first commit

Author: Mossaka

.dockerignore

@@ -0,0 +1,10 @@
+node_modules
+npm-debug.log
+dist
+.git
+.github
+*.md
+.gitignore
+.env
+*.tgz
+.DS_Store

.gitattributes

@@ -0,0 +1 @@
+.github/workflows/*.lock.yml linguist-generated=true merge=ours

.github/workflows/dev.lock.yml

@@ -0,0 +1,54 @@
+---
+on: 
+  workflow_dispatch:
+concurrency:
+  group: dev-workflow-${{ github.ref }}
+  cancel-in-progress: true
+name: Dev
+engine: copilot
+permissions:
+  contents: read
+  actions: read
+tools:
+  github:
+---
+
+# Test GitHub MCP Tools
+
+Test each GitHub MCP tool with sensible arguments to verify they are configured properly.
+
+**Goal**: Invoke each tool from the GitHub MCP server with reasonable arguments. Some tools may fail due to missing data or invalid arguments, but they should at least be callable. Fail if there are permission issues indicating the tools aren't properly configured.
+
+## Instructions
+
+**Discover and test all available GitHub MCP tools:**
+
+1. First, explore and identify all tools available from the GitHub MCP server
+2. For each discovered tool, invoke it with sensible arguments based on the repository context (${{ github.repository }})
+3. Use appropriate parameters for each tool (e.g., repository name, issue numbers, PR numbers, etc.)
+
+Example tools you should discover and test may include (but are not limited to):
+- Context tools: `get_me`, etc.
+- Repository tools: `get_file_contents`, `list_branches`, `list_commits`, `search_repositories`, etc.
+- Issues tools: `list_issues`, `search_issues`, `get_issue`, etc.
+- Pull Request tools: `list_pull_requests`, `get_pull_request`, `search_pull_requests`, etc.
+- Actions tools: `list_workflows`, `list_workflow_runs`, etc.
+- Release tools: `list_releases`, etc.
+- And any other tools you discover from the GitHub MCP server
+
+## Expected Behavior
+
+- Each tool should be invoked successfully, even if it returns empty results or errors due to data not existing
+- If a tool cannot be called due to **permission issues** (e.g., "tool not allowed", "permission denied", "unauthorized"), the task should **FAIL** 
+- If a tool fails due to invalid arguments or missing data (e.g., "resource not found", "invalid parameters"), that's acceptable - continue to the next tool
+- Log the results of each tool invocation (success or failure reason)
+
+## Summary
+
+After testing all tools, provide a summary:
+- Total tools tested: [count]
+- Successfully invoked: [count]
+- Failed due to missing data/invalid args: [count]  
+- Failed due to permission issues: [count] - **FAIL if > 0**
+
+If any permission issues were encountered, clearly state which tools had permission problems and fail the workflow.

