fix: align TLS hostname by sharing mcpg network namespace

Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/b1a5ac57-6103-45c6-b689-67924f7df25b

Author: Copilot

containers/cli-proxy/entrypoint.sh

@@ -2,21 +2,21 @@
 # CLI Proxy sidecar entrypoint
 #
 # The mcpg DIFC proxy runs as a separate docker-compose service
-# (awf-cli-proxy-mcpg). This entrypoint waits for the mcpg TLS cert
-# (written to a shared volume at /tmp/proxy-tls), configures gh CLI to
-# route through the mcpg container, then starts the Node.js HTTP server.
+# (awf-cli-proxy-mcpg). This container shares mcpg's network namespace
+# (network_mode: service:cli-proxy-mcpg), so localhost resolves to mcpg.
+# This ensures the TLS cert's SAN (localhost + 127.0.0.1) matches the
+# hostname used by the gh CLI, avoiding TLS hostname verification failures.
 set -e
 
 echo "[cli-proxy] Starting CLI proxy sidecar..."
 
 NODE_PID=""
 
-# AWF_MCPG_HOST is set by docker-manager.ts to the mcpg container's IP.
-# Fall back to localhost for backward-compatible local testing.
-MCPG_HOST="${AWF_MCPG_HOST:-localhost}"
+# cli-proxy shares mcpg's network namespace, so mcpg is always at localhost.
+# AWF_MCPG_PORT is set by docker-manager.ts.
 MCPG_PORT="${AWF_MCPG_PORT:-18443}"
 
-echo "[cli-proxy] mcpg proxy at ${MCPG_HOST}:${MCPG_PORT}"
+echo "[cli-proxy] mcpg proxy at localhost:${MCPG_PORT}"
 
 # Wait for TLS cert to appear in the shared volume (max 30s)
 echo "[cli-proxy] Waiting for mcpg TLS certificate..."
@@ -36,7 +36,9 @@ if [ ! -f /tmp/proxy-tls/ca.crt ]; then
 fi
 
 # Configure gh CLI to route through the mcpg proxy (TLS, self-signed CA)
-export GH_HOST="${MCPG_HOST}:${MCPG_PORT}"
+# Uses localhost because cli-proxy shares mcpg's network namespace — the
+# self-signed cert's SAN covers localhost, so TLS hostname verification passes.
+export GH_HOST="localhost:${MCPG_PORT}"
 export NODE_EXTRA_CA_CERTS="/tmp/proxy-tls/ca.crt"
 export GH_REPO="${GH_REPO:-$GITHUB_REPOSITORY}"
 

src/docker-manager.test.ts

@@ -2658,7 +2658,9 @@ describe('docker-manager', () => {
         expect(result.services['cli-proxy']).toBeDefined();
         const proxy = result.services['cli-proxy'];
         expect(proxy.container_name).toBe('awf-cli-proxy');
-        expect((proxy.networks as any)['awf-net'].ipv4_address).toBe('172.30.0.50');
+        // cli-proxy shares mcpg's network namespace — no separate networks config
+        expect(proxy.network_mode).toBe('service:cli-proxy-mcpg');
+        expect(proxy.networks).toBeUndefined();
         // Also verify the separate mcpg container
         expect(result.services['cli-proxy-mcpg']).toBeDefined();
         const mcpg = result.services['cli-proxy-mcpg'];
@@ -2718,22 +2720,25 @@ describe('docker-manager', () => {
         const result = generateDockerCompose(configWithCliProxy, mockNetworkConfigWithCliProxy);
         const agent = result.services['agent'];
         const env = agent.environment as Record<string, string>;
-        expect(env.AWF_CLI_PROXY_URL).toBe('http://172.30.0.50:11000');
+        // cli-proxy shares mcpg's network namespace, so use mcpg's IP
+        expect(env.AWF_CLI_PROXY_URL).toBe('http://172.30.0.51:11000');
       });
 
       it('should set AWF_CLI_PROXY_IP in agent environment', () => {
         const configWithCliProxy = { ...mockConfig, enableCliProxy: true, githubToken: 'ghp_test_token' };
         const result = generateDockerCompose(configWithCliProxy, mockNetworkConfigWithCliProxy);
         const agent = result.services['agent'];
         const env = agent.environment as Record<string, string>;
-        expect(env.AWF_CLI_PROXY_IP).toBe('172.30.0.50');
+        // cli-proxy shares mcpg's network namespace, so use mcpg's IP
+        expect(env.AWF_CLI_PROXY_IP).toBe('172.30.0.51');
       });
 
       it('should pass AWF_CLI_PROXY_IP to iptables-init environment', () => {
         const configWithCliProxy = { ...mockConfig, enableCliProxy: true, githubToken: 'ghp_test_token' };
         const result = generateDockerCompose(configWithCliProxy, mockNetworkConfigWithCliProxy);
         const initEnv = result.services['iptables-init'].environment as Record<string, string>;
-        expect(initEnv.AWF_CLI_PROXY_IP).toBe('172.30.0.50');
+        // cli-proxy shares mcpg's network namespace, so use mcpg's IP
+        expect(initEnv.AWF_CLI_PROXY_IP).toBe('172.30.0.51');
       });
 
       it('should set AWF_CLI_PROXY_WRITABLE=false by default', () => {
@@ -2829,13 +2834,16 @@ describe('docker-manager', () => {
         expect(result.volumes!['cli-proxy-tls']).toBeDefined();
       });
 
