[Coverage Report] Test Coverage Report — 2026-06-12 #4838
Closed
Replies: 2 comments
-
|
🔮 The ancient spirits stir, and the smoke test agent was here. May this discussion remember the brief passing of the oracle. Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
0 replies
-
|
This discussion was automatically closed because it expired on 2026-06-19T21:45:46.158Z.
|
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Overall Coverage
137 files measured.
🔴 Critical Gaps (< 50% statement coverage)
None — all files exceed 50% statement coverage.
🟡 Low Coverage (50–79% statement coverage)
src/commands/validators/network-options.tsOnly one file falls below 80%. It validates network-related CLI options (7 uncovered statements, 5 uncovered branches out of 21 statements / 10 branches).
🛡️ Security-Critical Path Status
All iptables rule generators, Squid config, and domain matching are fully covered.
cli.tshas one uncovered branch in the 7-statement entry-point shim.📋 Full Coverage Table
Files with < 100% coverage (47 of 137 files; remaining 90 files are at 100%):
src/commands/validators/network-options.tssrc/squid-log-reader.tssrc/services/agent-volumes/etc-mounts.tssrc/logs/audit-enricher.tssrc/artifact-preservation.tssrc/cli.tssrc/logs/log-parser.tssrc/squid/policy-manifest.tssrc/services/agent-volumes/docker-host-staging.tssrc/commands/logs-command-helpers.tssrc/services/doh-proxy-service.tssrc/commands/validators/log-and-limits.tssrc/services/host-path-prefix.tssrc/config-writer.tssrc/services/api-proxy-service.tssrc/services/agent-volumes/docker-socket.tssrc/logs/log-streamer.tssrc/services/agent-volumes/system-mounts.tssrc/diagnostic-collector.tssrc/commands/build-config.tssrc/commands/validators/agent-options.tssrc/services/agent-volumes/hosts-file.tssrc/services/agent-environment/environment-builder.tssrc/squid/ssl-bump.tssrc/ssl-bump.tssrc/host-env.tssrc/logs/log-aggregator.tssrc/services/cli-proxy-service.tssrc/commands/main-action.tssrc/upstream-proxy.tssrc/parsers/volume-parsers.tssrc/container-startup-diagnostics.tssrc/services/agent-volumes/workspace-mounts.tssrc/container-cleanup.tssrc/services/agent-environment/env-passthrough.tssrc/compose-sanitizer.tssrc/logs/log-formatter.tssrc/commands/validators/config-assembly.tssrc/domain-patterns.tssrc/services/agent-service.tssrc/config-file.tssrc/rules.tssrc/compose-generator.tssrc/pid-tracker.tssrc/option-parsers.tssrc/config-file.tssrc/domain-patterns.ts🔍 Notable Findings
1.
src/logs/log-parser.ts— 22 uncovered branches (68.57%)The log parser has 70 branches with 22 uncovered. This component parses Squid access logs for the audit/reporting pipeline. Uncovered branches likely include malformed-line handling, optional-field fallbacks, and edge-case timestamp formats. A handful of fixture-driven parse tests for invalid/truncated log lines would meaningfully close this gap.
2.
src/services/agent-volumes/etc-mounts.ts— 9 uncovered branches (67.85%)This file controls which
/etcfiles are bind-mounted into the agent container (SSL certs,passwd,group, etc.). With 28 branches and 9 uncovered, unexercised logic may hide paths where sensitive files could be inadvertently exposed. Missing: tests for DinD path-prefix translation, conditional logic when optional host paths are absent, and non-standard/etclayout scenarios.3.
src/commands/validators/network-options.ts— 7 uncovered statements, 5 uncovered branches (66.66%/50%)The only file below 80% statement coverage. This validator checks network-related CLI flags before the firewall starts. Uncovered paths likely include invalid-combination error branches and edge cases in
--dns-servers/--allow-domainsparsing. Small-scale unit tests for invalid inputs would bring this to 100%.4.
src/squid/policy-manifest.ts— 3 uncovered functions (70% fn coverage)Touched in the Jun 11 WIF/OIDC Anthropic auth regression fix (#4748). While statement and branch coverage are good (87.5%/88.23%), three functions remain untested. This file generates the Squid policy manifest used for domain ACL decisions — worth verifying the untested function paths post-refactor.
📈 Recommendations
High — Add tests for the uncovered input-validation paths in
src/commands/validators/network-options.ts: invalid--dns-serverscombinations, conflicting network flags, and malformed domain lists. Small surface, high confidence impact.Medium — Improve branch coverage in
src/logs/log-parser.tsfrom 68.57% → ≥80%: add fixture tests with malformed Squid access log lines (truncated entries, missing fields, non-standard timestamps). This is the audit trail for all firewall decisions.Medium — Cover the 9 uncovered branches in
src/services/agent-volumes/etc-mounts.ts: test DinD path-prefix scenarios and cases where optional host paths (/etc/alternatives,/etc/ld.so.cache) are absent.Low — Resolve the single uncovered branch in
src/cli.ts(the top-level entry-point shim) to reach full coverage on the main orchestration entry point.Generated by test-coverage-reporter workflow. Trigger:
pushBeta Was this translation helpful? Give feedback.
All reactions