[Coverage Report] Test Coverage Report — 2026-06-13 #4887
Closed
Replies: 1 comment
-
|
This discussion was automatically closed because it expired on 2026-06-20T16:29:07.939Z.
|
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Overall Coverage
137 source files tracked · 100+ test files · thresholds enforced in CI.
🔴 Critical Gaps (< 50% statement coverage)
None — all files exceed 50% statement coverage.
🟡 Low Coverage (50–89% statement coverage)
src/commands/validators/network-options.tssrc/squid-log-reader.tssrc/services/agent-volumes/etc-mounts.tssrc/logs/audit-enricher.tssrc/logs/log-parser.tssrc/squid/policy-manifest.tssrc/artifact-preservation.ts🛡️ Security-Critical Path Status
📋 Files with Branch Coverage < 85%
src/commands/validators/network-options.tssrc/services/agent-environment/environment-builder.tssrc/logs/log-parser.tssrc/services/agent-volumes/etc-mounts.tssrc/logs/audit-enricher.tssrc/services/agent-volumes/docker-host-staging.tssrc/services/agent-volumes/workspace-mounts.tssrc/services/agent-volumes/system-mounts.tssrc/services/doh-proxy-service.tssrc/commands/validators/log-and-limits.tssrc/logs/log-streamer.tssrc/commands/logs-command-helpers.tssrc/cli.ts🔍 Notable Findings
1.
network-options.ts— 5/10 branches uncovered (added in #4832)The three Docker-host warning paths (
valid: false,!valid && !pathPrefix,dindHint && !pathPrefix) are not tested. These emit security-relevant warnings when an external or non-standard Docker socket is detected.2.
etc-mounts.ts— 9/28 branches uncovered (modified in #4831)ARC/DinD identity synthesis has gaps: the
synthesizeIdentityFilecatch branch, theresolveUniqueNamecounter loop, and augmentation fallbacks (|| passwdPath) are untested. These handle edge cases in minimal ARC containers without/etc/passwd— a security-sensitive path.3.
log-parser.ts— 22/70 branches uncoveredSquid log parser has large branch gaps. Decision codes like
NONE/200,TCP_MISS,TCP_HIT,TCP_MEM_HITandextractDomainfallback paths (no Host header, raw URL) are not covered — affects correctness ofawf logs auditoutput.4.
squid/policy-manifest.ts— 3 functions uncoveredProtocol-specific allow-rule branches for
(redacted) andhttps://`-prefixed domains are not exercised. Since this manifest drives the audit log enricher, gaps here can produce silent misclassification in audit reports.📈 Recommendations
network-options.ts: Add unit tests mockingcheckDockerHost()returningvalid: falseanddindHint: true. ~3 test cases.etc-mounts.ts: TestbuildEtcMountsin DinD mode wherestageHostFilereturnsnulland where staged file lacks the runner UID; also testsynthesizeIdentityFileerror path. ~4–5 test cases.log-parser.ts: Add fixtures forTCP_MISS,TCP_HIT,TCP_MEM_HIT,NONE/200decisions plusextractDomainfallback. ~6 test cases.policy-manifest.ts: CallgeneratePolicyManifestwith(redacted) andhttps://` prefixed domains to trigger protocol-specific rule branches. ~2 test cases.Generated by test-coverage-reporter workflow. Trigger:
pushBeta Was this translation helpful? Give feedback.
All reactions