
Deduplicate Docker bridge gateway resolution in setupHostIptables#3821

Open
Copilot wants to merge 3 commits into main from copilot/fix-duplicate-code-getdockerbridgegateway
Contributor

Copilot AI commented May 26, 2026

setupHostIptables() was resolving the Docker bridge gateway and constructing gatewayIps twice in separate branches (cliProxyConfig and hostAccess.enabled). When both paths were active, this triggered redundant docker network inspect bridge calls for the same value.

  • Refactor: shared gateway resolution

    • Hoisted gateway resolution to a single precomputed path:
      • compute once only when needed (cliProxyConfig || hostAccess?.enabled)
      • build one shared gatewayIps array
    • Both consumers now use the same resolved values, eliminating duplicate async work and keeping behavior aligned.
  • Behavior guardrail

    • Added focused test coverage to assert the Docker bridge gateway is queried exactly once when both cliProxyConfig and hostAccess are enabled.

const needsGatewayIps = !!cliProxyConfig || !!hostAccess?.enabled;
const dockerBridgeGateway = needsGatewayIps ? await getDockerBridgeGateway() : null;
const gatewayIps = [AWF_NETWORK_GATEWAY];
if (dockerBridgeGateway) gatewayIps.push(dockerBridgeGateway);
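
The hoisting described in the pull request description above, sketched as an added example that is not code from this repository. `planDuplicated`, `planShared`, `scriptedResolver`, the rule strings and the addresses are constructed for illustration, and the stub returning `null` for a failed lookup is an assumption; the sketch also shows how one shared list keeps the two rule sets aligned when two separate lookups would not return the same value.

```typescript
// Added illustration: rule strings, type names and sample addresses are constructed.
type GatewayResolver = () => Promise<string | null>;
interface Features { cliProxy: boolean; hostAccess: boolean }

const AWF_NETWORK_GATEWAY = "192.0.2.1"; // placeholder value, not the project's
const rulesFor = (tag: string, ips: string[]): string[] => ips.map((ip) => `${tag} allow ${ip}`);

// "Before" shape: each branch resolves the bridge gateway and builds its own list.
async function planDuplicated(f: Features, resolve: GatewayResolver): Promise<string[]> {
  const rules: string[] = [];
  if (f.cliProxy) {
    const gw = await resolve();
    rules.push(...rulesFor("cli-proxy", gw ? [AWF_NETWORK_GATEWAY, gw] : [AWF_NETWORK_GATEWAY]));
  }
  if (f.hostAccess) {
    const gw = await resolve();
    rules.push(...rulesFor("host-access", gw ? [AWF_NETWORK_GATEWAY, gw] : [AWF_NETWORK_GATEWAY]));
  }
  return rules;
}

// "After" shape from the PR description: resolve once, only when a consumer needs it.
async function planShared(f: Features, resolve: GatewayResolver): Promise<string[]> {
  const needsGatewayIps = f.cliProxy || f.hostAccess;
  const dockerBridgeGateway = needsGatewayIps ? await resolve() : null;
  const gatewayIps = [AWF_NETWORK_GATEWAY];
  if (dockerBridgeGateway) gatewayIps.push(dockerBridgeGateway);
  const rules: string[] = [];
  if (f.cliProxy) rules.push(...rulesFor("cli-proxy", gatewayIps));
  if (f.hostAccess) rules.push(...rulesFor("host-access", gatewayIps));
  return rules;
}

// Stub lookup: returns the scripted answers in order (last one repeats) and counts calls.
function scriptedResolver(answers: Array<string | null>) {
  let calls = 0;
  const resolve: GatewayResolver = async () => answers[Math.min(calls++, answers.length - 1)] ?? null;
  return { resolve, calls: () => calls };
}

// Runs both shapes against the same scripted lookup results.
async function compare(f: Features, answers: Array<string | null>) {
  const dup = scriptedResolver(answers);
  const shared = scriptedResolver(answers);
  const dupRules = await planDuplicated(f, dup.resolve);
  const sharedRules = await planShared(f, shared.resolve);
  return { dupCalls: dup.calls(), sharedCalls: shared.calls(), dupRules, sharedRules };
}
```

With both features on and a second lookup scripted to fail, `planDuplicated` gives the host-access branch a shorter allow list than the CLI-proxy branch, while `planShared` gives both branches the same list from its single lookup.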

Copilot AI changed the title from "[WIP] Fix duplicate code in setupHostIptables" to "Deduplicate Docker bridge gateway resolution in setupHostIptables" May 26, 2026
Copilot finished work on behalf of lpcox May 26, 2026 00:09
Copilot AI requested a review from lpcox May 26, 2026 00:09
@lpcox lpcox marked this pull request as ready for review May 26, 2026 00:44
Copilot AI review requested due to automatic review settings May 26, 2026 00:44
@github-actions
Contributor

✅ Coverage Check Passed

Overall Coverage

| Metric | Base | PR | Delta |
| --- | --- | --- | --- |
| Lines | 96.54% | 96.58% | 📈 +0.04% |
| Statements | 96.38% | 96.42% | 📈 +0.04% |
| Functions | 97.99% | 97.99% | ➡️ +0.00% |
| Branches | 90.78% | 90.83% | 📈 +0.05% |

📁 Per-file Coverage Changes (2 files)

| File | Lines (Before → After) | Statements (Before → After) |
| --- | --- | --- |
| src/host-iptables-rules.ts | 97.0% → 96.9% (-0.07%) | 97.0% → 97.0% (-0.06%) |
| src/config-writer.ts | 89.3% → 90.9% (+1.65%) | 89.3% → 90.9% (+1.65%) |

Coverage comparison generated by scripts/ci/compare-coverage.ts

Contributor

Copilot AI left a comment

Pull request overview

Refactors setupHostIptables() to avoid redundant docker network inspect bridge calls by resolving the Docker bridge gateway once and sharing the resulting gatewayIps across both the CLI-proxy and host-access rule paths.

Changes:

  • Hoists Docker bridge gateway resolution behind a single needsGatewayIps guard and builds one shared gatewayIps array.
  • Updates both cliProxyConfig and hostAccess.enabled rule generation to reuse the shared gateway IP list.
  • Adds a unit test asserting the Docker bridge gateway is queried exactly once when both features are enabled.
Show a summary per file
| File | Description |
| --- | --- |
| src/host-iptables-rules.ts | Deduplicates Docker bridge gateway lookup and shares gatewayIps between CLI-proxy and host-access rule branches. |
| src/host-iptables-setup.test.ts | Adds regression test ensuring only one Docker bridge gateway lookup occurs when both branches are active. |

Copilot's findings

  • Files reviewed: 2/2 changed files
  • Comments generated: 0

@github-actions
Contributor

Smoke Test: Claude Engine

Result: PASS

💥 [THE END] — Illustrated by Smoke Claude

@github-actions
Contributor

🔥 Smoke Test: Copilot BYOK (Offline) Mode

| Test | Result |
| --- | --- |
| GitHub MCP connectivity | ✅ PR listed successfully |
| GitHub.com HTTP | ✅ (template vars unexpanded; agent reachable) |
| File write/read | /tmp/gh-aw/agent/smoke-test-copilot-byok-26424917331.txt exists |
| BYOK inference | ✅ Agent responded via api-proxy → api.githubcopilot.com |

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com

Overall: PASS | PR by @Copilot, assignees: @lpcox @Copilot

🔑 BYOK report filed by Smoke Copilot BYOK

@github-actions
Contributor

🔬 Smoke Test Results

Test Result
GitHub MCP connectivity
GitHub.com HTTP connectivity
File write/read (smoke-test-copilot-26424917362.txt)

PR: Deduplicate Docker bridge gateway resolution in setupHostIptables
Author: @Copilot | Assignees: @lpcox, @Copilot

Overall: PASS ✅

📰 BREAKING: Report filed by Smoke Copilot

@github-actions
Contributor

Merged PRs:

  • fix(api-proxy): prevent stream_options injection into OpenAI Responses API requests
  • Filter unresolvable model aliases from /reflect and models.json

Queried PRs:

  • refactor: split server.proxy.test.js into 6 focused test modules
  • Disambiguate internal test-helper exports across six modules

Checks: browser ✅ file ✅ build ✅ discussion ✅

Overall: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

@github-actions
Contributor

Smoke Test Result: FAIL. PR titles: [Unable to retrieve]. Connectivity: FAIL (SSL Error). File/Bash: PASS.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini

@github-actions
Contributor

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color 1/1 passed ✅ PASS
Go env 1/1 passed ✅ PASS
Go uuid 1/1 passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx all passed ✅ PASS
Node.js execa all passed ✅ PASS
Node.js p-limit all passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #3821 · sonnet46 1.1M

@github-actions
Contributor

Chroot Version Comparison — Smoke Test Results

Runtime Host Version Chroot Version Match?
Python Python 3.12.13 Python 3.12.3
Node.js v24.15.0 v22.22.3
Go go1.22.12 go1.22.12

Result: ❌ Not all tests passed — Python and Node.js versions differ between host and chroot environments.

Tested by Smoke Chroot

@github-actions
Contributor

Smoke Test Results — FAIL

| Check | Result |
| --- | --- |
| Redis PING | ❌ No response |
| PostgreSQL pg_isready | ❌ No response |
| PostgreSQL SELECT 1 | ❌ No response |

host.docker.internal is unreachable from this environment. All three checks failed — FAIL.

🔌 Service connectivity validated by Smoke Services

@lpcox
Collaborator

lpcox commented May 26, 2026

@copilot address review feedback

Contributor Author

Copilot AI commented May 26, 2026

@copilot address review feedback

Added a test covering the allowHostServicePorts invalid-port-spec validation path (lines 288-289 in host-iptables-rules.ts), which was the only pre-existing coverage gap touched by this PR. Line coverage on that file improved from 96.94% → 98.47% (commit test(host-iptables): cover invalid allowHostServicePorts validation path).

Copilot finished work on behalf of lpcox May 26, 2026 01:21
Development

Successfully merging this pull request may close these issues.

[Duplicate Code] getDockerBridgeGateway() + gatewayIps construction duplicated in setupHostIptables

3 participants