Merge branch 'main' into copilot/fix-dind-configuration-issue

Author: lpcox

.github/workflows/security-guard.lock.yml

@@ -11,7 +11,7 @@ permissions:
   issues: read
 engine:
   id: claude
-  max-turns: 25
+  max-turns: 8
 tools:
   github:
     toolsets: [pull_requests, repos]
@@ -23,7 +23,7 @@ safe-outputs:
     enabled: false
   add-comment:
     max: 1
-timeout-minutes: 10
+timeout-minutes: 15
 steps:
   - name: Fetch PR changed files
     id: pr-diff
@@ -42,14 +42,34 @@ steps:
       GH_TOKEN: ${{ github.token }}
       PR_NUMBER: ${{ github.event.pull_request.number }}
       GH_REPO: ${{ github.repository }}
+
+  - name: Check security relevance
+    id: security-relevance
+    if: github.event.pull_request.number
+    run: |
+      SECURITY_RE="host-iptables|setup-iptables|squid-config|docker-manager|seccomp-profile|domain-patterns|entrypoint\.sh|Dockerfile|containers/"
+      COUNT=$(gh api "repos/${GH_REPO}/pulls/${PR_NUMBER}/files" \
+        --paginate --jq '.[].filename' \
+        | grep -cE "$SECURITY_RE" || true)
+      echo "security_files_changed=$COUNT" >> "$GITHUB_OUTPUT"
+    env:
+      GH_TOKEN: ${{ github.token }}
+      PR_NUMBER: ${{ github.event.pull_request.number }}
+      GH_REPO: ${{ github.repository }}
 ---
 
 # Security Guard
 
-You are a security-focused AI agent that carefully reviews pull requests in this repository to identify changes that could weaken the security posture or extend the security boundaries of the Agentic Workflow Firewall (AWF).
+## Security Relevance Check
+
+**Security-critical files changed in this PR:** ${{ steps.security-relevance.outputs.security_files_changed }}
+
+> If this value is `0`, no security-critical files were modified. Use `noop` immediately without further analysis — this PR does not require a security review.
 
 ## Repository Context
 
+You are a security-focused AI agent that carefully reviews pull requests in this repository to identify changes that could weaken the security posture or extend the security boundaries of the Agentic Workflow Firewall (AWF).
+
 This repository implements a **network firewall for AI agents** that provides L7 (HTTP/HTTPS) egress control using Squid proxy and Docker containers. The firewall restricts network access to a whitelist of approved domains.
 
 ### Critical Security Components
@@ -134,6 +154,8 @@ Look for these types of security-weakening changes:
 
 ## Output Format
 
+**IMPORTANT: Be concise.** Report each security finding in ≤ 150 words. Maximum 5 findings total.
+
 If you find security concerns:
 1. Add a comment to the PR explaining each concern
 2. For each issue, provide:

.github/workflows/security-guard.md

@@ -888,6 +888,31 @@ if (require.main === module) {
       const contentLength = parseInt(req.headers['content-length'], 10) || 0;
       if (checkRateLimit(req, res, 'copilot', contentLength)) return;
 
+      // Copilot CLI 1.0.21+ calls GET /models at startup (to list or validate models).
+      // The /models endpoint lives on the Copilot inference API (COPILOT_API_TARGET),
+      // NOT on the GitHub REST API. Explicitly use COPILOT_GITHUB_TOKEN for this
+      // request so the GitHub OAuth token is used even when both COPILOT_GITHUB_TOKEN
+      // and COPILOT_API_KEY are configured (COPILOT_API_KEY alone is not accepted by
+      // the /models endpoint).
+      let reqPathname;
+      try {
+        reqPathname = new URL(req.url, 'http://localhost').pathname;
+      } catch {
+        logRequest('warn', 'copilot_proxy_malformed_url', {
+          message: 'Malformed request URL in Copilot proxy — rejecting with 400',
+        });
+        res.writeHead(400, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'Invalid request URL' }));
+        return;
+      }
+      const isModelsPath = reqPathname === '/models' || reqPathname.startsWith('/models/');
+      if (isModelsPath && req.method === 'GET' && COPILOT_GITHUB_TOKEN) {
+        proxyRequest(req, res, COPILOT_API_TARGET, {
+          'Authorization': `Bearer ${COPILOT_GITHUB_TOKEN}`,
+        }, 'copilot');
+        return;
+      }
+
       proxyRequest(req, res, COPILOT_API_TARGET, {
         'Authorization': `Bearer ${COPILOT_AUTH_TOKEN}`,
       }, 'copilot');

