Remove dead __testing export from host-iptables public API #3080

Merged
lpcox merged 2 commits into main from copilot/remove-dead-export-testing
May 13, 2026

Conversation

Copilot AI commented May 13, 2026

Bug Fix

What was the bug?

src/host-iptables.ts exposed a dead __testing export that leaked _resetIpv6State on a security-critical module’s public surface. The symbol had no non-test consumers and unnecessarily exposed IPv6 firewall state mutation internals.

How did you fix it?

  • API surface hardening

    • Removed __testing from src/host-iptables.ts.
    • Removed the facade-level import of _resetIpv6State tied only to that export.
  • Test boundary cleanup

    • Updated host-iptables test files to import _resetIpv6State directly from src/host-iptables-shared.ts instead of via __testing on the public facade.
    • Kept existing test setup behavior unchanged (setupHostIptablesTestSuite(_resetIpv6State)), while eliminating the leaked public symbol.

Example

// Before
import { setupHostIptables, __testing } from './host-iptables';
setupHostIptablesTestSuite(__testing._resetIpv6State);

// After
import { setupHostIptables } from './host-iptables';
import { _resetIpv6State } from './host-iptables-shared';
setupHostIptablesTestSuite(_resetIpv6State);
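
A regression check for the leak described above, as an added example that is not part of the original PR or the project's code: it lists what a facade source exports and flags internal names. The underscore convention, the helper names and the two constructed facade strings are assumptions.

```typescript
// Added example: export audit for a facade module (not the project's own code).
// Assumption: a leading underscore marks an internal or test-only symbol.
const INTERNAL_NAME = /^_/;

// Constructed stand-ins for the facade before and after the change.
const FACADE_BEFORE = `
import { _resetIpv6State } from './host-iptables-shared';
export function setupHostIptables(): void {}
export const __testing = { _resetIpv6State };
`;
const FACADE_AFTER = `
export function setupHostIptables(): void {}
// export const __testing = { _resetIpv6State };
`;

/** Push every first capture group of a global regex into `out`, without duplicates. */
function collect(re: RegExp, code: string, out: string[]): void {
  let m: RegExpExecArray | null;
  while ((m = re.exec(code)) !== null) {
    const hit = m[1] || '';
    if (hit && out.indexOf(hit) === -1) out.push(hit);
  }
}

/** Names a module exports via declarations and `export { ... }` lists. */
function exportedNames(source: string): string[] {
  // Drop comments so a commented-out export is not reported.
  const code = source.replace(/\/\*[\s\S]*?\*\//g, '').replace(/\/\/.*$/gm, '');
  const names: string[] = [];
  collect(/^\s*export\s+(?:declare\s+)?(?:async\s+)?(?:const|let|var|function|class|type|interface|enum)\s+([A-Za-z_$][\w$]*)/gm, code, names);
  const lists: string[] = [];
  collect(/^\s*export\s+(?:type\s+)?\{([^}]*)\}/gm, code, lists);
  for (const list of lists) {
    for (const item of list.split(',')) {
      // In `a as b` the public name is `b`.
      const parts = item.trim().split(/\s+as\s+/);
      const name = (parts[parts.length - 1] || '').trim();
      if (name && names.indexOf(name) === -1) names.push(name);
    }
  }
  return names.sort();
}

/** Exported names that should not be reachable from the public facade. */
function auditFacade(source: string): string[] {
  return exportedNames(source).filter((n) => INTERNAL_NAME.test(n));
}
```

The scan is regex-based rather than AST-based, so it does not follow `export *` re-exports and sees only the public name of an aliased export (`_x as y` is reported as `y`).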

Copilot AI changed the title from "[WIP] Remove dead __testing export from host-iptables module" to "Remove dead __testing export from host-iptables public API" May 13, 2026
Copilot finished work on behalf of lpcox May 13, 2026 01:18
Copilot AI requested a review from lpcox May 13, 2026 01:18
@lpcox lpcox marked this pull request as ready for review May 13, 2026 01:26
@lpcox lpcox requested a review from Mossaka as a code owner May 13, 2026 01:26
Copilot AI review requested due to automatic review settings May 13, 2026 01:26

Copilot AI left a comment

Pull request overview

This PR hardens the host-iptables facade’s public API by removing the dead __testing export (which leaked IPv6 state mutation internals) and updates the unit tests to use the internal reset helper directly from the shared module.

Changes:

  • Removed the unused __testing export (and its _resetIpv6State import) from src/host-iptables.ts.
  • Updated host-iptables unit tests to import _resetIpv6State from src/host-iptables-shared.ts and pass it to setupHostIptablesTestSuite.

| File | Description |
| --- | --- |
| src/host-iptables.ts | Removes __testing from the facade to avoid leaking internal IPv6 reset functionality on the module’s public surface. |
| src/host-iptables-setup.test.ts | Switches test reset wiring from __testing._resetIpv6State to direct _resetIpv6State import. |
| src/host-iptables-network.test.ts | Same test boundary change: imports _resetIpv6State from host-iptables-shared. |
| src/host-iptables-host-access.test.ts | Same test boundary change: imports _resetIpv6State from host-iptables-shared. |
| src/host-iptables-doh.test.ts | Same test boundary change: imports _resetIpv6State from host-iptables-shared. |
| src/host-iptables-cleanup.test.ts | Same test boundary change: imports _resetIpv6State from host-iptables-shared. |

Copilot's findings

  • Files reviewed: 6/6 changed files
  • Comments generated: 0

@github-actions github-actions Bot mentioned this pull request May 13, 2026
@github-actions

🔬 Smoke Test Results

| Test | Status |
| --- | --- |
| GitHub MCP connectivity | ❌ 401 Bad credentials |
| GitHub.com HTTP | ⚠️ Template vars unresolved |
| File write/read | ⚠️ Template vars unresolved |

Overall: FAIL — GitHub MCP auth unavailable in this environment; workflow template variables were not interpolated before reaching the agent.

📰 BREAKING: Report filed by Smoke Copilot

@github-actions

Smoke Test: Copilot BYOK (Offline) Mode

| Test | Result |
| --- | --- |
| 1. GitHub MCP Connectivity | ❌ (401 Bad credentials — MCP unauthenticated) |
| 2. GitHub.com HTTP | ⚠️ (pre-step data not expanded in template) |
| 3. File Write/Read | ⚠️ (pre-step data not expanded in template) |
| 4. BYOK Inference | ✅ (responding via api-proxy → api.githubcopilot.com) |

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com.

Overall: PARTIAL — BYOK inference works; pre-step data (${{ steps.smoke-data.outputs.* }}) was not substituted before agent execution, so tests 2–3 could not be verified.

🔑 BYOK report filed by Smoke Copilot BYOK

@github-actions

Smoke Test Results

✅ Playwright: Navigated to github.com, title confirmed
✅ File verify: smoke-test-claude-25772065933.txt exists with content
❌ GitHub API: gh CLI authentication failed (HTTP 401)

Result: 2/3 tests passed

💥 [THE END] — Illustrated by Smoke Claude

@github-actions

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color ok ✅ PASS
Go env ok ✅ PASS
Go uuid ok ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx All passed ✅ PASS
Node.js execa All passed ✅ PASS
Node.js p-limit All passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #3080 · ● 3.3M ·

@github-actions

Chroot Smoke Test Results

| Runtime | Host Version | Chroot Version | Match? |
| --- | --- | --- | --- |
| Python | Python 3.12.13 | Python 3.12.3 | ❌ NO |
| Node.js | v24.14.1 | v20.20.2 | ❌ NO |
| Go | go1.22.12 | go1.22.12 | ✅ YES |

Overall: ❌ FAILED — Python and Node.js versions differ between host and chroot.

Tested by Smoke Chroot

@github-actions

Gemini Engine Smoke Test Results

  1. GitHub MCP Testing: ✅
  2. GitHub.com Connectivity: ❌ (Status: 000, Exit Code: 35)
  3. File Writing Testing: ✅
  4. Bash Tool Testing: ✅

Overall Status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini

@github-actions

Smoke Test Results

  • Redis PING: ❌ (timeout — no response from host.docker.internal:6379)
  • PostgreSQL pg_isready: ❌ (no response from host.docker.internal:5432)
  • PostgreSQL SELECT 1: ❌ (skipped — pg_isready failed)

Overall: FAIL — service containers are not reachable via host.docker.internal.

🔌 Service connectivity validated by Smoke Services

@lpcox lpcox merged commit 1db4638 into main May 13, 2026
68 of 75 checks passed
@lpcox lpcox deleted the copilot/remove-dead-export-testing branch May 13, 2026 02:06
@github-actions

Smoke Test: FAIL
PRs: Remove dead __testing export from host-iptables public API; perf(export-audit): move phases 1–3 to pre-steps, cut ~75% token usage
GitHub MCP: ❌; safeinputs-gh: ❌; Playwright: ✅; Tavily: ❌
File/bash: ✅; Discussion: ❌; Build: ✅
Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

Development

Successfully merging this pull request may close these issues.

[Export Audit] Dead __testing export leaks internal reset function in security-critical host-iptables module

3 participants