
fix: clean up remaining export audit issues #3230

Merged: lpcox merged 1 commit into main from fix/export-audit-remaining, May 15, 2026

@lpcox (Collaborator) commented May 15, 2026

Summary

Addresses the remaining 3 [Export Audit] issues not fixed by #3169.

Changes

  1. _testing → testHelpers in host-iptables-shared.ts (fixes [Export Audit] Naming convention violation: _testing export in host-iptables-shared.ts #3221)

    • TypeScript convention: underscore prefix implies unused, not test-only
    • Added @internal JSDoc tag
    • Updated all 5 consuming test files
  2. Remove public export of subnetsOverlap in host-env.ts (fixes [Export Audit] Dead export: subnetsOverlap in src/host-env.ts is never called in production code #3205)

  3. Add @internal JSDoc to DOMAIN_CHAR_PATTERN in domain-patterns.ts (fixes [Export Audit] Dead export: DOMAIN_CHAR_PATTERN in src/domain-patterns.ts is only used internally #3206)

    • Only used internally and by test assertions for readability
    • Kept exported per issue recommendation but marked as non-public API

Issues closed

Closes #3221, closes #3205, closes #3206

Previously closed by #3169: #3220, #3226, #3223, #3224, #3225

All 8 [Export Audit] issues are now resolved.

- Rename _testing to testHelpers in host-iptables-shared.ts (#3221)
  TypeScript convention: underscore prefix implies unused, not test-only.
  Added @internal JSDoc tag. Updated 5 test files.

- Remove public export of subnetsOverlap in host-env.ts (#3205)
  No production callers. Expose via testHelpers for test access only.

- Add @internal JSDoc to DOMAIN_CHAR_PATTERN in domain-patterns.ts (#3206)
  Only used internally and by test assertions. Keep exported for test
  readability but mark as non-public API.

Closes #3221, closes #3205, closes #3206

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings May 15, 2026 17:51
@lpcox lpcox requested a review from Mossaka as a code owner May 15, 2026 17:51
Copilot AI (Contributor) left a comment

Pull request overview

Cleans up the remaining three [Export Audit] findings not resolved by #3169: renames the test-only _testing export in host-iptables-shared.ts to testHelpers, makes subnetsOverlap module-private in host-env.ts and re-exposes it via a testHelpers object, and annotates DOMAIN_CHAR_PATTERN as @internal.

Changes:

  • Rename _testing → testHelpers in host-iptables-shared.ts and update all 5 consuming test files.
  • Make subnetsOverlap non-exported in host-env.ts; expose via testHelpers object and update the test file.
  • Add @internal JSDoc + ts-prune-ignore-next to DOMAIN_CHAR_PATTERN.
| File | Description |
| --- | --- |
| src/host-iptables-shared.ts | Rename _testing export to testHelpers with refined @internal doc. |
| src/host-iptables-setup.test.ts | Update import to use testHelpers. |
| src/host-iptables-network.test.ts | Update import to use testHelpers. |
| src/host-iptables-host-access.test.ts | Update import to use testHelpers. |
| src/host-iptables-doh.test.ts | Update import to use testHelpers. |
| src/host-iptables-cleanup.test.ts | Update import to use testHelpers. |
| src/host-env.ts | Make subnetsOverlap private and re-expose via testHelpers. |
| src/docker-manager-utils.test.ts | Switch to testHelpers.subnetsOverlap for assertions. |
| src/domain-patterns.ts | Mark DOMAIN_CHAR_PATTERN as @internal and ignored by ts-prune. |

Copilot's findings

  • Files reviewed: 9/9 changed files
  • Comments generated: 0
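
The pattern this PR applies to subnetsOverlap (a module-private function that tests reach only through an @internal testHelpers object), as an added TypeScript sketch that is not the project's code. The bodies of cidrRange and subnetsOverlap, the firstFreeSubnet function, and the sample subnets in the comments are assumptions made for illustration.

```typescript
// Hypothetical module illustrating the export pattern; not the project's host-env.ts.

/** Parse "a.b.c.d/len" into the inclusive [first, last] range of 32-bit addresses. */
function cidrRange(cidr: string): [number, number] {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})$/.exec(cidr);
  if (m === null) throw new Error(`invalid CIDR: ${cidr}`);
  const octets = m.slice(1, 5).map(Number);
  const prefix = Number(m[5]);
  if (octets.some((o) => o > 255) || prefix > 32) {
    throw new Error(`invalid CIDR: ${cidr}`);
  }
  // Plain arithmetic instead of bit shifts: JS bitwise operators are signed 32-bit.
  const addr = octets.reduce((acc, o) => acc * 256 + o, 0);
  const size = 2 ** (32 - prefix);
  const first = addr - (addr % size); // mask off host bits
  return [first, first + size - 1];
}

// Module-private: no `export`, so production modules cannot import it directly
// and a dead-export audit has nothing to flag.
function subnetsOverlap(a: string, b: string): boolean {
  const [aFirst, aLast] = cidrRange(a);
  const [bFirst, bLast] = cidrRange(b);
  return aFirst <= bLast && bFirst <= aLast;
}

/**
 * Hypothetical public API: the only production entry point that needs the check.
 * Returns the first candidate that collides with no subnet already in use.
 */
export function firstFreeSubnet(candidates: string[], inUse: string[]): string | undefined {
  return candidates.find((c) => !inUse.some((u) => subnetsOverlap(c, u)));
}

/**
 * Test-only access to module-private helpers. Not part of the public API.
 * @internal
 */
export const testHelpers = { subnetsOverlap, cidrRange };

// In a test file (constructed sample subnets):
//   import { testHelpers } from './host-env';
//   expect(testHelpers.subnetsOverlap('172.30.0.0/24', '172.30.0.128/25')).toBe(true);
```
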

@github-actions (Contributor)

Smoke Test Results

  • ✅ Playwright: GitHub page title confirmed
  • ✅ File verify: smoke-test file exists
  • ❌ GitHub API: gh CLI authentication failed (HTTP 401)

Result: FAIL (1/3 tests failed)

💥 [THE END] — Illustrated by Smoke Claude

@github-actions (Contributor)

Smoke Test: Copilot BYOK (Offline) Mode

| Test | Result |
| --- | --- |
| GitHub MCP connectivity | ❌ GitHub MCP returned 401 (unauthenticated) |
| GitHub.com HTTP | ❌ Template variable not expanded (${{ steps.smoke-data.outputs.SMOKE_HTTP_CODE }}) |
| File write/read | ❌ Template variable not expanded (${{ steps.smoke-data.outputs.SMOKE_FILE_PATH }}) |
| BYOK inference (api-proxy → api.githubcopilot.com) | ✅ Agent responding confirms BYOK path works |

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com.

Overall: FAIL — workflow misconfiguration: pre-step outputs not passed to agent step; GitHub MCP unauthenticated.

🔑 BYOK report filed by Smoke Copilot BYOK

@github-actions (Contributor)

🔬 Smoke Test Results

| Test | Result |
| --- | --- |
| GitHub MCP connectivity | ❌ 401 Bad credentials |
| GitHub.com HTTP | ⚠️ Template vars not expanded |
| File write/read | ⚠️ Template vars not expanded |

Overall: FAIL — GitHub Actions template substitution did not occur; ${{ steps.smoke-data.outputs.* }} variables were passed literally to the agent. GitHub MCP returned 401.

📰 BREAKING: Report filed by Smoke Copilot

@github-actions github-actions Bot mentioned this pull request May 15, 2026
@github-actions (Contributor)

Smoke Test: Gemini Engine Validation

  • GitHub MCP Testing: ❌ (Tool not found)
  • GitHub.com Connectivity: ❌ (Status 000, SSL Error 35)
  • File Writing Testing: ✅
  • Bash Tool Testing: ✅

PR Titles Reviewed:

  1. fix: clean up remaining export audit issues ([Export Audit] Naming convention violation: _testing export in host-iptables-shared.ts #3221)
  2. Initial plan (fix(api-proxy): apply responses wire API unconditionally for GPT-5/O3 models on COPILOT_GITHUB_TOKEN path #3207)

Overall Status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini

@github-actions (Contributor)

Smoke test Codex: FAIL
PRs: fix(api-proxy): apply responses wire API unconditionally for GPT-5/O3 models on COPILOT_GITHUB_TOKEN path; docs: expand README to reflect AWF feature scope and command surface
GitHub PR review: ✅
safeinputs-gh PR query: ❌
Playwright title check: ✅
Tavily search: ❌
File/bash check: ✅
Discussion interaction: ❌
Build AWF: ✅
Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

@github-actions (Contributor)

Chroot Runtime Version Comparison

| Runtime | Host Version | Chroot Version | Match? |
| --- | --- | --- | --- |
| Python | Python 3.12.13 | Python 3.12.3 | |
| Node.js | v24.15.0 | v20.20.2 | |
| Go | go1.22.12 | go1.22.12 | |

Result: ❌ Not all versions match — Python and Node.js differ between host and chroot environments.

Tested by Smoke Chroot

@github-actions (Contributor)

Smoke Test Results — FAIL

| Check | Result |
| --- | --- |
| Redis PING | ❌ Timeout/no response |
| PostgreSQL pg_isready | ❌ No response |
| PostgreSQL SELECT 1 | ❌ Timeout/no response |

host.docker.internal is unreachable from this environment. Service containers are not accessible.

Overall: ❌ FAIL

🔌 Service connectivity validated by Smoke Services

@github-actions (Contributor)

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color 1/1 passed ✅ PASS
Go env 1/1 passed ✅ PASS
Go uuid 1/1 passed ✅ PASS
Java gson N/A ❌ FAIL
Java caffeine N/A ❌ FAIL
Node.js clsx All passed ✅ PASS
Node.js execa All passed ✅ PASS
Node.js p-limit All passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 7/8 ecosystems passed — ❌ FAIL


❌ Failure Details

Java (gson, caffeine) — two compounding issues:

  1. Root-owned ~/.m2: The ~/.m2 directory was created/owned by root, preventing Maven from writing to its local repository.
  2. Network unreachable: JAVA_TOOL_OPTIONS (set by AWF) points the proxy to squid-proxy:3128, which does not resolve outside an AWF container. As a result, repo.maven.apache.org is unreachable and Maven cannot fetch dependencies (e.g., maven-resources-plugin:3.4.0).

Both projects fail at the mvn compile stage before any tests can run.

Generated by Build Test Suite for issue #3230 · ● 10.2M ·

@lpcox lpcox merged commit 93343df into main May 15, 2026
69 of 72 checks passed
@lpcox lpcox deleted the fix/export-audit-remaining branch May 15, 2026 19:39