[Coverage Report] Test Coverage Report — 2026-06-09

[github-actions[bot]]

📊 Test Coverage Report — 2026-06-09

Overall Coverage

Metric	Coverage	Covered / Total
Statements	96.39%	4758 / 4936
Branches	90.75%	2621 / 2888
Functions	98.76%	562 / 569
Lines	96.47%	4604 / 4772

135 of 136 measured files are at ≥80% statement coverage.

---

🔴 Critical Gaps (< 50% statement coverage)

None.

---

🟡 Low Coverage (50–79% statement coverage)

File	Stmts	Branches	Functions
src/commands/validators/network-options.ts	66.66%	50%	100%

---

🛡️ Security-Critical Path Status

File	Stmts	Branches	Functions	Status
src/host-iptables.ts	100%	100%	100%	✅ Full coverage
src/squid-config.ts	100%	100%	100%	✅ Full coverage
src/docker-manager.ts	100%	100%	100%	✅ Full coverage
src/domain-patterns.ts	97.67%	95.38%	100%	✅ Near-complete
src/cli.ts	85.71%	50%	100%	⚠️ Branch gaps

The four highest-risk security modules (host-iptables, squid-config, docker-manager, domain-patterns) are all at ≥95%. src/cli.ts is the only security-adjacent file with a notable gap — 50% branch coverage leaves several orchestration paths (signal handling, flag combinations, cleanup failures) untested.

---

📋 Files With Branch Coverage < 80%

File	Stmts	Branches
src/cli.ts	85.71%	50%
src/commands/validators/network-options.ts	66.66%	50%
src/services/api-proxy-service.ts	91.66%	50%
src/services/service-test-setup.test-utils.ts	93.33%	50%
src/services/agent-environment/environment-builder.ts	93.54%	66.66%
src/dind-bootstrap.ts	88.88%	66.66%
src/services/agent-volumes/etc-mounts.ts	82.45%	67.85%
src/logs/log-parser.ts	86.90%	68.57%
src/services/agent-volumes/docker-host-staging.ts	87.75%	72.41%
src/logs/audit-enricher.ts	83.60%	74.13%
src/services/agent-volumes/workspace-mounts.ts	96.29%	75%
src/services/doh-proxy-service.ts	90%	75%

---

🔍 Notable Findings

1. src/cli.ts — 50% branch coverage (main orchestrator). Likely uncovered: --enable-api-proxy + --enable-dind interaction paths, SIGTERM mid-startup handling, and --keep-containers cleanup fallback.

2. src/commands/validators/network-options.ts — 66.66% stmt / 50% branch. This validator guards security-critical CLI options (DNS servers, allowed-domain lists). The uncovered branches are likely invalid-input rejection paths that should be tested to confirm the firewall refuses malformed configurations.

3. src/services/api-proxy-service.ts — 50% branch coverage. The API proxy sidecar injects credentials; half its branches are untested. Likely missing: startup-failure and unhealthy-sidecar paths that are critical to credential-isolation guarantees.

4. 149 source files changed in the past 7 days — including a full logs command suite and new exports (runMainWorkflow, buildConfig, auditCommand, createMainAction). Overall coverage held steady, suggesting tests were added alongside new code.

---

📈 Recommendations

1. High — Branch-cover src/cli.ts error and flag-interaction paths (--enable-api-proxy+--enable-dind, SIGTERM mid-startup, cleanup-failure with --keep-containers).

2. High — Complete src/commands/validators/network-options.ts — add tests for malformed DNS IPs, invalid upstream proxy URLs, and domain list edge cases. Pure-function unit tests, trivial to add.

3. Medium — Cover src/services/api-proxy-service.ts failure paths (sidecar start failure, mid-run unhealthy) to validate credential isolation.

4. Low — Raise branch coverage in src/logs/log-parser.ts (68.57%) and src/logs/audit-enricher.ts (74.13%) with malformed-log-line fixture tests.

---

Generated by test-coverage-reporter · Trigger: push · 108 test files / 155 source files · Run: 27240750261

Generated by Test Coverage Reporter · 151.8 AIC · ⊞ 32.2K · ◷

• expires on Jun 16, 2026, 10:55 PM UTC

[github-actions[bot]]

🔮 The ancient spirits stir: the smoke test agent was here, and the omens are favorable.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex