feat: add localhost keyword for playwright testing (#427)

* Initial plan

* feat: add localhost keyword for playwright testing

- Automatically maps 'localhost' to 'host.docker.internal'
- Enables host access when localhost is specified
- Configures common development ports (3000, 4200, 5173, 8080, etc.)
- Supports protocol prefixes (http://localhost, https://localhost)
- Preserves user-specified --allow-host-ports if provided
- Add comprehensive integration tests for localhost functionality

Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>

* docs: add playwright localhost testing documentation

- Add localhost keyword section to AGENTS.md
- Add Playwright testing examples to README.md
- Add comprehensive guide to docs/usage.md
- Create dedicated Playwright testing guide in docs-site
- Explain automatic configuration and security considerations

Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>

* docs: update CLI help text for localhost keyword

Add localhost to --allow-domains help text explaining it auto-configures for local testing

Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>

* test: add unit tests for localhost keyword processing

Extract localhost processing logic into testable function and add comprehensive unit tests covering:
- Plain localhost, http://localhost, https://localhost variants
- Protocol prefix preservation
- Host access auto-enablement
- Default port configuration
- Edge cases and domain order preservation

Coverage improvements:
- Overall: 81.58% → 82.03% (+0.45%)
- cli.ts lines: 37.82% → 41.47% (+3.65%)
- cli.ts branches: 31.03% → 38.01% (+6.98%)

Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>

* fix: add security warning for localhost keyword host access

Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>

* test: verify security warning in localhost integration test

Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Co-authored-by: Copilot <copilot@github.com>
Co-authored-by: Jiaxiao (mossaka) Zhou <duibao55328@gmail.com>

Author: 3 people

AGENTS.md

@@ -257,6 +257,27 @@ Containers stopped, temporary files cleaned up
   - `.github.com` → matches all subdomains
 - Squid denies any domain not in the allowlist
 
+### Localhost Keyword
+
+The `localhost` keyword provides simplified access to host services for Playwright testing and local development:
+
+**Usage:**
+```bash
+sudo awf --allow-domains localhost,playwright.dev -- npx playwright test
+```
+
+**Automatic configuration when `localhost` is specified:**
+1. Maps `localhost` to `host.docker.internal` (Docker's host gateway)
+2. Enables `--enable-host-access` automatically
+3. Allows common development ports: 3000, 3001, 4000, 4200, 5000, 5173, 8000, 8080, 8081, 8888, 9000, 9090
+4. Preserves protocol prefixes (`http://localhost` → `http://host.docker.internal`)
+
+**Customization:**
+- Use `--allow-host-ports` to override the default port list
+- Example: `--allow-domains localhost --allow-host-ports 3000,8080`
+
+**Security note:** The localhost keyword enables access to host services. Only use for trusted workloads like local testing and development.
+
 ## Exit Code Handling
 
 The wrapper propagates the exit code from the agent container:

