refactor: reduce pid-tracker API surface and harden api-proxy startup retry handling (#2895)

Copilot · lpcox · Copilot · web-flow · commit a37ff24b885e · 2026-05-11T16:39:12.000-07:00
* Initial plan * fix: reduce pid-tracker public API surface * docs: fix stale pid tracker jsdoc * fix: retry api-proxy startup when compose reports exited (1) Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/fcf2b573-5256-4c69-8f65-0a79431bd838 * fix(api-proxy): add missing JS modules to Dockerfile COPY The OIDC refactoring PRs (#2811, #2772, #2887) added new JS modules (github-oidc.js, aws-oidc-token-provider.js, gcp-oidc-token-provider.js, oidc-refresh-utils.js) but did not update the Dockerfile COPY command. This caused the api-proxy container to crash immediately on startup with exit code 1 (Cannot find module './github-oidc'), breaking all integration tests since commit 7c25298. Fixes the api-proxy container startup crash that has been failing all integration test runs on main since 2026-05-11T15:45Z. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * test: restore missing pid-tracker test cases for coverage Add back tests for malformed /proc/net/tcp rows and non-symlink file descriptors that were removed when the async trackPidForPort was dropped. These paths are still exercised in production via trackPidForPortSync and need coverage. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: Landon Cox <landon.cox@microsoft.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
diff --git a/src/container-lifecycle.ts b/src/container-lifecycle.ts
@@ -376,13 +376,16 @@ async function checkSquidLogs(workDir: string, proxyLogsDir?: string): Promise<{
 
 /**
  * Returns true when the Docker Compose error message indicates that the
- * api-proxy container specifically failed its health check.
+ * api-proxy container specifically failed to start.
  * Docker emits "dependency failed to start: container <name> is unhealthy"
- * when a dependent container's health check does not pass.
+ * for healthcheck failures, and may emit "dependency failed to start:
+ * container <name> exited (1)" for startup-time process exits.
  */
-function isApiProxyUnhealthyError(errorMsg: string): boolean {
-  return errorMsg.includes('is unhealthy') &&
-    errorMsg.includes(API_PROXY_CONTAINER_NAME);
+function isApiProxyStartupFailureError(errorMsg: string): boolean {
+  if (!errorMsg.includes(API_PROXY_CONTAINER_NAME)) {
+    return false;
+  }
+  return errorMsg.includes('is unhealthy') || errorMsg.includes('exited (1)');
 }
 
 /**
@@ -461,11 +464,11 @@ export async function startContainers(workDir: string, allowedDomains: string[],
   } catch (firstError) {
     const firstErrorMsg = firstError instanceof Error ? firstError.message : String(firstError);
 
-    // When api-proxy specifically fails its health check, retry once.
+    // When api-proxy specifically fails to start, retry once.
     // Transient failures are common on slow or busy runners (e.g. Azure-hosted runners)
     // where the Node.js process inside the container takes longer to bind its port.
-    if (isApiProxyUnhealthyError(firstErrorMsg)) {
-      logger.warn(`${API_PROXY_CONTAINER_NAME} failed its health check — this may be a transient startup failure, retrying once...`);
+    if (isApiProxyStartupFailureError(firstErrorMsg)) {
+      logger.warn(`${API_PROXY_CONTAINER_NAME} failed to start — this may be a transient startup failure, retrying once...`);
       await logContainerLogsToStderr(API_PROXY_CONTAINER_NAME);
 
