[Coverage Report] Test Coverage Report — 2026-06-11 #4729
Closed
Replies: 1 comment
-
|
This discussion was automatically closed because it expired on 2026-06-18T06:12:06.892Z.
|
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Overall Coverage
Test suite: 2,476 / 2,477 passing (1 environment-dependent failure in
agent-volumes-mounts.test.ts— DNS pre-resolution test expects specific IPs that differ by runner host).🔴 Critical Gaps (< 50% statement coverage)
None. All files are above 50% statement coverage.
🟡 Low Coverage (50–79% statement coverage)
src/commands/validators/network-options.tsThis is the only file below 80%. The uncovered statements are the warning-logging branches for external Docker host detection and DinD path-prefix hints (lines 47–74).
🛡️ Security-Critical Path Status
src/host-iptables.tssrc/squid-config.tssrc/docker-manager.tssrc/domain-patterns.tssrc/cli.tssrc/cli.tshas only 7 statements — the 50% branch gap is therequire.main === moduleguard's "not-main" branch, which is structurally uncoverable by Jest in the normal test path.📋 Files with Notable Coverage Gaps (sorted by statement %)
src/commands/validators/network-options.tssrc/squid-log-reader.tssrc/services/agent-volumes/etc-mounts.tssrc/logs/audit-enricher.tssrc/services/agent-volumes/hosts-file.tssrc/artifact-preservation.tssrc/logs/log-parser.tssrc/squid/policy-manifest.tssrc/commands/validators/log-and-limits.ts🔍 Notable Findings
1.
src/commands/validators/network-options.ts— 66.7% stmt, 50% branch (DinD warning paths)The uncovered paths are
logger.warn(...)calls for three conditions: externalDOCKER_HOSTdetected, external host without--docker-host-path-prefix, anddindHintwithout a prefix. These are security-relevant infrastructure checks — a developer could accidentally break them without any test catching it. Tests should mockcheckDockerHost()returningvalid: falseandresolveDockerHostPathPrefix()returningdindHint: trueto exercise all warning branches.2.
src/logs/log-parser.ts— 86.9% stmt, 68.6% branch (audit trail integrity)Log parsing is critical to audit-trail correctness. The 31 uncovered branches likely cover malformed Squid log lines, edge-case field formats (missing timestamps, unexpected status codes, empty Host headers). Untested parsing branches could silently mis-classify traffic as allowed/denied. Tests with deliberately malformed log entries would raise this coverage significantly.
3.
src/services/agent-volumes/etc-mounts.ts— 82.5% stmt, 67.9% branch (agent/etcexposure)This file controls which
/etcfiles are selectively bind-mounted into the agent container. The 10 uncovered branches likely guard optional file inclusions. Silently broken logic here could either over-expose host system files or fail to provide required files (e.g., SSL certificates,nsswitch.conf).4.
src/logs/audit-enricher.ts— 83.6% stmt, 74.1% branch (new code, PR #4678)artifact-preservation.ts(85.4%) andaudit-enricher.ts(83.6%) were both introduced or heavily modified in the recent "Add opt-in diagnostics artifact for blocked LLM request bodies" commit (102c422). Both have coverage gaps in the 14–17% range, suggesting the new diagnostics path has incomplete test coverage at this stage.📈 Recommendations
High —
network-options.tsDinD warning branches: Add unit tests that mockcheckDockerHost()returning{ valid: false }andresolveDockerHostPathPrefix()returning{ dindHint: true, dockerHostPathPrefix: undefined }. This would bring the file from 66.7% to ~95%+ and protect security-critical DinD detection logic.Medium —
logs/log-parser.tsbranch coverage (68.6%): Add a test fixture with malformed Squid log lines (truncated entries, unknown result codes, IPv6 addresses, domains with ports). Robust parsing is essential for audit integrity — misclassified log entries could mask blocked traffic in reports.Medium —
services/agent-volumes/etc-mounts.tsbranch coverage (67.9%): Parameterize existing tests to cover all combinations of optional/etcmount flags. Untested paths here could silently break SSL certificate availability or expose unintended host files in the agent environment.Low —
squid/policy-manifest.tsfunction coverage (70%): Three functions are completely uncovered. Identify them from the coverage report and add targeted unit tests, especially for any error-handling or fallback logic in policy manifest construction.Generated by test-coverage-reporter workflow. Trigger:
scheduleBeta Was this translation helpful? Give feedback.
All reactions