[Export Audit] Test helper objects re-exported from production modules (regression of #3968 / #3969)

[github-actions]

API Surface Issue

Category

Dead export in production module / Test isolation issue

Summary

Three production modules still export test-only helper objects, despite this exact pattern being fixed in prior audits (issues #3968 and #3969, both state_reason: completed). All three symbols are consumed exclusively by test files.

File	Exported Symbol	Prior Issue
src/host-iptables-shared.ts	iptablesSharedTestHelpers	regression of #3968
src/host-env.ts	hostEnvTestHelpers	regression of #3969
src/logs/log-discovery.ts	logDiscoveryTestHelpers	regression of #3969

Evidence

src/host-iptables-shared.ts:27:export const iptablesSharedTestHelpers = { resetIpv6State };
src/host-env.ts:52:export const hostEnvTestHelpers = { subnetsOverlap };
src/logs/log-discovery.ts:168:export const logDiscoveryTestHelpers = { isContainerRunning };

Import sites (all test files — no production consumers):

src/host-iptables-shared.test-utils.ts: export { iptablesSharedTestHelpers } from './host-iptables-shared';
src/host-env.test-utils.ts:             export { hostEnvTestHelpers } from './host-env';
src/logs/log-discovery.test-utils.ts:   export { logDiscoveryTestHelpers } from './log-discovery';

Each .test-utils.ts wrapper re-exports the helper, but the underlying symbol is defined and exported from the production module, polluting its public surface.

Recommended Fix

For each symbol:

1. Remove export from the *TestHelpers constant in the production file
2. Move the helper definition (or re-export the underlying function directly) into the co-located *.test-utils.ts file
3. Update any test imports accordingly (the .test-utils.ts wrappers already exist and just need updating)

For example, in src/host-iptables-shared.ts:

-export const iptablesSharedTestHelpers = { resetIpv6State };
+const iptablesSharedTestHelpers = { resetIpv6State };

Then expose it from src/host-iptables-shared.test-utils.ts directly.

Impact

• Dead code risk: High — iptablesSharedTestHelpers exposes a state-mutation function (resetIpv6State) on a security-critical iptables module
• Maintenance burden: Medium — recurring pattern; likely needs a lint rule (no-restricted-syntax or no-test-helpers-in-src) to prevent further regressions

---

Detected by Export Audit workflow. Triggered by push to main on 2026-05-31

Generated by API Surface & Export Audit · sonnet46 2.3M · ◷

• expires on Jun 30, 2026, 2:28 PM UTC

[lpcox]

Closing as won't-fix / by-design.

PR #3972 (merged 2026-05-28) explicitly explains why these exports must remain: the test helpers mutate module-scoped let variables that cannot be accessed from external files without the export. The fix applied by #3972 was to route all test imports through .test-utils.ts re-export files, establishing a convention that can be enforced via lint rules.

The exports are physically required given the module architecture. Removing them would require refactoring each module to use dependency injection or a resettable state pattern — a disproportionate change for test isolation.