[Coverage Report] Test Coverage Report — 2026-06-07

[github-actions[bot]]

📊 Test Coverage Report — 2026-06-07

105 test files · 139 source files · Data from coverage/coverage-summary.json (2026-06-07T17:53 UTC)

---

Overall Coverage

Metric	Coverage	Covered / Total
Statements	96.46%	4669 / 4840
Branches	90.73%	2546 / 2806
Functions	98.72%	542 / 549
Lines	96.55%	4515 / 4676

---

🔴 Critical Gaps (< 50% statement coverage)

None. All 139 source files are above 50% statement coverage.

---

🟡 Low Coverage (50–79% statement coverage)

File	Stmt%	Branch%	Notes
src/commands/validators/network-options.ts	66.66%	50%	Warning paths for invalid DOCKER_HOST never triggered in tests

Only 1 file is in the low-coverage range.

---

🛡️ Security-Critical Path Status

File	Stmt%	Branch%	Fn%	Status
src/host-iptables.ts	100%	100%	100%	✅ Fully covered
src/squid-config.ts	100%	100%	100%	✅ Fully covered
src/docker-manager.ts	100%	100%	100%	✅ Fully covered
src/domain-patterns.ts	97.67%	95.38%	100%	✅ Near-perfect
src/cli.ts	85.71%	50%	100%	⚠️ Uncovered branch: require.main === module guard (structural)

The four core enforcement modules collectively have 99.3% statement coverage.

---

🔍 Notable Findings

1. network-options.ts — DinD warning paths untested (66.66% stmt, 50% branch)
   Lines 48–74 are uncovered — the three logger.warn() blocks emitted when dockerHostCheck.valid === false. All require tests that set DOCKER_HOST to a non-standard socket. The happy path is exercised 37×; no test triggers an invalid host.

2. squid/policy-manifest.ts — HTTP-only / HTTPS-only protocol rule branches untested (70% fn)
   Three anonymous rule-builder functions (lines 139, 164, 187) for allow-http-only-regex, allow-https-only-regex, and allow-https-only-plain are never called. These activate only when domains carry (redacted) or https://` prefixes. All current tests use protocol-agnostic domain lists.

3. services/agent-volumes/etc-mounts.ts — Error catch blocks untested (82.45% stmt, 67.85% branch)
   The try/catch in synthesizeIdentityFile and readFileContent (silent undefined fallback on fs failure) is never exercised. Degraded behaviour under minimal ARC runners (no /etc/passwd) is unverified.

4. logs/audit-enricher.ts — Protocol-matching branches (74.13% branch)
   The isHttps === false path in protocolMatches and the regex-rule path in domainMatchesRule are uncovered. These affect rule-attribution accuracy in awf logs audit output.

Recent changes (last 7 days): 200+ files touched in a large refactor — all with companion test files. No new source code was added without tests.

---

📈 Recommendations

1. Medium — network-options.ts: Add 3 tests with DOCKER_HOST set to `(redacted) or a non-standard socket to exercise the three DinD/split-filesystem warning branches.
2. Medium — policy-manifest.ts: Add tests calling generatePolicyManifest with (redacted) and https://`-prefixed domains to cover protocol-specific ACL rule generation (security-relevant).
3. Low — etc-mounts.ts: Mock fs.mkdirSync/fs.readFileSync to throw; verify synthesizeIdentityFile and readFileContent return undefined gracefully.
4. Low — audit-enricher.ts: Add test fixtures with HTTP (non-TLS) log entries and regex-pattern rules to cover protocolMatches and domainMatchesRule branches.

---

Generated by test-coverage-reporter workflow · Trigger: push · Run: 27100216990

Generated by Test Coverage Reporter · sonnet46 1.9M · ◷

• expires on Jun 14, 2026, 5:59 PM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-06-14T17:59:46.980Z.

Closed by Workflow