[Coverage Report] Test Coverage Report — 2026-06-27

[github-actions[bot]]

📊 Test Coverage Report — 2026-06-27

Overall Coverage

Metric	Coverage
Statements	98.21%
Branches	94%
Functions	99.53%
Lines	98.28%

---

🛡️ Security-Critical Path Status

🟢 OK src/docker-manager.ts: stmts=100% branch=100% funcs=100%
🟢 OK src/host-iptables.ts:  stmts=100% branch=100% funcs=100%
🟢 OK src/squid-config.ts:   stmts=100% branch=100% funcs=100%
🟢 OK src/cli.ts:            stmts=85.71% branch=50%  funcs=100%
🟢 OK src/domain-patterns.ts: stmts=100% branch=89.47% funcs=100%

---

📋 Coverage Table (Security-Critical Files + Files < 80% Statements)

File	Stmts	Branch	Funcs	Lines	Status
src/cli.ts	85.71%	50%	100%	85.71%	✅
src/cli-options.ts	100%	93.33%	100%	100%	✅
src/cli-workflow.ts	100%	100%	100%	100%	✅
src/docker-manager.ts	100%	100%	100%	100%	✅
src/domain-patterns.ts	100%	89.47%	100%	100%	✅
src/host-iptables.ts	100%	100%	100%	100%	✅
src/host-iptables-chain.ts	97.61%	90%	100%	97.61%	✅
src/host-iptables-cleanup.ts	100%	100%	100%	100%	✅
src/host-iptables-network.ts	100%	100%	100%	100%	✅
src/host-iptables-rules.ts	100%	100%	100%	100%	✅
src/host-iptables-shared.ts	100%	100%	100%	100%	✅
src/host-iptables-validation.ts	100%	96.87%	100%	100%	✅
src/squid-config.ts	100%	100%	100%	100%	✅
TOTAL	98.21%	94%	99.53%	98.28%

---

🔧 Function Audit

=== host-iptables.ts ===
Barrel file — re-exports: setupHostIptables, ensureFirewallNetwork, cleanupHostIptables

=== squid-config.ts ===
Barrel file — re-exports: generateSquidConfig, generatePolicyManifest

=== domain-patterns.ts branch count ===
if-branches: 2
switch-branches: 0

Test files: 171 / Source files: 186

---

📅 Recent Source Changes

Recently modified files include:

src/config-precedence.ts
src/compose-sanitizer.ts
src/constants/placeholders.ts
src/commands/preflight.ts
src/commands/logs.ts
src/commands/logs-command-helpers.ts
src/commands/logs-summary.ts
src/commands/logs-audit.ts
src/commands/network-setup.ts
src/commands/validators/agent-options.ts

---

🔍 Notable Findings

• src/cli.ts entry-point has only 50% branch coverage: the require.main === module guard that invokes program.parse() is never exercised by the test suite, meaning the real CLI bootstrap path is completely untested.
• Branches are the weakest metric overall (94% vs. 99.53% functions / 98.28% lines): the largest gaps are in src/config-writer.ts (branches 78.94%), src/workdir-setup.ts (79.62%), src/ssl-bump.ts (83.33%), and src/commands/logs-command-helpers.ts (83.33%) — all covering error and defensive-guard paths.
• Security-critical host-iptables-chain.ts has one uncovered error branch (90%): the isMissingIptablesError throw path is never tested, leaving the "fail-closed vs. fail-open" behavior of the firewall unverified in the error case.
• domain-patterns.ts has 2 uncovered branches (89.47%): these lie in the domain validation/matching logic that drives Squid ACL decisions; any regression here could silently allow unintended egress.

---

📌 Recommendations

[High] Cover the CLI bootstrap path in src/cli.ts
The require.main === module guard and the program.parse() call are never executed during tests (branch coverage 50%). Add a test that spawns the CLI as a child process (or mocks require.main) to exercise the real entry path. This is the first line of defense for argument handling and security flag wiring.

[High] Add defensive-branch tests for src/config-writer.ts and src/workdir-setup.ts
Both files guard against symlink attacks (isSymbolicLink() → throw) and non-directory paths (isDirectory() → throw), and config-writer.ts also has the seccomp-profile embedded-write path entirely untested. These guards protect against filesystem manipulation; bringing both files from ~79% to ≥90% branch coverage would close the largest remaining gaps.

[Medium] Test iptables error propagation in src/host-iptables-chain.ts
The isMissingIptablesError throw branch (the one that converts a low-level error into a user-friendly "iptables is required" message) is not covered. A single unit test that injects a mock iptables-missing error would cover this path and verify the firewall fails safely rather than silently.

---

Generated by test-coverage-reporter workflow. Trigger: schedule

Generated by Test Coverage Reporter · 161.6 AIC · ⊞ 4.7K · ◷

• expires on Jul 4, 2026, 4:46 PM UTC

[github-actions[bot]]

🔮 The ancient spirits stir: the smoke-test agent has passed through, leaving a brief omen of success in these halls.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir; the smoke-test agent has passed through this discussion and leaves a verified omen of success.

🔮 The oracle has spoken through Smoke Codex