diff --git a/src/docker-manager.test.ts b/src/docker-manager.test.ts
index 7801c05f..35ec10dd 100644
--- a/src/docker-manager.test.ts
+++ b/src/docker-manager.test.ts
@@ -1980,6 +1980,15 @@ describe('docker-manager', () => {
 
         expect(env.AWF_ENABLE_HOST_ACCESS).toBeUndefined();
       });
+
+      it('should set AWF_ENABLE_HOST_ACCESS to 1 via safety net when allowHostServicePorts is set without enableHostAccess', () => {
+        const config = { ...mockConfig, allowHostServicePorts: '5432,6379' };
+        const result = generateDockerCompose(config, mockNetworkConfig);
+        const env = result.services.agent.environment as Record<string, string>;
+
+        expect(env.AWF_ENABLE_HOST_ACCESS).toBe('1');
+        expect(env.AWF_HOST_SERVICE_PORTS).toBe('5432,6379');
+      });
     });
 
     describe('NO_PROXY baseline', () => {
diff --git a/src/docker-manager.ts b/src/docker-manager.ts
index 812c9187..c098361e 100644
--- a/src/docker-manager.ts
+++ b/src/docker-manager.ts
@@ -1067,7 +1067,7 @@ export function generateDockerCompose(
     // Ensure host access is enabled (setup-iptables.sh requires AWF_ENABLE_HOST_ACCESS)
     // The CLI auto-enables this, but this is a safety net for programmatic usage
     if (!environment.AWF_ENABLE_HOST_ACCESS) {
-      environment.AWF_ENABLE_HOST_ACCESS = 'true';
+      environment.AWF_ENABLE_HOST_ACCESS = '1';
     }
   }