test: add --allow-host-ports validation tests

[Mossaka]

Summary

• Extracts validateAllowHostPorts() function from inline CLI validation for testability
• Adds 7 unit tests covering all edge cases: error without --enable-host-access, pass with --enable-host-access, undefined ports, port ranges, and combined flag scenarios

Fixes #498

Test plan

• npm run build passes
• npm test passes (846 tests, 7 new)
• npm run lint passes (0 errors)
• CI checks pass

🤖 Generated with Claude Code

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	82.37%	82.50%	📈 +0.13%
Statements	82.27%	82.40%	📈 +0.13%
Functions	82.60%	82.69%	📈 +0.09%
Branches	74.21%	74.52%	📈 +0.31%

📁 Per-file Coverage Changes (2 files)

File	Lines (Before → After)	Statements (Before → After)
src/cli.ts	46.6% → 47.0% (+0.43%)	47.0% → 47.5% (+0.42%)
src/docker-manager.ts	83.4% → 84.0% (+0.54%)	82.8% → 83.3% (+0.52%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[Copilot]

Pull request overview

This PR improves testability of the CLI’s host-port gating logic by extracting --allow-host-ports validation into a dedicated helper and adding unit coverage for the flag-combination behavior (fixing #498).

Changes:

• Extracts validateAllowHostPorts() from inline CLI validation logic.
• Adds unit tests for validateAllowHostPorts() covering enabled/disabled/undefined scenarios and port list/range strings.
• Updates CLI execution path to use the extracted validation function before continuing.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
src/cli.ts	Extracts and uses validateAllowHostPorts() during CLI option validation.
src/cli.test.ts	Adds 7 unit tests covering validateAllowHostPorts() behavior across flag combinations.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

validateAllowHostPorts uses a truthy check (if (allowHostPorts && ...)). If the flag is provided as an empty string (e.g. --allow-host-ports ""), this bypasses validation even though the option was explicitly set. Consider checking allowHostPorts !== undefined (and optionally allowHostPorts.trim() !== '') instead of relying on truthiness so the constraint is enforced consistently.

[Copilot]

hostPortsValidation.error is optional in FlagValidationResult, but this log interpolates it without a non-null assertion or fallback. If a future refactor returns { valid: false } without an error message, this would log ❌ undefined. Consider asserting non-null (error!) or providing a default message when valid is false.

Suggested change

	logger.error(`❌ ${hostPortsValidation.error}`);
	logger.error(`❌ ${hostPortsValidation.error ?? 'Invalid --allow-host-ports configuration'}`);

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	❌	N/A	❌ CLONE_FAILED
Bun	hono	❌	N/A	❌ CLONE_FAILED
C++	fmt	❌	N/A	❌ CLONE_FAILED
C++	json	❌	N/A	❌ CLONE_FAILED
Deno	oak	❌	N/A	❌ CLONE_FAILED
Deno	std	❌	N/A	❌ CLONE_FAILED
.NET	hello-world	❌	N/A	❌ CLONE_FAILED
.NET	json-parse	❌	N/A	❌ CLONE_FAILED
Go	color	❌	N/A	❌ CLONE_FAILED
Go	env	❌	N/A	❌ CLONE_FAILED
Go	uuid	❌	N/A	❌ CLONE_FAILED
Java	gson	❌	N/A	❌ CLONE_FAILED
Java	caffeine	❌	N/A	❌ CLONE_FAILED
Node.js	clsx	❌	N/A	❌ CLONE_FAILED
Node.js	execa	❌	N/A	❌ CLONE_FAILED
Node.js	p-limit	❌	N/A	❌ CLONE_FAILED
Rust	fd	❌	N/A	❌ CLONE_FAILED
Rust	zoxide	❌	N/A	❌ CLONE_FAILED

Overall: 0/8 ecosystems passed — ❌ FAIL

---

❌ Error Details

All repository clones failed with the following error:

gh: To use GitHub CLI in a GitHub Actions workflow, set the GH_TOKEN environment variable.

Root cause: The GH_TOKEN environment variable is not set in this workflow run, so gh repo clone cannot authenticate with GitHub to clone the test repositories (Mossaka/gh-aw-firewall-test-{bun,cpp,deno,dotnet,go,java,node,rust}).

Fix: Ensure GH_TOKEN: ${{ github.token }} (or a PAT with repo read access to the Mossaka org) is set in the workflow step's env: block before invoking the build-test agent.

Generated by Build Test Suite for issue #1221 · ◷

[github-actions]

Smoke test results for run 22931851492 — @Mossaka

✅ GitHub MCP: Last 2 merged PRs: #1160 "fix(squid): block direct IP connections that bypass domain filtering", #1157 "feat: combine all build-test workflows into single build-test.md"
✅ Playwright: github.com title contains "GitHub"
✅ File write: /tmp/gh-aw/agent/smoke-test-copilot-22931851492.txt created and verified
✅ Bash: cat confirmed file contents

Overall: PASS

📰 BREAKING: Report filed by Smoke Copilot for issue #1221

[github-actions]

Smoke Test Results

• ✅ GitHub MCP: fix(squid): block direct IP connections that bypass domain filtering #1160 fix(squid): block direct IP connections that bypass domain filtering, feat: combine all build-test workflows into single build-test.md #1157 feat: combine all build-test workflows into single build-test.md
• ✅ Playwright: github.com title contains "GitHub"
• ✅ File Write: /tmp/gh-aw/agent/smoke-test-claude-22931851528.txt created
• ✅ Bash: File contents verified

Overall: PASS

💥 [THE END] — Illustrated by Smoke Claude for issue #1221

[github-actions]

Chroot Version Comparison Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.12	Python 3.12.3	❌ NO
Node.js	v24.14.0	v20.20.0	❌ NO
Go	go1.22.12	go1.22.12	✅ YES

Result: ❌ Not all tests passed. Python and Node.js versions differ between host and chroot environments.

Tested by Smoke Chroot for issue #1221

[github-actions]

PR Titles:
fix(squid): block direct IP connections that bypass domain filtering
feat: combine all build-test workflows into single build-test.md
Tests: GitHub MCP ✅ | Safeinputs GH CLI ✅
Tests: Playwright ✅ | Tavily ❌
Tests: File Writing ✅ | Bash ✅
Tests: Discussion ✅ | Build ✅
Overall Status: FAIL

🔮 The oracle has spoken through Smoke Codex for issue #1221