fix: bypass Squid for host.docker.internal MCP gateway traffic

[Mossaka]

Summary

• In chroot mode, the agent communicates with the MCP gateway via host.docker.internal. This traffic gets DNAT'd to Squid, where Squid fails with "Invalid URL - Missing hostname" because rmcp sends relative URLs (GET /path instead of GET http://host/path).
• When --enable-host-access is used, add iptables rules to let traffic to host.docker.internal bypass Squid entirely. This traffic is internal (agent → MCP gateway) and shouldn't be domain-filtered.
• Add AWF_ENABLE_HOST_ACCESS env var to signal setup-iptables.sh when host access is enabled.

Test plan

• npm run build compiles
• npm test — 731 unit tests pass (including 3 new tests)
• npm run lint — no errors
• Manual test with sudo awf --enable-host-access --allow-host-ports 8080 --allow-domains host.docker.internal --build-local --log-level debug -- curl -v http://host.docker.internal:8080/ to confirm [iptables] Allow direct traffic to host gateway appears in logs

🤖 Generated with Claude Code

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

Chroot tests failed Smoke Chroot failed - See logs for details.

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	82.08%	82.09%	📈 +0.01%
Statements	82.12%	82.13%	➡️ +0.01%
Functions	81.95%	81.95%	➡️ +0.00%
Branches	75.41%	75.41%	➡️ +0.00%

📁 Per-file Coverage Changes (1 files)

File	Lines (Before → After)	Statements (Before → After)
src/docker-manager.ts	82.9% → 82.9% (+0.04%)	82.2% → 82.2% (+0.05%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[github-actions]

Deno Build Test Results

Project	Tests	Status
oak	1/1	✅ PASS
std	1/1	✅ PASS

Overall: ✅ PASS

All Deno tests completed successfully.

AI generated by Build Test Deno

[github-actions]

C++ Build Test Results

Project	CMake	Build	Status
fmt	✅	✅	PASS
json	✅	✅	PASS

Overall: PASS ✅

All C++ projects built successfully.

AI generated by Build Test C++

[github-actions]

Node.js Build Test Results

Project	Install	Tests	Status
clsx	✅	PASS	PASS
execa	✅	PASS	PASS
p-limit	✅	PASS	PASS

Overall: PASS ✅

All Node.js projects installed successfully and passed their test suites.

AI generated by Build Test Node.js

[github-actions]

❌ Build Test: Java - FAILED

Environment Error: Maven installation is corrupted and cannot run.

Error Details

-Dclassworlds.conf=/usr/share/apache-maven-3.9.12/bin/m2.conf: line 1: 
/usr/share/apache-maven-3.9.12/boot/plexus-classworlds-2.9.0.jar: cannot execute binary file: Exec format error

Test Results

Project	Compile	Tests	Status
gson	❌	❌	FAILED
caffeine	❌	❌	FAILED

Overall: FAILED

The Maven binary at /usr/share/apache-maven-3.9.12 appears to be corrupted or incompatible with the current architecture. Unable to compile or test any Java projects.

AI generated by Build Test Java

[github-actions]

Smoke Test Results

Last 2 merged PRs:

• revert: remove Squid intercept mode and all cascading fixes #541: revert: remove Squid intercept mode and all cascading fixes
• ci: add write permissions for issue monster agent assignment #537: ci: add write permissions for issue monster agent assignment

Test Results:

• ✅ GitHub MCP (fetched PRs)
• ✅ Playwright (title: "GitHub · Change is constant...")
• ✅ File creation (/tmp/gh-aw/agent/smoke-test-claude-21734436740.txt)
• ✅ Bash verification (file read successful)

Overall: PASS

AI generated by Smoke Claude

[github-actions]

Smoke Test Results (Copilot)

Last 2 merged PRs:

• revert: remove Squid intercept mode and all cascading fixes #541: revert: remove Squid intercept mode and all cascading fixes
• ci: add write permissions for issue monster agent assignment #537: ci: add write permissions for issue monster agent assignment

