[Coverage Report] Test Coverage Report — 2026-06-21

[github-actions[bot]]

Summary

Metric	Coverage	Covered / Total
Statements	97.82%	5,041 / 5,153
Branches	93.58%	2,831 / 3,025
Functions	99.50%	609 / 612
Lines	97.89%	4,872 / 4,977

Overall health is strong. Branch coverage (93.58%) is the main gap area to watch.

---

Security-Critical File Coverage

File	Statements	Branches	Functions	Status
host-iptables-rules.ts	98.68%	96.05%	100%	✅
host-iptables-shared.ts	100%	100%	100%	✅
host-iptables-cleanup.ts	100%	100%	100%	✅
host-iptables-network.ts	100%	100%	100%	✅
squid-config.ts	100%	100%	100%	✅
domain-patterns.ts	100%	89.47%	100%	✅
domain-matchers.ts	98.14%	95%	100%	✅
domain-validation.ts	100%	100%	100%	✅
cli.ts	85.71%	50%	100%	⚠️

---

Coverage Gaps (Branch Coverage < 80%)

File	Statements	Branches	Security Relevance
services/agent-volumes/etc-mounts.ts	82.45%	67.85%	🔴 High — controls which /etc files bind-mount into agent
services/api-proxy-service.ts	91.66%	50%	🔴 High — credential injection into agent container
cli.ts	85.71%	50%	🟡 Medium — main entry point, signal handling
services/agent-volumes/system-mounts.ts	92.30%	75%	🟡 Medium — controls which system paths mount read-only
services/doh-proxy-service.ts	90%	75%	🟡 Medium — DNS-over-HTTPS proxy setup

Also notable: squid-log-reader.ts at 82.22% statement coverage — the only file with statements below 85%.

---

Notable Findings

• Security-critical enforcement paths are well-tested. The host iptables rules (host-iptables-rules.ts, 96% branch), Squid config generation, and all domain validation/matching modules are at or above 95% across all metrics — the network isolation and ACL filtering logic is thoroughly exercised by the test suite.

• etc-mounts.ts branch gap is the highest-risk gap. At 67.85% branch coverage, this file controls which /etc files are bind-mounted into the agent container (including SSL certs, passwd, group, and nsswitch.conf). Untested branches here could allow unintended file exposure or miss failure-mode handling that prevents sandbox escapes.

• API proxy credential injection has untested branches. api-proxy-service.ts sits at 50% branch coverage — only 1 of 2 branches is covered. The API proxy is the path through which real API keys are injected; any missed error or fallback branch here could leak credentials or silently fail credential substitution.

• cli.ts entry-point branches are largely untested (50%). While the file is small (7 statements), the uncovered branch likely covers error paths or environment guards. As the top-level orchestrator, any uncaught failure at this layer silently bypasses all downstream security controls.

---

Recommendations

🔴 High — etc-mounts.ts: Cover missing /etc mount branches

File: src/services/agent-volumes/etc-mounts.ts (67.85% branch coverage)

Add unit tests for the mount-selection logic covering edge cases: missing source files, DinD path-prefix translation on /etc entries, and the readOnly flag enforcement for each explicitly whitelisted /etc file. These branches directly determine what host filesystem state the agent can read — missed branches represent untested access-control decisions.

🔴 High — api-proxy-service.ts: Cover credential-injection failure path

File: src/services/api-proxy-service.ts (50% branch coverage)

The uncovered branch is likely the case where api-proxy is disabled or the sidecar health check fails. Add a test for the disabled/skipped path and any error handling in credential injection to ensure credentials cannot leak silently. This is a high-value target: credential-handling code with untested branches is a common source of security regressions.

🟡 Medium — cli.ts + squid-log-reader.ts: Entry-point and log-reader resilience

Files: src/cli.ts (50% branches), src/squid-log-reader.ts (82.22% statements / 80% branches)

For cli.ts, add a test that simulates the uncovered branch (likely require.main !== module guard or an unhandled rejection path). For squid-log-reader.ts, focus on malformed log line inputs and truncated reads — these paths are exercised in production when Squid restarts mid-run and could silently drop audit data if not handled correctly.

🟢 Low — Sustain 99.5% function coverage

The suite covers 609 of 612 functions. Identify the 3 uncovered functions (likely in config-file.ts, container-cleanup.ts, or edge utilities) and add minimal smoke tests to push function coverage to 100%. This prevents future silent dead-code accumulation.

Generated by Test Coverage Reporter · 46.5 AIC · ⊞ 4.6K · ◷

• expires on Jun 28, 2026, 6:01 PM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-06-28T18:01:54.781Z.

Closed by Workflow