       // Tear down before retry so Docker Compose starts fresh
@@ -488,12 +491,12 @@ export async function startContainers(workDir: string, allowedDomains: string[],
         return;
       } catch (retryError) {
         const retryErrorMsg = retryError instanceof Error ? retryError.message : String(retryError);
-        if (isApiProxyUnhealthyError(retryErrorMsg)) {
+        if (isApiProxyStartupFailureError(retryErrorMsg)) {
           // Surface api-proxy logs and emit a clear, unambiguous error so
           // downstream parse steps don't blame the model for never running.
           await logContainerLogsToStderr(API_PROXY_CONTAINER_NAME);
           throw new Error(
-            `AWF firewall failed to start: ${API_PROXY_CONTAINER_NAME} failed its health check on both attempts. ` +
+            `AWF firewall failed to start: ${API_PROXY_CONTAINER_NAME} failed to start on both attempts. ` +
             `The agent was never invoked. ` +
             `See ${API_PROXY_CONTAINER_NAME} container logs above for details.`
           );
diff --git a/src/docker-manager-lifecycle.test.ts b/src/docker-manager-lifecycle.test.ts
@@ -152,10 +152,31 @@ describe('docker-manager lifecycle', () => {
       mockExecaFn.mockResolvedValueOnce({ stdout: 'api-proxy logs', stderr: '', exitCode: 0 } as any);
 
       await expect(startContainers(testDir, ['github.com'])).rejects.toThrow(
-        'AWF firewall failed to start: awf-api-proxy failed its health check on both attempts'
+        'AWF firewall failed to start: awf-api-proxy failed to start on both attempts'
       );
     });
 
+    it('should retry once when awf-api-proxy exits (1) during startup', async () => {
+      // 1. docker rm (initial cleanup)
+      mockExecaFn.mockResolvedValueOnce({ stdout: '', stderr: '', exitCode: 0 } as any);
+      // 2. docker compose up (first attempt - fails with api-proxy exited)
+      mockExecaFn.mockRejectedValueOnce(new Error('dependency failed to start: container awf-api-proxy exited (1)'));
+      // 3. docker logs --tail 50 awf-api-proxy (get logs for diagnosis)
+      mockExecaFn.mockResolvedValueOnce({ stdout: 'api-proxy startup logs', stderr: '', exitCode: 0 } as any);
+      // 4. docker compose down (cleanup before retry)
+      mockExecaFn.mockResolvedValueOnce({ stdout: '', stderr: '', exitCode: 0 } as any);
+      // 5. docker compose up (retry - succeeds)
+      mockExecaFn.mockResolvedValueOnce({ stdout: '', stderr: '', exitCode: 0 } as any);
+
+      await expect(startContainers(testDir, ['github.com'])).resolves.toBeUndefined();
+
+      // Verify retry happened: compose up was called twice
+      const upCalls = mockExecaFn.mock.calls.filter((call: any[]) =>
+        call[0] === 'docker' && Array.isArray(call[1]) && call[1].includes('up')
+      );
+      expect(upCalls).toHaveLength(2);
+    });
+
     it('should not retry for non-api-proxy healthcheck failures', async () => {
       // 1. docker rm (initial cleanup)
       mockExecaFn.mockResolvedValueOnce({ stdout: '', stderr: '', exitCode: 0 } as any);
diff --git a/src/pid-tracker.test.ts b/src/pid-tracker.test.ts
@@ -1,30 +1,24 @@
 /**
  * Unit tests for pid-tracker.ts
  *
- * These tests use mock /proc filesystem data to test the parsing
- * and tracking logic without requiring actual system access.
+ * These tests use mock /proc filesystem data to validate behavior
+ * through the module's public API.
  */
 
 import * as fs from 'fs';
 import * as path from 'path';
 import * as os from 'os';
-import {
-  trackPidForPort,
-  trackPidForPortSync,
-  isPidTrackingAvailable,
-} from './pid-tracker';
+import { trackPidForPortSync, isPidTrackingAvailable } from './pid-tracker';
 
 describe('pid-tracker', () => {
   describe('Mock /proc filesystem tests', () => {
     let mockProcPath: string;
 
     beforeEach(() => {
-      // Create a temporary mock /proc directory
       mockProcPath = fs.mkdtempSync(path.join(os.tmpdir(), 'mock-proc-'));
     });
 
     afterEach(() => {
-      // Clean up
       fs.rmSync(mockProcPath, { recursive: true, force: true });
     });
 
