fix: unblock Smoke Gemini — exclude MCP host env leak, allow api-proxy IP through Squid

.github/workflows/smoke-gemini.md

@@ -18,6 +18,8 @@ network:
   allowed:
     - defaults
     - github
+    - generativelanguage.googleapis.com
+    - aiplatform.googleapis.com
 tools:
   bash:
     - "*"

src/container-lifecycle.ts

@@ -2,7 +2,7 @@ import * as fs from 'fs';
 import * as path from 'path';
 import * as yaml from 'js-yaml';
 import execa from 'execa';
-import { WrapperConfig, BlockedTarget } from './types';
+import { WrapperConfig, BlockedTarget, API_PROXY_PORTS } from './types';
 import { logger } from './logger';
 import { generateSquidConfig, generatePolicyManifest } from './squid-config';
 import { parseDomainWithProtocol, isWildcardPattern, wildcardToRegex } from './domain-patterns';
@@ -252,6 +252,13 @@ export async function writeConfigs(config: WrapperConfig): Promise<void> {
     enableDlp: config.enableDlp,
     dnsServers: config.dnsServers,
     upstreamProxy: config.upstreamProxy,
+    // Allow the api-proxy sidecar IP through Squid before the raw-IP deny rule.
+    // Some HTTP clients (e.g., Node.js fetch / undici ProxyAgent) route requests
+    // to the api-proxy via HTTP_PROXY without honouring NO_PROXY for raw IPs.
+    ...(config.enableApiProxy && networkConfig.proxyIp ? {
+      apiProxyIp: networkConfig.proxyIp,
+      apiProxyPorts: Object.values(API_PROXY_PORTS),
+    } : {}),
   });
   const squidConfigPath = path.join(config.workDir, 'squid.conf');
   fs.writeFileSync(squidConfigPath, squidConfig, { mode: 0o644 });
@@ -297,6 +304,9 @@ export async function writeConfigs(config: WrapperConfig): Promise<void> {
     allowHostPorts: config.allowHostPorts,
     enableDlp: config.enableDlp,
     dnsServers: config.dnsServers,
+    ...(config.enableApiProxy && networkConfig.proxyIp ? {
+      apiProxyIp: networkConfig.proxyIp,
+    } : {}),
   });
   fs.writeFileSync(
     path.join(auditDir, 'policy-manifest.json'),

src/services/agent-environment.ts

@@ -61,6 +61,13 @@ export function buildAgentEnvironment(params: AgentEnvironmentParams): Record<st
     // via --env-all; they are set explicitly by generateDockerCompose when needed.
     'AWF_PREFLIGHT_BINARY',
     'AWF_GEMINI_ENABLED',
+    // Host-side MCP gateway domain (always "localhost" on the runner) must not leak
+    // into the agent container. Inside the container, MCP CLI wrappers must use
+    // MCP_GATEWAY_DOMAIN (host.docker.internal) to reach the gateway — not this
+    // host-only alias. Leaking MCP_GATEWAY_HOST_DOMAIN=localhost causes some HTTP
+    // clients to route MCP gateway requests through HTTP_PROXY to Squid, which then
+    // blocks "localhost" because it is not in the domain allow-list.
+    'MCP_GATEWAY_HOST_DOMAIN',
   ]);
 
   // When api-proxy is enabled, exclude API keys from agent environment