refactor: [Export Audit] Remove test-only re-exports from barrel modules #3169

Merged: lpcox merged 4 commits into main from fix/remove-test-only-barrel-reexports on May 15, 2026
@lpcox lpcox commented May 14, 2026

Summary

Remove test-only re-exports from docker-manager.ts and host-iptables.ts barrel modules. Test files now import directly from source modules, narrowing the public API surface.

Changes

src/docker-manager.ts barrel — removed 19 test-only re-exports:

  • From host-env: AGENT_CONTAINER_NAME, ACT_PRESET_BASE_IMAGE, MIN_REGULAR_UID, validateIdNotInSystemRange, getSafeHostUid, getSafeHostGid, getRealUserHome, extractGhHostFromServerUrl, readGitHubPathEntries, readGitHubEnvEntries, parseGitHubEnvFile, mergeGitHubPathEntries, readEnvFile, subnetsOverlap, SslConfig, stripScheme
  • From compose-generator: generateDockerCompose
  • From container-lifecycle: isAgentExternallyKilled, resetAgentExternallyKilled

src/host-iptables.ts barrel — removed 2 test-only re-exports:

  • isValidPortSpec (from host-iptables-rules)
  • cleanupFirewallNetwork (from host-iptables-network)

Test files updated to import directly from source modules:

  • docker-manager-utils.test.ts → imports from ./host-env
  • compose-generator.test.ts → imports from ./compose-generator + ./host-env
  • docker-manager-lifecycle.test.ts → imports from ./container-lifecycle + ./container-cleanup + ./host-env
  • host-iptables-setup.test.ts → imports from ./host-iptables-rules
  • host-iptables-network.test.ts → imports from ./host-iptables-network

Verification

  • ✅ Build passes (npm run build)
  • ✅ All tests pass (5 pre-existing failures unrelated to these changes)

Closes #3165
Closes #3166
Closes #3167
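
The audit summarized in this description can be approximated mechanically. The following is an added example, not code from this PR or from the gh-aw-firewall repository: it lists a barrel's named re-exports that only `*.test.ts` files import through the barrel. The sample tree is constructed, `startContainers` and `src/cli.ts` are hypothetical, and matching import specifiers by basename is a simplifying assumption.

```typescript
// Constructed sample tree (path -> source text); startContainers and src/cli.ts are hypothetical.
const SAMPLE: Record<string, string> = {
  "src/docker-manager.ts":
    "export { generateDockerCompose } from './compose-generator';\n" +
    "export { readEnvFile, stripScheme } from './host-env';\n" +
    "export { startContainers } from './container-lifecycle';\n",
  "src/cli.ts": "import { startContainers } from './docker-manager';\n",
  "src/compose-generator.test.ts":
    "import { generateDockerCompose } from './docker-manager';\n",
  "src/docker-manager-utils.test.ts":
    "import { readEnvFile, stripScheme as strip } from './docker-manager';\n",
};

// Names in a "{ a, b as c, type D }" list: the exposed alias for exports, the original for imports.
function listNames(list: string, exposed: boolean): string[] {
  const out: string[] = [];
  for (const part of list.split(",")) {
    const words = part.trim().replace(/^type\s+/, "").split(/\s+as\s+/);
    const name = exposed ? words[words.length - 1] : words[0];
    if (name) out.push(name);
  }
  return out;
}

// Named bindings of every `export|import { ... } from '<spec>'` whose spec passes `match`.
function bindings(src: string, kind: "export" | "import", match: (spec: string) => boolean): string[] {
  const re = new RegExp(kind + "\\s*(?:type\\s+)?\\{([^}]*)\\}\\s*from\\s*['\"]([^'\"]+)['\"]", "g");
  let out: string[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(src)) !== null) {
    if (match(m[2] || "")) out = out.concat(listNames(m[1] || "", kind === "export"));
  }
  return out;
}

// Re-exports of `barrel` that are imported through it by *.test.ts files and by nothing else.
function findTestOnlyReExports(files: Record<string, string>, barrel: string): string[] {
  const base = barrel.replace(/^.*\//, "").replace(/\.ts$/, "");
  const viaBarrel = (spec: string) => spec.replace(/^.*\//, "") === base;
  const prod: string[] = [];
  const test: string[] = [];
  for (const path of Object.keys(files)) {
    if (path === barrel) continue;
    const used = bindings(files[path] || "", "import", viaBarrel);
    (/\.test\.ts$/.test(path) ? test : prod).push(...used);
  }
  return bindings(files[barrel] || "", "export", () => true)
    .filter((n) => test.indexOf(n) >= 0 && prod.indexOf(n) < 0);
}
```

On the constructed tree, `findTestOnlyReExports(SAMPLE, "src/docker-manager.ts")` reports the three symbols that only tests pull through the barrel and leaves `startContainers` alone because a non-test file consumes it.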

Remove symbols from docker-manager.ts and host-iptables.ts barrels that
are only consumed by test files. Test files now import directly from
the source modules (host-env, compose-generator, container-lifecycle,
host-iptables-rules, host-iptables-network).

docker-manager.ts barrel: removed 19 test-only re-exports (AGENT_CONTAINER_NAME,
ACT_PRESET_BASE_IMAGE, MIN_REGULAR_UID, validateIdNotInSystemRange,
getSafeHostUid, getSafeHostGid, getRealUserHome, extractGhHostFromServerUrl,
readGitHubPathEntries, readGitHubEnvEntries, parseGitHubEnvFile,
mergeGitHubPathEntries, readEnvFile, subnetsOverlap, SslConfig, stripScheme,
generateDockerCompose, isAgentExternallyKilled, resetAgentExternallyKilled).

host-iptables.ts barrel: removed 2 test-only re-exports
(isValidPortSpec, cleanupFirewallNetwork).

Closes #3165
Closes #3166
Closes #3167

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings May 14, 2026 22:30
@lpcox lpcox requested a review from Mossaka as a code owner May 14, 2026 22:30
Copilot AI left a comment

Pull request overview

Removes 21 test-only re-exports from the docker-manager.ts and host-iptables.ts barrel modules and updates the affected test files to import directly from the underlying source modules, narrowing the public API surface.

Changes:

  • Trimmed src/docker-manager.ts to re-export only production-consumed symbols (removed 19 host-env, compose-generator, container-lifecycle re-exports).
  • Trimmed src/host-iptables.ts to drop isValidPortSpec and cleanupFirewallNetwork re-exports.
  • Updated five test files to import the removed symbols directly from their source modules.

| File | Description |
| --- | --- |
| src/docker-manager.ts | Removed 19 test-only re-exports; updated comment block. |
| src/host-iptables.ts | Removed isValidPortSpec/cleanupFirewallNetwork re-exports. |
| src/docker-manager-utils.test.ts | Re-pointed imports from ./docker-manager to ./host-env. |
| src/docker-manager-lifecycle.test.ts | Split imports across container-lifecycle, container-cleanup, host-env. |
| src/compose-generator.test.ts | Imports generateDockerCompose from ./compose-generator and ACT_PRESET_BASE_IMAGE from ./host-env. |
| src/host-iptables-setup.test.ts | Imports isValidPortSpec from ./host-iptables-rules. |
| src/host-iptables-network.test.ts | Imports cleanupFirewallNetwork from ./host-iptables-network. |

Copilot's findings

  • Files reviewed: 7/7 changed files
  • Comments generated: 0

lpcox commented May 14, 2026

Copilot AI commented May 14, 2026

@copilot please fix this failing ci check https://github.com/github/gh-aw-firewall/actions/runs/25889383307/job/76088950010?pr=3169

The test coverage failure was caused by missing --ignore-scripts on npm install -g @anthropic-ai/claude-code in three lock files (secret-digger-claude.lock.yml, security-guard.lock.yml, smoke-claude.lock.yml). Fixed in commit fix: add --ignore-scripts to claude-code npm install in lock files.

The other CI failures are pre-existing and unrelated to this PR:

  • PR Title Check: the title [Export Audit] Remove test-only re-exports from barrel modules doesn't follow Conventional Commits format — it would need to be renamed to something like refactor: remove test-only re-exports from barrel modules.
  • Dependency Vulnerability Audit: 23 vulnerabilities in docs-site dependencies (astro/volar packages), pre-existing.
  • Smoke Codex / Smoke OpenCode: "Download container images" infrastructure failures, unrelated to code changes.

Copilot finished work on behalf of lpcox May 14, 2026 22:53
@github-actions

⚠️ Coverage Regression Detected

This PR decreases test coverage. Please add tests to maintain coverage levels.

Overall Coverage

| Metric | Base | PR | Delta |
| --- | --- | --- | --- |
| Lines | 89.88% | 89.90% | 📈 +0.02% |
| Statements | 89.79% | 89.81% | 📈 +0.02% |
| Functions | 94.34% | 93.60% | 📉 -0.74% |
| Branches | 81.51% | 81.55% | 📈 +0.04% |

📁 Per-file Coverage Changes (1 files)

| File | Lines (Before → After) | Statements (Before → After) |
| --- | --- | --- |
| src/config-writer.ts | 83.0% → 85.6% (+2.54%) | 83.0% → 85.6% (+2.54%) |

Coverage comparison generated by scripts/ci/compare-coverage.ts

lpcox commented May 15, 2026

@lpcox lpcox changed the title [Export Audit] Remove test-only re-exports from barrel modules refactor: [Export Audit] Remove test-only re-exports from barrel modules May 15, 2026
lpcox commented May 15, 2026

@copilot recompile smoke claude

Copilot AI commented May 15, 2026

@copilot recompile smoke claude

Done — all 35 workflows recompiled and post-processed in commit chore: recompile all agentic workflows with post-processing. smoke-claude.lock.yml was updated along with all other lock files.

Copilot finished work on behalf of lpcox May 15, 2026 04:13
@github-actions

Smoke Test Results

| Test | Result |
| --- | --- |
| GitHub API | ❌ FAIL (auth issue) |
| Playwright | ✅ PASS |
| File verify | ✅ PASS |
| Overall | FAIL (2/3) |

GitHub CLI authentication failed; other tests passed successfully.

💥 [THE END] — Illustrated by Smoke Claude

@github-actions

Smoke Test: Copilot BYOK — Results

| Test | Status |
| --- | --- |
| GitHub MCP connectivity | ❌ (401 Bad credentials) |
| GitHub.com HTTP | ⚠️ (pre-step vars not substituted) |
| File write/read | ✅ (smoke-test-copilot-byok-25899818098.txt exists) |
| BYOK inference (this response) | |

Note: Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com

Overall: PARTIAL — BYOK inference works, but GitHub MCP returned 401 and pre-step template variables were not substituted.

🔑 BYOK report filed by Smoke Copilot BYOK

@github-actions

Smoke Codex: FAIL

PRs: fix(api-proxy): route GPT-5 family models to /responses regardless of auth path; Fix token usage extraction for OpenAI Responses API (response.usage) in SSE/WS paths
✅ GitHub PR review
❌ safeinputs-gh query
✅ Playwright title contains GitHub
❌ Tavily search
✅ file write + bash readback
⚪ discussion comment skipped
✅ npm ci && npm run build
Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

@github-actions

🧪 Smoke Test Results

| Test | Result |
| --- | --- |
| GitHub MCP connectivity | ❌ (401 Bad credentials) |
| GitHub.com HTTP | ⚠️ (pre-step data not injected) |
| File write/read | ✅ (verified) |

Overall: FAIL — GitHub MCP returned 401 Bad credentials.

📰 BREAKING: Report filed by Smoke Copilot

@github-actions

Chroot Smoke Test Results

| Runtime | Host Version | Chroot Version | Match? |
| --- | --- | --- | --- |
| Python | Python 3.12.13 | Python 3.12.3 | |
| Node.js | v24.15.0 | v20.20.2 | |
| Go | go1.22.12 | go1.22.12 | |

Overall: FAILED — Python and Node.js versions differ between host and chroot.

Tested by Smoke Chroot

@github-actions

Smoke Test Results

| Check | Result |
| --- | --- |
| Redis PING | ❌ Connection failed (timeout) |
| PostgreSQL pg_isready | ❌ No response on port 5432 |
| PostgreSQL SELECT 1 | ❌ Connection failed |

Overall: FAIL. host.docker.internal is not reachable from this runner environment. Service containers may not be configured or the host DNS alias is not available.

🔌 Service connectivity validated by Smoke Services

@github-actions

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color 1/1 passed ✅ PASS
Go env 1/1 passed ✅ PASS
Go uuid 1/1 passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx all passed ✅ PASS
Node.js execa all passed ✅ PASS
Node.js p-limit all passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #3169 · ● 7.6M ·

@github-actions

Gemini Engine Validation Results

  • GitHub MCP Testing: ❌ (mcpscripts command not found)
  • GitHub.com Connectivity: ❌ (Blocked by Squid/SSL error 35)
  • File Writing Testing: ✅
  • Bash Tool Testing: ✅

Overall Status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini

lpcox commented May 15, 2026

Copilot AI commented May 15, 2026

@copilot fix this failed ci check https://github.com/github/gh-aw-firewall/actions/runs/25899818114/job/76121041361?pr=3169

This failure is a transient infrastructure issue unrelated to the PR changes. All 4 failing tests in protocol-support.test.ts run curl -fsS https://api.github.com/zen through the firewall and receive HTTP 403 back from GitHub's API (not a proxy block — the tests that should be blocked pass). GitHub's API is rate-limiting unauthenticated requests from the runner's IP at that point in time.

The same tests passed on main (run 25899156724 at 03:48) roughly 24 minutes before this run. None of my changes touch proxy configuration, iptables rules, or the squid setup that would affect external HTTP responses.
