[Coverage Report] Test Coverage Report — 2026-06-02

[github-actions[bot]]

Overall Coverage

Metric	Coverage
Statements	96.10%
Branches	90.34%
Functions	98.27%
Lines	96.24%

Overall coverage is strong. No files fall below 50% statement coverage.

---

🔴 Critical Gaps (< 50% statement coverage)

None — all files are above 50%.

---

🟡 Low Coverage (50–79% statement coverage)

File	Stmts	Branch	Funcs	Uncovered Lines
src/commands/validators/network-options.ts	66.66%	50%	100%	48-51, 60, 65-74

---

🛡️ Security-Critical Path Status

File	Stmts	Branch	Funcs	Lines
src/host-iptables.ts	100%	100%	100%	100% ✅
src/host-iptables-rules.ts	97.67%	96.82%	100%	97.63% ✅
src/host-iptables-shared.ts	100%	95%	100%	100% ✅
src/squid-config.ts	100%	100%	100%	100% ✅
src/docker-manager.ts	100%	100%	100%	100% ✅
src/domain-patterns.ts	97.67%	95.38%	100%	97.61% ✅
src/cli.ts	85.71%	50%	100%	85.71% ⚠️

---

📋 Notable Findings

1. src/cli.ts — branch coverage at 50% (line 12 uncovered). This is the main orchestration entry point. The uncovered branch likely guards an early-exit or import-time condition that is hard to exercise in unit tests. Worth reviewing whether the branch can be covered with an integration-style test or if it is dead code.

2. src/commands/validators/network-options.ts — lowest coverage in the codebase (66.7% stmts, 50% branch, lines 48–74). This validator is invoked at startup to check user-supplied network options. Uncovered branches here could allow malformed input to bypass validation silently.

3. src/logs/log-parser.ts — 86.9% stmts, 67.1% branch (lines 180–202 uncovered). Log parsing is used for the awf logs commands. Uncovered paths suggest certain malformed or edge-case log line formats are not tested, which could cause silent parse failures during audit/reporting.

4. src/logs/audit-enricher.ts — 83.6% stmts, 74.1% branch (lines 67, 103, 116, 144, 177 uncovered). Used by awf logs audit to enrich log entries. Multiple scattered uncovered lines suggest error-handling paths for unexpected log shapes are missing.

5. One failing test: src/services/agent-volumes-mounts.test.ts — test should pre-resolve allowed domains into chroot-hosts file fails because the DNS resolution in CI returns different IPs than the hardcoded expected values (140.82.121.4 for github.com, 104.16.22.35 for npmjs.org). This test is brittle against DNS changes and should mock DNS resolution instead of relying on live lookups.

---

📈 Recommendations

1. High — Fix brittle DNS test in agent-volumes-mounts.test.ts: The failing test hardcodes real IP addresses for github.com and npmjs.org. Mock the DNS resolver to return stable values. This is a CI reliability issue that will recur whenever IPs rotate.

2. High — Improve src/commands/validators/network-options.ts branch coverage (50%): Add tests for the validation paths on lines 48–74 covering invalid/edge-case network option values. A validator with 50% branch coverage in a security tool is a gap worth closing.

3. Medium — Cover uncovered log-parsing paths in src/logs/log-parser.ts (lines 180–202): Add unit tests for malformed or truncated Squid log lines. These paths are triggered by real-world log corruption and currently have no test coverage.

4. Low — Address src/cli.ts line 12: Investigate whether the uncovered line is reachable or dead code. If reachable, add a test; if dead, remove it to keep coverage metrics meaningful.

---

📋 Full Coverage Table

Click to expand per-file coverage

-------------------------------------------|---------|----------|---------|---------|
File                                       | % Stmts | % Branch | % Funcs | % Lines |
-------------------------------------------|---------|----------|---------|---------|
All files                                  |    96.1 |    90.34 |   98.27 |   96.24 |
 src                                       |   96.63 |    93.33 |    98.3 |   96.72 |
  api-proxy-config.ts                      |     100 |      100 |     100 |     100 |
  cli-options.ts                           |   93.02 |       60 |      25 |   93.02 |
  cli-workflow.ts                          |     100 |      100 |     100 |     100 |
  cli.ts                                   |   85.71 |       50 |     100 |   85.71 |
  compose-generator.ts                     |   98.43 |       90 |     100 |   98.43 |
  config-file.ts                           |   98.11 |    97.14 |    87.5 |     100 |
  config-writer.ts                         |   89.25 |    80.85 |     100 |   89.25 |
  constants.ts                             |     100 |      100 |     100 |     100 |
  container-cleanup.ts                     |   90.28 |    96.84 |     100 |   90.22 |
  container-lifecycle.ts                   |   94.15 |    84.21 |     100 |   93.86 |
  domain-patterns.ts                       |   97.67 |    95.38 |     100 |   97.61 |
  host-iptables-rules.ts                   |   97.67 |    96.82 |     100 |   97.63 |
  host-iptables-shared.ts                  |     100 |       95 |     100 |     100 |
  host-iptables.ts                         |     100 |      100 |     100 |     100 |
  squid-config.ts                          |     100 |      100 |     100 |     100 |
  docker-manager.ts                        |     100 |      100 |     100 |     100 |
  ssl-bump.ts                              |   93.96 |    84.61 |     100 |   94.69 |
  upstream-proxy.ts                        |   94.93 |    94.73 |     100 |   94.52 |
  pid-tracker.ts                           |   96.34 |    76.92 |     100 |    97.4 |
 src/commands                              |   98.13 |    90.83 |     100 |   98.08 |
  network-setup.ts                         |     100 |    78.26 |     100 |     100 |
  preflight.ts                             |     100 |    83.78 |     100 |     100 |
  logs-command-helpers.ts                  |   88.52 |    83.33 |     100 |   88.33 |
 src/commands/validators                   |   91.46 |    85.43 |     100 |   91.86 |
  network-options.ts                       |   66.66 |       50 |     100 |   66.66 |
  log-and-limits.ts                        |   91.48 |    78.37 |     100 |   91.48 |
 src/logs                                  |   94.04 |    81.48 |    98.3 |   94.89 |
  audit-enricher.ts                        |    83.6 |    74.13 |     100 |   89.36 |
  log-parser.ts                            |    86.9 |    67.14 |     100 |    87.8 |
  log-aggregator.ts                        |   94.73 |     87.5 |     100 |   94.66 |
  log-streamer.ts                          |   92.18 |    77.77 |   88.88 |   92.06 |
 src/services                              |   96.82 |    90.37 |     100 |   97.02 |
  host-path-prefix.ts                      |   90.32 |    81.57 |     100 |   88.88 |
  doh-proxy-service.ts                     |      90 |       75 |     100 |      90 |
-------------------------------------------|---------|----------|---------|---------|

---

Generated by test-coverage-reporter workflow. Trigger: push. Test suite: 2315 tests (2314 passed, 1 failed), 108 suites.

Generated by Test Coverage Reporter · sonnet46 711.5K · ◷

• expires on Jun 9, 2026, 12:57 AM UTC