refactor(services): deduplicate container security-hardening config across sidecar builders #3274

Merged: lpcox merged 3 commits into main from copilot/duplicate-code-security-config on May 16, 2026

Copilot AI commented May 16, 2026

cap_drop, security_opt, and the resource-limit fields were copy-pasted verbatim into three sidecar service builders, meaning a hardening change (e.g. adding read_only: true) had to be applied manually in three places and could silently diverge.

Changes

  • New src/services/service-security.ts — exports buildContainerSecurityHardening(limits) which returns the standard hardening block; cap_drop/security_opt are fixed, resource limits are per-caller:

    export function buildContainerSecurityHardening(limits: ContainerResourceLimits): Record<string, unknown> {
      return {
        cap_drop: ['ALL'],
        security_opt: ['no-new-privileges:true'],
        mem_limit: limits.memLimit,
        memswap_limit: limits.memLimit,   // always match mem_limit
        pids_limit: limits.pidsLimit,
        ...(limits.cpuShares !== undefined && { cpu_shares: limits.cpuShares }),
      };
    }
  • api-proxy-service.ts, doh-proxy-service.ts, cli-proxy-service.ts — replace the inline blocks with a single spread:

    ...buildContainerSecurityHardening({ memLimit: '512m', pidsLimit: 100, cpuShares: 512 }),

    Resource limits remain service-specific; security fields are now a single source of truth.

Extract duplicated security-hardening config (cap_drop, security_opt,
mem_limit, memswap_limit, pids_limit, cpu_shares) from three sidecar
service builders into a single `buildContainerSecurityHardening` helper
in the new `src/services/service-security.ts` module.

Each service spreads the result so resource limits remain service-specific
while the security fields (cap_drop / security_opt) are guaranteed to stay
in sync across all sidecars.

Closes #<issue>
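
The divergence risk described above, as an added example that is not part of the pull request or the project's code: the helper is reproduced from the description with an assumed `ContainerResourceLimits` shape, and a hypothetical `findHardeningDrift` check flags any service whose hardening fields differ from the shared baseline. Image names and the limits other than `'512m'`/`100`/`512` are constructed.

```typescript
type Service = Record<string, unknown>;

// Assumed shape, inferred from the fields the helper reads.
interface ContainerResourceLimits {
  memLimit: string;
  pidsLimit: number;
  cpuShares?: number;
}

// Same body as the helper quoted in the PR description.
function buildContainerSecurityHardening(limits: ContainerResourceLimits): Service {
  return {
    cap_drop: ['ALL'],
    security_opt: ['no-new-privileges:true'],
    mem_limit: limits.memLimit,
    memswap_limit: limits.memLimit, // always match mem_limit
    pids_limit: limits.pidsLimit,
    ...(limits.cpuShares !== undefined && { cpu_shares: limits.cpuShares }),
  };
}

// Hypothetical drift check: one finding per hardening field that deviates.
function findHardeningDrift(services: Record<string, Service>): string[] {
  const findings: string[] = [];
  const same = (a: unknown, b: unknown) => JSON.stringify(a) === JSON.stringify(b);
  for (const [name, svc] of Object.entries(services)) {
    if (!same(svc.cap_drop, ['ALL'])) findings.push(`${name}: cap_drop is not ['ALL']`);
    if (!same(svc.security_opt, ['no-new-privileges:true']))
      findings.push(`${name}: security_opt lacks no-new-privileges:true`);
    if (svc.mem_limit === undefined || svc.mem_limit !== svc.memswap_limit)
      findings.push(`${name}: memswap_limit does not match mem_limit`);
    if (typeof svc.pids_limit !== 'number') findings.push(`${name}: pids_limit is missing`);
  }
  return findings;
}

// Constructed input: two services use the helper, one keeps a hand-edited block.
const services: Record<string, Service> = {
  'api-proxy': { image: 'example/api-proxy',
    ...buildContainerSecurityHardening({ memLimit: '512m', pidsLimit: 100, cpuShares: 512 }) },
  'doh-proxy': { image: 'example/doh-proxy',
    ...buildContainerSecurityHardening({ memLimit: '128m', pidsLimit: 50 }) },
  'cli-proxy': { image: 'example/cli-proxy', cap_drop: ['NET_RAW'],
    mem_limit: '256m', memswap_limit: '512m', pids_limit: 50 },
};
const driftFindings = findHardeningDrift(services);
console.log(driftFindings);
```

Run against the generated Compose object in a unit test, a check of this kind fails the build when a sidecar stops spreading the helper or overrides one of its fields.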
Copilot AI changed the title from "[WIP] Refactor duplicated security hardening config across sidecar services" to "refactor(services): deduplicate container security-hardening config across sidecar builders" May 16, 2026
Copilot finished work on behalf of lpcox May 16, 2026 22:09
Copilot AI requested a review from lpcox May 16, 2026 22:09
lpcox marked this pull request as ready for review May 16, 2026 22:22
lpcox requested a review from Mossaka as a code owner May 16, 2026 22:22
Copilot AI review requested due to automatic review settings May 16, 2026 22:22

Copilot AI left a comment

Pull request overview

This PR refactors the Docker Compose sidecar service builders to avoid copy-pasted container hardening blocks by introducing a shared helper in src/services/service-security.ts.

Changes:

  • Added buildContainerSecurityHardening() helper to centralize cap_drop, security_opt, and common resource-limit fields.
  • Updated api-proxy, cli-proxy, and doh-proxy service builders to spread the shared hardening config with service-specific limits.

| File | Description |
| --- | --- |
| src/services/service-security.ts | Introduces a shared helper to build consistent container hardening/resource-limit fields for sidecars. |
| src/services/api-proxy-service.ts | Replaces inline hardening/resource-limit block with the shared helper. |
| src/services/cli-proxy-service.ts | Replaces inline hardening/resource-limit block with the shared helper. |
| src/services/doh-proxy-service.ts | Replaces inline hardening/resource-limit block with the shared helper. |

Copilot's findings

  • Files reviewed: 4/4 changed files
  • Comments generated: 1

Comment thread src/services/service-security.ts Outdated
Comment on lines +3 to +7
*
* Centralises the `cap_drop`, `security_opt`, and resource-limit fields that
* must be applied uniformly to every sidecar service built by the firewall.
* Using a single helper means a future hardening change (e.g. adding
* `read_only: true`) propagates to all sidecars automatically.
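
Review bot: The JSDoc at lines +3 to +7 says the fields "must be applied uniformly to every sidecar service built by the firewall", which is broader than what the change covers: the per-file summary lists only the api-proxy, cli-proxy and doh-proxy builders as callers of the helper. Narrow the wording to name those builders, so that a later hardening change made in the helper (the comment's own example is `read_only: true`) is understood to reach only them and a reader does not assume other services are covered.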

lpcox commented May 16, 2026

@copilot address review feedback

The module and function JSDoc now explicitly name the three proxy sidecars
(api-proxy, cli-proxy, doh-proxy) this helper targets and call out that
squid-service and agent-service have different hardening requirements and
should not use it.

Copilot AI commented May 16, 2026

@copilot address review feedback

Done in the latest commit. The module-level JSDoc now explicitly names the three proxy sidecars (api-proxy, cli-proxy, doh-proxy) this helper is intended for and calls out that squid-service and agent-service have different hardening requirements and should not use it. The function-level JSDoc echoes the same scope.

Copilot finished work on behalf of lpcox May 16, 2026 22:32
@github-actions

Smoke Test Results

  • ❌ GitHub API: List last 2 merged PRs — HTTP 401: Bad credentials
  • ✅ Playwright: Navigate to github.com, title contains "GitHub"
  • ✅ File verify: Smoke test file read successfully

Total: FAIL (2 pass, 1 fail)

💥 [THE END] — Illustrated by Smoke Claude

@github-actions

🔬 Smoke Test Results

| Test | Status |
| --- | --- |
| GitHub MCP connectivity | ❌ 401 Bad credentials |
| GitHub.com HTTP connectivity | ❌ Template vars not expanded |
| File write/read | ❌ Template vars not expanded |

Overall: FAIL — Pre-computed step outputs (steps.smoke-data.outputs.*) were not injected into this workflow run. The smoke-data pre-step may not have executed or the workflow template variables were not resolved before agent invocation.

📰 BREAKING: Report filed by Smoke Copilot

@github-actions

Smoke Test: Copilot BYOK (Offline) Mode

| Test | Result |
| --- | --- |
| GitHub MCP connectivity | ❌ (401 Bad credentials — MCP read tools unauthenticated in this environment) |
| GitHub.com HTTP connectivity | ⚠️ (template var ${{ steps.smoke-data.outputs.SMOKE_HTTP_CODE }} not expanded) |
| File write/read | ⚠️ (template var ${{ steps.smoke-data.outputs.SMOKE_FILE_PATH }} not expanded) |
| BYOK inference (agent → api-proxy → api.githubcopilot.com) | ✅ (responding via BYOK offline mode) |

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com.

Overall: FAIL — workflow template variables were not substituted before agent execution; pre-step data unavailable for verification.

🔑 BYOK report filed by Smoke Copilot BYOK

@github-actions

Smoke Test Codex: FAIL
PRs: refactor: extract addDnsRules helper to eliminate duplicate DNS iptables rule pairs; fix: remove unused exports from public API surface (batch 2)
✅ PR review via public API; Playwright title; file/bash; npm ci && npm run build
❌ safeinputs-gh unavailable; Tavily search unavailable; github-discussion-query unavailable
Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

@github-actions

Chroot Runtime Version Comparison

| Runtime | Host Version | Chroot Version | Match? |
| --- | --- | --- | --- |
| Python | Python 3.12.13 | Python 3.12.3 | ❌ NO |
| Node.js | v24.15.0 | v20.20.2 | ❌ NO |
| Go | go1.22.12 | go1.22.12 | ✅ YES |

Result: Some versions differ between host and chroot. Go matches, but Python and Node.js are on different versions (Python patch version differs; Node.js major version differs: 24 vs 20).

Tested by Smoke Chroot

@github-actions

Gemini Engine Smoke Test: FAIL (MCP missing, Connectivity failed)

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini

@github-actions

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color 1/1 passed ✅ PASS
Go env 1/1 passed ✅ PASS
Go uuid 1/1 passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx all passed ✅ PASS
Node.js execa all passed ✅ PASS
Node.js p-limit all passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #3274 · ● 4.1M ·

@github-actions

Smoke Test Results

| Check | Result |
| --- | --- |
| Redis PING | ❌ Timeout (no response) |
| PostgreSQL pg_isready | ❌ No response |
| PostgreSQL SELECT 1 | ❌ Not attempted (pg_isready failed) |

Overall: FAIL. host.docker.internal is unreachable on both ports 6379 and 5432. Service containers may not be running or the host DNS alias is not resolving in this environment.

🔌 Service connectivity validated by Smoke Services

lpcox merged commit 1ace48b into main May 16, 2026
64 of 68 checks passed
lpcox deleted the copilot/duplicate-code-security-config branch May 16, 2026 22:55

Development

Successfully merging this pull request may close these issues.

[Duplicate Code] Security hardening config duplicated across three sidecar service builders
