Skip to content

fix: create /tmp/gh-aw/mcp-logs before Docker mount #707

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
lpcox merged 3 commits into from
Feb 12, 2026
Merged

fix: create /tmp/gh-aw/mcp-logs before Docker mount #707

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
f23cea7
Initial plan
Copilot Feb 12, 2026
3e8982d
fix: create /tmp/gh-aw/mcp-logs directory before mounting
Copilot Feb 12, 2026
ce0b8b5
test: add test for /tmp/gh-aw/mcp-logs directory creation
Copilot Feb 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 19 additions & 0 deletions src/docker-manager.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1495,6 +1495,25 @@ describe('docker-manager', () => {
expect(fs.existsSync(path.join(testDir, 'squid-logs'))).toBe(true);
});

it('should create /tmp/gh-aw/mcp-logs directory', async () => {
const config: WrapperConfig = {
allowedDomains: ['github.com'],
agentCommand: 'echo test',
logLevel: 'info',
keepContainers: false,
workDir: testDir,
};

try {
await writeConfigs(config);
} catch {
// May fail, but directories should still be created
}

// Verify /tmp/gh-aw/mcp-logs directory was created
expect(fs.existsSync('/tmp/gh-aw/mcp-logs')).toBe(true);
});
Comment on lines +1498 to +1515
Copy link

Copilot AI Feb 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This test can pass even if /tmp/gh-aw/mcp-logs already existed before the test ran, so it may not actually validate the new directory-creation behavior. It also leaves /tmp/gh-aw/mcp-logs behind after the suite completes. Consider making the test hermetic by ensuring the path does not exist in setup (and cleaning it up in teardown), or by mocking/spying on fs.existsSync/fs.mkdirSync to assert the creation call happens.

Copilot uses AI. Check for mistakes.

it('should write squid.conf file', async () => {
const config: WrapperConfig = {
allowedDomains: ['github.com', 'example.com'],
Expand Down
9 changes: 9 additions & 0 deletions src/docker-manager.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -868,6 +868,15 @@ export async function writeConfigs(config: WrapperConfig): Promise<void> {
}
logger.debug(`Squid logs directory created at: ${squidLogsDir}`);

// Create /tmp/gh-aw/mcp-logs directory for hiding via /dev/null mount
// This directory must exist before Docker tries to mount /dev/null over it
// (selective mounting mode hides this directory to prevent MCP log exfiltration)
const mcpLogsDir = '/tmp/gh-aw/mcp-logs';
if (!fs.existsSync(mcpLogsDir)) {
fs.mkdirSync(mcpLogsDir, { recursive: true, mode: 0o755 });
logger.debug(`MCP logs directory created at: ${mcpLogsDir}`);
}
Comment on lines +874 to +878
Copy link

Copilot AI Feb 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fs.existsSync(mcpLogsDir) only checks that the path exists, not that it’s a directory. If /tmp/gh-aw/mcp-logs exists as a regular file (or symlink), this code will skip mkdirSync and Docker will still fail with the same “not a directory” mount error. Consider validating with fs.statSync/lstatSync and either replacing non-directories with a directory or throwing a clear error.

This issue also appears on line 871 of the same file.

Copilot uses AI. Check for mistakes.

// Use fixed network configuration (network is created by host-iptables.ts)
const networkConfig = {
subnet: '172.30.0.0/24',
Expand Down
Loading