@@ -34,18 +28,6 @@ describe('pid-tracker', () => {
       fs.writeFileSync(path.join(netDir, 'tcp'), entries);
     };
 
-    describe('isPidTrackingAvailable', () => {
-      it('should return true when /proc/net/tcp exists', () => {
-        createMockNetTcp('header\n');
-        expect(isPidTrackingAvailable(mockProcPath)).toBe(true);
-      });
-
-      it('should return false when /proc/net/tcp does not exist', () => {
-        expect(isPidTrackingAvailable(mockProcPath)).toBe(false);
-      });
-    });
-
-    // Helper to create mock proc with actual symlinks (for socket fd testing)
     const createMockProcWithSymlinks = (
       pid: number,
       cmdline: string,
@@ -55,196 +37,145 @@ describe('pid-tracker', () => {
       const pidDir = path.join(mockProcPath, pid.toString());
       fs.mkdirSync(pidDir, { recursive: true });
 
-      // Write cmdline (null-separated)
       fs.writeFileSync(path.join(pidDir, 'cmdline'), cmdline.replace(/ /g, '\0'));
-
-      // Write comm
       fs.writeFileSync(path.join(pidDir, 'comm'), comm);
 
-      // Create fd directory and socket symlinks
       const fdDir = path.join(pidDir, 'fd');
       fs.mkdirSync(fdDir, { recursive: true });
 
       socketInodes.forEach((inode, index) => {
         const fdPath = path.join(fdDir, (index + 3).toString());
-        // Create actual symlink to socket:[inode]
         fs.symlinkSync(`socket:[${inode}]`, fdPath);
       });
     };
 
-    describe('trackPidForPort', () => {
-      it('should ignore malformed /proc/net/tcp rows', async () => {
-        const netTcpContent = `  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
-   0: malformed`;
-        createMockNetTcp(netTcpContent);
+    describe('isPidTrackingAvailable', () => {
+      it('should return true when /proc/net/tcp exists', () => {
+        createMockNetTcp('header\n');
+        expect(isPidTrackingAvailable(mockProcPath)).toBe(true);
+      });
 
-        const result = await trackPidForPort(3306, mockProcPath);
-        expect(result.pid).toBe(-1);
-        expect(result.error).toContain('No socket found');
+      it('should return false when /proc/net/tcp does not exist', () => {
+        expect(isPidTrackingAvailable(mockProcPath)).toBe(false);
       });
+    });
 
-      it('should return error when /proc/net/tcp does not exist', async () => {
-        const result = await trackPidForPort(45678, mockProcPath);
+    describe('trackPidForPortSync', () => {
+      it('should return error when /proc/net/tcp does not exist', () => {
+        const result = trackPidForPortSync(45678, mockProcPath);
         expect(result.pid).toBe(-1);
         expect(result.error).toContain('Failed to read');
       });
 
-      it('should return error when port not found in tcp table', async () => {
+      it('should return error when tcp table content is empty', () => {
+        createMockNetTcp('');
+
+        const result = trackPidForPortSync(3306, mockProcPath);
+        expect(result.pid).toBe(-1);
+        expect(result.error).toContain('No socket found');
+      });
+
+      it('should return error when port not found in tcp table', () => {
         const netTcpContent = `  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
    0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 123456 1 0000000000000000 100 0 0 10 0`;
         createMockNetTcp(netTcpContent);
 
-        const result = await trackPidForPort(99999, mockProcPath);
+        const result = trackPidForPortSync(99999, mockProcPath);
         expect(result.pid).toBe(-1);
         expect(result.error).toContain('No socket found');
       });
 
-      it('should return error when inode is 0', async () => {
-        // Inode 0 indicates no socket assigned
+      it('should return error when inode is 0', () => {
         const netTcpContent = `  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
    0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 0 1 0000000000000000 100 0 0 10 0`;
         createMockNetTcp(netTcpContent);
 
