[Coverage Report] Test Coverage Report — 2026-05-22

[github-actions[bot]]

📊 Overall Coverage

Metric	Coverage	Status
Statements	95.87% (4119/4296)	✅ Excellent
Branches	89.56% (2239/2500)	✅ Good
Functions	98.02% (447/456)	✅ Excellent
Lines	96.05% (3994/4158)	✅ Excellent

All CI thresholds (statements ≥38%, branches ≥30%, functions ≥35%) — ✅ passing.

---

🔴 Critical Gaps (< 50% statement coverage)

None — every source file is above 80% statement coverage.

---

🟡 Low Coverage (50–79% statement coverage)

None below 80%. The following are in the 80–86% range:

File	Statements	Branches	Functions
commands/validators/config-assembly.ts	81.1%	65.3%	100%
commands/validators/network-options.ts	81.2%	50.0%	100%
logs/audit-enricher.ts	83.6%	74.1%	100%
logs/log-parser.ts	85.5%	65.6%	100%
config-writer.ts	85.6%	65.5%	100%
cli.ts	85.7%	65.5%	100%

---

🛡️ Security-Critical Path Status

File	Statements	Branches	Functions	Status
host-iptables.ts	100%	100%	100%	✅ Fully covered
host-iptables-rules.ts	97.0%	94.0%	100%	✅ Excellent
host-iptables-network.ts	100%	100%	100%	✅ Fully covered
host-iptables-cleanup.ts	100%	100%	100%	✅ Fully covered
squid-config.ts	100%	96.1%	100%	✅ Fully covered
squid/domain-acl.ts	100%	100%	100%	✅ Fully covered
squid/ssl-bump.ts	93.8%	91.7%	100%	✅ Good
domain-patterns.ts	97.7%	95.4%	100%	✅ Excellent
docker-manager.ts	100%	100%	100%	✅ Fully covered
dlp.ts	100%	100%	100%	✅ Fully covered
redact-secrets.ts	100%	100%	100%	✅ Fully covered

All security-critical paths exceed the 70% branch coverage threshold. 🎉

---

📋 Files Needing Attention (by branch coverage)

File	Statements	Branches	Functions
commands/validators/network-options.ts	81.2%	50.0%	100%
cli-options.ts	93.0%	60.0%	25.0%
commands/validators/config-assembly.ts	81.1%	65.3%	100%
logs/log-parser.ts	85.5%	65.6%	100%
config-writer.ts	85.6%	65.5%	100%
squid/policy-manifest.ts	87.2%	88.2%	70.0%

---

🔍 Notable Findings

1. commands/validators/network-options.ts — 50% branch coverage: Network option validation (DNS servers, proxy settings, port configs) has half its branches untested. Missing coverage likely includes: invalid IP format rejection, conflicting option combinations, and edge values.

2. cli-options.ts — 25% function coverage: Only 2 of 8 functions exercised. Uncovered functions likely handle option defaults, environment variable overrides, or deprecated flag paths — all worth testing as they control the firewall's runtime behaviour.

3. logs/log-parser.ts — 65.6% branch coverage: Log parsing branches for malformed lines, missing fields, and alternate timestamp formats are not tested. These are real-world edge cases from production Squid logs.

4. squid/policy-manifest.ts — 70% function coverage: 3 of 10 functions uncovered. Since this module feeds the Squid ACL generator, closing the gap would add defence-in-depth for the policy pipeline.

---

📈 Recommendations

1. High — commands/validators/network-options.ts branch coverage (50%): Add tests for invalid DNS server IPs, conflicting proxy settings, and out-of-range ports. These validate security-relevant network configuration inputs.

2. High — cli-options.ts function coverage (25%): Write unit tests for each exported option-builder/resolver function. Uncovered option-parsing logic is a common source of subtle security misconfigurations.

3. Medium — logs/log-parser.ts branch coverage (65.6%): Add tests with malformed Squid log lines, truncated entries, and non-standard timestamps to cover the defensive branches.

4. Low — squid/policy-manifest.ts function coverage (70%): Cover the remaining uncovered functions to bring this security-adjacent module to ≥95%.

---

📊 Suite Statistics

Metric	Value
Test files	75
Source files	107
Recent commits (7d)	1 (ac64d63 — remove unused ProbeResult export)

---

Generated by test-coverage-reporter workflow · Trigger: push · 2026-05-22

Generated by Test Coverage Reporter · ● 2.9M · ◷

• expires on May 29, 2026, 3:02 PM UTC

[github-actions[bot]]

🔮 The ancient spirits stir: the Codex smoke test agent passed through this chamber, leaving a clear sign in the workflow run.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir: the Codex smoke test agent was here, and its signal has passed through the veil of this workflow.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir... the smoke test agent was here, tracing green flame through the firewall runes.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex