Skip to content

feat: allow empty allowDomains to block all network access#451

Merged
Mossaka merged 7 commits intomainfrom
copilot/update-allowdomains-empty-value
Feb 4, 2026
Merged

feat: allow empty allowDomains to block all network access#451
Mossaka merged 7 commits intomainfrom
copilot/update-allowdomains-empty-value

Conversation

Copy link
Contributor

Copilot AI commented Jan 29, 2026
edited
Loading

--allow-domains previously required at least one domain. Users need the ability to run commands with no network access.

Changes

  • src/cli.ts: Remove validation requiring ≥1 domain; add debug log when no domains specified
  • src/squid-config.test.ts: Add test verifying empty domains generates http_access deny all
  • tests/integration/empty-domains.test.ts: Add integration tests verifying network blocking, offline commands, and debug output when no domains are specified
  • docs/usage.md, docs-site/.../cli-reference.md: Update docs to reflect optional nature

Usage

# Run command with no network access
sudo awf -- echo "offline command"

# Squid config generates deny-all rule
# No domains configured
http_access deny all

The squid config generator already handled empty domain lists correctly (http_access deny all); only the CLI validation was blocking this use case.

Original prompt

awf allowDomains should accept empty, meaning no network is allowed

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

@Mossaka
feat: allow empty allowDomains to block all network access
89a42ff 
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Copilot AI changed the title [WIP] Update allowDomains to accept empty value for no network access feat: allow empty allowDomains to block all network access Jan 29, 2026
Copilot AI requested a review from Mossaka January 29, 2026 22:15
@Mossaka
Copy link
Collaborator

Mossaka commented Jan 29, 2026

@copilot add more integration tests to test the awf with empty domains

@Mossaka
test: add integration tests for empty domains (no network access)
8536a42 
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Copy link
Contributor Author

Copilot AI commented Jan 29, 2026

@copilot add more integration tests to test the awf with empty domains

Added integration tests in tests/integration/empty-domains.test.ts (8536a42). The tests verify:

  • All network access (HTTP/HTTPS) is blocked when no domains are specified
  • Offline commands (echo, file operations, computations) still work
  • Debug output indicates no domains are configured
  • DNS resolution works but network requests fail

@Mossaka
test: fix misleading test title for DNS behavior test
f82265a 
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
@github-actions
Copy link
Contributor

github-actions bot commented Jan 30, 2026
edited
Loading

✅ Coverage Check Passed

Overall Coverage

Metric Base PR Delta
Lines 77.98% 78.49% 📈 +0.51%
Statements 78.05% 78.56% 📈 +0.51%
Functions 77.77% 78.01% 📈 +0.24%
Branches 71.70% 72.49% 📈 +0.79%
📁 Per-file Coverage Changes (2 files)
File Lines (Before → After) Statements (Before → After)
src/cli.ts 40.1% → 40.2% (+0.14%) 40.3% → 40.4% (+0.14%)
src/docker-manager.ts 79.7% → 81.7% (+1.97%) 79.0% → 81.0% (+2.05%)

Coverage comparison generated by scripts/ci/compare-coverage.ts

@github-actions
Copy link
Contributor

github-actions bot commented Jan 30, 2026
edited
Loading

🎬 THE ENDSmoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

@github-actions
Copy link
Contributor

github-actions bot commented Jan 30, 2026
edited
Loading

Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded.

@github-actions
Copy link
Contributor

github-actions bot commented Jan 30, 2026
edited
Loading

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions
Copy link
Contributor

github-actions bot commented Jan 30, 2026

Smoke Test Results (Run 21529827614)

✅ GitHub MCP: #448 feat(cli): add --enable-chroot for transparent host binary execution
✅ GitHub MCP: #426 docs: add agent image tooling reference
✅ Playwright: GitHub page title verified
✅ File Write: smoke-test-copilot-21529827614.txt created
✅ Bash: File read successful

Status: PASS

cc @Mossaka

AI generated by Smoke Copilot

@github-actions
Copy link
Contributor

github-actions bot commented Jan 30, 2026

Smoke Test Results - Claude Engine

✅ GitHub MCP: #450 ci: add npm registry auth, #449 chore: bump version to 0.1.5
✅ Playwright: Page title verified ("GitHub · Change is constant. GitHub keeps you ahead. · GitHub")
✅ File Write: Created /tmp/gh-aw/agent/smoke-test-claude-21529827612.txt
✅ Bash Tool: Verified file contents successfully

Overall: PASS

AI generated by Smoke Claude

@github-actions
Copy link
Contributor

github-actions bot commented Jan 30, 2026

❌ Smoke Test: Chroot Runtime Verification - Cannot Run

This smoke test cannot be executed in the current GitHub Actions environment due to security restrictions.

Issue

The environment has the NoNewPrivs flag set (NoNewPrivs=1), which prevents:

  • Running sudo to gain root privileges
  • Using chroot (requires root)

Host Versions Captured

Python 3.12.3
Node.js v20.20.0
Go 1.24.12

Alternatives

To properly test --enable-chroot, this test needs to run in:

  1. Self-hosted runner without NoNewPrivs restrictions
  2. Container with privileged capabilities (e.g., --cap-add=SYS_CHROOT)
  3. Different job configuration that allows privilege escalation

Recommendation

Consider adding a separate workflow job specifically for chroot testing with appropriate permissions, or run this test manually on a development machine where sudo/chroot is available.

AI generated by Smoke Chroot

@Mossaka
Copy link
Collaborator

Mossaka commented Jan 30, 2026

@copilot-swe-agent review

@Mossaka Mossaka marked this pull request as ready for review January 30, 2026 20:52
@Mossaka
Copy link
Collaborator

Mossaka commented Feb 3, 2026

@copilot please merge origin/main

Copilot AI and others added 2 commits February 3, 2026 19:50
chore: merge origin/main into branch
c6e4c77
@Mossaka
chore: merge origin/main and fix integration test
1b6b0cc 
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
@Mossaka Mossaka merged commit f23f9b9 into main Feb 4, 2026
@Mossaka Mossaka deleted the copilot/update-allowdomains-empty-value branch February 4, 2026 17:06
Copilot AI added a commit that referenced this pull request Feb 4, 2026
@Mossaka
feat: allow empty allowDomains to block all network access (#451)
75023ce 
* Initial plan

* feat: allow empty allowDomains to block all network access

Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>

* test: add integration tests for empty domains (no network access)

Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>

* test: fix misleading test title for DNS behavior test

Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>

* ci: re-trigger workflow checks

* chore: merge origin/main and fix integration test

Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Co-authored-by: Jiaxiao (mossaka) Zhou <duibao55328@gmail.com>
This was referenced Feb 4, 2026
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Mossaka Mossaka Awaiting requested review from Mossaka

Assignees

@Mossaka Mossaka

Copilot code review Copilot

Labels

smoke-claude

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Mossaka