fix: bind mcpg to assigned IP + fail-close on missing GH_TOKEN

Address security review findings from #1778:

1. Bind mcpg to its assigned IP (172.30.0.51) instead of 0.0.0.0 so
   the agent container cannot reach mcpg directly. Previously mcpg
   listened on all interfaces, making it reachable from any container
   on awf-net.

2. Add fail-close guard: generateDockerCompose now throws if
   enableCliProxy is set but githubToken is absent. mcpg requires a
   token to enforce DIFC policies — running without one would bypass
   integrity checks.

3. Use mcpg IP in healthcheck (not localhost) for TLS hostname
   consistency with how cli-proxy connects via GH_HOST.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: lpcox

containers/cli-proxy/Dockerfile

@@ -1,21 +1,10 @@
-# CLI Proxy sidecar for AWF - provides gh CLI access with mcpg DIFC proxy
+# CLI Proxy sidecar for AWF - provides gh CLI access via mcpg DIFC proxy
 #
-# Multi-stage build:
-#   Stage 1: Extract mcpg binary from ghcr.io/github/gh-aw-mcpg image
-#   Stage 2: Assemble final image with gh CLI, Node.js, and mcpg
-#
-# This container runs two processes:
-#   1. mcpg proxy (TLS, port 18443) - holds GH_TOKEN, enforces guard policies
-#   2. HTTP server (port 11000) - receives gh invocations from the agent container
-
-# Stage 1: Extract the mcpg binary from the official gh-aw-mcpg image.
-# MCPG_IMAGE is configurable via --cli-proxy-mcpg-image so the AWF compiler
-# can control which mcpg version is pulled and run (e.g. for version pinning
-# or testing a new mcpg release before it is bundled in the GHCR cli-proxy image).
-ARG MCPG_IMAGE=ghcr.io/github/gh-aw-mcpg:v0.2.15
-FROM ${MCPG_IMAGE} AS mcpg-source
-
-# Stage 2: Build the CLI proxy image
+# This container runs the HTTP exec server (port 11000) that receives gh
+# invocations from the agent container.  The mcpg DIFC proxy runs as a
+# separate docker-compose service (awf-cli-proxy-mcpg) using the official
+# gh-aw-mcpg image directly — no binary extraction needed.  GH_HOST is
+# set to the mcpg container so all gh CLI traffic flows through the proxy.
 FROM node:22-alpine
 
 # Install gh CLI and curl for healthchecks/wrapper
@@ -26,10 +15,6 @@ RUN apk add --no-cache \
     ca-certificates \
     bash
 
-# Copy the mcpg binary from the mcpg-source stage
-COPY --from=mcpg-source /usr/local/bin/mcpg /usr/local/bin/mcpg
-RUN chmod +x /usr/local/bin/mcpg
-
 # Create app directory
 WORKDIR /app
 
@@ -50,10 +35,10 @@ RUN chmod +x /usr/local/bin/entrypoint.sh /usr/local/bin/healthcheck.sh
 RUN addgroup -S cliproxy && adduser -S cliproxy -G cliproxy
 
 # Create log directory owned by cliproxy (so non-root process can write)
-RUN mkdir -p /var/log/cli-proxy/mcpg && \
+RUN mkdir -p /var/log/cli-proxy && \
     chown -R cliproxy:cliproxy /var/log/cli-proxy
 
-# Create /tmp/proxy-tls directory owned by cliproxy for mcpg TLS cert generation
+# Create /tmp/proxy-tls directory owned by cliproxy for shared mcpg TLS certs
 RUN mkdir -p /tmp/proxy-tls && chown cliproxy:cliproxy /tmp/proxy-tls
 
 # Switch to non-root user

containers/cli-proxy/entrypoint.sh

@@ -1,51 +1,24 @@
 #!/bin/bash
 # CLI Proxy sidecar entrypoint
-# Starts the mcpg DIFC proxy (GH_TOKEN required), then starts the Node.js HTTP server
-# under a supervisor loop so signals are properly handled and mcpg is cleaned up.
+#
+# The mcpg DIFC proxy runs as a separate docker-compose service
+# (awf-cli-proxy-mcpg). This entrypoint waits for the mcpg TLS cert
+# (written to a shared volume at /tmp/proxy-tls), configures gh CLI to
+# route through the mcpg container, then starts the Node.js HTTP server.
 set -e
 
 echo "[cli-proxy] Starting CLI proxy sidecar..."
 
