[Coverage Report] Test Coverage Report — 2026-06-20

[github-actions[bot]]

Overall Coverage Summary

Metric	Coverage	Covered / Total
Statements	97.60% ✅	5,017 / 5,140
Branches	93.27% ✅	2,816 / 3,019
Functions	98.85% ✅	602 / 609
Lines	97.66% ✅	4,848 / 4,964

Test suite: 116 test files (67 in src/, 5 in src/squid/, 9 in src/logs/, 35 in tests/)

---

Security-Critical File Coverage

File	Statements	Branches	Functions	Lines	Status
squid-config.ts	100%	100%	100%	100%	✅
host-iptables.ts	100%	100%	100%	100%	✅
host-iptables-rules.ts	98.68% (150/152)	96.05% (73/76)	100%	98.66%	✅
host-iptables-shared.ts	100%	100%	100%	100%	✅
host-iptables-cleanup.ts	100%	100%	100%	100%	✅
host-iptables-network.ts	100%	100%	100%	100%	✅
docker-manager.ts	100%	100%	100%	100%	✅
domain-patterns.ts	100%	89.47% (17/19)	100%	100%	✅
squid/policy-manifest.ts	87.5% (42/48)	88.23% (30/34)	70% (7/10)	87.23%	⚠️
cli.ts	85.71% (6/7)	50% (1/2)	100%	85.71%	⚠️
logs/log-streamer.ts	92.18% (59/64)	77.77% (28/36)	88.88% (8/9)	92.06%	⚠️

---

Notable Findings

• Excellent security-core coverage: All primary enforcement paths — squid-config.ts, host-iptables-rules.ts, host-iptables-shared.ts, host-iptables-cleanup.ts, docker-manager.ts — are at 96–100% across all metrics. Domain ACL filtering, iptables rule generation, and container lifecycle are robustly tested.

• squid/policy-manifest.ts has 3 untested functions (70% function coverage): This module validates policy rules and dangerous-port configurations passed to Squid. Missing coverage for 3 of 10 functions leaves validation edge-cases untested in a security-gating component.

• logs/log-streamer.ts branch coverage is 77.77% (8/36 uncovered branches): Error-handling and fallback paths in log streaming are under-tested. While not on the firewall enforcement path, log omissions can hide security-relevant traffic in post-incident analysis.

• cli.ts entry-point has 50% branch coverage (1/2 branches): The top-level entrypoint is a 7-statement file — one conditional branch (likely a process-env guard or error path) is never exercised by the test suite.

---

Recommendations

🔴 High — Add tests for uncovered functions in squid/policy-manifest.ts

Three functions in policy-manifest.ts have no test coverage. Because this module controls which domains and ports Squid is allowed to forward, gaps here are security-relevant. Action: Identify the 3 uncovered functions (e.g., via coverage/src/squid/policy-manifest.ts.html) and add unit tests for port-blocking validation and edge-case domain rules.

🟡 Medium — Improve logs/log-streamer.ts branch coverage from 77.77% → 90%+

Eight uncovered branches in log-streamer.ts are likely in error-handling paths (file-not-found, parse failures, empty log files). Gaps here mean post-incident forensics could silently fail. Action: Add tests that simulate missing log files, malformed Squid access-log lines, and log-stream EOF conditions.

🟢 Low — Close the single open branch in cli.ts

The entrypoint has one untested branch (1/2 branches, 85.71% statement coverage). This is a cosmetic gap in a tiny file, but 100% entry-point coverage is a low-effort baseline. Action: Inspect coverage/src/cli.ts.html, identify the uncovered branch (likely an if (require.main === module) or error guard), and add a targeted test or mock.

Generated by Test Coverage Reporter · 76.5 AIC · ⊞ 4.6K · ◷

• expires on Jun 27, 2026, 3:43 PM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-06-27T15:43:50.720Z.

Closed by Workflow

[github-actions[bot]]

🔮 The ancient spirits stir, and the smoke test agent has passed through this discussion. The omens are recorded, and the firewall remains watched.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex