diff --git a/src/host-iptables.test.ts b/src/host-iptables.test.ts
index 85c67c77..8fadd359 100644
--- a/src/host-iptables.test.ts
+++ b/src/host-iptables.test.ts
@@ -1,4 +1,4 @@
-import { ensureFirewallNetwork, setupHostIptables, cleanupHostIptables, cleanupFirewallNetwork, _resetIpv6State, HostAccessConfig, isValidPortSpec } from './host-iptables';
+import { ensureFirewallNetwork, setupHostIptables, cleanupHostIptables, cleanupFirewallNetwork, __testing, HostAccessConfig, isValidPortSpec } from './host-iptables';
 import execa from 'execa';
 
 // Mock execa
@@ -24,7 +24,7 @@ jest.mock('./logger', () => ({
 describe('host-iptables', () => {
   beforeEach(() => {
     jest.clearAllMocks();
-    _resetIpv6State();
+    __testing._resetIpv6State();
   });
 
   describe('ensureFirewallNetwork', () => {
diff --git a/src/host-iptables.ts b/src/host-iptables.ts
index 2f8c86c4..c328c2dc 100644
--- a/src/host-iptables.ts
+++ b/src/host-iptables.ts
@@ -56,11 +56,16 @@ let ipv6DisabledViaSysctl = false;
 /**
  * Resets internal IPv6 state (for testing only).
  */
-export function _resetIpv6State(): void {
+function _resetIpv6State(): void {
   ip6tablesAvailableCache = null;
   ipv6DisabledViaSysctl = false;
 }
 
+/**
+ * @internal Exported for testing.
+ */
+export const __testing = Object.freeze({ _resetIpv6State });
+
 /**
  * Gets the bridge interface name for the firewall network
  */
@@ -85,7 +90,7 @@ async function getNetworkBridgeName(): Promise<string | null> {
  * Gets the Docker default bridge gateway IP (e.g., 172.17.0.1).
  * This is the IP that host.docker.internal resolves to inside containers.
  */
-export async function getDockerBridgeGateway(): Promise<string | null> {
+async function getDockerBridgeGateway(): Promise<string | null> {
   try {
     const { stdout } = await execa('docker', [
       'network', 'inspect', 'bridge',
diff --git a/src/ssl-bump.ts b/src/ssl-bump.ts
index 568fd31c..76e7acb4 100644
--- a/src/ssl-bump.ts
+++ b/src/ssl-bump.ts
@@ -52,7 +52,7 @@ export interface CaFiles {
  * @param sslDir - Directory path to mount tmpfs on
  * @returns true if tmpfs was mounted, false if fallback to disk
  */
-export async function mountSslTmpfs(sslDir: string): Promise<boolean> {
+async function mountSslTmpfs(sslDir: string): Promise<boolean> {
   try {
     // Mount tmpfs with restrictive options (4MB is more than enough for SSL keys)
     await execa('mount', [