Refactor Squid config generation into focused modules by Copilot · Pull Request #3637 · github/gh-aw-firewall

Copilot · 2026-05-23T16:56:57Z

src/squid-config.ts had grown into a single large generateSquidConfig() implementation spanning validation, ACL construction, access rules, and feature-specific config assembly. This change breaks that logic into focused modules while preserving the existing config surface and keeping src/squid-config.ts as a compatibility facade.

Module split
- Added /src/squid/config-generator.ts as the main orchestrator for Squid config assembly
- Extracted focused helpers into:
  - /src/squid/validation.ts
  - /src/squid/acl-generator.ts
  - /src/squid/access-rules.ts
  - /src/squid/config-sections.ts
Responsibility boundaries
- validation.ts: api-proxy IP validation, host-access port validation/sanitization, api-proxy port validation
- acl-generator.ts: allowed/blocked domain ACL generation
- access-rules.ts: protocol-specific allow rules and default deny rule construction
- config-sections.ts: DLP, SSL bump, port ACLs, DNS, and api-proxy config sections
Compatibility / caller updates
- Kept src/squid-config.ts as a minimal facade exporting generateSquidConfig
- Updated src/config-writer.ts to import generateSquidConfig from ./squid/config-generator
- Left policy manifest generation in place under the existing facade path
Targeted coverage
- Added focused tests for extracted validation behavior in src/squid/validation.test.ts

import { generateSquidConfig } from './squid/config-generator';
import { generatePolicyManifest } from './squid-config';

github-actions · 2026-05-23T17:20:09Z

⚠️ Coverage Regression Detected

This PR decreases test coverage. Please add tests to maintain coverage levels.

Overall Coverage

Metric	Base	PR	Delta
Lines	95.98%	96.09%	📈 +0.11%
Statements	95.81%	95.92%	📈 +0.11%
Functions	98.02%	97.92%	📉 -0.10%
Branches	89.44%	89.64%	📈 +0.20%

📁 Per-file Coverage Changes (2 files)

File	Lines (Before → After)	Statements (Before → After)
`src/services/agent-environment.ts`	98.6% → 0.0% (-98.62%)	98.0% → 0.0% (-97.97%)
`src/config-writer.ts`	83.0% → 85.6% (+2.54%)	83.0% → 85.6% (+2.54%)

✨ New Files (15 files)

src/services/agent-environment/api-proxy-environment.ts: 100.0% lines
src/services/agent-environment/core-environment.ts: 100.0% lines
src/services/agent-environment/env-passthrough.ts: 96.8% lines
src/services/agent-environment/environment-builder.ts: 93.5% lines
src/services/agent-environment/excluded-vars.ts: 100.0% lines
src/services/agent-environment/github-actions-environment.ts: 100.0% lines
src/services/agent-environment/host-path-recovery.ts: 100.0% lines
src/services/agent-environment/observability-environment.ts: 100.0% lines
src/services/agent-environment/proxy-environment.ts: 100.0% lines
src/services/agent-environment/tool-specific-environment.ts: 100.0% lines
src/squid/access-rules.ts: 100.0% lines
src/squid/acl-generator.ts: 100.0% lines
src/squid/config-generator.ts: 100.0% lines
src/squid/config-sections.ts: 100.0% lines
src/squid/validation.ts: 100.0% lines

Coverage comparison generated by scripts/ci/compare-coverage.ts

Copilot

Pull request overview

Refactors Squid configuration generation by splitting the previously large generateSquidConfig() implementation into focused modules under src/squid/, while keeping src/squid-config.ts as a compatibility facade for existing callers.

Changes:

Added a new orchestrator (src/squid/config-generator.ts) and extracted helpers for validation, ACL generation, access rules, and config sections.
Kept src/squid-config.ts as a re-exporting facade and adjusted src/config-writer.ts imports accordingly.
Added unit tests for the extracted validation helpers (src/squid/validation.test.ts).

Show a summary per file

File	Description
src/squid/validation.ts	New validation helpers for api-proxy IP/ports and host-access port sanitization/validation.
src/squid/validation.test.ts	New focused tests for the extracted validation helpers.
src/squid/config-sections.ts	New helpers to generate DLP/SSL/DNS/api-proxy/port ACL config sections.
src/squid/config-generator.ts	New main `generateSquidConfig()` orchestrator assembling the final squid.conf output.
src/squid/acl-generator.ts	New helpers to generate allowed/blocked domain ACLs and related deny rules.
src/squid/access-rules.ts	New helpers to generate protocol-specific allow rules and the default deny rule.
src/squid-config.ts	Reduced to a compatibility facade re-exporting `generateSquidConfig` and `generatePolicyManifest`.
src/config-writer.ts	Updated to import Squid config generation from the new module structure.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Files reviewed: 8/8 changed files
Comments generated: 2

+export function validateAndSanitizeHostAccessPort(port: string): string {
+  const parts = port.split('-');


+import { generatePolicyManifest } from './squid-config';
+import { generateSquidConfig } from './squid/config-generator';


lpcox · 2026-05-23T19:43:49Z

@copilot address review feedback

Copilot · 2026-05-23T19:48:23Z

@copilot address review feedback

Addressed in commit f983a5e.

Hardened validateAndSanitizeHostAccessPort to require trimmed input to match strict numeric/range format before parsing, preventing mixed-character bypass cases.
Switched config-writer.ts back to importing generateSquidConfig via ./squid-config so existing test mocks keep working.
Added validation tests for whitespace trimming and mixed-character rejection.

