[Refactoring] Split `writeConfigs` (171 lines) in `src/config-writer.ts` into focused setup phases

[github-actions]

Refactoring Opportunity

Summary

• File: src/config-writer.ts
• Current size: 202 lines
• Responsibilities identified: 7 distinct phases inside writeConfigs

Evidence

writeConfigs (line 31, ~171 lines) is the only substantive function in the file and performs seven sequential phases with no internal helper extraction:

1. Work-directory security hardening (lines 31–50): mkdirSync, symlink guard, chmodSync with restrictive 0o700 permissions.
2. Log path & working-directory preparation (lines 52–66): resolveLogPaths, prepareWorkDirectories, network config assembly.
3. Seccomp profile copying (lines 70–94): three-path fallback search (inline bundle → containers/agent/ → dist/) — security-critical.
4. SSL-Bump initialization (lines 96–115): conditional generateSessionCa + initSslDb — security-critical.
5. Squid ACL config generation + write (lines 117–149): generateSquidConfig + writeFileSync(squid.conf, mode 0o644) — security-critical domain allowlist.
6. Docker Compose generation + write (lines 151–159): generateDockerCompose + writeFileSync(docker-compose.yml, mode 0o600) — contains secrets.
7. Audit artifact writing (lines 161–202): redacted compose, squid.conf copy, policy-manifest.json.

Three of those seven phases (seccomp, SSL-bump, Squid ACL) are security-critical and currently buried in the same linear function body as orchestration boilerplate.

Proposed Split

Extract focused sub-functions within (or alongside) config-writer.ts:

• validateAndPrepareWorkDir(config) — workdir security hardening (~20 lines)
• copySeccompProfile(config) — seccomp three-path fallback (~25 lines)
• initializeSslBump(config) — SSL-bump CA + DB setup (~20 lines)
• writeAuditArtifacts(config, networkConfig, dockerCompose, squidConfig) — audit dir + all artifacts (~40 lines)
• writeConfigs(config) remaining as a lean orchestration facade (~70 lines)

Affected Callers

grep -rn "from.*config-writer\|require.*config-writer" src/ containers/

• src/docker-manager.ts — re-exports writeConfigs
• src/config-writer.test.ts — direct unit tests
• src/docker-manager-write-configs.test.ts — integration tests
• src/docker-manager-reexports.test.ts — re-export smoke test

Effort Estimate

Low

Benefits

• Each security-critical phase (seccomp, SSL, Squid ACL) becomes independently unit-testable
• Reduces cognitive load when reviewing security-sensitive initialization code
• Makes it easy to add/remove phases (e.g., future credential injection steps) without touching unrelated logic

---

Detected by Refactoring Scanner workflow. Run date: 2026-06-24

Generated by Refactoring Opportunity Scanner · 140.6 AIC · ⊞ 6.9K · ◷

• expires on Aug 23, 2026, 3:58 PM UTC