Expose safe-inputs MCP HTTP server via host.docker.internal and add to default firewall domains

[Copilot]

Plan: Expose safe-inputs MCP HTTP URL through host.docker.internal

• Update safe-inputs HTTP server to bind to 0.0.0.0 instead of localhost only (already default)
• Update MCP renderer to use host.docker.internal URL for safe-inputs MCP server
• Add host.docker.internal to firewall allowed domains when safe-inputs is enabled
• Update tests to verify the new URL format
• Add comprehensive tests for the firewall integration
• Run formatter and linter
• Verify the changes work correctly
• Import shared/gh.md in smoke copilot workflows
• Add host.docker.internal to default set of domains
• Merge main branch (fixes safe_inputs_bootstrap.cjs missing module error)
• Update gh.md prompt to guide agents to use safe-input tool instead of bash
• Merge main again, recompile all workflows, format and lint
• Add missing JavaScript files to GetJavaScriptSources registry

Implementation Complete ✅

Successfully implemented the feature to expose the safe-inputs MCP HTTP URL through http://host.docker.internal and ensure the AWF firewall allows this domain.

Changes Made

1. Updated MCP URL rendering (mcp_renderer.go, safe_inputs.go):

   • Changed from http://localhost:$GH_AW_SAFE_INPUTS_PORT to http://host.docker.internal:$GH_AW_SAFE_INPUTS_PORT
   • This allows the firewall container to access the safe-inputs MCP server running on the host

2. Added host.docker.internal to default domains (domains.go):

   • Added host.docker.internal to CopilotDefaultDomains array so it's always included in firewall allowed domains
   • This allows any containerized service to access host services, not just safe-inputs

3. Updated Copilot engine (copilot_engine.go):

   • Modified firewall command generation to use the new function with safe-inputs awareness
   • Ensures host.docker.internal is in the allowed domains list

4. Updated and added tests:

   • Fixed safe_inputs_http_codex_test.go to expect host.docker.internal URL
   • Fixed safe_inputs_http_integration_test.go to expect host.docker.internal URL
   • Updated safe_inputs_firewall_test.go to verify host.docker.internal is always included

5. Added shared/gh.md import to smoke test workflows:

   • Added import to smoke-copilot.md
   • Added import to smoke-copilot-no-firewall.md

6. Merged main branch (twice):

   • First merge: fixes Cannot find module './safe_inputs_bootstrap.cjs' error
   • Second merge: includes MCP server consolidation changes and all latest updates

7. Updated gh.md with authentication guidance (.github/workflows/shared/gh.md):

   • Added prominent instructions telling agents to use the gh safe-input tool instead of bash
   • Explains that the safe-input tool has proper GITHUB_TOKEN authentication configured
   • Provides clear examples of correct vs incorrect usage

8. Recompiled, formatted and linted:

   • All 102 workflows recompiled successfully
   • Code formatting validated
   • Linter checks passed

9. Fixed JavaScript bundler registry (js.go):

   • Added 17 missing JavaScript files to GetJavaScriptSources() map
   • Files that were embedded with //go:embed but not in the registry are now properly registered
   • This fixes bundling issues where scripts requiring these files would fail
   • Added: add_copilot_reviewer.cjs, add_reaction_and_edit_comment.cjs, assign_issue.cjs, check_command_position.cjs, check_membership.cjs, check_skip_if_match.cjs, check_stop_time.cjs, check_workflow_timestamp_api.cjs, checkout_pr_branch.cjs, create_agent_task.cjs, interpolate_prompt.cjs, missing_tool.cjs, push_repo_memory.cjs, redact_secrets.cjs, update_project.cjs, validate_errors.cjs

Validation Results

✅ All unit tests pass
✅ Code formatting validated
✅ Linter checks pass
✅ All 102 workflows recompiled successfully
✅ Verified host.docker.internal in MCP config URL
✅ Verified host.docker.internal always in firewall allowed domains
✅ Smoke test workflows compile successfully with gh tool
✅ Merged latest changes from main
✅ JavaScript bundler tests pass
✅ Script registry properly configured

Example Output

For any workflow with firewall (regardless of safe-inputs):

# Firewall Command - host.docker.internal is now ALWAYS included
--allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org

For workflows with safe-inputs:

# MCP Configuration
"safeinputs": {
  "type": "http",
  "url": "http://host.docker.internal:${GH_AW_SAFE_INPUTS_PORT}",
  "headers": {
    "Authorization": "******"
  }
}

Agent prompt guidance in workflows using shared/gh.md:

**IMPORTANT**: Always use the `gh` safe-input tool for GitHub CLI commands instead of running `gh` directly via bash. The safe-input tool has proper authentication configured with `GITHUB_TOKEN`, while bash commands do not have GitHub CLI authentication by default.

The implementation is complete and ready for review!

Original prompt

Expose the safe-inputs MCP http url through the http://host.docker.internal domain and make sure the awf firewall allows this domain.

