[Coverage Report] Test Coverage Report - 2026-06-13 #4916
Closed
Replies: 1 comment
This discussion was automatically closed because it expired on 2026-06-20T21:54:33.231Z.
Overall Coverage
138 source files tracked in src/. Coverage thresholds (min): 38% stmt / 30% branch / 35% func, all comfortably exceeded.
Critical Gaps (< 50% statement coverage)
None: every file exceeds 50% statement coverage.
Low Coverage (50–79% statement coverage)
- src/commands/validators/network-options.ts
Security-Critical Path Status
- src/host-iptables.ts
- src/host-iptables-rules.ts
- src/host-iptables-shared.ts
- src/host-iptables-cleanup.ts
- src/host-iptables-network.ts
- src/squid-config.ts
- src/squid/acl-generator.ts
- src/squid/access-rules.ts
- src/squid/validation.ts
- src/domain-patterns.ts
- src/docker-manager.ts
- src/cli.ts
Full Coverage Table
All files with statement coverage < 100% (39 files, sorted ascending)
- src/commands/validators/network-options.ts
- src/squid-log-reader.ts
- src/services/agent-volumes/etc-mounts.ts
- src/logs/audit-enricher.ts
- src/config-writer.ts
- src/artifact-preservation.ts
- src/cli.ts
- src/logs/log-parser.ts
- src/squid/policy-manifest.ts
- src/services/agent-volumes/docker-host-staging.ts
- src/commands/logs-command-helpers.ts
- src/services/doh-proxy-service.ts
- src/commands/validators/log-and-limits.ts
- src/services/host-path-prefix.ts
- src/services/api-proxy-service.ts
- src/services/agent-volumes/docker-socket.ts
- src/logs/log-streamer.ts
- src/services/agent-volumes/system-mounts.ts
- src/diagnostic-collector.ts
- src/commands/build-config.ts
- src/commands/validators/agent-options.ts
- src/services/agent-volumes/hosts-file.ts
- src/services/agent-environment/environment-builder.ts
- src/squid/ssl-bump.ts
- src/ssl-bump.ts
- src/host-env.ts
- src/workdir-setup.ts
- src/logs/log-aggregator.ts
- src/commands/main-action.ts
- src/upstream-proxy.ts
- src/services/agent-volumes/workspace-mounts.ts
- src/parsers/env-parsers.ts
- src/option-parsers.ts
- src/domain-patterns.ts
- src/config-file.ts
- src/commands/validators/config-assembly.ts
- src/rules.ts
- src/compose-generator.ts
- src/pid-tracker.ts
Bold values indicate branch coverage < 70%.
Notable Findings
- src/commands/validators/network-options.ts (66.7% stmt, 50% branch; 14/21 statements, 5/10 branches covered): Network option validation is the most under-tested file. Uncovered paths likely include error handling for invalid upstream proxy URLs, out-of-range port numbers, and malformed DNS server IPs. A misconfigured validator could silently accept invalid settings and pass them through to the firewall.
- src/logs/log-parser.ts (86.9% stmt, 68.6% branch; 22/70 branches uncovered): Squid log parsing covers most common paths but leaves many conditionals untested. Edge cases for malformed log entries, missing Host headers, non-standard HTTP status codes, and truncated lines may cause silent parse failures, meaning security events could go unrecorded in audit logs.
- src/services/agent-volumes/etc-mounts.ts (82.5% stmt, 67.9% branch; 9/28 branches uncovered): Controls which host /etc files are bind-mounted into the agent container, a key isolation boundary. Uncovered branches likely include fallback behavior when expected host files are absent, plus conditional platform-specific logic that could expose unintended paths.
- src/services/agent-environment/environment-builder.ts (93.5% stmt, 66.7% branch; 2/6 branches uncovered): Assembles the environment variables injected into the sandboxed agent. The 2 uncovered branches may govern conditional API-proxy credential injection; untested combinations could lead to credentials being silently omitted or, conversely, leaking into the agent environment.
Recommendations
- High: Add tests for src/commands/validators/network-options.ts: test invalid upstream proxy URLs, out-of-range port numbers, conflicting --dns-servers + --enable-doh flags, and empty string edge cases. Goal: ≥ 80% branch coverage on this security-relevant network validator.
- Medium: Expand src/logs/log-parser.ts with adversarial inputs: malformed Squid log lines, entries missing the Host field, boundary Unix timestamps, and TCP_DENIED vs TCP_TUNNEL variations. Target: push branch coverage from 68.6% → 85%.
- Medium: Cover src/services/agent-volumes/etc-mounts.ts branches, specifically test behavior when /etc/passwd, /etc/group, SSL cert bundles, or nsswitch.conf are absent on the host. This directly affects what an agent can see inside its isolation boundary.
- Low: Address src/squid/policy-manifest.ts function coverage (70%; 3/10 functions untested). These functions generate Squid policy configuration; gaps here can mask misconfiguration bugs that would only surface at runtime.
Generated by test-coverage-reporter workflow. Trigger: push · 2026-06-13