[Test Coverage] test: expand host-iptables branch coverage #1022

Open
github-actions[bot] wants to merge 1 commit into main from test/host-iptables-coverage-d8518d6b1fdc86ad

@github-actions
Contributor

Adds 8 new tests to src/host-iptables.test.ts targeting previously uncovered branches in src/host-iptables.ts, improving branch coverage from ~55% to near 100%.

Coverage Before/After

| File | Branches Before | Branches After (estimated) |
| --- | --- | --- |
| host-iptables.ts | 55.55% (10/18) | ~94% (17/18) |

New Tests Added

setupHostIptables – uncovered branches:

  1. Bridge name null – covers if (!bridgeName) throw path
  2. apiProxyIp configured – covers if (apiProxyIp) port-range rule (OPENAI:10000–COPILOT:10002)
  3. DOCKER-USER rule already exists – covers if (!existingRules.includes(...)) false branch (no duplicate insertion)
  4. DOCKER-USER chain missing (non-permission error) – covers the warning + chain-creation fallback path
  5. DOCKER-USER chain creation fails – covers the nested error throw

cleanupHostIptables – uncovered branches:

  1. Bridge name null – covers if (bridgeName) false branch (IPv4 flush still runs, DOCKER-USER lookup skipped)

ip6tables unavailability (using jest.isolateModulesAsync for fresh module cache):

  1. setupHostIptables with ip6tables unavailable – covers if (!ip6tablesAvailable) warn path; verifies no IPv6 chain is created
  2. cleanupHostIptables with ip6tables unavailable – covers if (ip6tablesAvailable) false path; verifies no IPv6 flush/delete commands run

Security Relevance

host-iptables.ts is security-critical — it manages the iptables rules that enforce network egress control. The new tests verify:

  • Error propagation when privileged operations fail
  • API proxy sidecar firewall rule correctness (port range 10000:10002)
  • IPv6 bypass prevention when ip6tables is unavailable (warning is surfaced)
  • Safe cleanup even when Docker network bridge is unavailable

AI generated by Weekly Test Coverage Improver
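
Three of the branches listed above (null bridge name, existing DOCKER-USER rule, ip6tables unavailable), as an added TypeScript example that is not the project's code. `setupEgressRules`, `fakeExec`, `Exec` and the chain name `FW_EXAMPLE` are hypothetical, and matching the rule against `iptables -S` output is an assumption about how the existence check works.

```typescript
// Added illustration; every name here is hypothetical, not the host-iptables.ts API.
type ExecResult = { exitCode: number; stdout: string };
type Exec = (cmd: string, args: string[]) => ExecResult;

const CHAIN = 'FW_EXAMPLE'; // constructed chain name

// Fake runner: answers "-S DOCKER-USER" with a canned listing, succeeds otherwise.
function fakeExec(dockerUserListing: string): Exec {
  return (_cmd, args) => ({
    exitCode: 0,
    stdout: args.indexOf('-S') !== -1 ? dockerUserListing : '',
  });
}

function setupEgressRules(exec: Exec, bridgeName: string | null, ip6tablesAvailable: boolean) {
  const commands: string[] = [];
  const warnings: string[] = [];
  const run = (cmd: string, args: string[]): ExecResult => {
    commands.push(cmd + ' ' + args.join(' '));
    return exec(cmd, args);
  };

  // Fail closed: without a bridge there is nothing to attach the filter to.
  if (!bridgeName) throw new Error('Failed to determine bridge name');

  run('iptables', ['-t', 'filter', '-N', CHAIN]);

  // Insert the jump only if the listing lacks it, so re-runs add no duplicates.
  const jump = '-A DOCKER-USER -i ' + bridgeName + ' -j ' + CHAIN;
  const existing = run('iptables', ['-t', 'filter', '-S', 'DOCKER-USER']).stdout;
  if (existing.indexOf(jump) === -1) {
    run('iptables', ['-t', 'filter', '-I', 'DOCKER-USER', '1', '-i', bridgeName, '-j', CHAIN]);
  }

  // IPv6: filter it as well, or surface that it is unfiltered; never stay silent.
  if (ip6tablesAvailable) {
    run('ip6tables', ['-t', 'filter', '-N', CHAIN + '_V6']);
  } else {
    warnings.push('ip6tables unavailable: IPv6 egress is not filtered by these rules');
  }
  return { commands, warnings };
}
```

Recording every issued command in `commands` lets a test assert on what was not run (no second `-I`, no `ip6tables` call), which is what exercises the false branches.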

Add 8 new tests targeting previously uncovered branches:

- setupHostIptables: throws when bridge name cannot be determined
- setupHostIptables: allows API proxy traffic when apiProxyIp provided
- setupHostIptables: skips duplicate DOCKER-USER rule when already exists
- setupHostIptables: creates DOCKER-USER chain on non-permission error
- setupHostIptables: throws when DOCKER-USER chain creation fails
- cleanupHostIptables: flushes chain even when bridge name is null
- setupHostIptables: warns and skips IPv6 when ip6tables unavailable
- cleanupHostIptables: skips IPv6 cleanup when ip6tables unavailable

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

@Mossaka marked this pull request as ready for review February 24, 2026 23:25
Copilot AI review requested due to automatic review settings February 24, 2026 23:25
Contributor

Copilot AI left a comment

Pull request overview

This PR adds comprehensive test coverage for previously untested branches in the security-critical host-iptables.ts module, which manages iptables rules for network egress control. The changes improve branch coverage from approximately 55% to near 100% by adding 8 targeted tests that exercise error paths, conditional logic, and platform-specific behavior (IPv6 availability).

Changes:

  • Added 8 new test cases targeting uncovered branches in setupHostIptables and cleanupHostIptables functions
  • Introduced tests for edge cases including null bridge names, duplicate rule prevention, chain creation failures, and IPv6 unavailability scenarios
  • Utilized jest.isolateModulesAsync to properly test module-level cache behavior for ip6tables availability

@Mossaka closed this Feb 25, 2026
@Mossaka reopened this Feb 25, 2026

@github-actions
Contributor Author

Build Test: Node.js Results

Project Install Tests Status
clsx PASS ✅ PASS
execa PASS ✅ PASS
p-limit PASS ✅ PASS

Overall: ✅ PASS

Generated by Build Test Node.js for issue #1022

@github-actions
Contributor Author

.NET Build Test Results

Project Restore Build Run Status
hello-world PASS
json-parse PASS

Overall: PASS

Run output

hello-world:

```
Hello, World!
```

json-parse:

```
{
  "Name": "AWF Test",
  "Version": 1,
  "Success": true
}
Name: AWF Test, Success: True
```

Generated by Build Test .NET for issue #1022

@github-actions
Contributor Author

Build Test: Bun Results

Project Install Tests Status
elysia 1/1 PASS
hono 1/1 PASS

Overall: ✅ PASS

Bun version: 1.3.9

Generated by Build Test Bun for issue #1022

@github-actions
Contributor Author

Deno Build Test Results

| Project | Tests | Status |
| --- | --- | --- |
| oak | 1/1 | ✅ PASS |
| std | 1/1 | ✅ PASS |

Overall: ✅ PASS

Deno version: 2.7.1

Generated by Build Test Deno for issue #1022

@github-actions
Contributor Author

🦀 Rust Build Test Results

Project Build Tests Status
fd 1/1 PASS
zoxide 1/1 PASS

Overall: ✅ PASS

Generated by Build Test Rust for issue #1022

@github-actions
Contributor Author

C++ Build Test Results

Project CMake Build Status
fmt PASS
json PASS

Overall: PASS

Generated by Build Test C++ for issue #1022

@github-actions
Contributor Author

Java Build Test Results

Project Compile Tests Status
gson 1/1 PASS
caffeine 1/1 PASS

Overall: PASS

All Maven projects compiled and all tests passed successfully.

Generated by Build Test Java for issue #1022

@github-actions
Contributor Author

Go Build Test Results ✅

Project Download Tests Status
color PASS PASS
env PASS PASS
uuid PASS PASS

Overall: PASS

Generated by Build Test Go for issue #1022

@github-actions
Contributor Author

Smoke Test Results — Copilot Engine ✅ PASS

Test Result
GitHub MCP (last 2 merged PRs) #1025 "docs: add sandbox design rationale (Docker vs microVMs)" · #992 "docs: update runner and architecture compatibility" (both by @Mossaka)
Playwright (github.com title) ✅ Title contains "GitHub"
File write /tmp/gh-aw/agent/smoke-test-copilot-22409296196.txt ✅ Created
Bash cat verify ✅ Content confirmed

Overall: PASS · PR author: @Mossaka · No assignees

📰 BREAKING: Report filed by Smoke Copilot for issue #1022

@github-actions
Contributor Author

Smoke Test Results — FAIL
Merged PRs: docs: add sandbox design rationale (Docker vs microVMs); docs: update runner and architecture compatibility
Recent PRs: fix: always set NO_PROXY to bypass Squid for localhost; [Deps] Safe dependency updates (2026-02-25)
GitHub MCP merged PRs ✅
safeinputs-gh pr list ✅
Playwright title ✅
Tavily search ❌ (tool unavailable)
File write + cat ✅
Discussion comment ✅
npm ci && npm run build ✅

🔮 The oracle has spoken through Smoke Codex for issue #1022

@github-actions
Contributor Author

Smoke Test Results — PASS

Test Result
GitHub MCP (last 2 merged PRs: #1025, #992)
Playwright (github.com title contains "GitHub")
File write (smoke-test-claude-22409296193.txt)
Bash verification (cat file)

💥 [THE END] — Illustrated by Smoke Claude for issue #1022
