[Coverage Report] Test Coverage Report — 2026-06-26

[github-actions[bot]]

📊 Coverage Overview

Metric	Coverage	Covered / Total	Status
Lines	98.28%	5,107 / 5,196	✅
Statements	98.21%	5,277 / 5,373	✅
Functions	99.53%	643 / 646	✅
Branches	94.00%	2,980 / 3,170	✅

---

🛡️ Security-Critical Files

File	Lines	Branches	Functions	Notes
host-iptables-rules.ts	100%	100%	100%	✅ Fully covered
host-iptables-shared.ts	100%	100%	100%	✅ Fully covered
host-iptables-chain.ts	97.6%	90.0%	100%	✅ 1 branch missed
host-iptables-validation.ts	100%	96.9%	100%	✅
squid/acl-generator.ts	100%	100%	100%	✅ Fully covered
squid/access-rules.ts	100%	100%	100%	✅ Fully covered
squid/config-generator.ts	100%	100%	100%	✅ Fully covered
squid/config-sections.ts	100%	82.8%	100%	⚠️ 5 branches uncovered
domain-patterns.ts	100%	89.5%	100%	⚠️ 2 branches uncovered
cli.ts	85.7%	50.0%	100%	❌ Entry point gap
config-writer.ts	82.8%	78.9%	100%	❌ Config write paths

---

🔍 Notable Findings

• cli.ts entry point has 50% branch coverage. Only 1 of 2 branches at the top-level entry point is exercised. The uncovered branch likely covers the error/signal path at startup, which is a security-relevant gap since mishandled startup errors could leave iptables rules or containers in a partial state.

• squid/config-sections.ts has 82.75% branch coverage despite 100% line coverage. Five decision branches in Squid config assembly are untested — these branches control how the proxy policy is rendered, and a missed case could generate a silently permissive squid.conf.

• domain-patterns.ts branch coverage is 89.5%. Two of 19 branches in domain pattern matching are uncovered. Since domain matching is the core ACL enforcement mechanism, edge cases (e.g., patterns with no subdomain component or empty input) should be tested explicitly.

• config-writer.ts has the largest absolute gap: 16 lines and 8 branches uncovered. This file writes security configurations to disk and its untested paths include error handling and conditional logic around file write failures.

---

✅ Recommendations

🔴 High — Cover cli.ts entry branch

The cli.ts entry point has only 50% branch coverage. Add a test (or integration test fixture) that exercises the else/error path at startup — e.g., what happens when the CLI is invoked with a missing required argument or when the process receives SIGINT before containers are running. This directly affects firewall teardown integrity.

🟡 Medium — Test uncovered branches in squid/config-sections.ts and domain-patterns.ts

Both files have 100% line coverage but meaningful branch gaps in security-enforcement code. Add unit tests for:

• squid/config-sections.ts: sections rendered when optional features (SSL bump, upstream proxy) are disabled/enabled in all combinations
• domain-patterns.ts: patterns with no TLD, wildcard-only inputs, and domains that are already subdomain-prefixed (.example.com vs example.com)

🟢 Low — Improve config-writer.ts branch coverage

Add tests for the error paths in config writing — disk full scenarios, permission errors, and partial-write conditions. These are lower priority than the above but important for correctness under adversarial or constrained environments.

---

📋 All files with branch coverage below 90%

File	Line %	Branch %	Gap
cli.ts	85.7%	50.0%	1/2 branches
config-writer.ts	82.8%	78.9%	8/38 branches
workdir-setup.ts	94.5%	79.6%	11/54 branches
host-env.ts	95.9%	80.0%	4/20 branches
pid-tracker.ts	98.7%	80.8%	5/26 branches
logs/log-parser.ts	100%	84.3%	11/70 branches
squid/config-sections.ts	100%	82.8%	5/29 branches
commands/logs-command-helpers.ts	88.3%	83.3%	5/30 branches
ssl-bump.ts	94.1%	83.3%	4/24 branches
logs/log-aggregator.ts	94.7%	87.5%	4/32 branches
services/agent-volumes/hosts-file.ts	92.9%	87.1%	4/31 branches
domain-patterns.ts	100%	89.5%	2/19 branches

---

Generated from coverage/coverage-summary.json — 160 source files measured across 5,196 lines.

Generated by Test Coverage Reporter · 63.7 AIC · ⊞ 4.7K · ◷

• expires on Jul 3, 2026, 7:44 PM UTC