-        const result = await trackPidForPort(3306, mockProcPath);
+        const result = trackPidForPortSync(3306, mockProcPath);
         expect(result.pid).toBe(-1);
         expect(result.error).toContain('No socket found');
       });
 
-      it('should successfully track process for port', async () => {
+      it('should successfully track process for parsed hex port and inode', () => {
         const netTcpContent = `  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
    0: 0100007F:B278 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 123456 1 0000000000000000 100 0 0 10 0`;
         createMockNetTcp(netTcpContent);
         createMockProcWithSymlinks(1234, 'curl https://github.com', 'curl', ['123456']);
 
-        const result = await trackPidForPort(45688, mockProcPath); // B278 in hex
+        const result = trackPidForPortSync(45688, mockProcPath); // B278 in hex
         expect(result.pid).toBe(1234);
         expect(result.cmdline).toBe('curl https://github.com');
         expect(result.comm).toBe('curl');
         expect(result.inode).toBe('123456');
         expect(result.error).toBeUndefined();
       });
 
-      it('should return error when no process owns the socket', async () => {
-        const netTcpContent = `  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
-   0: 0100007F:B278 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 123456 1 0000000000000000 100 0 0 10 0`;
-        createMockNetTcp(netTcpContent);
-        // Create a process but with different inode
-        createMockProcWithSymlinks(1234, 'curl', 'curl', ['999999']);
-        expect(fs.existsSync(path.join(mockProcPath, '1234'))).toBe(true);
-
-        const result = await trackPidForPort(45688, mockProcPath);
-        expect(result.pid).toBe(-1);
-        expect(result.inode).toBe('123456');
-        expect(result.error).toContain('Socket inode 123456 found but no process owns it');
-      });
-
-      it('should return unknown metadata when cmdline and comm are unreadable', async () => {
+      it('should return unknown labels when process info files are missing', () => {
         const netTcpContent = `  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
    0: 0100007F:B278 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 123456 1 0000000000000000 100 0 0 10 0`;
         createMockNetTcp(netTcpContent);
 
-        const pidDir = path.join(mockProcPath, '4321');
-        const fdDir = path.join(pidDir, 'fd');
-        fs.mkdirSync(fdDir, { recursive: true });
-        fs.symlinkSync('socket:[123456]', path.join(fdDir, '3'));
-        // Intentionally omit /proc/[pid]/cmdline and /proc/[pid]/comm
+        const pidDir = path.join(mockProcPath, '1234');
+        fs.mkdirSync(path.join(pidDir, 'fd'), { recursive: true });
+        fs.symlinkSync('socket:[123456]', path.join(pidDir, 'fd', '3'));
 
-        const result = await trackPidForPort(45688, mockProcPath);
-        expect(result.pid).toBe(4321);
-        expect(result.inode).toBe('123456');
+        const result = trackPidForPortSync(45688, mockProcPath);
+        expect(result.pid).toBe(1234);
         expect(result.cmdline).toBe('unknown');
         expect(result.comm).toBe('unknown');
       });
-    });
 
-    describe('trackPidForPortSync', () => {
-      it('should return error when /proc/net/tcp does not exist', () => {
-        const result = trackPidForPortSync(45678, mockProcPath);
-        expect(result.pid).toBe(-1);
-        expect(result.error).toContain('Failed to read');
-      });
-
-      it('should return error when port not found in tcp table', () => {
+      it('should return error when no process owns the socket', () => {
         const netTcpContent = `  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
-   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 123456 1 0000000000000000 100 0 0 10 0`;
+   0: 0100007F:B278 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 123456 1 0000000000000000 100 0 0 10 0`;
         createMockNetTcp(netTcpContent);
+        createMockProcWithSymlinks(1234, 'curl', 'curl', ['999999']);
 
