[Coverage Report] Test Coverage Report — 2026-05-29

[github-actions[bot]]

Overall Coverage

Metric	Coverage	Covered / Total
Statements	96.49%	4,404 / 4,564
Branches	90.81%	2,352 / 2,590
Functions	98.24%	505 / 514
Lines	96.62%	4,264 / 4,413

Overall coverage is excellent. 92 test files cover 138 source files.

---

🔴 Critical Gaps (< 50% statement coverage)

None. All files are above 50% statement coverage.

---

🟡 Low Coverage (50–79% statement coverage)

File	Stmts	Branch	Funcs
src/commands/validators/network-options.ts	66.66%	50%	100%

This is the only file below 80%. It validates network-related CLI options and has uncovered error-handling branches.

---

🛡️ Security-Critical Path Status

File	Stmts	Branch	Funcs	Status
src/host-iptables.ts	100%	100%	100%	✅
src/host-iptables-rules.ts	97.67%	96.82%	100%	✅
src/host-iptables-shared.ts	100%	95%	100%	✅
src/host-iptables-cleanup.ts	100%	100%	100%	✅
src/host-iptables-network.ts	100%	100%	100%	✅
src/squid-config.ts	100%	100%	100%	✅
src/squid/config-generator.ts	100%	100%	100%	✅
src/squid/domain-acl.ts	100%	100%	100%	✅
src/squid/acl-generator.ts	100%	100%	100%	✅
src/squid/access-rules.ts	100%	100%	100%	✅
src/docker-manager.ts	100%	100%	100%	✅
src/domain-patterns.ts	97.67%	95.38%	100%	✅
src/cli.ts	85.71%	50%	100%	⚠️

All security-critical network isolation and domain filtering paths are extremely well tested. src/cli.ts has a branch coverage gap (50%), but this file is a thin entry point (7 lines total).

---

📋 Full Coverage Table

Click to expand — all 113 files sorted by statement coverage

File	Stmts	Branch	Funcs
🟡 src/commands/validators/network-options.ts	66.66%	50%	100%
🟢 src/logs/audit-enricher.ts	83.6%	74.13%	100%
🟢 src/cli.ts	85.71%	50%	100%
🟢 src/logs/log-parser.ts	86.9%	67.14%	100%
🟢 src/squid/policy-manifest.ts	87.23%	88.23%	70%
🟢 src/services/agent-volumes/docker-host-staging.ts	87.75%	72.41%	100%
🟢 src/commands/logs-command-helpers.ts	88.52%	83.33%	100%
🟢 src/services/doh-proxy-service.ts	90%	75%	100%
🟢 src/container-cleanup.ts	90.28%	96.84%	100%
🟢 src/services/host-path-prefix.ts	90.62%	81.57%	100%
🟢 src/config-writer.ts	90.9%	82.97%	100%
🟢 src/services/agent-volumes/docker-socket.ts	91.66%	93.33%	100%
🟢 src/logs/log-streamer.ts	92.18%	77.77%	88.88%
🟢 src/commands/validators/agent-options.ts	92.98%	88.57%	100%
🟢 src/cli-options.ts	93.02%	60%	25%
🟢 src/services/agent-volumes/hosts-file.ts	93.22%	90.32%	100%
🟢 src/services/agent-environment/environment-builder.ts	93.54%	66.66%	100%
🟢 src/squid/ssl-bump.ts	93.75%	91.66%	100%
🟢 src/ssl-bump.ts	93.96%	84.61%	100%
🟢 src/host-env.ts	94.11%	80%	100%
🟢 src/container-lifecycle.ts	94.25%	84.21%	100%
🟢 src/logs/log-aggregator.ts	94.73%	87.5%	100%
🟢 src/upstream-proxy.ts	94.93%	94.73%	100%
🟢 src/commands/validators/log-and-limits.ts	95.23%	86.66%	100%
🟢 src/commands/main-action.ts	95.45%	88.57%	100%
🟢 src/services/cli-proxy-service.ts	95.45%	93.33%	100%
🟢 src/parsers/volume-parsers.ts	95.83%	100%	100%
🟢 src/services/agent-volumes/workspace-mounts.ts	96.29%	75%	100%
🟢 src/pid-tracker.ts	96.34%	76.92%	100%
🟢 src/commands/validators/config-assembly.ts	96.51%	92.75%	100%
🟢 src/services/agent-environment/env-passthrough.ts	96.77%	92%	100%
🟢 src/services/agent-volumes/home-strategy.ts	97.36%	75%	100%
🟢 src/logs/log-formatter.ts	97.43%	92.85%	100%
🟢 src/domain-patterns.ts	97.67%	95.38%	100%
🟢 src/host-iptables-rules.ts	97.67%	96.82%	100%
🟢 src/services/agent-service.ts	97.77%	94.64%	100%
🟢 src/config-file.ts	98.11%	97.14%	87.5%
🟢 src/rules.ts	98.18%	91.89%	100%
🟢 src/compose-generator.ts	98.43%	90%	100%
🟢 src/option-parsers.ts	98.9%	95.55%	100%
🟢 src/services/api-proxy-service.ts	98.96%	91.26%	100%
🟢 (70+ files at 100%)	100%	≥80%	100%

---

🔍 Notable Findings

1. src/commands/validators/network-options.ts (66.7% stmts, 50% branch) — The only file below 80%. As a validator for network CLI options (e.g., --allow-domains, --dns-servers), uncovered branches here could silently accept invalid input. Worth prioritizing.

2. src/logs/log-parser.ts (86.9% stmts, 67.1% branch) — Log parsing has several uncovered branches. Malformed log lines could cause silent failures in awf logs stats/summary output.

3. src/cli-options.ts (93%, 60% branch, 25% functions) — Only 1 of 4 functions is covered. This file parses CLI option defaults; uncovered functions likely represent edge-case option combinations that could bypass validation.

4. src/services/agent-environment/environment-builder.ts (93.5% stmts, 66.7% branch) — The environment builder assembles the agent container's env vars. Uncovered branches could result in missing proxy settings or unexpected credential exposure.

---

📈 Recommendations

1. High — network-options.ts validator branches: Add tests for invalid --allow-domains input (empty string, malformed entries, IPv6 addresses) and invalid --dns-servers combinations. This is a security input-validation path.

2. Medium — log-parser.ts branch coverage (67%): Add tests for malformed Squid log lines, truncated entries, and non-standard timestamp formats. Robust parsing matters for audit-trail reliability.

3. Medium — cli-options.ts uncovered functions: The 3 untested functions likely handle edge cases in option defaulting. Add tests for --enable-api-proxy combined with other flags, and for config-file-vs-flag precedence scenarios.

4. Low — environment-builder.ts branch gaps (67%): Add tests for the DinD code path and for cases where GITHUB_ACTIONS env is set vs. unset to ensure proxy vars are always correctly propagated.

---

Generated by test-coverage-reporter workflow. Trigger: push

Generated by Test Coverage Reporter · sonnet46 991K · ◷

• expires on Jun 5, 2026, 2:51 PM UTC

[github-actions[bot]]

🔮 The ancient spirits stir; the smoke test agent passed through this discussion and left its omen.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir, and the smoke test agent has passed through this discussion. The omens are logged, the path is verified, and the watch continues.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-06-05T14:51:25.216Z.

Closed by Workflow