feat: add --tty option for interactive tools and update docker config (#51)

* feat: add --tty option for interactive tools and update docker config

Signed-off-by: Jiaxiao (mossaka) Zhou <duibao55328@gmail.com>

* feat: add claude code integration tests and tty support

Signed-off-by: Jiaxiao (mossaka) Zhou <duibao55328@gmail.com>

* feat: enhance claude integration tests and improve command in cli

Signed-off-by: Jiaxiao (mossaka) Zhou <duibao55328@gmail.com>

* docs: document command argument handling for shell variables

The args.length === 1 check is correct and necessary for preserving
shell variables ($HOME, $(command), etc.) that must expand in the
container, not on the host.

Root cause analysis:
- shell-quote library would expand variables on HOST machine
- GitHub Actions commands contain $GITHUB_WORKSPACE, $HOME, etc
- These must expand INSIDE the container, not before
- Docker Compose $$$$ escaping requires literal $ preservation

Solution: Keep single-argument passthrough, add comprehensive docs

Changes:
- Enhanced documentation in src/cli.ts explaining behavior
- Added JSDoc to test runner explaining string vs array
- Added test cases for variable preservation
- Updated docs/usage.md with environment variable examples

This ensures shell variables expand correctly in the container
environment while maintaining backward compatibility.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* feat: add npm cache cleanup step

Signed-off-by: Jiaxiao (mossaka) Zhou <duibao55328@gmail.com>

* fix: update npm cache clean command to use sudo for consistency

Signed-off-by: Jiaxiao (mossaka) Zhou <duibao55328@gmail.com>

* fix: more ci pipeline failure fixes

Signed-off-by: Jiaxiao (mossaka) Zhou <duibao55328@gmail.com>

* ci: remove cache and summary

Signed-off-by: Jiaxiao (mossaka) Zhou <duibao55328@gmail.com>

---------

Signed-off-by: Jiaxiao (mossaka) Zhou <duibao55328@gmail.com>
Co-authored-by: Claude <noreply@anthropic.com>

Author: Mossaka

.github/workflows/test-claude.yml

@@ -0,0 +1,70 @@
+name: Claude Code Tests
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  test-claude-code:
+    name: Claude Code Integration Tests
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build project
+        run: npm run build
+
+      - name: Pre-test cleanup
+        run: sudo ./scripts/ci/cleanup.sh
+
+      - name: Run Claude Code tests
+        id: run-tests
+        env:
+          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
+        run: |
+          set +e
+          sudo -E npm run test:integration -- claude-code.test.ts 2>&1 | tee test-output.log
+          echo "exit_code=$?" >> $GITHUB_OUTPUT
+        continue-on-error: true
+
+      - name: Check test results
+        if: always()
+        run: |
+          if [ "${{ steps.run-tests.outputs.exit_code }}" != "0" ]; then
+            echo "Tests failed with exit code ${{ steps.run-tests.outputs.exit_code }}"
+            exit 1
+          fi
+
+      - name: Post-test cleanup
+        if: always()
+        run: sudo ./scripts/ci/cleanup.sh
+
+      - name: Upload test logs on failure
+        if: failure()
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        with:
+          name: claude-code-test-logs
+          path: |
+            /tmp/*-test.log
+            /tmp/awf-*/
+            /tmp/copilot-logs-*/
+            /tmp/squid-logs-*/
+          retention-days: 7

.github/workflows/test-integration.yml

@@ -65,6 +65,12 @@ jobs:
           sudo -E npm run test:integration -- basic-firewall.test.ts 2>&1 | tee test-output.log
         continue-on-error: true
 
+      - name: Clean npm cache
+        if: always()
+        run: |
+          sudo npm cache clean --force
+          sudo rm -rf ~/.npm/_npx
+
       - name: Generate test summary
         if: always()
         run: |
@@ -120,6 +126,12 @@ jobs:
           sudo -E npm run test:integration -- robustness.test.ts 2>&1 | tee test-output.log
         continue-on-error: true
 
