[Coverage Report] Test Coverage Report — 2026-06-09 #4645
Closed
Replies: 1 comment
-
|
This discussion was automatically closed because it expired on 2026-06-16T22:48:14.867Z.
|
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
📊 Test Coverage Report — 2026-06-09
Overall Coverage
🔴 Critical Gaps (< 50% statement coverage)
None. All files are above 50% statement coverage. ✅
🟡 Low Coverage (50–79% statement coverage)
src/commands/validators/network-options.ts🛡️ Security-Critical Path Status
src/host-iptables.tssrc/squid-config.tssrc/docker-manager.tssrc/domain-patterns.tssrc/cli.tsThe four core security modules (
host-iptables,squid-config,docker-manager,domain-patterns) are all at or near 100% coverage.src/cli.ts(the orchestration entry point) has notably low branch coverage (50.0%), meaning roughly half of its conditional logic paths are untested.📋 Files With Coverage Gaps
Files below 95% in any metric (test-utils excluded from recommendations):
src/commands/validators/network-options.tssrc/squid-log-reader.tssrc/services/agent-volumes/etc-mounts.tssrc/logs/audit-enricher.tssrc/artifact-preservation.tssrc/cli.tssrc/logs/log-parser.tssrc/squid/policy-manifest.tssrc/services/agent-volumes/docker-host-staging.tssrc/dind-bootstrap.tssrc/services/doh-proxy-service.tssrc/services/api-proxy-service.tssrc/services/agent-environment/environment-builder.ts🔍 Notable Findings
src/cli.ts— 50% branch coverage (entry point / orchestration). The CLI's main orchestration logic has half its branches untested. Missing coverage likely includes signal-interrupt edge cases (SIGINT/SIGTERM mid-startup), the--keep-containersflag path, and error-handling branches when container startup fails. Any regression here could silently bypass the security sandbox setup.src/commands/validators/network-options.ts— 66.7% statements, 50% branches. This validator enforces Docker-host checking, DinD path-prefix resolution, and upstream-proxy setup — all gating logic for whether network isolation is applied correctly. The threeifbranches on lines 47, 59, and 64 (external Docker host detection, missing path prefix, DinD hint without prefix) have no corresponding test cases.src/services/api-proxy-service.ts— 50% branch coverage. The API proxy service mediates all credential injection. The untested branches (50%) likely cover failure-mode paths in credential forwarding and sidecar health-check failure handling, leaving credential-leak edge cases unexplored.src/squid/policy-manifest.ts— 70% function coverage. Three of ten exported functions are not exercised by any test. This module manages the Squid policy manifest (domain ACL rules); uncovered functions may include error paths in manifest validation or serialization that could produce a silently-malformed policy.Recent churn (last 7 days): 30+ files touched. Significant changes landed in
src/commands/,src/squid/, andsrc/types/(new type modules). Many of these files are well-covered, but newly introduced files likesrc/squid/policy-manifest.tsandsrc/commands/validators/network-options.tshave below-average coverage, suggesting tests were not shipped alongside the new code.📈 Recommendations
High — Add branch tests for
src/cli.ts: Cover signal-interrupt paths (SIGINT/SIGTERMduring startup), the--keep-containerscleanup bypass, and the container-startup-failure error branch. Use the existingsrc/cli.test.tstest file (recently updated) as the base.High — Cover
src/commands/validators/network-options.ts: Write unit tests for the three conditional blocks: (a)!dockerHostCheck.validwarning path, (b) external Docker host without a path prefix, and (c) DinD hint withoutdockerHostPathPrefix. These guard whether network isolation is applied correctly.Medium — Cover
src/services/api-proxy-service.tsfailure branches: The credential-injection sidecar must handle failures gracefully. Test the unhappy-path branches in sidecar startup/healthcheck failure to prevent credential leaks going undetected.Medium — Cover missing functions in
src/squid/policy-manifest.ts: Identify and exercise the 3 uncovered functions (out of 10). Given this module affects domain ACL policy generation, untested functions are a security-relevant coverage gap.Low — Improve
src/services/agent-volumes/etc-mounts.tsbranches (67.8%): This module controls which/etcfiles are bind-mounted into the agent (excluding/etc/shadow). The uncovered branches may include edge cases around file availability and platform detection.Generated by test-coverage-reporter workflow. Trigger:
push· Run ID: 27240486200Beta Was this translation helpful? Give feedback.
All reactions