You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file has no test file (network-options.test.ts does not exist). The untested branches cover Docker-host detection warnings: the !dockerHostCheck.valid, dindHint, and path-prefix-missing warning paths.
🛡️ Security-Critical Path Status
File
Stmt%
Branch%
Fn%
Status
src/host-iptables.ts
100%
100%
100%
✅ Fully covered
src/squid-config.ts
100%
100%
100%
✅ Fully covered
src/docker-manager.ts
100%
100%
100%
✅ Fully covered
src/domain-patterns.ts
97.67%
95.38%
100%
✅ Excellent
src/cli.ts
85.71%
50.0%
100%
⚠️ 1 branch uncovered
src/cli.ts is a thin 12-line entry point — the sole uncovered branch is the require.main === module guard (the "module imported" path is never exercised by tests, which is generally acceptable).
1. src/commands/validators/network-options.ts — No test file (66.7% stmt, 50% branch)
The Docker-host detection warning paths (external TCP socket detected, DinD hint with no path-prefix set) are completely untested. These warnings directly affect DinD/ARC runner setups where misconfiguration causes silent bind-mount failures. A new network-options.test.ts with mocked checkDockerHost() / resolveDockerHostPathPrefix() returns would close this gap.
2. src/logs/log-parser.ts — 22 uncovered branches (86.9% stmt, 68.6% branch)
The Squid log parser has significant branch coverage gaps. Given that log parsing feeds audit trails and the awf logs commands, malformed or edge-case log lines (empty fields, unusual status codes, IPv6 addresses) likely hit uncovered paths. These are particularly important now that awf logs audit is new functionality added in the last 7 days.
3. src/logs/audit-enricher.ts — 15 uncovered branches (83.6% stmt, 74.1% branch)
The ACL-matching logic in domainMatchesRule() and protocolMatchesRule() has 15 uncovered branches. This is the code that determines whether a log entry is "allowed" or "blocked" in audit output — incorrect enrichment would produce misleading security reports.
4. src/dind-bootstrap.ts — 11 uncovered branches (88.9% stmt, 66.7% branch)
The DinD bootstrap error paths (container start failures, network setup failures) are not covered. These code paths only execute in DinD environments, making them harder to test, but they protect against silent misconfiguration in ARC/DinD setups.
📈 Recommendations
High — Add network-options.test.ts: This is the only file with no test coverage at all. The Docker-host detection warnings are user-visible and affect DinD users. Mock checkDockerHost() to return invalid/DinD states and assert the logger warning calls. Estimated: ~50 lines of tests.
High — Expand log-parser.test.ts branch coverage: The 22 uncovered branches in log-parser.ts represent log format variations. Add test cases for: IPv6 client addresses, missing/dash-placeholder fields, NONE hierarchy codes, and entries with unusual Squid status codes. This also validates the awf logs audit pipeline end-to-end.
Medium — Cover audit-enricher.ts protocol-matching branches: Add cases where entry.protocol is http (not https) and where ACL domains use the . prefix wildcard form. The all ACL rule path (lines 101–106) also appears uncovered.
Low — dind-bootstrap.ts error paths: Add tests with mocked execa that simulate container start failures and network setup errors. These paths are hard to trigger in a standard test environment but important for DinD reliability.
Generated by test-coverage-reporter workflow · Trigger: push · Commit: c2c9340 (refactor: split model-resolver.js into focused modules)
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
-
📊 Test Coverage Report — 2026-06-09
Overall Coverage
🔴 Critical Gaps (< 50% statement coverage)
None. All files are above 50% statement coverage.
🟡 Low Coverage (50–79% statement coverage)
src/commands/validators/network-options.ts🛡️ Security-Critical Path Status
src/host-iptables.tssrc/squid-config.tssrc/docker-manager.tssrc/domain-patterns.tssrc/cli.tssrc/cli.tsis a thin 12-line entry point — the sole uncovered branch is therequire.main === moduleguard (the "module imported" path is never exercised by tests, which is generally acceptable).📋 Files with Branch Coverage < 75% (all above 80% statements)
src/commands/validators/network-options.tssrc/dind-bootstrap.tssrc/services/agent-volumes/etc-mounts.tssrc/logs/log-parser.tssrc/services/agent-environment/environment-builder.tssrc/logs/audit-enricher.tssrc/services/agent-volumes/docker-host-staging.ts🔍 Notable Findings
1.
src/commands/validators/network-options.ts— No test file (66.7% stmt, 50% branch)The Docker-host detection warning paths (external TCP socket detected, DinD hint with no path-prefix set) are completely untested. These warnings directly affect DinD/ARC runner setups where misconfiguration causes silent bind-mount failures. A new
network-options.test.tswith mockedcheckDockerHost()/resolveDockerHostPathPrefix()returns would close this gap.2.
src/logs/log-parser.ts— 22 uncovered branches (86.9% stmt, 68.6% branch)The Squid log parser has significant branch coverage gaps. Given that log parsing feeds audit trails and the
awf logscommands, malformed or edge-case log lines (empty fields, unusual status codes, IPv6 addresses) likely hit uncovered paths. These are particularly important now thatawf logs auditis new functionality added in the last 7 days.3.
src/logs/audit-enricher.ts— 15 uncovered branches (83.6% stmt, 74.1% branch)The ACL-matching logic in
domainMatchesRule()andprotocolMatchesRule()has 15 uncovered branches. This is the code that determines whether a log entry is "allowed" or "blocked" in audit output — incorrect enrichment would produce misleading security reports.4.
src/dind-bootstrap.ts— 11 uncovered branches (88.9% stmt, 66.7% branch)The DinD bootstrap error paths (container start failures, network setup failures) are not covered. These code paths only execute in DinD environments, making them harder to test, but they protect against silent misconfiguration in ARC/DinD setups.
📈 Recommendations
High — Add
network-options.test.ts: This is the only file with no test coverage at all. The Docker-host detection warnings are user-visible and affect DinD users. MockcheckDockerHost()to return invalid/DinD states and assert the logger warning calls. Estimated: ~50 lines of tests.High — Expand
log-parser.test.tsbranch coverage: The 22 uncovered branches inlog-parser.tsrepresent log format variations. Add test cases for: IPv6 client addresses, missing/dash-placeholder fields,NONEhierarchy codes, and entries with unusual Squid status codes. This also validates theawf logs auditpipeline end-to-end.Medium — Cover
audit-enricher.tsprotocol-matching branches: Add cases whereentry.protocolishttp(nothttps) and where ACL domains use the.prefix wildcard form. TheallACL rule path (lines 101–106) also appears uncovered.Low —
dind-bootstrap.tserror paths: Add tests with mockedexecathat simulate container start failures and network setup errors. These paths are hard to trigger in a standard test environment but important for DinD reliability.Generated by test-coverage-reporter workflow · Trigger:
push· Commit:c2c9340(refactor: split model-resolver.js into focused modules)Beta Was this translation helpful? Give feedback.
All reactions