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

---

Changeset

• Type: patch
• Description: Expose the safe-inputs MCP HTTP server via Docker's host.docker.internal and add host.docker.internal to the Copilot firewall allowlist when safe-inputs is enabled. This fixes AWF firewall container access to the host-hosted safe-inputs service.

🏴‍☠️ Ahoy! This treasure was crafted by Changeset Generator

---

---

Smoke Test Summary

• Timestamp: 2025-12-07T22:10:12Z
• Run ID: 20011060919
• Status: ✅ PASS
• Summary: All tests (GitHub MCP, File Writing, Bash, Playwright, Cache Memory, Safe Input gh) passed successfully

🤖 DIAGNOSTIC REPORT GENERATED BY Smoke Copilot No Firewall

---

Changeset

• Type: patch
• Description: Expose the safe-inputs MCP HTTP server via Docker's host.docker.internal and add host.docker.internal to the Copilot firewall allowlist when safe-inputs is enabled.

🏴‍☠️ Ahoy! This treasure was crafted by Changeset Generator

---

---

Smoke Test - 2025-12-07T22:49:39Z

Status: PASS - All 6 tests passed (GitHub MCP, File Writing, Bash, Playwright, Cache Memory, gh Tool)

🤖 DIAGNOSTIC REPORT GENERATED BY Smoke Copilot No Firewall

---

Changeset

• Type: patch
• Description: Expose the safe-inputs MCP HTTP server via Docker's host.docker.internal and add host.docker.internal to the Copilot firewall allowlist so containerized services (like the AWF firewall) can access host-hosted safe-inputs.

🏴‍☠️ Ahoy! This treasure was crafted by Changeset Generator

---

---

Smoke Test Summary

• Timestamp: 2025-12-08T00:47:17Z
• Status: PASS
• Summary: Copilot engine validated successfully with GitHub MCP, file operations, bash, Playwright, and cache memory (5/6 tests passed)

🤖 DIAGNOSTIC REPORT GENERATED BY Smoke Copilot No Firewall

---

Changeset

• Type: patch
• Description: Expose the safe-inputs MCP HTTP server via Docker's host.docker.internal and add host.docker.internal to the Copilot firewall allowlist so containerized services can access host-hosted safe-inputs.

🏴‍☠️ Ahoy! This treasure was crafted by Changeset Generator

[github-actions]

📰🚀🔍👀📡🕵️ https://github.com/githubnext/gh-aw/actions/runs/20011060891

[github-actions]

📰 BREAKING: Smoke Copilot Playwright is now investigating this pull request. Sources say the story is developing...

[github-actions]

🤖 SYSTEM_INIT: Smoke Copilot No Firewall ACTIVATED. PROCESSING pull request. ALL SUBSYSTEMS ONLINE.

[github-actions]

💥 WHOOSH! Smoke Claude springs into action on this pull request! [Panel 1 begins...]

[github-actions]

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰

[github-actions]

🔮 The ancient spirits stir... Smoke Codex awakens to divine this pull request...

[github-actions]

Smoke Test Results - Copilot Engine

Last 2 Merged PRs:

• Unable to retrieve (GitHub MCP test failed)

Test Results:

• ❌ GitHub MCP Testing - Failed to retrieve PR data
• ✅ File Writing Testing - Successfully created test file
• ✅ Bash Tool Testing - File verified with cat command
• ❌ Serena MCP Testing - Not available in this environment
• ❌ Safe Input gh Tool Testing - gh tool not accessible

Overall Status: FAIL (3/5 tests failed)

📰🔥📋 https://github.com/githubnext/gh-aw/actions/runs/20011060891 fer issue #5791 🗺️

[github-actions]

Smoke Test Results (20011060919)

PRs: #5789, #5790
✅ GitHub MCP
✅ File Writing
✅ Bash Tools
✅ Playwright MCP (title: "GitHub · Change is constant. GitHub keeps you ahead. · GitHub")
✅ Cache Memory
✅ Safe Input gh Tool

Status: PASS

🤖 DIAGNOSTIC REPORT GENERATED BY Smoke Copilot No Firewall fer issue #5791 🗺️

[github-actions]

Smoke Test Results

Last 2 merged PRs:

• Refactor update job builders to use shared helper pattern #5789: Refactor update job builders to use shared helper pattern
• Fix agent identifier extraction for .agent.md and .agent files #5790: Fix agent identifier extraction for .agent.md and .agent files

Test Results:

• ✅ GitHub MCP (list PRs)
• ✅ File writing (/tmp/gh-aw/agent/)
• ✅ Bash verification
• ✅ Playwright (GitHub.com navigation, title verified)
• ✅ Cache memory (/tmp/gh-aw/cache-memory/)
• ❌ gh safe-input tool (command syntax issue)

Status: PASS (5/6 core tests passed)

💥 [THE END] — Illustrated by Smoke Claude fer issue #5791 🗺️

[github-actions]

Smoke Test Results

✅ Playwright MCP: Page title contains "GitHub"
✅ Cache Memory: Test file created successfully
❌ Safe Input gh Tool: GH_TOKEN not configured