containers/api-proxy/server.js

@@ -124,6 +124,7 @@ The API proxy sidecar receives **real credentials** and routing configuration:
 | `ANTHROPIC_API_KEY` | Real API key | `--enable-api-proxy` and env set | Anthropic API key (injected into requests) |
 | `COPILOT_GITHUB_TOKEN` | Real token | `--enable-api-proxy` and env set | GitHub Copilot token (injected into requests) |
 | `COPILOT_API_KEY` | Real API key | `--enable-api-proxy` and env set | GitHub Copilot BYOK key (injected into requests) |
+| `GEMINI_API_KEY` | Real API key | `--enable-api-proxy` and env set | Google Gemini API key (injected into requests) |
 | `HTTP_PROXY` | `http://172.30.0.10:3128` | Always | Routes through Squid for domain filtering |
 | `HTTPS_PROXY` | `http://172.30.0.10:3128` | Always | Routes through Squid for domain filtering |
 
@@ -148,6 +149,8 @@ The agent container receives **redacted placeholders** and proxy URLs:
 | `COPILOT_OFFLINE` | `true` | `COPILOT_API_KEY` provided to host | Enables offline+BYOK mode (skips GitHub OAuth handshake) |
 | `COPILOT_PROVIDER_BASE_URL` | `http://172.30.0.30:10002` | `COPILOT_API_KEY` provided to host | Points Copilot CLI BYOK provider at sidecar |
 | `COPILOT_PROVIDER_API_KEY` | `placeholder-token-for-credential-isolation` | `COPILOT_API_KEY` provided to host | BYOK provider API key placeholder (real key in sidecar) |
+| `GEMINI_API_BASE_URL` | `http://172.30.0.30:10003` | `--enable-api-proxy` always | Redirects Gemini CLI to proxy (set unconditionally — see note below) |
+| `GEMINI_API_KEY` | `gemini-api-key-placeholder-for-credential-isolation` | `--enable-api-proxy` always | Placeholder so Gemini CLI auth check passes (real key in sidecar) |
 | `OPENAI_API_KEY` | Not set | `--enable-api-proxy` | Excluded from agent (held in api-proxy) |
 | `ANTHROPIC_API_KEY` | Not set | `--enable-api-proxy` | Excluded from agent (held in api-proxy) |
 | `HTTP_PROXY` | `http://172.30.0.10:3128` | Always | Routes through Squid proxy |
@@ -156,6 +159,14 @@ The agent container receives **redacted placeholders** and proxy URLs:
 | `AWF_API_PROXY_IP` | `172.30.0.30` | `--enable-api-proxy` | Used by iptables setup script |
 | `AWF_ONE_SHOT_TOKENS` | `COPILOT_GITHUB_TOKEN,GITHUB_TOKEN,...` | Always | Tokens protected by one-shot-token library |
 
