[Coverage Report] Test Coverage Report — 2026-06-01

[github-actions[bot]]

📊 Overall Coverage

Metric	Coverage	Covered / Total
Statements	96.25%	4452 / 4625
Branches	90.48%	2378 / 2628
Functions	98.27%	512 / 521
Lines	96.40%	4314 / 4475

95 test files · 142 source files

---

🔴 Critical Gaps (< 50% statement coverage)

File	Stmt%	Branch%	Fn%
🔴 src/commands/validators/network-options.ts	66.7%	50.0%	100.0%

---

🟡 Low Coverage (50–79% statement coverage)

No files in this range — network-options.ts at 66.7% is the only file below 80%.

---

🛡️ Security-Critical Path Status

File	Stmt%	Branch%	Fn%	Status
src/host-iptables.ts	100.0%	100.0%	100.0%	✅
src/host-iptables-rules.ts	97.7%	96.8%	100.0%	✅
src/host-iptables-shared.ts	100.0%	95.0%	100.0%	✅
src/host-iptables-cleanup.ts	100.0%	100.0%	100.0%	✅
src/host-iptables-network.ts	100.0%	100.0%	100.0%	✅
src/squid-config.ts	100.0%	100.0%	100.0%	✅
src/squid/acl-generator.ts	100.0%	100.0%	100.0%	✅
src/squid/domain-acl.ts	100.0%	100.0%	100.0%	✅
src/squid/access-rules.ts	100.0%	100.0%	100.0%	✅
src/domain-patterns.ts	97.7%	95.4%	100.0%	✅
src/docker-manager.ts	100.0%	100.0%	100.0%	✅
src/cli.ts	85.7%	50.0%	100.0%	⚠️

All primary security-critical files are well covered. src/cli.ts has a branch gap (50%) — the uncovered branch is the top-level entry guard (e.g., if (require.main === module)), which is not exercisable in unit tests.

---

📋 Full Coverage Table

All files sorted by statement coverage (ascending)

File	Stmt%	Branch%	Fn%
🔴 src/commands/validators/network-options.ts	66.7%	50.0%	100.0%
🟢 src/services/agent-volumes/etc-mounts.ts	82.5%	67.8%	100.0%
🟢 src/logs/audit-enricher.ts	83.6%	74.1%	100.0%
🟢 src/cli.ts	85.7%	50.0%	100.0%
🟢 src/logs/log-parser.ts	86.9%	67.1%	100.0%
🟢 src/squid/policy-manifest.ts	87.2%	88.2%	70.0%
🟢 src/services/agent-volumes/docker-host-staging.ts	87.8%	72.4%	100.0%
🟢 src/commands/logs-command-helpers.ts	88.5%	83.3%	100.0%
🟢 src/services/doh-proxy-service.ts	90.0%	75.0%	100.0%
🟢 src/container-cleanup.ts	90.3%	96.8%	100.0%
🟢 src/services/host-path-prefix.ts	90.3%	81.6%	100.0%
🟢 src/config-writer.ts	90.9%	83.0%	100.0%
🟢 src/commands/validators/log-and-limits.ts	91.5%	78.4%	100.0%
🟢 src/services/agent-volumes/docker-socket.ts	91.7%	93.3%	100.0%
🟢 src/logs/log-streamer.ts	92.2%	77.8%	88.9%
🟢 src/commands/validators/agent-options.ts	93.0%	88.6%	100.0%
🟢 src/cli-options.ts	93.0%	60.0%	25.0%
🟢 src/services/agent-volumes/hosts-file.ts	93.2%	90.3%	100.0%
🟢 src/services/agent-environment/environment-builder.ts	93.5%	66.7%	100.0%
🟢 src/squid/ssl-bump.ts	93.8%	91.7%	100.0%
🟢 src/ssl-bump.ts	94.0%	84.6%	100.0%
🟢 src/host-env.ts	94.1%	80.0%	100.0%
🟢 src/container-lifecycle.ts	94.2%	84.2%	100.0%
🟢 src/logs/log-aggregator.ts	94.7%	87.5%	100.0%
🟢 src/upstream-proxy.ts	94.9%	94.7%	100.0%
🟢 src/commands/main-action.ts	95.5%	88.6%	100.0%
🟢 src/services/cli-proxy-service.ts	95.5%	93.3%	100.0%
🟢 src/parsers/volume-parsers.ts	95.8%	100.0%	100.0%
🟢 src/services/agent-volumes/workspace-mounts.ts	96.3%	75.0%	100.0%
🟢 src/pid-tracker.ts	96.3%	76.9%	100.0%
🟢 src/commands/validators/config-assembly.ts	96.5%	92.8%	100.0%
🟢 src/services/agent-environment/env-passthrough.ts	96.8%	92.0%	100.0%
🟢 src/services/agent-volumes/home-strategy.ts	97.4%	75.0%	100.0%
🟢 src/logs/log-formatter.ts	97.4%	92.8%	100.0%
🟢 src/domain-patterns.ts	97.7%	95.4%	100.0%
🟢 src/host-iptables-rules.ts	97.7%	96.8%	100.0%
🟢 src/services/agent-service.ts	97.8%	94.6%	100.0%
🟢 src/services/api-proxy-service.ts	98.0%	91.1%	100.0%
🟢 src/config-file.ts	98.1%	97.1%	87.5%
🟢 src/rules.ts	98.2%	91.9%	100.0%
🟢 src/compose-generator.ts	98.4%	90.0%	100.0%
🟢 src/option-parsers.ts	98.9%	95.5%	100.0%
🟢 100%+ files (69 files)	100.0%	≥87%	100.0%

