60 changes: 60 additions & 0 deletions containers/agent/entrypoint.sh
Expand Up @@ -162,6 +162,66 @@ if [ -n "$CLAUDE_CODE_API_KEY_HELPER" ]; then
fi
fi

# Pre-seed JVM build tool proxy configuration
# Java build tools (Maven, Gradle, sbt) do not honor HTTP_PROXY/HTTPS_PROXY env vars
# and need explicit proxy configuration files
if [ -n "$HTTP_PROXY" ]; then
# Extract proxy host and port from HTTP_PROXY (format: http://IP:PORT)
PROXY_HOST="${HTTP_PROXY#http://}"
PROXY_HOST="${PROXY_HOST%:*}"
PROXY_PORT="${SQUID_PROXY_PORT:-3128}"
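
Review bot: PROXY_HOST is never validated after the two parameter expansions above, yet further down it is written verbatim into settings.xml, gradle.properties and JAVA_TOOL_OPTIONS. An empty result (HTTP_PROXY set to just `http://`) produces configs with a blank host, a value containing whitespace would be split by the JVM into extra JAVA_TOOL_OPTIONS arguments, and `<` or `&` would break the XML. Check that the value is non-empty and contains only hostname or IP characters before the files are generated, and skip the pre-seeding with a logged warning otherwise.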

Comment on lines +169 to +173

Copilot AI Feb 21, 2026

The proxy host extraction from HTTP_PROXY is brittle (doesn't handle https:// scheme, credentials like user:pass@, IPv6, or paths) and ignores the actual port embedded in HTTP_PROXY. Since the agent env already provides SQUID_PROXY_HOST/SQUID_PROXY_PORT, prefer using those directly (or parse HTTP_PROXY more robustly) so the generated configs always point at the intended proxy.

Suggested change
# Extract proxy host and port from HTTP_PROXY (format: http://IP:PORT)
PROXY_HOST="${HTTP_PROXY#http://}"
PROXY_HOST="${PROXY_HOST%:*}"
PROXY_PORT="${SQUID_PROXY_PORT:-3128}"
# Determine proxy host and port for JVM tools.
# Prefer SQUID_PROXY_HOST/SQUID_PROXY_PORT if provided; otherwise, parse HTTP_PROXY robustly.
if [ -n "$SQUID_PROXY_HOST" ] && [ -n "$SQUID_PROXY_PORT" ]; then
PROXY_HOST="$SQUID_PROXY_HOST"
PROXY_PORT="$SQUID_PROXY_PORT"
else
PROXY_INFO="$(python3 - << 'PYEOF'
import os, sys
from urllib.parse import urlparse
url = os.environ.get("HTTP_PROXY") or os.environ.get("http_proxy")
if not url:
sys.exit(1)
if "://" not in url:
url = "http://" + url
parsed = urlparse(url)
host = parsed.hostname or ""
port = parsed.port or 3128
if not host:
sys.exit(1)
print(f"{host}:{port}")
PYEOF
)" || PROXY_INFO=""
PROXY_HOST="${PROXY_INFO%:*}"
PROXY_PORT="${PROXY_INFO##*:}"
fi

# Determine path prefix for config files (chroot-aware, same pattern as .claude.json)
if [ "${AWF_CHROOT_ENABLED}" = "true" ]; then
JVM_HOME_PREFIX="/host${HOME}"
else
JVM_HOME_PREFIX="${HOME}"
fi

echo "[entrypoint] Pre-seeding JVM build tool proxy configuration (${PROXY_HOST}:${PROXY_PORT})..."

# Maven proxy config (~/.m2/settings.xml)
mkdir -p "${JVM_HOME_PREFIX}/.m2"
cat > "${JVM_HOME_PREFIX}/.m2/settings.xml" << MAVEN_EOF
<settings>
Comment on lines +183 to +186

Copilot AI Feb 21, 2026

This always overwrites ~/.m2/settings.xml on container start, which can destroy user/workflow-provided Maven settings (mirrors, repositories, auth, profiles). Consider creating the file only if it doesn't exist, or updating it in a way that preserves existing settings while ensuring the awf proxy entries are present.

This issue also appears on line 208 of the same file.

<proxies>
<proxy>
<id>awf-http</id>
<active>true</active>
<protocol>http</protocol>
<host>${PROXY_HOST}</host>
<port>${PROXY_PORT}</port>
</proxy>
<proxy>
<id>awf-https</id>
<active>true</active>
<protocol>https</protocol>
<host>${PROXY_HOST}</host>
<port>${PROXY_PORT}</port>
</proxy>
</proxies>
</settings>
MAVEN_EOF
chown awfuser:awfuser "${JVM_HOME_PREFIX}/.m2/settings.xml" 2>/dev/null || true
echo "[entrypoint] ✓ Created Maven proxy config (${JVM_HOME_PREFIX}/.m2/settings.xml)"

# Gradle proxy config (~/.gradle/gradle.properties)
mkdir -p "${JVM_HOME_PREFIX}/.gradle"
cat > "${JVM_HOME_PREFIX}/.gradle/gradle.properties" << GRADLE_EOF
systemProp.http.proxyHost=${PROXY_HOST}
systemProp.http.proxyPort=${PROXY_PORT}
systemProp.https.proxyHost=${PROXY_HOST}
systemProp.https.proxyPort=${PROXY_PORT}
GRADLE_EOF
chown awfuser:awfuser "${JVM_HOME_PREFIX}/.gradle/gradle.properties" 2>/dev/null || true
echo "[entrypoint] ✓ Created Gradle proxy config (${JVM_HOME_PREFIX}/.gradle/gradle.properties)"

# sbt/JVM proxy config via JAVA_TOOL_OPTIONS
# This covers sbt and any JVM tool that reads standard system properties
export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS:-} -Dhttp.proxyHost=${PROXY_HOST} -Dhttp.proxyPort=${PROXY_PORT} -Dhttps.proxyHost=${PROXY_HOST} -Dhttps.proxyPort=${PROXY_PORT}"
echo "[entrypoint] ✓ Set JAVA_TOOL_OPTIONS with proxy flags"
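
Review bot: the chown calls after each heredoc cover only settings.xml and gradle.properties, not the .m2 and .gradle directories that `mkdir -p` may have just created. If the entrypoint runs as a different user than awfuser, which the chown implies, those directories stay owned by that user, and Maven or Gradle running as awfuser cannot create their repository and cache directories under them. Apply the chown to a directory when this script created it, and log a chown failure instead of discarding it with `2>/dev/null || true` so an ownership problem is visible.
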
Comment on lines +221 to +222

Copilot AI Feb 21, 2026

JAVA_TOOL_OPTIONS sets JVM proxy properties but doesn't set http.nonProxyHosts/https.nonProxyHosts, so JVM tools may attempt to proxy localhost/127.0.0.1 (and other bypass targets listed in NO_PROXY), which can break tests that talk to local services. Consider deriving Java nonProxyHosts from the existing NO_PROXY/no_proxy env (converting comma-separated hosts into Java's '|' pattern) and including it here.

Suggested change
export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS:-} -Dhttp.proxyHost=${PROXY_HOST} -Dhttp.proxyPort=${PROXY_PORT} -Dhttps.proxyHost=${PROXY_HOST} -Dhttps.proxyPort=${PROXY_PORT}"
echo "[entrypoint] ✓ Set JAVA_TOOL_OPTIONS with proxy flags"
NON_PROXY_RAW="${NO_PROXY:-${no_proxy}}"
if [ -n "$NON_PROXY_RAW" ]; then
# Convert comma-separated NO_PROXY to Java's '|' separated nonProxyHosts format
NON_PROXY_HOSTS=$(printf '%s' "$NON_PROXY_RAW" | tr ',' '|' | tr -d ' ')
export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS:-} -Dhttp.proxyHost=${PROXY_HOST} -Dhttp.proxyPort=${PROXY_PORT} -Dhttps.proxyHost=${PROXY_HOST} -Dhttps.proxyPort=${PROXY_PORT} -Dhttp.nonProxyHosts=${NON_PROXY_HOSTS} -Dhttps.nonProxyHosts=${NON_PROXY_HOSTS}"
echo "[entrypoint] ✓ Set JAVA_TOOL_OPTIONS with proxy and nonProxyHosts flags"
else
export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS:-} -Dhttp.proxyHost=${PROXY_HOST} -Dhttp.proxyPort=${PROXY_PORT} -Dhttps.proxyHost=${PROXY_HOST} -Dhttps.proxyPort=${PROXY_PORT}"
echo "[entrypoint] ✓ Set JAVA_TOOL_OPTIONS with proxy flags"
fi

fi

# Print proxy environment
echo "[entrypoint] Proxy configuration:"
echo "[entrypoint] HTTP_PROXY=$HTTP_PROXY"