+:::note[Gemini always redirected to proxy]
+Unlike OpenAI, Anthropic, and Copilot, `GEMINI_API_BASE_URL` and the `GEMINI_API_KEY` placeholder are **always** set in the agent when `--enable-api-proxy` is active, regardless of whether `GEMINI_API_KEY` is present in the runner environment.
+
+This prevents the Gemini CLI from failing with exit code 41 ("no auth method") when the real API key is only available as a GitHub Actions secret (not as a runner-level environment variable). In that case the api-proxy sidecar will return `503` for Gemini requests — a clear, actionable failure rather than a confusing missing-auth error.
+
+**Important**: `GEMINI_API_KEY` must be set as a **runner-level environment variable** (e.g. `env: GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}` in the workflow step), not only as a GitHub Actions secret. The AWF process running on the runner must be able to read it so it can pass the key to the api-proxy sidecar container.
+:::
+
 :::tip[Placeholder tokens]
 Token variables in the agent are set to `placeholder-token-for-credential-isolation` instead of real values. This ensures:
 - Agent code cannot exfiltrate credentials
@@ -262,6 +273,24 @@ sudo awf --enable-api-proxy [OPTIONS] -- COMMAND
 **Required environment variables** (at least one):
 - `OPENAI_API_KEY` — OpenAI API key
 - `ANTHROPIC_API_KEY` — Anthropic API key
+- `GEMINI_API_KEY` — Google Gemini API key
+- `COPILOT_GITHUB_TOKEN` — GitHub Copilot access token
+- `COPILOT_API_KEY` — GitHub Copilot API key (BYOK)
+
+:::caution[GitHub Actions: expose keys as runner env vars]
+When running AWF in a GitHub Actions workflow, API keys must be available as **runner-level environment variables** — not just as GitHub Actions secrets. AWF reads the key from the environment at startup to pass it to the api-proxy sidecar container. Use `env:` in the workflow step and `sudo --preserve-env` to ensure keys pass through:
+
+```yaml
+- name: Run agent
+  env:
+    GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
+  run: sudo --preserve-env=GEMINI_API_KEY awf --enable-api-proxy ...
+```
+
+> **Note:** `sudo` strips most environment variables by default. Use `--preserve-env=VAR` (or `sudo -E` to preserve all) to ensure API keys are visible to the AWF process.
+
+If the key is present only in `secrets.*` but not exported into the step's `env:`, AWF will warn that no Gemini key was found and the api-proxy Gemini listener will return `503`.
+:::
 
 **Recommended domain whitelist**:
 - `api.openai.com` — for OpenAI/Codex
@@ -283,7 +312,7 @@ The sidecar container:
 - **Image**: `ghcr.io/github/gh-aw-firewall/api-proxy:latest`
 - **Base**: `node:22-alpine`
 - **Network**: `awf-net` at `172.30.0.30`
-- **Ports**: 10000 (OpenAI), 10001 (Anthropic), 10002 (GitHub Copilot)
+- **Ports**: 10000 (OpenAI), 10001 (Anthropic), 10002 (GitHub Copilot), 10003 (Google Gemini)
 - **Proxy**: Routes via Squid at `http://172.30.0.10:3128`
 
 ### Health check
@@ -296,14 +325,33 @@ Docker healthcheck on the `/health` endpoint (port 10000):
 
 ## Troubleshooting
 
+### Gemini proxy returns 503
+
+When `--enable-api-proxy` is active, `GEMINI_API_BASE_URL` and a placeholder `GEMINI_API_KEY` are always injected into the agent container. If the real `GEMINI_API_KEY` was not set in the AWF runner environment, the api-proxy Gemini listener (port 10003) responds with **503** to all requests.
+
+**Solution**: Export `GEMINI_API_KEY` in the runner environment before invoking AWF. In GitHub Actions, add it to the step's `env:` block and use `sudo --preserve-env`:
+
+```yaml
+- name: Run Gemini agent
+  env:
+    GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
+  run: |
+    sudo --preserve-env=GEMINI_API_KEY \
+      awf --enable-api-proxy \
+          --allow-domains generativelanguage.googleapis.com \
+          -- gemini ...
+```
+
+> **Note:** Exit code 41 ("no auth method") should no longer occur with `--enable-api-proxy` since the placeholder key satisfies the CLI's pre-flight check. If you see exit 41, ensure `--enable-api-proxy` is active.
+
 ### API keys not detected
 
 ```
 ⚠️  API proxy enabled but no API keys found in environment
-   Set OPENAI_API_KEY or ANTHROPIC_API_KEY to use the proxy
+   Set OPENAI_API_KEY, ANTHROPIC_API_KEY, GEMINI_API_KEY, COPILOT_GITHUB_TOKEN, or COPILOT_API_KEY to use the proxy
 ```
 
