[Coverage Report] Test Coverage Report — 2026-06-05 #4408
Closed
Replies: 2 comments
-
|
🔮 The ancient spirits stir; the smoke test agent was here, and the winds of validation speak PASS. Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
0 replies
-
|
This discussion was automatically closed because it expired on 2026-06-12T19:40:41.107Z.
|
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
📊 Test Coverage Report — 2026-06-05
Overall Coverage
🔴 Critical Gaps (< 50% statement coverage)
None. All 152 source files exceed 50% statement coverage.
🟡 Low Coverage (50–79% statement coverage)
src/commands/validators/network-options.ts🛡️ Security-Critical Path Status
src/host-iptables.tssrc/squid-config.tssrc/docker-manager.tssrc/domain-patterns.tssrc/cli.tssrc/host-iptables-rules.tssrc/squid/acl-generator.tssrc/squid/access-rules.tssrc/squid/domain-acl.tssrc/squid/config-generator.tssrc/squid/policy-manifest.tsAll primary firewall enforcement paths (iptables rule generation, Squid config, domain ACLs) are at 100% statement and branch coverage.
📋 Full Coverage Table
Click to expand — all source files (excluding test-utils)
src/commands/validators/network-options.tssrc/services/agent-volumes/etc-mounts.tssrc/logs/audit-enricher.tssrc/artifact-preservation.tssrc/cli.tssrc/logs/log-parser.tssrc/squid/policy-manifest.tssrc/services/agent-volumes/docker-host-staging.tssrc/commands/logs-command-helpers.tssrc/services/doh-proxy-service.tssrc/commands/validators/log-and-limits.tssrc/services/host-path-prefix.tssrc/config-writer.tssrc/services/api-proxy-service.tssrc/services/agent-volumes/docker-socket.tssrc/logs/log-streamer.tssrc/diagnostic-collector.tssrc/commands/validators/agent-options.tssrc/services/agent-volumes/hosts-file.tssrc/services/agent-environment/environment-builder.tssrc/squid/ssl-bump.tssrc/ssl-bump.tssrc/host-env.tssrc/logs/log-aggregator.tssrc/upstream-proxy.tssrc/commands/main-action.tssrc/services/cli-proxy-service.tssrc/parsers/volume-parsers.tssrc/container-lifecycle.tssrc/services/agent-volumes/workspace-mounts.tssrc/container-cleanup.tssrc/services/agent-environment/env-passthrough.tssrc/commands/validators/config-assembly.tssrc/compose-sanitizer.tssrc/logs/log-formatter.tssrc/domain-patterns.tssrc/services/agent-service.tssrc/services/agent-volumes/home-strategy.tssrc/config-file.tssrc/rules.tssrc/compose-generator.tssrc/pid-tracker.tssrc/option-parsers.tssrc/api-proxy-config.tssrc/cli-options.tssrc/cli-workflow.tssrc/docker-manager.tssrc/host-iptables.tssrc/squid-config.tssrc/redact-secrets.tssrc/services/agent-volumes/credential-hiding.tssrc/services/service-security.tssrc/services/squid-service.ts(~40 additional files at 100% omitted for brevity)
🔍 Notable Findings
src/commands/validators/network-options.ts— branch coverage 50% (only file below 80% stmts): The untested branches cover ARC/DinD warning paths — specifically the three distinctlogger.warn()code paths triggered whenDOCKER_HOSTis external (!dockerHostCheck.valid) combined with missing--docker-host-path-prefix. These are tested via integration but not unit-tested; adding tests for the three warning combinations in a newnetwork-options.test.tswould bring this file to ~90%+.src/cli.ts— branch coverage 50%: The sole uncovered branch is the top-levelif (require.main === module)guard (line 11). This is an inherent limitation of Jest's module loading model — the module is alwaysrequire()'d during tests, so the guard never evaluates totrue. No action needed; statement coverage is 85.7% and all real logic paths are covered.src/services/agent-volumes/etc-mounts.ts— branch coverage 67.8%: This file handles passwd/group file injection for UID/GID remapping in the agent container. Uncovered branches are thestagedPasswdContent/stagedGroupContentnull-guard paths (lines 91, 113). These are security-relevant — a missing uid/gid in staged files could affect credential isolation. Tests forfileHasPasswdUid/fileHasGroupGidwhen staged content isnullwould address this.src/services/agent-environment/environment-builder.ts— branch coverage 66.7%: Uncovered branches are theif (!envAll)null guard and theENV_SIZE_WARNING_THRESHOLDexceeded path. Adding a test whereenvAllis empty/undefined and one where total env bytes exceed the threshold would cover both remaining branches in this agent bootstrap path.📈 Recommendations
High — Add
src/commands/validators/network-options.test.ts: Unit testvalidateNetworkOptions()with a mockedcheckDockerHost()returning{ valid: false }, covering the three distinct warning branches: (a) invalid host + no prefix, (b) dindHint + no prefix, (c) valid host. This is the only file below 80% statement coverage.Medium — Extend
etc-mountstests for null staged-content paths: In the existingetc-mounts.tstest suite, add cases where the Docker-host staging returnsnullfor passwd/group content, ensuringinjectHostPasswd/injectHostGroupfall back cleanly without inserting uid/gid entries — directly tests a security-adjacent code path.Low — Cover
environment-builder.tsenv-size threshold branch: Add a test that builds a large environment object (exceedingENV_SIZE_WARNING_THRESHOLDbytes) to triggerlogger.warn(), and one that passesundefinedasenvAll. Low-risk but completes branch coverage for the agent container bootstrap.Generated by test-coverage-reporter workflow · Trigger:
push· Run: 27035903916Beta Was this translation helpful? Give feedback.
All reactions