## Problem Description
The firewall analysis incorrectly counts internal Squid proxy error entries as "blocked external network requests". This inflates the blocked request count and causes misleading diagnostics and recommendations.
## Root Cause Analysis
In the Squid access log, when Squid encounters an internal connection error (e.g., `error:transaction-end-before-headers`), it logs entries like:
```
1773003472.027 ::1:52010 - -:- 0.0 - 0 NONE_NONE:HIER_NONE error:transaction-end-before-headers "-"
```
Key characteristics of these entries:
- Client IP: `::1` (localhost, i.e. Squid's internal API proxy or health check)
- Domain: `-` (no target domain)
- DestIPPort: `-:-` (no destination)
- Status: `0` (no HTTP status)
- Decision: `NONE_NONE:HIER_NONE` (internal error)
The `parseFirewallLogLine` function in `pkg/cli/firewall_log.go` has a fallback:
```go
// Extract domain - when domain is "-" (iptables-dropped traffic not visible to Squid),
// fall back to dest IP:port
domain := entry.Domain
if domain == "-" && entry.DestIPPort != "-" {
	domain = entry.DestIPPort
}
```
Since `entry.DestIPPort == "-:-"` (not equal to `"-"`), the condition triggers and sets `domain = "-:-"`. Then `isRequestAllowed("NONE_NONE:HIER_NONE", "0")` returns false, so these entries are classified as blocked.
## Steps to Reproduce
- Run `gh aw audit <run-id>` on any workflow run with the Squid firewall enabled
- Observe `firewall_analysis.blocked_domains` in the JSON output
- All blocked domains show as `"-:-"` with a high count
Example from run 22831150866 (Copilot Session Insights):
```json
"firewall_analysis": {
  "blocked_domains": ["-:-"],
  "total_requests": 212,
  "allowed_requests": 78,
  "blocked_requests": 134,
  "requests_by_domain": {
    "-:-": {"allowed": 0, "blocked": 134},
    "api.anthropic.com:443": {"allowed": 67, "blocked": 0}
  }
}
```
The 134 blocked requests are actually internal Squid error entries, not actual blocked external connections.
## Expected Behavior
- Internal Squid error entries (client IP `::1`, domain `-`, destIPPort `-:-`) should be filtered out or classified separately
- The blocked count should reflect actual external blocked connections
- The finding "Blocked Network Requests: 134 network requests were blocked by firewall" should not be triggered by internal errors
- The recommendation "Review network access configuration - many blocked requests suggest missing network permissions" should not appear for internal-only entries
## Actual Behavior
- All blocked domains show as `"-:-"`, making it impossible to know what was actually blocked
- Blocked count is massively inflated (e.g., 134 out of 212 total for a workflow that only needs Anthropic)
- Users receive a misleading "High Severity" finding and a recommendation to "Review network access configuration"
## Environment
- Repository: github/gh-aw
- Run IDs affected: 22831150866, 22831361149, 22829752108, 22832373731 (and many more; consistent across all runs)
- Date of testing: 2026-03-08
- Firewall type: Squid (`steps.firewall: "squid"`)
## Impact
- Severity: High
- Frequency: Always; every workflow run with the Squid firewall shows this
- Workaround: None; users cannot distinguish real blocked traffic from internal errors
## Proposed Fix
In `pkg/cli/firewall_log.go`, filter out internal Squid error entries before processing:
```go
// Skip internal Squid error entries (client IP ::1, no domain, no destination)
// These are internal proxy health checks / API proxy connections, not real network traffic
if entry.ClientIPPort != "" && strings.HasPrefix(entry.ClientIPPort, "::1:") && domain == "-" {
	continue
}
// Only fall back to destIPPort if it's a valid host:port (not "-:-")
if domain == "-" && entry.DestIPPort != "-" && entry.DestIPPort != "-:-" {
	domain = entry.DestIPPort
}
```
Or alternatively, group them under a meaningful label like `[internal-proxy-error]` separate from blocked external traffic.
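To show the root cause and the proposed fix side by side, here is an added Go program that is not gh-aw's code. It parses the access-log lines quoted in this issue plus two constructed denied requests, tallies them first with the current fallback and then with the internal-entry filter and the stricter fallback, and reports which domains end up counted as blocked. The positional field layout, the simplified `isRequestAllowed`, and the function names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Entry holds the fields this example needs from one access-log line. The positional
// layout (timestamp, client ip:port, domain, dest ip:port, HTTP version, method, status,
// decision, URL, user agent) is inferred from the samples in this issue; it is an
// assumption, not gh-aw's own struct.
type Entry struct {
	ClientIPPort, Domain, DestIPPort, Status, Decision string
}

// Class is how the analysis counts an entry.
type Class int

const (
	Allowed Class = iota
	Blocked
	Internal // Squid-internal error entry, not a request to the outside world
)

// SampleLog is constructed input: the two internal error lines and the CONNECT line
// quoted in this issue, plus two made-up denied requests (one with a domain, one where
// only the destination ip:port is known).
var SampleLog = []string{
	`1773003472.027 ::1:52010 - -:- 0.0 - 0 NONE_NONE:HIER_NONE error:transaction-end-before-headers "-"`,
	`1773003475.167 172.30.0.30:50232 api.githubcopilot.com:443 140.82.112.21:443 1.1 CONNECT 200 TCP_TUNNEL:HIER_DIRECT api.githubcopilot.com:443 "-"`,
	`1773003477.068 ::1:35712 - -:- 0.0 - 0 NONE_NONE:HIER_NONE error:transaction-end-before-headers "-"`,
	`1773003480.001 172.30.0.30:50240 example.com:443 - 1.1 CONNECT 403 TCP_DENIED:HIER_NONE example.com:443 "-"`,
	`1773003481.500 172.30.0.30:50250 - 93.184.216.34:443 1.1 CONNECT 403 TCP_DENIED:HIER_NONE - "-"`,
}

// ParseLine splits on whitespace; only the first eight fields are used, so a user
// agent containing spaces does not matter.
func ParseLine(line string) (Entry, bool) {
	f := strings.Fields(line)
	if len(f) < 8 {
		return Entry{}, false
	}
	return Entry{ClientIPPort: f[1], Domain: f[2], DestIPPort: f[3], Status: f[6], Decision: f[7]}, true
}

// isRequestAllowed is a hypothetical stand-in for gh-aw's function of that name: a
// request is allowed when Squid served or tunnelled it with a 2xx/3xx status. As the
// issue states, NONE_NONE with status 0 returns false.
func isRequestAllowed(decision, status string) bool {
	if strings.HasPrefix(decision, "NONE_NONE") || strings.HasPrefix(decision, "TCP_DENIED") {
		return false
	}
	return strings.HasPrefix(status, "2") || strings.HasPrefix(status, "3")
}

// IsInternalError matches the loopback, no-domain, no-destination shape of the
// error:transaction-end-before-headers lines.
func IsInternalError(e Entry) bool {
	return strings.HasPrefix(e.ClientIPPort, "::1:") && e.Domain == "-" && e.DestIPPort == "-:-"
}

// Classify returns the domain an entry is attributed to and how it is counted.
// With fixed=false it reproduces the fallback from the issue: a "-" domain is replaced
// by DestIPPort whenever that is not exactly "-", so "-:-" leaks through and the entry
// is counted as blocked. With fixed=true internal entries are split out and the
// fallback only accepts a real host:port.
func Classify(e Entry, fixed bool) (string, Class) {
	if fixed && IsInternalError(e) {
		return "[internal-proxy-error]", Internal
	}
	domain := e.Domain
	if domain == "-" && e.DestIPPort != "-" && (!fixed || e.DestIPPort != "-:-") {
		domain = e.DestIPPort
	}
	if isRequestAllowed(e.Decision, e.Status) {
		return domain, Allowed
	}
	return domain, Blocked
}

// Summarize tallies every parseable line and records which domains were blocked.
func Summarize(lines []string, fixed bool) (counts map[Class]int, blockedDomains map[string]int) {
	counts, blockedDomains = map[Class]int{}, map[string]int{}
	for _, line := range lines {
		if e, ok := ParseLine(line); ok {
			domain, class := Classify(e, fixed)
			counts[class]++
			if class == Blocked {
				blockedDomains[domain]++
			}
		}
	}
	return counts, blockedDomains
}

func main() {
	for _, fixed := range []bool{false, true} {
		counts, domains := Summarize(SampleLog, fixed)
		fmt.Printf("fixed=%v allowed=%d blocked=%d internal=%d blocked_domains=%v\n",
			fixed, counts[Allowed], counts[Blocked], counts[Internal], domains)
	}
}
```

With the current fallback the two loopback lines are counted as blocked under `-:-`; with the filter they are counted separately and `blocked_domains` only lists the two constructed real denials, including the one that legitimately falls back to the destination ip:port.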
## Diagnostics
Actual squid access.log sample showing the problematic entries:
```
1773003472.027 ::1:52010 - -:- 0.0 - 0 NONE_NONE:HIER_NONE error:transaction-end-before-headers "-"
1773003477.068 ::1:35712 - -:- 0.0 - 0 NONE_NONE:HIER_NONE error:transaction-end-before-headers "-"
```
These are interleaved with valid entries like:
```
1773003475.167 172.30.0.30:50232 api.githubcopilot.com:443 140.82.112.21:443 1.1 CONNECT 200 TCP_TUNNEL:HIER_DIRECT api.githubcopilot.com:443 "-"
```
Generated by Daily CLI Tools Exploratory Tester (expires on Mar 16, 2026, 12:00 AM UTC)