test: add regression tests for cli-proxy validated fixes from #1820 (#1826)

* Initial plan

* test: add regression tests for cli-proxy validated fixes

Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/86274f46-937b-46bd-a5c4-81ff4b46ce9f

* fix: add source reference comment for duplicated regex

Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/86274f46-937b-46bd-a5c4-81ff4b46ce9f

* fix: freeze PROTECTED_ENV_KEYS and update comment

Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/35b7845a-c062-4423-8ee3-5d260968c289

* refactor: remove redundant PROTECTED_KEYS alias

Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/35b7845a-c062-4423-8ee3-5d260968c289

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>

Author: Copilot

containers/cli-proxy/server.js

@@ -26,6 +26,20 @@ const CLI_PROXY_PORT = parseInt(process.env.AWF_CLI_PROXY_PORT || '11000', 10);
 const COMMAND_TIMEOUT_MS = parseInt(process.env.AWF_CLI_PROXY_TIMEOUT_MS || '30000', 10);
 const MAX_OUTPUT_BYTES = parseInt(process.env.AWF_CLI_PROXY_MAX_OUTPUT_BYTES || String(10 * 1024 * 1024), 10);
 
+// Environment keys that agents are not allowed to override via the /exec env field.
+// GH_HOST / GH_TOKEN / GITHUB_TOKEN — prevent auth/routing hijack.
+// NODE_EXTRA_CA_CERTS / SSL_CERT_FILE — prevent TLS trust-store bypass.
+const _PROTECTED_ENV_KEYS = new Set(['GH_HOST', 'GH_TOKEN', 'GITHUB_TOKEN', 'NODE_EXTRA_CA_CERTS', 'SSL_CERT_FILE']);
+const PROTECTED_ENV_KEYS = Object.freeze({
+  has(key) { return _PROTECTED_ENV_KEYS.has(key); },
+  get size() { return _PROTECTED_ENV_KEYS.size; },
+  values() { return _PROTECTED_ENV_KEYS.values(); },
+  keys() { return _PROTECTED_ENV_KEYS.keys(); },
+  entries() { return _PROTECTED_ENV_KEYS.entries(); },
+  forEach(callback, thisArg) { return _PROTECTED_ENV_KEYS.forEach(callback, thisArg); },
+  [Symbol.iterator]() { return _PROTECTED_ENV_KEYS[Symbol.iterator](); },
+});
+
 // --- Structured logging to /var/log/cli-proxy/access.log ---
 
 const LOG_DIR = process.env.AWF_CLI_PROXY_LOG_DIR || '/var/log/cli-proxy';
@@ -226,10 +240,9 @@ async function handleExec(req, res) {
   // Inherit server environment (includes GH_HOST, NODE_EXTRA_CA_CERTS, GH_REPO, etc.)
   const childEnv = Object.assign({}, process.env);
   if (extraEnv && typeof extraEnv === 'object') {
-    // Only allow safe string env overrides; never allow overriding GH_HOST or GH_TOKEN
-    const PROTECTED_KEYS = new Set(['GH_HOST', 'GH_TOKEN', 'GITHUB_TOKEN', 'NODE_EXTRA_CA_CERTS', 'SSL_CERT_FILE']);
+    // Only allow safe string env overrides; never allow overriding keys in PROTECTED_ENV_KEYS.
     for (const [key, value] of Object.entries(extraEnv)) {
-      if (typeof key === 'string' && typeof value === 'string' && !PROTECTED_KEYS.has(key)) {
+      if (typeof key === 'string' && typeof value === 'string' && !PROTECTED_ENV_KEYS.has(key)) {
         childEnv[key] = value;
       }
     }
@@ -353,4 +366,4 @@ if (require.main === module) {
   });
 }
 
-module.exports = { validateArgs, ALWAYS_DENIED_SUBCOMMANDS };
+module.exports = { validateArgs, ALWAYS_DENIED_SUBCOMMANDS, PROTECTED_ENV_KEYS };

containers/cli-proxy/server.test.js

@@ -6,7 +6,29 @@
  * The server only enforces meta-command denial (auth, config, extension).
  */
 