README.md

@@ -36,6 +36,15 @@ sudo -E awf \
   -- copilot --prompt "List my repositories"
 ```
 
+### Playwright Testing Localhost (out of the box)
+
+```bash
+# Start your dev server, then test it:
+sudo awf --allow-domains localhost,playwright.dev -- npx playwright test
+```
+
+The `localhost` keyword automatically configures everything for local testing.
+
 For checksum verification, version pinning, and manual installation steps, see [Quick start](docs/quickstart.md).
 
 #### GitHub Action (recommended for CI/CD)

containers/agent/setup-iptables.sh

@@ -174,7 +174,8 @@ if [ -n "$AWF_ALLOW_HOST_PORTS" ]; then
     if [[ $port_spec == *"-"* ]]; then
       # Port range (e.g., "3000-3010")
       echo "[iptables]   Redirect port range $port_spec to Squid..."
-      iptables -t nat -A OUTPUT -p tcp -m multiport --dports "$port_spec" -j DNAT --to-destination "${SQUID_IP}:${SQUID_PORT}"
+      # For port ranges, use --dport with range syntax (without multiport)
+      iptables -t nat -A OUTPUT -p tcp --dport "$port_spec" -j DNAT --to-destination "${SQUID_IP}:${SQUID_PORT}"
     else
       # Single port (e.g., "3000")
       echo "[iptables]   Redirect port $port_spec to Squid..."

docs-site/src/content/docs/guides/playwright-testing.md

@@ -0,0 +1,157 @@
+---
+title: Playwright Testing with Localhost
+description: Test local web applications with Playwright through the firewall
+---
+
+The firewall makes it easy to test local web applications with Playwright using the `localhost` keyword.
+
+## Quick Start
+
+Test a local development server with Playwright:
+
+```bash
+# Start your dev server (e.g., npm run dev on port 3000)
+
+# Run Playwright tests through the firewall
+sudo awf --allow-domains localhost,playwright.dev -- npx playwright test
+```
+
+The `localhost` keyword automatically configures everything needed for local testing - no manual setup required.
+
+## What the localhost Keyword Does
+
+When you include `localhost` in `--allow-domains`, awf automatically:
+
+1. **Enables host access** - Activates `--enable-host-access` flag
+2. **Maps to host.docker.internal** - Replaces `localhost` with Docker's host gateway
+3. **Allows development ports** - Opens common dev ports: 3000, 3001, 4000, 4200, 5000, 5173, 8000, 8080, 8081, 8888, 9000, 9090
+
+This means your Playwright tests inside the container can reach services running on your host machine's localhost.
+
+## Protocol Prefixes
+
+The `localhost` keyword preserves HTTP/HTTPS protocol prefixes:
+
+```bash
+# HTTP only
+sudo awf --allow-domains http://localhost -- npx playwright test
+
+# HTTPS only
+sudo awf --allow-domains https://localhost -- npx playwright test
+
+# Both HTTP and HTTPS (default)
+sudo awf --allow-domains localhost -- npx playwright test
+```
+
+## Custom Port Configuration
+
+Override the default port list with `--allow-host-ports`:
+
+```bash
+# Allow only specific ports
+sudo awf \
+  --allow-domains localhost \
+  --allow-host-ports 3000,8080 \
+  -- npx playwright test
+
+# Allow a port range
+sudo awf \
+  --allow-domains localhost \
+  --allow-host-ports 3000,8080-8090 \
+  -- npx playwright test
+```
+
+:::note
+Port ranges must avoid dangerous ports (SSH, databases, etc.). See the [security model](/gh-aw-firewall/concepts/security-model) for details.
+:::
+
+## Example: Testing a Next.js App
+
+```bash
+# Terminal 1: Start Next.js dev server
+npm run dev
+# Server runs on http://localhost:3000
+
+# Terminal 2: Run Playwright tests through firewall
+sudo awf \
+  --allow-domains localhost,vercel.app,next.js.org \
+  -- npx playwright test
+```
+
+Your Playwright tests can now access `http://localhost:3000` and also fetch from `vercel.app` and `next.js.org`.
+
+## Example: Testing a React App with External APIs
+
+```bash
+# Start React dev server on port 3000
+npm start
+
+# Run tests with access to localhost and external APIs
+sudo awf \
+  --allow-domains localhost,api.github.com,cdn.example.com \
+  -- npx playwright test
+```
+
+## Without the localhost Keyword
+
+Before the `localhost` keyword, you had to manually configure host access:
+
+```bash
+# Old way (still works)
+sudo awf \
+  --enable-host-access \
+  --allow-domains host.docker.internal \
+  --allow-host-ports 3000,8080 \
+  -- npx playwright test
+```
+
+The `localhost` keyword eliminates this boilerplate.
+
+## Security Considerations
+
+:::caution
+The `localhost` keyword enables access to services running on your host machine. Only use it for trusted workloads like local testing and development.
+:::
+
+When `localhost` is specified:
+- Containers can access ANY service on the specified ports on your host machine
+- This includes local databases, development servers, and other services
+- This is safe for local development but should not be used in production
+
+## Troubleshooting
+
+### "Connection refused" errors
+
+If Playwright can't connect to your local server:
+
+1. **Verify server is running:** Check that your dev server is actually running on the host
+2. **Check the port:** Ensure the port is in the allowed list (default: 3000, 3001, 4000, 4200, 5000, 5173, 8000, 8080, 8081, 8888, 9000, 9090)
+3. **Use custom ports:** If using a different port, specify it with `--allow-host-ports`
+
+### "Host not found" errors
+
+If you see DNS resolution errors:
+
+- Use `localhost` (not `127.0.0.1` or your machine's hostname)
+- The `localhost` keyword maps to `host.docker.internal` which resolves to the host
+
+### Server binds to 127.0.0.1 only
+
+Some dev servers bind only to 127.0.0.1. To make them accessible from Docker containers:
+
+```bash
+# Bind to 0.0.0.0 instead of 127.0.0.1
+npm run dev -- --host 0.0.0.0
+
+# Or for Vite/Vue
+npm run dev -- --host
+
+# Or for Next.js
+npm run dev -- -H 0.0.0.0
+```
+
+## See Also
+
+- [Server Connectivity](/gh-aw-firewall/guides/server-connectivity) - Connecting to HTTP, HTTPS, and gRPC servers
+- [Security Model](/gh-aw-firewall/concepts/security-model) - Understanding the firewall's security guarantees
+- [CLI Reference](/gh-aw-firewall/reference/cli-reference) - All command-line options

docs/usage.md

@@ -54,6 +54,31 @@ sudo awf \
   'curl https://api.github.com'
 ```
 
+### Playwright Testing Localhost
+
+Test local web applications with Playwright without complex configuration:
+
+```bash
+# Start your dev server (e.g., npm run dev on port 3000)
+# Then run Playwright tests through the firewall:
+sudo awf \
+  --allow-domains localhost,playwright.dev \
+  'npx playwright test'
+```
+
+The `localhost` keyword automatically:
+- Enables access to host services via `host.docker.internal`
+- Allows common development ports (3000, 4200, 5173, 8080, etc.)
+- Works with both HTTP and HTTPS protocols
+
+You can customize the ports with `--allow-host-ports`:
+```bash
+sudo awf \
+  --allow-domains localhost \
+  --allow-host-ports 3000,8080 \
+  'npx playwright test'
+```
+
 ### With GitHub Copilot CLI
 
 ```bash