Refactor host-access port spec parsing to remove duplicate logic

[Copilot]

setupHostIptables() had two near-identical parse/trim/validate loops for allowHostPorts and allowHostServicePorts, differing only in warning label text. This change consolidates that logic so both inputs use one validation path while preserving existing behavior and log semantics.

• Code simplification

  • Added parseValidPortSpecs(input, label) in src/host-iptables-rules.ts.
  • Replaced duplicated inline loops with:
    • parseValidPortSpecs(hostAccess.allowHostPorts, "port spec")
    • parseValidPortSpecs(hostAccess.allowHostServicePorts, "host service port spec")
  • Kept deduplication and default port merging unchanged.

• Behavioral parity

  • Invalid entries are still skipped.
  • Warning messages retain source-specific context via label.
  • Valid single ports/ranges continue to flow into the same customPorts/allPorts path.

• Test coverage adjustment

  • Added a focused unit test in src/host-iptables-host-access.test.ts to verify invalid allowHostServicePorts values are filtered and valid ones still produce rules.

const customPorts = [
  ...parseValidPortSpecs(hostAccess.allowHostPorts, 'port spec'),
  ...parseValidPortSpecs(hostAccess.allowHostServicePorts, 'host service port spec'),
];

[Copilot]

Pull request overview

This PR refactors host-access port-spec parsing in setupHostIptables() by consolidating duplicated CSV parse/trim/validate logic for allowHostPorts and allowHostServicePorts into a shared helper, while keeping warning text semantics intact via a label parameter.

Changes:

• Added internal helper parseValidPortSpecs(input, label) to centralize port-spec parsing/validation and warning emission.
• Replaced the two duplicated inline loops with calls to the shared helper for allowHostPorts and allowHostServicePorts.
• Added a unit test ensuring invalid allowHostServicePorts entries are skipped while valid ports still produce iptables rules.

Show a summary per file

File	Description
src/host-iptables-rules.ts	Introduces parseValidPortSpecs() and uses it to remove duplicated validation logic for host-access port specs.
src/host-iptables-host-access.test.ts	Adds a test covering invalid-value filtering for allowHostServicePorts while verifying valid ports still generate rules.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 2/2 changed files
• Comments generated: 0

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	96.54%	96.60%	📈 +0.06%
Statements	96.38%	96.44%	📈 +0.06%
Functions	97.99%	98.00%	📈 +0.01%
Branches	90.78%	90.88%	📈 +0.10%

📁 Per-file Coverage Changes (2 files)

File	Lines (Before → After)	Statements (Before → After)
src/host-iptables-rules.ts	97.0% → 97.7% (+0.68%)	97.0% → 97.7% (+0.67%)
src/config-writer.ts	89.3% → 90.9% (+1.65%)	89.3% → 90.9% (+1.65%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[github-actions]

🔬 Smoke Test Results

Test	Status
GitHub MCP connectivity	✅
GitHub.com HTTP connectivity	⚠️ N/A (pre-step template vars not expanded)
File write/read	⚠️ N/A (pre-step template vars not expanded)

PR: "Refactor host-access port spec parsing to remove duplicate logic"
Author: @Copilot | Assignees: @lpcox, @Copilot

Overall: PARTIAL — MCP ✅, connectivity tests skipped (workflow template vars unexpanded)

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

Smoke Test: Claude Engine

• ✅ GitHub API: 2 recent PRs fetched (fix(api-proxy): prevent stream_options injection into OpenAI Responses API requests #3805, Filter unresolvable model aliases from /reflect and models.json #3803)
• ✅ Playwright check: PASS
• ✅ File verify: smoke-test-claude-26424932707.txt present

Result: PASS

💥 [THE END] — Illustrated by Smoke Claude

[github-actions]

✅ fix(api-proxy): prevent stream_options injection into OpenAI Responses API requests
✅ Filter unresolvable model aliases from /reflect and models.json
✅ GitHub title contains GitHub
✅ Smoke file verified
✅ Discussion comment added
✅ Build passed
Overall status: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions]

🔥 Smoke Test: Copilot BYOK (Offline) Mode

Test	Result
GitHub MCP connectivity	✅ PR listed successfully
GitHub.com HTTP	⚠️ Pre-step data not expanded (template vars unavailable)
File write/read	⚠️ Pre-step data not expanded (template vars unavailable)
BYOK inference (this response)	✅ Responding via api-proxy → api.githubcopilot.com

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com.

PR author: @Copilot | Assignees: @lpcox, @Copilot

Overall: PARTIAL — BYOK inference confirmed ✅; pre-step HTTP/file tests had unexpanded template variables.

🔑 BYOK report filed by Smoke Copilot BYOK

[github-actions]

Gemini Smoke Test Results

• GitHub MCP: ✅
• Connectivity: ✅
• File Writing: ✅
• Bash Tool: ✅

PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini

[github-actions]

Chroot Runtime Version Comparison

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.13	Python 3.12.3	❌ NO
Node.js	v24.15.0	v22.22.3	❌ NO
Go	go1.22.12	go1.22.12	✅ YES

Result: ❌ Not all runtimes match — smoke-chroot label not added.

Tested by Smoke Chroot

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	1/1 passed	✅ PASS
Go	env	✅	1/1 passed	✅ PASS
Go	uuid	✅	1/1 passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	All passed	✅ PASS
Node.js	execa	✅	All passed	✅ PASS
Node.js	p-limit	✅	All passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #3822 · sonnet46 1M · ◷

[github-actions]

Smoke Test Results — Services Connectivity

Check	Result
Redis PING	❌ Timeout/no response
PostgreSQL pg_isready	❌ No response
PostgreSQL SELECT 1	❌ No response

Overall: FAIL — host.docker.internal unreachable on ports 6379 and 5432. Service containers may not be running or the host alias is not resolvable in this environment.

🔌 Service connectivity validated by Smoke Services

[lpcox]

@copilot adddress review feedback

[Copilot]

@copilot adddress review feedback

I checked the PR review threads and don’t see any actionable review comments to address—the review summary shows 0 findings. Point me to the specific comment or requested change and I’ll update the PR.