[Coverage Report] Test Coverage Report — 2026-06-09

[github-actions[bot]]

📊 Overall Coverage

Metric	Coverage	Covered / Total
Statements	96.39%	4,758 / 4,936
Branches	90.75%	2,621 / 2,888
Functions	98.76%	562 / 569
Lines	96.47%	4,604 / 4,772

108 test files · 155 source files · ~29,558 test lines

---

🔴 Critical Gaps (< 50% statement coverage)

None. All 155 source files are above 50% statement coverage.

---

🟡 Low Coverage (50–79% statement coverage)

File	Stmt%	Branch%	Fn%
src/commands/validators/network-options.ts	66.7%	50.0%	100%

Only 1 file falls in this range. It covers Docker host detection and domain resolution validation — worth improving.

---

🛡️ Security-Critical Path Status

File	Stmt%	Branch%	Fn%	Status
src/host-iptables.ts	100%	100%	100%	✅ Perfect
src/squid-config.ts	100%	100%	100%	✅ Perfect
src/docker-manager.ts	100%	100%	100%	✅ Perfect
src/domain-patterns.ts	97.7%	95.4%	100%	✅ Excellent
src/cli.ts	85.7%	50.0%	100%	⚠️ Branch gap

src/cli.ts's 50% branch coverage (1/2 branches) is the require.main === module guard — a module-boundary check that unit tests inherently skip. Acceptable.

---

📋 Files with Branch Coverage < 70%

File	Branch%	Stmt%	Uncovered Branches
src/cli.ts	50.0%	85.7%	1/2 (entry-point guard)
src/commands/validators/network-options.ts	50.0%	66.7%	5/10
src/services/api-proxy-service.ts	50.0%	91.7%	1/2
src/dind-bootstrap.ts	66.7%	88.9%	11/33
src/services/agent-environment/environment-builder.ts	66.7%	93.5%	—
src/services/agent-volumes/etc-mounts.ts	67.8%	82.5%	9/28
src/logs/log-parser.ts	68.6%	86.9%	22/70

---

🔍 Notable Findings

1. src/commands/validators/network-options.ts — 50% branch, 66.7% stmt

The validator for Docker host resolution has 3 conditional warning paths (lines 47, 59, 64) around dockerHostCheck.valid and DinD hint detection. The warning branches for "external Docker host detected" and "DinD hint without path prefix" are not covered. These code paths are part of the DinD support feature added in recent commits.

2. src/logs/log-parser.ts — 68.6% branch (22 uncovered out of 70)

The log parser has extensive branching for Squid access log format variations, null-field handling, and partial-line edge cases. With 22 uncovered branches, there are likely edge cases in malformed-log recovery and timestamp parsing that lack test coverage. This is medium-risk since it affects audit integrity.

3. src/services/agent-volumes/etc-mounts.ts — 67.8% branch (9 uncovered out of 28)

The /etc file mounting logic determines which host files are selectively exposed to the agent container. Uncovered branches likely include conditional paths for files that may or may not exist on the host (e.g., /etc/alternatives, /etc/ld.so.cache). These missing-file fallback paths are security-sensitive.

4. src/dind-bootstrap.ts — 66.7% branch (11 uncovered out of 33)

The Docker-in-Docker bootstrap has 11 uncovered branches. Given that DinD support is an advanced configuration path, error handling and early-exit branches may lack test scenarios.

---

📈 Recommendations

1. High — src/commands/validators/network-options.ts: Add tests for the 3 warning branches triggered by external Docker host (dockerHostCheck.valid === false) and DinD hint with missing --docker-host-path-prefix. These are validation paths users hit when misconfiguring DinD.

2. Medium — src/logs/log-parser.ts: Add tests for malformed Squid log lines (missing fields, truncated entries, non-standard timestamps). The 22 uncovered branches suggest the "happy path" is well-tested but edge cases in the audit log pipeline are not.

3. Medium — src/services/agent-volumes/etc-mounts.ts: Add tests simulating missing host /etc files (e.g., when /etc/ld.so.cache does not exist). These code paths determine which files are mounted into the agent sandbox — missed branches risk incorrect security posture.

4. Low — src/dind-bootstrap.ts: Cover error handling branches for failed Docker socket detection and probe timeouts. Lower priority since DinD is an optional advanced feature.

---

Generated by test-coverage-reporter workflow. Trigger: push · Run: 27241154861

Generated by Test Coverage Reporter · 120.5 AIC · ⊞ 32.2K · ◷

• expires on Jun 16, 2026, 11:02 PM UTC

[github-actions[bot]]

🔮 The ancient spirits stir above the coverage veil.
The smoke test agent was here, and the run remained in harmony.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex