fix: set JAVA_TOOL_OPTIONS and generate Maven settings.xml for JVM proxy #963

Open
Copilot wants to merge 2 commits into main from
copilot/fix-java-builds-proxy-issues

Copilot AI commented Feb 19, 2026

All Java builds (0/10) fail because JVM ignores HTTP_PROXY/HTTPS_PROXY. The docs claimed JAVA_TOOL_OPTIONS was set automatically — it wasn't.

Changes

  • src/docker-manager.ts — Set JAVA_TOOL_OPTIONS in agent container environment:
    -Dhttp.proxyHost=squid-proxy -Dhttp.proxyPort=3128 -Dhttps.proxyHost=squid-proxy -Dhttps.proxyPort=3128 -Dhttp.nonProxyHosts=localhost|127.0.0.1
    
  • containers/agent/entrypoint.sh — Auto-generate ~/.m2/settings.xml with proxy config (Maven ignores both HTTP_PROXY and JAVA_TOOL_OPTIONS). Skips if file already exists.
  • docs/troubleshooting.md — Updated to reflect both are now automatic
  • .github/workflows/build-test-java.md — Removed manual Maven proxy setup instructions
  • src/docker-manager.test.ts — Test for JAVA_TOOL_OPTIONS presence and content
Original prompt

This section details on the original issue you should resolve

<issue_title>Java builds fail 0/10: Maven Central and Gradle Plugin Portal unreachable through Squid proxy</issue_title>
<issue_description>## Summary

In the AWF Build/Test Experiment v3 (Feb 17, 2026) using gh-aw v0.45.2 and AWF v0.19.1, all 10 Java repos failed to build despite the java ecosystem domain allowlist including repo1.maven.org, repo.maven.apache.org, plugins.gradle.org, services.gradle.org, etc.

The chroot binary interception issue (#711) is now fully resolved: java, javac, gradle, and mvn all execute correctly inside the container. The failure is purely dependency resolution through the Squid proxy.

Symptoms

Maven repos (gson, guava, jackson-databind, mapstruct, mybatis-3):

  • Could not resolve dependencies / Could not transfer artifact from/to central
  • Maven Central (repo1.maven.org) returns connection errors through the proxy

Gradle repos (caffeine, mockito, okhttp, resilience4j, retrofit):

  • Could not resolve plugin / Gradle wrapper download fails with SocketException
  • Plugin artifacts from plugins.gradle.org / plugins-artifacts.gradle.org fail
  • Gradle wrapper download from services.gradle.org fails

Domains Already in Allowlist

The java ecosystem already includes:

  • repo1.maven.org, repo.maven.apache.org (Maven Central)
  • plugins.gradle.org, services.gradle.org, plugins-artifacts.gradle.org, gradle.org
  • jcenter.bintray.com, maven.pkg.github.com, maven.oracle.com
  • And many more Java-related domains

Root Cause Hypothesis

Since the domains ARE in the allowlist, possible causes:

  1. SSL interception issues: Squid's SSL bump may be breaking Java's TLS verification for these specific domains
  2. Missing CDN/redirect domains: Maven Central and Gradle may redirect to CDN hosts (e.g., downloads.gradle-dn.com, Sonatype CDN) not in the allowlist
  3. SNI or certificate chain issues specific to Java's HTTP client through the proxy

Impact

  • 10 repos affected: caffeine, gson, guava, jackson-databind, mapstruct, mockito, mybatis-3, okhttp, resilience4j, retrofit
  • Java is the only language at 0% build success (all other languages are 70-100%)
  • This is the #1 remaining blocker from the v3 experiment

Experiment Context

Comments on the Issue (you are @copilot in this section)

@Mossaka ## Root Cause Found: JVM Proxy Configuration Gap

After deeper investigation, the issue is NOT missing domains — it's that Java/JVM does not read HTTP_PROXY/HTTPS_PROXY environment variables.

The Problem

AWF sets HTTP_PROXY, HTTPS_PROXY, SQUID_PROXY_HOST, SQUID_PROXY_PORT in the agent container environment. However:

  1. JVM ignores these — Java uses JVM system properties (-Dhttp.proxyHost, -Dhttps.proxyHost) instead
  2. Maven double-ignores them — Maven requires ~/.m2/settings.xml with proxy configuration, even beyond JVM system properties
  3. Gradle also doesn't automatically use HTTP_PROXY — it uses gradle.properties or JVM args

The AWF troubleshooting docs mention JAVA_TOOL_OPTIONS should be set automatically, but the actual code in src/docker-manager.ts (around line 342) only sets HTTP_PROXY, HTTPS_PROXY, SQUID_PROXY_HOST, SQUID_PROXY_PORT — no JAVA_TOOL_OPTIONS.

Evidence

Firewall logs from the failed runs showed zero requests to Maven/Gradle domains — traffic never even reached the Squid proxy because the JVM didn't know about it.

Fix Verification

When the Copilot agent was instructed to manually set:

  • JAVA_TOOL_OPTIONS="-Dhttp.proxyHost=$SQUID_PROXY_HOST -Dhttp.proxyPort=$SQUID_PROXY_PORT -Dhttps.proxyHost=$SQUID_PROXY_HOST -Dhttps.proxyPort=$SQUID_PROXY_PORT"
  • Create ~/.m2/settings.xml with proxy configuration

Results improved from 0/10 to 5/10 builds succeeding:

| Repo | Result | Notes |
| --- | --- | --- |
| resilience4j | SUCCESS (2,357 tests pass) | Perfect |
| guava | SUCCESS (833,000+ tests) | Excellent |
| jackson-databind | SUCCESS (5,348 tests) | Clean |
| gson | PARTIAL (9,194/9,232 tests) | Needs maven.google.com |
| mybatis-3 | PARTIAL (1,964 pass, 29 fail) | Param-name test issues |
| caffeine | TIMEOUT | Build works, needs >20 min |
| mapstruct | TIMEOUT | Build works, Javadoc timed out |
| mockito | FAILED | Needs dl.google.com |
| okhttp | FAILED | Needs dl.google.com (680 blocked requests) |
| retrofit | FAILED | DNS resolution failure |

Proposed Fix

AWF's docker-manager.ts should automatically set JAVA_TOOL_OPTIONS with proxy configuration when SQUID_PROXY_HOST/SQUID_PROXY_PORT are available:

// In docker-manager.ts envir...

</details>



- Fixes github/gh-aw-firewall#946


Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix Java builds failing due to Maven and Gradle proxy issues" to "fix: set JAVA_TOOL_OPTIONS and generate Maven settings.xml for JVM proxy" on Feb 19, 2026
Mossaka marked this pull request as ready for review February 19, 2026 22:44
Copilot AI review requested due to automatic review settings February 19, 2026 22:44

github-actions bot commented Feb 19, 2026

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤


github-actions bot commented Feb 19, 2026

Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded.


github-actions bot commented Feb 19, 2026

🎬 THE END: Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨


github-actions bot commented Feb 19, 2026

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions

✅ Coverage Check Passed

Overall Coverage

| Metric | Base | PR | Delta |
| --- | --- | --- | --- |
| Lines | 82.30% | 82.45% | 📈 +0.15% |
| Statements | 82.23% | 82.37% | 📈 +0.14% |
| Functions | 82.74% | 82.74% | ➡️ +0.00% |
| Branches | 74.46% | 74.55% | 📈 +0.09% |

📁 Per-file Coverage Changes (1 files)

| File | Lines (Before → After) | Statements (Before → After) |
| --- | --- | --- |
| src/docker-manager.ts | 83.2% → 83.8% (+0.55%) | 82.5% → 83.0% (+0.54%) |

Coverage comparison generated by scripts/ci/compare-coverage.ts

@github-actions

Bun Build Test Results

Project Install Tests Status
elysia 1/1 PASS
hono 1/1 PASS

Overall: PASS

All Bun build tests passed successfully.

AI generated by Build Test Bun

@github-actions

Node.js Build Test Results

Project Install Tests Status
clsx PASS PASS
execa PASS PASS
p-limit PASS PASS

Overall: PASS

All projects installed successfully and passed their test suites.

AI generated by Build Test Node.js

@github-actions

C++ Build Test Results

Project CMake Build Status
fmt PASS
json PASS

Overall: PASS

All C++ projects built successfully.

AI generated by Build Test C++

@github-actions

.NET Build Test Results

Project Restore Build Run Status
hello-world PASS
json-parse PASS

Overall: PASS

All .NET projects restored, built, and ran successfully.

AI generated by Build Test .NET

@github-actions

Smoke Test Results (Copilot)

Last 2 Merged PRs:

Test Results:

  • ✅ GitHub MCP: Retrieved merged PRs
  • ✅ Playwright: Page title contains "GitHub"
  • ✅ File Write: Created smoke-test-copilot-22164939185.txt
  • ✅ Bash: File verified successfully

Status: PASS

cc @Copilot

AI generated by Smoke Copilot

@github-actions

Build Test: Deno - Results

Project Tests Status
oak 1/1 ✅ PASS
std 1/1 ✅ PASS

Overall: ✅ PASS

All Deno tests passed successfully.

AI generated by Build Test Deno


Copilot AI left a comment


Pull request overview

This PR fixes Java builds failing in AWF by configuring JVM proxy settings. The root cause was that Java/JVM tools don't read standard HTTP_PROXY/HTTPS_PROXY environment variables. The solution sets JAVA_TOOL_OPTIONS with JVM system properties for proxy configuration and auto-generates Maven's settings.xml file.

Changes:

  • Automatically sets JAVA_TOOL_OPTIONS environment variable in agent container with JVM proxy system properties
  • Auto-generates ~/.m2/settings.xml with Maven proxy configuration during container entrypoint
  • Updates documentation to reflect these features are now automatic

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| src/docker-manager.ts | Adds JAVA_TOOL_OPTIONS environment variable with JVM proxy system properties (-Dhttp.proxyHost, -Dhttp.proxyPort, etc.) |
| src/docker-manager.test.ts | Adds test coverage for JAVA_TOOL_OPTIONS environment variable presence and content |
| containers/agent/entrypoint.sh | Auto-generates Maven settings.xml with proxy configuration if SQUID_PROXY_HOST/PORT are set |
| docs/troubleshooting.md | Updates Java proxy documentation to indicate JAVA_TOOL_OPTIONS and Maven settings.xml are now generated automatically |
| .github/workflows/build-test-java.md | Removes manual Maven proxy setup instructions since it's now automatic |


# Generate Maven settings.xml with proxy configuration
# Maven ignores JAVA_TOOL_OPTIONS and HTTP_PROXY; it requires ~/.m2/settings.xml
if [ -n "$SQUID_PROXY_HOST" ] && [ -n "$SQUID_PROXY_PORT" ]; then
MAVEN_DIR="$(eval echo ~awfuser)/.m2"
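Review bot: the eval in MAVEN_DIR="$(eval echo ~awfuser)/.m2" is unnecessary and should be dropped from the entrypoint. The user name is a literal, so the tilde expands without eval; resolving the directory from the passwd database (for example getent passwd awfuser | cut -d: -f6) or from $HOME avoids re-parsing shell text. The guard on the line above only checks that SQUID_PROXY_HOST and SQUID_PROXY_PORT are non-empty; if they are then interpolated into the generated settings.xml, check first that they are a hostname and a numeric port.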

Copilot AI Feb 19, 2026


The MAVEN_DIR should use $HOME instead of ~awfuser, and needs chroot mode handling. The HOME environment variable is set to the real user's home directory (via getRealUserHome() in docker-manager.ts, e.g., /home/runner on GitHub Actions), not /home/awfuser. Maven will look for settings.xml in $HOME/.m2/, not /home/awfuser/.m2/.

Additionally, in chroot mode, the file must be created at /host$HOME/.m2/settings.xml to be accessible after the chroot transition, following the same pattern as Claude Code configuration (lines 130-134).

Replace line 173 with:

if [ "${AWF_CHROOT_ENABLED}" = "true" ]; then
  MAVEN_DIR="/host$HOME/.m2"
else
  MAVEN_DIR="$HOME/.m2"
fi
Suggested change
MAVEN_DIR="$(eval echo ~awfuser)/.m2"
if [ "${AWF_CHROOT_ENABLED}" = "true" ]; then
MAVEN_DIR="/host$HOME/.m2"
else
MAVEN_DIR="$HOME/.m2"
fi

Copilot uses AI. Check for mistakes.
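
One way to write the entrypoint step discussed in this review thread, as an added example that is not the project's entrypoint.sh: it resolves the settings path from $HOME (with the /host prefix in chroot mode), validates the proxy host and port before they are written into XML, and leaves an existing settings.xml untouched. The function names and the proxy ids are hypothetical; the environment variable names are the ones used in the thread.

```shell
#!/bin/sh
# Added example; function names are hypothetical, env var names are from the thread.

# settings.xml must sit under $HOME/.m2; in chroot mode it is written via /host.
maven_settings_path() {
  if [ "${AWF_CHROOT_ENABLED:-}" = "true" ]; then
    printf '%s\n' "/host${HOME}/.m2/settings.xml"
  else
    printf '%s\n' "${HOME}/.m2/settings.xml"
  fi
}

# Both values end up inside XML, so accept only a hostname and a 1-65535 port.
valid_proxy_endpoint() {
  case "$1" in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
  case "$2" in ''|*[!0-9]*) return 1 ;; esac
  [ "${#2}" -le 5 ] && [ "$2" -ge 1 ] && [ "$2" -le 65535 ]
}

write_maven_proxy_settings() {
  target=$1 host=$2 port=$3
  valid_proxy_endpoint "$host" "$port" || return 2
  [ -e "$target" ] && return 0   # keep a settings.xml the user already has
  mkdir -p "$(dirname "$target")" || return 1
  {
    echo '<settings>'
    echo '  <proxies>'
    for proto in http https; do
      cat <<EOF
    <proxy>
      <id>awf-$proto</id>
      <active>true</active>
      <protocol>$proto</protocol>
      <host>$host</host>
      <port>$port</port>
      <nonProxyHosts>localhost|127.0.0.1</nonProxyHosts>
    </proxy>
EOF
    done
    echo '  </proxies>'
    echo '</settings>'
  } > "$target"
}

# Same guard as the entrypoint snippet: do nothing unless the proxy is configured.
if [ -n "${SQUID_PROXY_HOST:-}" ] && [ -n "${SQUID_PROXY_PORT:-}" ]; then
  write_maven_proxy_settings "$(maven_settings_path)" \
    "$SQUID_PROXY_HOST" "$SQUID_PROXY_PORT"
fi
```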
@github-actions

Build Test: Java - FAILED ❌

Test Results

Project Compile Tests Status
gson N/A FAILED
caffeine N/A N/A SKIPPED

Overall: FAILED

Error Details

gson compilation failed with network connectivity issue:

[ERROR] Plugin org.apache.maven.plugins:maven-resources-plugin:3.3.1 or one of its dependencies could not be resolved:
[ERROR] Could not transfer artifact org.apache.maven.plugins:maven-resources-plugin:pom:3.3.1 from/to central (https://repo.maven.apache.org/maven2): Network is unreachable

Root Cause

The firewall is blocking access to repo.maven.apache.org, which is Maven Central Repository. This domain must be added to the allowed domains list for Java builds to work.

Required Action

The workflow needs to include repo.maven.apache.org in the --allow-domains parameter when calling awf.

Test Environment

  • ✅ Running in AWF agent container
  • ✅ JAVA_TOOL_OPTIONS configured with proxy settings
  • ✅ HTTP_PROXY/HTTPS_PROXY environment variables set
  • ❌ Maven Central repository blocked by firewall

Note: Maven settings.xml proxy configuration is not needed when JAVA_TOOL_OPTIONS is set (JVM reads proxy settings directly).

AI generated by Build Test Java

@github-actions

Smoke Test Results - Claude

✅ GitHub MCP: Last 2 merged PRs retrieved

✅ Playwright: Navigated to github.com (page title verified)
✅ File Writing: Created test file at /tmp/gh-aw/agent/smoke-test-claude-22164939163.txt
✅ Bash Tool: File content verified

Status: PASS

AI generated by Smoke Claude

@github-actions

Build Test: Rust ✅

Project Build Tests Status
fd 1/1 PASS
zoxide 1/1 PASS

Overall: PASS

All Rust projects built and tested successfully.

AI generated by Build Test Rust

@github-actions

PRs: feat: update agentic workflows to v0.47.0 and add smoke-gemini; Add macOS binary support (Darwin x64 and ARM64)
GitHub MCP merged PRs ✅
safeinputs-gh PR list ✅
Playwright github.com title ✅
Tavily search ❌
File write ✅
Bash cat ✅
Discussion query+comment ✅
npm ci && npm run build ✅
Overall: FAIL

AI generated by Smoke Codex

@github-actions

Chroot Version Comparison Test Results

| Runtime | Host Version | Chroot Version | Match? |
| --- | --- | --- | --- |
| Python | 3.12.12 | 3.12.3 | ❌ NO |
| Node.js | v24.13.0 | v20.20.0 | ❌ NO |
| Go | go1.22.12 | go1.22.12 | ✅ YES |

Overall Result: Tests FAILED (not all runtimes matched)

The chroot mode successfully accessed host binaries, but version mismatches were detected for Python and Node.js. This is expected behavior - the test validates that chroot mode uses host binaries transparently.

AI generated by Smoke Chroot
