[Coverage Report] Test Coverage Report — 2026-06-20

[github-actions[bot]]

📊 Overall Coverage — 2026-06-20

Metric	Coverage	Threshold	Status
Lines	97.89% (4,872 / 4,977)	38%	✅
Statements	97.82% (5,041 / 5,153)	38%	✅
Functions	99.50% (609 / 612)	35%	✅
Branches	93.58% (2,831 / 3,025)	30%	✅

---

🔐 Security-Critical File Coverage

File	Lines	Statements	Functions	Branches	Status
host-iptables-rules.ts	98.66% (148/150)	98.68%	100%	96.05%	✅
host-iptables-shared.ts	100%	100%	100%	100%	✅
host-iptables-cleanup.ts	100%	100%	100%	100%	✅
squid/acl-generator.ts	100%	100%	100%	100%	✅
squid/access-rules.ts	100%	100%	100%	100%	✅
squid/config-sections.ts	100%	100%	100%	82.75%	⚠️
domain-patterns.ts	100%	100%	100%	89.47%	⚠️
cli.ts	85.71% (6/7)	85.71%	100%	50.00%	⚠️

---

📂 All Files with Coverage Below 90%

File	Lines	Branches	Notes
services/agent-volumes/etc-mounts.ts	82.45% (47/57)	67.85% (19/28)	Controls /etc bind-mount selection — security-relevant
squid-log-reader.ts	82.22% (37/45)	80.00% (20/25)	Log parsing; affects audit reliability
config-writer.ts	85.71% (66/77)	80.55% (29/36)	Writes runtime config files
cli.ts	85.71% (6/7)	50.00% (1/2)	Entry-point bootstrap (7 lines)
services/agent-volumes/system-mounts.ts	92.30% (12/13)	75.00% (9/12)	System path mount logic
workdir-setup.ts	94.54% (104/110)	79.62% (43/54)	Workspace setup/cleanup
ssl-bump.ts	94.05% (95/101)	83.33% (20/24)	TLS interception config

---

💡 Notable Findings

• Outstanding overall coverage — 97.89% line coverage and 99.5% function coverage across 148 source files, far exceeding the configured thresholds (38% lines / 30% branches). The major security modules are well-tested.
• etc-mounts.ts is the sharpest coverage gap — at 67.85% branch coverage, this file controls which /etc files are bind-mounted into the agent container (including the logic that excludes /etc/shadow). Any uncovered branch here is a potential path where sensitive host files could be inadvertently exposed.
• domain-patterns.ts and squid/config-sections.ts have minor branch gaps — both have 100% line coverage but unconditional execution paths aren't fully exercised. For domain-patterns.ts this likely involves edge-case wildcard patterns; for config-sections.ts it likely involves SSL-bump/upstream-proxy option combinations.
• Configured thresholds are outdated — jest.config.js still enforces 30%/38% thresholds, which are ~55–60 percentage points below actual coverage. This means a severe regression would not be caught by CI until coverage dropped catastrophically.

---

✅ Recommendations

🔴 High — Add coverage for etc-mounts.ts branch paths

File: src/services/agent-volumes/etc-mounts.ts

Branch coverage is 67.85% (9 of 28 branches uncovered). This module decides which /etc files are selectively mounted — the logic that excludes /etc/shadow and other sensitive files. Each uncovered branch represents a conditional decision that hasn't been exercised in tests.

Action: Add test cases in etc-mounts.test.ts that cover the edge cases: what happens when an expected source path doesn't exist, when the DinD path prefix is set, and when the /etc/ld.so.cache or /etc/alternatives paths are absent.

---

🟡 Medium — Raise coverage thresholds to reflect actual state

File: jest.config.js

Current thresholds (branches: 30, functions: 35, lines: 38, statements: 38) are vestigial from the project's early state. Actual coverage is 93.58% branches and 97.89% lines. A future refactor that accidentally drops coverage to 85% would still pass CI silently.

Action: Update thresholds to branches: 90, functions: 98, lines: 95, statements: 95 to prevent regressions without blocking normal development.

---

🟢 Low — Cover remaining branch gaps in squid-log-reader.ts and workdir-setup.ts

Files: src/squid-log-reader.ts (80% branches), src/workdir-setup.ts (79.62% branches)

Both files have high line coverage but uncovered conditional paths. For squid-log-reader.ts, this likely involves malformed log lines and edge-case timestamps. For workdir-setup.ts, it likely involves cleanup error handling and directory-creation race conditions.

Action: Add negative-path unit tests (e.g., malformed input, filesystem errors) to bring both files above 90% branch coverage.

Generated by Test Coverage Reporter · 86.3 AIC · ⊞ 4.6K · ◷

• expires on Jun 27, 2026, 10:37 PM UTC

[github-actions[bot]]

🔮 The ancient spirits stir: the smoke test agent was here, and the run holds steady in the lantern light.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-06-27T22:37:23.822Z.

Closed by Workflow