Security-critical statement coverage is excellent. All five key modules — host-iptables.ts, squid-config.ts, docker-manager.ts, domain-patterns.ts, and domain-validation.ts — are at 100% statement and function coverage. No regressions detected in the firewall core.
squid/config-sections.ts has 5 uncovered branches (82.75%). This file generates the domain ACL sections that drive Squid's allow/deny decisions. Untested branches here can silently mis-generate ACL rules, allowing or blocking traffic incorrectly.
config-writer.ts has 8 uncovered branches (78.94%). This module writes squid.conf and docker-compose.yml to disk. The uncovered branches likely include error-handling paths for permission failures and disk-full conditions — exactly the scenarios that matter in a sandboxed environment.
cli.ts has 50% branch coverage — one of its two branches is untested. The file is small (7 statements), but the entry point is where --enable-api-proxy and similar security flags are toggled; missed branches here can mask misconfiguration.
Recommendations
🔴 High Priority
Cover error paths in config-writer.ts (78.94% branches, 8 gaps).
Add tests that simulate EACCES/ENOSPC errors during squid.conf and docker-compose.yml writes. These are the last mile before containers start; silent failures here leave the agent unprotected.
Close branch gaps in squid/config-sections.ts (82.75%, 5 gaps).
The missing branches are in the domain-ACL generation logic — the exact code path that translates --allow-domains into Squid acl / http_access directives. Add tests for edge cases: empty domain list, wildcard-only list, and domains with/without leading dot.
🟡 Medium Priority
Improve workdir-setup.ts branch coverage (79.62%, 11 gaps).
This file manages the lifecycle of /tmp/awf-<ts>/ work directories. Untested branches likely cover cleanup-on-failure and concurrent-run scenarios. Add tests for pre-existing workdir, cleanup after signal interruption, and DinD path-prefix translation.
🟢 Low Priority
Close the 2-branch gap in domain-patterns.ts (89.47%).
Domain-pattern matching is security-critical, but statement and function coverage are already at 100%. Target the 2 uncovered branches (likely edge cases in subdomain vs. exact-match logic) to reach 100% branch coverage on this module.
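The edge cases named for the domain-ACL logic (empty list, wildcard-only list, leading dot or not) can be pinned down against a small generator. This is an added example, not the project's `squid/config-sections.ts`: `toDstdomain`, `isCovered`, `buildDomainAcl` and the ACL name `allowed_domains` are hypothetical, and it assumes a bare name is exact-match while `*.` or a leading dot covers the domain and its subdomains (Squid's `dstdomain` leading-dot form).

```typescript
// Added example: hypothetical generator, not the project's own code.
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;

// Normalise one --allow-domains entry to Squid dstdomain form.
// "*.example.com" and ".example.com" -> ".example.com"; "example.com" stays exact.
// Anything that is not a plain multi-label hostname is rejected, never passed through.
function toDstdomain(entry: string): string {
  let d = entry.trim().toLowerCase().replace(/\.$/, "");
  const sub = /^(\*\.|\.)/.test(d);
  d = d.replace(/^(\*\.|\.)/, "");
  const labels = d.split(".");
  if (labels.length < 2 || !labels.every((l) => LABEL.test(l))) {
    throw new Error(`invalid domain entry: ${JSON.stringify(entry)}`);
  }
  return (sub ? "." : "") + d;
}

// True when another dotted entry already covers d (same domain or a parent).
// The suffix check includes the dot, so "notexample.com" is not covered by ".example.com".
function isCovered(d: string, all: string[]): boolean {
  const bare = d.replace(/^\./, "");
  return all.some((p) => p !== d && p.charAt(0) === "." &&
    (bare === p.slice(1) || bare.slice(-p.length) === p));
}

// Build the ACL section. With nothing left to allow, emit deny-all only (fail closed).
function buildDomainAcl(entries: string[]): string[] {
  const norm = entries.filter((e) => e.trim() !== "").map(toDstdomain);
  const uniq = norm.filter((d, i) => norm.indexOf(d) === i);
  const kept = uniq.filter((d) => !isCovered(d, uniq)).sort();
  if (kept.length === 0) return ["http_access deny all"];
  return [
    `acl allowed_domains dstdomain ${kept.join(" ")}`,
    "http_access allow allowed_domains",
    "http_access deny all",
  ];
}
```

A bare `*` or a TLD-wide `*.com` throws instead of producing an allow-everything ACL, which is the branch most worth a dedicated test.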
Overall Coverage (2026-06-27)
171 test files — latest commit: 50a0d584 (refactor artifact cleanup, extract OIDC auth helpers)
Security-Critical File Coverage
host-iptables.ts, host-iptables-rules.ts, host-iptables-shared.ts, host-iptables-validation.ts, host-iptables-chain.ts, squid-config.ts, squid/config-sections.ts, docker-manager.ts, domain-patterns.ts, domain-validation.ts, domain-matchers.ts, cli.ts
Top Coverage Gaps (by uncovered branches)
config-writer.ts (squid.conf + docker-compose.yml), workdir-setup.ts, logs/log-parser.ts, squid/config-sections.ts, ssl-bump.ts, host-env.ts, pid-tracker.ts, domain-patterns.ts, host-iptables-chain.ts, cli.ts
All files with branch coverage < 95%
cli.ts, config-writer.ts, workdir-setup.ts, host-env.ts, pid-tracker.ts, squid/config-sections.ts, ssl-bump.ts, commands/logs-command-helpers.ts, commands/preflight.ts, logs/log-parser.ts, services/agent-volumes/workspace-mounts.ts, commands/network-setup.ts, domain-patterns.ts, commands/main-action.ts, host-iptables-chain.ts, logger.ts, compose-generator.ts, dns-resolver.ts, api-proxy-config-domains.ts, cli-options.ts, compose-sanitizer.ts, host-iptables-validation.ts