Validated with:

npm test -- --runInBand src/squid/validation.test.ts src/config-writer.test.ts
npm run build
npm run lint
CodeQL scan (0 alerts).

github-actions · 2026-05-23T20:05:14Z

Smoke Test: Claude Engine Validation

✅ GitHub API: 2 PR entries confirmed
✅ GitHub check: playwright_check = ✅ PASS
✅ File verify: smoke-test file exists

Result: PASS — All validation checks passed

💥 [THE END] — Illustrated by Smoke Claude

github-actions · 2026-05-23T20:07:09Z

Service Connectivity Test Results

❌ Redis: Connection timeout
❌ PostgreSQL (pg_isready): No response
❌ PostgreSQL (SELECT 1): Connection timeout

Overall: FAIL — All service connectivity checks failed. Services on host.docker.internal are unreachable from the AWF sandbox.

🔌 Service connectivity validated by Smoke Services

github-actions · 2026-05-23T20:07:10Z

Merged PRs: Refactor agent environment assembly into focused modules | fix(claude-token-optimizer): resolve workflow file via .lock.yml when .md lacks name field
Listed PRs: Refactor agent volume assembly into focused mount modules | Refactor Squid config generation into focused modules
✅ GitHub PR review via gh fallback
❌ safeinputs-gh unavailable
✅ Playwright title contains GitHub
❌ Tavily search unavailable: server exposes no tools
✅ File write/read and build
❌ Discussion query wrapper unavailable; oracle comment posted via fallback
Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

github-actions · 2026-05-23T20:07:55Z

Smoke Test: Gemini Engine Validation

GitHub MCP Testing: ✅
- Last 2 merged PRs:
  - Refactor agent environment assembly into focused modules #3636: Refactor agent environment assembly into focused modules
  - fix(claude-token-optimizer): resolve workflow file via .lock.yml when .md lacks name field #3633: fix(claude-token-optimizer): resolve workflow file via .lock.yml when .md lacks name field
GitHub.com Connectivity: ❌
- HTTP Status: 000 (SSL Error 35: wrong version number) / 400 (Squid error)
File Writing Testing: ✅
Bash Tool Testing: ✅

Overall Status: FAIL (Network connectivity failed)

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini

github-actions · 2026-05-23T20:08:14Z

Chroot Runtime Version Test Results

Comparison of runtime versions between host and chroot environments:

Runtime	Host Version	Chroot Version	Match?
Python	3.12.13	3.12.3	❌ NO
Node.js	v24.15.0	v22.22.3	❌ NO
Go	go1.22.12	go1.22.12	✅ YES

Overall Result: Some runtime versions do not match between host and chroot environments.

Python: Minor version mismatch (3.12.13 vs 3.12.3)
Node.js: Major version mismatch (v24 vs v22)
Go: Versions match ✅

The version mismatches indicate that the chroot environment is successfully isolating the agent from host binaries, using the Ubuntu 22.04 base image versions instead of GitHub Actions runner versions.

Tested by Smoke Chroot

github-actions · 2026-05-23T20:09:59Z

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	1/1 passed	✅ PASS
Go	env	✅	1/1 passed	✅ PASS
Go	uuid	✅	1/1 passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	1/1 passed	✅ PASS
Node.js	execa	✅	1/1 passed	✅ PASS
Node.js	p-limit	✅	1/1 passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

All build and test operations completed successfully across all language ecosystems.

Generated by Build Test Suite for issue #3637 · ● 17.1M · ◷

github-actions · 2026-05-23T20:15:49Z

Smoke Test: Copilot BYOK (Offline) Mode — PASS ✅

✅ GitHub MCP: Retrieved PR Refactor agent volume assembly into focused mount modules #3638 ("Refactor agent volume assembly into focused mount modules")
✅ BYOK Inference: Running in COPILOT_OFFLINE mode via api-proxy → api.githubcopilot.com
⚠️ File test: Unable to verify (template variable not expanded)
⚠️ HTTP test: Unable to verify (template variable not expanded)

PR #3637: "Refactor Squid config generation into focused modules" — @Copilot, assignees: @lpcox, @Copilot

Note: Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com

🔑 BYOK report filed by Smoke Copilot BYOK

github-actions · 2026-05-23T20:16:00Z

Smoke Test Results

MCP Connectivity: ✅ (#3636: Refactor agent environment assembly into focused modules)
GitHub.com: ⚠️ (pre-step data not available)
File I/O: ⚠️ (pre-step data not available)

Status: INCOMPLETE (template vars not expanded)

cc @Copilot @lpcox

📰 BREAKING: Report filed by Smoke Copilot

Initial plan

faad28c

Copilot AI assigned Copilot and lpcox May 23, 2026

Copilot started work on behalf of lpcox May 23, 2026 16:57 View session

Copilot AI linked an issue May 23, 2026 that may be closed by this pull request

[Refactoring] Split src/squid-config.ts into focused configuration modules #3631

Closed

refactor: split squid config generator modules

90edc58

Copilot AI changed the title ~~[WIP] Refactor squid-config.ts into focused configuration modules~~ Refactor Squid config generation into focused modules May 23, 2026

Copilot finished work on behalf of lpcox May 23, 2026 17:04

Copilot AI requested a review from lpcox May 23, 2026 17:04

lpcox marked this pull request as ready for review May 23, 2026 17:18

Copilot AI review requested due to automatic review settings May 23, 2026 17:18

Copilot started reviewing on behalf of lpcox May 23, 2026 17:18 View session