Test Results:

• ✅ GitHub MCP (list PRs)
• ✅ Playwright (GitHub homepage verified)
• ✅ File write (smoke-test-copilot-21734436724.txt)
• ✅ Bash tool (file verified)

Status: PASS

cc: @Mossaka

AI generated by Smoke Copilot

[github-actions]

Go Build Test Results

Project	Download	Tests	Status
color	✅	1/1	PASS
env	✅	1/1	PASS
uuid	✅	1/1	PASS

Overall: PASS ✅

All Go projects built and tested successfully.

AI generated by Build Test Go

[Copilot]

Pull request overview

This PR fixes a Squid proxy issue where MCP gateway traffic to host.docker.internal in chroot mode fails because rmcp sends relative URLs that Squid cannot handle. The solution adds an iptables bypass for host.docker.internal when --enable-host-access is enabled, allowing this internal agent-to-gateway traffic to skip Squid entirely.

Changes:

• Added AWF_ENABLE_HOST_ACCESS environment variable to signal host access enablement to the agent container
• Added comprehensive test coverage for the new environment variable (3 tests covering true/false/undefined states)
• Added iptables rules in setup-iptables.sh to bypass Squid for host.docker.internal traffic when host access is enabled

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File	Description
src/docker-manager.ts	Sets AWF_ENABLE_HOST_ACCESS='1' environment variable when enableHostAccess is true
src/docker-manager.test.ts	Adds 3 new tests to verify AWF_ENABLE_HOST_ACCESS is correctly set/unset based on enableHostAccess config
containers/agent/setup-iptables.sh	Adds iptables NAT RETURN and OUTPUT ACCEPT rules to bypass Squid for host.docker.internal traffic when AWF_ENABLE_HOST_ACCESS is set

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The value '1' is inconsistent with other boolean AWF environment variables in this codebase. AWF_CHROOT_ENABLED and AWF_SSL_BUMP_ENABLED both use 'true' as their value (see lines 393 and 488). While the current implementation works because setup-iptables.sh checks with [ -n "$AWF_ENABLE_HOST_ACCESS" ] (which accepts any non-empty value), using 'true' would be more consistent with established patterns and would prevent potential confusion if the checking logic changes in the future.

Suggested change

	environment.AWF_ENABLE_HOST_ACCESS = '1';
	environment.AWF_ENABLE_HOST_ACCESS = 'true';

[Copilot]

The OUTPUT filter chain rule (line 132) is placed in the middle of the NAT table configuration section, which makes the script structure harder to follow. According to the script's organization pattern (as documented by the "OUTPUT filter chain rules" comment at line 203), all filter chain rules should be grouped together after the NAT table rules are configured. While this works functionally (iptables evaluates NAT first, then filter), consider moving this ACCEPT rule to the OUTPUT filter chain section (after line 221) alongside the other filter rules for better code organization and maintainability.

[github-actions]

Build Test: Bun - FAIL ❌

Test Results

Project	Install	Tests	Status
elysia	⚠️ N/A	❌ 0/1	FAIL
hono	⚠️ N/A	❌ 0/1	FAIL

Overall: FAIL

Error Details

Both projects failed with identical runtime errors:

bun test v1.3.8 (b64edcb4)
Aborted (core dumped)
Exit code: 134

Root Cause: Bun 1.3.8 crashes in the container environment with segmentation faults. This appears to be an incompatibility between Bun and the container's kernel (6.11.0-1018-azure) or missing /proc/cpuinfo.

Environment:

• Bun version: 1.3.8
• Kernel: 6.11.0-1018-azure Extract domain parsing into testable function #18~24.04.1-Ubuntu
• Note: /proc/cpuinfo not available in container

The test repository and test files are valid but Bun cannot execute in this environment.

AI generated by Build Test Bun