[Coverage Report] Test Coverage Report — 2026-06-05 #4385
Replies: 3 comments
-
|
🔮 The ancient spirits stir around discussion 4385. Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
-
|
This discussion was automatically closed because it expired on 2026-06-12T15:52:58.446Z.
|
Beta Was this translation helpful? Give feedback.
-
|
🔮 The ancient spirits stir over this archive: the smoke test agent has passed through, left a trace in the ether, and departed in good standing. Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
📊 Test Coverage Report — 2026-06-05
Overall Coverage
🔴 Critical Gaps (< 50% statement coverage)
None. All files are above 50% statement coverage.
🟡 Low Coverage (50–79% statement coverage)
src/commands/validators/network-options.ts🛡️ Security-Critical Path Status
src/host-iptables.tssrc/squid-config.tssrc/docker-manager.tssrc/domain-patterns.tssrc/cli.tssrc/cli.tsis a 13-line entry-point shim (if (require.main === module)). The uncovered branch is the module-import path (not invoked directly), so this is expected rather than a real gap. All substantive orchestration logic lives insrc/cli-workflow.tsat 100%.📋 Coverage by File (bottom 20 by statement coverage)
src/commands/validators/network-options.tssrc/services/agent-volumes/etc-mounts.tssrc/logs/audit-enricher.tssrc/artifact-preservation.tssrc/cli.tssrc/logs/log-parser.tssrc/squid/policy-manifest.tssrc/services/agent-volumes/docker-host-staging.tssrc/commands/logs-command-helpers.tssrc/commands/validators/log-and-limits.tssrc/services/doh-proxy-service.tssrc/services/host-path-prefix.tssrc/config-writer.tssrc/services/api-proxy-service.tssrc/services/agent-environment/environment-builder.tssrc/squid/ssl-bump.tssrc/host-env.tssrc/logs/log-aggregator.tssrc/upstream-proxy.tssrc/commands/main-action.ts🔍 Notable Findings
1.
src/commands/validators/network-options.ts— new file with 33% uncovered statementsAdded in commit
4c46947(api-proxy: Copilot session_id opt-in), this validator checks Docker host socket validity and DinD path-prefix resolution. Two conditional branches are untested:!dockerHostCheck.valid && !dockerHostPathPrefixResolution.dockerHostPathPrefix(line 59) — error path when Docker host is invalid and no DinD prefix provideddockerHostPathPrefixResolution.dindHint && !dockerHostPathPrefixResolution.dockerHostPathPrefix(line 64) — DinD hint detected but no prefix resolvedThis function validates the security boundary between runner and Docker daemon (ARC/DinD). Missing branch coverage here means the error paths that guard misconfigured network isolation are untested.
2.
src/logs/log-parser.ts— 67.1% branch coverageComplex IPv6 parsing logic (
[::1]:portbracket notation,lastColonfallbacks,\d+port validation, malformed destination strings) has many untested branches. While not security-critical, malformed log entries could silently producenulland drop audit records.3.
src/services/agent-volumes/etc-mounts.ts— 67.8% branch coverageThe
/etc/passwdand/etc/groupstaging paths (lines 82–113) handlenullreturns from staged file reads, UID/GID presence checks, and error recovery. These branches are untested. The/etcstaging logic determines which credential files the agent can see — uncovered branches here are worth addressing.4.
src/artifact-preservation.ts— 85.4% stmt (new file)Newly introduced in the last 7 days. The
preserveIptablesAuditfunction preserves iptables audit dumps beforedocker compose down -vdestroys the init-signal volume. The copy-failure error handling path is not covered.📈 Recommendations
High — Add unit tests for
src/commands/validators/network-options.ts: cover the two error branches (invalid Docker host without DinD prefix; DinD hint present but prefix unresolved). New code validating a security-critical boundary, shipped without complete branch coverage.Medium — Improve branch coverage in
src/logs/log-parser.ts: add test cases for IPv6[::1]:portformat, missing port separator, non-numeric port strings, and malformedrawDestvalues. Ensures audit logs are never silently dropped.Medium — Cover staging error paths in
src/services/agent-volumes/etc-mounts.ts: test whenstagedPasswdContentisnull(file read failure) and when the UID/GID is absent from the staged file. Error-recovery paths in credential file staging.Low — Add a test for the
preserveIptablesAuditcopy-failure path insrc/artifact-preservation.ts(mockfs.copyFileSyncto throw and assert graceful degradation).Generated by test-coverage-reporter workflow · Trigger:
push· Commit:4c46947Beta Was this translation helpful? Give feedback.
All reactions