-**Solution**: Export API keys before running awf:
+**Solution**: Export API keys before running awf (use `sudo --preserve-env` in CI):
 
 ```bash
 export OPENAI_API_KEY="sk-..."
@@ -343,9 +391,8 @@ docker exec awf-squid cat /var/log/squid/access.log | grep DENIED
 
 ## Limitations
 
-- Only supports OpenAI and Anthropic APIs
 - Keys must be set as environment variables (not file-based)
-- No support for Azure OpenAI endpoints
+- No support for Azure OpenAI endpoints (use `--openai-api-target` for custom endpoints)
 - No request/response logging (by design, for security)
 
 ## Related documentation

docs/api-proxy-sidecar.md

@@ -310,4 +310,67 @@ describe('runMainWorkflow', () => {
 
     await expect(runMainWorkflow(configWithDiagnostics, dependencies, { logger, performCleanup: jest.fn() })).resolves.toBe(1);
   });
+
+  it('calls collectDiagnosticLogs on startContainers failure when diagnosticLogs is enabled', async () => {
+    const startError = new Error('Squid container is unhealthy');
+    const collectDiagnosticLogs = jest.fn().mockResolvedValue(undefined);
+    const configWithDiagnostics: WrapperConfig = {
+      ...baseConfig,
+      diagnosticLogs: true,
+    };
+    const dependencies: WorkflowDependencies = {
+      ensureFirewallNetwork: jest.fn().mockResolvedValue({ squidIp: '172.30.0.10' }),
+      setupHostIptables: jest.fn().mockResolvedValue(undefined),
+      writeConfigs: jest.fn().mockResolvedValue(undefined),
+      startContainers: jest.fn().mockRejectedValue(startError),
+      runAgentCommand: jest.fn(),
+      collectDiagnosticLogs,
+    };
+    const logger = createLogger();
+
+    await expect(runMainWorkflow(configWithDiagnostics, dependencies, { logger, performCleanup: jest.fn() })).rejects.toBe(startError);
+
+    expect(collectDiagnosticLogs).toHaveBeenCalledWith(configWithDiagnostics.workDir);
+    expect(dependencies.runAgentCommand).not.toHaveBeenCalled();
+  });
+
+  it('does not call collectDiagnosticLogs on startContainers failure when diagnosticLogs is disabled', async () => {
+    const startError = new Error('Squid container is unhealthy');
+    const collectDiagnosticLogs = jest.fn().mockResolvedValue(undefined);
+    const dependencies: WorkflowDependencies = {
+      ensureFirewallNetwork: jest.fn().mockResolvedValue({ squidIp: '172.30.0.10' }),
+      setupHostIptables: jest.fn().mockResolvedValue(undefined),
+      writeConfigs: jest.fn().mockResolvedValue(undefined),
+      startContainers: jest.fn().mockRejectedValue(startError),
+      runAgentCommand: jest.fn(),
+      collectDiagnosticLogs,
+    };
+    const logger = createLogger();
+
+    await expect(runMainWorkflow(baseConfig, dependencies, { logger, performCleanup: jest.fn() })).rejects.toBe(startError);
+
+    expect(collectDiagnosticLogs).not.toHaveBeenCalled();
+  });
+
+  it('rethrows startContainers error after collecting diagnostics', async () => {
+    const startError = new Error('docker compose failed');
+    const configWithDiagnostics: WrapperConfig = {
+      ...baseConfig,
+      diagnosticLogs: true,
+    };
+    const performCleanup = jest.fn().mockResolvedValue(undefined);
+    const dependencies: WorkflowDependencies = {
+      ensureFirewallNetwork: jest.fn().mockResolvedValue({ squidIp: '172.30.0.10' }),
+      setupHostIptables: jest.fn().mockResolvedValue(undefined),
+      writeConfigs: jest.fn().mockResolvedValue(undefined),
+      startContainers: jest.fn().mockRejectedValue(startError),
