[Coverage Report] Test Coverage Report — 2026-06-22

[github-actions[bot]]

📊 Coverage Overview

Metric	Coverage	Covered / Total
Statements	97.83%	5,054 / 5,166
Branches	93.58%	2,831 / 3,025
Functions	99.50%	609 / 612
Lines	97.89%	4,885 / 4,990

Test suite: ~2,847 test cases across 147 test files

---

🔒 Security-Critical Path Coverage

File	Statements	Branches	Functions	Status
src/host-iptables.ts	100%	100%	100%	✅
src/squid-config.ts	100%	100%	100%	✅
src/docker-manager.ts	100%	100%	100%	✅
src/domain-patterns.ts	100%	89.47%	100%	⚠️
src/cli.ts	85.71%	50%1	100%	⚠️

1 The cli.ts 50% branch gap is a false positive — the sole uncovered branch is if (require.main === module), an intentional top-level execution guard.

---

⚠️ Coverage Gaps by Area

File	Statements	Branches	Notes
services/agent-volumes/etc-mounts.ts	82.45%	67.85%	Controls /etc bind-mounts into agent
src/domain-patterns.ts	100%	89.47%	Pattern validation for Squid ACL rules
src/config-writer.ts	85.71%	80.55%	Config file serialization
commands/network-setup.ts	86.95%	—	Network isolation setup
commands/preflight.ts	83.78%	—	Pre-run validation
logs/log-parser.ts	84.28%	—	Squid access log parsing

---

💡 Notable Findings

• Security-critical network isolation code is well-covered. host-iptables.ts, squid-config.ts, and docker-manager.ts all reach 100% across all metrics — the rules that enforce egress control have no untested paths.

• etc-mounts.ts has a meaningful security gap at 67.85% branch coverage. Three branches are untested: the else path of hasEntryWithName(), and the if (!passwdPath) / if (!groupPath) error branches. These govern how the agent container's /etc/passwd and /etc/group are constructed; unexpected inputs on a host could silently produce a malformed container environment.

• domain-patterns.ts has 2 untested branches (89.47%). This file generates the Squid ACL domain allowlist. A latent edge case here could permit an unexpected domain to pass the filter, making coverage improvement here a priority even though the file reads 100% on statements.

• Overall project health is strong. At 97.83% statement coverage across 5,166 statements, this codebase has a robust test foundation with only targeted gaps remaining.

---

✅ Recommendations

🔴 High — Add error-path tests for etc-mounts.ts
Cover the three missing branches in the /etc bind-mount logic:

• if (!passwdPath) / if (!groupPath) (missing host file paths)
• !hasEntryWithName() else branch (host entry not found in content)

These paths determine what the agent container sees as system identity files. Untested failure modes here could produce containers with missing or malformed /etc/passwd, silently bypassing UID/GID mapping.

🟡 Medium — Close branch gap in domain-patterns.ts
Raise branch coverage from 89.47% to 100% by adding tests for the 2 remaining edge cases in domain pattern validation. Since this module drives Squid's ACL allowlist, every uncovered branch is a potential domain-bypass vector that has never been exercised by the test suite.

🟢 Low — Suppress false-positive in cli.ts
Add /* istanbul ignore next */ before the if (require.main === module) guard. This removes the misleading 50% branch reading and keeps the coverage dashboard signal clean for real gaps.

Generated by Test Coverage Reporter · 70.5 AIC · ⊞ 4.6K · ◷

• expires on Jun 29, 2026, 3:16 PM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-06-29T15:16:18.812Z.

Closed by Workflow