diff --git a/src/docker-manager.test.ts b/src/docker-manager.test.ts
index c893353d..882d38cb 100644
--- a/src/docker-manager.test.ts
+++ b/src/docker-manager.test.ts
@@ -1495,6 +1495,25 @@ describe('docker-manager', () => {
 expect(fs.existsSync(path.join(testDir, 'squid-logs'))).toBe(true);
 });
+ it('should create /tmp/gh-aw/mcp-logs directory', async () => {
+ const config: WrapperConfig = {
+ allowedDomains: ['github.com'],
+ agentCommand: 'echo test',
+ logLevel: 'info',
+ keepContainers: false,
+ workDir: testDir,
+ };
+
+ try {
+ await writeConfigs(config);
+ } catch {
+ // May fail, but directories should still be created
+ }
+
+ // Verify /tmp/gh-aw/mcp-logs directory was created
+ expect(fs.existsSync('/tmp/gh-aw/mcp-logs')).toBe(true);
+ });
+
 it('should write squid.conf file', async () => {
 const config: WrapperConfig = {
 allowedDomains: ['github.com', 'example.com'],
diff --git a/src/docker-manager.ts b/src/docker-manager.ts
index e1584b0a..b1a84d84 100644
--- a/src/docker-manager.ts
+++ b/src/docker-manager.ts
@@ -868,6 +868,15 @@ export async function writeConfigs(config: WrapperConfig): Promise {
 }
 logger.debug(`Squid logs directory created at: ${squidLogsDir}`);
+ // Create /tmp/gh-aw/mcp-logs directory for hiding via /dev/null mount
+ // This directory must exist before Docker tries to mount /dev/null over it
+ // (selective mounting mode hides this directory to prevent MCP log exfiltration)
+ const mcpLogsDir = '/tmp/gh-aw/mcp-logs';
+ if (!fs.existsSync(mcpLogsDir)) {
+ fs.mkdirSync(mcpLogsDir, { recursive: true, mode: 0o755 });
+ logger.debug(`MCP logs directory created at: ${mcpLogsDir}`);
+ }
+
 // Use fixed network configuration (network is created by host-iptables.ts)
 const networkConfig = {
 subnet: '172.30.0.0/24',
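Review bot: The closing `expect(fs.existsSync('/tmp/gh-aw/mcp-logs')).toBe(true)` passes whenever that fixed path already exists on the host, for example after an earlier run, so the new test does not show that `writeConfigs` created it. The empty `catch` also lets the test pass if `writeConfigs` throws before reaching the directory step on such a host. The path sits outside `testDir`, so as far as this hunk shows nothing removes it afterwards and the test leaves state in shared `/tmp`. Asserting through a spy that `fs.mkdirSync` was called with `'/tmp/gh-aw/mcp-logs'` would pin the behaviour without depending on host state.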
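Review bot: The `if (!fs.existsSync(mcpLogsDir))` guard accepts whatever already sits at `/tmp/gh-aw/mcp-logs`, including a symlink or regular file left by another local account in world-writable `/tmp`. The added comment says this path backs a control against MCP log exfiltration. Calling `fs.mkdirSync(mcpLogsDir, { recursive: true, mode: 0o755 })` unconditionally is a no-op for an existing directory, and it can be followed by `if (!fs.lstatSync(mcpLogsDir).isDirectory()) throw new Error('mcp-logs path is not a directory');` so a symlink or file fails closed. `mode` is filtered by the process umask and `0o755` leaves the directory world-readable; whether `0o700` is workable depends on which account writes the logs, which this hunk does not show. `writeConfigs` begins and ends outside the hunk, so the mount that consumes this directory is not visible here.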