[Coverage Report] Test Coverage Report — 2026-06-27 #5612
Closed
Replies: 1 comment
-
|
This discussion was automatically closed because it expired on 2026-07-04T16:33:41.453Z.
|
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Overall Coverage (2026-06-27)
171 test files — latest commit:
50a0d584(refactor artifact cleanup, extract OIDC auth helpers)Security-Critical File Coverage
host-iptables.tshost-iptables-rules.tshost-iptables-shared.tshost-iptables-validation.tshost-iptables-chain.tssquid-config.tssquid/config-sections.tsdocker-manager.tsdomain-patterns.tsdomain-validation.tsdomain-matchers.tscli.tsTop Coverage Gaps (by uncovered branches)
config-writer.tssquid.conf+docker-compose.ymlworkdir-setup.tslogs/log-parser.tssquid/config-sections.tsssl-bump.tshost-env.tspid-tracker.tsdomain-patterns.tshost-iptables-chain.tscli.tsNotable Findings
host-iptables.ts,squid-config.ts,docker-manager.ts,domain-patterns.ts, anddomain-validation.ts— are at 100% statement and function coverage. No regressions detected in the firewall core.squid/config-sections.tshas 5 uncovered branches (82.75%). This file generates the domain ACL sections that drive Squid's allow/deny decisions. Untested branches here can silently mis-generate ACL rules, allowing or blocking traffic incorrectly.config-writer.tshas 8 uncovered branches (78.94%). This module writessquid.confanddocker-compose.ymlto disk. The uncovered branches likely include error-handling paths for permission failures and disk-full conditions — exactly the scenarios that matter in a sandboxed environment.cli.tshas 50% branch coverage — one of its two branches is untested. The file is small (7 statements), but the entry point is where--enable-api-proxyand similar security flags are toggled; missed branches here can mask misconfiguration.Recommendations
🔴 High Priority
Cover error paths in
config-writer.ts(78.94% branches, 8 gaps).Add tests that simulate
EACCES/ENOSPCerrors duringsquid.confanddocker-compose.ymlwrites. These are the last mile before containers start; silent failures here leave the agent unprotected.Close branch gaps in
squid/config-sections.ts(82.75%, 5 gaps).The missing branches are in the domain-ACL generation logic — the exact code path that translates
--allow-domainsinto Squidacl/http_accessdirectives. Add tests for edge cases: empty domain list, wildcard-only list, and domains with/without leading dot.🟡 Medium Priority
workdir-setup.tsbranch coverage (79.62%, 11 gaps).This file manages the lifecycle of
/tmp/awf-<ts>/work directories. Untested branches likely cover cleanup-on-failure and concurrent-run scenarios. Add tests for pre-existing workdir, cleanup after signal interruption, and DinD path-prefix translation.🟢 Low Priority
domain-patterns.ts(89.47%).Domain-pattern matching is security-critical, but statement and function coverage are already at 100%. Target the 2 uncovered branches (likely edge cases in subdomain vs. exact-match logic) to reach 100% branch coverage on this module.
All files with branch coverage < 95%
cli.tsconfig-writer.tsworkdir-setup.tshost-env.tspid-tracker.tssquid/config-sections.tsssl-bump.tscommands/logs-command-helpers.tscommands/preflight.tslogs/log-parser.tsservices/agent-volumes/workspace-mounts.tscommands/network-setup.tsdomain-patterns.tscommands/main-action.tshost-iptables-chain.tslogger.tscompose-generator.tsdns-resolver.tsapi-proxy-config-domains.tscli-options.tscompose-sanitizer.tshost-iptables-validation.tsBeta Was this translation helpful? Give feedback.
All reactions