fix(docker): mount CLI state directories in chroot mode for Copilot and Claude (#702)

Copilot · lpcox · web-flow · commit 740a42ab6819 · 2026-02-11T18:06:46.000-08:00
* Initial plan * fix(docker): mount ~/.copilot in chroot mode for copilot cli GitHub Copilot CLI needs to extract bundled packages to ~/.copilot/pkg directory. In chroot mode, this directory was not accessible, causing "EACCES: permission denied" errors when trying to create directories. The fix mounts ~/.copilot at /host~/.copilot in chroot mode, allowing the CLI to create necessary directories while maintaining security (no full HOME mount). Added tests to verify ~/.copilot is writable in chroot mode. Fixes: https://github.com/github/gh-aw-firewall/actions/runs/21912194865/job/63270212999 Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> * feat(one-shot-token): add logging for cached token accesses Add print statements whenever getenv() or secure_getenv() are called for sensitive tokens, even when returning cached values. Previously, only the first access was logged. Now subsequent accesses also log "accessed (cached value)" for better debugging visibility. This helps diagnose token access patterns and verify that the one-shot-token library is working correctly. Example output: - First access: "Token GITHUB_TOKEN accessed and cached (value: ghp_...)" - Subsequent: "Token GITHUB_TOKEN accessed (cached value: ghp_...)" Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> * fix(one-shot-token): temporarily disable ANTHROPIC_API_KEY Comment out ANTHROPIC_API_KEY from DEFAULT_SENSITIVE_TOKENS to address smoke CI timeout issues with Claude. This is a temporary change that will be reverted once the underlying issue is resolved. The token is commented out rather than removed to make it easy to restore later. Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> * fix(one-shot-token): re-enable ANTHROPIC_API_KEY Uncomment ANTHROPIC_API_KEY in DEFAULT_SENSITIVE_TOKENS to restore token protection for Anthropic API keys. The token was temporarily disabled to address Claude timeout issues, but is now being re-enabled. Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> * fix(docker): mount ~/.cache, ~/.config, ~/.local in chroot mode Claude Code and other CLI tools need write access to ~/.cache, ~/.config, and ~/.local directories for state management, caching, and configuration. In chroot mode, these directories were not mounted, causing tools to fail when trying to write state. This resulted in Claude Code timing out after 10 minutes. The fix mounts these directories at /host paths in chroot mode, similar to the ~/.copilot mount. These directories are safe to mount as they contain application state, not credentials. Specific credential files within ~/.config (like ~/.config/gh/hosts.yml) remain blocked via /dev/null overlays. Verified fix: - ~/.cache: ✓ Writable - ~/.config: ✓ Writable - ~/.local: ✓ Writable Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> * fix(docker): mount ~/.anthropic in chroot mode for Claude Code Add read-write mount for ~/.anthropic directory in chroot mode to allow Claude Code to store Anthropic-specific state and configuration. This directory is safe to mount as it contains only Claude-specific application state, not credentials. Verified: ~/.anthropic is writable in chroot mode. Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> * fix(one-shot-token): initialize token list in secure_getenv Critical security fix: secure_getenv() was calling get_token_index() before initializing the token list. If secure_getenv() was the first function called for a sensitive token, tokens_initialized would be 0, causing the token to pass through unprotected and remain exposed in /proc/self/environ. The fix mirrors getenv()'s initialization flow: 1. Take token_mutex 2. Call init_token_list() if not initialized 3. Get token_idx while holding mutex This ensures sensitive tokens are always properly cached and removed from the environment, regardless of which function is called first. Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> * fix(docker): mount ~/.claude in chroot mode for Claude CLI Add read-write mount for ~/.claude directory in chroot mode to allow Claude CLI to store state and configuration. This directory is safe to mount as it contains only Claude-specific application state, not credentials. Verified: ~/.claude is writable in chroot mode. Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
diff --git a/containers/agent/one-shot-token/one-shot-token.c b/containers/agent/one-shot-token/one-shot-token.c
@@ -290,6 +290,8 @@ char *getenv(const char *name) {
     } else {
         /* Already accessed - return cached value */
         result = token_cache[token_idx];
+        fprintf(stderr, "[one-shot-token] Token %s accessed (cached value: %s)\n", 
+                name, format_token_value(result));
     }
 
     pthread_mutex_unlock(&token_mutex);
@@ -318,16 +320,22 @@ char *secure_getenv(const char *name) {
         return getenv(name);
     }
 
+    /* Initialize token list on first call (thread-safe) */
+    pthread_mutex_lock(&token_mutex);
+    if (!tokens_initialized) {
+        init_token_list();
+    }
+
+    /* Get token index while holding mutex to avoid race with initialization */
     int token_idx = get_token_index(name);
 
-    /* Not a sensitive token - pass through to real secure_getenv */
+    /* Not a sensitive token - release mutex and pass through to real secure_getenv */
     if (token_idx < 0) {
+        pthread_mutex_unlock(&token_mutex);
         return real_secure_getenv(name);
     }
 
-    /* Sensitive token - handle cached access with secure_getenv semantics */
-    pthread_mutex_lock(&token_mutex);
-
+    /* Sensitive token - handle cached access with secure_getenv semantics (mutex already held) */
     char *result = NULL;
 
     if (!token_accessed[token_idx]) {
@@ -354,6 +362,8 @@ char *secure_getenv(const char *name) {
     } else {
         /* Already accessed - return cached value */
         result = token_cache[token_idx];
+        fprintf(stderr, "[one-shot-token] Token %s accessed (cached value: %s) (via secure_getenv)\n", 
+                name, format_token_value(result));
     }
 
     pthread_mutex_unlock(&token_mutex);
diff --git a/src/docker-manager.ts b/src/docker-manager.ts
@@ -489,6 +489,26 @@ export function generateDockerCompose(
     // - One-shot token LD_PRELOAD library: /host/tmp/awf-lib/one-shot-token.so
     agentVolumes.push('/tmp:/host/tmp:rw');
 
