refactor: split src/host-env.ts into focused modules

[Copilot]

src/host-env.ts had grown to 514 lines mixing 8 unrelated concerns, making the security-critical UID/GID path hard to audit in isolation and forcing every importer to take a dependency on everything.

New modules

Module	Contents
src/constants.ts	Container name constants, SQUID_PORT, env-size thresholds
src/docker-host.ts	setAwfDockerHost, getLocalDockerEnv
src/host-identity.ts	validateIdNotInSystemRange, getSafeHostUid, getSafeHostGid, getRealUserHome, ACT_PRESET_BASE_IMAGE, MIN_REGULAR_UID
src/github-env.ts	readGitHubPathEntries, readGitHubEnvEntries, parseGitHubEnvFile, mergeGitHubPathEntries, readEnvFile, TOOLCHAIN_ENV_VARS, extractGhHostFromServerUrl

src/host-env.ts (facade, ~125 lines)

Retains subnetsOverlap/testHelpers, SslConfig, stripScheme, and parseDifcProxyHost directly. Re-exports everything from the four new modules for backward compatibility — existing tests importing from ./host-env continue to work unchanged.

Caller updates

All 12 production callers updated to import from the focused module that owns what they need:

// before
import { AGENT_CONTAINER_NAME, SQUID_PORT, getSafeHostUid, readGitHubEnvEntries } from './host-env';

// after
import { AGENT_CONTAINER_NAME, SQUID_PORT } from './constants';
import { getSafeHostUid } from './host-identity';
import { readGitHubEnvEntries } from './github-env';

[Copilot]

Pull request overview

This PR refactors src/host-env.ts by splitting it into focused modules to reduce coupling and make the UID/GID handling easier to audit, while keeping src/host-env.ts as a backwards-compatible facade.

Changes:

• Introduces new focused modules: src/constants.ts, src/docker-host.ts, src/host-identity.ts, and src/github-env.ts.
• Converts src/host-env.ts into a facade that re-exports the new modules while retaining a few host-env-specific utilities/types.
• Updates multiple production callers to import from the focused modules instead of host-env.

Show a summary per file

File	Description
src/services/squid-service.ts	Imports squid constants from ../constants while keeping SslConfig from host-env.
src/services/doh-proxy-service.ts	Switches container-name import to ../constants.
src/services/cli-proxy-service.ts	Switches container-name import to ../constants; keeps parseDifcProxyHost from host-env.
src/services/api-proxy-service.ts	Switches constants import to ../constants and moves readEnvFile import to ../github-env.
src/services/agent-service.ts	Moves host UID/GID helpers + ACT preset image import to ../host-identity; constants to ../constants.
src/services/agent-environment.ts	Splits imports across ../constants, ../host-identity, and ../github-env for clarity.
src/host-identity.ts	New module containing UID/GID/home-dir logic and related constants.
src/github-env.ts	New module for GitHub Actions env/path recovery and env-file parsing.
src/docker-host.ts	New module for Docker host override + local docker env selection.
src/constants.ts	New module containing container name constants, SQUID_PORT, and env-size thresholds.
src/host-env.ts	Becomes a facade re-exporting focused modules, while retaining SslConfig, stripScheme, parseDifcProxyHost, and subnet overlap helpers.
src/container-lifecycle.ts	Imports container constants from ./constants and docker env helper from ./docker-host.
src/container-cleanup.ts	Imports container constants from ./constants and docker env helper from ./docker-host.
src/config-writer.ts	Switches to SQUID_PORT from ./constants and host identity helpers from ./host-identity.
src/compose-generator.ts	Switches getRealUserHome import to ./host-identity (keeps SslConfig from host-env).

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 15/15 changed files
• Comments generated: 1

[lpcox]

@copilot merge main

[Copilot]

@copilot merge main

Done — merged main (commit a770aca) into this branch. Merge commit: 2a9e0ed.

[github-actions]

Smoke Test Results

❌ GitHub API: gh CLI not authenticated in sandboxed environment
✅ Playwright: Successfully navigated to https://github.com (title contains "GitHub")
✅ File verify: smoke-test-claude-25969530733.txt exists with expected content

Overall: FAIL (2/3 tests passed)

💥 [THE END] — Illustrated by Smoke Claude

[github-actions]

Smoke Test: Copilot BYOK (Offline) Mode — Run #25969530767

Test	Result
GitHub MCP connectivity	❌ 401 Bad credentials (MCP token not available in this environment)
GitHub.com HTTP connectivity	⚠️ Pre-step template vars not expanded — result unavailable
File write/read (/tmp/gh-aw/agent/smoke-test-copilot-byok-25969530767.txt)	✅ File exists and readable
BYOK inference (agent → api-proxy → api.githubcopilot.com)	✅ Responding normally

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com.

Overall: PARTIAL (2/4 fully verified; 1 env issue, 1 infra limitation)

🔑 BYOK report filed by Smoke Copilot BYOK

[github-actions]

🔬 Smoke Test Results

Test	Status
GitHub MCP connectivity	❌ (401 in sandbox)
GitHub.com HTTP	✅ 200
File write/read	✅ smoke-test-copilot-25969530790.txt verified

Overall: PASS (MCP 401 is a sandbox credential limitation, not a functional failure)

Author: @Copilot

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

Smoke test: FAIL
PR: Optimize export-audit workflow token usage by precomputing audits and bounding verification
PR: [awf] Support Azure Copilot BYOK env routing in api-proxy and resolve gpt-5.4 via gpt-5 family aliases
✅ GitHub PR review
❌ safeinputs-gh unavailable
✅ Playwright title contains GitHub
❌ Tavily search unavailable
✅ file write/bash read/build
⏭️ discussion skipped: tool unavailable
Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions]

Smoke test failed

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini

[github-actions]

Chroot Smoke Test Results

Runtime	Host Version	Chroot Version	Match?
Python	3.12.13	3.12.3	❌
Node.js	v24.15.0	v20.20.2	❌
Go	go1.22.12	go1.22.12	✅

Result: ❌ Not all tests passed — Python and Node.js versions differ between host and chroot.

Tested by Smoke Chroot

[github-actions]

Smoke Test Results — Services Connectivity

Check	Result
Redis PING	❌ Timeout / no response
PostgreSQL pg_isready	❌ No response
PostgreSQL SELECT 1	❌ No response

Overall: FAIL — host.docker.internal is unreachable on ports 6379 and 5432 from this runner environment. Service containers may not be running or network routing is blocked.

🔌 Service connectivity validated by Smoke Services

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	1/1 passed	✅ PASS
Go	env	✅	1/1 passed	✅ PASS
Go	uuid	✅	1/1 passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	all passed	✅ PASS
Node.js	execa	✅	all passed	✅ PASS
Node.js	p-limit	✅	all passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #3259 · ● 7.3M · ◷