-      it('should configure cli-proxy to connect to mcpg container', () => {
+      it('should configure cli-proxy to connect to mcpg via shared network namespace', () => {
         const configWithCliProxy = { ...mockConfig, enableCliProxy: true, githubToken: 'ghp_test_token' };
         const result = generateDockerCompose(configWithCliProxy, mockNetworkConfigWithCliProxy);
         const proxy = result.services['cli-proxy'];
         const env = proxy.environment as Record<string, string>;
-        expect(env.AWF_MCPG_HOST).toBe('172.30.0.51');
+        // AWF_MCPG_HOST should not be set — cli-proxy uses localhost via shared network namespace
+        expect(env.AWF_MCPG_HOST).toBeUndefined();
         expect(env.AWF_MCPG_PORT).toBe('18443');
+        // Verify network_mode is used instead of networks
+        expect(proxy.network_mode).toBe('service:cli-proxy-mcpg');
       });
     });
   });

src/docker-manager.ts

@@ -1366,8 +1366,9 @@ export function generateDockerCompose(
 
   // Pre-set CLI proxy IP in environment before the init container definition
   // for the same reason as AWF_API_PROXY_IP above.
+  // cli-proxy shares mcpg's network namespace, so use the mcpg IP.
   if (config.enableCliProxy && networkConfig.cliProxyIp) {
-    environment.AWF_CLI_PROXY_IP = networkConfig.cliProxyIp;
+    environment.AWF_CLI_PROXY_IP = networkConfig.cliProxyMcpgIp || '172.30.0.51';
   }
 
   // SECURITY: iptables init container - sets up NAT rules in a separate container
@@ -1679,7 +1680,9 @@ export function generateDockerCompose(
         no_proxy: `localhost,127.0.0.1,::1`,
       },
       healthcheck: {
-        test: ['CMD', 'curl', '-sf', '--cacert', '/tmp/proxy-tls/ca.crt', `https://${mcpgIp}:${mcpgPort}/api/v3/health`],
+        // Use localhost — healthcheck runs inside the mcpg container where
+        // localhost matches the self-signed TLS cert's SAN.
+        test: ['CMD', 'curl', '-sf', '--cacert', '/tmp/proxy-tls/ca.crt', `https://localhost:${mcpgPort}/api/v3/health`],
         interval: '5s',
         timeout: '3s',
         retries: 5,
@@ -1703,22 +1706,22 @@ export function generateDockerCompose(
     services['cli-proxy-mcpg'] = mcpgService;
 
     // --- CLI proxy HTTP server (Node.js + gh CLI) ---
+    // Uses network_mode: service:cli-proxy-mcpg to share mcpg's network namespace.
+    // This allows cli-proxy to connect to mcpg via localhost, matching the TLS
+    // cert's SAN (localhost + 127.0.0.1) and avoiding hostname mismatch errors.
     const cliProxyService: any = {
       container_name: CLI_PROXY_CONTAINER_NAME,
-      networks: {
-        'awf-net': {
-          ipv4_address: networkConfig.cliProxyIp,
-        },
-      },
+      // Share mcpg's network namespace — localhost resolves to mcpg
+      network_mode: 'service:cli-proxy-mcpg',
       volumes: [
         // Shared TLS cert volume — read certs written by mcpg
         'cli-proxy-tls:/tmp/proxy-tls:ro',
         // Log directory for HTTP server logs
         `${cliProxyLogsPath}:/var/log/cli-proxy:rw`,
       ],
       environment: {
-        // Tell entrypoint where the mcpg proxy is running
-        AWF_MCPG_HOST: mcpgIp,
+        // mcpg port for the entrypoint to set GH_HOST=localhost:${port}
+        // AWF_MCPG_HOST is not needed — cli-proxy shares mcpg's network namespace
         AWF_MCPG_PORT: String(mcpgPort),
         // Pass GITHUB_REPOSITORY for GH_REPO default in entrypoint
         ...(process.env.GITHUB_REPOSITORY && { GITHUB_REPOSITORY: process.env.GITHUB_REPOSITORY }),
@@ -1768,9 +1771,9 @@ export function generateDockerCompose(
     };
 
     // Tell the agent how to reach the CLI proxy
-    // Use IP address instead of hostname since Docker DNS may not resolve in chroot mode
-    environment.AWF_CLI_PROXY_URL = `http://${networkConfig.cliProxyIp}:${CLI_PROXY_PORT}`;
-    environment.AWF_CLI_PROXY_IP = networkConfig.cliProxyIp;
+    // cli-proxy shares mcpg's network namespace, so use mcpg's IP
+    environment.AWF_CLI_PROXY_URL = `http://${mcpgIp}:${CLI_PROXY_PORT}`;
+    environment.AWF_CLI_PROXY_IP = mcpgIp;
 
     // Install the gh wrapper in the agent's PATH by symlinking to the pre-installed wrapper
     // The agent entrypoint uses AWF_CLI_PROXY_URL to know it should activate the wrapper

src/types.ts

@@ -1207,11 +1207,24 @@ export interface DockerService {
    * - Object with IPs: { 'awf-net': { ipv4_address: '172.30.0.10' } } - Static IPs
    * 
    * Static IPs are used to ensure predictable addressing for iptables rules.
+   * Mutually exclusive with network_mode.
    * 
    * @example ['awf-net']
    * @example { 'awf-net': { ipv4_address: '172.30.0.10' } }
    */
-  networks: string[] | { [key: string]: { ipv4_address?: string } };
+  networks?: string[] | { [key: string]: { ipv4_address?: string } };
+
+  /**
+   * Network mode for the container
+   * 
+   * When set to 'service:<name>', the container shares the named service's
+   * network namespace. This is used when two containers need to communicate
+   * via localhost (e.g., for TLS cert hostname matching).
+   * Mutually exclusive with networks.
+   * 
+   * @example 'service:cli-proxy-mcpg'
+   */
+  network_mode?: string;
 
   /**
    * Custom DNS servers for the container