.github/workflows/dev.md

@@ -0,0 +1,130 @@
+name: Test Firewall with Copilot Fetch
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  test-copilot-fetch:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Install dependencies
+        run: |
+          npm install
+          npm run build
+
+      - name: Make wrapper available globally with sudo
+        run: |
+          # Create sudo wrapper script for iptables manipulation
+          sudo tee /usr/local/bin/awf > /dev/null <<EOF
+          #!/bin/bash
+          exec $(which node) $GITHUB_WORKSPACE/dist/cli.js "\$@"
+          EOF
+          sudo chmod +x /usr/local/bin/awf
+          which awf
+          awf --version
+
+      - name: Test HTTP fetch through firewall
+        timeout-minutes: 5
+        env:
+          GITHUB_TOKEN: ${{ secrets.COPILOT_CLI_TOKEN }}
+        run: |
+          set -o pipefail
+
+          # Test that curl can access GitHub API through the firewall
+          # This validates that HTTP/HTTPS traffic is properly routed through Squid
+          sudo awf \
+            --allow-domains raw.githubusercontent.com,api.github.com,github.com,api.anthropic.com,api.enterprise.githubcopilot.com,registry.npmjs.org,statsig.anthropic.com,ghcr.io,githubusercontent.com \
+            --log-level debug \
+            "curl -s https://api.github.com/repos/nodejs/node/releases/latest" \
+            2>&1 | tee /tmp/copilot-fetch-output.log
+
+          # Verify the output contains expected data from the API fetch
+          if grep -qi "tag_name\|version\|release" /tmp/copilot-fetch-output.log; then
+            echo "✓ Successfully fetched and processed GitHub API data through firewall"
+            exit 0
+          else
+            echo "✗ Fetch output doesn't contain expected release information"
+            echo "This could indicate network filtering issues through the firewall"
+            exit 1
+          fi
+
+      - name: Upload logs
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: copilot-fetch-logs
+          path: /tmp/copilot-fetch-output.log
+          if-no-files-found: warn
+
+      - name: Test blocked domain
+        timeout-minutes: 3
+        env:
+          GITHUB_TOKEN: ${{ secrets.COPILOT_CLI_TOKEN }}
+        run: |
+          set -o pipefail
+
+          echo "Testing that blocked domains are actually blocked..."
+
+          PROMPT="Fetch data from https://httpbin.org/get and show me the response"
+
+          # Run copilot through firewall WITHOUT allowing httpbin.org
+          # This should fail or return an error about network access
+          sudo -E awf \
+            --allow-domains raw.githubusercontent.com,api.github.com,github.com,api.anthropic.com,api.enterprise.githubcopilot.com,registry.npmjs.org,statsig.anthropic.com,ghcr.io,githubusercontent.com \
+            --log-level debug \
+            "npx -y @github/copilot --prompt \"$PROMPT\"" \
+            2>&1 | tee /tmp/copilot-blocked-output.log || true
+
+          # Verify that the request was blocked (look for connection errors or proxy denial)
+          if grep -qi "denied\|blocked\|connection.*failed\|network.*error\|unable to fetch\|cannot access" /tmp/copilot-blocked-output.log; then
+            echo "✓ Blocked domain was correctly denied by firewall"
+            exit 0
+          else
+            echo "⚠ Warning: Could not confirm domain blocking (may need manual verification)"
+            echo "Check the logs to verify httpbin.org was actually blocked"
+            # Don't fail the test - this is a best-effort verification
+            exit 0
+          fi
+
+      - name: Upload blocked domain test logs
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: copilot-blocked-logs
+          path: /tmp/copilot-blocked-output.log
+          if-no-files-found: warn
+
+      - name: Test Summary
+        if: always()
+        run: |
+          echo "=============================================="
+          echo "Firewall + Copilot Fetch Test"
+          echo "=============================================="
+          echo "This test validates that:"
+          echo "  1. HTTP requests can be made through the firewall"
+          echo "  2. Allowed domains (github.com, api.github.com) are accessible"
+          echo "  3. Applications can fetch and process real API data"
+          echo "  4. Blocked domains are denied by the proxy"
+          echo "  5. The firewall correctly filters L7 HTTP/HTTPS traffic"
+          echo ""
+          echo "Test scenarios:"
+          echo "  ✓ Fetch GitHub API data (allowed)"
+          echo "  ✓ Block httpbin.org (not in allowlist)"
+          echo "=============================================="

.github/workflows/scout.yml

@@ -0,0 +1,85 @@
+name: Test Firewall with Copilot Help
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  test-copilot-help:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Install dependencies
+        run: |
+          npm install
+          npm run build
+
+      - name: Make wrapper available globally with sudo
+        run: |
+          # Create sudo wrapper script for iptables manipulation
+          sudo tee /usr/local/bin/awf > /dev/null <<EOF
+          #!/bin/bash
+          exec $(which node) $GITHUB_WORKSPACE/dist/cli.js "\$@"
+          EOF
+          sudo chmod +x /usr/local/bin/awf
+          which awf
+          awf --version
+
+      - name: Test Copilot CLI --help through firewall
+        timeout-minutes: 3
+        env:
+          GITHUB_TOKEN: ${{ secrets.COPILOT_CLI_TOKEN }}
+        run: |
+          set -o pipefail
+
+          # Run copilot --help through the firewall
+          # Only allow essential domains for Copilot CLI
+          sudo -E awf \
+            --allow-domains raw.githubusercontent.com,api.github.com,github.com,registry.npmjs.org \
+            --log-level debug \
+            "npx -y @github/copilot@0.0.347 --help" \
+            2>&1 | tee /tmp/copilot-help-output.log
+
+          # Verify the help output contains expected content
+          if grep -q "Usage: copilot" /tmp/copilot-help-output.log; then
+            echo "✓ Copilot help command succeeded"
+            exit 0
+          else
+            echo "✗ Copilot help output not found"
+            exit 1
+          fi
+
+      - name: Upload logs
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: copilot-help-logs
+          path: /tmp/copilot-help-output.log
+          if-no-files-found: warn
+
+      - name: Test Summary
+        if: always()
+        run: |
+          echo "=========================================="
+          echo "Firewall + Copilot --help Test"
+          echo "=========================================="
+          echo "This test validates that:"
+          echo "  1. Copilot CLI can run inside the firewall"
+          echo "  2. Basic help command works with minimal domain whitelist"
+          echo "  3. The firewall doesn't interfere with simple commands"
+          echo "=========================================="