[Coverage Report] Test Coverage Report — 2026-05-25

[github-actions[bot]]

Overall Coverage

Metric	Coverage
Statements	96.29%
Branches	90.74%
Functions	97.99%
Lines	96.44%

Test suite: 2183 tests across 98 suites (1 test failure — DNS pre-resolution IP address mismatch in environment, not a coverage gap)

---

🔴 Critical Gaps (< 50% statement coverage)

File	Statements	Branches	Functions	Lines
src/services/agent-environment.ts	0%	100%	0%	0%

Note: This file is a re-export barrel (export { buildAgentEnvironment } from './agent-environment/environment-builder'). Its 0% statement/function coverage is a Jest instrumentation artifact — the actual implementation in environment-builder.ts has 93.54% statement coverage. No action needed.

---

🟡 Low Coverage (50–79% statement coverage)

File	Statements	Branches	Functions	Lines
src/services/agent-volumes/hosts-file.ts	69.04%	61.90%	100%	66.66%

---

🛡️ Security-Critical Path Status

File	Statements	Branches	Functions	Status
src/host-iptables.ts	100%	100%	100%	✅ Full
src/squid-config.ts	100%	100%	100%	✅ Full
src/docker-manager.ts	100%	100%	100%	✅ Full
src/domain-patterns.ts	97.67%	95.38%	100%	✅ Excellent
src/cli.ts	85.71%	50.00%	100%	🟡 Branch gaps
src/host-iptables-rules.ts	97.05%	94.02%	100%	✅ Excellent
src/squid/domain-acl.ts	100%	100%	100%	✅ Full
src/squid/access-rules.ts	100%	100%	100%	✅ Full

---

📋 Coverage Summary by Category

🟢 100% coverage (fully tested): 47 files including all squid subsystem modules, all iptables modules, docker-manager, domain-utils, redact-secrets, schema-validator, all parsers, and all agent-environment sub-modules.

🟢 80–99% coverage (well tested): 20 files including cli.ts (85.7%), cli-workflow.ts (88.9%), config-writer.ts (89.3%), log-parser.ts (87.1%), and audit-enricher.ts (83.6%).

🟡 Low coverage (50–79%): 1 file — hosts-file.ts (69%)

🔴 0% coverage: 1 file — agent-environment.ts (barrel re-export, not a real gap)

---

🔍 Notable Findings

1. src/services/agent-volumes/hosts-file.ts — Branch coverage at 61.9%

The generateHostsFileMount() function has three main uncovered paths:

• The config.localhostDetected branch (inside the enableHostAccess block) that rewrites 127.0.0.1 localhost to the Docker bridge gateway IP — a security-relevant behavior.
• The execa.sync('docker', ...) failure path when Docker bridge inspection fails.
• The fallback when ipv4Regex.test(hostGatewayIp) returns false (malformed gateway IP).

These are error-handling and security branches — the localhost rewrite especially matters since it changes how the agent resolves localhost inside the chroot.

2. src/cli.ts — Branch coverage at 50%

The CLI entry point has only 50% branch coverage despite 85.7% statement coverage. Uncovered branches likely include error-path handling and conditional flag combinations not exercised in unit tests (integration paths).

3. src/commands/validators/network-options.ts — Branch coverage at 50%

Network option validators are security-relevant (they validate domain allowlists, DNS servers, and proxy settings). Half the decision branches lack test coverage.

4. No gaps in core security paths

All four highest-priority security modules (host-iptables.ts, squid-config.ts, docker-manager.ts, domain-patterns.ts) are at ≥97% coverage. This is the most important finding.

---

📈 Recommendations

1. High — Add tests for hosts-file.ts enableHostAccess + localhostDetected branch: This is a security-relevant path that rewrites how localhost resolves inside the sandbox. Mock execa.sync('docker', ...) to return a valid gateway IP, then assert the localhost rewrite behavior. Also cover the failure path (bad IP format, docker command throws).

2. Medium — Improve branch coverage in src/cli.ts: Add tests for the remaining 50% of branches. Focus on error-handling paths: what happens when container startup fails, when signal handlers fire during different phases, and when --keep-containers is combined with failure modes.

3. Medium — Cover src/commands/validators/network-options.ts branches: Network validation logic is security-sensitive. Add tests for edge cases: empty domain list, invalid DNS server IPs, conflicting proxy settings.

4. Low — Suppress or exclude agent-environment.ts barrel file from coverage: The 0% coverage on this barrel re-export creates noise. Add it to Jest's coveragePathIgnorePatterns or exclude pure re-export files to keep the report signal-to-noise ratio high.

---

Generated by test-coverage-reporter workflow · Trigger: push · Commit: a445bd9

Generated by Test Coverage Reporter · sonnet46 898.1K · ◷

• expires on Jun 1, 2026, 10:53 PM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-06-01T22:53:30.113Z.

Closed by Workflow