src/cli.ts entry-point has only 50% branch coverage: the require.main === module guard that invokes program.parse() is never exercised by the test suite, meaning the real CLI bootstrap path is completely untested.
Branches are the weakest metric overall (94% vs. 99.53% functions / 98.28% lines): the largest gaps are in src/config-writer.ts (branches 78.94%), src/workdir-setup.ts (79.62%), src/ssl-bump.ts (83.33%), and src/commands/logs-command-helpers.ts (83.33%) — all covering error and defensive-guard paths.
Security-critical host-iptables-chain.ts has one uncovered error branch (90%): the isMissingIptablesError throw path is never tested, leaving the "fail-closed vs. fail-open" behavior of the firewall unverified in the error case.
domain-patterns.ts has 2 uncovered branches (89.47%): these lie in the domain validation/matching logic that drives Squid ACL decisions; any regression here could silently allow unintended egress.
📌 Recommendations
[High] Cover the CLI bootstrap path in src/cli.ts
The require.main === module guard and the program.parse() call are never executed during tests (branch coverage 50%). Add a test that spawns the CLI as a child process (or mocks require.main) to exercise the real entry path. This is the first line of defense for argument handling and security flag wiring.
[High] Add defensive-branch tests for src/config-writer.ts and src/workdir-setup.ts
Both files guard against symlink attacks (isSymbolicLink() → throw) and non-directory paths (isDirectory() → throw), and config-writer.ts also has the seccomp-profile embedded-write path entirely untested. These guards protect against filesystem manipulation; bringing both files from ~79% to ≥90% branch coverage would close the largest remaining gaps.
[Medium] Test iptables error propagation in src/host-iptables-chain.ts
The isMissingIptablesError throw branch (the one that converts a low-level error into a user-friendly "iptables is required" message) is not covered. A single unit test that injects a mock iptables-missing error would cover this path and verify the firewall fails safely rather than silently.
Generated by test-coverage-reporter workflow. Trigger: schedule
📊 Test Coverage Report — 2026-06-27
Overall Coverage
🛡️ Security-Critical Path Status
📋 Coverage Table (Security-Critical Files + Files < 80% Statements)
🔧 Function Audit
📅 Recent Source Changes
Recently modified files include:
🔍 Notable Findings