[Test Coverage] host-iptables branch coverage

[github-actions]

Adds src/host-iptables-coverage.test.ts with three targeted tests that cover branches flagged in the coverage report.

What's covered

File	Line	Branch	Test
host-iptables-rules.ts	85	Ternary '' fallback — thrown error has no stderr string property (plain new Error() vs ExecaError)	checkPermissionsAndSetupChain – no-stderr error object
host-iptables-rules.ts	172	Ternary DEFAULT_DNS_SERVERS fallback — setupHostIptables called with []	addIpv6DnsRules – empty dnsServers falls back to DEFAULT_DNS_SERVERS
host-iptables-shared.ts	171	if (match) false branch — iptables header line (e.g. Chain FW_WRAPPER (2 references)) matches shouldDelete but has no digit prefix	cleanupChain – shouldDelete true but line has no leading digit

Approach

All tests use the existing host-iptables-test-setup helpers (mockedExeca, execaResult, setupDefaultIptablesMocks) and exercise the target functions via their public API (setupHostIptables, cleanupChain). No production code was changed.

Generated by Test Coverage Improver · 471.2 AIC · ⊞ 30K · ◷

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	96.42%	96.47%	📈 +0.05%
Statements	96.34%	96.38%	📈 +0.04%
Functions	98.77%	98.77%	➡️ +0.00%
Branches	90.74%	90.84%	📈 +0.10%

📁 Per-file Coverage Changes (3 files)

File	Lines (Before → After)	Statements (Before → After)
src/commands/validators/config-assembly.ts	98.2% → 98.3% (+0.04%)	97.4% → 97.5% (+0.06%)
src/squid/policy-manifest.ts	87.0% → 87.2% (+0.28%)	87.2% → 87.5% (+0.27%)
src/config-writer.ts	89.3% → 90.9% (+1.65%)	89.3% → 90.9% (+1.65%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[Copilot]

Pull request overview

Adds a dedicated Jest test file to improve branch coverage in the host iptables logic, specifically exercising previously-uncovered conditional paths in host-iptables-rules and host-iptables-shared via the public APIs.

Changes:

• Adds src/host-iptables-coverage.test.ts to cover: missing-stderr error handling, empty dnsServers fallback to DEFAULT_DNS_SERVERS, and the cleanupChain “no leading digit” parsing path.
• Uses existing host-iptables-test-setup helpers (mockedExeca, execaResult, setupDefaultIptablesMocks, suite reset) to keep tests consistent with existing host-iptables tests.

Show a summary per file

File	Description
src/host-iptables-coverage.test.ts	Adds three targeted tests to cover specific uncovered branches in host iptables setup/cleanup code paths.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 1/1 changed files
• Comments generated: 3

[github-actions]

GitHub API: ✅ PASS
GitHub check: ✅ PASS
File verify: ✅ PASS

Total: PASS

💥 [THE END] — Illustrated by Smoke Claude

[github-actions]

🤖 Smoke Test Results

Test	Result
GitHub MCP connectivity	✅
GitHub.com HTTP	✅ (200)
File write/read	❌ (template vars not expanded)

Overall: FAIL

PR: [Test Coverage] host-iptables branch coverage — author: @github-actions[bot], no assignees.

⚠️ steps.smoke-data.outputs.* variables were not substituted — pre-step data unavailable.

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

🔥 Smoke Test Results — Auth mode: PAT (COPILOT_GITHUB_TOKEN)

PR: [Test Coverage] host-iptables branch coverage — @github-actions[bot] (no assignees)

Test	Result
GitHub MCP connectivity	✅
GitHub.com HTTP connectivity	✅
File write/read (smoke-test-copilot-pat-27364112688.txt)	✅

Overall: PASS

🔑 PAT report filed by Smoke Copilot PAT

[github-actions]

Chroot Version Comparison Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.13	Python 3.12.3	❌ NO
Node.js	v24.16.0	v22.22.3	❌ NO
Go	go1.22.12	go1.22.12	✅ YES

Overall: ❌ Not all tests passed — Python and Node.js versions differ between host and chroot environments.

Tested by Smoke Chroot

[github-actions]

Smoke Test: Copilot BYOK (Direct) Mode

✅ GitHub MCP - PRs fetched successfully
✅ GitHub.com - HTTP 200 OK
✅ File I/O - Write/read verified
✅ BYOK Inference - Direct mode active (COPILOT_PROVIDER_API_KEY via api-proxy → api.githubcopilot.com)

Status: PASS

Author: @github-actions[bot] | All systems operational in direct BYOK mode.

🔑 BYOK report filed by Smoke Copilot BYOK

[github-actions]

fix(api-proxy): stop double-counting cached tokens in AI credits ✅
fix(api-proxy): use 'token' auth prefix for GHES enterprise Copilot API ✅
GitHub query ✅
GH CLI query ✅
Playwright ✅
File write ✅
Discussion comment ✅
Build ✅
Status: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions]

Smoke Test: GitHub Actions Services Connectivity

Check	Result
Redis PING	❌ No service listening on port 6379
PostgreSQL pg_isready	❌ No response on port 5432
PostgreSQL SELECT 1	❌ No response on port 5432

Overall: FAIL

host.docker.internal resolves to 172.17.0.1 but neither Redis nor PostgreSQL service containers are reachable (no listeners on ports 6379 or 5432). The GitHub Actions service containers do not appear to be running in this workflow context.

🔌 Service connectivity validated by Smoke Services