[Coverage Report] Test Coverage Report — 2026-05-07

[github-actions[bot]]

Overall Coverage

Metric	Coverage	Covered / Total
Statements	87.51%	3,527 / 4,030
Branches	79.69%	1,841 / 2,310
Functions	82.66%	372 / 450
Lines	87.55%	3,420 / 3,906

49 test files covering 56 source files.

---

🔴 Critical Gaps (< 50% statement coverage)

File	Statements	Branches	Functions
src/cli.ts	28.6%	5.28%	11.59%

cli.ts is the main entry point and orchestration layer. Only ~2 of ~10 functions are exercised, and virtually none of the branch logic (argument parsing, signal handling, error propagation) is covered.

---

🟡 Low Coverage (50–79% statement coverage)

File	Statements	Branches	Functions
src/container-cleanup.ts	77.07%	79.24%	100%

---

🛡️ Security-Critical Path Status

File	Statements	Branches	Functions	Status
src/host-iptables.ts	88.46%	81%	100%	🟡 Branch gaps
src/squid-config.ts	96.98%	94.18%	88%	✅ Good
src/docker-manager.ts	100%	100%	96.55%	✅ Excellent
src/domain-patterns.ts	97.67%	95.38%	100%	✅ Excellent
src/cli.ts	28.6%	5.28%	11.59%	🔴 Critical

---

📋 Full Coverage Table

Click to expand all files

File	Statements	Branches	Functions	Lines
src/api-proxy-config.ts	100%	100%	100%	100%
src/cli-workflow.ts	88.88%	85.71%	100%	88.88%
src/cli.ts	28.6%	5.28%	11.59%	28.63%
src/commands/logs-audit.ts	100%	95.65%	100%	100%
src/commands/logs-command-helpers.ts	88.52%	83.33%	100%	88.33%
src/commands/logs-stats.ts	100%	100%	100%	100%
src/commands/logs-summary.ts	100%	100%	100%	100%
src/commands/logs.ts	100%	100%	100%	100%
src/commands/predownload.ts	100%	100%	100%	100%
src/compose-generator.ts	98.48%	91.66%	100%	98.48%
src/config-file.ts	98.03%	96.77%	87.5%	100%
src/container-cleanup.ts	77.07%	79.24%	100%	77.45%
src/container-lifecycle.ts	88.56%	77.19%	100%	88.21%
src/copilot-api-resolver.ts	100%	86.95%	100%	100%
src/dlp.ts	100%	100%	100%	100%
src/dns-resolver.ts	100%	93.75%	100%	100%
src/docker-manager.ts	100%	100%	96.55%	100%
src/domain-patterns.ts	97.67%	95.38%	100%	97.61%
src/domain-utils.ts	100%	100%	100%	100%
src/env-utils.ts	100%	100%	100%	100%
src/host-env.ts	98.38%	93.18%	100%	98.88%
src/host-iptables.ts	88.46%	81%	100%	88.71%
src/image-tag.ts	100%	100%	100%	100%
src/logger.ts	100%	90.9%	100%	100%
src/logs/audit-enricher.ts	83.6%	74.13%	100%	89.36%
src/logs/index.ts	100%	100%	21.42%	100%
src/logs/log-aggregator.ts	94.73%	87.5%	100%	94.66%
src/logs/log-discovery.ts	100%	90%	100%	100%
src/logs/log-formatter.ts	97.43%	92.85%	100%	97.29%
src/logs/log-parser.ts	86.9%	68.57%	100%	87.8%
src/logs/log-streamer.ts	92.18%	77.77%	88.88%	92.06%
src/logs/stats-formatter.ts	100%	93.47%	100%	100%
src/option-parsers.ts	99.44%	99.24%	100%	99.42%
src/pid-tracker.ts	97.27%	66.66%	100%	99.03%
src/redact-secrets.ts	100%	100%	100%	100%
src/rules.ts	98.27%	91.89%	100%	98.21%
src/schema-validator.ts	100%	100%	100%	100%
src/services/agent-environment.ts	97.85%	92.24%	100%	98.54%
src/services/agent-service.ts	97.61%	94.64%	100%	97.5%
src/services/agent-volumes.ts	91.81%	73.17%	100%	91.58%
src/services/api-proxy-service.ts	98.46%	93.58%	100%	98.46%
src/services/cli-proxy-service.ts	94.73%	93.33%	100%	94.73%
src/services/doh-proxy-service.ts	88.88%	75%	100%	88.88%
src/services/squid-service.ts	100%	100%	100%	100%
src/squid-config.ts	96.98%	94.18%	88%	96.92%
src/ssl-bump.ts	94.06%	88.46%	100%	94.78%
src/upstream-proxy.ts	94.93%	94.73%	100%	94.52%

---

🔍 Notable Findings

1. src/cli.ts — entry-point almost untested (28.6% stmts, 5.28% branches)
   The main CLI orchestration — argument parsing, signal handling (SIGINT/SIGTERM), error propagation, and the main() lifecycle — is essentially a black box to the test suite. Because this file coordinates startup and shutdown of all containers, regressions here can affect the entire firewall lifecycle.

2. src/host-iptables.ts — branch coverage at 81%
   All exported functions are called, but ~19% of branches remain untested. The uncovered branches likely include error conditions and edge cases in iptables rule generation. Since this module is responsible for host-level network isolation, untested branches could allow rules to be silently skipped.

3. src/logs/log-parser.ts — branch coverage at 68.57%
   Log parsing logic has significant uncovered branches. Malformed or unexpected log entries may not be handled correctly in production, leading to silent data loss in audit trails.

4. src/container-cleanup.ts — 77% statement, 79% branch coverage
   Cleanup paths (container teardown, volume removal, error recovery) are partially tested. Failures here could leave orphaned containers or expose residual network state after a firewall session ends.

---

📈 Recommendations

1. High — src/cli.ts signal handling and lifecycle tests: Add tests for SIGINT/SIGTERM handling, the main() startup/teardown sequence, and invalid argument combinations. This alone would close the biggest single coverage gap and guard the most critical orchestration path.

2. Medium — src/host-iptables.ts error and edge-case branches: Add tests for the ~19% uncovered branches — particularly error returns from iptables execution and edge cases in IPv6 rule generation. Target branch coverage ≥ 90% for this security-critical file.

3. Medium — src/logs/log-parser.ts malformed input paths: Add tests for truncated, malformed, and unexpected log line formats to bring branch coverage above 80%, ensuring audit logs are always parsed reliably.

4. Low — src/container-cleanup.ts failure paths: Add tests for cleanup failures (e.g., Docker daemon unavailable) to bring coverage above 85% and ensure residual state is handled gracefully.

---

Generated by test-coverage-reporter workflow. Trigger: push · Run: 25527661113

Generated by Test Coverage Reporter · ● 415.8K · ◷

• expires on May 14, 2026, 11:30 PM UTC

[github-actions[bot]]

🔮 The ancient spirits stir: the Codex smoke test agent was here. The firewall runes have been read, the browser mirror opened, and the build flame is being watched.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir in the smoke and stars: the Codex smoke test agent was here, traced the runes, and left this mark in the oracle ledger.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-05-14T23:30:42.517Z.

Closed by Workflow