You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Thresholds are passing, but coverage is low overall — especially for security-critical orchestration code.
🔴 Critical Gaps (< 50% statement coverage)
File
Statements
Branches
Functions
Lines
src/cli.ts
0% (0/69)
0% (0/17)
0% (0/10)
0% (0/69)
src/docker-manager.ts
18% (45/250)
22% (18/81)
4% (1/25)
17% (41/239)
These two files represent the core orchestration pipeline — CLI argument handling and container lifecycle — and are almost entirely untested.
🟡 Low Coverage (50–79%)
File
Statements
Branches
Notes
src/host-iptables.ts
83.63%
55.55%
Branch coverage is the gap
🛡️ Security-Critical Path Status
File
Statements
Branches
Functions
Assessment
src/squid-config.ts
✅ 100%
✅ 100%
✅ 100%
Fully covered
src/host-iptables.ts
✅ 83.6%
⚠️ 55.6%
✅ 100%
Branch gaps remain
src/docker-manager.ts
🔴 18%
🔴 22%
🔴 4%
Critical — barely tested
src/cli.ts
🔴 0%
🔴 0%
🔴 0%
Zero coverage
📋 Full Coverage Table
File
Statements
Branches
Functions
Lines
Tests
logger.ts
100% (16/16)
100% (6/6)
100% (8/8)
100%
33
squid-config.ts
100% (13/13)
100% (5/5)
100% (5/5)
100%
41
cli-workflow.ts
100% (16/16)
100% (2/2)
100% (1/1)
100%
2
host-iptables.ts
83.6% (92/110)
55.6% (10/18)
100% (5/5)
83.6%
12
docker-manager.ts
18% (45/250)
22% (18/81)
4% (1/25)
17%
23
cli.ts
0% (0/69)
0% (0/17)
0% (0/10)
0%
24
Test suite: 6 suites · 135 tests · ~4.4s
Files with no test file at all:src/commands/logs-command-helpers.ts, src/logs/index.ts, src/redact-secrets.ts, src/types.ts
🔍 Notable Findings
1. src/cli.ts — 0% coverage despite 24 test cases
cli.test.ts exists with 24 tests, but records 0% coverage. This suggests tests may be mocking the entry point entirely rather than exercising the actual code paths. The 10 exported functions (including runMainWorkflow, argument validators, domain parsers) are untested at the statement level.
2. src/docker-manager.ts — 4% function coverage (1/25)
Only 1 of 25 exported functions is covered. The file contains generateDockerCompose, writeConfigs, and all container lifecycle management — these are the paths that enforce network isolation. 24 uncovered functions in a 250-statement file is a significant gap.
3. src/host-iptables.ts — branch coverage at 55.5%
All 5 functions are called by tests, but 8 of 18 branches are untested. The likely gaps are error-handling paths inside setupHostIptables (IPv6 fallback, firewall network overlap detection) and cleanup edge cases in cleanupHostIptables/cleanupFirewallNetwork.
4. New functions added in the last 7 days with 0% coverage
PR #2435 added ~20 new exported functions to src/cli.ts/src/docker-manager.ts — including parseDomains, validateApiProxyConfig, validateRateLimitFlags, validateEnableOpenCodeFlag, and resolveApiTargetsToAllowedDomains. None are covered at the statement level.
📈 Recommendations
High — Cover cli.ts validation functions (validateApiProxyConfig, validateRateLimitFlags, validateEnableOpenCodeFlag, resolveApiTargetsToAllowedDomains). These were added in the last 7 days and contain security-relevant validation logic. Unit tests are straightforward since they are pure functions.
High — Add docker-manager.ts function coverage for generateDockerCompose and writeConfigs. These produce the Docker Compose config that controls network isolation. Even snapshot tests would dramatically improve the 4% function coverage.
Medium — Cover host-iptables.ts error branches — specifically the IPv6 detection fallback in getDockerBridgeGateway and cleanup failure paths in cleanupFirewallNetwork. These branches are reachable with mocked execa rejection.
Low — Add tests for src/redact-secrets.ts and src/commands/logs-command-helpers.ts, which have no test files at all. The redaction module is security-adjacent and should have explicit coverage.
Generated by test-coverage-reporter workflow · Trigger: push · Run: 25294189084
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
-
📊 Overall Coverage
Thresholds are passing, but coverage is low overall — especially for security-critical orchestration code.
🔴 Critical Gaps (< 50% statement coverage)
src/cli.tssrc/docker-manager.tsThese two files represent the core orchestration pipeline — CLI argument handling and container lifecycle — and are almost entirely untested.
🟡 Low Coverage (50–79%)
src/host-iptables.ts🛡️ Security-Critical Path Status
src/squid-config.tssrc/host-iptables.tssrc/docker-manager.tssrc/cli.ts📋 Full Coverage Table
logger.tssquid-config.tscli-workflow.tshost-iptables.tsdocker-manager.tscli.tsTest suite: 6 suites · 135 tests · ~4.4s
Files with no test file at all:
src/commands/logs-command-helpers.ts,src/logs/index.ts,src/redact-secrets.ts,src/types.ts🔍 Notable Findings
1.
src/cli.ts— 0% coverage despite 24 test casescli.test.tsexists with 24 tests, but records 0% coverage. This suggests tests may be mocking the entry point entirely rather than exercising the actual code paths. The 10 exported functions (includingrunMainWorkflow, argument validators, domain parsers) are untested at the statement level.2.
src/docker-manager.ts— 4% function coverage (1/25)Only 1 of 25 exported functions is covered. The file contains
generateDockerCompose,writeConfigs, and all container lifecycle management — these are the paths that enforce network isolation. 24 uncovered functions in a 250-statement file is a significant gap.3.
src/host-iptables.ts— branch coverage at 55.5%All 5 functions are called by tests, but 8 of 18 branches are untested. The likely gaps are error-handling paths inside
setupHostIptables(IPv6 fallback, firewall network overlap detection) and cleanup edge cases incleanupHostIptables/cleanupFirewallNetwork.4. New functions added in the last 7 days with 0% coverage
PR #2435 added ~20 new exported functions to
src/cli.ts/src/docker-manager.ts— includingparseDomains,validateApiProxyConfig,validateRateLimitFlags,validateEnableOpenCodeFlag, andresolveApiTargetsToAllowedDomains. None are covered at the statement level.📈 Recommendations
High — Cover
cli.tsvalidation functions (validateApiProxyConfig,validateRateLimitFlags,validateEnableOpenCodeFlag,resolveApiTargetsToAllowedDomains). These were added in the last 7 days and contain security-relevant validation logic. Unit tests are straightforward since they are pure functions.High — Add
docker-manager.tsfunction coverage forgenerateDockerComposeandwriteConfigs. These produce the Docker Compose config that controls network isolation. Even snapshot tests would dramatically improve the 4% function coverage.Medium — Cover
host-iptables.tserror branches — specifically the IPv6 detection fallback ingetDockerBridgeGatewayand cleanup failure paths incleanupFirewallNetwork. These branches are reachable with mockedexecarejection.Low — Add tests for
src/redact-secrets.tsandsrc/commands/logs-command-helpers.ts, which have no test files at all. The redaction module is security-adjacent and should have explicit coverage.Generated by test-coverage-reporter workflow · Trigger:
push· Run: 25294189084Beta Was this translation helpful? Give feedback.
All reactions