From 832a7670af3abdf6b26c87d784836559700f60eb Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 12 Feb 2026 03:55:28 +0000
Subject: [PATCH 1/3] Initial plan
From a228abf079918aeff110c6af7d748a44c8ddfcc1 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 12 Feb 2026 04:01:14 +0000
Subject: [PATCH 2/3] fix: set /tmp/gh-aw/mcp-logs to world-writable (0o777)
Fixes permission denied error when GitHub Actions workflows try to create subdirectories in /tmp/gh-aw/mcp-logs after AWF runs with sudo.
Changes:
- Set directory permissions to 0o777 (rwxrwxrwx) instead of 0o755
- Explicitly call chmodSync after mkdirSync to bypass umask
- Fix permissions if directory already exists from previous run
- Update test to verify 777 permissions
Root cause: When AWF runs with sudo (e.g., --enable-chroot), it creates /tmp/gh-aw/mcp-logs owned by root. With 755 permissions, non-root users cannot create subdirectories. Using 777 allows workflows to create subdirectories like /tmp/gh-aw/mcp-logs/safeoutputs without sudo.
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
---
 src/docker-manager.test.ts | 4 +++-
 src/docker-manager.ts | 10 +++++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/src/docker-manager.test.ts b/src/docker-manager.test.ts
index ddaa4cd4..9ef80eff 100644
--- a/src/docker-manager.test.ts
+++ b/src/docker-manager.test.ts
@@ -1495,7 +1495,7 @@ describe('docker-manager', () => {
 expect(fs.existsSync(path.join(testDir, 'squid-logs'))).toBe(true);
 });
- it('should create /tmp/gh-aw/mcp-logs directory', async () => {
+ it('should create /tmp/gh-aw/mcp-logs directory with world-writable permissions', async () => {
 const config: WrapperConfig = {
 allowedDomains: ['github.com'],
 agentCommand: 'echo test',
@@ -1514,6 +1514,8 @@ describe('docker-manager', () => {
 expect(fs.existsSync('/tmp/gh-aw/mcp-logs')).toBe(true);
 const stats = fs.statSync('/tmp/gh-aw/mcp-logs');
 expect(stats.isDirectory()).toBe(true);
+ // Verify permissions are 0o777 (rwxrwxrwx) to allow non-root users to create subdirectories
+ expect((stats.mode & 0o777).toString(8)).toBe('777');
 });
 it('should write squid.conf file', async () => {
diff --git a/src/docker-manager.ts b/src/docker-manager.ts
index 94032ccb..92ef204c 100644
--- a/src/docker-manager.ts
+++ b/src/docker-manager.ts
@@ -878,10 +878,18 @@ export async function writeConfigs(config: WrapperConfig): Promise {
 // Create /tmp/gh-aw/mcp-logs directory
 // This directory exists on the HOST for MCP gateway to write logs
 // Inside the AWF container, it's hidden via tmpfs mount (see generateDockerCompose)
+ // Uses mode 0o777 to allow GitHub Actions workflows and MCP gateway to create subdirectories
+ // even when AWF runs as root (e.g., sudo awf --enable-chroot)
 const mcpLogsDir = '/tmp/gh-aw/mcp-logs';
 if (!fs.existsSync(mcpLogsDir)) {
- fs.mkdirSync(mcpLogsDir, { recursive: true, mode: 0o755 });
+ fs.mkdirSync(mcpLogsDir, { recursive: true, mode: 0o777 });
+ // Explicitly set permissions to 0o777 (not affected by umask)
+ fs.chmodSync(mcpLogsDir, 0o777);
 logger.debug(`MCP logs directory created at: ${mcpLogsDir}`);
+ } else {
+ // Fix permissions if directory already exists (e.g., created by a previous run)
+ fs.chmodSync(mcpLogsDir, 0o777);
+ logger.debug(`MCP logs directory permissions fixed at: ${mcpLogsDir}`);
 }
 // Use fixed network configuration (network is created by host-iptables.ts)
From 10134c40d069219f280d9902e887046921f73c33 Mon Sep 17 00:00:00 2001
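Review bot: This assertion runs against the shared host path `/tmp/gh-aw/mcp-logs`, so it only exercises whichever branch of `writeConfigs` matches the state an earlier run left behind, and the new else-branch (directory already present) has no deterministic coverage. If the directory is still owned by another user, for example root after a sudo run, `chmodSync` in that branch will most likely throw EPERM before this `expect` is reached. Forcing the starting state before the call that creates the directory, e.g. `fs.mkdirSync('/tmp/gh-aw/mcp-logs', { recursive: true }); fs.chmodSync('/tmp/gh-aw/mcp-logs', 0o755);`, would cover the fix-up path. The masked comparison `stats.mode & 0o777` ignores the sticky bit, so it would keep passing if the mode were tightened to `0o1777`. The test body between the two hunks is not visible here.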
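Review bot: Both `fs.chmodSync(mcpLogsDir, 0o777)` calls follow symlinks and act on a fixed path under world-writable `/tmp`, so when AWF runs under sudo the mode change is applied as root to whatever already sits at `/tmp/gh-aw/mcp-logs`; `existsSync` does not tell a real directory from a link. Mode `0o777` without the sticky bit also lets any local user delete or replace another user's log subdirectories. I would open the path with `O_DIRECTORY | O_NOFOLLOW`, apply `0o1777` through `fchmodSync`, and treat EPERM as non-fatal, since a non-root run that finds a root-owned directory from an earlier sudo run would otherwise now fail in the else branch. This guards only the final path component; `/tmp/gh-aw` itself is not checked in this hunk, and `writeConfigs` continues outside it.

```typescript
const mcpLogsDir = '/tmp/gh-aw/mcp-logs';
// … unchanged: mkdirSync when the directory is missing …
// O_DIRECTORY | O_NOFOLLOW: fail instead of following a symlink or touching a non-directory
const mcpLogsFd = fs.openSync(
  mcpLogsDir,
  fs.constants.O_RDONLY | fs.constants.O_DIRECTORY | fs.constants.O_NOFOLLOW
);
try {
  // Sticky bit, as on /tmp: anyone may create entries, only their owner may remove them
  fs.fchmodSync(mcpLogsFd, 0o1777);
} catch (err: unknown) {
  // A non-owner cannot chmod a directory left by a sudo run; keep its current mode
  if ((err as NodeJS.ErrnoException).code !== 'EPERM') throw err;
  logger.debug(`MCP logs directory not owned by current user, mode unchanged: ${mcpLogsDir}`);
} finally {
  fs.closeSync(mcpLogsFd);
}
```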
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 12 Feb 2026 04:02:59 +0000
Subject: [PATCH 3/3] fix: ensure squid logs dir has 777 permissions
Apply same fix to squidLogsDir for consistency with mcpLogsDir. Explicitly calls chmodSync to bypass umask effects.
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
---
 src/docker-manager.ts | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/docker-manager.ts b/src/docker-manager.ts
index 92ef204c..22f517ea 100644
--- a/src/docker-manager.ts
+++ b/src/docker-manager.ts
@@ -872,6 +872,8 @@ export async function writeConfigs(config: WrapperConfig): Promise {
 const squidLogsDir = config.proxyLogsDir || path.join(config.workDir, 'squid-logs');
 if (!fs.existsSync(squidLogsDir)) {
 fs.mkdirSync(squidLogsDir, { recursive: true, mode: 0o777 });
+ // Explicitly set permissions to 0o777 (not affected by umask)
+ fs.chmodSync(squidLogsDir, 0o777);
 }
 logger.debug(`Squid logs directory created at: ${squidLogsDir}`);
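Review bot: The added `fs.chmodSync(squidLogsDir, 0o777)` makes the proxy log directory effectively world-writable, where the existing `mode: 0o777` was typically trimmed by the umask, so any local user on the host can now delete or replace Squid's log files. Those logs are the record of what the firewall allowed, so I would not widen them for consistency alone; if only the Squid container user needs write access, giving that uid ownership with `fs.chownSync`, or at least using `fs.chmodSync(squidLogsDir, 0o1777)`, keeps the directory usable without letting other users remove entries. `squidLogsDir` can come from `config.proxyLogsDir`, so this chmod may land on a caller-supplied path, although only when the directory did not exist before. The unchanged `logger.debug` after the `if` still reports the directory as created on every run, and a comment stating who is expected to write here would help the next reader.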