-MCPG_PID=""
 NODE_PID=""
 
-# GH_TOKEN is required: without it, mcpg cannot authenticate and DIFC guard policies
-# cannot be enforced.  Fail closed rather than starting an unenforced server.
-if [ -z "$GH_TOKEN" ]; then
-  echo "[cli-proxy] ERROR: GH_TOKEN not set - refusing to start without mcpg DIFC enforcement"
-  exit 1
-fi
-
-echo "[cli-proxy] GH_TOKEN present - starting mcpg DIFC proxy..."
+# AWF_MCPG_HOST is set by docker-manager.ts to the mcpg container's IP.
+# Fall back to localhost for backward-compatible local testing.
+MCPG_HOST="${AWF_MCPG_HOST:-localhost}"
+MCPG_PORT="${AWF_MCPG_PORT:-18443}"
 
-mkdir -p /tmp/proxy-tls /var/log/cli-proxy/mcpg
+echo "[cli-proxy] mcpg proxy at ${MCPG_HOST}:${MCPG_PORT}"
 
-# Build the guard policy JSON if not explicitly provided
-if [ -z "$AWF_GH_GUARD_POLICY" ]; then
-  if [ -n "$GITHUB_REPOSITORY" ]; then
-    AWF_GH_GUARD_POLICY="{\"repos\":[\"${GITHUB_REPOSITORY}\"],\"min-integrity\":\"public\"}"
-  else
-    AWF_GH_GUARD_POLICY="{\"min-integrity\":\"public\"}"
-  fi
-  echo "[cli-proxy] Using default guard policy: ${AWF_GH_GUARD_POLICY}"
-else
-  echo "[cli-proxy] Using provided guard policy"
-fi
-
-# Start mcpg proxy in background
-# mcpg proxy holds GH_TOKEN and applies DIFC guard policies before forwarding
-mcpg proxy \
-  --policy "${AWF_GH_GUARD_POLICY}" \
-  --listen 127.0.0.1:18443 \
-  --tls \
-  --tls-dir /tmp/proxy-tls \
-  --guards-mode filter \
-  --trusted-bots "github-actions[bot],github-actions,dependabot[bot],copilot" \
-  --log-dir /var/log/cli-proxy/mcpg &
-MCPG_PID=$!
-echo "[cli-proxy] mcpg proxy started (PID: ${MCPG_PID})"
-
-# Wait for TLS cert to be generated (max 30s)
+# Wait for TLS cert to appear in the shared volume (max 30s)
 echo "[cli-proxy] Waiting for mcpg TLS certificate..."
 i=0
 while [ $i -lt 30 ]; do
@@ -58,31 +31,24 @@ while [ $i -lt 30 ]; do
 done
 
 if [ ! -f /tmp/proxy-tls/ca.crt ]; then
-  echo "[cli-proxy] ERROR: mcpg TLS certificate not generated within 30s"
-  kill "$MCPG_PID" 2>/dev/null || true
+  echo "[cli-proxy] ERROR: mcpg TLS certificate not found within 30s"
   exit 1
 fi
 
 # Configure gh CLI to route through the mcpg proxy (TLS, self-signed CA)
-export GH_HOST="localhost:18443"
+export GH_HOST="${MCPG_HOST}:${MCPG_PORT}"
 export NODE_EXTRA_CA_CERTS="/tmp/proxy-tls/ca.crt"
 export GH_REPO="${GH_REPO:-$GITHUB_REPOSITORY}"
 
 echo "[cli-proxy] gh CLI configured to route through mcpg proxy at ${GH_HOST}"
 
-# Cleanup handler: stop both the Node HTTP server and mcpg when we receive a signal
-# or when the server exits.  This runs correctly because we do NOT exec Node — we
-# start it in the background and wait, so the shell (and its traps) remain active.
+# Cleanup handler: stop the Node HTTP server on signal
 cleanup() {
   echo "[cli-proxy] Shutting down..."
   if [ -n "$NODE_PID" ]; then
     kill "$NODE_PID" 2>/dev/null || true
     wait "$NODE_PID" 2>/dev/null || true
   fi
-  if [ -n "$MCPG_PID" ]; then
-    kill "$MCPG_PID" 2>/dev/null || true
-    wait "$MCPG_PID" 2>/dev/null || true
-  fi
 }
 trap 'cleanup; exit 0' INT TERM
 

scripts/ci/cleanup.sh

@@ -12,7 +12,7 @@ echo "==========================================="
 
 # First, explicitly remove containers by name (handles orphaned containers)
 echo "Removing awf containers by name..."
-docker rm -f awf-squid awf-agent awf-iptables-init awf-api-proxy awf-cli-proxy 2>/dev/null || true
+docker rm -f awf-squid awf-agent awf-iptables-init awf-api-proxy awf-cli-proxy awf-cli-proxy-mcpg 2>/dev/null || true
 
