refactor: split validate-options.ts into focused validator modules

[Copilot]

validateOptions was a single 450-line function handling 11 distinct concerns, making security-critical sections (domain resolution, SSL Bump URL pattern validation) impossible to test or review in isolation.

Structure

Extracts the monolith into four focused modules under src/commands/validators/:

• log-and-limits.ts — log level, --anthropic-cache-tail-ttl, model multipliers (--max-effective-tokens, --max-model-multiplier, --max-runs), memory limit, agent image
• network-options.ts — Docker host detection, --docker-host-path-prefix, domain resolution (--allow-domains, --block-domains), upstream proxy, DNS (security-critical)
• agent-options.ts — --env/--env-file, --mount, SSL Bump --allow-urls URL pattern validation (security-critical)
• config-assembly.ts — buildConfig call + all post-assembly guards (docker host URI, rate limits, feature-flag compatibility, port rules, API proxy warnings)

Orchestrator

validate-options.ts becomes a 33-line thin orchestrator — public API unchanged, no caller modifications required:

export function validateOptions(options, agentCommand): WrapperConfig {
  const logAndLimits    = validateLogAndLimits(options);
  const networkOptions  = validateNetworkOptions(options);
  const agentOptions    = validateAgentOptions(options);
  return assembleAndValidateConfig(options, agentCommand, logAndLimits, networkOptions, agentOptions);
}

Each sub-validator exports a typed result interface (LogAndLimitsResult, NetworkOptionsResult, AgentOptionsResult) so the assembly stage receives fully-typed, pre-validated inputs.

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	95.73%	95.83%	📈 +0.10%
Statements	95.56%	95.65%	📈 +0.09%
Functions	96.86%	96.88%	📈 +0.02%
Branches	89.30%	89.34%	📈 +0.04%

📁 Per-file Coverage Changes (2 files)

File	Lines (Before → After)	Statements (Before → After)
src/config-writer.ts	83.0% → 85.6% (+2.54%)	83.0% → 85.6% (+2.54%)
src/commands/validate-options.ts	87.3% → 100.0% (+12.70%)	86.4% → 100.0% (+13.62%)

✨ New Files (4 files)

• src/commands/validators/agent-options.ts: 93.0% lines
• src/commands/validators/config-assembly.ts: 83.0% lines
• src/commands/validators/log-and-limits.ts: 95.2% lines
• src/commands/validators/network-options.ts: 81.3% lines

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[github-actions]

Smoke Test Results

✅ GitHub API: 2 PR entries confirmed in recent-prs.json
✅ Playwright: GitHub homepage title contains "GitHub"
✅ File verify: smoke-test-claude-26195577058.txt exists

Result: PASS - All smoke tests passed successfully.

💥 [THE END] — Illustrated by Smoke Claude

[github-actions]

🔬 Smoke Test: Copilot BYOK (Offline) Mode

Test	Result
GitHub MCP (list PRs)	✅ PR #3488 "fix: align OTEL attributes with gen_ai semconv spec"
GitHub.com connectivity	⚠️ template var unexpanded — no pre-step data
File write/read	⚠️ template var unexpanded — no pre-step data
BYOK inference (this response)	✅

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com.

PR author: @Copilot · Assignees: @lpcox, @Copilot

Overall: PARTIAL (pre-step smoke data not injected; BYOK inference and MCP pass ✅)

🔑 BYOK report filed by Smoke Copilot BYOK

[github-actions]

🔬 Smoke Test Results

Test	Status
GitHub MCP connectivity	✅ PR fetched: "fix: align OTEL attributes with gen_ai semconv spec"
GitHub.com HTTP connectivity	✅ (pre-step passed)
File write/read	✅ smoke-test-copilot-26195577054.txt verified

Overall: PASS 🎉

PR by @Copilot · Assignees: @lpcox, @Copilot

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

Smoke Codex: FAIL
PRs reviewed: fix: align OTEL attributes with gen_ai semconv spec; fix: Use --build-local in smoke-otel-tracing for latest api-proxy code
✅ PR review/read; ❌ safeinputs-gh wrapper; ✅ Playwright; ❌ Tavily search
✅ file/bash; ❌ discussion query/comment; ✅ npm ci && npm run build
Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions]

Chroot Smoke Test Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.13	Python 3.12.3	❌
Node.js	v24.15.0	v20.20.2	❌
Go	go1.22.12	go1.22.12	✅

Overall: ❌ Not all tests passed — Python and Node.js versions differ between host and chroot environments.

Tested by Smoke Chroot

[Copilot]

Pull request overview

Refactors the CLI option validation pipeline by splitting the previously monolithic validateOptions implementation into focused validator modules, keeping the public API and call sites unchanged while isolating security-critical validation paths (domain/DNS resolution and SSL bump URL pattern checks).

Changes:

• Added focused validators for log/resource limits, network options, agent-runtime options, and post-assembly config guards under src/commands/validators/.
• Moved config assembly + post-validation guards (rate limits, feature-flag compatibility, port rules, API proxy warnings, docker host URI checks) into a dedicated assembly stage.
• Reduced validate-options.ts to a thin orchestrator that composes the validators and returns the assembled WrapperConfig.

Show a summary per file

File	Description
src/commands/validators/network-options.ts	Extracts Docker-host handling, domain allow/block resolution, and network config resolution into a typed validator result.
src/commands/validators/log-and-limits.ts	Extracts log level validation, Anthropic cache TTL validation, model multiplier parsing, memory limit parsing, and agent image validation.
src/commands/validators/config-assembly.ts	Centralizes buildConfig call and all post-assembly guards/warnings (docker host URI/path prefix, rate limits, ports, API proxy validations/warnings).
src/commands/validators/agent-options.ts	Extracts agent runtime validation (env/env-file, mounts) and SSL bump URL pattern validation (security-critical).
src/commands/validate-options.ts	Replaced monolithic implementation with a small orchestrator wiring the new validator modules together.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 5/5 changed files
• Comments generated: 0

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	1/1 passed	✅ PASS
Go	env	✅	1/1 passed	✅ PASS
Go	uuid	✅	1/1 passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	passed	✅ PASS
Node.js	execa	✅	passed	✅ PASS
Node.js	p-limit	✅	passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #3479 · ● 3.4M · ◷

[github-actions]

Smoke test results: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini

[github-actions]

Smoke Test Results — FAIL

Check	Result
Redis PING	❌ Timeout/no response
PostgreSQL pg_isready	❌ No response on port 5432
PostgreSQL SELECT 1	❌ Timeout/no response

host.docker.internal is not reachable from this runner environment. All three service connectivity checks failed.

🔌 Service connectivity validated by Smoke Services