[Coverage Report] Test Coverage Report — 2026-06-09 #4622
Closed
Replies: 1 comment
-
|
This discussion was automatically closed because it expired on 2026-06-16T19:58:17.153Z.
|
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
📊 Test Coverage Report — 2026-06-09
Overall Coverage
🔴 Critical Gaps (< 50% statement coverage)
None. All 136 files exceed 50% statement coverage. ✅
🟡 Low Coverage (50–79% statement coverage)
src/commands/validators/network-options.ts🛡️ Security-Critical Path Status
src/host-iptables.tssrc/squid-config.tssrc/docker-manager.tssrc/domain-patterns.tssrc/cli.tsAll five security-critical files meet or exceed the 80% statement threshold. The
host-iptables.*,squid-config.ts, anddocker-manager.tsmodules are at 100% across all metrics — a strong result for the firewall's core enforcement layer.📋 Files with Branch Coverage < 70%
These files have sufficient statement coverage but untested conditional logic:
src/cli.tssrc/commands/validators/network-options.tssrc/services/api-proxy-service.tssrc/dind-bootstrap.tssrc/services/agent-environment/environment-builder.tssrc/services/agent-volumes/etc-mounts.tssrc/logs/log-parser.ts📋 Full Coverage Table (136 files, sorted by statement coverage)
src/commands/validators/network-options.tssrc/squid-log-reader.tssrc/services/agent-volumes/etc-mounts.tssrc/logs/audit-enricher.tssrc/artifact-preservation.tssrc/cli.tssrc/logs/log-parser.tssrc/squid/policy-manifest.tssrc/services/agent-volumes/docker-host-staging.tssrc/commands/logs-command-helpers.tssrc/dind-bootstrap.tssrc/services/doh-proxy-service.tssrc/commands/validators/log-and-limits.tssrc/services/host-path-prefix.tssrc/config-writer.tssrc/services/api-proxy-service.tssrc/services/agent-volumes/docker-socket.tssrc/logs/log-streamer.tssrc/diagnostic-collector.tssrc/commands/build-config.tssrc/commands/validators/agent-options.tssrc/services/agent-volumes/hosts-file.tssrc/services/agent-environment/environment-builder.tssrc/squid/ssl-bump.tssrc/ssl-bump.tssrc/host-env.tssrc/logs/log-aggregator.tssrc/upstream-proxy.tssrc/services/cli-proxy-service.tssrc/commands/main-action.tssrc/parsers/volume-parsers.tssrc/container-startup-diagnostics.tssrc/services/agent-volumes/workspace-mounts.tssrc/container-cleanup.tssrc/container-lifecycle.tssrc/services/agent-environment/env-passthrough.tssrc/commands/validators/config-assembly.tssrc/compose-sanitizer.tssrc/logs/log-formatter.tssrc/domain-patterns.tssrc/services/agent-service.tssrc/services/agent-volumes/home-strategy.tssrc/config-file.tssrc/rules.tssrc/compose-generator.tssrc/pid-tracker.tssrc/option-parsers.tssrc/api-proxy-config.tssrc/cli-options.tssrc/cli-workflow.tssrc/host-iptables.tssrc/host-iptables-rules.tssrc/host-iptables-shared.tssrc/squid-config.tssrc/docker-manager.tssrc/domain-patterns.tssrc/redact-secrets.tssrc/dlp.tssrc/copilot-api-resolver.tssrc/services/agent-volumes/credential-hiding.tssrc/services/service-security.tssrc/squid/access-rules.tssrc/squid/domain-acl.tssrc/squid/validation.ts🔍 Notable Findings
src/cli.ts— 50% branch coverage (1/2branches).The entry-point module has its happy path covered, but the error/rejection branch in the top-level
main()call is untested. This is the orchestration entrypoint for the entire firewall — an unhandled-rejection scenario here could silently swallow startup errors.src/commands/validators/network-options.ts— 67% stmt / 50% branch (lowest in the codebase).Only 14 of 21 statements are covered. The
validateNetworkOptions()function handles Docker-host detection and DinD path-prefix warnings — specifically the threelogger.warn()paths triggered whenDOCKER_HOSTis external or whendindHintis set but no prefix is configured. These are real operational paths in ARC/DinD environments.src/services/api-proxy-service.ts— 50% branch coverage (91.7% stmt).The API proxy is the credential-injection layer — keys are never exposed to the agent. Half of its conditional logic is untested. The uncovered branches likely include credential-absent or BYOK fallback paths that are critical for the security model.
src/services/agent-volumes/etc-mounts.ts— 68% branch coverage.This file controls which
/etcfiles are bind-mounted into the agent container. Uncovered branches here could mean untested paths in credential-exclusion logic (e.g., ensuring/etc/shadowis never mounted even under edge-case inputs).📈 Recommendations
High —
src/commands/validators/network-options.ts: Add tests for the!dockerHostCheck.validwarning path and thedindHint && !dockerHostPathPrefixpath invalidateNetworkOptions(). These require mockingcheckDockerHost()to return{ valid: false }and settingAWF_DIND=1.High —
src/cli.ts: Cover the rejected-promise branch inmain(). A test that mocksrunMainWorkflow()to throw should verify the process exits with a non-zero code rather than silently continuing.Medium —
src/services/api-proxy-service.ts: Add tests for the uncovered 50% of branches. Focus on: cases where credentials are absent, BYOK fallback logic, and the split-proxy configuration paths — these are the branches most relevant to the credential-isolation security guarantee.Low —
src/services/agent-volumes/etc-mounts.ts: Add edge-case tests covering scenarios where the host/etcdirectory contains unexpected files, verifying that the allowlist logic correctly filters them out and never mounts sensitive files like/etc/shadow.Generated by test-coverage-reporter workflow. Trigger:
push· Run: 27231690555Beta Was this translation helpful? Give feedback.
All reactions