢 80%	✅ 100%	🟢 82%
src/services/agent-volumes/etc-mounts.ts	🟢 82%	🟡 68%	✅ 100%	🟢 82%
src/logs/audit-enricher.ts	🟢 84%	🟡 74%	✅ 100%	🟢 89%
src/artifact-preservation.ts	🟢 85%	🟢 95%	✅ 100%	🟢 85%
src/cli.ts	🟢 86%	🟡 50%	✅ 100%	🟢 86%
src/logs/log-parser.ts	🟢 87%	🟡 69%	✅ 100%	🟢 88%
src/squid/policy-manifest.ts	🟢 87%	🟢 88%	🟡 70%	🟢 87%
src/services/agent-volumes/docker-host-staging.ts	🟢 88%	🟡 72%	✅ 100%	🟢 87%
src/commands/logs-command-helpers.ts	🟢 89%	🟢 83%	✅ 100%	🟢 88%
src/dind-bootstrap.ts	🟢 89%	🟡 67%	✅ 100%	🟢 88%
src/services/doh-proxy-service.ts	🟢 90%	🟡 75%	✅ 100%	🟢 90%
src/commands/validators/log-and-limits.ts	🟢 90%	🟡 78%	✅ 100%	🟢 90%
src/services/host-path-prefix.ts	🟢 90%	🟢 82%	✅ 100%	🟢 89%
src/config-writer.ts	🟢 91%	🟢 83%	✅ 100%	🟢 91%
src/services/api-proxy-service.ts	🟢 92%	🟡 50%	✅ 100%	🟢 92%
src/services/agent-volumes/docker-socket.ts	🟢 92%	🟢 93%	✅ 100%	🟢 92%
src/logs/log-streamer.ts	🟢 92%	🟡 78%	🟢 89%	🟢 92%
src/services/agent-volumes/system-mounts.ts	🟢 92%	🟡 75%	✅ 100%	🟢 92%
src/diagnostic-collector.ts	🟢 92%	✅ 100%	✅ 100%	🟢 92%
src/commands/build-config.ts	🟢 93%	🟢 92%	✅ 100%	🟢 93%
src/commands/validators/agent-options.ts	🟢 93%	🟢 89%	✅ 100%	🟢 93%
src/services/agent-volumes/hosts-file.ts	🟢 93%	🟢 90%	✅ 100%	🟢 93%
src/services/agent-environment/environment-builder.ts	🟢 94%	🟡 67%	✅ 100%	🟢 94%
src/squid/ssl-bump.ts	🟢 94%	🟢 92%	✅ 100%	🟢 94%
src/ssl-bump.ts	🟢 94%	🟢 85%	✅ 100%	🟢 95%
src/host-env.ts	🟢 94%	🟢 80%	✅ 100%	🟢 96%
src/logs/log-aggregator.ts	🟢 95%	🟢 88%	✅ 100%	🟢 95%
src/upstream-proxy.ts	🟢 95%	🟢 95%	✅ 100%	🟢 95%
src/services/cli-proxy-service.ts	🟢 95%	🟢 93%	✅ 100%	🟢 95%
src/commands/main-action.ts	🟢 96%	🟢 89%	✅ 100%	🟢 96%
src/container-startup-diagnostics.ts	🟢 96%	🟢 94%	✅ 100%	🟢 96%
src/services/agent-volumes/workspace-mounts.ts	🟢 96%	🟡 75%	✅ 100%	🟢 96%
src/container-cleanup.ts	🟢 96%	✅ 100%	🟢 80%	🟢 96%
src/container-lifecycle.ts	🟢 97%	🟢 87%	✅ 100%	🟢 97%
src/compose-sanitizer.ts	🟢 97%	🟢 93%	✅ 100%	🟢 97%
src/commands/validators/config-assembly.ts	🟢 97%	🟢 91%	✅ 100%	🟢 98%
src/logs/log-formatter.ts	🟢 97%	🟢 93%	✅ 100%	🟢 97%
src/domain-patterns.ts	🟢 98%	🟢 95%	✅ 100%	🟢 98%
src/services/agent-service.ts	🟢 98%	🟢 95%	✅ 100%	🟢 98%
src/config-file.ts	🟢 98%	🟢 97%	🟢 88%	✅ 100%
src/rules.ts	🟢 98%	🟢 92%	✅ 100%	🟢 98%
src/compose-generator.ts	🟢 98%	🟢 92%	✅ 100%	🟢 98%
src/option-parsers.ts	🟢 99%	🟢 96%	✅ 100%	🟢 99%
src/host-iptables.ts	✅ 100%	✅ 100%	✅ 100%	✅ 100%
src/squid-config.ts	✅ 100%	✅ 100%	✅ 100%	✅ 100%
src/docker-manager.ts	✅ 100%	✅ 100%	✅ 100%	✅ 100%
src/host-iptables-cleanup.ts	✅ 100%	✅ 100%	✅ 100%	✅ 100%
src/host-iptables-network.ts	✅ 100%	✅ 100%	✅ 100%	✅ 100%
src/host-iptables-rules.ts	✅ 100%	🟢 97%	✅ 100%	✅ 100%
src/host-iptables-shared.ts	✅ 100%	🟢 95%	✅ 100%	✅ 100%
src/api-proxy-config.ts	✅ 100%	🟢 98%	✅ 100%	✅ 100%
src/cli-options.ts	✅ 100%	🟢 93%	✅ 100%	✅ 100%
src/cli-workflow.ts	✅ 100%	✅ 100%	✅ 100%	✅ 100%
src/dlp.ts	✅ 100%	✅ 100%	✅ 100%	✅ 100%
src/dns-resolver.ts	✅ 100%	🟢 92%	✅ 100%	✅ 100%
src/copilot-api-resolver.ts	✅ 100%	✅ 100%	✅ 100%	✅ 100%
src/redact-secrets.ts	✅ 100%	✅ 100%	✅ 100%	✅ 100%
src/squid/access-rules.ts	✅ 100%	✅ 100%	✅ 100%	✅ 100%
src/squid/acl-generator.ts	✅ 100%	✅ 100%	✅ 100%	✅ 100%
src/squid/config-generator.ts	✅ 100%	✅ 100%	✅ 100%	✅ 100%
src/squid/domain-acl.ts	✅ 100%	✅ 100%	✅ 100%	✅ 100%
src/squid/upstream-proxy.ts	✅ 100%	✅ 100%	✅ 100%	✅ 100%
src/squid/validation.ts	✅ 100%	✅ 100%	✅ 100%	✅ 100%
src/services/agent-volumes/credential-hiding.ts	✅ 100%	✅ 100%	✅ 100%	✅ 100%
src/services/squid-service.ts	✅ 100%	✅ 100%	✅ 100%	✅ 100%
(remaining files at 100% omitted for brevity)	—	—	—	—

