Test suite: ~150 unit test files + 35 integration test files
Security-Critical File Coverage
| File | Lines | Branches | Functions | Notes |
| --- | --- | --- | --- | --- |
| host-iptables.ts (barrel) | 100% | 100% | 100% | ✅ |
| host-iptables-rules.ts | 100% | 100% | 100% | ✅ |
| host-iptables-shared.ts | 100% | 100% | 100% | ✅ |
| host-iptables-chain.ts | 97.61% | 90% (9/10) | 100% | ✅ 1 branch gap |
| host-iptables-validation.ts | 100% | 96.87% (31/32) | 100% | ✅ |
| host-iptables-cleanup.ts | 100% | 100% | 100% | ✅ |
| squid-config.ts (barrel) | 100% | 100% | 100% | ✅ |
| domain-patterns.ts | 100% | 89.47% (17/19) | 100% | ⚠️ 2 branch gaps |
| docker-manager.ts | 100% | 100% | 100% | ✅ |
Files With Branch Coverage Below 90%
| File | Lines | Branches | Uncovered Branches |
| --- | --- | --- | --- |
| config-writer.ts | 82.79% | 78.94% | 8 / 38 |
| workdir-setup.ts | 94.54% | 79.62% | 11 / 54 |
| pid-tracker.ts | 98.70% | 80.76% | 5 / 26 |
| host-env.ts | 95.91% | 80.00% | 4 / 20 |
| ssl-bump.ts | 94.05% | 83.33% | 4 / 24 |
| logs/log-parser.ts | 100% | 84.28% | 11 / 70 |
| commands/preflight.ts | 100% | 83.78% | 6 / 37 |
| commands/network-setup.ts | 100% | 86.95% | 3 / 23 |
| domain-patterns.ts | 100% | 89.47% | 2 / 19 |
Notable Findings
Excellent overall health: Line and function coverage are both above 98%, with 99.53% function coverage — nearly every callable path is exercised by the test suite.
Security-critical paths are well-protected: All host-iptables-* modules and docker-manager.ts have 97–100% coverage on both lines and branches, giving strong confidence in network isolation logic.
Branch coverage is the primary gap: The global branch coverage of 94.29% is solid, but config-writer.ts (78.94%) and workdir-setup.ts (79.62%) both fall below the 80% threshold — these are the only files that do.
domain-patterns.ts has 2 uncovered branches: This security-critical file handles domain ACL pattern matching; the two missing branches (89.47%) represent edge cases in pattern validation that should be covered given the security implications.
Recommendations
🔴 High — Cover missing branches in config-writer.ts (78.94% branch)
config-writer.ts is the only non-trivial file below the 80% branch threshold. Add tests targeting the 8 uncovered branches: focus on error paths during config file generation, filesystem write failures, and edge-case option combinations. Bringing this to ≥90% will close the last significant line-coverage gap (82.79%) as well.
🟡 Medium — Harden workdir-setup.ts branch coverage (79.62%)
workdir-setup.ts orchestrates workspace preparation before containers start. Its 11 uncovered branches (out of 54) likely involve error/cleanup scenarios and optional-flag paths. Adding tests for failed directory creation, missing workspace paths, and cleanup-on-error flows would push branch coverage above 90% and improve resilience guarantees.
🟢 Low — Close the 2 uncovered branches in domain-patterns.ts (89.47%)
domain-patterns.ts is security-critical — it governs domain ACL pattern matching and validation. The 2 uncovered branches represent edge cases (e.g., malformed domain inputs or boundary wildcard conditions). Given the security implications, adding targeted tests for these two cases is low-effort but high-value.