 # Cleanup diagnostic test containers
 echo "Stopping docker compose services..."

src/cli.ts

@@ -1454,9 +1454,8 @@ program
   )
   .option(
     '--cli-proxy-mcpg-image <image>',
-    'Docker image for the mcpg DIFC proxy used inside the CLI proxy sidecar\n' +
-    '                                       (only used with --build-local; ignored when pulling pre-built GHCR images)\n' +
-    '                                       Set by the AWF compiler to control which mcpg version is pulled and run',
+    'Docker image for the mcpg DIFC proxy container (runs as a separate service alongside cli-proxy)\n' +
+    '                                       Set by the AWF compiler to control which mcpg version is used',
     'ghcr.io/github/gh-aw-mcpg:v0.2.15'
   )
   // -- Logging & Debug --
@@ -2058,6 +2057,7 @@ export async function handlePredownloadAction(options: {
   agentImage: string;
   enableApiProxy: boolean;
   enableCliProxy?: boolean;
+  cliProxyMcpgImage?: string;
 }): Promise<void> {
   const { predownloadCommand } = await import('./commands/predownload');
   try {
@@ -2067,6 +2067,7 @@ export async function handlePredownloadAction(options: {
       agentImage: options.agentImage,
       enableApiProxy: options.enableApiProxy,
       enableCliProxy: options.enableCliProxy,
+      cliProxyMcpgImage: options.cliProxyMcpgImage,
     });
   } catch (error) {
     const exitCode = (error as Error & { exitCode?: number }).exitCode ?? 1;
@@ -2091,6 +2092,7 @@ program
   )
   .option('--enable-api-proxy', 'Also download the API proxy image', false)
   .option('--enable-cli-proxy', 'Also download the CLI proxy image', false)
+  .option('--cli-proxy-mcpg-image <image>', 'Docker image for the mcpg DIFC proxy container', 'ghcr.io/github/gh-aw-mcpg:v0.2.15')
   .action(handlePredownloadAction);
 
 // Logs subcommand - view Squid proxy logs

src/commands/predownload.test.ts

@@ -43,12 +43,13 @@ describe('predownload', () => {
       ]);
     });
 
-    it('should include cli-proxy when enabled', () => {
+    it('should include cli-proxy and mcpg when enabled', () => {
       const images = resolveImages({ ...defaults, enableCliProxy: true });
       expect(images).toEqual([
         'ghcr.io/github/gh-aw-firewall/squid:latest',
         'ghcr.io/github/gh-aw-firewall/agent:latest',
         'ghcr.io/github/gh-aw-firewall/cli-proxy:latest',
+        'ghcr.io/github/gh-aw-mcpg:v0.2.15',
       ]);
     });
 
@@ -59,6 +60,17 @@ describe('predownload', () => {
         'ghcr.io/github/gh-aw-firewall/agent:latest',
         'ghcr.io/github/gh-aw-firewall/api-proxy:latest',
         'ghcr.io/github/gh-aw-firewall/cli-proxy:latest',
+        'ghcr.io/github/gh-aw-mcpg:v0.2.15',
+      ]);
+    });
+
+    it('should use custom mcpg image when specified', () => {
+      const images = resolveImages({ ...defaults, enableCliProxy: true, cliProxyMcpgImage: 'ghcr.io/github/gh-aw-mcpg:v0.3.0' });
+      expect(images).toEqual([
+        'ghcr.io/github/gh-aw-firewall/squid:latest',
+        'ghcr.io/github/gh-aw-firewall/agent:latest',
+        'ghcr.io/github/gh-aw-firewall/cli-proxy:latest',
+        'ghcr.io/github/gh-aw-mcpg:v0.3.0',
       ]);
     });
 
@@ -135,15 +147,20 @@ describe('predownload', () => {
       );
     });
 
-    it('should pull cli-proxy when enabled', async () => {
+    it('should pull cli-proxy and mcpg when enabled', async () => {
       await predownloadCommand({ ...defaults, enableCliProxy: true });
 
-      expect(execa).toHaveBeenCalledTimes(3);
+      expect(execa).toHaveBeenCalledTimes(4);
       expect(execa).toHaveBeenCalledWith(
         'docker',
         ['pull', 'ghcr.io/github/gh-aw-firewall/cli-proxy:latest'],
         { stdio: 'inherit' },
       );
+      expect(execa).toHaveBeenCalledWith(
+        'docker',
+        ['pull', 'ghcr.io/github/gh-aw-mcpg:v0.2.15'],
+        { stdio: 'inherit' },
+      );
     });
 
     it('should throw with exitCode 1 when a pull fails', async () => {

src/commands/predownload.ts

@@ -7,6 +7,7 @@ export interface PredownloadOptions {
   agentImage: string;
   enableApiProxy: boolean;
   enableCliProxy?: boolean;
+  cliProxyMcpgImage?: string;
 }
 
 /**
@@ -48,9 +49,13 @@ export function resolveImages(options: PredownloadOptions): string[] {
     images.push(`${imageRegistry}/api-proxy:${imageTag}`);
   }
 
-  // Optionally pull cli-proxy
+  // Optionally pull cli-proxy and its mcpg sidecar
   if (options.enableCliProxy) {
     images.push(`${imageRegistry}/cli-proxy:${imageTag}`);
+    // mcpg runs as a separate container; default or user-specified image
+    const mcpgImage = options.cliProxyMcpgImage || 'ghcr.io/github/gh-aw-mcpg:v0.2.15';
+    validateImageReference(mcpgImage);
+    images.push(mcpgImage);
   }
 
   return images;