test(origin_guard): cover bracketed IPv6 host matching (#421)

claude · claude · commit b992148b6e6a · 2026-05-31T18:18:50.000Z
Closes the one patch-coverage gap codecov flagged: the bracketed-IPv6 Host unwrap in _host_ip_in_networks was only exercised by IPv4 hosts. Add a test matching [fd00::1] against an IPv6 CIDR (in-range allowed, out-of-range rejected). https://claude.ai/code/session_01Jq5X4ivngAf1N6r5UX2BVw
diff --git a/tests/unit/test_origin_guard.py b/tests/unit/test_origin_guard.py
@@ -501,6 +501,15 @@ def test_is_allowed_host_dns_name_never_matches_network() -> None:
     assert is_allowed_host("attacker.example.com:8000", nets) is False
 
 
+def test_is_allowed_host_bracketed_ipv6_in_network() -> None:
+    # A bracketed IPv6 Host literal is unwrapped and matched against an IPv6
+    # CIDR; one outside the range is rejected.
+    nets = parse_allow_hosts(["fd00::/8"])
+    assert is_allowed_host("[fd00::1]:8000", nets) is True
+    assert is_allowed_host("[fd00::1]", nets) is True
+    assert is_allowed_host("[2001:db8::1]:8000", nets) is False
+
+
 def test_is_allowed_host_without_networks_unchanged() -> None:
     # Default (None) is byte-for-byte loopback-only.
     assert is_allowed_host("192.168.1.50:8000") is False