-const { validateArgs, ALWAYS_DENIED_SUBCOMMANDS } = require('./server');
+const { validateArgs, ALWAYS_DENIED_SUBCOMMANDS, PROTECTED_ENV_KEYS } = require('./server');
+
+describe('PROTECTED_ENV_KEYS', () => {
+  it('should protect GH_HOST from agent override', () => {
+    expect(PROTECTED_ENV_KEYS.has('GH_HOST')).toBe(true);
+  });
+
+  it('should protect GH_TOKEN from agent override', () => {
+    expect(PROTECTED_ENV_KEYS.has('GH_TOKEN')).toBe(true);
+  });
+
+  it('should protect GITHUB_TOKEN from agent override', () => {
+    expect(PROTECTED_ENV_KEYS.has('GITHUB_TOKEN')).toBe(true);
+  });
+
+  it('should protect NODE_EXTRA_CA_CERTS from agent override', () => {
+    expect(PROTECTED_ENV_KEYS.has('NODE_EXTRA_CA_CERTS')).toBe(true);
+  });
+
+  it('should protect SSL_CERT_FILE from agent override (combined CA bundle for Go TLS)', () => {
+    expect(PROTECTED_ENV_KEYS.has('SSL_CERT_FILE')).toBe(true);
+  });
+});
 
 describe('validateArgs', () => {
   describe('input validation', () => {

scripts/ci/postprocess-smoke-workflows.test.ts

@@ -0,0 +1,67 @@
+/**
+ * Tests for postprocess-smoke-workflows.ts regex patterns.
+ *
+ * These tests verify that the install-step regex correctly handles both
+ * quoted and unquoted paths, covering the fix for gh-aw compilers that
+ * emit double-quoted ${RUNNER_TEMP}/... paths.
+ */
+
+// The regex is module-internal in postprocess-smoke-workflows.ts (line 58-59)
+// and cannot be imported because the script performs file I/O at module load
+// time. If the source regex changes, these tests will catch regressions by
+// failing on the expected inputs below.
+const installStepRegex =
+  /^(\s*)- name: Install [Aa][Ww][Ff] binary\n\1\s*run: bash "?(?:\/opt\/gh-aw|\$\{RUNNER_TEMP\}\/gh-aw)\/actions\/install_awf_binary\.sh"? v[0-9.]+\n/m;
+
+describe('installStepRegex', () => {
+  it('should match unquoted /opt/gh-aw path', () => {
+    const input =
+      '      - name: Install awf binary\n' +
+      '        run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.25.17\n';
+    expect(installStepRegex.test(input)).toBe(true);
+  });
+
+  it('should match unquoted ${RUNNER_TEMP}/gh-aw path', () => {
+    const input =
+      '      - name: Install awf binary\n' +
+      '        run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.17\n';
+    expect(installStepRegex.test(input)).toBe(true);
+  });
+
+  it('should match double-quoted ${RUNNER_TEMP}/gh-aw path', () => {
+    const input =
+      '      - name: Install awf binary\n' +
+      '        run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.25.17\n';
+    expect(installStepRegex.test(input)).toBe(true);
+  });
+
+  it('should match double-quoted /opt/gh-aw path', () => {
+    const input =
+      '      - name: Install awf binary\n' +
+      '        run: bash "/opt/gh-aw/actions/install_awf_binary.sh" v0.25.17\n';
+    expect(installStepRegex.test(input)).toBe(true);
+  });
+
+  it('should match case-insensitive AWF in step name', () => {
+    const input =
+      '      - name: Install AWF binary\n' +
+      '        run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.25.17\n';
+    expect(installStepRegex.test(input)).toBe(true);
+  });
+
+  it('should not match step with wrong name', () => {
+    const input =
+      '      - name: Install something else\n' +
+      '        run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.25.17\n';
+    expect(installStepRegex.test(input)).toBe(false);
+  });
+
+  it('should capture indentation for replacement', () => {
+    const input =
+      '          - name: Install awf binary\n' +
+      '            run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.25.17\n';
+    const match = input.match(installStepRegex);
+    expect(match).not.toBeNull();
+    expect(match![1]).toBe('          ');
+  });
+});

