fix(https): remove ports from compose fragment — MACVLAN makes port publishing incompatible with network_mode

decnet/services/https.py

@@ -113,8 +113,6 @@ class HTTPSService(BaseService):
             fragment["environment"]["TLS_CN"] = cfg["tls_cn"]
         if "http_versions" in cfg:
             fragment["environment"]["HTTP_VERSIONS"] = json.dumps(cfg["http_versions"])
-            if "http/3" in cfg["http_versions"]:
-                fragment.setdefault("ports", []).append("443:443/udp")
 
         return fragment
 

tests/services/test_http_https_versions.py

@@ -1,4 +1,4 @@
-"""http_versions multi_enum field: coercion, compose env, UDP port gate."""
+"""http_versions multi_enum field: coercion, compose env."""
 import json
 
 import pytest
@@ -116,22 +116,18 @@ def test_https_compose_http_versions_env():
     assert versions == ["http/1.1", "http/2"]
 
 
-def test_https_compose_h3_adds_udp_port():
+def test_https_compose_h3_no_ports_key():
+    # Fleet uses MACVLAN — service containers share base netns, port publishing
+    # is incompatible with network_mode: service:<base>. UDP/443 is reachable
+    # via the MACVLAN IP without any ports: mapping.
     svc = HTTPSService()
     cfg = svc.validate_cfg({"http_versions": ["http/1.1", "http/2", "http/3"]})
     frag = svc.compose_fragment("decky-test", service_cfg=cfg)
-    assert "443:443/udp" in frag.get("ports", [])
+    assert "ports" not in frag
 
 
-def test_https_compose_no_h3_no_udp_port():
+def test_https_compose_no_h3_no_ports_key():
     svc = HTTPSService()
     cfg = svc.validate_cfg({"http_versions": ["http/1.1", "http/2"]})
     frag = svc.compose_fragment("decky-test", service_cfg=cfg)
-    assert "443:443/udp" not in frag.get("ports", [])
+    assert "ports" not in frag
-
-
-def test_https_compose_h3_only_still_adds_udp_port():
-    svc = HTTPSService()
-    cfg = svc.validate_cfg({"http_versions": ["http/3"]})
-    frag = svc.compose_fragment("decky-test", service_cfg=cfg)
-    assert "443:443/udp" in frag.get("ports", [])