Skip to content

fix: AWF_ENABLE_HOST_ACCESS safety net sets '1' instead of 'true'#2227

Merged
lpcox merged 1 commit intomainfrom
fix/host-access-env-mismatch
Apr 27, 2026
Merged

fix: AWF_ENABLE_HOST_ACCESS safety net sets '1' instead of 'true'#2227
lpcox merged 1 commit intomainfrom
fix/host-access-env-mismatch

Conversation

@lpcox
Copy link
Copy Markdown
Collaborator

@lpcox lpcox commented Apr 27, 2026

Problem

The allowHostServicePorts safety net in docker-manager.ts (line 1070) was setting:

environment.AWF_ENABLE_HOST_ACCESS = 'true';

But containers/agent/entrypoint.sh:567 checks:

if [ "${AWF_ENABLE_HOST_ACCESS}" = "1" ]; then

This mismatch meant host access features silently failed when allowHostServicePorts was set without explicit enableHostAccess.

Fix

Changed 'true''1' to match the convention used everywhere else (the primary path at line 1603, setup-iptables.sh, and entrypoint.sh).

Testing

  • Added test: should set AWF_ENABLE_HOST_ACCESS to 1 via safety net when allowHostServicePorts is set without enableHostAccess
  • All 383 existing tests pass (4 pre-existing failures unrelated to this change)

Fixes #1728

@lpcox
fix: AWF_ENABLE_HOST_ACCESS safety net sets '1' instead of 'true'
76d3a24 
The allowHostServicePorts safety net in docker-manager.ts was setting
AWF_ENABLE_HOST_ACCESS='true', but entrypoint.sh checks for '1'.
This caused host access features to silently fail when
allowHostServicePorts was set without explicit enableHostAccess.

Fixes #1728

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 27, 2026 00:32
@lpcox lpcox requested a review from Mossaka as a code owner April 27, 2026 00:32
Copilot AI reviewed Apr 27, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Fixes a mismatch between how AWF_ENABLE_HOST_ACCESS was being set in the TypeScript “safety net” path and how it’s checked in the agent container scripts, which could cause host access features to silently not activate when allowHostServicePorts is used programmatically.

Changes:

  • Update the allowHostServicePorts safety net to set AWF_ENABLE_HOST_ACCESS to '1' (instead of 'true') for consistency with container-side checks.
  • Add a unit test covering the safety-net behavior when allowHostServicePorts is set without enableHostAccess.
Show a summary per file
File Description
src/docker-manager.ts Aligns AWF_ENABLE_HOST_ACCESS safety-net value with shell scripts expecting "1".
src/docker-manager.test.ts Adds regression test ensuring the safety net sets AWF_ENABLE_HOST_ACCESS when allowHostServicePorts is provided without enableHostAccess.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 2/2 changed files
  • Comments generated: 0

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 27, 2026

Smoke Test Results

✅ GitHub MCP: Retrieved last 2 merged PRs
✅ Playwright: Page title verified at github.com
✅ File Writing: Test file created with timestamp
✅ Bash Tool: File verified via cat

Overall: PASS

💥 [THE END] — Illustrated by Smoke Claude

@github-actions

This comment has been minimized.

Sign in to view
@github-actions

This comment has been minimized.

Sign in to view
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 27, 2026

chore: recompile all agentic workflows
feat: optimize Smoke Services workflow for token efficiency
GitHub MCP ❌
safeinputs-gh ❌
Playwright ✅
Tavily ❌
File write/bash ✅
Discussion ✅
Build ✅
Overall: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

@github-actions github-actions Bot mentioned this pull request Apr 27, 2026
Closed
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 27, 2026

Smoke Test Results

  • Redis PING: ❌ (timeout — no response from host.docker.internal:6379)
  • PostgreSQL pg_isready: ❌ (no response from host.docker.internal:5432)
  • PostgreSQL SELECT 1: ❌ (skipped — pg unreachable)

Overall: FAILhost.docker.internal is not routing to service containers in this environment.

🔌 Service connectivity validated by Smoke Services

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 27, 2026

Chroot Version Comparison Results

Runtime Host Version Chroot Version Match?
Python Python 3.12.13 Python 3.12.3
Node.js v24.14.1 v20.20.2
Go go1.22.12 go1.22.12

Overall: ❌ Not all tests passed — Python and Node.js versions differ between host and chroot environments.

Tested by Smoke Chroot

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 27, 2026

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color ok ✅ PASS
Go env ok ✅ PASS
Go uuid ok ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx All passed ✅ PASS
Node.js execa All passed ✅ PASS
Node.js p-limit All passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #2227 · ● 431.7K ·

@lpcox lpcox merged commit 4cd4edc into main Apr 27, 2026
67 of 72 checks passed
@lpcox lpcox deleted the fix/host-access-env-mismatch branch April 27, 2026 00:50
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 27, 2026

🔬 Smoke Test Results

Overall: PASS

PR by @lpcox · Reviewer: @Mossaka

📰 BREAKING: Report filed by Smoke Copilot

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 27, 2026

Smoke Test: Copilot BYOK (Offline) Mode — Run #24971929239

Test Result
GitHub MCP (list PRs)
GitHub.com connectivity
File write/read ✅ (BYOK smoke test passed at Mon Apr 27 01:12:31 UTC 2026)
BYOK inference (api-proxy → api.githubcopilot.com)

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com
Author: @lpcox | Reviewer: @Mossaka

Overall: PASS

🔑 BYOK report filed by Smoke Copilot BYOK

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@Mossaka Mossaka Awaiting requested review from Mossaka Mossaka is a code owner

Assignees

No one assigned

Labels

build-test smoke-claude smoke-copilot smoke-copilot-byok

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

fix: AWF_ENABLE_HOST_ACCESS safety net sets 'true' but checks expect '1'

2 participants

@lpcox