From 74d2d12842047d8658f6e949be2d09173a2a6f3f Mon Sep 17 00:00:00 2001
From: Landon Cox
Date: Wed, 1 Apr 2026 12:22:34 -0700
Subject: [PATCH 1/3] fix: copy AWF CA cert to chroot-accessible path for ssl-bump

When ssl-bump and chroot are both active, NODE_EXTRA_CA_CERTS points to /usr/local/share/ca-certificates/awf-ca.crt which is a Docker volume mount on the container's overlay filesystem. After chroot /host, this path is inaccessible, causing TLS failures (transaction-end-before-headers in Squid, EHOSTUNREACH in Claude Code after 10 retries). Fix: copy the CA cert to /host/tmp/awf-lib/awf-ca.crt before chroot activates (same pattern as one-shot-token.so and get-claude-key.sh), then update NODE_EXTRA_CA_CERTS to the chroot-relative path. Also set SSL_CERT_FILE and REQUESTS_CA_BUNDLE so non-Node.js tools (curl, git, Python requests, Ruby) trust the AWF CA in both chroot and non-chroot ssl-bump modes. Cleanup is handled by the existing /tmp/awf-lib removal in the EXIT trap.
Fixes #1546
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 containers/agent/entrypoint.sh | 35 +++++++++++++++++++++++++++++++---
 1 file changed, 32 insertions(+), 3 deletions(-)

diff --git a/containers/agent/entrypoint.sh b/containers/agent/entrypoint.sh
index 67435fb2d..30487b2e9 100644
--- a/containers/agent/entrypoint.sh
+++ b/containers/agent/entrypoint.sh
@@ -107,9 +107,14 @@ if [ "${AWF_SSL_BUMP_ENABLED}" = "true" ]; then
 echo "[entrypoint] SSL Bump mode detected - updating CA certificates..."
 if [ -f /usr/local/share/ca-certificates/awf-ca.crt ]; then
 update-ca-certificates 2>/dev/null
+ AWF_CA_PATH="/usr/local/share/ca-certificates/awf-ca.crt"
 # Set NODE_EXTRA_CA_CERTS so Node.js tools (Yarn 4, Corepack, npm) trust the AWF CA.
 # Node.js uses its own CA bundle, not the system CA store updated by update-ca-certificates.
- export NODE_EXTRA_CA_CERTS="/usr/local/share/ca-certificates/awf-ca.crt"
+ export NODE_EXTRA_CA_CERTS="$AWF_CA_PATH"
+ # SSL_CERT_FILE is respected by curl, git, Python requests, Ruby, and most
+ # OpenSSL-based tools that don't use the system CA store updated above.
+ export SSL_CERT_FILE="$AWF_CA_PATH"
+ export REQUESTS_CA_BUNDLE="$AWF_CA_PATH"
 echo "[entrypoint] CA certificates updated for SSL Bump"
 echo "[entrypoint] NODE_EXTRA_CA_CERTS set to $NODE_EXTRA_CA_CERTS"
 echo "[entrypoint] ⚠️ WARNING: HTTPS traffic will be intercepted for URL inspection"
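Review bot: `export SSL_CERT_FILE="$AWF_CA_PATH"` (and the REQUESTS_CA_BUNDLE line below it) replaces the default OpenSSL trust store with a file holding only the AWF CA, whereas the NODE_EXTRA_CA_CERTS line above it extends Node's bundle; any TLS connection that is not re-signed by the Squid CA — destinations Squid splices rather than bumps, or traffic that bypasses the proxy — will then fail verification in curl, git and Python. Since `update-ca-certificates` on the context line has just merged the AWF CA into the system bundle, pointing the override at that bundle keeps both sets of anchors: `export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt` and the same value for REQUESTS_CA_BUNDLE. Whether this deployment bumps every destination is not visible here; if it does, the narrower file is acceptable but deserves a comment saying that non-bumped hosts will be untrusted by design. The same trade-off applies to the chroot copy in the @@ -473 hunk, where a concatenation of the AWF CA and the container's system bundle could be written to /host/tmp/awf-lib instead of the single certificate.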
@@ -473,6 +478,30 @@ if [ "${AWF_CHROOT_ENABLED}" = "true" ]; then
 fi
 fi
+ # Copy AWF CA certificate to chroot-accessible path for ssl-bump TLS trust.
+ # NODE_EXTRA_CA_CERTS points to /usr/local/share/ca-certificates/awf-ca.crt which
+ # is a Docker volume mount on the container's overlay filesystem. After chroot /host,
+ # this path is inaccessible. Copy to /tmp/awf-lib/ (always writable) and update the
+ # env var so Node.js (Claude Code), curl, git, Python, etc. trust the Squid CA.
+ AWF_CA_CHROOT=""
+ if [ "${AWF_SSL_BUMP_ENABLED}" = "true" ] && [ -f /usr/local/share/ca-certificates/awf-ca.crt ]; then
+ if mkdir -p /host/tmp/awf-lib 2>/dev/null; then
+ if cp /usr/local/share/ca-certificates/awf-ca.crt /host/tmp/awf-lib/awf-ca.crt 2>/dev/null; then
+ AWF_CA_CHROOT="/tmp/awf-lib/awf-ca.crt"
+ export NODE_EXTRA_CA_CERTS="$AWF_CA_CHROOT"
+ # SSL_CERT_FILE is respected by curl, git, Python requests, Ruby, and most
+ # OpenSSL-based tools. This ensures non-Node.js tools also trust the AWF CA.
+ export SSL_CERT_FILE="$AWF_CA_CHROOT"
+ export REQUESTS_CA_BUNDLE="$AWF_CA_CHROOT"
+ echo "[entrypoint] AWF CA certificate copied to chroot at $AWF_CA_CHROOT"
+ echo "[entrypoint] NODE_EXTRA_CA_CERTS updated to $AWF_CA_CHROOT"
+ echo "[entrypoint] SSL_CERT_FILE updated to $AWF_CA_CHROOT"
+ else
+ echo "[entrypoint][WARN] Could not copy AWF CA certificate to chroot — ssl-bump TLS may fail"
+ fi
+ fi
+ fi
 # Verify capsh is available on the host (required for privilege drop)
 if ! chroot /host which capsh >/dev/null 2>&1; then
 echo "[entrypoint][ERROR] capsh not found on host system"
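Review bot: The file that NODE_EXTRA_CA_CERTS and SSL_CERT_FILE now point at is a trust anchor written under /host/tmp/awf-lib, and `mkdir -p /host/tmp/awf-lib` succeeds silently when that directory already exists, so nothing in this block verifies that the directory is root-owned, is not a symlink, and was not left over from an earlier run before the agent starts trusting whatever ends up at that path after the capsh privilege drop mentioned in the context below; `cp` and the later `[ -f ]` test both follow a symlink at the destination. Before the copy, reject a directory that is not what the entrypoint expects and pin permissions, e.g. `[ ! -L /host/tmp/awf-lib ] && [ "$(stat -c %u /host/tmp/awf-lib)" = 0 ] || { echo "[entrypoint][ERROR] /host/tmp/awf-lib is not a root-owned directory" >&2; exit 1; }` followed by `chmod 0755 /host/tmp/awf-lib` and `chmod 0644 /host/tmp/awf-lib/awf-ca.crt`; the commit message says the one-shot-token.so and get-claude-key.sh copies use the same pattern, so the check belongs in a shared helper. The `2>/dev/null` on both `mkdir` and `cp` discards the reason for failure, which the WARN branch then cannot report, and because the script continues with NODE_EXTRA_CA_CERTS still set to the container-only path, a failed copy reproduces exactly the #1546 symptom with only a warning in the log. The enclosing `if [ "${AWF_CHROOT_ENABLED}" = "true" ]` block starts before this hunk.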
@@ -697,8 +726,8 @@ AWFEOF
 CLEANUP_CMD="${CLEANUP_CMD}; sed -i '/^[0-9.]\\+[[:space:]]\\+host\\.docker\\.internal\$/d' /etc/hosts 2>/dev/null || true"
 echo "[entrypoint] host.docker.internal will be removed from /etc/hosts on exit"
 fi
- # Clean up the one-shot-token library if it was copied
- if [ -n "${ONE_SHOT_TOKEN_LIB}" ]; then
+ # Clean up /tmp/awf-lib if anything was copied (one-shot-token, CA cert, key helper)
+ if [ -n "${ONE_SHOT_TOKEN_LIB}" ] || [ -n "${AWF_CA_CHROOT}" ]; then
 CLEANUP_CMD="${CLEANUP_CMD}; rm -rf /tmp/awf-lib 2>/dev/null || true"
 fi

From ae6c63f232a18a584e3336708ddf501547efcb7b Mon Sep 17 00:00:00 2001
From: Landon Cox
Date: Wed, 1 Apr 2026 12:28:18 -0700
Subject: [PATCH 2/3] Update containers/agent/entrypoint.sh

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 containers/agent/entrypoint.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/containers/agent/entrypoint.sh b/containers/agent/entrypoint.sh
index 30487b2e9..b424dffe0 100644
--- a/containers/agent/entrypoint.sh
+++ b/containers/agent/entrypoint.sh
@@ -727,7 +727,7 @@ AWFEOF
 echo "[entrypoint] host.docker.internal will be removed from /etc/hosts on exit"
 fi
 # Clean up /tmp/awf-lib if anything was copied (one-shot-token, CA cert, key helper)
- if [ -n "${ONE_SHOT_TOKEN_LIB}" ] || [ -n "${AWF_CA_CHROOT}" ]; then
+ if [ -n "${ONE_SHOT_TOKEN_LIB}" ] || [ -n "${AWF_CA_CHROOT}" ] || [ -n "${CHROOT_KEY_HELPER}" ]; then
 CLEANUP_CMD="${CLEANUP_CMD}; rm -rf /tmp/awf-lib 2>/dev/null || true"
 fi

From d50dfdebbfde1748658b9c4a8dccf342b9eb92ac Mon Sep 17 00:00:00 2001
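Review bot: The cleanup condition `if [ -n "${ONE_SHOT_TOKEN_LIB}" ] || [ -n "${AWF_CA_CHROOT}" ]; then` enumerates every variable that might have populated /tmp/awf-lib, and the @@ -727 hunk in PATCH 2/3 already has to widen it with CHROOT_KEY_HELPER; the next file copied into that directory will leak it again unless someone remembers to extend this line. Setting one flag where the directory is created, e.g. `AWF_LIB_CREATED=1` immediately after each successful `mkdir -p /host/tmp/awf-lib` (only the CA copy's mkdir is visible in this series), and testing `if [ -n "${AWF_LIB_CREATED}" ]; then` here ties the cleanup to the actual side effect instead of to a list of callers. The enclosing CLEANUP_CMD assembly after the AWFEOF heredoc starts before this hunk.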
From: Landon Cox
Date: Wed, 1 Apr 2026 12:30:19 -0700
Subject: [PATCH 3/3] fix: address PR review feedback on ssl-bump chroot CA

- Verify destination file exists after copy ([ -f ] check)
- Log warning when mkdir /host/tmp/awf-lib fails
- Include CHROOT_KEY_HELPER in cleanup condition to prevent /tmp/awf-lib leak when only key helper was copied

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 containers/agent/entrypoint.sh | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/containers/agent/entrypoint.sh b/containers/agent/entrypoint.sh
index b424dffe0..15376a294 100644
--- a/containers/agent/entrypoint.sh
+++ b/containers/agent/entrypoint.sh
@@ -486,7 +486,8 @@ if [ "${AWF_CHROOT_ENABLED}" = "true" ]; then
 AWF_CA_CHROOT=""
 if [ "${AWF_SSL_BUMP_ENABLED}" = "true" ] && [ -f /usr/local/share/ca-certificates/awf-ca.crt ]; then
 if mkdir -p /host/tmp/awf-lib 2>/dev/null; then
- if cp /usr/local/share/ca-certificates/awf-ca.crt /host/tmp/awf-lib/awf-ca.crt 2>/dev/null; then
+ if cp /usr/local/share/ca-certificates/awf-ca.crt /host/tmp/awf-lib/awf-ca.crt 2>/dev/null && \
+ [ -f /host/tmp/awf-lib/awf-ca.crt ]; then
 AWF_CA_CHROOT="/tmp/awf-lib/awf-ca.crt"
 export NODE_EXTRA_CA_CERTS="$AWF_CA_CHROOT"
 # SSL_CERT_FILE is respected by curl, git, Python requests, Ruby, and most
@@ -499,6 +500,8 @@ if [ "${AWF_CHROOT_ENABLED}" = "true" ]; then
 else
 echo "[entrypoint][WARN] Could not copy AWF CA certificate to chroot — ssl-bump TLS may fail"
 fi
+ else
+ echo "[entrypoint][WARN] Could not create /host/tmp/awf-lib for CA cert — ssl-bump TLS may fail in chroot"
 fi
 fi
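Review bot: The added `[ -f /host/tmp/awf-lib/awf-ca.crt ]` after `cp ... 2>/dev/null && \` only re-tests what a zero exit status from `cp` already guarantees, while the `2>/dev/null` on the same line is what actually hides why a copy failed; dropping the redirect, or capturing it into the WARN message, would give the operator the cause instead of a second existence check. If the intent is to confirm the anchor is usable after the privilege drop, `[ -s /host/tmp/awf-lib/awf-ca.crt ]` plus a mode/owner check adds information that `cp`'s status does not. In the second hunk the new `else` branch logs and continues, so a failed `mkdir` leaves NODE_EXTRA_CA_CERTS and SSL_CERT_FILE pointing at the container-only path — the failure mode this series fixes — and if chroot with ssl-bump cannot work without the copy, an `exit 1` there would be more honest than a WARN that the agent then hits as TLS errors. Both hunks sit inside the `if [ "${AWF_CHROOT_ENABLED}" = "true" ]` block, which starts and ends outside them.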