[Coverage Report] Test Coverage Report — 2026-06-14 #4921
Closed
Replies: 1 comment
-
|
This discussion was automatically closed because it expired on 2026-06-21T06:11:49.114Z.
|
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
📊 Test Coverage Report — 2026-06-14
Overall Coverage
Overall health is excellent — all four metrics are above the 80% threshold. No files fall below 50% statement coverage.
🔴 Critical Gaps (< 50% statement coverage)
None. All source files are above 50% statement coverage.
🟡 Low Coverage (50–79% statement coverage)
src/commands/validators/network-options.tsOnly one file falls in this range. Notably its branch coverage (50%) is the lowest in the entire codebase — relevant because this module validates Docker host configuration and network options before firewall rules are applied.
🛡️ Security-Critical Path Status
📋 Full Coverage Table (files with ≥ 10 statements, sorted by branch coverage asc)
commands/validators/network-options.tsservices/agent-volumes/etc-mounts.tsservices/agent-environment/environment-builder.tslogs/log-parser.tsservices/agent-volumes/docker-host-staging.tsservices/agent-volumes/workspace-mounts.tsservices/agent-volumes/system-mounts.tsservices/doh-proxy-service.tsworkdir-setup.tslogs/log-streamer.tscommands/validators/log-and-limits.tssquid/config-sections.tspid-tracker.tscommands/preflight.tslogs/audit-enricher.tssquid-log-reader.tsconfig-writer.tscli.tssquid/policy-manifest.tsartifact-preservation.tsssl-bump.tshost-env.ts🔍 Notable Findings
1.
src/commands/validators/network-options.ts— 50% branch coverageOnly 5 of 10 branches are exercised. The uncovered branches include the warning paths for
!dockerHostCheck.valid && !dockerHostPathPrefixResolution.dockerHostPathPrefixand thedindHintwarning path. These are executed when AWF detects a non-standard Docker host — an important code path for DinD/ARC runners. Tests should cover: (a) valid docker host, (b) invalid docker host with path prefix, (c) invalid docker host without path prefix, (d) dindHint with and without prefix.2.
src/services/agent-volumes/etc-mounts.ts— 67.9% branch coverageThis module controls which
/etcidentity files (passwd,group) are mounted into the agent container. Uncovered branches include: theresolveUniqueNamecounter loop (when both the base name and${name}-${id}are taken), and the fallback|| passwdPath/|| groupPathbranches whensynthesizeIdentityFilereturnsundefined. These are error-recovery paths for minimal ARC containers.3.
src/logs/log-parser.ts— 68.6% branch coverageThe log parser has 22 uncovered branches out of 70. The coverage gap is in the field-extraction and protocol-parsing logic — specifically the handling of malformed log lines where individual fields are
"-"or absent. Incomplete parsing coverage means that unusual Squid log entries (e.g., from blocked UDP or ICP traffic) may silently returnnullwithout being auditable.4.
src/squid/policy-manifest.ts— 70% function coverage3 of 10 functions are not covered by tests.
policy-manifest.tsgenerates the structured policy document that the audit enricher uses to attribute blocked connections to specific rules. Uncovered functions likely include edge cases forblockedDomainswith regex patterns andallowHostPorts. Since the enricher depends on this manifest for correct attribution, gaps here reduce the accuracy of the audit log.📈 Recommendations
High —
network-options.tsbranch coverage: Add tests for the four Docker-host warning scenarios. The 50% branch coverage on a security-gating validator is the highest-priority gap. Target: ≥ 90% branches. Relevant test file:src/commands/validators/config-assembly.test.tsor a newnetwork-options.test.ts.High —
etc-mounts.tsDinD error paths: Add tests simulating: (a)synthesizeIdentityFilereturningundefined(disk full / permission denied in staging), (b) duplicate username collision triggering thecounterloop inresolveUniqueName. These are silent fallback paths that determine what identity files land in the container.Medium —
log-parser.tsmalformed-line branches: Add test cases for partially-formed Squid log lines: timestamp only, missing user-agent field,"-"dest IP/port, and protocol version variants. Target: ≥ 80% branches.Low —
squid/policy-manifest.tsfunction gaps: EnsuregeneratePolicyManifestis called with:blockedDomainscontaining regex patterns,allowHostPortsset, andenableDlp: true. This would cover the 3 missing functions and improve audit attribution reliability.Test file count: ~120 test files across
src/andtests/integration/. Source files covered: ~100 TypeScript modules.Generated by test-coverage-reporter workflow. Trigger:
scheduleBeta Was this translation helpful? Give feedback.
All reactions