+      - name: Clean npm cache
+        if: always()
+        run: |
+          sudo npm cache clean --force
+          sudo rm -rf ~/.npm/_npx
+
       - name: Generate test summary
         if: always()
         run: |
@@ -175,6 +187,12 @@ jobs:
           sudo -E npm run test:integration -- docker-egress.test.ts 2>&1 | tee test-output.log
         continue-on-error: true
 
+      - name: Clean npm cache
+        if: always()
+        run: |
+          sudo npm cache clean --force
+          sudo rm -rf ~/.npm/_npx
+
       - name: Generate test summary
         if: always()
         run: |

docs/usage.md

@@ -62,6 +62,54 @@ sudo awf \
   'copilot --mcp arxiv,tavily --prompt "Search arxiv for recent AI papers"'
 ```
 
+## Command Passing with Environment Variables
+
+AWF preserves shell variables for expansion inside the container, making it compatible with GitHub Actions and other CI/CD environments.
+
+### Single Argument (Recommended for Complex Commands)
+
+Quote your entire command to preserve shell syntax and variables:
+
+```bash
+# Variables expand inside the container
+sudo awf --allow-domains github.com -- 'echo $HOME && pwd'
+```
+
+Variables like `$HOME`, `$USER`, `$PWD` will expand inside the container, not on your host machine. This is **critical** for commands that need to reference the container environment.
+
+### Multiple Arguments (Simple Commands)
+
+For simple commands without variables or special shell syntax:
+
+```bash
+# Each argument is automatically shell-escaped
+sudo awf --allow-domains github.com -- curl -H "Authorization: Bearer token" https://api.github.com
+```
+
+### GitHub Actions Usage
+
+Environment variables work correctly when using the single-argument format:
+
+```yaml
+- name: Run with environment variables
+  run: |
+    sudo -E awf --allow-domains github.com -- 'cd $GITHUB_WORKSPACE && npm test'
+```
+
+**Why this works:**
+- GitHub Actions expands `${{ }}` syntax before the shell sees it
+- Shell variables like `$GITHUB_WORKSPACE` are preserved literally
+- These variables then expand inside the container with correct values
+
+**Important:** Do NOT use multi-argument format with variables:
+```bash
+# ❌ Wrong: Variables won't expand correctly
+sudo awf -- echo $HOME  # Shell expands $HOME on host first
+
+# ✅ Correct: Single-quoted preserves for container
+sudo awf -- 'echo $HOME'  # Expands to container home
+```
+
 ## Domain Whitelisting
 
 ### Subdomain Matching

src/cli.test.ts

@@ -441,6 +441,38 @@ describe('cli', () => {
     });
   });
 
+  describe('command argument handling with variables', () => {
+    it('should preserve $ in single argument for container expansion', () => {
+      // Single argument - passed through for container expansion
+      const args = ['echo $HOME && echo $USER'];
+      const result = args.length === 1 ? args[0] : joinShellArgs(args);
+      expect(result).toBe('echo $HOME && echo $USER');
+      // $ signs will be escaped to $$ by Docker Compose generator
+    });
+
+    it('should escape arguments when multiple provided', () => {
+      // Multiple arguments - each escaped
+      const args = ['echo', '$HOME', '&&', 'echo', '$USER'];
+      const result = args.length === 1 ? args[0] : joinShellArgs(args);
+      expect(result).toBe("echo '$HOME' '&&' echo '$USER'");
+      // Now $ signs are quoted, won't expand
+    });
+
+    it('should handle GitHub Actions style commands', () => {
+      // Simulates: awf -- 'cd $GITHUB_WORKSPACE && npm test'
+      const args = ['cd $GITHUB_WORKSPACE && npm test'];
+      const result = args.length === 1 ? args[0] : joinShellArgs(args);
+      expect(result).toBe('cd $GITHUB_WORKSPACE && npm test');
