[Coverage Report] Test Coverage Report — 2026-05-27

[github-actions[bot]]

Overall Coverage

Metric	Coverage
Statements	96.48%
Branches	90.70%
Functions	98.23%
Lines	96.62%

Overall coverage is strong across all metrics. No files fall below 50% statement coverage.

---

🔴 Critical Gaps (< 50% statement coverage)

None. All files exceed 50% statement coverage.

---

🟡 Low Coverage (50–79% statement coverage)

All files are above 80% — no files fall in this range.

---

🛡️ Security-Critical Path Status

File	Statements	Branches	Functions
src/host-iptables.ts	✅ 100%	✅ 100%	✅ 100%
src/squid-config.ts	✅ 100%	✅ 100%	✅ 100%
src/docker-manager.ts	✅ 100%	✅ 100%	✅ 100%
src/domain-patterns.ts	✅ 97.67%	✅ 95.38%	✅ 100%
src/cli.ts	🟡 85.71%	⚠️ 50%	✅ 100%

All core security enforcement modules (host-iptables, squid-config, docker-manager) are at 100% coverage. The only security-critical file with lower branch coverage is src/cli.ts at 50%.

---

📋 Files Needing Attention (80–90% range)

File	Stmts	Branches	Funcs
src/commands/validators/network-options.ts	81.25%	⚠️ 50%	100%
src/logs/audit-enricher.ts	83.60%	74.13%	100%
src/cli.ts	85.71%	⚠️ 50%	100%
src/logs/log-parser.ts	86.90%	67.14%	100%
src/squid/policy-manifest.ts	87.23%	88.23%	🟡 70%
src/services/agent-volumes/docker-host-staging.ts	87.75%	72.41%	100%
src/commands/logs-command-helpers.ts	88.52%	83.33%	100%
src/cli-workflow.ts	88.88%	85.71%	100%

---

🔍 Notable Findings

1. src/cli.ts — 50% branch coverage: As the main entry point and orchestration layer, uncovered branches likely include error-handling paths (e.g., --keep-containers edge cases, signal handling when containers fail to start). Given this file's role coordinating the entire AWF lifecycle, improving its branch coverage would increase confidence in failure scenarios.

2. src/commands/validators/network-options.ts — 50% branch coverage: Network validation is security-relevant — uncovered branches may include edge cases in --allow-domains parsing or DNS server validation. These could mask silent misconfigurations.

3. src/logs/log-parser.ts — 67% branch coverage: Squid log parsing has uncovered branches. If the parser silently skips malformed log entries, security audits could produce incomplete data. Tests for malformed or truncated log lines would be valuable.

4. src/squid/policy-manifest.ts — 70% function coverage: Three functions in this module have zero test coverage. Policy manifests drive domain whitelisting decisions, so uncovered functions here could represent blind spots in the ACL enforcement pipeline.

---

📈 Recommendations

1. High — src/cli.ts branch coverage (50%): Add tests for the error paths in the main orchestration flow: container startup failures, signal interrupts mid-run, and --keep-containers behavior. This is the most impactful gap given its role as the security perimeter entry point.

2. High — src/commands/validators/network-options.ts branch coverage (50%): Cover the uncovered validation branches with unit tests for invalid domain formats, empty allow-lists, and edge-case DNS server inputs.

3. Medium — src/squid/policy-manifest.ts function coverage (70%): Identify and test the three uncovered functions; since policy manifests feed the domain ACL, any uncovered logic here is a potential gap in firewall rule validation.

4. Low — src/logs/log-parser.ts / src/logs/audit-enricher.ts: Add tests for malformed Squid log entries, truncated lines, and unusual timestamp formats to harden the audit trail pipeline.

---

Generated by test-coverage-reporter workflow. Trigger: push · Run: 26483218375

Generated by Test Coverage Reporter · sonnet46 631K · ◷

• expires on Jun 3, 2026, 12:36 AM UTC

[github-actions[bot]]

🔮 The ancient spirits stir and mark this smoke test as witnessed.
The oracle speaks: the validation path held, and the run completed cleanly.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex