Refactor host iptables setup into validation, chain, and rule modules #5355

Merged
lpcox merged 3 commits into main from copilot/refactor-host-iptables-rules on Jun 22, 2026

Conversation

Copilot AI commented Jun 21, 2026


src/host-iptables-rules.ts had grown into a single security-critical module mixing input validation, chain lifecycle management, and rule application. This change splits those concerns into focused modules while keeping the public setupHostIptables API and rule behavior intact.

  • Validation helpers

    • Moved port-spec parsing and iptables error-shape helpers into src/host-iptables-validation.ts
    • Kept the test-only validation helper export available through src/host-iptables-rules.test-utils.ts
  • Chain lifecycle management

    • Moved chain setup, DOCKER-USER jump insertion, and debug logging into src/host-iptables-chain.ts
    • Preserved the existing permission checks, missing-iptables handling, and prior-chain cleanup flow
  • Rule application module

    • Reduced src/host-iptables-rules.ts to rule construction/orchestration plus the public host-access config types
    • Left setupHostIptables(...) and its caller-facing contract unchanged

Example of the new separation:

// host-iptables-rules.ts
import {
  checkPermissionsAndSetupChain,
  insertDockerUserJumpRule,
  logChainDebugOutput,
} from './host-iptables-chain';
import { parseValidPortSpecs } from './host-iptables-validation';
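
The description above names the three responsibilities the refactor separates: port-spec validation, chain lifecycle (including the DOCKER-USER jump), and rule construction. The block below is an added example written for this page, not the project's own host-iptables-validation.ts or host-iptables-chain.ts, showing how those pieces fit together in a way that keeps untrusted input out of the iptables command line. The accepted port-spec grammar (`[tcp/|udp/]PORT` or `PORT-PORT`), the chain-name rule, the CIDR check and the function names are assumptions; the project's real helpers may differ.

```typescript
// Added example, not the project's code. The spec grammar, chain-name rule,
// CIDR handling and function names are assumptions made for illustration.

type Proto = 'tcp' | 'udp';
interface PortSpec { proto: Proto; from: number; to: number }

// Assumed grammar: [tcp/|udp/]PORT or [tcp/|udp/]PORT-PORT; protocol defaults
// to tcp. The regex is anchored and digit-only, so no whitespace, separators
// or extra tokens can ride along into the iptables argv.
const SPEC_RE = /^(?:(tcp|udp)\/)?(\d{1,5})(?:-(\d{1,5}))?$/;
const CIDR_RE = /^(\d{1,3})(?:\.(\d{1,3})){3}\/(\d{1,2})$/;
// iptables chain names are limited to 28 characters (assumed charset here).
const CHAIN_RE = /^[A-Za-z0-9_-]{1,28}$/;

function validPort(p: number): boolean {
  return Number.isInteger(p) && p >= 1 && p <= 65535;
}

// Returns null for anything that is not a well-formed, in-range port spec.
function parsePortSpec(spec: string): PortSpec | null {
  const m = SPEC_RE.exec(spec);
  if (m === null) return null;
  const proto: Proto = m[1] === 'udp' ? 'udp' : 'tcp';
  const from = Number(m[2]);
  const to = m[3] === undefined ? from : Number(m[3]);
  if (!validPort(from) || !validPort(to) || from > to) return null;
  return { proto, from, to };
}

// Partition specs; invalid ones are reported rather than silently dropped, so
// a typo cannot quietly produce fewer rules than the operator expected.
function parseValidPortSpecs(specs: readonly string[]): { valid: PortSpec[]; invalid: string[] } {
  const valid: PortSpec[] = [];
  const invalid: string[] = [];
  for (const s of specs) {
    const parsed = parsePortSpec(s);
    if (parsed) valid.push(parsed); else invalid.push(s);
  }
  return { valid, invalid };
}

// Dotted-quad CIDR with every octet and the prefix length range-checked.
function isValidCidr(cidr: string): boolean {
  if (CIDR_RE.exec(cidr) === null) return false;
  const [addr, prefix] = cidr.split('/');
  const octetsOk = addr.split('.').every((o) => Number(o) <= 255);
  return octetsOk && Number(prefix) <= 32;
}

// One ACCEPT rule per spec as an argv array for execFile (never a shell
// string); `--dport a:b` is the iptables syntax for a port range.
function hostAccessRuleArgs(chain: string, srcCidr: string, spec: PortSpec): string[] {
  const ports = spec.from === spec.to ? String(spec.from) : `${spec.from}:${spec.to}`;
  return ['-A', chain, '-s', srcCidr, '-p', spec.proto, '--dport', ports, '-j', 'ACCEPT'];
}

// Jump from DOCKER-USER into the custom chain at position 1, so the chain is
// evaluated before anything else already present in DOCKER-USER.
function dockerUserJumpArgs(chain: string): string[] {
  return ['-I', 'DOCKER-USER', '1', '-j', chain];
}

// Orchestration: validate every input first, then emit the full argv list.
// Throws (setup aborts) on any rejected input instead of applying a partial policy.
function buildHostAccessRules(chain: string, srcCidr: string, specs: readonly string[]): string[][] {
  if (!CHAIN_RE.test(chain)) throw new Error(`bad chain name: ${chain}`);
  if (!isValidCidr(srcCidr)) throw new Error(`bad source CIDR: ${srcCidr}`);
  const { valid, invalid } = parseValidPortSpecs(specs);
  if (invalid.length > 0) throw new Error(`invalid port specs: ${invalid.join(', ')}`);
  return [dockerUserJumpArgs(chain), ...valid.map((s) => hostAccessRuleArgs(chain, srcCidr, s))];
}

// Constructed sample input: a container subnet and two host ports.
const sampleArgv = buildHostAccessRules('HOST-ACCESS', '172.17.0.0/16', ['8080', 'udp/53']);
```

Each argv array in `sampleArgv` is meant to be passed to `child_process.execFile('iptables', args)`; building argv rather than a command string is what makes the anchored regexes sufficient, since there is no shell to re-interpret a rejected character even if the validation were ever loosened.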

Copilot AI changed the title [WIP] Refactor host iptables rules into focused modules Refactor host iptables setup into validation, chain, and rule modules Jun 21, 2026
Copilot AI requested a review from lpcox June 21, 2026 16:07
Copilot finished work on behalf of lpcox June 21, 2026 16:07
@lpcox lpcox marked this pull request as ready for review June 21, 2026 17:12
Copilot AI review requested due to automatic review settings June 21, 2026 17:12

Copilot AI left a comment


Pull request overview

This PR refactors the host iptables implementation by separating validation, chain lifecycle management, and rule orchestration into dedicated modules, while the setupHostIptables(...) entrypoint and runtime behavior are intended to remain unchanged.

Changes:

  • Added src/host-iptables-validation.ts to house port-spec parsing and iptables error-shape helpers (plus test-only helper export).
  • Added src/host-iptables-chain.ts to encapsulate chain setup/cleanup, DOCKER-USER jump insertion, and chain debug logging.
  • Updated src/host-iptables-rules.ts to focus on rule construction/orchestration and delegate chain + validation responsibilities to the new modules.
Summary per file:

File | Description
src/host-iptables-validation.ts | New validation/error-shape helper module extracted from the prior monolithic rules file.
src/host-iptables-chain.ts | New chain lifecycle module for permissions checks, chain creation/cleanup, and DOCKER-USER jump management.
src/host-iptables-rules.ts | Reduced to orchestration + rule application; imports chain/validation helpers from new modules.
src/host-iptables-rules.test-utils.ts | Redirected test-only helper re-export to the new validation module.

Copilot's findings


  • Files reviewed: 4/4 changed files
  • Comments generated: 1

Comment thread on src/host-iptables-validation.ts (outdated):
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

github-actions Bot commented Jun 21, 2026


🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅


github-actions Bot commented Jun 21, 2026


Smoke Claude passed


github-actions Bot commented Jun 21, 2026


Smoke Copilot BYOK AOAI (api-key) reports failed. AOAI BYOK (api-key) mode investigation needed...


github-actions Bot commented Jun 21, 2026


Smoke Copilot BYOK AOAI (Entra) reports failed. AOAI BYOK (Entra) mode investigation needed...


github-actions Bot commented Jun 21, 2026


Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded.


github-actions Bot commented Jun 21, 2026


Smoke Gemini completed. All facets verified. 💎


github-actions Bot commented Jun 21, 2026


📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅


github-actions Bot commented Jun 21, 2026


✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟


github-actions Bot commented Jun 21, 2026


Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓


github-actions Bot commented Jun 21, 2026


🔌 Smoke Services — All services reachable! ✅


github-actions Bot commented Jun 21, 2026


📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤


github-actions Bot commented Jun 21, 2026


Build Test Suite completed successfully!

github-actions Bot commented


Smoke Test: BYOK Mode ✅

Mode: Direct BYOK via api-proxy → api.githubcopilot.com

  • ✅ MCP Connectivity: GitHub API responding
  • ✅ BYOK Inference: Copilot executing prompts
  • ✅ Placeholder Auth: Agent has dummy key, real key in sidecar
  • ✅ API Environment: Copilot variables properly injected

Status: PASS — All BYOK inference tests verified.

🔑 BYOK report filed by Smoke Copilot BYOK

github-actions Bot commented


Smoke Test: Claude Engine Validation

  • API status: ✅ PASS
  • gh check: ✅ PASS
  • File status: ✅ PASS

Overall result: PASS

Generated by Smoke Claude for issue #5355 · 36.6 AIC · ⊞ 3.1K ·

github-actions Bot commented


🔬 Smoke Test Results

PR: Refactor host iptables setup into validation, chain, and rule modules
Author: @Copilot | Assignees: @lpcox @Copilot

Test | Result
GitHub MCP connectivity |
GitHub.com HTTP connectivity | ❌ (pre-step data missing)
File write/read | ❌ (pre-step data missing)

Overall: FAIL — pre-step outputs were not resolved (unsubstituted ${{ steps.smoke-data.outputs.* }} variables).

📰 BREAKING: Report filed by Smoke Copilot

github-actions Bot commented


🔍 Smoke Test: PAT Auth — PASS

PR: Refactor host iptables setup into validation, chain, and rule modules
Author: @Copilot | Assignees: @lpcox @Copilot
Auth mode: PAT (COPILOT_GITHUB_TOKEN)

Test | Result
GitHub MCP connectivity |
GitHub.com HTTP | ✅ 200
File write/read | ⚠️ template vars unexpanded

Overall: PASS (2/2 verifiable tests passed; file test skipped — pre-step template expansion issue)

🔑 PAT report filed by Smoke Copilot PAT

github-actions Bot commented


PRs reviewed:

  • [Test Coverage] Cover regex rules in policy-manifest and signals in log-streamer
  • perf(security-guard): prioritize security-relevant files in PR diff
  • GitHub title check: ✅
  • File write/verify: ✅
  • Discussion comment: ✅
  • Build: ✅
  • Overall: PASS

🔮 The oracle has spoken through Smoke Codex

github-actions Bot commented


🧪 Chroot Version Comparison Results

Runtime | Host Version | Chroot Version | Match?
Python | Python 3.12.13 | Python 3.12.3 | ❌ NO
Node.js | v24.16.0 | v22.22.3 | ❌ NO
Go | go1.22.12 | go1.22.12 | ✅ YES

Overall result: ❌ Not all tests passed — Python and Node.js versions differ between host and chroot environments.

Tested by Smoke Chroot

github-actions Bot commented


🔍 Smoke Test: API Proxy OpenTelemetry Tracing

Scenario | Result | Notes
1. Module Loading | ✅ Pass | otel.js loads successfully; exports: startRequestSpan, setTokenAttributes, setBudgetAttributes, endSpan, endSpanError, shutdown, isEnabled + internal helpers
2. Test Suite | ✅ Pass | 59 tests passed, 0 failed across otel.test.js + otel-fanout.test.js
3. Env Var Forwarding | ✅ Pass | api-proxy-service-config.ts forwards GH_AW_OTLP_ENDPOINTS, OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_HEADERS, GITHUB_AW_OTEL_TRACE_ID, GITHUB_AW_OTEL_PARENT_SPAN_ID, OTEL_SERVICE_NAME
4. Token Tracker Integration | ✅ Pass | onUsage callback exists in token-tracker-http.js (line 283/324) as the OTEL hook point
5. OTEL Diagnostics / Graceful Degradation | ✅ Pass | When no OTEL endpoint is configured, isEnabled() returns true with local file fallback (/var/log/api-proxy/otel.jsonl); provider initializes cleanly

All scenarios pass. ✅

📡 OTel tracing validated by Smoke OTel Tracing

github-actions Bot commented


Smoke Test Results: Gemini

  • GitHub MCP Testing: ❌ (Tool not found)
  • GitHub.com Connectivity: ❌ (SSL error 35)
  • File Writing Testing: ✅
  • Bash Tool Testing: ✅

Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini

github-actions Bot commented


Smoke Test: GitHub Actions Services Connectivity

Check | Result
Redis PING | ❌ Connection timed out
PostgreSQL pg_isready | ❌ No response
PostgreSQL SELECT 1 | ❌ Connection timed out

Overall: FAIL

host.docker.internal resolves to 172.17.0.1 but none of the service containers (Redis :6379, PostgreSQL :5432) are reachable from this environment.

🔌 Service connectivity validated by Smoke Services

github-actions Bot commented


🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color passed ✅ PASS
Go env passed ✅ PASS
Go uuid passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx all passed ✅ PASS
Node.js execa all passed ✅ PASS
Node.js p-limit all passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #5355 · 34.3 AIC · ⊞ 7.7K ·

@lpcox lpcox enabled auto-merge (squash) June 21, 2026 17:50
github-actions Bot commented


@Copilot @lpcox

Smoke test results:

  • PR 5352: ❌ live MCP test skipped (using pre-fetched data)
  • GitHub.com HTTP: ✅
  • File I/O: ✅
  • BYOK path: ✅

Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw)

Overall: PASS

🔑 BYOK (AOAI api-key) report filed by Smoke Copilot BYOK AOAI (api-key)

@lpcox lpcox disabled auto-merge June 22, 2026 03:18
@lpcox lpcox merged commit ab49ab8 into main Jun 22, 2026
61 of 65 checks passed
@lpcox lpcox deleted the copilot/refactor-host-iptables-rules branch June 22, 2026 03:18

3 participants