[Coverage Report] Test Coverage Report — 2026-06-09

[github-actions[bot]]

📊 Test Coverage Report — 2026-06-09

Overall Coverage

Metric	Coverage	Covered / Total
Statements	96.39%	4,758 / 4,936
Branches	90.75%	2,621 / 2,888
Functions	98.76%	562 / 569
Lines	96.47%	4,604 / 4,772

📈 Significant improvement since baseline COVERAGE_SUMMARY.md (38.39% → 96.39% statements). Test infrastructure is now comprehensive.

---

🔴 Critical Gaps (< 50% statement coverage)

None. All 141 source files exceed 50% statement coverage.

---

🟡 Low Statement Coverage (50–79%)

File	Statements	Branches	Notes
src/commands/validators/network-options.ts	66.66%	50%	DinD/Docker-host validation paths

---

🛡️ Security-Critical Path Status

File	Statements	Branches	Functions	Status
src/host-iptables.ts	100%	100%	100%	✅ Perfect
src/host-iptables-rules.ts	100%	97.01%	100%	✅ Excellent
src/host-iptables-shared.ts	100%	95%	100%	✅ Excellent
src/squid-config.ts	100%	100%	100%	✅ Perfect
src/squid/access-rules.ts	100%	100%	100%	✅ Perfect
src/squid/acl-generator.ts	100%	100%	100%	✅ Perfect
src/squid/domain-acl.ts	100%	100%	100%	✅ Perfect
src/domain-patterns.ts	97.67%	95.38%	100%	✅ Excellent
src/docker-manager.ts	100%	100%	100%	✅ Perfect

All security-critical paths meet or exceed the ≥ 90% branch coverage threshold.

---

🔍 Branch Coverage Gaps (< 80%)

The following files have branch coverage below 80% — no statement gaps, but some conditional paths are untested:

File	Stmt	Branch	Uncovered Branches
src/cli.ts	85.71%	50%	1/2 branches
src/commands/validators/network-options.ts	66.66%	50%	5/10 branches — DinD detection logic
src/services/api-proxy-service.ts	91.66%	50%	1/2 branches
src/dind-bootstrap.ts	88.88%	66.66%	11/33 branches — DinD setup edge cases
src/services/agent-environment/environment-builder.ts	93.54%	66.66%	2/6 branches
src/services/agent-volumes/etc-mounts.ts	82.45%	67.85%	9/28 branches — /etc file staging
src/logs/log-parser.ts	86.9%	68.57%	22/70 branches — IPv6/complex URL parsing
src/services/agent-volumes/docker-host-staging.ts	87.75%	72.41%	8/29 branches
src/logs/audit-enricher.ts	83.6%	74.13%	15/58 branches
src/commands/validators/log-and-limits.ts	90.32%	77.58%	13/58 branches

---

🔍 Notable Findings

1. etc-mounts.ts — partial branch coverage on security-sensitive path (67.85%)
This file controls which /etc files (passwd, group, nsswitch.conf, SSL certs) are bind-mounted into the agent container. Missing branches include the paths where stagedPasswdContent already has the UID entry, and the group file has the GID. Adding tests for "already-present" vs "needs-append" paths would improve both security confidence and branch coverage.

2. network-options.ts — 50% branch coverage on DinD validation logic
Three conditional checks for --docker-host / --docker-host-path-prefix conflict detection have uncovered branches. These guard against misconfigured DinD setups that could silently bypass isolation. Tests for the "valid DinD config" success paths are missing.

3. log-parser.ts — 22 uncovered branches in IPv6 and complex URL parsing (68.57%)
The Squid log parser handles IPv6 addresses ([::1]:port) with multiple nested branches. Malformed or edge-case log entries with unusual dest IP formats are largely untested. Since log parsing feeds the audit and stats commands, errors here could silently drop security events.

4. dind-bootstrap.ts — 11 uncovered branches in DinD setup (66.66%)
Branch gaps are concentrated in cleanup/rollback paths during DinD filesystem staging. If the bootstrap fails mid-way, cleanup paths are not exercised by tests, which could leave the DinD environment in a partial state.

---

📈 Recommendations

1. High — etc-mounts.ts branch gaps (src/services/agent-volumes/etc-mounts.ts): Add test cases covering "UID/GID already present in staged file" vs "needs appending" branches in addUidToPasswdFile / addGidToGroupFile. Security-relevant; currently at 67.85% branch.

2. High — network-options.ts DinD validation (src/commands/validators/network-options.ts): Add tests for the dockerHostCheck.valid = true path and the dindHint && dockerHostPathPrefix success scenario. Currently at 50% branch — only the error paths are covered.

3. Medium — log-parser.ts IPv6 edge cases (src/logs/log-parser.ts): Add fixture-based tests with IPv6 destination addresses, malformed lines, and the ts vs timestamp field disambiguation paths. 22 uncovered branches at 68.57%.

4. Low — dind-bootstrap.ts cleanup paths (src/dind-bootstrap.ts): Add tests that simulate mid-bootstrap failures to exercise the rollback/cleanup branches. Currently at 66.66% branch.

---

📋 Test Suite Statistics

• Test files: 108 (vs 141 source files)
• Test lines: ~29,558
• Recent changes (last 7 days): 1 commit — CI workflow update only (no new source files without tests)

---

Generated by test-coverage-reporter workflow. Trigger: push | Run: 27239490064

Generated by Test Coverage Reporter · 123.3 AIC · ⊞ 30.7K · ◷

• expires on Jun 16, 2026, 10:24 PM UTC