From bdb16c27c5a5563fc81c4e484b6b8d758fc1a711 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 26 May 2026 13:41:50 +0000
Subject: [PATCH 1/3] Initial plan
From d209adbe116f3b463d56c7cbdf038efc0a80a166 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 26 May 2026 13:49:46 +0000
Subject: [PATCH 2/3] test: add gh api comments DIFC regression coverage
---
 tests/integration/cli-proxy.test.ts | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/tests/integration/cli-proxy.test.ts b/tests/integration/cli-proxy.test.ts
index f1224a6a4..36278a495 100644
--- a/tests/integration/cli-proxy.test.ts
+++ b/tests/integration/cli-proxy.test.ts
@@ -35,6 +35,11 @@ const cliProxyDefaults = {
 },
 };
+const approvedIntegrityToken = process.env.GITHUB_TOKEN || process.env.GH_TOKEN;
+const approvedIntegrityLiveTest = process.env.AWF_RUN_APPROVED_DIFC_PROXY_TESTS === '1' && approvedIntegrityToken
+ ? test
+ : test.skip;
+
 describe('CLI Proxy Sidecar', () => {
 let runner: AwfRunner;
@@ -116,6 +121,25 @@ describe('CLI Proxy Sidecar', () => {
 // Should NOT get "command not found" — the wrapper must be installed
 expect(output + stderr).not.toContain('command not found');
 }, 180000);
+
+ approvedIntegrityLiveTest(
+ 'should preserve array JSON responses for gh api issue comment endpoints under approved integrity',
+ async () => {
+ const result = await runner.runWithSudo(
+ 'bash -c \'gh api "repos/github/gh-aw-firewall/issues/1/comments?per_page=1" | jq -r type\'',
+ {
+ ...cliProxyDefaults,
+ env: {
+ GITHUB_TOKEN: approvedIntegrityToken!,
+ },
+ },
+ );
+
+ expect(result).toSucceed();
+ expect(extractCommandOutput(result.stdout).trim()).toBe('array');
+ },
+ 180000
+ );
 });
 describe('Meta-command Denial', () => {
From fb0bd435499a7a1fd71355c08042571f7a968de2 Mon Sep 17 00:00:00 2001
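Review bot: When `AWF_RUN_APPROVED_DIFC_PROXY_TESTS=1` is set but neither `GITHUB_TOKEN` nor `GH_TOKEN` is present, `approvedIntegrityLiveTest` falls through to `test.skip`, so a job that opted in reports the DIFC regression as skipped rather than failed. For a security regression that is easy to miss in an otherwise green run; I would fail fast before the ternary with `if (process.env.AWF_RUN_APPROVED_DIFC_PROXY_TESTS === '1' && !approvedIntegrityToken) throw new Error('AWF_RUN_APPROVED_DIFC_PROXY_TESTS=1 requires GITHUB_TOKEN or GH_TOKEN');`. The constant also takes whatever token the invoking shell exports, so a short comment such as `// Live test only: use a read-only token; it is forwarded to the sudo-run command below.` would help whoever enables it.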
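Review bot: Nothing in the added test shows that the request was actually evaluated under approved integrity: the options are `cliProxyDefaults` plus a token, and the only assertion is that `jq` prints `array`. Unless `cliProxyDefaults` (defined outside this hunk) pins the integrity mode, the test would presumably pass just as well against a proxy that applies no filtering, which would leave the regression coverage empty. I would state the precondition in a comment above the `runner.runWithSudo(` call, e.g. `// Precondition: external DIFC proxy running in approved-integrity mode; this test does not verify the mode itself.`, or assert it if the runner exposes the proxy configuration. An empty array also satisfies the check, so the test pins the response shape only, not that comment bodies come through.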
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 26 May 2026 14:56:37 +0000
Subject: [PATCH 3/3] test: fix cli proxy regression pipeline handling
---
 tests/README.md | 17 ++++++++++++++---
 tests/integration/cli-proxy.test.ts | 2 +-
 2 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/tests/README.md b/tests/README.md
index 6d6764cae..c2db9b9b8 100644
--- a/tests/README.md
+++ b/tests/README.md
@@ -4,7 +4,7 @@ TypeScript-based integration tests for the awf (Agentic Workflow Firewall) CLI.
 ## Overview
-This directory contains comprehensive integration tests that verify firewall behavior across multiple scenarios. Currently includes **17 integration test files** covering:
+This directory contains comprehensive integration tests that verify firewall behavior across multiple scenarios, including:
 ### Core Functionality
 - **Basic Firewall Functionality** (`basic-firewall.test.ts`) - Domain whitelisting, subdomain matching, exit code propagation
@@ -33,6 +33,7 @@ This directory contains comprehensive integration tests that verify firewall beh
 - **Log Commands** (`log-commands.test.ts`) - Log parsing and analysis
 ### Integration Testing
+- **CLI Proxy** (`cli-proxy.test.ts`) - gh wrapper routing, token isolation, and opt-in approved-integrity live regression coverage
 - **Claude Code** (`claude-code.test.ts`) - Claude Code CLI integration
 - **No Docker** (`no-docker.test.ts`) - Docker-in-Docker removal verification
 - **Docker Warning** (`docker-warning.test.ts`) - Docker command warning messages
@@ -54,9 +55,10 @@ These smoke tests use the locally built firewall and validate:
 ```
 tests/
-├── integration/ # Integration test suites (17 files)
+├── integration/ # Integration test suites
 │ ├── basic-firewall.test.ts
 │ ├── blocked-domains.test.ts
+│ ├── cli-proxy.test.ts
 │ ├── claude-code.test.ts
 │ ├── container-workdir.test.ts
 │ ├── dns-servers.test.ts
@@ -125,6 +127,14 @@ npm test:unit
 npm run test:integration
 ```
+### Run the CLI proxy approved-integrity live regression
+
+This opt-in regression requires a running external DIFC proxy plus a GitHub token supplied via `GITHUB_TOKEN` or `GH_TOKEN`.
+
+```bash
+AWF_RUN_APPROVED_DIFC_PROXY_TESTS=1 sudo -E npm run test:integration -- cli-proxy
+```
+
 ### Run Specific Test Suite
 ```bash
@@ -267,7 +277,7 @@ Key considerations:
 The project uses TypeScript-based integration tests that run in CI via `.github/workflows/test-coverage.yml`:
-**Integration test files (17 total):**
+**Selected integration test files:**
 | Category | Test File | Description |
 |----------|-----------|-------------|
 | Core | `basic-firewall.test.ts` | Domain whitelisting, connectivity |
@@ -277,6 +287,7 @@ The project uses TypeScript-based integration tests that run in CI via `.github/
 | Domains | `wildcard-patterns.test.ts` | Wildcard matching |
 | Security | `network-security.test.ts` | Capability restrictions, SSRF |
 | Security | `robustness.test.ts` | Edge cases, bypass prevention |
+| Integration | `cli-proxy.test.ts` | CLI proxy sidecar coverage, including opt-in approved-integrity gh api array regression |
 | Config | `dns-servers.test.ts` | DNS configuration |
 | Config | `environment-variables.test.ts` | Environment variables |
 | Config | `volume-mounts.test.ts` | Volume mounts |
diff --git a/tests/integration/cli-proxy.test.ts b/tests/integration/cli-proxy.test.ts
index 36278a495..22c40ad0e 100644
--- a/tests/integration/cli-proxy.test.ts
+++ b/tests/integration/cli-proxy.test.ts
@@ -126,7 +126,7 @@ describe('CLI Proxy Sidecar', () => {
 'should preserve array JSON responses for gh api issue comment endpoints under approved integrity',
 async () => {
 const result = await runner.runWithSudo(
- 'bash -c \'gh api "repos/github/gh-aw-firewall/issues/1/comments?per_page=1" | jq -r type\'',
+ 'bash -o pipefail -c \'gh api "repos/github/gh-aw-firewall/issues/1/comments?per_page=1" | jq -er type\'',
 {
 ...cliProxyDefaults,
 env: {
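Review bot: The reason for `-o pipefail` and `jq -e` is not recorded next to the command, and in a one-line shell string the two flags are easy to drop in a later edit. Without `pipefail` the pipeline's status is jq's alone, so a failing `gh api` call is not reported through the exit code; `-e` additionally makes jq exit non-zero when it produces no result at all. I would add above the `runner.runWithSudo(` call: `// pipefail: surface gh api failures; jq -e: fail on empty input instead of exiting 0.` The test callback starts and ends outside this hunk.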