[Coverage Report] Test Coverage Report — 2026-06-13 #4886
Closed
Replies: 2 comments
-
|
🔮 The ancient spirits stir; the smoke test agent has passed through and left a brief oracle-mark upon this discussion.
|
Beta Was this translation helpful? Give feedback.
0 replies
-
|
This discussion was automatically closed because it expired on 2026-06-20T16:18:21.570Z.
|
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
📊 Test Coverage Report — 2026-06-13
Overall Coverage
Overall health is excellent. No files fall below the 50% threshold.
🔴 Critical Gaps (< 50% statement coverage)
None. All 142 source files exceed 50% statement coverage.
🟡 Low Coverage (50–79% statement coverage)
src/commands/validators/network-options.tsThis file was recently modified and validates Docker host, domain resolution, and network configuration options. The uncovered branches correspond to warning paths for external
DOCKER_HOSTdetection and DinD hint scenarios.🛡️ Security-Critical Path Status
📋 Full Coverage Table
Expand full per-file breakdown (sorted by branch coverage, ascending)
src/commands/validators/network-options.tssrc/services/agent-environment/environment-builder.tssrc/services/agent-volumes/etc-mounts.tssrc/logs/log-parser.tssrc/services/agent-volumes/docker-host-staging.tssrc/logs/audit-enricher.tssrc/services/agent-volumes/system-mounts.tssrc/services/agent-volumes/workspace-mounts.tssrc/services/doh-proxy-service.tssrc/commands/validators/log-and-limits.tssrc/logs/log-streamer.tssrc/host-env.tssrc/pid-tracker.tssrc/squid-log-reader.tssrc/config-writer.tssrc/services/host-path-prefix.tssrc/squid/config-sections.tssrc/commands/preflight.tssrc/ssl-bump.tssrc/squid/policy-manifest.tssrc/commands/validators/agent-options.tssrc/commands/main-action.tssrc/commands/network-setup.tssrc/commands/signal-handler.tssrc/commands/logs-command-helpers.tssrc/artifact-preservation.tssrc/logs/log-aggregator.tssrc/commands/validators/config-assembly.tssrc/logs/log-discovery.tssrc/domain-patterns.tssrc/api-proxy-config.tssrc/services/api-proxy-service-config.tssrc/option-parsers.ts🔍 Notable Findings
1.
src/services/agent-volumes/etc-mounts.ts— 67.9% branch coverageControls which
/etcfiles (passwd, group, SSL certs) are bind-mounted into the agent container — a key security isolation surface. Uncovered branches include: thesynthesizeIdentityFilecatch/failure path,resolveUniqueNamecounter loop (when both preferred name andname-idare already taken), and the case where DinD staging returnsundefinedand falls back to/etc/passwd. These are reachable via minimal ARC containers.2.
src/logs/log-parser.ts— 68.6% branch coverageThe
parseAuditJsonlLinefunction has 22 uncovered branches, including: bracketed IPv6 address parsing (e.g.[2001:db8::1]:443), thecloseBracket === -1edge case, thetimestampfallback from an invalid ISO string to the legacytsepoch field, and IPv4lastIndexOf(':')when the port candidate fails the/^\d+$/test. Gaps here risk silently dropping or misclassifying audit log entries.3.
src/squid/policy-manifest.ts— 70% function coverage (7/10)Three functions generating protocol-specific allow rules are not exercised:
allow-http-only-regex,allow-https-only-regex, andallow-both-regexbranches. These fire only when callers pass domain patterns (regex-style entries) with protocol qualifiers. Missing coverage means the policy manifest output for regex-whitelisted domains is untested.4.
src/commands/validators/network-options.ts— 50% branch coverage (recently changed)Both warning branches (
!dockerHostCheck.validanddindHint && !dockerHostPathPrefix) have no test coverage. Since this validator recently landed, adding tests for the DinD/ARC warning paths would prevent silent regressions in split-filesystem setups.📈 Recommendations
High —
src/services/agent-volumes/etc-mounts.ts: Add unit tests for DinD mode with: (a) missing/etc/passwdtriggering synthesis, (b)synthesizeIdentityFilefs failure returningundefined, and (c)resolveUniqueNamecollision loop. This file directly governs identity file isolation in agent containers.Medium —
src/logs/log-parser.ts: Add test cases forparseAuditJsonlLinewith bracketed IPv6 destinations, invalid ISO timestamps falling back tots, and malformeddeststrings. Ensures audit trail integrity under non-standard log formats.Medium —
src/squid/policy-manifest.ts: TestgeneratePolicyManifestwith configs containing regex-style domain patterns (e.g.*.example.com) split by HTTP-only and HTTPS-only protocol qualifiers to exercise the three uncovered protocol-specific rule generators.Low —
src/commands/validators/network-options.ts: Add tests simulatingDOCKER_HOST=(192.168.1.1/redacted) (external host, no path prefix) andAWF_DIND=1` with a non-standard socket path to cover the warning-branch paths and prevent regressions in the newly refactored network options validator.Generated by test-coverage-reporter workflow · Trigger:
push· 2026-06-13T16:14ZBeta Was this translation helpful? Give feedback.
All reactions