+    });
+
+    it('should preserve command substitution', () => {
+      // Simulates: awf -- 'echo $(pwd) && echo $(whoami)'
+      const args = ['echo $(pwd) && echo $(whoami)'];
+      const result = args.length === 1 ? args[0] : joinShellArgs(args);
+      expect(result).toBe('echo $(pwd) && echo $(whoami)');
+    });
+  });
+
   describe('work directory generation', () => {
     it('should generate unique work directories', () => {
       const dir1 = `/tmp/awf-${Date.now()}`;

src/cli.ts

@@ -263,6 +263,11 @@ program
     'Keep containers running after command exits',
     false
   )
+  .option(
+    '--tty',
+    'Allocate a pseudo-TTY for the container (required for interactive tools like Claude Code)',
+    false
+  )
   .option(
     '--work-dir <dir>',
     'Working directory for temporary files',
@@ -312,9 +317,34 @@ program
       console.error('Example: awf --allow-domains github.com -- curl https://api.github.com');
       process.exit(1);
     }
-    
-    // Join arguments with proper shell escaping to preserve argument boundaries
-    const copilotCommand = joinShellArgs(args);
+
+    // Command argument handling:
+    //
+    // SINGLE ARGUMENT (complete shell command):
+    //   When a single argument is passed, it's treated as a complete shell
+    //   command string. This is CRITICAL for preserving shell variables ($HOME,
+    //   $(command), etc.) that must expand in the container, not on the host.
+    //
+    //   Example: awf -- 'echo $HOME'
+    //   → args = ['echo $HOME']  (single element)
+    //   → Passed as-is: 'echo $HOME'
+    //   → Docker Compose: 'echo $$HOME' (escaped for YAML)
+    //   → Container shell: 'echo $HOME' (expands to container home)
+    //
+    // MULTIPLE ARGUMENTS (shell-parsed by user's shell):
+    //   When multiple arguments are passed, each is shell-escaped and joined.
+    //   This happens when the user doesn't quote the command.
+    //
+    //   Example: awf -- curl -H "Auth: token" https://api.github.com
+    //   → args = ['curl', '-H', 'Auth: token', 'https://api.github.com']
+    //   → joinShellArgs(): curl -H 'Auth: token' https://api.github.com
+    //
+    // Why not use shell-quote library?
+    // - shell-quote expands variables on the HOST ($HOME → /home/hostuser)
+    // - We need variables to expand in CONTAINER ($HOME → /root or /home/runner)
+    // - The $$$$  escaping pattern requires literal $ preservation
+    //
+    const copilotCommand = args.length === 1 ? args[0] : joinShellArgs(args);
     // Parse and validate options
     const logLevel = options.logLevel as LogLevel;
     if (!['debug', 'info', 'warn', 'error'].includes(logLevel)) {
@@ -381,6 +411,7 @@ program
       copilotCommand,
       logLevel,
       keepContainers: options.keepContainers,
+      tty: options.tty || false,
       workDir: options.workDir,
       buildLocal: options.buildLocal,
       imageRegistry: options.imageRegistry,

src/docker-manager.test.ts

@@ -173,13 +173,21 @@ describe('docker-manager', () => {
       expect(copilot.cap_add).toContain('NET_ADMIN');
     });
 
-    it('should disable TTY to prevent ANSI escape sequences', () => {
+    it('should disable TTY by default to prevent ANSI escape sequences', () => {
       const result = generateDockerCompose(mockConfig, mockNetworkConfig);
       const copilot = result.services.copilot;
 
       expect(copilot.tty).toBe(false);
     });
 
+    it('should enable TTY when config.tty is true', () => {
+      const configWithTty = { ...mockConfig, tty: true };
+      const result = generateDockerCompose(configWithTty, mockNetworkConfig);
