
test: add CLI proxy sidecar integration tests #1734

Merged: lpcox merged 4 commits into main from feat/cli-proxy-integration-tests on Apr 7, 2026

Collaborator

@lpcox lpcox commented Apr 7, 2026

Phase 2: CLI Proxy Integration Tests

Closes #1726

Following the merge of PR #1730 (Phase 1: CLI proxy sidecar implementation), this PR adds integration tests that verify end-to-end behavior with Docker containers.

Changes

Test infrastructure updates:

  • tests/fixtures/awf-runner.ts: Add enableCliProxy and cliProxyWritable to AwfOptions; map --enable-cli-proxy and --cli-proxy-writable flags in both run() and runWithSudo()
  • tests/fixtures/cleanup.ts: Add awf-cli-proxy to container cleanup list
  • scripts/ci/cleanup.sh: Add awf-cli-proxy to CI cleanup script

New test file: tests/integration/cli-proxy.test.ts

| Category | Tests | What's Verified |
|---|---|---|
| Health & Startup | 3 | Sidecar starts, healthcheck returns {"status":"ok"}, writable mode reported correctly |
| Token Isolation | 3 | GITHUB_TOKEN/GH_TOKEN excluded from agent env; AWF_CLI_PROXY_URL injected |
| gh Wrapper | 2 | Wrapper installed at correct PATH position; commands routed through proxy |
| Read-Only Mode | 4 | Write ops blocked (issue create), gh api blocked, auth always blocked, read ops allowed (pr list) |
| Writable Mode | 1 | gh api permitted when --cli-proxy-writable set |
| Squid Integration | 1 | CLI proxy traffic routes through Squid domain allowlist |

Design doc items covered

From the implementation plan in #1726:

  • Integration test: awf --enable-cli-proxy 'gh pr list'
  • Integration test: verify write operations blocked in read-only mode
  • Integration test: verify token isolation (agent can't access GH_TOKEN)
  • Integration test: verify Squid domain allowlisting applies to cli-proxy traffic

Note

These are Docker integration tests that require sudo and docker. They run in CI via the integration test workflow, not locally via npm test.

Phase 2 of the CLI proxy implementation (issue #1726):

- Add enableCliProxy and cliProxyWritable to AwfOptions interface
- Map --enable-cli-proxy and --cli-proxy-writable flags in both
  run() and runWithSudo() methods
- Add awf-cli-proxy to cleanup in both test fixtures and CI script
- Create cli-proxy.test.ts with integration tests covering:
  - Health endpoint and startup (read-only and writable modes)
  - gh wrapper installation and invocation
  - Token isolation (GITHUB_TOKEN/GH_TOKEN excluded from agent)
  - AWF_CLI_PROXY_URL environment variable injection
  - Read-only mode: write operations blocked, read operations allowed
  - Always-denied meta-commands (auth) even in writable mode
  - Writable mode: gh api permitted
  - Squid proxy integration (traffic routed through domain allowlist)

Closes #1726

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@lpcox lpcox requested a review from Mossaka as a code owner April 7, 2026 00:48
Copilot AI review requested due to automatic review settings April 7, 2026 00:48
Contributor

github-actions bot commented Apr 7, 2026

✅ Coverage Check Passed

Overall Coverage

| Metric | Base | PR | Delta |
|---|---|---|---|
| Lines | 86.14% | 86.23% | 📈 +0.09% |
| Statements | 86.02% | 86.11% | 📈 +0.09% |
| Functions | 87.45% | 87.45% | ➡️ +0.00% |
| Branches | 78.81% | 78.86% | 📈 +0.05% |

📁 Per-file Coverage Changes (1 files)

| File | Lines (Before → After) | Statements (Before → After) |
|---|---|---|
| src/docker-manager.ts | 86.3% → 86.7% (+0.37%) | 85.9% → 86.2% (+0.36%) |

Coverage comparison generated by scripts/ci/compare-coverage.ts

Contributor

Copilot AI left a comment


Pull request overview

Adds Docker-based integration tests for the CLI proxy sidecar to validate end-to-end behavior when --enable-cli-proxy is enabled (health/startup, token isolation, gh wrapper routing, read-only vs writable enforcement, and Squid/proxy wiring).

Changes:

  • Added tests/integration/cli-proxy.test.ts covering CLI proxy sidecar behavior and policy enforcement.
  • Extended the test runner fixture to pass --enable-cli-proxy / --cli-proxy-writable flags.
  • Updated cleanup utilities/scripts to remove the awf-cli-proxy container.

Show a summary per file

| File | Description |
|---|---|
| tests/integration/cli-proxy.test.ts | New Docker integration tests for cli-proxy health, env isolation, wrapper behavior, and mode enforcement |
| tests/fixtures/awf-runner.ts | Adds enableCliProxy / cliProxyWritable options and maps them to CLI flags in both run paths |
| tests/fixtures/cleanup.ts | Adds awf-cli-proxy to test cleanup container removal list |
| scripts/ci/cleanup.sh | Adds awf-cli-proxy to CI cleanup container removal list |

Copilot's findings

  • Files reviewed: 4/4 changed files
  • Comments generated: 3

lpcox and others added 3 commits April 6, 2026 17:52
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@github-actions github-actions bot mentioned this pull request Apr 7, 2026
Contributor

github-actions bot commented Apr 7, 2026

Smoke Test: GitHub Actions Services Connectivity ✅

All checks passed:

| Check | Result |
|---|---|
| Redis PING host.docker.internal:6379 | PONG |
| pg_isready host.docker.internal:5432 | ✅ accepting connections |
| psql SELECT 1 smoketest db as postgres | ✅ returned 1 |

Note: redis-cli was not available; Redis was tested via raw TCP socket (RESP protocol).

🔌 Service connectivity validated by Smoke Services

Contributor

github-actions bot commented Apr 7, 2026

Security Review

The token isolation tests, write-blocking tests, and auth-always-denied tests are all well-designed and verify important security properties. No concerns there.

One issue to flag: the Squid Integration test appears to be broken in a security-sensitive way.

File: tests/integration/cli-proxy.test.ts, lines 202–224

test('should route cli-proxy traffic through Squid domain allowlist', async () => {
  const result = await runner.runWithSudo(
    `bash -c 'docker exec awf-cli-proxy env | grep -i proxy || true'`,
    { ...cliProxyDefaults, keepContainers: true },
  );
  expect(result).toSucceed();
  expect(extractCommandOutput(result.stdout)).toMatch(/HTTP_PROXY|HTTPS_PROXY|squid/i);
}, 180000);

The problem: This command runs docker exec awf-cli-proxy env from inside the agent container. However, containers/agent/docker-stub.sh explicitly blocks all Docker commands inside the agent with exit 127 and the message:

"Docker-in-Docker support was removed in AWF v0.9.1"

So the sequence is:

  1. docker exec awf-cli-proxy env → fails silently (exit 127, stderr only)
  2. grep -i proxy → receives empty stdin → produces no output
  3. || true → forces exit 0
  4. expect(result).toSucceed() → ✅ passes
  5. expect(extractCommandOutput(result.stdout)).toMatch(...) → ❌ fails (empty output)

Security concern: A broken test that appears to verify Squid routing but actually asserts nothing creates latent pressure for a future developer to "fix" it by granting Docker socket access to the agent container. Docker socket access effectively grants root on the host and would bypass all AWF sandboxing — this was the exact reason DinD was removed in PR #205.

Suggested fix: Verify the cli-proxy's Squid routing by sending a request to a domain not in --allow-domains and asserting the proxy returns a connection error or 403, rather than inspecting the sibling container's environment directly. For example:

// Try to reach a domain not in allowDomains — Squid should block it
const result = await runner.runWithSudo(
  `bash -c 'curl -s -o /dev/null -w "%{http_code}" --proxy-insecure (notallowed.example.com/redacted) || true'`,
  { ...cliProxyDefaults, keepContainers: true },
);
// If Squid is routing cli-proxy traffic correctly, direct access is also blocked
expect(result).toSucceed();

Or, if the goal is truly to inspect the cli-proxy container's environment, do it from the host via a test-harness hook that runs docker exec outside AWF rather than inside the agent container.

Generated by Security Guard for issue #1734 · ● 133.3K ·
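
The exit-status masking described in the Security Review comment above, reproduced as an added example that is not part of the PR or the project's code. `docker_stub` and `docker_ok` are constructed stand-ins (the stub only mimics the quoted message and exit 127), the proxy URL is a constructed sample value, and `masked_check`, `strict_check` and `status_of` are hypothetical helper names.

```shell
#!/bin/sh
# Constructed stand-in for the agent's docker stub as the review describes it:
# message on stderr, exit status 127. Not the project's docker-stub.sh.
docker_stub() {
  echo "Docker-in-Docker support was removed in AWF v0.9.1" >&2
  return 127
}

# Constructed stand-in for a working `docker exec <container> env`.
docker_ok() {
  printf 'PATH=/usr/bin\nHTTP_PROXY=http://squid.example:3128\n'
}

# Shape of the command under review: `<cmd> | grep -i proxy || true`.
# A pipeline reports only grep's status, and `|| true` then overrides that,
# so the status is 0 whether <cmd> worked, was blocked, or printed nothing.
masked_check() {
  "$1" 2>/dev/null | grep -i proxy || true
}

# Hardened shape: run the command on its own and fail on its status (2),
# then let grep's status stand so "no proxy variables" fails too (1).
strict_check() {
  out=$("$1" 2>/dev/null) || return 2
  printf '%s\n' "$out" | grep -i proxy
}

# Print the exit status of a command as a value (safe under `set -e`).
status_of() {
  rc=0
  "$@" >/dev/null 2>&1 || rc=$?
  echo "$rc"
}

echo "masked, docker blocked: status $(status_of masked_check docker_stub)"
echo "strict, docker blocked: status $(status_of strict_check docker_stub)"
echo "strict, docker works:   status $(status_of strict_check docker_ok)"
```

With the masked shape, a success assertion carries no information; only the separate output assertion can notice that the command never ran.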

@lpcox lpcox merged commit e229765 into main Apr 7, 2026
57 of 59 checks passed
@lpcox lpcox deleted the feat/cli-proxy-integration-tests branch April 7, 2026 01:16
Contributor

github-actions bot commented Apr 7, 2026

Smoke Test Results

PRs: "test: add CLI proxy sidecar integration tests"; "feat: phase 1 – gh CLI proxy sidecar with mcpg DIFC proxy"

  1. GitHub MCP review: ✅
  2. safeinputs-gh PR query: ❌ (tool unavailable)
  3. Playwright GitHub title: ✅
  4. Tavily search: ❌ (tool unavailable)
  5. File write /tmp/gh-aw/agent/...: ✅
  6. Bash cat verification: ✅
  7. Discussion query/comment: ❌ (discussion query tool unavailable)
  8. npm ci && npm run build: ✅
    Overall: FAIL

🔮 The oracle has spoken through Smoke Codex

Contributor

github-actions bot commented Apr 7, 2026

Smoke Test Results — run 24082106071

✅ GitHub MCP: #1734 test: add CLI proxy sidecar integration tests, #1731 chore: upgrade workflows to gh-aw-actions v0.67.2
✅ Playwright: github.com title contains "GitHub"
✅ File write: /tmp/gh-aw/agent/smoke-test-claude-24082106071.txt created
✅ Bash verify: file read back successfully

Overall: PASS

💥 [THE END] — Illustrated by Smoke Claude

Contributor

github-actions bot commented Apr 7, 2026

🔥 Smoke Test: Copilot Engine — PASS

| Test | Result |
|---|---|
| GitHub MCP | ✅ PR #1734 "test: add CLI proxy sidecar integration tests" |
| GitHub.com HTTP | ✅ Connectivity confirmed |
| File write/read | /tmp/gh-aw/agent/smoke-test-copilot-24082066077.txt verified |

Overall: PASS · @lpcox

📰 BREAKING: Report filed by Smoke Copilot

Development

Successfully merging this pull request may close these issues.

Design: gh CLI proxy sidecar with mcpg DIFC proxy
