fix: replace deprecated log_access directive with Squid 5+ syntax

[Mossaka]

Summary

• Fixes CI breakage caused by deprecated log_access directive in Squid 5+
• Replaces with modern ACL filter syntax on access_log directive
• Updates tests to verify new syntax

Problem

After merging PR #432, CI started failing because the Squid container was crashing immediately on startup with exit code 1. The root cause is that the log_access directive was removed from Squid starting with version 5.0, and the ubuntu/squid:latest Docker image uses Squid 5+.

Solution

Replace the deprecated syntax:

acl healthcheck_localhost src 127.0.0.1 ::1
log_access deny healthcheck_localhost
access_log /var/log/squid/access.log firewall_detailed

With the modern Squid 5+ syntax:

acl healthcheck_localhost src 127.0.0.1 ::1
access_log /var/log/squid/access.log firewall_detailed !healthcheck_localhost

The ! negates the ACL, meaning "log everything EXCEPT healthcheck_localhost".

Test plan

• Unit tests pass (npm test -- squid-config.test.ts - 119 tests pass)
• Manual integration test: sudo awf --allow-domains github.com -- curl -s https://api.github.com/zen completes successfully
• CI integration tests should pass

🤖 Generated with Claude Code

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded.

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	82.44%	82.44%	➡️ +0.00%
Statements	82.47%	82.47%	➡️ +0.00%
Functions	81.77%	81.77%	➡️ +0.00%
Branches	75.59%	75.59%	➡️ +0.00%

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[Copilot]

Pull request overview

This PR fixes CI breakage caused by the deprecated log_access directive in Squid 5+. The ubuntu/squid:latest Docker image uses Squid 5.0+, which removed support for the log_access directive that was introduced in PR #432. The fix replaces the deprecated three-line configuration with modern two-line ACL filter syntax.

Changes:

• Replaced deprecated log_access deny healthcheck_localhost directive with ACL filter syntax on the access_log directive (!healthcheck_localhost)
• Updated tests to verify the new Squid 5+ syntax and ensure deprecated directive is not present
• Updated test descriptions and comments to clarify the Squid 5+ migration

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
src/squid-config.ts	Replaces deprecated log_access directive with modern Squid 5+ ACL filter syntax on access_log directive
src/squid-config.test.ts	Updates tests to verify new syntax, ensure deprecated directive is absent, and correctly validates ACL ordering

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

Smoke Test Results (Copilot)

Last 2 Merged PRs:

• feat: filter benign operational logs from Squid access.log #432: feat: filter benign operational logs from Squid access.log
• feat: allow empty allowDomains to block all network access #451: feat: allow empty allowDomains to block all network access

Test Results:

• ✅ GitHub MCP: Retrieved 2 merged PRs successfully
• ❌ Playwright: Browser download blocked (403 from cdn.playwright.dev)
• ✅ File Write: Created /tmp/gh-aw/agent/smoke-test-copilot-21681537655.txt
• ✅ Bash Tool: Verified file contents successfully
• ✅ GitHub Title (curl fallback): "GitHub · Change is constant. GitHub keeps you ahead."

Status: PARTIAL PASS (4/5 tests passed, Playwright unavailable in CI)

cc @Mossaka

AI generated by Smoke Copilot

[github-actions]

Smoke Test Results

Last 2 Merged PRs:

• feat: filter benign operational logs from Squid access.log #432: feat: filter benign operational logs from Squid access.log
• feat: allow empty allowDomains to block all network access #451: feat: allow empty allowDomains to block all network access

Test Results:

• ✅ GitHub MCP Testing (fetched merged PRs)
• ❌ Playwright Testing (MCP tool not available in environment)
• ✅ File Writing (created /tmp/gh-aw/agent/smoke-test-claude-21681537641.txt)
• ✅ Bash Tool (verified file content)

Overall Status: PARTIAL PASS (3/4 tests passed)

AI generated by Smoke Claude

[github-actions]

⚠️ Smoke Test Chroot - Configuration Issue

The smoke-chroot workflow has a design incompatibility:

Problem: The workflow attempts to run awf --enable-chroot commands from within an AWF sandbox container (the agentic workflow environment). This creates a nested Docker-in-Docker scenario that is not supported (Docker-in-Docker was removed in AWF v0.9.1, PR #205).

Current State:

• ✅ Host versions captured: Python 3.12.3, Node v20.20.0, Go 1.24.12
• ❌ Cannot execute awf --enable-chroot from inside AWF container
• ❌ Docker access denied in sandbox environment

Error:

ERROR: Docker-in-Docker support was removed in AWF v0.9.1

Recommended Fix:
The smoke-chroot.md workflow should be restructured to run as a standard GitHub Actions job (without the agentic workflow wrapper), or the test commands should execute on the host runner directly.

Test Design Issue: The workflow instructions at lines 72-81 expect to run AWF CLI commands, but these cannot execute from within the AWF-based agentic workflow sandbox.

---

Tested by Smoke Chroot

AI generated by Smoke Chroot