+      runAgentCommand: jest.fn(),
+      collectDiagnosticLogs: jest.fn().mockResolvedValue(undefined),
+    };
+    const logger = createLogger();
+
+    await expect(runMainWorkflow(configWithDiagnostics, dependencies, { logger, performCleanup })).rejects.toBe(startError);
+    // performCleanup should NOT be called — that is the caller's (cli.ts) responsibility
+    expect(performCleanup).not.toHaveBeenCalled();
+  });
 });

src/cli-workflow.test.ts

@@ -71,7 +71,25 @@ export async function runMainWorkflow(
   await dependencies.writeConfigs(config);
 
   // Step 2: Start containers
-  await dependencies.startContainers(config.workDir, config.allowedDomains, config.proxyLogsDir, config.skipPull);
+  try {
+    await dependencies.startContainers(config.workDir, config.allowedDomains, config.proxyLogsDir, config.skipPull);
+  } catch (startError) {
+    // Signal that containers may have been partially created so the caller's
+    // cleanup (stopContainers / docker compose down -v) will tear them down
+    // instead of leaving orphaned containers and networks.
+    onContainersStarted?.();
+
+    // Collect diagnostics for startup failures before containers are torn down.
+    // Must happen before performCleanup() / stopContainers() destroys them.
+    if (config.diagnosticLogs && dependencies.collectDiagnosticLogs) {
+      try {
+        await dependencies.collectDiagnosticLogs(config.workDir);
+      } catch (diagError) {
+        logger.warn('Failed to collect diagnostic logs; continuing with cleanup.', diagError);
+      }
+    }
+    throw startError;
+  }
   onContainersStarted?.();
 
   // Step 3: Wait for agent to complete

src/cli-workflow.ts

@@ -2763,12 +2763,24 @@ describe('docker-manager', () => {
         expect(env.GEMINI_API_KEY).toBe('gemini-api-key-placeholder-for-credential-isolation');
       });
 
-      it('should not set GEMINI_API_BASE_URL in agent when geminiApiKey is not provided', () => {
+      it('should always set GEMINI_API_BASE_URL in agent when api-proxy is enabled (regardless of geminiApiKey)', () => {
         const configWithProxy = { ...mockConfig, enableApiProxy: true, openaiApiKey: 'sk-test-key' };
         const result = generateDockerCompose(configWithProxy, mockNetworkConfigWithProxy);
         const agent = result.services.agent;
         const env = agent.environment as Record<string, string>;
-        expect(env.GEMINI_API_BASE_URL).toBeUndefined();
+        // GEMINI_API_BASE_URL must be set even without a geminiApiKey so that the
+        // Gemini CLI does not fail with exit code 41 ("no auth method") when the
+        // GEMINI_API_KEY is only available as a GitHub Actions secret.
+        expect(env.GEMINI_API_BASE_URL).toBe('http://172.30.0.30:10003');
+      });
+
+      it('should set GEMINI_API_KEY placeholder in agent when api-proxy is enabled without geminiApiKey', () => {
+        const configWithProxy = { ...mockConfig, enableApiProxy: true, openaiApiKey: 'sk-test-key' };
+        const result = generateDockerCompose(configWithProxy, mockNetworkConfigWithProxy);
+        const agent = result.services.agent;
+        const env = agent.environment as Record<string, string>;
+        // Placeholder is required so Gemini CLI's startup auth check passes (exit code 41).
+        expect(env.GEMINI_API_KEY).toBe('gemini-api-key-placeholder-for-credential-isolation');
       });
 
       it('should not leak GEMINI_API_KEY to agent when api-proxy is enabled', () => {