[Coverage Report] Test Coverage Report — 2026-05-09

[github-actions[bot]]

📊 Overall Coverage

Metric	Coverage	Status
Statements	87.51%	🟢 Good
Branches	79.69%	🟢 Good
Functions	82.66%	🟢 Good
Lines	87.55%	🟢 Good

Total: 3,527 / 4,030 statements covered across 51 source files, 49 test files, 135+ tests.

---

🔴 Critical Gaps (< 50% statement coverage)

File	Stmts	Branches	Funcs
src/cli.ts	28.6%	5.28%	11.59%

cli.ts is the main entry point and orchestrates the entire firewall lifecycle. With only 5.28% branch coverage, argument parsing, signal handling, error paths, and the main startup/shutdown flow are almost entirely untested.

---

🟡 Low Coverage (50–79%)

File	Stmts	Branches	Funcs
src/container-cleanup.ts	77.07%	79.24%	100%

Cleanup error paths (partial cleanup, network teardown failures) are the likely uncovered branches.

---

🛡️ Security-Critical Path Status

File	Stmts	Branches	Funcs	Status
src/host-iptables.ts	88.46%	81%	100%	🟢 Good
src/squid-config.ts	96.98%	94.18%	88%	🟢 Excellent
src/docker-manager.ts	100%	100%	96.55%	🟢 Excellent
src/domain-patterns.ts	97.67%	95.38%	100%	🟢 Excellent
src/cli.ts	28.6%	5.28%	11.59%	🔴 Critical

All security-critical firewall modules (host-iptables, squid-config, docker-manager, domain-patterns) are well-covered. The only critical gap is cli.ts — the entry point that wires them all together.

---

📋 Full Coverage Table

File	Stmts	Branches	Funcs	Lines
🔴 src/cli.ts	28.6%	5.28%	11.59%	28.63%
🟡 src/container-cleanup.ts	77.07%	79.24%	100%	77.45%
🟢 src/logs/audit-enricher.ts	83.6%	74.13%	100%	89.36%
🟢 src/logs/log-parser.ts	86.9%	68.57%	100%	87.8%
🟢 src/host-iptables.ts	88.46%	81%	100%	88.71%
🟢 src/commands/logs-command-helpers.ts	88.52%	83.33%	100%	88.33%
🟢 src/container-lifecycle.ts	88.56%	77.19%	100%	88.21%
🟢 src/cli-workflow.ts	88.88%	85.71%	100%	88.88%
🟢 src/services/doh-proxy-service.ts	88.88%	75%	100%	88.88%
🟢 src/services/agent-volumes.ts	91.81%	73.17%	100%	91.58%
🟢 src/logs/log-streamer.ts	92.18%	77.77%	88.88%	92.06%
🟢 src/ssl-bump.ts	94.06%	88.46%	100%	94.78%
🟢 src/logs/log-aggregator.ts	94.73%	87.5%	100%	94.66%
🟢 src/services/cli-proxy-service.ts	94.73%	93.33%	100%	94.73%
🟢 src/upstream-proxy.ts	94.93%	94.73%	100%	94.52%
🟢 src/squid-config.ts	96.98%	94.18%	88%	96.92%
🟢 src/pid-tracker.ts	97.27%	66.66%	100%	99.03%
🟢 src/logs/log-formatter.ts	97.43%	92.85%	100%	97.29%
🟢 src/services/agent-service.ts	97.61%	94.64%	100%	97.5%
🟢 src/domain-patterns.ts	97.67%	95.38%	100%	97.61%
🟢 src/services/agent-environment.ts	97.85%	92.24%	100%	98.54%
🟢 src/config-file.ts	98.03%	96.77%	87.5%	100%
🟢 src/rules.ts	98.27%	91.89%	100%	98.21%
🟢 src/host-env.ts	98.38%	93.18%	100%	98.88%
🟢 src/services/api-proxy-service.ts	98.46%	93.58%	100%	98.46%
🟢 src/compose-generator.ts	98.48%	91.66%	100%	98.48%
🟢 src/option-parsers.ts	99.44%	99.24%	100%	99.42%
🟢 src/api-proxy-config.ts	100%	100%	100%	100%
🟢 src/copilot-api-resolver.ts	100%	86.95%	100%	100%
🟢 src/dlp.ts	100%	100%	100%	100%
🟢 src/dns-resolver.ts	100%	93.75%	100%	100%
🟢 src/docker-manager.ts	100%	100%	96.55%	100%
🟢 src/domain-utils.ts	100%	100%	100%	100%
🟢 src/env-utils.ts	100%	100%	100%	100%
🟢 src/image-tag.ts	100%	100%	100%	100%
🟢 src/logger.ts	100%	90.9%	100%	100%
🟢 src/redact-secrets.ts	100%	100%	100%	100%
🟢 src/schema-validator.ts	100%	100%	100%	100%
🟢 src/commands/logs-audit.ts	100%	95.65%	100%	100%
🟢 src/commands/logs-stats.ts	100%	100%	100%	100%
🟢 src/commands/logs-summary.ts	100%	100%	100%	100%
🟢 src/commands/logs.ts	100%	100%	100%	100%
🟢 src/commands/predownload.ts	100%	100%	100%	100%
🟢 src/logs/index.ts	100%	100%	21.42%	100%
🟢 src/logs/log-discovery.ts	100%	90%	100%	100%
🟢 src/logs/stats-formatter.ts	100%	93.47%	100%	100%
🟢 src/services/squid-service.ts	100%	100%	100%	100%

---

🔍 Notable Findings

1. src/cli.ts — near-zero branch coverage (5.28%): This 426-line file exports 69 functions, only 8 of which are covered. Uncovered areas include CLI argument parsing edge cases, --enable-api-proxy, --build-local, signal handlers (SIGINT/SIGTERM), and the main run() orchestration flow. A failure here wouldn't be caught by the test suite.

2. src/host-iptables.ts — 19% uncovered branches: The setupHostIptables() function has 18 conditional branches, 10 covered. The gaps likely include IPv6-specific paths, error handling in ensureFirewallNetwork(), and the cleanupHostIptables() / cleanupFirewallNetwork() teardown paths.

3. src/logs/log-parser.ts — branch coverage 68.57%: Parser error paths and edge-case log line formats are likely uncovered. These paths would be exercised if Squid emits malformed or unexpected log entries.

4. src/container-cleanup.ts — 22.93% uncovered statements: Cleanup runs after every awf execution. Uncovered branches likely include partial-cleanup scenarios, timeout handling, and Docker daemon error paths that only manifest under failure conditions.

---

📈 Recommendations

1. High — src/cli.ts branch coverage: Add tests for --enable-api-proxy, --build-local, invalid flag combinations, and SIGINT/SIGTERM signal handling. Even minimal integration-style tests that mock docker-manager would dramatically raise branch coverage from 5.28%.

2. Medium — src/host-iptables.ts error paths: Add tests for cleanupHostIptables() and cleanupFirewallNetwork() failure cases (e.g., iptables command failure, network already removed). These run on every awf exit.

3. Low — src/container-cleanup.ts error branches: Test partial cleanup scenarios where some containers have already exited or volumes are already removed before cleanup runs.

---

Generated by test-coverage-reporter workflow · Trigger: push · Run: 25586536240

Generated by Test Coverage Reporter · ● 328.4K · ◷

• expires on May 16, 2026, 12:43 AM UTC

[github-actions[bot]]

🔮 The ancient spirits stir... the Codex smoke test agent was here, leaving a brief shimmer in the workflow ether.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-05-16T00:43:28.667Z.

Closed by Workflow