Merged
19 changes: 19 additions & 0 deletions src/docker-manager.test.ts
Expand Up @@ -1495,6 +1495,25 @@ describe('docker-manager', () => {
expect(fs.existsSync(path.join(testDir, 'squid-logs'))).toBe(true);
});

it('should create /tmp/gh-aw/mcp-logs directory', async () => {
const config: WrapperConfig = {
allowedDomains: ['github.com'],
agentCommand: 'echo test',
logLevel: 'info',
keepContainers: false,
workDir: testDir,
};

try {
await writeConfigs(config);
} catch {
// May fail, but directories should still be created
}

// Verify /tmp/gh-aw/mcp-logs directory was created
expect(fs.existsSync('/tmp/gh-aw/mcp-logs')).toBe(true);
});
Comment on lines +1498 to +1515
Copilot AI Feb 12, 2026

This test can pass even if /tmp/gh-aw/mcp-logs already existed before the test ran, so it may not actually validate the new directory-creation behavior. It also leaves /tmp/gh-aw/mcp-logs behind after the suite completes. Consider making the test hermetic by ensuring the path does not exist in setup (and cleaning it up in teardown), or by mocking/spying on fs.existsSync/fs.mkdirSync to assert the creation call happens.

it('should write squid.conf file', async () => {
const config: WrapperConfig = {
allowedDomains: ['github.com', 'example.com'],
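Review bot: The final assertion, expect(fs.existsSync('/tmp/gh-aw/mcp-logs')).toBe(true), only proves that something exists at that path, while the mount this directory is created for needs an actual directory; assert fs.lstatSync('/tmp/gh-aw/mcp-logs').isDirectory() instead. The empty catch around writeConfigs(config) also swallows every failure, including one thrown while creating the directory, so a permissions error would surface only as a bare false from existsSync; capture the error and include it in the failure message. Unlike the squid-logs assertion in the preceding test, which is scoped to testDir, this check targets a fixed location in shared /tmp.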
9 changes: 9 additions & 0 deletions src/docker-manager.ts
Expand Up @@ -868,6 +868,15 @@ export async function writeConfigs(config: WrapperConfig): Promise<void> {
}
logger.debug(`Squid logs directory created at: ${squidLogsDir}`);

// Create /tmp/gh-aw/mcp-logs directory for hiding via /dev/null mount
// This directory must exist before Docker tries to mount /dev/null over it
// (selective mounting mode hides this directory to prevent MCP log exfiltration)
const mcpLogsDir = '/tmp/gh-aw/mcp-logs';
if (!fs.existsSync(mcpLogsDir)) {
fs.mkdirSync(mcpLogsDir, { recursive: true, mode: 0o755 });
logger.debug(`MCP logs directory created at: ${mcpLogsDir}`);
}
Comment on lines +874 to +878
Copilot AI Feb 12, 2026

fs.existsSync(mcpLogsDir) only checks that the path exists, not that it’s a directory. If /tmp/gh-aw/mcp-logs exists as a regular file (or symlink), this code will skip mkdirSync and Docker will still fail with the same “not a directory” mount error. Consider validating with fs.statSync/lstatSync and either replacing non-directories with a directory or throwing a clear error.

This issue also appears on line 871 of the same file.

// Use fixed network configuration (network is created by host-iptables.ts)
const networkConfig = {
subnet: '172.30.0.0/24',
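Review bot: The existsSync guard in front of fs.mkdirSync(mcpLogsDir, { recursive: true, mode: 0o755 }) is a check-then-act on a fixed, predictable path under world-writable /tmp, and the code comment states that hiding the MCP logs depends on this path being a directory at mount time. With recursive: true, mkdirSync already succeeds when the directory exists, so the guard can be dropped; follow the call with fs.lstatSync(mcpLogsDir) and fail with a clear error if the result is a symlink or not a directory, and consider verifying that the directory is owned by the current user, since another local user could have created /tmp/gh-aw first. The mode argument is also filtered through the process umask, so 0o755 is an upper bound on the permissions rather than a guarantee; the debug log should run whether or not the directory was newly created so the path is always recorded.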
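One way to implement the directory-type validation suggested in the review comments above, as an added example that is not code from this PR or the project. `ensureRealDirectory` and `runScenarios` are hypothetical names, and the scenarios run in a constructed temp directory rather than at `/tmp/gh-aw/mcp-logs`.

```typescript
import * as fs from 'fs';
import * as os from 'os';
import * as path from 'path';

// Hypothetical helper, not part of the PR: guarantee that `dir` is a real
// directory (not a regular file, not a symlink) before it is used as a
// mount target. Ownership checks and races in a shared /tmp are out of scope.
export function ensureRealDirectory(dir: string, mode = 0o755): 'created' | 'existed' {
  let st: fs.Stats | undefined;
  try {
    st = fs.lstatSync(dir); // lstat does not follow a symlink at the last component
  } catch (err) {
    if ((err as NodeJS.ErrnoException).code !== 'ENOENT') throw err;
  }
  const outcome = st === undefined ? 'created' : 'existed';
  if (st === undefined) {
    fs.mkdirSync(dir, { recursive: true, mode });
    st = fs.lstatSync(dir); // re-inspect what is at the path now
  }
  if (st.isSymbolicLink()) throw new Error(`refusing symlink at ${dir}`);
  if (!st.isDirectory()) throw new Error(`not a directory: ${dir}`);
  return outcome;
}

// Constructed scenarios in a throwaway temp directory, one per pre-existing state.
export function runScenarios(): { missing: string; existing: string; regularFile: string; symlink: string } {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'mcp-logs-demo-'));
  const attempt = (p: string): string => {
    try {
      return ensureRealDirectory(p);
    } catch (e) {
      return `rejected: ${(e as Error).message}`;
    }
  };
  try {
    const target = path.join(root, 'gh-aw', 'mcp-logs');
    const missing = attempt(target); // nothing there yet, parents are created too
    const existing = attempt(target); // second call is idempotent
    fs.writeFileSync(path.join(root, 'file'), '');
    const regularFile = attempt(path.join(root, 'file'));
    fs.symlinkSync(path.join(root, 'gh-aw'), path.join(root, 'link'));
    const symlink = attempt(path.join(root, 'link'));
    return { missing, existing, regularFile, symlink };
  } finally {
    fs.rmSync(root, { recursive: true, force: true });
  }
}
```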