+      const copilot = result.services.copilot;
+
+      expect(copilot.tty).toBe(true);
+    });
+
     it('should escape dollar signs in commands for docker-compose', () => {
       const configWithVars = {
         ...mockConfig,

src/docker-manager.ts

@@ -36,7 +36,7 @@ async function getExistingDockerSubnets(): Promise<string[]> {
 
     logger.debug(`Found existing Docker subnets: ${subnets.join(', ')}`);
     return subnets;
-  } catch (error) {
+  } catch {
     logger.debug('Failed to query Docker networks, proceeding with random subnet');
     return [];
   }
@@ -196,6 +196,8 @@ export function generateDockerCompose(
     if (process.env.GITHUB_TOKEN) environment.GITHUB_TOKEN = process.env.GITHUB_TOKEN;
     if (process.env.GH_TOKEN) environment.GH_TOKEN = process.env.GH_TOKEN;
     if (process.env.GITHUB_PERSONAL_ACCESS_TOKEN) environment.GITHUB_PERSONAL_ACCESS_TOKEN = process.env.GITHUB_PERSONAL_ACCESS_TOKEN;
+    // Anthropic API key for Claude Code
+    if (process.env.ANTHROPIC_API_KEY) environment.ANTHROPIC_API_KEY = process.env.ANTHROPIC_API_KEY;
     if (process.env.USER) environment.USER = process.env.USER;
     if (process.env.TERM) environment.TERM = process.env.TERM;
     if (process.env.XDG_CONFIG_HOME) environment.XDG_CONFIG_HOME = process.env.XDG_CONFIG_HOME;
@@ -253,7 +255,7 @@ export function generateDockerCompose(
     },
     cap_add: ['NET_ADMIN'], // Required for iptables
     stdin_open: true,
-    tty: false, // Disable TTY to prevent ANSI escape sequences in logs
+    tty: config.tty || false, // Use --tty flag, default to false for clean logs
     // Escape $ with $$ for Docker Compose variable interpolation
     command: ['/bin/bash', '-c', config.copilotCommand.replace(/\$/g, '$$$$')],
   };
@@ -432,7 +434,7 @@ export async function startContainers(workDir: string, allowedDomains: string[])
     await execa('docker', ['rm', '-f', 'awf-squid', 'awf-copilot'], {
       reject: false,
     });
-  } catch (error) {
+  } catch {
     // Ignore errors if containers don't exist
     logger.debug('No existing containers to remove (this is normal)');
   }
@@ -636,6 +638,12 @@ export async function cleanup(workDir: string, keepFiles: boolean): Promise<void
         const preservedSquidLogsDir = path.join(os.tmpdir(), `squid-logs-${timestamp}`);
         try {
           fs.renameSync(squidLogsDir, preservedSquidLogsDir);
+
+          // Make logs readable by GitHub Actions runner for artifact upload
+          // Squid creates logs as 'proxy' user (UID 13) which runner cannot read
+          // chmod a+rX sets read for all users, and execute for dirs (capital X)
+          execa.sync('chmod', ['-R', 'a+rX', preservedSquidLogsDir]);
+
           logger.info(`Squid logs preserved at: ${preservedSquidLogsDir}`);
         } catch (error) {
           logger.debug('Could not preserve squid logs:', error);

src/host-iptables.ts

@@ -41,7 +41,7 @@ export async function ensureFirewallNetwork(): Promise<{
     await execa('docker', ['network', 'inspect', NETWORK_NAME]);
     networkExists = true;
     logger.debug(`Network '${NETWORK_NAME}' already exists`);
-  } catch (error) {
+  } catch {
     // Network doesn't exist
   }
 
@@ -96,7 +96,7 @@ export async function setupHostIptables(squidIp: string, squidPort: number): Pro
     logger.warn('DOCKER-USER chain does not exist, which is unexpected. Attempting to create it...');
     try {
       await execa('iptables', ['-t', 'filter', '-N', 'DOCKER-USER']);
-    } catch (createError) {
+    } catch {
       throw new Error(
         'Failed to create DOCKER-USER chain. This may indicate a permission or Docker installation issue.'
       );