[Coverage Report] Test Coverage Report — 2026-06-26

[github-actions[bot]]

Summary

Overall test coverage is strong — 98%+ across statements, lines, and functions. Branch coverage at 94.29% is the primary area for improvement, with 177 uncovered branch points across 3,101 total.

Overall Coverage

Metric	Coverage	Covered / Total
Statements	98.21%	5,277 / 5,373
Branches	94.29%	2,924 / 3,101
Functions	99.53%	643 / 646
Lines	98.28%	5,107 / 5,196

---

Security-Critical Paths

File	Lines	Branches	Functions	Notes
host-iptables-rules.ts	✅ 100%	✅ 100% (34 pts)	✅ 100%	iptables rule generation
host-iptables-shared.ts	✅ 100%	✅ 100% (20 pts)	✅ 100%	iptables shared utilities
host-iptables-validation.ts	✅ 100%	✅ 96.87% (31/32)	✅ 100%	validation logic
host-iptables-chain.ts	✅ 97.61%	⚠️ 90% (9/10)	✅ 100%	chain setup
squid/acl-generator.ts	✅ 100%	✅ 100% (20 pts)	✅ 100%	domain ACL generation
squid/access-rules.ts	✅ 100%	✅ 100% (42 pts)	✅ 100%	access rule logic
squid/config-generator.ts	✅ 100%	✅ 100% (10 pts)	✅ 100%	config assembly
squid/config-sections.ts	✅ 100%	⚠️ 82.75% (24/29)	✅ 100%	SSL/cache config sections
squid/validation.ts	✅ 100%	✅ 100% (34 pts)	✅ 100%	config validation
squid/domain-acl.ts	✅ 100%	✅ 100% (12 pts)	✅ 100%	per-domain ACL entries
domain-patterns.ts	✅ 100%	⚠️ 89.47% (17/19)	✅ 100%	domain pattern matching
cli.ts	⚠️ 85.71%	⚠️ 50% (1/2)	✅ 100%	process entrypoint

---

Coverage Gaps (Branch Coverage < 85%)

File	Branch Coverage	Uncovered	Category
cli.ts	50% (1/2)	require.main === module guard	Entrypoint
config-writer.ts	78.94% (30/38)	Error paths in config writing	Infrastructure
workdir-setup.ts	79.62% (43/54)	Workspace teardown edge cases	Infrastructure
host-env.ts	80% (16/20)	Host environment edge cases	Infrastructure
pid-tracker.ts	80.76% (21/26)	PID lifecycle edge cases	Infrastructure
squid/config-sections.ts	82.75% (24/29)	SSL config conditional paths	Security-adjacent
ssl-bump.ts	83.33% (20/24)	SSL bump edge cases	Security-adjacent
commands/preflight.ts	83.78% (31/37)	Preflight check conditions	Infrastructure
logs/log-parser.ts	84.28% (59/70)	Log format edge cases	Observability

---

Notable Findings

• 🟢 Core security paths are at 100% coverage — host-iptables-rules.ts, squid/acl-generator.ts, squid/access-rules.ts, squid/domain-acl.ts, and squid/validation.ts are fully covered, including all branch points. The highest-risk attack surface has comprehensive test coverage.
• 🟡 squid/config-sections.ts has the only security-adjacent branch gap — at 82.75% branch coverage (5 uncovered of 29), the missing branches likely cover SSL certificate error handling and optional cache configuration sections that are only activated by specific CLI flags.
• 🟡 domain-patterns.ts has 2 uncovered branch points — at 89.47% branch coverage, the gaps are in domain matching edge cases (e.g., empty input or unusual TLD formats). These patterns govern the domain allowlist, making any gaps worth addressing.
• 🔵 cli.ts 50% branch coverage is a measurement artifact — the file is 7 lines and the single uncovered branch is the require.main === module guard, which cannot be exercised within the Jest test runner by design.

---

Recommendations

🔴 High — Add tests for squid/config-sections.ts branch gaps
The 5 uncovered branches in squid/config-sections.ts control conditional SSL certificate configuration and proxy connection settings. A test that exercises SSL-bump mode with and without upstream proxy configuration would cover these paths. This is the only security-adjacent file below 85% branch coverage.

🟡 Medium — Cover the 2 missing domain-patterns.ts branches
The domain allowlist is a primary security control. Adding test cases for edge-case inputs (empty string, numeric-only labels, very long domains) to domain-patterns.test.ts would bring this file to 100% and harden the allowlist against unexpected inputs.

🟢 Low — Address branch gaps in infrastructure helpers (config-writer.ts, workdir-setup.ts)
At 78–80% branch coverage, these files have error-path branches (file write failures, temp directory cleanup failures) that are untested. While not directly security-critical, covering them would prevent silent failures during container setup. Use Jest's fs mocks to simulate write errors and verify the error is propagated correctly.

Generated by Test Coverage Reporter · 79.1 AIC · ⊞ 4.7K · ◷

• expires on Jul 3, 2026, 3:47 PM UTC

[github-actions[bot]]

🔮 The ancient spirits stir; the smoke test agent has passed through the archive.
A valid discussion number was found and blessed with this omen.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex