[Export Audit] Test helper iptablesNetworkTestHelpers exported from security-critical production module #3872

@github-actions

API Surface Issue

Category

Unused export (test helper leaking into production API of security-critical module)

Summary

  • File: src/host-iptables-network.ts
  • Symbol: iptablesNetworkTestHelpers
  • Issue: A test helper object is exported from the production iptables module and is only ever imported by the co-located test file. This exposes internal teardown logic as part of the module's public API.

Evidence

$ grep -rw "iptablesNetworkTestHelpers" src/ --include="*.ts"
src/host-iptables-network.ts:67:export const iptablesNetworkTestHelpers = { cleanupFirewallNetwork };
src/host-iptables-network.test.ts: import { iptablesNetworkTestHelpers } from './host-iptables-network';
src/host-iptables-network.test.ts: const { cleanupFirewallNetwork } = iptablesNetworkTestHelpers;

No production code ever imports iptablesNetworkTestHelpers. The public barrel src/host-iptables.ts does not re-export it.

Note: A prior issue #3220 tracked the direct export of cleanupFirewallNetwork. The apparent "fix" wrapped it in iptablesNetworkTestHelpers, but the symbol is still exported from a production module and still only used by tests — the underlying problem persists.

Recommended Fix

Remove the export keyword and import cleanupFirewallNetwork directly in the test file:

// src/host-iptables-network.ts — remove export
const iptablesNetworkTestHelpers = { cleanupFirewallNetwork };
// or simply remove the object entirely

// src/host-iptables-network.test.ts — import the private function directly (test files may import from source)
import { cleanupFirewallNetwork } from './host-iptables-network'; // make cleanupFirewallNetwork non-exported too
// OR keep cleanupFirewallNetwork exported (it's used in tests) but drop the wrapper object

Impact

  • Dead code risk: High — exported symbol in a security-critical iptables module with no production callers
  • Maintenance burden: Medium — wrapper object obscures intent and bypasses the abstraction boundary established by the barrel

Detected by Export Audit workflow. Triggered by push to main on 2026-05-26

Generated by API Surface & Export Audit · sonnet46 931.4K ·

  • expires on Jun 25, 2026, 10:12 PM UTC
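
The check behind this finding can be sketched as follows. This is an added example, not the project's Export Audit workflow or code from the issue: it flags exports of non-test modules that no production file imports or re-exports. The file contents are constructed, `setupFirewallNetwork` is a hypothetical name, and the regex matching covers only named imports and top-level export declarations.

```javascript
// Constructed sample tree (path -> source) modelled on the grep evidence in the issue;
// setupFirewallNetwork is a hypothetical production export added as a contrast case.
const SAMPLE_TREE = {
  'src/host-iptables-network.ts':
    'function cleanupFirewallNetwork() {}\n' +
    'export function setupFirewallNetwork() {}\n' +
    'export const iptablesNetworkTestHelpers = { cleanupFirewallNetwork };',
  'src/host-iptables.ts': "export { setupFirewallNetwork } from './host-iptables-network';",
  'src/host-iptables-network.test.ts':
    "import { iptablesNetworkTestHelpers } from './host-iptables-network';\n" +
    'const { cleanupFirewallNetwork } = iptablesNetworkTestHelpers;',
};
const isTest = (path) => /\.test\.ts$/.test(path);

// Names declared at top level with `export const|let|var|function|class`.
function declaredExports(source) {
  const re = /^export\s+(?:async\s+)?(?:const|let|var|function|class)\s+([A-Za-z_$][\w$]*)/gm;
  return [...source.matchAll(re)].map((m) => m[1]);
}

// Named imports and barrel re-exports: `import { a as b } from 'x'`, `export { a } from 'x'`.
function namedImports(source) {
  const re = /^(?:import|export)\s+(?:type\s+)?\{([^}]*)\}\s+from\s+['"]([^'"]+)['"]/gm;
  return [...source.matchAll(re)].flatMap((m) => m[1].split(',')
    .map((part) => ({ name: part.trim().split(/\s+as\s+/)[0], from: m[2] })).filter((i) => i.name));
}

// Resolve a relative specifier against the importing file; package imports are ignored.
function resolveSpecifier(importer, spec) {
  if (!spec.startsWith('.')) return null;
  const parts = importer.split('/').slice(0, -1);
  for (const seg of spec.split('/')) {
    if (seg === '..') parts.pop(); else if (seg !== '.') parts.push(seg);
  }
  return parts.join('/') + '.ts';
}

// Report exports of non-test modules that no production file imports or re-exports.
function findTestOnlyExports(tree) {
  const findings = [];
  for (const file of Object.keys(tree).filter((p) => !isTest(p))) {
    for (const symbol of declaredExports(tree[file])) {
      const importers = Object.keys(tree).filter((other) => other !== file &&
        namedImports(tree[other]).some((i) => i.name === symbol && resolveSpecifier(other, i.from) === file));
      if (importers.every(isTest)) findings.push({ file, symbol, testImporters: importers });
    }
  }
  return findings;
}
```

An export with no importers at all is reported too, with an empty `testImporters` list.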
