diff --git a/.claude/skills/awf-skill/SKILL.md b/.claude/skills/awf-skill/SKILL.md index d13d732b..aca24601 100644 --- a/.claude/skills/awf-skill/SKILL.md +++ b/.claude/skills/awf-skill/SKILL.md @@ -96,7 +96,6 @@ Container Options: Advanced Options: --ssl-bump Enable HTTPS content inspection --allow-urls URL patterns for SSL Bump (requires --ssl-bump) - --enable-chroot Enable chroot for host binaries Debugging Options: --log-level Log level: debug, info, warn, error @@ -195,11 +194,11 @@ sudo awf --allow-domains github.com \ -- cat /data/config.json ``` -### 6. Use Chroot Mode for Host Binaries +### 6. Use Host Binaries (Chroot Mode is Always On) ```bash -# Access host Python, Node, Go, etc. -sudo awf --enable-chroot --allow-domains api.github.com \ +# Access host Python, Node, Go, etc. (chroot mode is the default) +sudo awf --allow-domains api.github.com \ -- python3 -c "import requests; print(requests.get('https://api.github.com').status_code)" ``` diff --git a/.github/workflows/build-test-bun.lock.yml b/.github/workflows/build-test-bun.lock.yml index 5f784525..dd884199 100644 --- a/.github/workflows/build-test-bun.lock.yml +++ b/.github/workflows/build-test-bun.lock.yml 
@@ -630,7 +630,7 @@ jobs: timeout-minutes: 15 run: | set -o pipefail - sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.githubusercontent.com,*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --build-local \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains 
'*.githubusercontent.com,*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --build-local \ -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: diff --git a/.github/workflows/build-test-cpp.lock.yml b/.github/workflows/build-test-cpp.lock.yml index e1ce138e..7585b25a 100644 
--- a/.github/workflows/build-test-cpp.lock.yml
+++ b/.github/workflows/build-test-cpp.lock.yml
@@ -630,7 +630,7 @@ jobs: timeout-minutes: 30 run: | set -o pipefail - sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --build-local \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains 
'*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --build-local \ -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: diff --git a/.github/workflows/build-test-deno.lock.yml b/.github/workflows/build-test-deno.lock.yml index a972aecc..36f3490f 100644 --- a/.github/workflows/build-test-deno.lock.yml +++ b/.github/workflows/build-test-deno.lock.yml 
@@ -630,7 +630,7 @@ jobs: timeout-minutes: 15 run: | set -o pipefail - sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.githubusercontent.com,*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,dl.deno.land,get.pnpm.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --build-local \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains 
'*.githubusercontent.com,*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,dl.deno.land,get.pnpm.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --build-local \ -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: diff --git a/.github/workflows/build-test-dotnet.lock.yml b/.github/workflows/build-test-dotnet.lock.yml index d2682554..cb26a077 100644 
--- a/.github/workflows/build-test-dotnet.lock.yml
+++ b/.github/workflows/build-test-dotnet.lock.yml
@@ -634,7 +634,7 @@ jobs: timeout-minutes: 15 run: | set -o pipefail - sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.nuget.org,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,azuresearch-usnc.nuget.org,azuresearch-ussc.nuget.org,builds.dotnet.microsoft.com,ci.dot.net,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,dc.services.visualstudio.com,dist.nuget.org,dot.net,dotnet.microsoft.com,dotnetcli.blob.core.windows.net,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,nuget.org,nuget.pkg.github.com,nugetregistryv2prod.blob.core.windows.net,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,oneocsp.microsoft.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkgs.dev.azure.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.microsoft.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --build-local \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains 
'*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.nuget.org,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,azuresearch-usnc.nuget.org,azuresearch-ussc.nuget.org,builds.dotnet.microsoft.com,ci.dot.net,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,dc.services.visualstudio.com,dist.nuget.org,dot.net,dotnet.microsoft.com,dotnetcli.blob.core.windows.net,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,nuget.org,nuget.pkg.github.com,nugetregistryv2prod.blob.core.windows.net,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,oneocsp.microsoft.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkgs.dev.azure.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.microsoft.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --build-local \ -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: 
diff --git a/.github/workflows/build-test-go.lock.yml b/.github/workflows/build-test-go.lock.yml
index b5b57499..0862a05a 100644
--- a/.github/workflows/build-test-go.lock.yml
+++ b/.github/workflows/build-test-go.lock.yml
@@ -636,7 +636,7 @@ jobs: timeout-minutes: 15 run: | set -o pipefail - sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,go.dev,golang.org,goproxy.io,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkg.go.dev,ppa.launchpad.net,proxy.golang.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sum.golang.org,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --build-local \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains 
'*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,go.dev,golang.org,goproxy.io,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkg.go.dev,ppa.launchpad.net,proxy.golang.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sum.golang.org,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --build-local \ -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: diff --git a/.github/workflows/build-test-java.lock.yml b/.github/workflows/build-test-java.lock.yml index 20e2ce0f..cf0f60fb 100644 --- a/.github/workflows/build-test-java.lock.yml +++ b/.github/workflows/build-test-java.lock.yml 
@@ -635,7 +635,7 @@ jobs: timeout-minutes: 15 run: | set -o pipefail - sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.githubusercontent.com,adoptium.net,api.adoptium.net,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.foojay.io,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.apache.org,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.azul.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,dlcdn.apache.org,download.eclipse.org,download.java.net,download.oracle.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,gradle.org,host.docker.internal,jcenter.bintray.com,jdk.java.net,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,maven.apache.org,maven.oracle.com,maven.pkg.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,plugins-artifacts.gradle.org,plugins.gradle.org,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,repo.grails.org,repo.maven.apache.org,repo.spring.io,repo1.maven.org,s.symcb.com,s.symcd.com,security.ubuntu.com,services.gradle.org,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.java.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --build-local \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains 
'*.githubusercontent.com,adoptium.net,api.adoptium.net,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.foojay.io,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.apache.org,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.azul.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,dlcdn.apache.org,download.eclipse.org,download.java.net,download.oracle.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,gradle.org,host.docker.internal,jcenter.bintray.com,jdk.java.net,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,maven.apache.org,maven.oracle.com,maven.pkg.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,plugins-artifacts.gradle.org,plugins.gradle.org,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,repo.grails.org,repo.maven.apache.org,repo.spring.io,repo1.maven.org,s.symcb.com,s.symcd.com,security.ubuntu.com,services.gradle.org,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.java.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --build-local \ -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: 
diff --git a/.github/workflows/build-test-node.lock.yml b/.github/workflows/build-test-node.lock.yml
index c409d18c..8418f7c1 100644
--- a/.github/workflows/build-test-node.lock.yml
+++ b/.github/workflows/build-test-node.lock.yml
@@ -635,7 +635,7 @@ jobs: timeout-minutes: 15 run: | set -o pipefail - sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.githubusercontent.com,*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --build-local \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains 
'*.githubusercontent.com,*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --build-local \ -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: diff --git a/.github/workflows/build-test-rust.lock.yml b/.github/workflows/build-test-rust.lock.yml index 6f2e5a34..496ad312 100644 
--- a/.github/workflows/build-test-rust.lock.yml
+++ b/.github/workflows/build-test-rust.lock.yml
@@ -630,7 +630,7 @@ jobs: timeout-minutes: 30 run: | set -o pipefail - sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crates.io,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,index.crates.io,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sh.rustup.rs,static.crates.io,static.rust-lang.org,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --build-local \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains 
'*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crates.io,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,index.crates.io,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sh.rustup.rs,static.crates.io,static.rust-lang.org,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --build-local \ -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: diff --git a/.github/workflows/ci-cd-gaps-assessment.lock.yml b/.github/workflows/ci-cd-gaps-assessment.lock.yml index a0459b21..0cfa16e8 100644 --- a/.github/workflows/ci-cd-gaps-assessment.lock.yml +++ b/.github/workflows/ci-cd-gaps-assessment.lock.yml 
@@ -99,10 +99,6 @@ jobs: - name: Checkout .github and .agents folders uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: - sparse-checkout: | - .github - .agents - depth: 1 persist-credentials: false - name: Create gh-aw temp directory run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh @@ -138,8 +134,31 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.12 + - name: Install awf dependencies + run: npm ci + - name: Build awf + run: npm run build + - name: Install awf binary (local) + run: | + WORKSPACE_PATH="${GITHUB_WORKSPACE:-$(pwd)}" + NODE_BIN="$(command -v node)" + if [ ! -d "$WORKSPACE_PATH" ]; then + echo "Workspace path not found: $WORKSPACE_PATH" + exit 1 + fi + if [ ! -x "$NODE_BIN" ]; then + echo "Node binary not found: $NODE_BIN" + exit 1 + fi + if [ ! -d "/usr/local/bin" ]; then + echo "/usr/local/bin is missing" + exit 1 + fi + sudo tee /usr/local/bin/awf > /dev/null <&1 | tee /tmp/gh-aw/agent-stdio.log env: diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index a8a08802..cc3b737b 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -131,10 +131,6 @@ jobs: - name: Checkout .github and .agents folders uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: - sparse-checkout: | - .github - .agents - depth: 1 persist-credentials: false - name: Create gh-aw temp directory run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh 
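Review bot: The step in the `@@ -99,10 +99,6 @@` hunk of ci-cd-gaps-assessment.lock.yml is still named `Checkout .github and .agents folders`, but with the `sparse-checkout` block removed it now checks out the whole repository, so the name no longer describes what lands in the workspace. That matters when reasoning about what later steps in the job can read: the full source tree, not just two config folders, is now on disk, presumably because the next hunk builds awf from the checkout with `npm ci` and `npm run build`. I would rename the step to `- name: Checkout repository` and add a comment such as `# full checkout: awf is built from this tree below`, keeping `persist-credentials: false` as it is. The same rename applies to the identical hunks in ci-doctor, cli-flag-consistency-checker, dependency-security-monitor and doc-maintainer; since these `.lock.yml` files look generated, the change likely belongs in whatever produces them.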
@@ -181,8 +177,31 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.12 + - name: Install awf dependencies + run: npm ci + - name: Build awf + run: npm run build + - name: Install awf binary (local) + run: | + WORKSPACE_PATH="${GITHUB_WORKSPACE:-$(pwd)}" + NODE_BIN="$(command -v node)" + if [ ! -d "$WORKSPACE_PATH" ]; then + echo "Workspace path not found: $WORKSPACE_PATH" + exit 1 + fi + if [ ! -x "$NODE_BIN" ]; then + echo "Node binary not found: $NODE_BIN" + exit 1 + fi + if [ ! -d "/usr/local/bin" ]; then + echo "/usr/local/bin is missing" + exit 1 + fi + sudo tee /usr/local/bin/awf > /dev/null <&1 | tee /tmp/gh-aw/agent-stdio.log env: diff --git a/.github/workflows/cli-flag-consistency-checker.lock.yml b/.github/workflows/cli-flag-consistency-checker.lock.yml index 3099da3b..e7dbb844 100644 --- a/.github/workflows/cli-flag-consistency-checker.lock.yml +++ b/.github/workflows/cli-flag-consistency-checker.lock.yml @@ -94,10 +94,6 @@ jobs: - name: Checkout .github and .agents folders uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: - sparse-checkout: | - .github - .agents - depth: 1 persist-credentials: false - name: Create gh-aw temp directory run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh 
@@ -133,8 +129,31 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.12 + - name: Install awf dependencies + run: npm ci + - name: Build awf + run: npm run build + - name: Install awf binary (local) + run: | + WORKSPACE_PATH="${GITHUB_WORKSPACE:-$(pwd)}" + NODE_BIN="$(command -v node)" + if [ ! -d "$WORKSPACE_PATH" ]; then + echo "Workspace path not found: $WORKSPACE_PATH" + exit 1 + fi + if [ ! -x "$NODE_BIN" ]; then + echo "Node binary not found: $NODE_BIN" + exit 1 + fi + if [ ! -d "/usr/local/bin" ]; then + echo "/usr/local/bin is missing" + exit 1 + fi + sudo tee /usr/local/bin/awf > /dev/null <&1 | tee /tmp/gh-aw/agent-stdio.log env: diff --git a/.github/workflows/dependency-security-monitor.lock.yml b/.github/workflows/dependency-security-monitor.lock.yml index 896e0797..34299c30 100644 --- a/.github/workflows/dependency-security-monitor.lock.yml +++ b/.github/workflows/dependency-security-monitor.lock.yml @@ -101,10 +101,6 @@ jobs: - name: Checkout .github and .agents folders uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: - sparse-checkout: | - .github - .agents - depth: 1 persist-credentials: false - name: Create gh-aw temp directory run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh 
@@ -140,8 +136,31 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.12 + - name: Install awf dependencies + run: npm ci + - name: Build awf + run: npm run build + - name: Install awf binary (local) + run: | + WORKSPACE_PATH="${GITHUB_WORKSPACE:-$(pwd)}" + NODE_BIN="$(command -v node)" + if [ ! -d "$WORKSPACE_PATH" ]; then + echo "Workspace path not found: $WORKSPACE_PATH" + exit 1 + fi + if [ ! -x "$NODE_BIN" ]; then + echo "Node binary not found: $NODE_BIN" + exit 1 + fi + if [ ! -d "/usr/local/bin" ]; then + echo "/usr/local/bin is missing" + exit 1 + fi + sudo tee /usr/local/bin/awf > /dev/null <&1 | tee /tmp/gh-aw/agent-stdio.log env: diff --git a/.github/workflows/doc-maintainer.lock.yml b/.github/workflows/doc-maintainer.lock.yml index 2693baa3..c60d6d1e 100644 --- a/.github/workflows/doc-maintainer.lock.yml +++ b/.github/workflows/doc-maintainer.lock.yml @@ -99,10 +99,6 @@ jobs: - name: Checkout .github and .agents folders uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: - sparse-checkout: | - .github - .agents - depth: 1 persist-credentials: false - name: Create gh-aw temp directory run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh 
@@ -138,8 +134,31 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.12 + - name: Install awf dependencies + run: npm ci + - name: Build awf + run: npm run build + - name: Install awf binary (local) + run: | + WORKSPACE_PATH="${GITHUB_WORKSPACE:-$(pwd)}" + NODE_BIN="$(command -v node)" + if [ ! -d "$WORKSPACE_PATH" ]; then + echo "Workspace path not found: $WORKSPACE_PATH" + exit 1 + fi + if [ ! -x "$NODE_BIN" ]; then + echo "Node binary not found: $NODE_BIN" + exit 1 + fi + if [ ! -d "/usr/local/bin" ]; then + echo "/usr/local/bin is missing" + exit 1 + fi + sudo tee /usr/local/bin/awf > /dev/null <&1 | tee /tmp/gh-aw/agent-stdio.log env: diff --git a/.github/workflows/issue-duplication-detector.lock.yml b/.github/workflows/issue-duplication-detector.lock.yml index fc82dd3d..2fd53a9f 100644 --- a/.github/workflows/issue-duplication-detector.lock.yml +++ b/.github/workflows/issue-duplication-detector.lock.yml @@ -97,10 +97,6 @@ jobs: - name: Checkout .github and .agents folders uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: - sparse-checkout: | - .github - .agents - depth: 1 persist-credentials: false - name: Create gh-aw temp directory run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh 
@@ -148,8 +144,31 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.12 + - name: Install awf dependencies + run: npm ci + - name: Build awf + run: npm run build + - name: Install awf binary (local) + run: | + WORKSPACE_PATH="${GITHUB_WORKSPACE:-$(pwd)}" + NODE_BIN="$(command -v node)" + if [ ! -d "$WORKSPACE_PATH" ]; then + echo "Workspace path not found: $WORKSPACE_PATH" + exit 1 + fi + if [ ! -x "$NODE_BIN" ]; then + echo "Node binary not found: $NODE_BIN" + exit 1 + fi + if [ ! -d "/usr/local/bin" ]; then + echo "/usr/local/bin is missing" + exit 1 + fi + sudo tee /usr/local/bin/awf > /dev/null <&1 | tee /tmp/gh-aw/agent-stdio.log env: diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index 1a87fd43..8d96f7a6 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -106,10 +106,6 @@ jobs: - name: Checkout .github and .agents folders uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: - sparse-checkout: | - .github - .agents - depth: 1 persist-credentials: false - name: Create gh-aw temp directory run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh 
@@ -145,8 +141,31 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.12 + - name: Install awf dependencies + run: npm ci + - name: Build awf + run: npm run build + - name: Install awf binary (local) + run: | + WORKSPACE_PATH="${GITHUB_WORKSPACE:-$(pwd)}" + NODE_BIN="$(command -v node)" + if [ ! -d "$WORKSPACE_PATH" ]; then + echo "Workspace path not found: $WORKSPACE_PATH" + exit 1 + fi + if [ ! -x "$NODE_BIN" ]; then + echo "Node binary not found: $NODE_BIN" + exit 1 + fi + if [ ! -d "/usr/local/bin" ]; then + echo "/usr/local/bin is missing" + exit 1 + fi + sudo tee /usr/local/bin/awf > /dev/null <&1 | tee /tmp/gh-aw/agent-stdio.log env: diff --git a/.github/workflows/pelis-agent-factory-advisor.lock.yml b/.github/workflows/pelis-agent-factory-advisor.lock.yml index ef03a0d0..4163383f 100644 --- a/.github/workflows/pelis-agent-factory-advisor.lock.yml +++ b/.github/workflows/pelis-agent-factory-advisor.lock.yml @@ -100,10 +100,6 @@ jobs: - name: Checkout .github and .agents folders uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: - sparse-checkout: | - .github - .agents - depth: 1 persist-credentials: false - name: Create gh-aw temp directory run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh 
@@ -150,8 +146,31 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.12 + - name: Install awf dependencies + run: npm ci + - name: Build awf + run: npm run build + - name: Install awf binary (local) + run: | + WORKSPACE_PATH="${GITHUB_WORKSPACE:-$(pwd)}" + NODE_BIN="$(command -v node)" + if [ ! -d "$WORKSPACE_PATH" ]; then + echo "Workspace path not found: $WORKSPACE_PATH" + exit 1 + fi + if [ ! -x "$NODE_BIN" ]; then + echo "Node binary not found: $NODE_BIN" + exit 1 + fi + if [ ! -d "/usr/local/bin" ]; then + echo "/usr/local/bin is missing" + exit 1 + fi + sudo tee /usr/local/bin/awf > /dev/null <&1 | tee /tmp/gh-aw/agent-stdio.log env: diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index be7770b4..b6209cbb 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -128,10 +128,6 @@ jobs: - name: Checkout .github and .agents folders uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: - sparse-checkout: | - .github - .agents - depth: 1 persist-credentials: false - name: Create gh-aw temp directory run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh 
@@ -167,8 +163,31 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.12 + - name: Install awf dependencies + run: npm ci + - name: Build awf + run: npm run build + - name: Install awf binary (local) + run: | + WORKSPACE_PATH="${GITHUB_WORKSPACE:-$(pwd)}" + NODE_BIN="$(command -v node)" + if [ ! -d "$WORKSPACE_PATH" ]; then + echo "Workspace path not found: $WORKSPACE_PATH" + exit 1 + fi + if [ ! -x "$NODE_BIN" ]; then + echo "Node binary not found: $NODE_BIN" + exit 1 + fi + if [ ! -d "/usr/local/bin" ]; then + echo "/usr/local/bin is missing" + exit 1 + fi + sudo tee /usr/local/bin/awf > /dev/null <&1 | tee /tmp/gh-aw/agent-stdio.log env: diff --git a/.github/workflows/security-guard.lock.yml b/.github/workflows/security-guard.lock.yml index 32c5e730..44510b07 100644 --- a/.github/workflows/security-guard.lock.yml +++ b/.github/workflows/security-guard.lock.yml @@ -96,10 +96,6 @@ jobs: - name: Checkout .github and .agents folders uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: - sparse-checkout: | - .github - .agents - depth: 1 persist-credentials: false - name: Create gh-aw temp directory run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh 
@@ -139,8 +135,31 @@ jobs: with: node-version: '24' package-manager-cache: false - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.12 + - name: Install awf dependencies + run: npm ci + - name: Build awf + run: npm run build + - name: Install awf binary (local) + run: | + WORKSPACE_PATH="${GITHUB_WORKSPACE:-$(pwd)}" + NODE_BIN="$(command -v node)" + if [ ! -d "$WORKSPACE_PATH" ]; then + echo "Workspace path not found: $WORKSPACE_PATH" + exit 1 + fi + if [ ! -x "$NODE_BIN" ]; then + echo "Node binary not found: $NODE_BIN" + exit 1 + fi + if [ ! -d "/usr/local/bin" ]; then + echo "/usr/local/bin is missing" + exit 1 + fi + sudo tee /usr/local/bin/awf > /dev/null <&1 | tee -a /tmp/gh-aw/agent-stdio.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index 18360c1a..79711cd5 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml @@ -101,10 +101,6 @@ jobs: - name: Checkout .github and .agents folders uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: - sparse-checkout: | - .github - .agents - depth: 1 persist-credentials: false - name: Create gh-aw temp directory run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh 
@@ -151,8 +147,31 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.12 + - name: Install awf dependencies + run: npm ci + - name: Build awf + run: npm run build + - name: Install awf binary (local) + run: | + WORKSPACE_PATH="${GITHUB_WORKSPACE:-$(pwd)}" + NODE_BIN="$(command -v node)" + if [ ! -d "$WORKSPACE_PATH" ]; then + echo "Workspace path not found: $WORKSPACE_PATH" + exit 1 + fi + if [ ! -x "$NODE_BIN" ]; then + echo "Node binary not found: $NODE_BIN" + exit 1 + fi + if [ ! -d "/usr/local/bin" ]; then + echo "/usr/local/bin is missing" + exit 1 + fi + sudo tee /usr/local/bin/awf > /dev/null <&1 | tee /tmp/gh-aw/agent-stdio.log env: diff --git a/.github/workflows/smoke-chroot.lock.yml b/.github/workflows/smoke-chroot.lock.yml index 7fff328c..9ac95aff 100644 --- a/.github/workflows/smoke-chroot.lock.yml +++ b/.github/workflows/smoke-chroot.lock.yml @@ -19,7 +19,7 @@ # gh aw compile # For more information: https://github.com/github/gh-aw/blob/main/.github/aw/github-agentic-workflows.md # -# Smoke test workflow that validates the --enable-chroot feature by testing host binary access and comparing versions +# Smoke test workflow that validates the feature by testing host binary access and comparing versions # # frontmatter-hash: 6c23bed48392b5bec3e9f49fb0242a36a3e2c12032bf0e4d5bcf8cfd172ae2a9 
@@ -79,7 +79,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_NAME: "Smoke Chroot" - GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e Tested by [{workflow_name}]({run_url})\",\"runStarted\":\"**Testing chroot feature** [{workflow_name}]({run_url}) is validating --enable-chroot functionality...\",\"runSuccess\":\"**Chroot tests passed!** [{workflow_name}]({run_url}) - All security and functionality tests succeeded.\",\"runFailure\":\"**Chroot tests failed** [{workflow_name}]({run_url}) {status} - See logs for details.\"}" + GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e Tested by [{workflow_name}]({run_url})\",\"runStarted\":\"**Testing chroot feature** [{workflow_name}]({run_url}) is validating functionality...\",\"runSuccess\":\"**Chroot tests passed!** [{workflow_name}]({run_url}) - All security and functionality tests succeeded.\",\"runFailure\":\"**Chroot tests failed** [{workflow_name}]({run_url}) {status} - See logs for details.\"}" with: script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); 
@@ -156,7 +156,7 @@ jobs: docker build -t ghcr.io/github/gh-aw-firewall/squid:latest containers/squid/ docker build -t ghcr.io/github/gh-aw-firewall/agent:latest containers/agent/ - name: Run chroot version tests - run: "echo \"=== Running chroot version tests ===\"\n\n# Capture GOROOT for chroot tests\nexport GOROOT=$(go env GOROOT)\n\n# Test Python version in chroot\necho \"Testing Python...\"\nCHROOT_PYTHON=$(sudo -E awf --enable-chroot --skip-pull --allow-domains localhost -- python3 --version 2>&1 | grep -oP 'Python \\d+\\.\\d+\\.\\d+' | head -1) || CHROOT_PYTHON=\"FAILED\"\n\n# Test Node version in chroot\necho \"Testing Node...\"\nCHROOT_NODE=$(sudo -E awf --enable-chroot --skip-pull --allow-domains localhost -- node --version 2>&1 | grep -oP 'v\\d+\\.\\d+\\.\\d+' | head -1) || CHROOT_NODE=\"FAILED\"\n\n# Test Go version in chroot\necho \"Testing Go...\"\nCHROOT_GO=$(sudo -E awf --enable-chroot --skip-pull --allow-domains localhost -- go version 2>&1 | grep -oP 'go\\d+\\.\\d+(\\.\\d+)?' 
| head -1) || CHROOT_GO=\"FAILED\"\n\n# Save chroot versions\n{\n echo \"CHROOT_PYTHON_VERSION=$CHROOT_PYTHON\"\n echo \"CHROOT_NODE_VERSION=$CHROOT_NODE\"\n echo \"CHROOT_GO_VERSION=$CHROOT_GO\"\n} > /tmp/gh-aw/chroot-test/chroot-versions.env\n\ncat /tmp/gh-aw/chroot-test/chroot-versions.env\n\n# Compare versions and create results\nsource /tmp/gh-aw/chroot-test/host-versions.env\n\nPYTHON_MATCH=\"NO\"\nNODE_MATCH=\"NO\"\nGO_MATCH=\"NO\"\n\n# Compare Python (extract version number - chroot already extracted as \"Python X.Y.Z\")\nHOST_PY_NUM=$(echo \"$HOST_PYTHON_VERSION\" | grep -oP 'Python \\d+\\.\\d+\\.\\d+' || echo \"\")\nCHROOT_PY_NUM=\"$CHROOT_PYTHON\"\n[ \"$HOST_PY_NUM\" = \"$CHROOT_PY_NUM\" ] && [ -n \"$HOST_PY_NUM\" ] && PYTHON_MATCH=\"YES\"\n\n# Compare Node (extract version number - already extracted as v\\d+.\\d+.\\d+)\nHOST_NODE_NUM=$(echo \"$HOST_NODE_VERSION\" | grep -oP 'v\\d+\\.\\d+\\.\\d+' || echo \"\")\nCHROOT_NODE_NUM=\"$CHROOT_NODE\"\n[ \"$HOST_NODE_NUM\" = \"$CHROOT_NODE_NUM\" ] && [ -n \"$HOST_NODE_NUM\" ] && NODE_MATCH=\"YES\"\n\n# Compare Go (extract version number - chroot already extracted as \"goX.Y.Z\")\nHOST_GO_NUM=$(echo \"$HOST_GO_VERSION\" | grep -oP 'go\\d+\\.\\d+(\\.\\d+)?' 
|| echo \"\")\nCHROOT_GO_NUM=\"$CHROOT_GO\"\n[ \"$HOST_GO_NUM\" = \"$CHROOT_GO_NUM\" ] && [ -n \"$HOST_GO_NUM\" ] && GO_MATCH=\"YES\"\n\n# Create results summary\n{\n echo \"PYTHON_MATCH=$PYTHON_MATCH\"\n echo \"NODE_MATCH=$NODE_MATCH\"\n echo \"GO_MATCH=$GO_MATCH\"\n echo \"HOST_PY_NUM=$HOST_PY_NUM\"\n echo \"CHROOT_PY_NUM=$CHROOT_PY_NUM\"\n echo \"HOST_NODE_NUM=$HOST_NODE_NUM\"\n echo \"CHROOT_NODE_NUM=$CHROOT_NODE_NUM\"\n echo \"HOST_GO_NUM=$HOST_GO_NUM\"\n echo \"CHROOT_GO_NUM=$CHROOT_GO_NUM\"\n} > /tmp/gh-aw/chroot-test/results.env\n\ncat /tmp/gh-aw/chroot-test/results.env\n\n# Determine overall result\nif [ \"$PYTHON_MATCH\" = \"YES\" ] && [ \"$NODE_MATCH\" = \"YES\" ] && [ \"$GO_MATCH\" = \"YES\" ]; then\n echo \"ALL_TESTS_PASSED=true\" >> /tmp/gh-aw/chroot-test/results.env\n echo \"=== ALL CHROOT TESTS PASSED ===\"\nelse\n echo \"ALL_TESTS_PASSED=false\" >> /tmp/gh-aw/chroot-test/results.env\n echo \"=== SOME CHROOT TESTS FAILED ===\"\nfi\n" + run: "echo \"=== Running chroot version tests ===\"\n\n# Capture GOROOT for chroot tests\nexport GOROOT=$(go env GOROOT)\n\n# Test Python version in chroot\necho \"Testing Python...\"\nCHROOT_PYTHON=$(sudo -E awf --skip-pull --allow-domains localhost -- python3 --version 2>&1 | grep -oP 'Python \\d+\\.\\d+\\.\\d+' | head -1) || CHROOT_PYTHON=\"FAILED\"\n\n# Test Node version in chroot\necho \"Testing Node...\"\nCHROOT_NODE=$(sudo -E awf --skip-pull --allow-domains localhost -- node --version 2>&1 | grep -oP 'v\\d+\\.\\d+\\.\\d+' | head -1) || CHROOT_NODE=\"FAILED\"\n\n# Test Go version in chroot\necho \"Testing Go...\"\nCHROOT_GO=$(sudo -E awf --skip-pull --allow-domains localhost -- go version 2>&1 | grep -oP 'go\\d+\\.\\d+(\\.\\d+)?' 
| head -1) || CHROOT_GO=\"FAILED\"\n\n# Save chroot versions\n{\n echo \"CHROOT_PYTHON_VERSION=$CHROOT_PYTHON\"\n echo \"CHROOT_NODE_VERSION=$CHROOT_NODE\"\n echo \"CHROOT_GO_VERSION=$CHROOT_GO\"\n} > /tmp/gh-aw/chroot-test/chroot-versions.env\n\ncat /tmp/gh-aw/chroot-test/chroot-versions.env\n\n# Compare versions and create results\nsource /tmp/gh-aw/chroot-test/host-versions.env\n\nPYTHON_MATCH=\"NO\"\nNODE_MATCH=\"NO\"\nGO_MATCH=\"NO\"\n\n# Compare Python (extract version number - chroot already extracted as \"Python X.Y.Z\")\nHOST_PY_NUM=$(echo \"$HOST_PYTHON_VERSION\" | grep -oP 'Python \\d+\\.\\d+\\.\\d+' || echo \"\")\nCHROOT_PY_NUM=\"$CHROOT_PYTHON\"\n[ \"$HOST_PY_NUM\" = \"$CHROOT_PY_NUM\" ] && [ -n \"$HOST_PY_NUM\" ] && PYTHON_MATCH=\"YES\"\n\n# Compare Node (extract version number - already extracted as v\\d+.\\d+.\\d+)\nHOST_NODE_NUM=$(echo \"$HOST_NODE_VERSION\" | grep -oP 'v\\d+\\.\\d+\\.\\d+' || echo \"\")\nCHROOT_NODE_NUM=\"$CHROOT_NODE\"\n[ \"$HOST_NODE_NUM\" = \"$CHROOT_NODE_NUM\" ] && [ -n \"$HOST_NODE_NUM\" ] && NODE_MATCH=\"YES\"\n\n# Compare Go (extract version number - chroot already extracted as \"goX.Y.Z\")\nHOST_GO_NUM=$(echo \"$HOST_GO_VERSION\" | grep -oP 'go\\d+\\.\\d+(\\.\\d+)?' 
|| echo \"\")\nCHROOT_GO_NUM=\"$CHROOT_GO\"\n[ \"$HOST_GO_NUM\" = \"$CHROOT_GO_NUM\" ] && [ -n \"$HOST_GO_NUM\" ] && GO_MATCH=\"YES\"\n\n# Create results summary\n{\n echo \"PYTHON_MATCH=$PYTHON_MATCH\"\n echo \"NODE_MATCH=$NODE_MATCH\"\n echo \"GO_MATCH=$GO_MATCH\"\n echo \"HOST_PY_NUM=$HOST_PY_NUM\"\n echo \"CHROOT_PY_NUM=$CHROOT_PY_NUM\"\n echo \"HOST_NODE_NUM=$HOST_NODE_NUM\"\n echo \"CHROOT_NODE_NUM=$CHROOT_NODE_NUM\"\n echo \"HOST_GO_NUM=$HOST_GO_NUM\"\n echo \"CHROOT_GO_NUM=$CHROOT_GO_NUM\"\n} > /tmp/gh-aw/chroot-test/results.env\n\ncat /tmp/gh-aw/chroot-test/results.env\n\n# Determine overall result\nif [ \"$PYTHON_MATCH\" = \"YES\" ] && [ \"$NODE_MATCH\" = \"YES\" ] && [ \"$GO_MATCH\" = \"YES\" ]; then\n echo \"ALL_TESTS_PASSED=true\" >> /tmp/gh-aw/chroot-test/results.env\n echo \"=== ALL CHROOT TESTS PASSED ===\"\nelse\n echo \"ALL_TESTS_PASSED=false\" >> /tmp/gh-aw/chroot-test/results.env\n echo \"=== SOME CHROOT TESTS FAILED ===\"\nfi\n" - if: always() name: Cleanup test containers run: | 
@@ -694,7 +694,7 @@ jobs: timeout-minutes: 20 run: | set -o pipefail - sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --build-local \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains 
'*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --build-local \ -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: 
@@ -915,7 +915,7 @@ jobs: GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.agent.outputs.secret_verification_result }} GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} - GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e Tested by [{workflow_name}]({run_url})\",\"runStarted\":\"**Testing chroot feature** [{workflow_name}]({run_url}) is validating --enable-chroot functionality...\",\"runSuccess\":\"**Chroot tests passed!** [{workflow_name}]({run_url}) - All security and functionality tests succeeded.\",\"runFailure\":\"**Chroot tests failed** [{workflow_name}]({run_url}) {status} - See logs for details.\"}" + GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e Tested by [{workflow_name}]({run_url})\",\"runStarted\":\"**Testing chroot feature** [{workflow_name}]({run_url}) is validating functionality...\",\"runSuccess\":\"**Chroot tests passed!** [{workflow_name}]({run_url}) - All security and functionality tests succeeded.\",\"runFailure\":\"**Chroot tests failed** [{workflow_name}]({run_url}) {status} - See logs for details.\"}" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | 
@@ -951,7 +951,7 @@ jobs: GH_AW_WORKFLOW_NAME: "Smoke Chroot" GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} GH_AW_DETECTION_CONCLUSION: ${{ needs.detection.result }} - GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e Tested by [{workflow_name}]({run_url})\",\"runStarted\":\"**Testing chroot feature** [{workflow_name}]({run_url}) is validating --enable-chroot functionality...\",\"runSuccess\":\"**Chroot tests passed!** [{workflow_name}]({run_url}) - All security and functionality tests succeeded.\",\"runFailure\":\"**Chroot tests failed** [{workflow_name}]({run_url}) {status} - See logs for details.\"}" + GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e Tested by [{workflow_name}]({run_url})\",\"runStarted\":\"**Testing chroot feature** [{workflow_name}]({run_url}) is validating functionality...\",\"runSuccess\":\"**Chroot tests passed!** [{workflow_name}]({run_url}) - All security and functionality tests succeeded.\",\"runFailure\":\"**Chroot tests failed** [{workflow_name}]({run_url}) {status} - See logs for details.\"}" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | @@ -994,7 +994,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: WORKFLOW_NAME: "Smoke Chroot" - WORKFLOW_DESCRIPTION: "Smoke test workflow that validates the --enable-chroot feature by testing host binary access and comparing versions" + WORKFLOW_DESCRIPTION: "Smoke test workflow that validates the feature by testing host binary access and comparing versions" HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | 
@@ -1073,7 +1073,7 @@ jobs: timeout-minutes: 15 env: GH_AW_ENGINE_ID: "copilot" - GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e Tested by [{workflow_name}]({run_url})\",\"runStarted\":\"**Testing chroot feature** [{workflow_name}]({run_url}) is validating --enable-chroot functionality...\",\"runSuccess\":\"**Chroot tests passed!** [{workflow_name}]({run_url}) - All security and functionality tests succeeded.\",\"runFailure\":\"**Chroot tests failed** [{workflow_name}]({run_url}) {status} - See logs for details.\"}" + GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e Tested by [{workflow_name}]({run_url})\",\"runStarted\":\"**Testing chroot feature** [{workflow_name}]({run_url}) is validating functionality...\",\"runSuccess\":\"**Chroot tests passed!** [{workflow_name}]({run_url}) - All security and functionality tests succeeded.\",\"runFailure\":\"**Chroot tests failed** [{workflow_name}]({run_url}) {status} - See logs for details.\"}" GH_AW_WORKFLOW_ID: "smoke-chroot" GH_AW_WORKFLOW_NAME: "Smoke Chroot" outputs: diff --git a/.github/workflows/smoke-chroot.md b/.github/workflows/smoke-chroot.md index ee5df978..ea8e7f83 100644 --- a/.github/workflows/smoke-chroot.md +++ b/.github/workflows/smoke-chroot.md @@ -1,5 +1,5 @@ --- -description: Smoke test workflow that validates the --enable-chroot feature by testing host binary access and comparing versions +description: Smoke test workflow that validates the feature by testing host binary access and comparing versions on: workflow_dispatch: pull_request: 
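Review bot: Deleting the flag name from the `description:` line in smoke-chroot.md leaves `validates the feature` with no indication of which feature is meant. I would write `description: Smoke test workflow that validates chroot mode by testing host binary access and comparing versions`. The `run-started` message in the next hunk has the same gap, where `is validating functionality...` could read `is validating chroot functionality...`. The copies in smoke-chroot.lock.yml (`WORKFLOW_DESCRIPTION`, `GH_AW_SAFE_OUTPUT_MESSAGES` and the header comment) should then be regenerated rather than edited by hand.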
@@ -39,7 +39,7 @@ safe-outputs: allowed: [smoke-chroot] messages: footer: "> Tested by [{workflow_name}]({run_url})" - run-started: "**Testing chroot feature** [{workflow_name}]({run_url}) is validating --enable-chroot functionality..." + run-started: "**Testing chroot feature** [{workflow_name}]({run_url}) is validating functionality..." run-success: "**Chroot tests passed!** [{workflow_name}]({run_url}) - All security and functionality tests succeeded." run-failure: "**Chroot tests failed** [{workflow_name}]({run_url}) {status} - See logs for details." timeout-minutes: 20 @@ -85,15 +85,15 @@ steps: # Test Python version in chroot echo "Testing Python..." - CHROOT_PYTHON=$(sudo -E awf --enable-chroot --skip-pull --allow-domains localhost -- python3 --version 2>&1 | grep -oP 'Python \d+\.\d+\.\d+' | head -1) || CHROOT_PYTHON="FAILED" + CHROOT_PYTHON=$(sudo -E awf --skip-pull --allow-domains localhost -- python3 --version 2>&1 | grep -oP 'Python \d+\.\d+\.\d+' | head -1) || CHROOT_PYTHON="FAILED" # Test Node version in chroot echo "Testing Node..." - CHROOT_NODE=$(sudo -E awf --enable-chroot --skip-pull --allow-domains localhost -- node --version 2>&1 | grep -oP 'v\d+\.\d+\.\d+' | head -1) || CHROOT_NODE="FAILED" + CHROOT_NODE=$(sudo -E awf --skip-pull --allow-domains localhost -- node --version 2>&1 | grep -oP 'v\d+\.\d+\.\d+' | head -1) || CHROOT_NODE="FAILED" # Test Go version in chroot echo "Testing Go..." - CHROOT_GO=$(sudo -E awf --enable-chroot --skip-pull --allow-domains localhost -- go version 2>&1 | grep -oP 'go\d+\.\d+(\.\d+)?' | head -1) || CHROOT_GO="FAILED" + CHROOT_GO=$(sudo -E awf --skip-pull --allow-domains localhost -- go version 2>&1 | grep -oP 'go\d+\.\d+(\.\d+)?' | head -1) || CHROOT_GO="FAILED" # Save chroot versions { diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 78e0e491..9c660c74 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml 
@@ -785,7 +785,7 @@ jobs: timeout-minutes: 10 run: | set -o pipefail - sudo -E awf --enable-chroot --tty --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --build-local \ + sudo -E awf --tty --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains 
'*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --build-local \ -- /bin/bash -c 'export PATH="$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH"; [ -n "$GOROOT" ] && export PATH="$GOROOT/bin:$PATH" || true && claude --print --disable-slash-commands --no-chrome --max-turns 15 --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools 
'\''Bash,BashOutput,Edit,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookEdit,NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users,mcp__playwright__browser_click,mcp__playwright__browser_close,mcp__playwright__browser_
console_messages,mcp__playwright__browser_drag,mcp__playwright__browser_evaluate,mcp__playwright__browser_file_upload,mcp__playwright__browser_fill_form,mcp__playwright__browser_handle_dialog,mcp__playwright__browser_hover,mcp__playwright__browser_install,mcp__playwright__browser_navigate,mcp__playwright__browser_navigate_back,mcp__playwright__browser_network_requests,mcp__playwright__browser_press_key,mcp__playwright__browser_resize,mcp__playwright__browser_select_option,mcp__playwright__browser_snapshot,mcp__playwright__browser_tabs,mcp__playwright__browser_take_screenshot,mcp__playwright__browser_type,mcp__playwright__browser_wait_for'\'' --debug-file /tmp/gh-aw/agent-stdio.log --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"}' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index 301bc8b7..61288f35 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml 
@@ -1372,7 +1372,7 @@ jobs: run: | set -o pipefail mkdir -p "$CODEX_HOME/logs" - sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.githubusercontent.com,172.30.0.1,api.openai.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,mcp.tavily.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --build-local \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains 
'*.githubusercontent.com,172.30.0.1,api.openai.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,mcp.tavily.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --build-local \ -- /bin/bash -c 'export PATH="$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH"; [ -n "$GOROOT" ] && export PATH="$GOROOT/bin:$PATH" || true && INSTRUCTION="$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" && codex ${GH_AW_MODEL_AGENT_CODEX:+-c model="$GH_AW_MODEL_AGENT_CODEX" }exec --dangerously-bypass-approvals-and-sandbox --skip-git-repo-check "$INSTRUCTION"' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index c212378a..0327bc60 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml 
@@ -710,7 +710,7 @@ jobs: timeout-minutes: 5 run: | set -o pipefail - sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.githubusercontent.com,*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --build-local \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains 
'*.githubusercontent.com,*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --build-local \ -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: 
diff --git a/.github/workflows/test-coverage-improver.lock.yml b/.github/workflows/test-coverage-improver.lock.yml index a1be1f76..4d1b4d78 100644 --- a/.github/workflows/test-coverage-improver.lock.yml +++ b/.github/workflows/test-coverage-improver.lock.yml @@ -102,10 +102,6 @@ jobs: - name: Checkout .github and .agents folders uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: - sparse-checkout: | - .github - .agents - depth: 1 persist-credentials: false - name: Create gh-aw temp directory run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh @@ -141,8 +137,31 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.12 + - name: Install awf dependencies + run: npm ci + - name: Build awf + run: npm run build + - name: Install awf binary (local) + run: | + WORKSPACE_PATH="${GITHUB_WORKSPACE:-$(pwd)}" + NODE_BIN="$(command -v node)" + if [ ! -d "$WORKSPACE_PATH" ]; then + echo "Workspace path not found: $WORKSPACE_PATH" + exit 1 + fi + if [ ! -x "$NODE_BIN" ]; then + echo "Node binary not found: $NODE_BIN" + exit 1 + fi + if [ ! -d "/usr/local/bin" ]; then + echo "/usr/local/bin is missing" + exit 1 + fi + sudo tee /usr/local/bin/awf > /dev/null <&1 | tee /tmp/gh-aw/agent-stdio.log env: diff --git a/.github/workflows/update-release-notes.lock.yml b/.github/workflows/update-release-notes.lock.yml index 6a5d3241..50f056cc 100644 --- a/.github/workflows/update-release-notes.lock.yml +++ b/.github/workflows/update-release-notes.lock.yml @@ -96,10 +96,6 @@ jobs: - name: Checkout .github and .agents folders uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: - sparse-checkout: | - .github - .agents - depth: 1 persist-credentials: false - name: Create gh-aw temp directory run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh 
@@ -135,8 +131,31 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.12 + - name: Install awf dependencies + run: npm ci + - name: Build awf + run: npm run build + - name: Install awf binary (local) + run: | + WORKSPACE_PATH="${GITHUB_WORKSPACE:-$(pwd)}" + NODE_BIN="$(command -v node)" + if [ ! -d "$WORKSPACE_PATH" ]; then + echo "Workspace path not found: $WORKSPACE_PATH" + exit 1 + fi + if [ ! -x "$NODE_BIN" ]; then + echo "Node binary not found: $NODE_BIN" + exit 1 + fi + if [ ! -d "/usr/local/bin" ]; then + echo "/usr/local/bin is missing" + exit 1 + fi + sudo tee /usr/local/bin/awf > /dev/null <&1 | tee /tmp/gh-aw/agent-stdio.log env: diff --git a/README.md b/README.md index f3d29b37..57f9c97c 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@ A network firewall for agentic workflows with domain whitelisting. This tool pro - **L7 Domain Whitelisting**: Control HTTP/HTTPS traffic at the application layer - **Host-Level Enforcement**: Uses iptables DOCKER-USER chain to enforce firewall on ALL containers -- **Chroot Mode**: Optional `--enable-chroot` for transparent access to host binaries (Python, Node.js, Go) while maintaining network isolation +- **Chroot Mode**: Transparent access to host binaries (Python, Node.js, Go) while maintaining network isolation ## Requirements diff --git a/docs-site/src/content/docs/reference/cli-reference.md b/docs-site/src/content/docs/reference/cli-reference.md index 349ee802..6e2604f0 100644 --- a/docs-site/src/content/docs/reference/cli-reference.md +++ b/docs-site/src/content/docs/reference/cli-reference.md 
@@ -43,7 +43,6 @@ awf [options] -- | `--allow-host-ports ` | string | `80,443` | Ports to allow when using --enable-host-access | | `--agent-image ` | string | `default` | Agent container image (default, act, or custom) | | `--allow-full-filesystem-access` | flag | `false` | ⚠️ Mount entire host filesystem with read-write access | -| `--enable-chroot` | flag | `false` | Run command inside chroot to host filesystem | | `-V, --version` | flag | — | Display version | | `-h, --help` | flag | — | Display help | 
@@ -271,42 +270,8 @@ Comma-separated list of trusted DNS servers. DNS traffic is **only** allowed to Docker's embedded DNS (127.0.0.11) is always allowed for container name resolution, regardless of this setting. ::: -### `--enable-chroot` - -Run user commands inside a `chroot /host` jail, making the host filesystem appear as the root filesystem. This enables transparent access to host-installed binaries (Python, Node.js, Go, etc.) without needing to prefix paths with `/host`. - -```bash -# Use host's Python directly -sudo awf --enable-chroot --allow-domains pypi.org \ - -- python3 -c "import requests; print(requests.__version__)" - -# Combined with --env-all for full host environment -sudo awf --enable-chroot --env-all --allow-domains api.github.com \ - -- curl https://api.github.com -``` - -**How it works:** -1. Host filesystem is mounted at `/host` inside the container -2. The entrypoint performs `chroot /host` before running your command -3. Inside the chroot, `/` = host's `/`, so binaries work with normal paths -4. Network isolation is maintained (iptables rules apply at namespace level) - -**Requirements:** -- `capsh` must be installed on the host (`apt-get install libcap2-bin`) -- Host user must exist in `/etc/passwd` (matched by UID) - -**Security:** -- `CAP_NET_ADMIN` and `CAP_SYS_CHROOT` are dropped before user command executes -- Docker socket is hidden (`/dev/null`) to prevent firewall bypass -- `/proc` is mounted read-only (host processes visible but not modifiable) - -**Use cases:** -- GitHub Actions runners with pre-installed tools -- Minimal container + host binaries -- Avoiding version conflicts between container and host tools - -:::caution[Security Trade-offs] -Chroot mode exposes the host filesystem (read-only for system paths, read-write for `$HOME` and `/tmp`). See [Chroot Mode Documentation](/gh-aw-firewall/docs/chroot-mode/) for security details. 
+:::note[Chroot Mode] +AWF always runs in chroot mode, making the host filesystem appear as the root filesystem inside the container. This provides transparent access to host-installed binaries (Python, Node.js, Go, etc.) while maintaining network isolation. See [Chroot Mode Documentation](/gh-aw-firewall/docs/chroot-mode/) for details. ::: ### `--enable-host-access` @@ -424,7 +389,6 @@ sudo awf --allow-full-filesystem-access \ **Alternatives:** - Use `--mount` to selectively mount only needed directories (recommended) -- Use `--enable-chroot` for transparent host binary access with selective mounting ## Exit Codes diff --git a/docs-site/src/content/docs/reference/security-architecture.md b/docs-site/src/content/docs/reference/security-architecture.md index dd11e4d5..3935a799 100644 --- a/docs-site/src/content/docs/reference/security-architecture.md +++ b/docs-site/src/content/docs/reference/security-architecture.md @@ -284,7 +284,7 @@ DNS tunneling through the *allowed* DNS servers (encoding data in query names to ## Chroot Mode Security -When `--enable-chroot` is enabled, user commands run inside a `chroot /host` jail, providing transparent access to host binaries while maintaining network isolation. +AWF always runs in chroot mode, where user commands run inside a `chroot /host` jail, providing transparent access to host binaries while maintaining network isolation. ### Why Chroot Doesn't Break Network Isolation 
@@ -320,14 +320,13 @@ A common question: "If the command runs in the host filesystem, doesn't it escap | **Host $HOME access** | Can read `.ssh/`, `.aws/` | Use env vars for secrets, not files | | **DNS override** | Host's resolv.conf modified | Backup created, restored on exit | -### When to Use Chroot Mode +### Chroot Mode Use Cases -| Scenario | Recommendation | -|----------|----------------| -| GitHub Actions with pre-installed tools | Use `--enable-chroot` | -| Need host-specific binaries (Python, Go) | Use `--enable-chroot` | -| Want full container isolation | Use default mode | -| Sensitive secrets in home directory | Consider default mode | +| Scenario | Notes | +|----------|-------| +| GitHub Actions with pre-installed tools | Primary use case | +| Need host-specific binaries (Python, Go) | Works transparently | +| Sensitive secrets in home directory | Use `--env` for secrets instead of files | For complete documentation, see [Chroot Mode](/gh-aw-firewall/docs/chroot-mode/). diff --git a/docs/architecture.md b/docs/architecture.md index f04a869e..ee1cca9a 100644 --- a/docs/architecture.md +++ b/docs/architecture.md 
@@ -79,7 +79,7 @@ The firewall uses a containerized architecture with Squid proxy for L7 (HTTP/HTT - Mounts entire host filesystem at `/host` and user home directory for full access - `NET_ADMIN` capability required for iptables setup during initialization - **Security:** `NET_ADMIN` is dropped via `capsh --drop=cap_net_admin` before executing user commands, preventing malicious code from modifying iptables rules -- **Chroot Mode:** With `--enable-chroot`, user commands run inside `chroot /host` for transparent host binary access. See [Chroot Mode](./chroot-mode.md) for details. +- **Chroot Mode:** User commands run inside `chroot /host` for transparent host binary access. See [Chroot Mode](./chroot-mode.md) for details. - Two-stage entrypoint: 1. `setup-iptables.sh`: Configures iptables NAT rules to redirect HTTP/HTTPS traffic to Squid (agent container only) 2. `entrypoint.sh`: Drops NET_ADMIN capability, then executes user command as non-root user diff --git a/docs/chroot-mode.md b/docs/chroot-mode.md index 851943bf..88910ac5 100644 --- a/docs/chroot-mode.md +++ b/docs/chroot-mode.md 
@@ -1,20 +1,11 @@ -# Chroot Mode (`--enable-chroot`) +# Chroot Mode ## Overview -The `--enable-chroot` flag enables **transparent host binary execution** within the firewall's network isolation. When enabled, user commands run inside a `chroot /host` jail, making the host filesystem appear as the root filesystem. This allows commands to use host-installed binaries (Python, Node.js, Go, etc.) with their normal paths, while all network traffic remains controlled by the firewall. +AWF always runs in **chroot mode**, providing **transparent host binary execution** within the firewall's network isolation. User commands run inside a `chroot /host` jail, making the host filesystem appear as the root filesystem. This allows commands to use host-installed binaries (Python, Node.js, Go, etc.) with their normal paths, while all network traffic remains controlled by the firewall. **Key insight**: Chroot changes the filesystem view, not network isolation. The agent sees the host filesystem as `/`, but iptables rules still redirect all HTTP/HTTPS traffic through Squid. -## When to Use Chroot Mode - -| Scenario | Recommended Mode | -|----------|------------------| -| GitHub Actions runner with pre-installed tools | `--enable-chroot` | -| Minimal container + host binaries | `--enable-chroot` | -| Self-contained container with all tools | Default (no chroot) | -| Need container-specific tool versions | Default (no chroot) | - **Primary use case**: Running AI agents on GitHub Actions runners where Python, Node.js, Go, and other tools are pre-installed. Instead of bundling everything in the container, use the host's tooling directly. ## How It Works 
@@ -112,20 +103,20 @@ As of v0.13.13, chroot mode mounts a fresh container-scoped procfs at `/host/pro ```bash # Run a command using host binaries -sudo awf --enable-chroot --allow-domains api.github.com \ +sudo awf --allow-domains api.github.com \ -- python3 -c "import requests; print(requests.get('https://api.github.com').status_code)" # Run with environment variable passthrough -sudo awf --enable-chroot --env-all --allow-domains api.github.com \ +sudo awf --env-all --allow-domains api.github.com \ -- curl https://api.github.com ``` ### Combined with --env-all -The `--env-all` flag complements `--enable-chroot` by passing host environment variables: +The `--env-all` flag passes host environment variables: ```bash -sudo awf --enable-chroot --env-all --allow-domains api.github.com \ +sudo awf --env-all --allow-domains api.github.com \ -- bash -c 'echo "Home: $HOME, User: $USER"' ``` @@ -167,7 +158,6 @@ For GitHub Actions workflows, ensure GOROOT is captured after `actions/setup-go` GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | sudo -E npx awf \ - --enable-chroot \ --env-all \ --allow-domains api.github.com,github.com \ -- copilot -p "Review this PR" --allow-tool github @@ -363,7 +353,7 @@ Chroot doesn't affect network isolation. If requests fail: ### Option A: Chroot Mode (Current) ```bash -sudo awf --enable-chroot --allow-domains api.github.com \ +sudo awf --allow-domains api.github.com \ -- python3 script.py ``` diff --git a/docs/selective-mounting.md b/docs/selective-mounting.md index dfdfa69f..63ce45c4 100644 --- a/docs/selective-mounting.md +++ b/docs/selective-mounting.md 
@@ -57,46 +57,9 @@ The agent's legitimate tools (Read, Bash) become attack vectors when credentials ## Selective Mounting Solution -### Normal Mode (without --enable-chroot) +### Selective Mounting -**What gets mounted:** - -```typescript -// Essential directories only -const agentVolumes = [ - '/tmp:/tmp:rw', // Temporary files - `${HOME}:${HOME}:rw`, // User home (includes workspace) - `${workDir}/agent-logs:${HOME}/.copilot/logs:rw`, // Copilot CLI logs -]; -// Note: $GITHUB_WORKSPACE is typically a subdirectory of $HOME -// (e.g., /home/runner/work/repo/repo), so it's accessible via the HOME mount. -``` - -**What gets hidden:** - -```typescript -// Credential files are mounted as /dev/null (empty file) -const hiddenCredentials = [ - '/dev/null:~/.docker/config.json:ro', // Docker Hub tokens - '/dev/null:~/.npmrc:ro', // NPM tokens - '/dev/null:~/.cargo/credentials:ro', // Rust tokens - '/dev/null:~/.composer/auth.json:ro', // PHP tokens - '/dev/null:~/.config/gh/hosts.yml:ro', // GitHub CLI tokens - '/dev/null:~/.ssh/id_rsa:ro', // SSH private keys - '/dev/null:~/.ssh/id_ed25519:ro', - '/dev/null:~/.ssh/id_ecdsa:ro', - '/dev/null:~/.ssh/id_dsa:ro', - '/dev/null:~/.aws/credentials:ro', // AWS credentials - '/dev/null:~/.aws/config:ro', - '/dev/null:~/.kube/config:ro', // Kubernetes credentials - '/dev/null:~/.azure/credentials:ro', // Azure credentials - '/dev/null:~/.config/gcloud/credentials.db:ro', // GCP credentials -]; -``` - -**Result:** Even if an attacker successfully injects a command like `cat ~/.docker/config.json`, the file will be empty (reads from `/dev/null`). - -### Chroot Mode (with --enable-chroot) +AWF uses chroot mode with selective path mounts. Credential files are hidden at the `/host` paths: **What gets mounted:** diff --git a/docs/usage.md b/docs/usage.md index a9ad7047..4d05da2a 100644 --- a/docs/usage.md +++ b/docs/usage.md 
@@ -20,8 +20,6 @@ Options: --ssl-bump Enable SSL Bump for HTTPS content inspection --allow-urls Comma-separated list of allowed URL patterns (requires --ssl-bump) Example: https://github.com/myorg/* - --enable-chroot Enable chroot to /host for running host binaries - (Python, Node, Go, etc.) See chroot-mode.md --log-level Log level: debug, info, warn, error (default: info) --keep-containers Keep containers running after command exits --work-dir Working directory for temporary files @@ -607,15 +605,15 @@ To fix this, remove `--skip-pull` to allow automatic pulling, or pre-download th ## Chroot Mode -The `--enable-chroot` flag enables transparent access to host binaries (Python, Node.js, Go, etc.) while maintaining network isolation. This is useful for GitHub Actions runners with pre-installed tools. +AWF always runs in chroot mode, providing transparent access to host binaries (Python, Node.js, Go, etc.) while maintaining network isolation. This is especially useful for GitHub Actions runners with pre-installed tools. ```bash -# Run with chroot mode to use host binaries -sudo awf --enable-chroot --allow-domains api.github.com \ +# Use host binaries with network isolation +sudo awf --allow-domains api.github.com \ -- python3 -c "import requests; print(requests.get('https://api.github.com').status_code)" # Combine with --env-all for environment variables -sudo awf --enable-chroot --env-all --allow-domains api.github.com \ +sudo awf --env-all --allow-domains api.github.com \ -- bash -c 'echo "Home: $HOME, User: $USER"' ``` diff --git a/scripts/ci/postprocess-smoke-workflows.ts b/scripts/ci/postprocess-smoke-workflows.ts index 6e792557..47f1f451 100644 --- a/scripts/ci/postprocess-smoke-workflows.ts +++ b/scripts/ci/postprocess-smoke-workflows.ts 
@@ -19,6 +19,22 @@ const workflowPaths = [ path.join(repoRoot, '.github/workflows/build-test-deno.lock.yml'), path.join(repoRoot, '.github/workflows/build-test-bun.lock.yml'), path.join(repoRoot, '.github/workflows/build-test-dotnet.lock.yml'), + // Agentic workflows (use --image-tag/--skip-pull which must be replaced + // with --build-local since chroot mode is now always-on and requires + // a container image built from the current source) + path.join(repoRoot, '.github/workflows/security-guard.lock.yml'), + path.join(repoRoot, '.github/workflows/security-review.lock.yml'), + path.join(repoRoot, '.github/workflows/ci-cd-gaps-assessment.lock.yml'), + path.join(repoRoot, '.github/workflows/ci-doctor.lock.yml'), + path.join(repoRoot, '.github/workflows/cli-flag-consistency-checker.lock.yml'), + path.join(repoRoot, '.github/workflows/dependency-security-monitor.lock.yml'), + path.join(repoRoot, '.github/workflows/doc-maintainer.lock.yml'), + path.join(repoRoot, '.github/workflows/issue-duplication-detector.lock.yml'), + path.join(repoRoot, '.github/workflows/issue-monster.lock.yml'), + path.join(repoRoot, '.github/workflows/pelis-agent-factory-advisor.lock.yml'), + path.join(repoRoot, '.github/workflows/plan.lock.yml'), + path.join(repoRoot, '.github/workflows/test-coverage-improver.lock.yml'), + path.join(repoRoot, '.github/workflows/update-release-notes.lock.yml'), ]; // Matches the install step with captured indentation: diff --git a/skill.md b/skill.md index cd87b2b8..fa53d151 100644 --- a/skill.md +++ b/skill.md @@ -96,7 +96,6 @@ Container Options: Advanced Options: --ssl-bump Enable HTTPS content inspection --allow-urls URL patterns for SSL Bump (requires --ssl-bump) - --enable-chroot Enable chroot for host binaries Debugging Options: --log-level Log level: debug, info, warn, error 
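Review bot: The thirteen agentic workflows added to `workflowPaths` in `scripts/ci/postprocess-smoke-workflows.ts` now build awf from the checked-out tree instead of installing the pinned release. The `test-coverage-improver.lock.yml` and `update-release-notes.lock.yml` hunks in this diff show `install_awf_binary.sh v0.13.12` replaced by `npm ci`, `npm run build` and a `sudo tee /usr/local/bin/awf` wrapper. That is a trust change: repository-controlled install and build scripts now run in a job that also references `secrets.COPILOT_GITHUB_TOKEN`, and the result is later run under `sudo`. The triggers of these workflows are not visible here, so it should be confirmed for each one that it only checks out a trusted ref. I would record the assumption in the new comment, e.g. `// Only list workflows that check out a trusted ref: the rewritten steps run npm ci/build and install the result for use under sudo.` The array literal opens above the hunk.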
@@ -195,11 +194,11 @@ sudo awf --allow-domains github.com \ -- cat /data/config.json ``` -### 6. Use Chroot Mode for Host Binaries +### 6. Use Host Binaries (Chroot Mode is Always On) ```bash -# Access host Python, Node, Go, etc. -sudo awf --enable-chroot --allow-domains api.github.com \ +# Access host Python, Node, Go, etc. (chroot mode is the default) +sudo awf --allow-domains api.github.com \ -- python3 -c "import requests; print(requests.get('https://api.github.com').status_code)" ``` diff --git a/src/cli.test.ts b/src/cli.test.ts index 4469117e..7947dc95 100644 --- a/src/cli.test.ts +++ b/src/cli.test.ts @@ -1,5 +1,5 @@ import { Command } from 'commander'; -import { parseEnvironmentVariables, parseDomains, parseDomainsFile, escapeShellArg, joinShellArgs, parseVolumeMounts, isValidIPv4, isValidIPv6, parseDnsServers, validateAgentImage, isAgentImagePreset, AGENT_IMAGE_PRESETS, processAgentImageOption, processLocalhostKeyword, validateSkipPullWithBuildLocal } from './cli'; +import { parseEnvironmentVariables, parseDomains, parseDomainsFile, escapeShellArg, joinShellArgs, parseVolumeMounts, isValidIPv4, isValidIPv6, parseDnsServers, validateAgentImage, isAgentImagePreset, AGENT_IMAGE_PRESETS, processAgentImageOption, processLocalhostKeyword, validateSkipPullWithBuildLocal, validateFormat } from './cli'; import { redactSecrets } from './redact-secrets'; import * as fs from 'fs'; import * as path from 'path'; 
@@ -1337,4 +1337,24 @@ describe('cli', () => { expect(result.error).toBeUndefined(); }); }); + + describe('validateFormat', () => { + const mockExit = jest.spyOn(process, 'exit').mockImplementation(() => { + throw new Error('process.exit called'); + }); + + afterAll(() => { + mockExit.mockRestore(); + }); + + it('should not throw for valid formats', () => { + expect(() => validateFormat('json', ['json', 'markdown', 'pretty'])).not.toThrow(); + expect(() => validateFormat('pretty', ['json', 'markdown', 'pretty'])).not.toThrow(); + expect(() => validateFormat('markdown', ['json', 'markdown', 'pretty'])).not.toThrow(); + }); + + it('should exit with error for invalid format', () => { + expect(() => validateFormat('xml', ['json', 'markdown', 'pretty'])).toThrow('process.exit called'); + }); + }); }); diff --git a/src/cli.ts b/src/cli.ts index 0db70bdc..8d5e35bc 100644 --- a/src/cli.ts +++ b/src/cli.ts @@ -669,13 +669,6 @@ program 'Comma-separated list of allowed URL patterns for HTTPS (requires --ssl-bump).\n' + ' Supports wildcards: https://github.com/myorg/*' ) - .option( - '--enable-chroot', - 'Enable chroot to /host for running host binaries (Python, Node, Go, etc.)\n' + - ' Uses selective path mounts instead of full filesystem access.\n' + - ' Docker socket is hidden to prevent firewall bypass.', - false - ) .argument('[args...]', 'Command and arguments to execute (use -- to separate from options)') .action(async (args: string[], options) => { // Require -- separator for passing command arguments @@ -937,7 +930,6 @@ program allowHostPorts: options.allowHostPorts, sslBump: options.sslBump, allowedUrls, - enableChroot: options.enableChroot, }; // Warn if --env-all is used 
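Review bot: `jest.spyOn(process, 'exit')` sits directly in the body of the `describe('validateFormat', ...)` callback, which Jest executes while collecting the file, so `process.exit` is already replaced by the throwing mock for every earlier test in `cli.test.ts` and is only restored in this block's `afterAll`. Install it in a hook instead: declare `let mockExit: jest.SpyInstance;` and set it in `beforeAll(() => { mockExit = jest.spyOn(process, 'exit').mockImplementation(() => { throw new Error('process.exit called'); }); });`. The invalid-format test also passes for any exit status, so add `expect(mockExit).toHaveBeenCalledWith(1);` to pin the code that `validateFormat` uses.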
@@ -1065,7 +1057,7 @@ program * @param validFormats - Array of valid format options * @throws Exits process with error if format is invalid */ -function validateFormat(format: string, validFormats: string[]): void { +export function validateFormat(format: string, validFormats: string[]): void { if (!validFormats.includes(format)) { logger.error(`Invalid format: ${format}. Must be one of: ${validFormats.join(', ')}`); process.exit(1); diff --git a/src/docker-manager.test.ts b/src/docker-manager.test.ts index 078188b6..9fd67f52 100644 --- a/src/docker-manager.test.ts +++ b/src/docker-manager.test.ts 
@@ -552,30 +552,27 @@ describe('docker-manager', () => { // Should include blanket /:/host:rw mount expect(volumes).toContain('/:/host:rw'); - // Should NOT include /dev/null credential hiding - expect(volumes.some((v: string) => v.startsWith('/dev/null'))).toBe(false); + // Docker socket should still be hidden for security even with full filesystem access + expect(volumes).toContain('/dev/null:/host/var/run/docker.sock:ro'); + // But credential files should NOT be hidden (user opted in to full access) + expect(volumes.some((v: string) => v.includes('/dev/null') && v.includes('.docker/config.json'))).toBe(false); }); - it('should use blanket mount when allowFullFilesystemAccess is true in chroot mode', () => { - const configWithFullAccessChroot = { + it('should use blanket mount when allowFullFilesystemAccess is true', () => { + const configWithFullAccess = { ...mockConfig, allowFullFilesystemAccess: true, - enableChroot: true, }; - const result = generateDockerCompose(configWithFullAccessChroot, mockNetworkConfig); + const result = generateDockerCompose(configWithFullAccess, mockNetworkConfig); const agent = result.services.agent; const volumes = agent.volumes as string[]; - // Should include blanket /:/host:rw mount even in chroot mode + // Should include blanket /:/host:rw mount expect(volumes).toContain('/:/host:rw'); }); - it('should use selective mounts when enableChroot is true', () => { - const configWithChroot = { - ...mockConfig, - enableChroot: true - }; - const result = generateDockerCompose(configWithChroot, mockNetworkConfig); + it('should use selective mounts by default', () => { + const result = generateDockerCompose(mockConfig, mockNetworkConfig); const agent = result.services.agent; const volumes = agent.volumes as string[]; 
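Review bot: The full-filesystem-access test pins only `/dev/null:/host/var/run/docker.sock:ro`, while the `should hide Docker socket` test further down in this file also expects `/dev/null:/host/run/docker.sock:ro`. With the blanket `/:/host:rw` mount the socket is reachable through either path on hosts where both exist, and this is the mode in which credential hiding is deliberately switched off, so the socket mask is the main remaining barrier against a firewall bypass. Add `expect(volumes).toContain('/dev/null:/host/run/docker.sock:ro');` next to the new assertion so that dropping the second mask fails this test. The `it(...)` this assertion belongs to starts above the hunk.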
@@ -614,12 +611,8 @@ describe('docker-manager', () => { expect(volumes.some((v: string) => v.includes('agent-logs'))).toBe(true); }); - it('should hide Docker socket when enableChroot is true', () => { - const configWithChroot = { - ...mockConfig, - enableChroot: true - }; - const result = generateDockerCompose(configWithChroot, mockNetworkConfig); + it('should hide Docker socket', () => { + const result = generateDockerCompose(mockConfig, mockNetworkConfig); const agent = result.services.agent; const volumes = agent.volumes as string[]; @@ -628,12 +621,8 @@ describe('docker-manager', () => { expect(volumes).toContain('/dev/null:/host/run/docker.sock:ro'); }); - it('should mount user home directory under /host when enableChroot is true', () => { - const configWithChroot = { - ...mockConfig, - enableChroot: true - }; - const result = generateDockerCompose(configWithChroot, mockNetworkConfig); + it('should mount user home directory under /host', () => { + const result = generateDockerCompose(mockConfig, mockNetworkConfig); const agent = result.services.agent; const volumes = agent.volumes as string[]; @@ -642,12 +631,8 @@ describe('docker-manager', () => { expect(volumes).toContain(`${homeDir}:/host${homeDir}:rw`); }); - it('should add SYS_CHROOT and SYS_ADMIN capabilities when enableChroot is true', () => { - const configWithChroot = { - ...mockConfig, - enableChroot: true - }; - const result = generateDockerCompose(configWithChroot, mockNetworkConfig); + it('should add SYS_CHROOT and SYS_ADMIN capabilities', () => { + const result = generateDockerCompose(mockConfig, mockNetworkConfig); const agent = result.services.agent; expect(agent.cap_add).toContain('NET_ADMIN'); 
@@ -656,46 +641,22 @@ describe('docker-manager', () => { expect(agent.cap_add).toContain('SYS_ADMIN'); }); - it('should not add SYS_CHROOT or SYS_ADMIN capability when enableChroot is false', () => { + it('should add apparmor:unconfined security_opt', () => { const result = generateDockerCompose(mockConfig, mockNetworkConfig); const agent = result.services.agent; - expect(agent.cap_add).toContain('NET_ADMIN'); - expect(agent.cap_add).not.toContain('SYS_CHROOT'); - expect(agent.cap_add).not.toContain('SYS_ADMIN'); - }); - - it('should add apparmor:unconfined security_opt when enableChroot is true', () => { - const configWithChroot = { - ...mockConfig, - enableChroot: true - }; - const result = generateDockerCompose(configWithChroot, mockNetworkConfig); - const agent = result.services.agent; - expect(agent.security_opt).toContain('apparmor:unconfined'); }); - it('should not add apparmor:unconfined security_opt when enableChroot is false', () => { + it('should set AWF_CHROOT_ENABLED environment variable', () => { const result = generateDockerCompose(mockConfig, mockNetworkConfig); const agent = result.services.agent; - - expect(agent.security_opt).not.toContain('apparmor:unconfined'); - }); - - it('should set AWF_CHROOT_ENABLED environment variable when enableChroot is true', () => { - const configWithChroot = { - ...mockConfig, - enableChroot: true - }; - const result = generateDockerCompose(configWithChroot, mockNetworkConfig); - const agent = result.services.agent; const environment = agent.environment as Record; expect(environment.AWF_CHROOT_ENABLED).toBe('true'); }); - it('should pass GOROOT, CARGO_HOME, JAVA_HOME, DOTNET_ROOT, BUN_INSTALL to container when enableChroot is true and env vars are set', () => { + it('should pass GOROOT, CARGO_HOME, JAVA_HOME, DOTNET_ROOT, BUN_INSTALL to container when env vars are set', () => { const originalGoroot = process.env.GOROOT; const originalCargoHome = process.env.CARGO_HOME; const originalJavaHome = process.env.JAVA_HOME; 
@@ -709,11 +670,7 @@ describe('docker-manager', () => { process.env.BUN_INSTALL = '/home/user/.bun'; try { - const configWithChroot = { - ...mockConfig, - enableChroot: true - }; - const result = generateDockerCompose(configWithChroot, mockNetworkConfig); + const result = generateDockerCompose(mockConfig, mockNetworkConfig); const agent = result.services.agent; const environment = agent.environment as Record; @@ -757,11 +714,7 @@ describe('docker-manager', () => { delete process.env.BUN_INSTALL; try { - const configWithChroot = { - ...mockConfig, - enableChroot: true - }; - const result = generateDockerCompose(configWithChroot, mockNetworkConfig); + const result = generateDockerCompose(mockConfig, mockNetworkConfig); const agent = result.services.agent; const environment = agent.environment as Record; @@ -773,21 +726,12 @@ describe('docker-manager', () => { } }); - it('should not set AWF_CHROOT_ENABLED when enableChroot is false', () => { - const result = generateDockerCompose(mockConfig, mockNetworkConfig); - const agent = result.services.agent; - const environment = agent.environment as Record; - - expect(environment.AWF_CHROOT_ENABLED).toBeUndefined(); - }); - - it('should set AWF_WORKDIR environment variable when enableChroot is true', () => { - const configWithChroot = { + it('should set AWF_WORKDIR environment variable', () => { + const configWithWorkDir = { ...mockConfig, - enableChroot: true, containerWorkDir: '/workspace/project' }; - const result = generateDockerCompose(configWithChroot, mockNetworkConfig); + const result = generateDockerCompose(configWithWorkDir, mockNetworkConfig); const agent = result.services.agent; const environment = agent.environment as Record; 
@@ -795,11 +739,7 @@ describe('docker-manager', () => { }); it('should mount /tmp under /host for chroot temp scripts', () => { - const configWithChroot = { - ...mockConfig, - enableChroot: true - }; - const result = generateDockerCompose(configWithChroot, mockNetworkConfig); + const result = generateDockerCompose(mockConfig, mockNetworkConfig); const agent = result.services.agent; const volumes = agent.volumes as string[]; @@ -808,11 +748,7 @@ describe('docker-manager', () => { }); it('should mount /etc/passwd and /etc/group for user lookup in chroot mode', () => { - const configWithChroot = { - ...mockConfig, - enableChroot: true - }; - const result = generateDockerCompose(configWithChroot, mockNetworkConfig); + const result = generateDockerCompose(mockConfig, mockNetworkConfig); const agent = result.services.agent; const volumes = agent.volumes as string[]; @@ -822,10 +758,9 @@ describe('docker-manager', () => { expect(volumes).toContain('/etc/nsswitch.conf:/host/etc/nsswitch.conf:ro'); }); - it('should mount read-only chroot-hosts when enableChroot and enableHostAccess are true', () => { + it('should mount read-only chroot-hosts when enableHostAccess is true', () => { const config = { ...mockConfig, - enableChroot: true, enableHostAccess: true }; const result = generateDockerCompose(config, mockNetworkConfig); @@ -841,7 +776,6 @@ describe('docker-manager', () => { it('should inject host.docker.internal into chroot-hosts file', () => { const config = { ...mockConfig, - enableChroot: true, enableHostAccess: true }; generateDockerCompose(config, mockNetworkConfig); 
@@ -857,10 +791,9 @@ describe('docker-manager', () => { expect(content).toContain('localhost'); }); - it('should mount custom chroot-hosts when enableChroot is true even without enableHostAccess', () => { + it('should mount custom chroot-hosts even without enableHostAccess', () => { const config = { ...mockConfig, - enableChroot: true, enableHostAccess: false }; const result = generateDockerCompose(config, mockNetworkConfig); @@ -893,7 +826,6 @@ describe('docker-manager', () => { const config = { ...mockConfig, allowedDomains: ['github.com', 'npmjs.org', '*.wildcard.com'], - enableChroot: true }; generateDockerCompose(config, mockNetworkConfig); @@ -923,7 +855,6 @@ describe('docker-manager', () => { const config = { ...mockConfig, allowedDomains: ['unreachable.tailnet.example'], - enableChroot: true }; // Should not throw even if resolution fails generateDockerCompose(config, mockNetworkConfig); @@ -956,7 +887,6 @@ describe('docker-manager', () => { const config = { ...mockConfig, allowedDomains: ['localhost'], // localhost is already in /etc/hosts - enableChroot: true }; generateDockerCompose(config, mockNetworkConfig); 
@@ -977,76 +907,55 @@ describe('docker-manager', () => { mockExecaSync.mockReset(); }); - it('should use GHCR image when enableChroot is true with default preset (GHCR)', () => { - const configWithChroot = { - ...mockConfig, - enableChroot: true - }; - const result = generateDockerCompose(configWithChroot, mockNetworkConfig); + it('should use GHCR image with default preset', () => { + const result = generateDockerCompose(mockConfig, mockNetworkConfig); const agent = result.services.agent as any; - // Chroot mode with preset image should use GHCR (not build locally) - // This fixes the bug where packaged binaries couldn't find containers/agent directory + // Preset image should use GHCR (not build locally) expect(agent.image).toBe('ghcr.io/github/gh-aw-firewall/agent:latest'); expect(agent.build).toBeUndefined(); }); - it('should use GHCR agent-act image when enableChroot is true with act preset', () => { - const configWithChroot = { + it('should use GHCR agent-act image with act preset', () => { + const configWithAct = { ...mockConfig, - enableChroot: true, agentImage: 'act' }; - const result = generateDockerCompose(configWithChroot, mockNetworkConfig); + const result = generateDockerCompose(configWithAct, mockNetworkConfig); const agent = result.services.agent as any; - // Chroot mode with 'act' preset should use GHCR agent-act image + // 'act' preset should use GHCR agent-act image expect(agent.image).toBe('ghcr.io/github/gh-aw-firewall/agent-act:latest'); expect(agent.build).toBeUndefined(); }); - it('should build locally with full Dockerfile when enableChroot with custom image', () => { - const configWithChroot = { + it('should build locally with full Dockerfile when using custom image', () => { + const configWithCustomImage = { ...mockConfig, - enableChroot: true, agentImage: 'ubuntu:24.04' // Custom (non-preset) image }; - const result = generateDockerCompose(configWithChroot, mockNetworkConfig); + const result = generateDockerCompose(configWithCustomImage, 
mockNetworkConfig); const agent = result.services.agent as any; - // Chroot mode with custom image should build locally with full Dockerfile for feature parity + // Custom image should build locally with full Dockerfile for feature parity expect(agent.build).toBeDefined(); expect(agent.build.dockerfile).toBe('Dockerfile'); expect(agent.build.args.BASE_IMAGE).toBe('ubuntu:24.04'); expect(agent.image).toBeUndefined(); }); - it('should build locally with full Dockerfile when buildLocal and enableChroot are both true', () => { - const configWithChrootAndBuildLocal = { - ...mockConfig, - enableChroot: true, - buildLocal: true - }; - const result = generateDockerCompose(configWithChrootAndBuildLocal, mockNetworkConfig); - const agent = result.services.agent as any; - - // When both buildLocal and enableChroot are set, should use full Dockerfile for feature parity - expect(agent.build).toBeDefined(); - expect(agent.build.dockerfile).toBe('Dockerfile'); - expect(agent.image).toBeUndefined(); - }); - - it('should use standard Dockerfile when enableChroot is false and buildLocal is true', () => { + it('should build locally with full Dockerfile when buildLocal is true', () => { const configWithBuildLocal = { ...mockConfig, - buildLocal: true, - enableChroot: false + buildLocal: true }; const result = generateDockerCompose(configWithBuildLocal, mockNetworkConfig); const agent = result.services.agent as any; + // Should use full Dockerfile for feature parity expect(agent.build).toBeDefined(); expect(agent.build.dockerfile).toBe('Dockerfile'); + expect(agent.image).toBeUndefined(); }); it('should set agent to depend on healthy squid', () => { 
@@ -1432,9 +1341,8 @@ describe('docker-manager', () => { expect(tmpfs.some((t: string) => t.startsWith(`${mockConfig.workDir}:`))).toBe(true); }); - it('should hide workDir at both paths in chroot mode', () => { - const configWithChroot = { ...mockConfig, enableChroot: true }; - const result = generateDockerCompose(configWithChroot, mockNetworkConfig); + it('should hide workDir at both normal and /host paths (chroot always on)', () => { + const result = generateDockerCompose(mockConfig, mockNetworkConfig); const agent = result.services.agent; const tmpfs = agent.tmpfs as string[]; 
@@ -1452,6 +1360,51 @@ describe('docker-manager', () => { expect(tmpfs.some((t: string) => t.includes('/tmp/gh-aw/mcp-logs'))).toBe(true); expect(tmpfs.some((t: string) => t.startsWith(`${mockConfig.workDir}:`))).toBe(true); }); + + it('should set secure tmpfs options (noexec, nosuid, size limit)', () => { + const result = generateDockerCompose(mockConfig, mockNetworkConfig); + const agent = result.services.agent; + const tmpfs = agent.tmpfs as string[]; + + // All tmpfs mounts should have security options + tmpfs.forEach((mount: string) => { + expect(mount).toContain('noexec'); + expect(mount).toContain('nosuid'); + expect(mount).toContain('size=1m'); + }); + }); + + it('should apply tmpfs overlay to custom workDir paths', () => { + const configWithCustomWorkDir = { + ...mockConfig, + workDir: '/var/tmp/custom-awf-work', + }; + fs.mkdirSync(configWithCustomWorkDir.workDir, { recursive: true }); + try { + const result = generateDockerCompose(configWithCustomWorkDir, mockNetworkConfig); + const agent = result.services.agent; + const tmpfs = agent.tmpfs as string[]; + + expect(tmpfs.some((t: string) => t.startsWith('/var/tmp/custom-awf-work:'))).toBe(true); + expect(tmpfs.some((t: string) => t.startsWith('/host/var/tmp/custom-awf-work:'))).toBe(true); + } finally { + fs.rmSync(configWithCustomWorkDir.workDir, { recursive: true, force: true }); + } + }); + + it('should include exactly 4 tmpfs mounts (mcp-logs + workDir, both normal and /host)', () => { + const result = generateDockerCompose(mockConfig, mockNetworkConfig); + const agent = result.services.agent; + const tmpfs = agent.tmpfs as string[]; + + expect(tmpfs).toHaveLength(4); + // Normal paths + expect(tmpfs.some((t: string) => t.includes('/tmp/gh-aw/mcp-logs:'))).toBe(true); + expect(tmpfs.some((t: string) => t.startsWith(`${mockConfig.workDir}:`))).toBe(true); + // /host-prefixed paths (chroot always on) + expect(tmpfs.some((t: string) => t.includes('/host/tmp/gh-aw/mcp-logs:'))).toBe(true); + 
expect(tmpfs.some((t: string) => t.startsWith(`/host${mockConfig.workDir}:`))).toBe(true); + }); }); }); diff --git a/src/docker-manager.ts b/src/docker-manager.ts index 8aab6269..cb064ce1 100644 --- a/src/docker-manager.ts +++ b/src/docker-manager.ts @@ -321,8 +321,8 @@ export function generateDockerCompose( ]); // Start with required/overridden environment variables - // For chroot mode, use the real user's home (not /root when running with sudo) - const homeDir = config.enableChroot ? getRealUserHome() : (process.env.HOME || '/root'); + // Use the real user's home (not /root when running with sudo) + const homeDir = getRealUserHome(); const environment: Record = { HTTP_PROXY: `http://${networkConfig.squidIp}:${SQUID_PORT}`, HTTPS_PROXY: `http://${networkConfig.squidIp}:${SQUID_PORT}`, 
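Review bot: The `should apply tmpfs overlay to custom workDir paths` test creates the fixed path `/var/tmp/custom-awf-work` with `recursive: true` and then removes it with `fs.rmSync(..., { recursive: true, force: true })`. In a world-writable directory that name can already exist, and `recursive: true` accepts an existing directory, so the test may reuse and then delete a directory it did not create; two runs on one machine also collide. Use a unique directory instead, `const workDir = fs.mkdtempSync(path.join(os.tmpdir(), 'awf-work-'));`, and build the two `startsWith` expectations from `workDir` and `/host${workDir}`. The import block of this test file is not visible here, so confirm `os` and `path` are in scope.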
@@ -344,35 +344,33 @@ export function generateDockerCompose( environment.no_proxy = environment.NO_PROXY; } - // For chroot mode, pass the host's actual PATH and tool directories so the entrypoint can use them + // Pass the host's actual PATH and tool directories so the entrypoint can use them // This ensures toolcache paths (Python, Node, Go, Rust, Java) are correctly resolved - if (config.enableChroot) { - if (process.env.PATH) { - environment.AWF_HOST_PATH = process.env.PATH; - } - // Go on GitHub Actions uses trimmed binaries that require GOROOT to be set - // Pass GOROOT as AWF_GOROOT so entrypoint.sh can export it in the chroot script - if (process.env.GOROOT) { - environment.AWF_GOROOT = process.env.GOROOT; - } - // Rust: Pass CARGO_HOME so entrypoint can add $CARGO_HOME/bin to PATH - if (process.env.CARGO_HOME) { - environment.AWF_CARGO_HOME = process.env.CARGO_HOME; - } - // Java: Pass JAVA_HOME so entrypoint can add $JAVA_HOME/bin to PATH and set JAVA_HOME - if (process.env.JAVA_HOME) { - environment.AWF_JAVA_HOME = process.env.JAVA_HOME; - } - // .NET: Pass DOTNET_ROOT so entrypoint can add it to PATH and set DOTNET_ROOT - if (process.env.DOTNET_ROOT) { - environment.AWF_DOTNET_ROOT = process.env.DOTNET_ROOT; - } - // Bun: Pass BUN_INSTALL so entrypoint can add $BUN_INSTALL/bin to PATH - // Bun crashes with core dump when installed inside chroot (restricted /proc access), - // so it must be pre-installed on the host via setup-bun action - if (process.env.BUN_INSTALL) { - environment.AWF_BUN_INSTALL = process.env.BUN_INSTALL; - } + if (process.env.PATH) { + environment.AWF_HOST_PATH = process.env.PATH; + } + // Go on GitHub Actions uses trimmed binaries that require GOROOT to be set + // Pass GOROOT as AWF_GOROOT so entrypoint.sh can export it in the chroot script + if (process.env.GOROOT) { + environment.AWF_GOROOT = process.env.GOROOT; + } + // Rust: Pass CARGO_HOME so entrypoint can add $CARGO_HOME/bin to PATH + if (process.env.CARGO_HOME) { + 
environment.AWF_CARGO_HOME = process.env.CARGO_HOME; + } + // Java: Pass JAVA_HOME so entrypoint can add $JAVA_HOME/bin to PATH and set JAVA_HOME + if (process.env.JAVA_HOME) { + environment.AWF_JAVA_HOME = process.env.JAVA_HOME; + } + // .NET: Pass DOTNET_ROOT so entrypoint can add it to PATH and set DOTNET_ROOT + if (process.env.DOTNET_ROOT) { + environment.AWF_DOTNET_ROOT = process.env.DOTNET_ROOT; + } + // Bun: Pass BUN_INSTALL so entrypoint can add $BUN_INSTALL/bin to PATH + // Bun crashes with core dump when installed inside chroot (restricted /proc access), + // so it must be pre-installed on the host via setup-bun action + if (process.env.BUN_INSTALL) { + environment.AWF_BUN_INSTALL = process.env.BUN_INSTALL; } // If --env-all is specified, pass through all host environment variables (except excluded ones) 
@@ -409,17 +407,15 @@ export function generateDockerCompose( } // Pass chroot mode flag to container for entrypoint.sh capability drop - if (config.enableChroot) { - environment.AWF_CHROOT_ENABLED = 'true'; - // Pass the container working directory for chroot mode - // If containerWorkDir is set, use it; otherwise use home directory - // The entrypoint will strip /host prefix to get the correct path inside chroot - if (config.containerWorkDir) { - environment.AWF_WORKDIR = config.containerWorkDir; - } else { - // Default to real user's home directory (not /root when running with sudo) - environment.AWF_WORKDIR = getRealUserHome(); - } + environment.AWF_CHROOT_ENABLED = 'true'; + // Pass the container working directory for chroot mode + // If containerWorkDir is set, use it; otherwise use home directory + // The entrypoint will strip /host prefix to get the correct path inside chroot + if (config.containerWorkDir) { + environment.AWF_WORKDIR = config.containerWorkDir; + } else { + // Default to real user's home directory (not /root when running with sudo) + environment.AWF_WORKDIR = getRealUserHome(); } // Pass host UID/GID for runtime user adjustment in entrypoint @@ -429,8 +425,8 @@ export function generateDockerCompose( // Note: UID/GID values are logged by the container entrypoint if needed for debugging // Build volumes list for agent execution container - // For chroot mode, use the real user's home (not /root when running with sudo) - const effectiveHome = config.enableChroot ? getRealUserHome() : (process.env.HOME || '/root'); + // Use the real user's home (not /root when running with sudo) + const effectiveHome = getRealUserHome(); const agentVolumes: string[] = [ // Essential mounts that are always included '/tmp:/tmp:rw', 
@@ -439,10 +435,8 @@ export function generateDockerCompose( `${config.workDir}/agent-logs:${effectiveHome}/.copilot/logs:rw`, ]; - // Add chroot-related volume mounts when --enable-chroot is specified - // These mounts enable chroot /host to work properly for running host binaries - if (config.enableChroot) { - logger.debug('Chroot mode enabled - using selective path mounts for security'); + // Volume mounts for chroot /host to work properly with host binaries + logger.debug('Using selective path mounts for security'); // System paths (read-only) - required for binaries and libraries agentVolumes.push( @@ -566,7 +560,6 @@ export function generateDockerCompose( agentVolumes.push('/dev/null:/host/run/docker.sock:ro'); logger.debug('Selective mounts configured: system paths (ro), home (rw), Docker socket hidden'); - } // Add SSL CA certificate mount if SSL Bump is enabled // This allows the agent container to trust the dynamically-generated CA @@ -613,11 +606,7 @@ export function generateDockerCompose( // // **Implementation Details** // - // Normal mode (without --enable-chroot): - // - Mount: $HOME (for workspace, including $GITHUB_WORKSPACE when it resides under $HOME), /tmp, ~/.copilot/logs - // - Hide: credential files (Docker, NPM, Cargo, Composer, GitHub CLI, SSH keys, AWS, Azure, GCP, k8s) - // - // Chroot mode (with --enable-chroot): + // AWF always runs in chroot mode: // - Mount: $HOME at /host$HOME (for chroot environment), system paths at /host // - Hide: Same credentials at /host paths // 
@@ -639,44 +628,12 @@ export function generateDockerCompose( logger.warn(' This exposes sensitive credential files to potential prompt injection attacks'); logger.warn(' Consider using selective mounting (default) or --volume-mount for specific directories'); - // Add blanket mount for full filesystem access in both modes + // Add blanket mount for full filesystem access agentVolumes.unshift('/:/host:rw'); - } else if (!config.enableChroot) { - // Default: Selective mounting for normal mode (chroot already uses selective mounting) - // This provides security against credential exfiltration via prompt injection - logger.debug('Using selective mounting for security (credential files hidden)'); - - // SECURITY: Hide credential files by mounting /dev/null over them - // This prevents prompt-injected commands from reading sensitive tokens - // even if the attacker knows the file paths - const credentialFiles = [ - `${effectiveHome}/.docker/config.json`, // Docker Hub tokens - `${effectiveHome}/.npmrc`, // NPM registry tokens - `${effectiveHome}/.cargo/credentials`, // Rust crates.io tokens - `${effectiveHome}/.composer/auth.json`, // PHP Composer tokens - `${effectiveHome}/.config/gh/hosts.yml`, // GitHub CLI OAuth tokens - // SSH private keys (CRITICAL - server access, git operations) - `${effectiveHome}/.ssh/id_rsa`, - `${effectiveHome}/.ssh/id_ed25519`, - `${effectiveHome}/.ssh/id_ecdsa`, - `${effectiveHome}/.ssh/id_dsa`, - // Cloud provider credentials (CRITICAL - infrastructure access) - `${effectiveHome}/.aws/credentials`, - `${effectiveHome}/.aws/config`, - `${effectiveHome}/.kube/config`, - `${effectiveHome}/.azure/credentials`, - `${effectiveHome}/.config/gcloud/credentials.db`, - ]; - - credentialFiles.forEach(credFile => { - agentVolumes.push(`/dev/null:${credFile}:ro`); - }); - - logger.debug(`Hidden ${credentialFiles.length} credential file(s) via /dev/null mounts`); } - // Chroot mode: Hide credentials at /host paths - if (config.enableChroot && 
!config.allowFullFilesystemAccess) { + // Hide credentials at /host paths + if (!config.allowFullFilesystemAccess) { logger.debug('Chroot mode: Hiding credential files at /host paths'); const userHome = getRealUserHome(); 
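Review bot: The deleted branch carried an explicit list of 14 credential paths (registry tokens, SSH private keys, AWS/Azure/GCP/kube credentials), and after this change the only masking left is the `/host`-prefixed list that starts below `const userHome = getRealUserHome();`, outside this hunk. Nothing in the commit checks that the remaining list covers every path that was removed here, so a gap would silently expose that file to commands run in the sandbox. Add a test that loops over the removed paths and expects a `/dev/null` mount for each under `/host${userHome}`. Also confirm that `$HOME` is no longer bind-mounted at its un-prefixed path, because those locations lose their masks with this change. The log text `'Chroot mode: Hiding credential files at /host paths'` can drop its `Chroot mode:` prefix now that there is no other mode.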
@@ -732,31 +689,26 @@ export function generateDockerCompose( // are mapped to different container paths (e.g., ~/.copilot/logs, /var/log/squid) // so they are unaffected by the tmpfs overlay on workDir. // - // For chroot mode: hide both normal and /host-prefixed paths since /tmp is - // mounted at both /tmp and /host/tmp - tmpfs: config.enableChroot - ? [ - '/tmp/gh-aw/mcp-logs:rw,noexec,nosuid,size=1m', - '/host/tmp/gh-aw/mcp-logs:rw,noexec,nosuid,size=1m', - `${config.workDir}:rw,noexec,nosuid,size=1m`, - `/host${config.workDir}:rw,noexec,nosuid,size=1m`, - ] - : [ - '/tmp/gh-aw/mcp-logs:rw,noexec,nosuid,size=1m', - `${config.workDir}:rw,noexec,nosuid,size=1m`, - ], + // Hide both normal and /host-prefixed paths since /tmp is mounted at both + // /tmp and /host/tmp in chroot mode (which is always on) + tmpfs: [ + '/tmp/gh-aw/mcp-logs:rw,noexec,nosuid,size=1m', + '/host/tmp/gh-aw/mcp-logs:rw,noexec,nosuid,size=1m', + `${config.workDir}:rw,noexec,nosuid,size=1m`, + `/host${config.workDir}:rw,noexec,nosuid,size=1m`, + ], depends_on: { 'squid-proxy': { condition: 'service_healthy', }, }, // NET_ADMIN is required for iptables setup in entrypoint.sh. - // SYS_CHROOT is added when --enable-chroot is specified for chroot operations. - // SYS_ADMIN is added in chroot mode to mount procfs at /host/proc (required for + // SYS_CHROOT is required for chroot operations. + // SYS_ADMIN is required to mount procfs at /host/proc (required for // dynamic /proc/self/exe resolution needed by .NET CLR and other runtimes). // Security: All capabilities are dropped before running user commands // via 'capsh --drop=cap_net_admin,cap_sys_chroot,cap_sys_admin' in entrypoint.sh. - cap_add: config.enableChroot ? ['NET_ADMIN', 'SYS_CHROOT', 'SYS_ADMIN'] : ['NET_ADMIN'], + cap_add: ['NET_ADMIN', 'SYS_CHROOT', 'SYS_ADMIN'], // Drop capabilities to reduce attack surface (security hardening) cap_drop: [ 'NET_RAW', // Prevents raw socket creation (iptables bypass attempts) 
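Review bot: `cap_add` now grants `SYS_CHROOT` and `SYS_ADMIN` on every run, and the next hunk makes `apparmor:unconfined` unconditional too, so invocations that used to start with `NET_ADMIN` only now depend entirely on the `capsh --drop=cap_net_admin,cap_sys_chroot,cap_sys_admin` step that the comment attributes to entrypoint.sh, which this diff does not show. The unit tests in this commit only assert that the capabilities are requested; nothing visible verifies that they are gone when the user command starts. I would add an integration check that runs a command through awf and reads `CapEff` from `/proc/self/status`. I would also state the dependency where it is granted, e.g. `// Granted on every run (chroot is always on); entrypoint.sh must drop all three before exec'ing the user command.`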
@@ -766,13 +718,13 @@ export function generateDockerCompose( 'MKNOD', // Prevents device node creation ], // Apply seccomp profile and no-new-privileges to restrict dangerous syscalls and prevent privilege escalation - // In chroot mode, AppArmor is set to unconfined to allow mounting procfs at /host/proc + // AppArmor is set to unconfined to allow mounting procfs at /host/proc // (Docker's default AppArmor profile blocks mount). This is safe because SYS_ADMIN is // dropped via capsh before user code runs, so user code cannot mount anything. security_opt: [ 'no-new-privileges:true', `seccomp=${config.workDir}/seccomp-profile.json`, - ...(config.enableChroot ? ['apparmor:unconfined'] : []), + 'apparmor:unconfined', ], // Resource limits to prevent DoS attacks (conservative defaults) mem_limit: '4g', // 4GB memory limit 
@@ -799,23 +751,20 @@ export function generateDockerCompose( // Use GHCR image or build locally // Priority: GHCR preset images > local build (when requested) > custom images - // For presets ('default', 'act'), use GHCR images (even in chroot mode) - // This fixes a bug where --enable-chroot would ignore --agent-image preset + // For presets ('default', 'act'), use GHCR images const agentImage = config.agentImage || 'default'; const isPreset = agentImage === 'default' || agentImage === 'act'; if (useGHCR && isPreset) { - // Use pre-built GHCR image for preset images (works in both normal and chroot mode) + // Use pre-built GHCR image for preset images // The GHCR images already have the necessary setup for chroot mode const imageName = agentImage === 'act' ? 'agent-act' : 'agent'; agentService.image = `${registry}/${imageName}:${tag}`; - if (config.enableChroot) { - logger.debug(`Chroot mode: using GHCR image ${imageName}:${tag}`); - } - } else if (config.buildLocal || (config.enableChroot && !isPreset)) { + logger.debug(`Using GHCR image ${imageName}:${tag}`); + } else if (config.buildLocal || !isPreset) { // Build locally when: // 1. --build-local is explicitly specified, OR - // 2. --enable-chroot with a custom (non-preset) image + // 2. A custom (non-preset) image is specified const buildArgs: Record = { USER_UID: getSafeHostUid(), USER_GID: getSafeHostGid(), @@ -901,7 +850,7 @@ export async function writeConfigs(config: WrapperConfig): Promise { // This directory exists on the HOST for MCP gateway to write logs // Inside the AWF container, it's hidden via tmpfs mount (see generateDockerCompose) // Uses mode 0o777 to allow GitHub Actions workflows and MCP gateway to create subdirectories - // even when AWF runs as root (e.g., sudo awf --enable-chroot) + // even when AWF runs as root (e.g., sudo awf) const mcpLogsDir = '/tmp/gh-aw/mcp-logs'; if (!fs.existsSync(mcpLogsDir)) { fs.mkdirSync(mcpLogsDir, { recursive: true, mode: 0o777 }); 
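Review bot: With `else if (config.buildLocal || !isPreset)` every custom (non-preset) `agentImage` now takes the local-build branch, yet the unchanged comment above still gives the priority as `GHCR preset images > local build (when requested) > custom images`. That reads as if a custom image could still be used as-is. I would update it to `// Priority: GHCR preset images > local build (--build-local, or any custom image)`, and mention the behaviour change for existing custom-image users in the release notes. The final `else` branch is outside the hunk, so what it still handles cannot be confirmed here.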
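Review bot: In the writeConfigs hunk, the reworded comment implies that a plain `sudo awf` run reaches this code as root, yet the lines below reuse `/tmp/gh-aw/mcp-logs` whenever `fs.existsSync` returns true, without checking who owns it or whether it is a symlink. On a multi-user host that path is predictable and sits under a world-writable parent, so a directory prepared by another local account would be accepted. The `mode: 0o777` passed to `fs.mkdirSync` is also masked by the process umask, so the permissions the comment promises hold only if a chmod follows. The rest of the function is outside the hunk, so both may already be handled. If not, an `fs.lstatSync` check that the path is a real directory with the expected owner before use, plus an explicit `fs.chmodSync`, would close the gap.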
diff --git a/src/squid-config.test.ts b/src/squid-config.test.ts index 620034b7..a32b52ab 100644 --- a/src/squid-config.test.ts +++ b/src/squid-config.test.ts @@ -1081,6 +1081,39 @@ describe('generateSquidConfig', () => { expect(result).toContain('ssl_bump terminate all'); }); + it('should include ssl_bump rules for regex patterns only', () => { + const config: SquidConfig = { + domains: ['api-*.example.com'], + port: defaultPort, + sslBump: true, + caFiles: { + certPath: '/tmp/test/ssl/ca-cert.pem', + keyPath: '/tmp/test/ssl/ca-key.pem', + }, + sslDbPath: '/tmp/test/ssl_db', + }; + const result = generateSquidConfig(config); + expect(result).toContain('ssl_bump bump allowed_domains_regex'); + expect(result).toContain('ssl_bump terminate all'); + }); + + it('should include ssl_bump rules for both plain domains and regex patterns', () => { + const config: SquidConfig = { + domains: ['github.com', 'api-*.example.com'], + port: defaultPort, + sslBump: true, + caFiles: { + certPath: '/tmp/test/ssl/ca-cert.pem', + keyPath: '/tmp/test/ssl/ca-key.pem', + }, + sslDbPath: '/tmp/test/ssl_db', + }; + const result = generateSquidConfig(config); + expect(result).toContain('ssl_bump bump allowed_domains'); + expect(result).toContain('ssl_bump bump allowed_domains_regex'); + expect(result).toContain('ssl_bump terminate all'); + }); + it('should include URL pattern ACLs when provided', () => { // URL patterns passed here are the output of parseUrlPatterns which now uses [^\s]* const config: SquidConfig = { 
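Review bot: In the test 'should include ssl_bump rules for both plain domains and regex patterns', `expect(result).toContain('ssl_bump bump allowed_domains')` is also satisfied by the `ssl_bump bump allowed_domains_regex` line, so the test passes even if the plain-domain rule is missing. `expect(result).toMatch(/ssl_bump bump allowed_domains(?!_regex)/)` would pin the plain rule. The next hunk in this file has the same weakness: `toContain('allowed_http_only')` and `toContain('allowed_https_only')` match their `_regex` counterparts. There too, `toContain('CONNECT')` in the HTTPS-only test also matches `!CONNECT`, so it cannot tell the two protocol restrictions apart. Since these tests guard the allow-list the proxy enforces, asserting on whole ACL or `http_access` lines would make them meaningful.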
@@ -1099,6 +1132,48 @@ describe('generateSquidConfig', () => { expect(result).toContain('^https://github\\.com/myorg/[^\\s]*'); }); + it('should handle HTTP-only protocol-restricted domains', () => { + const config: SquidConfig = { + domains: ['http://legacy-api.example.com'], + port: defaultPort, + }; + const result = generateSquidConfig(config); + expect(result).toContain('allowed_http_only'); + expect(result).toContain('!CONNECT'); + }); + + it('should handle HTTPS-only protocol-restricted domains', () => { + const config: SquidConfig = { + domains: ['https://secure.example.com'], + port: defaultPort, + }; + const result = generateSquidConfig(config); + expect(result).toContain('allowed_https_only'); + expect(result).toContain('CONNECT'); + }); + + it('should handle mix of HTTP-only plain domains and wildcard patterns', () => { + const config: SquidConfig = { + domains: ['http://legacy.example.com', 'http://api-*.example.com'], + port: defaultPort, + }; + const result = generateSquidConfig(config); + // Both plain and regex ACLs should be generated for http-only + expect(result).toContain('allowed_http_only'); + expect(result).toContain('allowed_http_only_regex'); + }); + + it('should handle mix of HTTPS-only plain domains and wildcard patterns', () => { + const config: SquidConfig = { + domains: ['https://secure.example.com', 'https://api-*.example.com'], + port: defaultPort, + }; + const result = generateSquidConfig(config); + // Both plain and regex ACLs should be generated for https-only + expect(result).toContain('allowed_https_only'); + expect(result).toContain('allowed_https_only_regex'); + }); + it('should not include SSL Bump section when disabled', () => { const config: SquidConfig = { domains: ['github.com'], diff --git a/src/types.ts b/src/types.ts index 29cb2bb4..fdf34ca7 100644 --- a/src/types.ts +++ b/src/types.ts 
@@ -380,32 +380,6 @@ export interface WrapperConfig { * @example ['https://github.com/myorg/*', 'https://api.example.com/v1/*'] */ allowedUrls?: string[]; - - /** - * Enable chroot to /host for running host binaries - * - * When true, uses selective path mounts instead of the blanket /:/host:rw mount, - * enabling chroot-based execution of host binaries (Python, Node, Go, Rust, etc.) - * while maintaining network isolation through iptables. - * - * Mounted paths (read-only): - * - /usr, /bin, /sbin, /lib, /lib64 - System binaries and libraries - * - /opt - Tool cache (Python, Node, Ruby, Go, Java from GitHub runners) - * - /etc/ssl, /etc/ca-certificates, /etc/alternatives, /etc/ld.so.cache - Runtime config - * - /proc/self, /sys, /dev - Special filesystems (only /proc/self, not full /proc) - * - * Mounted paths (read-write): - * - $HOME - User home directory for project files and Rust/Cargo - * - * Security protections: - * - Docker socket hidden (/dev/null mounted over /var/run/docker.sock) - * - /etc/shadow NOT mounted (password hashes protected) - * - /etc/passwd mounted read-only (required for user lookup in chroot) - * - CAP_SYS_CHROOT capability added but dropped before user commands - * - * @default false - */ - enableChroot?: boolean; } /** diff --git a/test-chroot.sh b/test-chroot.sh index 9603a540..17dc2832 100755 --- a/test-chroot.sh +++ b/test-chroot.sh 
@@ -8,13 +8,13 @@ AWF="/usr/local/bin/awf" # Core functionality echo -n "1. Python available: " -sudo $AWF --enable-chroot --allow-domains localhost -- python3 --version 2>&1 | grep "Python" | head -1 +sudo $AWF --allow-domains localhost -- python3 --version 2>&1 | grep "Python" | head -1 echo -n "2. Node available: " -sudo $AWF --enable-chroot --allow-domains localhost -- node --version 2>&1 | grep -E "^v[0-9]" | head -1 +sudo $AWF --allow-domains localhost -- node --version 2>&1 | grep -E "^v[0-9]" | head -1 echo -n "3. Network firewall works: " -RESULT=$(sudo $AWF --enable-chroot --allow-domains api.github.com -- curl -s https://api.github.com/zen 2>&1 | grep -v "^\[" | grep -v Container | grep -v Process | grep -v entrypoint | grep -v iptables | grep -v "^$" | grep -v "Chain" | grep -v "pkts" | grep -v RETURN | grep -v DNAT | head -1) +RESULT=$(sudo $AWF --allow-domains api.github.com -- curl -s https://api.github.com/zen 2>&1 | grep -v "^\[" | grep -v Container | grep -v Process | grep -v entrypoint | grep -v iptables | grep -v "^$" | grep -v "Chain" | grep -v "pkts" | grep -v RETURN | grep -v DNAT | head -1) if [ -n "$RESULT" ]; then echo "PASS (got: $RESULT)" else @@ -23,7 +23,7 @@ else fi echo -n "4. Docker socket hidden: " -SOCKET_CHECK=$(sudo $AWF --enable-chroot --allow-domains localhost -- ls -la /var/run/docker.sock 2>&1 | grep "1, 3" || true) +SOCKET_CHECK=$(sudo $AWF --allow-domains localhost -- ls -la /var/run/docker.sock 2>&1 | grep "1, 3" || true) if [ -n "$SOCKET_CHECK" ]; then echo "PASS (mapped to /dev/null)" else @@ -32,7 +32,7 @@ else fi echo -n "5. iptables blocked: " -IPTABLES_CHECK=$(sudo $AWF --enable-chroot --allow-domains localhost -- iptables -L 2>&1 | grep -E "Permission denied|not permitted" || true) +IPTABLES_CHECK=$(sudo $AWF --allow-domains localhost -- iptables -L 2>&1 | grep -E "Permission denied|not permitted" || true) if [ -n "$IPTABLES_CHECK" ]; then echo "PASS" else 
@@ -41,7 +41,7 @@ else fi echo -n "6. Read-only /usr: " -READONLY_CHECK=$(sudo $AWF --enable-chroot --allow-domains localhost -- touch /usr/test 2>&1 | grep "Read-only" || true) +READONLY_CHECK=$(sudo $AWF --allow-domains localhost -- touch /usr/test 2>&1 | grep "Read-only" || true) if [ -n "$READONLY_CHECK" ]; then echo "PASS" else @@ -50,7 +50,7 @@ else fi echo -n "7. Writable /tmp: " -TMP_CHECK=$(sudo $AWF --enable-chroot --allow-domains localhost -- bash -c "echo test > /tmp/awf-smoke-test && cat /tmp/awf-smoke-test && rm /tmp/awf-smoke-test" 2>&1 | grep "^test$" || true) +TMP_CHECK=$(sudo $AWF --allow-domains localhost -- bash -c "echo test > /tmp/awf-smoke-test && cat /tmp/awf-smoke-test && rm /tmp/awf-smoke-test" 2>&1 | grep "^test$" || true) if [ "$TMP_CHECK" = "test" ]; then echo "PASS" else @@ -59,7 +59,7 @@ else fi echo -n "8. Blocked domain denied: " -BLOCKED_CHECK=$(sudo $AWF --enable-chroot --allow-domains api.github.com -- curl -s --connect-timeout 5 https://example.com 2>&1 | grep -E "403|TCP_DENIED|Firewall blocked" || true) +BLOCKED_CHECK=$(sudo $AWF --allow-domains api.github.com -- curl -s --connect-timeout 5 https://example.com 2>&1 | grep -E "403|TCP_DENIED|Firewall blocked" || true) if [ -n "$BLOCKED_CHECK" ]; then echo "PASS" else @@ -68,7 +68,7 @@ else fi echo -n "9. Exit code propagation: " -sudo $AWF --enable-chroot --allow-domains localhost -- false 2>&1 > /dev/null || EXIT_CODE=$? +sudo $AWF --allow-domains localhost -- false 2>&1 > /dev/null || EXIT_CODE=$? if [ "$EXIT_CODE" = "1" ]; then echo "PASS" else @@ -77,7 +77,7 @@ else fi echo -n "10. User identity preserved: " -USER_CHECK=$(sudo $AWF --enable-chroot --allow-domains localhost -- whoami 2>&1 | grep -E "^[a-z][a-z0-9_-]*$" | head -1) +USER_CHECK=$(sudo $AWF --allow-domains localhost -- whoami 2>&1 | grep -E "^[a-z][a-z0-9_-]*$" | head -1) if [ "$USER_CHECK" != "root" ] && [ -n "$USER_CHECK" ]; then echo "PASS (user: $USER_CHECK)" else 
diff --git a/tests/fixtures/awf-runner.ts b/tests/fixtures/awf-runner.ts index 12d67cd3..93dc9995 100644 --- a/tests/fixtures/awf-runner.ts +++ b/tests/fixtures/awf-runner.ts @@ -17,7 +17,6 @@ export interface AwfOptions { tty?: boolean; // Allocate pseudo-TTY (required for interactive tools like Claude Code) dnsServers?: string[]; // DNS servers to use (e.g., ['8.8.8.8', '2001:4860:4860::8888']) allowHostPorts?: string; // Ports or port ranges to allow for host access (e.g., '3000' or '3000-8000') - enableChroot?: boolean; // Enable chroot to /host for transparent host binary execution allowFullFilesystemAccess?: boolean; // Allow full filesystem access (disables selective mounting security) } @@ -100,11 +99,6 @@ export class AwfRunner { args.push('--allow-host-ports', options.allowHostPorts); } - // Add enable-chroot flag - if (options.enableChroot) { - args.push('--enable-chroot'); - } - // Add allow-full-filesystem-access flag if (options.allowFullFilesystemAccess) { args.push('--allow-full-filesystem-access'); @@ -251,11 +245,6 @@ export class AwfRunner { args.push('--allow-host-ports', options.allowHostPorts); } - // Add enable-chroot flag - if (options.enableChroot) { - args.push('--enable-chroot'); - } - // Add allow-full-filesystem-access flag if (options.allowFullFilesystemAccess) { args.push('--allow-full-filesystem-access'); diff --git a/tests/integration/chroot-edge-cases.test.ts b/tests/integration/chroot-edge-cases.test.ts index b75dba11..b21f0d9f 100644 --- a/tests/integration/chroot-edge-cases.test.ts +++ b/tests/integration/chroot-edge-cases.test.ts @@ -2,7 +2,7 @@ * Chroot Edge Cases and Error Handling Tests * * These tests verify edge cases, security features, and error handling - * for the --enable-chroot feature. + * for chroot mode. * * NOTE: stdout may contain entrypoint debug logs in addition to command output. * Use toContain() instead of exact matches, or check the last line of output. 
@@ -40,7 +40,6 @@ describe('Chroot Edge Cases', () => { allowDomains: ['localhost'], logLevel: 'debug', timeout: 60000, - enableChroot: true, containerWorkDir: '/tmp', }); @@ -54,7 +53,6 @@ describe('Chroot Edge Cases', () => { allowDomains: ['localhost'], logLevel: 'debug', timeout: 60000, - enableChroot: true, containerWorkDir: '/nonexistent/directory/path', }); @@ -71,7 +69,6 @@ describe('Chroot Edge Cases', () => { allowDomains: ['localhost'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); expect(result).toSucceed(); @@ -85,7 +82,6 @@ describe('Chroot Edge Cases', () => { allowDomains: ['localhost'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); expect(result).toSucceed(); @@ -101,7 +97,6 @@ describe('Chroot Edge Cases', () => { allowDomains: ['localhost'], logLevel: 'debug', timeout: 60000, - enableChroot: true, env: { MY_CUSTOM_VAR: 'test_value_123', }, @@ -118,7 +113,6 @@ describe('Chroot Edge Cases', () => { allowDomains: ['localhost'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); expect(result).toSucceed(); @@ -130,7 +124,6 @@ describe('Chroot Edge Cases', () => { allowDomains: ['localhost'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); expect(result).toSucceed(); @@ -145,7 +138,6 @@ describe('Chroot Edge Cases', () => { allowDomains: ['localhost'], logLevel: 'debug', timeout: 60000, - enableChroot: true, } ); @@ -161,7 +153,6 @@ describe('Chroot Edge Cases', () => { allowDomains: ['localhost'], logLevel: 'debug', timeout: 60000, - enableChroot: true, } ); @@ -178,7 +169,6 @@ describe('Chroot Edge Cases', () => { allowDomains: ['localhost'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); // Should fail due to lack of permissions @@ -192,7 +182,6 @@ describe('Chroot Edge Cases', () => { allowDomains: ['localhost'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); // Should fail due to lack of CAP_SYS_CHROOT 
@@ -206,7 +195,6 @@ describe('Chroot Edge Cases', () => { allowDomains: ['localhost'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); expect(result).toExitWithCode(0); @@ -217,7 +205,6 @@ describe('Chroot Edge Cases', () => { allowDomains: ['localhost'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); expect(result).toExitWithCode(1); @@ -228,7 +215,6 @@ describe('Chroot Edge Cases', () => { allowDomains: ['localhost'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); expect(result).toExitWithCode(1); @@ -239,7 +225,6 @@ describe('Chroot Edge Cases', () => { allowDomains: ['localhost'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); expect(result).toExitWithCode(127); @@ -252,7 +237,6 @@ describe('Chroot Edge Cases', () => { allowDomains: ['api.github.com'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); expect(result).toSucceed(); @@ -264,7 +248,6 @@ describe('Chroot Edge Cases', () => { allowDomains: ['github.com'], logLevel: 'debug', timeout: 30000, - enableChroot: true, }); // Should fail or timeout @@ -276,7 +259,6 @@ describe('Chroot Edge Cases', () => { allowDomains: ['github.com'], logLevel: 'debug', timeout: 30000, - enableChroot: true, }); // Should fail or timeout @@ -290,7 +272,6 @@ describe('Chroot Edge Cases', () => { allowDomains: ['localhost'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); expect(result).toSucceed(); @@ -304,7 +285,6 @@ describe('Chroot Edge Cases', () => { allowDomains: ['localhost'], logLevel: 'debug', timeout: 60000, - enableChroot: true, } ); @@ -317,7 +297,6 @@ describe('Chroot Edge Cases', () => { allowDomains: ['localhost'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); expect(result).toSucceed(); @@ -329,7 +308,6 @@ describe('Chroot Edge Cases', () => { allowDomains: ['localhost'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); expect(result).toSucceed(); 
@@ -345,7 +323,6 @@ describe('Chroot Edge Cases', () => { allowDomains: ['localhost'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); expect(result).toSucceed(); @@ -360,7 +337,6 @@ describe('Chroot Edge Cases', () => { allowDomains: ['localhost'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); expect(result).toSucceed(); diff --git a/tests/integration/chroot-languages.test.ts b/tests/integration/chroot-languages.test.ts index 11587d03..08011e5d 100644 --- a/tests/integration/chroot-languages.test.ts +++ b/tests/integration/chroot-languages.test.ts @@ -1,7 +1,7 @@ /** * Chroot Language Tests * - * These tests verify that the --enable-chroot feature correctly provides access + * These tests verify that the chroot mode correctly provides access * to host binaries for different programming languages. This is critical for * GitHub Actions runners where tools are installed on the host. * @@ -33,7 +33,6 @@ describe('Chroot Language Support', () => { allowDomains: ['github.com'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); expect(result).toSucceed(); @@ -47,7 +46,6 @@ describe('Chroot Language Support', () => { allowDomains: ['github.com'], logLevel: 'debug', timeout: 60000, - enableChroot: true, } ); @@ -62,7 +60,6 @@ describe('Chroot Language Support', () => { allowDomains: ['github.com'], logLevel: 'debug', timeout: 60000, - enableChroot: true, } ); @@ -75,7 +72,6 @@ describe('Chroot Language Support', () => { allowDomains: ['github.com'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); expect(result).toSucceed(); @@ -89,7 +85,6 @@ describe('Chroot Language Support', () => { allowDomains: ['github.com'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); expect(result).toSucceed(); @@ -103,7 +98,6 @@ describe('Chroot Language Support', () => { allowDomains: ['github.com'], logLevel: 'debug', timeout: 60000, - enableChroot: true, } ); 
@@ -118,7 +112,6 @@ describe('Chroot Language Support', () => { allowDomains: ['github.com'], logLevel: 'debug', timeout: 60000, - enableChroot: true, } ); @@ -131,7 +124,6 @@ describe('Chroot Language Support', () => { allowDomains: ['github.com'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); expect(result).toSucceed(); @@ -143,7 +135,6 @@ describe('Chroot Language Support', () => { allowDomains: ['github.com'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); expect(result).toSucceed(); @@ -157,7 +148,6 @@ describe('Chroot Language Support', () => { allowDomains: ['github.com'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); expect(result).toSucceed(); @@ -169,7 +159,6 @@ describe('Chroot Language Support', () => { allowDomains: ['github.com'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); expect(result).toSucceed(); @@ -185,7 +174,6 @@ describe('Chroot Language Support', () => { allowDomains: ['github.com'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); expect(result).toSucceed(); @@ -202,7 +190,6 @@ describe('Chroot Language Support', () => { allowDomains: ['github.com'], logLevel: 'debug', timeout: 120000, - enableChroot: true, } ); @@ -229,7 +216,6 @@ describe('Chroot Language Support', () => { allowDomains: ['github.com'], logLevel: 'debug', timeout: 120000, - enableChroot: true, } ); @@ -247,7 +233,6 @@ describe('Chroot Language Support', () => { allowDomains: ['github.com'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); expect(result).toSucceed(); @@ -259,7 +244,6 @@ describe('Chroot Language Support', () => { allowDomains: ['github.com'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); expect(result).toSucceed(); @@ -277,7 +261,6 @@ describe('Chroot Language Support', () => { allowDomains: ['api.nuget.org', 'nuget.org', 'dotnetcli.azureedge.net'], logLevel: 'debug', timeout: 180000, - enableChroot: true, } ); 
@@ -296,7 +279,6 @@ describe('Chroot Language Support', () => { allowDomains: ['github.com'], logLevel: 'debug', timeout: 60000, - enableChroot: true, } ); @@ -308,7 +290,6 @@ describe('Chroot Language Support', () => { allowDomains: ['github.com'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); expect(result).toSucceed(); @@ -320,7 +301,6 @@ describe('Chroot Language Support', () => { allowDomains: ['github.com'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); expect(result).toSucceed(); diff --git a/tests/integration/chroot-package-managers.test.ts b/tests/integration/chroot-package-managers.test.ts index 635379dd..ee4a5008 100644 --- a/tests/integration/chroot-package-managers.test.ts +++ b/tests/integration/chroot-package-managers.test.ts @@ -1,7 +1,7 @@ /** * Chroot Package Manager Tests * - * These tests verify that the --enable-chroot feature correctly provides access + * These tests verify that the chroot mode correctly provides access * to package managers and SDK tools. Tests validate that tools can perform * network operations through the firewall with proper domain whitelisting. * @@ -33,7 +33,6 @@ describe('Chroot Package Manager Support', () => { allowDomains: ['pypi.org', 'files.pythonhosted.org'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); expect(result).toSucceed(); @@ -45,7 +44,6 @@ describe('Chroot Package Manager Support', () => { allowDomains: ['localhost'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); expect(result).toSucceed(); @@ -57,7 +55,6 @@ describe('Chroot Package Manager Support', () => { allowDomains: ['pypi.org'], logLevel: 'debug', timeout: 90000, - enableChroot: true, }); // pip index versions should work or show available versions @@ -72,7 +69,6 @@ describe('Chroot Package Manager Support', () => { allowDomains: ['registry.npmjs.org'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); expect(result).toSucceed(); 
@@ -83,7 +79,6 @@ describe('Chroot Package Manager Support', () => { allowDomains: ['registry.npmjs.org'], logLevel: 'debug', timeout: 90000, - enableChroot: true, }); expect(result).toSucceed(); @@ -95,7 +90,6 @@ describe('Chroot Package Manager Support', () => { allowDomains: ['localhost'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); // Should fail because registry is not allowed @@ -109,7 +103,6 @@ describe('Chroot Package Manager Support', () => { allowDomains: ['crates.io', 'static.crates.io'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); expect(result).toSucceed(); @@ -121,7 +114,6 @@ describe('Chroot Package Manager Support', () => { allowDomains: ['localhost'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); expect(result).toSucceed(); @@ -133,7 +125,6 @@ describe('Chroot Package Manager Support', () => { allowDomains: ['crates.io', 'static.crates.io', 'index.crates.io'], logLevel: 'debug', timeout: 120000, - enableChroot: true, }); // Should succeed or fail gracefully - the key is it attempts network access @@ -149,7 +140,6 @@ describe('Chroot Package Manager Support', () => { allowDomains: ['localhost'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); expect(result).toSucceed(); @@ -161,7 +151,6 @@ describe('Chroot Package Manager Support', () => { allowDomains: ['localhost'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); // javac might not always be available, but Java should be @@ -175,7 +164,6 @@ describe('Chroot Package Manager Support', () => { allowDomains: ['repo.maven.apache.org', 'repo1.maven.org'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); // Maven might not be installed, that's OK @@ -191,7 +179,6 @@ describe('Chroot Package Manager Support', () => { allowDomains: ['localhost'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); expect(result).toSucceed(); 
@@ -203,7 +190,6 @@ describe('Chroot Package Manager Support', () => { allowDomains: ['localhost'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); expect(result).toSucceed(); @@ -221,7 +207,6 @@ describe('Chroot Package Manager Support', () => { allowDomains: ['api.nuget.org', 'nuget.org', 'dotnetcli.azureedge.net'], logLevel: 'debug', timeout: 180000, - enableChroot: true, } ); @@ -244,7 +229,6 @@ describe('Chroot Package Manager Support', () => { allowDomains: ['localhost'], logLevel: 'debug', timeout: 90000, - enableChroot: true, } ); @@ -259,7 +243,6 @@ describe('Chroot Package Manager Support', () => { allowDomains: ['localhost'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); expect(result).toSucceed(); @@ -271,7 +254,6 @@ describe('Chroot Package Manager Support', () => { allowDomains: ['rubygems.org'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); expect(result).toSucceed(); @@ -283,7 +265,6 @@ describe('Chroot Package Manager Support', () => { allowDomains: ['localhost'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); expect(result).toSucceed(); @@ -294,7 +275,6 @@ describe('Chroot Package Manager Support', () => { allowDomains: ['rubygems.org'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); // Bundler might not be installed @@ -308,7 +288,6 @@ describe('Chroot Package Manager Support', () => { allowDomains: ['rubygems.org', 'index.rubygems.org'], logLevel: 'debug', timeout: 120000, - enableChroot: true, }); // Should attempt network access @@ -324,7 +303,6 @@ describe('Chroot Package Manager Support', () => { allowDomains: ['proxy.golang.org', 'sum.golang.org'], logLevel: 'debug', timeout: 60000, - enableChroot: true, }); expect(result).toSucceed(); @@ -338,7 +316,6 @@ describe('Chroot Package Manager Support', () => { allowDomains: ['localhost'], logLevel: 'debug', timeout: 60000, - enableChroot: true, } ); 
diff --git a/tests/integration/chroot-procfs.test.ts b/tests/integration/chroot-procfs.test.ts index 6887e964..e7fd8b48 100644 --- a/tests/integration/chroot-procfs.test.ts +++ b/tests/integration/chroot-procfs.test.ts @@ -38,7 +38,6 @@ describe('Chroot /proc Filesystem Correctness', () => { allowDomains: ['localhost'], logLevel: 'debug', timeout: 60000, - enableChroot: true, } ); @@ -57,7 +56,6 @@ describe('Chroot /proc Filesystem Correctness', () => { allowDomains: ['localhost'], logLevel: 'debug', timeout: 60000, - enableChroot: true, } ); @@ -79,7 +77,6 @@ describe('Chroot /proc Filesystem Correctness', () => { allowDomains: ['localhost'], logLevel: 'debug', timeout: 60000, - enableChroot: true, } ); @@ -95,7 +92,6 @@ describe('Chroot /proc Filesystem Correctness', () => { allowDomains: ['localhost'], logLevel: 'debug', timeout: 60000, - enableChroot: true, } ); @@ -110,7 +106,6 @@ describe('Chroot /proc Filesystem Correctness', () => { allowDomains: ['localhost'], logLevel: 'debug', timeout: 60000, - enableChroot: true, } ); @@ -145,7 +140,6 @@ describe('Chroot /proc Filesystem Correctness', () => { allowDomains: ['localhost'], logLevel: 'debug', timeout: 120000, - enableChroot: true, } ); @@ -173,7 +167,6 @@ describe('Chroot /proc Filesystem Correctness', () => { allowDomains: ['localhost'], logLevel: 'debug', timeout: 120000, - enableChroot: true, } ); diff --git a/tests/integration/credential-hiding.test.ts b/tests/integration/credential-hiding.test.ts index a53f60ef..94c0ff84 100644 --- a/tests/integration/credential-hiding.test.ts +++ b/tests/integration/credential-hiding.test.ts @@ -37,7 +37,7 @@ describe('Credential Hiding Security', () => { await cleanup(false); }); - describe('Normal Mode (without --enable-chroot)', () => { + describe('Normal Mode', () => { test('Test 1: Docker config.json is hidden (empty file)', async () => { // Use the real home directory - if the file exists, it should be hidden const homeDir = os.homedir(); 
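Review bot: In the credential-hiding.test.ts hunk, `describe('Normal Mode', ...)` keeps the name of a mode that no longer exists now that the flag is gone and chroot is always on. The later hunk in this file keeps a separate `describe('Chroot Mode', ...)`. Both groups presumably run under the same configuration now, so the titles should say what actually differs, e.g. `describe('Container paths', ...)` and `describe('/host paths', ...)`. It is also worth checking that the first group's expectations about hidden credential files still hold under chroot. The test bodies are outside the hunk.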
@@ -137,7 +137,7 @@ describe('Credential Hiding Security', () => { }, 120000); }); - describe('Chroot Mode (with --enable-chroot)', () => { + describe('Chroot Mode', () => { test('Test 6: Chroot mode hides credentials at /host paths', async () => { const homeDir = os.homedir(); @@ -148,7 +148,6 @@ describe('Credential Hiding Security', () => { allowDomains: ['github.com'], logLevel: 'debug', timeout: 60000, - enableChroot: true, } ); @@ -170,7 +169,6 @@ describe('Credential Hiding Security', () => { allowDomains: ['github.com'], logLevel: 'debug', timeout: 60000, - enableChroot: true, } ); @@ -324,7 +322,6 @@ describe('Credential Hiding Security', () => { allowDomains: ['github.com'], logLevel: 'debug', timeout: 60000, - enableChroot: true, } ); diff --git a/tests/integration/one-shot-tokens.test.ts b/tests/integration/one-shot-tokens.test.ts index c955157f..64b8c2f1 100644 --- a/tests/integration/one-shot-tokens.test.ts +++ b/tests/integration/one-shot-tokens.test.ts @@ -295,7 +295,6 @@ print(f"Second getenv: [{second}]") logLevel: 'debug', timeout: 60000, buildLocal: true, - enableChroot: true, env: { GITHUB_TOKEN: 'ghp_chroot_token_12345', }, @@ -326,7 +325,6 @@ print(f"Second getenv: [{second}]") logLevel: 'debug', timeout: 60000, buildLocal: true, - enableChroot: true, env: { COPILOT_GITHUB_TOKEN: 'copilot_chroot_token_67890', }, @@ -355,7 +353,6 @@ print(f"Second: [{second}]") logLevel: 'debug', timeout: 60000, buildLocal: true, - enableChroot: true, env: { GITHUB_TOKEN: 'ghp_chroot_python_token', }, @@ -385,7 +382,6 @@ print(f"Second: [{second}]") logLevel: 'debug', timeout: 60000, buildLocal: true, - enableChroot: true, env: { NORMAL_VAR: 'chroot_not_a_token', }, @@ -418,7 +414,6 @@ print(f"Second: [{second}]") logLevel: 'debug', timeout: 60000, buildLocal: true, - enableChroot: true, env: { GITHUB_TOKEN: 'ghp_chroot_multi_1', OPENAI_API_KEY: 'sk-chroot-multi-2',