fix(cli): use GHCR images for preset agent-images in chroot mode

[Mossaka]

Summary

• Fixes bug where --enable-chroot with --agent-image act failed with packaged binary
• Prioritizes GHCR preset images over local builds (even in chroot mode)
• Adds tests for chroot + preset image combinations

Problem

AWF v0.13.0 fails when using --enable-chroot with --agent-image act:

unable to prepare context: path "/snapshot/gh-aw-firewall/containers/agent" not found

The bug caused AWF to always try building the agent container locally instead of using the pre-built GHCR image, even when using preset images (default or act).

Root Cause

In v0.13.0's docker-manager.ts, the agent image selection logic checked enableChroot before useGHCR && isPreset, causing it to always build locally in chroot mode:

if (config.enableChroot) {
    // BUG: ALWAYS builds locally, ignoring --agent-image act
    agentService.build = { ... };
} else if (useGHCR && isPreset) {
    // NEVER REACHED when enableChroot is true
    agentService.image = `${registry}/${imageName}:${tag}`;
}

Fix

Changed the logic to prioritize GHCR preset images:

if (useGHCR && isPreset) {
    // Use pre-built GHCR image (works in both normal and chroot mode)
    agentService.image = `${registry}/${imageName}:${tag}`;
} else if (config.buildLocal || (config.enableChroot && !isPreset)) {
    // Build locally when --build-local OR --enable-chroot with custom image
    agentService.build = { ... };
} else {
    // Custom image specified
    agentService.image = agentImage;
}

Test plan

• Unit tests pass (npm test - 664 passing)
• New tests added for chroot + preset combinations
• Manual test with packaged binary: sudo -E awf --enable-chroot --agent-image act --allow-domains github.com -- echo "test"

Fixes #458

🤖 Generated with Claude Code

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded.

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	78.45%	78.45%	➡️ +0.00%
Statements	78.52%	78.52%	➡️ +0.00%
Functions	78.01%	78.01%	➡️ +0.00%
Branches	72.49%	72.54%	📈 +0.05%

📁 Per-file Coverage Changes (1 files)

File	Lines (Before → After)	Statements (Before → After)
src/docker-manager.ts	81.7% → 81.7% (-0.02%)	81.0% → 81.0% (-0.01%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[github-actions]

Smoke Test Results

Last 2 Merged PRs:

• fix: switch security-guard workflow to claude engine #438: fix: switch security-guard workflow to claude engine
• feat(cli): add --enable-chroot for transparent host binary execution #448: feat(cli): add --enable-chroot for transparent host binary execution

Test Results:

• ✅ GitHub MCP (retrieved PRs)
• ✅ Playwright (page title: "GitHub · Change is constant...")
• ✅ File Write (created test file)
• ✅ Bash (verified file contents)

Status: PASS

AI generated by Smoke Claude

[github-actions]

Chroot Runtime Version Verification

Version Comparison

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.3	Python 3.13.11	❌ MISMATCH
Node	v20.20.0	v24.13.0	❌ MISMATCH
Go	go version go1.24.12 linux/amd64	go version go1.24.12 linux/amd64	✅ MATCH

Result

FAILED: Not all runtime versions match between host and chroot environment.

Details

• Python: Host has 3.12.3, chroot has 3.13.11 (different minor version)
• Node: Host has v20.20.0, chroot has v24.13.0 (different major version)
• Go: Both match at go1.24.12 ✅

This indicates that the chroot environment is not providing fully transparent access to host binaries for Python and Node.js runtimes. Only Go matched correctly.

AI generated by Smoke Chroot

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

Smoke Test Results: Claude Engine

✅ GitHub MCP: #458: fix(smoke-chroot): add -E flag to sudo awf for PATH preservation, #457: fix(cli): use GHCR images for preset agent-images in chroot mode
✅ Playwright: Page title verified: "GitHub · Change is constant. GitHub keeps you ahead. · GitHub"
✅ File Writing: Created /tmp/gh-aw/agent/smoke-test-claude-21612811011.txt
✅ Bash Tool: File verified: "Smoke test passed for Claude at Tue Feb 3 01:17:47 UTC 2026"

Overall Status: PASS

AI generated by Smoke Claude

[Copilot]

Pull request overview

This PR fixes a critical bug in v0.13.0 where using --enable-chroot with preset agent images (default or act) would fail in packaged binaries by attempting to build from a non-existent local directory instead of using pre-built GHCR images.

Changes:

• Reordered image selection logic in docker-manager.ts to prioritize GHCR preset images over local builds, even in chroot mode
• Added comprehensive test coverage for chroot mode with different agent image configurations
• Updated smoke test workflow to validate the fix by testing --enable-chroot with --agent-image act

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
src/docker-manager.ts	Reordered conditional logic to check for GHCR preset images before local build conditions, fixing the bug where chroot mode would always attempt local builds
src/docker-manager.test.ts	Added 4 new test cases covering chroot mode with default preset, act preset, custom images, and buildLocal combinations
package.json	Bumped version from 0.13.0 to 0.13.1 for this bug fix release
.github/workflows/smoke-chroot.md	Updated command examples to use sudo -E instead of sudo to preserve environment variables
.github/workflows/smoke-chroot.lock.yml	Updated workflow to test the fix scenario with --enable-chroot --agent-image act, upgraded dependency versions, and modernized workflow infrastructure

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Missing test case for when a custom image is specified without buildLocal and without chroot mode. According to the new logic at lines 609-612 in docker-manager.ts, this should use the custom image directly without building. Consider adding a test to cover this scenario and ensure the else branch is properly tested.

[Copilot]

The comment "The GHCR images already have the necessary setup for chroot mode" might be slightly misleading. The GHCR preset images are built from the regular Dockerfile (with Node.js and other tools), not from Dockerfile.minimal. While they do work correctly in chroot mode, they include packages that aren't strictly necessary when chrooting. Consider clarifying the comment to say "The GHCR images work correctly in chroot mode (though they include extra packages)" or similar to be more precise.

Suggested change

	// The GHCR images already have the necessary setup for chroot mode
	// The GHCR images work correctly in chroot mode (though they include extra packages and are not built from Dockerfile.minimal)

[github-actions]

📰 DEVELOPING STORY: Smoke Copilot reports failed. Our correspondents are investigating the incident...

[github-actions]

💫 TO BE CONTINUED... Smoke Claude failed! Our hero faces unexpected challenges...