From a07d84d2ea510b8edd7c209e93d6c43747b01be5 Mon Sep 17 00:00:00 2001
From: "Jiaxiao (mossaka) Zhou" <duibao55328@gmail.com>
Date: Wed, 11 Mar 2026 01:12:10 +0000
Subject: [PATCH] test: add --allow-host-ports validation tests

Extract validateAllowHostPorts() function from inline CLI validation
and add 7 unit tests covering: error without --enable-host-access,
pass with --enable-host-access, undefined ports, port ranges, and
combined flag scenarios.

Fixes #498

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/cli.test.ts | 46 +++++++++++++++++++++++++++++++++++++++++++++-
 src/cli.ts      | 26 +++++++++++++++++++++++---
 2 files changed, 68 insertions(+), 4 deletions(-)

diff --git a/src/cli.test.ts b/src/cli.test.ts
index 6420ed37..efc5bfea 100644
--- a/src/cli.test.ts
+++ b/src/cli.test.ts
@@ -1,5 +1,5 @@
 import { Command } from 'commander';
-import { parseEnvironmentVariables, parseDomains, parseDomainsFile, escapeShellArg, joinShellArgs, parseVolumeMounts, isValidIPv4, isValidIPv6, parseDnsServers, validateAgentImage, isAgentImagePreset, AGENT_IMAGE_PRESETS, processAgentImageOption, processLocalhostKeyword, validateSkipPullWithBuildLocal, validateFormat, validateApiProxyConfig, buildRateLimitConfig, validateRateLimitFlags } from './cli';
+import { parseEnvironmentVariables, parseDomains, parseDomainsFile, escapeShellArg, joinShellArgs, parseVolumeMounts, isValidIPv4, isValidIPv6, parseDnsServers, validateAgentImage, isAgentImagePreset, AGENT_IMAGE_PRESETS, processAgentImageOption, processLocalhostKeyword, validateSkipPullWithBuildLocal, validateAllowHostPorts, validateFormat, validateApiProxyConfig, buildRateLimitConfig, validateRateLimitFlags } from './cli';
 import { redactSecrets } from './redact-secrets';
 import * as fs from 'fs';
 import * as path from 'path';
@@ -1495,4 +1495,48 @@ describe('cli', () => {
       expect(r.valid).toBe(true);
     });
   });
+
+  describe('validateAllowHostPorts', () => {
+    it('should fail when --allow-host-ports is used without --enable-host-access', () => {
+      const result = validateAllowHostPorts('3000', undefined);
+      expect(result.valid).toBe(false);
+      expect(result.error).toContain('--allow-host-ports requires --enable-host-access');
+    });
+
+    it('should fail when --allow-host-ports is used with enableHostAccess=false', () => {
+      const result = validateAllowHostPorts('8080', false);
+      expect(result.valid).toBe(false);
+      expect(result.error).toContain('--allow-host-ports requires --enable-host-access');
+    });
+
+    it('should pass when --allow-host-ports is used with --enable-host-access', () => {
+      const result = validateAllowHostPorts('3000', true);
+      expect(result.valid).toBe(true);
+      expect(result.error).toBeUndefined();
+    });
+
+    it('should pass when --allow-host-ports is not provided', () => {
+      const result = validateAllowHostPorts(undefined, undefined);
+      expect(result.valid).toBe(true);
+      expect(result.error).toBeUndefined();
+    });
+
+    it('should pass when only --enable-host-access is set without ports', () => {
+      const result = validateAllowHostPorts(undefined, true);
+      expect(result.valid).toBe(true);
+      expect(result.error).toBeUndefined();
+    });
+
+    it('should fail for port ranges without --enable-host-access', () => {
+      const result = validateAllowHostPorts('3000-3010,8080', undefined);
+      expect(result.valid).toBe(false);
+      expect(result.error).toContain('--allow-host-ports requires --enable-host-access');
+    });
+
+    it('should pass for port ranges with --enable-host-access', () => {
+      const result = validateAllowHostPorts('3000-3010,8000-8090', true);
+      expect(result.valid).toBe(true);
+      expect(result.error).toBeUndefined();
+    });
+  });
 });
diff --git a/src/cli.ts b/src/cli.ts
index b06238e5..56fa66f7 100644
--- a/src/cli.ts
+++ b/src/cli.ts
@@ -403,6 +403,25 @@ export function validateSkipPullWithBuildLocal(
   return { valid: true };
 }
 
+/**
+ * Validates that --allow-host-ports is only used with --enable-host-access
+ * @param allowHostPorts - The --allow-host-ports value (undefined if not provided)
+ * @param enableHostAccess - Whether --enable-host-access flag was provided
+ * @returns FlagValidationResult with validation status and error message
+ */
+export function validateAllowHostPorts(
+  allowHostPorts: string | undefined,
+  enableHostAccess: boolean | undefined
+): FlagValidationResult {
+  if (allowHostPorts && !enableHostAccess) {
+    return {
+      valid: false,
+      error: '--allow-host-ports requires --enable-host-access to be set',
+    };
+  }
+  return { valid: true };
+}
+
 /**
  * Parses and validates DNS servers from a comma-separated string
  * @param input - Comma-separated DNS server string (e.g., "8.8.8.8,1.1.1.1")
@@ -1110,9 +1129,10 @@ program
       logger.warn('   This may expose sensitive credentials if logs or configs are shared');
     }
 
-    // Warn if --allow-host-ports is used without --enable-host-access
-    if (config.allowHostPorts && !config.enableHostAccess) {
-      logger.error('❌ --allow-host-ports requires --enable-host-access to be set');
+    // Validate --allow-host-ports requires --enable-host-access
+    const hostPortsValidation = validateAllowHostPorts(config.allowHostPorts, config.enableHostAccess);
+    if (!hostPortsValidation.valid) {
+      logger.error(`❌ ${hostPortsValidation.error}`);
       process.exit(1);
     }