API Surface Issue
Category
Unused export / Dead code in security-critical module
Summary
- File: src/host-iptables-network.ts
- Symbol: cleanupFirewallNetwork
- Issue: Exported from the implementation module but intentionally omitted from the public barrel (src/host-iptables.ts), and never called in any production code path. Only test code references it.
Evidence
# Production code referencing cleanupFirewallNetwork:
$ grep -rn "\bcleanupFirewallNetwork\b" src/ --include="*.ts" | grep -v ".test.ts"
src/host-iptables-network.ts:54:export async function cleanupFirewallNetwork(): Promise<void> {
# Public barrel (src/host-iptables.ts) does NOT re-export it:
export { setupHostIptables } from './host-iptables-rules';
export { ensureFirewallNetwork } from './host-iptables-network'; # <-- cleanupFirewallNetwork is absent
export { cleanupHostIptables } from './host-iptables-cleanup';
# Only test code uses it:
$ grep -rn "cleanupFirewallNetwork" src/ --include="*.ts"
src/host-iptables-network.test.ts:2: import { cleanupFirewallNetwork } from './host-iptables-network';
src/host-iptables-network.test.ts:65: describe('cleanupFirewallNetwork', () => { ...
The barrel comment explicitly states: "Re-export public API only. Test files should import directly from source modules." However, cleanupFirewallNetwork was never added to the public barrel — meaning if its functionality is needed at the call site level, callers must reach into the internal module, which bypasses the intended abstraction boundary.
Recommended Fix
Option A — If this function is intentionally a test-only helper (it exercises network teardown logic only tested directly): remove the export keyword to make it module-private.
Option B — If production callers do need Docker network cleanup: add it to the public barrel alongside ensureFirewallNetwork:
// src/host-iptables.ts
export { ensureFirewallNetwork, cleanupFirewallNetwork } from './host-iptables-network';
Impact
- Dead code risk: High — exported symbol in a security-critical iptables module that is unreachable from the intended public API
- Maintenance burden: Medium — future refactors may accidentally break this export with no failing test to catch the regression at the barrel level
Detected by Export Audit workflow. Triggered by push to main on 2026-05-15
Generated by API Surface & Export Audit