Narrow Squid module exports by internalizing helper functions

[Copilot]

This change tightens the src/squid/ API surface by removing accidental exports of internal helpers that are only used by config-generator.ts. The exposed interface is reduced to higher-level composition functions while preserving existing config generation behavior.

• API surface reduction (targeted helpers)

  • src/squid/access-rules.ts: internalized
    • generateProtocolRules
    • generateDenyRule
    • generateAccessRulesSection
  • src/squid/acl-generator.ts: internalized
    • generateDomainAcls
    • generateBlockedDomainAcls
  • src/squid/config-sections.ts: internalized
    • generateConfigSections

• Module-level facade exports (replacement entry points)

  • Added generateAccessRules(...) in access-rules.ts to return:
    • accessRulesSection
    • denyRule
  • Added generateAclSections(...) in acl-generator.ts to return:
    • aclLines
    • blockedDomainConfig
  • Exported buildConfigSections as the external entry point from config-sections.ts.

• Call-site update

  • src/squid/config-generator.ts now imports and uses only the new facades (generateAclSections, generateAccessRules, buildConfigSections) instead of helper-level functions.

• Export contract guard

  • Added src/squid/internal-exports.test.ts to assert that the helper symbols above are not exported and only the intended facade functions are exposed.

// config-generator.ts (updated import shape)
import { generateAclSections } from './acl-generator';
import { generateAccessRules } from './access-rules';
import { buildConfigSections } from './config-sections';

[Copilot]

Pull request overview

Narrows the public surface of src/squid/ modules by converting low-level helpers (generateProtocolRules, generateDenyRule, generateAccessRulesSection, generateDomainAcls, generateBlockedDomainAcls, generateConfigSections) into module-internal functions and exposing only higher-level facades (generateAccessRules, generateAclSections, buildConfigSections). config-generator.ts is updated to use the new facades, and a guard test asserts the internal helpers stay unexported.

Changes:

• Internalize helper functions in access-rules.ts, acl-generator.ts, and config-sections.ts, exposing only new facade APIs.
• Update config-generator.ts to consume the new facades.
• Add internal-exports.test.ts to lock the reduced export surface.

Show a summary per file

File	Description
src/squid/access-rules.ts	Drops export from three helpers and adds generateAccessRules facade.
src/squid/acl-generator.ts	Drops export from two helpers and adds generateAclSections facade.
src/squid/config-sections.ts	Makes generateConfigSections module-private, re-exports as buildConfigSections.
src/squid/config-generator.ts	Switches imports/usages to the new facade functions.
src/squid/internal-exports.test.ts	New guard test asserting the helper exports are not present.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 5/5 changed files
• Comments generated: 0

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	96.48%	96.62%	📈 +0.14%
Statements	96.35%	96.48%	📈 +0.13%
Functions	98.22%	98.23%	📈 +0.01%
Branches	90.62%	90.78%	📈 +0.16%

📁 Per-file Coverage Changes (2 files)

File	Lines (Before → After)	Statements (Before → After)
src/config-writer.ts	89.3% → 90.9% (+1.65%)	89.3% → 90.9% (+1.65%)
src/cli-workflow.ts	88.9% → 100.0% (+11.12%)	88.9% → 100.0% (+11.12%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[github-actions]

Smoke Test: Claude Engine

• ✅ GitHub API read (2 recent PRs)
• ✅ Playwright check (github.com title verified)
• ✅ File verify (smoke-test-claude-26586460725.txt)

Total: PASS

💥 [THE END] — Illustrated by Smoke Claude

[github-actions]

🔬 Smoke Test Results

Test	Status
GitHub MCP connectivity	✅ PASS
GitHub.com HTTP connectivity	⚠️ N/A (template vars unexpanded)
File write/read	⚠️ N/A (template vars unexpanded)

PR: "Narrow Squid module exports by internalizing helper functions" — author: @Copilot, assignees: @lpcox, @Copilot

Overall: PARTIAL — MCP works; pre-computed test data was not injected into the agent prompt (raw ${{ }} expressions received).

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

🔥 Smoke Test: Copilot BYOK (Offline) Mode

Test	Result
GitHub MCP (list PRs)	✅ PR #3945 returned
GitHub.com connectivity	⚠️ Pre-step data unavailable (template vars not expanded)
File write/read	⚠️ Pre-step data unavailable (template vars not expanded)
BYOK inference (this response)	✅

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com

Author: @Copilot — Assignees: @lpcox, @Copilot

Overall: PASS (core BYOK path verified ✅)

🔑 BYOK report filed by Smoke Copilot BYOK

[github-actions]

Smoke test results: FAIL. Tool mcpscripts missing, Connectivity failed.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini

[github-actions]

Smoke Test Results — FAIL

Check	Result
Redis PING	❌ Timeout/no response
PostgreSQL pg_isready	❌ No response
PostgreSQL SELECT 1	❌ No response

host.docker.internal is unreachable on ports 6379 and 5432. Service containers may not be running or the hostname is not resolvable in this environment.

Overall: FAIL

🔌 Service connectivity validated by Smoke Services

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	passed	✅ PASS
Go	env	✅	passed	✅ PASS
Go	uuid	✅	passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	passed	✅ PASS
Node.js	execa	✅	passed	✅ PASS
Node.js	p-limit	✅	passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #3961 · sonnet46 810.5K · ◷

[github-actions]

Chroot Version Comparison Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.13	Python 3.12.3	❌
Node.js	v24.16.0	v22.22.3	❌
Go	go1.22.12	go1.22.12	✅

Overall: ❌ Not all tests passed — Python and Node.js versions differ between host and chroot.

Tested by Smoke Chroot

[github-actions]

[Test Coverage] Cover uncovered branches in cli-workflow runMainWorkflow ✅
[docs] Document AWF_DIND env var and ARC/DinD sibling-socket auto-detection ✅
GitHub title check ✅
File write/read ✅
Discussion comment ✅
Build ❌
Overall: FAIL

🔮 The oracle has spoken through Smoke Codex