src/docker-manager.test.ts

@@ -2919,6 +2919,74 @@ describe('docker-manager', () => {
         expect(dependsOn['squid-proxy']).toBeDefined();
         expect(dependsOn['cli-proxy-mcpg']).toBeUndefined();
       });
+
+      it('should pass GH_TOKEN to cli-proxy environment when available', () => {
+        const originalGhToken = process.env.GH_TOKEN;
+        try {
+          process.env.GH_TOKEN = 'ghp_cli_proxy_test_token';
+          const configWithCliProxy = { ...mockConfig, difcProxyHost: 'host.docker.internal:18443' };
+          const result = generateDockerCompose(configWithCliProxy, mockNetworkConfigWithCliProxy);
+          const proxy = result.services['cli-proxy'];
+          const env = proxy.environment as Record<string, string>;
+          expect(env.GH_TOKEN).toBe('ghp_cli_proxy_test_token');
+        } finally {
+          if (originalGhToken !== undefined) {
+            process.env.GH_TOKEN = originalGhToken;
+          } else {
+            delete process.env.GH_TOKEN;
+          }
+        }
+      });
+
+      it('should fall back to GITHUB_TOKEN for cli-proxy when GH_TOKEN is absent', () => {
+        const originalGhToken = process.env.GH_TOKEN;
+        const originalGithubToken = process.env.GITHUB_TOKEN;
+        try {
+          delete process.env.GH_TOKEN;
+          process.env.GITHUB_TOKEN = 'ghp_github_token_fallback';
+          const configWithCliProxy = { ...mockConfig, difcProxyHost: 'host.docker.internal:18443' };
+          const result = generateDockerCompose(configWithCliProxy, mockNetworkConfigWithCliProxy);
+          const proxy = result.services['cli-proxy'];
+          const env = proxy.environment as Record<string, string>;
+          expect(env.GH_TOKEN).toBe('ghp_github_token_fallback');
+        } finally {
+          if (originalGhToken !== undefined) {
+            process.env.GH_TOKEN = originalGhToken;
+          } else {
+            delete process.env.GH_TOKEN;
+          }
+          if (originalGithubToken !== undefined) {
+            process.env.GITHUB_TOKEN = originalGithubToken;
+          } else {
+            delete process.env.GITHUB_TOKEN;
+          }
+        }
+      });
+
+      it('should not set GH_TOKEN in cli-proxy when neither GH_TOKEN nor GITHUB_TOKEN is set', () => {
+        const originalGhToken = process.env.GH_TOKEN;
+        const originalGithubToken = process.env.GITHUB_TOKEN;
+        try {
+          delete process.env.GH_TOKEN;
+          delete process.env.GITHUB_TOKEN;
+          const configWithCliProxy = { ...mockConfig, difcProxyHost: 'host.docker.internal:18443' };
+          const result = generateDockerCompose(configWithCliProxy, mockNetworkConfigWithCliProxy);
+          const proxy = result.services['cli-proxy'];
+          const env = proxy.environment as Record<string, string>;
+          expect(env.GH_TOKEN).toBeUndefined();
+        } finally {
+          if (originalGhToken !== undefined) {
+            process.env.GH_TOKEN = originalGhToken;
+          } else {
+            delete process.env.GH_TOKEN;
+          }
+          if (originalGithubToken !== undefined) {
+            process.env.GITHUB_TOKEN = originalGithubToken;
+          } else {
+            delete process.env.GITHUB_TOKEN;
+          }
+        }
+      });
     });
   });