Commit 70d79e9
fix: restrict host gateway iptables bypass to allowed ports only (#558)
* fix: restrict host gateway iptables bypass to allowed ports only
The --enable-host-access flag added an iptables ACCEPT rule for
host.docker.internal with no port restriction, allowing agent code
to reach ANY service on the host (databases, admin panels, etc.)
and bypassing the dangerous-ports blocklist entirely.
Changes:
- Restrict host gateway FILTER ACCEPT to ports 80, 443, and any
ports from --allow-host-ports (was: all ports)
- Apply same port restriction to network gateway bypass
- Add IPv4 format validation for dynamically resolved IPs before
using them in iptables rules
- Mount chroot-hosts as read-only (:ro) since host.docker.internal
is pre-injected by docker-manager.ts before mounting
The NAT RETURN rule (which prevents DNAT to Squid) is unchanged,
so MCP traffic still bypasses Squid correctly. Non-allowed port
traffic hits the final DROP rule in the FILTER chain.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: add Maven proxy setup to Java workflow and Java/Maven docs
Move Maven proxy configuration to the workflow markdown (settings.xml
created at runtime using SQUID_PROXY_HOST/SQUID_PROXY_PORT env vars)
rather than generating it in docker-manager.ts. Add Java/Maven/Gradle
troubleshooting section to docs and JAVA_TOOL_OPTIONS documentation
to CLAUDE.md. Recompile build-test-java workflow.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: regenerate workflow lock files after merging main
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: add skip-unset mode to one-shot token library with value preview (enabled by default) (#640)
* Initial plan
* feat: add AWF_ONE_SHOT_SKIP_UNSET flag to skip clearing tokens
- Add skip_unset flag controlled by AWF_ONE_SHOT_SKIP_UNSET env var
- When enabled, tokens are logged but not cleared after access
- Allow multiple reads of tokens in skip-unset mode
- Update README with skip-unset mode documentation
- Add tests for skip-unset mode in both container and chroot modes
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
* test: verify skip-unset functionality works correctly
- Built one-shot-token library successfully
- Verified normal mode clears tokens after first access
- Verified skip-unset mode preserves tokens and logs accesses
- Unit tests pass (736/737)
- Lint passes with no new errors
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
* fix: always strdup result in skip-unset mode for safety
- Call strdup() on result in both normal and skip-unset modes
- Prevents potential use-after-free if environment is modified
- Applies to both first access and subsequent accesses in skip-unset mode
- Addresses code review feedback about pointer safety
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
* feat: enable skip-unset mode by default
Set AWF_ONE_SHOT_SKIP_UNSET=1 in entrypoint.sh to skip variable
unsetting while still logging token accesses. This applies to both
container mode and chroot mode.
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
* feat: add token value preview to log messages
Show first 4 characters of token value plus "..." in log messages
to provide debugging context while protecting sensitive data.
Updates both getenv and secure_getenv interceptors.
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
* feat: replace skip-unset with in-memory caching strategy
Cache token values in memory on first access, then unset from
environment. Subsequent getenv() calls return the cached value,
allowing programs to read tokens multiple times while
/proc/self/environ is cleared.
Remove AWF_ONE_SHOT_SKIP_UNSET - caching makes it unnecessary.
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
* fix: use mkdtempSync for chroot-hosts to address CodeQL CWE-377
Build complete chroot-hosts content in memory, then write atomically
to a securely-created temp directory (fs.mkdtempSync). This satisfies
CodeQL's js/insecure-temporary-file rule by using the recognized
sanitizer for temp file creation.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: recompile build-test-java workflow after merge
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
1 parent 33157aa, commit 70d79e9
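The cache-then-unset strategy the last feature commit describes (cache the value in memory on first access, unset it from the environment, serve later reads from the cache, log only a 4-character preview), as an added C example that is not the project's one-shot token library: the library interposes getenv/secure_getenv, while this is a plain function, and the cache size, names and log format are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Cache-then-unset, modelled on the strategy in the commit message: the
 * first lookup copies the value into process memory and unsets the variable
 * so it disappears from /proc/self/environ; later lookups come from the
 * cache. MAX_CACHED and all names here are assumptions of this example. */
#define MAX_CACHED 16
struct cached_token { char *name; char *value; };   /* value is an owned copy */
static struct cached_token cache[MAX_CACHED];
static int cache_len = 0;

/* Log only a 4-character preview plus "...", never the full secret. */
static void log_access(const char *how, const char *name, const char *value) {
    char preview[5] = {0};
    strncpy(preview, value, 4);
    fprintf(stderr, "[one-shot] %s %s (value: %s...)\n", how, name, preview);
}

/* Returns a heap copy the caller frees (never a pointer into environ, which
 * unsetenv() may invalidate), or NULL if the variable was never set. */
char *one_shot_getenv(const char *name) {
    for (int i = 0; i < cache_len; i++) {
        if (strcmp(cache[i].name, name) == 0) {
            log_access("cached read of", name, cache[i].value);
            return strdup(cache[i].value);
        }
    }
    const char *raw = getenv(name);
    if (raw == NULL)
        return NULL;
    char *copy = strdup(raw);          /* copy before unsetenv() */
    if (copy == NULL)
        return NULL;
    char *n = strdup(name), *v = strdup(copy);
    if (cache_len == MAX_CACHED || n == NULL || v == NULL) { /* cannot cache */
        free(n); free(v);
        log_access("uncached read of", name, copy);
        return copy;                   /* left in environ so later reads work */
    }
    cache[cache_len].name = n;
    cache[cache_len].value = v;
    cache_len++;
    unsetenv(name);                    /* now absent from /proc/self/environ */
    log_access("first read of", name, copy);
    return copy;
}
```

After the first call, `getenv()` on the same name returns NULL, so a child process or a `/proc/self/environ` reader no longer sees the secret, while the program itself can still read it as often as it likes.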
18 files changed
Lines changed: 373 additions & 145 deletions
File tree
- .github/workflows
- containers/agent
- docs
- src