Refactor duplicated invalid host-service port assertions in host-access firewall tests #5350

Merged: lpcox merged 2 commits into main from copilot/duplicate-code-invalid-port-tests on Jun 21, 2026
Conversation

Copilot AI commented Jun 21, 2026


The host-access firewall tests duplicated the same invalid allowHostServicePorts setup and negative iptables assertions in two security-sensitive cases. This consolidates that coverage so the default-port and valid-service-port variants share the same invalid-port expectations.

  • What changed

    • Extracted a shared setup helper for host-access tests that exercise allowHostServicePorts.
    • Extracted a shared assertion helper for verifying invalid host service ports are never emitted as iptables --dport rules.
    • Updated the two duplicated tests to focus only on their differing behavior:
      • default gateway HTTP rules still exist when all service ports are invalid
      • a valid service port is still allowed when mixed with invalid entries
  • Why this matters

    • Keeps the invalid-port security assertions aligned across both test paths.
    • Reduces the chance that future changes update one case but not the other.
  • Example

    const invalidHostServicePorts = ['abc', '99999', '-1'];
    
    await setupHostAccessWithServicePorts(`${invalidHostServicePorts.join(',')},5432`);
    expectInvalidHostServicePortsSkipped(invalidHostServicePorts);
    
    expect(mockedExeca).toHaveBeenCalledWith('iptables', [
      '-t', 'filter', '-A', 'FW_WRAPPER',
      '-p', 'tcp', '-d', '172.30.0.1', '--dport', '5432',
      '-j', 'ACCEPT',
    ]);
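To make the invariant these tests protect concrete, here is an added illustration (not the project's code): a port parser that rejects entries such as `abc`, `99999` and `-1`, a rule builder that emits only the `--dport` rules the PR example asserts on, and a check mirroring `expectInvalidHostServicePortsSkipped`. The function names `parseHostServicePorts`, `buildHostServiceRules` and `invalidPortsSkipped` are assumptions; the `FW_WRAPPER` chain and `172.30.0.1` gateway come from the PR body.

```typescript
// Added example, not the project's own code. Helper names are hypothetical;
// the chain name and gateway address are taken from the PR's example.
const GATEWAY_IP = '172.30.0.1';
const CHAIN = 'FW_WRAPPER';

// Parse a comma-separated allowHostServicePorts value. Only strict decimal
// integers in 1..65535 are accepted; everything else is reported as invalid
// so the caller can assert it never reached iptables.
function parseHostServicePorts(raw: string): { valid: number[]; invalid: string[] } {
  const valid: number[] = [];
  const invalid: string[] = [];
  for (const entry of raw.split(',')) {
    const trimmed = entry.trim();
    if (trimmed === '') continue;
    // Rejects 'abc', '-1', '0', '1e3', leading zeros and anything over 5 digits.
    if (!/^[1-9][0-9]{0,4}$/.test(trimmed)) { invalid.push(trimmed); continue; }
    const port = Number(trimmed);
    if (port > 65535) { invalid.push(trimmed); continue; }
    if (!valid.includes(port)) valid.push(port);
  }
  return { valid, invalid };
}

// Build one iptables argument vector per valid port, in the exact shape the
// PR's example expects mockedExeca to be called with. Invalid entries are
// dropped before any rule is constructed, so they cannot become a --dport.
function buildHostServiceRules(raw: string): string[][] {
  return parseHostServicePorts(raw).valid.map(port => [
    '-t', 'filter', '-A', CHAIN,
    '-p', 'tcp', '-d', GATEWAY_IP, '--dport', String(port),
    '-j', 'ACCEPT',
  ]);
}

// Negative assertion in the spirit of expectInvalidHostServicePortsSkipped:
// true when no emitted rule carries a rejected entry as its --dport value.
function invalidPortsSkipped(rules: string[][], rejected: string[]): boolean {
  return rules.every(rule => {
    const i = rule.indexOf('--dport');
    return i === -1 || !rejected.includes(rule[i + 1]);
  });
}
```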

Copilot AI changed the title [WIP] Refactor duplicate invalid-port tests in host access Refactor duplicated invalid host-service port assertions in host-access firewall tests Jun 21, 2026
Copilot finished work on behalf of lpcox June 21, 2026 16:16
Copilot AI requested a review from lpcox June 21, 2026 16:16
@lpcox lpcox marked this pull request as ready for review June 21, 2026 17:11
Copilot AI review requested due to automatic review settings June 21, 2026 17:11

Copilot AI left a comment

Pull request overview

This PR refactors the host-access firewall unit tests to remove duplicated setup and assertions around invalid allowHostServicePorts values, keeping the security-sensitive “invalid ports must not produce iptables --dport rules” coverage consistent across related test cases.

Changes:

  • Added a shared setupHostAccessWithServicePorts() helper to centralize the common host-access test setup for allowHostServicePorts.
  • Added a shared expectInvalidHostServicePortsSkipped() helper to consolidate negative assertions for invalid service ports.
  • Updated the two previously duplicated test cases to reuse these helpers and focus on their distinct expectations (default gateway HTTP rules still present; valid service port still allowed).
| File | Description |
|---|---|
| src/host-iptables-host-access.test.ts | Consolidates duplicated allowHostServicePorts setup and invalid-port iptables negative assertions into shared helpers, then updates the affected tests to use them. |

Copilot's findings


  • Files reviewed: 1/1 changed files
  • Comments generated: 0

@github-actions


✅ Copilot review passed with no inline comments.

@copilot Add the ready-for-aw label to this PR to trigger agentic CI smoke tests.

@github-actions

github-actions Bot commented Jun 21, 2026


🔌 Smoke Services — All services reachable! ✅

@github-actions

github-actions Bot commented Jun 21, 2026


Smoke Copilot BYOK AOAI (api-key) reports failed. AOAI BYOK (api-key) mode investigation needed...

@github-actions

github-actions Bot commented Jun 21, 2026


Smoke Gemini completed. All facets verified. 💎

Smoke test completed with partial success.

@github-actions

github-actions Bot commented Jun 21, 2026


📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅

@github-actions

github-actions Bot commented Jun 21, 2026


📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions

github-actions Bot commented Jun 21, 2026


Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded.

@github-actions

github-actions Bot commented Jun 21, 2026


✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions

github-actions Bot commented Jun 21, 2026


Smoke Claude passed

@github-actions

github-actions Bot commented Jun 21, 2026


🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅

@github-actions

github-actions Bot commented Jun 21, 2026


Build Test Suite completed successfully!

@github-actions

github-actions Bot commented Jun 21, 2026


Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓

@github-actions

github-actions Bot commented Jun 21, 2026


Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓

@github-actions


✅ Coverage Check Passed

Overall Coverage

| Metric | Base | PR | Delta |
|---|---|---|---|
| Lines | 97.85% | 97.89% | 📈 +0.04% |
| Statements | 97.78% | 97.82% | 📈 +0.04% |
| Functions | 99.50% | 99.50% | ➡️ +0.00% |
| Branches | 93.55% | 93.58% | 📈 +0.03% |

📁 Per-file Coverage Changes (1 file)

| File | Lines (Before → After) | Statements (Before → After) |
|---|---|---|
| src/workdir-setup.ts | 92.7% → 94.5% (+1.82%) | 92.7% → 94.5% (+1.82%) |

Coverage comparison generated by scripts/ci/compare-coverage.ts

@github-actions


Smoke Test: Claude Engine Validation

| Check | Result |
|---|---|
| API Status | ✅ PASS |
| GH Check | ✅ PASS |
| File Status | ✅ PASS |

Overall Result: PASS

Generated by Smoke Claude for issue #5350 · 60.9 AIC · ⊞ 3.1K

@github-actions


✅ Smoke Test: Copilot BYOK (Direct Mode)

Test Status
GitHub MCP connectivity
GitHub.com HTTP connectivity
File write/read
BYOK inference (api-proxy → api.githubcopilot.com)

Mode: Direct BYOK (COPILOT_PROVIDER_API_KEY via api-proxy sidecar)
Overall: PASS

🔑 BYOK report filed by Smoke Copilot BYOK

@github-actions


🤖 Smoke Test Results — PASS

Test Result
GitHub MCP connectivity
GitHub.com HTTP ✅ 200
File write/read

PR: Refactor duplicated invalid host-service port assertions in host-access firewall tests
Author: @Copilot; Assignees: @lpcox, @Copilot

Overall: PASS

📰 BREAKING: Report filed by Smoke Copilot

@github-actions


Split docker-manager cleanup tests by concern
Split api-proxy token parser tests by JSON, SSE, and normalization concerns
GitHub title: ✅
PR list: ✅
Discussion lookup: ✅
File write/read: ✅
Build: ✅
Overall: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

@github-actions


Smoke Test: API Proxy OpenTelemetry Tracing

Scenario Status Detail
1. Module Loading otel.js loads successfully; exports: startRequestSpan, setTokenAttributes, setBudgetAttributes, endSpan, endSpanError, shutdown, isEnabled + internal helpers
2. Test Suite 59 tests passed, 0 failed (2 suites: otel.test.js, otel-fanout.test.js)
3. Env Var Forwarding src/services/api-proxy-service-config.ts forwards OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_HEADERS, GITHUB_AW_OTEL_TRACE_ID, GITHUB_AW_OTEL_PARENT_SPAN_ID, OTEL_SERVICE_NAME to api-proxy container
4. Token Tracker Integration onUsage callback exists in token-tracker-http.js (line 283/324) as the OTEL hook point
5. OTEL Diagnostics No OTEL endpoint configured in this run; graceful degradation active — spans written to /var/log/api-proxy/otel.jsonl fallback

All 5 scenarios pass. OTEL tracing integration is fully operational.

📡 OTel tracing validated by Smoke OTel Tracing

@github-actions


cc @lpcox

Smoke Test Results:

  • GitHub MCP listing: ✅
  • github.com connectivity: ✅
  • file read/write: ✅
  • direct BYOK inference: ✅

Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) authenticated via Microsoft Entra

Overall: PASS

🪪 BYOK (AOAI Entra) report filed by Smoke Copilot BYOK AOAI (Entra)

@github-actions


🧪 Chroot Version Comparison Results

| Runtime | Host Version | Chroot Version | Match? |
|---|---|---|---|
| Python | Python 3.12.13 | Python 3.12.3 | ❌ NO |
| Node.js | v24.16.0 | v22.22.3 | ❌ NO |
| Go | go1.22.12 | go1.22.12 | ✅ YES |

Overall: ❌ Not all tests passed — Python and Node.js versions differ between host and chroot environments.

Tested by Smoke Chroot

@github-actions


🔬 Smoke Test: Copilot PAT — PASS

Test Result
GitHub MCP connectivity
GitHub.com HTTP ✅ 200
File write/read

Auth mode: PAT (COPILOT_GITHUB_TOKEN)

PR author: @Copilot — Assignees: @lpcox, @Copilot

🔑 PAT report filed by Smoke Copilot PAT

@github-actions


Smoke Test Results

  • Redis PING: ❌ Connection timed out (no response on host.docker.internal:6379)
  • PostgreSQL pg_isready: ❌ No response on host.docker.internal:5432
  • PostgreSQL SELECT 1: ❌ Not attempted (connection failed)

Overall: FAIL — Service containers are not reachable. host.docker.internal resolves to 172.17.0.1 but neither port is listening.

🔌 Service connectivity validated by Smoke Services

@github-actions


🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color 1/1 passed ✅ PASS
Go env 1/1 passed ✅ PASS
Go uuid 1/1 passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx 1/1 passed ✅ PASS
Node.js execa 1/1 passed ✅ PASS
Node.js p-limit 1/1 passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Details
  • Bun v1.3.14 — elysia and hono each passed 1 test (1 expect() call each)
  • C++ — fmt and json both configured with GCC 13.3.0 and built cleanly (static libs produced)
  • Deno v2.8.3 — oak passed in 49ms, std passed in 145ms
  • .NET — hello-world printed Hello, World!; json-parse correctly parsed and printed JSON fields
  • Go — color (TestRed), env (TestGet), uuid (TestNew) all passed
  • Java — gson and caffeine each ran 1 Maven test (0 failures, 0 errors, 0 skipped)
  • Node.js — clsx, execa, p-limit each ran 1 assertion test (no external packages fetched)
  • Rust — fd and zoxide each built and passed 1 test

Generated by Build Test Suite for issue #5350 · 163.3 AIC · ⊞ 7.7K

@github-actions


Smoke Test Results: Gemini Engine

  • GitHub MCP Testing: ❌ (mcpscripts not found)
  • GitHub.com Connectivity: ❌ (SSL error 35)
  • File Writing Testing: ✅
  • Bash Tool Testing: ✅

Overall status: FAIL

PR titles (partial):

  1. [Test Coverage] Cover regex rules in policy-manifest and signals in log-streamer ([Test Coverage] Cover regex rules in policy-manifest and signals in log-streamer #5317)

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini

@lpcox lpcox merged commit ccdc9ca into main Jun 21, 2026
85 of 91 checks passed
@lpcox lpcox deleted the copilot/duplicate-code-invalid-port-tests branch June 21, 2026 17:48