refactor: extract reportBlockedDomains helper to remove duplicated logic

[Copilot]

~37 lines of blocked-domain classification and diagnostic messaging were copy-pasted between handleHealthcheckError (startup path) and runAgentCommand (post-run path), differing only in log level.

Changes

• New helper reportBlockedDomains in src/container-lifecycle.ts — accepts a log: (msg: string) => void parameter, making the error vs warn distinction explicit at each call site
• Both duplicate blocks replaced with single-line calls:

// startup error path
reportBlockedDomains(blockedTargets, allowedDomains, msg => logger.error(msg));

// post-run warning path
reportBlockedDomains(blockedTargets, allowedDomains, msg => logger.warn(msg));

• Correct domain matching — isAllowed now uses parseDomainWithProtocol to strip http:///https:// prefixes and isWildcardPattern/wildcardToRegex for wildcard patterns (e.g. *.github.com), consistent with how domain-patterns.ts handles these elsewhere. Previously, protocol-prefixed or wildcard entries in --allow-domains would be incorrectly reported as missing from the allowlist.

• Deduplicated --allow-domains suggestion — missingDomains is now collected in a Set so the same host blocked on multiple targets (e.g. both port 80 and 443) only appears once in the remediation hint.

• Regression tests — Four new tests in docker-manager-lifecycle.test.ts covering: wildcard allowlist matching, protocol-prefixed allowlist matching, --allow-domains deduplication, and the warn-vs-error call-site distinction.

Any future changes to domain classification logic, fix suggestion format, or port-allowlist rules now only need to be made in one place.

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	86.45%	86.60%	📈 +0.15%
Statements	86.39%	86.54%	📈 +0.15%
Functions	90.61%	90.61%	➡️ +0.00%
Branches	79.23%	79.52%	📈 +0.29%

📁 Per-file Coverage Changes (1 files)

File	Lines (Before → After)	Statements (Before → After)
src/container-lifecycle.ts	86.1% → 88.2% (+2.13%)	86.3% → 88.6% (+2.23%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[Copilot]

Pull request overview

This PR refactors src/container-lifecycle.ts to centralize blocked-domain diagnostic logging so both the startup failure path and the post-run failure path use the same reporting logic.

Changes:

• Added a new reportBlockedDomains helper to classify blocked targets and emit remediation messages.
• Replaced the duplicated blocked-domain reporting blocks in handleHealthcheckError and runAgentCommand with calls to the helper.
• Kept the call-site distinction between logger.error during startup failures and logger.warn after agent command failures.

Show a summary per file

File	Description
src/container-lifecycle.ts	Extracts shared blocked-domain reporting logic and wires both startup and post-run paths to the new helper.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 1/1 changed files
• Comments generated: 3

[lpcox]

@copilot merge main and address the review feedback

[Copilot]

@copilot merge main and address the review feedback

Done in 97239ab. Merged main and addressed all three review issues:

1. Wildcard/protocol-prefix matching (src/container-lifecycle.ts:528-529): The isAllowed check in reportBlockedDomains now uses parseDomainWithProtocol to strip http:///https:// prefixes and isWildcardPattern/wildcardToRegex for regex-based wildcard matching, consistent with how domain-patterns.ts handles these elsewhere.

2. Test coverage (src/container-lifecycle.ts:519-523): Added four regression tests in docker-manager-lifecycle.test.ts covering wildcard allowlist matching, protocol-prefixed allowlist matching, --allow-domains deduplication, and the warn-vs-error call-site distinction.

3. Deduplication (src/container-lifecycle.ts:550): missingDomains is now collected in a uniqueMissingDomains Set, so the same host blocked on multiple targets only appears once in the --allow-domains suggestion.

[github-actions]

🔥 Smoke Test: Copilot BYOK (Offline) Mode

Test	Result
GitHub MCP (list PRs)	✅
GitHub.com connectivity	⚠️ N/A (pre-step template var unexpanded)
File write/read	⚠️ N/A (pre-step template var unexpanded)
BYOK inference (this response)	✅

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com

Author: @Copilot · Assignees: @lpcox, @Copilot

Overall: PASS (core BYOK path confirmed working)

🔑 BYOK report filed by Smoke Copilot BYOK

[github-actions]

Smoke Test Results

Test Results:
✅ GitHub MCP: Last 2 merged PRs retrieved
✅ Playwright: github.com title verified
✅ File Writing: Test file created successfully
✅ Bash Verification: File contents verified

Merged PRs:

• api-proxy: inject X-Initiator: agent default on all Copilot-bound requests to prevent billing inflation #2571: api-proxy: inject X-Initiator: agent default on all Copilot-bound requests to prevent billing inflation
• refactor: extract shared parameterised test factory for log sub-commands #2563: refactor: extract shared parameterised test factory for log sub-commands

Status: PASS

💥 [THE END] — Illustrated by Smoke Claude

[github-actions]

🔬 Smoke Test Results

Test	Status
GitHub MCP connectivity	✅
GitHub.com HTTP connectivity	⚠️ N/A (pre-step template vars not expanded)
File write/read	⚠️ N/A (pre-step template vars not expanded)

PR: refactor: extract reportBlockedDomains helper to remove duplicated logic
Author: @Copilot | Assignees: @lpcox, @Copilot

Overall: PARTIAL — MCP connectivity confirmed ✅; pre-computed step outputs were not injected (raw ${{ }} literals passed through).

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

🔮 Codex Smoke Test: FAIL
PRs: refactor(entrypoint): deduplicate signal-handler + token-cleanup into shared function; refactor: extract reportBlockedDomains helper to remove duplicated logic
✅ Reviewed last 2 merged PRs: api-proxy: inject X-Initiator: agent default on all Copilot-bound requests to prevent billing inflation; refactor: extract shared parameterised test factory for log sub-commands
❌ safeinputs-gh PR query: tool unavailable; gh fallback returned 2 PRs
✅ Playwright: GitHub title verified
❌ Tavily search: bridge exposed no tools
✅ File write/read and npm ci && npm run build
❌ Discussion query tool unavailable; oracle comment posted via safeoutputs
Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	N/A	❌ CLONE_FAILED
Deno	std	N/A	N/A	❌ CLONE_FAILED
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	1/1 passed	✅ PASS
Go	env	✅	1/1 passed	✅ PASS
Go	uuid	✅	1/1 passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	✅ all passed	✅ PASS
Node.js	execa	✅	✅ all passed	✅ PASS
Node.js	p-limit	✅	✅ all passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 7/8 ecosystems passed — ❌ FAIL

---

❌ Failures

Deno — CLONE_FAILED
The gh CLI requires GH_TOKEN to be set, and the unauthenticated fallback did not succeed for this repository:

gh: To use GitHub CLI in a GitHub Actions workflow, set the GH_TOKEN environment variable.
Exit code: 4

oak and std could not be tested as a result.

Generated by Build Test Suite for issue #2564 · ● 1.9M · ◷

[github-actions]

Smoke Test Results — FAIL

Check	Result
Redis PING	❌ Timeout (no response)
PostgreSQL pg_isready	❌ No response on port 5432
PostgreSQL SELECT 1	❌ Timeout (no response)

Overall: FAIL — host.docker.internal service containers are not reachable from this runner environment.

🔌 Service connectivity validated by Smoke Services

[github-actions]

Chroot Version Comparison Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.13	Python 3.12.3	❌ NO
Node.js	v24.14.1	v20.20.2	❌ NO
Go	go1.22.12	go1.22.12	✅ YES

Result: ❌ Not all tests passed — Python and Node.js versions differ between host and chroot.

Tested by Smoke Chroot