diff --git a/.github/workflows/smoke-chroot.lock.yml b/.github/workflows/smoke-chroot.lock.yml
index 036d675b..06ec2ef6 100644
--- a/.github/workflows/smoke-chroot.lock.yml
+++ b/.github/workflows/smoke-chroot.lock.yml
@@ -191,6 +191,10 @@ jobs:
 run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default
 env:
 COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
+ - name: Ensure .copilot directory permissions
+ run: |
+ mkdir -p /home/runner/.copilot
+ sudo chown -R runner:runner /home/runner/.copilot
 - name: Install GitHub Copilot CLI
 run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.402
 - name: Install awf binary
@@ -959,6 +963,10 @@ jobs:
 run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default
 env:
 COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
+ - name: Ensure .copilot directory permissions
+ run: |
+ mkdir -p /home/runner/.copilot
+ sudo chown -R runner:runner /home/runner/.copilot
 - name: Install GitHub Copilot CLI
 run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.402
 - name: Execute GitHub Copilot CLI
diff --git a/.github/workflows/smoke-chroot.md b/.github/workflows/smoke-chroot.md
index 3ed0ae0c..992ddb9a 100644
--- a/.github/workflows/smoke-chroot.md
+++ b/.github/workflows/smoke-chroot.md
@@ -153,6 +153,10 @@ steps:
 if: always()
 run: |
 ./scripts/ci/cleanup.sh || true
+ - name: Ensure .copilot directory permissions
+ run: |
+ mkdir -p /home/runner/.copilot
+ sudo chown -R runner:runner /home/runner/.copilot
 ---
 # Analyze Chroot Test Results
diff --git a/src/docker-manager.ts b/src/docker-manager.ts
index 99f27b87..410ab789 100644
--- a/src/docker-manager.ts
+++ b/src/docker-manager.ts
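Review bot: In `.github/workflows/smoke-chroot.md`, the added `Ensure .copilot directory permissions` step runs a recursive `sudo chown` with no comment saying what leaves `/home/runner/.copilot` owned by another user, so a later reader cannot tell whether the step is still needed or is covering for a root-run process that writes into the runner's home. A comment above the step would help, for example `# Steps that run under sudo can leave root-owned files here; the Copilot CLI runs as runner and must be able to write to it`. That cause is presumably the reason, but it is not visible in this hunk and should be confirmed. The account and path are also hard-coded; `sudo chown -R "$(id -un):$(id -gn)" "$HOME/.copilot"` would keep working if the runner user or home directory differs.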
@@ -9,7 +9,6 @@ import { generateSquidConfig } from './squid-config';
 import { generateSessionCa, initSslDb, CaFiles, parseUrlPatterns } from './ssl-bump';
 const SQUID_PORT = 3128;
-const SQUID_INTERCEPT_PORT = 3129; // Port for transparently intercepted traffic
 /**
 * Base image for the 'act' preset when building locally.
@@ -273,7 +272,7 @@ export function generateDockerCompose(
 retries: 5,
 start_period: '10s',
 },
- ports: [`${SQUID_PORT}:${SQUID_PORT}`, `${SQUID_INTERCEPT_PORT}:${SQUID_INTERCEPT_PORT}`],
+ ports: [`${SQUID_PORT}:${SQUID_PORT}`],
 // Security hardening: Drop unnecessary capabilities
 // Squid only needs network capabilities, not system administration capabilities
 cap_drop: [
@@ -329,7 +328,6 @@ export function generateDockerCompose(
 HTTPS_PROXY: `http://${networkConfig.squidIp}:${SQUID_PORT}`,
 SQUID_PROXY_HOST: 'squid-proxy',
 SQUID_PROXY_PORT: SQUID_PORT.toString(),
- SQUID_INTERCEPT_PORT: SQUID_INTERCEPT_PORT.toString(),
 HOME: homeDir,
 PATH: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
 };
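Review bot: The rewritten ``ports: [`${SQUID_PORT}:${SQUID_PORT}`]`` line in the second hunk still publishes the proxy port with no host address, which Docker Compose binds on every host interface. The agent environment in the third hunk reaches Squid at `networkConfig.squidIp` over the compose network, so if nothing on the host needs the port, the mapping can be dropped, or limited to loopback with ``ports: [`127.0.0.1:${SQUID_PORT}:${SQUID_PORT}`],``. Whether a host-side client depends on it is not visible here, so confirm before changing. Since the intercept port and its `SQUID_INTERCEPT_PORT` environment variable are removed, it is also worth checking that the generated Squid config and any container setup script no longer reference them. The body of `generateDockerCompose` starts and ends outside this hunk.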