+    // Mount ~/.copilot for GitHub Copilot CLI (package extraction, config, logs)
+    // This is safe as ~/.copilot contains only Copilot CLI state, not credentials
+    agentVolumes.push(`${effectiveHome}/.copilot:/host${effectiveHome}/.copilot:rw`);
+
+    // Mount ~/.cache, ~/.config, ~/.local for CLI tool state management (Claude Code, etc.)
+    // These directories are safe to mount as they contain application state, not credentials
+    // Note: Specific credential files within ~/.config (like ~/.config/gh/hosts.yml) are
+    // still blocked via /dev/null overlays applied later in the code
+    agentVolumes.push(`${effectiveHome}/.cache:/host${effectiveHome}/.cache:rw`);
+    agentVolumes.push(`${effectiveHome}/.config:/host${effectiveHome}/.config:rw`);
+    agentVolumes.push(`${effectiveHome}/.local:/host${effectiveHome}/.local:rw`);
+
+    // Mount ~/.anthropic for Claude Code state and configuration
+    // This is safe as ~/.anthropic contains only Claude-specific state, not credentials
+    agentVolumes.push(`${effectiveHome}/.anthropic:/host${effectiveHome}/.anthropic:rw`);
+
+    // Mount ~/.claude for Claude CLI state and configuration
+    // This is safe as ~/.claude contains only Claude-specific state, not credentials
+    agentVolumes.push(`${effectiveHome}/.claude:/host${effectiveHome}/.claude:rw`);
+
     // Minimal /etc - only what's needed for runtime
     // Note: /etc/shadow is NOT mounted (contains password hashes)
     agentVolumes.push(
diff --git a/tests/integration/chroot-copilot-home.test.ts b/tests/integration/chroot-copilot-home.test.ts
@@ -0,0 +1,87 @@
+/**
+ * Chroot Copilot Home Directory Tests
+ *
+ * These tests verify that the GitHub Copilot CLI can access and write
+ * to ~/.copilot directory in chroot mode. This is essential for:
+ * - Package extraction (CLI extracts bundled packages to ~/.copilot/pkg)
+ * - Configuration storage
+ * - Log file management
+ *
+ * The fix mounts ~/.copilot at /host~/.copilot in chroot mode to enable
+ * write access while maintaining security (no full HOME mount).
+ */
+
+/// <reference path="../jest-custom-matchers.d.ts" />
+
+import { describe, test, expect, beforeAll, afterAll } from '@jest/globals';
+import { createRunner, AwfRunner } from '../fixtures/awf-runner';
+import { cleanup } from '../fixtures/cleanup';
+import * as fs from 'fs';
+import * as os from 'os';
+import * as path from 'path';
+
+describe('Chroot Copilot Home Directory Access', () => {
+  let runner: AwfRunner;
+  let testCopilotDir: string;
+
+  beforeAll(async () => {
+    await cleanup(false);
+    runner = createRunner();
+    
+    // Ensure ~/.copilot exists on the host (as the workflow does)
+    testCopilotDir = path.join(os.homedir(), '.copilot');
+    if (!fs.existsSync(testCopilotDir)) {
+      fs.mkdirSync(testCopilotDir, { recursive: true, mode: 0o755 });
+    }
+  });
+
+  afterAll(async () => {
+    await cleanup(false);
+  });
+
+  test('should be able to write to ~/.copilot directory', async () => {
+    const result = await runner.runWithSudo(
+      'mkdir -p ~/.copilot/test && echo "test-content" > ~/.copilot/test/file.txt && cat ~/.copilot/test/file.txt',
+      {
+        allowDomains: ['localhost'],
+        logLevel: 'debug',
+        timeout: 60000,
+        enableChroot: true,
+      }
+    );
+
+    expect(result).toSucceed();
+    expect(result.stdout).toContain('test-content');
+  }, 120000);
+
+  test('should be able to create nested directories in ~/.copilot', async () => {
+    // Simulate what Copilot CLI does: create pkg/linux-x64/VERSION
+    const result = await runner.runWithSudo(
+      'mkdir -p ~/.copilot/pkg/linux-x64/0.0.405 && echo "package-extracted" > ~/.copilot/pkg/linux-x64/0.0.405/marker.txt && cat ~/.copilot/pkg/linux-x64/0.0.405/marker.txt',
+      {
+        allowDomains: ['localhost'],
+        logLevel: 'debug',
+        timeout: 60000,
+        enableChroot: true,
+      }
+    );
+
+    expect(result).toSucceed();
+    expect(result.stdout).toContain('package-extracted');
+  }, 120000);
+
+  test('should verify ~/.copilot is writable with correct permissions', async () => {
+    const result = await runner.runWithSudo(
+      'touch ~/.copilot/write-test && rm ~/.copilot/write-test && echo "write-success"',
+      {
+        allowDomains: ['localhost'],
+        logLevel: 'debug',
+        timeout: 60000,
+        enableChroot: true,
+      }
+    );
+
+    expect(result).toSucceed();
+    expect(result.stdout).toContain('write-success');
+  }, 120000);
+});
