[Export Audit] Dead export `cleanupFirewallNetwork` in security-critical module (regression)

## API Surface Issue

### Category
Unused export / Dead code in security-critical module

### Summary
- **File**: `src/host-iptables-network.ts`
- **Symbol**: `cleanupFirewallNetwork` (line 56)
- **Issue**: Exported from a security-critical iptables module but never called in any production code path. Only referenced by test code. This is a regression — prior tracking issue #3220 was closed as completed, but the export persists.

### Evidence

```
$ grep -rw "cleanupFirewallNetwork" src/ --include="*.ts" | grep -v test
src/host-iptables-network.ts:56:export async function cleanupFirewallNetwork(): Promise<void> {

$ grep -rw "cleanupFirewallNetwork" src/ --include="*.ts"
src/host-iptables-network.test.ts:import { cleanupFirewallNetwork } from './host-iptables-network';
src/host-iptables-network.test.ts:  describe('cleanupFirewallNetwork', () => {
src/host-iptables-network.test.ts:      await cleanupFirewallNetwork();
src/host-iptables-network.test.ts:      await expect(cleanupFirewallNetwork()).resolves.not.toThrow();
src/host-iptables-network.ts:56:export async function cleanupFirewallNetwork(): Promise<void> {
```

No production module imports or calls `cleanupFirewallNetwork`. The public barrel `src/host-iptables.ts` does not re-export it.

### Recommended Fix

1. For **unused exports**: If the function is test-only teardown logic, remove the `export` keyword to make it module-private.
2. If it has a real production role, add it to the public barrel `src/host-iptables.ts` alongside `ensureFirewallNetwork`.

### Impact
- Dead code risk: **High** — exported symbol in security-critical iptables module unreachable from public API
- Maintenance burden: **Medium** — future refactors may silently break this export

### Prior Issue
Regression from #3220 (closed as completed on 2026-05-15).

---
*Detected by Export Audit workflow. Triggered by push to main on 2026-05-27*




> Generated by [API Surface & Export Audit](https://github.com/github/gh-aw-firewall/actions/runs/26488024824) · sonnet46 973.1K · [◷](https://github.com/search?q=repo%3Agithub%2Fgh-aw-firewall+is%3Aissue+%22gh-aw-workflow-call-id%3A+github%2Fgh-aw-firewall%2Fexport-audit%22&type=issues)
> - [x] expires  on Jun 26, 2026, 3:04 AM UTC

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[Export Audit] Dead export `cleanupFirewallNetwork` in security-critical module (regression) #3908

API Surface Issue

Category

Summary

Evidence

Recommended Fix

Impact

Prior Issue

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Uh oh!

[Export Audit] Dead export cleanupFirewallNetwork in security-critical module (regression) #3908

Description

API Surface Issue

Category

Summary

Evidence

Recommended Fix

Impact

Prior Issue

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions

[Export Audit] Dead export `cleanupFirewallNetwork` in security-critical module (regression) #3908