[Export Audit] Dead export `cleanupFirewallNetwork` not in public API barrel

[github-actions]

API Surface Issue

Category

Unused export

Summary

• File: src/host-iptables-network.ts
• Symbol: cleanupFirewallNetwork
• Issue: The function is exported from its source module but is not re-exported from the public API barrel (src/host-iptables.ts), and is never imported in any production code — only in test files.

Evidence

# Only usage sites:
src/host-iptables-network.ts:54:export async function cleanupFirewallNetwork(): Promise<void> {
src/host-iptables-network.test.ts:2:import { cleanupFirewallNetwork } from './host-iptables-network';

# The barrel export (src/host-iptables.ts) exposes ensureFirewallNetwork but NOT cleanupFirewallNetwork:
export { ensureFirewallNetwork } from './host-iptables-network';
export { cleanupHostIptables } from './host-iptables-cleanup';
# cleanupFirewallNetwork is absent

Recommended Fix

1. If the function is dead code: Remove the export keyword (or delete the function entirely if it has no internal callers).
2. If the function is part of the intended public API: Add a re-export to src/host-iptables.ts:

   export { ensureFirewallNetwork, cleanupFirewallNetwork } from './host-iptables-network';

3. If it is only needed by tests: Remove the export keyword — the test already imports directly from the source module, so removing export makes the test-only nature explicit without breaking anything.

Impact

• Dead code risk: Medium — the function is in a security-critical module (host-iptables) responsible for network isolation; stale exports can mislead contributors about the intended API boundary.
• Maintenance burden: Low — straightforward one-line fix.

---

Detected by Export Audit workflow. Triggered by push to main on 2026-05-15

Generated by API Surface & Export Audit · ● 16.6M · ◷

• expires on Jun 14, 2026, 3:16 PM UTC

[lpcox]

Addressed by #3169 (merged to main). The barrel re-exports have been removed.