Refactoring Opportunity
Summary
- File: src/squid-config.ts
- Current size: 945 lines
- Responsibilities identified: 4 distinct concerns
Evidence
The file mixes multiple distinct responsibilities inside a single module, with several functions that are individually massive:
| Function | Lines | Concern |
|---|---|---|
| generateSquidConfig | 439 lines | Main Squid ACL/config assembly |
| generatePolicyManifest | 198 lines | Policy manifest generation (separate data structure) |
| generateSslBumpSection | 120 lines | SSL-bump / CONNECT splice config |
| generateUpstreamProxySection | 83 lines | Upstream proxy chaining config |
generateSquidConfig at 439 lines is the primary concern: it contains domain parsing, protocol grouping, SSL-bump logic, ACL generation, logging format, and http_access rules all inline.
grep -n "^export\|^function" src/squid-config.ts
# 21: function generateUpstreamProxySection
# 104: function assertSafeForSquidConfig
# 117: function formatDomainForSquid
# 125: function groupDomainsByProtocol
# 136: function groupPatternsByProtocol
# 148: function parseDomainConfig
# 188: function generateSslBumpSection
# 308: export function generateSquidConfig
# 747: export function generatePolicyManifest
Proposed Split
src/squid-config.ts (945 lines) could be split into:
- src/squid/domain-acl.ts — domain parsing helpers, groupDomainsByProtocol, groupPatternsByProtocol, formatDomainForSquid, assertSafeForSquidConfig (~100 lines)
- src/squid/ssl-bump.ts — generateSslBumpSection and related splice/peek rules (~120 lines)
- src/squid/upstream-proxy.ts — generateUpstreamProxySection (~85 lines)
- src/squid/policy-manifest.ts — generatePolicyManifest (~200 lines)
- src/squid-config.ts — generateSquidConfig facade assembling sections (~200 lines after extraction)
Affected Callers
grep -rn "from.*squid-config" src/ 2>/dev/null
# src/container-lifecycle.ts: import { generateSquidConfig, generatePolicyManifest }
Effort Estimate
Medium
Benefits
- generateSquidConfig at 439 lines is very hard to review for security correctness
- Each sub-section can be unit tested independently
- SSL-bump logic and domain ACL logic are independently modifiable
- Security-critical path: smaller modules reduce risk of accidental domain bypass bugs
Detected by Refactoring Scanner workflow. Run date: 2026-05-12
Generated by Refactoring Opportunity Scanner