---

🔍 Notable Findings

1. src/commands/validators/network-options.ts — 50% branch coverage (5/10)
The uncovered branches are the DinD/ARC-related warning paths inside validateNetworkOptions: the !dockerHostCheck.valid warning block and the dindHint && !dockerHostPathPrefix multi-line warning. These branches guard important user-facing warnings for split-filesystem setups. Tests should simulate an external/non-standard DOCKER_HOST to exercise these paths.

2. src/logs/log-parser.ts — 69% branch coverage (48/70)
22 uncovered branches in log parsing logic suggest missing tests for malformed or unusual Squid log entries — truncated lines, missing fields, non-standard status codes, and edge-case timestamp formats. These gaps won't affect security directly but could produce silent parse failures in awf logs commands.

3. src/dind-bootstrap.ts — 67% branch coverage (22/33)
The DinD bootstrap has 11 uncovered branches. Likely untested: failure paths when bootstrap probes time out, when the Docker socket is unreachable, or when pre-checks fail. Given the DinD flow is critical for ARC runners, these should be covered.

4. src/services/api-proxy-service.ts — 50% branch coverage (1/2)
Only 1 of 2 branches covered in this 43-line file. The recent commit (#4592) refactored collectRequestBody/transformRequestBody into separate functions; the extracted helpers appear well-tested in dedicated test files, but the top-level buildApiProxyService conditional path may have a gap.

---

📈 Recommendations

1. High: Cover the DinD warning branches in src/commands/validators/network-options.ts — mock DOCKER_HOST to a TCP/non-standard socket in validateNetworkOptions tests to hit the !valid and dindHint warning paths.

2. Medium: Add edge-case tests for src/logs/log-parser.ts — focus on malformed log lines (missing host header, truncated entries, IPv6 addresses) to close the 22 uncovered branches.

3. Medium: Expand src/dind-bootstrap.ts tests to cover failure/timeout paths — simulate a Docker socket that is unreachable or responds with an error.

4. Low: Add a test for the error branch in src/services/api-proxy-service.ts to bring it from 50% to full branch coverage.

---

Generated by test-coverage-reporter workflow. Trigger: push · Run: 27231888984

Generated by Test Coverage Reporter · 179.9 AIC · ⊞ 30.7K · ◷

• expires on Jun 16, 2026, 8:07 PM UTC

[github-actions[bot]]

🔮 The ancient spirits stir, and the smoke-test agent has passed through this discussion. The omens are clear: the validation rites were observed, the build held, and the run left only a quiet echo in its wake.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir, and the smoke test agent has passed through this discussion. The omens were read, the path was traced, and the visit is now sealed.

🔮 The oracle has spoken through Smoke Codex