-        const result = trackPidForPortSync(99999, mockProcPath);
+        const result = trackPidForPortSync(45688, mockProcPath);
         expect(result.pid).toBe(-1);
-        expect(result.error).toContain('No socket found');
+        expect(result.inode).toBe('123456');
+        expect(result.error).toContain('Socket inode 123456 found but no process owns it');
       });
 
-      it('should return error when inode is 0', () => {
+      it('should ignore malformed /proc/net/tcp rows', () => {
         const netTcpContent = `  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
-   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 0 1 0000000000000000 100 0 0 10 0`;
+   0: malformed`;
         createMockNetTcp(netTcpContent);
 
         const result = trackPidForPortSync(3306, mockProcPath);
         expect(result.pid).toBe(-1);
         expect(result.error).toContain('No socket found');
       });
 
-      it('should successfully track process for port synchronously', () => {
-        const netTcpContent = `  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
-   0: 0100007F:B278 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 123456 1 0000000000000000 100 0 0 10 0`;
-        createMockNetTcp(netTcpContent);
-        createMockProcWithSymlinks(1234, 'curl https://github.com', 'curl', ['123456']);
-
-        const result = trackPidForPortSync(45688, mockProcPath); // B278 in hex
-        expect(result.pid).toBe(1234);
-        expect(result.cmdline).toBe('curl https://github.com');
-        expect(result.comm).toBe('curl');
-        expect(result.inode).toBe('123456');
-        expect(result.error).toBeUndefined();
-      });
-
-      it('should return error when no process owns the socket synchronously', () => {
-        const netTcpContent = `  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
-   0: 0100007F:B278 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 123456 1 0000000000000000 100 0 0 10 0`;
-        createMockNetTcp(netTcpContent);
-        // Create a process but with different inode
-        createMockProcWithSymlinks(1234, 'curl', 'curl', ['999999']);
-        expect(fs.existsSync(path.join(mockProcPath, '1234'))).toBe(true);
-
-        const result = trackPidForPortSync(45688, mockProcPath);
-        expect(result.pid).toBe(-1);
-        expect(result.inode).toBe('123456');
-        expect(result.error).toContain('Socket inode 123456 found but no process owns it');
-      });
-
       it('should ignore non-symlink file descriptors', () => {
         const netTcpContent = `  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
    0: 0100007F:B278 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 123456 1 0000000000000000 100 0 0 10 0`;
         createMockNetTcp(netTcpContent);
 
-        const pidDir = path.join(mockProcPath, '5678');
+        // Create a process with a regular file fd instead of a socket symlink
+        const pidDir = path.join(mockProcPath, '1234');
         const fdDir = path.join(pidDir, 'fd');
         fs.mkdirSync(fdDir, { recursive: true });
-        fs.writeFileSync(path.join(pidDir, 'cmdline'), 'curl');
-        fs.writeFileSync(path.join(pidDir, 'comm'), 'curl');
-        fs.writeFileSync(path.join(fdDir, '3'), 'not-a-symlink');
+        fs.writeFileSync(path.join(pidDir, 'cmdline'), 'test');
+        fs.writeFileSync(path.join(pidDir, 'comm'), 'test');
+        fs.writeFileSync(path.join(fdDir, '3'), 'regular-file');
 
         const result = trackPidForPortSync(45688, mockProcPath);
         expect(result.pid).toBe(-1);
-        expect(result.inode).toBe('123456');
         expect(result.error).toContain('Socket inode 123456 found but no process owns it');
       });
     });
   });
 
   describe('Real /proc filesystem (integration)', () => {
-    // These tests only run if /proc is available (Linux only)
     const isLinux = process.platform === 'linux';
 
     it('should check if PID tracking is available', () => {
       const result = isPidTrackingAvailable();
-      // On Linux, this should be true; on other platforms, false
       if (isLinux) {
         expect(result).toBe(true);
       } else {
         expect(result).toBe(false);
       }
     });
-
   });
 });
diff --git a/src/pid-tracker.ts b/src/pid-tracker.ts
