[Coverage Report] Test Coverage Report — 2026-06-25

[github-actions[bot]]

Overall Coverage

Metric	Coverage	Covered / Total
Statements	🟢 98.21%	5,277 / 5,373
Branches	🟡 94.29%	2,924 / 3,101
Functions	🟢 99.53%	643 / 646
Lines	🟢 98.28%	5,107 / 5,196

Test suite: 156 test files · 183 source files instrumented

---

Security-Critical Files

File	Statements	Branches	Functions	Status
host-iptables-rules.ts	100%	100% (34/34)	100%	✅
host-iptables-chain.ts	97.61%	90% (9/10)	100%	⚠️
host-iptables-cleanup.ts	100%	100% (7/7)	100%	✅
host-iptables-network.ts	100%	100% (2/2)	100%	✅
squid/access-rules.ts	100%	100% (42/42)	100%	✅
squid/acl-generator.ts	100%	100% (20/20)	100%	✅
squid/config-sections.ts	100%	82.75% (24/29)	100%	⚠️
squid/domain-acl.ts	100%	100% (12/12)	100%	✅
squid/config-generator.ts	100%	100% (10/10)	100%	✅
domain-patterns.ts	100%	89.47% (17/19)	100%	⚠️
docker-manager.ts	100%	100%	100%	✅
cli.ts (entry point)	85.71%	50% (1/2)	100%	❌

---

Coverage Gaps by File

All files with branch coverage < 90%

File	Statements	Branches	Gap (branches)
cli.ts	85.71%	50.00%	1 uncovered
config-writer.ts	82.79%	78.94%	8 uncovered
squid/config-sections.ts	100%	82.75%	5 uncovered
ssl-bump.ts	93.26%	83.33%	4 uncovered
squid/ssl-bump.ts	93.75%	91.66%	1 uncovered
host-iptables-chain.ts	97.61%	90.00%	1 uncovered
domain-patterns.ts	100%	89.47%	2 uncovered
compose-generator.ts	98.66%	91.66%	4 uncovered
api-proxy-config-domains.ts	98.85%	93.10%	4 uncovered

---

Notable Findings

• Excellent overall coverage — at 98.21% statement coverage across 183 source files, the test suite is comprehensive and significantly exceeds the 80% threshold. Only 3 functions and 177 branches remain untested globally.
• squid/config-sections.ts has 5 uncovered branches (82.75%) — this file controls Squid proxy policy generation including SSL bump mode, API proxy port routing, and DLP sections. The uncovered branches correspond to partial-configuration paths (e.g., sslBump=true without CA files, or empty apiProxyPorts arrays) that could silently misconfigure network isolation.
• domain-patterns.ts has 2 uncovered branches (89.47%) — the wildcardToRegex function leaves some metacharacter escape cases untested. Since incorrect regex generation could allow unintended domain access, these edge cases are security-relevant.
• config-writer.ts is the lowest-covered substantial file — at 82.79% statements and 78.94% branches (8 uncovered), error-handling paths during config file writes are not exercised. This matters because a failed write could leave the firewall starting with a stale or incomplete configuration.

---

Recommendations

Priority	Recommendation
🔴 High	Cover the 5 uncovered branches in squid/config-sections.ts — add unit tests for: SSL bump enabled without CA files or DB path (partial SSL config), apiProxyPorts as an empty array vs undefined, and the regex-domain vs plain-domain ternary in port ACL generation. These paths control core proxy policy and a misconfiguration would silently weaken network isolation.
🟡 Medium	Improve config-writer.ts branch coverage from 78.94% — add tests for file write failures, directory creation errors, and cleanup on partial writes. If AWF can't write its config, it should fail loudly rather than proceed with stale settings; these error paths need to be verified.
🟢 Low	Close the remaining small gaps in domain-patterns.ts (2 branches), host-iptables-chain.ts (1 branch), and cli.ts (1 branch) — test all metacharacter escape cases in wildcardToRegex (e.g., ^, [, \), the iptables chain error path, and the CLI entry-point error branch. These are low-effort additions that complete coverage of security-adjacent code paths.

Generated by Test Coverage Reporter · 110.7 AIC · ⊞ 4.7K · ◷

• expires on Jul 3, 2026, 12:02 AM UTC

[github-actions[bot]]

🔮 The ancient spirits stir: the smoke test agent was here, and the omens point toward green skies.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex