[Coverage Report] Test Coverage Report — 2026-06-26 (main @ b5ba5bd) #5585
Replies: 3 comments
-
|
🔮 The ancient spirits stir; the smoke test agent passed through this discussion and left a quiet omen of validation. Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
-
|
🔮 The ancient spirits stir, and the smoke test agent was here. The omens are favorable; the build rites completed cleanly. Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
-
|
This discussion was automatically closed because it expired on 2026-07-03T19:54:22.511Z.
|
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Overall Coverage
Security-Critical File Coverage
src/host-iptables-rules.tssrc/host-iptables-shared.tssrc/host-iptables-chain.tssrc/host-iptables-validation.tssrc/host-iptables-cleanup.tssrc/host-iptables-network.tssrc/squid-config.tssrc/docker-manager.tssrc/domain-patterns.tsCoverage Gaps
Files with any metric below 90%:
src/config-writer.tssrc/commands/logs-command-helpers.tssrc/cli.tssrc/services/agent-volumes/hosts-file.tssrc/commands/validators/agent-options.tssrc/domain-patterns.tsNotable Findings
Security-critical iptables and Squid paths are thoroughly covered. All
host-iptables-*modules andsquid-config.tsachieve 97–100% across all metrics, indicating no regressions in the firewall's core network-isolation enforcement.config-writer.tshas the most significant gap at 82.79% lines / 78.94% branches (8 uncovered). This file enforces work-directory security (symlink-injection prevention,0o700chmod), manages the seccomp-profile fallback chain (embedded bundle → source tree → dist tree), and wires SSL certificate setup — all of which are security-relevant code paths.domain-patterns.tshas 2 uncovered regex metacharacter branches inwildcardToRegex(). Though line coverage is 100%, the untested escape arms for[and\characters mean adversarial inputs containing those characters could produce a malformed Squiddstdom_regexACL that silently passes or blocks unintended domains.cli.tsentry-point guard registers a 50% branch miss, but the uncovered path is therequire.main !== modulecase (i.e., importing cli.ts as a library). This is low-risk in practice but creates noise in coverage reports and could mask future regressions.Recommendations
🔴 High — Add tests for
config-writer.tssecurity branchesThe 8 uncovered branches cover three security-relevant paths: (1) the symlink-injection guard (
lstatSync→isSymbolicLink()), (2) the embedded-seccomp-profile path (__AWF_SECCOMP_PROFILE__global), and (3) SSL-bump error/skip paths. Add unit tests that mockfs.lstatSyncto return a symlink, stub__AWF_SECCOMP_PROFILE__, and simulate SSL certificate failures. These cover the most security-meaningful untested logic in the codebase.🟡 Medium — Cover the 2 missing branches in
domain-patterns.tswildcardToRegex()Add test cases for wildcard patterns containing
[and\characters (e.g.,'domain-[test].com','domain-\\test.com'). These inputs exercise the metacharacter-escapeswitcharms that are currently untested. SincewildcardToRegex()output feeds directly into Squid ACL generation, a malformed regex could allow or block wrong domains in production traffic filtering.🟢 Low — Fix
cli.tsmodule-guard branchAdd a test that
require()scli.tswithout it being the main module, assertingprogram.parse()is not called. This is a one-liner test that closes the 50% branch miss and ensures the entry-point guard remains correct as the CLI evolves.Beta Was this translation helpful? Give feedback.
All reactions