---

🔍 Notable Findings

1. src/commands/validators/network-options.ts — 66.7% stmt, 50.0% branch (🔴)

This validator handles network-related CLI options (DNS servers, domain allowlists, etc.). The uncovered branches likely include edge-case validation errors. Given its role in configuring the firewall's domain policy, these paths should be tested.

2. src/cli-options.ts — 93.0% stmt, 60.0% branch, 25.0% fn

Recently modified (last 7 days). Only 25% function coverage despite 93% statement coverage suggests some exported functions (program, option-accessor helpers) are defined but not directly exercised in tests — possibly because they are tested indirectly through cli-workflow.ts. However, the 60% branch coverage leaves gap in option-combination logic.

3. src/services/agent-volumes/etc-mounts.ts — 82.5% stmt, 67.8% branch

Handles selective /etc bind mounts — a security-sensitive path (determines which host files are exposed inside the sandbox). The 32% uncovered branches likely include conditional logic for different OS configurations or fallback paths.

4. src/logs/audit-enricher.ts & src/logs/log-parser.ts — ~84–87% stmt, ~67–74% branch

Recently active log subsystem files with moderate branch gaps. Uncovered branches likely include error-handling paths (malformed log lines, missing fields). Log parsing feeds the security audit trail — robust error handling matters.

---

📈 Recommendations

1. High — src/commands/validators/network-options.ts: Add tests for invalid DNS server formats, malformed domain patterns, and boundary conditions. This is the entry gate for firewall policy configuration.

2. Medium — src/services/agent-volumes/etc-mounts.ts: Cover the uncovered branch paths — likely the if (fs.existsSync(...)) guards and OS-variant conditionals that determine which /etc files get bind-mounted into the sandbox.

3. Medium — src/cli-options.ts: Export functions that are currently tested only through integration paths. Add direct unit tests for the uncovered option-accessor functions to bring function coverage from 25% to 100%.

4. Low — src/logs/log-parser.ts + src/logs/audit-enricher.ts: Add malformed-input tests (truncated lines, unexpected field counts, encoding edge cases) to cover the remaining ~13–16% of uncovered branches.

---

Generated by test-coverage-reporter workflow. Trigger: push · Run: 26774857851

Generated by Test Coverage Reporter · sonnet46 887.8K · ◷

• expires on Jun 8, 2026, 6:51 PM UTC

[github-actions[bot]]

🔮 The ancient spirits stir; the smoke test agent passed through the veil and left this omen in the latest discussion.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex