[Coverage Report] Test Coverage Report — 2026-06-09

[github-actions[bot]]

📊 Overall Coverage

Metric	Coverage	Covered / Total
Statements	96.39%	4,758 / 4,936
Branches	90.75%	2,621 / 2,888
Functions	98.76%	562 / 569
Lines	96.47%	4,604 / 4,772

Overall coverage is strong. The codebase has 108 test files covering 155 source files.

---

🔴 Critical Gaps (< 50% statement coverage)

None. All files are at or above 50% statement coverage.

---

🟡 Low Coverage (50–79% statement coverage)

File	Statements	Branches	Functions
src/commands/validators/network-options.ts	66.66%	50%	100%

This file validates Docker host options, domain resolution, and network configuration. The 3 uncovered warning branches correspond to ARC/DinD deployment paths (external DOCKER_HOST, missing path prefix with external host, DinD-hint detection). Tests in config-assembly.test.ts only exercise the valid: true / no-DinD path.

---

🛡️ Security-Critical Path Status

src/host-iptables.ts         stmt=100%  branch=100%  fn=100%  ✅
src/host-iptables-rules.ts   stmt=100%  branch=97%   fn=100%  ✅
src/squid-config.ts          stmt=100%  branch=100%  fn=100%  ✅
src/squid/config-generator.ts stmt=100% branch=100%  fn=100%  ✅
src/squid/domain-acl.ts      stmt=100%  branch=100%  fn=100%  ✅
src/squid/access-rules.ts    stmt=100%  branch=100%  fn=100%  ✅
src/domain-patterns.ts       stmt=97.7% branch=95.4% fn=100%  ✅
src/docker-manager.ts        stmt=100%  branch=100%  fn=100%  ✅
src/cli.ts                   stmt=85.7% branch=50%   fn=100%  🟡

src/cli.ts's 50% branch figure is the if (require.main === module) bootstrap guard — this branch is structurally untestable via import and is not a security gap.

---

📋 Full Coverage Table

All files (sorted by statement coverage)

File	Stmt%	Branch%	Fn%
src/commands/validators/network-options.ts	66.7%	50.0%	100%
src/squid-log-reader.ts	82.2%	80.0%	100%
src/services/agent-volumes/etc-mounts.ts	82.5%	67.9%	100%
src/logs/audit-enricher.ts	83.6%	74.1%	100%
src/artifact-preservation.ts	85.4%	95.3%	100%
src/cli.ts	85.7%	50.0%	100%
src/logs/log-parser.ts	86.9%	68.6%	100%
src/squid/policy-manifest.ts	87.2%	88.2%	70%
src/services/agent-volumes/docker-host-staging.ts	87.8%	72.4%	100%
src/commands/logs-command-helpers.ts	88.5%	83.3%	100%
src/dind-bootstrap.ts	88.9%	66.7%	100%
src/services/doh-proxy-service.ts	90.0%	75.0%	100%
src/commands/validators/log-and-limits.ts	90.3%	77.6%	100%
src/services/host-path-prefix.ts	90.3%	81.6%	100%
src/config-writer.ts	90.9%	83.0%	100%
src/services/agent-volumes/docker-socket.ts	91.7%	93.3%	100%
src/services/api-proxy-service.ts	91.7%	50.0%	100%
src/logs/log-streamer.ts	92.2%	77.8%	88.9%
src/services/agent-volumes/system-mounts.ts	92.3%	75.0%	100%
src/diagnostic-collector.ts	92.5%	100%	100%
src/commands/build-config.ts	92.9%	92.2%	100%
src/commands/validators/agent-options.ts	93.0%	88.6%	100%
src/services/agent-volumes/hosts-file.ts	93.2%	90.3%	100%
src/services/agent-environment/environment-builder.ts	93.5%	66.7%	100%
src/squid/ssl-bump.ts	93.8%	91.7%	100%
src/ssl-bump.ts	94.0%	84.6%	100%
src/host-env.ts	94.1%	80.0%	100%
src/logs/log-aggregator.ts	94.7%	87.5%	100%
src/upstream-proxy.ts	94.9%	94.7%	100%
src/services/cli-proxy-service.ts	95.5%	93.3%	100%
src/commands/main-action.ts	95.6%	88.6%	100%
src/container-startup-diagnostics.ts	96.2%	93.9%	100%
src/container-lifecycle.ts	96.8%	86.8%	100%
src/domain-patterns.ts	97.7%	95.4%	100%
src/squid-config.ts	100%	100%	100%
src/host-iptables.ts	100%	100%	100%
src/docker-manager.ts	100%	100%	100%

Files at 100% statement coverage omitted for brevity.

---

🔍 Notable Findings

1. network-options.ts — uncovered ARC/DinD warning branches (branch: 50%)
The file has 3 conditional logger.warn() blocks for DinD/external-Docker scenarios. The tests currently supply valid: true / dindHint: false only. Covering these paths would exercise the --docker-host-path-prefix advisory warnings that ARC runners depend on.

2. services/api-proxy-service.ts — unguarded error path (branch: 50%)
The if (!networkConfig.proxyIp) guard throws an error but is never tested. This is the entry point for the API credential-isolation sidecar. A test for the missing-IP error case would close this gap.

3. squid/config-sections.ts — 5 uncovered branches (branch: 82.75%)
All 45 statements are covered but 5 branches are not. These are likely optional-field conditionals in the Squid config-section generator (e.g., upstream proxy, SSL-bump, DoH). Worth auditing to confirm no security-relevant configuration path is skipped.

4. Recent active area — no regressions detected
The most recent commit (af24ecc) removed the dind-ubuntu image from the release workflow. All files changed in the past 7 days (cli.ts, api-proxy-config.ts, logs-*.ts, artifact-preservation.ts, upstream-proxy.ts, and the full src/types/ refactor) have corresponding test files and show no new gaps beyond the existing items above.

---

📈 Recommendations

1. High — Add tests to network-options.test.ts (doesn't exist yet) or config-assembly.test.ts for validateNetworkOptions() with checkDockerHost() returning valid: false and dindHint: true. These cover real ARC deployment paths and will bring network-options.ts branch coverage from 50% → ~100%.

2. Medium — Add a test for buildApiProxyService() called with networkConfig.proxyIp absent (i.e., undefined) to cover the error-guard branch in services/api-proxy-service.ts.

3. Low — Audit the 5 uncovered branches in squid/config-sections.ts to determine whether any map to security-relevant config combinations (e.g., upstream proxy + SSL-bump), and add targeted tests if so.

---

Generated by test-coverage-reporter workflow. Trigger: push · Run: 27242623399

Generated by Test Coverage Reporter · 179.5 AIC · ⊞ 30.7K · ◷

• expires on Jun 16, 2026, 11:39 PM UTC

[github-actions[bot]]

🔮 The ancient spirits stir; the smoke-test agent passed through and left this brief rune of verification.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir, and the smoke test agent has passed through this discussion. The omens are clear: build, browser, file, and GitHub queries all aligned.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir over this thread. The smoke test agent was here, the omens were read, and the build rites are underway.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex