[Coverage Report] Test Coverage Report — 2026-06-26 #5583
Closed
Replies: 2 comments
-
|
🔮 The ancient spirits stir, and the smoke test agent was here. The run’s omens were read, the build held, and the path remained clear. Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
0 replies
-
|
This discussion was automatically closed because it expired on 2026-07-03T19:10:59.284Z.
|
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Overall Coverage
158 source files instrumented across 184+ test files. Thresholds (stmts 38%, branches 30%, funcs 35%, lines 38%) — all passing with wide margin.
Security-Critical File Coverage
host-iptables-rules.tshost-iptables-shared.tshost-iptables-cleanup.tshost-iptables-network.tshost-iptables-validation.tshost-iptables-chain.tssquid-config.tsdomain-patterns.tsdocker-manager.tscli-workflow.tscli.tsTop Coverage Gaps
config-writer.tsworkdir-setup.tshost-env.tscli.tshost-iptables-chain.tsdomain-patterns.tsNotable Findings
host-iptables-rules.ts,host-iptables-shared.ts,host-iptables-cleanup.ts, andsquid-config.tsare all at 100% — the firewall's core enforcement logic is thoroughly tested.config-writer.tsis the largest absolute gap with 16 uncovered statements and 8 uncovered branches (78.94%). This module writes generated configs (Squid, Docker Compose) to disk; untested error-handling paths (permission errors, disk full) could cause the firewall to start silently misconfigured.domain-patterns.tshas 2 uncovered branches (89.47%) in the domain ACL matching logic. While statements are at 100%, incomplete branch coverage in the allowlist engine is a security-relevant gap — a missed edge case could permit unintended traffic.Recommendations
🔴 High —
config-writer.tserror paths (16 stmts, 8 branches uncovered)Add unit tests for
config-writer.tscovering:squid.conf/docker-compose.ymlWhy: Silent config-write failures would cause the firewall to start with a stale or default Squid config, allowing unauthorized traffic. This is the lowest-coverage non-trivial file at 78.94% branches.
🟡 Medium —
workdir-setup.tsandhost-env.tsbranch coverage (79–80%)Add tests for edge cases in temp-directory lifecycle:
workdir-setup.ts: concurrent creation races, cleanup-on-error paths (11 uncovered branches)host-env.ts: credential-path resolution fallbacks, missing$HOMEsub-directory scenarios (4 uncovered branches)Why: Temp-directory leaks or incorrect home-directory resolution could persist sensitive files beyond the firewall's lifecycle or expose unexpected paths inside the agent container.
🟢 Low — Close single-branch gaps in
cli.ts,domain-patterns.ts,host-iptables-chain.tscli.ts: Cover the uncoveredrequire.mainbranch (1 branch — startup guard)domain-patterns.ts: Add tests for the 2 uncovered edge-case branches in ACL pattern normalization (e.g., bare IP or wildcard inputs)host-iptables-chain.ts: Cover the 1 remaining iptables chain-creation branch (likely a "chain already exists" guard)Why: These are small gaps but in security-sensitive modules. 100% branch coverage in domain matching and iptables chain management eliminates the risk of subtle rule-bypasses from untested input shapes.
Report generated: 2026-06-26 · Commit:
b1bd32e8· Source:coverage/coverage-summary.jsonBeta Was this translation helpful? Give feedback.
All reactions