[Refactoring] Split `src/host-iptables.test.ts` into focused test modules

[github-actions]

Refactoring Opportunity

Summary

• File: src/host-iptables.test.ts
• Current size: 1,112 lines
• Responsibilities identified: 7 distinct test areas for a security-critical module

Evidence

The file contains 7 distinct top-level describe() blocks testing different aspects of host-side iptables management:

src/host-iptables.test.ts (1,112 lines):
  23:  describe('ensureFirewallNetwork', ...)
  79:  describe('setupHostIptables', ...)         # ~453 lines
 532:  describe('setupHostIptables with host access', ...)  # ~357 lines
 889:  describe('isValidPortSpec', ...)
 917:  describe('cleanupHostIptables', ...)        # ~114 lines
1031:  describe('setupHostIptables with DoH proxy', ...)    # ~61 lines
1092:  describe('cleanupFirewallNetwork', ...)

setupHostIptables alone spans from line 79 to 531 (~453 lines), covering many scenarios. The host iptables module is security-critical — tests for it should be easy to navigate and review.

Proposed Split

• src/host-iptables-network.test.ts — ensureFirewallNetwork, cleanupFirewallNetwork
• src/host-iptables-setup.test.ts — setupHostIptables (core cases), isValidPortSpec
• src/host-iptables-host-access.test.ts — setupHostIptables with host access variants
• src/host-iptables-cleanup.test.ts — cleanupHostIptables
• src/host-iptables-doh.test.ts — setupHostIptables with DoH proxy

Affected Callers

None — test files are not imported by production code.

Effort Estimate

Low

Benefits

• Security-critical code should have highly navigable tests — reviewers need to quickly find relevant test cases
• Smaller test files reduce merge conflicts when multiple contributors extend coverage
• Focused test files make it clearer what scenarios each iptables function must handle

---

Detected by Refactoring Scanner workflow. Run date: 2026-05-10

Generated by Refactoring Opportunity Scanner · ● 735.6K · ◷

• expires on Jul 9, 2026, 2:10 PM UTC