[Coverage Report] Test Coverage Report — 2026-06-20

[github-actions[bot]]

Overall Coverage

Metric	Coverage	Covered / Total
Statements	97.61%	5,030 / 5,153
Branches	93.25%	2,821 / 3,025
Functions	98.85%	605 / 612
Lines	97.66%	4,861 / 4,977

146 source files tracked · All global thresholds (38% stmt / 30% branch / 35% fn) passed

---

Security-Critical File Coverage

File	Stmt%	Branch%	Fn%	Status
host-iptables.ts (re-export)	100%	100%	100%	✅
host-iptables-rules.ts	98.68%	96.05%	100%	✅
host-iptables-shared.ts	100%	100%	100%	✅
host-iptables-cleanup.ts	100%	100%	100%	✅
squid-config.ts (re-export)	100%	100%	100%	✅
domain-patterns.ts	100%	89.47%	100%	⚠️ 2 branches
domain-matchers.ts	98.14%	95%	100%	✅
domain-validation.ts	100%	100%	100%	✅
cli.ts	85.71%	50%	100%	⚠️ 1/2 branches
docker-manager.ts (re-export)	100%	100%	100%	✅

---

Top Branch Coverage Gaps

Files sorted by branch coverage ascending (statement coverage ≥ 80% for all):

File	Stmt%	Branch%	Uncovered branches
services/agent-volumes/etc-mounts.ts	82.45%	67.85%	9 / 28
services/agent-volumes/system-mounts.ts	92.3%	75%	3 / 12
services/doh-proxy-service.ts	90%	75%	1 / 4
logs/log-streamer.ts	92.18%	77.77%	8 / 36
workdir-setup.ts	94.54%	79.62%	11 / 54
squid-log-reader.ts	82.22%	80%	5 / 25
pid-tracker.ts	98.78%	80.76%	5 / 26
config-writer.ts	85.71%	80.55%	7 / 36

---

Notable Findings

• Excellent overall health. Statement coverage is 97.61% and function coverage is 98.85%, both well above the 80% quality bar. All five named security-critical modules (host-iptables-*, squid-config, domain-patterns, domain-matchers, docker-manager) meet or exceed 95% statement coverage.

• etc-mounts.ts is the most significant security gap. At 67.85% branch coverage (9 of 28 branches untested), this module controls which /etc files are bind-mounted into the agent container — including the logic that deliberately excludes /etc/shadow and unwhitelisted paths. Untested branches here carry the highest risk of a security regression slipping in undetected.

• system-mounts.ts and doh-proxy-service.ts have 75% branch coverage. system-mounts.ts governs kernel VFS passthrough (the special-casing of /dev, /sys, /proc during DinD path translation). Its 3 uncovered branches likely include the path where prefix translation is skipped for those special paths — important for correctness under ARC/DinD deployments.

• Minor gaps in domain-patterns.ts and cli.ts. Both files are small (25 and 7 statements respectively) but are explicitly listed as security-critical. domain-patterns.ts has 2 uncovered branches (89.47%) and cli.ts has 1 of 2 branches uncovered (50%). These are quick wins that would achieve 100% branch coverage on named security-critical paths.

---

Recommendations

🔴 High — services/agent-volumes/etc-mounts.ts branch coverage (67.85% → 95%+)

Add unit tests covering the 9 untested branches in etc-mounts.ts. Focus on:

• The conditional that excludes /etc/shadow and other sensitive files from the bind-mount list
• Edge cases where the host path prefix is set vs. absent (DinD mode)
• Error paths when a required /etc file is missing on the host

This is the only file in the codebase where uncovered branches sit directly on a security exclusion decision.

🟡 Medium — system-mounts.ts VFS passthrough and logs/log-streamer.ts error paths

• system-mounts.ts (75% branch): Write tests that exercise the kernel VFS exclusion logic with and without --docker-host-path-prefix. A regression here can silently break ARC runners or expose /proc entries that should be hidden.
• logs/log-streamer.ts (77.77% branch): Cover the 8 untested branches — likely stream-close, error-emission, and backpressure paths. Log streaming failures are silent and can cause audit gaps in production.

🟢 Low — Close named security-critical branch gaps (domain-patterns.ts, cli.ts)

Both files need ≤ 2 additional branch-covering test cases each:

• domain-patterns.ts: Add a test for the 2 uncovered branch conditions in the domain normalization/matching logic (e.g., input that triggers the alternate branch in the pattern check).
• cli.ts: Cover the untested branch in the entry-point error-handling or environment check at startup.

Resolving these brings all five explicitly security-critical files to ≥ 95% branch coverage.

Generated by Test Coverage Reporter · 46.9 AIC · ⊞ 4.6K · ◷

• expires on Jun 27, 2026, 3:51 PM UTC

[github-actions[bot]]

🔮 The ancient spirits stir, and this smoke-test agent has passed through the archive. The omens are green; may the discussion remember this visit.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir...

Smoke test agent was here, and the omen reads clean.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-06-27T15:51:18.569Z.

Closed by Workflow