refactor: extract writeConfigs into dedicated config-writer module

[Copilot]

container-lifecycle.ts mixed config-generation with container lifecycle concerns. The writeConfigs function (284 lines spanning Squid config, Docker Compose YAML, seccomp profiles, SSL cert setup, and directory initialization) was the primary offender, making the file 769 lines with three distinct responsibilities.

Changes

• src/config-writer.ts (new): writeConfigs and all imports it exclusively owns (js-yaml, generateSquidConfig, generatePolicyManifest, generateSessionCa, initSslDb, parseUrlPatterns, generateDockerCompose, redactDockerComposeSecrets, SslConfig, SQUID_PORT, API_PROXY_PORTS, getSafeHostUid/Gid, getRealUserHome, __AWF_SECCOMP_PROFILE__ declare)

• src/container-lifecycle.ts: Reduced to its core concern — startContainers, runAgentCommand, fastKillAgentContainer, and the external-kill state flags

• src/docker-manager.ts: Re-exports writeConfigs from ./config-writer instead of ./container-lifecycle; all callers via this barrel are unaffected

// docker-manager.ts
-export {
-  writeConfigs,
-  startContainers,
-  ...
-} from './container-lifecycle';
+export { writeConfigs } from './config-writer';
+export { startContainers, runAgentCommand, ... } from './container-lifecycle';

No logic was changed — this is a pure code movement.

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	87.63%	87.72%	📈 +0.09%
Statements	87.60%	87.69%	📈 +0.09%
Functions	92.16%	92.16%	➡️ +0.00%
Branches	79.65%	79.69%	📈 +0.04%

📁 Per-file Coverage Changes (1 files)

File	Lines (Before → After)	Statements (Before → After)
src/container-lifecycle.ts	87.4% → 93.9% (+6.57%)	87.7% → 94.2% (+6.50%)

✨ New Files (1 files)

• src/config-writer.ts: 81.0% lines

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[github-actions]

Smoke Test Results:

❌ GitHub MCP: gh CLI not authenticated
✅ Playwright: GitHub page loaded
✅ File Writing: Test file created
✅ Bash Tool: File verified

Overall: FAIL

💥 [THE END] — Illustrated by Smoke Claude

[github-actions]

Smoke Test: Copilot BYOK (Offline) Mode

Test	Result
GitHub MCP connectivity	❌ (401 - credentials not available to agent, expected in BYOK mode)
GitHub.com connectivity	✅ (pre-step validated)
File write/read (/tmp/gh-aw/agent/smoke-test-copilot-byok-25748550225.txt)	✅ confirmed
BYOK inference (agent → api-proxy → api.githubcopilot.com)	✅ responding now

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com.

Overall: PASS ✅

🔑 BYOK report filed by Smoke Copilot BYOK

[Copilot]

Pull request overview

This PR refactors the Docker management layer by extracting the large writeConfigs implementation out of src/container-lifecycle.ts into a dedicated src/config-writer.ts module, keeping container lifecycle logic focused on starting/running/stopping containers while preserving the existing public API via src/docker-manager.ts.

Changes:

• Added src/config-writer.ts containing writeConfigs and its dedicated dependencies (Squid config generation, compose generation, SSL bump setup, seccomp profile handling, directory initialization).
• Removed writeConfigs (and now-unused imports) from src/container-lifecycle.ts, leaving only lifecycle responsibilities.
• Updated src/docker-manager.ts to re-export writeConfigs from ./config-writer while continuing to re-export lifecycle functions from ./container-lifecycle.

Show a summary per file

File	Description
src/config-writer.ts	New module housing writeConfigs and all config-writing responsibilities previously embedded in container lifecycle.
src/container-lifecycle.ts	Removes writeConfigs and related imports to narrow scope to container startup/agent execution logic.
src/docker-manager.ts	Maintains backwards-compatible public API by re-exporting writeConfigs from the new module.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 3/3 changed files
• Comments generated: 0

[github-actions]

Smoke Test Results

Test	Result
GitHub MCP connectivity	❌ (401 Bad credentials)
GitHub.com HTTP	⚠️ (template vars unresolved)
File write/read	✅ (smoke-test-copilot-25748550285.txt verified)

Overall: FAIL

PR details could not be retrieved (MCP auth error).

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

Smoke Codex: FAIL
✅ [docs] docs: document Squid allow_api_proxy_ip ACL and Gemini raw-IP fix
✅ feat: --max-model-multiplier CLI flag + token steering body injection
❌ safeinputs-gh PR query unavailable
✅ Playwright GitHub title contains GitHub
❌ Tavily search unavailable
✅ File write/read and bash check
❌ Discussion query unavailable
✅ npm ci && npm run build
Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions]

Smoke Test Results

• Redis PING: ❌ timeout / no response
• PostgreSQL pg_isready: ❌ no response
• PostgreSQL SELECT 1: ❌ not attempted (host unreachable)

Overall: FAIL — host.docker.internal service containers were not reachable from this runner environment.

🔌 Service connectivity validated by Smoke Services

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	passed	✅ PASS
Go	env	✅	passed	✅ PASS
Go	uuid	✅	passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	passed	✅ PASS
Node.js	execa	✅	passed	✅ PASS
Node.js	p-limit	✅	passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #3031 · ● 475.4K · ◷

[github-actions]

Chroot Version Comparison Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.13	Python 3.12.3	❌ NO
Node.js	v24.14.1	v20.20.2	❌ NO
Go	go1.22.12	go1.22.12	✅ YES

Overall: ❌ Not all tests passed — Python and Node.js versions differ between host and chroot environments.

Tested by Smoke Chroot

[lpcox]

@copilot address the review feedback

[Copilot]

@copilot address the review feedback

The automated review generated 0 comments — no issues were found across the 3 changed files. The PR is ready to merge as-is.

[lpcox]

@copilot fix this failing ci check https://github.com/github/gh-aw-firewall/actions/runs/25748550242/job/75619763092?pr=3031

[Copilot]

@copilot fix this failing ci check https://github.com/github/gh-aw-firewall/actions/runs/25748550242/job/75619763092?pr=3031

This failure is pre-existing and not caused by these changes.

The "Protocol & Security Tests" job also failed on main at run #1656 (2026-05-12T16:24) — immediately before this PR was created (16:41). The integration tests run AWF as a black-box CLI and don't import any of the TypeScript modules touched in this refactor, so a pure code movement cannot affect them.

The failure pattern (Container & Ops Tests also failed on both of those main-branch runs) indicates intermittent CI infrastructure issues (Docker startup timeouts, network flakiness), not a regression from this PR.