[Coverage Report] 📊 Test Coverage Report — 2026-06-11 #4724
Closed
Replies: 2 comments
-
|
🔮 The ancient spirits stir, and the smoke test agent has passed through this thread. May the build winds remain favorable and the whitelist hold fast. Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
0 replies
-
|
This discussion was automatically closed because it expired on 2026-06-18T01:27:19.467Z.
|
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Overall Coverage
108 test files · 155 source files
🔴 Critical Gaps (< 50% statement coverage)
None — all files are above 50%.
🟡 Low Coverage (50–79% statement coverage)
src/commands/validators/network-options.ts🛡️ Security-Critical Path Status
src/host-iptables.tssrc/squid-config.tssrc/docker-manager.tssrc/domain-patterns.tssrc/cli.ts📋 Full Coverage Table
All files (sorted by statement coverage)
src/commands/validators/network-options.tssrc/squid-log-reader.tssrc/services/agent-volumes/etc-mounts.tssrc/logs/audit-enricher.tssrc/artifact-preservation.tssrc/cli.tssrc/logs/log-parser.tssrc/squid/policy-manifest.tssrc/services/agent-volumes/docker-host-staging.tssrc/commands/logs-command-helpers.tssrc/dind-bootstrap.tssrc/services/doh-proxy-service.tssrc/commands/validators/log-and-limits.tssrc/services/host-path-prefix.tssrc/config-writer.tssrc/services/agent-volumes/docker-socket.tssrc/services/api-proxy-service.tssrc/logs/log-streamer.tssrc/services/agent-volumes/system-mounts.tssrc/diagnostic-collector.tssrc/commands/build-config.tssrc/commands/validators/agent-options.tssrc/services/agent-volumes/hosts-file.tssrc/services/agent-environment/environment-builder.tssrc/squid/ssl-bump.tssrc/ssl-bump.tssrc/host-env.tssrc/logs/log-aggregator.tssrc/commands/main-action.tssrc/upstream-proxy.tssrc/services/cli-proxy-service.tssrc/parsers/volume-parsers.tssrc/container-startup-diagnostics.tssrc/services/agent-volumes/workspace-mounts.tssrc/container-cleanup.tssrc/container-lifecycle.tssrc/services/agent-environment/env-passthrough.tssrc/compose-sanitizer.tssrc/commands/validators/config-assembly.tssrc/logs/log-formatter.tssrc/domain-patterns.tssrc/services/agent-service.tssrc/services/agent-volumes/home-strategy.tssrc/config-file.tssrc/rules.tssrc/compose-generator.tssrc/pid-tracker.tssrc/option-parsers.tssrc/api-proxy-config.tssrc/cli-options.tssrc/cli-workflow.tssrc/commands/logs-audit.tssrc/commands/logs-stats.tssrc/commands/logs-summary.tssrc/commands/logs.tssrc/commands/network-setup.tssrc/commands/predownload.tssrc/commands/preflight.tssrc/commands/signal-handler.tssrc/commands/subcommands.tssrc/commands/validate-options.tssrc/constants.tssrc/host-iptables.tssrc/host-iptables-rules.tssrc/host-iptables-cleanup.tssrc/host-iptables-network.tssrc/host-iptables-shared.tssrc/squid-config.tssrc/docker-manager.tssrc/domain-patterns.ts🔍 Notable Findings
src/commands/validators/network-options.ts— branch coverage 50% (only file below 80% stmt)The
validateNetworkOptions()function has three warning branches for Docker/DinD host edge cases (!dockerHostCheck.valid,dindHint && !dockerHostPathPrefix). These paths are security-relevant: they guard against misconfigured DinD setups that could allow unintended filesystem access. Tests currently cover only the "happy path"; the warning branches are untested.src/cli.ts— branch coverage 50% (entry point; 7 total statements)The only uncovered branch is the
if (require.main === module)guard, which preventsprogram.parse()from being called when the file is imported. While the file is tiny, adding a test that mocksrequire.mainwould reach 100% branch coverage.src/services/api-proxy-service.ts— branch coverage 50%Credential-isolation branches in the API proxy sidecar builder are only half covered. Missing branch paths likely include the case where the optional
api-proxyservice is configured with non-default credential or routing settings, which is directly relevant to the key-injection security boundary.Recent commit
6c1f2b6(last 7 days) touchedaction.ymland added several new exported functions (createMainAction,buildConfig,validateApiProxyConfig,preserveIptablesAudit). Most of these are already covered per the JSON report, butpreserveIptablesAudit(insrc/artifact-preservation.tsat 85.4% stmt / 95.3% branch) has some uncovered statements worth verifying.📈 Recommendations
High —
src/commands/validators/network-options.ts: Add tests for the three Docker-host warning branches invalidateNetworkOptions(): (a) external DOCKER_HOST with no path prefix, (b)dindHintset but nodockerHostPathPrefix. These guard DinD configuration warnings and are the only file below 80%.Medium —
src/services/api-proxy-service.ts: Cover the uncovered credential-routing branches inbuildApiProxyService(). Target: bring branch coverage from 50% → 80%+ by exercising the non-default API proxy configuration paths.Low —
src/cli.ts: Add a single Jest test that stubsrequire.main !== moduleto exercise the guard branch aroundprogram.parse(), reaching 100% branch coverage on the entry point.Generated by test-coverage-reporter workflow · Trigger:
push· Run: 27317331309Beta Was this translation helpful? Give feedback.
All reactions