
[docs] docs: document Squid allow_api_proxy_ip ACL and Gemini raw-IP fix#3009

Merged
lpcox merged 2 commits into main from docs/sync-api-proxy-squid-allow-rule-fa4316cf2b3fe562 on May 12, 2026

Conversation

@github-actions
Contributor

Documentation Sync - May 2026

This PR synchronizes documentation with code changes from the past 7 days.

Changes Made

  • Updated docs/api-proxy-sidecar.md: Added explanation of the new allow_api_proxy_ip Squid ACL in the "Network isolation" section
  • Updated docs/api-proxy-sidecar.md: Added a new troubleshooting entry for "Gemini requests blocked by Squid (raw-IP denied)" that documents the root cause (undici routing raw IPs through HTTP_PROXY) and the resolution

Code Changes Referenced

  • Commit 6a9fcf9: fix: unblock Smoke Gemini — exclude MCP host env leak, allow api-proxy IP through Squid (#2986) — added acl allow_api_proxy_ip dst <ip> + http_access allow allow_api_proxy_ip to src/squid-config.ts before raw-IP deny rules, so that HTTP clients (e.g. Node.js undici ProxyAgent) that route raw IP addresses through HTTP_PROXY without honouring NO_PROXY are not rejected by Squid.

Verification

  • Code examples not affected (no example changes needed)
  • Consistent with existing admonition/callout style used in the doc
  • Focused and minimal — only documents the actual code change

Generated by Documentation Maintainer

Sync documentation with commit 6a9fcf9 which added an explicit
Squid ACL (allow_api_proxy_ip) that permits traffic to the API proxy
sidecar IP before raw-IP deny rules. This fixes Gemini CLI requests
being rejected by Squid when the undici HTTP client routes the raw IP
through HTTP_PROXY regardless of the NO_PROXY setting.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions github-actions Bot requested a review from Mossaka as a code owner May 12, 2026 05:52
@github-actions github-actions Bot added ai-generated documentation Improvements or additions to documentation labels May 12, 2026
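The rule ordering the PR description relies on, shown as an added illustrative Squid configuration. This is not the project's generated config from src/squid-config.ts; the sidecar address 172.30.0.20, the raw-IP ACL and the domain allowlist are constructed assumptions.

```squid
# Constructed example of the ordering described above, not the project's
# generated config. Squid evaluates http_access lines top to bottom and the
# first matching line wins, so the sidecar exception must precede the
# raw-IP deny. Assumed api-proxy sidecar address: 172.30.0.20.
acl allow_api_proxy_ip dst 172.30.0.20

# Assumed raw-IP ACL: URL hosts written as IPv4 literals. -n suppresses
# DNS lookups so the literal is compared as the client sent it.
acl raw_ipv4 dstdom_regex -n ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$

# 1. Exception for the api-proxy sidecar IP (the fix in commit 6a9fcf9).
http_access allow allow_api_proxy_ip

# 2. Every other raw-IP destination is still refused. With the lines in
#    the opposite order, the deny would match first and the sidecar
#    exception would never be reached.
http_access deny raw_ipv4

# 3. Named-domain allowlist and the default deny follow unchanged.
acl allowed_domains dstdomain .github.com
http_access allow allowed_domains
http_access deny all
```

Because the exception is scoped to a single `dst` address, a client such as undici's ProxyAgent that sends the sidecar's raw IP through HTTP_PROXY is accepted without widening access to arbitrary IP literals.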
@github-actions
Contributor Author

github-actions Bot commented May 12, 2026

Documentation Preview

Documentation build failed for this PR. View logs.

Built from commit 33709cd

@lpcox
Collaborator

lpcox commented May 12, 2026

Docker builds with --build-local can take >120s when USER_UID/USER_GID
build args differ from the pre-built images (cache miss at the user
creation layer). Increase runWithSudo timeout from 120000 to 180000ms
and Jest test timeouts from 120000 to 240000ms to match the pattern
established in one-shot-tokens.test.ts.
Contributor

Copilot AI commented May 12, 2026

@copilot fix this failing ci check https://github.com/github/gh-aw-firewall/actions/runs/25716192334/job/75581277264?pr=3009

The root cause was that no-docker.test.ts and skip-pull.test.ts used timeout: 120000 (2 min) for their buildLocal: true runs. When Docker builds with --build-local, getSafeHostUid()/getSafeHostGid() pass USER_UID/USER_GID build args derived from the running user (e.g. 1001 on GitHub Actions runners), which differs from the pre-built images' default of 1000. This causes a cache miss at the user-creation layer and all subsequent layers — including the gcc/binutils download for one-shot-token.so — adding ~108 seconds to the build time and exceeding the 120 s timeout.

Fixed in fix(tests): increase buildLocal timeout in skip-pull and no-docker tests by raising the runWithSudo timeout to 180000 and the Jest test timeouts to 240000, matching the pattern already established in one-shot-tokens.test.ts.

Copilot AI requested a review from lpcox May 12, 2026 15:06
Copilot finished work on behalf of lpcox May 12, 2026 15:09
@github-actions
Contributor Author

✅ Coverage Check Passed

Overall Coverage

| Metric | Base | PR | Delta |
| --- | --- | --- | --- |
| Lines | 87.78% | 87.86% | 📈 +0.08% |
| Statements | 87.74% | 87.81% | 📈 +0.07% |
| Functions | 92.12% | 92.12% | ➡️ +0.00% |
| Branches | 79.85% | 79.90% | 📈 +0.05% |

📁 Per-file Coverage Changes (1 file)

| File | Lines (Before → After) | Statements (Before → After) |
| --- | --- | --- |
| src/container-lifecycle.ts | 87.4% → 88.4% (+1.08%) | 87.7% → 88.8% (+1.06%) |

Coverage comparison generated by scripts/ci/compare-coverage.ts

@github-actions
Contributor Author

Smoke Test Results

  • ❌ GitHub MCP: auth unavailable
  • ✅ Playwright: github.com page verified
  • ✅ File Writing: test file created
  • ✅ Bash Verification: file readable

Overall: 3/4 PASS — Core functionality working (auth context issue).

💥 [THE END] — Illustrated by Smoke Claude

@github-actions
Contributor Author

🔬 Smoke Test Results

| Test | Status |
| --- | --- |
| GitHub MCP connectivity | ❌ 401 auth error |
| HTTP github.com connectivity | ⚠️ template vars not expanded |
| File write/read | /tmp/gh-aw/agent/smoke-test-copilot-25743331630.txt verified |

Overall: FAIL — GitHub MCP returned 401 (bad credentials); template variable substitution did not occur for pre-step outputs.

PR author and assignees: unable to retrieve due to MCP auth failure.

📰 BREAKING: Report filed by Smoke Copilot

@github-actions
Contributor Author

Smoke Test: Copilot BYOK (Offline) Mode

| Test | Result |
| --- | --- |
| GitHub MCP connectivity | ❌ 401 Unauthorized |
| GitHub.com HTTP connectivity | ⚠️ Pre-step data unavailable (template not expanded) |
| File write/read | ⚠️ Pre-step data unavailable (template not expanded) |
| BYOK inference (api-proxy → api.githubcopilot.com) | |

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com.

Overall: FAIL — GitHub MCP returned 401; pre-step smoke data templates were not expanded.

🔑 BYOK report filed by Smoke Copilot BYOK

@github-actions
Contributor Author

Smoke Test Codex: FAIL
PRs: fix: unblock Smoke Gemini — exclude MCP host env leak, allow api-proxy IP through Squid; refactor: remove dead re-exports from cli.ts and unexport ExecaMockResult
✅ PR review via public API, Playwright, file/bash, discussion, build
❌ safeinputs-gh missing; Tavily bridge has zero tools/unknown search tool
Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

@github-actions
Contributor Author

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color 1/1 passed ✅ PASS
Go env 1/1 passed ✅ PASS
Go uuid 1/1 passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx All passed ✅ PASS
Node.js execa All passed ✅ PASS
Node.js p-limit All passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Note (Java): Maven's default local repo at ~/.m2/repository was not writable due to directory ownership (root:root). Tests were run with -Dmaven.repo.local=/tmp/gh-aw/agent/m2-repo as a workaround — all tests passed successfully.

Generated by Build Test Suite for issue #3009

@github-actions
Contributor Author

Smoke Test: GitHub Actions Services Connectivity

| Check | Result |
| --- | --- |
| Redis PING | ❌ Timeout/no response |
| PostgreSQL pg_isready | ❌ No response on port 5432 |
| PostgreSQL SELECT 1 | ❌ Timeout/no response |

Overall: FAIL. host.docker.internal service containers are not reachable from this environment.

🔌 Service connectivity validated by Smoke Services

@lpcox lpcox merged commit 904864e into main May 12, 2026
62 of 66 checks passed
@lpcox lpcox deleted the docs/sync-api-proxy-squid-allow-rule-fa4316cf2b3fe562 branch May 12, 2026 16:24
Labels

ai-generated build-test documentation Improvements or additions to documentation smoke-copilot
