[Coverage Report] Test Coverage Report — 2026-06-22

[github-actions[bot]]

Overall Coverage

Metric	Coverage	Covered / Total
Statements	97.82% ✅	5,041 / 5,153
Lines	97.89% ✅	4,872 / 4,977
Functions	99.50% ✅	609 / 612
Branches	93.58% ⚠️	2,831 / 3,025

146 source files instrumented. Branches are the primary coverage gap.

---

Security-Critical File Coverage

File	Statements	Branches	Functions	Status
host-iptables.ts	100%	100%	100%	✅
host-iptables-rules.ts	98.66%	98.66%	100%	✅
host-iptables-shared.ts	100%	100%	100%	✅
host-iptables-cleanup.ts	100%	100%	100%	✅
squid-config.ts	100%	100%	100%	✅
squid/config-generator.ts	100%	100%	100%	✅
squid/config-sections.ts	100%	82.75% (24/29)	100%	⚠️
docker-manager.ts	100%	100%	100%	✅
domain-patterns.ts	100%	89.47% (17/19)	100%	⚠️
domain-matchers.ts	98.14%	95.00% (19/20)	100%	✅
domain-validation.ts	100%	100%	100%	✅
cli.ts	85.71%	50.00% (1/2)	100%	❌

---

Top Branch Coverage Gaps

File	Branch Coverage	Uncovered	Security Impact
cli.ts	50% (1/2)	1 branch	Entry-point error path
services/agent-volumes/etc-mounts.ts	67.85% (19/28)	9 branches	/etc isolation boundary
workdir-setup.ts	79.62% (43/54)	11 branches	—
squid-log-reader.ts	80.00% (20/25)	5 branches	—
config-writer.ts	80.55% (29/36)	7 branches	—
pid-tracker.ts	80.76% (21/26)	5 branches	—
squid/config-sections.ts	82.75% (24/29)	5 branches	Squid ACL generation
logs/log-parser.ts	84.28% (59/70)	11 branches	—
domain-patterns.ts	89.47% (17/19)	2 branches	Domain ACL matching

---

Notable Findings

• Overall health is strong: 97.82% statement coverage and 99.5% function coverage across 146 files indicates a mature, well-tested codebase. All high-level security-critical modules (host-iptables-*, docker-manager.ts, domain-validation.ts) are fully covered.
• Branch coverage is the system-wide gap: 194 branches remain uncovered globally (6.42%). These are concentrated in a handful of files, not spread across the codebase — making them tractable to fix.
• cli.ts entry-point has a 50% branch gap: Only 1 of 2 conditional branches in the main entry point is exercised. The uncovered branch most likely represents an unhandled startup error path — a risk if the firewall silently fails to initialize.
• etc-mounts.ts is the highest-risk gap: This file governs which /etc files are selectively bind-mounted into the agent container (the /etc isolation boundary). With 9/28 branches uncovered (67.85%), there are untested code paths in filesystem access control logic that could allow unintended file exposure.

---

Recommendations

🔴 High — cli.ts entry-point branch

The main entry point (src/cli.ts) covers only 1 of 2 branches (50%). Add a test that exercises the uncovered conditional — likely an error or early-exit path during CLI initialisation. This is the top orchestration layer; an untested failure path could cause the firewall to exit silently without blocking network traffic.

🔴 High — etc-mounts.ts /etc isolation coverage

src/services/agent-volumes/etc-mounts.ts has 67.85% branch coverage (9 uncovered branches). This file determines which host /etc files are exposed inside the agent container. Missing branch coverage here means untested conditions around file selection, which directly affects the confidentiality of host system files (e.g., /etc/shadow must never be mounted). Target ≥90% branch coverage.

🟡 Medium — squid/config-sections.ts ACL generation branches

src/squid/config-sections.ts has 82.75% branch coverage (5 uncovered branches) despite 100% line coverage. The uncovered branches in the Squid config generator could produce subtly malformed ACL rules under edge-case inputs (e.g., empty domain lists, unusual upstream-proxy combinations). Add parameterised tests for boundary conditions in config section assembly.

Generated by Test Coverage Reporter · 68.3 AIC · ⊞ 4.6K · ◷

• expires on Jun 29, 2026, 3:26 AM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-06-29T03:26:04.189Z.

Closed by Workflow