[awf] API Proxy Sidecar: intermittent health check failure blocks agent startup

[lpcox]

Problem

The awf-api-proxy sidecar container intermittently fails its Docker health check during docker compose up, causing the entire AWF agent startup to fail with exit code 1 before any agent turns run. Affected workflows include Smoke CI, Sub-Issue Closer, and Daily Team Evolution Insights.

Failure signature:

Container awf-api-proxy  Waiting
Container awf-squid      Healthy
Container awf-api-proxy  Error
dependency failed to start: container awf-api-proxy is unhealthy
[ERROR] Failed to start containers: Command failed with exit code 1: docker compose up -d --pull never

Context

• Source issue: [aw-failures] Fix P0: awf-api-proxy container intermittently fails health check, blocking agent startup gh-aw#28949 (parent: [aw-failures] P0/P1 Failure Report (2026-04-28 07:00–13:00 UTC): awf-api-proxy health check + copilot node-not-found gh-aw#28947)
• Confirmed failing runs: 25049338576, 25049605437, 25052667955 (all 2026-04-28)
• Interleaved with successful runs on the same day/runner tier, confirming intermittency
• The API proxy sidecar is defined in containers/api-proxy/; health check and Docker Compose integration are configured in src/docker-manager.ts (the api-proxy service block)

Root Cause

The awf-api-proxy Node.js HTTP server takes longer to bind on some runners (resource contention, cold start), exceeding the Docker health check start_period. The Docker Compose depends_on: api-proxy: condition: service_healthy in src/docker-manager.ts means any health check timeout terminates the entire stack.

Specifically:

• The HEALTHCHECK in containers/api-proxy/Dockerfile likely uses default start_period (0s) and low retries, which is intolerant of runner load variance
• No docker logs awf-api-proxy capture in the error path in src/docker-manager.ts, so the actual container failure reason is hidden

Proposed Solution

1. containers/api-proxy/Dockerfile: Increase HEALTHCHECK start_period to at least 15s and set retries=5 to tolerate slow cold starts:

   HEALTHCHECK --interval=3s --timeout=5s --start-period=15s --retries=5 \
     CMD curl -f (localhost/redacted) || exit 1

2. src/docker-manager.ts: In the error path for docker compose up failure, add a step to capture and log docker logs awf-api-proxy so the failure reason is surfaced in agent-stdio.log.

3. src/docker-manager.ts: Consider adding a retry loop (up to 2 retries with docker compose up) specifically for transient health check failures, guarded by checking the exit message.

4. src/docker-manager.ts: The api-proxy service depends_on block should be reviewed — consider whether service_started (instead of service_healthy) is appropriate for non-critical proxy paths, or keep service_healthy and fix the health check timing.

Success criteria: Smoke CI passes 5 consecutive runs without awf-api-proxy Error.

Generated by Firewall Issue Dispatcher · ● 450K · ◷

[github-actions]

👋 Hello! I noticed this issue might be related to existing issues:

• [awf] api-proxy: Flaky awf-api-proxy unhealthy failure during docker compose up #2266 - "[awf] api-proxy: Flaky awf-api-proxy unhealthy failure during docker compose up" — describes the same intermittent awf-api-proxy health check failure blocking docker compose up, with the same proposed fixes (increase start_period, add retries)
• [awf] Agent + API Proxy: P0/P1 failure report — health check intermittent + node not found in copilot container #2275 - "[awf] Agent + API Proxy: P0/P1 failure report — health check intermittent + node not found in copilot container" — also covers the intermittent health check failure

If one of these addresses your concern, please consider closing this issue as a duplicate. Otherwise, feel free to clarify how your issue differs!

This is an automated message from the issue duplication detector.

Generated by Issue Duplication Detector for issue #2274 · ● 97.7K · ◷

[lpcox]

Closing as duplicate of #2266 — already addressed by PR #2255 (merged), which significantly increased api-proxy health check tolerances (start_period 10s→30s, retries 10→15, interval 1s→2s, timeout 2s→3s). Included in firewall v0.25.29.