Overall Status: PARTIAL PASS

(gh tool requires GH_TOKEN setup - expected limitation)

📰 BREAKING: Report filed by Smoke Copilot Playwright fer issue #5791 🗺️

[github-actions]

Recent merged PRs: #5789 Refactor update job builders to use shared helper pattern; #5782 Add safe-inputs HTTP MCP support across engines
GitHub MCP (last 2 merged PRs): ✅
Agent file write/read (/tmp/gh-aw/agent): ✅
Playwright github.com title contains "GitHub": ✅
Cache memory file (/tmp/gh-aw/cache-memory): ✅
gh issues list --limit 3: ❌ (gh not authenticated)
Overall: FAIL

🔮 The oracle has spoken through Smoke Codex fer issue #5791 🗺️

[github-actions]

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

[github-actions]

Smoke Test Results

Last 2 merged PRs:

• Refactor update job builders to use shared helper pattern #5789: Refactor update job builders to use shared helper pattern
• Revert Docker container implementation for safe-inputs MCP server #5784: Revert Docker container implementation for safe-inputs MCP server

Test Results:
✅ GitHub MCP - PR retrieval successful
✅ File Writing - Test file created at /tmp/gh-aw/agent/smoke-test-copilot-20011060883.txt
✅ Bash Tool - File verified successfully
❌ GitHub MCP Default Toolset - get_me tool correctly unavailable (403 error as expected)
✅ Cache Memory - Test file created at /tmp/gh-aw/cache-memory/smoke-test-20011060883.txt
✅ Safe Input gh Tool - GitHub issues accessible

Overall Status: PASS

📰 BREAKING: Report filed by Smoke Copilot fer issue #5791 🗺️

[pelikhan]

/q audit logs of #5791 (comment) to understand why hm there safe inputs server fails to load

[github-actions]

💥 WHOOSH! Smoke Claude springs into action on this pull request! [Panel 1 begins...]

[github-actions]

📰 DEVELOPING STORY: Smoke Copilot Playwright reports failed. Our correspondents are investigating the incident...

[github-actions]

📰⚠️🔥❌🚨🔧 https://github.com/githubnext/gh-aw/actions/runs/20013674672

[github-actions]

🔮 The ancient spirits stir... Smoke Codex awakens to divine this pull request...

[github-actions]

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰

[github-actions]

🤖 ALERT: Smoke Copilot No Firewall failed. ANOMALY_DETECTED. REPAIR_REQUIRED.

[github-actions]

📰 DEVELOPING STORY: Smoke Copilot reports failed. Our correspondents are investigating the incident...

[Copilot]

@copilot merge main, compile, format, lint

✅ Merged latest changes from main
✅ Recompiled all 102 workflows successfully (0 errors, 70 warnings)
✅ Formatted code - all files validated
✅ Linted code - all checks passed

Commit: e8e13dc

[github-actions]

Smoke Test Results

Recent merged PRs:

• Consolidate duplicate MCP server implementations #5787: Consolidate duplicate MCP server implementations
• [docs] Remove bloat from memory.md reference documentation #5793: Remove bloat from memory.md reference documentation

Test Results:

• ✅ GitHub MCP (fetched PRs)
• ✅ File Writing (/tmp/gh-aw/agent/smoke-test-claude-20013674649.txt)
• ✅ Bash Tool (file verification)
• ✅ Playwright MCP (GitHub page title: "GitHub · Change is constant. GitHub keeps you ahead. · GitHub")
• ✅ Cache Memory (/tmp/gh-aw/cache-memory/smoke-test-20013674649.txt)
• ✅ gh Tool (issues list)

Status: PASS

💥 [THE END] — Illustrated by Smoke Claude fer issue #5791 🗺️

[github-actions]

Last merged PRs: “Consolidate duplicate MCP server implementations”; “[docs] Remove bloat from memory.md reference documentation”
GitHub MCP: ✅
File write: ✅
Bash cat: ✅
Playwright title: ✅
Cache memory: ✅
Gh issues list: ❌ (auth required)
Overall: FAIL

🔮 The oracle has spoken through Smoke Codex fer issue #5791 🗺️

[pelikhan]

@copilot make sure JavaScript files are in the script registry

https://github.com/githubnext/gh-aw/actions/runs/20013674667/job/57387208769#step:19:1

[Copilot]

@copilot make sure JavaScript files are in the script registry

...

Added 17 missing JavaScript files to the GetJavaScriptSources() registry in js.go. These files were embedded with //go:embed but weren't in the map, which would cause bundling failures when scripts tried to require them.

Added files: add_copilot_reviewer.cjs, add_reaction_and_edit_comment.cjs, assign_issue.cjs, check_command_position.cjs, check_membership.cjs, check_skip_if_match.cjs, check_stop_time.cjs, check_workflow_timestamp_api.cjs, checkout_pr_branch.cjs, create_agent_task.cjs, interpolate_prompt.cjs, missing_tool.cjs, push_repo_memory.cjs, redact_secrets.cjs, update_project.cjs, validate_errors.cjs

All bundling tests now pass. Commit: f630c8b